# AWS provider with no explicit settings: region and credentials are resolved
# from the environment/CLI configuration at plan time, nothing is pinned here.
# NOTE(review): no required_providers version constraint is visible in this
# chunk — confirm one exists elsewhere so provider upgrades are deliberate.
provider "aws" {
}
3 | |
# 8 random bytes (64 bits) of entropy, typically used as a unique name suffix.
# Nothing in this chunk references random_id.id — its consumer is elsewhere.
resource "random_id" "id" {
  byte_length = 8
}
7 | |
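# Service role AppSync assumes for the DynamoDB data sources and for the
# "notify" HTTP data source that calls back into the API. Permissions are
# attached separately through aws_iam_role_policy.appsync; this resource only
# defines who may assume the role.
resource "aws_iam_role" "appsync" {
  # jsonencode() replaces the JSON heredoc: HCL checks the structure at plan
  # time, and the provider treats the encoded policy as equivalent to the
  # previous text, so existing deployments see no change.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "appsync.amazonaws.com"
        }
        # NOTE(review): trust is granted to the AppSync service as a whole.
        # Consider adding an aws:SourceArn / aws:SourceAccount condition so
        # only this account's API can assume the role (confused-deputy guard).
      }
    ]
  })
}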
24 | |
# Permissions for aws_iam_role.appsync: item-level DynamoDB access on the
# application tables (and their indexes), plus the right to invoke exactly two
# Mutation fields on the API itself via the "notify" HTTP data source.
data "aws_iam_policy_document" "appsync" {
  # DynamoDB access. The "<arn>/*" entries cover secondary indexes.
  # NOTE(review): the user table has no "/*" entry, so a Query against an
  # index on that table would be denied — confirm it has no GSI/LSI.
  statement {
    effect = "Allow"

    actions = [
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:GetItem",
      "dynamodb:Query",
      "dynamodb:BatchGetItem"
    ]

    resources = [
      aws_dynamodb_table.user.arn,
      aws_dynamodb_table.friend.arn,
      "${aws_dynamodb_table.friend.arn}/*",
      aws_dynamodb_table.post.arn,
      "${aws_dynamodb_table.post.arn}/*",
      aws_dynamodb_table.comment.arn,
      "${aws_dynamodb_table.comment.arn}/*"
    ]
  }

  # Self-invocation, deliberately limited to the two notification mutations
  # rather than the whole API.
  statement {
    effect = "Allow"

    actions = [
      "appsync:GraphQL"
    ]

    resources = [
      "${aws_appsync_graphql_api.appsync.arn}/types/Mutation/fields/notifyPost",
      "${aws_appsync_graphql_api.appsync.arn}/types/Mutation/fields/notifyComment"
    ]
  }
}
54 | |
# Inline policy binding the DynamoDB/AppSync permissions above to the
# AppSync service role.
resource "aws_iam_role_policy" "appsync" {
  policy = data.aws_iam_policy_document.appsync.json
  role   = aws_iam_role.appsync.id
}
# The GraphQL API. Primary auth is the Cognito user pool; AWS_IAM is enabled
# as a second mode so the "notify" HTTP data source can call the API back
# with SigV4-signed requests from the service role.
resource "aws_appsync_graphql_api" "appsync" {
  name   = "social-network"
  schema = file("schema.graphql")

  # Cognito users are allowed by default; field-level @aws_auth directives in
  # the schema (not visible here) can narrow that.
  authentication_type = "AMAZON_COGNITO_USER_POOLS"

  user_pool_config {
    user_pool_id   = aws_cognito_user_pool.pool.id
    default_action = "ALLOW"
  }

  additional_authentication_provider {
    authentication_type = "AWS_IAM"
  }

  # Field-level logging to CloudWatch through the dedicated logs role.
  # NOTE(review): "ALL" records full request/response data for every field,
  # which may include user content; consider "ERROR" outside development and
  # keep retention on the log group short.
  log_config {
    field_log_level          = "ALL"
    cloudwatch_logs_role_arn = aws_iam_role.appsync_logs.arn
  }
}
75 | |
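# Role AppSync assumes to deliver field-level logs to CloudWatch; referenced
# by log_config on aws_appsync_graphql_api.appsync. Its permissions come from
# aws_iam_role_policy.appsync_logs.
resource "aws_iam_role" "appsync_logs" {
  # jsonencode() replaces the JSON heredoc: HCL checks the structure at plan
  # time, and the provider treats the encoded policy as equivalent to the
  # previous text, so existing deployments see no change.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "appsync.amazonaws.com"
        }
        # NOTE(review): an aws:SourceAccount condition would stop other
        # accounts' AppSync APIs from assuming this role. aws:SourceArn cannot
        # reference the API here without a dependency cycle (the API depends
        # on this role).
      }
    ]
  })
}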
92 | |
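# Log-delivery permissions for aws_iam_role.appsync_logs.
data "aws_iam_policy_document" "appsync_policy" {
  statement {
    effect = "Allow"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]

    # Scoped to AppSync API log groups and their streams instead of every log
    # resource in every account and region ("arn:aws:logs:*:*:*"). The group
    # itself is created by aws_cloudwatch_log_group.loggroup, so
    # logs:CreateLogGroup is deliberately not granted (it was not before).
    resources = [
      "arn:aws:logs:*:*:log-group:/aws/appsync/apis/*"
    ]
  }
}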
# Inline policy binding the CloudWatch Logs permissions to the logs role.
resource "aws_iam_role_policy" "appsync_logs" {
  policy = data.aws_iam_policy_document.appsync_policy.json
  role   = aws_iam_role.appsync_logs.id
}
108 | |
# Log group for the API's field-level logs, managed explicitly so retention
# is bounded (14 days) rather than indefinite.
# NOTE(review): no kms_key_id is set, so the group uses CloudWatch's default
# encryption; with field_log_level = "ALL" these logs may hold request
# payloads — confirm that is acceptable for this data.
resource "aws_cloudwatch_log_group" "loggroup" {
  retention_in_days = 14
  name              = "/aws/appsync/apis/${aws_appsync_graphql_api.appsync.id}"
}
113 | |
# DynamoDB data source for the user table, accessed through the shared
# AppSync service role.
resource "aws_appsync_datasource" "ddb_user" {
  type             = "AMAZON_DYNAMODB"
  name             = "ddb_user"
  api_id           = aws_appsync_graphql_api.appsync.id
  service_role_arn = aws_iam_role.appsync.arn

  dynamodb_config {
    table_name = aws_dynamodb_table.user.name
  }
}
# DynamoDB data source for the friend table, accessed through the shared
# AppSync service role.
resource "aws_appsync_datasource" "ddb_friend" {
  type             = "AMAZON_DYNAMODB"
  name             = "ddb_friend"
  api_id           = aws_appsync_graphql_api.appsync.id
  service_role_arn = aws_iam_role.appsync.arn

  dynamodb_config {
    table_name = aws_dynamodb_table.friend.name
  }
}
# DynamoDB data source for the post table, accessed through the shared
# AppSync service role.
resource "aws_appsync_datasource" "ddb_post" {
  type             = "AMAZON_DYNAMODB"
  name             = "ddb_post"
  api_id           = aws_appsync_graphql_api.appsync.id
  service_role_arn = aws_iam_role.appsync.arn

  dynamodb_config {
    table_name = aws_dynamodb_table.post.name
  }
}
# DynamoDB data source for the comment table, accessed through the shared
# AppSync service role.
resource "aws_appsync_datasource" "ddb_comment" {
  type             = "AMAZON_DYNAMODB"
  name             = "ddb_comment"
  api_id           = aws_appsync_graphql_api.appsync.id
  service_role_arn = aws_iam_role.appsync.arn

  dynamodb_config {
    table_name = aws_dynamodb_table.comment.name
  }
}
150 | |
# Local ("NONE") data source: resolvers attached to it run mapping templates
# without calling any backing service, so no role is needed.
resource "aws_appsync_datasource" "none" {
  type   = "NONE"
  name   = "none"
  api_id = aws_appsync_graphql_api.appsync.id
}
156 | |
# HTTP data source pointing back at this API's own GraphQL endpoint. Requests
# are SigV4-signed with the service role (the API accepts AWS_IAM as an
# additional auth mode), and data.aws_iam_policy_document.appsync limits the
# role to the notifyPost/notifyComment mutations.
resource "aws_appsync_datasource" "notify" {
  type             = "HTTP"
  name             = "notify"
  api_id           = aws_appsync_graphql_api.appsync.id
  service_role_arn = aws_iam_role.appsync.arn

  http_config {
    # Keep only "<scheme>://<host>" of the GraphQL URI; the "/graphql" path
    # is supplied by the resolver request mapping.
    endpoint = regex("^[^/]+//[^/]+", aws_appsync_graphql_api.appsync.uris["GRAPHQL"])

    authorization_config {
      aws_iam_config {
        signing_service_name = "appsync"
        signing_region       = data.aws_region.current.name
      }
    }
  }
}
172 | |