BFF pulumi appsync 1
////////////////////////////////////////////////////////////////////////////////
// AppSync
////////////////////////////////////////////////////////////////////////////////

// The GraphQL schema text that the AppSync API below is created with.
// NOTE(review): `require` of a `.graphql` file only yields a string when the
// build/run pipeline registers a loader or require hook for that extension;
// under plain Node this line throws at module load — confirm the hook exists.
const graphQLSchema = require('./schema.graphql');
// Service role that AppSync assumes when it writes API logs to CloudWatch.
// The trust policy names only the AppSync service principal.
// NOTE(review): the trust policy carries no aws:SourceAccount / aws:SourceArn
// condition; adding one limits the role to APIs in this account
// (confused-deputy hardening) — confirm the condition keys against the
// AppSync documentation before adding them.
const graphQLApiCloudWatchLogsRole = new aws.iam.Role("graphQLApiCloudWatchLogsRole", {
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { Service: "appsync.amazonaws.com" },
        Action: "sts:AssumeRole",
      },
    ],
  }),
});
// Give the logging role its permissions via the AWS-managed AppSync logging
// policy; the role itself carries no inline policy.
const graphQLApiCloudWatchLogsRolePolicyAttachment = new aws.iam.RolePolicyAttachment(
  "graphQLApiCloudWatchLogsRolePolicyAttachment",
  {
    role: graphQLApiCloudWatchLogsRole.name,
    policyArn: "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
  },
);
// The AppSync GraphQL API. Every request must carry a token from the Cognito
// user pool `userPool`; with `defaultAction: "DENY"` a field is reachable only
// when the schema explicitly authorizes the caller for it.
const graphQLApi = new aws.appsync.GraphQLApi("graphQLApi", {
  schema: graphQLSchema,
  authenticationType: "AMAZON_COGNITO_USER_POOLS",
  userPoolConfig: {
    userPoolId: userPool.id,
    // NOTE(review): hard-coded; this must be the region the user pool lives
    // in — confirm before deploying this stack to another region.
    awsRegion: "us-east-1",
    defaultAction: "DENY",
  },
  logConfig: {
    cloudwatchLogsRoleArn: graphQLApiCloudWatchLogsRole.arn,
    // Log resolver errors only; keeps log volume (and the amount of request
    // data that ends up in CloudWatch) low. Raise only while debugging.
    fieldLogLevel: "ERROR",
  },
});
// Service role that AppSync assumes when a resolver talks to the RDS data
// source. Trust is limited to the AppSync service principal; the actual
// permissions are attached separately as an inline policy.
// NOTE(review): as with the logging role, no aws:SourceAccount /
// aws:SourceArn condition is set on the trust policy — consider adding one.
const graphQLDataSourceServiceRole = new aws.iam.Role("graphQLDataSourceServiceRole", {
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { Service: "appsync.amazonaws.com" },
        Action: "sts:AssumeRole",
      },
    ],
  }),
});
// Policy document for the data-source role, resolved once the cluster and
// secret ARNs are known. Permissions are scoped to the one Aurora cluster
// (RDS Data API calls) and the one Secrets Manager secret holding its
// credentials — no wildcard resources.
// NOTE(review): these rds-data action names match the AppSync Aurora
// Serverless sample of the time; newer RDS Data API actions
// (e.g. ExecuteStatement) may be required — confirm against the current
// action list before relying on this policy.
const graphQLDataSourceServiceRolePolicyValue = pulumi
  .all([dbCluster.arn, dbClusterSecret.arn])
  .apply(([clusterArn, secretArn]) => {
    // One Allow statement on a resource and its sub-resources (`<arn>:*`).
    const allowOn = (actions, resourceArn) => ({
      Effect: "Allow",
      Action: actions,
      Resource: [resourceArn, `${resourceArn}:*`],
    });
    return JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        allowOn(
          [
            "rds-data:DeleteItems",
            "rds-data:ExecuteSql",
            "rds-data:GetItems",
            "rds-data:InsertItems",
            "rds-data:UpdateItems",
          ],
          clusterArn,
        ),
        // Reading the secret yields the database credentials themselves, so
        // this is the most sensitive grant in the document.
        allowOn(["secretsmanager:GetSecretValue"], secretArn),
      ],
    });
  });
// Bind the resolved policy document to the data-source role as an inline
// policy (it is specific to this cluster/secret pair, so a managed policy
// would add nothing).
const graphQLDataSourceServiceRolePolicy = new aws.iam.RolePolicy(
  "graphQLDataSourceServiceRolePolicy",
  {
    role: graphQLDataSourceServiceRole.id,
    policy: graphQLDataSourceServiceRolePolicyValue,
  },
);