BFF pulumi appsync 1
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// AppSync
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
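// Read the GraphQL schema from disk as a string.
// Node's default `require` has no loader for the `.graphql` extension (unknown
// extensions are parsed as JavaScript), so the file is read explicitly instead.
// `__dirname` keeps the path stable regardless of the process working directory.
const graphQLSchema = require("fs").readFileSync(
  require("path").join(__dirname, "schema.graphql"),
  "utf8"
);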
// IAM role that AppSync assumes in order to write API logs to CloudWatch Logs.
// Only the trust relationship is declared here; the permissions policy is attached separately.
// NOTE(review): the trust policy has no aws:SourceAccount / aws:SourceArn condition, so it is not
// scoped to this account's AppSync APIs — consider adding one (confused-deputy hardening); confirm
// against the AppSync documentation for the supported condition keys.
const graphQLApiCloudWatchLogsRole = new aws.iam.Role("graphQLApiCloudWatchLogsRole", {
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        // The AppSync service principal is the only party allowed to assume this role.
        Principal: { Service: "appsync.amazonaws.com" },
        Action: "sts:AssumeRole",
      },
    ],
  }),
});
// Grant the logging role the AWS-managed policy that allows AppSync to push to CloudWatch Logs.
// The role is referenced by name, so Pulumi orders the attachment after the role is created.
const graphQLApiCloudWatchLogsRolePolicyAttachment = new aws.iam.RolePolicyAttachment(
  "graphQLApiCloudWatchLogsRolePolicyAttachment",
  {
    role: graphQLApiCloudWatchLogsRole.name,
    policyArn: "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
  }
);
// The AppSync GraphQL API. Requests authenticate with a Cognito user pool token and the API
// forwards field-level logs (errors only) to CloudWatch via the logging role declared above.
const graphQLApi = new aws.appsync.GraphQLApi("graphQLApi", {
  schema: graphQLSchema,
  authenticationType: "AMAZON_COGNITO_USER_POOLS",
  userPoolConfig: {
    userPoolId: userPool.id,
    // NOTE(review): the region is hard-coded; it must match the region the user pool lives in —
    // confirm it agrees with the provider region used for `userPool`.
    awsRegion: "us-east-1",
    // "DENY" is the restrictive default: access is expected to be granted explicitly in the
    // schema rather than implied for every authenticated pool member (confirm against AppSync docs).
    defaultAction: "DENY",
  },
  logConfig: {
    // Only field-level errors are logged; raise to ALL/NONE deliberately, since ALL may log
    // request payloads.
    fieldLogLevel: "ERROR",
    cloudwatchLogsRoleArn: graphQLApiCloudWatchLogsRole.arn,
  },
});
// IAM role assumed by AppSync when a data source calls the Aurora Data API and Secrets Manager.
// The trust relationship mirrors the logging role's; the inline permissions policy is declared below.
// NOTE(review): as with the logging role, no aws:SourceAccount / aws:SourceArn condition restricts
// which AppSync API may assume it — consider scoping it (confused-deputy hardening).
const graphQLDataSourceServiceRole = new aws.iam.Role("graphQLDataSourceServiceRole", {
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { Service: "appsync.amazonaws.com" },
        Action: "sts:AssumeRole",
      },
    ],
  }),
});
// Permissions document for the data source role, rendered once both ARNs are resolved.
// `pulumi.all(...).apply(...)` waits for the cluster and secret Outputs before the JSON is built,
// so the resulting value is itself an Output<string>.
const graphQLDataSourceServiceRolePolicyValue = pulumi
  .all([dbCluster.arn, dbClusterSecret.arn])
  .apply(([dbClusterArn, dbClusterSecretArn]) => {
    // Data API access to the Aurora cluster.
    // NOTE(review): AWS documents rds-data:ExecuteSql as deprecated in favour of ExecuteStatement /
    // BatchExecuteStatement (plus the transaction actions); confirm which calls the resolvers make
    // and trim the action list to exactly those.
    // NOTE(review): the `:*` suffix widens each Resource beyond the exact ARN — confirm it is needed.
    const clusterDataApiAccess = {
      Effect: "Allow",
      Action: [
        "rds-data:DeleteItems",
        "rds-data:ExecuteSql",
        "rds-data:GetItems",
        "rds-data:InsertItems",
        "rds-data:UpdateItems",
      ],
      Resource: [dbClusterArn, `${dbClusterArn}:*`],
    };
    // Read-only access to the credentials secret the Data API uses to connect to the cluster.
    const clusterSecretAccess = {
      Effect: "Allow",
      Action: ["secretsmanager:GetSecretValue"],
      Resource: [dbClusterSecretArn, `${dbClusterSecretArn}:*`],
    };
    return JSON.stringify({
      Version: "2012-10-17",
      Statement: [clusterDataApiAccess, clusterSecretAccess],
    });
  });
// Attach the rendered permissions document to the data source role as an inline policy.
// Referencing the role's id makes Pulumi create the role before the policy.
const graphQLDataSourceServiceRolePolicy = new aws.iam.RolePolicy(
  "graphQLDataSourceServiceRolePolicy",
  {
    role: graphQLDataSourceServiceRole.id,
    policy: graphQLDataSourceServiceRolePolicyValue,
  }
);