Iniial GraphQL
jarrod-lowe committed Aug 15, 2024
1 parent bdf798f commit 383dbd2
Showing 6 changed files with 260 additions and 2 deletions.
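--- a/graphql/schema.graphql
+++ b/graphql/schema.graphql
@@ -0,0 +1,31 @@
+type Mutation {
+createGame(input: CreateGameInput!): Game!
+}
+
+type Query {
+getGame(input: ID!): Game!
+}
+
+input CreateGameInput {
+name: String!
+description: String
+publicNotes: String
+privateNotes: String
+fireflyUserId: ID!
+players: [ID!]!
+}
+
+type Game {
+id: ID!
+name: String!
+description: String
+publicNotes: String
+privateNotes: String
+# fireflyUser: User!
+# players: [ID!]!
+# playerSheets: [PlayerSheet!]!
+# shipSheet: ShipSheet
+# clocks: [Clock!]!
+createdAt: AWSDateTime!
+updatedAt: AWSDateTime!
+}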
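Review bot: `Game.privateNotes` is returned by `getGame` with no field-level auth directive, so with the API's IAM and Cognito providers any caller allowed to run `getGame` receives the private notes together with the public ones unless the resolver strips them. If the field is meant for the owner only, mark it with the intended provider (`privateNotes: String @aws_iam`, or whichever provider the owner role uses) or serve it from a separate owner-only query; the commented-out `fireflyUser`/`players` fields suggest the ownership model is still in progress, so this may be planned for the resolver — worth confirming before the schema is deployed. Separately, `getGame(input: ID!)` names a bare ID `input`, unlike `createGame` whose `input` is an input object; `getGame(id: ID!)` reads more consistently. The types carry no descriptions; a `"""..."""` description on `CreateGameInput` stating who can see `publicNotes` versus `privateNotes` would document the intent where API consumers will look for it.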
2 changes: 1 addition & 1 deletion terraform/environment/aws-dev/main.tf
Expand Up @@ -24,7 +24,7 @@ variable "state_bucket" {
variable "environment" {
description = "Unique name for the deployment"
type = string
default = "primary"
default = "dev"
}

terraform {
10 changes: 9 additions & 1 deletion terraform/environment/aws/deploy.sh
Expand Up @@ -8,11 +8,19 @@ fi
DIR="$( dirname "$0" )"
cd "${DIR}"

if [[ "${DIR}" == *-dev ]] ; then
DEFAULT_ENVIRONMENT="dev"
else
DEFAULT_ENVIRONMENT="primary"
fi

ACCOUNT_ID="$1"
ENVIRONMENT="${2:-primary}"
ENVIRONMENT="${2:-${DEFAULT_ENVIRONMENT}}"
AWS_REGION="${3:-ap-southeast-2}"
STATE_BUCKET="terraform-state-${ACCOUNT_ID}"

echo "Using ${ENVIRONMENT} environment"

if ! aws help >/dev/null ; then
echo >&2 "Error: aws cli not installed"
exit 3
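Review bot: The new `*-dev` test on `${DIR}` only works when `$0` carries the directory name; invoked as `./deploy.sh` from inside the environment directory, `dirname "$0"` yields `.`, the pattern never matches, and the script silently falls back to the `primary` environment. Resolving an absolute path first avoids that, e.g. `DIR="$( cd "$( dirname "$0" )" && pwd )"` — if `aws-dev` reaches this script through a symlink, as its location under `aws/` suggests, keep plain `pwd` rather than `pwd -P` so the logical directory name is tested. The added `echo "Using ${ENVIRONMENT} environment"` is a good safeguard, but `ACCOUNT_ID="$1"` is still unchecked and an empty argument produces the bucket name `terraform-state-`; a guard such as `[[ -n "${ACCOUNT_ID}" ]] || { echo >&2 "Error: account id required"; exit 2; }` would stop that early. The script starts and ends outside the hunk.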
Binary file modified terraform/environment/wildsea-dev/plan
Binary file not shown.
163 changes: 163 additions & 0 deletions terraform/module/iac-roles/policy.tf
Expand Up @@ -75,6 +75,38 @@ data "aws_iam_policy_document" "ro" {
"arn:${data.aws_partition.current.id}:iam::${data.aws_caller_identity.current.account_id}:policy/${local.prefix}-*",
]
}

statement {
actions = [
"appsync:GetGraphqlApi",
]
resources = [
"arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
]
condition {
test = "StringEquals"
variable = "aws:ResourceTag/Name"
values = [local.prefix]
}
}
statement {
actions = [
"appsync:GetSchemaCreationStatus",
]
resources = [
"arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
]
}

statement {
actions = [
"logs:DescribeLogGroups",
"logs:ListTagsForResource",
]
resources = [
"arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*"
]
}
}

data "aws_iam_policy_document" "rw" {
Expand Down Expand Up @@ -167,6 +199,69 @@ data "aws_iam_policy_document" "rw" {
"arn:${data.aws_partition.current.id}:iam::${data.aws_caller_identity.current.account_id}:policy/${local.prefix}-*",
]
}

statement {
actions = [
"appsync:CreateGraphqlApi",
]
resources = [
"arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
]
condition {
test = "StringEquals"
variable = "aws:RequestTag/Name"
values = [local.prefix]
}
}

statement {
actions = [
"appsync:StartSchemaCreation",
]
resources = [
"arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
]
}

statement {
actions = [
"appsync:UpdateGraphqlApi",
"appsync:DeleteGraphqlApi",
"appsync:TagResource",
"appsync:UntagResource",
]
resources = [
"arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
]
condition {
test = "StringEquals"
variable = "aws:ResourceTag/Name"
values = [local.prefix]
}
}

statement {
actions = [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:TagResource",
"logs:UntagResource",
"logs:PutRetentionPolicy",
]
resources = [
"arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*"
]
}

statement {
actions = ["iam:CreateServiceLinkedRole"]
resources = ["*"]
condition {
test = "StringEquals"
variable = "iam:AWSServiceName"
values = ["appsync.${data.aws_partition.current.dns_suffix}"]
}
}
}

data "aws_iam_policy_document" "rw_boundary" {
Expand Down Expand Up @@ -286,4 +381,72 @@ data "aws_iam_policy_document" "rw_boundary" {
"arn:${data.aws_partition.current.id}:iam::${data.aws_caller_identity.current.account_id}:policy/${local.prefix}-*",
]
}

statement {
actions = [
"appsync:CreateGraphqlApi",
]
resources = [
"arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
]
condition {
test = "StringEquals"
variable = "aws:RequestTag/Name"
values = [local.prefix]
}
}

statement {
actions = [
"appsync:StartSchemaCreation",
"appsync:GetSchemaCreationStatus",
]
resources = [
"arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
]
}

statement {
actions = [
"appsync:StartSchemaCreation",
"appsync:UpdateGraphqlApi",
"appsync:DeleteGraphqlApi",
"appsync:TagResource",
"appsync:UntagResource",
"appsync:GetGraphqlApi",
]
resources = [
"arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
]
condition {
test = "StringEquals"
variable = "aws:ResourceTag/Name"
values = [local.prefix]
}
}

statement {
actions = [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:TagResource",
"logs:UntagResource",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"logs:ListTagsForResource",
]
resources = [
"arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*"
]
}

statement {
actions = ["iam:CreateServiceLinkedRole"]
resources = ["*"]
condition {
test = "StringEquals"
variable = "iam:AWSServiceName"
values = ["appsync.${data.aws_partition.current.dns_suffix}"]
}
}
}
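Review bot: In the rw hunk (@@ -167,6 +199,69 @@) the `logs:` statement grants `logs:DeleteLogGroup` and `logs:PutRetentionPolicy` on `log-group:*`, i.e. every log group in the account and region, while the neighbouring AppSync statements are narrowed with an `aws:ResourceTag/Name` condition; the same broad scope is repeated in the rw_boundary hunk. The new graphql.tf names its group `/aws/appsync/${var.prefix}`, so if `local.prefix` carries the same value the resource could be `...:log-group:/aws/appsync/${local.prefix}*` for the create/delete/tag/retention actions (`logs:DescribeLogGroups` may still need `*` depending on its resource-level support — verify against the service authorization reference). `appsync:StartSchemaCreation` and `appsync:GetSchemaCreationStatus` are likewise unconditioned on `:*`, which is plausible since they act on an API id rather than a tagged resource, but a comment saying why the tag condition cannot apply would save the next reader the question. In the rw_boundary hunk `appsync:StartSchemaCreation` appears both in the unconditioned statement and in the tag-conditioned one; the second entry is redundant and can be dropped.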
56 changes: 56 additions & 0 deletions terraform/module/wildsea/graphql.tf
@@ -0,0 +1,56 @@
resource "aws_appsync_graphql_api" "graphql" {

Check warning on line 1 in terraform/module/wildsea/graphql.tf


Codacy Production / Codacy Static Code Analysis

terraform/module/wildsea/graphql.tf#L1

Ensure AppSync is protected by WAF
name = var.prefix
schema = file("../../../graphql/schema.graphql")
authentication_type = "AWS_IAM"
xray_enabled = true

log_config {
cloudwatch_logs_role_arn = aws_iam_role.graphql_log.arn
field_log_level = "ERROR"
}

additional_authentication_provider {
authentication_type = "AMAZON_COGNITO_USER_POOLS"
user_pool_config {
user_pool_id = aws_cognito_user_pool.cognito.id
aws_region = data.aws_region.current.name
}
}

tags = {
Name = var.prefix
}
}

resource "aws_cloudwatch_log_group" "graphql_log" {

Check warning on line 25 in terraform/module/wildsea/graphql.tf


Codacy Production / Codacy Static Code Analysis

terraform/module/wildsea/graphql.tf#L25

By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys.

Check warning on line 25 in terraform/module/wildsea/graphql.tf


Codacy Production / Codacy Static Code Analysis

terraform/module/wildsea/graphql.tf#L25

Ensure CloudWatch log groups retains logs for at least 1 year

Check warning on line 25 in terraform/module/wildsea/graphql.tf


Codacy Production / Codacy Static Code Analysis

terraform/module/wildsea/graphql.tf#L25

Ensure that CloudWatch Log Group is encrypted by KMS
name = "/aws/appsync/${var.prefix}"
retention_in_days = 14

tags = {
Name = var.prefix
}
}

resource "aws_iam_role" "graphql_log" {
name = "${var.prefix}-graphql-log"
assume_role_policy = data.aws_iam_policy_document.graphql_log_assume.json

tags = {
Name = var.prefix
}
}

data "aws_iam_policy_document" "graphql_log_assume" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["appsync.${data.aws_partition.current.dns_suffix}"]
}
}
}

resource "aws_iam_role_policy_attachment" "grahql_log" {
role = aws_iam_role.graphql_log.name
policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
}
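Review bot: The `graphql_log_assume` trust policy lets the `appsync.<dns_suffix>` service principal assume the log role with no `aws:SourceAccount` or `aws:SourceArn` condition, so an AppSync API in another account could in principle be configured to use this role; AWS's confused-deputy guidance for service principals is to pin the calling account or resource. The condition below closes that, assuming this module declares `data.aws_caller_identity.current` the way `iac-roles/policy.tf` does — add the data source if it is missing, and consult the AppSync confused-deputy page if you want the tighter `aws:SourceArn` pin on the API ARN. `schema = file("../../../graphql/schema.graphql")` resolves relative to the working directory, so it breaks when the module is applied from a different depth; `file("${path.module}/../../../graphql/schema.graphql")` pins it to the module and, if I read the tree correctly, reaches the same repo-root `graphql/` directory. The `aws_iam_role_policy_attachment` is named `grahql_log` where every other resource says `graphql_log`; renaming it now avoids a misspelled address living on in state and plans.
```terraform
data "aws_iam_policy_document" "graphql_log_assume" {
  statement {
    # … unchanged: actions and principals …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```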
