diff --git a/.gitignore b/.gitignore
index 998dfc7d..7551e3cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,4 +34,4 @@ override.tf.json
 terraform.rc
 .validate
 .apply
-.plan
+plan.tfplan
diff --git a/Makefile b/Makefile
index 3e2707be..1c0e8f87 100644
--- a/Makefile
+++ b/Makefile
@@ -35,13 +35,13 @@ terraform/environment/aws-dev/.apply: terraform/environment/aws-dev/*.tf terrafo
 	./terraform/environment/aws-dev/deploy.sh $(ACCOUNT_ID) dev
 	touch $@
 
-terraform/environment/wildsea-dev/.plan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform
+terraform/environment/wildsea-dev/plan.tfplan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform
 	cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RO_ROLE) \
-	terraform plan -out=./plan
+	terraform plan -out=./plan.tfplan
 
-terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/.plan
+terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/plan.tfplan
 	cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RW_ROLE) \
-	terraform apply ./plan
+	terraform apply ./plan.tfplan
 	touch $@
 
 terraform/environment/wildsea-dev/.terraform: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf
@@ -49,3 +49,8 @@ terraform/environment/wildsea-dev/.terraform: terraform/environment/wildsea-dev/
 	-backend-config=bucket=terraform-state-$(ACCOUNT_ID) \
 	-backend-config=key=dev/terraform.tfstate \
 	-backend-config=region=$(AWS_REGION)
+
+.PHONY: clean
+clean:
+	rm -f terraform/environment/*/.validate
+	rm -f terraform/environment/*/plan.tfplan
diff --git a/terraform/environment/wildsea-dev/plan b/terraform/environment/wildsea-dev/plan
index ca1bf49a..43dadce6 100644
Binary files a/terraform/environment/wildsea-dev/plan and b/terraform/environment/wildsea-dev/plan differ
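Review bot: The rename to `plan.tfplan` fixes the ignore-pattern mismatch going forward, but the already-committed binary `terraform/environment/wildsea-dev/plan` stays tracked (this same commit updates its contents), and neither the new `.gitignore` entry nor the new `clean` target in the second Makefile hunk removes it. A Terraform plan file embeds the planned attributes of every resource, including values Terraform would otherwise mark sensitive, so a tracked one is a data-exposure risk that should be dropped from the tree with `git rm --cached terraform/environment/wildsea-dev/plan` and covered by `clean` via `rm -f terraform/environment/*/plan`. Note that the file remains in history even after removal, so anyone relying on the plan contents being private should treat earlier commits accordingly. The `clean` target itself is correctly declared `.PHONY`.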
diff --git a/terraform/module/iac-roles/policy.tf b/terraform/module/iac-roles/policy.tf
index 79476b04..e1c8ffd7 100644
--- a/terraform/module/iac-roles/policy.tf
+++ b/terraform/module/iac-roles/policy.tf
@@ -95,6 +95,7 @@ data "aws_iam_policy_document" "ro" {
   statement {
     actions = [
       "appsync:GetSchemaCreationStatus",
+      "appsync:GetDataSource",
     ]
     resources = [
       "arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
@@ -233,6 +234,8 @@ data "aws_iam_policy_document" "rw" {
   statement {
     actions = [
       "appsync:StartSchemaCreation",
+      "appsync:CreateDataSource",
+      "appsync:DeleteDataSource",
     ]
     resources = [
       "arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
@@ -457,6 +460,9 @@ data "aws_iam_policy_document" "rw_boundary" {
     actions = [
       "appsync:StartSchemaCreation",
       "appsync:GetSchemaCreationStatus",
+      "appsync:CreateDataSource",
+      "appsync:DeleteDataSource",
+      "appsync:GetDataSource",
     ]
     resources = [
       "arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
diff --git a/terraform/module/wildsea/graphql.tf b/terraform/module/wildsea/graphql.tf
index 53167286..0ff576bc 100644
--- a/terraform/module/wildsea/graphql.tf
+++ b/terraform/module/wildsea/graphql.tf
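Review bot: The `rw` statement grants `appsync:CreateDataSource` and `appsync:DeleteDataSource` but not `appsync:UpdateDataSource`, so an in-place change to the new datasource (its description or service role, say) would, as far as I can tell, be denied under the RW role; the `rw_boundary` hunk has the same gap, and the boundary must also carry it or the permission is ineffective. Adding `"appsync:UpdateDataSource",` to both statements keeps create/update/delete symmetric and avoids a plan that only fails at apply time. Creating a datasource with a `service_role_arn` additionally requires the applying principal to hold `iam:PassRole` on that role; whether the rest of `rw` grants that is outside these hunks. The enclosing `statement` blocks and all three policy documents start and end outside the hunks.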
@@ -167,3 +167,62 @@ resource "aws_wafv2_web_acl" "graphql" {
     Name = var.prefix
   }
 }
+
+resource "aws_appsync_datasource" "graphql" {
+  api_id = aws_appsync_graphql_api.graphql.id
+  name = replace(var.prefix, "-", "_")
+  type = "AMAZON_DYNAMODB"
+  service_role_arn = aws_iam_role.graphql_datasource.arn
+  description = "DynamoDB Resolver"
+
+  dynamodb_config {
+    table_name = aws_dynamodb_table.table.name
+    region = data.aws_region.current.name
+  }
+}
+
+resource "aws_iam_role" "graphql_datasource" {
+  name = "${var.prefix}-graphql-datasource"
+  assume_role_policy = data.aws_iam_policy_document.graphql_datasource_assume.json
+
+  tags = {
+    Name = var.prefix
+  }
+}
+
+data "aws_iam_policy_document" "graphql_datasource_assume" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "Service"
+      identifiers = ["appsync.${data.aws_partition.current.dns_suffix}"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "graphql_datasource" {
+  name = "${var.prefix}-graphql-datasource"
+  policy = data.aws_iam_policy_document.graphql_datasource.json
+
+  tags = {
+    Name = var.prefix
+  }
+}
+
+data "aws_iam_policy_document" "graphql_datasource" {
+  statement {
+    actions = [
+      "dynamodb:BatchGetItem",
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:UpdateutItem",
+      "dynamodb:Query",
+    ]
+    resources = [aws_dynamodb_table.table.arn]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "graphql_datasource" {
+  role = aws_iam_role.graphql_datasource.name
+  policy_arn = aws_iam_policy.graphql_datasource.arn
+}
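Review bot: `"dynamodb:UpdateutItem"` in data `graphql_datasource` is a typo for `"dynamodb:UpdateItem"`, so the resolver role is granted an action that does not exist and any UpdateItem a resolver issues will be denied; IAM does not, as far as I know, reject a misspelled action at create time, so this will apply cleanly and only surface as AccessDenied at runtime. Change the line to `"dynamodb:UpdateItem",`. Separately, the `graphql_datasource_assume` statement trusts the whole AppSync service principal with no condition, which is the classic confused-deputy shape for service roles; adding a `condition` on `aws:SourceAccount` (and `aws:SourceArn` set to the API's ARN) limits the role to this account's API, and neither key creates a dependency cycle here since the datasource already depends on both the API and the role. The policy also omits `dynamodb:DeleteItem`, which is a reasonable least-privilege choice if no resolver deletes, but deserves a one-line comment saying it is deliberate.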