Add a mutation to graphql

.codacy.yml

@@ -0,0 +1,4 @@
+---
+exclude_paths:
+  - "graphql/mutation/*/appsync.js"
+  - "graphql/query/*/appsync.js"

.eslintrc.js

@@ -0,0 +1,12 @@
+modules.exports = {
+    extends: ["eslint:recommended"],
+    rules: {
+        "spellcheck/spell-checker": [1,
+            {
+                "skipWords": [
+                    "appsync"
+                ]
+            }
+        ]
+    }
+}

.gitignore

@@ -32,6 +32,9 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
 .validate
 .apply
 plan.tfplan
+
+graphql/node_modules

Makefile

@@ -10,6 +10,8 @@ RW_ROLE = arn:aws:iam::$(ACCOUNT_ID):role/GitHubAction-Wildsea-rw-dev
 
 all: $(TERRAFOM_VALIDATE)
 
+include graphql/graphql.mk
+
 .PHONY: terraform-format
 terraform-format: $(addprefix terraform-format-environment-,$(TERRAFORM_ENVIRONMENTS)) $(addprefix terraform-format-module-,$(TERRAFORM_MODULES))
 	@true
@@ -35,13 +37,16 @@ terraform/environment/aws-dev/.apply: terraform/environment/aws-dev/*.tf terrafo
 	./terraform/environment/aws-dev/deploy.sh $(ACCOUNT_ID) dev
 	touch $@
 
-terraform/environment/wildsea-dev/plan.tfplan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform
+terraform/environment/wildsea-dev/plan.tfplan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform $(GRAPHQL)
 	cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RO_ROLE) \
 		terraform plan -out=./plan.tfplan
 
-terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/plan.tfplan
+terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/plan.tfplan $(GRAPHQL)
 	cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RW_ROLE) \
-		terraform apply ./plan.tfplan
+		terraform apply ./plan.tfplan ; \
+		status=$$? ; \
+		rm -f $< ; \
+		[ "$$status" -eq 0 ]
 	touch $@
 
 terraform/environment/wildsea-dev/.terraform: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf 
@@ -54,3 +59,6 @@ terraform/environment/wildsea-dev/.terraform: terraform/environment/wildsea-dev/
 clean:
 	rm -f terraform/environment/*/.validate
 	rm -f terraform/environment/*/plan.tfplan
+	rm -f graphql/mutation/*/appsync.js
+	rm -f graphql/query/*/appsync.js
+	rm -rf graphql/node_modules

README.md

@@ -86,6 +86,8 @@ If you do not set the secret, then Cognito will be used as the identity source.
 
 ## Development Environment
 
+Install esbuild with `sudo npm install -g --save-exact --save-dev esbuild`
+
 After having set up the AWS Account, use `AWS_PROFILE=<profile> make dev` to
 deploy a development version. If this is a different AWS Account from the real
 deployment, you will need to create an S3 bucket for the state, in the same way

graphql/graphql.mk

@@ -0,0 +1,20 @@
+graphql/%/appsync.js: graphql/node_modules $(wildcard graphql/%/*.ts)
+	cd graphql && \
+	esbuild $*/*.ts \
+		--bundle \
+		--external:"@aws-appsync/utils" \
+		--format=esm \
+		--platform=node \
+		--target=esnext \
+		--sourcemap=inline \
+		--sources-content=false \
+		--outdir=$*
+
+graphql/node_modules: graphql/package.json
+	cd graphql && npm install
+
+GRAPHQL := $(patsubst %.ts,%.js,$(wildcard graphql/*/*/appsync.ts))
+
+.PHONY: graphql
+graphql: $(GRAPHQL)
+	echo $(GRAPHQL)

graphql/mutation/createGame/appsync.ts

@@ -0,0 +1,63 @@
+import { util, Context, DynamoDBPutItemRequest, AppSyncIdentityCognito, PutItemInputAttributeMap } from '@aws-appsync/utils';
+
+/**
+ * A CreateGameInput creates a Game.
+ * They are stored in DynamoDB with a PK of `GAME#<id>` and an SK of `GAME`.
+ * The ID is a UUID
+ * The fireflyUserId is the Cognito ID of the user
+
+input CreateGameInput {
+    name: String!
+    description: String
+}
+
+type Game {
+  id: ID!
+  name: String!
+  description: String
+  publicNotes: String
+  privateNotes: String
+  fireflyUserId: ID!
+  createdAt: AWSDateTime!
+  updatedAt: AWSDateTime!
+}
+ */
+
+interface CreateGameInput {
+  name: string;
+  description?: string;
+}
+
+export function request(ctx: Context<{ input: CreateGameInput }>): DynamoDBPutItemRequest {
+    if (!ctx.identity) {
+        util.error('Unauthorized: Identity information is missing.');
+    }
+
+    const identity = ctx.identity as AppSyncIdentityCognito;
+    if (!identity.sub) {
+        util.error('Unauthorized: User ID is missing.');
+    }
+
+    const { input } = ctx.arguments;
+    const id = util.autoId();
+    const timestamp = util.time.nowISO8601();
+    return {
+        operation: 'PutItem',
+        key: util.dynamodb.toMapValues({ PK: `GAME#${id}`, SK: 'GAME' }),
+        attributeValues: util.dynamodb.toMapValues({
+            ...input,
+            id,
+            fireflyUserId: identity.sub,
+            createdAt: timestamp,
+            updatedAt: timestamp,
+        }) as PutItemInputAttributeMap,
+    };
+}
+
+export function response(ctx: Context): unknown {
+    const { error, result } = ctx;
+    if (error) {
+        return util.appendError(error.message, error.type, result);
+    }
+    return result;
+}

graphql/package.json

@@ -0,0 +1,7 @@
+{
+    "name": "graphql",
+    "version": "1.0.0",
+    "dependencies": {
+        "@aws-appsync/utils": "^1.7.0"
+    }
+}

graphql/schema.graphql

@@ -1,21 +1,17 @@
 type Mutation {
-    createGame(input: CreateGameInput!): Game!
+    createGame(input: CreateGameInput!): Game! @aws_cognito_user_pools
 }
 
 type Query {
-    getGame(input: ID!): Game!
+    getGame(input: ID!): Game! @aws_cognito_user_pools
 }
 
 input CreateGameInput {
     name: String!
     description: String
-    publicNotes: String
-    privateNotes: String
-    fireflyUserId: ID!
-    players: [ID!]!
 }
 
-type Game {
+type Game @aws_cognito_user_pools {
   id: ID!
   name: String!
   description: String

terraform/module/iac-roles/policy.tf

@@ -46,9 +46,9 @@ data "aws_iam_policy_document" "ro" {
     sid = "CognitoIdpGlobal"
     actions = [
       "cognito-idp:DescribeUserPoolDomain",
-      "appsync:SetWebACL",
       "wafv2:GetWebACLForResource",
       "wafv2:GetWebAcl",
+      "appsync:GetResolver",
     ]
     resources = [
       "*"
@@ -194,6 +194,9 @@ data "aws_iam_policy_document" "rw" {
       "cognito-identity:SetIdentityPoolRoles",
       "cognito-identity:TagResource",
       "cognito-identity:UntagResource",
+      "appsync:CreateResolver",
+      "appsync:DeleteResolver",
+      "appsync:SetWebACL",
     ]
     resources = [
       "*"
@@ -389,6 +392,9 @@ data "aws_iam_policy_document" "rw_boundary" {
       "appsync:SetWebACL",
       "wafv2:GetWebACLForResource",
       "wafv2:GetWebAcl",
+      "appsync:CreateResolver",
+      "appsync:DeleteResolver",
+      "appsync:GetResolver",
     ]
     resources = [
       "*"

terraform/module/wildsea/cognito.tf

@@ -27,7 +27,7 @@ resource "aws_cognito_identity_provider" "idp" {
 resource "aws_cognito_user_pool_client" "cognito" {
   name                                 = var.prefix
   user_pool_id                         = aws_cognito_user_pool.cognito.id
-  generate_secret                      = true
+  generate_secret                      = false
   explicit_auth_flows                  = ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH"]
   allowed_oauth_flows_user_pool_client = true
   callback_urls                        = ["https://TODO"]