Add a mutation to graphql

.gitignore

@@ -32,6 +32,9 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
 .validate
 .apply
 plan.tfplan
+
+graphql/node_modules

Makefile

@@ -10,6 +10,8 @@ RW_ROLE = arn:aws:iam::$(ACCOUNT_ID):role/GitHubAction-Wildsea-rw-dev
 
 all: $(TERRAFOM_VALIDATE)
 
+include graphql/graphql.mk
+
 .PHONY: terraform-format
 terraform-format: $(addprefix terraform-format-environment-,$(TERRAFORM_ENVIRONMENTS)) $(addprefix terraform-format-module-,$(TERRAFORM_MODULES))
 	@true
@@ -35,13 +37,16 @@ terraform/environment/aws-dev/.apply: terraform/environment/aws-dev/*.tf terrafo
 	./terraform/environment/aws-dev/deploy.sh $(ACCOUNT_ID) dev
 	touch $@
 
-terraform/environment/wildsea-dev/plan.tfplan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform
+terraform/environment/wildsea-dev/plan.tfplan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform $(GRAPHQL)
 	cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RO_ROLE) \
 		terraform plan -out=./plan.tfplan
 
-terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/plan.tfplan
+terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/plan.tfplan $(GRAPHQL)
 	cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RW_ROLE) \
-		terraform apply ./plan.tfplan
+		terraform apply ./plan.tfplan ; \
+		status=$$? ; \
+		rm -f $< ; \
+		[ "$$status" -eq 0 ]
 	touch $@
 
 terraform/environment/wildsea-dev/.terraform: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf 
@@ -54,3 +59,6 @@ terraform/environment/wildsea-dev/.terraform: terraform/environment/wildsea-dev/
 clean:
 	rm -f terraform/environment/*/.validate
 	rm -f terraform/environment/*/plan.tfplan
+	rm -f graphql/mutation/*/appsync.js
+	rm -f graphql/query/*/appsync.js
+	rm -rf graphql/node_modules

README.md

@@ -86,6 +86,8 @@ If you do not set the secret, then Cognito will be used as the identity source.
 
 ## Development Environment
 
+Install esbuild with `sudo npm install -g --save-exact --save-dev esbuild`
+
 After having set up the AWS Account, use `AWS_PROFILE=<profile> make dev` to
 deploy a development version. If this is a different AWS Account from the real
 deployment, you will need to create an S3 bucket for the state, in the same way

graphql/graphql.mk

@@ -0,0 +1,20 @@
+graphql/%/appsync.js: graphql/node_modules $(wildcard graphql/%/*.ts)
+	cd graphql && \
+	esbuild $*/*.ts \
+		--bundle \
+		--external:"@aws-appsync/utils" \
+		--format=esm \
+		--platform=node \
+		--target=esnext \
+		--sourcemap=inline \
+		--sources-content=false \
+		--outdir=$*
+
+graphql/node_modules: graphql/package.json
+	cd graphql && npm install
+
+GRAPHQL := $(patsubst %.ts,%.js,$(wildcard graphql/*/*/appsync.ts))
+
+.PHONY: graphql
+graphql: $(GRAPHQL)
+	echo $(GRAPHQL)

graphql/mutation/createGame/appsync.ts

@@ -0,0 +1,63 @@
+import { util, Context, DynamoDBPutItemRequest, AppSyncIdentityCognito } from '@aws-appsync/utils';
+
+/**
+ * A CreateGameInput creates a Game.
+ * They are stored in DynamoDB with a PK of `GAME#<id>` and an SK of `GAME`.
+ * The ID is a UUID
+ * The fireflyUserId is the Cognito ID of the user
+
+input CreateGameInput {
+    name: String!
+    description: String
+}
+
+type Game {
+  id: ID!
+  name: String!
+  description: String
+  publicNotes: String
+  privateNotes: String
+  fireflyUserId: ID!
+  createdAt: AWSDateTime!
+  updatedAt: AWSDateTime!
+}
+ */
+
+interface CreateGameInput {
+  name: string;
+  description?: string;
+}
+
+export function request(ctx: Context<{ input: CreateGameInput }>): DynamoDBPutItemRequest {
+    if (!ctx.identity) {
+        util.error('Unauthorized: Identity information is missing.');
+    }
+
+    const identity = ctx.identity as AppSyncIdentityCognito;
+    if (!identity.sub) {
+        util.error('Unauthorized: User ID is missing.');
+    }
+
+    const { input } = ctx.arguments;
+    const id = util.autoId();
+    const timestamp = util.time.nowISO8601();
+    return {
+        operation: 'PutItem',
+        key: util.dynamodb.toMapValues({ PK: `GAME#${id}`, SK: 'GAME' }),
+        attributeValues: util.dynamodb.toMapValues({
+            ...input,
+            id,
+            fireflyUserId: identity.sub,
+            createdAt: timestamp,
+            updatedAt: timestamp,
+        }),
+    };
+}
+
+export function response(ctx: Context): unknown {
+    const { error, result } = ctx;
+    if (error) {
+        return util.appendError(error.message, error.type, result);
+    }
+    return result;
+}

graphql/package.json

@@ -0,0 +1,7 @@
+{
+    "name": "graphql",
+    "version": "1.0.0",
+    "dependencies": {
+        "@aws-appsync/utils": "^1.7.0"
+    }
+}

graphql/schema.graphql

@@ -1,21 +1,17 @@
 type Mutation {
-    createGame(input: CreateGameInput!): Game!
+    createGame(input: CreateGameInput!): Game! @aws_cognito_user_pools
 }
 
 type Query {
-    getGame(input: ID!): Game!
+    getGame(input: ID!): Game! @aws_cognito_user_pools
 }
 
 input CreateGameInput {
     name: String!
     description: String
-    publicNotes: String
-    privateNotes: String
-    fireflyUserId: ID!
-    players: [ID!]!
 }
 
-type Game {
+type Game @aws_cognito_user_pools {
   id: ID!
   name: String!
   description: String

terraform/module/iac-roles/policy.tf

@@ -46,9 +46,9 @@ data "aws_iam_policy_document" "ro" {
     sid = "CognitoIdpGlobal"
     actions = [
       "cognito-idp:DescribeUserPoolDomain",
-      "appsync:SetWebACL",
       "wafv2:GetWebACLForResource",
       "wafv2:GetWebAcl",
+      "appsync:GetResolver",
     ]
     resources = [
       "*"
@@ -194,6 +194,9 @@ data "aws_iam_policy_document" "rw" {
       "cognito-identity:SetIdentityPoolRoles",
       "cognito-identity:TagResource",
       "cognito-identity:UntagResource",
+      "appsync:CreateResolver",
+      "appsync:DeleteResolver",
+      "appsync:SetWebACL",
     ]
     resources = [
       "*"
@@ -389,6 +392,9 @@ data "aws_iam_policy_document" "rw_boundary" {
       "appsync:SetWebACL",
       "wafv2:GetWebACLForResource",
       "wafv2:GetWebAcl",
+      "appsync:CreateResolver",
+      "appsync:DeleteResolver",
+      "appsync:GetResolver",
     ]
     resources = [
       "*"

terraform/module/wildsea/cognito.tf

@@ -27,7 +27,7 @@ resource "aws_cognito_identity_provider" "idp" {
 resource "aws_cognito_user_pool_client" "cognito" {
   name                                 = var.prefix
   user_pool_id                         = aws_cognito_user_pool.cognito.id
-  generate_secret                      = true
+  generate_secret                      = false
   explicit_auth_flows                  = ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH"]
   allowed_oauth_flows_user_pool_client = true
   callback_urls                        = ["https://TODO"]

terraform/module/wildsea/graphql.tf

@@ -226,3 +226,62 @@ resource "aws_iam_role_policy_attachment" "graphql_datasource" {
   role       = aws_iam_role.graphql_datasource.name
   policy_arn = aws_iam_policy.graphql_datasource.arn
 }
+
+locals {
+  mutations = distinct([for d in fileset("${path.module}/../../../graphql/mutation", "**") : dirname(d)])
+  queries   = distinct([for d in fileset("${path.module}/../../../graphql/query", "**") : dirname(d)])
+
+  mutations_map = {
+    for mutation in local.mutations : replace(mutation, "../../../graphql/mutation/", "") => {
+      "type" : "Mutation",
+      "path" : "../../../graphql/mutation/${mutation}/appsync.js",
+      "make" : "graphql/mutation/${mutation}/appsync.js",
+      "source" : "../../../graphql/mutation/${mutation}/appsync.ts"
+    }
+  }
+
+  queries_map = {
+    for query in local.queries : replace(query, "../../../graphql/query/", "") => {
+      "type" : "Query",
+      "path" : "../../../graphql/query/${query}/appsync.js",
+      "make" : "graphql/query/${query}/appsync.js",
+      "source" : "../../../graphql/query/${query}/appsync.ts"
+    }
+  }
+
+  all = merge(local.mutations_map, local.queries_map)
+}
+
+resource "aws_appsync_resolver" "resolver" {
+  for_each = local.all
+
+  api_id      = aws_appsync_graphql_api.graphql.id
+  type        = each.value.type
+  field       = each.key
+  data_source = aws_appsync_datasource.graphql.name
+  code        = data.local_file.graphql_code[each.key].content
+
+  runtime {
+    name            = "APPSYNC_JS"
+    runtime_version = "1.0.0"
+  }
+}
+
+resource "null_resource" "graphql_compile" {
+  for_each = local.all
+
+  provisioner "local-exec" {
+    command = "cd ${path.module}/../../.. && make ${each.value.make}"
+  }
+
+  triggers = {
+    source_change = filesha256(each.value.source)
+    dest_file     = each.value.path
+  }
+}
+
+data "local_file" "graphql_code" {
+  for_each = local.all
+
+  filename = null_resource.graphql_compile[each.key].triggers.dest_file
+}