feat: Add appsync arguments to support appsync security features

README.md

@@ -133,13 +133,13 @@ $ terraform apply
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.37.0 |
 
 ## Modules
 
@@ -194,6 +194,7 @@ No modules.
 | <a name="input_functions"></a> [functions](#input\_functions) | Map of functions to create | `any` | `{}` | no |
 | <a name="input_graphql_api_tags"></a> [graphql\_api\_tags](#input\_graphql\_api\_tags) | Map of tags to add to GraphQL API | `map(string)` | `{}` | no |
 | <a name="input_iam_permissions_boundary"></a> [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN for iam permissions boundary | `string` | `null` | no |
+| <a name="input_introspection_config"></a> [introspection\_config](#input\_introspection\_config) | Whether to enable or disable introspection of the GraphQL API. | `string` | `"ENABLED"` | no |
 | <a name="input_lambda_allowed_actions"></a> [lambda\_allowed\_actions](#input\_lambda\_allowed\_actions) | List of allowed IAM actions for datasources type AWS\_LAMBDA | `list(string)` | <pre>[<br>  "lambda:invokeFunction"<br>]</pre> | no |
 | <a name="input_lambda_authorizer_config"></a> [lambda\_authorizer\_config](#input\_lambda\_authorizer\_config) | Nested argument containing Lambda authorizer configuration. | `map(string)` | `{}` | no |
 | <a name="input_log_cloudwatch_logs_role_arn"></a> [log\_cloudwatch\_logs\_role\_arn](#input\_log\_cloudwatch\_logs\_role\_arn) | Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account. | `string` | `null` | no |
@@ -205,8 +206,10 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | Name of GraphQL API | `string` | `""` | no |
 | <a name="input_openid_connect_config"></a> [openid\_connect\_config](#input\_openid\_connect\_config) | Nested argument containing OpenID Connect configuration. | `map(string)` | `{}` | no |
 | <a name="input_opensearchservice_allowed_actions"></a> [opensearchservice\_allowed\_actions](#input\_opensearchservice\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_OPENSEARCH\_SERVICE | `list(string)` | <pre>[<br>  "es:ESHttpDelete",<br>  "es:ESHttpHead",<br>  "es:ESHttpGet",<br>  "es:ESHttpPost",<br>  "es:ESHttpPut"<br>]</pre> | no |
+| <a name="input_query_depth_limit"></a> [query\_depth\_limit](#input\_query\_depth\_limit) | The maximum depth a query can have in a single request. | `number` | `0` | no |
 | <a name="input_relational_database_allowed_actions"></a> [relational\_database\_allowed\_actions](#input\_relational\_database\_allowed\_actions) | List of allowed IAM actions for datasources type RELATIONAL\_DATABASE | `list(string)` | <pre>[<br>  "rds-data:BatchExecuteStatement",<br>  "rds-data:BeginTransaction",<br>  "rds-data:CommitTransaction",<br>  "rds-data:ExecuteStatement",<br>  "rds-data:RollbackTransaction"<br>]</pre> | no |
 | <a name="input_resolver_caching_ttl"></a> [resolver\_caching\_ttl](#input\_resolver\_caching\_ttl) | Default caching TTL for resolvers when caching is enabled | `number` | `60` | no |
+| <a name="input_resolver_count_limit"></a> [resolver\_count\_limit](#input\_resolver\_count\_limit) | The maximum number of resolvers that can be invoked in a single request. | `number` | `0` | no |
 | <a name="input_resolvers"></a> [resolvers](#input\_resolvers) | Map of resolvers to create | `any` | `{}` | no |
 | <a name="input_schema"></a> [schema](#input\_schema) | The schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration. | `string` | `""` | no |
 | <a name="input_secrets_manager_allowed_actions"></a> [secrets\_manager\_allowed\_actions](#input\_secrets\_manager\_allowed\_actions) | List of allowed IAM actions for secrets manager datasources type RELATIONAL\_DATABASE | `list(string)` | <pre>[<br>  "secretsmanager:GetSecretValue"<br>]</pre> | no |

examples/complete/main.tf

@@ -90,6 +90,10 @@ module "appsync" {
   domain_name_association_enabled = true
   caching_enabled                 = true
 
+  introspection_config = "DISABLED"
+  query_depth_limit    = 10
+  resolver_count_limit = 25
+
   domain_name             = "api.${local.domain}"
   domain_name_description = "My ${random_pet.this.id} AppSync Domain"
   certificate_arn         = module.acm.acm_certificate_arn

main.tf

@@ -15,6 +15,10 @@ resource "aws_appsync_graphql_api" "this" {
   xray_enabled        = var.xray_enabled
   visibility          = var.visibility
 
+  introspection_config = var.introspection_config
+  query_depth_limit    = var.query_depth_limit
+  resolver_count_limit = var.resolver_count_limit
+
   dynamic "log_config" {
     for_each = var.logging_enabled ? [true] : []
 

variables.tf

@@ -321,3 +321,35 @@ variable "functions" {
   type        = any
   default     = {}
 }
+variable "introspection_config" {
+  description = "Whether to enable or disable introspection of the GraphQL API."
+  type        = string
+  default     = "ENABLED"
+
+  validation {
+    condition     = var.introspection_config == "DISABLED" || var.introspection_config == "ENABLED"
+    error_message = "The introspection_config must be either 'DISABLED' or 'ENABLED'."
+  }
+}
+
+variable "query_depth_limit" {
+  description = "The maximum depth a query can have in a single request."
+  type        = number
+  default     = 0
+
+  validation {
+    condition     = var.query_depth_limit >= 0 && var.query_depth_limit <= 75 && floor(var.query_depth_limit) == var.query_depth_limit
+    error_message = "The query depth limit must be an integer between 0 and 75."
+  }
+}
+
+variable "resolver_count_limit" {
+  description = "The maximum number of resolvers that can be invoked in a single request."
+  type        = number
+  default     = 0
+
+  validation {
+    condition     = var.resolver_count_limit >= 0 && var.resolver_count_limit <= 10000 && floor(var.resolver_count_limit) == var.resolver_count_limit
+    error_message = "The resolver count limit must be an integer between 0 and 10000."
+  }
+}

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.1"
+      version = ">= 5.37.0"
     }
   }
 }

wrappers/main.tf

@@ -51,6 +51,7 @@ module "wrapper" {
   functions                           = try(each.value.functions, var.defaults.functions, {})
   graphql_api_tags                    = try(each.value.graphql_api_tags, var.defaults.graphql_api_tags, {})
   iam_permissions_boundary            = try(each.value.iam_permissions_boundary, var.defaults.iam_permissions_boundary, null)
+  introspection_config                = try(each.value.introspection_config, var.defaults.introspection_config, "ENABLED")
   lambda_allowed_actions              = try(each.value.lambda_allowed_actions, var.defaults.lambda_allowed_actions, ["lambda:invokeFunction"])
   lambda_authorizer_config            = try(each.value.lambda_authorizer_config, var.defaults.lambda_authorizer_config, {})
   log_cloudwatch_logs_role_arn        = try(each.value.log_cloudwatch_logs_role_arn, var.defaults.log_cloudwatch_logs_role_arn, null)
@@ -62,8 +63,10 @@ module "wrapper" {
   name                                = try(each.value.name, var.defaults.name, "")
   openid_connect_config               = try(each.value.openid_connect_config, var.defaults.openid_connect_config, {})
   opensearchservice_allowed_actions   = try(each.value.opensearchservice_allowed_actions, var.defaults.opensearchservice_allowed_actions, ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"])
+  query_depth_limit                   = try(each.value.query_depth_limit, var.defaults.query_depth_limit, 0)
   relational_database_allowed_actions = try(each.value.relational_database_allowed_actions, var.defaults.relational_database_allowed_actions, ["rds-data:BatchExecuteStatement", "rds-data:BeginTransaction", "rds-data:CommitTransaction", "rds-data:ExecuteStatement", "rds-data:RollbackTransaction"])
   resolver_caching_ttl                = try(each.value.resolver_caching_ttl, var.defaults.resolver_caching_ttl, 60)
+  resolver_count_limit                = try(each.value.resolver_count_limit, var.defaults.resolver_count_limit, 0)
   resolvers                           = try(each.value.resolvers, var.defaults.resolvers, {})
   schema                              = try(each.value.schema, var.defaults.schema, "")
   secrets_manager_allowed_actions     = try(each.value.secrets_manager_allowed_actions, var.defaults.secrets_manager_allowed_actions, ["secretsmanager:GetSecretValue"])