Viewing docs for AWS v5.43.0 (Older version)
published on Tuesday, Mar 10, 2026 by Pulumi

    Provides an AppSync GraphQL API.

    Example Usage

    API Key Authentication

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.AppSync.GraphQLApi("example", new()
        {
            AuthenticationType = "API_KEY",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/appsync"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := appsync.NewGraphQLApi(ctx, "example", &appsync.GraphQLApiArgs{
    			AuthenticationType: pulumi.String("API_KEY"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new GraphQLApi("example", GraphQLApiArgs.builder()        
                .authenticationType("API_KEY")
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // API_KEY is the only authorization mode configured here. Callers present a
    // shared static key rather than a per-user identity, so treat the key as a
    // secret and keep this mode for public or prototype data. The key itself is
    // a separate resource (aws.appsync.ApiKey) and is not created by this snippet.
    const apiKeyOnlyArgs = {
        authenticationType: "API_KEY",
    };
    const example = new aws.appsync.GraphQLApi("example", apiKeyOnlyArgs);
    
    import pulumi
    import pulumi_aws as aws
    
    # API_KEY is the only authorization mode configured here. Callers present a
    # shared static key rather than a per-user identity, so treat the key as a
    # secret and keep this mode for public or prototype data.
    api_settings = {"authentication_type": "API_KEY"}
    example = aws.appsync.GraphQLApi("example", **api_settings)
    
    resources:
      example:
        type: aws:appsync:GraphQLApi
        properties:
          authenticationType: API_KEY
    

    AWS IAM Authentication

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.AppSync.GraphQLApi("example", new()
        {
            AuthenticationType = "AWS_IAM",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/appsync"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := appsync.NewGraphQLApi(ctx, "example", &appsync.GraphQLApiArgs{
    			AuthenticationType: pulumi.String("AWS_IAM"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new GraphQLApi("example", GraphQLApiArgs.builder()        
                .authenticationType("AWS_IAM")
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.appsync.GraphQLApi("example", {authenticationType: "AWS_IAM"});
    
    import pulumi
    import pulumi_aws as aws
    
    # AWS_IAM mode: requests must be signed with AWS credentials, and the calling
    # principal's IAM policy (appsync:GraphQL on this API) decides what it may run.
    iam_api_settings = {"authentication_type": "AWS_IAM"}
    example = aws.appsync.GraphQLApi("example", **iam_api_settings)
    
    resources:
      example:
        type: aws:appsync:GraphQLApi
        properties:
          authenticationType: AWS_IAM
    

    AWS Cognito User Pool Authentication

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.AppSync.GraphQLApi("example", new()
        {
            AuthenticationType = "AMAZON_COGNITO_USER_POOLS",
            UserPoolConfig = new Aws.AppSync.Inputs.GraphQLApiUserPoolConfigArgs
            {
                AwsRegion = data.Aws_region.Current.Name,
                DefaultAction = "DENY",
                UserPoolId = aws_cognito_user_pool.Example.Id,
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/appsync"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := appsync.NewGraphQLApi(ctx, "example", &appsync.GraphQLApiArgs{
    			AuthenticationType: pulumi.String("AMAZON_COGNITO_USER_POOLS"),
    			UserPoolConfig: &appsync.GraphQLApiUserPoolConfigArgs{
    				AwsRegion:     pulumi.Any(data.Aws_region.Current.Name),
    				DefaultAction: pulumi.String("DENY"),
    				UserPoolId:    pulumi.Any(aws_cognito_user_pool.Example.Id),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import com.pulumi.aws.appsync.inputs.GraphQLApiUserPoolConfigArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new GraphQLApi("example", GraphQLApiArgs.builder()        
                .authenticationType("AMAZON_COGNITO_USER_POOLS")
                .userPoolConfig(GraphQLApiUserPoolConfigArgs.builder()
                    .awsRegion(data.aws_region().current().name())
                    .defaultAction("DENY")
                    .userPoolId(aws_cognito_user_pool.example().id())
                    .build())
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Uses an Amazon Cognito user pool as the API's authorization mode.
    // NOTE(review): `data.aws_region.current` and `aws_cognito_user_pool.example` are
    // not declared anywhere in this snippet; replace them with a real region lookup
    // and a user-pool resource before using it.
    const example = new aws.appsync.GraphQLApi("example", {
        authenticationType: "AMAZON_COGNITO_USER_POOLS",
        userPoolConfig: {
            awsRegion: data.aws_region.current.name,
            // Action applied to requests that do not match this user-pool
            // configuration. DENY fails closed; presumably ALLOW is the only other
            // accepted value (confirm against the provider reference).
            defaultAction: "DENY",
            userPoolId: aws_cognito_user_pool.example.id,
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Uses an Amazon Cognito user pool as the API's authorization mode.
    # NOTE(review): `data` and `aws_cognito_user_pool` are not defined anywhere in this
    # snippet; replace them with a real region lookup and a user-pool resource.
    example = aws.appsync.GraphQLApi("example",
        authentication_type="AMAZON_COGNITO_USER_POOLS",
        user_pool_config=aws.appsync.GraphQLApiUserPoolConfigArgs(
            aws_region=data["aws_region"]["current"]["name"],
            # Action applied to requests that do not match this user-pool
            # configuration. DENY fails closed (confirm semantics in the provider reference).
            default_action="DENY",
            user_pool_id=aws_cognito_user_pool["example"]["id"],
        ))
    
    resources:
      example:
        type: aws:appsync:GraphQLApi
        properties:
          authenticationType: AMAZON_COGNITO_USER_POOLS
          userPoolConfig:
            awsRegion: ${data.aws_region.current.name}
            defaultAction: DENY
            userPoolId: ${aws_cognito_user_pool.example.id}
    

    OpenID Connect Authentication

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.AppSync.GraphQLApi("example", new()
        {
            AuthenticationType = "OPENID_CONNECT",
            OpenidConnectConfig = new Aws.AppSync.Inputs.GraphQLApiOpenidConnectConfigArgs
            {
                Issuer = "https://example.com",
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/appsync"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := appsync.NewGraphQLApi(ctx, "example", &appsync.GraphQLApiArgs{
    			AuthenticationType: pulumi.String("OPENID_CONNECT"),
    			OpenidConnectConfig: &appsync.GraphQLApiOpenidConnectConfigArgs{
    				Issuer: pulumi.String("https://example.com"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import com.pulumi.aws.appsync.inputs.GraphQLApiOpenidConnectConfigArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new GraphQLApi("example", GraphQLApiArgs.builder()        
                .authenticationType("OPENID_CONNECT")
                .openidConnectConfig(GraphQLApiOpenidConnectConfigArgs.builder()
                    .issuer("https://example.com")
                    .build())
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // OpenID Connect mode: the API accepts tokens issued by `issuer`.
    // NOTE(review): only the issuer is pinned here. The optional `clientId` setting
    // is left unset, so nothing in this configuration restricts tokens to one
    // relying party. Set it when the identity provider serves several applications.
    const oidcSettings = {
        issuer: "https://example.com",
    };
    const example = new aws.appsync.GraphQLApi("example", {
        authenticationType: "OPENID_CONNECT",
        openidConnectConfig: oidcSettings,
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # OpenID Connect mode: the API accepts tokens issued by `issuer`.
    # NOTE(review): only the issuer is pinned here. The optional `client_id` setting
    # is left unset, so nothing in this configuration restricts tokens to one
    # relying party. Set it when the identity provider serves several applications.
    oidc_settings = aws.appsync.GraphQLApiOpenidConnectConfigArgs(
        issuer="https://example.com",
    )
    example = aws.appsync.GraphQLApi("example",
        authentication_type="OPENID_CONNECT",
        openid_connect_config=oidc_settings)
    
    resources:
      example:
        type: aws:appsync:GraphQLApi
        properties:
          authenticationType: OPENID_CONNECT
          openidConnectConfig:
            issuer: https://example.com
    

    AWS Lambda Authorizer Authentication

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.AppSync.GraphQLApi("example", new()
        {
            AuthenticationType = "AWS_LAMBDA",
            LambdaAuthorizerConfig = new Aws.AppSync.Inputs.GraphQLApiLambdaAuthorizerConfigArgs
            {
                AuthorizerUri = "arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer",
            },
        });
    
        var appsyncLambdaAuthorizer = new Aws.Lambda.Permission("appsyncLambdaAuthorizer", new()
        {
            Action = "lambda:InvokeFunction",
            Function = "custom_lambda_authorizer",
            Principal = "appsync.amazonaws.com",
            SourceArn = example.Arn,
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/appsync"
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lambda"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := appsync.NewGraphQLApi(ctx, "example", &appsync.GraphQLApiArgs{
    			AuthenticationType: pulumi.String("AWS_LAMBDA"),
    			LambdaAuthorizerConfig: &appsync.GraphQLApiLambdaAuthorizerConfigArgs{
    				AuthorizerUri: pulumi.String("arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = lambda.NewPermission(ctx, "appsyncLambdaAuthorizer", &lambda.PermissionArgs{
    			Action:    pulumi.String("lambda:InvokeFunction"),
    			Function:  pulumi.Any("custom_lambda_authorizer"),
    			Principal: pulumi.String("appsync.amazonaws.com"),
    			SourceArn: example.Arn,
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import com.pulumi.aws.appsync.inputs.GraphQLApiLambdaAuthorizerConfigArgs;
    import com.pulumi.aws.lambda.Permission;
    import com.pulumi.aws.lambda.PermissionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new GraphQLApi("example", GraphQLApiArgs.builder()        
                .authenticationType("AWS_LAMBDA")
                .lambdaAuthorizerConfig(GraphQLApiLambdaAuthorizerConfigArgs.builder()
                    .authorizerUri("arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer")
                    .build())
                .build());
    
            var appsyncLambdaAuthorizer = new Permission("appsyncLambdaAuthorizer", PermissionArgs.builder()        
                .action("lambda:InvokeFunction")
                .function("custom_lambda_authorizer")
                .principal("appsync.amazonaws.com")
                .sourceArn(example.arn())
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Sample ARN (documentation account id and function name); point this at the
    // real authorizer function, which this snippet does not create.
    const authorizerFunctionArn = "arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer";
    const example = new aws.appsync.GraphQLApi("example", {
        authenticationType: "AWS_LAMBDA",
        lambdaAuthorizerConfig: {
            authorizerUri: authorizerFunctionArn,
        },
    });
    // Resource-based permission that lets the AppSync service invoke the authorizer.
    // sourceArn ties the grant to this one API, so the service principal cannot be
    // used on behalf of some other API to call the function.
    const appsyncLambdaAuthorizer = new aws.lambda.Permission("appsyncLambdaAuthorizer", {
        action: "lambda:InvokeFunction",
        "function": "custom_lambda_authorizer",
        principal: "appsync.amazonaws.com",
        sourceArn: example.arn,
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Sample ARN (documentation account id and function name); point this at the
    # real authorizer function, which this snippet does not create.
    authorizer_function_arn = "arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer"
    authorizer_settings = aws.appsync.GraphQLApiLambdaAuthorizerConfigArgs(
        authorizer_uri=authorizer_function_arn,
    )
    example = aws.appsync.GraphQLApi("example",
        authentication_type="AWS_LAMBDA",
        lambda_authorizer_config=authorizer_settings)
    # Resource-based permission that lets the AppSync service invoke the authorizer.
    # source_arn ties the grant to this one API, so the service principal cannot be
    # used on behalf of some other API to call the function.
    appsync_lambda_authorizer = aws.lambda_.Permission("appsyncLambdaAuthorizer",
        action="lambda:InvokeFunction",
        function="custom_lambda_authorizer",
        principal="appsync.amazonaws.com",
        source_arn=example.arn)
    
    # GraphQL API that delegates authorization to a Lambda function, plus the
    # resource-based permission AppSync needs in order to invoke that function.
    resources:
      example:
        type: aws:appsync:GraphQLApi
        properties:
          authenticationType: AWS_LAMBDA
          lambdaAuthorizerConfig:
            # Sample ARN (documentation account id); replace with the real authorizer function.
            authorizerUri: arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer
      appsyncLambdaAuthorizer:
        type: aws:lambda:Permission
        properties:
          action: lambda:InvokeFunction
          function: custom_lambda_authorizer
          principal: appsync.amazonaws.com
          # Scopes the grant to this API's ARN rather than to every AppSync API.
          sourceArn: ${example.arn}
    

    With Multiple Authentication Providers

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.AppSync.GraphQLApi("example", new()
        {
            AdditionalAuthenticationProviders = new[]
            {
                new Aws.AppSync.Inputs.GraphQLApiAdditionalAuthenticationProviderArgs
                {
                    AuthenticationType = "AWS_IAM",
                },
            },
            AuthenticationType = "API_KEY",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/appsync"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := appsync.NewGraphQLApi(ctx, "example", &appsync.GraphQLApiArgs{
    			AdditionalAuthenticationProviders: appsync.GraphQLApiAdditionalAuthenticationProviderArray{
    				&appsync.GraphQLApiAdditionalAuthenticationProviderArgs{
    					AuthenticationType: pulumi.String("AWS_IAM"),
    				},
    			},
    			AuthenticationType: pulumi.String("API_KEY"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import com.pulumi.aws.appsync.inputs.GraphQLApiAdditionalAuthenticationProviderArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new GraphQLApi("example", GraphQLApiArgs.builder()        
                .additionalAuthenticationProviders(GraphQLApiAdditionalAuthenticationProviderArgs.builder()
                    .authenticationType("AWS_IAM")
                    .build())
                .authenticationType("API_KEY")
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // API_KEY is the default authorization mode; AWS_IAM is accepted as an additional one.
    // NOTE(review): schema fields that carry no auth directive fall under the default
    // mode, so with this ordering they are reachable with the API key alone. Confirm
    // that is intended, or make the stronger mode the default.
    const extraAuthModes = [{
        authenticationType: "AWS_IAM",
    }];
    const example = new aws.appsync.GraphQLApi("example", {
        additionalAuthenticationProviders: extraAuthModes,
        authenticationType: "API_KEY",
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # API_KEY is the default authorization mode; AWS_IAM is accepted as an additional one.
    # NOTE(review): schema fields that carry no auth directive fall under the default
    # mode, so with this ordering they are reachable with the API key alone. Confirm
    # that is intended, or make the stronger mode the default.
    extra_auth_modes = [aws.appsync.GraphQLApiAdditionalAuthenticationProviderArgs(
        authentication_type="AWS_IAM",
    )]
    example = aws.appsync.GraphQLApi("example",
        additional_authentication_providers=extra_auth_modes,
        authentication_type="API_KEY")
    
    resources:
      example:
        type: aws:appsync:GraphQLApi
        properties:
          additionalAuthenticationProviders:
            - authenticationType: AWS_IAM
          authenticationType: API_KEY
    

    With Schema

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.AppSync.GraphQLApi("example", new()
        {
            AuthenticationType = "AWS_IAM",
            Schema = @"schema {
    	query: Query
    }
    type Query {
      test: Int
    }
    
    ",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/appsync"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := appsync.NewGraphQLApi(ctx, "example", &appsync.GraphQLApiArgs{
    			AuthenticationType: pulumi.String("AWS_IAM"),
    			Schema: pulumi.String(`schema {
    	query: Query
    }
    type Query {
      test: Int
    }
    
    `),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new GraphQLApi("example", GraphQLApiArgs.builder()        
                .authenticationType("AWS_IAM")
                .schema("""
    schema {
    	query: Query
    }
    type Query {
      test: Int
    }
    
                """)
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.appsync.GraphQLApi("example", {
        authenticationType: "AWS_IAM",
        schema: `schema {
    	query: Query
    }
    type Query {
      test: Int
    }
    
    `,
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.appsync.GraphQLApi("example",
        authentication_type="AWS_IAM",
        schema="""schema {
    	query: Query
    }
    type Query {
      test: Int
    }
    
    """)
    
    resources:
      example:
        type: aws:appsync:GraphQLApi
        properties:
          authenticationType: AWS_IAM
          schema: |+
            schema {
            	query: Query
            }
            type Query {
              test: Int
            }
    

    Enabling Logging

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "appsync.amazonaws.com",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                },
            },
        });
    
        var exampleRole = new Aws.Iam.Role("exampleRole", new()
        {
            AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var exampleRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("exampleRolePolicyAttachment", new()
        {
            PolicyArn = "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
            Role = exampleRole.Name,
        });
    
        // ... other configuration ...
        var exampleGraphQLApi = new Aws.AppSync.GraphQLApi("exampleGraphQLApi", new()
        {
            LogConfig = new Aws.AppSync.Inputs.GraphQLApiLogConfigArgs
            {
                CloudwatchLogsRoleArn = exampleRole.Arn,
                FieldLogLevel = "ERROR",
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/appsync"
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
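    // main provisions an IAM role that AppSync can assume to write CloudWatch
    // Logs, attaches the AWS-managed logging policy to that role, and creates a
    // GraphQL API whose log configuration uses the role.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Trust policy: only the AppSync service principal may assume the role.
    		assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "Service",
    							Identifiers: []string{
    								"appsync.amazonaws.com",
    							},
    						},
    					},
    					Actions: []string{
    						"sts:AssumeRole",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		exampleRole, err := iam.NewRole(ctx, "exampleRole", &iam.RoleArgs{
    			// pulumi.String is a plain conversion; the generated example
    			// dereferenced it with '*', which does not compile.
    			AssumeRolePolicy: pulumi.String(assumeRole.Json),
    		})
    		if err != nil {
    			return err
    		}
    		// AWS-managed policy that lets the role push logs to CloudWatch.
    		_, err = iam.NewRolePolicyAttachment(ctx, "exampleRolePolicyAttachment", &iam.RolePolicyAttachmentArgs{
    			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"),
    			Role:      exampleRole.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// NOTE(review): AuthenticationType and the rest of the API configuration
    		// are left out of this excerpt and must be supplied in a real program.
    		_, err = appsync.NewGraphQLApi(ctx, "exampleGraphQLApi", &appsync.GraphQLApiArgs{
    			LogConfig: &appsync.GraphQLApiLogConfigArgs{
    				CloudwatchLogsRoleArn: exampleRole.Arn,
    				// Field-level logging is limited to errors.
    				FieldLogLevel: pulumi.String("ERROR"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }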
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.iam.RolePolicyAttachment;
    import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import com.pulumi.aws.appsync.inputs.GraphQLApiLogConfigArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("appsync.amazonaws.com")
                        .build())
                    .actions("sts:AssumeRole")
                    .build())
                .build());
    
            var exampleRole = new Role("exampleRole", RoleArgs.builder()        
                .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
            var exampleRolePolicyAttachment = new RolePolicyAttachment("exampleRolePolicyAttachment", RolePolicyAttachmentArgs.builder()        
                .policyArn("arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs")
                .role(exampleRole.name())
                .build());
    
            var exampleGraphQLApi = new GraphQLApi("exampleGraphQLApi", GraphQLApiArgs.builder()        
                .logConfig(GraphQLApiLogConfigArgs.builder()
                    .cloudwatchLogsRoleArn(exampleRole.arn())
                    .fieldLogLevel("ERROR")
                    .build())
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Trust policy: only the AppSync service principal may assume the logging role.
    const appsyncServicePrincipal = {
        type: "Service",
        identifiers: ["appsync.amazonaws.com"],
    };
    const assumeRole = aws.iam.getPolicyDocument({
        statements: [{
            effect: "Allow",
            principals: [appsyncServicePrincipal],
            actions: ["sts:AssumeRole"],
        }],
    });
    const exampleRole = new aws.iam.Role("exampleRole", {
        assumeRolePolicy: assumeRole.then(policyDoc => policyDoc.json),
    });
    // AWS-managed policy that lets the role push logs to CloudWatch.
    const exampleRolePolicyAttachment = new aws.iam.RolePolicyAttachment("exampleRolePolicyAttachment", {
        policyArn: "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
        role: exampleRole.name,
    });
    // ... other configuration ...
    // Field-level logging is limited to errors. The log config also has an
    // excludeVerboseContent option for keeping headers, context and evaluated
    // mapping templates out of the logs.
    const loggingSettings = {
        cloudwatchLogsRoleArn: exampleRole.arn,
        fieldLogLevel: "ERROR",
    };
    const exampleGraphQLApi = new aws.appsync.GraphQLApi("exampleGraphQLApi", {logConfig: loggingSettings});
    
    import pulumi
    import pulumi_aws as aws
    
    # Trust policy: only the AppSync service principal may assume the logging role.
    appsync_principal = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
        type="Service",
        identifiers=["appsync.amazonaws.com"],
    )
    trust_statement = aws.iam.GetPolicyDocumentStatementArgs(
        effect="Allow",
        principals=[appsync_principal],
        actions=["sts:AssumeRole"],
    )
    assume_role = aws.iam.get_policy_document(statements=[trust_statement])
    example_role = aws.iam.Role("exampleRole", assume_role_policy=assume_role.json)
    # AWS-managed policy that lets the role push logs to CloudWatch.
    example_role_policy_attachment = aws.iam.RolePolicyAttachment("exampleRolePolicyAttachment",
        policy_arn="arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
        role=example_role.name)
    # ... other configuration ...
    # Field-level logging is limited to errors. The log config also has an
    # exclude_verbose_content option for keeping headers, context and evaluated
    # mapping templates out of the logs.
    logging_settings = aws.appsync.GraphQLApiLogConfigArgs(
        cloudwatch_logs_role_arn=example_role.arn,
        field_log_level="ERROR",
    )
    example_graph_ql_api = aws.appsync.GraphQLApi("exampleGraphQLApi", log_config=logging_settings)
    
    # IAM role assumable by AppSync, the AWS-managed CloudWatch logging policy
    # attached to it, and a GraphQL API whose log configuration uses that role.
    resources:
      exampleRole:
        type: aws:iam:Role
        properties:
          # Trust policy comes from the assumeRole variable defined below.
          assumeRolePolicy: ${assumeRole.json}
      exampleRolePolicyAttachment:
        type: aws:iam:RolePolicyAttachment
        properties:
          policyArn: arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs
          role: ${exampleRole.name}
      # NOTE(review): authenticationType and the rest of the API configuration are
      # left out of this excerpt and must be supplied in a real program.
      exampleGraphQLApi:
        type: aws:appsync:GraphQLApi
        properties:
          logConfig:
            cloudwatchLogsRoleArn: ${exampleRole.arn}
            # Field-level logging is limited to errors.
            fieldLogLevel: ERROR
    variables:
      assumeRole:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              # Only the AppSync service principal may assume the role.
              - effect: Allow
                principals:
                  - type: Service
                    identifiers:
                      - appsync.amazonaws.com
                actions:
                  - sts:AssumeRole
    

    Associate Web ACL (v2)

    Example coming soon!

    Example coming soon!

    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.appsync.GraphQLApi;
    import com.pulumi.aws.appsync.GraphQLApiArgs;
    import com.pulumi.aws.wafv2.WebAcl;
    import com.pulumi.aws.wafv2.WebAclArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclDefaultActionAllowArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclRuleArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclRuleOverrideActionArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclRuleStatementManagedRuleGroupStatementArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclRuleVisibilityConfigArgs;
    import com.pulumi.aws.wafv2.inputs.WebAclVisibilityConfigArgs;
    import com.pulumi.aws.wafv2.WebAclAssociation;
    import com.pulumi.aws.wafv2.WebAclAssociationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        // Entry point: hands the stack definition below to the Pulumi runtime.
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        // Declares a GraphQL API, a regional WAFv2 web ACL with one AWS managed rule
        // group, and the association that puts the API behind that web ACL.
        public static void stack(Context ctx) {
            // The API itself uses API_KEY authorization (a shared static key).
            var exampleGraphQLApi = new GraphQLApi("exampleGraphQLApi", GraphQLApiArgs.builder()        
                .authenticationType("API_KEY")
                .build());
    
            var exampleWebAcl = new WebAcl("exampleWebAcl", WebAclArgs.builder()        
                .description("Example of a managed rule.")
                .scope("REGIONAL")
                // Default action is allow: requests that match no rule pass through.
                .defaultAction(WebAclDefaultActionArgs.builder()
                    .allow()
                    .build())
                .rules(WebAclRuleArgs.builder()
                    .name("rule-1")
                    .priority(1)
                    // NOTE(review): override actions on a managed rule group are normally
                    // `none` or `count`; `block` does not look like a valid override here.
                    // Verify against the wafv2 WebAcl reference before relying on it.
                    .overrideAction(WebAclRuleOverrideActionArgs.builder()
                        .block()
                        .build())
                    .statement(WebAclRuleStatementArgs.builder()
                        .managedRuleGroupStatement(WebAclRuleStatementManagedRuleGroupStatementArgs.builder()
                            .name("AWSManagedRulesCommonRuleSet")
                            .vendorName("AWS")
                            .build())
                        .build())
                    // CloudWatch metrics and request sampling are both off for this rule,
                    // so there is no record of what it matches; turn them on where the
                    // ACL's decisions need to be monitored or investigated.
                    .visibilityConfig(WebAclRuleVisibilityConfigArgs.builder()
                        .cloudwatchMetricsEnabled(false)
                        .metricName("friendly-rule-metric-name")
                        .sampledRequestsEnabled(false)
                        .build())
                    .build())
                // Same for the web ACL as a whole: metrics and sampling are disabled.
                .visibilityConfig(WebAclVisibilityConfigArgs.builder()
                    .cloudwatchMetricsEnabled(false)
                    .metricName("friendly-metric-name")
                    .sampledRequestsEnabled(false)
                    .build())
                .build());
    
            // Attaches the web ACL to the GraphQL API by ARN.
            var exampleWebAclAssociation = new WebAclAssociation("exampleWebAclAssociation", WebAclAssociationArgs.builder()        
                .resourceArn(exampleGraphQLApi.arn())
                .webAclArn(exampleWebAcl.arn())
                .build());
    
        }
    }
    


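    # AppSync GraphQL API fronted by a regional WAFv2 web ACL with one AWS managed rule group.
    resources:
      exampleGraphQLApi:
        type: aws:appsync:GraphQLApi
        properties:
          # API_KEY is a shared static key, not a per-caller identity. Other supported types:
          # AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA.
          authenticationType: API_KEY
      # The association is what puts the web ACL in front of the API.
      exampleWebAclAssociation:
        type: aws:wafv2:WebAclAssociation
        properties:
          resourceArn: ${exampleGraphQLApi.arn}
          webAclArn: ${exampleWebAcl.arn}
      exampleWebAcl:
        type: aws:wafv2:WebAcl
        properties:
          description: Example of a managed rule.
          # AppSync is a regional service, so the ACL uses the REGIONAL scope.
          scope: REGIONAL
          # Default-allow: a request that matches no rule is passed through to the API.
          defaultAction:
            allow: {}
          rules:
            - name: rule-1
              priority: 1
              # overrideAction on a rule-group rule accepts only none or count. none keeps the
              # actions defined inside the managed rule group; count would only report matches.
              # The original listing used block here, which overrideAction does not offer.
              overrideAction:
                none: {}
              statement:
                managedRuleGroupStatement:
                  name: AWSManagedRulesCommonRuleSet
                  vendorName: AWS
              # With both flags false the rule emits no CloudWatch metrics and keeps no sampled
              # requests, so matches cannot be reviewed or alerted on.
              visibilityConfig:
                cloudwatchMetricsEnabled: false
                metricName: friendly-rule-metric-name
                sampledRequestsEnabled: false
          # Same visibility trade-off as above, at the web-ACL level.
          visibilityConfig:
            cloudwatchMetricsEnabled: false
            metricName: friendly-metric-name
            sampledRequestsEnabled: false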
    

    Create GraphQLApi Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new GraphQLApi(name: string, args: GraphQLApiArgs, opts?: CustomResourceOptions);
    @overload
    def GraphQLApi(resource_name: str,
                   args: GraphQLApiArgs,
                   opts: Optional[ResourceOptions] = None)
    
    @overload
    def GraphQLApi(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   authentication_type: Optional[str] = None,
                   additional_authentication_providers: Optional[Sequence[GraphQLApiAdditionalAuthenticationProviderArgs]] = None,
                   lambda_authorizer_config: Optional[GraphQLApiLambdaAuthorizerConfigArgs] = None,
                   log_config: Optional[GraphQLApiLogConfigArgs] = None,
                   name: Optional[str] = None,
                   openid_connect_config: Optional[GraphQLApiOpenidConnectConfigArgs] = None,
                   schema: Optional[str] = None,
                   tags: Optional[Mapping[str, str]] = None,
                   user_pool_config: Optional[GraphQLApiUserPoolConfigArgs] = None,
                   xray_enabled: Optional[bool] = None)
    func NewGraphQLApi(ctx *Context, name string, args GraphQLApiArgs, opts ...ResourceOption) (*GraphQLApi, error)
    public GraphQLApi(string name, GraphQLApiArgs args, CustomResourceOptions? opts = null)
    public GraphQLApi(String name, GraphQLApiArgs args)
    public GraphQLApi(String name, GraphQLApiArgs args, CustomResourceOptions options)
    
    type: aws:appsync:GraphQLApi
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args GraphQLApiArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args GraphQLApiArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args GraphQLApiArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args GraphQLApiArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args GraphQLApiArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties. It lists every available input and is not a deployable configuration.

    // Reference listing: every input is set to a placeholder ("string", 0, false); not a deployable configuration.
    var graphQLApiResource = new Aws.AppSync.GraphQLApi("graphQLApiResource", new()
    {
        // Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA.
        AuthenticationType = "string",
        AdditionalAuthenticationProviders = new[]
        {
            new Aws.AppSync.Inputs.GraphQLApiAdditionalAuthenticationProviderArgs
            {
                AuthenticationType = "string",
                LambdaAuthorizerConfig = new Aws.AppSync.Inputs.GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfigArgs
                {
                    AuthorizerUri = "string",
                    AuthorizerResultTtlInSeconds = 0,
                    IdentityValidationExpression = "string",
                },
                OpenidConnectConfig = new Aws.AppSync.Inputs.GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfigArgs
                {
                    Issuer = "string",
                    AuthTtl = 0,
                    ClientId = "string",
                    IatTtl = 0,
                },
                UserPoolConfig = new Aws.AppSync.Inputs.GraphQLApiAdditionalAuthenticationProviderUserPoolConfigArgs
                {
                    UserPoolId = "string",
                    AppIdClientRegex = "string",
                    AwsRegion = "string",
                },
            },
        },
        // NOTE(review): the listing fills the Lambda, OpenID Connect and user-pool configs together;
        // presumably only the one matching AuthenticationType applies — confirm against the nested type docs.
        LambdaAuthorizerConfig = new Aws.AppSync.Inputs.GraphQLApiLambdaAuthorizerConfigArgs
        {
            AuthorizerUri = "string",
            AuthorizerResultTtlInSeconds = 0,
            IdentityValidationExpression = "string",
        },
        LogConfig = new Aws.AppSync.Inputs.GraphQLApiLogConfigArgs
        {
            CloudwatchLogsRoleArn = "string",
            FieldLogLevel = "string",
            // NOTE(review): false presumably leaves verbose sections (headers, context, evaluated
            // mapping templates) in the logs — confirm who can read the log group.
            ExcludeVerboseContent = false,
        },
        Name = "string",
        OpenidConnectConfig = new Aws.AppSync.Inputs.GraphQLApiOpenidConnectConfigArgs
        {
            Issuer = "string",
            AuthTtl = 0,
            ClientId = "string",
            IatTtl = 0,
        },
        Schema = "string",
        Tags = 
        {
            { "string", "string" },
        },
        UserPoolConfig = new Aws.AppSync.Inputs.GraphQLApiUserPoolConfigArgs
        {
            DefaultAction = "string",
            UserPoolId = "string",
            AppIdClientRegex = "string",
            AwsRegion = "string",
        },
        XrayEnabled = false,
    });
    
    // Reference listing: every input is set to a placeholder ("string", 0, false); not a deployable configuration.
    example, err := appsync.NewGraphQLApi(ctx, "graphQLApiResource", &appsync.GraphQLApiArgs{
    	// Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA.
    	AuthenticationType: pulumi.String("string"),
    	AdditionalAuthenticationProviders: appsync.GraphQLApiAdditionalAuthenticationProviderArray{
    		&appsync.GraphQLApiAdditionalAuthenticationProviderArgs{
    			AuthenticationType: pulumi.String("string"),
    			LambdaAuthorizerConfig: &appsync.GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfigArgs{
    				AuthorizerUri:                pulumi.String("string"),
    				AuthorizerResultTtlInSeconds: pulumi.Int(0),
    				IdentityValidationExpression: pulumi.String("string"),
    			},
    			OpenidConnectConfig: &appsync.GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfigArgs{
    				Issuer:   pulumi.String("string"),
    				AuthTtl:  pulumi.Int(0),
    				ClientId: pulumi.String("string"),
    				IatTtl:   pulumi.Int(0),
    			},
    			UserPoolConfig: &appsync.GraphQLApiAdditionalAuthenticationProviderUserPoolConfigArgs{
    				UserPoolId:       pulumi.String("string"),
    				AppIdClientRegex: pulumi.String("string"),
    				AwsRegion:        pulumi.String("string"),
    			},
    		},
    	},
    	// NOTE(review): the listing fills the Lambda, OpenID Connect and user-pool configs together;
    	// presumably only the one matching AuthenticationType applies — confirm against the nested type docs.
    	LambdaAuthorizerConfig: &appsync.GraphQLApiLambdaAuthorizerConfigArgs{
    		AuthorizerUri:                pulumi.String("string"),
    		AuthorizerResultTtlInSeconds: pulumi.Int(0),
    		IdentityValidationExpression: pulumi.String("string"),
    	},
    	LogConfig: &appsync.GraphQLApiLogConfigArgs{
    		CloudwatchLogsRoleArn: pulumi.String("string"),
    		FieldLogLevel:         pulumi.String("string"),
    		// NOTE(review): false presumably leaves verbose sections (headers, context, evaluated
    		// mapping templates) in the logs — confirm who can read the log group.
    		ExcludeVerboseContent: pulumi.Bool(false),
    	},
    	Name: pulumi.String("string"),
    	OpenidConnectConfig: &appsync.GraphQLApiOpenidConnectConfigArgs{
    		Issuer:   pulumi.String("string"),
    		AuthTtl:  pulumi.Int(0),
    		ClientId: pulumi.String("string"),
    		IatTtl:   pulumi.Int(0),
    	},
    	Schema: pulumi.String("string"),
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	UserPoolConfig: &appsync.GraphQLApiUserPoolConfigArgs{
    		DefaultAction:    pulumi.String("string"),
    		UserPoolId:       pulumi.String("string"),
    		AppIdClientRegex: pulumi.String("string"),
    		AwsRegion:        pulumi.String("string"),
    	},
    	XrayEnabled: pulumi.Bool(false),
    })
    
    // Reference listing: every input is set to a placeholder ("string", 0, false); not a deployable configuration.
    var graphQLApiResource = new GraphQLApi("graphQLApiResource", GraphQLApiArgs.builder()
        // Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA.
        .authenticationType("string")
        .additionalAuthenticationProviders(GraphQLApiAdditionalAuthenticationProviderArgs.builder()
            .authenticationType("string")
            .lambdaAuthorizerConfig(GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfigArgs.builder()
                .authorizerUri("string")
                .authorizerResultTtlInSeconds(0)
                .identityValidationExpression("string")
                .build())
            .openidConnectConfig(GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfigArgs.builder()
                .issuer("string")
                .authTtl(0)
                .clientId("string")
                .iatTtl(0)
                .build())
            .userPoolConfig(GraphQLApiAdditionalAuthenticationProviderUserPoolConfigArgs.builder()
                .userPoolId("string")
                .appIdClientRegex("string")
                .awsRegion("string")
                .build())
            .build())
        // NOTE(review): the listing fills the Lambda, OpenID Connect and user-pool configs together;
        // presumably only the one matching authenticationType applies — confirm against the nested type docs.
        .lambdaAuthorizerConfig(GraphQLApiLambdaAuthorizerConfigArgs.builder()
            .authorizerUri("string")
            .authorizerResultTtlInSeconds(0)
            .identityValidationExpression("string")
            .build())
        .logConfig(GraphQLApiLogConfigArgs.builder()
            .cloudwatchLogsRoleArn("string")
            .fieldLogLevel("string")
            // NOTE(review): false presumably leaves verbose sections (headers, context, evaluated
            // mapping templates) in the logs — confirm who can read the log group.
            .excludeVerboseContent(false)
            .build())
        .name("string")
        .openidConnectConfig(GraphQLApiOpenidConnectConfigArgs.builder()
            .issuer("string")
            .authTtl(0)
            .clientId("string")
            .iatTtl(0)
            .build())
        .schema("string")
        .tags(Map.of("string", "string"))
        .userPoolConfig(GraphQLApiUserPoolConfigArgs.builder()
            .defaultAction("string")
            .userPoolId("string")
            .appIdClientRegex("string")
            .awsRegion("string")
            .build())
        .xrayEnabled(false)
        .build());
    
    # Reference listing: every input is set to a placeholder ("string", 0, False); not a deployable configuration.
    graph_ql_api_resource = aws.appsync.GraphQLApi("graphQLApiResource",
        # Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA.
        authentication_type="string",
        additional_authentication_providers=[{
            "authentication_type": "string",
            "lambda_authorizer_config": {
                "authorizer_uri": "string",
                "authorizer_result_ttl_in_seconds": 0,
                "identity_validation_expression": "string",
            },
            "openid_connect_config": {
                "issuer": "string",
                "auth_ttl": 0,
                "client_id": "string",
                "iat_ttl": 0,
            },
            "user_pool_config": {
                "user_pool_id": "string",
                "app_id_client_regex": "string",
                "aws_region": "string",
            },
        }],
        # NOTE(review): the listing fills the Lambda, OpenID Connect and user-pool configs together;
        # presumably only the one matching authentication_type applies — confirm against the nested type docs.
        lambda_authorizer_config={
            "authorizer_uri": "string",
            "authorizer_result_ttl_in_seconds": 0,
            "identity_validation_expression": "string",
        },
        log_config={
            "cloudwatch_logs_role_arn": "string",
            "field_log_level": "string",
            # NOTE(review): False presumably leaves verbose sections (headers, context, evaluated
            # mapping templates) in the logs — confirm who can read the log group.
            "exclude_verbose_content": False,
        },
        name="string",
        openid_connect_config={
            "issuer": "string",
            "auth_ttl": 0,
            "client_id": "string",
            "iat_ttl": 0,
        },
        schema="string",
        tags={
            "string": "string",
        },
        user_pool_config={
            "default_action": "string",
            "user_pool_id": "string",
            "app_id_client_regex": "string",
            "aws_region": "string",
        },
        xray_enabled=False)
    
    // Reference listing: every input is set to a placeholder ("string", 0, false); not a deployable configuration.
    const graphQLApiResource = new aws.appsync.GraphQLApi("graphQLApiResource", {
        // Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA.
        authenticationType: "string",
        additionalAuthenticationProviders: [{
            authenticationType: "string",
            lambdaAuthorizerConfig: {
                authorizerUri: "string",
                authorizerResultTtlInSeconds: 0,
                identityValidationExpression: "string",
            },
            openidConnectConfig: {
                issuer: "string",
                authTtl: 0,
                clientId: "string",
                iatTtl: 0,
            },
            userPoolConfig: {
                userPoolId: "string",
                appIdClientRegex: "string",
                awsRegion: "string",
            },
        }],
        // NOTE(review): the listing fills the Lambda, OpenID Connect and user-pool configs together;
        // presumably only the one matching authenticationType applies — confirm against the nested type docs.
        lambdaAuthorizerConfig: {
            authorizerUri: "string",
            authorizerResultTtlInSeconds: 0,
            identityValidationExpression: "string",
        },
        logConfig: {
            cloudwatchLogsRoleArn: "string",
            fieldLogLevel: "string",
            // NOTE(review): false presumably leaves verbose sections (headers, context, evaluated
            // mapping templates) in the logs — confirm who can read the log group.
            excludeVerboseContent: false,
        },
        name: "string",
        openidConnectConfig: {
            issuer: "string",
            authTtl: 0,
            clientId: "string",
            iatTtl: 0,
        },
        schema: "string",
        tags: {
            string: "string",
        },
        userPoolConfig: {
            defaultAction: "string",
            userPoolId: "string",
            appIdClientRegex: "string",
            awsRegion: "string",
        },
        xrayEnabled: false,
    });
    
    # Reference listing: every input is set to a placeholder (string, 0, false); not a deployable configuration.
    type: aws:appsync:GraphQLApi
    properties:
        additionalAuthenticationProviders:
            - authenticationType: string
              lambdaAuthorizerConfig:
                authorizerResultTtlInSeconds: 0
                authorizerUri: string
                identityValidationExpression: string
              openidConnectConfig:
                authTtl: 0
                clientId: string
                iatTtl: 0
                issuer: string
              userPoolConfig:
                appIdClientRegex: string
                awsRegion: string
                userPoolId: string
        # Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA.
        authenticationType: string
        # NOTE(review): the listing fills the Lambda, OpenID Connect and user-pool configs together;
        # presumably only the one matching authenticationType applies — confirm against the nested type docs.
        lambdaAuthorizerConfig:
            authorizerResultTtlInSeconds: 0
            authorizerUri: string
            identityValidationExpression: string
        logConfig:
            cloudwatchLogsRoleArn: string
            # NOTE(review): false presumably leaves verbose sections (headers, context, evaluated
            # mapping templates) in the logs — confirm who can read the log group.
            excludeVerboseContent: false
            fieldLogLevel: string
        name: string
        openidConnectConfig:
            authTtl: 0
            clientId: string
            iatTtl: 0
            issuer: string
        schema: string
        tags:
            string: string
        userPoolConfig:
            appIdClientRegex: string
            awsRegion: string
            defaultAction: string
            userPoolId: string
        xrayEnabled: false
    

    GraphQLApi Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The GraphQLApi resource accepts the following input properties:

    AuthenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    AdditionalAuthenticationProviders List<GraphQLApiAdditionalAuthenticationProvider>
    One or more additional authentication providers for the GraphqlApi. Defined below.
    LambdaAuthorizerConfig GraphQLApiLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    LogConfig GraphQLApiLogConfig
    Nested argument containing logging configuration. Defined below.
    Name string
    User-supplied name for the GraphqlApi.
    OpenidConnectConfig GraphQLApiOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    Schema string
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    Tags Dictionary<string, string>
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    UserPoolConfig GraphQLApiUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    XrayEnabled bool
    Whether tracing with X-ray is enabled. Defaults to false.
    AuthenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    AdditionalAuthenticationProviders []GraphQLApiAdditionalAuthenticationProviderArgs
    One or more additional authentication providers for the GraphqlApi. Defined below.
    LambdaAuthorizerConfig GraphQLApiLambdaAuthorizerConfigArgs
    Nested argument containing Lambda authorizer configuration. Defined below.
    LogConfig GraphQLApiLogConfigArgs
    Nested argument containing logging configuration. Defined below.
    Name string
    User-supplied name for the GraphqlApi.
    OpenidConnectConfig GraphQLApiOpenidConnectConfigArgs
    Nested argument containing OpenID Connect configuration. Defined below.
    Schema string
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    Tags map[string]string
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    UserPoolConfig GraphQLApiUserPoolConfigArgs
    Amazon Cognito User Pool configuration. Defined below.
    XrayEnabled bool
    Whether tracing with X-ray is enabled. Defaults to false.
    authenticationType String
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    additionalAuthenticationProviders List<GraphQLApiAdditionalAuthenticationProvider>
    One or more additional authentication providers for the GraphqlApi. Defined below.
    lambdaAuthorizerConfig GraphQLApiLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    logConfig GraphQLApiLogConfig
    Nested argument containing logging configuration. Defined below.
    name String
    User-supplied name for the GraphqlApi.
    openidConnectConfig GraphQLApiOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    schema String
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    tags Map<String,String>
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    userPoolConfig GraphQLApiUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    xrayEnabled Boolean
    Whether tracing with X-ray is enabled. Defaults to false.
    authenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    additionalAuthenticationProviders GraphQLApiAdditionalAuthenticationProvider[]
    One or more additional authentication providers for the GraphqlApi. Defined below.
    lambdaAuthorizerConfig GraphQLApiLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    logConfig GraphQLApiLogConfig
    Nested argument containing logging configuration. Defined below.
    name string
    User-supplied name for the GraphqlApi.
    openidConnectConfig GraphQLApiOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    schema string
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    tags {[key: string]: string}
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    userPoolConfig GraphQLApiUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    xrayEnabled boolean
    Whether tracing with X-ray is enabled. Defaults to false.
    authentication_type str
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    additional_authentication_providers Sequence[GraphQLApiAdditionalAuthenticationProviderArgs]
    One or more additional authentication providers for the GraphqlApi. Defined below.
    lambda_authorizer_config GraphQLApiLambdaAuthorizerConfigArgs
    Nested argument containing Lambda authorizer configuration. Defined below.
    log_config GraphQLApiLogConfigArgs
    Nested argument containing logging configuration. Defined below.
    name str
    User-supplied name for the GraphqlApi.
    openid_connect_config GraphQLApiOpenidConnectConfigArgs
    Nested argument containing OpenID Connect configuration. Defined below.
    schema str
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    tags Mapping[str, str]
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    user_pool_config GraphQLApiUserPoolConfigArgs
    Amazon Cognito User Pool configuration. Defined below.
    xray_enabled bool
    Whether tracing with X-ray is enabled. Defaults to false.
    authenticationType String
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    additionalAuthenticationProviders List<Property Map>
    One or more additional authentication providers for the GraphqlApi. Defined below.
    lambdaAuthorizerConfig Property Map
    Nested argument containing Lambda authorizer configuration. Defined below.
    logConfig Property Map
    Nested argument containing logging configuration. Defined below.
    name String
    User-supplied name for the GraphqlApi.
    openidConnectConfig Property Map
    Nested argument containing OpenID Connect configuration. Defined below.
    schema String
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    tags Map<String>
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    userPoolConfig Property Map
    Amazon Cognito User Pool configuration. Defined below.
    xrayEnabled Boolean
    Whether tracing with X-ray is enabled. Defaults to false.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the GraphQLApi resource produces the following output properties:

    Arn string
    ARN
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll Dictionary<string, string>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    Uris Dictionary<string, string>
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    Arn string
    ARN
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll map[string]string
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    Uris map[string]string
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    arn String
    ARN
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String,String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    uris Map<String,String>
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    arn string
    ARN
    id string
    The provider-assigned unique ID for this managed resource.
    tagsAll {[key: string]: string}
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    uris {[key: string]: string}
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    arn str
    ARN
    id str
    The provider-assigned unique ID for this managed resource.
    tags_all Mapping[str, str]
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    uris Mapping[str, str]
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    arn String
    ARN
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    uris Map<String>
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql

    Look up Existing GraphQLApi Resource

    Get an existing GraphQLApi resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: GraphQLApiState, opts?: CustomResourceOptions): GraphQLApi
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            additional_authentication_providers: Optional[Sequence[GraphQLApiAdditionalAuthenticationProviderArgs]] = None,
            arn: Optional[str] = None,
            authentication_type: Optional[str] = None,
            lambda_authorizer_config: Optional[GraphQLApiLambdaAuthorizerConfigArgs] = None,
            log_config: Optional[GraphQLApiLogConfigArgs] = None,
            name: Optional[str] = None,
            openid_connect_config: Optional[GraphQLApiOpenidConnectConfigArgs] = None,
            schema: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            uris: Optional[Mapping[str, str]] = None,
            user_pool_config: Optional[GraphQLApiUserPoolConfigArgs] = None,
            xray_enabled: Optional[bool] = None) -> GraphQLApi
    func GetGraphQLApi(ctx *Context, name string, id IDInput, state *GraphQLApiState, opts ...ResourceOption) (*GraphQLApi, error)
    public static GraphQLApi Get(string name, Input<string> id, GraphQLApiState? state, CustomResourceOptions? opts = null)
    public static GraphQLApi get(String name, Output<String> id, GraphQLApiState state, CustomResourceOptions options)
    # Looks up an existing GraphQLApi by its provider ID instead of creating one.
    resources:
      _:
        type: aws:appsync:GraphQLApi
        get:
          id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AdditionalAuthenticationProviders List<GraphQLApiAdditionalAuthenticationProvider>
    One or more additional authentication providers for the GraphqlApi. Defined below.
    Arn string
    ARN
    AuthenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    LambdaAuthorizerConfig GraphQLApiLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    LogConfig GraphQLApiLogConfig
    Nested argument containing logging configuration. Defined below.
    Name string
    User-supplied name for the GraphqlApi.
    OpenidConnectConfig GraphQLApiOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    Schema string
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    Tags Dictionary<string, string>
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    Uris Dictionary<string, string>
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    UserPoolConfig GraphQLApiUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    XrayEnabled bool
    Whether tracing with X-ray is enabled. Defaults to false.
    AdditionalAuthenticationProviders []GraphQLApiAdditionalAuthenticationProviderArgs
    One or more additional authentication providers for the GraphqlApi. Defined below.
    Arn string
    ARN
    AuthenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    LambdaAuthorizerConfig GraphQLApiLambdaAuthorizerConfigArgs
    Nested argument containing Lambda authorizer configuration. Defined below.
    LogConfig GraphQLApiLogConfigArgs
    Nested argument containing logging configuration. Defined below.
    Name string
    User-supplied name for the GraphqlApi.
    OpenidConnectConfig GraphQLApiOpenidConnectConfigArgs
    Nested argument containing OpenID Connect configuration. Defined below.
    Schema string
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    Tags map[string]string
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    Uris map[string]string
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    UserPoolConfig GraphQLApiUserPoolConfigArgs
    Amazon Cognito User Pool configuration. Defined below.
    XrayEnabled bool
    Whether tracing with X-ray is enabled. Defaults to false.
    additionalAuthenticationProviders List<GraphQLApiAdditionalAuthenticationProvider>
    One or more additional authentication providers for the GraphqlApi. Defined below.
    arn String
    ARN
    authenticationType String
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    lambdaAuthorizerConfig GraphQLApiLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    logConfig GraphQLApiLogConfig
    Nested argument containing logging configuration. Defined below.
    name String
    User-supplied name for the GraphqlApi.
    openidConnectConfig GraphQLApiOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    schema String
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    tags Map<String,String>
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    uris Map<String,String>
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    userPoolConfig GraphQLApiUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    xrayEnabled Boolean
    Whether tracing with X-ray is enabled. Defaults to false.
    additionalAuthenticationProviders GraphQLApiAdditionalAuthenticationProvider[]
    One or more additional authentication providers for the GraphqlApi. Defined below.
    arn string
    ARN
    authenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    lambdaAuthorizerConfig GraphQLApiLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    logConfig GraphQLApiLogConfig
    Nested argument containing logging configuration. Defined below.
    name string
    User-supplied name for the GraphqlApi.
    openidConnectConfig GraphQLApiOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    schema string
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    tags {[key: string]: string}
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    uris {[key: string]: string}
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    userPoolConfig GraphQLApiUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    xrayEnabled boolean
    Whether tracing with X-ray is enabled. Defaults to false.
    additional_authentication_providers Sequence[GraphQLApiAdditionalAuthenticationProviderArgs]
    One or more additional authentication providers for the GraphqlApi. Defined below.
    arn str
    ARN
    authentication_type str
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    lambda_authorizer_config GraphQLApiLambdaAuthorizerConfigArgs
    Nested argument containing Lambda authorizer configuration. Defined below.
    log_config GraphQLApiLogConfigArgs
    Nested argument containing logging configuration. Defined below.
    name str
    User-supplied name for the GraphqlApi.
    openid_connect_config GraphQLApiOpenidConnectConfigArgs
    Nested argument containing OpenID Connect configuration. Defined below.
    schema str
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    tags Mapping[str, str]
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    uris Mapping[str, str]
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    user_pool_config GraphQLApiUserPoolConfigArgs
    Amazon Cognito User Pool configuration. Defined below.
    xray_enabled bool
    Whether tracing with X-ray is enabled. Defaults to false.
    additionalAuthenticationProviders List<Property Map>
    One or more additional authentication providers for the GraphqlApi. Defined below.
    arn String
    ARN
    authenticationType String
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    lambdaAuthorizerConfig Property Map
    Nested argument containing Lambda authorizer configuration. Defined below.
    logConfig Property Map
    Nested argument containing logging configuration. Defined below.
    name String
    User-supplied name for the GraphqlApi.
    openidConnectConfig Property Map
    Nested argument containing OpenID Connect configuration. Defined below.
    schema String
    Schema definition, in GraphQL schema language format. This provider cannot perform drift detection of this configuration.
    tags Map<String>
    Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    uris Map<String>
    Map of URIs associated with the API. E.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
    userPoolConfig Property Map
    Amazon Cognito User Pool configuration. Defined below.
    xrayEnabled Boolean
    Whether tracing with X-ray is enabled. Defaults to false.

    Supporting Types

    GraphQLApiAdditionalAuthenticationProvider, GraphQLApiAdditionalAuthenticationProviderArgs

    AuthenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    LambdaAuthorizerConfig GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    OpenidConnectConfig GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    UserPoolConfig GraphQLApiAdditionalAuthenticationProviderUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    AuthenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    LambdaAuthorizerConfig GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    OpenidConnectConfig GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    UserPoolConfig GraphQLApiAdditionalAuthenticationProviderUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    authenticationType String
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    lambdaAuthorizerConfig GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    openidConnectConfig GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    userPoolConfig GraphQLApiAdditionalAuthenticationProviderUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    authenticationType string
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    lambdaAuthorizerConfig GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    openidConnectConfig GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    userPoolConfig GraphQLApiAdditionalAuthenticationProviderUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    authentication_type str
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    lambda_authorizer_config GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfig
    Nested argument containing Lambda authorizer configuration. Defined below.
    openid_connect_config GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfig
    Nested argument containing OpenID Connect configuration. Defined below.
    user_pool_config GraphQLApiAdditionalAuthenticationProviderUserPoolConfig
    Amazon Cognito User Pool configuration. Defined below.
    authenticationType String
    Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
    lambdaAuthorizerConfig Property Map
    Nested argument containing Lambda authorizer configuration. Defined below.
    openidConnectConfig Property Map
    Nested argument containing OpenID Connect configuration. Defined below.
    userPoolConfig Property Map
    Amazon Cognito User Pool configuration. Defined below.

    GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfig, GraphQLApiAdditionalAuthenticationProviderLambdaAuthorizerConfigArgs

    AuthorizerUri string
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    AuthorizerResultTtlInSeconds int
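    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600. While a response is cached, the authorizer's earlier decision is reused rather than re-evaluated, so a change in what the function would return (for example, after a credential is revoked) only takes effect once the cached entry expires.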
    IdentityValidationExpression string
    Regular expression for validation of tokens before the Lambda function is called.
    AuthorizerUri string
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    AuthorizerResultTtlInSeconds int
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    IdentityValidationExpression string
    Regular expression for validation of tokens before the Lambda function is called.
    authorizerUri String
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    authorizerResultTtlInSeconds Integer
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    identityValidationExpression String
    Regular expression for validation of tokens before the Lambda function is called.
    authorizerUri string
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    authorizerResultTtlInSeconds number
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    identityValidationExpression string
    Regular expression for validation of tokens before the Lambda function is called.
    authorizer_uri str
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    authorizer_result_ttl_in_seconds int
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    identity_validation_expression str
    Regular expression for validation of tokens before the Lambda function is called.
    authorizerUri String
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    authorizerResultTtlInSeconds Number
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    identityValidationExpression String
    Regular expression for validation of tokens before the Lambda function is called.

    GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfig, GraphQLApiAdditionalAuthenticationProviderOpenidConnectConfigArgs

    Issuer string
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    AuthTtl int
    Number of milliseconds a token is valid after being authenticated.
    ClientId string
    Client identifier of the relying party at the OpenID identity provider. This identifier is typically obtained when the relying party is registered with the OpenID identity provider. You can specify a regular expression so that AWS AppSync can validate against multiple client identifiers at a time. Keep such an expression as narrow as possible, because every client identifier it matches will pass this check.
    IatTtl int
    Number of milliseconds a token is valid after being issued to a user.
    Issuer string
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    AuthTtl int
    Number of milliseconds a token is valid after being authenticated.
    ClientId string
    Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
    IatTtl int
    Number of milliseconds a token is valid after being issued to a user.
    issuer String
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    authTtl Integer
    Number of milliseconds a token is valid after being authenticated.
    clientId String
    Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
    iatTtl Integer
    Number of milliseconds a token is valid after being issued to a user.
    issuer string
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    authTtl number
    Number of milliseconds a token is valid after being authenticated.
    clientId string
    Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
    iatTtl number
    Number of milliseconds a token is valid after being issued to a user.
    issuer str
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    auth_ttl int
    Number of milliseconds a token is valid after being authenticated.
    client_id str
    Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
    iat_ttl int
    Number of milliseconds a token is valid after being issued to a user.
    issuer String
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    authTtl Number
    Number of milliseconds a token is valid after being authenticated.
    clientId String
    Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
    iatTtl Number
    Number of milliseconds a token is valid after being issued to a user.

    GraphQLApiAdditionalAuthenticationProviderUserPoolConfig, GraphQLApiAdditionalAuthenticationProviderUserPoolConfigArgs

    UserPoolId string
    User pool ID.
    AppIdClientRegex string
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    AwsRegion string
    AWS region in which the user pool was created.
    UserPoolId string
    User pool ID.
    AppIdClientRegex string
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    AwsRegion string
    AWS region in which the user pool was created.
    userPoolId String
    User pool ID.
    appIdClientRegex String
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    awsRegion String
    AWS region in which the user pool was created.
    userPoolId string
    User pool ID.
    appIdClientRegex string
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    awsRegion string
    AWS region in which the user pool was created.
    user_pool_id str
    User pool ID.
    app_id_client_regex str
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    aws_region str
    AWS region in which the user pool was created.
    userPoolId String
    User pool ID.
    appIdClientRegex String
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    awsRegion String
    AWS region in which the user pool was created.

    GraphQLApiLambdaAuthorizerConfig, GraphQLApiLambdaAuthorizerConfigArgs

    AuthorizerUri string
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    AuthorizerResultTtlInSeconds int
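    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600. While a response is cached, the authorizer's earlier decision is reused rather than re-evaluated, so a change in what the function would return (for example, after a credential is revoked) only takes effect once the cached entry expires.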
    IdentityValidationExpression string
    Regular expression for validation of tokens before the Lambda function is called.
    AuthorizerUri string
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    AuthorizerResultTtlInSeconds int
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    IdentityValidationExpression string
    Regular expression for validation of tokens before the Lambda function is called.
    authorizerUri String
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    authorizerResultTtlInSeconds Integer
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    identityValidationExpression String
    Regular expression for validation of tokens before the Lambda function is called.
    authorizerUri string
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    authorizerResultTtlInSeconds number
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    identityValidationExpression string
    Regular expression for validation of tokens before the Lambda function is called.
    authorizer_uri str
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    authorizer_result_ttl_in_seconds int
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    identity_validation_expression str
    Regular expression for validation of tokens before the Lambda function is called.
    authorizerUri String
    ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
    authorizerResultTtlInSeconds Number
    Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
    identityValidationExpression String
    Regular expression for validation of tokens before the Lambda function is called.

    GraphQLApiLogConfig, GraphQLApiLogConfigArgs

    CloudwatchLogsRoleArn string
    Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account.
    FieldLogLevel string
    Field logging level. Valid values: ALL, ERROR, NONE.
    ExcludeVerboseContent bool
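    Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. Valid values: true, false. Default value: false. With the default, these sections are not excluded from the logs; because headers and context can carry credentials or user data, consider setting this to true or restricting who can read the log group.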
    CloudwatchLogsRoleArn string
    Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account.
    FieldLogLevel string
    Field logging level. Valid values: ALL, ERROR, NONE.
    ExcludeVerboseContent bool
    Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. Valid values: true, false. Default value: false
    cloudwatchLogsRoleArn String
    Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account.
    fieldLogLevel String
    Field logging level. Valid values: ALL, ERROR, NONE.
    excludeVerboseContent Boolean
    Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. Valid values: true, false. Default value: false
    cloudwatchLogsRoleArn string
    Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account.
    fieldLogLevel string
    Field logging level. Valid values: ALL, ERROR, NONE.
    excludeVerboseContent boolean
    Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. Valid values: true, false. Default value: false
    cloudwatch_logs_role_arn str
    Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account.
    field_log_level str
    Field logging level. Valid values: ALL, ERROR, NONE.
    exclude_verbose_content bool
    Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. Valid values: true, false. Default value: false
    cloudwatchLogsRoleArn String
    Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account.
    fieldLogLevel String
    Field logging level. Valid values: ALL, ERROR, NONE.
    excludeVerboseContent Boolean
    Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. Valid values: true, false. Default value: false

    GraphQLApiOpenidConnectConfig, GraphQLApiOpenidConnectConfigArgs

    Issuer string
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    AuthTtl int
    Number of milliseconds a token is valid after being authenticated.
    ClientId string
    Client identifier of the relying party at the OpenID identity provider. This identifier is typically obtained when the relying party is registered with the OpenID identity provider. You can specify a regular expression so that AWS AppSync can validate against multiple client identifiers at a time. Keep such an expression as narrow as possible, because every client identifier it matches will pass this check.
    IatTtl int
    Number of milliseconds a token is valid after being issued to a user.
    Issuer string
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    AuthTtl int
    Number of milliseconds a token is valid after being authenticated.
    ClientId string
    Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
    IatTtl int
    Number of milliseconds a token is valid after being issued to a user.
    issuer String
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    authTtl Integer
    Number of milliseconds a token is valid after being authenticated.
    clientId String
    Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
    iatTtl Integer
    Number of milliseconds a token is valid after being issued to a user.
    issuer string
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    authTtl number
    Number of milliseconds a token is valid after being authenticated.
    clientId string
    Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
    iatTtl number
    Number of milliseconds a token is valid after being issued to a user.
    issuer str
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    auth_ttl int
    Number of milliseconds a token is valid after being authenticated.
    client_id str
    Client identifier of the relying party at the OpenID identity provider. This identifier is typically obtained when the relying party is registered with the OpenID identity provider. You can specify a regular expression so that AWS AppSync can validate against multiple client identifiers at a time; keep the pattern as narrow as possible, because every client identifier it matches passes this check.
    iat_ttl int
    Number of milliseconds a token is valid after being issued to a user.
    issuer String
    Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
    authTtl Number
    Number of milliseconds a token is valid after being authenticated.
    clientId String
    Client identifier of the relying party at the OpenID identity provider. This identifier is typically obtained when the relying party is registered with the OpenID identity provider. You can specify a regular expression so that AWS AppSync can validate against multiple client identifiers at a time; keep the pattern as narrow as possible, because every client identifier it matches passes this check.
    iatTtl Number
    Number of milliseconds a token is valid after being issued to a user.

    GraphQLApiUserPoolConfig, GraphQLApiUserPoolConfigArgs

    DefaultAction string
    Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid values: ALLOW and DENY.
    UserPoolId string
    User pool ID.
    AppIdClientRegex string
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    AwsRegion string
    AWS region in which the user pool was created.
    DefaultAction string
    Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid values: ALLOW and DENY.
    UserPoolId string
    User pool ID.
    AppIdClientRegex string
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    AwsRegion string
    AWS region in which the user pool was created.
    defaultAction String
    Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid values: ALLOW and DENY.
    userPoolId String
    User pool ID.
    appIdClientRegex String
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    awsRegion String
    AWS region in which the user pool was created.
    defaultAction string
    Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid values: ALLOW and DENY.
    userPoolId string
    User pool ID.
    appIdClientRegex string
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    awsRegion string
    AWS region in which the user pool was created.
    default_action str
    Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid values: ALLOW and DENY.
    user_pool_id str
    User pool ID.
    app_id_client_regex str
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    aws_region str
    AWS region in which the user pool was created.
    defaultAction String
    Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid values: ALLOW and DENY.
    userPoolId String
    User pool ID.
    appIdClientRegex String
    Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
    awsRegion String
    AWS region in which the user pool was created.

    Import

    An AppSync GraphQL API can be imported using its GraphQL API ID, e.g.,

     $ pulumi import aws:appsync/graphQLApi:GraphQLApi example 0123456789
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.