feat(appsync): Move appsync permission grants to base class #27818
Conversation
This allows the grant functions to be called for an imported graphql API
github-actions
bot
added
beginning-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
I don't think anything necessarily needs to be added to the current README, as this change should just make a imported API act more like a constructed one. Although I'm happy to modify it if anyone disagrees Exemption Request |
aws-cdk-automation
added
pr-linter/exemption-requested
There was a problem hiding this comment.
Thanks for the contribution, the implementation looks good.
However, a couple of additions are needed (as suggested by the linter):
- An integration test (here) to verify that granting permissions on an imported API works for better coverage
- Some documentation about the fact that permissions are grantable on imported APIs as well (the Permissions section is a good place for it)
vinayak-kukreja
removed
the
pr-linter/exemption-requested
aws-cdk-automation
removed
the
pr/needs-community-review
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
This reverts commit 9e74b05.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| @@ -108,4 +109,29 @@ new Function(stack, 'testFail', { | |||
| environment: { APPSYNC_ENDPOINT: api.graphqlUrl }, | |||
| }); | |||
|
|
|||
| const otherStack = new Stack(app, 'aws-appsync-import-integ'); | |||
There was a problem hiding this comment.
The implementation looks good.
Can you please move it to a separate integ.graphql-import-iam.ts file in the same directory?
| the expected `arn` for the imported api, given the `apiId`. For creating data | ||
| sources and resolvers, an `apiId` is sufficient. | ||
| the expected `arn` for the imported api, given the `apiId`. sources, creating | ||
| resolvers, and granting IAM permissions, an `apiId` is sufficient. |
There was a problem hiding this comment.
Let's instead add a section here:
### Permissions on imported APIs
You can use the `grant` functions on imported GraphQL APIs as well:
```ts
declare const api: appsync.GraphqlApi;
declare const role: iam.Role;
const importedApi = appsync.GraphqlApi.fromGraphqlApiAttributes(this, 'IApi', {
graphqlApiId: api.apiId,
graphqlApiArn: api.arn,
});
// For generic types
importedApi.grantMutation(role, 'updateImportedExample');
// For custom types and granular design
importedApi.grant(role, appsync.IamResource.ofType('Mutation', 'updateImportedExample'), 'appsync:GraphQL');
Feel free to improve it further.
|
@TimQuelch are you still available to work on this? Looks like there are some outstanding action items from the latest review. |
|
Closing for staleness, @TimQuelch feel free to open a new PR if you'd like to continue working on this. |
This allows the grant functions to be called for an API imported with
GraphqlApi.fromGraphqlApiAttributesThe grant methods as they currently exist don't use any properties that are unique to the full GraphqlApi construct. They are able to be moved to GraphqlApiBase and IGraphqlApi without any behavior change.
Closes #23031 .
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license