aws.graphql-api

Resource Manager for AppSync GraphQLApi

Filters

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

delete

Delete an AppSync GraphQL API.

example:

policies:
  - name: appsync-delete-unlogged-api
    resource: graphql-api
    filters:
      - type: value
        key: logConfig
        value: absent
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

Permissions - appsync:DeleteGraphqlApi

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-wafv2

Enable wafv2 protection on AppSync graphqlApi.

example:

policies:
  - name: set-wafv2-for-graphql-api
    resource: graphql-api
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: test-waf-v2
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: test-waf-v2

  - name: unset-wafv2-for-graphql-api
    resource: graphql-api
    filters:
      - type: wafv2-enabled
        state: true
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: test-waf-v2

policies:
  - name: set-wafv2-for-graphql-api-regex
    resource: graphql-api
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: FMManagedWebACLV2-?FMS-TestWebACL
properties:
  force:
    type: boolean
  state:
    type: boolean
  type:
    enum:
    - set-wafv2
  web-acl:
    type: string
required:
- type

Permissions - wafv2:AssociateWebACL, wafv2:DisassociateWebACL, wafv2:ListWebACLs