aws.graphql-api

Resource Manager for AppSync GraphQLApi

Filters

• api-cache

• config-compliance

• event

• finding

• json-diff

• list-item

• marked-for-op

• ops-item

• reduce

• tag-count

• value

• wafv2-enabled

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

• auto-tag-user

• copy-related-tag

• delete

• invoke-lambda

• invoke-sfn

• mark-for-op

• notify

• post-finding

• post-item

• put-metric

• remove-tag

• rename-tag

• set-wafv2

• tag

• webhook

delete

Delete an AppSync GraphQL API.

example:

policies:
  - name: appsync-delete-unlogged-api
    resource: graphql-api
    filters:
      - type: value
        key: logConfig
        value: absent
    actions:
      - delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - appsync:DeleteGraphqlApi

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App

properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-wafv2

Enable wafv2 protection on AppSync graphqlApi.

example:

policies:
  - name: set-wafv2-for-graphql-api
    resource: graphql-api
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: test-waf-v2
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: test-waf-v2

  - name: unset-wafv2-for-graphql-api
    resource: graphql-api
    filters:
      - type: wafv2-enabled
        state: true
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: test-waf-v2

policies:
  - name: set-wafv2-for-graphql-api-regex
    resource: graphql-api
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: FMManagedWebACLV2-?FMS-TestWebACL

properties:
  force:
    type: boolean
  state:
    type: boolean
  type:
    enum:
    - set-wafv2
  web-acl:
    type: string
required:
- type

Permissions - wafv2:AssociateWebACL, wafv2:DisassociateWebACL, wafv2:ListWebACLs