import type { Construct } from 'constructs';
import { CfnApiKey } from './appsync.generated';
import type { IUserPool } from '../../aws-cognito';
import type { IFunction } from '../../aws-lambda';
import type { Expiration } from '../../core';
import { Duration } from '../../core';
/**
 * Auth provider settings for AppSync Event APIs.
 *
 * Selects one authorization type and carries the type-specific configuration
 * that goes with it. Each `*Config` property below states which
 * `authorizationType` it belongs to and whether it is then required.
 *
 * @see https://docs.aws.amazon.com/appsync/latest/eventapi/configure-event-api-auth.html
 */
export interface AppSyncAuthProvider {
  /**
   * One of the authorization types AppSync supports (see `AppSyncAuthorizationType`).
   *
   * NOTE(review): this property is declared without `?`, so it is required on this
   * interface; the `@default` tag below presumably describes a higher-level default
   * rather than a default for this property — confirm against the consuming construct.
   *
   * @default - `AppSyncAuthorizationType.API_KEY`
   */
  readonly authorizationType: AppSyncAuthorizationType;
  /**
   * Cognito user pool configuration.
   * Required when `authorizationType` is `AppSyncAuthorizationType.USER_POOL`.
   *
   * @default - none
   */
  readonly cognitoConfig?: AppSyncCognitoConfig;
  /**
   * API key configuration (name, description, expiry).
   * May be set when `authorizationType` is `AppSyncAuthorizationType.API_KEY`;
   * when omitted, the defaults documented on `AppSyncApiKeyConfig` apply.
   *
   * @default - name: 'DefaultAPIKey'
   */
  readonly apiKeyConfig?: AppSyncApiKeyConfig;
  /**
   * OpenID Connect configuration.
   * Required when `authorizationType` is `AppSyncAuthorizationType.OIDC`.
   *
   * @default - none
   */
  readonly openIdConnectConfig?: AppSyncOpenIdConnectConfig;
  /**
   * Lambda authorizer configuration.
   * Required when `authorizationType` is `AppSyncAuthorizationType.LAMBDA`.
   *
   * @default - none
   */
  readonly lambdaAuthorizerConfig?: AppSyncLambdaAuthorizerConfig;
}
/**
 * Enum with all possible values for the AppSync authorization type.
 *
 * Member names are the CDK-facing names; the string values are what is handed
 * to AppSync, which is why several of them differ from the member name
 * (e.g. `IAM` is `"AWS_IAM"`).
 */
export declare enum AppSyncAuthorizationType {
  /**
   * API Key authorization type.
   * Callers present an API key created for the API (see `AppSyncApiKeyConfig` / `createAPIKey`).
   */
  API_KEY = "API_KEY",
  /**
   * AWS IAM authorization type.
   * Can be used with Cognito Identity Pool federated credentials.
   */
  IAM = "AWS_IAM",
  /**
   * Cognito User Pool authorization type (configured via `AppSyncCognitoConfig`).
   */
  USER_POOL = "AMAZON_COGNITO_USER_POOLS",
  /**
   * OpenID Connect authorization type (configured via `AppSyncOpenIdConnectConfig`).
   */
  OIDC = "OPENID_CONNECT",
  /**
   * Lambda authorization type: a Lambda function decides whether a request is
   * authorized (configured via `AppSyncLambdaAuthorizerConfig`).
   */
  LAMBDA = "AWS_LAMBDA"
}
/**
 * Configuration for Cognito user pool authorization in AppSync.
 *
 * Used when the auth provider's `authorizationType` is
 * `AppSyncAuthorizationType.USER_POOL`.
 */
export interface AppSyncCognitoConfig {
  /**
   * The Cognito user pool to use as the identity source.
   */
  readonly userPool: IUserPool;
  /**
   * Optional regular expression used to restrict which app client IDs of the
   * user pool are accepted. When omitted no app-client restriction is applied,
   * so any app client of `userPool` is accepted.
   *
   * @default - None
   */
  readonly appIdClientRegex?: string;
}
/**
 * Configuration for API Key authorization in AppSync.
 *
 * An API key is a shared bearer credential: whoever holds the key value can
 * call the API until the key expires, so `expires` is the main control on its
 * blast radius.
 */
export interface AppSyncApiKeyConfig {
  /**
   * Unique name of the API Key.
   *
   * @default - 'DefaultAPIKey'
   */
  readonly name?: string;
  /**
   * Description of the API key.
   *
   * @default - 'Default API Key created by CDK'
   */
  readonly description?: string;
  /**
   * The time from creation after which the API key expires.
   * It must be a minimum of 1 day and a maximum of 365 days from the date of creation.
   * The value is rounded down to the nearest hour.
   *
   * NOTE(review): the 1–365 day bound is stated here as a contract; whether it is
   * enforced at synth time or only by the service is not visible in this file.
   *
   * @default - 7 days rounded down to nearest hour
   */
  readonly expires?: Expiration;
}
/**
 * Configuration for OpenID Connect authorization in AppSync.
 *
 * Used when the auth provider's `authorizationType` is
 * `AppSyncAuthorizationType.OIDC`. Only `oidcProvider` is required; the two
 * `tokenExpiry*` properties add lifetime checks on top of the provider's own
 * token validity, and `clientId` restricts which relying parties are accepted.
 */
export interface AppSyncOpenIdConnectConfig {
  /**
   * The number of milliseconds an OIDC token is valid after being authenticated
   * by the OIDC provider. The `auth_time` claim in the OIDC token is required for
   * this validation to work.
   *
   * When unset, no check against `auth_time` is performed.
   *
   * @default - no validation
   */
  readonly tokenExpiryFromAuth?: number;
  /**
   * The number of milliseconds an OIDC token is valid after being issued to a user.
   * This validation uses the `iat` claim of the OIDC token.
   *
   * When unset, no check against `iat` is performed.
   *
   * @default - no validation
   */
  readonly tokenExpiryFromIssue?: number;
  /**
   * The client identifier of the relying party at the OpenID identity provider.
   * A regular expression can be specified so AppSync can validate against
   * multiple client identifiers at a time.
   *
   * The default accepts any client identifier issued by `oidcProvider`;
   * set this to the client ID(s) actually used by this API to reject tokens
   * that were issued for other applications of the same provider.
   *
   * @example - 'ABCD|CDEF' // where ABCD and CDEF are two different clientId
   * @default - * (All)
   */
  readonly clientId?: string;
  /**
   * The issuer for the OIDC configuration. The issuer returned by discovery must
   * exactly match the value of `iss` in the OIDC token.
   */
  readonly oidcProvider: string;
}
/**
 * Configuration for Lambda authorization in AppSync.
 *
 * Note that you can only have a single AWS Lambda function configured to
 * authorize your API.
 */
export interface AppSyncLambdaAuthorizerConfig {
  /**
   * The authorizer Lambda function. It receives the request's token and decides
   * whether the request is authorized.
   *
   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-lambdaauthorizerconfig.html
   */
  readonly handler: IFunction;
  /**
   * How long authorizer results are cached.
   * Disable caching by setting this to 0.
   *
   * A cached result is reused for the same token until the TTL elapses, so a
   * longer TTL trades fewer invocations for a longer window in which a
   * revoked or changed authorization decision is still honoured.
   *
   * @default Duration.minutes(5)
   */
  readonly resultsCacheTtl?: Duration;
  /**
   * A regular expression for validation of tokens before the Lambda function is called.
   *
   * Tokens that do not match are rejected without invoking `handler`; tokens
   * that match are still passed to `handler`, which remains the authorization
   * decision point. The regex is a cheap pre-filter, not a verification step.
   *
   * @default - no regex filter will be applied.
   */
  readonly validationRegex?: string;
}
/**
 * Exposes methods for defining authorization config for AppSync APIs.
 *
 * NOTE(review): all three methods are typed to return `any`, which disables
 * type checking on their results for callers; the concrete return shape is not
 * visible in this file. Narrowing these to the real return type (or `unknown`)
 * would be a breaking change for callers, so it is flagged here rather than changed.
 */
export interface IAppSyncAuthConfig {
  /**
   * Set up OIDC authorization configuration for AppSync APIs.
   *
   * @param config OIDC settings; see `AppSyncOpenIdConnectConfig` for which
   *               properties are required.
   */
  setupOpenIdConnectConfig(config?: AppSyncOpenIdConnectConfig): any;
  /**
   * Set up Cognito authorization configuration for AppSync APIs.
   *
   * @param config Cognito user pool settings; see `AppSyncCognitoConfig`.
   */
  setupCognitoConfig(config?: AppSyncCognitoConfig): any;
  /**
   * Set up Lambda authorization configuration for AppSync APIs.
   *
   * @param config Lambda authorizer settings; see `AppSyncLambdaAuthorizerConfig`.
   */
  setupLambdaAuthorizerConfig(config?: AppSyncLambdaAuthorizerConfig): any;
}
/**
 * Create an API Key for GraphQL APIs and Event APIs.
 *
 * Produces the L1 `CfnApiKey` resource bound to the given API. When `config`
 * is omitted, the defaults documented on `AppSyncApiKeyConfig` apply
 * (name, description and a 7-day expiry).
 *
 * @param scope  the construct scope the key resource is created in
 * @param apiId  the ID of the AppSync API the key is issued for
 * @param config optional name, description and expiry for the key
 * @returns the created `CfnApiKey` resource
 */
export declare function createAPIKey(scope: Construct, apiId: string, config?: AppSyncApiKeyConfig): CfnApiKey;