AWS AppSync Update: AWS AppSync now supports a new authorization mode allowing you to define your own authorization logic using an AWS Lambda function.

Author: AWS

.changes/next-release/feature-AWSAppSync-3b78cda.json

@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS AppSync",
+    "contributor": "",
+    "description": "AWS AppSync now supports a new authorization mode allowing you to define your own authorization logic using an AWS Lambda function."
+}

services/appsync/src/main/resources/codegen-resources/service-2.json

@@ -716,7 +716,7 @@
       "members":{
         "authenticationType":{
           "shape":"AuthenticationType",
-          "documentation":"<p>The authentication type: API key, AWS IAM, OIDC, or Amazon Cognito user pools.</p>"
+          "documentation":"<p>The authentication type: API key, Identity and Access Management, OIDC, or Amazon Cognito user pools.</p>"
         },
         "openIDConnectConfig":{
           "shape":"OpenIDConnectConfig",
@@ -725,6 +725,10 @@
         "userPoolConfig":{
           "shape":"CognitoUserPoolConfig",
           "documentation":"<p>The Amazon Cognito user pool configuration.</p>"
+        },
+        "lambdaAuthorizerConfig":{
+          "shape":"LambdaAuthorizerConfig",
+          "documentation":"<p>Configuration for AWS Lambda function authorization.</p>"
         }
       },
       "documentation":"<p>Describes an additional authentication provider.</p>"
@@ -820,7 +824,7 @@
           "documentation":"<p>The time after which the API key is deleted. The date is represented as seconds since the epoch, rounded down to the nearest hour.</p>"
         }
       },
-      "documentation":"<p>Describes an API key.</p> <p>Customers invoke AWS AppSync GraphQL API operations with API keys as an identity mechanism. There are two key versions:</p> <p> <b>da1</b>: This version was introduced at launch in November 2017. These keys always expire after 7 days. Key expiration is managed by Amazon DynamoDB TTL. The keys ceased to be valid after February 21, 2018 and should not be used after that date.</p> <ul> <li> <p> <code>ListApiKeys</code> returns the expiration time in milliseconds.</p> </li> <li> <p> <code>CreateApiKey</code> returns the expiration time in milliseconds.</p> </li> <li> <p> <code>UpdateApiKey</code> is not available for this key version.</p> </li> <li> <p> <code>DeleteApiKey</code> deletes the item from the table.</p> </li> <li> <p>Expiration is stored in Amazon DynamoDB as milliseconds. This results in a bug where keys are not automatically deleted because DynamoDB expects the TTL to be stored in seconds. As a one-time action, we will delete these keys from the table after February 21, 2018.</p> </li> </ul> <p> <b>da2</b>: This version was introduced in February 2018 when AppSync added support to extend key expiration.</p> <ul> <li> <p> <code>ListApiKeys</code> returns the expiration time and deletion time in seconds.</p> </li> <li> <p> <code>CreateApiKey</code> returns the expiration time and deletion time in seconds and accepts a user-provided expiration time in seconds.</p> </li> <li> <p> <code>UpdateApiKey</code> returns the expiration time and and deletion time in seconds and accepts a user-provided expiration time in seconds. Expired API keys are kept for 60 days after the expiration time. Key expiration time can be updated while the key is not deleted. </p> </li> <li> <p> <code>DeleteApiKey</code> deletes the item from the table.</p> </li> <li> <p>Expiration is stored in Amazon DynamoDB as seconds. After the expiration time, using the key to authenticate will fail. But the key can be reinstated before deletion.</p> </li> <li> <p>Deletion is stored in Amazon DynamoDB as seconds. The key will be deleted after deletion time. </p> </li> </ul>"
+      "documentation":"<p>Describes an API key.</p> <p>Customers invoke AppSync GraphQL API operations with API keys as an identity mechanism. There are two key versions:</p> <p> <b>da1</b>: This version was introduced at launch in November 2017. These keys always expire after 7 days. Key expiration is managed by Amazon DynamoDB TTL. The keys ceased to be valid after February 21, 2018 and should not be used after that date.</p> <ul> <li> <p> <code>ListApiKeys</code> returns the expiration time in milliseconds.</p> </li> <li> <p> <code>CreateApiKey</code> returns the expiration time in milliseconds.</p> </li> <li> <p> <code>UpdateApiKey</code> is not available for this key version.</p> </li> <li> <p> <code>DeleteApiKey</code> deletes the item from the table.</p> </li> <li> <p>Expiration is stored in Amazon DynamoDB as milliseconds. This results in a bug where keys are not automatically deleted because DynamoDB expects the TTL to be stored in seconds. As a one-time action, we will delete these keys from the table after February 21, 2018.</p> </li> </ul> <p> <b>da2</b>: This version was introduced in February 2018 when AppSync added support to extend key expiration.</p> <ul> <li> <p> <code>ListApiKeys</code> returns the expiration time and deletion time in seconds.</p> </li> <li> <p> <code>CreateApiKey</code> returns the expiration time and deletion time in seconds and accepts a user-provided expiration time in seconds.</p> </li> <li> <p> <code>UpdateApiKey</code> returns the expiration time and and deletion time in seconds and accepts a user-provided expiration time in seconds. Expired API keys are kept for 60 days after the expiration time. Key expiration time can be updated while the key is not deleted. </p> </li> <li> <p> <code>DeleteApiKey</code> deletes the item from the table.</p> </li> <li> <p>Expiration is stored in Amazon DynamoDB as seconds. After the expiration time, using the key to authenticate will fail. But the key can be reinstated before deletion.</p> </li> <li> <p>Deletion is stored in Amazon DynamoDB as seconds. The key will be deleted after deletion time. </p> </li> </ul>"
     },
     "ApiKeyLimitExceededException":{
       "type":"structure",
@@ -859,7 +863,8 @@
         "API_KEY",
         "AWS_IAM",
         "AMAZON_COGNITO_USER_POOLS",
-        "OPENID_CONNECT"
+        "OPENID_CONNECT",
+        "AWS_LAMBDA"
       ]
     },
     "AuthorizationConfig":{
@@ -872,7 +877,7 @@
         },
         "awsIamConfig":{
           "shape":"AwsIamConfig",
-          "documentation":"<p>The AWS IAM settings.</p>"
+          "documentation":"<p>The Identity and Access Management settings.</p>"
         }
       },
       "documentation":"<p>The authorization config in case the HTTP endpoint requires authorization.</p>"
@@ -886,14 +891,14 @@
       "members":{
         "signingRegion":{
           "shape":"String",
-          "documentation":"<p>The signing region for AWS IAM authorization.</p>"
+          "documentation":"<p>The signing region for Identity and Access Management authorization.</p>"
         },
         "signingServiceName":{
           "shape":"String",
-          "documentation":"<p>The signing service name for AWS IAM authorization.</p>"
+          "documentation":"<p>The signing service name for Identity and Access Management authorization.</p>"
         }
       },
-      "documentation":"<p>The AWS IAM configuration.</p>"
+      "documentation":"<p>The Identity and Access Management configuration.</p>"
     },
     "BadRequestException":{
       "type":"structure",
@@ -938,7 +943,7 @@
         },
         "awsRegion":{
           "shape":"String",
-          "documentation":"<p>The AWS Region in which the user pool was created.</p>"
+          "documentation":"<p>The Amazon Web Services Region in which the user pool was created.</p>"
         },
         "appIdClientRegex":{
           "shape":"String",
@@ -1077,15 +1082,15 @@
         },
         "serviceRoleArn":{
           "shape":"String",
-          "documentation":"<p>The AWS IAM service role ARN for the data source. The system assumes this role when accessing the data source.</p>"
+          "documentation":"<p>The Identity and Access Management service role ARN for the data source. The system assumes this role when accessing the data source.</p>"
         },
         "dynamodbConfig":{
           "shape":"DynamodbDataSourceConfig",
           "documentation":"<p>Amazon DynamoDB settings.</p>"
         },
         "lambdaConfig":{
           "shape":"LambdaDataSourceConfig",
-          "documentation":"<p>AWS Lambda settings.</p>"
+          "documentation":"<p>Amazon Web Services Lambda settings.</p>"
         },
         "elasticsearchConfig":{
           "shape":"ElasticsearchDataSourceConfig",
@@ -1178,7 +1183,7 @@
         },
         "authenticationType":{
           "shape":"AuthenticationType",
-          "documentation":"<p>The authentication type: API key, AWS IAM, OIDC, or Amazon Cognito user pools.</p>"
+          "documentation":"<p>The authentication type: API key, Identity and Access Management, OIDC, or Amazon Cognito user pools.</p>"
         },
         "userPoolConfig":{
           "shape":"UserPoolConfig",
@@ -1199,6 +1204,10 @@
         "xrayEnabled":{
           "shape":"Boolean",
           "documentation":"<p>A flag indicating whether to enable X-Ray tracing for the <code>GraphqlApi</code>.</p>"
+        },
+        "lambdaAuthorizerConfig":{
+          "shape":"LambdaAuthorizerConfig",
+          "documentation":"<p>Configuration for AWS Lambda function authorization.</p>"
         }
       }
     },
@@ -1324,19 +1333,19 @@
         },
         "type":{
           "shape":"DataSourceType",
-          "documentation":"<p>The type of the data source.</p> <ul> <li> <p> <b>AMAZON_DYNAMODB</b>: The data source is an Amazon DynamoDB table.</p> </li> <li> <p> <b>AMAZON_ELASTICSEARCH</b>: The data source is an Amazon Elasticsearch Service domain.</p> </li> <li> <p> <b>AWS_LAMBDA</b>: The data source is an AWS Lambda function.</p> </li> <li> <p> <b>NONE</b>: There is no data source. This type is used when you wish to invoke a GraphQL operation without connecting to a data source, such as performing data transformation with resolvers or triggering a subscription to be invoked from a mutation.</p> </li> <li> <p> <b>HTTP</b>: The data source is an HTTP endpoint.</p> </li> <li> <p> <b>RELATIONAL_DATABASE</b>: The data source is a relational database.</p> </li> </ul>"
+          "documentation":"<p>The type of the data source.</p> <ul> <li> <p> <b>AMAZON_DYNAMODB</b>: The data source is an Amazon DynamoDB table.</p> </li> <li> <p> <b>AMAZON_ELASTICSEARCH</b>: The data source is an Amazon Elasticsearch Service domain.</p> </li> <li> <p> <b>AWS_LAMBDA</b>: The data source is an Amazon Web Services Lambda function.</p> </li> <li> <p> <b>NONE</b>: There is no data source. This type is used when you wish to invoke a GraphQL operation without connecting to a data source, such as performing data transformation with resolvers or triggering a subscription to be invoked from a mutation.</p> </li> <li> <p> <b>HTTP</b>: The data source is an HTTP endpoint.</p> </li> <li> <p> <b>RELATIONAL_DATABASE</b>: The data source is a relational database.</p> </li> </ul>"
         },
         "serviceRoleArn":{
           "shape":"String",
-          "documentation":"<p>The AWS IAM service role ARN for the data source. The system assumes this role when accessing the data source.</p>"
+          "documentation":"<p>The Identity and Access Management service role ARN for the data source. The system assumes this role when accessing the data source.</p>"
         },
         "dynamodbConfig":{
           "shape":"DynamodbDataSourceConfig",
           "documentation":"<p>Amazon DynamoDB settings.</p>"
         },
         "lambdaConfig":{
           "shape":"LambdaDataSourceConfig",
-          "documentation":"<p>AWS Lambda settings.</p>"
+          "documentation":"<p>Amazon Web Services Lambda settings.</p>"
         },
         "elasticsearchConfig":{
           "shape":"ElasticsearchDataSourceConfig",
@@ -1579,7 +1588,7 @@
         },
         "awsRegion":{
           "shape":"String",
-          "documentation":"<p>The AWS Region.</p>"
+          "documentation":"<p>The Amazon Web Services Region.</p>"
         },
         "useCallerCredentials":{
           "shape":"Boolean",
@@ -1609,7 +1618,7 @@
         },
         "awsRegion":{
           "shape":"String",
-          "documentation":"<p>The AWS Region.</p>"
+          "documentation":"<p>The Amazon Web Services Region.</p>"
         }
       },
       "documentation":"<p>Describes an Elasticsearch data source configuration.</p>"
@@ -1987,7 +1996,11 @@
         },
         "wafWebAclArn":{
           "shape":"String",
-          "documentation":"<p>The ARN of the AWS Web Application Firewall (WAF) ACL associated with this <code>GraphqlApi</code>, if one exists.</p>"
+          "documentation":"<p>The ARN of the WAF ACL associated with this <code>GraphqlApi</code>, if one exists.</p>"
+        },
+        "lambdaAuthorizerConfig":{
+          "shape":"LambdaAuthorizerConfig",
+          "documentation":"<p/> <p>Configuration for AWS Lambda function authorization.</p>"
         }
       },
       "documentation":"<p>Describes a GraphQL API.</p>"
@@ -2001,7 +2014,7 @@
       "members":{
         "endpoint":{
           "shape":"String",
-          "documentation":"<p>The HTTP URL endpoint. You can either specify the domain name or IP, and port combination, and the URL scheme must be HTTP or HTTPS. If the port is not specified, AWS AppSync uses the default port 80 for the HTTP endpoint and port 443 for HTTPS endpoints.</p>"
+          "documentation":"<p>The HTTP URL endpoint. You can either specify the domain name or IP, and port combination, and the URL scheme must be HTTP or HTTPS. If the port is not specified, AppSync uses the default port 80 for the HTTP endpoint and port 443 for HTTPS endpoints.</p>"
         },
         "authorizationConfig":{
           "shape":"AuthorizationConfig",
@@ -2015,11 +2028,30 @@
       "members":{
         "message":{"shape":"String"}
       },
-      "documentation":"<p>An internal AWS AppSync error occurred. Try your request again.</p>",
+      "documentation":"<p>An internal AppSync error occurred. Try your request again.</p>",
       "error":{"httpStatusCode":500},
       "exception":true,
       "fault":true
     },
+    "LambdaAuthorizerConfig":{
+      "type":"structure",
+      "required":["authorizerUri"],
+      "members":{
+        "authorizerResultTtlInSeconds":{
+          "shape":"TTL",
+          "documentation":"<p>The number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a <code>ttlOverride</code> key in its response. A value of 0 disables caching of responses.</p>"
+        },
+        "authorizerUri":{
+          "shape":"String",
+          "documentation":"<p>The ARN of the lambda function to be called for authorization. This may be a standard Lambda ARN, a version ARN (<code>.../v3</code>) or alias ARN. </p> <p> <i>Note</i>: This Lambda function must have the following resource-based policy assigned to it. When configuring Lambda authorizers in the Console, this is done for you. To do so with the AWS CLI, run the following:</p> <p> <code>aws lambda add-permission --function-name \"arn:aws:lambda:us-east-2:111122223333:function:my-function\" --statement-id \"appsync\" --principal appsync.amazonaws.com --action lambda:InvokeFunction</code> </p>"
+        },
+        "identityValidationExpression":{
+          "shape":"String",
+          "documentation":"<p>A regular expression for validation of tokens before the Lambda Function is called.</p>"
+        }
+      },
+      "documentation":"<p>A <code>LambdaAuthorizerConfig</code> holds configuration on how to authorize AppSync API access when using the <code>AWS_LAMBDA</code> authorizer mode. Be aware that an AppSync API may have only one Lambda authorizer configured at a time.</p>"
+    },
     "LambdaConflictHandlerConfig":{
       "type":"structure",
       "members":{
@@ -2039,7 +2071,7 @@
           "documentation":"<p>The ARN for the Lambda function.</p>"
         }
       },
-      "documentation":"<p>Describes an AWS Lambda data source configuration.</p>"
+      "documentation":"<p>Describes an Amazon Web Services Lambda data source configuration.</p>"
     },
     "LimitExceededException":{
       "type":"structure",
@@ -2363,7 +2395,7 @@
         },
         "cloudWatchLogsRoleArn":{
           "shape":"String",
-          "documentation":"<p>The service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account. </p>"
+          "documentation":"<p>The service role that AppSync will assume to publish to Amazon CloudWatch logs in your account. </p>"
         },
         "excludeVerboseContent":{
           "shape":"Boolean",
@@ -2407,7 +2439,7 @@
         },
         "clientId":{
           "shape":"String",
-          "documentation":"<p>The client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.</p>"
+          "documentation":"<p>The client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AppSync can validate against multiple client identifiers at a time.</p>"
         },
         "iatTTL":{
           "shape":"Long",
@@ -2448,7 +2480,7 @@
       "members":{
         "awsRegion":{
           "shape":"String",
-          "documentation":"<p>AWS Region for RDS HTTP endpoint.</p>"
+          "documentation":"<p>Amazon Web Services Region for RDS HTTP endpoint.</p>"
         },
         "dbClusterIdentifier":{
           "shape":"String",
@@ -2464,7 +2496,7 @@
         },
         "awsSecretStoreArn":{
           "shape":"String",
-          "documentation":"<p>AWS secret store ARN for database credentials.</p>"
+          "documentation":"<p>Amazon Web Services secret store ARN for database credentials.</p>"
         }
       },
       "documentation":"<p>The Amazon RDS HTTP endpoint configuration.</p>"
@@ -2614,12 +2646,17 @@
       },
       "documentation":"<p>Describes a Sync configuration for a resolver.</p> <p>Contains information on which Conflict Detection as well as Resolution strategy should be performed when the resolver is invoked.</p>"
     },
+    "TTL":{
+      "type":"integer",
+      "max":3600,
+      "min":0
+    },
     "TagKey":{
       "type":"string",
       "documentation":"<p>The key for the tag.</p>",
       "max":128,
       "min":1,
-      "pattern":"^(?!aws:)[a-zA-Z+-=._:/]+$"
+      "pattern":"^(?!aws:)[ a-zA-Z+-=._:/]+$"
     },
     "TagKeyList":{
       "type":"list",
@@ -2852,7 +2889,7 @@
         },
         "lambdaConfig":{
           "shape":"LambdaDataSourceConfig",
-          "documentation":"<p>The new AWS Lambda configuration.</p>"
+          "documentation":"<p>The new Amazon Web Services Lambda configuration.</p>"
         },
         "elasticsearchConfig":{
           "shape":"ElasticsearchDataSourceConfig",
@@ -2975,6 +3012,10 @@
         "xrayEnabled":{
           "shape":"Boolean",
           "documentation":"<p>A flag indicating whether to enable X-Ray tracing for the <code>GraphqlApi</code>.</p>"
+        },
+        "lambdaAuthorizerConfig":{
+          "shape":"LambdaAuthorizerConfig",
+          "documentation":"<p>Configuration for AWS Lambda function authorization.</p>"
         }
       }
     },
@@ -3105,7 +3146,7 @@
         },
         "awsRegion":{
           "shape":"String",
-          "documentation":"<p>The AWS Region in which the user pool was created.</p>"
+          "documentation":"<p>The Amazon Web Services Region in which the user pool was created.</p>"
         },
         "defaultAction":{
           "shape":"DefaultAction",
@@ -3119,5 +3160,5 @@
       "documentation":"<p>Describes an Amazon Cognito user pool configuration.</p>"
     }
   },
-  "documentation":"<p>AWS AppSync provides API actions for creating and interacting with data sources using GraphQL from your application.</p>"
+  "documentation":"<p>AppSync provides API actions for creating and interacting with data sources using GraphQL from your application.</p>"
 }