We are using AppSync and dynamoDB and have a react website. We are trying to trigger a pass through mutation from a Lambda, but are getting WAFForbiddenException.
We can call mutations from the website as we have our IP address listed in the WAF. Is there are setting in the WAF to allow access to Appsync from Lambdas?
const { HttpRequest, Endpoint, Signers, EnvironmentCredentials, NodeHttpClient, } = AbstractAlertsAwsSdk;
.....
async triggerPassThroughMutationForAlert(alert, mutationName) {
const p = new Promise((resolve, reject) => {
const creds = new EnvironmentCredentials("AWS");
const req = new HttpRequest(this.graphQlEndpoint);
req.method = "POST";
req.path = "/graphql";
req.region = "ap-southeast-2";
req.headers["presigned-expires"] = false;
req.headers["Host"] = this.graphQlEndpoint.host;
req.headers["Content-Type"] = "application/json";
req.body = `${JSON.stringify({
query: `mutation AlertMutation($input: AlertInput!) {
${mutationName}(input: $input) {
id
tag
name
outstandingDate
}
}`,
operationName:'AlertMutation',
variables: {
input: { ...alert },
},
})}`
const signer = new Signers.V4(req, "appsync", true);
signer.addAuthorization(creds, new Date());
const client = new NodeHttpClient();
client.handleRequest(req, null, function (httpResp) {
let body = "";
httpResp.on("data", function (chunk) {
body += chunk;
});
httpResp.on("end", function (chunk) {
console.info(alert.reference, "triggerPassThroughMutationForAlert() Successful", chunk !== null && chunk !== void 0 ? chunk : "", body);
resolve();
});
}, function (err) {
console.log("triggerPassThroughMutationForAlert() Error: " + err);
resolve();
});
});
return p;
}
}
Obviously, i can turn off the default rule in the WAF to block all, but then i would let everyone in. Given i am already in AWS, and have a VPC set up, how do i call it directly without going out to the internet first.