Select a tenant's DynamoDB table in AppSync using their Cognito identity


I am building a multi-tenant application, with the tenants sharing a GraphQL API backed by AppSync. All of a tenant's metadata is stored in a single DynamoDB table, and AppSync uses a DynamoDB data source on that table to resolve queries and mutations. I would like to pick which table to perform the operation on based on the Cognito identity in the request resolver.

In AppSync, each data source must specify a table to resolve the DynamoDB operations, and this cannot be overridden in the AppSync resolver (except for some batch operations that allow multiple table operations in one resolver). There does not appear to be a way to dynamically select a data source in a pipeline resolver. Since each tenant's metadata is in a separate DynamoDB table, there does not appear to be a way to define a single API that is shared between tenants when using only DynamoDB data sources.

I have tried using an HTTPS resolver and recreating the DynamoDB request in that, but unfortunately there does not seem to be a $util.dynamodb.fromDynamoDB to convert the typed DynamoDB response to an untyped JSON response that the DynamoDB resolver performs automatically.

Here are my options as I understand them:

  1. Put all tenant metadata into a single table, and use the tenant ID as the partition key for each item
  2. Use a Lambda resolver that makes the subsequent DynamoDB request
  3. Create a different AppSync API per-tenant with the same definitions for everything (but a different Cognito pool configuration for each)

Option 1 doesn't work for me because I'm already using the partition key in a number of different ways, especially to generate several sparse global indices on the table. I'd also like to provision the table throughput on a per-tenant basis, rather than sharing this across all tenants at once.

Option 2 may be the most straightforward answer, but I would prefer not to have to set up Lambdas for most of my resolvers when I'm just trying to perform a straightforward operation on DynamoDB.

Option 3 definitively solves the problem, but now I have to maintain as many APIs (and their endpoints) as I have tenants, which defeats the purpose of this question.

Are there any other options to support a multi-tenant setup with distinct tables per tenant in AppSync, preferably performing the routing logic in resolver templates?
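
Option 2 from the list above, sketched as an added example that is not part of the original question: a direct Lambda resolver that picks the tenant's table from the verified Cognito claims only and converts the typed DynamoDB item to plain JSON. The claim name `custom:tenant_id`, the table prefix `tenant-metadata-`, the `id` key and the `getItem` field are assumptions made for illustration.

```python
import re

TENANT_CLAIM = "custom:tenant_id"    # assumption: custom claim set by the user pool
TABLE_PREFIX = "tenant-metadata-"    # assumption: one table per tenant, fixed prefix
TENANT_ID_RE = re.compile(r"[a-z0-9]{1,32}")  # strict shape, so no stray characters reach the name


def table_for(identity):
    """Derive the table name from token claims only, never from query arguments."""
    claims = (identity or {}).get("claims") or {}
    tenant = claims.get(TENANT_CLAIM)
    if not isinstance(tenant, str) or not TENANT_ID_RE.fullmatch(tenant):
        raise PermissionError("request carries no usable tenant claim")
    return TABLE_PREFIX + tenant


def from_dynamodb(av):
    """Convert one typed AttributeValue such as {"S": "x"} to a plain JSON value."""
    (tag, val), = av.items()         # exactly one type tag per AttributeValue
    if tag in ("S", "BOOL"):
        return val
    if tag == "NULL":
        return None
    if tag == "N":
        return float(val) if ("." in val or "e" in val.lower()) else int(val)
    if tag == "L":
        return [from_dynamodb(v) for v in val]
    if tag == "M":
        return {k: from_dynamodb(v) for k, v in val.items()}
    if tag == "SS":
        return list(val)
    if tag == "NS":
        return [from_dynamodb({"N": n}) for n in val]
    raise ValueError(f"unsupported attribute type {tag}")  # binary types left out here


def handler(event, context=None, client=None):
    """Direct Lambda resolver for a hypothetical getItem(id: ID!) field."""
    if client is None:               # a real client is created only when deployed
        import boto3
        client = boto3.client("dynamodb")
    table = table_for(event.get("identity"))
    key = {"id": {"S": str(event["arguments"]["id"])}}
    item = client.get_item(TableName=table, Key=key).get("Item")
    return None if item is None else {k: from_dynamodb(v) for k, v in item.items()}
```

Because the table name is built solely from the token claim, a caller cannot reach another tenant's table by changing the query arguments.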
