Merge pull request #1295 from aligent/feature/DO-1609-rate-limiting-b…

…ypass-list Feature/do 1609 rate limiting bypass list
aligent · Jan 31, 2024 · 2173f8e · 2173f8e
2 parents 2d4c69f + d09691d
commit 2173f8e
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/packages/graphql-mesh-server/README.md b/packages/graphql-mesh-server/README.md
@@ -28,6 +28,7 @@ If notificationArn is set this construct creates a CodeStar notification rule, S
 - `wafRules?`: List of custom rules
 - `rateLimit?`: The limit on requests per 5-minute period. If provided, rate limiting will be enabled
 - `rateLimitPriority?`: The WAF rule priority. Only used when a rateLimit value is provided (defaults to 10)
+- `rateLimitBypassList?`: List of IPv4 addresses that can bypass rate limiting
 - `containerInsights?`: Enable/disable container insights (defaults to true)
 - `logStreamPrefix?`: Log stream prefix (defaults to 'graphql-server')
 - `snsTopic?`: Optional SNS topic to subscribe all alarms to

diff --git a/packages/graphql-mesh-server/lib/fargate.ts b/packages/graphql-mesh-server/lib/fargate.ts
@@ -96,6 +96,10 @@ export interface MeshServiceProps {
    * Defaults to 10
    */
   rateLimitPriority?: number;
+  /**
+   * List of IPv4 addresses that can bypass rate limiting.
+   */
+  rateLimitBypassList?: string[];
   /**
    * Pass custom cpu scaling steps
    * Default value:
@@ -249,6 +253,13 @@ export class MeshService extends Construct {
     this.service = fargateService.service;
     this.loadBalancer = fargateService.loadBalancer;
 
+    const rateLimitBypassList = new CfnIPSet(this, "RateLimitBypassList", {
+      addresses: props.rateLimitBypassList || [],
+      ipAddressVersion: "IPV4",
+      scope: "REGIONAL",
+      description: "List of IPs that are whitelisted from rate limiting",
+    });
+
     const blockedIpList = new CfnIPSet(this, "BlockedIpList", {
       addresses: props.blockedIps || [],
       ipAddressVersion: "IPV4",
@@ -312,6 +323,20 @@ export class MeshService extends Construct {
               fallbackBehavior: "MATCH",
               headerName: "X-Forwarded-For",
             },
+            scopeDownStatement: {
+              notStatement: {
+                statement: {
+                  ipSetReferenceStatement: {
+                    arn: rateLimitBypassList.attrArn,
+                    ipSetForwardedIpConfig: {
+                      fallbackBehavior: "MATCH",
+                      headerName: "X-Forwarded-For",
+                      position: "FIRST",
+                    },
+                  },
+                },
+              },
+            },
           },
         },
         visibilityConfig: {

diff --git a/packages/graphql-mesh-server/lib/graphql-mesh-server.ts b/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
@@ -121,6 +121,10 @@ export type MeshHostingProps = {
    * Defaults to 10
    */
   rateLimitPriority?: number;
+  /**
+   * List of IPv4 addresses that can bypass rate limiting.
+   */
+  rateLimitBypassList?: string[];
   /**
    * Enable / disable container insights
    * Defaults to true