From 721a39413af98831525f6d0f92090ac8653a04a1 Mon Sep 17 00:00:00 2001
From: Daniel Van Der Ploeg
Date: Tue, 30 Jan 2024 12:33:28 +1030
Subject: [PATCH 1/3] feat DO-1609: add rate limiting bypass list
---
 packages/graphql-mesh-server/lib/fargate.ts | 16 ++++++++++++++++
 .../lib/graphql-mesh-server.ts | 4 ++++
 2 files changed, 20 insertions(+)
diff --git a/packages/graphql-mesh-server/lib/fargate.ts b/packages/graphql-mesh-server/lib/fargate.ts
index 285c6397..7c4a6e4b 100644
--- a/packages/graphql-mesh-server/lib/fargate.ts
+++ b/packages/graphql-mesh-server/lib/fargate.ts
@@ -96,6 +96,10 @@ export interface MeshServiceProps {
 * Defaults to 10
 */
 rateLimitPriority?: number;
+ /**
+ * List of IPv4 addresses that can bypass rate limiting.
+ */
+ rateLimitBypassList?: string[];
 /**
 * Pass custom cpu scaling steps
 * Default value:
@@ -249,6 +253,13 @@ export class MeshService extends Construct {
 this.service = fargateService.service;
 this.loadBalancer = fargateService.loadBalancer;
 
+ const rateLimitBypassList = new CfnIPSet(this, "RateLimitBypassList", {
+ addresses: props.rateLimitBypassList || [],
+ ipAddressVersion: "IPV4",
+ scope: "REGIONAL",
+ description: "List of IPs that are whitelisted from rate limiting",
+ });
+
 const blockedIpList = new CfnIPSet(this, "BlockedIpList", {
 addresses: props.blockedIps || [],
 ipAddressVersion: "IPV4",
@@ -312,6 +323,11 @@ export class MeshService extends Construct {
 fallbackBehavior: "MATCH",
 headerName: "X-Forwarded-For",
 },
+ scopeDownStatement: {
+ ipSetReferenceStatement: {
+ arn: rateLimitBypassList.attrArn,
+ },
+ },
 },
 },
 visibilityConfig: {
diff --git a/packages/graphql-mesh-server/lib/graphql-mesh-server.ts b/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
index 16494b8e..d49f9fbe 100644
--- a/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
+++ b/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
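Review bot: The addresses passed to `CfnIPSet` at `addresses: props.rateLimitBypassList || []` must be IPv4 CIDR blocks (a single host is `203.0.113.7/32`), yet the new prop is documented as a "List of IPv4 addresses", so a bare address only fails at deploy time when CloudFormation rejects the IP set. Suggest the docstring on `rateLimitBypassList` read `List of IPv4 CIDR blocks (e.g. "203.0.113.7/32") exempt from the rate-limit rule; the scope-down affects only that rule, other WAF rules still apply.` and a synth-time check that rejects entries without a prefix length so the mistake surfaces in `cdk synth` rather than in a failed stack update. The constructor body this sits in starts and ends outside the hunk.

```typescript
const bypassCidrs = props.rateLimitBypassList ?? [];
// Fail at synth time: WAF IP sets only accept CIDR notation, a bare address is rejected by CloudFormation.
const invalid = bypassCidrs.filter((a) => !/^\d{1,3}(\.\d{1,3}){3}\/(3[0-2]|[12]?\d)$/.test(a));
if (invalid.length > 0) {
  throw new Error(`rateLimitBypassList entries must be IPv4 CIDR blocks (e.g. "203.0.113.7/32"): ${invalid.join(", ")}`);
}
const rateLimitBypassList = new CfnIPSet(this, "RateLimitBypassList", {
  addresses: bypassCidrs,
  // … unchanged: ipAddressVersion, scope, description …
});
```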
@@ -121,6 +121,10 @@ export type MeshHostingProps = {
 * Defaults to 10
 */
 rateLimitPriority?: number;
+ /**
+ * List of IPv4 addresses that can bypass rate limiting.
+ */
+ rateLimitBypassList?: string[];
 /**
 * Enable / disable container insights
 * Defaults to true
From 6837f634de929489455f3bd5433023a308a907d9 Mon Sep 17 00:00:00 2001
From: Daniel Van Der Ploeg
Date: Tue, 30 Jan 2024 13:42:01 +1030
Subject: [PATCH 2/3] chore DO-1609: update readme
---
 packages/graphql-mesh-server/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/graphql-mesh-server/README.md b/packages/graphql-mesh-server/README.md
index ceab8998..226e3e07 100644
--- a/packages/graphql-mesh-server/README.md
+++ b/packages/graphql-mesh-server/README.md
@@ -28,6 +28,7 @@ If notificationArn is set this construct creates a CodeStar notification rule, S
 - `wafRules?`: List of custom rules
 - `rateLimit?`: The limit on requests per 5-minute period. If provided, rate limiting will be enabled
 - `rateLimitPriority?`: The WAF rule priority. Only used when a rateLimit value is provided (defaults to 10)
+- `rateLimitBypassList?`: List of IPv4 addresses that can bypass rate limiting
 - `containerInsights?`: Enable/disable container insights (defaults to true)
 - `logStreamPrefix?`: Log stream prefix (defaults to 'graphql-server')
 - `snsTopic?`: Optional SNS topic to subscribe all alarms to
From d09691d10cabf65b318fdb41249d0891d363fd23 Mon Sep 17 00:00:00 2001
From: Daniel Van Der Ploeg
Date: Tue, 30 Jan 2024 14:53:51 +1030
Subject: [PATCH 3/3] feat DO-1609: fix allow list
---
 packages/graphql-mesh-server/lib/fargate.ts | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/packages/graphql-mesh-server/lib/fargate.ts b/packages/graphql-mesh-server/lib/fargate.ts
index 7c4a6e4b..17dc9e89 100644
--- a/packages/graphql-mesh-server/lib/fargate.ts
+++ b/packages/graphql-mesh-server/lib/fargate.ts
@@ -324,8 +324,17 @@ export class MeshService extends Construct {
 headerName: "X-Forwarded-For",
 },
 scopeDownStatement: {
- ipSetReferenceStatement: {
- arn: rateLimitBypassList.attrArn,
+ notStatement: {
+ statement: {
+ ipSetReferenceStatement: {
+ arn: rateLimitBypassList.attrArn,
+ ipSetForwardedIpConfig: {
+ fallbackBehavior: "MATCH",
+ headerName: "X-Forwarded-For",
+ position: "FIRST",
+ },
+ },
+ },
 },
 },
 },
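Review bot: The allowlist match at `position: "FIRST"` keys on the first entry of `X-Forwarded-For`, which is whatever the caller put in the header (an ALB appends the address it actually saw at the end), so any client can exempt itself from rate limiting by sending `X-Forwarded-For: <allow-listed address>`. `fallbackBehavior: "MATCH"` makes it worse: a missing or unparseable header counts as a member of the bypass set, and the `notStatement` then drops that request out of the rate rule, i.e. the allowlist fails open. For the allowlist use `fallbackBehavior: "NO_MATCH"`, and unless a trusted proxy sits in front of this load balancer drop `ipSetForwardedIpConfig` entirely so the set is checked against the connection source address; if there is a trusted hop, pick the position that corresponds to it rather than `FIRST`. The rate-based statement itself appears (from the `X-Forwarded-For` config visible as context in patch 1) to aggregate on the same header, so the same spoofing lets one client spread across many rate-limit keys — pre-existing, but worth a follow-up. The rule object this scope-down belongs to begins and ends outside the hunk.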