feat: remove ip block and pass priority var
TheOrangePuff committed Nov 16, 2023
1 parent d519186 commit 658cae8
Showing 2 changed files with 12 additions and 32 deletions.
35 changes: 7 additions & 28 deletions packages/graphql-mesh-server/lib/fargate.ts
Expand Up @@ -58,10 +58,6 @@ export interface MeshServiceProps {
* SSM values to pass through to the container as secrets
*/
secrets?: { [key: string]: ssm.IStringParameter | ssm.IStringListParameter };
/**
* List of IP addresses to block (currently only support IPv4)
*/
blockedIps?: string[];
/**
* List of AWS Managed rules to add to the WAF
*/
Expand All @@ -75,6 +71,11 @@ export interface MeshServiceProps {
* If provided, rate limiting will be enabled
*/
rateLimit?: number;
/**
* The waf rule priority. Only used when a rateLimit value is provided.
* Defaults to 10
*/
rateLimitPriority?: number;
}

export class MeshService extends Construct {
Expand Down Expand Up @@ -193,34 +194,12 @@ export class MeshService extends Construct {

this.service = fargateService.service;

const blockedIpList = new CfnIPSet(this, "BlockedIpList", {
addresses: props.blockedIps || [],
ipAddressVersion: "IPV4",
scope: "CLOUDFRONT",
description: "List of IPs blocked by WAF",
});

const defaultRules: CfnWebACL.RuleProperty[] = [
{
name: "IPBlockList",
priority: 2,
statement: {
ipSetReferenceStatement: {
arn: blockedIpList.attrArn,
},
},
visibilityConfig: {
cloudWatchMetricsEnabled: true,
metricName: "IPBlockList",
sampledRequestsEnabled: true,
},
},
];
const defaultRules: CfnWebACL.RuleProperty[] = [];

if (props.rateLimit) {
defaultRules.push({
name: "RateLimit",
priority: 3,
priority: 10 || props.rateLimitPriority,
statement: {
rateBasedStatement: {
aggregateKeyType: "FORWARDED_IP",
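Review bot: The new priority expression `priority: 10 || props.rateLimitPriority,` never reads the option, because `10` is always truthy and short-circuits the `||`, so a caller-supplied `rateLimitPriority` is silently ignored and the rule is always created at priority 10, contradicting the "Defaults to 10" wording added to the props doc comment. The operands are reversed and the operator should be nullish coalescing so that an explicit `0` is honoured as well: `priority: props.rateLimitPriority ?? 10,`. Since the commit also empties `defaultRules`, the rate-limit rule is now the only rule this construct adds, so its priority is the one value that can collide with the priorities of any managed rules appended later; worth a one-line comment on the `defaultRules` declaration stating that. The `push` call and the enclosing constructor continue past the end of the hunk.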
9 changes: 5 additions & 4 deletions packages/graphql-mesh-server/lib/graphql-mesh-server.ts
Expand Up @@ -62,10 +62,6 @@ export type MeshHostingProps = {
* ARN of the SNS Topic to send deployment notifications to
*/
notificationArn?: string;
/**
* List of IP addresses to block (currently only support IPv4)
*/
blockedIps?: string[];
/**
* List of AWS Managed rules to add to the WAF
*/
Expand All @@ -79,6 +75,11 @@ export type MeshHostingProps = {
* If provided, rate limiting will be enabled
*/
rateLimit?: number;
/**
* The waf rule priority. Only used when a rateLimit value is provided.
* Defaults to 10
*/
rateLimitPriority?: number;
};

export class MeshHosting extends Construct {
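Review bot: The doc comment on the added `rateLimitPriority` property says what it is for but not what the number means, and a user of `MeshHostingProps` has no other cue; suggest `* AWS WAF rule priority for the rate-limit rule. Rules are evaluated in ascending priority order and each priority in a web ACL must be unique, so pick a value that does not collide with any managed rule you also configure.` in place of the first line. The hunk shows the property added to the type only; whether `MeshHosting` forwards it to `MeshService` happens in the class body, which is outside this hunk, so that should be confirmed separately. The same wording applies to the matching doc comment in `packages/graphql-mesh-server/lib/fargate.ts`.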
