From 658cae8dd5d004d41082c0bb4e71dab3f3e33e66 Mon Sep 17 00:00:00 2001
From: Daniel Van Der Ploeg
Date: Thu, 16 Nov 2023 11:19:29 +1030
Subject: [PATCH] feat: remove ip block and pass priority var

---
 packages/graphql-mesh-server/lib/fargate.ts | 35 ++++---------------
 .../lib/graphql-mesh-server.ts | 9 ++---
 2 files changed, 12 insertions(+), 32 deletions(-)

diff --git a/packages/graphql-mesh-server/lib/fargate.ts b/packages/graphql-mesh-server/lib/fargate.ts
index 164afd74..666011d2 100644
--- a/packages/graphql-mesh-server/lib/fargate.ts
+++ b/packages/graphql-mesh-server/lib/fargate.ts
@@ -58,10 +58,6 @@ export interface MeshServiceProps {
    * SSM values to pass through to the container as secrets
    */
   secrets?: { [key: string]: ssm.IStringParameter | ssm.IStringListParameter };
-  /**
-   * List of IP addresses to block (currently only support IPv4)
-   */
-  blockedIps?: string[];
   /**
    * List of AWS Managed rules to add to the WAF
    */
@@ -75,6 +71,11 @@ export interface MeshServiceProps {
    * If provided, rate limiting will be enabled
    */
   rateLimit?: number;
+  /**
+   * The waf rule priority. Only used when a rateLimit value is provided.
+   * Defaults to 10
+   */
+  rateLimitPriority?: number;
 }
 
 export class MeshService extends Construct {
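Review bot: The doc comment on the new `rateLimitPriority` prop (and its duplicate in the graphql-mesh-server.ts hunk below) does not tell callers that the value must be unique within the web ACL; AWS WAF rejects two rules that share a priority, and the managed rule groups configured through the neighbouring `managedRules`-style prop occupy priorities as well, so a colliding value fails at deploy time rather than being ignored. Suggest adding a line to both comments: ` * Must not collide with the priority of any other rule in the web ACL (including managed rule groups).` The interface continues outside the hunk, so the exact name of the managed-rules prop is not visible here.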
@@ -193,34 +194,12 @@ export class MeshService extends Construct {
     this.service = fargateService.service;
 
-    const blockedIpList = new CfnIPSet(this, "BlockedIpList", {
-      addresses: props.blockedIps || [],
-      ipAddressVersion: "IPV4",
-      scope: "CLOUDFRONT",
-      description: "List of IPs blocked by WAF",
-    });
-
-    const defaultRules: CfnWebACL.RuleProperty[] = [
-      {
-        name: "IPBlockList",
-        priority: 2,
-        statement: {
-          ipSetReferenceStatement: {
-            arn: blockedIpList.attrArn,
-          },
-        },
-        visibilityConfig: {
-          cloudWatchMetricsEnabled: true,
-          metricName: "IPBlockList",
-          sampledRequestsEnabled: true,
-        },
-      },
-    ];
+    const defaultRules: CfnWebACL.RuleProperty[] = [];
 
     if (props.rateLimit) {
       defaultRules.push({
         name: "RateLimit",
-        priority: 3,
+        priority: 10 || props.rateLimitPriority,
         statement: {
           rateBasedStatement: {
             aggregateKeyType: "FORWARDED_IP",
diff --git a/packages/graphql-mesh-server/lib/graphql-mesh-server.ts b/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
index 3ec7c159..fa8eaa90 100644
--- a/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
+++ b/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
@@ -62,10 +62,6 @@ export type MeshHostingProps = {
    * ARN of the SNS Topic to send deployment notifications to
    */
   notificationArn?: string;
-  /**
-   * List of IP addresses to block (currently only support IPv4)
-   */
-  blockedIps?: string[];
   /**
    * List of AWS Managed rules to add to the WAF
    */
@@ -79,6 +75,11 @@ export type MeshHostingProps = {
    * If provided, rate limiting will be enabled
    */
   rateLimit?: number;
+  /**
+   * The waf rule priority. Only used when a rateLimit value is provided.
+   * Defaults to 10
+   */
+  rateLimitPriority?: number;
 };
 
 export class MeshHosting extends Construct {
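Review bot: `priority: 10 || props.rateLimitPriority` always evaluates to 10, because the numeric literal on the left is truthy and short-circuits the `||`, so the new `rateLimitPriority` option is silently ignored and the "pass priority var" part of this commit does not take effect; a consumer who sets it to avoid a clash with a managed rule group would still get 10 and the stack would fail to deploy. The operands are reversed, and `??` is the better operator so that a configured value is never discarded: `priority: props.rateLimitPriority ?? 10,`. The `MeshService` constructor continues outside the hunk, so any later use of the rule priorities is not visible here.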