feat: add ipv6 support for block list

aligent · Nov 16, 2023 · 8a96dde · 8a96dde
1 parent da49299
commit 8a96dde
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 2 deletions.
diff --git a/packages/graphql-mesh-server/lib/fargate.ts b/packages/graphql-mesh-server/lib/fargate.ts
@@ -59,14 +59,23 @@ export interface MeshServiceProps {
    */
   secrets?: { [key: string]: ssm.IStringParameter | ssm.IStringListParameter };
   /**
-   * List of IP addresses to block (currently only support IPv4)
+   * List of IPv4 addresses to block
    */
   blockedIps?: string[];
   /**
    * The waf rule priority.
    * Defaults to 2
    */
   blockedIpPriority?: number;
+  /**
+   * List of IPv6 addresses to block
+   */
+  blockedIpv6s?: string[];
+  /**
+   * The waf rule priority.
+   * Defaults to 3
+   */
+  blockedIpv6Priority?: number;
   /**
    * List of AWS Managed rules to add to the WAF
    */
@@ -220,6 +229,13 @@ export class MeshService extends Construct {
       description: "List of IPs blocked by WAF",
     });
 
+    const blockedIpv6List = new CfnIPSet(this, "BlockedIpv6List", {
+      addresses: props.blockedIpv6s || [],
+      ipAddressVersion: "IPV6",
+      scope: "REGIONAL",
+      description: "List of IPv6s blocked by WAF",
+    });
+
     const defaultRules: CfnWebACL.RuleProperty[] = [
       {
         name: "IPBlockList",
@@ -238,6 +254,23 @@ export class MeshService extends Construct {
           block: {},
         },
       },
+      {
+        name: "IPv6BlockList",
+        priority: 3 || props.blockedIpPriority,
+        statement: {
+          ipSetReferenceStatement: {
+            arn: blockedIpv6List.attrArn,
+          },
+        },
+        visibilityConfig: {
+          cloudWatchMetricsEnabled: true,
+          metricName: "IPv6BlockList",
+          sampledRequestsEnabled: true,
+        },
+        action: {
+          block: {},
+        },
+      },
     ];
 
     if (props.rateLimit) {

diff --git a/packages/graphql-mesh-server/lib/graphql-mesh-server.ts b/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
@@ -74,14 +74,23 @@ export type MeshHostingProps = {
    */
   notificationArn?: string;
   /**
-   * List of IP addresses to block (currently only support IPv4)
+   * List of IPv4 addresses to block
    */
   blockedIps?: string[];
   /**
    * The waf rule priority.
    * Defaults to 2
    */
   blockedIpPriority?: number;
+  /**
+   * List of IPv6 addresses to block
+   */
+  blockedIpv6s?: string[];
+  /**
+   * The waf rule priority.
+   * Defaults to 3
+   */
+  blockedIpv6Priority?: number;
   /**
    * List of AWS Managed rules to add to the WAF
    */