feat: Graphql Mesh add WAF rules #1211

Merged
merged 7 commits into from
Nov 16, 2023
85 changes: 84 additions & 1 deletion packages/graphql-mesh-server/lib/fargate.ts
Expand Up @@ -10,10 +10,12 @@ import * as ssm from "aws-cdk-lib/aws-ssm";
import { Port, SecurityGroup, IVpc, Vpc } from "aws-cdk-lib/aws-ec2";
import { RedisService } from "./redis-construct";
import {
AWSManagedRule,
ManagedRule,
Scope,
WebApplicationFirewall,
} from "./web-application-firewall";
import { CfnIPSet, CfnWebACL } from "aws-cdk-lib/aws-wafv2";
import { ScalingInterval, AdjustmentType } from "aws-cdk-lib/aws-autoscaling";

export interface MeshServiceProps {
Expand Down Expand Up @@ -56,6 +58,33 @@ export interface MeshServiceProps {
* SSM values to pass through to the container as secrets
*/
secrets?: { [key: string]: ssm.IStringParameter | ssm.IStringListParameter };
/**
* List of IP addresses to block (currently only support IPv4)
*/
blockedIps?: string[];
/**
* The waf rule priority.
* Defaults to 2
*/
blockedIpPriority?: number;
/**
* List of AWS Managed rules to add to the WAF
*/
wafManagedRules?: AWSManagedRule[];
/**
* List of custom rules
*/
wafRules?: CfnWebACL.RuleProperty[];
/**
* The limit on requests per 5-minute period
* If provided, rate limiting will be enabled
*/
rateLimit?: number;
/**
* The waf rule priority. Only used when a rateLimit value is provided.
* Defaults to 10
*/
rateLimitPriority?: number;
/**
* Pass custom cpu scaling steps
* Default value:
Expand All @@ -65,7 +94,7 @@ export interface MeshServiceProps {
* { lower: 85, change: +3 },
* ]
*/
cpuScalingSteps: ScalingInterval[];
cpuScalingSteps?: ScalingInterval[];
}

export class MeshService extends Construct {
Expand Down Expand Up @@ -184,6 +213,58 @@ export class MeshService extends Construct {

this.service = fargateService.service;

const blockedIpList = new CfnIPSet(this, "BlockedIpList", {
addresses: props.blockedIps || [],
ipAddressVersion: "IPV4",
scope: "REGIONAL",
description: "List of IPs blocked by WAF",
});

const defaultRules: CfnWebACL.RuleProperty[] = [
{
name: "IPBlockList",
priority: 2 || props.blockedIpPriority,
statement: {
ipSetReferenceStatement: {
arn: blockedIpList.attrArn,
},
},
visibilityConfig: {
cloudWatchMetricsEnabled: true,
metricName: "IPBlockList",
sampledRequestsEnabled: true,
},
action: {
block: {},
},
},
];

if (props.rateLimit) {
defaultRules.push({
name: "RateLimit",
priority: 10 || props.rateLimitPriority,
statement: {
rateBasedStatement: {
aggregateKeyType: "FORWARDED_IP",
limit: props.rateLimit,
forwardedIpConfig: {
fallbackBehavior: "MATCH",
headerName: "X-Forwarded-For",
},
},
},
visibilityConfig: {
cloudWatchMetricsEnabled: true,
metricName: "RateLimit",
sampledRequestsEnabled: true,
},
action: {
block: {},
},
});
}

this.firewall = new WebApplicationFirewall(this, "waf", {
scope: Scope.REGIONAL,
visibilityConfig: {
Expand All @@ -203,7 +284,9 @@ export class MeshService extends Construct {
{
name: ManagedRule.KNOWN_BAD_INPUTS_RULE_SET,
},
...(props.wafManagedRules || []),
],
rules: [...defaultRules, ...(props.wafRules || [])],
});

this.firewall.addAssociation(
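Review bot: `priority: 2 || props.blockedIpPriority` and `priority: 10 || props.rateLimitPriority` in the new `defaultRules` always evaluate to the literal, so the `blockedIpPriority` and `rateLimitPriority` overrides documented in `MeshServiceProps` are silently ignored; they should read `priority: props.blockedIpPriority ?? 2,` and `priority: props.rateLimitPriority ?? 10,` (`??` rather than `||` so that a deliberate priority of 0 is honoured). A caller who sets one of these to avoid a clash with a managed rule group's priority would otherwise still hit the duplicate-priority rejection at deploy time. Separately, the rate-based rule aggregates on `FORWARDED_IP` read from `X-Forwarded-For` with `fallbackBehavior: "MATCH"`; unless the load balancer sits behind a trusted proxy that overwrites that header, a client can send a different `X-Forwarded-For` value on each request and every value becomes its own bucket, which defeats the limit — consider `aggregateKeyType: "IP"` (the source address the ALB sees) or document the trusted-proxy assumption next to the rule. The enclosing constructor starts before and ends after this hunk.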
31 changes: 30 additions & 1 deletion packages/graphql-mesh-server/lib/graphql-mesh-server.ts
Expand Up @@ -7,6 +7,8 @@ import { Repository } from "aws-cdk-lib/aws-ecr";
import { FargateService } from "aws-cdk-lib/aws-ecs";
import { CfnCacheCluster } from "aws-cdk-lib/aws-elasticache";
import * as ssm from "aws-cdk-lib/aws-ssm";
import { AWSManagedRule } from "./web-application-firewall";
import { CfnWebACL } from "aws-cdk-lib/aws-wafv2";
import { ScalingInterval } from "aws-cdk-lib/aws-autoscaling";

export type MeshHostingProps = {
Expand Down Expand Up @@ -66,11 +68,38 @@ export type MeshHostingProps = {
* { lower: 85, change: +3 },
* ]
*/
cpuScalingSteps: ScalingInterval[];
cpuScalingSteps?: ScalingInterval[];
/**
* ARN of the SNS Topic to send deployment notifications to
*/
notificationArn?: string;
/**
* List of IP addresses to block (currently only support IPv4)
*/
blockedIps?: string[];
/**
* The waf rule priority.
* Defaults to 2
*/
blockedIpPriority?: number;
/**
* List of AWS Managed rules to add to the WAF
*/
wafManagedRules?: AWSManagedRule[];
/**
* List of custom rules
*/
wafRules?: CfnWebACL.RuleProperty[];
/**
* The limit on requests per 5-minute period
* If provided, rate limiting will be enabled
*/
rateLimit?: number;
/**
* The waf rule priority. Only used when a rateLimit value is provided.
* Defaults to 10
*/
rateLimitPriority?: number;
};

export class MeshHosting extends Construct {
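Review bot: The `blockedIps` doc comment says "List of IP addresses", but the values end up in a WAFv2 IP set, which accepts CIDR notation only, so a bare address such as `203.0.113.7` would be rejected at deploy time; suggest `* List of IPv4 CIDR ranges to block, e.g. "203.0.113.7/32" — a single host needs the /32 suffix`. The `blockedIpPriority` and `rateLimitPriority` comments should also state that the value must be unique within the web ACL, including the AWS managed rule groups and any `wafRules`, since WAF does not accept duplicate rule priorities. The `rateLimit` comment could likewise mention that WAF enforces a minimum value for rate-based rules (100 at the time of writing, to be confirmed against the current service limits). The `MeshHostingProps` type continues past the end of this hunk.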