@quiltdata/benchling-webhook 0.9.0-20251129T063536Z → 0.9.0-20251129T071202Z
- package/dist/lib/benchling-webhook-stack.d.ts.map +1 -1
- package/dist/lib/benchling-webhook-stack.js +8 -12
- package/dist/lib/benchling-webhook-stack.js.map +1 -1
- package/dist/lib/http-api-gateway.d.ts +2 -3
- package/dist/lib/http-api-gateway.d.ts.map +1 -1
- package/dist/lib/http-api-gateway.js +44 -115
- package/dist/lib/http-api-gateway.js.map +1 -1
- package/dist/lib/waf-web-acl.d.ts +51 -0
- package/dist/lib/waf-web-acl.d.ts.map +1 -0
- package/dist/lib/waf-web-acl.js +192 -0
- package/dist/lib/waf-web-acl.js.map +1 -0
- package/dist/package.json +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"benchling-webhook-stack.d.ts","sourceRoot":"","sources":["../../lib/benchling-webhook-stack.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,aAAa,CAAC;AAGnC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAG/C;;;;;GAKG;AACH,MAAM,WAAW,0BAA2B,SAAQ,GAAG,CAAC,UAAU;IAC9D;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAClC;AAED,qBAAa,qBAAsB,SAAQ,GAAG,CAAC,KAAK;IAChD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;IAChD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAiB;IACrC,SAAgB,eAAe,EAAE,MAAM,CAAC;gBAGpC,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,0BAA0B;
|
|
1
|
+
{"version":3,"file":"benchling-webhook-stack.d.ts","sourceRoot":"","sources":["../../lib/benchling-webhook-stack.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,aAAa,CAAC;AAGnC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAG/C;;;;;GAKG;AACH,MAAM,WAAW,0BAA2B,SAAQ,GAAG,CAAC,UAAU;IAC9D;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAClC;AAED,qBAAa,qBAAsB,SAAQ,GAAG,CAAC,KAAK;IAChD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;IAChD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAiB;IACrC,SAAgB,eAAe,EAAE,MAAM,CAAC;gBAGpC,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,0BAA0B;CA8QxC"}
|
|
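--- a/package/dist/lib/benchling-webhook-stack.js
+++ b/package/dist/lib/benchling-webhook-stack.js
@@ -252,18 +252,14 @@ class BenchlingWebhookStack extends cdk.Stack {
 value: this.api.logGroup.logGroupName,
 description: "CloudWatch log group for API Gateway access logs",
 });
-
-
-
-
-
-
-
-
-value: this.api.authorizerLogGroup.logGroupName,
-description: "CloudWatch log group for Lambda authorizer logs",
-});
-}
+new cdk.CfnOutput(this, "WafWebAclArn", {
+value: this.api.wafWebAcl.webAcl.attrArn,
+description: "WAF Web ACL ARN for IP filtering",
+});
+new cdk.CfnOutput(this, "WafLogGroup", {
+value: this.api.wafWebAcl.logGroup.logGroupName,
+description: "CloudWatch log group for WAF logs",
+});
 // Export configuration metadata
 new cdk.CfnOutput(this, "ConfigVersion", {
 value: config._metadata.version,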
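Review bot: The new `WafWebAclArn` output is described as "WAF Web ACL ARN for IP filtering", but the ACL it points at is created in http-api-gateway.js with `webhookAllowList || ""`, and waf-web-acl.d.ts documents an empty allowlist as COUNT mode (log only, no blocking), so an operator reading stack outputs cannot tell whether anything is actually being filtered. I would make the description say so, e.g. `description: "WAF Web ACL ARN (COUNT mode until security.webhookAllowList is set)"`, or add a `WafMode` output alongside it derived from whether the allowlist is empty. The enclosing constructor starts and ends outside this hunk.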
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"benchling-webhook-stack.js","sourceRoot":"","sources":["../../lib/benchling-webhook-stack.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,yDAA2C;AAC3C,yDAA2C;AAE3C,uDAAmD;AACnD,yDAAoD;AAEpD,mEAA0C;AAgB1C,MAAa,qBAAsB,SAAQ,GAAG,CAAC,KAAK;IAKhD,YACI,KAAgB,EAChB,EAAU,EACV,KAAiC;QAEjC,KAAK,CAAC,KAAK,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC;QAExB,MAAM,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;QAEzB,yCAAyC;QACzC,4EAA4E;QAC5E,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,MAAM,CAAC;QACrE,IAAI,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CACX,qDAAqD;gBACrD,gEAAgE;gBAChE,mDAAmD,CACtD,CAAC;QACN,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,0CAA0C,sBAAW,CAAC,OAAO,GAAG,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QAErD,mEAAmE;QACnE,mEAAmE;QAEnE,wCAAwC;QACxC,sDAAsD;QACtD,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,kBAAkB,EAAE;YACzE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,+CAA+C;YAC5D,OAAO,EAAE,EAAE,EAAG,sCAAsC;SACvD,CAAC,CAAC;QAEH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,oBAAoB,EAAE;YAC7E,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sDAAsD;YACnE,OAAO,EAAE,EAAE,EAAG,sCAAsC;SACvD,CAAC,CAAC;QAEH,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,cAAc,EAAE;YACjE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,2DAA2D;YACxE,OAAO,EAAE,EAAE,EAAG,sCAAsC;SACvD,CAAC,CAAC;QAEH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,iBAAiB,EAAE;YACvE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,2DAA2D;YACxE,OAAO,EAAE,EAAE;SACd,CAAC,CAAC;QAEH,8DAA8D;QAC9D,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,kBAAkB,EAAE;YACzE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,+DAA+D;YAC5E,OAAO,EAAE,EAAE;SACd,CAAC,CAAC;QAEH,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,qBAAqB,EAAE;YAC/E,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,0EAA0E;YACvF,OAAO,EAAE,EAAE;SACd,CAAC,CAAC;QAEH,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,qBAAqB,EAAE;YAC/E,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,2EAA2E;YACxF,OAAO,EAAE,EAAE;SACd,CA
AC,CAAC;QAEH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,oBAAoB,EAAE;YAC1E,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,0DAA0D;YACvE,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,SAAS;SACtC,CAAC,CAAC;QAEH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,EAAE;YACzD,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,qDAAqD;YAClE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,IAAI,MAAM;YACxC,aAAa,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC;SACvD,CAAC,CAAC;QAEH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,EAAE;YACzD,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,0EAA0E;YACvF,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC,QAAQ,IAAI,QAAQ;SAClD,CAAC,CAAC;QAEH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,eAAe,EAAE;YACnE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,kFAAkF;YAC/F,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;SAClC,CAAC,CAAC;QAEH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,eAAe,EAAE;YACnE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sFAAsF;YACnG,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE;SACvC,CAAC,CAAC;QAEH,uDAAuD;QACvD,iDAAiD;QACjD,MAAM,qBAAqB,GAAG,qBAAqB,CAAC,aAAa,CAAC;QAClE,MAAM,uBAAuB,GAAG,uBAAuB,CAAC,aAAa,CAAC;QACtE,MAAM,iBAAiB,GAAG,iBAAiB,CAAC,aAAa,CAAC;QAC1D,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,aAAa,CAAC;QAChE,MAAM,qBAAqB,GAAG,qBAAqB,CAAC,aAAa,CAAC;QAClE,MAAM,wBAAwB,GAAG,wBAAwB,CAAC,aAAa,CAAC;QACxE,MAAM,wBAAwB,GAAG,wBAAwB,CAAC,aAAa,CAAC;QACxE,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,aAAa,CAAC;QAChE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;QAClD,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;QAClD,MAAM,kBAAkB,GAAG,kBAAkB,CAAC,aAAa,CAAC;QAC5D,MAAM,kBAAkB,GAAG,kBAAkB,CAAC,aAAa,CAAC;QAE5D,sEAAsE;QACtE,6DAA6D;QAE7D,8BAA8B;QAC9B,wFAAwF;QACxF,8DAA8D;QAC9D,wFAAwF;QACxF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK;YACpC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,aAAa,EAAE;gBACtC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK;aACrC,CAAC;YACF,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,EAAE;gBACvC,MAAM,EAAE,CAAC;gBACT,WAAW,EAAE,CAAC,EAAE,gEAAgE;gBAChF,mBAAmB,EAAE;oBACjB;wBACI,IAAI,EAAE,QAAQ;wBACd,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,MAAM;wBACjC,QAAQ,EAAE,EAAE;qBACf;oBACD;wBACI,IAA
I,EAAE,SAAS;wBACf,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,mBAAmB,EAAE,wBAAwB;wBACxE,QAAQ,EAAE,EAAE;qBACf;iBACJ;aACJ,CAAC,CAAC;QAEP,8FAA8F;QAC9F,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClC,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;YAChE,MAAM,IAAI,KAAK,CACX,QAAQ,aAAa,mCAAmC;gBACpD,0EAA0E;gBAC1E,oDAAoD;gBACpD,sDAAsD;gBACtD,4CAA4C;gBAC5C,wDAAwD;gBACxD,mDAAmD;gBACnD,wCAAwC;gBACxC,oFAAoF,CAC3F,CAAC;QACN,CAAC;QAED,OAAO,CAAC,GAAG,CACP,cAAc,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,IAAI,cAAc,KAAK,GAAG,CAAC,cAAc,CAAC,MAAM,mBAAmB,CAChH,CAAC;QAEF,iEAAiE;QACjE,MAAM,OAAO,GAAG,cAAc,CAAC;QAC/B,MAAM,MAAM,GAAG,WAAW,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,aAAa,IAAI,qBAAqB,CAAC;QAC1E,MAAM,MAAM,GAAG,eAAe,MAAM,IAAI,OAAO,eAAe,QAAQ,EAAE,CAAC;QACzE,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,iBAAiB,CAAC,IAAI,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;QACxF,MAAM,WAAW,GAAG,GAAG,OAAO,YAAY,MAAM,kBAAkB,QAAQ,IAAI,aAAa,EAAE,CAAC;QAE9F,6BAA6B;QAC7B,2EAA2E;QAC3E,uEAAuE;QACvE,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACzE,MAAM,YAAY,GAAG,YAAY,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,sBAAW,CAAC,OAAO,CAAC;QAExE,yDAAyD;QACzD,IAAI,CAAC,cAAc,GAAG,IAAI,gCAAc,CAAC,IAAI,EAAE,gBAAgB,EAAE;YAC7D,GAAG;YACH,MAAM,EAAE,MAAM;YACd,aAAa,EAAE,OAAO;YACtB,QAAQ,EAAE,aAAa;YACvB,YAAY,EAAE,YAAY;YAC1B,kCAAkC;YAClC,4CAA4C;YAC5C,gBAAgB,EAAE,qBAAqB;YACvC,kBAAkB,EAAE,uBAAuB;YAC3C,YAAY,EAAE,iBAAiB;YAC/B,eAAe,EAAE,oBAAoB;YACrC,8DAA8D;YAC9D,gBAAgB,EAAE,qBAAqB;YACvC,mBAAmB,EAAE,wBAAwB;YAC7C,mBAAmB,EAAE,wBAAwB;YAC7C,gFAAgF;YAChF,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,YAAY;YACvC,oBAAoB;YACpB,eAAe,EAAE,oBAAoB;YACrC,aAAa,EAAE,kBAAkB;YACjC,aAAa,EAAE,kBAAkB;YACjC,QAAQ,EAAE,aAAa;SAC1B,CAAC,CAAC;QAEH,iEAAiE;QACjE,IAAI,CAAC,GAAG,GAAG,IAAI,iCAAc,CAAC,IAAI,EAAE,gBAAgB,EAAE;YAClD,GAAG,EAAE,GAAG;YACR,eAAe,EAAE,IAAI,CAAC,cAAc,CAAC,eAAe;YACpD,oBAAoB,EAAE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC;YAC/E,MAAM,EAAE,MAAM;SACjB,CAAC,CAAC;QAEH,qEAAqE;QACrE,+EAA+E;QAC/E,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;
QAC9C,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC/E,CAAC;QAED,4CAA4C;QAC5C,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,iBAAiB,EAAE;YACvC,KAAK,EAAE,IAAI,CAAC,eAAe;YAC3B,WAAW,EAAE,gEAAgE;SAChF,CAAC,CAAC;QAEH,kCAAkC;QAClC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,gBAAgB,EAAE;YACtC,KAAK,EAAE,WAAW;YAClB,WAAW,EAAE,sCAAsC;SACtD,CAAC,CAAC;QAEH,6BAA6B;QAC7B,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,cAAc,EAAE;YACpC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,IAAI,sBAAW,CAAC,OAAO;YAChE,WAAW,EAAE,eAAe;SAC/B,CAAC,CAAC;QAEH,+BAA+B;QAC/B,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,aAAa,EAAE;YACnC,KAAK,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,YAAY;YAChD,WAAW,EAAE,6CAA6C;SAC7D,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,oBAAoB,EAAE;YAC1C,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY;YACrC,WAAW,EAAE,kDAAkD;SAClE,CAAC,CAAC;QAEH,IAAI,
|
|
1
|
+
{"version":3,"file":"benchling-webhook-stack.js","sourceRoot":"","sources":["../../lib/benchling-webhook-stack.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,yDAA2C;AAC3C,yDAA2C;AAE3C,uDAAmD;AACnD,yDAAoD;AAEpD,mEAA0C;AAgB1C,MAAa,qBAAsB,SAAQ,GAAG,CAAC,KAAK;IAKhD,YACI,KAAgB,EAChB,EAAU,EACV,KAAiC;QAEjC,KAAK,CAAC,KAAK,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC;QAExB,MAAM,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;QAEzB,yCAAyC;QACzC,4EAA4E;QAC5E,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,MAAM,CAAC;QACrE,IAAI,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CACX,qDAAqD;gBACrD,gEAAgE;gBAChE,mDAAmD,CACtD,CAAC;QACN,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,0CAA0C,sBAAW,CAAC,OAAO,GAAG,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QAErD,mEAAmE;QACnE,mEAAmE;QAEnE,wCAAwC;QACxC,sDAAsD;QACtD,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,kBAAkB,EAAE;YACzE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,+CAA+C;YAC5D,OAAO,EAAE,EAAE,EAAG,sCAAsC;SACvD,CAAC,CAAC;QAEH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,oBAAoB,EAAE;YAC7E,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sDAAsD;YACnE,OAAO,EAAE,EAAE,EAAG,sCAAsC;SACvD,CAAC,CAAC;QAEH,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,cAAc,EAAE;YACjE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,2DAA2D;YACxE,OAAO,EAAE,EAAE,EAAG,sCAAsC;SACvD,CAAC,CAAC;QAEH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,iBAAiB,EAAE;YACvE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,2DAA2D;YACxE,OAAO,EAAE,EAAE;SACd,CAAC,CAAC;QAEH,8DAA8D;QAC9D,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,kBAAkB,EAAE;YACzE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,+DAA+D;YAC5E,OAAO,EAAE,EAAE;SACd,CAAC,CAAC;QAEH,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,qBAAqB,EAAE;YAC/E,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,0EAA0E;YACvF,OAAO,EAAE,EAAE;SACd,CAAC,CAAC;QAEH,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,qBAAqB,EAAE;YAC/E,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,2EAA2E;YACxF,OAAO,EAAE,EAAE;SACd,CA
AC,CAAC;QAEH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,oBAAoB,EAAE;YAC1E,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,0DAA0D;YACvE,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,SAAS;SACtC,CAAC,CAAC;QAEH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,EAAE;YACzD,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,qDAAqD;YAClE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,IAAI,MAAM;YACxC,aAAa,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC;SACvD,CAAC,CAAC;QAEH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,EAAE;YACzD,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,0EAA0E;YACvF,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC,QAAQ,IAAI,QAAQ;SAClD,CAAC,CAAC;QAEH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,eAAe,EAAE;YACnE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,kFAAkF;YAC/F,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;SAClC,CAAC,CAAC;QAEH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,eAAe,EAAE;YACnE,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sFAAsF;YACnG,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE;SACvC,CAAC,CAAC;QAEH,uDAAuD;QACvD,iDAAiD;QACjD,MAAM,qBAAqB,GAAG,qBAAqB,CAAC,aAAa,CAAC;QAClE,MAAM,uBAAuB,GAAG,uBAAuB,CAAC,aAAa,CAAC;QACtE,MAAM,iBAAiB,GAAG,iBAAiB,CAAC,aAAa,CAAC;QAC1D,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,aAAa,CAAC;QAChE,MAAM,qBAAqB,GAAG,qBAAqB,CAAC,aAAa,CAAC;QAClE,MAAM,wBAAwB,GAAG,wBAAwB,CAAC,aAAa,CAAC;QACxE,MAAM,wBAAwB,GAAG,wBAAwB,CAAC,aAAa,CAAC;QACxE,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,aAAa,CAAC;QAChE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;QAClD,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;QAClD,MAAM,kBAAkB,GAAG,kBAAkB,CAAC,aAAa,CAAC;QAC5D,MAAM,kBAAkB,GAAG,kBAAkB,CAAC,aAAa,CAAC;QAE5D,sEAAsE;QACtE,6DAA6D;QAE7D,8BAA8B;QAC9B,wFAAwF;QACxF,8DAA8D;QAC9D,wFAAwF;QACxF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK;YACpC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,aAAa,EAAE;gBACtC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK;aACrC,CAAC;YACF,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,EAAE;gBACvC,MAAM,EAAE,CAAC;gBACT,WAAW,EAAE,CAAC,EAAE,gEAAgE;gBAChF,mBAAmB,EAAE;oBACjB;wBACI,IAAI,EAAE,QAAQ;wBACd,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,MAAM;wBACjC,QAAQ,EAAE,EAAE;qBACf;oBACD;wBACI,IAA
I,EAAE,SAAS;wBACf,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,mBAAmB,EAAE,wBAAwB;wBACxE,QAAQ,EAAE,EAAE;qBACf;iBACJ;aACJ,CAAC,CAAC;QAEP,8FAA8F;QAC9F,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClC,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;YAChE,MAAM,IAAI,KAAK,CACX,QAAQ,aAAa,mCAAmC;gBACpD,0EAA0E;gBAC1E,oDAAoD;gBACpD,sDAAsD;gBACtD,4CAA4C;gBAC5C,wDAAwD;gBACxD,mDAAmD;gBACnD,wCAAwC;gBACxC,oFAAoF,CAC3F,CAAC;QACN,CAAC;QAED,OAAO,CAAC,GAAG,CACP,cAAc,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,IAAI,cAAc,KAAK,GAAG,CAAC,cAAc,CAAC,MAAM,mBAAmB,CAChH,CAAC;QAEF,iEAAiE;QACjE,MAAM,OAAO,GAAG,cAAc,CAAC;QAC/B,MAAM,MAAM,GAAG,WAAW,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,aAAa,IAAI,qBAAqB,CAAC;QAC1E,MAAM,MAAM,GAAG,eAAe,MAAM,IAAI,OAAO,eAAe,QAAQ,EAAE,CAAC;QACzE,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,iBAAiB,CAAC,IAAI,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;QACxF,MAAM,WAAW,GAAG,GAAG,OAAO,YAAY,MAAM,kBAAkB,QAAQ,IAAI,aAAa,EAAE,CAAC;QAE9F,6BAA6B;QAC7B,2EAA2E;QAC3E,uEAAuE;QACvE,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACzE,MAAM,YAAY,GAAG,YAAY,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,sBAAW,CAAC,OAAO,CAAC;QAExE,yDAAyD;QACzD,IAAI,CAAC,cAAc,GAAG,IAAI,gCAAc,CAAC,IAAI,EAAE,gBAAgB,EAAE;YAC7D,GAAG;YACH,MAAM,EAAE,MAAM;YACd,aAAa,EAAE,OAAO;YACtB,QAAQ,EAAE,aAAa;YACvB,YAAY,EAAE,YAAY;YAC1B,kCAAkC;YAClC,4CAA4C;YAC5C,gBAAgB,EAAE,qBAAqB;YACvC,kBAAkB,EAAE,uBAAuB;YAC3C,YAAY,EAAE,iBAAiB;YAC/B,eAAe,EAAE,oBAAoB;YACrC,8DAA8D;YAC9D,gBAAgB,EAAE,qBAAqB;YACvC,mBAAmB,EAAE,wBAAwB;YAC7C,mBAAmB,EAAE,wBAAwB;YAC7C,gFAAgF;YAChF,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,YAAY;YACvC,oBAAoB;YACpB,eAAe,EAAE,oBAAoB;YACrC,aAAa,EAAE,kBAAkB;YACjC,aAAa,EAAE,kBAAkB;YACjC,QAAQ,EAAE,aAAa;SAC1B,CAAC,CAAC;QAEH,iEAAiE;QACjE,IAAI,CAAC,GAAG,GAAG,IAAI,iCAAc,CAAC,IAAI,EAAE,gBAAgB,EAAE;YAClD,GAAG,EAAE,GAAG;YACR,eAAe,EAAE,IAAI,CAAC,cAAc,CAAC,eAAe;YACpD,oBAAoB,EAAE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC;YAC/E,MAAM,EAAE,MAAM;SACjB,CAAC,CAAC;QAEH,qEAAqE;QACrE,+EAA+E;QAC/E,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;
QAC9C,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC/E,CAAC;QAED,4CAA4C;QAC5C,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,iBAAiB,EAAE;YACvC,KAAK,EAAE,IAAI,CAAC,eAAe;YAC3B,WAAW,EAAE,gEAAgE;SAChF,CAAC,CAAC;QAEH,kCAAkC;QAClC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,gBAAgB,EAAE;YACtC,KAAK,EAAE,WAAW;YAClB,WAAW,EAAE,sCAAsC;SACtD,CAAC,CAAC;QAEH,6BAA6B;QAC7B,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,cAAc,EAAE;YACpC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,IAAI,sBAAW,CAAC,OAAO;YAChE,WAAW,EAAE,eAAe;SAC/B,CAAC,CAAC;QAEH,+BAA+B;QAC/B,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,aAAa,EAAE;YACnC,KAAK,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,YAAY;YAChD,WAAW,EAAE,6CAA6C;SAC7D,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,oBAAoB,EAAE;YAC1C,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY;YACrC,WAAW,EAAE,kDAAkD;SAClE,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,cAAc,EAAE;YACpC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO;YACxC,WAAW,EAAE,kCAAkC;SAClD,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,aAAa,EAAE;YACnC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY;YAC/C,WAAW,EAAE,mCAAmC;SACnD,CAAC,CAAC;QAEH,gCAAgC;QAChC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,eAAe,EAAE;YACrC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO;YAC/B,WAAW,EAAE,8BAA8B;SAC9C,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,cAAc,EAAE;YACpC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;YAC9B,WAAW,EAAE,4CAA4C;SAC5D,CAAC,CAAC;IACP,CAAC;CAGJ;AAtRD,sDAsRC"}
|
|
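--- a/package/dist/lib/http-api-gateway.d.ts
+++ b/package/dist/lib/http-api-gateway.d.ts
@@ -2,9 +2,9 @@ import * as apigatewayv2 from "aws-cdk-lib/aws-apigatewayv2";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import * as servicediscovery from "aws-cdk-lib/aws-servicediscovery";
 import * as logs from "aws-cdk-lib/aws-logs";
-import * as lambda from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 import { ProfileConfig } from "./types/config";
+import { WafWebAcl } from "./waf-web-acl";
 export interface HttpApiGatewayProps {
 readonly vpc: ec2.IVpc;
 readonly cloudMapService: servicediscovery.IService;
@@ -15,8 +15,7 @@ export declare class HttpApiGateway {
 readonly api: apigatewayv2.HttpApi;
 readonly vpcLink: apigatewayv2.VpcLink;
 readonly logGroup: logs.ILogGroup;
-readonly
-readonly authorizerLogGroup?: logs.ILogGroup;
+readonly wafWebAcl: WafWebAcl;
 constructor(scope: Construct, id: string, props: HttpApiGatewayProps);
 }
 //# sourceMappingURL=http-api-gateway.d.ts.map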
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"http-api-gateway.d.ts","sourceRoot":"","sources":["../../lib/http-api-gateway.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,YAAY,MAAM,8BAA8B,CAAC;AAG7D,OAAO,KAAK,GAAG,MAAM,qBAAqB,CAAC;AAC3C,OAAO,KAAK,gBAAgB,MAAM,kCAAkC,CAAC;AACrE,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,
|
|
1
|
+
{"version":3,"file":"http-api-gateway.d.ts","sourceRoot":"","sources":["../../lib/http-api-gateway.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,YAAY,MAAM,8BAA8B,CAAC;AAG7D,OAAO,KAAK,GAAG,MAAM,qBAAqB,CAAC;AAC3C,OAAO,KAAK,gBAAgB,MAAM,kCAAkC,CAAC;AACrE,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE1C,MAAM,WAAW,mBAAmB;IAChC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC;IACvB,QAAQ,CAAC,eAAe,EAAE,gBAAgB,CAAC,QAAQ,CAAC;IACpD,QAAQ,CAAC,oBAAoB,EAAE,GAAG,CAAC,cAAc,CAAC;IAClD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAClC;AAED,qBAAa,cAAc;IACvB,SAAgB,GAAG,EAAE,YAAY,CAAC,OAAO,CAAC;IAC1C,SAAgB,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC;IAC9C,SAAgB,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;IACzC,SAAgB,SAAS,EAAE,SAAS,CAAC;gBAEzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,mBAAmB;CA+HvE"}
|
|
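--- a/package/dist/lib/http-api-gateway.js
+++ b/package/dist/lib/http-api-gateway.js
@@ -36,11 +36,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.HttpApiGateway = void 0;
 const cdk = __importStar(require("aws-cdk-lib"));
 const apigatewayv2 = __importStar(require("aws-cdk-lib/aws-apigatewayv2"));
-const apigatewayv2Authorizers = __importStar(require("aws-cdk-lib/aws-apigatewayv2-authorizers"));
 const apigatewayv2Integrations = __importStar(require("aws-cdk-lib/aws-apigatewayv2-integrations"));
+const wafv2 = __importStar(require("aws-cdk-lib/aws-wafv2"));
 const logs = __importStar(require("aws-cdk-lib/aws-logs"));
-const
-const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const waf_web_acl_1 = require("./waf-web-acl");
 class HttpApiGateway {
 constructor(scope, id, props) {
 // Access logs for HTTP API
@@ -55,120 +54,32 @@ class HttpApiGateway {
 securityGroups: [props.serviceSecurityGroup],
 vpcLinkName: "benchling-webhook-vpclink",
 });
-// Lambda authorizer for webhook verification (HTTP API v2 SIMPLE response)
-const verificationEnabled = props.config.security?.enableVerification !== false;
-const benchlingSecretArn = props.config.benchling.secretArn;
-if (!benchlingSecretArn) {
-throw new Error("Benchling secret ARN is required to configure the Lambda authorizer");
-}
-// Create authorizer Lambda if verification is enabled
-let httpAuthorizer;
-if (verificationEnabled) {
-this.authorizerLogGroup = new logs.LogGroup(scope, "WebhookAuthorizerLogGroup", {
-retention: logs.RetentionDays.ONE_WEEK,
-removalPolicy: cdk.RemovalPolicy.DESTROY,
-});
-// Lambda bundling: Install dependencies at build time
-// NOTE: For local development, pre-build with: make lambda-bundle
-// This reduces CDK build time by using cached wheels
-const bundlingCommands = [
-"set -euo pipefail",
-"export PIP_NO_BUILD_ISOLATION=1 PIP_ONLY_BINARY=:all: PIP_DISABLE_PIP_VERSION_CHECK=1 PIP_CACHE_DIR=/tmp/pipcache",
-"pip install -q --platform manylinux2014_x86_64 --implementation cp --python-version 3.12 --abi cp312 --only-binary=:all: -t /asset-output -r /asset-input/lambda/authorizer/requirements.txt -c /asset-input/lambda/authorizer/constraints.txt",
-"cp /asset-input/docker/src/lambda_authorizer.py /asset-output/index.py",
-].join(" && ");
-const authorizerCode = process.env.NODE_ENV === "test"
-? lambda.Code.fromInline("def handler(event, context):\n return {'isAuthorized': True}")
-: lambda.Code.fromAsset(".", {
-bundling: {
-image: lambda.Runtime.PYTHON_3_12.bundlingImage,
-command: ["bash", "-c", bundlingCommands],
-},
-});
-this.authorizer = new lambda.Function(scope, "WebhookAuthorizerFunction", {
-runtime: lambda.Runtime.PYTHON_3_12,
-handler: "index.handler",
-memorySize: 128,
-timeout: cdk.Duration.seconds(10),
-architecture: lambda.Architecture.X86_64,
-description: "Benchling webhook signature verification (HTTP API v2)",
-environment: {
-BENCHLING_SECRET_ARN: benchlingSecretArn,
-LOG_LEVEL: props.config.logging?.level || "INFO",
-},
-code: authorizerCode,
-logGroup: this.authorizerLogGroup,
-});
-// Grant Secrets Manager access
-this.authorizer.addToRolePolicy(new iam.PolicyStatement({
-actions: ["secretsmanager:GetSecretValue"],
-resources: [benchlingSecretArn],
-}));
-// Create HTTP Lambda Authorizer with SIMPLE response format
-// Note: HTTP API v2 uses a simpler response format than REST API (REQUEST authorizer)
-httpAuthorizer = new apigatewayv2Authorizers.HttpLambdaAuthorizer("WebhookAuthorizer", this.authorizer, {
-authorizerName: "WebhookAuthorizer",
-identitySource: [
-"$request.header.webhook-signature",
-"$request.header.webhook-id",
-"$request.header.webhook-timestamp",
-],
-responseTypes: [apigatewayv2Authorizers.HttpLambdaResponseType.SIMPLE],
-resultsCacheTtl: cdk.Duration.seconds(0), // No caching for HMAC signatures
-});
-}
 // Create HTTP API v2
 this.api = new apigatewayv2.HttpApi(scope, "BenchlingWebhookHttpAPI", {
 apiName: "BenchlingWebhookHttpAPI",
-description: "HTTP API for Benchling webhook integration (
+description: "HTTP API for Benchling webhook integration (v1.0.0+ with WAF)",
 });
 // Service Discovery integration via VPC Link
 const integration = new apigatewayv2Integrations.HttpServiceDiscoveryIntegration("CloudMapIntegration", props.cloudMapService, { vpcLink: this.vpcLink });
-// Webhook routes -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-methods: [apigatewayv2.HttpMethod.POST],
-integration,
-authorizer: httpAuthorizer,
-});
-}
-else {
-// No authorizer - allow all webhook routes (for testing only)
-this.api.addRoutes({
-path: "/event",
-methods: [apigatewayv2.HttpMethod.POST],
-integration,
-});
-this.api.addRoutes({
-path: "/lifecycle",
-methods: [apigatewayv2.HttpMethod.POST],
-integration,
-});
-this.api.addRoutes({
-path: "/canvas",
-methods: [apigatewayv2.HttpMethod.POST],
-integration,
-});
-console.warn("WARNING: Webhook signature verification is DISABLED. " +
-"This should only be used for testing. Enable it in production by setting " +
-"config.security.enableVerification = true");
-}
+// Webhook routes - HMAC verification handled by FastAPI application
+// Event webhooks
+this.api.addRoutes({
+path: "/event",
+methods: [apigatewayv2.HttpMethod.POST],
+integration,
+});
+// Lifecycle webhooks
+this.api.addRoutes({
+path: "/lifecycle",
+methods: [apigatewayv2.HttpMethod.POST],
+integration,
+});
+// Canvas webhooks
+this.api.addRoutes({
+path: "/canvas",
+methods: [apigatewayv2.HttpMethod.POST],
+integration,
+});
 // Health check routes - always unauthenticated
 this.api.addRoutes({
 path: "/health",
@@ -191,6 +102,22 @@ class HttpApiGateway {
 methods: [apigatewayv2.HttpMethod.GET],
 integration,
 });
+// Create WAF Web ACL for IP filtering
+this.wafWebAcl = new waf_web_acl_1.WafWebAcl(scope, "WafWebAcl", {
+ipAllowList: props.config.security?.webhookAllowList || "",
+});
+// Construct HTTP API ARN for WAF association
+// Format: arn:aws:apigateway:{region}::/apis/{api-id}/stages/{stage-name}
+const apiArn = cdk.Stack.of(scope).formatArn({
+service: "apigateway",
+resource: `/apis/${this.api.apiId}/stages/${this.api.defaultStage?.stageName || "$default"}`,
+arnFormat: cdk.ArnFormat.SLASH_RESOURCE_NAME,
+});
+// Associate WAF with HTTP API
+new wafv2.CfnWebACLAssociation(scope, "WafAssociation", {
+resourceArn: apiArn,
+webAclArn: this.wafWebAcl.webAcl.attrArn,
+});
 // Configure access logging on the default stage
 const stage = this.api.defaultStage?.node.defaultChild;
 if (stage) {
@@ -207,16 +134,18 @@ class HttpApiGateway {
 responseLength: "$context.responseLength",
 errorMessage: "$context.error.message",
 errorType: "$context.error.messageString",
-authorizerError: "$context.authorizer.error",
 }),
 };
 }
-//
+// Webhook verification status
+const verificationEnabled = props.config.security?.enableVerification !== false;
 if (verificationEnabled) {
-console.log("Webhook signature verification: ENABLED (
+console.log("Webhook signature verification: ENABLED (FastAPI application)");
 }
 else {
-console.
+console.warn("WARNING: Webhook signature verification is DISABLED. " +
+"This should only be used for testing. Enable it in production by setting " +
+"config.security.enableVerification = true");
 }
 }
 }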
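Review bot: The three webhook POST routes (`/event`, `/lifecycle`, `/canvas`) are now added with no `authorizer`, and `verificationEnabled` at the end of the constructor only chooses between a `console.log` and a `console.warn`, so nothing in this construct enforces the HMAC check that the comment `// Webhook routes - HMAC verification handled by FastAPI application` defers to code outside this diff; meanwhile the WAF is built with `ipAllowList: props.config.security?.webhookAllowList || ""`, which waf-web-acl.d.ts documents as COUNT mode, so a default deployment lets unauthenticated POSTs through the edge. I would at least make the disabled branch fail the synth outside tests, e.g. `if (!verificationEnabled && process.env.NODE_ENV !== "test") throw new Error("config.security.enableVerification=false is only permitted when NODE_ENV=test");`, and extend that route comment to state explicitly that the gateway itself performs no signature check. The `formatArn` call is not given `account: ""`, so unless CDK's default of the stack account is overridden the ARN it produces has the form `arn:aws:apigateway:{region}:{account}:/apis/...`, not the `arn:aws:apigateway:{region}::/apis/...` form the comment above it documents; add `account: "",` to the `formatArn` options. Also, as far as I know WAFv2 regional web ACLs can be associated with REST API stages but not with HTTP APIs (API Gateway v2), so `CfnWebACLAssociation` against this `HttpApi` stage may be rejected at deploy time — worth verifying before treating the WAF as the enforcement layer. The constructor body starts and continues outside these hunks.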
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"http-api-gateway.js","sourceRoot":"","sources":["../../lib/http-api-gateway.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,2EAA6D;AAC7D,
|
|
1
|
+
{"version":3,"file":"http-api-gateway.js","sourceRoot":"","sources":["../../lib/http-api-gateway.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,2EAA6D;AAC7D,oGAAsF;AACtF,6DAA+C;AAG/C,2DAA6C;AAG7C,+CAA0C;AAS1C,MAAa,cAAc;IAMvB,YAAY,KAAgB,EAAE,EAAU,EAAE,KAA0B;QAChE,2BAA2B;QAC3B,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,EAAE;YAC7D,YAAY,EAAE,wCAAwC;YACtD,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,0DAA0D;QAC1D,IAAI,CAAC,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE;YACtD,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,cAAc,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC;YAC5C,WAAW,EAAE,2BAA2B;SAC3C,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAI,CAAC,GAAG,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,yBAAyB,EAAE;YAClE,OAAO,EAAE,yBAAyB;YAClC,WAAW,EAAE,+DAA+D;SAC/E,CAAC,CAAC;QAEH,6CAA6C;QAC7C,MAAM,WAAW,GAAG,IAAI,wBAAwB,CAAC,+BAA+B,CAC5E,qBAAqB,EACrB,KAAK,CAAC,eAAe,EACrB,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAC5B,CAAC;QAEF,oEAAoE;QACpE,iBAAiB;QACjB,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;YACvC,WAAW;SACd,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;YACvC,WAAW;SACd,CAAC,CAAC;QAEH,kBAAkB;QAClB,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;YACvC,WAAW;SACd,CAAC,CAAC;QAEH,+CAA+C;QAC/C,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,uDAAuD;QACvD,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,GAAG;YACT,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,sCAAsC;QACtC,
IAAI,CAAC,SAAS,GAAG,IAAI,uBAAS,CAAC,KAAK,EAAE,WAAW,EAAE;YAC/C,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,IAAI,EAAE;SAC7D,CAAC,CAAC;QAEH,6CAA6C;QAC7C,0EAA0E;QAC1E,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC;YACzC,OAAO,EAAE,YAAY;YACrB,QAAQ,EAAE,SAAS,IAAI,CAAC,GAAG,CAAC,KAAK,WAAW,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,IAAI,UAAU,EAAE;YAC5F,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,mBAAmB;SAC/C,CAAC,CAAC;QAEH,8BAA8B;QAC9B,IAAI,KAAK,CAAC,oBAAoB,CAAC,KAAK,EAAE,gBAAgB,EAAE;YACpD,WAAW,EAAE,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,gDAAgD;QAChD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,YAAiD,CAAC;QAC5F,IAAI,KAAK,EAAE,CAAC;YACR,KAAK,CAAC,iBAAiB,GAAG;gBACtB,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW;gBACzC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,oBAAoB;oBAC/B,EAAE,EAAE,4BAA4B;oBAChC,WAAW,EAAE,sBAAsB;oBACnC,UAAU,EAAE,qBAAqB;oBACjC,QAAQ,EAAE,mBAAmB;oBAC7B,MAAM,EAAE,iBAAiB;oBACzB,QAAQ,EAAE,mBAAmB;oBAC7B,cAAc,EAAE,yBAAyB;oBACzC,YAAY,EAAE,wBAAwB;oBACtC,SAAS,EAAE,8BAA8B;iBAC5C,CAAC;aACL,CAAC;QACN,CAAC;QAED,8BAA8B;QAC9B,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,kBAAkB,KAAK,KAAK,CAAC;QAChF,IAAI,mBAAmB,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;QACjF,CAAC;aAAM,CAAC;YACJ,OAAO,CAAC,IAAI,CACR,uDAAuD;gBACvD,2EAA2E;gBAC3E,2CAA2C,CAC9C,CAAC;QACN,CAAC;IACL,CAAC;CACJ;AArID,wCAqIC"}
|
|
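--- /dev/null
+++ b/package/dist/lib/waf-web-acl.d.ts
@@ -0,0 +1,51 @@
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
+import * as logs from "aws-cdk-lib/aws-logs";
+import { Construct } from "constructs";
+export interface WafWebAclProps {
+/**
+* Comma-separated list of allowed IP addresses/CIDR blocks
+*
+* Empty string means no IP filtering (discovery mode - COUNT all requests).
+* Non-empty string enables IP filtering (security mode - BLOCK unknown IPs).
+*
+* @example "192.168.1.0/24,10.0.0.0/8"
+* @default ""
+*/
+readonly ipAllowList?: string;
+}
+/**
+* WAF Web ACL for Benchling webhook IP filtering
+*
+* Provides defense-in-depth security at AWS edge with two rules:
+* 1. Health check exception - Always allow /health, /health/ready, /health/live
+* 2. IP allowlist - Allow requests from configured IP ranges
+*
+* **Automatic Mode Selection:**
+* - Empty IP allowlist → COUNT mode (discovery phase - logs requests but doesn't block)
+* - Non-empty IP allowlist → BLOCK mode (security phase - blocks unknown IPs)
+*
+* This allows customers to deploy initially without knowing Benchling IPs,
+* discover them from CloudWatch logs, then add them to enable blocking mode.
+*/
+export declare class WafWebAcl extends Construct {
+readonly webAcl: wafv2.CfnWebACL;
+readonly ipSet: wafv2.CfnIPSet;
+readonly logGroup: logs.ILogGroup;
+constructor(scope: Construct, id: string, props?: WafWebAclProps);
+/**
+* Parse IP allowlist string into array of CIDR blocks
+*
+* - Splits by comma
+* - Trims whitespace
+* - Adds /32 suffix if not present
+* - Filters out empty entries
+*
+* @param allowList Comma-separated list of IPs/CIDR blocks
+* @returns Array of CIDR blocks
+*
+* @example
+* parseIpAllowList("192.168.1.0/24, 10.0.0.1") → ["192.168.1.0/24", "10.0.0.1/32"]
+*/
+private parseIpAllowList;
+}
+//# sourceMappingURL=waf-web-acl.d.ts.map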
@@ -0,0 +1 @@
1
+
{"version":3,"file":"waf-web-acl.d.ts","sourceRoot":"","sources":["../../lib/waf-web-acl.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,KAAK,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,MAAM,WAAW,cAAc;IAC3B;;;;;;;;OAQG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,SAAU,SAAQ,SAAS;IACpC,SAAgB,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC;IACxC,SAAgB,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC;IACtC,SAAgB,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;gBAE7B,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,GAAE,cAAmB;IA2HpE;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,gBAAgB;CAU3B"}
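--- /dev/null
+++ b/package/dist/lib/waf-web-acl.js
@@ -0,0 +1,192 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function (o) {
+var ar = [];
+for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+__setModuleDefault(result, mod);
+return result;
+};
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WafWebAcl = void 0;
+const cdk = __importStar(require("aws-cdk-lib"));
+const wafv2 = __importStar(require("aws-cdk-lib/aws-wafv2"));
+const logs = __importStar(require("aws-cdk-lib/aws-logs"));
+const constructs_1 = require("constructs");
+/**
+* WAF Web ACL for Benchling webhook IP filtering
+*
+* Provides defense-in-depth security at AWS edge with two rules:
+* 1. Health check exception - Always allow /health, /health/ready, /health/live
+* 2. IP allowlist - Allow requests from configured IP ranges
+*
+* **Automatic Mode Selection:**
+* - Empty IP allowlist → COUNT mode (discovery phase - logs requests but doesn't block)
+* - Non-empty IP allowlist → BLOCK mode (security phase - blocks unknown IPs)
+*
+* This allows customers to deploy initially without knowing Benchling IPs,
+* discover them from CloudWatch logs, then add them to enable blocking mode.
+*/
+class WafWebAcl extends constructs_1.Construct {
+constructor(scope, id, props = {}) {
+super(scope, id);
+// Parse IP allowlist with CIDR notation normalization
+const ipAllowList = this.parseIpAllowList(props.ipAllowList || "");
+// Automatic mode selection based on IP allowlist
+// - Empty allowlist: Allow mode (discovery - logs all requests, no blocking)
+// - Has IPs: Block mode (security - blocks unknown IPs)
+const isDiscoveryMode = ipAllowList.length === 0;
+const mode = isDiscoveryMode ? "Allow" : "Block";
+console.log(`WAF mode: ${mode} (${isDiscoveryMode ? "discovery - no IPs configured, all traffic allowed" : `security - ${ipAllowList.length} IP ranges configured`})`);
+// Create IP Set for allowlist
+this.ipSet = new wafv2.CfnIPSet(this, "IPSet", {
+name: "BenchlingWebhookIPSet",
+scope: "REGIONAL",
+ipAddressVersion: "IPV4",
+addresses: ipAllowList,
+description: "Allowed IP addresses for Benchling webhooks",
+});
+// CloudWatch log group for WAF logs
+this.logGroup = new logs.LogGroup(this, "WafLogGroup", {
+logGroupName: "/aws/waf/benchling-webhook",
+retention: logs.RetentionDays.ONE_WEEK,
+removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+// Create Web ACL with two rules
+// Default action: Allow (discovery mode) or Block (security mode)
+const defaultActionConfig = isDiscoveryMode
+? { allow: {} }
+: { block: {} };
+this.webAcl = new wafv2.CfnWebACL(this, "WebACL", {
+name: "BenchlingWebhookWebACL",
+scope: "REGIONAL",
+defaultAction: defaultActionConfig,
+description: "WAF for Benchling webhook IP filtering with automatic discovery mode. " +
+`Mode: ${mode} (${isDiscoveryMode ? "empty allowlist - all traffic allowed" : `${ipAllowList.length} IPs configured`})`,
+rules: [
+// Rule 1: Health check exception (Priority 10)
+// Always allow health check endpoints regardless of IP
+{
+name: "HealthCheckException",
+priority: 10,
+statement: {
+orStatement: {
+statements: [
+{
+byteMatchStatement: {
+fieldToMatch: { uriPath: {} },
+positionalConstraint: "EXACTLY",
+searchString: "/health",
+textTransformations: [{ priority: 0, type: "NONE" }],
+},
+},
+{
+byteMatchStatement: {
+fieldToMatch: { uriPath: {} },
+positionalConstraint: "EXACTLY",
+searchString: "/health/ready",
+textTransformations: [{ priority: 0, type: "NONE" }],
+},
+},
+{
+byteMatchStatement: {
+fieldToMatch: { uriPath: {} },
+positionalConstraint: "EXACTLY",
+searchString: "/health/live",
+textTransformations: [{ priority: 0, type: "NONE" }],
+},
+},
+],
+},
+},
+action: { allow: {} },
+visibilityConfig: {
+sampledRequestsEnabled: true,
+cloudWatchMetricsEnabled: true,
+metricName: "HealthCheckException",
+},
+},
+// Rule 2: IP allowlist (Priority 20)
+// Allow requests from configured IP ranges
+// Note: When IP allowlist is empty, this rule matches no IPs,
+// so all non-health requests fall through to default action (COUNT or BLOCK)
+{
+name: "IPAllowlist",
+priority: 20,
+statement: {
+ipSetReferenceStatement: {
+arn: this.ipSet.attrArn,
+},
+},
+action: { allow: {} },
+visibilityConfig: {
+sampledRequestsEnabled: true,
+cloudWatchMetricsEnabled: true,
+metricName: "IPAllowlist",
+},
+},
+],
+visibilityConfig: {
+sampledRequestsEnabled: true,
+cloudWatchMetricsEnabled: true,
+metricName: "BenchlingWebhookWebACL",
+},
+});
+// Configure WAF logging to CloudWatch
+new wafv2.CfnLoggingConfiguration(this, "WafLogging", {
+resourceArn: this.webAcl.attrArn,
+logDestinationConfigs: [this.logGroup.logGroupArn],
+});
+}
+/**
+* Parse IP allowlist string into array of CIDR blocks
+*
+* - Splits by comma
+* - Trims whitespace
+* - Adds /32 suffix if not present
+* - Filters out empty entries
+*
+* @param allowList Comma-separated list of IPs/CIDR blocks
+* @returns Array of CIDR blocks
+*
+* @example
+* parseIpAllowList("192.168.1.0/24, 10.0.0.1") → ["192.168.1.0/24", "10.0.0.1/32"]
+*/
+parseIpAllowList(allowList) {
+return allowList
+.split(",")
+.map((ip) => ip.trim())
+.filter((ip) => ip.length > 0)
+.map((ip) => {
+// Ensure CIDR notation (add /32 if not specified)
+return ip.includes("/") ? ip : `${ip}/32`;
+});
+}
+}
+exports.WafWebAcl = WafWebAcl;
+//# sourceMappingURL=waf-web-acl.js.map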
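Review bot: The `CfnLoggingConfiguration` at the end of the constructor is unlikely to deploy as written: WAFv2 only accepts a CloudWatch Logs destination whose log group name begins with `aws-waf-logs-`, and the CDK `logGroupArn` token ends in `:*`, which the logging API rejects, so the log group should be declared as `logGroupName: "aws-waf-logs-benchling-webhook",` and referenced as `logDestinationConfigs: [cdk.Fn.select(0, cdk.Fn.split(":*", this.logGroup.logGroupArn))],` (confirm against the current WAF documentation, but both constraints have been stable for years). The class comment, the "Rule 2" inline comment and the same text in the `.d.ts` section describe an empty allowlist as COUNT mode, while the default action actually built is `{ allow: {} }`; the practical effect is that an unset or mistyped `ipAllowList` silently fails open to allow-all with only a synth-time `console.log` as a signal, so either reword those comments to say "Allow mode" or make discovery an explicit opt-in rather than the fallback. The IP set, Web ACL and log group also carry fixed names (`BenchlingWebhookIPSet`, `BenchlingWebhookWebACL`, `/aws/waf/benchling-webhook`), which blocks a second deployment in the same account and region; leaving `name` unset or deriving it from the construct path avoids the collision.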
@@ -0,0 +1 @@
1
+
{"version":3,"file":"waf-web-acl.js","sourceRoot":"","sources":["../../lib/waf-web-acl.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,6DAA+C;AAC/C,2DAA6C;AAC7C,2CAAuC;AAevC;;;;;;;;;;;;;GAaG;AACH,MAAa,SAAU,SAAQ,sBAAS;IAKpC,YAAY,KAAgB,EAAE,EAAU,EAAE,QAAwB,EAAE;QAChE,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAEjB,sDAAsD;QACtD,MAAM,WAAW,GAAG,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAEnE,iDAAiD;QACjD,6EAA6E;QAC7E,wDAAwD;QACxD,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QACjD,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAEjD,OAAO,CAAC,GAAG,CACP,aAAa,IAAI,KAAK,eAAe,CAAC,CAAC,CAAC,oDAAoD,CAAC,CAAC,CAAC,cAAc,WAAW,CAAC,MAAM,uBAAuB,GAAG,CAC5J,CAAC;QAEF,8BAA8B;QAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE;YAC3C,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,UAAU;YACjB,gBAAgB,EAAE,MAAM;YACxB,SAAS,EAAE,WAAW;YACtB,WAAW,EAAE,6CAA6C;SAC7D,CAAC,CAAC;QAEH,oCAAoC;QACpC,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,EAAE;YACnD,YAAY,EAAE,4BAA4B;YAC1C,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,gCAAgC;QAChC,kEAAkE;QAClE,MAAM,mBAAmB,GAA0C,eAAe;YAC9E,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;YACf,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEpB,IAAI,CAAC,MAAM,GAAG,IAAI,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE;YAC9C,IAAI,EAAE,wBAAwB;YAC9B,KAAK,EAAE,UAAU;YACjB,aAAa,EAAE,mBAAmB;YAClC,WAAW,EACP,wEAAwE;gBACxE,SAAS,IAAI,KAAK,eAAe,CAAC,CAAC,CAAC,uCAAuC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,MAAM,iBAAiB,GAAG;YAC3H,KAAK,EAAE;gBACH,+CAA+C;gBAC/C,uDAAuD;gBACvD;oBACI,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE;wBACP,WAAW,EAAE;4BACT,UAAU,EAAE;gCACR;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,SAAS;wCACvB,mBAAmB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;gCACD;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,eAAe;wCAC7B,mBAAmB,EAAE,CAA
C,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;gCACD;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,cAAc;wCAC5B,mBAAmB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;6BACJ;yBACJ;qBACJ;oBACD,MAAM,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;oBACrB,gBAAgB,EAAE;wBACd,sBAAsB,EAAE,IAAI;wBAC5B,wBAAwB,EAAE,IAAI;wBAC9B,UAAU,EAAE,sBAAsB;qBACrC;iBACJ;gBAED,qCAAqC;gBACrC,2CAA2C;gBAC3C,8DAA8D;gBAC9D,6EAA6E;gBAC7E;oBACI,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE;wBACP,uBAAuB,EAAE;4BACrB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;yBAC1B;qBACJ;oBACD,MAAM,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;oBACrB,gBAAgB,EAAE;wBACd,sBAAsB,EAAE,IAAI;wBAC5B,wBAAwB,EAAE,IAAI;wBAC9B,UAAU,EAAE,aAAa;qBAC5B;iBACJ;aACJ;YACD,gBAAgB,EAAE;gBACd,sBAAsB,EAAE,IAAI;gBAC5B,wBAAwB,EAAE,IAAI;gBAC9B,UAAU,EAAE,wBAAwB;aACvC;SACJ,CAAC,CAAC;QAEH,sCAAsC;QACtC,IAAI,KAAK,CAAC,uBAAuB,CAAC,IAAI,EAAE,YAAY,EAAE;YAClD,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAChC,qBAAqB,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;SACrD,CAAC,CAAC;IACP,CAAC;IAED;;;;;;;;;;;;;OAaG;IACK,gBAAgB,CAAC,SAAiB;QACtC,OAAO,SAAS;aACX,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;aACtB,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;aAC7B,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;YACR,kDAAkD;YAClD,OAAO,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC;QAC9C,CAAC,CAAC,CAAC;IACX,CAAC;CACJ;AAxJD,8BAwJC"}
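--- a/package/dist/package.json
+++ b/package/dist/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@quiltdata/benchling-webhook",
-"version": "0.9.0-
+"version": "0.9.0-20251129T071202Z",
 "description": "AWS CDK deployment for Benchling webhook processing using Fargate - Deploy directly with npx",
 "main": "dist/lib/index.js",
 "types": "dist/lib/index.d.ts",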
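--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@quiltdata/benchling-webhook",
-"version": "0.9.0-
+"version": "0.9.0-20251129T071202Z",
 "description": "AWS CDK deployment for Benchling webhook processing using Fargate - Deploy directly with npx",
 "main": "dist/lib/index.js",
 "types": "dist/lib/index.d.ts",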