@quiltdata/benchling-webhook 0.9.0-20251129T063536Z → 0.9.0-20251130T062440Z

package/dist/lib/http-api-gateway.js

@@ -36,11 +36,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.HttpApiGateway = void 0;
 const cdk = __importStar(require("aws-cdk-lib"));
 const apigatewayv2 = __importStar(require("aws-cdk-lib/aws-apigatewayv2"));
-const apigatewayv2Authorizers = __importStar(require("aws-cdk-lib/aws-apigatewayv2-authorizers"));
 const apigatewayv2Integrations = __importStar(require("aws-cdk-lib/aws-apigatewayv2-integrations"));
+const wafv2 = __importStar(require("aws-cdk-lib/aws-wafv2"));
 const logs = __importStar(require("aws-cdk-lib/aws-logs"));
-const lambda = __importStar(require("aws-cdk-lib/aws-lambda"));
-const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const waf_web_acl_1 = require("./waf-web-acl");
 class HttpApiGateway {
     constructor(scope, id, props) {
         // Access logs for HTTP API
@@ -49,126 +48,42 @@ class HttpApiGateway {
             retention: logs.RetentionDays.ONE_WEEK,
             removalPolicy: cdk.RemovalPolicy.DESTROY,
         });
-        // VPC Link for private integration with Cloud Map service
+        // VPC Link for private integration with Network Load Balancer
+        // v0.9.0: NLB provides reliable health checks for ECS tasks
         this.vpcLink = new apigatewayv2.VpcLink(scope, "VpcLink", {
             vpc: props.vpc,
             securityGroups: [props.serviceSecurityGroup],
             vpcLinkName: "benchling-webhook-vpclink",
         });
-        // Lambda authorizer for webhook verification (HTTP API v2 SIMPLE response)
-        const verificationEnabled = props.config.security?.enableVerification !== false;
-        const benchlingSecretArn = props.config.benchling.secretArn;
-        if (!benchlingSecretArn) {
-            throw new Error("Benchling secret ARN is required to configure the Lambda authorizer");
-        }
-        // Create authorizer Lambda if verification is enabled
-        let httpAuthorizer;
-        if (verificationEnabled) {
-            this.authorizerLogGroup = new logs.LogGroup(scope, "WebhookAuthorizerLogGroup", {
-                retention: logs.RetentionDays.ONE_WEEK,
-                removalPolicy: cdk.RemovalPolicy.DESTROY,
-            });
-            // Lambda bundling: Install dependencies at build time
-            // NOTE: For local development, pre-build with: make lambda-bundle
-            // This reduces CDK build time by using cached wheels
-            const bundlingCommands = [
-                "set -euo pipefail",
-                "export PIP_NO_BUILD_ISOLATION=1 PIP_ONLY_BINARY=:all: PIP_DISABLE_PIP_VERSION_CHECK=1 PIP_CACHE_DIR=/tmp/pipcache",
-                "pip install -q --platform manylinux2014_x86_64 --implementation cp --python-version 3.12 --abi cp312 --only-binary=:all: -t /asset-output -r /asset-input/lambda/authorizer/requirements.txt -c /asset-input/lambda/authorizer/constraints.txt",
-                "cp /asset-input/docker/src/lambda_authorizer.py /asset-output/index.py",
-            ].join(" && ");
-            const authorizerCode = process.env.NODE_ENV === "test"
-                ? lambda.Code.fromInline("def handler(event, context):\n    return {'isAuthorized': True}")
-                : lambda.Code.fromAsset(".", {
-                    bundling: {
-                        image: lambda.Runtime.PYTHON_3_12.bundlingImage,
-                        command: ["bash", "-c", bundlingCommands],
-                    },
-                });
-            this.authorizer = new lambda.Function(scope, "WebhookAuthorizerFunction", {
-                runtime: lambda.Runtime.PYTHON_3_12,
-                handler: "index.handler",
-                memorySize: 128,
-                timeout: cdk.Duration.seconds(10),
-                architecture: lambda.Architecture.X86_64,
-                description: "Benchling webhook signature verification (HTTP API v2)",
-                environment: {
-                    BENCHLING_SECRET_ARN: benchlingSecretArn,
-                    LOG_LEVEL: props.config.logging?.level || "INFO",
-                },
-                code: authorizerCode,
-                logGroup: this.authorizerLogGroup,
-            });
-            // Grant Secrets Manager access
-            this.authorizer.addToRolePolicy(new iam.PolicyStatement({
-                actions: ["secretsmanager:GetSecretValue"],
-                resources: [benchlingSecretArn],
-            }));
-            // Create HTTP Lambda Authorizer with SIMPLE response format
-            // Note: HTTP API v2 uses a simpler response format than REST API (REQUEST authorizer)
-            httpAuthorizer = new apigatewayv2Authorizers.HttpLambdaAuthorizer("WebhookAuthorizer", this.authorizer, {
-                authorizerName: "WebhookAuthorizer",
-                identitySource: [
-                    "$request.header.webhook-signature",
-                    "$request.header.webhook-id",
-                    "$request.header.webhook-timestamp",
-                ],
-                responseTypes: [apigatewayv2Authorizers.HttpLambdaResponseType.SIMPLE],
-                resultsCacheTtl: cdk.Duration.seconds(0), // No caching for HMAC signatures
-            });
-        }
         // Create HTTP API v2
         this.api = new apigatewayv2.HttpApi(scope, "BenchlingWebhookHttpAPI", {
             apiName: "BenchlingWebhookHttpAPI",
-            description: "HTTP API for Benchling webhook integration (v0.9.0+)",
+            description: "HTTP API for Benchling webhook integration (v0.9.0+ with NLB and optional WAF)",
+        });
+        // Network Load Balancer integration via VPC Link
+        // v0.9.0: Replaced Cloud Map with NLB for reliable routing
+        const integration = new apigatewayv2Integrations.HttpNlbIntegration("NlbIntegration", props.nlbListener, {
+            vpcLink: this.vpcLink,
+        });
+        // Webhook routes - HMAC verification handled by FastAPI application
+        // Event webhooks
+        this.api.addRoutes({
+            path: "/event",
+            methods: [apigatewayv2.HttpMethod.POST],
+            integration,
+        });
+        // Lifecycle webhooks
+        this.api.addRoutes({
+            path: "/lifecycle",
+            methods: [apigatewayv2.HttpMethod.POST],
+            integration,
+        });
+        // Canvas webhooks
+        this.api.addRoutes({
+            path: "/canvas",
+            methods: [apigatewayv2.HttpMethod.POST],
+            integration,
         });
-        // Service Discovery integration via VPC Link
-        const integration = new apigatewayv2Integrations.HttpServiceDiscoveryIntegration("CloudMapIntegration", props.cloudMapService, { vpcLink: this.vpcLink });
-        // Webhook routes - protected by Lambda authorizer
-        if (httpAuthorizer) {
-            // Event webhooks (protected)
-            this.api.addRoutes({
-                path: "/event",
-                methods: [apigatewayv2.HttpMethod.POST],
-                integration,
-                authorizer: httpAuthorizer,
-            });
-            // Lifecycle webhooks (protected)
-            this.api.addRoutes({
-                path: "/lifecycle",
-                methods: [apigatewayv2.HttpMethod.POST],
-                integration,
-                authorizer: httpAuthorizer,
-            });
-            // Canvas webhooks (protected)
-            this.api.addRoutes({
-                path: "/canvas",
-                methods: [apigatewayv2.HttpMethod.POST],
-                integration,
-                authorizer: httpAuthorizer,
-            });
-        }
-        else {
-            // No authorizer - allow all webhook routes (for testing only)
-            this.api.addRoutes({
-                path: "/event",
-                methods: [apigatewayv2.HttpMethod.POST],
-                integration,
-            });
-            this.api.addRoutes({
-                path: "/lifecycle",
-                methods: [apigatewayv2.HttpMethod.POST],
-                integration,
-            });
-            this.api.addRoutes({
-                path: "/canvas",
-                methods: [apigatewayv2.HttpMethod.POST],
-                integration,
-            });
-            console.warn("WARNING: Webhook signature verification is DISABLED. " +
-                "This should only be used for testing. Enable it in production by setting " +
-                "config.security.enableVerification = true");
-        }
         // Health check routes - always unauthenticated
         this.api.addRoutes({
             path: "/health",
@@ -191,6 +106,31 @@ class HttpApiGateway {
             methods: [apigatewayv2.HttpMethod.GET],
             integration,
         });
+        // Conditionally create WAF Web ACL for IP filtering
+        // Only deploy WAF if webhookAllowList is configured
+        const webhookAllowList = props.config.security?.webhookAllowList || "";
+        if (webhookAllowList) {
+            console.log("WAF IP filtering: ENABLED");
+            // Create WAF Web ACL
+            this.wafWebAcl = new waf_web_acl_1.WafWebAcl(scope, "WafWebAcl", {
+                ipAllowList: webhookAllowList,
+            });
+            // Construct HTTP API ARN for WAF association
+            // Format: arn:aws:apigateway:{region}::/apis/{api-id}/stages/{stage-name}
+            const apiArn = cdk.Stack.of(scope).formatArn({
+                service: "apigateway",
+                resource: `/apis/${this.api.apiId}/stages/${this.api.defaultStage?.stageName || "$default"}`,
+                arnFormat: cdk.ArnFormat.SLASH_RESOURCE_NAME,
+            });
+            // Associate WAF with HTTP API
+            new wafv2.CfnWebACLAssociation(scope, "WafAssociation", {
+                resourceArn: apiArn,
+                webAclArn: this.wafWebAcl.webAcl.attrArn,
+            });
+        }
+        else {
+            console.log("WAF IP filtering: DISABLED (no webhookAllowList configured)");
+        }
         // Configure access logging on the default stage
         const stage = this.api.defaultStage?.node.defaultChild;
         if (stage) {
@@ -207,16 +147,18 @@ class HttpApiGateway {
                     responseLength: "$context.responseLength",
                     errorMessage: "$context.error.message",
                     errorType: "$context.error.messageString",
-                    authorizerError: "$context.authorizer.error",
                 }),
             };
         }
-        // Output verification status
+        // Webhook verification status
+        const verificationEnabled = props.config.security?.enableVerification !== false;
         if (verificationEnabled) {
-            console.log("Webhook signature verification: ENABLED (Lambda authorizer)");
+            console.log("Webhook signature verification: ENABLED (FastAPI application)");
         }
         else {
-            console.log("Webhook signature verification: DISABLED (testing mode)");
+            console.warn("WARNING: Webhook signature verification is DISABLED. " +
+                "This should only be used for testing. Enable it in production by setting " +
+                "config.security.enableVerification = true");
         }
     }
 }

package/dist/lib/http-api-gateway.js.map

@@ -1 +1 @@
-{"version":3,"file":"http-api-gateway.js","sourceRoot":"","sources":["../../lib/http-api-gateway.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,2EAA6D;AAC7D,kGAAoF;AACpF,oGAAsF;AAGtF,2DAA6C;AAC7C,+DAAiD;AACjD,yDAA2C;AAW3C,MAAa,cAAc;IAOvB,YAAY,KAAgB,EAAE,EAAU,EAAE,KAA0B;QAChE,2BAA2B;QAC3B,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,EAAE;YAC7D,YAAY,EAAE,wCAAwC;YACtD,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,0DAA0D;QAC1D,IAAI,CAAC,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE;YACtD,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,cAAc,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC;YAC5C,WAAW,EAAE,2BAA2B;SAC3C,CAAC,CAAC;QAEH,2EAA2E;QAC3E,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,kBAAkB,KAAK,KAAK,CAAC;QAChF,MAAM,kBAAkB,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC;QAE5D,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;QAC3F,CAAC;QAED,sDAAsD;QACtD,IAAI,cAA6D,CAAC;QAElE,IAAI,mBAAmB,EAAE,CAAC;YACtB,IAAI,CAAC,kBAAkB,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,2BAA2B,EAAE;gBAC5E,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;gBACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;aAC3C,CAAC,CAAC;YAEH,sDAAsD;YACtD,kEAAkE;YAClE,qDAAqD;YACrD,MAAM,gBAAgB,GAAG;gBACrB,mBAAmB;gBACnB,mHAAmH;gBACnH,gPAAgP;gBAChP,wEAAwE;aAC3E,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAEf,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM;gBAClD,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,iEAAiE,CAAC;gBAC3F,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;oBACzB,QAAQ,EAAE;wBACN,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,aAAa;wBAC/C,OAAO,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,gBAAgB,CAAC;qBAC5C;iBACJ,CAAC,CAAC;YAEP,IAAI,CAAC,UAAU,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,2BAA2B,EAAE;gBACtE,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW;gBACnC,OAAO,EAAE,eAAe;gBACxB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,MAAM;gBACxC,WAAW,EAAE,wDAAwD;gBACrE,WAAW,EAAE;oBACT,oBAAoB,EAAE,kBAAkB;oBACxC,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,IAAI,MAAM;iBACnD;gBACD,IAAI,EAAE,cAAc;gBACpB,QAAQ,EAAE,IAAI,CAAC,kBAAkB;aACpC,CAAC,CAAC;YAEH,+BAA+B;YAC/B,IAAI,CAAC,UAAU,CAAC,eAAe,CAC3B,IAAI,GAAG,CAAC,eAAe,CAAC;gBACpB,OAAO,EAAE,CAAC,+BAA+B,CAAC;gBAC1C,SAAS,EAAE,CAAC,kBAAkB,CAAC;aAClC,CAAC,CACL,CAAC;YAEF,4DAA4D;YAC5D,sFAAsF;YACtF,cAAc,GAAG,IAAI,uBAAuB,CAAC,oBAAoB,CAC7D,mBAAmB,EACnB,IAAI,CAAC,UAAU,EACf;gBACI,cAAc,EAAE,mBAAmB;gBACnC,cAAc,EAAE;oBACZ,mCAAmC;oBACnC,4BAA4B;oBAC5B,mCAAmC;iBACtC;gBACD,aAAa,EAAE,CAAC,uBAAuB,CAAC,sBAAsB,CAAC,MAAM,CAAC;gBACtE,eAAe,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,iCAAiC;aAC9E,CACJ,CAAC;QACN,CAAC;QAED,qBAAqB;QACrB,IAAI,CAAC,GAAG,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,yBAAyB,EAAE;YAClE,OAAO,EAAE,yBAAyB;YAClC,WAAW,EAAE,sDAAsD;SACtE,CAAC,CAAC;QAEH,6CAA6C;QAC7C,MAAM,WAAW,GAAG,IAAI,wBAAwB,CAAC,+BAA+B,CAC5E,qBAAqB,EACrB,KAAK,CAAC,eAAe,EACrB,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAC5B,CAAC;QAEF,kDAAkD;QAClD,IAAI,cAAc,EAAE,CAAC;YACjB,6BAA6B;YAC7B,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBACf,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;gBACvC,WAAW;gBACX,UAAU,EAAE,cAAc;aAC7B,CAAC,CAAC;YAEH,iCAAiC;YACjC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBACf,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;gBACvC,WAAW;gBACX,UAAU,EAAE,cAAc;aAC7B,CAAC,CAAC;YAEH,8BAA8B;YAC9B,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBACf,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;gBACvC,WAAW;gBACX,UAAU,EAAE,cAAc;aAC7B,CAAC,CAAC;QACP,CAAC;aAAM,CAAC;YACJ,8DAA8D;YAC9D,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBACf,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;gBACvC,WAAW;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBACf,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;gBACvC,WAAW;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBACf,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;gBACvC,WAAW;aACd,CAAC,CAAC;YAEH,OAAO,CAAC,IAAI,CACR,uDAAuD;gBACvD,2EAA2E;gBAC3E,2CAA2C,CAC9C,CAAC;QACN,CAAC;QAED,+CAA+C;QAC/C,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,uDAAuD;QACvD,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,GAAG;YACT,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,gDAAgD;QAChD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,YAAiD,CAAC;QAC5F,IAAI,KAAK,EAAE,CAAC;YACR,KAAK,CAAC,iBAAiB,GAAG;gBACtB,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW;gBACzC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,oBAAoB;oBAC/B,EAAE,EAAE,4BAA4B;oBAChC,WAAW,EAAE,sBAAsB;oBACnC,UAAU,EAAE,qBAAqB;oBACjC,QAAQ,EAAE,mBAAmB;oBAC7B,MAAM,EAAE,iBAAiB;oBACzB,QAAQ,EAAE,mBAAmB;oBAC7B,cAAc,EAAE,yBAAyB;oBACzC,YAAY,EAAE,wBAAwB;oBACtC,SAAS,EAAE,8BAA8B;oBACzC,eAAe,EAAE,2BAA2B;iBAC/C,CAAC;aACL,CAAC;QACN,CAAC;QAED,6BAA6B;QAC7B,IAAI,mBAAmB,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;QAC/E,CAAC;aAAM,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;QAC3E,CAAC;IACL,CAAC;CACJ;AA1ND,wCA0NC"}
+{"version":3,"file":"http-api-gateway.js","sourceRoot":"","sources":["../../lib/http-api-gateway.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,2EAA6D;AAC7D,oGAAsF;AACtF,6DAA+C;AAG/C,2DAA6C;AAG7C,+CAA0C;AAU1C,MAAa,cAAc;IAMvB,YAAY,KAAgB,EAAE,EAAU,EAAE,KAA0B;QAChE,2BAA2B;QAC3B,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,EAAE;YAC7D,YAAY,EAAE,wCAAwC;YACtD,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,8DAA8D;QAC9D,4DAA4D;QAC5D,IAAI,CAAC,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE;YACtD,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,cAAc,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC;YAC5C,WAAW,EAAE,2BAA2B;SAC3C,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAI,CAAC,GAAG,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,yBAAyB,EAAE;YAClE,OAAO,EAAE,yBAAyB;YAClC,WAAW,EAAE,gFAAgF;SAChG,CAAC,CAAC;QAEH,iDAAiD;QACjD,2DAA2D;QAC3D,MAAM,WAAW,GAAG,IAAI,wBAAwB,CAAC,kBAAkB,CAC/D,gBAAgB,EAChB,KAAK,CAAC,WAAW,EACjB;YACI,OAAO,EAAE,IAAI,CAAC,OAAO;SACxB,CACJ,CAAC;QAEF,oEAAoE;QACpE,iBAAiB;QACjB,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;YACvC,WAAW;SACd,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;YACvC,WAAW;SACd,CAAC,CAAC;QAEH,kBAAkB;QAClB,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC;YACvC,WAAW;SACd,CAAC,CAAC;QAEH,+CAA+C;QAC/C,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,uDAAuD;QACvD,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;YACf,IAAI,EAAE,GAAG;YACT,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACtC,WAAW;SACd,CAAC,CAAC;QAEH,oDAAoD;QACpD,oDAAoD;QACpD,MAAM,gBAAgB,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,IAAI,EAAE,CAAC;QACvE,IAAI,gBAAgB,EAAE,CAAC;YACnB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YAEzC,qBAAqB;YACrB,IAAI,CAAC,SAAS,GAAG,IAAI,uBAAS,CAAC,KAAK,EAAE,WAAW,EAAE;gBAC/C,WAAW,EAAE,gBAAgB;aAChC,CAAC,CAAC;YAEH,6CAA6C;YAC7C,0EAA0E;YAC1E,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC;gBACzC,OAAO,EAAE,YAAY;gBACrB,QAAQ,EAAE,SAAS,IAAI,CAAC,GAAG,CAAC,KAAK,WAAW,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,IAAI,UAAU,EAAE;gBAC5F,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,mBAAmB;aAC/C,CAAC,CAAC;YAEH,8BAA8B;YAC9B,IAAI,KAAK,CAAC,oBAAoB,CAAC,KAAK,EAAE,gBAAgB,EAAE;gBACpD,WAAW,EAAE,MAAM;gBACnB,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO;aAC3C,CAAC,CAAC;QACP,CAAC;aAAM,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;QAC/E,CAAC;QAED,gDAAgD;QAChD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,YAAiD,CAAC;QAC5F,IAAI,KAAK,EAAE,CAAC;YACR,KAAK,CAAC,iBAAiB,GAAG;gBACtB,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW;gBACzC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,oBAAoB;oBAC/B,EAAE,EAAE,4BAA4B;oBAChC,WAAW,EAAE,sBAAsB;oBACnC,UAAU,EAAE,qBAAqB;oBACjC,QAAQ,EAAE,mBAAmB;oBAC7B,MAAM,EAAE,iBAAiB;oBACzB,QAAQ,EAAE,mBAAmB;oBAC7B,cAAc,EAAE,yBAAyB;oBACzC,YAAY,EAAE,wBAAwB;oBACtC,SAAS,EAAE,8BAA8B;iBAC5C,CAAC;aACL,CAAC;QACN,CAAC;QAED,8BAA8B;QAC9B,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,kBAAkB,KAAK,KAAK,CAAC;QAChF,IAAI,mBAAmB,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;QACjF,CAAC;aAAM,CAAC;YACJ,OAAO,CAAC,IAAI,CACR,uDAAuD;gBACvD,2EAA2E;gBAC3E,2CAA2C,CAC9C,CAAC;QACN,CAAC;IACL,CAAC;CACJ;AAlJD,wCAkJC"}

package/dist/lib/network-load-balancer.d.ts

@@ -0,0 +1,27 @@
+import * as ec2 from "aws-cdk-lib/aws-ec2";
+import * as elbv2 from "aws-cdk-lib/aws-elasticloadbalancingv2";
+import { Construct } from "constructs";
+export interface NetworkLoadBalancerProps {
+    readonly vpc: ec2.IVpc;
+}
+/**
+ * Network Load Balancer for ECS Fargate service
+ *
+ * Provides reliable health checks and routing for ECS tasks.
+ * Replaces Cloud Map service discovery which has issues with custom health checks.
+ *
+ * Architecture:
+ * - Internal NLB (not internet-facing)
+ * - TCP listener on port 80
+ * - Target Group with IP targets for ECS Fargate tasks
+ * - HTTP health checks on /health endpoint
+ *
+ * @since v0.9.0
+ */
+export declare class NetworkLoadBalancer extends Construct {
+    readonly loadBalancer: elbv2.NetworkLoadBalancer;
+    readonly targetGroup: elbv2.NetworkTargetGroup;
+    readonly listener: elbv2.NetworkListener;
+    constructor(scope: Construct, id: string, props: NetworkLoadBalancerProps);
+}
+//# sourceMappingURL=network-load-balancer.d.ts.map

package/dist/lib/network-load-balancer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-load-balancer.d.ts","sourceRoot":"","sources":["../../lib/network-load-balancer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,GAAG,MAAM,qBAAqB,CAAC;AAC3C,OAAO,KAAK,KAAK,MAAM,wCAAwC,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,MAAM,WAAW,wBAAwB;IACrC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;IAC9C,SAAgB,YAAY,EAAE,KAAK,CAAC,mBAAmB,CAAC;IACxD,SAAgB,WAAW,EAAE,KAAK,CAAC,kBAAkB,CAAC;IACtD,SAAgB,QAAQ,EAAE,KAAK,CAAC,eAAe,CAAC;gBAEpC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,wBAAwB;CA4D5E"}

package/dist/lib/network-load-balancer.js

@@ -0,0 +1,111 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetworkLoadBalancer = void 0;
+const cdk = __importStar(require("aws-cdk-lib"));
+const elbv2 = __importStar(require("aws-cdk-lib/aws-elasticloadbalancingv2"));
+const constructs_1 = require("constructs");
+/**
+ * Network Load Balancer for ECS Fargate service
+ *
+ * Provides reliable health checks and routing for ECS tasks.
+ * Replaces Cloud Map service discovery which has issues with custom health checks.
+ *
+ * Architecture:
+ * - Internal NLB (not internet-facing)
+ * - TCP listener on port 80
+ * - Target Group with IP targets for ECS Fargate tasks
+ * - HTTP health checks on /health endpoint
+ *
+ * @since v0.9.0
+ */
+class NetworkLoadBalancer extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        // Create internal Network Load Balancer
+        // Internal = only accessible within VPC (not from internet)
+        this.loadBalancer = new elbv2.NetworkLoadBalancer(this, "LoadBalancer", {
+            vpc: props.vpc,
+            internetFacing: false,
+            loadBalancerName: "benchling-webhook-nlb",
+            vpcSubnets: {
+                subnets: props.vpc.privateSubnets,
+            },
+            crossZoneEnabled: true, // Distribute traffic evenly across AZs
+        });
+        // Create Target Group for ECS tasks
+        // IP target type is required for Fargate tasks
+        this.targetGroup = new elbv2.NetworkTargetGroup(this, "TargetGroup", {
+            vpc: props.vpc,
+            port: 8080,
+            protocol: elbv2.Protocol.TCP,
+            targetType: elbv2.TargetType.IP, // Required for Fargate
+            targetGroupName: "benchling-webhook-tg",
+            deregistrationDelay: cdk.Duration.seconds(30), // Quick deregistration
+            // HTTP health checks for application health
+            // NLB supports HTTP health checks even with TCP listener
+            healthCheck: {
+                enabled: true,
+                protocol: elbv2.Protocol.HTTP,
+                path: "/health",
+                interval: cdk.Duration.seconds(30),
+                timeout: cdk.Duration.seconds(10),
+                healthyThresholdCount: 2, // 2 successful checks = healthy
+                unhealthyThresholdCount: 3, // 3 failed checks = unhealthy
+                healthyHttpCodes: "200",
+            },
+        });
+        // Create TCP listener on port 80
+        // API Gateway will connect to this via VPC Link
+        this.listener = this.loadBalancer.addListener("Listener", {
+            port: 80,
+            protocol: elbv2.Protocol.TCP,
+            defaultTargetGroups: [this.targetGroup],
+        });
+        // Outputs for debugging
+        new cdk.CfnOutput(this, "LoadBalancerDnsName", {
+            value: this.loadBalancer.loadBalancerDnsName,
+            description: "Network Load Balancer DNS name",
+            exportName: "BenchlingWebhookNLBDnsName",
+        });
+        new cdk.CfnOutput(this, "TargetGroupArn", {
+            value: this.targetGroup.targetGroupArn,
+            description: "Target Group ARN for ECS tasks",
+            exportName: "BenchlingWebhookTargetGroupArn",
+        });
+    }
+}
+exports.NetworkLoadBalancer = NetworkLoadBalancer;
+//# sourceMappingURL=network-load-balancer.js.map

package/dist/lib/network-load-balancer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-load-balancer.js","sourceRoot":"","sources":["../../lib/network-load-balancer.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AAEnC,8EAAgE;AAChE,2CAAuC;AAMvC;;;;;;;;;;;;;GAaG;AACH,MAAa,mBAAoB,SAAQ,sBAAS;IAK9C,YAAY,KAAgB,EAAE,EAAU,EAAE,KAA+B;QACrE,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAEjB,wCAAwC;QACxC,4DAA4D;QAC5D,IAAI,CAAC,YAAY,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,IAAI,EAAE,cAAc,EAAE;YACpE,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,cAAc,EAAE,KAAK;YACrB,gBAAgB,EAAE,uBAAuB;YACzC,UAAU,EAAE;gBACR,OAAO,EAAE,KAAK,CAAC,GAAG,CAAC,cAAc;aACpC;YACD,gBAAgB,EAAE,IAAI,EAAE,uCAAuC;SAClE,CAAC,CAAC;QAEH,oCAAoC;QACpC,+CAA+C;QAC/C,IAAI,CAAC,WAAW,GAAG,IAAI,KAAK,CAAC,kBAAkB,CAAC,IAAI,EAAE,aAAa,EAAE;YACjE,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,IAAI,EAAE,IAAI;YACV,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG;YAC5B,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,EAAE,uBAAuB;YACxD,eAAe,EAAE,sBAAsB;YACvC,mBAAmB,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,uBAAuB;YAEtE,4CAA4C;YAC5C,yDAAyD;YACzD,WAAW,EAAE;gBACT,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;gBAC7B,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,qBAAqB,EAAE,CAAC,EAAG,gCAAgC;gBAC3D,uBAAuB,EAAE,CAAC,EAAE,8BAA8B;gBAC1D,gBAAgB,EAAE,KAAK;aAC1B;SACJ,CAAC,CAAC;QAEH,iCAAiC;QACjC,gDAAgD;QAChD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,EAAE;YACtD,IAAI,EAAE,EAAE;YACR,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG;YAC5B,mBAAmB,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC;SAC1C,CAAC,CAAC;QAEH,wBAAwB;QACxB,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,qBAAqB,EAAE;YAC3C,KAAK,EAAE,IAAI,CAAC,YAAY,CAAC,mBAAmB;YAC5C,WAAW,EAAE,gCAAgC;YAC7C,UAAU,EAAE,4BAA4B;SAC3C,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,gBAAgB,EAAE;YACtC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;YACtC,WAAW,EAAE,gCAAgC;YAC7C,UAAU,EAAE,gCAAgC;SAC/C,CAAC,CAAC;IACP,CAAC;CACJ;AAjED,kDAiEC"}

package/dist/lib/types/config.d.ts

@@ -112,7 +112,7 @@ export interface ProfileConfig {
  * Configuration for Quilt data catalog integration, including service endpoints
  * and SQS queue for package creation.
  *
- * **Breaking Change (v1.0.0)**: `stackArn` is used at deployment time only to resolve services.
+ * **Breaking Change (v0.9.0)**: `stackArn` is used at deployment time only to resolve services.
  * Services are passed as explicit environment variables to the container.
  * No runtime CloudFormation API calls are made.
  *
@@ -128,7 +128,7 @@ export interface QuiltConfig {
      * The resolved services are then passed as explicit environment variables to the container.
      *
      * **Deployment usage only** - not passed to container runtime.
-     * **Breaking Change (v1.0.0)**: No longer passed as environment variable or CloudFormation parameter.
+     * **Breaking Change (v0.9.0)**: No longer passed as environment variable or CloudFormation parameter.
      *
      * @example "arn:aws:cloudformation:us-east-1:123456789012:stack/quilt-stack/..."
      */

package/dist/lib/utils/service-resolver.d.ts

@@ -5,7 +5,7 @@
  * These values are then passed as explicit environment variables to the container,
  * eliminating the need for runtime CloudFormation API calls.
  *
- * **Breaking Change (v1.0.0)**: Replaces runtime config-resolver with deployment-time resolution.
+ * **Breaking Change (v0.9.0)**: Replaces runtime config-resolver with deployment-time resolution.
  *
  * @module utils/service-resolver
  * @version 1.0.0

package/dist/lib/utils/service-resolver.js

@@ -6,7 +6,7 @@
  * These values are then passed as explicit environment variables to the container,
  * eliminating the need for runtime CloudFormation API calls.
  *
- * **Breaking Change (v1.0.0)**: Replaces runtime config-resolver with deployment-time resolution.
+ * **Breaking Change (v0.9.0)**: Replaces runtime config-resolver with deployment-time resolution.
  *
  * @module utils/service-resolver
  * @version 1.0.0

package/dist/lib/waf-web-acl.d.ts

@@ -0,0 +1,51 @@
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
+import * as logs from "aws-cdk-lib/aws-logs";
+import { Construct } from "constructs";
+export interface WafWebAclProps {
+    /**
+     * Comma-separated list of allowed IP addresses/CIDR blocks
+     *
+     * Empty string means no IP filtering (discovery mode - COUNT all requests).
+     * Non-empty string enables IP filtering (security mode - BLOCK unknown IPs).
+     *
+     * @example "192.168.1.0/24,10.0.0.0/8"
+     * @default ""
+     */
+    readonly ipAllowList?: string;
+}
+/**
+ * WAF Web ACL for Benchling webhook IP filtering
+ *
+ * Provides defense-in-depth security at AWS edge with two rules:
+ * 1. Health check exception - Always allow /health, /health/ready, /health/live
+ * 2. IP allowlist - Allow requests from configured IP ranges
+ *
+ * **Automatic Mode Selection:**
+ * - Empty IP allowlist → COUNT mode (discovery phase - logs requests but doesn't block)
+ * - Non-empty IP allowlist → BLOCK mode (security phase - blocks unknown IPs)
+ *
+ * This allows customers to deploy initially without knowing Benchling IPs,
+ * discover them from CloudWatch logs, then add them to enable blocking mode.
+ */
+export declare class WafWebAcl extends Construct {
+    readonly webAcl: wafv2.CfnWebACL;
+    readonly ipSet: wafv2.CfnIPSet;
+    readonly logGroup: logs.ILogGroup;
+    constructor(scope: Construct, id: string, props?: WafWebAclProps);
+    /**
+     * Parse IP allowlist string into array of CIDR blocks
+     *
+     * - Splits by comma
+     * - Trims whitespace
+     * - Adds /32 suffix if not present
+     * - Filters out empty entries
+     *
+     * @param allowList Comma-separated list of IPs/CIDR blocks
+     * @returns Array of CIDR blocks
+     *
+     * @example
+     * parseIpAllowList("192.168.1.0/24, 10.0.0.1") → ["192.168.1.0/24", "10.0.0.1/32"]
+     */
+    private parseIpAllowList;
+}
+//# sourceMappingURL=waf-web-acl.d.ts.map

package/dist/lib/waf-web-acl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"waf-web-acl.d.ts","sourceRoot":"","sources":["../../lib/waf-web-acl.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,KAAK,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,MAAM,WAAW,cAAc;IAC3B;;;;;;;;OAQG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,SAAU,SAAQ,SAAS;IACpC,SAAgB,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC;IACxC,SAAgB,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC;IACtC,SAAgB,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;gBAE7B,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,GAAE,cAAmB;IA2HpE;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,gBAAgB;CAU3B"}