@quiltdata/benchling-webhook 0.9.0-20251130T062440Z → 0.9.0-20251204T040448Z

package/dist/lib/waf-web-acl.d.ts

@@ -1,51 +0,0 @@
-import * as wafv2 from "aws-cdk-lib/aws-wafv2";
-import * as logs from "aws-cdk-lib/aws-logs";
-import { Construct } from "constructs";
-export interface WafWebAclProps {
-    /**
-     * Comma-separated list of allowed IP addresses/CIDR blocks
-     *
-     * Empty string means no IP filtering (discovery mode - COUNT all requests).
-     * Non-empty string enables IP filtering (security mode - BLOCK unknown IPs).
-     *
-     * @example "192.168.1.0/24,10.0.0.0/8"
-     * @default ""
-     */
-    readonly ipAllowList?: string;
-}
-/**
- * WAF Web ACL for Benchling webhook IP filtering
- *
- * Provides defense-in-depth security at AWS edge with two rules:
- * 1. Health check exception - Always allow /health, /health/ready, /health/live
- * 2. IP allowlist - Allow requests from configured IP ranges
- *
- * **Automatic Mode Selection:**
- * - Empty IP allowlist → COUNT mode (discovery phase - logs requests but doesn't block)
- * - Non-empty IP allowlist → BLOCK mode (security phase - blocks unknown IPs)
- *
- * This allows customers to deploy initially without knowing Benchling IPs,
- * discover them from CloudWatch logs, then add them to enable blocking mode.
- */
-export declare class WafWebAcl extends Construct {
-    readonly webAcl: wafv2.CfnWebACL;
-    readonly ipSet: wafv2.CfnIPSet;
-    readonly logGroup: logs.ILogGroup;
-    constructor(scope: Construct, id: string, props?: WafWebAclProps);
-    /**
-     * Parse IP allowlist string into array of CIDR blocks
-     *
-     * - Splits by comma
-     * - Trims whitespace
-     * - Adds /32 suffix if not present
-     * - Filters out empty entries
-     *
-     * @param allowList Comma-separated list of IPs/CIDR blocks
-     * @returns Array of CIDR blocks
-     *
-     * @example
-     * parseIpAllowList("192.168.1.0/24, 10.0.0.1") → ["192.168.1.0/24", "10.0.0.1/32"]
-     */
-    private parseIpAllowList;
-}
-//# sourceMappingURL=waf-web-acl.d.ts.map

package/dist/lib/waf-web-acl.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"waf-web-acl.d.ts","sourceRoot":"","sources":["../../lib/waf-web-acl.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,KAAK,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,MAAM,WAAW,cAAc;IAC3B;;;;;;;;OAQG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,SAAU,SAAQ,SAAS;IACpC,SAAgB,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC;IACxC,SAAgB,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC;IACtC,SAAgB,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;gBAE7B,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,GAAE,cAAmB;IA2HpE;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,gBAAgB;CAU3B"}

package/dist/lib/waf-web-acl.js

@@ -1,192 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.WafWebAcl = void 0;
-const cdk = __importStar(require("aws-cdk-lib"));
-const wafv2 = __importStar(require("aws-cdk-lib/aws-wafv2"));
-const logs = __importStar(require("aws-cdk-lib/aws-logs"));
-const constructs_1 = require("constructs");
-/**
- * WAF Web ACL for Benchling webhook IP filtering
- *
- * Provides defense-in-depth security at AWS edge with two rules:
- * 1. Health check exception - Always allow /health, /health/ready, /health/live
- * 2. IP allowlist - Allow requests from configured IP ranges
- *
- * **Automatic Mode Selection:**
- * - Empty IP allowlist → COUNT mode (discovery phase - logs requests but doesn't block)
- * - Non-empty IP allowlist → BLOCK mode (security phase - blocks unknown IPs)
- *
- * This allows customers to deploy initially without knowing Benchling IPs,
- * discover them from CloudWatch logs, then add them to enable blocking mode.
- */
-class WafWebAcl extends constructs_1.Construct {
-    constructor(scope, id, props = {}) {
-        super(scope, id);
-        // Parse IP allowlist with CIDR notation normalization
-        const ipAllowList = this.parseIpAllowList(props.ipAllowList || "");
-        // Automatic mode selection based on IP allowlist
-        // - Empty allowlist: Allow mode (discovery - logs all requests, no blocking)
-        // - Has IPs: Block mode (security - blocks unknown IPs)
-        const isDiscoveryMode = ipAllowList.length === 0;
-        const mode = isDiscoveryMode ? "Allow" : "Block";
-        console.log(`WAF mode: ${mode} (${isDiscoveryMode ? "discovery - no IPs configured, all traffic allowed" : `security - ${ipAllowList.length} IP ranges configured`})`);
-        // Create IP Set for allowlist
-        this.ipSet = new wafv2.CfnIPSet(this, "IPSet", {
-            name: "BenchlingWebhookIPSet",
-            scope: "REGIONAL",
-            ipAddressVersion: "IPV4",
-            addresses: ipAllowList,
-            description: "Allowed IP addresses for Benchling webhooks",
-        });
-        // CloudWatch log group for WAF logs
-        this.logGroup = new logs.LogGroup(this, "WafLogGroup", {
-            logGroupName: "/aws/waf/benchling-webhook",
-            retention: logs.RetentionDays.ONE_WEEK,
-            removalPolicy: cdk.RemovalPolicy.DESTROY,
-        });
-        // Create Web ACL with two rules
-        // Default action: Allow (discovery mode) or Block (security mode)
-        const defaultActionConfig = isDiscoveryMode
-            ? { allow: {} }
-            : { block: {} };
-        this.webAcl = new wafv2.CfnWebACL(this, "WebACL", {
-            name: "BenchlingWebhookWebACL",
-            scope: "REGIONAL",
-            defaultAction: defaultActionConfig,
-            description: "WAF for Benchling webhook IP filtering with automatic discovery mode. " +
-                `Mode: ${mode} (${isDiscoveryMode ? "empty allowlist - all traffic allowed" : `${ipAllowList.length} IPs configured`})`,
-            rules: [
-                // Rule 1: Health check exception (Priority 10)
-                // Always allow health check endpoints regardless of IP
-                {
-                    name: "HealthCheckException",
-                    priority: 10,
-                    statement: {
-                        orStatement: {
-                            statements: [
-                                {
-                                    byteMatchStatement: {
-                                        fieldToMatch: { uriPath: {} },
-                                        positionalConstraint: "EXACTLY",
-                                        searchString: "/health",
-                                        textTransformations: [{ priority: 0, type: "NONE" }],
-                                    },
-                                },
-                                {
-                                    byteMatchStatement: {
-                                        fieldToMatch: { uriPath: {} },
-                                        positionalConstraint: "EXACTLY",
-                                        searchString: "/health/ready",
-                                        textTransformations: [{ priority: 0, type: "NONE" }],
-                                    },
-                                },
-                                {
-                                    byteMatchStatement: {
-                                        fieldToMatch: { uriPath: {} },
-                                        positionalConstraint: "EXACTLY",
-                                        searchString: "/health/live",
-                                        textTransformations: [{ priority: 0, type: "NONE" }],
-                                    },
-                                },
-                            ],
-                        },
-                    },
-                    action: { allow: {} },
-                    visibilityConfig: {
-                        sampledRequestsEnabled: true,
-                        cloudWatchMetricsEnabled: true,
-                        metricName: "HealthCheckException",
-                    },
-                },
-                // Rule 2: IP allowlist (Priority 20)
-                // Allow requests from configured IP ranges
-                // Note: When IP allowlist is empty, this rule matches no IPs,
-                // so all non-health requests fall through to default action (COUNT or BLOCK)
-                {
-                    name: "IPAllowlist",
-                    priority: 20,
-                    statement: {
-                        ipSetReferenceStatement: {
-                            arn: this.ipSet.attrArn,
-                        },
-                    },
-                    action: { allow: {} },
-                    visibilityConfig: {
-                        sampledRequestsEnabled: true,
-                        cloudWatchMetricsEnabled: true,
-                        metricName: "IPAllowlist",
-                    },
-                },
-            ],
-            visibilityConfig: {
-                sampledRequestsEnabled: true,
-                cloudWatchMetricsEnabled: true,
-                metricName: "BenchlingWebhookWebACL",
-            },
-        });
-        // Configure WAF logging to CloudWatch
-        new wafv2.CfnLoggingConfiguration(this, "WafLogging", {
-            resourceArn: this.webAcl.attrArn,
-            logDestinationConfigs: [this.logGroup.logGroupArn],
-        });
-    }
-    /**
-     * Parse IP allowlist string into array of CIDR blocks
-     *
-     * - Splits by comma
-     * - Trims whitespace
-     * - Adds /32 suffix if not present
-     * - Filters out empty entries
-     *
-     * @param allowList Comma-separated list of IPs/CIDR blocks
-     * @returns Array of CIDR blocks
-     *
-     * @example
-     * parseIpAllowList("192.168.1.0/24, 10.0.0.1") → ["192.168.1.0/24", "10.0.0.1/32"]
-     */
-    parseIpAllowList(allowList) {
-        return allowList
-            .split(",")
-            .map((ip) => ip.trim())
-            .filter((ip) => ip.length > 0)
-            .map((ip) => {
-            // Ensure CIDR notation (add /32 if not specified)
-            return ip.includes("/") ? ip : `${ip}/32`;
-        });
-    }
-}
-exports.WafWebAcl = WafWebAcl;
-//# sourceMappingURL=waf-web-acl.js.map

package/dist/lib/waf-web-acl.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"waf-web-acl.js","sourceRoot":"","sources":["../../lib/waf-web-acl.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,6DAA+C;AAC/C,2DAA6C;AAC7C,2CAAuC;AAevC;;;;;;;;;;;;;GAaG;AACH,MAAa,SAAU,SAAQ,sBAAS;IAKpC,YAAY,KAAgB,EAAE,EAAU,EAAE,QAAwB,EAAE;QAChE,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAEjB,sDAAsD;QACtD,MAAM,WAAW,GAAG,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAEnE,iDAAiD;QACjD,6EAA6E;QAC7E,wDAAwD;QACxD,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QACjD,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAEjD,OAAO,CAAC,GAAG,CACP,aAAa,IAAI,KAAK,eAAe,CAAC,CAAC,CAAC,oDAAoD,CAAC,CAAC,CAAC,cAAc,WAAW,CAAC,MAAM,uBAAuB,GAAG,CAC5J,CAAC;QAEF,8BAA8B;QAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE;YAC3C,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,UAAU;YACjB,gBAAgB,EAAE,MAAM;YACxB,SAAS,EAAE,WAAW;YACtB,WAAW,EAAE,6CAA6C;SAC7D,CAAC,CAAC;QAEH,oCAAoC;QACpC,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,EAAE;YACnD,YAAY,EAAE,4BAA4B;YAC1C,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,gCAAgC;QAChC,kEAAkE;QAClE,MAAM,mBAAmB,GAA0C,eAAe;YAC9E,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;YACf,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEpB,IAAI,CAAC,MAAM,GAAG,IAAI,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE;YAC9C,IAAI,EAAE,wBAAwB;YAC9B,KAAK,EAAE,UAAU;YACjB,aAAa,EAAE,mBAAmB;YAClC,WAAW,EACP,wEAAwE;gBACxE,SAAS,IAAI,KAAK,eAAe,CAAC,CAAC,CAAC,uCAAuC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,MAAM,iBAAiB,GAAG;YAC3H,KAAK,EAAE;gBACH,+CAA+C;gBAC/C,uDAAuD;gBACvD;oBACI,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE;wBACP,WAAW,EAAE;4BACT,UAAU,EAAE;gCACR;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,SAAS;wCACvB,mBAAmB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;gCACD;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,eAAe;wCAC7B,mBAAmB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;gCACD;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,cAAc;wCAC5B,mBAAmB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;6BACJ;yBACJ;qBACJ;oBACD,MAAM,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;oBACrB,gBAAgB,EAAE;wBACd,sBAAsB,EAAE,IAAI;wBAC5B,wBAAwB,EAAE,IAAI;wBAC9B,UAAU,EAAE,sBAAsB;qBACrC;iBACJ;gBAED,qCAAqC;gBACrC,2CAA2C;gBAC3C,8DAA8D;gBAC9D,6EAA6E;gBAC7E;oBACI,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE;wBACP,uBAAuB,EAAE;4BACrB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;yBAC1B;qBACJ;oBACD,MAAM,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;oBACrB,gBAAgB,EAAE;wBACd,sBAAsB,EAAE,IAAI;wBAC5B,wBAAwB,EAAE,IAAI;wBAC9B,UAAU,EAAE,aAAa;qBAC5B;iBACJ;aACJ;YACD,gBAAgB,EAAE;gBACd,sBAAsB,EAAE,IAAI;gBAC5B,wBAAwB,EAAE,IAAI;gBAC9B,UAAU,EAAE,wBAAwB;aACvC;SACJ,CAAC,CAAC;QAEH,sCAAsC;QACtC,IAAI,KAAK,CAAC,uBAAuB,CAAC,IAAI,EAAE,YAAY,EAAE;YAClD,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAChC,qBAAqB,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;SACrD,CAAC,CAAC;IACP,CAAC;IAED;;;;;;;;;;;;;OAaG;IACK,gBAAgB,CAAC,SAAiB;QACtC,OAAO,SAAS;aACX,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;aACtB,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;aAC7B,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;YACR,kDAAkD;YAClD,OAAO,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC;QAC9C,CAAC,CAAC,CAAC;IACX,CAAC;CACJ;AAxJD,8BAwJC"}