in packages/blueprints/gen-ai-chatbot/static-assets/chatbot-genai-cdk/lib/frontend-waf-stack.ts [21:93]
/**
 * Builds the CloudFront-scoped WAFv2 web ACL that restricts the frontend to
 * the configured source IP ranges.
 *
 * Two IP sets are created (IPv4 and IPv6) from
 * `props.allowedIpV4AddressRanges` and `props.allowedIpV6AddressRanges`,
 * and each is referenced by an allow rule (priority 0 for IPv4, 1 for IPv6).
 * The ACL's ARN is published as the `WebAclId` stack output and kept on
 * `this.webAclArn`.
 *
 * Security note: the default action fails open. When both range lists are
 * empty the default action is `allow`, so the ACL admits every request;
 * as soon as either list has an entry the default action becomes `block`
 * and only the listed ranges pass.
 *
 * @param scope - parent construct
 * @param id - construct id of this stack
 * @param props - stack props carrying the ACL name and the allowed ranges
 */
constructor(scope: Construct, id: string, props: FrontendWafStackProps) {
  super(scope, id, props);

  // NOTE(review): the web ACL and both rules all report under the same
  // metricName, so their CloudWatch metrics presumably cannot be told
  // apart per rule — confirm whether per-rule names are wanted.
  const visibility = () => ({
    cloudWatchMetricsEnabled: true,
    metricName: "FrontendWebAcl",
    sampledRequestsEnabled: true,
  });

  // Allow-list IP sets, one per address family.
  const ipv4AllowSet = new wafv2.CfnIPSet(this, "FrontendIpV4Set", {
    ipAddressVersion: "IPV4",
    scope: "CLOUDFRONT",
    addresses: props.allowedIpV4AddressRanges,
  });
  const ipv6AllowSet = new wafv2.CfnIPSet(this, "FrontendIpV6Set", {
    ipAddressVersion: "IPV6",
    scope: "CLOUDFRONT",
    addresses: props.allowedIpV6AddressRanges,
  });

  // With no ranges configured at all the ACL is a pass-through (allow);
  // otherwise anything not matched by an allow rule below is blocked.
  const configuredRangeCount =
    props.allowedIpV4AddressRanges.length +
    props.allowedIpV6AddressRanges.length;
  const defaultAction =
    configuredRangeCount === 0 ? { allow: {} } : { block: {} };

  // Rule that allows any request whose source address is in the given IP set.
  const allowFromIpSet = (
    priority: number,
    name: string,
    ipSetArn: string
  ) => ({
    priority,
    name,
    action: { allow: {} },
    visibilityConfig: visibility(),
    statement: {
      ipSetReferenceStatement: { arn: ipSetArn },
    },
  });

  const webAcl = new wafv2.CfnWebACL(this, "WebAcl", {
    defaultAction,
    name: props.aclName,
    scope: "CLOUDFRONT",
    visibilityConfig: visibility(),
    rules: [
      allowFromIpSet(0, "FrontendWebAclIpV4RuleSet", ipv4AllowSet.attrArn),
      allowFromIpSet(1, "FrontendWebAclIpV6RuleSet", ipv6AllowSet.attrArn),
    ],
  });

  // The output's logical id says "Id" but the value exported is the ACL ARN.
  this.webAclArn = new cdk.CfnOutput(this, "WebAclId", {
    value: webAcl.attrArn,
  });
}