./knowledge-base/cdk/lib/waf-stack.js
"use strict";
// TypeScript-emitted interop helper: exposes property `key` of `source` on
// `target` (optionally under `alias`). An existing helper found on `this` is
// reused; otherwise one of the two implementations below is chosen depending
// on whether Object.create is available.
var __createBinding = (this && this.__createBinding) || (Object.create
    ? function (target, source, key, alias) {
        if (alias === undefined) {
            alias = key;
        }
        let descriptor = Object.getOwnPropertyDescriptor(source, key);
        // Decide whether the source descriptor can be copied verbatim or must
        // be replaced by a forwarding getter (a live view of source[key]).
        let needsGetter;
        if (!descriptor) {
            needsGetter = true;
        } else if ("get" in descriptor) {
            needsGetter = !source.__esModule;
        } else {
            needsGetter = descriptor.writable || descriptor.configurable;
        }
        if (needsGetter) {
            descriptor = {
                enumerable: true,
                get: function () {
                    return source[key];
                },
            };
        }
        Object.defineProperty(target, alias, descriptor);
    }
    : function (target, source, key, alias) {
        if (alias === undefined) {
            alias = key;
        }
        // Without property descriptors, fall back to a one-time value copy.
        target[alias] = source[key];
    });
// TypeScript-emitted interop helper: stores `value` as the `default` member of
// the namespace object `target`. An existing helper found on `this` is reused.
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create
    ? function (target, value) {
        // Defined via a descriptor: enumerable, but neither writable nor
        // configurable (those attributes default to false).
        const defaultDescriptor = { enumerable: true, value: value };
        Object.defineProperty(target, "default", defaultDescriptor);
    }
    : function (target, value) {
        target["default"] = value;
    });
// TypeScript-emitted interop helper backing `import * as x from "..."`.
// A module flagged `__esModule` is returned unchanged; any other value is
// wrapped in a fresh namespace object whose own properties (except "default")
// are bound to the module and whose `default` member is the module itself.
var __importStar = (this && this.__importStar) || (function () {
    // The key lister is resolved lazily: the first call swaps this function
    // for Object.getOwnPropertyNames (or a for-in fallback) and delegates.
    let listOwnKeys = function (obj) {
        listOwnKeys = Object.getOwnPropertyNames || function (o) {
            const names = [];
            for (const name in o) {
                if (Object.prototype.hasOwnProperty.call(o, name)) {
                    names[names.length] = name;
                }
            }
            return names;
        };
        return listOwnKeys(obj);
    };
    return function (mod) {
        if (mod && mod.__esModule) {
            return mod;
        }
        const namespace = {};
        if (mod != null) {
            const keys = listOwnKeys(mod);
            for (let index = 0; index < keys.length; index++) {
                // "default" is set separately below.
                if (keys[index] !== "default") {
                    __createBinding(namespace, mod, keys[index]);
                }
            }
        }
        __setModuleDefault(namespace, mod);
        return namespace;
    };
})();
// Flag this CommonJS module as transpiled from ES-module syntax; helpers such
// as __importStar return a module carrying this flag without wrapping it.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare the named export up front; the class is assigned once it is defined.
exports.WafStack = void 0;
const cdk = __importStar(require("aws-cdk-lib"));
const wafv2 = __importStar(require("aws-cdk-lib/aws-wafv2"));
const allowed_ips_1 = require("./allowed-ips");
/**
 * WAF WebACL stack (a WebACL for CloudFront must be created in us-east-1).
 * Provides IP-address restriction for the CloudFront distribution.
 *
 * The WebACL is an allow-list: its default action is `block` and its single
 * rule allows requests whose source address is in the IP set built from
 * ALLOWED_IPS.
 *
 * NOTE(review): nothing in this class checks the stack's region; the
 * us-east-1 requirement has to be met by whoever instantiates it.
 * NOTE(review): the IP set is IPv4-only, so a client arriving over IPv6
 * cannot match the allow rule and would fall through to the default block;
 * confirm that is intended if the distribution accepts IPv6.
 * NOTE(review): only CloudWatch metrics and sampled requests are enabled
 * here; no WAF logging configuration is created in this stack, so full
 * request logs for blocked traffic would have to be configured elsewhere.
 */
class WafStack extends cdk.Stack {
    /**
     * @param scope Parent construct, passed through to cdk.Stack.
     * @param id Construct id, passed through to cdk.Stack.
     * @param props Stack properties, passed through to cdk.Stack.
     */
    constructor(scope, id, props) {
        super(scope, id, props);
        const wafScope = "CLOUDFRONT";
        const webAclName = "historical-research-cloudfront-waf";
        // Both the WebACL and its rule use the same visibility settings and
        // differ only in the metric name.
        const visibilityFor = (metricName) => ({
            cloudWatchMetricsEnabled: true,
            metricName: metricName,
            sampledRequestsEnabled: true,
        });
        // Allowed IP address set (NHK internal network + fixed IPs + remote-access IPs).
        // The IP list is managed in one place, allowed-ips.ts.
        // NOTE(review): presumably an empty list leaves the allow rule matching
        // nothing, so every request would be blocked; verify against allowed-ips.
        const allowedIpSet = new wafv2.CfnIPSet(this, "AllowedIPSet", {
            name: "historical-research-allowed-ips",
            scope: wafScope,
            ipAddressVersion: "IPV4",
            addresses: allowed_ips_1.ALLOWED_IPS,
        });
        // The only rule: allow requests whose source address is in the IP set.
        const allowListedSourcesRule = {
            name: "AllowSpecificIPs",
            priority: 1,
            action: { allow: {} },
            statement: {
                ipSetReferenceStatement: { arn: allowedIpSet.attrArn },
            },
            visibilityConfig: visibilityFor("AllowSpecificIPs"),
        };
        // WAF WebACL for CloudFront (default: block; only the allowed IPs pass).
        const cloudFrontAcl = new wafv2.CfnWebACL(this, "CloudFrontWebACL", {
            name: webAclName,
            scope: wafScope,
            defaultAction: { block: {} },
            visibilityConfig: visibilityFor(webAclName),
            rules: [allowListedSourcesRule],
        });
        // Expose the ARN both as an instance property and as a named
        // CloudFormation export.
        // NOTE(review): CloudFormation exports are scoped to one region;
        // confirm how a consumer deployed in another region obtains this ARN.
        const aclArn = cloudFrontAcl.attrArn;
        this.webAclArn = aclArn;
        new cdk.CfnOutput(this, "WebAclArn", {
            value: aclArn,
            exportName: "HistoricalResearchWebAclArn",
            description: "WAF WebACL ARN for CloudFront IP restriction",
        });
    }
}
// Publish the stack class as this module's named export.
exports.WafStack = WafStack;
//# sourceMappingURL=data:application/json;base64,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