Merge pull request #1550 from aligent/feat/load-balancer-auth

Feat/load balancer auth

Author: TheOrangePuff

.changeset/deep-hornets-sip.md

@@ -0,0 +1,5 @@
+---
+"@aligent/cdk-graphql-mesh-server": minor
+---
+
+Use policy interface rather than plain objects as required in upgraded cdk version

.changeset/twenty-cars-brush.md

@@ -0,0 +1,5 @@
+---
+"@aligent/cdk-prerender-fargate": minor
+---
+
+Add check for prerender token before hitting the backend

packages/graphql-mesh-server/lib/fargate.ts

@@ -441,13 +441,14 @@ export class MeshService extends Construct {
     this.service = fargateService.service;
     this.loadBalancer = fargateService.loadBalancer;
 
-    taskDefinition.taskRole.addManagedPolicy({
-      managedPolicyArn:
-        "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
-    });
-    taskDefinition.taskRole.addManagedPolicy({
-      managedPolicyArn: "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
-    });
+    taskDefinition.taskRole.addManagedPolicy(
+      iam.ManagedPolicy.fromAwsManagedPolicyName(
+        "service-role/AmazonECSTaskExecutionRolePolicy"
+      )
+    );
+    taskDefinition.taskRole.addManagedPolicy(
+      iam.ManagedPolicy.fromAwsManagedPolicyName("AWSXRayDaemonWriteAccess")
+    );
 
     if (props.authenticationTable) {
       const authTable = new dynamodb.Table(this, "authenticationTable", {

packages/prerender-fargate/lib/prerender-fargate.ts

@@ -13,7 +13,12 @@ import { PrerenderRecacheApi } from "./recaching/prerender-recache-api-construct
 import { PrerenderFargateOptions } from "./prerender-fargate-options";
 import { PerformanceMetrics } from "./monitoring";
 import { LogGroup } from "aws-cdk-lib/aws-logs";
-import { SslPolicy } from "aws-cdk-lib/aws-elasticloadbalancingv2";
+import {
+  SslPolicy,
+  ListenerCondition,
+  ListenerAction,
+  CfnListener,
+} from "aws-cdk-lib/aws-elasticloadbalancingv2";
 
 /**
  * `PrerenderFargate` construct sets up an AWS Fargate service to run a
@@ -223,6 +228,39 @@ export class PrerenderFargate extends Construct {
     // Grant S3 Bucket access to the task role
     this.bucket.grantReadWrite(fargateService.taskDefinition.taskRole);
 
+    // Override the default action to return 403 for unauthorized requests
+    const listenerCfn = fargateService.listener.node
+      .defaultChild as CfnListener;
+    listenerCfn.defaultActions = [
+      {
+        type: "fixed-response",
+        fixedResponseConfig: {
+          statusCode: "403",
+          contentType: "application/json",
+          messageBody: JSON.stringify({
+            error: "Forbidden",
+            message: "Missing required header",
+          }),
+        },
+      },
+    ];
+
+    // Allow health checks on /health path without token
+    fargateService.listener.addAction("allow-health-check", {
+      priority: 50,
+      conditions: [ListenerCondition.pathPatterns(["/health"])],
+      action: ListenerAction.forward([fargateService.targetGroup]),
+    });
+
+    // Allow requests WITH the x-prerender-token header (forward to target group)
+    fargateService.listener.addAction("allow-with-token", {
+      priority: 100,
+      conditions: [
+        ListenerCondition.httpHeader("x-prerender-token", ["*"]), // Any value present
+      ],
+      action: ListenerAction.forward([fargateService.targetGroup]),
+    });
+
     // As the prerender service will return a 401 on all unauthorised requests
     // It should be considered healthy when receiving a 401 response
     fargateService.targetGroup.configureHealthCheck({

packages/prerender-fargate/lib/prerender/server.js

@@ -22,7 +22,7 @@ const logger = require("./utils/logger");
  * @param  {...any} args
  * @returns
  */
-util.log = function (...args) {
+util.log = function(...args) {
   if (process.env.DISABLE_LOGGING) {
     return;
   }
@@ -120,7 +120,7 @@ server.use({
     return next();
   },
   // Append a custom header to indicate the response is from Prerender
-  beforeSend: function (req, res, next) {
+  beforeSend: function(req, res, next) {
     res.setHeader("x-prerender-requestid", crypto.randomUUID());
     return next();
   },
@@ -144,8 +144,8 @@ server.use({
   // The requestReceived and pageLoaded functions are a modified version of
   // httpHeader plugin - https://github.com/prerender/prerender/blob/478fa6d0a5196ea29c88c69e64e72eb5507b6d2c/lib/plugins/httpHeaders.js combined with
   // s3cache plugin - https://github.com/prerender/prerender-aws-s3-cache/blob/98707fa0f787de83aa41583682cd2c2d330a9cca/index.js
-  requestReceived: function (req, res, next) {
-    const fetchCachedObject = function (err, result) {
+  requestReceived: function(req, res, next) {
+    const fetchCachedObject = function(err, result) {
       if (!err && result) {
         logger.info(`Found cached object: ${key}`);
 
@@ -184,7 +184,7 @@ server.use({
 server.use(prerender.removeScriptTags());
 
 server.use({
-  pageLoaded: function (req, res, next) {
+  pageLoaded: function(req, res, next) {
     const statusCodesToCache = ["200"];
 
     if (process.env.ENABLE_REDIRECT_CACHE.toLowerCase() === "true") {
@@ -196,7 +196,7 @@ server.use({
     }
 
     var s3Metadata = {};
-    const cacheObject = function (err, result) {
+    const cacheObject = function(err, result) {
       if (!err && result) {
         logger.info(
           `Cached object ${key} already present. Skipping caching...`
@@ -213,7 +213,7 @@ server.use({
             Body: req.prerender.content,
             Metadata: s3Metadata,
           },
-          function (err, result) {
+          function(err, result) {
             logger.info(result);
             if (err) logger.error(err);
           }