aws · wulfmann · Feb 11, 2020 · Feb 11, 2020 · Feb 11, 2020 · Feb 11, 2020
diff --git a/packages/@aws-cdk/aws-wafv2/README.md b/packages/@aws-cdk/aws-wafv2/README.md
@@ -21,3 +21,20 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw
 ```ts
 import wafv2 = require('@aws-cdk/aws-wafv2');
 ```
+
+### IPSet
+
+Use an AWS::WAFv2::IPSet to identify web requests that originate from specific IP addresses or ranges of IP addresses. For example, if you're receiving a lot of requests from a ranges of IP addresses, you can configure AWS WAF to block them using an IP set that lists those IP addresses.
+
+Example:
+
+```ts
+import waf = require('@aws-cdk/aws-wafv2');
+
+new waf.IPSet(this, 'MyIPSet', {
+    addresses: [
+        '192.168.1.1/32
+    ],
+    name: 'MyIPSet'
+})
+```
diff --git a/packages/@aws-cdk/aws-wafv2/lib/index.ts b/packages/@aws-cdk/aws-wafv2/lib/index.ts
@@ -1,2 +1,3 @@
 // AWS::WAFv2 CloudFormation Resources:
 export * from './wafv2.generated';
+export * from './ipset';
diff --git a/packages/@aws-cdk/aws-wafv2/lib/ipset.ts b/packages/@aws-cdk/aws-wafv2/lib/ipset.ts
@@ -0,0 +1,111 @@
+import * as cdk from '@aws-cdk/core';
+import * as waf from './index';
+
+export enum IPAddressVersion {
+    IPV4 = 'IPV4',
+    IPV6 = 'IPV6'
+}
+
+export enum IPSetScope {
+    CLOUDFRONT = 'CLOUDFRONT',
+    REGIONAL = 'REGIONAL'
+}
+
+export interface IIPSet {
+    /**
+     * A friendly name of the IP set. You cannot change the name of an IPSet
+     * after you create it.
+     */
+    readonly ipSetName: string;
+}
+
+export abstract class IPSetBase extends cdk.Resource implements IIPSet {
+    /**
+     * A friendly name of the IP set. You cannot change the name of an IPSet
+     * after you create it.
+     */
+    public abstract readonly ipSetName: string;
+}
+
+export interface IPSetProps {
+    /**
+     * A friendly name of the IP set. You cannot change the name of an IPSet
+     * after you create it.
+     */
+    readonly name?: string;
+
+    /**
+     * A friendly description of the IP set. You cannot change the description
+     * of an IP set after you create it.
+     */
+    readonly description?: string;
+
+    /**
+     * Contains an array of strings that specify one or more IP addresses or
+     * blocks of IP addresses in Classless Inter-Domain Routing (CIDR) notation.
+     * AWS WAF supports all address ranges for IP versions IPv4 and IPv6.
+     */
+    readonly addresses?: string[];
+
+    /**
+     * Specify IPV4 or IPV6.
+     *
+     * @efault IPV4
+     */
+    readonly ipAddressVersion: IPAddressVersion;
+
+    /**
+     * Specifies whether this is for an AWS CloudFront distribution or for a
+     * regional application. A regional application can be an Application
+     * Load Balancer (ALB) or an API Gateway stage.
+     *
+     * @default CLOUDFRONT
+     */
+    readonly scope: IPSetScope;
+}
+
+export class IPSet extends IPSetBase {
+    /**
+     * A friendly name of the IP set. You cannot change the name of an IPSet
+     * after you create it.
+     */
+    public readonly ipSetName: string;
+
+    /**
+     * Contains an array of strings that specify one or more IP addresses or
+     * blocks of IP addresses in Classless Inter-Domain Routing (CIDR) notation.
+     * AWS WAF supports all address ranges for IP versions IPv4 and IPv6.
+     */
+    private addresses: string[] = [];
+
+    constructor(scope: cdk.Construct, id: string, props: IPSetProps) {
+        super(scope, id, {
+            physicalName: props.name || cdk.PhysicalName.GENERATE_IF_NEEDED
+        });
+
+        this.ipSetName = this.physicalName;
+
+        this.addAddresses(...props.addresses || []);
+
+        const resource: waf.CfnIPSet = new waf.CfnIPSet(this, 'Resource', {
+            addresses: {
+                ipAddresses: cdk.Lazy.listValue({ produce: () => this.addresses }, { omitEmpty: true })
+            },
+            ipAddressVersion: props.ipAddressVersion || IPAddressVersion.IPV4,
+            name: props.name,
+            scope: props.scope || IPSetScope.CLOUDFRONT,
+            description: props.description
+        });
+
+        this.node.defaultChild = resource;
+    }
+
+    /**
+     * Adds an ip address to the the addresses list
+     */
+    public addAddresses(...addresses: string[]): void {
+        for (const address of addresses) {
+            this.addresses.push(address);
+        }
+    }
+}
diff --git a/packages/@aws-cdk/aws-wafv2/test/ipset.test.ts b/packages/@aws-cdk/aws-wafv2/test/ipset.test.ts
@@ -0,0 +1,89 @@
+import { expect } from '@aws-cdk/assert';
+import * as cdk from '@aws-cdk/core';
+import * as waf from '../lib';
+
+test('IPV4 IP Set', () => {
+    const stack = new cdk.Stack();
+    new waf.IPSet(stack, 'IPSet', {
+        addresses: [
+            '192.168.1.1'
+        ],
+        scope: waf.IPSetScope.CLOUDFRONT,
+        ipAddressVersion: waf.IPAddressVersion.IPV4
+    });
+
+    expect(stack).toMatch({
+        Resources: {
+            IPSetEBDDFDAE: {
+                Type: "AWS::WAFv2::IPSet",
+                Properties: {
+                    Addresses: {
+                        IPAddresses: ["192.168.1.1"]
+                    },
+                    IPAddressVersion: "IPV4",
+                    Scope: "CLOUDFRONT"
+                }
+            }
+        }
+    });
+});
+
+test('IPV6 IP Set', () => {
+    const stack = new cdk.Stack();
+    new waf.IPSet(stack, 'IPSet', {
+        addresses: [
+            '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
+        ],
+        scope: waf.IPSetScope.CLOUDFRONT,
+        ipAddressVersion: waf.IPAddressVersion.IPV6
+    });
+
+    expect(stack).toMatch({
+        Resources: {
+            IPSetEBDDFDAE: {
+                Type: "AWS::WAFv2::IPSet",
+                Properties: {
+                    Addresses: {
+                        IPAddresses: [
+                            "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+                        ]
+                    },
+                    IPAddressVersion: "IPV6",
+                    Scope: "CLOUDFRONT"
+                }
+            }
+        }
+    });
+});
+
+test('addAddresses method with name and description', () => {
+    const stack = new cdk.Stack();
+
+    const ipSet = new waf.IPSet(stack, 'IPSet', {
+        scope: waf.IPSetScope.CLOUDFRONT,
+        ipAddressVersion: waf.IPAddressVersion.IPV6,
+        name: 'MyIPSet',
+        description: 'MyIPSet Description'
+    });
+
+    ipSet.addAddresses('2001:0db8:85a3:0000:0000:8a2e:0370:7334');
+
+    expect(stack).toMatch({
+        Resources: {
+            IPSetEBDDFDAE: {
+                Type: "AWS::WAFv2::IPSet",
+                Properties: {
+                    Addresses: {
+                        IPAddresses: [
+                            "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+                        ]
+                    },
+                    IPAddressVersion: "IPV6",
+                    Scope: "CLOUDFRONT",
+                    Name: "MyIPSet",
+                    Description: "MyIPSet Description"
+                }
+            }
+        }
+    });
+});