By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Calling graphQL mutation from AWS Lambda returning WAFForbiddenException

0

We are using AppSync and dynamoDB and have a react website. We are trying to trigger a pass through mutation from a Lambda, but are getting WAFForbiddenException. We can call mutations from the website as we have our IP address listed in the WAF. Is there are setting in the WAF to allow access to Appsync from Lambdas?

const { HttpRequest, Endpoint, Signers, EnvironmentCredentials, NodeHttpClient, } = AbstractAlertsAwsSdk;

.....

async triggerPassThroughMutationForAlert(alert, mutationName) {
        const p = new Promise((resolve, reject) => {
            const creds = new EnvironmentCredentials("AWS");
            const req = new HttpRequest(this.graphQlEndpoint);
            req.method = "POST";
            req.path = "/graphql";
            req.region = "ap-southeast-2";
            req.headers["presigned-expires"] = false;
            req.headers["Host"] = this.graphQlEndpoint.host;
            req.headers["Content-Type"] = "application/json";
            req.body = `${JSON.stringify({
                query: `mutation AlertMutation($input: AlertInput!) {
                    ${mutationName}(input: $input) {
                        id
                        tag
                        name
                        outstandingDate
                    }
                }`,
                operationName:'AlertMutation',
                variables: {
                    input: { ...alert },
                },
            })}`
            const signer = new Signers.V4(req, "appsync", true);
            signer.addAuthorization(creds, new Date());
            const client = new NodeHttpClient();
            client.handleRequest(req, null, function (httpResp) {
                let body = "";
                httpResp.on("data", function (chunk) {
                    body += chunk;
                });
                httpResp.on("end", function (chunk) {
                    console.info(alert.reference, "triggerPassThroughMutationForAlert() Successful", chunk !== null && chunk !== void 0 ? chunk : "", body);
                    resolve();
                });
            }, function (err) {
                console.log("triggerPassThroughMutationForAlert() Error: " + err);
                resolve();
            });
        });
        return p;
    }
}

Obviously, i can turn off the default rule in the WAF to block all, but then i would let everyone in. Given i am already in AWS, and have a VPC set up, how do i call it directly without going out to the internet first.

1 Answer
0

One way is to do the following Place the Lambda inside a VPC to make requests with a fixed IP, and then add a rule to the WAF to allow that IP.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions