aws-powertools · sdangol · Aug 29, 2025 · Aug 29, 2025 · Aug 29, 2025 · Aug 29, 2025
diff --git a/packages/parser/src/schemas/api-gateway.ts b/packages/parser/src/schemas/api-gateway.ts
@@ -30,7 +30,9 @@ const APIGatewayEventIdentity = z.object({
    *
    * See aws-powertools/powertools-lambda-python#1562 for more information.
    */
-  sourceIp: z.union([z.ipv4(), z.literal('test-invoke-source-ip')]).optional(),
+  sourceIp: z
+    .union([z.ipv4(), z.ipv6(), z.literal('test-invoke-source-ip')])
+    .optional(),
   user: z.string().nullish(),
   userAgent: z.string().nullish(),
   userArn: z.string().nullish(),

diff --git a/packages/parser/src/schemas/api-gatewayv2.ts b/packages/parser/src/schemas/api-gatewayv2.ts
@@ -110,7 +110,7 @@ const APIGatewayRequestContextV2Schema = z.object({
     method: APIGatewayHttpMethod,
     path: z.string(),
     protocol: z.string(),
-    sourceIp: z.ipv4(),
+    sourceIp: z.union([z.ipv4(), z.ipv6()]),
     userAgent: z.string(),
   }),
   requestId: z.string(),

diff --git a/packages/parser/src/schemas/appsync-shared.ts b/packages/parser/src/schemas/appsync-shared.ts
@@ -16,7 +16,7 @@ const AppSyncCognitoIdentity = z.object({
   issuer: z.string(),
   username: z.string(),
   claims: z.record(z.string(), z.unknown()),
-  sourceIp: z.array(z.ipv4()),
+  sourceIp: z.array(z.union([z.ipv4(), z.ipv6()])),
   defaultAuthStrategy: z.string().nullable(),
   groups: z.array(z.string()).nullable(),
 });

diff --git a/packages/parser/tests/unit/schema/apigw.test.ts b/packages/parser/tests/unit/schema/apigw.test.ts
@@ -98,6 +98,40 @@ describe('Schema: API Gateway REST', () => {
       // Assess
       expect(parsedEvent).toEqual(event);
     });
+    it('parses an event with IPv6 sourceIp', () => {
+      // Prepare
+      const event = getTestEvent({
+        eventsPath,
+        filename: 'no-auth',
+      }) as any;
+      // Add IPv6 address to the event
+      event.requestContext.identity.sourceIp =
+        '2001:0db8:85a3:0000:0000:8a2e:0370:7334';
+
+      // Act
+      const parsedEvent = APIGatewayProxyEventSchema.parse(event);
+
+      // Assess
+      expect(parsedEvent.requestContext.identity.sourceIp).toEqual(
+        '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
+      );
+    });
+
+    it('parses an event with shortened IPv6 sourceIp', () => {
+      // Prepare
+      const event = getTestEvent({
+        eventsPath,
+        filename: 'no-auth',
+      }) as any;
+      // Add shortened IPv6 address to the event
+      event.requestContext.identity.sourceIp = '::1';
+
+      // Act
+      const parsedEvent = APIGatewayProxyEventSchema.parse(event);
+
+      // Assess
+      expect(parsedEvent.requestContext.identity.sourceIp).toEqual('::1');
+    });
   });
 
   describe('APIGatewayRequestAuthorizerEventSchema', () => {

diff --git a/packages/parser/tests/unit/schema/apigwv2.test.ts b/packages/parser/tests/unit/schema/apigwv2.test.ts
@@ -45,6 +45,41 @@ describe('Schema: API Gateway HTTP (v2)', () => {
       expect(parsedEvent).toEqual(event);
     });
 
+    it('parses an event with IPv6 sourceIp', () => {
+      // Prepare
+      const event = getTestEvent({
+        eventsPath,
+        filename: 'no-auth',
+      }) as any;
+      // Add IPv6 address to the event
+      event.requestContext.http.sourceIp =
+        '2001:0db8:85a3:0000:0000:8a2e:0370:7334';
+
+      // Act
+      const parsedEvent = APIGatewayProxyEventV2Schema.parse(event);
+
+      // Assess
+      expect(parsedEvent.requestContext.http.sourceIp).toEqual(
+        '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
+      );
+    });
+
+    it('parses an event with shortened IPv6 sourceIp', () => {
+      // Prepare
+      const event = getTestEvent({
+        eventsPath,
+        filename: 'no-auth',
+      }) as any;
+      // Add shortened IPv6 address to the event
+      event.requestContext.http.sourceIp = '::1';
+
+      // Act
+      const parsedEvent = APIGatewayProxyEventV2Schema.parse(event);
+
+      // Assess
+      expect(parsedEvent.requestContext.http.sourceIp).toEqual('::1');
+    });
+
     it('parses an event with a JWT authorizer', () => {
       // Prepare
       const event = getTestEvent({

diff --git a/packages/parser/tests/unit/schema/appsync.test.ts b/packages/parser/tests/unit/schema/appsync.test.ts
@@ -112,6 +112,40 @@ describe('Schema: AppSync Resolver', () => {
         },
       },
     },
+    {
+      name: 'cognito identity with IPv6 sourceIp',
+      event: {
+        ...appSyncResolverEvent,
+        identity: {
+          claims: {
+            sub: '192879fc-a240-4bf1-ab5a-d6a00f3063f9',
+          },
+          defaultAuthStrategy: 'ALLOW',
+          groups: null,
+          issuer:
+            'https://cognito-idp.us-west-2.amazonaws.com/us-west-xxxxxxxxxxx',
+          sourceIp: ['2001:0db8:85a3:0000:0000:8a2e:0370:7334'],
+          sub: '192879fc-a240-4bf1-ab5a-d6a00f3063f9',
+          username: 'jdoe',
+        },
+      },
+    },
+    {
+      name: 'iam identity with mixed IPv4 and IPv6 sourceIp',
+      event: {
+        ...appSyncResolverEvent,
+        identity: {
+          accountId: '012345678901',
+          cognitoIdentityAuthProvider: null,
+          cognitoIdentityAuthType: null,
+          cognitoIdentityId: null,
+          cognitoIdentityPoolId: null,
+          sourceIp: ['1.1.1.1', '::1', '2001:db8::8a2e:370:7334'],
+          userArn: 'arn:aws:sts::012345678901:assumed-role/role',
+          username: 'AROAXYKJUOW6FHGUSK5FA:username',
+        },
+      },
+    },
   ];
 
   it.each(events)('parses an AppSyn resolver event with $name', ({ event }) => {