add variables for limit whitelist

ministryofjustice · Nov 15, 2024 · 5f5c392 · 5f5c392
1 parent f4ebd30
commit 5f5c392
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 2 deletions.
diff --git a/.github/workflows/deploy-dev-from-branch.yml b/.github/workflows/deploy-dev-from-branch.yml
@@ -39,3 +39,4 @@ jobs:
       slack_alert_webhook: ${{ secrets.SLACK_ALERT_WEBHOOK }}
       azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       notify_api_key: ${{ secrets.NOTIFY_API_KEY }}
+      limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}
diff --git a/.github/workflows/deploy-staged.yml b/.github/workflows/deploy-staged.yml
@@ -30,6 +30,7 @@ jobs:
       slack_alert_webhook: ${{ secrets.SLACK_ALERT_WEBHOOK }}
       azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       notify_api_key: ${{ secrets.NOTIFY_API_KEY }}
+      limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}
 
   deploy-preprod:
     uses: "./.github/workflows/reusable-push-and-deploy.yml"
@@ -47,6 +48,7 @@ jobs:
       slack_alert_webhook: ${{ secrets.SLACK_ALERT_WEBHOOK }}
       azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       notify_api_key: ${{ secrets.NOTIFY_API_KEY }}
+      limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}
 
   notify-preprod-success:
     needs: deploy-preprod
@@ -88,6 +90,7 @@ jobs:
       slack_alert_webhook: ${{ secrets.SLACK_ALERT_WEBHOOK }}
       azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       notify_api_key: ${{ secrets.NOTIFY_API_KEY }}
+      limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}
 
   post-deploy:
     name: "Post-deploy admin"

diff --git a/.github/workflows/reusable-push-and-deploy.yml b/.github/workflows/reusable-push-and-deploy.yml
@@ -38,6 +38,9 @@ on:
       notify_api_key:
         description: "api key for the gds notify service"
         required: true
+      limit_whitelist:
+        description: "string of comma delimited subnets"
+        required: true
 
 jobs:
   push-and-deploy:
@@ -128,6 +131,7 @@ jobs:
           NOTIFY_SENDER_TEMPLATE_ID: ${{ vars.NOTIFY_SENDER_TEMPLATE_ID }}
           NOTIFY_DATA_CATALOGUE_TEMPLATE_ID: ${{ vars.NOTIFY_DATA_CATALOGUE_TEMPLATE_ID }}
           DATA_CATALOGUE_EMAIL: ${{ vars.DATA_CATALOGUE_EMAIL }}
+          LIMIT_WHITELIST: ${{ secrets.LIMIT_WHITELIST }}
 
         run: |
           cat deployments/templates/deployment.yml | envsubst > deployments/deployment.yml

diff --git a/deployments/templates/ingress.yml b/deployments/templates/ingress.yml
@@ -5,8 +5,7 @@ metadata:
   annotations:
     external-dns.alpha.kubernetes.io/set-identifier: find-moj-data-ingress-${NAMESPACE}-green
     external-dns.alpha.kubernetes.io/aws-weight: "100"
-    nginx.ingress.kubernetes.io/limit-whitelist: |
-      217.33.148.210/32,35.177.252.195/32,81.134.202.29/32,35.178.209.113/32,3.8.51.207/32,35.177.252.54/32,194.33.192.0/25,194.33.196.0/25,35.176.93.186/32,51.149.250.0/24,51.149.249.0/29,51.149.249.32/29,194.33.248.0/29,194.33.249.0/29,194.33.200.0/21,194.33.216.0/24,194.33.217.0/24,194.33.218.0/24,128.77.75.64/26,20.49.214.199/32,20.49.214.228/32,20.26.11.71/32,20.26.11.108/32
+    nginx.ingress.kubernetes.io/limit-whitelist: ${{ LIMIT_WHITELIST }}
     nginx.ingress.kubernetes.io/limit-rps: "200"
     nginx.ingress.kubernetes.io/enable-modsecurity: "true"
     nginx.ingress.kubernetes.io/modsecurity-snippet: |