
Pradeep Reddy

03/06/2023, 1:59 PM
Hi, we are trying to have Atlantis on AWS EKS and an ALB endpoint as the GitHub webhook. But EKS, ALB, everything is behind our company's VPN. Anyone know how to configure a GitHub webhook with an ALB which is behind a VPN?

RB

03/06/2023, 2:08 PM
You'd need to exclude the GitHub webhook IPs from needing the VPN to hit the LB, I'd imagine

Dylan Page

03/06/2023, 3:29 PM
Yes that's what we do, Github has a provider to pull down their IP ranges to whitelist in the ALB
################################################
# Get github IP range information for use w/ atlantis webhooks
################################################
provider "github" {}

data "github_ip_ranges" "github_cidrs" {}
and then
locals {
  # AWS doesn't support ipv6 so we have to filter them out
  # https://discuss.hashicorp.com/t/how-to-filter-out-ip4-and-ip6-subnets/22556/2
  ipv4_github_hooks = [for cidr in data.github_ip_ranges.github_cidrs.hooks : cidr if length(regexall("\\:", cidr)) == 0]
}
and pass local.ipv4_github_hooks to the ALB or the ALB's SG

Pradeep Reddy

03/06/2023, 4:07 PM
Cool, Thanks.

wby

03/06/2023, 5:02 PM
@Dylan Page if it helps, looks like they have a hooks_ipv4 attribute that's already ipv4 only

Dylan Page

03/06/2023, 5:08 PM
@wby oh nice, that must be new!
This TF hasn't been touched in two years lmao

wby

03/06/2023, 5:12 PM
I only came across it when I was checking out the structure to try to implement something similar.. thanks for the pointers and reminder that this existed

Luiz Silva

03/07/2023, 4:24 PM
You need to allow the github ranges inside your Security Group, I had the same issue, but with AWS Firewall. If you have your atlantis running inside the cluster you can run this command inside the pod and see the CIDR range of github
ssh -vvv -T github.com
Then you need to allow the blocks in your SG.