# atlantis-community
s
This message was deleted.
r
You'd need to exclude the GitHub webhook IPs from needing the VPN to hit the LB, I'd imagine
👍 1
d
Yes that's what we do, Github has a provider to pull down their IP ranges to whitelist in the ALB
🙌 1
```hcl
################################################
# Get github IP range information for use w/ atlantis webhooks
################################################
provider "github" {}

data "github_ip_ranges" "github_cidrs" {}
```
and then
```hcl
locals {
  # AWS doesn't support ipv6 so we have to filter them out
  # https://discuss.hashicorp.com/t/how-to-filter-out-ip4-and-ip6-subnets/22556/2
  ipv4_github_hooks = [for cidr in data.github_ip_ranges.github_cidrs.hooks : cidr if length(regexall("\\:", cidr)) == 0]
}
```
and pass `local.ipv4_github_hooks` to the ALB or the ALB's SG
👍 1
p
Cool, Thanks.
w
@Dylan Page if it helps, looks like they have a `hooks_ipv4` attribute that's already ipv4 only
d
@wby oh nice, that must be new!
This TF hasn't been touched in two years lmao
w
I only came across it when I was checking out the structure to try to implement something similar.. thanks for the pointers and reminder that this existed
πŸ‘ 1
l
You need to allow the github ranges inside your Security Group, I had the same issue, but with AWS Firewall. If you have your atlantis running inside the cluster you can run this command inside the pod and see the CIDR range of github
ssh -vvv -T github.com
Then you need to allow the blocks in your SG.
🙌 1