Block ips fro last atack #11
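---
# Pushes the IP blocklist kept in this repository to the matching AWS WAFv2
# IP set (production for `main`, staging for every other listed branch).
# NOTE(review): the forge flagged hidden/bidirectional Unicode in this file;
# inspect the raw bytes before trusting this listing.
name: Update WAF IP blacklists

on:
  push:
    branches:
      - 'main'
      - 'staging'
      - 'waf_block_ip'

# Least privilege for the workflow token. `id-token: write` is only consumed by
# configure-aws-credentials when it authenticates through OIDC (`role-to-assume`);
# the job below still uses long-lived access keys from secrets, so this grant is
# currently unused. Prefer migrating to OIDC and retiring the static keys.
permissions:
  id-token: write
  contents: read

# update-ip-set uses an optimistic LockToken; two overlapping runs targeting the
# same IP set would race and the later one would fail. Queue them instead.
concurrency:
  group: waf-ipset-${{ github.ref_name == 'main' && 'production' || 'staging' }}
  cancel-in-progress: false

env:
  AWS_REGION: us-east-1
  SCOPE: REGIONAL
  IPSET_NAME_STAGING: ipset-block-ohm-staging
  IPSET_NAME_PROD: ipset-block-ohm-production
  # Blocklists live in YAML files with a top-level `block_ips` list.
  FILE_STAGING: firewall/ip-blacklist-staging.yaml
  FILE_PROD: firewall/ip-blacklist-production.yaml

jobs:
  update-waf-ipset:
    runs-on: ubuntu-latest
    steps:
      # Consider pinning third-party actions to a full commit SHA.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Install jq and yq
        shell: bash
        run: |
          # Both tools are normally present on GitHub-hosted runners; only
          # install what is missing so the unpinned download below is rarely used.
          if ! command -v jq >/dev/null 2>&1; then
            sudo apt-get update && sudo apt-get install -y jq
          fi
          # This fetches the unpinned "latest" yq release with no checksum
          # verification (supply-chain risk). Pin a release and verify its
          # checksum before relying on this path.
          if ! command -v yq >/dev/null 2>&1; then
            tmp=$(mktemp)
            wget -q https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O "$tmp"
            sudo install -m 0755 "$tmp" /usr/local/bin/yq
            rm -f "$tmp"
          fi
          jq --version
          yq --version

      - name: Resolve target env, IP set and file
        id: target
        shell: bash
        env:
          # Passed through env rather than inlined as ${{ }} so the shell never
          # interprets the ref text.
          REF_NAME: ${{ github.ref_name }}
        run: |
          # main -> production; every other triggering branch -> staging.
          if [[ "$REF_NAME" == "main" ]]; then
            echo "IPSET_NAME=${IPSET_NAME_PROD}" >> "$GITHUB_OUTPUT"
            echo "IP_FILE=${FILE_PROD}" >> "$GITHUB_OUTPUT"
          else
            echo "IPSET_NAME=${IPSET_NAME_STAGING}" >> "$GITHUB_OUTPUT"
            echo "IP_FILE=${FILE_STAGING}" >> "$GITHUB_OUTPUT"
          fi

      - name: Build IP list from YAML
        id: iplist
        shell: bash
        env:
          FILE: ${{ steps.target.outputs.IP_FILE }}
        run: |
          if [[ ! -f "$FILE" ]]; then
            echo "File $FILE not found" >&2
            exit 1
          fi
          TMP=$(mktemp)
          # One entry per line from the top-level `block_ips` list.
          yq '.block_ips[]' "$FILE" > "$TMP"
          # Reject anything that is not an IPv4/IPv6 address or CIDR block.
          INVALID=$(grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^([0-9a-fA-F:]+)(/[0-9]{1,3})?$' "$TMP" || true)
          if [[ -n "$INVALID" ]]; then
            echo "Invalid entries:" >&2; echo "$INVALID" >&2; exit 1
          fi
          # WAFv2 accepts addresses in CIDR notation only: normalize bare hosts
          # to /32 (IPv4) and /128 (IPv6) before de-duplicating.
          sed -E \
            -e '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/s#$#/32#' \
            -e '/^[0-9a-fA-F:]+$/s#$#/128#' \
            "$TMP" | sort -u > "${TMP}.uniq"
          # Refuse to push an empty list: a typo in the YAML key would otherwise
          # clear the whole blocklist. Clearing it is a deliberate manual action.
          if [[ ! -s "${TMP}.uniq" ]]; then
            echo "No addresses found in $FILE (expected a non-empty 'block_ips' list)" >&2
            exit 1
          fi
          LIST=$(paste -sd' ' "${TMP}.uniq")
          echo "addresses=$LIST" >> "$GITHUB_OUTPUT"
          echo "Addresses to apply:"; cat "${TMP}.uniq"

      - name: Get IP set Id and LockToken
        id: getipset
        shell: bash
        env:
          NAME: ${{ steps.target.outputs.IPSET_NAME }}
        run: |
          DATA=$(aws wafv2 list-ip-sets --scope "$SCOPE" --region "$AWS_REGION" \
                   --query "IPSets[?Name=='${NAME}'].[Id,ARN]" --output json)
          if [[ "$DATA" == "[]" ]]; then
            echo "IP set ${NAME} not found in ${AWS_REGION}" >&2; exit 1
          fi
          ID=$(echo "$DATA" | jq -r '.[0][0]')
          # The LockToken must be the one current at read time; the update step
          # fails if the set changed in between (hence the concurrency group).
          LOCK=$(aws wafv2 get-ip-set --scope "$SCOPE" --region "$AWS_REGION" \
                   --id "$ID" --name "$NAME" --query "LockToken" --output text)
          echo "IPSET_ID=$ID" >> "$GITHUB_OUTPUT"
          echo "LOCK_TOKEN=$LOCK" >> "$GITHUB_OUTPUT"

      - name: Update IP set (replace full list)
        shell: bash
        env:
          IPSET_ID: ${{ steps.getipset.outputs.IPSET_ID }}
          IPSET_NAME: ${{ steps.target.outputs.IPSET_NAME }}
          LOCK_TOKEN: ${{ steps.getipset.outputs.LOCK_TOKEN }}
          ADDRESSES: ${{ steps.iplist.outputs.addresses }}
        run: |
          # ADDRESSES is the validated, space-separated list from the iplist
          # step; word splitting into one --addresses value each is intended.
          # shellcheck disable=SC2086
          aws wafv2 update-ip-set \
            --scope "$SCOPE" \
            --region "$AWS_REGION" \
            --id "$IPSET_ID" \
            --name "$IPSET_NAME" \
            --lock-token "$LOCK_TOKEN" \
            --addresses $ADDRESSES

      - name: Summary
        shell: bash
        env:
          IPSET_NAME: ${{ steps.target.outputs.IPSET_NAME }}
        run: |
          echo "Updated IP set: $IPSET_NAME"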