support de-whitelisting an IP locally in pulumi (#3510)

isegall-da · web-flow · commit 82a11c72f42d · 2026-01-09T18:31:10.000Z
Signed-off-by: Itai Segall &lt;itai.segall@digitalasset.com&gt;
diff --git a/cluster/pulumi/infra/src/config.ts b/cluster/pulumi/infra/src/config.ts
@@ -91,6 +91,7 @@ export const InfraConfigSchema = z.object({
     ipWhitelisting: z
       .object({
         extraWhitelistedIngress: z.array(z.string()).default([]),
+        excludedIps: z.array(z.string()).default([]),
       })
       .optional(),
     enableGCReaperJob: z.boolean().default(false),
@@ -163,8 +164,12 @@ export function loadIPRanges(svsOnly: boolean = false): pulumi.Output<string[]>
   });
 
   const configWhitelistedIps = infraConfig.ipWhitelisting?.extraWhitelistedIngress || [];
+  const excludedIps = infraConfig.ipWhitelisting?.excludedIps || [];
 
   return internalWhitelistedIps.apply(whitelists =>
-    whitelists.concat(externalIpRanges).concat(configWhitelistedIps)
+    whitelists
+      .concat(externalIpRanges)
+      .concat(configWhitelistedIps)
+      .filter(ip => excludedIps.indexOf(ip) < 0)
   );
 }
