Thx for taking the time to start the work on a allow list for incoming traffic. Indeed we had a previous PR, but we also have not always thte time to check PR. I know it is a pitty but a fact at the moment.

We also have refactored thw webhook module, which creates breaking changes in this PR. However we are open to support an IP allow list. I think we could consider several options.

1. Refactor the webhook further and allow to bring your own API GA, with the API GW 1 IP filterlign can be implemented, it also allows to put the WAF in front of it.
2. Add support for the API GW 1
3. Use indeed the API autherozier, but this will be antother lambda to run.
4. Implment logic in the lambda.

Lambda option

Adding support to the lambda is most likely the simplest approach. Adding the support straitgh away is OK to me. Would suggest to mark it eperimental, which allows us to replace it with one of the other options over time.

Some implementation directions / thoughts.

• Add a method to check here, just before the signature check:https://github.com/philips-labs/terraform-aws-github-runner/blob/0d87aec9b9cc487a221e7eabc075e6be77252021/lambdas/functions/webhook/src/webhook/index.ts#L20
• Add configuration item for IP_ALLOW_LIST tohttps://github.com/philips-labs/terraform-aws-github-runner/blob/main/lambdas/functions/webhook/src/ConfigLoader.ts to bothConfigWebhook andConfigWebhookEventBridge
• Add top level configuration to runner (root module) as well multi-runner. Inject to the webhook mddule. And via the configuration object is the module sent downstream to both the eventbridge and direct module to configure the lambda.

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.