aws-waf-temp-access

A GitHub Action that automatically adds the current GitHub runner's public IP address to AWS WAF IPSets and/or Security Groups and removes it after the workflow completes. This is useful for allowing temporary access from GitHub Actions runners to resources protected by AWS WAF or Security Groups.

Features

  • ✅ Automatically detects and adds the GitHub runner's public IP to AWS WAF IPSets and/or Security Groups
  • ✅ Supports both AWS WAF IPSets and EC2 Security Groups (can be used independently or together)
  • ✅ Removes the IP address after the workflow completes (success or failure)
  • ✅ Supports optimistic locking to handle concurrent access to the same IPSet
  • ✅ Works with both CloudFront (CLOUDFRONT) and Regional (REGIONAL) IPSets
  • ✅ Configurable AWS region support
  • ✅ Uses the latest AWS SDK v3

Usage

WAF IPSet Only (Original behavior)

steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions-role
      aws-region: us-east-1
      
  - name: Add runner IP to WAF IPSet
    uses: digglife/aws-waf-temp-access@v1
    with:
      id: 'your-ipset-id-here'
      name: 'your-ipset-name'
      scope: 'REGIONAL'
      region: 'us-east-1'

Security Group Only (New)

steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions-role
      aws-region: us-east-1
      
  - name: Add runner IP to Security Group
    uses: digglife/aws-waf-temp-access@v1
    with:
      security-group-id: 'sg-1234567890abcdef0'
      security-group-description: 'GitHub Actions temporary access'
      region: 'us-east-1'

Both WAF IPSet and Security Group (New)

steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions-role
      aws-region: us-east-1
      
  - name: Add runner IP to WAF IPSet and Security Group
    uses: digglife/aws-waf-temp-access@v1
    with:
      # WAF IPSet configuration
      id: 'your-ipset-id-here'
      name: 'your-ipset-name'
      scope: 'REGIONAL'
      # Security Group configuration
      security-group-id: 'sg-1234567890abcdef0'
      security-group-description: 'GitHub Actions temporary access'
      region: 'us-east-1'

Complete Workflow Example

name: Deploy with WAF Protection
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-role
          aws-region: us-west-2
      
      - name: Add runner IP to WAF IPSet
        uses: digglife/aws-waf-temp-access@v1
        with:
          id: 'abcdef12-3456-7890-abcd-ef1234567890'
          name: 'github-runners-ipset'
          scope: 'REGIONAL'
          region: 'us-west-2'
      
      # Your deployment steps here
      - name: Deploy application
        run: |
          echo "Deploying application..."
          # The runner IP is now allowed through WAF
      
      # IP cleanup happens automatically in post-action

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| id | The ID of the IPSet | ❌ No* | |
| name | The name of the IPSet | ❌ No* | |
| scope | The scope of the IPSet (CLOUDFRONT or REGIONAL) | ❌ No* | REGIONAL |
| region | The AWS region | ✅ Yes | us-east-1 |
| security-group-id | The ID of the Security Group | ❌ No* | |
| security-group-description | Description for the Security Group rule | ❌ No | Temporary access from GitHub Actions runner |

*At least one target must be specified: either WAF IPSet configuration (id, name, scope) or Security Group configuration (security-group-id), or both.

Outputs

| Output | Description |
|---|---|
| ip-address | The public IP address that was added to the IPSet/Security Group |
| status | Status of the operation (success or failed) |

AWS Permissions

The action requires different AWS IAM permissions depending on which services you're using:

For WAF IPSets only:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "wafv2:GetIPSet",
        "wafv2:UpdateIPSet"
      ],
      "Resource": "arn:aws:wafv2:*:*:*/ipset/*/*"
    }
  ]
}

For Security Groups only:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*"
    }
  ]
}

For both WAF IPSets and Security Groups:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "wafv2:GetIPSet",
        "wafv2:UpdateIPSet"
      ],
      "Resource": "arn:aws:wafv2:*:*:*/ipset/*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*"
    }
  ]
}

For more restrictive permissions, you can specify exact ARNs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "wafv2:GetIPSet",
        "wafv2:UpdateIPSet"
      ],
      "Resource": "arn:aws:wafv2:us-west-2:123456789012:regional/ipset/github-runners-ipset/abcdef12-3456-7890-abcd-ef1234567890"
    }
  ]
}

Authentication

This action uses the AWS SDK's default credential chain to authenticate with AWS. You can provide credentials using any of the following methods:

Option 1: aws-actions/configure-aws-credentials (Recommended)

steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions-role
      aws-region: us-west-2
      
  - name: Add runner IP to WAF IPSet
    uses: digglife/aws-waf-temp-access@v1
    with:
      id: 'your-ipset-id-here'
      name: 'your-ipset-name'
      scope: 'REGIONAL'
      region: 'us-west-2'

Option 2: Environment Variables

steps:
  - name: Add runner IP to WAF IPSet
    uses: digglife/aws-waf-temp-access@v1
    with:
      id: 'your-ipset-id-here'
      name: 'your-ipset-name'
      scope: 'REGIONAL'
      region: 'us-west-2'
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }} # Optional for temporary credentials

Option 3: IAM Roles (Self-hosted runners)

If running on self-hosted runners with IAM roles attached, no explicit credential configuration is needed.

How It Works

  1. IP Detection: The action detects the public IP address of the GitHub runner using external services
  2. Target Updates: Depending on configuration:
    • WAF IPSet: Adds the IP address (with /32 CIDR) to the specified AWS WAF IPSet using optimistic locking
    • Security Group: Adds an HTTPS (port 443) ingress rule for the IP address (with /32 CIDR) to the specified Security Group
  3. Concurrent Handling: Uses retry logic with exponential backoff to handle concurrent updates safely
  4. Cleanup: Automatically removes the IP address from all configured targets when the workflow completes (via post-action)
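The WAF IPSet step above (read the set, add the runner's /32, write it back under the lock token, retry on conflict, remove only that entry on cleanup) is shown here as an added example; it is not the action's own source. It is written against a minimal getIPSet/updateIPSet client interface so it runs offline; in the real action those calls are the GetIPSet and UpdateIPSet operations of the AWS SDK v3 WAFv2 client, which return a LockToken that the update must echo back and reject a stale token with WAFOptimisticLockException. The FakeWafClient, the sleep-free retry options and the three addresses are constructed for the demonstration.

```javascript
// Added example, not the action's own source: the WAF IPSet add/remove cycle
// with optimistic locking and exponential backoff, written against a minimal
// client interface (getIPSet/updateIPSet) so it runs offline. The real action
// uses the AWS SDK v3 WAFv2 client; GetIPSet returns a LockToken that
// UpdateIPSet must echo back, and a stale token is rejected with
// WAFOptimisticLockException.

// In-memory stand-in for the WAFv2 API (constructed for this example).
class FakeWafClient {
  constructor(addresses = []) {
    this.addresses = [...addresses];
    this.version = 0;
    this.lockToken = 'tok-0';
  }
  async getIPSet() {
    return { IPSet: { Addresses: [...this.addresses] }, LockToken: this.lockToken };
  }
  async updateIPSet({ LockToken, Addresses }) {
    if (LockToken !== this.lockToken) {
      const err = new Error('IPSet was modified since it was read');
      err.name = 'WAFOptimisticLockException';
      throw err;
    }
    this.addresses = [...Addresses];
    this.version += 1;
    this.lockToken = `tok-${this.version}`;
    return { NextLockToken: this.lockToken };
  }
}

const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Retry `op` on lock conflicts only; any other error (access denied, not
// found) is surfaced immediately. Delay grows 2^attempt with jitter so racing
// workflows do not retry in lockstep. `sleep` is injectable for tests.
async function withLockRetry(op, { maxAttempts = 5, baseMs = 200, sleep = realSleep } = {}) {
  for (let attempt = 0; ; attempt += 1) {
    try {
      return await op();
    } catch (err) {
      if (err.name !== 'WAFOptimisticLockException' || attempt + 1 >= maxAttempts) throw err;
      await sleep(baseMs * 2 ** attempt + Math.floor(Math.random() * baseMs));
    }
  }
}

// Read-modify-write under the lock token. `transform` maps the current
// address list to the desired one, so entries added by other workflows are
// preserved, and an unchanged list skips the write entirely.
async function modifyIPSet(client, transform, opts) {
  return withLockRetry(async () => {
    const { IPSet, LockToken } = await client.getIPSet();
    const current = IPSet.Addresses;
    const next = transform(current);
    const unchanged = next.length === current.length && next.every((a) => current.includes(a));
    if (unchanged) return current;
    await client.updateIPSet({ LockToken, Addresses: next });
    return next;
  }, opts);
}

// The runner address is stored as a /32, as the README describes.
const addRunnerIp = (client, ip, opts) =>
  modifyIPSet(client, (addrs) => (addrs.includes(`${ip}/32`) ? addrs : [...addrs, `${ip}/32`]), opts);
const removeRunnerIp = (client, ip, opts) =>
  modifyIPSet(client, (addrs) => addrs.filter((a) => a !== `${ip}/32`), opts);

// Simulates two workflows racing on one IPSet: a second runner
// (198.51.100.7, constructed) writes between our read and our write, so our
// first update fails on the stale token and the retry re-reads and merges.
// Cleanup then removes only our own entry.
async function demoConcurrentAdd() {
  const client = new FakeWafClient(['203.0.113.0/24']); // pre-existing entry (constructed)
  const realGet = client.getIPSet.bind(client);
  let raced = false;
  client.getIPSet = async () => {
    const snapshot = await realGet();
    if (!raced) {
      raced = true;
      await client.updateIPSet({
        LockToken: snapshot.LockToken,
        Addresses: [...snapshot.IPSet.Addresses, '198.51.100.7/32'],
      });
    }
    return snapshot;
  };
  const opts = { sleep: async () => {} };
  const afterAdd = await addRunnerIp(client, '192.0.2.10', opts);
  const afterCleanup = await removeRunnerIp(client, '192.0.2.10', opts);
  return { afterAdd, afterCleanup, writes: client.version };
}

demoConcurrentAdd().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point to take from the demo is that the action never overwrites the address list it did not read: a conflicting write from another workflow makes the first update fail on the stale token, and the retry re-reads the set before merging, which is why entries belonging to other runners survive both the add and the cleanup.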

Concurrent Usage

The action supports multiple workflows running simultaneously against the same targets through:

  • WAF IPSets: Optimistic locking with automatic retry logic and exponential backoff with jitter for lock conflicts
  • Security Groups: Retry logic with exponential backoff to handle transient API errors
  • Safe addition/removal of IP addresses without affecting other entries

Error Handling

  • If IP detection fails, the action will try alternative services
  • Lock conflicts are automatically retried with exponential backoff
  • Cleanup failures are logged as warnings but don't fail the workflow
  • Detailed logging helps with troubleshooting

Security Considerations

  • IP addresses are automatically cleaned up after workflow completion
  • The action only adds/removes the specific runner's IP address
  • Uses HTTPS for IP detection services
  • Supports AWS temporary credentials and IAM roles
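The fallback chain from Error Handling ("if IP detection fails, the action will try alternative services") and the HTTPS requirement from Security Considerations are shown together in this added example, which is not the action's own code. The part worth seeing is the validation: whatever a detection service returns is about to be written into an allow list, so the response is accepted only if it is a well-formed public IPv4 address, and non-HTTPS services are refused outright. The service URLs are placeholders and the `fetcher` parameter is an assumption introduced so the logic can run offline against constructed responses.

```javascript
// Added example, not the action's own code: query HTTPS "what is my IP"
// services in order, fall back on any failure, and strictly validate the
// response before it is used to modify a WAF IPSet or Security Group.

// Dotted-quad IPv4 only, every octet 0-255. An HTML error page, an IPv6
// literal, a CIDR or trailing junk is rejected rather than trusted.
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function isPublicIPv4(s) {
  if (!IPV4_RE.test(s)) return false;
  const [a, b] = s.split('.').map(Number);
  // A runner behind NAT that reports a private, loopback or link-local
  // address would put a meaningless entry into the allow list; refuse it.
  if (a === 0 || a === 10 || a === 127) return false;
  if (a === 172 && b >= 16 && b <= 31) return false;
  if (a === 192 && b === 168) return false;
  if (a === 169 && b === 254) return false;
  return true;
}

// Placeholder service URLs (assumption; substitute real detection endpoints).
const DEFAULT_SERVICES = ['https://ip.example.com/', 'https://ip-fallback.example.com/'];

// Real fetcher: plain GET over HTTPS with a timeout (Node 18+ global fetch).
async function defaultFetcher(url, timeoutMs) {
  const res = await fetch(url, { signal: AbortSignal.timeout(timeoutMs) });
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  return res.text();
}

// Try each service in turn; return the first validated answer together with
// the reasons the earlier services were skipped, for the action's log.
async function detectPublicIp(services = DEFAULT_SERVICES, fetcher = defaultFetcher, { timeoutMs = 5000 } = {}) {
  const failures = [];
  for (const url of services) {
    if (!url.startsWith('https://')) {
      failures.push(`${url}: refusing non-HTTPS detection service`);
      continue;
    }
    try {
      const body = (await fetcher(url, timeoutMs)).trim();
      if (!isPublicIPv4(body)) {
        failures.push(`${url}: unusable response ${JSON.stringify(body.slice(0, 40))}`);
        continue;
      }
      return { ip: body, source: url, failures };
    } catch (err) {
      failures.push(`${url}: ${err.message}`);
    }
  }
  throw new Error(`Failed to get public IP: ${failures.join('; ')}`);
}

// Constructed responses standing in for three services: the first returns an
// HTML error page, the second times out, the third answers correctly.
async function demoFallback() {
  const canned = {
    'https://a.example/': '<html>503 Service Unavailable</html>',
    'https://b.example/': null,
    'https://c.example/': '192.0.2.10\n',
  };
  const fetcher = async (url) => {
    const body = canned[url];
    if (body === null) throw new Error('timeout');
    return body;
  };
  return detectPublicIp(Object.keys(canned), fetcher);
}

demoFallback().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Logging the skipped services alongside the chosen one turns a "Failed to get public IP" error into something diagnosable: the troubleshooting entry below can then distinguish a runner with no egress from a service that answered with something other than an address.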

Troubleshooting

Common Issues

Error: "Failed to get public IP"

  • Check if the runner has internet access
  • Verify firewall settings allow HTTPS requests

Error: "Access Denied"

  • Verify AWS credentials are correct
  • For WAF: Check IAM permissions include wafv2:GetIPSet and wafv2:UpdateIPSet
  • For Security Groups: Check IAM permissions include ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress
  • Ensure the IPSet/Security Group exists and the ID/name are correct

Error: "IPSet not found" or "Security Group not found"

  • Verify the IPSet ID, name, scope, and region are correct
  • Verify the Security Group ID and region are correct
  • Ensure the resources exist in the specified region

Error: "Either WAF IPSet configuration or Security Group configuration must be provided"

  • You must specify at least one target: either WAF IPSet inputs (id, name, scope) or Security Group input (security-group-id)

Lock conflicts persist (WAF only)

  • This is normal with high concurrency; the action will retry automatically
  • If issues persist, consider staggering workflow starts

License

MIT

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.
