Initial implementation of IPv4 allow list in the webhook endpoint

[PerGon]

(OK... this is embarrassing... as I'm about to open the PR and write the description - most code already written - I found this one here 🤦 damn! I still think there is some value in the PR tho)

There have been requests before of having some sort of IP allowlist.

This PR implements something like that. It creates a lambda that will be used as an api gateway authorizer to validate if the client ID is part the configured allowed CIDR ranges. (it is, pretty much exactly what was suggested here)
Initially this will mostly be valid for self-hosted Github, but it can eventually be extended to load the IPs for Github cloud from wherever Github publishes them.

I'm creating as a draft PR as there's a couple of things missing (var descriptions), but I was keen on early feedback before taking the time to do those things 😅

So, for the maintainers: should I spend more time in making this PR "mergeable" so it can be available for more people? No hard feelings if not 😅 I can add the relevant capability just in our case like explained in the other PR.

[npalm]

Thx for taking the time to start the work on a allow list for incoming traffic. Indeed we had a previous PR, but we also have not always thte time to check PR. I know it is a pitty but a fact at the moment.

We also have refactored thw webhook module, which creates breaking changes in this PR. However we are open to support an IP allow list. I think we could consider several options.

1. Refactor the webhook further and allow to bring your own API GA, with the API GW 1 IP filterlign can be implemented, it also allows to put the WAF in front of it.
2. Add support for the API GW 1
3. Use indeed the API autherozier, but this will be antother lambda to run.
4. Implment logic in the lambda.

Lambda option

Adding support to the lambda is most likely the simplest approach. Adding the support straitgh away is OK to me. Would suggest to mark it eperimental, which allows us to replace it with one of the other options over time.

Some implementation directions / thoughts.

• Add a method to check here, just before the signature check: https://github.com/philips-labs/terraform-aws-github-runner/blob/0d87aec9b9cc487a221e7eabc075e6be77252021/lambdas/functions/webhook/src/webhook/index.ts#L20
• Add configuration item for IP_ALLOW_LIST to https://github.com/philips-labs/terraform-aws-github-runner/blob/main/lambdas/functions/webhook/src/ConfigLoader.ts to both ConfigWebhook and ConfigWebhookEventBridge
• Add top level configuration to runner (root module) as well multi-runner. Inject to the webhook mddule. And via the configuration object is the module sent downstream to both the eventbridge and direct module to configure the lambda.

[github-actions]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.