The inbound rules on the security group of my EC2 instance are blocking SSH access (port 22) (relevant for deploying the backend)
There are thousands of IPs that GitHub Actions could use, so it is not feasible to add the inbound rules manually & I can't find a simple way to do it through the AWS UI.
Options:
shell script for making curl request to the github api endpoint with the IPs and adding them to the security group
python script (similar to above)
terraform
Wrote the below .sh script to allow me to add all of the github actions IPs to my security group.
#!/usr/bin/env bash
# This script is dependent on jq. On macOS use brew install jq or on Linux use apt-get install jq
# Usage: ./allow-github-actions.sh <security-group-id> <aws-profile>
set -eu
SECURITY_GROUP_ID="$1"
REGION="eu-west-2"
PROFILE="$2"
# GitHub publishes the Actions runner ranges under .actions in its meta endpoint
IP_RANGES=$(curl -s https://api.github.com/meta | jq -r '.actions[]')
for IP in $IP_RANGES
do
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$SECURITY_GROUP_ID" --protocol tcp --port 22 --cidr "$IP" --profile "$PROFILE"
done
Issue is that there are too many IPs (> 4000) and AWS won't let me add this many rules to the security group. Gives the below error
An error occurred (RulesPerSecurityGroupLimitExceeded) when calling the AuthorizeSecurityGroupIngress operation: The maximum number of rules per security group has been reached
Potential solutions:
Scale up number of security groups (but could be hard to manage)
Dynamically retrieve the GitHub actions IP during the workflow, so that I can add a security group rule allowing the IP. Then delete the IP at the end of the workflow (so we don't run into max number of IPs down the line)
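A worked version of the second option (an ephemeral per-job rule), added here as an example and not taken from the issue or its author: it allows only the runner's own /32 on port 22, runs the deploy command, and revokes the rule when the job exits, whether or not the deploy succeeded. It assumes the workflow exports AWS_REGION and SECURITY_GROUP_ID and that the AWS CLI already has credentials; checkip.amazonaws.com as the IP lookup and the gha-run-<id> Description tag are my choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the original issue: open SSH to the current
# GitHub Actions runner only for the duration of the job, then revoke it.
# Assumes AWS_REGION and SECURITY_GROUP_ID are exported by the workflow and
# that the AWS CLI already has credentials (e.g. from an OIDC role assumption).
set -eu

# Public IPv4 of the runner as a /32 CIDR. Assumption: checkip.amazonaws.com
# is reachable; the value is sanity-checked before it reaches the AWS CLI.
runner_cidr() {
  ip=$(curl -sf https://checkip.amazonaws.com | tr -d '[:space:]')
  case "$ip" in
    ''|*[!0-9.]*) echo "could not determine runner IPv4: '$ip'" >&2; return 1 ;;
  esac
  printf '%s/32\n' "$ip"
}

# Single-host rule, tagged with the run id so a rule orphaned by a crashed
# job can be found and removed later (the Description convention is mine).
open_ssh() {
  aws ec2 authorize-security-group-ingress \
    --region "$AWS_REGION" --group-id "$SECURITY_GROUP_ID" \
    --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=$1,Description=gha-run-${GITHUB_RUN_ID:-manual}}]"
}

close_ssh() {
  aws ec2 revoke-security-group-ingress \
    --region "$AWS_REGION" --group-id "$SECURITY_GROUP_ID" \
    --protocol tcp --port 22 --cidr "$1"
}

# Wrap the deploy command: the EXIT trap revokes the rule even when the
# deploy fails, so the rule count never creeps toward the limit.
main() {
  RUNNER_CIDR=$(runner_cidr)
  open_ssh "$RUNNER_CIDR"
  trap 'close_ssh "$RUNNER_CIDR"' EXIT
  "$@"
}

if [ $# -eq 0 ]; then
  echo "usage: $0 <deploy command...>   e.g. $0 ssh ec2-user@host ./deploy.sh" >&2
else
  main "$@"
fi
```

In a workflow step this replaces the bulk rule import entirely: `./ssh-window.sh ssh ec2-user@host ./deploy.sh`, so the security group holds at most one Actions rule at a time.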