1616 SCOPE : REGIONAL
1717 IPSET_NAME_STAGING : ipset-block-ohm-staging
1818 IPSET_NAME_PROD : ipset-block-ohm-production
19- FILE_STAGING : firewall/ip-blacklist-staging.txt
20- FILE_PROD : firewall/ip-blacklist-production.txt
19+ # --- Archivos actualizados a .yaml ---
20+ FILE_STAGING : firewall/ip-blacklist-staging.yaml
21+ FILE_PROD : firewall/ip-blacklist-production.yaml
2122
2223jobs :
2324 update-waf-ipset :
@@ -27,54 +28,51 @@ jobs:
2728 - name : Checkout repository
2829 uses : actions/checkout@v4
2930
30- # Configure AWS credentials from secrets (access keys)
3131 - name : Configure AWS credentials
3232 uses : aws-actions/configure-aws-credentials@v4
3333 with :
3434 aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
3535 aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
3636 aws-region : ${{ env.AWS_REGION }}
3737
38- - name : Install jq
39- run : sudo apt-get update && sudo apt-get install -y jq
38+ - name : Install jq and yq
39+ run : |
40+ sudo apt-get update && sudo apt-get install -y jq
41+ sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
42+ sudo chmod +x /usr/bin/yq
4043
4144 - name : Resolve target env, IP set and file
4245 id : target
4346 run : |
44- ENV_IN="${{ inputs.environment }}"
45- if [[ "$ENV_IN " == "main" ]]; then
47+ # This logic remains the same, but will now point to .yaml files
48+ if [[ "${{ github.ref_name }} " == "main" ]]; then
4649 echo "IPSET_NAME=${IPSET_NAME_PROD}" >> $GITHUB_OUTPUT
4750 echo "IP_FILE=${FILE_PROD}" >> $GITHUB_OUTPUT
4851 else
4952 echo "IPSET_NAME=${IPSET_NAME_STAGING}" >> $GITHUB_OUTPUT
5053 echo "IP_FILE=${FILE_STAGING}" >> $GITHUB_OUTPUT
5154 fi
5255
53- - name : Build IP list
56+ - name : Build IP list from YAML
5457 id : iplist
5558 shell : bash
5659 run : |
5760 TMP=$(mktemp)
58- if [[ -n "${{ inputs.ips }}" ]]; then
59- # Convert space/newline-separated input to one-per-line
60- echo "${{ inputs.ips }}" | tr ' ' '\n' | sed '/^\s*$/d' > "$TMP"
61- else
62- FILE="${{ steps.target.outputs.IP_FILE }}"
63- if [[ ! -f "$FILE" ]]; then
64- echo "File $FILE not found" >&2
65- exit 1
66- fi
67- # Remove comments and blank lines
68- sed '/^\s*#/d;/^\s*$/d' "$FILE" > "$TMP"
61+ FILE="${{ steps.target.outputs.IP_FILE }}"
62+ if [[ ! -f "$FILE" ]]; then
63+ echo "File $FILE not found" >&2
64+ exit 1
6965 fi
66+ # --- Cambio principal: Usar yq para leer el YAML ---
67+ # Extrae cada IP de la lista 'block_ips' y la pone en una nueva línea
68+ yq '.block_ips[]' "$FILE" > "$TMP"
7069
71- # Basic validation for IPv4/IPv6 with optional CIDR
70+ # La validación y el resto del script no necesitan cambios
7271 INVALID=$(grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^([0-9a-fA-F:]+)(/[0-9]{1,3})?$' "$TMP" || true)
7372 if [[ -n "$INVALID" ]]; then
7473 echo "Invalid entries:"; echo "$INVALID"; exit 1
7574 fi
7675
77- # Unique and sorted list
7876 sort -u "$TMP" > "${TMP}.uniq"
7977 LIST=$(paste -sd' ' "${TMP}.uniq")
8078 echo "addresses=$LIST" >> $GITHUB_OUTPUT
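Review bot: The yq install on new line 41 fetches an unpinned `latest` release over the network, performs no integrity check, and drops the binary into `/usr/bin` with sudo, inside a job that already holds AWS credentials (lines 34–35) and then feeds the binary's output straight into the WAF IP set update, so a substituted or tampered release would run with those credentials in its environment. Pin the release tag and verify the downloaded file's sha256 against the checksum published with that release before making it executable, as in the excerpt below (both values are placeholders to fill in); if the runner image already ships yq the step may be unnecessary, but `runs-on` is outside this hunk so I cannot confirm. Separately, new line 48 interpolates `${{ github.ref_name }}` directly into the shell script; passing it via `env:` (`REF_NAME: ${{ github.ref_name }}`) and comparing `"$REF_NAME"` keeps branch names out of the script text, and the space before the closing quote in `}} "` would make the `main` comparison never match if it is real rather than a rendering artifact. The enclosing job continues past line 78 outside this hunk.
```yaml
      - name: Install jq and yq
        run: |
          sudo apt-get update && sudo apt-get install -y jq
          # Pin the yq release and verify its checksum before trusting the binary
          YQ_VERSION="<pinned-yq-release-tag>"            # placeholder: a specific vX.Y.Z tag
          YQ_SHA256="<sha256-from-that-release-checksums>"  # placeholder: published checksum
          sudo wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /usr/bin/yq
          echo "${YQ_SHA256}  /usr/bin/yq" | sha256sum -c -
          sudo chmod +x /usr/bin/yq
```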
@@ -105,4 +103,4 @@ jobs:
105103
106104 - name : Summary
107105 run : |
108- echo "Updated IP set: ${{ steps.target.outputs.IPSET_NAME }}"
106+ echo "Updated IP set: ${{ steps.target.outputs.IPSET_NAME }}"