eli-537 added US to permitted geos, for preprod only, to allow github action tests to still flow

eddalmond1 · eddalmond1 · commit e4af36e27e0b · 2026-03-02T15:24:58.000Z
diff --git a/infrastructure/stacks/api-layer/waf.tf b/infrastructure/stacks/api-layer/waf.tf
@@ -118,8 +118,9 @@ resource "aws_wafv2_web_acl" "api_gateway" {
   }
 
   # Rule 5: Geographic Block Rule - Block non-UK traffic
-  # NHS-specific requirement: block requests originating from outside GB
-  # Defence-in-depth against stolen mTLS certificates being used from outside the UK
+  # Blocks requests from outside the allowed country list.
+  # In prod: GB only - all legitimate traffic must originate from within the UK
+  # In preprod: GB + US - GitHub Actions integration tests run from US-based servers
   rule {
     name     = "BlockNonUK"
     priority = 50
@@ -132,7 +133,7 @@ resource "aws_wafv2_web_acl" "api_gateway" {
       not_statement {
         statement {
           geo_match_statement {
-            country_codes = ["GB"] # United Kingdom only (does NOT include Crown Dependencies)
+            country_codes = var.environment == "preprod" ? ["GB", "US"] : ["GB"]
           }
         }
       }
diff --git a/infrastructure/stacks/api-layer/waf_alarms.tf b/infrastructure/stacks/api-layer/waf_alarms.tf
@@ -130,6 +130,8 @@ resource "aws_cloudwatch_metric_alarm" "waf_rate_limit_blocks" {
 }
 
 # Alarm for blocked non-UK requests
+# In preprod US is also allowed (for GitHub Actions), so this alarm fires on traffic
+# from countries outside GB+US. In prod it fires on anything outside GB.
 resource "aws_cloudwatch_metric_alarm" "waf_non_uk_counted" {
   count               = local.waf_enabled ? 1 : 0
   alarm_name          = "WAF-NonUK-BlockedRequests-${local.workspace}"

Original file line number	Diff line number	Diff line change
`@@ -118,8 +118,9 @@ resource "aws_wafv2_web_acl" "api_gateway" {`
`118`	`118`	`}`
`119`	`119`
`120`	`120`	`# Rule 5: Geographic Block Rule - Block non-UK traffic`
`121`		`- # NHS-specific requirement: block requests originating from outside GB`
`122`		`- # Defence-in-depth against stolen mTLS certificates being used from outside the UK`
	`121`	`+ # Blocks requests from outside the allowed country list.`
	`122`	`+ # In prod: GB only - all legitimate traffic must originate from within the UK`
	`123`	`+ # In preprod: GB + US - GitHub Actions integration tests run from US-based servers`
`123`	`124`	`rule {`
`124`	`125`	`name = "BlockNonUK"`
`125`	`126`	`priority = 50`
`@@ -132,7 +133,7 @@ resource "aws_wafv2_web_acl" "api_gateway" {`
`132`	`133`	`not_statement {`
`133`	`134`	`statement {`
`134`	`135`	`geo_match_statement {`
`135`		`- country_codes = ["GB"] # United Kingdom only (does NOT include Crown Dependencies)`
	`136`	`+ country_codes = var.environment == "preprod" ? ["GB", "US"] : ["GB"]`
`136`	`137`	`}`
`137`	`138`	`}`
`138`	`139`	`}`
Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,8 @@ resource "aws_cloudwatch_metric_alarm" "waf_rate_limit_blocks" {`
`130`	`130`	`}`
`131`	`131`
`132`	`132`	`# Alarm for blocked non-UK requests`
	`133`	`+# In preprod US is also allowed (for GitHub Actions), so this alarm fires on traffic`
	`134`	`+# from countries outside GB+US. In prod it fires on anything outside GB.`
`133`	`135`	`resource "aws_cloudwatch_metric_alarm" "waf_non_uk_counted" {`
`134`	`136`	`count = local.waf_enabled ? 1 : 0`
`135`	`137`	`alarm_name = "WAF-NonUK-BlockedRequests-${local.workspace}"`