Update Allowed Ingress IPs for Staging and Integration
We allow the White Chapel Building office networks (both Brattain and GovWifi) to view integration and staging without requiring HTTP Basic Authorisation. Occasionally the IP addresses of these networks change and we need to update the list.
To update the list the process is broadly:
Update the AWS WAF rules
Update the terraform lists
In the terraform-govuk-infrastructure-sensitive repo you need to update the modules/variables/main.tf file.
You need to update the office_ips tfvars section in the sensitive-security-integration module, and also in the sensitive-security-staging module.
NOTE: currently there is no pre-commit hook or GitHub Actions workflow to validate that this change is OK. You should run terraform validate in the module prior to merging to main.
Release a new version of the infrastructure-sensitive module
Once the terraform is merged to main you need to:
- Go to the infrastructure-sensitive module in the govuk private registry.
- Note the current version number (which is listed in the breadcrumb at the top of the page).
- Click the Publish New Version button.
- From the opened pop up choose a commit (the most recent is at the top, and should be your merge).
- Enter a higher version number than the current module version, but keep a note of the version number you have published.
It should tell you very quickly that the new version has been published. If it is taking a long time, open the details and resolve whatever is stopping it from publishing (usually a terraform syntax error).
Update the terraform deployments to use the new module version
In govuk-infrastructure you need to update the version of the infrastructure-sensitive modules to your new version:
Apply the terraform
Finally, once you have merged the version updates to the infrastructure-sensitive repo you should run the following terraform workspaces (in this order):
- tfc-configuration
- govuk-publishing-infrastructure-integration
- govuk-publishing-infrastructure-staging
Update the Fastly config
Update the fastly-secrets IP allow lists
In the govuk-fastly-secrets git repo you need to update the allowed_ip_addresses list in:
- secrets/datagovuk/integration.yaml
- secrets/datagovuk/staging.yaml
- secrets/www/integration.yaml
- secrets/www/staging.yaml
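Because the note above says nothing checks the office_ips change automatically, and the same addresses go into allowed_ip_addresses, a reviewer can run a check like the one below over the new entries before merging. This is an added example, not code from the GOV.UK repos: the function name, the minimum prefix lengths and the sample entries (documentation ranges, not real office IPs) are assumptions.

```python
import ipaddress

# Assumptions for this example: the narrowest prefix an office entry may use.
MIN_PREFIX = {4: 24, 6: 48}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample entries (documentation ranges, not real office IPs).
SAMPLE = [
    "192.0.2.0/24",
    "198.51.100.7/32",
    "198.51.100.7",      # same host again, written without a prefix
    "203.0.113.10/24",   # host bits set: probably meant .0/24 or .10/32
    "0.0.0.0/0",         # would match every IPv4 client
    "10.1.2.0/24",       # internal range, not a public egress address
    "2001:db8:1::/48",
]


def check_allow_list(entries):
    """Return (accepted CIDR strings, [(entry, problem), ...])."""
    accepted, problems = [], []
    for raw in entries:
        try:
            # strict=True rejects entries whose host bits are set
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            problems.append((raw, f"invalid: {exc}"))
            continue
        clash = next((a for a in accepted
                      if a.version == net.version and a.overlaps(net)), None)
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append((raw, "too broad"))
        elif net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            problems.append((raw, "private range"))
        elif clash is not None:
            problems.append((raw, f"overlaps {clash}"))
        else:
            accepted.append(net)
    return [str(n) for n in accepted], problems


if __name__ == "__main__":
    ok, bad = check_allow_list(SAMPLE)
    print("accepted:", ok)
    for entry, problem in bad:
        print(f"REJECT {entry!r}: {problem}")
```

Any rejected entry is worth resolving before the change is merged, since an over-broad or mistyped range silently widens who can reach integration and staging without Basic Auth.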
Apply the Fastly Terraform Workspaces for datagovuk and www
After the changes above are merged you need to apply the Terraform Workspaces: