feat: per-region + direction CIDR feeds #6
Merged
added 2 commits
May 11, 2026 09:56
- update_outputs.py: per-region loop now emits three variants per region — combined (existing), `-inbound`, and `-outbound`. ≥1-CIDR guard applies to each variant independently, so regions with one direction (e.g. aws-eu-north-1 has only outbound) emit only the variant they have.
- 156 new direction-scoped TXT files in docs/output/, all covered by the existing SHA256SUMS manifest.
- test_update_outputs.py: 6 new tests covering emission, contents isolation per direction, the ≥1-CIDR guard for empty directions, and SHA256SUMS coverage. 18/18 passing in this file, 45/45 across the repo.
- Docs updated: README (Features + Implementation Notes), docs/firewall-automation-guide.md (URL pattern table with concrete Azure Storage Account / AWS KMS use cases), terraform/README.md ("does NOT do" section now points consumers at the published split feeds via source_files), and the generated docs/index.html and docs/output/index.html nav copy.

Motivation: combined per-region files force consumers into a both-directions allowlist even when the target only accepts one direction — Azure Storage Account network rules cap at 400 IPs per account and AWS KMS aws:SourceIp policies are size-constrained. Direction-scoped feeds let those consumers cut their footprint roughly in half.
Regenerate docs/output/ on latest weekly data (4 weeks of upstream chore updates: 2026-05-11, 2026-05-18, 2026-05-25, 2026-06-01). Direction-scoped feeds preserved; SHA256SUMS verified; 45/45 tests pass.
Closes #5.
Summary
- `update_outputs.py` now emits three variants per region — combined (existing), `-inbound`, `-outbound`. The ≥1-CIDR guard applies to each variant independently, so regions that only carry one direction (e.g. `aws-eu-north-1`, several Azure China/USGov regions) emit just the variant they have.
- 156 new direction-scoped TXT files in `docs/output/`, all covered by the existing `SHA256SUMS` manifest (verified locally with `sha256sum -c`).
- 6 new tests in `test_update_outputs.py` for emission, per-direction content isolation, the ≥1-CIDR guard, and SHA256SUMS coverage. Full suite: 45/45 passing.
- Docs updated: `README.md` (Features + Implementation Notes), `docs/firewall-automation-guide.md` (URL pattern table + concrete use cases), `terraform/README.md` ("does NOT do" note now points consumers at the published split feeds), and the generated `docs/index.html` / `docs/output/index.html` nav copy.
Why
The current `<cloud>-<region>.txt` files force consumers into a both-directions allowlist even when the target only accepts one direction. Two concrete cases:
- Azure Storage Account network rules cap at 400 IPs per account.
- AWS KMS `aws:SourceIp` policies are size-constrained; only outbound CP IPs reach KMS.
Direction-scoped feeds let those consumers tighten the allowlist without forking the repo or post-processing the combined file.
Test plan
- `python3 -m pytest -v` — 45/45 pass locally
- `python3 update_outputs.py` — generates expected files
- `cd docs/output && sha256sum -c SHA256SUMS` — all OK including new files
- `aws-us-east-1-inbound.txt` contains only inbound CIDRs; `aws-us-east-1-outbound.txt` contains only outbound; combined `aws-us-east-1.txt` is the deduplicated union (unchanged)
- `aws-eu-north-1-outbound.txt` exists, `aws-eu-north-1-inbound.txt` does not (region has no inbound CIDRs)
- `docs/output/index.html` lists every new file; existing files unchanged
Backward compatibility
- Existing files are unchanged (`<cloud>.txt`, `<cloud>-<inbound|outbound>.txt`, `<cloud>-<region>.txt`, `all.txt`, etc.).
- The Terraform module still uses `<cloud>-<region>.txt` URLs; direction filtering remains an explicit `source_files` opt-in for now, per the updated note in `terraform/README.md`.
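As an added illustration (not code from this PR or from the repository it modifies), the following self-contained Python model shows the two mechanisms the Summary and Test plan describe: per-region emission of combined / `-inbound` / `-outbound` variants with the ≥1-CIDR guard applied per variant, and a `sha256sum -c`-style manifest check that also requires every emitted feed to be listed. The input record layout, the sample CIDRs, and the names `SAMPLE_RECORDS`, `build_outputs`, `sha256sums` and `verify_manifest` are assumptions made here, not the project's own API.

```python
import hashlib
import ipaddress
from collections import defaultdict

DIRECTIONS = ("inbound", "outbound")

# Constructed sample records (not the project's data). The record layout is an
# assumption: one CIDR per record, tagged with cloud, region and direction.
SAMPLE_RECORDS = [
    {"cloud": "aws", "region": "us-east-1", "direction": "inbound", "cidr": "203.0.113.0/24"},
    {"cloud": "aws", "region": "us-east-1", "direction": "outbound", "cidr": "198.51.100.0/25"},
    # Same prefix in both directions: must appear once in the combined file.
    {"cloud": "aws", "region": "us-east-1", "direction": "outbound", "cidr": "203.0.113.0/24"},
    # Region with a single direction: only the -outbound and combined variants exist.
    {"cloud": "aws", "region": "eu-north-1", "direction": "outbound", "cidr": "192.0.2.0/26"},
]


def render(nets):
    """One CIDR per line, sorted (IPv4 before IPv6, then by address)."""
    return "".join(f"{n}\n" for n in sorted(nets, key=lambda n: (n.version, n)))


def build_outputs(records):
    """Return {filename: file text} for every region variant that has >=1 CIDR.

    Each region has three candidate variants: combined (deduplicated union),
    -inbound and -outbound. The >=1-CIDR guard is applied per variant, so a
    region carrying only one direction emits two files rather than three.
    """
    regions = defaultdict(lambda: {d: set() for d in DIRECTIONS})
    for rec in records:
        if rec["direction"] not in DIRECTIONS:
            raise ValueError(f"unknown direction {rec['direction']!r}")
        # strict=True rejects entries with host bits set (e.g. 10.0.0.1/8).
        net = ipaddress.ip_network(rec["cidr"], strict=True)
        regions[f"{rec['cloud']}-{rec['region']}"][rec["direction"]].add(net)

    outputs = {}
    for base, per_dir in regions.items():
        variants = {base: set().union(*per_dir.values())}  # combined = union
        for d in DIRECTIONS:
            variants[f"{base}-{d}"] = per_dir[d]
        for name, nets in variants.items():
            if not nets:  # >=1-CIDR guard: never publish an empty feed
                continue
            outputs[f"{name}.txt"] = render(nets)
    return outputs


def sha256sums(outputs):
    """Manifest in `sha256sum` format: '<hex digest>  <filename>' per line."""
    return "".join(
        f"{hashlib.sha256(outputs[name].encode()).hexdigest()}  {name}\n"
        for name in sorted(outputs)
    )


def verify_manifest(outputs, manifest):
    """Mirror `sha256sum -c` plus a coverage check.

    True only if every manifest entry names an existing file whose digest
    matches AND every output file is listed (no unlisted feeds).
    """
    listed = {}
    for line in manifest.splitlines():
        digest, sep, name = line.partition("  ")
        if not sep:
            return False  # malformed manifest line
        listed[name] = digest
    if set(listed) != set(outputs):
        return False  # a file is missing from the manifest, or listed but absent
    return all(
        hashlib.sha256(outputs[name].encode()).hexdigest() == digest
        for name, digest in listed.items()
    )


if __name__ == "__main__":
    files = build_outputs(SAMPLE_RECORDS)
    manifest = sha256sums(files)
    for name in sorted(files):
        print(f"{name}: {files[name].split()}")
    print("manifest ok:", verify_manifest(files, manifest))
```

The coverage half of `verify_manifest` is the part plain `sha256sum -c` does not give you: a feed that was emitted but never added to `SHA256SUMS` passes `-c` silently, which is exactly the gap the PR's "SHA256SUMS coverage" test is meant to close.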