diff --git a/terraform/environments/apex/waf.tf b/terraform/environments/apex/waf.tf
index ef03cac3920..7348922a2da 100644
--- a/terraform/environments/apex/waf.tf
+++ b/terraform/environments/apex/waf.tf
@@ -1,10 +1,29 @@
+# resource "aws_waf_ipset" "wafmanualallowset" {
+# name = "${upper(local.application_name)} Manual Allow Set"
+# # description = ""
+# # scope = "CLOUDFRONT"
+# provider = aws.us-east-1
+# # ip_address_version = "IPV4"
+# addresses = [for ip in split("\n", chomp(file("${path}/aws_waf_ipset.txt"))) : ip]
+# }
+
+locals {
+ip_set_list = [for ip in split("\n", chomp(file("${path.module}/aws_waf_ipset.txt"))) : ip]
+}
+
 resource "aws_waf_ipset" "wafmanualallowset" {
 name = "${upper(local.application_name)} Manual Allow Set"
- # description = ""
- # scope = "CLOUDFRONT"
- provider = aws.us-east-1
- # ip_address_version = "IPV4"
- addresses = [for ip in split("\n", chomp(file("${path}/aws_waf_ipset.txt"))) : ip]
+
+ # Ranges from https://github.com/ministryofjustice/laa-apex/blob/master/aws/application/application_stack.template
+ # removed redundant ip addresses such as RedCentric access and AWS Holborn offices
+
+ dynamic "ip_set_descriptors" {
+ for_each = local.ip_set_list
+ content {
+ type = "IPV4"
+ value = ip_set_descriptors.value
+ }
+ }
 }
 
 resource "aws_waf_ipset" "wafmanualblockset" {
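Review bot: The `ip_set_list` comprehension in the new `locals` block keeps every line of `aws_waf_ipset.txt` unfiltered, so a blank line in the middle of the file, a CRLF line ending or a stray comment becomes an `ip_set_descriptors` entry with an empty or malformed `value` and the apply fails; `ip_set_list = [for ip in split("\n", chomp(file("${path.module}/aws_waf_ipset.txt"))) : trimspace(ip) if trimspace(ip) != ""]` would tolerate that. Because this is the manual allow set and every descriptor is emitted with `type = "IPV4"`, an IPv6 range placed in the file would presumably be rejected at apply rather than allowed, which is worth stating next to the local, e.g. `# one IPv4 CIDR per line; this set does not carry IPv6 entries`. The commented-out copy of the old resource at the top of the hunk duplicates what git history already keeps and should be dropped. The hunk also removes `provider = aws.us-east-1`; if that alias was there because the set feeds a global (CloudFront) WebACL, confirm the default provider still resolves the global WAF Classic endpoint before merging.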