From 0a79cd5045fa2405fc75186013968e3ed6bdccfe Mon Sep 17 00:00:00 2001
From: Andrew Dryga <a@firezone.dev>
Date: Wed, 6 Nov 2024 16:40:20 -0600
Subject: [PATCH] chore(portal): Do not allow signing up from
 legally-restricted jurisdictions (#7088)

Related to #6807

---------

Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
---
 .../modules/google-cloud/apps/elixir/network.tf     | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/terraform/modules/google-cloud/apps/elixir/network.tf b/terraform/modules/google-cloud/apps/elixir/network.tf
index 15faffbfb..6506bdf87 100644
--- a/terraform/modules/google-cloud/apps/elixir/network.tf
+++ b/terraform/modules/google-cloud/apps/elixir/network.tf
@@ -65,6 +65,19 @@ resource "google_compute_security_policy" "default" {
     }
   }
 
+  rule {
+    description = "block sanctioned countries"
+
+    action   = "deny(451)"
+    priority = "101"
+
+    match {
+      expr {
+        expression = "request.path.matches(\"/sign_up\") && origin.region_code in ('RU', 'BY', 'KP', 'IR', 'SY', 'CU', 'VE', 'XC', 'XD')"
+      }
+    }
+  }
+
   rule {
     description = "log all requests that match preconfigured sqli-v33-stable OWASP rule"
     preview     = true