From 124e08c13bd6241d1710ea3a019e7749c642daec Mon Sep 17 00:00:00 2001
From: Andrew Dryga
Date: Thu, 19 Oct 2023 22:27:21 -0600
Subject: [PATCH] Fix ssh firewall rules

---
 terraform/environments/production/main.tf | 36 ++++++++++++++++++++---
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/terraform/environments/production/main.tf b/terraform/environments/production/main.tf
index 8be633523..4cb167431 100644
--- a/terraform/environments/production/main.tf
+++ b/terraform/environments/production/main.tf
@@ -710,11 +710,11 @@ module "relays" {
   portal_token = var.relay_portal_token
 }
 
-resource "google_compute_firewall" "iap-ssh" {
+resource "google_compute_firewall" "portal-ssh-ipv4" {
   project = module.google-cloud-project.project.project_id
 
-  name = "staging-iap-ssh"
-  network = module.relays[0].network
+  name = "portal-ssh-ipv4"
+  network = module.google-cloud-vpc.self_link
 
   allow {
     protocol = "tcp"
@@ -733,7 +733,35 @@ resource "google_compute_firewall" "iap-ssh" {
 
   # Only allows connections using IAP
   source_ranges = ["35.235.240.0/20"]
-  target_tags = concat(module.web.target_tags, module.api.target_tags, module.relays[0] ? module.relays[0].target_tags : [])
+  target_tags = concat(module.web.target_tags, module.api.target_tags)
+}
+
+resource "google_compute_firewall" "relays-ssh-ipv4" {
+  count = length(module.relays) > 0 ? 1 : 0
+
+  project = module.google-cloud-project.project.project_id
+
+  name = "relays-ssh-ipv4"
+  network = module.google-cloud-vpc.self_link
+
+  allow {
+    protocol = "tcp"
+    ports = [22]
+  }
+
+  allow {
+    protocol = "udp"
+    ports = [22]
+  }
+
+  allow {
+    protocol = "sctp"
+    ports = [22]
+  }
+
+  # Only allows connections using IAP
+  source_ranges = ["35.235.240.0/20"]
+  target_tags = module.relays[0].target_tags
 }
 
 module "ops" {
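Review bot: The rename from `resource "google_compute_firewall" "iap-ssh"` to `"portal-ssh-ipv4"` (and of `name` to `"portal-ssh-ipv4"`) drops the only hint in the resource and rule name that this is an IAP-only rule; the `# Only allows connections using IAP` comment sits further down, outside this hunk, and the new name reads like a general SSH allow. Because `name` changes as well, Terraform will destroy `staging-iap-ssh` and create `portal-ssh-ipv4` rather than update in place, so the web/api instances have no SSH rule for the duration of the apply — worth a line in the commit message. I would add `description = "SSH (tcp/22) to web and api instances, only from the IAP TCP-forwarding range"` next to `name` so the intent is visible in the console and in `gcloud` output. The resource body continues past the end of this hunk.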
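Review bot: The new `relays-ssh-ipv4` rule opens port 22 over udp and sctp as well as tcp, but IAP TCP forwarding — the only permitted source, per `source_ranges = ["35.235.240.0/20"]` — carries TCP only, so the `udp` and `sctp` allow blocks grant nothing useful and widen the rule beyond SSH; drop them and keep just `allow { protocol = "tcp" ports = [22] }`. The three-protocol shape is copied from the existing portal rule, so whether that rule should shrink too is a separate question this commit does not have to answer. Consider also adding `log_config { metadata = "INCLUDE_ALL_METADATA" }` so every IAP SSH connection to a relay shows up in VPC firewall logs. The `count = length(module.relays) > 0 ? 1 : 0` guard does pair correctly with `target_tags = module.relays[0].target_tags`: the index is only evaluated when at least one relay module instance exists, which fixes the invalid `module.relays[0] ? … : []` condition the old line used.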