Allow SSH to relays using IAP

2026-01-27 18:18:55 +00:00 · 2024-03-30 13:13:18 -06:00
parent b0bde8b0a7
commit afaeb69565
4 changed files with 60 additions and 4 deletions
--- a/terraform/environments/production/main.tf
+++ b/terraform/environments/production/main.tf
@@ -201,8 +201,7 @@ resource "google_compute_firewall" "ssh-ipv4" {
  target_tags = concat(
    module.web.target_tags,
    module.api.target_tags,
-    module.domain.target_tags,
-    length(module.relays) > 0 ? module.relays[0].target_tags : []
+    module.domain.target_tags
  )
 }

--- a/terraform/environments/production/relays.tf
+++ b/terraform/environments/production/relays.tf
@@ -121,3 +121,32 @@ module "relays" {
  api_url = "wss://api.${local.tld}"
  token   = var.relay_token
 }
+
+# Allow SSH acces using IAP for relays
+resource "google_compute_firewall" "relays-ssh-ipv4" {
+  count = length(module.relays) > 0 ? 1 : 0
+
+  project = module.google-cloud-project.project.project_id
+
+  name    = "relays-ssh-ipv4"
+  network = module.google-cloud-vpc.id
+
+  allow {
+    protocol = "tcp"
+    ports    = [22]
+  }
+
+  allow {
+    protocol = "udp"
+    ports    = [22]
+  }
+
+  allow {
+    protocol = "sctp"
+    ports    = [22]
+  }
+
+  # Only allows connections using IAP
+  source_ranges = local.iap_ipv4_ranges
+  target_tags   = module.relays[0].target_tags
+}
--- a/terraform/environments/staging/main.tf
+++ b/terraform/environments/staging/main.tf
@@ -201,8 +201,7 @@ resource "google_compute_firewall" "ssh-ipv6" {
  target_tags = concat(
    module.web.target_tags,
    module.api.target_tags,
-    module.domain.target_tags,
-    length(module.relays) > 0 ? module.relays[0].target_tags : []
+    module.domain.target_tags
  )
 }

--- a/terraform/environments/staging/relays.tf
+++ b/terraform/environments/staging/relays.tf
@@ -121,3 +121,32 @@ module "relays" {
  api_url = "wss://api.${local.tld}"
  token   = var.relay_token
 }
+
+# Allow SSH acces using IAP for relays
+resource "google_compute_firewall" "relays-ssh-ipv4" {
+  count = length(module.relays) > 0 ? 1 : 0
+
+  project = module.google-cloud-project.project.project_id
+
+  name    = "relays-ssh-ipv4"
+  network = module.google-cloud-vpc.id
+
+  allow {
+    protocol = "tcp"
+    ports    = [22]
+  }
+
+  allow {
+    protocol = "udp"
+    ports    = [22]
+  }
+
+  allow {
+    protocol = "sctp"
+    ports    = [22]
+  }
+
+  # Only allows connections using IAP
+  source_ranges = local.iap_ipv4_ranges
+  target_tags   = module.relays[0].target_tags
+}