From f2c55330c03e215a675f662fd952a0766e0f9bd3 Mon Sep 17 00:00:00 2001
From: Jamil <jamilbk@users.noreply.github.com>
Date: Mon, 17 Feb 2025 10:07:38 -0800
Subject: [PATCH] fix(infra): Fix SSH firewall rules; enforce Relays IAP
 (#8158)

This PR resolves more drift between staging and prod in the area of SSH
firewall rules:

- Adds IPv6 SSH IAP access to prod firewall
- Removes SCTP and UDP port 22 access (this is not required by SSH)
- Enforces IAP for SSH access on staging
- Enable firewall logging for SSH on staging
---
 terraform/environments/production/main.tf   | 41 +++++++++++++++------
 terraform/environments/production/relays.tf | 28 --------------
 terraform/environments/staging/main.tf      | 37 ++++++++-----------
 terraform/environments/staging/relays.tf    | 28 --------------
 4 files changed, 45 insertions(+), 89 deletions(-)

diff --git a/terraform/environments/production/main.tf b/terraform/environments/production/main.tf
index e0329a1f0..9867e48af 100644
--- a/terraform/environments/production/main.tf
+++ b/terraform/environments/production/main.tf
@@ -13,6 +13,10 @@ locals {
     "35.235.240.0/20"
   ]
 
+  iap_ipv6_ranges = [
+    "2600:2d00:1:7::/64"
+  ]
+
   gateway_image_tag = var.gateway_image_tag != null ? var.gateway_image_tag : var.image_tag
   relay_image_tag   = var.relay_image_tag != null ? var.relay_image_tag : var.image_tag
   portal_image_tag  = var.portal_image_tag != null ? var.portal_image_tag : var.image_tag
@@ -232,16 +236,6 @@ resource "google_compute_firewall" "ssh-ipv4" {
     ports    = [22]
   }
 
-  allow {
-    protocol = "udp"
-    ports    = [22]
-  }
-
-  allow {
-    protocol = "sctp"
-    ports    = [22]
-  }
-
   log_config {
     metadata = "INCLUDE_ALL_METADATA"
   }
@@ -251,7 +245,32 @@ resource "google_compute_firewall" "ssh-ipv4" {
   target_tags = concat(
     module.web.target_tags,
     module.api.target_tags,
-    module.domain.target_tags
+    module.domain.target_tags,
+    module.relays[0].target_tags
+  )
+}
+
+resource "google_compute_firewall" "ssh-ipv6" {
+  project = module.google-cloud-project.project.project_id
+
+  name    = "iap-ssh-ipv6"
+  network = module.google-cloud-vpc.self_link
+
+  allow {
+    protocol = "tcp"
+    ports    = [22]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+
+  source_ranges = local.iap_ipv6_ranges
+  target_tags = concat(
+    module.web.target_tags,
+    module.api.target_tags,
+    module.domain.target_tags,
+    module.relays[0].target_tags
   )
 }
 
diff --git a/terraform/environments/production/relays.tf b/terraform/environments/production/relays.tf
index 2fc0c9bc4..ddac0c4cd 100644
--- a/terraform/environments/production/relays.tf
+++ b/terraform/environments/production/relays.tf
@@ -384,34 +384,6 @@ module "relays" {
   token   = var.relay_token
 }
 
-# Allow SSH access using IAP for relays
-resource "google_compute_firewall" "relays-ssh-ipv4" {
-  count   = length(module.relays) > 0 ? 1 : 0
-  project = module.google-cloud-project.project.project_id
-  name    = "relays-ssh-ipv4"
-  network = google_compute_network.network.self_link
-  allow {
-    protocol = "tcp"
-    ports    = [22]
-  }
-  allow {
-    protocol = "udp"
-    ports    = [22]
-  }
-  allow {
-    protocol = "sctp"
-    ports    = [22]
-  }
-
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
-  }
-
-  # Only allows connections using IAP
-  source_ranges = local.iap_ipv4_ranges
-  target_tags   = module.relays[0].target_tags
-}
-
 # Trigger an alert when there is at least one region without a healthy relay
 resource "google_monitoring_alert_policy" "connected_relays_count" {
   project = module.google-cloud-project.project.project_id
diff --git a/terraform/environments/staging/main.tf b/terraform/environments/staging/main.tf
index fb38088db..04e640a0f 100644
--- a/terraform/environments/staging/main.tf
+++ b/terraform/environments/staging/main.tf
@@ -23,6 +23,10 @@ locals {
     "35.235.240.0/20"
   ]
 
+  iap_ipv6_ranges = [
+    "2600:2d00:1:7::/64"
+  ]
+
   gateway_image_tag = var.gateway_image_tag != null ? var.gateway_image_tag : var.image_tag
   relay_image_tag   = var.relay_image_tag != null ? var.relay_image_tag : var.image_tag
   portal_image_tag  = var.portal_image_tag != null ? var.portal_image_tag : var.image_tag
@@ -152,7 +156,7 @@ module "google-cloud-sql" {
 resource "google_compute_firewall" "ssh-ipv4" {
   project = module.google-cloud-project.project.project_id
 
-  name    = "ssh-ipv4"
+  name    = "iap-ssh-ipv4"
   network = module.google-cloud-vpc.self_link
 
   allow {
@@ -160,29 +164,23 @@ resource "google_compute_firewall" "ssh-ipv4" {
     ports    = [22]
   }
 
-  allow {
-    protocol = "udp"
-    ports    = [22]
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
   }
 
-  allow {
-    protocol = "sctp"
-    ports    = [22]
-  }
-
-  source_ranges = ["0.0.0.0/0"]
+  source_ranges = local.iap_ipv4_ranges
   target_tags = concat(
     module.web.target_tags,
     module.api.target_tags,
     module.domain.target_tags,
-    length(module.relays) > 0 ? module.relays[0].target_tags : []
+    module.relays[0].target_tags
   )
 }
 
 resource "google_compute_firewall" "ssh-ipv6" {
   project = module.google-cloud-project.project.project_id
 
-  name    = "ssh-ipv6"
+  name    = "iap-ssh-ipv6"
   network = module.google-cloud-vpc.self_link
 
   allow {
@@ -190,21 +188,16 @@ resource "google_compute_firewall" "ssh-ipv6" {
     ports    = [22]
   }
 
-  allow {
-    protocol = "udp"
-    ports    = [22]
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
   }
 
-  allow {
-    protocol = "sctp"
-    ports    = [22]
-  }
-
-  source_ranges = ["::/0"]
+  source_ranges = local.iap_ipv6_ranges
   target_tags = concat(
     module.web.target_tags,
     module.api.target_tags,
-    module.domain.target_tags
+    module.domain.target_tags,
+    module.relays[0].target_tags
   )
 }
 
diff --git a/terraform/environments/staging/relays.tf b/terraform/environments/staging/relays.tf
index 1bd8dcbf2..ddac0c4cd 100644
--- a/terraform/environments/staging/relays.tf
+++ b/terraform/environments/staging/relays.tf
@@ -384,34 +384,6 @@ module "relays" {
   token   = var.relay_token
 }
 
-# Allow SSH access using IAP for relays
-resource "google_compute_firewall" "relays-ssh-ipv4" {
-  count   = length(module.relays) > 0 ? 1 : 0
-  project = module.google-cloud-project.project.project_id
-  name    = "relays-ssh-ipv4"
-  network = module.google-cloud-vpc.id
-  allow {
-    protocol = "tcp"
-    ports    = [22]
-  }
-  allow {
-    protocol = "udp"
-    ports    = [22]
-  }
-  allow {
-    protocol = "sctp"
-    ports    = [22]
-  }
-
-  log_config {
-    metadata = "INCLUDE_ALL_METADATA"
-  }
-
-  # Only allows connections using IAP
-  source_ranges = local.iap_ipv4_ranges
-  target_tags   = module.relays[0].target_tags
-}
-
 # Trigger an alert when there is at least one region without a healthy relay
 resource "google_monitoring_alert_policy" "connected_relays_count" {
   project = module.google-cloud-project.project.project_id