Skip to content

Commit c3d358a

Browse files
nandajavarmaona-agent
nandajavarma
and
ona-agent
committed
feat: add flow logging to security-critical firewall rules
Add log_config with INCLUDE_ALL_METADATA to: - deny_environments_to_services (env→runner/proxy deny) - allow_iap_to_environments (IAP SSH access) - deny_email_from_environments (outbound email block) - deny_proxy_to_environments_ssh_egress (proxy→env SSH deny) - allow_environments_internet_egress (env internet access) Enables incident response visibility on security-relevant traffic. Co-authored-by: Ona <no-reply@ona.com>
1 parent 59066c3 commit c3d358a

1 file changed

Lines changed: 20 additions & 0 deletions

File tree

firewall.tf

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,10 @@ resource "google_compute_firewall" "deny_environments_to_services" {
9999
target_tags = ["gitpod-runner", "gitpod-proxy"]
100100
priority = 1000 # Higher priority than allow rules
101101

102+
log_config {
103+
metadata = "INCLUDE_ALL_METADATA"
104+
}
105+
102106
# depends on proxy vm
103107
depends_on = [google_compute_backend_service.proxy]
104108
}
@@ -119,6 +123,10 @@ resource "google_compute_firewall" "allow_iap_to_environments" {
119123
source_ranges = ["35.235.240.0/20"]
120124
target_tags = ["gitpod-type-environment"]
121125

126+
log_config {
127+
metadata = "INCLUDE_ALL_METADATA"
128+
}
129+
122130
# depends on proxy vm
123131
depends_on = [google_compute_backend_service.proxy]
124132
}
@@ -164,6 +172,10 @@ resource "google_compute_firewall" "deny_email_from_environments" {
164172
destination_ranges = ["0.0.0.0/0"]
165173
target_tags = ["gitpod-type-environment"]
166174

175+
log_config {
176+
metadata = "INCLUDE_ALL_METADATA"
177+
}
178+
167179
# depends on proxy vm
168180
depends_on = [google_compute_backend_service.proxy]
169181
}
@@ -393,6 +405,10 @@ resource "google_compute_firewall" "deny_proxy_to_environments_ssh_egress" {
393405

394406
destination_ranges = [data.google_compute_subnetwork.runner_subnet.ip_cidr_range]
395407
target_tags = ["gitpod-proxy"]
408+
409+
log_config {
410+
metadata = "INCLUDE_ALL_METADATA"
411+
}
396412
}
397413

398414
# Allow proxy egress to environments on application ports only
@@ -474,4 +490,8 @@ resource "google_compute_firewall" "allow_environments_internet_egress" {
474490

475491
destination_ranges = ["0.0.0.0/0"]
476492
target_tags = ["gitpod-type-environment"]
493+
494+
log_config {
495+
metadata = "INCLUDE_ALL_METADATA"
496+
}
477497
}

0 commit comments

Comments
 (0)