Merge pull request #28 from gitpod-io/nv/firewall-flow-logging

nandajavarma · web-flow · commit d6d818e197c9 · 2026-05-07T16:41:19.000+02:00
feat: add flow logging to security-critical firewall rules (A17)
diff --git a/firewall.tf b/firewall.tf
@@ -99,6 +99,10 @@ resource "google_compute_firewall" "deny_environments_to_services" {
   target_tags = ["gitpod-runner", "gitpod-proxy"]
   priority    = 1000 # Higher priority than allow rules
 
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+
   # depends on proxy vm
   depends_on = [google_compute_backend_service.proxy]
 }
@@ -119,6 +123,10 @@ resource "google_compute_firewall" "allow_iap_to_environments" {
   source_ranges = ["35.235.240.0/20"]
   target_tags   = ["gitpod-type-environment"]
 
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+
   # depends on proxy vm
   depends_on = [google_compute_backend_service.proxy]
 }
@@ -164,6 +172,10 @@ resource "google_compute_firewall" "deny_email_from_environments" {
   destination_ranges = ["0.0.0.0/0"]
   target_tags        = ["gitpod-type-environment"]
 
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+
   # depends on proxy vm
   depends_on = [google_compute_backend_service.proxy]
 }
@@ -430,6 +442,10 @@ resource "google_compute_firewall" "deny_proxy_to_environments_ssh_egress" {
 
   destination_ranges = [data.google_compute_subnetwork.runner_subnet.ip_cidr_range]
   target_tags        = ["gitpod-proxy"]
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
 }
 
 # Allow proxy egress to environments on application ports only
@@ -511,4 +527,8 @@ resource "google_compute_firewall" "allow_environments_internet_egress" {
 
   destination_ranges = ["0.0.0.0/0"]
   target_tags        = ["gitpod-type-environment"]
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
 }
