2023-01-23: delete insecure firewall rules in the default VPC in gprd

Production Change

Change Summary

In https://gitlab.com/gitlab-com/gl-security/security-operations/infrastructure-security/bau/-/issues/238 we've identified that https://console.cloud.google.com/networking/firewalls/details/default-allow-ssh?project=gitlab-production is an insecure firewall rule. Luckily we don't have anything attached to it so we can delete it to prevent mistakes.

We did this in pre and gstg in #8260 (closed). Noticed that in pre and gstg we deleted the VPC as well but this wasn't a good idea because it resulted in terraform state drift, which we'll be fixing with https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/merge_requests/4844

Change Details

1. Services Impacted - ServiceGCP
2. Change Technician - @steveazz
3. Change Reviewer - @ahmadsherif
4. Time tracking - 30
5. Downtime Component - none

Detailed steps for the change

Change Steps - steps to take to execute the change

Estimated Time to Complete (mins) - Estimated Time to Complete in Minutes

• Set label changein-progress /label ~change::in-progress
• Take a screen of the firewall rules
• Validate no VM are running in the default VPC: gcloud --project='gitlab-production' compute instances list --filter='networkInterfaces.network:default'
• Validate no VPC peering exists: gcloud --project='gitlab-production' compute networks peerings list --network=default
• Delete all the firewall rules for the default VPC: gcloud --project='gitlab-production' compute firewall-rules list --filter="network:default" --format="value(name)" | parallel gcloud --project='gitlab-production' compute firewall-rules delete --quite {}
• Validate that the firewall rules don't exist anymore: gcloud --project='gitlab-production' compute firewall-rules list --filter='network:default'
• Validate that there is no state drift in config-mgmt for environments/gprd: ../../tf plan
• Set label changecomplete /label ~change::complete

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - 15

• Create the firewall rules

  gcloud compute firewall-rules create cpallares-qa-tunnel-allow-ingress-from-iap --allow tcp:22 --network default --source-ranges 35.235.240.0/20 --project=gitlab-production
  gcloud compute firewall-rules create default-allow-http --allow tcp:80 --network default --source-ranges 0.0.0.0/0 --target-tags=http-server --project=gitlab-production
  gcloud compute firewall-rules create default-allow-https --allow tcp:443 --network default --source-ranges 0.0.0.0/0 --target-tags=https-server --project=gitlab-production
  gcloud compute firewall-rules create default-allow-icmp --allow icmp --network default --source-ranges 0.0.0.0/0 --priority=65534 --project=gitlab-production
  gcloud compute firewall-rules create default-allow-internal --allow tcp,udp,icmp --network default --source-ranges 10.128.0.0/9 --priority=65534 --project=gitlab-production
  gcloud compute firewall-rules create default-allow-rdp --allow tcp:3389 --network default --source-ranges 0.0.0.0/0 --priority=65534 --project=gitlab-production
  gcloud compute firewall-rules create default-allow-ssh --allow tcp:22 --network default --source-ranges 0.0.0.0/0 --priority=65534 --project=gitlab-production

• Set label changeaborted /label ~change::aborted

Monitoring

Key metrics to observe

None of these resources are used.

Change Reviewer checklist

C4 C3 C2 C1:

• Check if the following applies:
  • The scheduled day and time of execution of the change is appropriate.
  • The change plan is technically accurate.
  • The change plan includes estimated timing values based on previous testing.
  • The change plan includes a viable rollback plan.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

• Check if the following applies:
  • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
  • The change plan includes success measures for all steps/milestones during the execution.
  • The change adequately minimizes risk within the environment/service.
  • The performance implications of executing the change are well-understood and documented.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
    • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
  • The change has a primary and secondary SRE with knowledge of the details available during the change window.
  • The labels blocks deployments and/or blocks feature-flags are applied as necessary

Change Technician checklist

• Check if all items below are complete:
  • The change plan is technically accurate.
  • This Change Issue is linked to the appropriate Issue and/or Epic
  • Change has been tested in staging and results noted in a comment on this issue.
  • A dry-run has been conducted and results noted in a comment on this issue.
  • The change execution window respects the Production Change Lock periods.
  • For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
  • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
  • For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
  • For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue.
  • Release managers have been informed (If needed! Cases include DB change) prior to change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
  • There are currently no active incidents that are severity1 or severity2
  • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.