Implement IP Filtering for GitLab test instances created in SandboxCloud GCP Existing Terraform Templates
Summary
GitLab team members, especially support engineers, need to be able to test specific versions or configurations of GitLab that may be vulnerable to remote compromise. The red team has discovered that these vulnerable instances have sometimes been exploited for various purposes. The purpose of this issue is to automatically harden cloud-based test instances created from the available Terraform templates in SandboxCloud GCP, in line with the advice given in the handbook.
Related Issues
- https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4072
- https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4097
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-internal/red-team-operations/-/issues/259
Scope of Work
The initial scope of work should follow the suggestions discussed in this issue for "option 1" as a first iteration:
Within the HackyStack source code, we would need to add the following:
- Add a known IP addresses array to the `auth_users` table.
- Use the `X-Forwarded-For` HTTP header to get the IP address of the team member upon sign in, and check if it already exists in the array or append it: `{ "1.2.3.4", "5.6.7.8" }`
- Add a calculation method to convert the array of IPs to CIDR notation in a Terraform list formatted array: `[ "1.2.3.4/32", "5.6.7.8/32" ]`
- Add the `TF_VAR_authorized_networks` variable to the environment template array of variables that are pushed. This is added to each template separately so we have flexibility on where it's used.
- Add a UI button and backend method for pushing updated CI variables to the environment from GitLab Sandbox Cloud. This is currently a one time push upon creation.
- We could add a UI for customizing allowed IP ranges, but it would be a global setting without a lot more work, so I'd rather let the user customize the CI variable in the specific project with the additional CIDR range they need at the time they need it.
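The sign-in and CIDR steps above, worked through as an added example; this is not HackyStack's own code, it is written in Ruby to match a Rails-style backend. It assumes a single trusted load balancer in front of the app that appends exactly one entry to `X-Forwarded-For` (`TRUSTED_HOPS`, an assumption), models the `auth_users` column as an array of strings, and uses constructed addresses throughout. The point the bullet list does not spell out is that `X-Forwarded-For` is client-supplied: only the entry appended by a proxy you control should ever end up in a firewall rule, and anything that is not a literal IP address must be dropped rather than stored.

```ruby
require "ipaddr"

# Added example, not HackyStack code. Assumption: one trusted load balancer
# sits in front of the app and appends exactly one entry to X-Forwarded-For.
TRUSTED_HOPS = 1

# Strict parse: anything that is not a literal IPv4/IPv6 host address becomes
# nil instead of ending up in a firewall rule. CIDR input is rejected as well,
# because IPAddr would silently turn "1.2.3.4/24" into the network address.
def parse_ip(str)
  return nil if str.nil? || str.include?("/")
  IPAddr.new(str).to_s
rescue IPAddr::InvalidAddressError, ArgumentError
  nil
end

# Return the client address as seen by our trusted proxy, or nil.
# X-Forwarded-For reads "client-supplied, ..., appended-by-trusted-proxy".
# Every entry to the left of the trusted proxies' own entries is whatever the
# client chose to send, so only the entry appended by the outermost trusted
# hop is read; with one trusted hop that is the last element.
def client_ip_from_xff(header, trusted_hops: TRUSTED_HOPS)
  return nil if header.nil?
  hops = header.split(",").map(&:strip).reject(&:empty?)
  return nil if hops.length < trusted_hops
  parse_ip(hops[-trusted_hops])
end

# Append a newly seen address only if it is absent, preserving order so the
# generated Terraform list stays stable between sign-ins.
def record_known_ip(known_ips, ip)
  return known_ips if ip.nil? || known_ips.include?(ip)
  known_ips + [ip]
end

# One address -> one host route: /32 for IPv4, /128 for IPv6.
def to_cidr(ip_string)
  addr = IPAddr.new(ip_string)
  "#{addr}/#{addr.ipv6? ? 128 : 32}"
end

# Render the array in the Terraform list syntax shown in the issue, ready to
# be pushed as the TF_VAR_authorized_networks CI variable.
def authorized_networks_tfvar(known_ips)
  return "[]" if known_ips.empty?
  entries = known_ips.map { |ip| %("#{to_cidr(ip)}") }
  "[ #{entries.join(', ')} ]"
end

# Full sign-in flow: read the header, update the list, render the variable.
def sign_in(known_ips, xff_header)
  updated = record_known_ip(known_ips, client_ip_from_xff(xff_header))
  [updated, authorized_networks_tfvar(updated)]
end

if __FILE__ == $PROGRAM_NAME
  known = ["1.2.3.4"]
  # Constructed header: the first entry was sent by the client itself, the
  # last one was appended by our load balancer and is the one we trust.
  known, tfvar = sign_in(known, "198.51.100.9, 5.6.7.8")
  puts tfvar
end
```

The rendered string is what the "push updated CI variables" step would write into `TF_VAR_authorized_networks`; on the template side it arrives as `var.authorized_networks` and can be handed to any resource that takes a list of CIDR ranges, for example the `source_ranges` of a GCP firewall rule. If more than one trusted proxy is chained in front of the app, raise `TRUSTED_HOPS` to match; reading the first entry instead would let anyone allow-list an arbitrary address simply by setting the header.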
Within the Terraform environment template repository, we would need to add the following:
- Add a new variable to `variables.tf` named `authorized_networks` or similar.
When using any Terraform resource or module, you would simply:
- Add `var.authorized_networks` to supply the array of IPs that are allowed.
Any changelog notes should be added to the merge request description.
cc @gitlab-com/gl-security/threatmanagement/redteam/redteam-internal, @lyle, @greg
Closes https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4097