
Adjust GCP External Firewall rule condition

Grant Young requested to merge gy-adjust-gcp-external-ssh-rule-condition into main

What does this MR do?

This MR adjusts the Terraform GCP External Firewall Rules for scenarios where no public IPs are assigned via setup_external_ips. Firewall rules for HTTP, SSH, GitLab SSH and ICMP access can now be created when either Public IPs are created or the user specifically passes a CIDR range:

  • gitlab_http_https - Created when either HAProxy External or Monitor nodes are present AND either setup_external_ips is true or http_allowed_ingress_cidr_blocks has been set.
  • gitlab_ssh - Created when HAProxy External is present AND either setup_external_ips is true or ssh_allowed_ingress_cidr_blocks has been set.
  • ssh - Created when setup_external_ips is true or external_ssh_allowed_ingress_cidr_blocks has been set.
  • icmp - Created when setup_external_ips is true or external_ssh_allowed_ingress_cidr_blocks has been set.

This is needed for use cases such as Identity Aware Proxy, which, while internal, still requires firewall ports to be opened. It also prevents dead firewall rules from being created needlessly.
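The conditions listed above, written out as an added Terraform illustration. This is not the GitLab Environment Toolkit's own code: the variable names (setup_external_ips, the *_allowed_ingress_cidr_blocks lists) and rule names come from the MR description, while the node-count variable, the network name, the target tags and the fallback source range are assumptions made for the example.

```hcl
# Added example, not GET's own module code. Variable names follow the MR
# description; everything else (node count, network, tags) is assumed.

variable "setup_external_ips" {
  description = "Whether public IPs are assigned to the nodes."
  type        = bool
  default     = false
}

variable "ssh_allowed_ingress_cidr_blocks" {
  description = "CIDRs allowed to reach GitLab SSH on HAProxy External."
  type        = list(string)
  default     = []
}

variable "external_ssh_allowed_ingress_cidr_blocks" {
  description = "CIDRs allowed to reach node SSH / ICMP (e.g. an IAP range)."
  type        = list(string)
  default     = []
}

# Assumed input: number of HAProxy External nodes in the environment.
variable "haproxy_external_node_count" {
  type    = number
  default = 0
}

locals {
  # A rule is wanted when public IPs exist OR the user explicitly opened a
  # range; with neither, the rule would be dead and is not created at all.
  cidr_or_public_ssh          = var.setup_external_ips || length(var.external_ssh_allowed_ingress_cidr_blocks) > 0
  cidr_or_public_gitlab_ssh   = var.setup_external_ips || length(var.ssh_allowed_ingress_cidr_blocks) > 0

  create_ssh_rule        = local.cidr_or_public_ssh
  create_icmp_rule       = local.cidr_or_public_ssh
  create_gitlab_ssh_rule = var.haproxy_external_node_count > 0 && local.cidr_or_public_gitlab_ssh

  # Assumed fallback when only public IPs were requested and no CIDR list was
  # given; in a real deployment narrow this to the ranges that actually need access.
  ssh_source_ranges = length(var.external_ssh_allowed_ingress_cidr_blocks) > 0 ? var.external_ssh_allowed_ingress_cidr_blocks : ["0.0.0.0/0"]
  gitlab_ssh_source_ranges = length(var.ssh_allowed_ingress_cidr_blocks) > 0 ? var.ssh_allowed_ingress_cidr_blocks : ["0.0.0.0/0"]
}

# Node SSH: created only when the condition holds (count = 0 otherwise).
resource "google_compute_firewall" "ssh" {
  count   = local.create_ssh_rule ? 1 : 0
  name    = "example-ssh"       # assumed name
  network = "example-network"   # assumed network

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = local.ssh_source_ranges
  target_tags   = ["example-gitlab-node"] # assumed tag
}

# ICMP shares the node-SSH condition, as in the MR description.
resource "google_compute_firewall" "icmp" {
  count   = local.create_icmp_rule ? 1 : 0
  name    = "example-icmp"
  network = "example-network"

  allow {
    protocol = "icmp"
  }

  source_ranges = local.ssh_source_ranges
  target_tags   = ["example-gitlab-node"]
}

# GitLab SSH additionally requires an HAProxy External node to exist.
resource "google_compute_firewall" "gitlab_ssh" {
  count   = local.create_gitlab_ssh_rule ? 1 : 0
  name    = "example-gitlab-ssh"
  network = "example-network"

  allow {
    protocol = "tcp"
    ports    = ["2222"] # assumed GitLab SSH port on HAProxy External
  }

  source_ranges = local.gitlab_ssh_source_ranges
  target_tags   = ["example-haproxy-external"]
}
```

With `setup_external_ips = false` and an empty CIDR list, `terraform plan` shows no firewall resources at all; setting only `external_ssh_allowed_ingress_cidr_blocks` (for Identity-Aware Proxy TCP forwarding that is Google's documented `35.235.240.0/20` range) creates the `ssh` and `icmp` rules without any public IP, which is the case this MR enables. Because the resources use `count`, check the plan on an existing environment for destroy/recreate of the rule addresses (`[0]` suffix) before applying, as the Terraform item in the checklist below asks.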

Related issues

Closes #829

Relates #830

Author's checklist

When ready for review, the Author applies the workflow::ready for review label and mentions @gl-quality/get-maintainers:

  • Merge request:
    • Corresponding Issue raised and reviewed by the GET maintainers team.
    • Merge Request Title and Description are up-to-date, accurate, and descriptive
    • MR targeting the appropriate branch
    • MR has a green pipeline
    • MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
  • Code:
    • Check the area changed works as expected. Consider testing it in different environment sizes (1k,3k,10k,etc.).
    • Documentation created/updated in the same MR.
    • If this MR adds an optional configuration - check that all permutations continue to work.
    • For Terraform changes: set up a previous version environment, then run a terraform plan with your new changes and ensure nothing will be destroyed. If anything will be destroyed and this can't be avoided please add a comment to the current MR.
  • Create any follow-up issue(s) to support the new feature across other supported cloud providers or advanced configurations. Create 1 issue for each provider/configuration. Contact the Quality Enablement team if unsure.
Edited by Grant Young
