From 5ef4867243f6311178bd9ab4b13f8184ae79efd4 Mon Sep 17 00:00:00 2001
From: Andrew Erickson
Date: Wed, 3 May 2023 19:58:32 -0700
Subject: [PATCH 1/3] add two rules
---
 .../translations_sandbox_gce_firewall.tf | 90 +++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
diff --git a/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf b/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
new file mode 100644
index 00000000..315dc26d
--- /dev/null
+++ b/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
@@ -0,0 +1,90 @@
+# terraform reference
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network
+
+# TODO: not possible to remove default rules... really should make new non-default network and use it for instances...
+
+# not needed, just use "default"
+# resource "google_compute_network" "default" {
+# name = "default"
+# project = "translations-sandbox"
+# }
+
+# TODO: replicate l1's rules
+# see https://console.cloud.google.com/networking/firewalls/list?project=fxci-production-level1-workers&supportedpurview=project
+
+resource "google_compute_firewall" "allow-livelog" {
+ name = "default-allow-livelog"
+ network = "default"
+ description = "TF_MANAGED, Allow livelog connections (https://bugzilla.mozilla.org/show_bug.cgi?id=1607241)"
+
+ allow {
+ protocol = "tcp"
+ ports = ["32768-65535"]
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+ priority = 1000
+}
+
+
+# {
+# "allowed": [
+# {
+# "IPProtocol": "tcp",
+# "ports": [
+# "0-65535"
+# ]
+# },
+# {
+# "IPProtocol": "udp",
+# "ports": [
+# "0-65535"
+# ]
+# },
+# {
+# "IPProtocol": "icmp"
+# }
+# ],
+# "creationTimestamp": "2019-10-13T22:52:00.375-07:00",
+# "description": "Allow internal traffic on the default network",
+# "direction": "INGRESS",
+# "disabled": false,
+# "enableLogging": false,
+# "id": "3319068565822878703",
+# "kind": "compute#firewall",
+# "logConfig": {
+# "enable": false
+# },
+# "name": "default-allow-internal",
+# "network": "projects/fxci-production-level1-workers/global/networks/default",
+# "priority": 65534,
+# "selfLink": "projects/fxci-production-level1-workers/global/firewalls/default-allow-internal",
+# "sourceRanges": [
+# "10.128.0.0/9"
+# ]
+# }
+
+resource "google_compute_firewall" "allow-all-from-vpn" {
+ name = "default-allow-all-from-vpn"
+ network = "default"
+ description = "TF_MANAGED"
+
+ allow {
+ protocol = "tcp"
+ ports = ["0-65535"]
+ }
+
+ allow {
+ protocol = "udp"
+ ports = ["0-65535"]
+ }
+
+ # from ../vault/lb.tf
+ source_ranges = [
+ "10.48.240.0/23", # MDC1 VPN prod udp
+ "10.48.242.0/23", # MDC1 VPN prod tcp
+ "10.64.0.0/16", # Ber3 VPN and future vpn space
+ ]
+ priority = 2000
+}
From bf7360cf23f6b2bdd6124226c06959e0faa92ad3 Mon Sep 17 00:00:00 2001
From: Andrew Erickson
Date: Wed, 3 May 2023 20:48:23 -0700
Subject: [PATCH 2/3] fixes, add ssh rule
---
 .../translations_sandbox_gce_firewall.tf | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf b/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
index 315dc26d..06338e4d 100644
--- a/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
+++ b/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
@@ -80,6 +80,10 @@ resource "google_compute_firewall" "allow-all-from-vpn" {
 ports = ["0-65535"]
 }
 
+ allow {
+ protocol = "icmp"
+ }
+
 # from ../vault/lb.tf
 source_ranges = [
 "10.48.240.0/23", # MDC1 VPN prod udp
@@ -88,3 +92,25 @@ resource "google_compute_firewall" "allow-all-from-vpn" {
 ]
 priority = 2000
 }
+
+# temporary, allow ssh from 0.0.0.0/0
+# - TODO: figure out how to get traffic to transit via OpenVPN
+# nc -vz 34.134.254.175 22
+# // works
+#
+# nc -b utun10 -vz 34.134.254.175 22
+# // fails
+
+resource "google_compute_firewall" "allow-ssh-from-all" {
+ name = "default-allow-ssh-from-all"
+ network = "default"
+ description = "TF_MANAGED"
+
+ allow {
+ protocol = "tcp"
+ ports = ["22"]
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+ priority = 3000
+}
From 16e4ac5f315f5c6744bd465720ee3209f72a3f87 Mon Sep 17 00:00:00 2001
From: Andrew Erickson
Date: Wed, 17 May 2023 14:56:04 -0400
Subject: [PATCH 3/3] only manage my personal fw rule for now
---
 .../translations_sandbox_gce_firewall.tf | 23 +++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
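Review bot: Neither `allow-livelog` nor `allow-all-from-vpn` sets `target_tags` or `target_service_accounts`, so both rules apply to every instance on the `default` network; in particular `allow-livelog` opens tcp 32768-65535 from `0.0.0.0/0` to all of them, not only the workers that serve livelog. Scoping each rule with `target_tags = ["<worker-tag>"]` (placeholder for the tag the worker instances carry) limits the exposure to the instances that need it. Firewall logging is off by default, so adding `log_config { metadata = "INCLUDE_ALL_METADATA" }` to the `0.0.0.0/0` rule would give the team visibility into what actually connects on that port range. The long commented-out JSON dump of `default-allow-internal` from the level1 project is reference material rather than configuration; the rule name plus the console link already given above it would keep the file readable.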
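Review bot: `allow-ssh-from-all` admits tcp/22 from `0.0.0.0/0` to every instance on the `default` network (no `target_tags`), and the only lifetime control on it is the word "temporary" in the comment above the resource. If the instances are reached only by operators, the source can be narrowed to the VPN ranges already declared in `allow-all-from-vpn` or to the IAP TCP-forwarding range `35.235.240.0/20` instead of the whole Internet, which would also make the OpenVPN routing workaround the TODO describes unnecessary. If GCP's pre-created `default-allow-ssh` rule is still present on this network (the TODO at the top of the file suggests the default rules were not removed), this rule duplicates exposure that already exists and any cleanup should cover both. The comment block also records a specific instance's public address and the `nc` checks against it; a one-line summary such as `# temporary: ssh from anywhere until VPN/IAP path works; tracked in <ticket placeholder>` carries the intent without the stale operational detail.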
diff --git a/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf b/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
index 06338e4d..017a4c8c 100644
--- a/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
+++ b/terraform/gcp-translations-sandbox/translations_sandbox_gce_firewall.tf
@@ -101,8 +101,23 @@ resource "google_compute_firewall" "allow-all-from-vpn" {
 # nc -b utun10 -vz 34.134.254.175 22
 # // fails
 
-resource "google_compute_firewall" "allow-ssh-from-all" {
- name = "default-allow-ssh-from-all"
+# resource "google_compute_firewall" "allow-ssh-from-all" {
+# name = "default-allow-ssh-from-all"
+# network = "default"
+# description = "TF_MANAGED"
+
+# allow {
+# protocol = "tcp"
+# ports = ["22"]
+# }
+
+# source_ranges = ["0.0.0.0/0"]
+# priority = 3000
+# }
+
+# aerickson
+resource "google_compute_firewall" "allow-ssh-from-aerickson-home" {
+ name = "default-ssh-from-aerickson-home"
 network = "default"
 description = "TF_MANAGED"
 
@@ -111,6 +126,6 @@ resource "google_compute_firewall" "allow-ssh-from-all" {
 ports = ["22"]
 }
 
- source_ranges = ["0.0.0.0/0"]
- priority = 3000
+ source_ranges = ["136.25.89.230/32"]
+ priority = 4000
 }
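Review bot: Commenting out `allow-ssh-from-all` rather than deleting it leaves a dead copy of the resource that git history already preserves, and if patch 2 was ever applied the rule is still in Terraform state, so the next `terraform apply` will plan its destruction — presumably what the subject line intends, but if the rule is meant to stay and simply be unmanaged, `terraform state rm` is the step that achieves that, not a comment. The replacement `allow-ssh-from-aerickson-home` (its `source_ranges` change is in the second hunk) ties a shared sandbox's firewall configuration to one person's home address, which will drift whenever that address changes and, with no `target_tags`, still exposes port 22 on every instance in the `default` network; an IAP TCP-forwarding or VPN-sourced rule would avoid both problems. The bare `# aerickson` label would read better as `# personal access rule for aerickson; remove once VPN/IAP access to the instances works`.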