I am trying to allow gcloud ssh or use SSH from the console, but it seems like even when I allow SSH on my VPC it's not working, and I have to allow all on the internal network. Any idea why?
Allow SSH:

# Create firewall rule for allow ssh
resource "google_compute_firewall" "allow_all" {
  name    = "allow-ssh"
  network = google_compute_network.vpc_network.name
  allow {
    protocol = "22"
  }
  source_ranges = var.allow_ssh_source_ranges
}
Allow all:

resource "google_compute_firewall" "allow-internal" {
  name    = "default-allow-internal-1"
  network = google_compute_network.vpc_network.name # Replace 'default' with your network if different
  allow {
    protocol = "all"
  }
  source_ranges = var.allow_ssh_source_ranges
}
Any idea why?
Hi, if you want to SSH to your VM which doesn't have an external IP through the SSH console, you have to use IAP; you can read the doc https://cloud.google.com/iap/docs/using-tcp-forwarding
For your Terraform you should add the source IP used by IAP (just see the doc).
You can put the IAP source IP "35.235.240.0/20" in your Terraform source IP variable.
Hello @gcp888, welcome to the Google Cloud Community.
I'm creating the FW via Terraform in this way:
resource "google_compute_firewall" "iap_ssh_allow" {
  name      = "allow-iap-ssh"
  network   = google_compute_network.vpc_network.name
  direction = "INGRESS"
  project   = google_project.project.project_id
  disabled  = false
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["allow-iap-ssh"]
}
@gcp888 wrote:

  # Create firewall rule for allow ssh
  resource "google_compute_firewall" "allow_all" {
    name    = "allow-ssh"
    network = google_compute_network.vpc_network.name
    allow {
      protocol = "22"
    }
    source_ranges = var.allow_ssh_source_ranges
  }

I believe that you've missed the "DIRECTION" parameter.
--
cheers,
DamianS
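A complete Terraform layout for IAP-based SSH to a VM with no external IP, added here as an example (it is not code from either reply above): it shows the corrected rule both replies point to, why the original `protocol = "22"` rule does not do what was intended, and the instance and IAM pieces the thread only alludes to. The instance name, zone variable, subnetwork resource and user principal are assumptions.

```hcl
# Why the questioner's rule did not work: protocol = "22" is accepted by the
# API, but as IP protocol *number* 22 (XNS IDP), not as TCP port 22.
# Corrected rule: TCP port 22, ingress, only from the IAP TCP-forwarding
# source range, and only to instances carrying the tag. With this in place
# the broad "allow all" internal rule is no longer needed for SSH.
resource "google_compute_firewall" "allow_iap_ssh" {
  name      = "allow-iap-ssh"
  network   = google_compute_network.vpc_network.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["35.235.240.0/20"] # IAP TCP forwarding range (see linked doc)
  target_tags   = ["allow-iap-ssh"]
}

# VM without an external IP: no access_config block in network_interface,
# so the only SSH path is the IAP tunnel matched by the rule above.
resource "google_compute_instance" "vm" {
  name         = "iap-ssh-vm"      # assumed name
  machine_type = "e2-micro"
  zone         = var.zone          # assumed variable
  tags         = ["allow-iap-ssh"] # must match target_tags above

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.subnet.name # assumed subnet resource
    # no access_config => no external IP
  }
}

# The firewall rule alone is not enough: the caller also needs permission to
# open the IAP tunnel to this instance (assumed principal).
resource "google_iap_tunnel_instance_iam_member" "tunnel_user" {
  zone     = google_compute_instance.vm.zone
  instance = google_compute_instance.vm.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "user:alice@example.com"
}

# Connect with: gcloud compute ssh iap-ssh-vm --zone "$ZONE" --tunnel-through-iap
```

Because the rule is restricted to the IAP range and a target tag, port 22 is never exposed to the internet or to the whole internal network, which is the least-privilege alternative to the "allow all" workaround in the question.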