From 6b1deaf7fc1f43e1b43cab62856cc05e7e2dd8d9 Mon Sep 17 00:00:00 2001
From: Aiden Grossman <aidengrossman@google.com>
Date: Fri, 24 Oct 2025 01:33:01 +0000
Subject: [PATCH] =?UTF-8?q?[=F0=9D=98=80=F0=9D=97=BD=F0=9D=97=BF]=20change?=
 =?UTF-8?q?s=20to=20main=20this=20commit=20is=20based=20on?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Created using spr 1.3.6

[skip ci]
---
 premerge/gke_cluster/main.tf |  3 +++
 premerge/main.tf             | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/premerge/gke_cluster/main.tf b/premerge/gke_cluster/main.tf
index cc01357ea..5da235dc3 100644
--- a/premerge/gke_cluster/main.tf
+++ b/premerge/gke_cluster/main.tf
@@ -12,6 +12,7 @@ resource "google_container_cluster" "llvm_premerge" {
   # for adding windows nodes to the cluster.
   networking_mode = "VPC_NATIVE"
   ip_allocation_policy {}
+  disable_l4_lb_firewall_reconciliation = true
 
   # Set the workload identity config so that we can authenticate with Google
   # Cloud APIs using workload identity federation as described in
@@ -44,6 +45,8 @@ resource "google_container_node_pool" "llvm_premerge_linux_service" {
     workload_metadata_config {
       mode = "GKE_METADATA"
     }
+
+    tags = ["premerge-service"]
   }
 }
 
diff --git a/premerge/main.tf b/premerge/main.tf
index 7843e2b60..f9715fdac 100644
--- a/premerge/main.tf
+++ b/premerge/main.tf
@@ -41,6 +41,22 @@ resource "local_file" "terraform_state" {
   EOT
 }
 
+# Set up firewall rules that allow for access to the premerge advisor.
+data "google_compute_network" "default" {
+  name = "default"
+}
+
+resource "google_compute_firewall" "premerge_advisor_firewall" {
+  name    = "premerge-advisor-firewall"
+  network = data.google_compute_network.default.name
+  allow {
+    protocol = "tcp"
+    ports    = ["5000"]
+  }
+
+  source_tags = ["premerge-service"]
+}
+
 data "google_client_config" "current" {}
 
 locals {