service_perimeter.tf defines a list of 6 services to restrict, with the option for the user to add more via additional_restricted_services. This contradicts Google's recommended best practices for VPC Service Controls.
From Best practices for VPC Service Controls for enterprises:
We recommend that you enable all protected services when you create a perimeter, which helps to reduce complexity and exfiltration vectors. There is no reason to protect one API and not all others,
Stated more explicitly, a VPC SC perimeter that protects only a few services does not prevent data exfiltration, because an insider could use any unprotected GCP service to copy data read by Cloud Run out to other services.
Please update the module to include all services supported by VPCSC by default.
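To make the gap concrete, here is an added audit check (not code from the module or from this issue) that reads a perimeter in the JSON shape returned by the Access Context Manager API (the same shape `gcloud access-context-manager perimeters describe --format=json` prints) and lists every VPC SC-supported service the perimeter leaves unrestricted. The supported-services list and the sample perimeter are constructed for the example; the six services in the sample are illustrative and are not the module's actual default list.

```python
"""Audit a VPC Service Controls perimeter for partial service coverage.

Added example, not part of the module or the issue. Every supported
service that is not in restrictedServices is a path out of the perimeter,
which is why a partial list does not stop exfiltration.
"""
import json

# Constructed subset of services that VPC SC can restrict. The authoritative
# list is published by Google and grows over time, so a production check
# should load it from a maintained source instead of hard-coding it.
VPCSC_SUPPORTED_SERVICES = frozenset({
    "artifactregistry.googleapis.com",
    "bigquery.googleapis.com",
    "bigtable.googleapis.com",
    "cloudfunctions.googleapis.com",
    "cloudkms.googleapis.com",
    "compute.googleapis.com",
    "container.googleapis.com",
    "dataflow.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "pubsub.googleapis.com",
    "run.googleapis.com",
    "secretmanager.googleapis.com",
    "spanner.googleapis.com",
    "sqladmin.googleapis.com",
    "storage.googleapis.com",
})

# Constructed sample perimeter: six restricted services, modelled on a module
# default of a handful of services plus whatever the user adds.
SAMPLE_PERIMETER_JSON = json.dumps({
    "name": "accessPolicies/000000000000/servicePerimeters/cloud_run_perimeter",
    "title": "cloud_run_perimeter",
    "perimeterType": "PERIMETER_TYPE_REGULAR",
    "status": {
        "resources": ["projects/000000000000"],
        "restrictedServices": [
            "run.googleapis.com",
            "storage.googleapis.com",
            "secretmanager.googleapis.com",
            "artifactregistry.googleapis.com",
            "logging.googleapis.com",
            "monitoring.googleapis.com",
        ],
    },
})


def restricted_services(perimeter: dict) -> set:
    """Services the perimeter enforces. The enforced config lives under
    'status'; 'spec' holds a dry-run config and is used only as a fallback."""
    block = perimeter.get("status") or perimeter.get("spec") or {}
    return set(block.get("restrictedServices", []))


def unprotected_services(perimeter: dict, supported=VPCSC_SUPPORTED_SERVICES) -> list:
    """Supported services this perimeter does not restrict, i.e. open egress paths."""
    return sorted(set(supported) - restricted_services(perimeter))


def audit(perimeter_json: str, supported=VPCSC_SUPPORTED_SERVICES) -> dict:
    """Parse a perimeter JSON document and summarise its coverage."""
    perimeter = json.loads(perimeter_json)
    missing = unprotected_services(perimeter, supported)
    return {
        "name": perimeter.get("name", ""),
        "restricted": sorted(restricted_services(perimeter)),
        "unprotected": missing,
        "fully_protected": not missing,
    }


if __name__ == "__main__":
    # Pipe real output in with:
    #   gcloud access-context-manager perimeters describe NAME --policy=POLICY --format=json
    print(json.dumps(audit(SAMPLE_PERIMETER_JSON), indent=2))
```

Run against the sample, the report shows ten unprotected services (BigQuery, Pub/Sub, Cloud SQL and so on), each of which a principal inside the perimeter could still use to move data that Cloud Run has read. The same check returns `fully_protected: true` only when every supported service is restricted, which is what the module default should produce.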