hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Allow `google_cloudbuild_worker_pool` to use Cloud NAT for egress to Public IPs #14374

Open dylan-tock opened 1 year ago

dylan-tock commented 1 year ago

Community Note

Description

The provider documentation for the google_cloudbuild_worker_pool resource says setting no_external_ip to true will prevent network egress to Public IPs. We have many VMs configured without Public IPs and they use Cloud NAT for egress.

It would be highly desirable from a security perspective to avoid Cloud Build hosts having external IP addresses and be able to specify an existing Cloud NAT for any egress.

New or Affected Resource(s)

Potential Terraform Configuration

resource "google_cloudbuild_worker_pool" "pool" {
  name     = "my-pool"
  location = "europe-west1"
  worker_config {
    disk_size_gb   = 100
    machine_type   = "e2-standard-4"
    no_external_ip = true
    # Proposed attribute (not in the provider today): point the pool at an
    # existing Cloud NAT for egress. Assumes a google_compute_router_nat
    # resource labelled "nat"; a resource reference needs that label.
    nat_gateway    = google_compute_router_nat.nat.name
  }
}

References

trodge commented 1 year ago

b/280101071

glanvl commented 1 year ago

You can configure a VM to work as a NAT with a static IP for Cloud Build worker pools. Hopefully that works to solve your problem for now, though I would also second that it would be good if I could use a standard Cloud NAT for this.

https://cloud.google.com/build/docs/private-pools/use-in-private-network#running_behind_a_nat

Access external resource from a static source IP address using Cloud Build
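The NAT-VM workaround referred to above, written out as an added Terraform example (not from the issue, the linked doc, or the provider's own tests): a forwarding VM with a static external IP, a default route through it, that route exported over the Service Networking peering, and a private pool with no_external_ip set. It assumes an existing VPC `google_compute_network.vpc` already connected to Service Networking for private pools, a firewall rule letting the reserved peering range reach the NAT VM, and the peering name Cloud Build uses; region, zone and image names are illustrative.

```hcl
# Added example, not from the issue or provider. Assumes an existing VPC
# google_compute_network.vpc already connected to Service Networking for private
# pools, and a firewall rule letting the reserved peering range reach the NAT VM.
resource "google_compute_address" "nat_egress" { # fixed egress IP to allow-list
  name   = "cloudbuild-nat-egress"
  region = "europe-west1"
}

resource "google_compute_instance" "nat" {
  name           = "cloudbuild-nat"
  zone           = "europe-west1-b"
  machine_type   = "e2-small"
  can_ip_forward = true # without this GCE drops forwarded packets
  boot_disk { initialize_params { image = "debian-cloud/debian-12" } }
  network_interface {
    network = google_compute_network.vpc.id
    access_config { nat_ip = google_compute_address.nat_egress.address }
  }
  # ens4 is the usual primary interface name on GCE Debian images (assumed)
  metadata_startup_script = <<-EOT
    apt-get update -qq && apt-get install -y -qq iptables
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
  EOT
}

# Send Internet-bound traffic in the VPC through the NAT VM ...
resource "google_compute_route" "via_nat" {
  name              = "cloudbuild-egress-via-nat"
  network           = google_compute_network.vpc.id
  dest_range        = "0.0.0.0/0"
  next_hop_instance = google_compute_instance.nat.self_link
  priority          = 800
}

# ... and export that custom route over the Service Networking peering so the
# worker VMs, which live in Google's producer VPC, pick it up.
resource "google_compute_network_peering_routes_config" "to_cloudbuild" {
  peering              = "servicenetworking-googleapis-com"
  network              = google_compute_network.vpc.name
  export_custom_routes = true
  import_custom_routes = false
}
resource "google_cloudbuild_worker_pool" "pool" {
  name     = "my-pool"
  location = "europe-west1"
  worker_config { no_external_ip = true } # workers get no public IP
  network_config { peered_network = google_compute_network.vpc.id }
}
```

Builds in the pool then leave through the NAT VM's static address only, which is the single source IP to allow-list on external services; the NAT VM itself is the remaining host with a public IP, so keep its firewall ingress closed.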