terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

Deployment of access levels and service control perimeter should be optional and "allowed services" parameterizable #1185

Closed mromascanu123 closed 3 months ago

mromascanu123 commented 4 months ago

TL;DR

In module 3-networks-hub-and-spoke/modules/restricted_shared_vpc (and the same in 3-networks-dual-svpc/modules/restricted_shared_vpc) there is no option to conditionally enable the deployment of SCP and access levels. Moreover: why hardcode vpc_accessible_services = ["RESTRICTED-SERVICES"]? Shouldn't it be configurable? The default is "*".

Terraform Resources

https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google/latest/submodules/regular_service_perimeter?tab=inputs

Detailed design

Add an enablement variable

Additional information

No response
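One way to give the perimeter the enablement variable this issue asks for while keeping the RESTRICTED-SERVICES alignment that the maintainer's reply below explains. This is an added example, not code from terraform-example-foundation; it calls the google provider resource directly instead of the CFT regular_service_perimeter submodule, and every variable name is a hypothetical placeholder.

```hcl
# Hypothetical variable names; they are not the foundation module's own.
variable "enable_vpc_sc" {
  description = "Deploy the perimeter at all (the toggle the issue asks for)."
  type        = bool
  default     = false
}

variable "restricted_services" {
  description = "APIs whose traffic may not cross the perimeter boundary."
  type        = list(string)
  default     = ["storage.googleapis.com", "bigquery.googleapis.com"]
}

variable "vpc_accessible_services" {
  description = "API endpoints reachable from VPCs inside the perimeter."
  type        = list(string)
  # Alias for "every service in restricted_services", so the two lists stay aligned.
  default = ["RESTRICTED-SERVICES"]
  validation {
    condition     = !contains(var.vpc_accessible_services, "*")
    error_message = "\"*\" lets VPCs inside the perimeter reach every Google API endpoint; use RESTRICTED-SERVICES or an explicit list."
  }
}

variable "access_policy_id"  { type = string } # numeric Access Context Manager policy id
variable "project_number"    { type = string } # project placed inside the perimeter
variable "access_level_name" { type = string } # accessPolicies/{id}/accessLevels/{name}

resource "google_access_context_manager_service_perimeter" "restricted" {
  # count = 0 removes the perimeter entirely when the toggle is off.
  count          = var.enable_vpc_sc ? 1 : 0
  parent         = "accessPolicies/${var.access_policy_id}"
  name           = "accessPolicies/${var.access_policy_id}/servicePerimeters/restricted"
  title          = "restricted"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = var.restricted_services
    # Who may call the restricted APIs from outside the perimeter.
    access_levels       = [var.access_level_name]

    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = var.vpc_accessible_services
    }
  }
}
```

With `enable_vpc_sc = false` the plan creates nothing; with it set and the default `vpc_accessible_services`, only the endpoints of the restricted APIs are reachable from VPCs in the perimeter.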

eeaton commented 3 months ago

I'll close this Issue as a duplicate of https://github.com/terraform-google-modules/terraform-example-foundation/issues/1209; there I'm tracking work to enable VPCSC in dryrun mode and avoid the friction associated with immediately deploying an enforced VPCSC perimeter.

However, to the specific question:

why hardcode vpc_accessible_services = ["RESTRICTED-SERVICES"]. Shouldn't be configurable? Default is "*"

This is a confusingly named convention for vpc_accessible_services, but it's working as intended. "restricted services" means API traffic for this service cannot cross the perimeter. "VPC accessible services" means that API endpoints can be reached from a VPC inside the perimeter. vpc_accessible_services = ["RESTRICTED-SERVICES"] is the recommended convention to ensure these two settings align. The string "RESTRICTED-SERVICES" is equivalent to listing out all the services already configured for this perimeter as restricted. So only the endpoints for Google APIs can be reached from the VPC if they are restricted in the perimeter.

This helps avoid exfiltration paths that could happen with vpc_accessible_services = * such as: