terraform-google-modules / terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google
Apache License 2.0

feat: added VPC network support to perimeter resources #106

Closed mikepietruszka closed 1 year ago

mikepietruszka commented 1 year ago

Added VPC network support to resources parameter since that's now allowed by the API: https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters.

A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number} VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.

In this PR, I added a test condition on the resources parameter in the regular_service_perimeter module. The API method behind this resource now accepts a VPC network ID value for the resources parameter: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME} in addition to projects/{PROJECT_NUM}. Since the existing module already accepts {PROJECT_NUM} and prefixes projects/, I followed the same convention and accepted projects/{PROJECT_ID}/global/networks/{NAME}. This value can be retrieved using the most common output for the data source attribute compute_network.id or passed as a string.

This can be tested with:

Example:

module "protected_service_perimeter_1" {
  source         = "../modules/terraform-google-vpc-service-controls/modules/regular_service_perimeter"
  policy         = module.access_context_manager_policy.policy_id
  perimeter_name = "protected_1"
  description    = "Protected Service Perimeter 1"

  resources = [
    "PROJECT_NUMBER",
    "projects/host_project/global/networks/vpc_network_name"
  ]

  restricted_services = ["storage.googleapis.com"]
  access_levels       = [module.access_level_1.name]
}

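
The following is an added example, not code from this PR or from the terraform-google-vpc-service-controls module. It shows how a module could validate and normalise the `resources` list under the convention described above: bare project numbers receive the `projects/` prefix, and values shaped like `projects/{PROJECT_ID}/global/networks/{NAME}` (the `id` of a `google_compute_network`) receive the `//compute.googleapis.com/` prefix that the Access Context Manager API expects. The variable name `resources`, the local `perimeter_resources`, the output name and the sample default values are assumptions chosen for illustration; the module's real internals may differ.

```hcl
# Added example (not the module's own code): validation and normalisation
# of perimeter resources following the convention described in the PR.
# Names and sample values below are illustrative assumptions.

variable "resources" {
  description = <<-EOT
    Resources inside the perimeter. Each entry is either a project number
    without prefix (e.g. "123456789012") or a VPC network in the form
    "projects/PROJECT_ID/global/networks/NAME", which is the value of
    google_compute_network.id or data.google_compute_network.id.
  EOT
  type        = list(string)

  # Constructed sample input so the example can be planned as-is.
  default = [
    "123456789012",
    "projects/host-project/global/networks/vpc-a",
  ]

  validation {
    # Reject anything that is not one of the two accepted shapes, so a typo
    # fails at plan time instead of producing an unexpected perimeter boundary.
    condition = alltrue([
      for r in var.resources :
      can(regex("^[0-9]+$", r)) ||
      can(regex("^projects/[^/]+/global/networks/[^/]+$", r))
    ])
    error_message = "Each resource must be a project number or projects/PROJECT_ID/global/networks/NAME."
  }
}

locals {
  # Project numbers get the "projects/" prefix the module already adds;
  # VPC network IDs get the "//compute.googleapis.com/" prefix required by
  # the accessPolicies.servicePerimeters API.
  perimeter_resources = [
    for r in var.resources :
    can(regex("^projects/[^/]+/global/networks/[^/]+$", r))
    ? "//compute.googleapis.com/${r}"
    : "projects/${r}"
  ]
}

# The normalised list is what would be handed to the perimeter's
# status.resources; exposed here as an output so `terraform plan` shows it.
output "perimeter_resources" {
  value = local.perimeter_resources
}
```

With the sample default, the output is the two-element list `projects/123456789012` and `//compute.googleapis.com/projects/host-project/global/networks/vpc-a`; an entry such as `host-project/global/networks/vpc-a` (missing the `projects/` prefix) or a project ID given where a project number is expected fails the validation block before any API call is made.
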
google-cla[bot] commented 1 year ago

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

github-actions[bot] commented 1 year ago

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

mikepietruszka commented 1 year ago

Can this be re-opened and reviewed by someone?

apeabody commented 1 year ago

/gcbrun

apeabody commented 1 year ago

Hi @mikepietruszka Here is the relevant output from the INT test:

Profile: simple_example
Version: (not specified)
Target:  local://

  ✔  big_query_vpc_positive_test: Command: `gcloud alpha bq tables show-rows --table=example_table --dataset=dataset_vpc_sc_test_a9e1 --limit=10 --project=ci-project-policy-test-0-4cdc`
     ✔  Command: `gcloud alpha bq tables show-rows --table=example_table --dataset=dataset_vpc_sc_test_a9e1 --limit=10 --project=ci-project-policy-test-0-4cdc` exit_status is expected to equal 0
     ✔  Command: `gcloud alpha bq tables show-rows --table=example_table --dataset=dataset_vpc_sc_test_a9e1 --limit=10 --project=ci-project-policy-test-0-4cdc` stderr is expected to eq ""
  ×  big_query_vpc_negative_test: Command: `bq query --use_legacy_sql=false --project_id=ci-project-policy-test-1-1457 'select * from `ci-project-policy-test-0-4cdc.dataset_vpc_sc_test_a9e1.example_table` limit 10'` (1 failed)
     ✔  Command: `bq query --use_legacy_sql=false --project_id=ci-project-policy-test-1-1457 'select * from `ci-project-policy-test-0-4cdc.dataset_vpc_sc_test_a9e1.example_table` limit 10'` exit_status is expected to equal 1
     ×  Command: `bq query --use_legacy_sql=false --project_id=ci-project-policy-test-1-1457 'select * from `ci-project-policy-test-0-4cdc.dataset_vpc_sc_test_a9e1.example_table` limit 10'` stderr is expected to eq ""

     expected: ""
          got: "I0601 22:34:00.170196 139637272861512 bigquery_client.py:730] There is no apilog flag so non-critical logging is disabled.\n"

     (compared using ==)

imrannayer commented 1 year ago

/gcbrun

imrannayer commented 1 year ago

/gcbrun

imrannayer commented 1 year ago

@apeabody Error is due to a bug in CLI which is generating extra messages. Bug is fixed in 4.29. Do you know which version of container has this CLI version?

Removed excess line of logging to stderr that was printed on most commands

apeabody commented 1 year ago

@apeabody Error is due to a bug in CLI which is generating extra messages. Bug is fixed in 4.29. Do you know which version of container has this CLI version?

Removed excess line of logging to stderr that was printed on most commands

Hi @imrannayer - Looks like 1.11.6, which is curious as this repo appears to be using the most current version of 1.11?

imrannayer commented 1 year ago

@apeabody b/277805750 has the detail about the error in this CI.

apeabody commented 1 year ago

b/277805750

@imrannayer looks like you might want to try gcloud 433 which is in dev-tools 1.12.4. I just merged https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/pull/113 which will update this repo to 1.12.

apeabody commented 1 year ago

/gcbrun

imrannayer commented 1 year ago

/gcbrun

imrannayer commented 1 year ago

/gcbrun