Cloud Function for automatic folder inclusion

[morgante]

We need to develop a solution which automatically includes all projects within a folder in the VPC Service Perimeter.

Notes: https://docs.google.com/document/d/1WskXmjiyPjvavoQM2k-jE46XI1TogegUsGJCOjYnLY8/edit

[jasonwicks]

Hi,

I have been asked by Google Support engineer James W to provide feedback on this feature request, so sorry if this is not the correct place to put this information. Reasons why we don't believe folder based logic to determine perimeter/bridge membership would be the best solution in our organisation:

1. Our org is setup based on our business structure - which does not represent how our VPCSC perimeters/bridges are setup.

2. We are currently using folder level IAM on some parts of the hierarchy which would need to be reworked to cater for folder based VPCSC perimeters.

3. Bridges are used to connect projects in different levels of the org structure - so not sure how that would work.

We think a project level "tagging" solution would be a more flexible solution - similar to network tags. If we could tag a project with the name/type of perimeter/bridge to specify perimeter membership, we could setup VPC perimeters/bridges in our TF code as part of the project creation modules.

[morgante]

One concern with using labels is that there are no ACLs on them, so nothing prevents an owner of a Dev project from labeling it "production" and thereby bridging it into a production VPC perimeter. Is that a concern?

[jasonwicks]

Security of the labels would probably be a concern for the security team. We could maybe develop some features to control this, but it would not be ideal...however, would still be interested in looking at this as a version 1 - something is better than nothing at the moment.

[nick4fake]

Blocked by https://github.com/terraform-google-modules/terraform-google-event-function/issues/30

[nick4fake]

Initial PR is ready, TODO:

• Switch to a native Go library
• Add support for projects being moved OUT of a folder - fixed
• Add support for subfolders
• Use Cloud Functions service account instead of cred file
• Add tests

Nice to have:

• Retries for cloud function
• failure notifications
• Move VPC service controls code to a separate folder not to do function updates from itself - not required
• Reduce function code zip file
• Possibly simplify whole approach