terraform-google-modules / terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google
Apache License 2.0

Automatic folder create/delete projects with Bridges #46

Closed aba75-sbg closed 3 years ago

aba75-sbg commented 3 years ago

Hello,

I've taken a look at the example provided in automatic_folder on how to keep VPC-SC up-to-date with Project lifecycle.

For my use case, rather than using Cloud Functions and an event-driven architecture, I'm running Terraform every 2 hrs during office hours to detect any new or deleted Projects within the folders and update the VPC-SC perimeter and bridges as necessary.

The issue I'm having is when Projects are deleted. Terraform detects this and tries to remove the Projects from the perimeters, but the bridges make reference to the Projects within those perimeters. So the bridges complain once a Project has been removed from a perimeter with this error:

Error: Error updating ServicePerimeter "accessPolicies/xxxxxxx/servicePerimeters/regular_perimeter_Data_Dev": googleapi: Error 400: Project 'projects/xxxxxxx' is in Service Perimeter Bridge(s) 'bridge_perimeter_Data_Platform_Dev', but no regular Service Perimeter. Each project in a Service Perimeter Bridge must be in a regular Service Perimeter.

So I thought about adding a depends_on for the bridges to update first. Then the perimeters will update following the bridges. However, this introduces a new problem in that when a new Project is created, the bridges will attempt to add it first and complain it cannot be added to a bridge without first being in a perimeter.

I'd like someone to suggest a better way of doing this.

I did think about actually using Cloud Functions to have two functions, one for adding Projects and one for removing Projects. That way I can selectively choose to update the perimeter/bridge first depending on the Project lifecycle event.

Before I do so, I wanted to reach out and see if I'm missing something first.

Thanks, Andrew

Perimeter code

module "regular_service_perimeter_data_dev" {
  source              = "xxx"
  policy              = module.access_context_manager_policy.policy_id
  perimeter_name      = "regular_perimeter_Data_Dev"
  description         = "Perimeter shielding Dev project ${null_resource.wait_for_members.id}"
  resources           = local.project_numbers_protected_data_dev
  access_levels       = [xxx]
  restricted_services = var.restricted_services

  shared_resources    = {
    all = local.project_numbers_protected_data_dev
  }
}

Bridge code

module "bridge_service_perimeter_data_platform_dev" {
  source         = "xxx"
  policy         = module.access_context_manager_policy.policy_id
  perimeter_name = "bridge_perimeter_Data_Platform_Dev"
  description    = "Bridges the Platform and Data Dev perimeters together"

  resources = concat(
    module.regular_service_perimeter_platform_shared.shared_resources["all"],
    module.regular_service_perimeter_data_dev.shared_resources["all"],
  )
}
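The ordering constraint behind the 400 error above, modelled as an added example that is not part of this module or of the issue: a small hypothetical Python planner that diffs current against desired perimeter membership and orders the updates so that every project in a bridge is still in a regular perimeter after each step (bridge removals first, bridge additions last). The perimeter names follow the modules in the issue; the project numbers are constructed sample values.

```python
from copy import deepcopy

# {"regular": {perimeter: projects}, "bridge": {bridge: projects}}
Policy = dict[str, dict[str, set[str]]]

def violations(policy: Policy) -> set[str]:
    """Projects in some bridge but in no regular perimeter (what the API rejects)."""
    protected = set().union(*policy["regular"].values())
    bridged = set().union(*policy["bridge"].values())
    return bridged - protected

def plan(current: Policy, desired: Policy) -> list[tuple[str, str, str, str]]:
    """Order (op, kind, perimeter, project) steps so the invariant holds after each one:
    bridge removals, then regular-perimeter removals/additions, then bridge additions."""
    def diff(kind, op):
        for name in sorted(set(current[kind]) | set(desired[kind])):
            cur = current[kind].get(name, set())
            want = desired[kind].get(name, set())
            for proj in sorted((cur - want) if op == "remove" else (want - cur)):
                yield (op, kind, name, proj)
    return [*diff("bridge", "remove"), *diff("regular", "remove"),
            *diff("regular", "add"), *diff("bridge", "add")]

def apply_plan(policy: Policy, steps) -> Policy:
    """Simulate each membership update; fail like the API's 400 if a step breaks the invariant."""
    state = deepcopy(policy)
    for op, kind, name, proj in steps:
        members = state[kind].setdefault(name, set())
        if op == "add":
            members.add(proj)
        else:
            members.discard(proj)
        bad = violations(state)
        if bad:
            raise ValueError(f"{op} {proj} on {kind} {name}: {sorted(bad)} bridged but unprotected")
    return state

# Constructed sample state: project 222 was deleted, project 444 was created in the Data Dev folder.
CURRENT = {
    "regular": {"regular_perimeter_Data_Dev": {"111", "222"},
                "regular_perimeter_Platform_Shared": {"333"}},
    "bridge": {"bridge_perimeter_Data_Platform_Dev": {"111", "222", "333"}},
}
DESIRED = {
    "regular": {"regular_perimeter_Data_Dev": {"111", "444"},
                "regular_perimeter_Platform_Shared": {"333"}},
    "bridge": {"bridge_perimeter_Data_Platform_Dev": {"111", "333", "444"}},
}
```

Running `apply_plan(CURRENT, plan(CURRENT, DESIRED))` reaches `DESIRED` without a violation, while applying the regular-perimeter removal first raises, which is the ordering a single `depends_on` cannot express in both directions.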
github-actions[bot] commented 3 years ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.