feat: allow reuse of VPC-SC perimeters (#203)
* allow replacement of internal VPC-SC perimeters with external perimeters

* rename external perimeter variables

* add comment regarding default perimeter and existing perimeter

* rename external perimeter variable names
daniel-cit authored Dec 4, 2021
1 parent 9864b44 commit c68c0c4
Showing 4 changed files with 101 additions and 9 deletions.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -55,13 +55,16 @@ module "secured_data_warehouse" {
| confidential\_access\_members | List of members in the standard GCP form: user:{email}, serviceAccount:{email}, group:{email} who will have access to confidential information in BigQuery. | `list(string)` | `[]` | no |
| confidential\_data\_dataflow\_deployer\_identities | List of members in the standard GCP form: user:{email}, serviceAccount:{email} that will deploy Dataflow jobs in the Confidential Data project. These identities will be added to the VPC-SC secure data exchange egress rules. | `list(string)` | `[]` | no |
| confidential\_data\_egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) for the Confidential Data perimeter, each list object has a `from` and `to` value that describes egress\_from and egress\_to. See also [secure data exchange](https://cloud.google.com/vpc-service-controls/docs/secure-data-exchange#allow_access_to_a_google_cloud_resource_outside_the_perimeter) and the [VPC-SC](https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/v3.1.0/modules/regular_service_perimeter/README.md) module. | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
| confidential\_data\_perimeter | Existing confidential data perimeter to be used instead of the auto-crated perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module. | `string` | `""` | no |
| confidential\_data\_project\_id | Project where the confidential datasets and tables are created. | `string` | n/a | yes |
| confidential\_dataset\_default\_table\_expiration\_ms | TTL of tables using the dataset in MS. The default value is null. | `number` | `null` | no |
| confidential\_dataset\_id | Unique ID for the confidential dataset being provisioned. | `string` | `"secured_dataset"` | no |
| data\_governance\_egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) for the Data Governance perimeter, each list object has a `from` and `to` value that describes egress\_from and egress\_to. See also [secure data exchange](https://cloud.google.com/vpc-service-controls/docs/secure-data-exchange#allow_access_to_a_google_cloud_resource_outside_the_perimeter) and the [VPC-SC](https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/v3.1.0/modules/regular_service_perimeter/README.md) module. | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
| data\_governance\_perimeter | Existing data governance perimeter to be used instead of the auto-crated perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module. | `string` | `""` | no |
| data\_governance\_project\_id | The ID of the project in which the data governance resources will be created. | `string` | n/a | yes |
| data\_ingestion\_dataflow\_deployer\_identities | List of members in the standard GCP form: user:{email}, serviceAccount:{email} that will deploy Dataflow jobs in the Data Ingestion project. These identities will be added to the VPC-SC secure data exchange egress rules. | `list(string)` | `[]` | no |
| data\_ingestion\_egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) for the Data Ingestion perimeter, each list object has a `from` and `to` value that describes egress\_from and egress\_to. See also [secure data exchange](https://cloud.google.com/vpc-service-controls/docs/secure-data-exchange#allow_access_to_a_google_cloud_resource_outside_the_perimeter) and the [VPC-SC](https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/v3.1.0/modules/regular_service_perimeter/README.md) module. | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
| data\_ingestion\_perimeter | Existing data ingestion perimeter to be used instead of the auto-crated perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module. | `string` | `""` | no |
| data\_ingestion\_project\_id | The ID of the project in which the data ingestion resources will be created | `string` | n/a | yes |
| dataset\_default\_table\_expiration\_ms | TTL of tables using the dataset in MS. The default value is null. | `number` | `null` | no |
| dataset\_description | Dataset description. | `string` | `"Data-ingestion dataset"` | no |
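Review bot: the three new rows (confidential_data_perimeter, data_governance_perimeter, data_ingestion_perimeter) carry the typo "auto-crated" for "auto-created"; this table is generated from the variable descriptions in variables.tf, so fix it there and regenerate. The description should also state that the expected value is the bare perimeter name, not the full `accessPolicies/{policy}/servicePerimeters/{name}` resource path, because service_control.tf prepends `accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/` itself and a full path would produce a malformed name at apply time.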
12 changes: 6 additions & 6 deletions outputs.tf
Expand Up @@ -98,32 +98,32 @@ output "data_ingestion_bigquery_dataset" {

output "data_ingestion_access_level_name" {
description = "Access context manager access level name."
value = module.data_ingestion_vpc_sc.access_level_name
value = var.data_ingestion_perimeter == "" ? module.data_ingestion_vpc_sc[0].access_level_name : ""
}

output "data_ingestion_service_perimeter_name" {
description = "Access context manager service perimeter name."
value = module.data_ingestion_vpc_sc.service_perimeter_name
value = var.data_ingestion_perimeter == "" ? module.data_ingestion_vpc_sc[0].service_perimeter_name : ""
}

output "data_governance_access_level_name" {
description = "Access context manager access level name."
value = module.data_governance_vpc_sc.access_level_name
value = var.data_governance_perimeter == "" ? module.data_governance_vpc_sc[0].access_level_name : ""
}

output "data_governance_service_perimeter_name" {
description = "Access context manager service perimeter name."
value = module.data_governance_vpc_sc.service_perimeter_name
value = var.data_governance_perimeter == "" ? module.data_governance_vpc_sc[0].service_perimeter_name : ""
}

output "confidential_access_level_name" {
description = "Access context manager access level name."
value = module.confidential_data_vpc_sc.access_level_name
value = var.confidential_data_perimeter == "" ? module.confidential_data_vpc_sc[0].access_level_name : ""
}

output "confidential_service_perimeter_name" {
description = "Access context manager service perimeter name."
value = module.confidential_data_vpc_sc.service_perimeter_name
value = var.confidential_data_perimeter == "" ? module.confidential_data_vpc_sc[0].service_perimeter_name : ""
}

output "cmek_data_ingestion_crypto_key" {
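Review bot: returning "" from data_ingestion_service_perimeter_name (and the governance and confidential counterparts) when an existing perimeter is supplied throws away a value the caller needs for wiring further projects or bridges to the same perimeter; return the supplied name in the else branch instead, e.g. `value = var.data_ingestion_perimeter == "" ? module.data_ingestion_vpc_sc[0].service_perimeter_name : var.data_ingestion_perimeter`, so the output is usable in both modes. The access_level_name outputs have no equivalent in the existing-perimeter case, so "" is reasonable there, but the descriptions should say that the value is empty when an existing perimeter is used.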
77 changes: 74 additions & 3 deletions service_control.tf
Expand Up @@ -50,6 +50,7 @@ locals {
]

restricted_services = distinct(concat(local.base_restricted_services, var.additional_restricted_services))

}

data "google_project" "data_ingestion_project" {
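Review bot: the only change in this hunk is a stray blank line before the closing brace of the locals block; drop it so the diff contains only the functional changes.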
Expand Down Expand Up @@ -85,9 +86,12 @@ resource "time_sleep" "forces_wait_propagation" {
]
}

# Default VPC Service Controls perimeter and access list.
module "data_ingestion_vpc_sc" {
source = ".//modules/dwh-vpc-sc"

count = var.data_ingestion_perimeter == "" ? 1 : 0

org_id = var.org_id
project_id = var.data_ingestion_project_id
access_context_manager_policy_id = var.access_context_manager_policy_id
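Review bot: the new `count` on module.data_ingestion_vpc_sc means that setting data_ingestion_perimeter on an already deployed environment destroys the auto-created perimeter and access level in the same apply that attaches the project to the existing perimeter, and nothing orders the two operations (the new resource depends only on time_sleep.forces_wait_propagation, not on the old module), so the project can be outside any perimeter for part of the apply. Document that the mode is meant to be chosen at first deployment, or describe the migration as an ordered operation (attach to the existing perimeter first, then remove the default one). While this block is being touched, the double slash in `source = ".//modules/dwh-vpc-sc"` can be normalised to `./modules/dwh-vpc-sc`.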
Expand Down Expand Up @@ -127,9 +131,37 @@ module "data_ingestion_vpc_sc" {
]
}

# Adding project to an existing VPC Service Controls Perimeter
# instead of the default VPC Service Controls perimeter.
# The default VPC Service Controls perimeter and access list will not be created.
resource "google_access_context_manager_service_perimeter_resource" "ingestion-perimeter-resource" {
count = var.data_ingestion_perimeter != "" ? 1 : 0

perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.data_ingestion_perimeter}"
resource = "projects/${data.google_project.data_ingestion_project.number}"

depends_on = [
time_sleep.forces_wait_propagation
]
}

resource "google_access_context_manager_service_perimeter_resource" "non-confidential-perimeter-resource" {
count = var.data_ingestion_perimeter != "" ? 1 : 0

perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.data_ingestion_perimeter}"
resource = "projects/${data.google_project.non_confidential_data_project.number}"

depends_on = [
time_sleep.forces_wait_propagation
]
}

# Default VPC Service Controls perimeter and access list.
module "data_governance_vpc_sc" {
source = ".//modules/dwh-vpc-sc"

count = var.data_governance_perimeter == "" ? 1 : 0

org_id = var.org_id
project_id = var.data_governance_project_id
access_context_manager_policy_id = var.access_context_manager_policy_id
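Review bot: both ingestion-perimeter-resource and non-confidential-perimeter-resource attach projects to the perimeter named by `var.data_ingestion_perimeter`, so the non-confidential project is co-located with the ingestion project by design; a comment saying so would help, since the variable name alone does not suggest it. Two further points: `google_access_context_manager_service_perimeter_resource` conflicts with a perimeter whose project list is managed inline through the `resources` argument of `google_access_context_manager_service_perimeter` (the provider requires `ignore_changes = [status[0].resources]` on that perimeter), which the variable description should call out because the existing perimeter is managed outside this module; and the new resource names use hyphens (`ingestion-perimeter-resource`) where the rest of the file uses underscores (`forces_wait_propagation`, `data_ingestion_project`), so `ingestion_perimeter_resource` would be consistent.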
Expand All @@ -149,9 +181,26 @@ module "data_governance_vpc_sc" {
]
}

# Adding project to an existing VPC Service Controls Perimeter
# instead of the default VPC Service Controls perimeter.
# The default VPC Service Controls perimeter and access list will not be created.
resource "google_access_context_manager_service_perimeter_resource" "governance-perimeter-resource" {
count = var.data_governance_perimeter != "" ? 1 : 0

perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.data_governance_perimeter}"
resource = "projects/${data.google_project.governance_project.number}"

depends_on = [
time_sleep.forces_wait_propagation
]
}

# Default VPC Service Controls perimeter and access list.
module "confidential_data_vpc_sc" {
source = ".//modules/dwh-vpc-sc"

count = var.confidential_data_perimeter == "" ? 1 : 0

org_id = var.org_id
project_id = var.confidential_data_project_id
access_context_manager_policy_id = var.access_context_manager_policy_id
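Review bot: governance-perimeter-resource reads `data.google_project.governance_project`, while the ingestion resource reads `data.google_project.data_ingestion_project`; only the latter data source is visible in this diff, so confirm that `governance_project` (and `confidential_project`, `non_confidential_data_project` used by the sibling resources) exist under exactly those names, because a reference to an undefined data source fails validation even when the resource's `count` is 0. The `count` on module.confidential_data_vpc_sc follows the same pattern as the ingestion module and carries the same migration caveat when switched on an existing deployment.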
Expand Down Expand Up @@ -191,6 +240,20 @@ module "confidential_data_vpc_sc" {
]
}

# Adding project to an existing VPC Service Controls Perimeter
# instead of the default VPC Service Controls perimeter.
# The default VPC Service Controls perimeter and access list will not be created.
resource "google_access_context_manager_service_perimeter_resource" "confidential-perimeter-resource" {
count = var.confidential_data_perimeter != "" ? 1 : 0

perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.confidential_data_perimeter}"
resource = "projects/${data.google_project.confidential_project.number}"

depends_on = [
time_sleep.forces_wait_propagation
]
}

module "vpc_sc_bridge_data_ingestion_governance" {
source = "terraform-google-modules/vpc-service-controls/google//modules/bridge_service_perimeter"
version = "~> 3.0"
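Review bot: the four google_access_context_manager_service_perimeter_resource blocks (ingestion, non-confidential, governance, confidential) are identical apart from the variable and the project number; one resource with `for_each` over a map built in locals, filtered to entries whose perimeter variable is non-empty, e.g. `for_each = { for k, v in local.existing_perimeters : k => v if v.perimeter != "" }` with `perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${each.value.perimeter}"` and `resource = "projects/${each.value.project_number}"`, would remove the copy-paste and give the bridge modules a single resource to depend on.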
Expand All @@ -208,7 +271,10 @@ module "vpc_sc_bridge_data_ingestion_governance" {
depends_on = [
time_sleep.forces_wait_propagation,
module.data_governance_vpc_sc,
module.data_ingestion_vpc_sc
module.data_ingestion_vpc_sc,
google_access_context_manager_service_perimeter_resource.ingestion-perimeter-resource,
google_access_context_manager_service_perimeter_resource.governance-perimeter-resource,
google_access_context_manager_service_perimeter_resource.non-confidential-perimeter-resource,
]
}

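Review bot: `depends_on` entries that point at count-0 modules and resources are accepted by Terraform, so this list is safe in both modes, but the dependency is only half of the change: with `count` on the vpc_sc modules, `module.data_ingestion_vpc_sc` and `module.data_governance_vpc_sc` are now lists, so any reference to their outputs in this module's arguments (outside this hunk) needs `[0]` or the same conditional used in outputs.tf, and the bridge's perimeter list must name the existing perimeters when the modules are disabled. Also, this block ends the list with a trailing comma after `non-confidential-perimeter-resource` while the two sibling bridge blocks do not; pick one style.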
Expand All @@ -228,7 +294,9 @@ module "vpc_sc_bridge_confidential_governance" {
depends_on = [
time_sleep.forces_wait_propagation,
module.confidential_data_vpc_sc,
module.data_governance_vpc_sc
module.data_governance_vpc_sc,
google_access_context_manager_service_perimeter_resource.confidential-perimeter-resource,
google_access_context_manager_service_perimeter_resource.governance-perimeter-resource
]
}

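Review bot: this block omits the non-confidential-perimeter-resource dependency that the two ingestion bridges include; that matches the non-confidential project being attached to the ingestion perimeter rather than the confidential or governance one, but a one-line comment stating it would stop a later edit from "fixing" the omission. Unlike the first bridge block, there is no trailing comma after `governance-perimeter-resource`; align the style across the three blocks.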
Expand All @@ -248,7 +316,10 @@ module "vpc_sc_bridge_confidential_data_ingestion" {
depends_on = [
time_sleep.forces_wait_propagation,
module.confidential_data_vpc_sc,
module.data_ingestion_vpc_sc
module.data_ingestion_vpc_sc,
google_access_context_manager_service_perimeter_resource.confidential-perimeter-resource,
google_access_context_manager_service_perimeter_resource.non-confidential-perimeter-resource,
google_access_context_manager_service_perimeter_resource.ingestion-perimeter-resource
]
}

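Review bot: the dependency order here (confidential, non-confidential, ingestion) differs from the first bridge block (ingestion, governance, non-confidential); order inside `depends_on` has no effect, but a fixed order across the three blocks makes the diff easier to review. The same `[0]` caveat applies to any reference to `module.confidential_data_vpc_sc` or `module.data_ingestion_vpc_sc` outputs in this module's arguments now that both carry a `count`.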
18 changes: 18 additions & 0 deletions variables.tf
Expand Up @@ -227,3 +227,21 @@ variable "additional_restricted_services" {
type = list(string)
default = []
}

variable "data_ingestion_perimeter" {
description = "Existing data ingestion perimeter to be used instead of the auto-crated perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module."
type = string
default = ""
}

variable "data_governance_perimeter" {
description = "Existing data governance perimeter to be used instead of the auto-crated perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module."
type = string
default = ""
}

variable "confidential_data_perimeter" {
description = "Existing confidential data perimeter to be used instead of the auto-crated perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module."
type = string
default = ""
}
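Review bot: the three new variables accept any string, but service_control.tf uses them as the last segment of `accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/...`, so a caller who passes the full resource path (the form the console and gcloud display) gets a malformed perimeter name at apply time; add a `validation` block to each, e.g. `condition = !can(regex("/", var.data_ingestion_perimeter))` with an `error_message` saying that only the perimeter name is expected (the empty default still passes), and state the expected format in the description. Also fix "auto-crated" to "auto-created" in all three descriptions, since the README table is generated from them.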
