Commit 4365eab

eeaton and daniel-cit authored
fix(VPCSC): enable dryrun mode (terraform-google-modules#1210)
Co-authored-by: Daniel Andrade <dandrade@ciandt.com>
1 parent 55b06bf commit 4365eab

54 files changed, +775 -194 lines changed

1-org/modules/cai-monitoring/main.tf

+3-2
Original file line numberDiff line numberDiff line change
@@ -161,8 +161,9 @@ module "cloud_function" {
161161
service_config = {
162162
service_account_email = google_service_account.cloudfunction.email
163163
runtime_env_variables = {
164-
ROLES = join(",", var.roles_to_monitor)
165-
SOURCE_ID = google_scc_source.cai_monitoring.id
164+
ROLES = join(",", var.roles_to_monitor)
165+
SOURCE_ID = google_scc_source.cai_monitoring.id
166+
LOG_EXECUTION_ID = "true"
166167
}
167168
}
168169
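Review bot: the `LOG_EXECUTION_ID = "true"` addition to the Cloud Function's `runtime_env_variables` is unrelated to the commit's stated purpose (enabling VPC-SC dry-run mode) and is not mentioned in the commit message; either split it into its own commit or add a line explaining why the cai-monitoring function should now emit execution IDs in its logs, since reviewers following the VPC-SC change will otherwise miss it.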

3-networks-dual-svpc/README.md

+11-2
@@ -55,10 +55,11 @@ For an overview of the architecture and the parts, see the
5555

5656
## Purpose
5757

58+
5859
The purpose of this step is to:
5960

6061
- Set up the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones).
61-
- Set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated or Partner Interconnect, and baseline firewall rules for each environment.
62+
- Set up base and restricted Hubs and it corresponding Spokes. With default DNS, NAT (optional), Private Service networking, VPC Service Controls (optional), on-premises Dedicated or Partner Interconnect, and baseline firewall rules for each environment.
6263

6364
## Prerequisites
6465

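Review bot: the rewritten bullet has grammar problems: `it corresponding Spokes` should be `its corresponding Spokes`, and `With default DNS, NAT (optional), ...` is a sentence fragment. Suggest joining them into one sentence: `- Set up base and restricted Hubs and their corresponding Spokes with default DNS, NAT (optional), Private Service networking, VPC Service Controls (optional), ...`. The blank line added at `58+` also leaves two consecutive blank lines under `## Purpose`.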
@@ -188,7 +189,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get
188189

189190
sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars
190191
```
191-
**Note:** Make sure that you update the `perimeter_additional_members` variable with your e-mail in order to be able to view/access resources in the project protected by the VPC service controls.
192+
**Note:** Make sure that you update the `perimeter_additional_members` variable with your user identity in order to be able to view/access resources in the project protected by the VPC Service Controls.
192193

193194
1. Commit changes
194195

@@ -413,3 +414,11 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT`
413414
```bash
414415
unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
415416
```
417+
418+
### (Optional) Enforce VPC Service Controls
419+
420+
Because enabling VPC Service Controls can be a disruptive process, this repo configures VPC Service Controls perimeters in dry run mode by default. This configuration will service traffic that crosses the security perimeter (API requests that originate from inside your perimeter communicating with external resources, or API requests from external resources communicating with resources inside your perimeter) but still allow service traffic normally.
421+
422+
When you are ready to enforce VPC Service Controls, we recommend that you review the guidance at [Best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable). After you have added the necessary exceptions and are confident that VPC Service Controls will not disrupt your intended operations, set the variable `enforce_vpcsc` under the module `restricted_shared_vpc` to `true` and re-apply this stage. Then re-apply the 4-projects stage, which will inherit the new setting and include those projects inside the enforced perimeter.
423+
424+
When you need to make changes to an existing enforced perimeter, you can test safely by modifying the configuration of the [dry run perimeter](https://cloud.google.com/vpc-service-controls/docs/dry-run-mode). This will log traffic denied by the dry run perimeter without impacting whether the enforced perimeter allows or denies traffic.
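Review bot: `This configuration will service traffic that crosses the security perimeter` reads as a typo for `will log traffic`; as written it contradicts the following clause `but still allow service traffic normally`, and logging would-be denials is the whole point of dry-run mode. Also, the instruction to set `enforce_vpcsc` under the module `restricted_shared_vpc` does not match the environment files in this same commit, which read the value via `module.base_env.enforce_vpcsc` in `3-networks-dual-svpc/envs/development/outputs.tf`; confirm which module block a user is expected to edit and name the file path so the step is unambiguous.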

3-networks-dual-svpc/envs/development/README.md

+9-4
@@ -17,9 +17,12 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
1717
|------|-------------|------|---------|:--------:|
1818
| access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes |
1919
| domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes |
20-
| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
21-
| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
22-
| perimeter\_additional\_members | The list of additional members to be added to the perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | n/a | yes |
20+
| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
21+
| egress\_policies\_dry\_run | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
22+
| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference) to use in an enforced perimeter. Each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
23+
| ingress\_policies\_dry\_run | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference) to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
24+
| perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
25+
| perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | `[]` | no |
2326
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
2427
| tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
2528

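Review bot: the description for `perimeter_additional_members_dry_run` is copied from the enforced variable and still says `To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list`, but a dry-run perimeter never blocks access; a user missing from this list only shows up as a dry-run denial in the logs. Reword it to say the list is used to model the access level in the dry-run perimeter. Two further points: `perimeter_additional_members` changes from required (`n/a`, `yes`) to optional with default `[]`, which relaxes validation and should be called out in the commit message, and the typo `indentities` is carried into all four new `egress_policies*` / `ingress_policies*` rows.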
@@ -28,14 +31,16 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
2831
| Name | Description |
2932
|------|-------------|
3033
| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
34+
| access\_level\_name | Access context manager access level name |
35+
| access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter |
3136
| base\_host\_project\_id | The base host project ID |
3237
| base\_network\_name | The name of the VPC being created |
3338
| base\_network\_self\_link | The URI of the VPC being created |
3439
| base\_subnets\_ips | The IPs and CIDRs of the subnets being created |
3540
| base\_subnets\_names | The names of the subnets being created |
3641
| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
3742
| base\_subnets\_self\_links | The self-links of subnets being created |
38-
| restricted\_access\_level\_name | Access context manager access level name |
43+
| enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. |
3944
| restricted\_host\_project\_id | The restricted host project ID |
4045
| restricted\_network\_name | The name of the VPC being created |
4146
| restricted\_network\_self\_link | The URI of the VPC being created |
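Review bot: renaming the output `restricted_access_level_name` to `access_level_name` removes an output name that downstream stages or users may reference; it should be called out in the commit message as a breaking change. The new `enforce_vpcsc` row also reuses the input variable's guidance text (`Enable the enforced mode ... It is not recommended ...`), which is advice for setting a value rather than a description of what the output exposes; suggest `Whether the restricted perimeter is enforced (true) or in dry-run mode (false)`.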

3-networks-dual-svpc/envs/development/main.tf

+3
@@ -74,11 +74,14 @@ module "base_env" {
7474
environment_code = local.environment_code
7575
access_context_manager_policy_id = var.access_context_manager_policy_id
7676
perimeter_additional_members = var.perimeter_additional_members
77+
perimeter_additional_members_dry_run = var.perimeter_additional_members_dry_run
7778
default_region1 = local.default_region1
7879
default_region2 = local.default_region2
7980
domain = var.domain
8081
ingress_policies = var.ingress_policies
82+
ingress_policies_dry_run = var.ingress_policies_dry_run
8183
egress_policies = var.egress_policies
84+
egress_policies_dry_run = var.egress_policies_dry_run
8285
enable_partner_interconnect = false
8386
base_private_service_cidr = local.base_private_service_cidr
8487
base_subnet_primary_ranges = local.base_subnet_primary_ranges
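Review bot: the three new `*_dry_run` arguments are passed through to `base_env`, but `enforce_vpcsc` is not, even though `outputs.tf` in this same commit reads `module.base_env.enforce_vpcsc` and the top-level README tells users to enable enforcement in this stage; confirm that `base_env` declares `enforce_vpcsc` with a default of `false` (dry-run) and consider exposing it as an environment variable here so it can be toggled from `.tfvars` without editing module source.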

3-networks-dual-svpc/envs/development/outputs.tf

+13-2
@@ -58,16 +58,27 @@ output "restricted_subnets_secondary_ranges" {
5858
description = "The secondary ranges associated with these subnets"
5959
}
6060

61-
output "restricted_access_level_name" {
62-
value = module.base_env.restricted_access_level_name
61+
output "access_level_name" {
62+
value = module.base_env.access_level_name
6363
description = "Access context manager access level name"
6464
}
6565

66+
output "access_level_name_dry_run" {
67+
value = module.base_env.access_level_name_dry_run
68+
description = "Access context manager access level name for the dry-run perimeter"
69+
}
70+
71+
output "enforce_vpcsc" {
72+
value = module.base_env.enforce_vpcsc
73+
description = "Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases."
74+
}
75+
6676
output "restricted_service_perimeter_name" {
6777
value = module.base_env.restricted_service_perimeter_name
6878
description = "Access context manager service perimeter name"
6979
}
7080

81+
7182
/******************************************
7283
Private Outputs
7384
*****************************************/
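Review bot: the `enforce_vpcsc` output description is a verbatim copy of the input variable's guidance text, including the Markdown link syntax, which `terraform output` will print literally; shorten it to what the value means, for example `Whether the restricted perimeter is enforced (true) or in dry-run mode (false)`. The blank line added at `81+` also leaves two consecutive blank lines before the `Private Outputs` comment block, which looks unintended.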
