Skip to content

Latest commit

 

History

History
92 lines (65 loc) · 4.34 KB

File metadata and controls

92 lines (65 loc) · 4.34 KB

Frequently Asked Questions

How do I use an existing VPC-SC service perimeter instead of the perimeter auto-created by the Secured Data Warehouse module?

The Secured Data Warehouse has inputs to use an existing VPC-SC service perimeter:

  • data_ingestion_perimeter
  • data_governance_perimeter
  • confidential_data_perimeter

On your existing VPC-SC service perimeter:

How do I add new projects to one of the auto-created perimeters?

Use the Terraform resource google_access_context_manager_service_perimeter_resource to add add new projects to the perimiter.

Each auto-created perimeter has an output for its name:

  • data_ingestion_service_perimeter_name
  • data_governance_service_perimeter_name
  • confidential_service_perimeter_name

Example

resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource" {
  perimeter_name = "accessPolicies/ACCESS-CONTEXT-MANAGER-POLICY-ID/servicePerimeters/PERIMETER-NAME"
  resource       = "projects/PROJECT-NUMBER"
}

As an alternative, the Google Cloud Project Factory Terraform Module also allows for the inclusion of a new project in an existing perimeter.

Note: all the services supported by VPC-SC are included as restricted at perimeter.

How do I call a Google service protected by the perimeters from a project outside of the auto-created perimeters?

To be able to call a Google service from a project outside of the perimeter you will need to configure an egress rule that allows communication to the external service.

Each perimeter has an input for a list of egress rules:

  • data_ingestion_egress_policies
  • data_governance_egress_policies
  • confidential_data_egress_policies

Example of an egress rule that allows reading from a private bucket outside of the project:

[
    {
      "from" = {
        "identity_type" = ""
        "identities" = ["user:YOUR-EMAIL","serviceAccount:YOUR-SERVICE-ACCOUNT-EMAIL"]
      },
      "to" = {
        "resources" = ["projects/TARGET-PROJECT-NUMBER"]
        "operations" = {
          "storage.googleapis.com" = {
            "methods" = [
              "google.storage.objects.get"
            ]
          }
        }
      }
    }
]

The format is the same one used in the module terraform-google-vpc-service-controls.

Use the VPC-SC error created when trying to access a service to find out the information for the egress rule:

  • The identities that where trying to access the Google API service.
  • The Google API service blocked.
  • The Google API method blocked.

The error will have a component like:

Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: UNIQUE-IDENTIFIER

Use the Unique Identifier UNIQUE-IDENTIFIER value in the Troubleshoot page to obtain the details regarding the policy violation.

Note: Some API methods may not be directly available to be added to the egress rule. In this case use "methods" = ["*"].