### Apply Example Module with Kitchen-Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Applies the Terraform configuration for a specified example module using Kitchen-Terraform. This step provisions the resources defined in the module. ```bash kitchen_do converge ``` -------------------------------- ### Verify Example Module with Kitchen-Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Runs verification tests on a converged example module using Kitchen-Terraform. This step ensures that the deployed module behaves as expected. It requires activating the Google Cloud service account first. ```bash activate_gcloud_sa && kitchen_do verify ``` -------------------------------- ### Initialize Kitchen-Terraform Working Directory Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Initializes the working directory for a specific example module within the Kitchen-Terraform testing framework. This prepares the environment for subsequent testing steps. ```bash kitchen_do create ``` -------------------------------- ### Destroy Example Module State with Kitchen-Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Destroys the resources and state associated with a specific example module using Kitchen-Terraform. This cleans up the test environment after verification. ```bash kitchen_do destroy ``` -------------------------------- ### Prepare Test Project Environment with Make Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Prepares the necessary environment for integration testing within a Docker container. This includes setting up a test project using Docker and requires Google Cloud SDK and Docker Engine to be installed. ```bash make docker_test_prepare ``` -------------------------------- ### Configure IAM Policy Bindings with gcloud Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/simple_example_bridge/README.md These gcloud commands are used to grant necessary IAM roles to a service account on specified projects. Ensure you replace placeholders like '' and '' with your actual values. These roles are crucial for BigQuery operations within the VPC Service Controls setup. ```bash gcloud projects add-iam-policy-binding --member=serviceAccount: --role=roles/bigquery.jobUser gcloud projects add-iam-policy-binding --member=serviceAccount: --role=roles/bigquery.dataOwner ``` -------------------------------- ### Complete Multi-Perimeter VPC Service Controls Setup (Terraform) Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This comprehensive Terraform configuration demonstrates a full VPC Service Controls deployment. It includes setting up the root policy, defining multiple access levels for different user groups and network sources, and establishing regular and bridge perimeters for robust security. This example serves as a template for complex organizational deployments. ```hcl # Provider configuration provider "google" { project = "my-terraform-project" region = "us-central1" } # Root policy module "org_policy" { source = "terraform-google-modules/vpc-service-controls/google" version = "~> 7.0" parent_id = "123456789012" policy_name = "enterprise_vpc_sc_policy" } # Access level for admin users module "admin_access" { source = "terraform-google-modules/vpc-service-controls/google//modules/access_level" version = "~> 7.0" policy = module.org_policy.policy_id name = "admin_access" description = "Full admin access" members = ["user:admin@company.com"] } # Access level for corporate network module "corp_network_access" { source = "terraform-google-modules/vpc-service-controls/google//modules/access_level" version = "~> 7.0" policy = module.org_policy.policy_id name = "corporate_network" description = "Corporate network access" ip_subnetworks = ["203.0.113.0/24", "198.51.100.0/24"] } ``` -------------------------------- ### Start Testing Docker Container Interactively Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Launches the Docker container used for testing in interactive mode. This allows for manual execution of Kitchen-Terraform commands within the containerized environment. ```bash make docker_run ``` -------------------------------- ### Initialize, Plan, Apply, and Destroy Terraform Infrastructure Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/simple_example_bridge/README.md Standard Terraform commands to manage infrastructure. 'terraform init' downloads necessary plugins, 'terraform plan' previews changes, 'terraform apply' provisions resources, and 'terraform destroy' removes them. These commands are essential for deploying and managing the VPC Service Controls configuration. ```bash terraform init terraform plan terraform apply terraform destroy ``` -------------------------------- ### Run Integration Tests Non-interactively with Make Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Executes integration tests for all example modules non-interactively. This command assumes the test environment has been prepared using 'make docker_test_prepare' and requires Docker Engine. ```bash make docker_test_integration ``` -------------------------------- ### Grant IAM Policy Binding using gcloud Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/simple_example/README.md These gcloud commands are used to grant necessary IAM roles to a service account on a specified project. This is a prerequisite for running integration tests or for the service account to manage resources within the protected project. ```bash gcloud projects add-iam-policy-binding --member=serviceAccount: --role=roles/bigquery.jobUser gcloud projects add-iam-policy-binding --member=serviceAccount: --role=roles/bigquery.dataOwner ``` -------------------------------- ### Gcloud Command for IAM Policy Binding Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/scoped_example_with_egress_rule/README.md This gcloud command grants the Storage Admin role to a specified service account on a target project. This is a prerequisite for setting up certain permissions required by the VPC Service Controls example, particularly for external storage bucket access. ```bash gcloud projects add-iam-policy-binding --member=serviceAccount: --role=roles/storage.Admin ``` -------------------------------- ### Get Target Bucket Name Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/bq-exfil-demo/README.md Retrieves the name of the target Google Cloud Storage bucket from Terraform's state output. This is a prerequisite for subsequent data exfiltration attempts. ```bash terraform output target_bucket ``` -------------------------------- ### Configure VPC Service Controls with Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/simple_example/README.md This snippet shows the basic Terraform configuration for the VPC Service Controls module. It defines input variables such as access level name, dataset ID, members, parent ID, perimeter name, policy name, protected project details, and regions. The module provisions an organization policy, an access level, a regular perimeter, and a BigQuery resource within the perimeter. ```Terraform module "vpc_service_controls" { source = "../.." access_level_name = "terraform_members" dataset_id = "sample_dataset" members = ["user:test@example.com"] parent_id = "organizations/123456789" perimeter_name = "regular_perimeter_1" policy_name = "my_vpc_policy" protected_project_ids = { id = "protected-project-id" number = 1234567890 } regions = ["US"] } ``` -------------------------------- ### Terraform Configuration for VPC Service Controls Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/scoped_example_with_egress_rule/README.md This Terraform configuration sets up VPC Service Controls, including defining access levels, perimeters, and egress rules. It requires specifying parent organization ID, protected and public project details, and bucket names. The module manages the creation of these resources within Google Cloud. ```terraform module "vpc_service_controls" { source = "../../" policy_name = "example-policy" parent_id = "organizations/1234567890" members = ["user:test-user@example.com"] perimeter_name = "regular_perimeter_e" access_level_name = "terraform_members_e" access_level_name_dry_run = "terraform_members_e_dry_run" buckets_names = ["bucket1-e", "bucket2-e"] buckets_prefix = "test-bucket-e" regions = ["US", "EU"] scopes = ["folders/123456789"] protected_project_ids = { id = "protected-project-id" number = 111111111111 } public_project_ids = { id = "public-project-id" number = 222222222222 } } output "policy_id" { description = "Resource name of the AccessPolicy." value = module.vpc_service_controls.policy_id } output "policy_name" { description = "Name of the parent policy." value = module.vpc_service_controls.policy_name } output "protected_project_id" { description = "Project id of the project INSIDE the regular service perimeter." value = module.vpc_service_controls.protected_project_id } output "service_perimeter_name" { description = "Service perimeter name." value = module.vpc_service_controls.service_perimeter_name } ``` -------------------------------- ### Create Bridge Service Perimeter (Terraform) Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This configuration sets up a bridge service perimeter to facilitate communication between resources in different regular perimeters. It combines shared resources from multiple perimeters, allowing data exchange across security boundaries. The example demonstrates creating two regular perimeters and then a bridge perimeter to connect them. ```hcl # First perimeter - Production data module "production_perimeter" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id perimeter_name = "production_perimeter" description = "Production data perimeter" resources = ["111111111111"] restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] shared_resources = { all = ["111111111111"] # Resources to share via bridge } } # Second perimeter - Analytics module "analytics_perimeter" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id perimeter_name = "analytics_perimeter" description = "Analytics perimeter" resources = ["222222222222"] restricted_services = ["bigquery.googleapis.com"] shared_resources = { all = ["222222222222"] } } # Bridge perimeter connecting production and analytics module "bridge_perimeter" { source = "terraform-google-modules/vpc-service-controls/google//modules/bridge_service_perimeter" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id perimeter_name = "production_analytics_bridge" description = "Enables data flow between production and analytics" # Combine shared resources from both perimeters resources = concat( module.production_perimeter.shared_resources["all"], module.analytics_perimeter.shared_resources["all"] ) } # Output bridge resources output "bridge_resources" { value = module.bridge_perimeter.resources # Example output: ["111111111111", "222222222222"] } ``` -------------------------------- ### Connect to Bastion Host Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/bq-exfil-demo/README.md Logs into the bastion host using gcloud. This connection is established through Identity-Aware Proxy (IAP) as the bastion instance lacks a public IP address. It also sets the correct GCP project. ```bash gcloud config set project $(terraform output source_project) gcloud compute ssh bastion-vm ``` -------------------------------- ### Generate Module Documentation with Make Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Automatically generates Input and Output tables for module README files. This command should be run whenever module interfaces (variables or outputs) are changed. It relies on the 'make' utility. ```bash make generate_docs ``` -------------------------------- ### Configure Terraform Backend Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/automatic_folder/README.md Copies the sample backend configuration file to 'backend.tf' and updates it to use your specified Google Cloud Storage bucket for state management. This step is essential for remote state storage. ```bash cp backend.tf.sample backend.tf ``` -------------------------------- ### Configure Google Cloud Project Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/automatic_folder/README.md Sets the active Google Cloud project for subsequent gcloud commands. Replace 'YOUR_PROJECT' with your actual project ID. ```bash gcloud config set project YOUR_PROJECT ``` -------------------------------- ### Access BigQuery Data Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/bq-exfil-demo/README.md Queries a BigQuery dataset ('project_1_dataset.cars') from the bastion host. This command verifies that the service account associated with the bastion has the necessary permissions to access BigQuery data. ```bash bq head project_1_dataset.cars ``` -------------------------------- ### Run Linting and Formatting Checks with Make Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Executes linting and formatting checks across various files in the repository to maintain code quality. This command is executed within a Docker container and requires Docker Engine. ```bash make docker_test_lint ``` -------------------------------- ### Enable Google Cloud APIs Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/automatic_folder/README.md Enables the necessary Google Cloud APIs for managing VPC Service Controls, Cloud Functions, and Cloud Resource Manager. These APIs are required for the Terraform and Cloud Function resources to operate correctly. ```bash gcloud services enable cloudresourcemanager.googleapis.com gcloud services enable cloudfunctions.googleapis.com gcloud services enable accesscontextmanager.googleapis.com ``` -------------------------------- ### Configure User Permissions using gcloud Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/README.md This command assigns the 'roles/resourcemanager.organizationViewer' role to a user account for a specific project. This role allows users to view VPC Service Controls and Access Context Manager configurations within the Google Cloud Platform Console. Replace '' and the user email with your specific details. ```bash gcloud projects add-iam-policy-binding \ --member="user:example@domain.com" \ --role="roles/resourcemanager.organizationViewer" ``` -------------------------------- ### Attempt Data Exfiltration (Blocked by VPC SC) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/bq-exfil-demo/README.md Attempts to extract data from the BigQuery 'cars' table to a specified GCS bucket. This operation is expected to fail due to VPC Service Controls preventing data exfiltration to unauthorized locations. ```bash bq extract project_1_dataset.cars BUCKET_URL/cars.csv # Expected Output: # BigQuery error in extract operation: VPC Service Controls: Request is prohibited by organization's policy. ``` -------------------------------- ### Create Google Cloud Storage Bucket for Terraform State Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/automatic_folder/README.md Creates a Google Cloud Storage bucket to store Terraform state files. This is crucial for managing Terraform resources effectively, especially in team environments. Replace 'YOUR_PROJECT' and 'YOUR_BUCKET_NAME' with your specific values. ```bash gsutil mb -p YOUR_PROJECT gs://YOUR_BUCKET_NAME ``` -------------------------------- ### Export Service Account Credentials for Testing Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Exports Google Cloud service account credentials to an environment variable. This is a prerequisite for setting up the test environment and requires a JSON key file for the service account. ```bash export SERVICE_ACCOUNT_JSON=$(< credentials.json) ``` -------------------------------- ### Configure VPC Service Controls with Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/README.md This snippet demonstrates the basic usage of the terraform-google-vpc-service-controls module. It sets up the root module for the Access Context Manager policy and then uses submodules to define access levels and a regular service perimeter. It requires the Google provider and specifies dependencies on other modules. ```hcl provider "google" { version = "~> 3.19.0" } module "org_policy" { source = "terraform-google-modules/vpc-service-controls/google" parent_id = var.parent_id policy_name = var.policy_name } module "access_level_members" { source = "terraform-google-modules/vpc-service-controls/google//modules/access_level" policy = module.org_policy.policy_id name = "terraform_members" members = var.members } module "regular_service_perimeter_1" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" policy = module.org_policy.policy_id perimeter_name = "regular_perimeter_1" description = "Perimeter shielding projects" resources = ["1111111"] access_levels = [module.access_level_members.name] restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] shared_resources = { all = ["11111111"] } } ``` -------------------------------- ### Import Service Perimeter Resources (Terraform) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/docs/upgrading_to_v4.0.md This snippet provides the Terraform import commands required after upgrading to v4.x. When you run `terraform plan`, Terraform will detect new `google_access_context_manager_service_perimeter_resource` resources. These need to be imported into the Terraform state to manage them correctly. ```Terraform terraform import 'module.bridge.google_access_context_manager_service_perimeter_resource.service_perimeter_resource["one"]' 'accessPolicies/209696272439/servicePerimeters/bridge_perimeter_1/projects/34502780858' terraform import 'module.bridge.google_access_context_manager_service_perimeter_resource.service_perimeter_resource["two"]' 'accessPolicies/209696272439/servicePerimeters/bridge_perimeter_1/projects/843696391937' terraform import 'module.regular_service_perimeter_1.google_access_context_manager_service_perimeter_resource.service_perimeter_resource["34502780858"]' 'accessPolicies/209696272439/servicePerimeters/regular_perimeter_1/projects/34502780858' ``` -------------------------------- ### Configure Dry-Run VPC Accessible Services in Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Sets up a dry-run configuration for VPC Accessible Services in Terraform. This allows testing access restrictions without enforcing them, using options like allowing any service (`"*"`), restricting to a predefined list (`"RESTRICTED-SERVICES"`), or disallowing all services (`[]`). ```terraform vpc_accessible_services_dry_run = [ "*" ] ``` -------------------------------- ### Define Terraform Variables Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/automatic_folder/README.md Creates a local 'terraform.tfvars' file to define input variables for your Terraform configuration. This includes project, organization, and folder IDs, as well as policy details and restricted services. ```tf project_id = "YOUR_PROJECT" org_id = "ORG_ID" folder_id = "FOLDER_ID" policy_name = "automatic_folder" members = ["user:YOUR_NAME@google.com"] region = "us-east1" restricted_services = ["storage.googleapis.com"] ``` -------------------------------- ### Add Delay for API Propagation using time_sleep Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This resource introduces a delay to allow for API propagation, ensuring that subsequent resources are created after necessary changes have taken effect. It is often used before creating VPC Service Controls perimeters to avoid race conditions. The duration can be configured for both creation and destruction phases. ```hcl resource "time_sleep" "wait_for_access_levels" { create_duration = "60s" destroy_duration = "60s" depends_on = [module.admin_access, module.corp_network_access] } ``` -------------------------------- ### Update Module Version and Add Resource Keys (Terraform) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/docs/upgrading_to_v4.0.md This snippet demonstrates how to update the version of the VPC Service Controls module and add the `resource_keys` variable when resources are defined within the same Terraform configuration as the perimeter. This is necessary because resources are now created using `for_each` and their values are only known after apply. ```Terraform module "regular_service_perimeter_2" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 4.0" ... resources = [module.project_two.project_number, module.project_three.project_number] resource_keys = ["two", "three"] } module "bridge" { source = "terraform-google-modules/vpc-service-controls/google//modules/bridge_service_perimeter" version = "~> 4.0" ... resources = concat( module.regular_service_perimeter_1.shared_resources["all"], module.regular_service_perimeter_2.shared_resources["all"], ) resource_keys = ["one", "two", "three"] } ``` -------------------------------- ### Create Device Policy Access Level with Terraform Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This module creates an access level with device security requirements. It enforces corporate device ownership, screen lock, and encryption policies, and can specify allowed operating systems and minimum versions. ```hcl module "access_level_device" { source = "terraform-google-modules/vpc-service-controls/google//modules/access_level" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id name = "secure_device_level" description = "Requires compliant corporate devices" members = ["user:admin@example.com"] # Device policy requirements require_corp_owned = true require_screen_lock = true # Allowed encryption statuses: ENCRYPTED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED allowed_encryption_statuses = ["ENCRYPTED"] # Allowed management levels: NONE, BASIC, COMPLETE allowed_device_management_levels = ["COMPLETE", "BASIC"] # OS requirements os_type = "DESKTOP_CHROME_OS" # Options: OS_UNSPECIFIED, DESKTOP_MAC, DESKTOP_WINDOWS, DESKTOP_LINUX, DESKTOP_CHROME_OS, ANDROID, IOS minimum_version = "100.0.0" } ``` -------------------------------- ### Create VPC Network Access Level with Terraform Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This module creates an access level that allows access from specific VPC network sources. It takes a network ID and a list of IP address ranges within that network. If no IP ranges are specified, all subnets within the VPC are allowed. ```hcl module "access_level_vpc" { source = "terraform-google-modules/vpc-service-controls/google//modules/access_level" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id name = "vpc_network_level" description = "Access from authorized VPC networks" vpc_network_sources = { "production_vpc" = { network_id = "projects/my-project/global/networks/production-vpc" ip_address_ranges = [ "10.0.0.0/24", "10.0.1.0/24" ] } "development_vpc" = { network_id = "projects/my-project/global/networks/dev-vpc" # Empty ip_address_ranges means all subnets in this VPC } } } # Output the created access level resource output "vpc_access_level" { value = module.access_level_vpc.access_level } ``` -------------------------------- ### Create Access Context Manager Policy (Terraform) Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This Terraform code creates the root Access Context Manager policy resource, which is essential for organizing access levels and service perimeters. It supports both organization-level and scoped policies (folders/projects). ```hcl module "access_context_manager_policy" { source = "terraform-google-modules/vpc-service-controls/google" version = "~> 7.0" parent_id = "123456789012" # Your GCP organization ID policy_name = "my_vpc_sc_policy" } module "scoped_access_policy" { source = "terraform-google-modules/vpc-service-controls/google" version = "~> 7.0" parent_id = "123456789012" policy_name = "scoped_policy" scopes = ["folders/987654321098"] # Or "projects/123456789" } output "policy_id" { value = module.access_context_manager_policy.policy_id } output "policy_name" { value = module.access_context_manager_policy.policy_name } ``` -------------------------------- ### Deploy VPC Service Controls Access Level Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/access_level/README.md This snippet demonstrates how to configure and deploy an access level using the VPC Service Controls Terraform module. It requires the Google provider and defines the parent policy and access level details. ```hcl provider "google" { version = "~> 2.5.0" } module "org_policy" { source = "terraform-google-modules/vpc-service-controls/google" parent_id = var.parent_id policy_name = var.policy_name } module "access_level_members" { source = "terraform-google-modules/vpc-service-controls/google//modules/access_level" policy = module.org_policy.policy_id name = "terraform_members" members = ["serviceAccount:", "user:"] } ``` -------------------------------- ### Configure Regular Service Perimeter with Dry-Run (Terraform) Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This module configures a regular service perimeter with dry-run mode enabled. It allows testing policy changes by logging potential violations without enforcing them, minimizing risk to production traffic. Dependencies include the Access Context Manager policy and defined access levels. ```hcl module "perimeter_with_dry_run" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id perimeter_name = "staged_perimeter" description = "Perimeter with dry-run for testing" # Enforced configuration (currently active) resources = ["123456789012"] access_levels = [module.access_level_members.name] restricted_services = ["storage.googleapis.com"] # Dry-run configuration (logged but not enforced) resources_dry_run = ["123456789012", "234567890123"] # Test adding new project access_levels_dry_run = [module.access_level_dry_run.name] restricted_services_dry_run = ["storage.googleapis.com", "bigquery.googleapis.com"] ingress_policies_dry_run = [ { title = "Test new ingress rule" from = { identities = ["serviceAccount:new-service@project.iam.gserviceaccount.com"] sources = { access_levels = [module.access_level_dry_run.name] } } to = { resources = ["*"] operations = { "storage.googleapis.com" = { methods = ["google.storage.objects.get"] } } } } ] ingress_policies_keys_dry_run = ["test_ingress_rule"] vpc_accessible_services_dry_run = ["RESTRICTED-SERVICES"] shared_resources = { all = ["123456789012"] } } ``` -------------------------------- ### Set Google Cloud Test Environment Variables Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md Sets essential environment variables required for Google Cloud testing, including organization ID, folder ID, and billing account ID. These variables are used by Terraform and testing tools. ```bash export TF_VAR_org_id="your_org_id" export TF_VAR_folder_id="your_folder_id" export TF_VAR_billing_account="your_billing_account_id" ``` -------------------------------- ### Configure Regular Service Perimeter with Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md This snippet demonstrates how to configure a regular service perimeter using the `regular_service_perimeter` module. It requires the `google` provider and specifies resources, restricted services, ingress/egress policies, and shared resources. The `parent_id` and `policy_name` are passed from a parent `org_policy` module. ```hcl provider "google" { version = "~> 2.5.0" } module "org_policy" { source = "terraform-google-modules/vpc-service-controls/google" parent_id = var.parent_id policy_name = var.policy_name } module "regular_service_perimeter_1" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" policy = module.org_policy.policy_id perimeter_name = "regular_perimeter_1" description = "Some description" resources = ["1111111111"] restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] ingress_policies = [{ "from" = { "sources" = { resources = [ "projects/688789777678", "projects/557367936583" ], access_levels = [ "some_access_level_name" ] }, "identity_type" = "" "identities" = ["some_user_identity or service account"] } "to" = { "operations" = { "bigquery.googleapis.com" = { "methods" = [ "BigQueryStorage.ReadRows", "TableService.ListTables" ], "permissions" = [ "bigquery.jobs.get" ] } "storage.googleapis.com" = { "methods" = [ "google.storage.objects.create" ] } } } }, ] egress_policies = [{ "from" = { "identity_type" = "" "identities" = ["some_user_identity or service account"] }, "to" = { "resources" = ["*"] "operations" = { "bigquery.googleapis.com" = { "methods" = [ "BigQueryStorage.ReadRows", "TableService.ListTables" ], "permissions" = [ "bigquery.jobs.get" ] } "storage.googleapis.com" = { "methods" = [ "google.storage.objects.create" ] } } } }, ] shared_resources = { all = ["1111111111"] } } ``` -------------------------------- ### Create Regular Service Perimeter with Terraform Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This module creates a regular service perimeter to protect GCP resources. It defines which projects are protected, which access levels can bypass the perimeter, which services are restricted, and which VPC accessible services are allowed. ```hcl module "regular_service_perimeter" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id perimeter_name = "data_protection_perimeter" description = "Protects sensitive data projects" # Project numbers to protect (not project IDs) resources = [ "123456789012", "234567890123" ] # Access levels that can bypass the perimeter access_levels = [ module.access_level_members.name, module.access_level_ip.name ] # Services restricted within the perimeter restricted_services = [ "bigquery.googleapis.com", "storage.googleapis.com", "compute.googleapis.com", "cloudfunctions.googleapis.com" ] # VPC accessible services (use ["*"] to allow all, [] to block all) vpc_accessible_services = ["storage.googleapis.com", "bigquery.googleapis.com"] # Resources to share with bridge perimeters shared_resources = { all = ["123456789012", "234567890123"] } } # Outputs output "perimeter_name" { value = module.regular_service_perimeter.perimeter_name } output "protected_resources" { value = module.regular_service_perimeter.resources } ``` -------------------------------- ### Authenticate Terraform to Google Cloud Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/examples/automatic_folder/README.md This snippet shows how to authenticate Terraform to your Google Cloud environment using a service account key. Ensure the service account has the necessary roles: Access Context Manager Admin, Editor on the watched project, and Logs Configuration Writer on the watched folder. ```bash export GOOGLE_APPLICATION_CREDENTIALS=~/mykey.json ``` -------------------------------- ### List Projects for Dry-Run VPC Service Perimeter (Terraform) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Defines a list of Google Cloud projects for dry-run mode within a VPC Service Perimeter. This enables testing the effects of perimeter policies on specific projects without actual enforcement. Useful for validating policy configurations. ```terraform resources_dry_run = [ "projects/3333333333", "projects/4444444444" ] ``` -------------------------------- ### List Projects within VPC Service Perimeter (Terraform) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Defines a list of Google Cloud projects to be included within the VPC Service Perimeter. Resources within these projects will be protected by the perimeter's access policies. This is fundamental for defining the scope of the security boundary. ```terraform resources = [ "projects/1111111111", "projects/2222222222" ] ``` -------------------------------- ### Configure Ingress Policies for VPC Service Perimeter (HCL) Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This snippet demonstrates how to configure ingress policies for a regular service perimeter using Terraform. It allows specific inbound access patterns to resources within the perimeter, controlling who and what can access protected services like Cloud Storage and BigQuery. Dependencies include the Access Context Manager policy and defined access levels. ```hcl module "perimeter_with_ingress" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id perimeter_name = "ingress_enabled_perimeter" description = "Perimeter with ingress rules for external access" resources = ["123456789012"] restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"] access_levels = [module.access_level_members.name] ingress_policies = [ { title = "Allow storage read from anywhere" from = { identities = [ "user:external-analyst@partner.com", "serviceAccount:data-pipeline@external-project.iam.gserviceaccount.com" ] sources = { access_levels = ["*"] # Allow from any access level } } to = { resources = ["*"] # All resources in perimeter operations = { "storage.googleapis.com" = { methods = [ "google.storage.objects.get", "google.storage.objects.list" ] } } } }, { title = "Allow BigQuery access from specific project" from = { sources = { resources = ["projects/987654321098"] } identity_type = "ANY_SERVICE_ACCOUNT" } to = { resources = ["projects/123456789012"] operations = { "bigquery.googleapis.com" = { permissions = [ "bigquery.datasets.get", "bigquery.tables.get", "bigquery.tables.getData", "bigquery.tables.list" ] } } } } ] shared_resources = { all = ["123456789012"] } } ``` -------------------------------- ### Grant Organization Level Permissions using gcloud Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/README.md This command grants the 'roles/accesscontextmanager.policyAdmin' role to a specified service account at the organization level. This permission is required to create and manage VPC Service Controls policies. Ensure you replace 'ORGANIZATION_ID' and the service account email with your actual values. ```bash gcloud organizations add-iam-policy-binding ORGANIZATION_ID \ --member="serviceAccount:example@project_id.iam.gserviceaccount.com" \ --role="roles/accesscontextmanager.policyAdmin" ``` -------------------------------- ### Configure Dry-Run Restricted Services for VPC Service Controls (Terraform) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Specifies a list of Google Cloud services for dry-run mode within VPC Service Perimeters. This allows for testing the impact of restricting services without enforcing the policy. It's a safe way to evaluate security configurations. ```terraform restricted_services_dry_run = [ "pubsub.googleapis.com", "cloudsqladmin.googleapis.com" ] ``` -------------------------------- ### Configure Bridge Service Perimeter with Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/bridge_service_perimeter/README.md This HCL code defines the configuration for a bridge service perimeter using the terraform-google-modules. It specifies the parent policy, perimeter name, description, and the GCP resources to be included. It also demonstrates how to integrate with other regular service perimeters. ```hcl provider "google" { version = "~> 2.5.0" } module "org_policy" { source = "terraform-google-modules/vpc-service-controls/google" parent_id = var.parent_id policy_name = var.policy_name } module "bridge_service_perimeter_1" { source = "terraform-google-modules/vpc-service-controls/google//modules/bridge_service_perimeter" policy = module.org_policy.policy_id perimeter_name = "bridge_perimeter_1" description = "Some description" resources = [ module.regular_service_perimeter_1.shared_resources["all"], module.regular_service_perimeter_2.shared_resources["all"], ] } module "regular_service_perimeter_1" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" policy = module.org_policy.policy_id perimeter_name = "regular_perimeter_1" description = "Some description" resources = ["1111111111"] restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] shared_resources = { all = ["1111111111"] } } module "regular_service_perimeter_2" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" policy = module.org_policy.policy_id perimeter_name = "regular_perimeter_2" description = "Some description" resources = ["222222222222"] restricted_services = ["storage.googleapis.com"] shared_resources = { all = ["222222222222"] } } ``` -------------------------------- ### Define Dry-Run Ingress Policies for VPC Service Controls (Terraform) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Defines a list of ingress policies for VPC Service Controls in dry-run mode. This allows testing policy changes without enforcing them. The structure is identical to regular ingress policies, enabling validation of access rules before production deployment. ```terraform ingress_policies_dry_run = [ { from = { sources = { resources = ["projects/0987654321"] access_levels = ["another_access_level"] } identity_type = "ANY_SERVICE_ACCOUNT" identities = ["serviceAccount:my-service@my-project.iam.gserviceaccount.com"] } to = { resources = ["*"] operations = { "bigquery.googleapis.com" = { methods = ["bigquery.tables.getData"] permissions = [] } } } } ] ``` -------------------------------- ### Define Ingress Policies for VPC Service Controls (Terraform) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Defines a list of ingress policies for VPC Service Controls. Each policy specifies 'from' and 'to' conditions for network traffic. Supports specifying sources, identities, and operations for granular access control. This configuration is crucial for enforcing network security boundaries. ```terraform ingress_policies = [ { from = { sources = { resources = ["projects/1234567890"] access_levels = ["my_access_level"] } identity_type = "ANY_USER_ACCOUNT" identities = ["user:test@example.com"] } to = { resources = ["*"] operations = { "storage.googleapis.com" = { methods = ["storage.objects.get"] permissions = [] } } } } ] ``` -------------------------------- ### Configure VPC Service Controls Dry-Run Access Levels in Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Specifies a list of AccessLevel resource names for dry-run mode in VPC Service Controls using Terraform. Similar to regular access levels, these define which external access points are allowed during a dry-run, helping to test policy impacts without enforcement. ```terraform [ "accessPolicies/my-policy/accessLevels/my-dryrun-level" ] ``` -------------------------------- ### Output Production Perimeter Name Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This output block provides the name of the configured production VPC Service Controls perimeter. This can be useful for referencing the perimeter in other parts of your infrastructure or for auditing purposes. ```hcl output "production_perimeter" { value = module.production.perimeter_name } ``` -------------------------------- ### Configure VPC Service Controls Access Levels in Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Specifies a list of AccessLevel resource names that permit access to resources within a Service Perimeter from the internet using Terraform. Access levels must reside in the same policy as the Service Perimeter. Referencing a non-existent AccessLevel will result in a syntax error. ```terraform [ "accessPolicies/my-policy/accessLevels/my-level" ] ``` -------------------------------- ### Configure Restricted VPC Accessible Services in Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Specifies a list of VPC Accessible Services to be restricted within a VPC Network using Terraform. Options include allowing any service (`"*"`), restricting to a predefined list (`"RESTRICTED-SERVICES"`), or disallowing all services (`[]`). ```terraform vpc_accessible_services = [ "*" ] ``` -------------------------------- ### Configure VPC Service Controls Dry-Run Egress Policies in Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Defines egress policies for VPC Service Controls in dry-run mode using Terraform. This input allows testing egress policy configurations without enforcing them, providing visibility into potential policy violations. It uses the same structure as regular egress policies. ```terraform { title = "Dry-run access to GCS" from = { identity_type = "ANY_USER_ACCOUNT" } to = { resources = ["projects/my-project/buckets/my-bucket"] operations = { "storage.googleapis.com" = { methods = ["storage.objects.get"] } } } } ``` -------------------------------- ### Define Data Warehouse VPC Service Controls Perimeter Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This configuration sets up a 'data_warehouse' VPC Service Controls perimeter focused on analytics. It includes specific GCP resources, access levels, and restricted services relevant to data warehousing. Ingress policies are defined to allow data ingestion from the production environment. ```hcl module "data_warehouse" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 7.0" policy = module.org_policy.policy_id perimeter_name = "data_warehouse" description = "Data warehouse for analytics" resources = ["222222222222"] access_levels = [module.admin_access.name] restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] ingress_policies = [ { title = "Allow production data ingestion" from = { sources = { resources = ["projects/111111111111"] } identity_type = "ANY_SERVICE_ACCOUNT" } to = { resources = ["*"] operations = { "bigquery.googleapis.com" = { methods = ["*"] } "storage.googleapis.com" = { methods = ["*"] } } } } ] shared_resources = { all = ["222222222222"] } depends_on = [time_sleep.wait_for_access_levels] } ``` -------------------------------- ### Configure VPC Service Controls Egress Policies in Terraform Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Defines egress policies for VPC Service Controls using Terraform. This input allows specifying detailed rules for traffic originating from within a perimeter to external resources or services. It supports granular control over allowed services, methods, and permissions. ```terraform { title = "Allow access to GCS" from = { identity_type = "ANY_USER_ACCOUNT" } to = { resources = ["projects/my-project/buckets/my-bucket"] operations = { "storage.googleapis.com" = { methods = ["storage.objects.get"] } } } } ``` -------------------------------- ### Configure Egress Policies for VPC Service Perimeter (HCL) Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This snippet illustrates how to configure egress policies for a regular service perimeter using Terraform. It controls outbound access from resources within the perimeter to external resources, enabling secure data transfers to approved destinations. Key inputs include the perimeter's resources, restricted services, and specific external destinations. ```hcl module "perimeter_with_egress" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 7.0" policy = module.access_context_manager_policy.policy_id perimeter_name = "egress_enabled_perimeter" description = "Perimeter with controlled egress" resources = ["123456789012"] restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"] access_levels = [module.access_level_members.name] egress_policies = [ { title = "Allow storage access to external bucket" from = { sources = { resources = ["projects/123456789012"] } identity_type = "ANY_SERVICE_ACCOUNT" } to = { resources = ["projects/987654321098"] # External project operations = { "storage.googleapis.com" = { methods = [ "google.storage.objects.get", "google.storage.objects.list", "google.storage.objects.create" ] } } } }, { title = "Allow BigQuery export with specific permissions" from = { sources = { resources = ["projects/123456789012"] } identity_type = "ANY_SERVICE_ACCOUNT" } to = { resources = ["projects/987654321098"] operations = { "bigquery.googleapis.com" = { permissions = [ "bigquery.datasets.get", "bigquery.models.getData", "bigquery.models.getMetadata", "bigquery.tables.get", "bigquery.tables.getData", "bigquery.tables.list" ] } } external_resources = ["s3://partner-bucket"] # External cloud resources } } ] shared_resources = { all = ["123456789012"] } } ``` -------------------------------- ### Configure Restricted Services for VPC Service Controls (Terraform) Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/modules/regular_service_perimeter/README.md Specifies a list of Google Cloud services that will be subject to VPC Service Perimeter restrictions. This ensures that access to sensitive services like Cloud Storage or BigQuery is controlled by the defined perimeter policies. Essential for data exfiltration prevention. ```terraform restricted_services = [ "storage.googleapis.com", "bigquery.googleapis.com", "cloudkms.googleapis.com" ] ``` -------------------------------- ### Define Production VPC Service Controls Perimeter Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This configuration defines a 'production' VPC Service Controls perimeter with strict restrictions. It specifies the policy, perimeter name, description, associated GCP resources, allowed access levels, restricted services, and egress policies for controlled data export. It depends on a time_sleep resource to ensure API propagation. ```hcl module "production" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 7.0" policy = module.org_policy.policy_id perimeter_name = "production" description = "Production environment - highly restricted" resources = ["111111111111"] access_levels = [ module.admin_access.name, module.corp_network_access.name ] restricted_services = [ "bigquery.googleapis.com", "storage.googleapis.com", "compute.googleapis.com", "container.googleapis.com", "cloudfunctions.googleapis.com", "run.googleapis.com" ] vpc_accessible_services = ["RESTRICTED-SERVICES"] egress_policies = [ { title = "Allow export to data warehouse" from = { identity_type = "ANY_SERVICE_ACCOUNT" } to = { resources = ["projects/222222222222"] operations = { "bigquery.googleapis.com" = { methods = ["*"] } } } } ] shared_resources = { all = ["111111111111"] } depends_on = [time_sleep.wait_for_access_levels] } ``` -------------------------------- ### Output VPC Service Controls Policy ID Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This output block exposes the ID of the organization's VPC Service Controls policy. This ID is typically used to reference the policy when configuring other resources or perimeters within the same organization. ```hcl output "policy_id" { value = module.org_policy.policy_id } ``` -------------------------------- ### Output Data Warehouse Perimeter Name Source: https://context7.com/terraform-google-modules/terraform-google-vpc-service-controls/llms.txt This output block exposes the name of the data warehouse VPC Service Controls perimeter. This allows for easy reference to the data warehouse perimeter in other Terraform configurations or for monitoring and management. ```hcl output "data_warehouse_perimeter" { value = module.data_warehouse.perimeter_name } ``` -------------------------------- ### Remove Google Cloud Organization Access Policy Source: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/main/CONTRIBUTING.md A utility function to remove an Access Policy from a Google Cloud organization. This is typically used for cleanup after integration testing. ```bash remove_gcloud_org_accesspolicy ```