
Deployment of access levels and service control perimeter should be optional and "allowed services" parameterizable #1185

Closed
mromascanu123 opened this issue Apr 10, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@mromascanu123

TL;DR

In module 3-networks-hub-and-spoke/modules/restricted_shared_vpc (and the same in 3-networks-dual-svpc/modules/restricted_shared_vpc) there is no option to conditionally enable the deployment of SCP and access levels.
Moreover: why hardcode vpc_accessible_services = ["RESTRICTED-SERVICES"]? Shouldn't it be configurable? The default is "*".

Terraform Resources

https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google/latest/submodules/regular_service_perimeter?tab=inputs

Detailed design

Add an enablement variable

Additional information

No response

@mromascanu123 mromascanu123 added the enhancement New feature or request label Apr 10, 2024
@eeaton
Collaborator

eeaton commented May 20, 2024

I'll close this issue as a duplicate of #1209; I'm tracking work to enable VPCSC in dry-run mode and avoid the friction associated with immediately deploying an enforced VPCSC perimeter.

However, to the specific question:

> why hardcode vpc_accessible_services = ["RESTRICTED-SERVICES"]? Shouldn't it be configurable? The default is "*".

This is a confusingly named convention for vpc_accessible_services, but it's working as intended.
"restricted services" means API traffic for this service cannot cross the perimeter.
"VPC accessible services" means that API endpoints can be reached from a VPC inside the perimeter.
vpc_accessible_services = ["RESTRICTED-SERVICES"] is the recommended convention to ensure these two settings align. The string "RESTRICTED-SERVICES" is equivalent to listing out all the services already configured for this perimeter as restricted. So only the endpoints for Google APIs can be reached from the VPC if they are restricted in the perimeter.

This helps avoid exfiltration paths that could happen with vpc_accessible_services = * such as:

  • Google Cloud APIs that are not compatible with VPCSC might be accessed from the customer VPC inside the perimeter, leading to exfiltration
  • New services will be created in the future with VPCSC support, but are not restricted in the customer's specific perimeter until they configure it. Without vpc_accessible_services = ["RESTRICTED-SERVICES"], a new service might suddenly create an exfiltration path tomorrow where there was none today

@eeaton eeaton closed this as completed May 20, 2024
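As an added illustration of both points in this thread (the enablement variable the issue asks for, and the RESTRICTED-SERVICES alignment explained in the reply), here is how an opt-in perimeter with a configurable but safe-by-default vpc_accessible_services could be wired on the raw google_access_context_manager_service_perimeter resource. This is example code, not the terraform-example-foundation module's own code nor the vpc-service-controls module; the policy id, perimeter name, project number and service list are placeholders, and the validation rule rejecting "*" is a design choice made here.

```hcl
# Added example, not the foundation module's code: an opt-in service perimeter
# whose VPC-accessible services are configurable but default to the safe convention.

variable "enable_vpc_sc" {
  description = "Deploy the service perimeter at all (the enablement variable requested in the issue)."
  type        = bool
  default     = false
}

variable "access_policy_id" {
  description = "Numeric Access Context Manager policy id (placeholder value)."
  type        = string
  default     = "ACCESS_POLICY_ID_PLACEHOLDER"
}

variable "perimeter_projects" {
  description = "Project numbers placed inside the perimeter (placeholder value)."
  type        = list(string)
  default     = ["projects/111111111111"]
}

variable "restricted_services" {
  description = "Google APIs whose traffic may not cross the perimeter (placeholder list)."
  type        = list(string)
  default     = ["storage.googleapis.com", "bigquery.googleapis.com"]
}

variable "vpc_accessible_services" {
  description = "APIs reachable from VPCs inside the perimeter. Defaults to the RESTRICTED-SERVICES alias so this list stays aligned with restricted_services."
  type        = list(string)
  default     = ["RESTRICTED-SERVICES"]

  # Design choice in this example: an explicit service list or the alias is
  # accepted, but "*" is rejected because it reopens the exfiltration paths
  # described in the comment above (APIs without VPC-SC support, and services
  # added later that are not yet restricted in this perimeter).
  validation {
    condition     = !contains(var.vpc_accessible_services, "*")
    error_message = "Use [\"RESTRICTED-SERVICES\"] or an explicit list of services; \"*\" exposes every Google API from inside the perimeter."
  }
}

resource "google_access_context_manager_service_perimeter" "restricted" {
  # count makes the whole perimeter optional: with enable_vpc_sc = false
  # nothing is created, which is the enablement switch the issue asks for.
  count = var.enable_vpc_sc ? 1 : 0

  parent         = "accessPolicies/${var.access_policy_id}"
  name           = "accessPolicies/${var.access_policy_id}/servicePerimeters/restricted_example"
  title          = "restricted_example"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    resources           = var.perimeter_projects
    restricted_services = var.restricted_services

    # enable_restriction = true with the RESTRICTED-SERVICES alias means:
    # from a VPC inside the perimeter, only the APIs listed in
    # restricted_services are reachable, and the two lists cannot drift apart.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = var.vpc_accessible_services
    }
  }
}

# Weak counterpart, shown for contrast only. This is what the module's "*"
# default amounts to: no restriction on which APIs a VPC inside the perimeter
# can reach, so any API that is not restricted here is an egress path.
#
#   vpc_accessible_services {
#     enable_restriction = false
#   }
```

With enable_vpc_sc left at false, terraform plan creates nothing; setting it to true and leaving vpc_accessible_services at its default yields the aligned configuration the reply recommends, while a caller who needs a narrower list can pass explicit service names and still be stopped by the validation if they try "*".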