FAQ.md

Frequently Asked Questions

How do I use an existing VPC-SC service perimeter instead of the perimeter auto-created by the Secured Data Warehouse module?

The Secured Data Warehouse has inputs to use an existing VPC-SC service perimeter:

• data_ingestion_perimeter
• data_governance_perimeter
• data_perimeter

On your existing VPC-SC service perimeter:

• Configure the additional services from the Secured Data Warehouse that need to be protected
• Add the terraform service account to the access level member list for this perimeter. The service account must be in the access level member list before this perimeter can be used in this module.
• Add an egress rule to allow access to external Dataflow templates using Cloud Storage API, see How do I call a Google service protected by the perimeters from a project outside of the auto-created perimeters?.

How do I add new projects to one of the auto-created perimeters?

Use the Terraform resource google_access_context_manager_service_perimeter_resource to add add new projects to the perimeter.

Each auto-created perimeter has an output for its name:

• data_ingestion_service_perimeter_name
• data_governance_service_perimeter_name
• service_perimeter_name

Example

resource "google_access_context_manager_service_perimeter_resource" "service-perimeter-resource" {
  perimeter_name = "accessPolicies/ACCESS-CONTEXT-MANAGER-POLICY-ID/servicePerimeters/PERIMETER-NAME"
  resource       = "projects/PROJECT-NUMBER"
}

As an alternative, the Google Cloud Project Factory Terraform Module also allows for the inclusion of a new project in an existing perimeter.

Note: use the input additional_restricted_services for additional services from your project that need to be protected by the service perimeter.

How do I call a Google service protected by the perimeters from a project outside of the auto-created perimeters?

To be able to call a Google service from a project outside of the perimeter you will need to configure an egress rule that allows communication to the external service.

Each perimeter has an input for a list of egress rules:

• data_ingestion_egress_policies
• data_governance_egress_policies
• data_egress_policies

Example of an egress rule that allows reading from a private bucket outside of the project:

[
    {
      "from" = {
        "identity_type" = ""
        "identities" = ["user:YOUR-EMAIL","serviceAccount:YOUR-SERVICE-ACCOUNT-EMAIL"]
      },
      "to" = {
        "resources" = ["projects/TARGET-PROJECT-NUMBER"]
        "operations" = {
          "storage.googleapis.com" = {
            "methods" = [
              "google.storage.objects.get"
            ]
          }
        }
      }
    }
]

The format is the same one used in the module terraform-google-vpc-service-controls.

Use the VPC-SC error created when trying to access a service to find out the information for the egress rule:

• The identities that where trying to access the Google API service.
• The Google API service blocked.
• The Google API method blocked.

The error will have a component like:

Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: UNIQUE-IDENTIFIER

Use the Unique Identifier UNIQUE-IDENTIFIER value in the Troubleshoot page to obtain the details regarding the policy violation.

Note: Some API methods may not be directly available to be added to the egress rule. In this case use "methods" = ["*"].