Fast VPC-SC Layer ideas

[jackspyder]

Helllo,

First off, i like the split of security and VPC-SC, bringing it in early, and ill also say, ive not had much experience with them but ive had a hard requirement to implement them and found the very simple implementation here a little lacking.

My requirement was for a global organisation with a single but distributed data team to have access to several GCS/BQ instances in different geographies and have location based access controls for each datastore. US users can access US stores from the US, eu from eu, etc. VPC-SC was the right call here obviously, but if im reading the fabric layer right, we can't create multiple perimeters. I needed one for each major geography, but also another common usecase would be a dev and prod perimeter for dry run vs enforcement.

to achieve this i simply copied some variables from the underlying module for service perimeter regular:

variable "service_perimeters_regular" {
  description = "Regular service perimeters."
  type = map(object({
    description = optional(string)
    spec = optional(object({
      access_levels       = optional(list(string))
      resources           = optional(list(string))
      restricted_services = optional(list(string))
      egress_policies     = optional(list(string))
      ingress_policies    = optional(list(string))
      vpc_accessible_services = optional(object({
        allowed_services   = list(string)
        enable_restriction = optional(bool, true)
      }))
    }))
    status = optional(object({
      access_levels       = optional(list(string))
      resources           = optional(list(string))
      restricted_services = optional(list(string))
      egress_policies     = optional(list(string))
      ingress_policies    = optional(list(string))
      vpc_accessible_services = optional(object({
        allowed_services   = list(string)
        enable_restriction = bool
      }))
    }))
    use_explicit_dry_run_spec = optional(bool, false)
  }))
  default  = {}
  nullable = false
}

then i simply changed the main.tf

module "vpc-sc" {
  source = "[email protected]:ancoris/fabric-modules.git//modules/vpc-sc?ref=v34.1.0"
  # only enable if the default perimeter is defined
  count         = var.perimeters.default == null ? 0 : 1
  access_policy = var.access_policy
  access_policy_create = var.access_policy != null ? null : {
    parent = "organizations/${var.organization.id}"
    title  = "default"
  }
  access_levels    = var.access_levels
  egress_policies  = var.egress_policies
  factories_config = var.factories_config
  ingress_policies = merge(
    local.fast_ingress_policies,
    var.ingress_policies
  )
  service_perimeters_regular = var.service_perimeters_regular
}

its such a small change, but makes this layer much more useable. I understand the need for simple, as VPC-SC are quite tricky, but i think the strength of fabric is it presents complexity in a simple way. I'd be happy to raise this as a change.

Thoughts?

[ludoo]

One thing you already discovered (and thanks for validating our approach!) is that the stage is small and legible enough to lend itself easily to changes.

Your approach works, but I'm just wondering why you're not using the perimeters variable, and passing in your own default via tfvars that configures the additional perimeters you need and keeps or omits the default one we configure?

[jackspyder]

Good question and i can't quite remember, i think i went on a circular journey on another thread of thinking haha.