Skip to content

refactor: one default common perimeter #1429

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mariammartins wants to merge 124 commits into
base: main
Choose a base branch
from
Open

refactor: one default common perimeter #1429

mariammartins wants to merge 124 commits into from

Conversation

@mariammartins
Copy link
Contributor

@mariammartins mariammartins commented Aug 29, 2025

This PR contains the refactoring of VPC Service Controls, with the creation of a single common perimeter, with all projects inserted in it, with the exception of the cloud build project.

@mariammartins
add service usage consumer role to SA's
1a4b372
@mariammartins
add cicd and seed output prjs numbers
21f33bb
@mariammartins
add cloud nat
aee66cb
@mariammartins
add service control module
21b32d4
@mariammartins
add cicd, seed and parent_id ouputs
ddc929b
@mariammartins
add new nariables related to vpc-sc
1651277
@mariammartins
add perimeter adittional members variable
b701d6e
@mariammartins
upd README
d3771c4
@mariammartins
add service control file
85178d9
@mariammartins
add depends on in projects.tf
97d9f6b
@mariammartins
add SA builder cloud function
e0186cb
@mariammartins
add access context manager in org_policy.tf
c100a00
@mariammartins
add access context manager policy id variable
55ad04a
@mariammartins
updt README
7887d10
@mariammartins
add log sinks identities outputs
948a08f
@mariammartins
upd README
f4b0a95
@mariammartins
upd README with new instructions
3ce8b8d
@mariammartins
add enforce_vpcsc in remote.tf
4144682
@mariammartins
add kms prjs in vpc-sc
ff20ec1
@mariammartins
add secrets prjs in vpc-sc
c6f1ed5
@mariammartins
rm all related to vpc-sc
75e9207
@mariammartins
rm vpc-sc
6d1421e
@mariammartins
fix networks READMES
d7faa72
@mariammartins
add projects to perimeter
b1c3370
@mariammartins
add roles/iam.serviceAccountAdmin proj SA folder level
03fc14c
@mariammartins
upd README with required directional rules instructions to add
5ac971b
@mariammartins
updt README with add direcional rule instructions
1a09eea
@mariammartins
Initialize policy library repo
244f850
@mariammartins
rm enforce_vpc-sc variable from service_control.tf
1a638eb
@mariammartins
add directional policies variables keys
bb808b3
@mariammartins
rm access context manager varible in test files
834e448
@mariammartins
rm access context manager variable references in hub and spoke README
98d570e
@mariammartins
add warning to directional policies dry run variables
0ffcbe0
@mariammartins
add warning to disable dry run directional rules variable before enfo…
b3490ab 
…rced mode
@mariammartins
merge with main
12e002e
@mariammartins
fix lint
88fff0b
@mariammartins
Merge branch 'main' into refactor/one-default-common-perimeter
1705bcc
@mariammartins
rm access context and perimeter variables in shared test
14008d2
@mariammartins
Merge branch 'main' into refactor/one-default-common-perimeter
aa8715c
@mariammartins
updt bootstrap module
6ec4b45
@mariammartins
fix service perimeter name in projects_test.go
dd27a7e
@mariammartins
upd bootstrap module
b36fc8d
@mariammartins
add floating prj number output
a054a54
@mariammartins
add dot in OAuth retry messsage error
99b097e
@mariammartins
add depends_on
255a3ed
@mariammartins
fix retry message error
55e4f5b
@mariammartins
add deletion_protection variabel in folder resources 1-org, updt serv…
0c201c7 
…ice control versions.tf module
@mariammartins
add depends on for cloud build nat instance
62f725f
@mariammartins
fix bootstrap module version
5295db9
@mariammartins
Merge branch 'main' into refactor/one-default-common-perimeter
8734775
@mariammartins
Copy link
Contributor Author

mariammartins commented Sep 30, 2025

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 30, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the VPC Service Controls to use a single, common perimeter, which is a positive architectural simplification. The changes are extensive, touching documentation, Terraform configurations, and helper scripts to align with this new model. However, the implementation introduces some significant issues. There's a critical conflict in the Cloud Build private pool networking where both a managed Cloud NAT and a self-managed NAT VM are configured, which needs to be resolved. More importantly, the new perimeter configuration relies on placeholders in the Terraform code that must be manually updated using scripts in a later step. This approach is brittle, error-prone, and undermines the declarative nature of Infrastructure as Code. I've raised a critical issue to address this architectural flaw. Additionally, there are medium-severity concerns regarding hardcoded IP ranges and the use of a git branch reference instead of a specific tag or commit for a module source.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eeaton eeaton Awaiting requested review from eeaton eeaton is a code owner

@rjerrems rjerrems Awaiting requested review from rjerrems rjerrems is a code owner

@sleighton2022 sleighton2022 Awaiting requested review from sleighton2022 sleighton2022 is a code owner

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mariammartins