Skip to content

refactor: one default common perimeter #1429

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mariammartins wants to merge 140 commits into
base: main
Choose a base branch
from
Open

refactor: one default common perimeter #1429

mariammartins wants to merge 140 commits into from
+3,099 −2,304

Conversation

@mariammartins
Copy link
Contributor

@mariammartins mariammartins commented Aug 29, 2025
edited
Loading

This PR contains the refactoring of VPC Service Controls, with the creation of a single common perimeter, with all projects inserted in it, with the exception of the cloud build project.

@mariammartins
add service usage consumer role to SA's
1a4b372
@mariammartins
add cicd and seed output prjs numbers
21f33bb
@mariammartins
add cloud nat
aee66cb
@mariammartins
add service control module
21b32d4
@mariammartins
add cicd, seed and parent_id ouputs
ddc929b
@mariammartins
add new nariables related to vpc-sc
1651277
@mariammartins
add perimeter adittional members variable
b701d6e
@mariammartins
upd README
d3771c4
@mariammartins
add service control file
85178d9
@mariammartins
add depends on in projects.tf
97d9f6b
@mariammartins
add SA builder cloud function
e0186cb
@mariammartins
add access context manager in org_policy.tf
c100a00
@mariammartins
add access context manager policy id variable
55ad04a
@mariammartins
updt README
7887d10
@mariammartins
add log sinks identities outputs
948a08f
@mariammartins
upd README
f4b0a95
@mariammartins
upd README with new instructions
3ce8b8d
@mariammartins
add enforce_vpcsc in remote.tf
4144682
@mariammartins
add kms prjs in vpc-sc
ff20ec1
@mariammartins
add secrets prjs in vpc-sc
c6f1ed5
@mariammartins
rm all related to vpc-sc
75e9207
@mariammartins
rm vpc-sc
6d1421e
@mariammartins
fix networks READMES
d7faa72
@mariammartins
add projects to perimeter
b1c3370
@mariammartins
add roles/iam.serviceAccountAdmin proj SA folder level
03fc14c
@mariammartins
upd README with required directional rules instructions to add
5ac971b
@mariammartins
updt README with add direcional rule instructions
1a09eea
@mariammartins
Initialize policy library repo
244f850
@mariammartins
rm enforce_vpc-sc variable from service_control.tf
1a638eb
@mariammartins
add directional policies variables keys
bb808b3
@mariammartins
Copy link
Contributor Author

mariammartins commented Sep 30, 2025

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 30, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the VPC Service Controls to use a single, common perimeter, which is a positive architectural simplification. The changes are extensive, touching documentation, Terraform configurations, and helper scripts to align with this new model. However, the implementation introduces some significant issues. There's a critical conflict in the Cloud Build private pool networking where both a managed Cloud NAT and a self-managed NAT VM are configured, which needs to be resolved. More importantly, the new perimeter configuration relies on placeholders in the Terraform code that must be manually updated using scripts in a later step. This approach is brittle, error-prone, and undermines the declarative nature of Infrastructure as Code. I've raised a critical issue to address this architectural flaw. Additionally, there are medium-severity concerns regarding hardcoded IP ranges and the use of a git branch reference instead of a specific tag or commit for a module source.

@mariammartins
Copy link
Contributor Author

mariammartins commented Dec 24, 2025

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 24, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request is a significant and valuable refactoring of the VPC Service Controls implementation. By centralizing the configuration and creating a single common perimeter, it greatly simplifies the architecture and improves maintainability. The changes across the various stages to support this new model are comprehensive. My review focuses on a few areas for improvement, mainly around security hardening, documentation accuracy, and maintainability of the new Terraform configurations.

@daniel-cit daniel-cit force-pushed the refactor/one-default-common-perimeter branch from 9582a15 to fc2b28e Compare January 22, 2026 22:08
@daniel-cit
Copy link
Contributor

daniel-cit commented Jan 27, 2026

@eeaton Could you PTAL?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daniel-cit daniel-cit daniel-cit left review comments

@eeaton eeaton Awaiting requested review from eeaton eeaton is a code owner

@rjerrems rjerrems Awaiting requested review from rjerrems rjerrems is a code owner

@sleighton2022 sleighton2022 Awaiting requested review from sleighton2022 sleighton2022 is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mariammartins @daniel-cit