
I have a question that is confusing me a little. I have a project locked down at the org level through a perimeter fence. This is to whitelist IP ranges to access a Cloud Storage bucket, as the user has no ability to authenticate through service accounts or APIs and requires streaming of data.

This is fine and working, however I am confused about how to open up access to serverless environments as well inside GCP. The issue in question is Cloud Build. Since the introduction of the perimeter I can no longer run Cloud Build due to a violation of VPC controls. Wondering if anyone can point me in the direction of how to enable this, as obviously whitelisting the entire Cloud Build IP range is not an option?

Jan Hernandez
Seamus O'Connor
  • As I understand it, when you speak about a VPC Perimeter you are speaking of the VPC Service Controls technology (https://cloud.google.com/vpc-service-controls/docs/overview). This can be used to control what can talk to what from a VPC networking perspective. Next you talk about Cloud Build ... I tend to think of Cloud Build as being used to build, test and deploy software as part of a CI/CD pipeline. I am not seeing a core issue. Can you give us a concrete example of just one instance where there is a failure? This will help illustrate your question. – Kolban Nov 20 '19 at 16:53
  • Cloud Build jobs run in a Google-managed project, outside your perimeter. It uses Cloud Storage to get source code when you run `gcloud builds submit`, so if you have set up a perimeter for Cloud Storage it'll fail – LundinCast Nov 20 '19 at 16:59
  • I am using Cloud Build to deploy Terraform, so the backend is stored in GCS; however, I am not able to access GCS using Cloud Build. – Seamus O'Connor Nov 21 '19 at 10:27
  • @SeamusO'Connor are you still facing this issue? Or did you find any workaround to use Cloud Build inside VPC SC? If so, could you please share. – Deena Dhayal Jul 08 '21 at 06:59

4 Answers


You want to create a Perimeter Bridge between the resources that you want to be able to access each other. You can do this in the console or using gcloud as noted in the docs that I linked.

Travis Webb
    Hmmmm, so Cloud Build is currently in the same project. I am guessing you are saying to move this out to another project? I am using Terraform from there, but in this case how can you ever work with Terraform, CI/CD and VPCs? The only way I can think of is to have the storage buckets not in the VPC, but this I can't do in this case – Seamus O'Connor Nov 21 '19 at 10:29

The official documentation mentions that if you use VPC Service Controls, some services are not supported, for example Cloud Build; for this reason the problem started right after you deployed the perimeter.

Jan Hernandez

Hi all, so the answer is this.

What you want to do is set up one project that is locked down by VPC and has no APIs available for ingestion of the IP-whitelisted storage bucket. Then you create a second project that has a VPC but does not disable the Cloud Storage APIs etc. Now from here you can read directly from the IP-whitelisted Cloud Storage bucket in the other project.

Hope this makes sense as I wanted to share back to the awesome guys above who put me on the right track.

Thanks again

Seamus O'Connor
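The layout described in Travis Webb's answer (a perimeter with an IP-based access level, bridged to a second project) combined with the two-project split in the accepted answer, as an added Terraform example that is not code from the original thread. The org ID, project numbers and the 203.0.113.0/24 range are constructed placeholders; the resource types and arguments are those of the Google Terraform provider.

```hcl
locals {
  # Constructed placeholders: replace with a real org ID and project numbers.
  org_id = "123456789012"
  locked = "111111111111" # project number holding the IP-restricted bucket
  build  = "222222222222" # project number where Cloud Build runs
  policy = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
}

resource "google_access_context_manager_access_policy" "org" {
  parent = "organizations/${local.org_id}"
  title  = "org-access-policy"
}

# Access level: only requests from these source ranges may reach the restricted service.
resource "google_access_context_manager_access_level" "allowed_ips" {
  parent = local.policy
  name   = "${local.policy}/accessLevels/allowed_ips"
  title  = "allowed_ips"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"] # placeholder range (TEST-NET-3)
    }
  }
}

# Regular perimeter: Cloud Storage in the locked-down project is reachable only
# from inside the perimeter or from the allowed IP ranges.
resource "google_access_context_manager_service_perimeter" "storage" {
  parent         = local.policy
  name           = "${local.policy}/servicePerimeters/storage"
  title          = "storage"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    resources           = ["projects/${local.locked}"]
    restricted_services = ["storage.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.allowed_ips.name]
  }
}

# Bridge perimeter: joins the two projects so they can exchange data on restricted
# services without opening the bucket to the internet. A bridge lists only resources.
resource "google_access_context_manager_service_perimeter" "build_bridge" {
  parent         = local.policy
  name           = "${local.policy}/servicePerimeters/build_bridge"
  title          = "build_bridge"
  perimeter_type = "PERIMETER_TYPE_BRIDGE"
  status {
    resources = ["projects/${local.locked}", "projects/${local.build}"]
  }
}
```

A bridge only joins projects that are already inside perimeters in your own organisation; whether the Google-managed workers Cloud Build runs on are treated as inside depends on the product's VPC Service Controls support, which the last answer below notes has since been added.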

Cloud Build is now supported by VPC Service Controls: see VPC Service Controls supported products and limitations.

    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/31594611) – Ethan Apr 27 '22 at 20:29