feat(TPG>=6.37)!: Add support for ip_filter to storage buckets #403
Conversation
|
should I create test case? |
|
Any timelines when this feature branch would be reviewed and merged ? |
|
/gcbrun |
malikalrizky
force-pushed
the
feat/add-ip-filter-support
branch
from
7ed9cc0 to
972c1eb
Compare
done @q2w |
|
@malikalrizky The integration tests are failing because the apply is failing for both the examples. |
This commit introduces the `ip_filter` functionality to the `google_storage_bucket` resource, allowing for more granular, IP-based access controls. The changes include: - A new `ip_filter` variable in `variables.tf` to define the IP filtering rules. - A dynamic `ip_filter` block in `main.tf` to apply the configuration to the storage buckets. - An update to `versions.tf` to enforce a minimum `terraform-provider-google` version of `6.37.0`, which is required for this feature.
This update expands the `ip_filter` functionality by allowing for dynamic configuration of public network sources. The changes include: - A new `ip_filter` variable in `variables.tf` to define the IP filtering rules. - An updated dynamic block in `main.tf` to apply the public network source settings for allowed IP CIDR ranges.
…and outputs This commit enhances the README.md by adding comprehensive sections for module requirements, inputs, and outputs. Key additions include: - Detailed requirements for Terraform and provider versions. - A complete list of inputs with descriptions and types. - An overview of outputs available from the module.
This update enhances the `ip_filter` configuration by adding support for VPC network sources. The changes include: - A new `vpc_network_sources` variable in `variables.tf` to define VPC-specific IP filtering rules. - An updated dynamic block in `main.tf` to apply the VPC network source settings for allowed IP CIDR ranges.
This commit enhances the `ip_filter` configuration for storage buckets by: - Updating the `ip_filter` variable to include detailed descriptions and examples for public and VPC network sources. - Modifying the minimum required Terraform version to `1.3` and the Google provider version to `6.37.0`. - Adding an example for the `ip_filter` in the README to illustrate its usage. These changes improve the clarity and functionality of the IP filtering feature.
This commit updates the `ip_filter` configuration for storage buckets by adding two new optional parameters: `allow_cross_org_vpcs` and `allow_all_service_agent_access`. These enhancements provide greater flexibility in managing access controls. Additionally, the Google provider version requirement is updated to `6.49.2` to ensure compatibility with these changes.
malikalrizky
force-pushed
the
feat/add-ip-filter-support
branch
from
55d5e3f to
8a9fefb
Compare
This commit adds the `allow_all_service_agent_access` option to the bucket module, enhancing the configuration flexibility for service agents.
This commit modifies the source paths for the cloud storage modules in the `multiple_buckets` and `simple_bucket` examples to use relative paths instead of the Terraform Google Modules repository.
|
@q2w got it. i saw allow_all_service_agent_access is only available on newer provider versions so i'll use the latest one available. I have a question about the example configurations and how they interact with integration tests. Currently, both examples reference the published registry versions:
Question: For integration tests in CI/CD to work properly with new development features (like the new ip_filter fields), should these examples reference the local module paths instead? For example:
Context:
My understanding: Integration tests should validate the current development code, so examples should reference local paths during development. But I want to confirm the correct pattern before updating. What's the recommended approach here? Should I:
Thanks for the guidance! |
|
@malikalrizky The registry module references are replaced with local once before running the integration tests. https://pantheon.corp.google.com/cloud-build/builds/043a2330-1f85-44e1-a852-a87e2ee4d20e;step=0?e=AdcAppManagementForCloudNextLaunch::AdcAppManagementForCloudNextEnabled,AdcCoreForCloudNextLaunch::AdcCoreForCloudNextEnabled,AdcPrivateCatalogLaunch::AdcPrivateCatalogEnabled&project=cloud-foundation-cicd |
|
@malikalrizky Could you run |
…ble formatting This commit updates the source paths for the cloud storage modules in the `multiple_buckets` and `simple_bucket` examples to use the Terraform Google Modules repository. Additionally, it standardizes the formatting of the `allow_cross_org_vpcs` variable in the `variables.tf` files for consistency.
|
@q2w got it. please help review again |
…pport newer releases This commit updates the version constraints for the Google provider in the `metadata.yaml` and `versions.tf` files across the main and simple_bucket modules from `>= 6.49.2, < 7` to `>= 6.9.0, < 8`, ensuring compatibility with newer features and improvements.
…izky/terraform-google-cloud-storage into feat/add-ip-filter-support
This commit updates the formatting of the `allow_cross_org_vpcs` variable in the `metadata.yaml` and `README.md` files across the main and simple_bucket modules for consistency. The change ensures uniformity in the presentation of optional boolean variables.
…google-cloud-storage into feat/add-ip-filter-support
m0ps
force-pushed
the
feat/add-ip-filter-support
branch
from
350a894 to
fec647a
Compare
|
Hey, @q2w! |
|
Thanks @m0ps! I see that the tests are still failing even after enabling allow_all_service_agent_access. This is happening because tests are run using SA provisioned on the fly and doesn't use any service agent to access the buckets. Since this change is time critical and has been tested locally, i would recommend making changes to example and tests in a followup PR. @apeabody What do you think? |
apeabody
changed the title
Co-authored-by: Andrew Peabody <[email protected]>
|
Thanks for checking it, @apeabody and @q2w
I've tried to replicate the Cloud Build setup in our env, and I finally managed to replicate this issue. See the details below.
I'm looking forward to your reply, since this feature is really crucial for us. |
Thanks @m0ps - It looks like it should be possible to bypass the bucket IP filtering rules for the test SA: https://cloud.devsite.corp.google.com/storage/docs/bypass-ip-filter#bypass-filtering-rules. That should permit the SA to complete the required |
|
Thanks for the hint, @apeabody, but as I mentioned in my prev message, it's not as easy as it looks at a glance. While there is a permission that can allow SA to bypass IP filtering, it allows bypassing only the specific API calls:
However, the simple_bucket example includes IAM roles assignment, which performs a setIamPolicy call, which can't be bypassed. So... I've updated examples to keep the |
Thanks for the deep dive @malikalrizky. Yes, I was focused on the provider's |
apeabody
changed the title
5 participants
This commit introduces the
ip_filterfunctionality to thegoogle_storage_bucketresource, allowing for more granular, IP-based access controls.The changes include:
ip_filtervariable invariables.tfto define the IP filtering rules.ip_filterblock inmain.tfto apply the configuration to the storage buckets.versions.tfto enforce a minimumterraform-provider-googleversion of6.37.0, which is required for this feature.