
GCP Onboarding - Ternary Access with GCP VPC Service Controls (VPC-SC)

If your organization has implemented GCP VPC Service Controls (VPC-SC), or is currently considering implementing VPC-SC, we have developed a VPC-SC policy template to quickly onboard Ternary within your security perimeter. Parameters in CODE BLOCKS (SERVICE_ACCOUNT_ID, SOURCE_DATASET_PROJECT_NUMBER) require your input and are unique to your organization. Parameters in bold (the Ternary project IDs, shown in the stanzas below as placeholder values such as 111111111111) will be provided by your Ternary account team. We have a different set of parameters for Americas-based Ternary customers and EU-based Ternary customers. Please ask your Ternary team if you are unsure which region Ternary is hosting your environment in.

The two parameters you will need to provide

  • SERVICE_ACCOUNT_ID - Your Ternary service account ([email protected])
  • SOURCE_DATASET_PROJECT_NUMBER - Your project number containing the BigQuery billing export dataset Ternary will access

Access Level stanza

TERNARY_ALLOWED_SA = {
  combining_function = "AND"
  conditions = [{
    ip_subnetworks         = []
    required_access_levels = null
    # Access Context Manager members are written as serviceAccount:<email>
    members = ["SERVICE_ACCOUNT_ID"]
    negate  = false
    regions = null
  }]
}

Ingress Policy stanza

ternary_policy_in = {
  ingress_from = {
    identity_type = "ANY_IDENTITY"
    sources = {
      # Ternary's project number, provided by your account team
      resource = "projects/111111111111"
    }
  }
  ingress_to = {
    # Your project (number, not ID) containing the BigQuery billing export dataset
    resources = ["projects/SOURCE_DATASET_PROJECT_NUMBER"]
    operations = {
      "bigquery.googleapis.com"             = [{ method = "*" }],
      "bigquerydatatransfer.googleapis.com" = [{ method = "*" }],
      "cloudasset.googleapis.com"           = [{ method = "*" }],
      "cloudresourcemanager.googleapis.com" = [{ method = "*" }],
      "monitoring.googleapis.com"           = [{ method = "*" }],
      "recommender.googleapis.com"          = [{ method = "*" }],
    }
  }
}

Egress Policy stanza

ternary_policy_out = {
  egress_from = {
    identity_type = "ANY_IDENTITY"
  }
  egress_to = {
    # Ternary's project numbers, provided by your account team
    resources = ["projects/111111111111", "projects/222222222222", "projects/333333333333"]
    operations = {
      "bigquery.googleapis.com"             = [{ method = "*" }],
      "bigquerydatatransfer.googleapis.com" = [{ method = "*" }],
      "cloudasset.googleapis.com"           = [{ method = "*" }],
      "cloudresourcemanager.googleapis.com" = [{ method = "*" }],
      "monitoring.googleapis.com"           = [{ method = "*" }],
      "recommender.googleapis.com"          = [{ method = "*" }],
    }
  }
}
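As an added example that is not part of Ternary's template, the following Python renders the ingress and egress stanzas above using the Access Context Manager API field names and runs a pre-flight check on the values you fill in, catching placeholders left in place and non-numeric project references. The service account and project numbers it uses are constructed placeholders.

```python
import re

# The six services granted in the page's ingress_to / egress_to stanzas (method "*" = all methods).
TERNARY_SERVICES = [
    "bigquery.googleapis.com",
    "bigquerydatatransfer.googleapis.com",
    "cloudasset.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "monitoring.googleapis.com",
    "recommender.googleapis.com",
]
PROJECT_RE = re.compile(r"^projects/\d+$")  # VPC-SC resources take project numbers, not project IDs
SA_RE = re.compile(r"^[a-z][-a-z0-9]*@[-a-z0-9.]+\.iam\.gserviceaccount\.com$")


def render_policies(ternary_projects, source_dataset_project_number):
    """Render the ingress/egress stanzas with Access Context Manager API field names."""
    ops = [{"serviceName": s, "methodSelectors": [{"method": "*"}]} for s in TERNARY_SERVICES]
    ingress = {
        "ingressFrom": {"identityType": "ANY_IDENTITY",
                        "sources": [{"resource": f"projects/{ternary_projects[0]}"}]},
        "ingressTo": {"resources": [f"projects/{source_dataset_project_number}"],
                      "operations": ops},
    }
    egress = {
        "egressFrom": {"identityType": "ANY_IDENTITY"},
        "egressTo": {"resources": [f"projects/{p}" for p in ternary_projects],
                     "operations": ops},
    }
    return ingress, egress


def preflight(service_account_id, ternary_projects, source_dataset_project_number):
    """Return a list of problems with the filled-in values; an empty list means they are usable."""
    problems = []
    if not SA_RE.match(service_account_id):
        problems.append(f"SERVICE_ACCOUNT_ID is not a service account email: {service_account_id!r}")
    ingress, egress = render_policies(ternary_projects, source_dataset_project_number)
    resources = ([s["resource"] for s in ingress["ingressFrom"]["sources"]]
                 + ingress["ingressTo"]["resources"] + egress["egressTo"]["resources"])
    for res in sorted(set(resources)):
        if not PROJECT_RE.match(res):
            problems.append(f"resource must be projects/<NUMBER>: {res!r} (placeholder left in?)")
    if len(set(ternary_projects)) != len(ternary_projects):
        problems.append("duplicate Ternary project numbers")
    if str(source_dataset_project_number) in [str(p) for p in ternary_projects]:
        problems.append("SOURCE_DATASET_PROJECT_NUMBER must be your project, not a Ternary project")
    return problems
```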