
GCP Onboarding - Ternary Access with GCP VPC Service Controls (VPC-SC)

If your organization has implemented GCP VPC Service Controls (VPC-SC), or is considering doing so, we have developed a VPC-SC policy template to quickly onboard Ternary within your security perimeter. The placeholder parameters in the stanzas below (SERVICE_ACCOUNT_ID, SOURCE_DATASET_PROJECT_NUMBER) require your input and are unique to your organization. The Ternary project numbers (shown as the placeholders 111111111111, 222222222222 and 333333333333) will be provided by your Ternary account team. We have a different set of parameters for Americas-based Ternary customers and EU-based Ternary customers; please ask your Ternary team if you are unsure which region is hosting your environment.

The two parameters you will need to provide are SERVICE_ACCOUNT_ID (used in the access level) and SOURCE_DATASET_PROJECT_NUMBER (used in the ingress policy).

Access Level stanza

TERNARY_ALLOWED_SA = {
  combining_function = "AND"
  conditions = [{
    ip_subnetworks = []
    required_access_levels = null
    members = ["SERVICE_ACCOUNT_ID"]
    negate = false
    regions = null
  }]
}

Ingress Policy stanza

ternary_policy_in = {
  ingress_from = {
    identity_type = "ANY_IDENTITY"
    sources = {
      resource = "projects/111111111111"
    }
  }
  ingress_to = {
    resources = ["projects/SOURCE_DATASET_PROJECT_NUMBER"]
    operations = {
      "bigquery.googleapis.com" = [{ method = "*" }],
      "bigquerydatatransfer.googleapis.com" = [{ method = "*" }],
      "cloudasset.googleapis.com" = [{ method = "*" }],
      "cloudresourcemanager.googleapis.com" = [{ method = "*" }],
      "monitoring.googleapis.com" = [{ method = "*" }],
      "recommender.googleapis.com" = [{ method = "*" }],
    }
  }
}

Egress Policy stanza

ternary_policy_out = {
  egress_from = {
    identity_type = "ANY_IDENTITY"
  }
  egress_to = {
    resources = ["projects/111111111111", "projects/222222222222", "projects/333333333333"]
    operations = {
      "bigquery.googleapis.com" = [{ method = "*" }],
      "bigquerydatatransfer.googleapis.com" = [{ method = "*" }],
      "cloudasset.googleapis.com" = [{ method = "*" }],
      "cloudresourcemanager.googleapis.com" = [{ method = "*" }],
      "monitoring.googleapis.com" = [{ method = "*" }],
      "recommender.googleapis.com" = [{ method = "*" }],
    }
  }
}
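The three stanzas above are templates, and the most common onboarding mistake is applying them with a placeholder left in place or with a member that lacks the `serviceAccount:` principal prefix that access-level members require. The following Python script is an added example (it is not Ternary's tooling and not part of this page's template) that substitutes your values into the stanzas, validates their shape, and reports any placeholder that survived. It assumes the first Ternary project number you pass is the one that appears as the ingress source, since the page's ingress stanza lists a single project while the egress stanza lists three; the service account and project numbers used in the demo are constructed sample values.

```python
"""Fill in and sanity-check the Ternary VPC-SC template stanzas (added example)."""
import re

# Service list copied from the page's ingress and egress stanzas.
TERNARY_SERVICES = (
    "bigquery.googleapis.com",
    "bigquerydatatransfer.googleapis.com",
    "cloudasset.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "monitoring.googleapis.com",
    "recommender.googleapis.com",
)

# Placeholder tokens from the page that must never reach an applied policy.
PLACEHOLDERS = (
    "SERVICE_ACCOUNT_ID",
    "SOURCE_DATASET_PROJECT_NUMBER",
    "111111111111", "222222222222", "333333333333",
)

# Access-level members carry a principal prefix; GCP project numbers are numeric.
_SA_RE = re.compile(r"^serviceAccount:[^@\s]+@[^@\s]+\.gserviceaccount\.com$")
_PROJECT_NUMBER_RE = re.compile(r"^[0-9]{6,}$")


def validate_inputs(service_account_id, source_project_number, ternary_project_numbers):
    """Return a list of problems; an empty list means the inputs look usable."""
    problems = []
    if not _SA_RE.match(service_account_id):
        problems.append(
            "service account must look like "
            f"serviceAccount:name@project.iam.gserviceaccount.com, got {service_account_id!r}")
    if not _PROJECT_NUMBER_RE.match(source_project_number):
        problems.append(f"source dataset project number must be numeric, got {source_project_number!r}")
    if source_project_number in PLACEHOLDERS:
        problems.append(f"{source_project_number} is a page placeholder, not your project number")
    if not ternary_project_numbers:
        problems.append("at least one Ternary project number is required")
    for number in ternary_project_numbers:
        if not _PROJECT_NUMBER_RE.match(number):
            problems.append(f"Ternary project number must be numeric, got {number!r}")
        if number in PLACEHOLDERS:
            problems.append(f"{number} is a page placeholder, not a value from your account team")
    return problems


def _operations_block(indent="      "):
    """Render the operations map shared by the ingress and egress stanzas."""
    return "\n".join(f'{indent}"{svc}" = [{{ method = "*" }}],' for svc in TERNARY_SERVICES)


def render_stanzas(service_account_id, source_project_number, ternary_project_numbers):
    """Render all three stanzas with real values substituted, or raise ValueError."""
    problems = validate_inputs(service_account_id, source_project_number, ternary_project_numbers)
    if problems:
        raise ValueError("; ".join(problems))
    egress_resources = ", ".join(f'"projects/{n}"' for n in ternary_project_numbers)
    ops = _operations_block()
    # Assumption: the first Ternary project is the ingress source, as in the page's template.
    return f'''TERNARY_ALLOWED_SA = {{
  combining_function = "AND"
  conditions = [{{
    ip_subnetworks = []
    required_access_levels = null
    members = ["{service_account_id}"]
    negate = false
    regions = null
  }}]
}}

ternary_policy_in = {{
  ingress_from = {{
    identity_type = "ANY_IDENTITY"
    sources = {{
      resource = "projects/{ternary_project_numbers[0]}"
    }}
  }}
  ingress_to = {{
    resources = ["projects/{source_project_number}"]
    operations = {{
{ops}
    }}
  }}
}}

ternary_policy_out = {{
  egress_from = {{
    identity_type = "ANY_IDENTITY"
  }}
  egress_to = {{
    resources = [{egress_resources}]
    operations = {{
{ops}
    }}
  }}
}}
'''


def leftover_placeholders(rendered):
    """List any page placeholder still present in a rendered policy text."""
    return [p for p in PLACEHOLDERS if p in rendered]


if __name__ == "__main__":
    # Constructed sample values, not real Ternary identifiers.
    text = render_stanzas(
        "serviceAccount:ternary-reader@ternary-prod.iam.gserviceaccount.com",
        "987654321098",
        ["123456789012", "234567890123", "345678901234"],
    )
    print(text)
    print("leftover placeholders:", leftover_placeholders(text))
```

Run the rendered text through `leftover_placeholders` before it goes anywhere near a perimeter; an empty list is the expected result, and anything else means a template value was copied through unchanged.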