/**
* Copyright 2024 The Isolator Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
  # TODO: enable after the 04 pipeline has run (it creates the Isolator folder log sinks).
  # Project number of the Logs and Monitoring project in the "projects/<number>" form
  # expected by the perimeter ingress rule that lets the two log sinks (folder and org)
  # write into the log bucket inside the security perimeter.
  # logs_and_monitoring_project_number_formatted = "projects/${data.terraform_remote_state.rs_04_iso_security_projects.outputs.project_numbers.security_log}"

  # TODO: enable after the 05 pipeline has run (it creates the Isolator folder log sinks).
  # Writer identity of the folder log sink; referenced by the ingress rule that admits
  # that sink into the perimeter.
  # log_bucket_log_sink_isolator_folder_log_writer_identity = data.terraform_remote_state.rs_05_iso_security_projects_resources.outputs.isolator_folder_log_sink_log_writer_identity

  # TODO: enable after the 06 and 07 pipelines have run (they create the Isolator
  # Data Access logs folder log sinks).
  # Project number used to allow ingress from the Data Access logs folder sink to the
  # data access log project in the data perimeter.
  # data_access_logs_project_number_formatted = "projects/${data.terraform_remote_state.rs_06_iso_data_projects.outputs.project_numbers.data_access_logs}"

  # Services whose APIs the perimeter restricts. Only services named here are subject
  # to perimeter enforcement; an API left out of this list is reachable from inside the
  # perimeter without a VPC Service Controls check, so review the list as products
  # reach GA and add them here to be protected. Latest supported list:
  # https://cloud.google.com/vpc-service-controls/docs/supported-products
  # NOTE(review): a few entries (e.g. clouddebugger, gameservices) name products that
  # appear to have been retired since this list was written; confirm against the page
  # above that they are still accepted before depending on them, and prune if not.
  restricted_services_list = [
    "accessapproval.googleapis.com",
    "aiplatform.googleapis.com",
    "alloydb.googleapis.com",
    "analyticshub.googleapis.com",
    "apigee.googleapis.com",
    "apigeeconnect.googleapis.com",
    "artifactregistry.googleapis.com",
    "assuredworkloads.googleapis.com",
    "automl.googleapis.com",
    "bigquery.googleapis.com",
    "bigquerydatapolicy.googleapis.com",
    "bigquerydatatransfer.googleapis.com",
    "bigquerymigration.googleapis.com",
    "bigtable.googleapis.com",
    "binaryauthorization.googleapis.com",
    "cloud.googleapis.com",
    "cloudasset.googleapis.com",
    "cloudbuild.googleapis.com",
    "clouddebugger.googleapis.com",
    "clouddeploy.googleapis.com",
    "clouderrorreporting.googleapis.com",
    "cloudfunctions.googleapis.com",
    "cloudkms.googleapis.com",
    "cloudprofiler.googleapis.com",
    "cloudscheduler.googleapis.com",
    "cloudsearch.googleapis.com",
    "cloudtasks.googleapis.com",
    "cloudtrace.googleapis.com",
    "composer.googleapis.com",
    "compute.googleapis.com",
    "connectgateway.googleapis.com",
    "contactcenterinsights.googleapis.com",
    "container.googleapis.com",
    "containeranalysis.googleapis.com",
    "containerregistry.googleapis.com",
    "containerthreatdetection.googleapis.com",
    "contentwarehouse.googleapis.com",
    "datacatalog.googleapis.com",
    "dataflow.googleapis.com",
    "datafusion.googleapis.com",
    "datalineage.googleapis.com",
    "datamigration.googleapis.com",
    "dataplex.googleapis.com",
    "dataproc.googleapis.com",
    "datastream.googleapis.com",
    "dialogflow.googleapis.com",
    "dlp.googleapis.com",
    "dns.googleapis.com",
    "documentai.googleapis.com",
    "domains.googleapis.com",
    "essentialcontacts.googleapis.com",
    "eventarc.googleapis.com",
    "file.googleapis.com",
    "firebaseappcheck.googleapis.com",
    "firebaserules.googleapis.com",
    "firestore.googleapis.com",
    "gameservices.googleapis.com",
    "gkeconnect.googleapis.com",
    "gkehub.googleapis.com",
    "gkemulticloud.googleapis.com",
    "gkeonprem.googleapis.com",
    "healthcare.googleapis.com",
    "iamcredentials.googleapis.com",
    "iap.googleapis.com",
    "iaptunnel.googleapis.com",
    "identitytoolkit.googleapis.com",
    "ids.googleapis.com",
    "kmsinventory.googleapis.com",
    "krmapihosting.googleapis.com",
    "language.googleapis.com",
    "logging.googleapis.com",
    "looker.googleapis.com",
    "managedidentities.googleapis.com",
    "memcache.googleapis.com",
    "meshca.googleapis.com",
    "meshconfig.googleapis.com",
    "metastore.googleapis.com",
    "ml.googleapis.com",
    "monitoring.googleapis.com",
    "networkconnectivity.googleapis.com",
    "networkmanagement.googleapis.com",
    "notebooks.googleapis.com",
    "ondemandscanning.googleapis.com",
    "orgpolicy.googleapis.com",
    "osconfig.googleapis.com",
    "oslogin.googleapis.com",
    "privateca.googleapis.com",
    "pubsub.googleapis.com",
    "pubsublite.googleapis.com",
    "recaptchaenterprise.googleapis.com",
    "recommender.googleapis.com",
    "redis.googleapis.com",
    "retail.googleapis.com",
    "run.googleapis.com",
    "secretmanager.googleapis.com",
    "servicecontrol.googleapis.com",
    "servicedirectory.googleapis.com",
    "spanner.googleapis.com",
    "speakerid.googleapis.com",
    "speech.googleapis.com",
    "sqladmin.googleapis.com",
    "storage.googleapis.com",
    "storagetransfer.googleapis.com",
    "sts.googleapis.com",
    "texttospeech.googleapis.com",
    "tpu.googleapis.com",
    "trafficdirector.googleapis.com",
    "transcoder.googleapis.com",
    "translate.googleapis.com",
    "videointelligence.googleapis.com",
    "vision.googleapis.com",
    "vmmigration.googleapis.com",
    "vpcaccess.googleapis.com",
    "webrisk.googleapis.com",
    "workflows.googleapis.com",
    "workstations.googleapis.com",
  ]
}