Use VPC Service Controls

VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter to guard against data exfiltration.

VPC Service Controls in Developer Connect don't guard against possible exfiltration to external source code management systems (SCMSs). This guide shows further controls that use custom organization policies to help block these scenarios.

See Set up a service perimeter by using VPC Service Controls for more information on how to use VPC Service Controls.

  • Create a custom org policy that restricts what your developers can create connections to.

  • Create a custom org policy that allows your developers to create and update connections only through a specific Service Directory resource.

Before you begin

To use the command-line examples in this guide, install and configure the Google Cloud CLI.

Required roles

To get the permissions that you need to create or edit a custom organization policy, ask your administrator to grant you the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on the organization resource. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a constraint to limit the SCMSs to which your team can create connections

One way to mitigate the possibility of data exfiltration to an SCMS is to limit which SCMSs are allowed for connections. You can create a custom organization policy that allows connections to one or more specified SCMSs.

The following organization policy allows connections only to a specified GitHub Enterprise host:

name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resourceTypes:
- developerconnect.googleapis.com/Connection
methodTypes:
- CREATE
- UPDATE
condition: |
  resource.githubEnterpriseConfig.hostUri=="https://github.mycompany.net"
actionType: ALLOW
displayName: Connection GitHub Enterprise Host Constraint
description: |
  Allows creation/update of Developer Connect connections only to GitHub Enterprise host github.mycompany.net

Create a constraint to require connections through Service Directory

You can mitigate the possibility of data exfiltration by creating a custom organization policy that allows connections only to a specified Service Directory endpoint.

The following organization policy allows connections to a specific Service Directory endpoint only:

name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resourceTypes:
- developerconnect.googleapis.com/Connection
methodTypes:
- CREATE
- UPDATE
condition: |
  resource.gitlabEnterpriseConfig.serviceDirectoryConfig.service=="projects/my-project/locations/us-central1/namespaces/ns/services/myendpoint"
actionType: ALLOW
displayName: Connection GitLab Enterprise Service Directory endpoint
description: |
  Allows creation/update of Developer Connect connections only through a specific Service Directory resource
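Both constraints above use `actionType: ALLOW`, which means a CREATE or UPDATE on a Connection is admitted only when the CEL condition is true and denied otherwise, including for connection types the condition never mentions (a github.com connection has no `githubEnterpriseConfig`, so the host check is false and the request is denied). The following added example, which is not part of this page or of the Developer Connect product, is a small local dry-run that models that decision for the GitHub Enterprise host constraint, the Service Directory constraint, and a combined constraint that ORs the two conditions with CEL's `||`. It assumes (as a simplification of the real CEL evaluation done by the Organization Policy service) that an unset field reads as an empty string and that conditions consist of `resource.<path> == "<literal>"` terms joined by `||`; the connection requests are constructed sample data.

```python
"""Local dry-run of Developer Connect custom org policy constraints (added example).

Models the ALLOW / DENY decision for CREATE and UPDATE requests on a
developerconnect.googleapis.com/Connection resource. The condition grammar
handled is deliberately tiny: `resource.<dotted.path> == "<literal>"` terms,
optionally joined by `||`. Real constraints are evaluated as CEL by Google
Cloud; this is an assumption-driven approximation for reasoning about policy.
"""
import re

# One equality term: resource.<path> == "<literal>"
TERM = re.compile(r'^\s*resource\.([A-Za-z0-9_.]+)\s*==\s*"([^"]*)"\s*$')


def lookup(resource: dict, path: str) -> str:
    """Walk a dotted field path; an unset field reads as "" (assumed proto default)."""
    node = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return ""
        node = node[key]
    return node if isinstance(node, str) else ""


def evaluate_condition(condition: str, resource: dict) -> bool:
    """True if any `||`-joined equality term matches the resource."""
    for term in condition.split("||"):
        match = TERM.match(term)
        if not match:
            raise ValueError(f"unsupported condition term: {term.strip()!r}")
        if lookup(resource, match.group(1)) == match.group(2):
            return True
    return False


def decide(constraint: dict, method: str, resource: dict) -> str:
    """Return "allow" or "deny" for a request of the given method type."""
    if method not in constraint["methodTypes"]:
        return "allow"  # the constraint does not govern this method
    matched = evaluate_condition(constraint["condition"], resource)
    if constraint["actionType"] == "ALLOW":
        return "allow" if matched else "deny"
    return "deny" if matched else "allow"  # actionType DENY


# Constraints taken from the two YAML definitions above (condition text only).
GHE_HOST = 'resource.githubEnterpriseConfig.hostUri=="https://github.mycompany.net"'
SD_ENDPOINT = ('resource.gitlabEnterpriseConfig.serviceDirectoryConfig.service=='
               '"projects/my-project/locations/us-central1/namespaces/ns/services/myendpoint"')

GHE_HOST_CONSTRAINT = {"methodTypes": ["CREATE", "UPDATE"], "actionType": "ALLOW",
                       "condition": GHE_HOST}
SD_ENDPOINT_CONSTRAINT = {"methodTypes": ["CREATE", "UPDATE"], "actionType": "ALLOW",
                          "condition": SD_ENDPOINT}
# Combined constraint (assumed): admit either approved path, deny everything else.
COMBINED_CONSTRAINT = {"methodTypes": ["CREATE", "UPDATE"], "actionType": "ALLOW",
                       "condition": f"{GHE_HOST} || {SD_ENDPOINT}"}

# Constructed sample connection requests (not real resources).
GHE_OK = {"githubEnterpriseConfig": {"hostUri": "https://github.mycompany.net"}}
GHE_OTHER = {"githubEnterpriseConfig": {"hostUri": "https://github.example.org"}}
GITHUB_COM = {"githubConfig": {"githubApp": "DEVELOPER_CONNECT"}}
GITLAB_SD = {"gitlabEnterpriseConfig": {
    "hostUri": "https://gitlab.mycompany.net",
    "serviceDirectoryConfig": {
        "service": "projects/my-project/locations/us-central1/namespaces/ns/services/myendpoint"}}}
GITLAB_PUBLIC = {"gitlabEnterpriseConfig": {"hostUri": "https://gitlab.example.org"}}


def audit(constraint: dict, method: str = "CREATE") -> dict:
    """Decision per sample request, so the effect of a constraint is visible at a glance."""
    samples = {"ghe_ok": GHE_OK, "ghe_other": GHE_OTHER, "github_com": GITHUB_COM,
               "gitlab_sd": GITLAB_SD, "gitlab_public": GITLAB_PUBLIC}
    return {name: decide(constraint, method, res) for name, res in samples.items()}


if __name__ == "__main__":
    for label, c in [("GHE host", GHE_HOST_CONSTRAINT),
                     ("Service Directory", SD_ENDPOINT_CONSTRAINT),
                     ("combined", COMBINED_CONSTRAINT)]:
        print(label, audit(c))
```

The dry-run makes two points visible. First, each single constraint is deny-by-default for every connection shape it does not name, so the GitHub Enterprise host constraint alone also blocks GitLab Enterprise connections that go through the approved Service Directory endpoint; if both paths are legitimate, put both terms in one condition (or attach several constraints) rather than expecting them to combine automatically. Second, the constraint only governs the method types it lists, so a DELETE is not evaluated against it. The authoritative check remains applying the constraint to a test project and attempting the connection there.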

What's next