Compute modules in Foundry operate under a "zero trust" security model, ensuring maximum isolation and security. By default, these modules lack any external network access, including access to other Foundry services. This strict isolation is crucial for maintaining a secure environment.
To enable external network access for your compute module, you must explicitly configure a source through the Data Connection application. Sources also allow secure storage of credentials needed to access external systems for use in your compute module. The following sections outline the process of using sources within your compute module as a means of packaging network policies and credentials.
Create a source in the Data Connection application, attaching any required network policies and secrets.
Ensure the following configurations:
In your compute module, select Configure > Sources > Add Sources.
When a compute module launches, source credentials are mounted as JSON in a file whose path is contained in the SOURCE_CREDENTIALS environment variable. To access these credentials, perform the following:
SOURCE_CREDENTIALS environment variable.
Some sources, like REST sources, require an additionalSecret prefix before the specified secret's name (for example, additionalSecretMySecretName).
# read_sources_credentials.py
import json
import os

# SOURCE_CREDENTIALS holds the path of the mounted JSON credentials file
with open(os.environ['SOURCE_CREDENTIALS'], 'r') as f:
    credentials = json.load(f)

# Access a specific secret
secret = credentials["<Source API Name>"]["<Secret Name>"]
You can use the compute module SDK to simplify this process.
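A more defensive version of the lookup above, as an added example that is not part of the original documentation or the compute module SDK: it fails with a clear error when no source is attached, falls back to the additionalSecret prefix described above, and keeps secret values out of error messages. The source names, secret names and values in demo() are constructed, and trying the unprefixed name before the prefixed one is an assumption.

```python
import json
import os
import tempfile


class SecretLookupError(LookupError):
    """Lookup failure; messages carry names only, never secret values."""


def load_source_credentials(environ=os.environ):
    """Parse the JSON file whose path is in SOURCE_CREDENTIALS."""
    path = environ.get("SOURCE_CREDENTIALS")
    if not path:
        raise SecretLookupError("SOURCE_CREDENTIALS is unset: no source attached?")
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def get_secret(credentials, source_api_name, secret_name):
    """Return a secret, trying the plain name, then the additionalSecret prefix."""
    source = credentials.get(source_api_name)
    if source is None:
        raise SecretLookupError(
            f"source {source_api_name!r} not found; mounted: {sorted(credentials)}")
    # Assumption: try the name as given first, then the REST-style prefixed form.
    for key in (secret_name, "additionalSecret" + secret_name):
        if key in source:
            return source[key]
    raise SecretLookupError(
        f"secret {secret_name!r} not in source {source_api_name!r}; "
        f"names present: {sorted(source)}")


def demo():
    """Run against a constructed credentials file (names and values are made up)."""
    sample = {
        "MyRestSource": {"additionalSecretMySecretName": "constructed-token"},
        "MyDbSource": {"password": "constructed-password"},
    }
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials.json")
        with open(path, "w", encoding="utf-8") as f:
            json.dump(sample, f)
        creds = load_source_credentials({"SOURCE_CREDENTIALS": path})
    return (get_secret(creds, "MyRestSource", "MySecretName"),
            get_secret(creds, "MyDbSource", "password"))


if __name__ == "__main__":
    rest_token, db_password = demo()
    print("loaded secrets of length", len(rest_token), "and", len(db_password))
```

Error messages list the source and secret names that are present, which helps diagnose a missing prefix or a detached source without writing any secret value to logs.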
To add or remove sources on your compute module, you must first stop the compute module. You cannot add or remove a source if the compute module is running. Additionally, changes to network policies on the source require a full restart of the compute module to apply. Changes to credentials will be reflected in a compute module rolling upgrade.