Sources

Compute modules in Foundry operate under a "zero trust" security model, ensuring maximum isolation and security. By default, these modules lack any external network access, including access to other Foundry services. This strict isolation is crucial for maintaining a secure environment.

To enable external network access for your compute module, you must explicitly configure a source through the Data Connection application. Sources also allow secure storage of credentials needed to access external systems for use in your compute module. This following sections outline the process of using sources within your compute module as a means of packaging network policies and credentials.

Add a source to your compute module

Create a source in Data Connection

  1. Create a source in the Data Connection application, attaching any required network policies and secrets.

  2. Ensure the following configurations:

  • The source must be in the same Project as your compute module.
  • In the Code import configuration tab, choose to Allow this source to be imported into compute modules.
  • Add an API name for the source that you will use to access it from your compute module.

Add the source to the compute module configuration

In your compute module, select Configure > Sources > Add Sources.

Access source credentials within a compute module

When a compute module launches, source credentials are mounted as JSON in a file where the file path is contained by the SOURCE_CREDENTIALS environment variable. To access these credentials, perform the following:

  1. Read the file pointed to by the SOURCE_CREDENTIALS environment variable.
  2. Parse the contents as a JSON dictionary.
  3. Access specific credentials first by specifying the source's API name, then the secret's name.

Some sources, like REST sources, require an additionalSecret prefix before the specified secret's name (for example, additionalSecretMySecretName).

# read_sources_credentials.py
import json
import os

with open(os.environ['SOURCE_CREDENTIALS'], 'r') as f:
    credentials = json.load(f)

# Access a specific secret
secret = credentials["<Source API Name>"]["<Secret Name>"]

You can use the compute module SDK ↗ to simplify this process.

Manage sources

To add or remove sources on your compute module, you must first stop the compute module. You cannot add or remove a source if the compute module is running. Additionally, changes to network policies on the source require a full restart of the compute module to apply. Changes to credentials will be reflected in a compute module rolling upgrade.