Add basic tests for nwt-vpc-firewall-yaml module
parent
5a796f3637
commit
07cf386427
@ -0,0 +1,13 @@
|
|||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
|
@ -0,0 +1,23 @@
|
|||
/**
|
||||
* Copyright 2021 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "firewall" {
|
||||
source = "../../../../modules/net-vpc-firewall-yaml"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
config_path = "./rules"
|
||||
log_config = var.log_config
|
||||
}
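Review bot: `config_path = "./rules"` is resolved against Terraform's working directory, not against the directory that holds this fixture, so the test only finds the YAML if `plan_runner` changes into the fixture directory before planning — presumably it does, but that is not visible here. Anchoring the path to the fixture itself, `config_path = "${path.module}/rules"`, makes the fixture independent of the caller's cwd and cannot silently pick up a different `rules` directory when the runner is invoked from elsewhere. The hard-coded `project_id`/`network` values are fine for a plan-only test and the test asserts on them.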
|
|
@ -0,0 +1,20 @@
|
|||
# allow ingress from GCLB to all instances in the network
|
||||
lb-health-checks:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: tcp
|
||||
direction: INGRESS
|
||||
priority: 1001
|
||||
source_ranges:
|
||||
- 35.191.0.0/16
|
||||
- 130.211.0.0/22
|
||||
|
||||
# deny all egress
|
||||
deny-all:
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
direction: EGRESS
|
||||
priority: 65535
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
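Review bot: The `lb-health-checks` rule combines `ports: []` with `protocol: tcp` and names no targets, so if the module maps an empty port list to "all ports" (as the comment "to all instances in the network" suggests) it opens every TCP port on every instance to the health-check ranges — much wider than a health-check rule needs, and fixture YAML tends to be copied as an example. Either restrict it to the ports actually probed, e.g. `ports: [80, 443]`, or state in the comment that the breadth is deliberate for the test: `# test fixture: all tcp ports on purpose; production rules should list the health-checked ports and scope targets`. Note also that `deny-all` covers only IPv4 (`0.0.0.0/0`); whether that matters depends on whether the network has IPv6 enabled, which the fixture does not show.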
|
|
@ -0,0 +1,23 @@
|
|||
/**
|
||||
* Copyright 2021 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "log_config" {
|
||||
description = "Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging."
|
||||
type = object({
|
||||
metadata = string
|
||||
})
|
||||
default = null
|
||||
}
|
|
@ -0,0 +1,50 @@
|
|||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
import os
|
||||
import pytest
|
||||
|
||||
|
||||
FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
||||
|
||||
|
||||
def test_firewall_simple(plan_runner):
|
||||
"Test firewall rules from rules/common.yaml with no extra options."
|
||||
_, resources = plan_runner(FIXTURES_DIR)
|
||||
assert len(resources) == 4
|
||||
assert set(r['type'] for r in resources) == set([
|
||||
'google_compute_firewall', 'time_static'
|
||||
])
|
||||
firewall_values = [r['values'] for r in resources if r['type']
|
||||
== 'google_compute_firewall']
|
||||
assert set([f['project'] for f in firewall_values]) == set(['my-project'])
|
||||
assert set([f['network'] for f in firewall_values]) == set(['my-network'])
|
||||
|
||||
|
||||
def test_firewall_log_config(plan_runner):
|
||||
"Test firewall rules log configuration."
|
||||
log_config = """ {
|
||||
metadata = "INCLUDE_ALL_METADATA"
|
||||
}
|
||||
"""
|
||||
log_config_value = [{"metadata": "INCLUDE_ALL_METADATA"}]
|
||||
_, resources = plan_runner(FIXTURES_DIR, log_config=log_config)
|
||||
assert len(resources) == 4
|
||||
assert set(r['type'] for r in resources) == set([
|
||||
'google_compute_firewall', 'time_static'
|
||||
])
|
||||
firewall_values = [r['values'] for r in resources if r['type']
|
||||
== 'google_compute_firewall']
|
||||
assert all(f['log_config'] == log_config_value for f in firewall_values)
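Review bot: Neither test asserts the security-relevant content of the generated rules — `direction`, `priority`, `source_ranges`/`destination_ranges`, and whether a rule became `allow` or `deny` — so a module regression that dropped the `deny` block or flipped the direction would still pass, because both functions check only resource count, project and network. Adding checks such as `assert set(f['direction'] for f in firewall_values) == {'INGRESS', 'EGRESS'}` and `assert any(f['deny'] for f in firewall_values) and any(f['allow'] for f in firewall_values)` pins the YAML-to-resource mapping; the exact attribute names depend on the plan JSON `plan_runner` returns, so confirm them against one real plan output. For symmetry with `test_firewall_log_config`, `test_firewall_simple` should also assert that logging is off when `log_config` is `null` (likely `f['log_config'] == []`, but verify the representation). A short comment explaining the `4` in `assert len(resources) == 4` (two rules from `rules/common.yaml` plus the `time_static` resources the module adds) would also help the next maintainer.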
|