hierarchical-policies updated with new resources

2021-10-15 12:15:36 +02:00 · 2021-10-15 12:15:36 +02:00 · 0836433e55
parent 23dbe0ae85
commit 0836433e55
4 changed files with 51 additions and 46 deletions
--- a/factories/firewall-hierarchical-policies/README.md
+++ b/factories/firewall-hierarchical-policies/README.md
@ -65,9 +65,12 @@ allow-icmp:
  action: allow                         
  # Priority (must be unique on a node)
  priority: 1000                        
-  # List of CIDRs this rule applies to
+  # List of CIDRs this rule applies to (for INGRESS rules)
  source_ranges:                        
    - 0.0.0.0/0
+  # List of CIDRs this rule applies to (for EGRESS rules)
+  destination_ranges:                        
+    - 0.0.0.0/0    
  # List of ports this rule applies to (empty array means all ports)
  ports:                                  
    tcp: []
@ -148,14 +151,14 @@ web_frontends:
 <!-- BEGIN TFDOC -->
 ## Variables

-| name | description | type | required | default |
-|---|---|:---: |:---:|:---:|
-| config_folder | Relative path of the folder containing the hierarchical firewall configuration | <code title="">string</code> | ✓ |  |
-| templates_folder | Relative path of the folder containing the cidr/service account templates | <code title="">string</code> | ✓ |  |
+| name             | description                                                                    |             type             | required | default |
+| ---------------- | ------------------------------------------------------------------------------ | :--------------------------: | :------: | :-----: |
+| config_folder    | Relative path of the folder containing the hierarchical firewall configuration | <code title="">string</code> |    ✓     |         |
+| templates_folder | Relative path of the folder containing the cidr/service account templates      | <code title="">string</code> |    ✓     |         |

 ## Outputs

-| name | description | sensitive |
-|---|---|:---:|
-| hierarchical-firewall-rules | Generated Hierarchical Firewall Rules |  |
+| name                        | description                           | sensitive |
+| --------------------------- | ------------------------------------- | :-------: |
+| hierarchical-firewall-rules | Generated Hierarchical Firewall Rules |           |
 <!-- END TFDOC -->
--- a/factories/firewall-hierarchical-policies/main.tf
+++ b/factories/firewall-hierarchical-policies/main.tf
@ -59,17 +59,16 @@ locals {
  ])
 }

-resource "google_compute_organization_security_policy" "default" {
-  provider     = google-beta
-  for_each     = { for rule in local.rules : rule.parent_id => rule.name... }
-  display_name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
-  parent       = each.key
+resource "google_compute_firewall_policy" "default" {
+  for_each    = { for rule in local.rules : rule.parent_id => rule.name... }
+  short_name  = replace("hierarchical-fw-policy-${each.key}", "/", "-")
+  description = replace("hierarchical-fw-policy-${each.key}", "/", "-")
+  parent      = each.key
 }

-resource "google_compute_organization_security_policy_rule" "default" {
-  provider                = google-beta
+resource "google_compute_firewall_policy_rule" "default" {
  for_each                = { for rule in local.rules : "${rule.parent_id}-${rule.name}" => rule }
-  policy_id               = google_compute_organization_security_policy.default[each.value.parent_id].id
+  firewall_policy         = google_compute_firewall_policy.default[each.value.parent_id].id
  action                  = each.value.action
  direction               = each.value.direction
  priority                = each.value.priority
@ -78,24 +77,22 @@ resource "google_compute_organization_security_policy_rule" "default" {
  enable_logging          = try(each.value.enable_logging, false)
  # preview                 = each.value.preview
  match {
-    config {
-      src_ip_ranges = each.value.source_ranges
-      dynamic "layer4_config" {
-        for_each = each.value.ports
-        iterator = port
-        content {
-          ip_protocol = port.key
-          ports       = port.value
-        }
+    src_ip_ranges  = each.value.direction == "INGRESS" ? each.value.source_ranges : null
+    dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.destination_ranges : null
+    dynamic "layer4_configs" {
+      for_each = each.value.ports
+      iterator = port
+      content {
+        ip_protocol = port.key
+        ports       = port.value
      }
    }
  }
 }

-resource "google_compute_organization_security_policy_association" "default" {
-  provider      = google-beta
-  for_each      = { for rule in local.rules : rule.parent_id => rule.name... }
-  name          = replace("hierarchical-fw-policy-${each.key}", "/", "-")
-  attachment_id = google_compute_organization_security_policy.default[each.key].parent
-  policy_id     = google_compute_organization_security_policy.default[each.key].id
+resource "google_compute_firewall_policy_association" "default" {
+  for_each          = { for rule in local.rules : rule.parent_id => rule.name... }
+  name              = replace("hierarchical-fw-policy-${each.key}", "/", "-")
+  attachment_target = google_compute_firewall_policy.default[each.key].parent
+  firewall_policy   = google_compute_firewall_policy.default[each.key].id
 }
--- a/factories/firewall-hierarchical-policies/outputs.tf
+++ b/factories/firewall-hierarchical-policies/outputs.tf
@ -17,11 +17,10 @@
 output "hierarchical-firewall-rules" {
  description = "Generated Hierarchical Firewall Rules"
  value = {
-    for k, v in google_compute_organization_security_policy_rule.default :
+    for k, v in google_compute_firewall_policy_rule.default :
    k => {
-      parent_id   = split("-", k)[0]
-      id          = v.id
-      description = v.match[0].description
+      parent_id = split("-", k)[0]
+      id        = v.id
    }
  }
 }
--- a/tests/factories/firewall_hierarchical_policies/test_plan.py
+++ b/tests/factories/firewall_hierarchical_policies/test_plan.py
@ -25,25 +25,31 @@ def test_firewall(plan_runner):
  _, resources = plan_runner(FIXTURES_DIR)
  assert len(resources) == 6
  assert set(r["type"] for r in resources) == set([
-      "google_compute_organization_security_policy_rule", "google_compute_organization_security_policy_association", "google_compute_organization_security_policy"
+      "google_compute_firewall_policy_rule", "google_compute_firewall_policy_association", "google_compute_firewall_policy"
  ])
  rule_ssh = [r["values"] for r in resources if r["type"] ==
-              "google_compute_organization_security_policy_rule" and r["values"]["priority"] == 1001]
+              "google_compute_firewall_policy_rule"
+              and r["values"]["priority"] == 1001]
  rule_icmp = [r["values"] for r in resources if r["type"] ==
-               "google_compute_organization_security_policy_rule" and r["values"]["priority"] == 1000]
+               "google_compute_firewall_policy_rule"
+               and r["values"]["priority"] == 1000]
  association_org = [r["values"] for r in resources if r["type"] ==
-                     "google_compute_organization_security_policy_association" and r["values"]["attachment_id"] == "organizations/1234567890"]
+                     "google_compute_firewall_policy_association"
+                     and r["values"]["attachment_target"] == "organizations/1234567890"]
  association_folder = [r["values"] for r in resources if r["type"] ==
-                        "google_compute_organization_security_policy_association" and r["values"]["attachment_id"] == "folders/0987654321"]
+                        "google_compute_firewall_policy_association"
+                        and r["values"]["attachment_target"] == "folders/0987654321"]
  policies_org = [r["values"] for r in resources if r["type"] ==
-                  "google_compute_organization_security_policy" and r["values"]["parent"] == "organizations/1234567890"]
+                  "google_compute_firewall_policy"
+                  and r["values"]["parent"] == "organizations/1234567890"]
  policies_folder = [r["values"] for r in resources if r["type"] ==
-                     "google_compute_organization_security_policy" and r["values"]["parent"] == "folders/0987654321"]
+                     "google_compute_firewall_policy"
+                     and r["values"]["parent"] == "folders/0987654321"]

-  assert set(rule_ssh[0]["match"][0]["config"][0]["src_ip_ranges"]) == set(
+  assert set(rule_ssh[0]["match"][0]["src_ip_ranges"]) == set(
      ["10.0.0.0/24", "10.0.10.0/24", "192.168.1.1/32"])
-  assert rule_icmp[0]["match"][0]["config"][0]["layer4_config"][0]["ip_protocol"] == "icmp"
+  assert rule_icmp[0]["match"][0]["layer4_configs"][0]["ip_protocol"] == "icmp"
  assert association_org[0]["name"] == "hierarchical-fw-policy-organizations-1234567890"
  assert association_folder[0]["name"] == "hierarchical-fw-policy-folders-0987654321"
-  assert policies_org[0]["display_name"] == "hierarchical-fw-policy-organizations-1234567890"
-  assert policies_folder[0]["display_name"] == "hierarchical-fw-policy-folders-0987654321"
+  assert policies_org[0]["short_name"] == "hierarchical-fw-policy-organizations-1234567890"
+  assert policies_folder[0]["short_name"] == "hierarchical-fw-policy-folders-0987654321"