hierarchical-policies updated with new resources
This commit is contained in:
parent
23dbe0ae85
commit
0836433e55
|
@ -65,9 +65,12 @@ allow-icmp:
|
|||
action: allow
|
||||
# Priority (must be unique on a node)
|
||||
priority: 1000
|
||||
# List of CIDRs this rule applies to
|
||||
# List of CIDRs this rule applies to (for INGRESS rules)
|
||||
source_ranges:
|
||||
- 0.0.0.0/0
|
||||
# List of CIDRs this rule applies to (for EGRESS rules)
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
# List of ports this rule applies to (empty array means all ports)
|
||||
ports:
|
||||
tcp: []
|
||||
|
@ -148,14 +151,14 @@ web_frontends:
|
|||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---: |:---:|:---:|
|
||||
| config_folder | Relative path of the folder containing the hierarchical firewall configuration | <code title="">string</code> | ✓ | |
|
||||
| templates_folder | Relative path of the folder containing the cidr/service account templates | <code title="">string</code> | ✓ | |
|
||||
| name | description | type | required | default |
|
||||
| ---------------- | ------------------------------------------------------------------------------ | :--------------------------: | :------: | :-----: |
|
||||
| config_folder | Relative path of the folder containing the hierarchical firewall configuration | <code title="">string</code> | ✓ | |
|
||||
| templates_folder | Relative path of the folder containing the cidr/service account templates | <code title="">string</code> | ✓ | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| hierarchical-firewall-rules | Generated Hierarchical Firewall Rules | |
|
||||
| name | description | sensitive |
|
||||
| --------------------------- | ------------------------------------- | :-------: |
|
||||
| hierarchical-firewall-rules | Generated Hierarchical Firewall Rules | |
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -59,17 +59,16 @@ locals {
|
|||
])
|
||||
}
|
||||
|
||||
resource "google_compute_organization_security_policy" "default" {
|
||||
provider = google-beta
|
||||
for_each = { for rule in local.rules : rule.parent_id => rule.name... }
|
||||
display_name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
|
||||
parent = each.key
|
||||
resource "google_compute_firewall_policy" "default" {
|
||||
for_each = { for rule in local.rules : rule.parent_id => rule.name... }
|
||||
short_name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
|
||||
description = replace("hierarchical-fw-policy-${each.key}", "/", "-")
|
||||
parent = each.key
|
||||
}
|
||||
|
||||
resource "google_compute_organization_security_policy_rule" "default" {
|
||||
provider = google-beta
|
||||
resource "google_compute_firewall_policy_rule" "default" {
|
||||
for_each = { for rule in local.rules : "${rule.parent_id}-${rule.name}" => rule }
|
||||
policy_id = google_compute_organization_security_policy.default[each.value.parent_id].id
|
||||
firewall_policy = google_compute_firewall_policy.default[each.value.parent_id].id
|
||||
action = each.value.action
|
||||
direction = each.value.direction
|
||||
priority = each.value.priority
|
||||
|
@ -78,24 +77,22 @@ resource "google_compute_organization_security_policy_rule" "default" {
|
|||
enable_logging = try(each.value.enable_logging, false)
|
||||
# preview = each.value.preview
|
||||
match {
|
||||
config {
|
||||
src_ip_ranges = each.value.source_ranges
|
||||
dynamic "layer4_config" {
|
||||
for_each = each.value.ports
|
||||
iterator = port
|
||||
content {
|
||||
ip_protocol = port.key
|
||||
ports = port.value
|
||||
}
|
||||
src_ip_ranges = each.value.direction == "INGRESS" ? each.value.source_ranges : null
|
||||
dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.destination_ranges : null
|
||||
dynamic "layer4_configs" {
|
||||
for_each = each.value.ports
|
||||
iterator = port
|
||||
content {
|
||||
ip_protocol = port.key
|
||||
ports = port.value
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_organization_security_policy_association" "default" {
|
||||
provider = google-beta
|
||||
for_each = { for rule in local.rules : rule.parent_id => rule.name... }
|
||||
name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
|
||||
attachment_id = google_compute_organization_security_policy.default[each.key].parent
|
||||
policy_id = google_compute_organization_security_policy.default[each.key].id
|
||||
resource "google_compute_firewall_policy_association" "default" {
|
||||
for_each = { for rule in local.rules : rule.parent_id => rule.name... }
|
||||
name = replace("hierarchical-fw-policy-${each.key}", "/", "-")
|
||||
attachment_target = google_compute_firewall_policy.default[each.key].parent
|
||||
firewall_policy = google_compute_firewall_policy.default[each.key].id
|
||||
}
|
||||
|
|
|
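Review bot: The new `src_ip_ranges`/`dest_ip_ranges` lines dereference `each.value.source_ranges` and `each.value.destination_ranges` unconditionally, while `enable_logging` a few lines above is guarded with `try(...)`; an INGRESS rule that simply omits `destination_ranges` (the README example shows both keys, real rules usually carry one) then depends on the untaken branch of the conditional not being evaluated, which I believe holds in current HCL but is worth making explicit. `src_ip_ranges  = each.value.direction == "INGRESS" ? try(each.value.source_ranges, null) : null` and the matching `dest_ip_ranges = each.value.direction == "EGRESS" ? try(each.value.destination_ranges, null) : null` keep the style consistent. A `direction` value other than those two leaves both range attributes null, so a typo in the YAML (e.g. lowercase `ingress`) would not fail the plan; if the provider accepts a match with neither range set, the resulting rule would apply to all addresses rather than none, which is the wrong failure mode for a firewall policy — a comment on the two lines noting this, or a check that rejects unknown directions in `local.rules`, would make the intent visible. The `google_compute_firewall_policy_rule` block this hunk edits starts in the previous hunk.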
@ -17,11 +17,10 @@
|
|||
output "hierarchical-firewall-rules" {
|
||||
description = "Generated Hierarchical Firewall Rules"
|
||||
value = {
|
||||
for k, v in google_compute_organization_security_policy_rule.default :
|
||||
for k, v in google_compute_firewall_policy_rule.default :
|
||||
k => {
|
||||
parent_id = split("-", k)[0]
|
||||
id = v.id
|
||||
description = v.match[0].description
|
||||
parent_id = split("-", k)[0]
|
||||
id = v.id
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -25,25 +25,31 @@ def test_firewall(plan_runner):
|
|||
_, resources = plan_runner(FIXTURES_DIR)
|
||||
assert len(resources) == 6
|
||||
assert set(r["type"] for r in resources) == set([
|
||||
"google_compute_organization_security_policy_rule", "google_compute_organization_security_policy_association", "google_compute_organization_security_policy"
|
||||
"google_compute_firewall_policy_rule", "google_compute_firewall_policy_association", "google_compute_firewall_policy"
|
||||
])
|
||||
rule_ssh = [r["values"] for r in resources if r["type"] ==
|
||||
"google_compute_organization_security_policy_rule" and r["values"]["priority"] == 1001]
|
||||
"google_compute_firewall_policy_rule"
|
||||
and r["values"]["priority"] == 1001]
|
||||
rule_icmp = [r["values"] for r in resources if r["type"] ==
|
||||
"google_compute_organization_security_policy_rule" and r["values"]["priority"] == 1000]
|
||||
"google_compute_firewall_policy_rule"
|
||||
and r["values"]["priority"] == 1000]
|
||||
association_org = [r["values"] for r in resources if r["type"] ==
|
||||
"google_compute_organization_security_policy_association" and r["values"]["attachment_id"] == "organizations/1234567890"]
|
||||
"google_compute_firewall_policy_association"
|
||||
and r["values"]["attachment_target"] == "organizations/1234567890"]
|
||||
association_folder = [r["values"] for r in resources if r["type"] ==
|
||||
"google_compute_organization_security_policy_association" and r["values"]["attachment_id"] == "folders/0987654321"]
|
||||
"google_compute_firewall_policy_association"
|
||||
and r["values"]["attachment_target"] == "folders/0987654321"]
|
||||
policies_org = [r["values"] for r in resources if r["type"] ==
|
||||
"google_compute_organization_security_policy" and r["values"]["parent"] == "organizations/1234567890"]
|
||||
"google_compute_firewall_policy"
|
||||
and r["values"]["parent"] == "organizations/1234567890"]
|
||||
policies_folder = [r["values"] for r in resources if r["type"] ==
|
||||
"google_compute_organization_security_policy" and r["values"]["parent"] == "folders/0987654321"]
|
||||
"google_compute_firewall_policy"
|
||||
and r["values"]["parent"] == "folders/0987654321"]
|
||||
|
||||
assert set(rule_ssh[0]["match"][0]["config"][0]["src_ip_ranges"]) == set(
|
||||
assert set(rule_ssh[0]["match"][0]["src_ip_ranges"]) == set(
|
||||
["10.0.0.0/24", "10.0.10.0/24", "192.168.1.1/32"])
|
||||
assert rule_icmp[0]["match"][0]["config"][0]["layer4_config"][0]["ip_protocol"] == "icmp"
|
||||
assert rule_icmp[0]["match"][0]["layer4_configs"][0]["ip_protocol"] == "icmp"
|
||||
assert association_org[0]["name"] == "hierarchical-fw-policy-organizations-1234567890"
|
||||
assert association_folder[0]["name"] == "hierarchical-fw-policy-folders-0987654321"
|
||||
assert policies_org[0]["display_name"] == "hierarchical-fw-policy-organizations-1234567890"
|
||||
assert policies_folder[0]["display_name"] == "hierarchical-fw-policy-folders-0987654321"
|
||||
assert policies_org[0]["short_name"] == "hierarchical-fw-policy-organizations-1234567890"
|
||||
assert policies_folder[0]["short_name"] == "hierarchical-fw-policy-folders-0987654321"
|
||||
|
|
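Review bot: The direction-dependent `dest_ip_ranges` branch added in main.tf is not exercised here: the rule assertions on `src_ip_ranges` and `layer4_configs` only cover INGRESS rules, so a regression that populated `dest_ip_ranges` on an ingress rule, or never set it on an egress one, would still pass. Adding `assert rule_ssh[0]["match"][0]["dest_ip_ranges"] is None` pins the ingress side (assuming plan_runner renders an HCL null as None — confirm against one run), and an EGRESS rule in the fixture would cover the other branch. The `[0]` indexing on `rule_ssh`, `rule_icmp` and the association/policy lists raises IndexError rather than a readable assertion when a filter matches nothing; `assert len(rule_ssh) == 1` and the equivalent for the other lists ahead of the indexing gives a clearer failure. `test_firewall`'s def line is outside the hunk.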