Merge pull request #1322 from GoogleCloudPlatform/jccb/fw-tests
Add inventories to net-vpc-firewall tests
commit
23302b1efd
|
@ -22,7 +22,7 @@ module "firewall" {
|
||||||
admin_ranges = ["10.0.0.0/8"]
|
admin_ranges = ["10.0.0.0/8"]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=4
|
# tftest modules=1 resources=4 inventory=basic.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
### Custom rules
|
### Custom rules
|
||||||
|
@ -77,7 +77,7 @@ module "firewall" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=9
|
# tftest modules=1 resources=9 inventory=custom-rules.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
### Controlling or turning off default rules
|
### Controlling or turning off default rules
|
||||||
|
@ -103,7 +103,7 @@ module "firewall" {
|
||||||
ssh_tags = ["ssh-default"]
|
ssh_tags = ["ssh-default"]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=3
|
# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Disabling predefined rules
|
#### Disabling predefined rules
|
||||||
|
@ -119,7 +119,7 @@ module "firewall" {
|
||||||
ssh_ranges = []
|
ssh_ranges = []
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=2
|
# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
Or the entire set of rules can be disabled via the `disabled` attribute:
|
Or the entire set of rules can be disabled via the `disabled` attribute:
|
||||||
|
@ -133,7 +133,7 @@ module "firewall" {
|
||||||
disabled = true
|
disabled = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=0 resources=0
|
# tftest modules=0 resources=0 inventory=no-default-rules.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
### Including source & destination ranges
|
### Including source & destination ranges
|
||||||
|
@ -163,7 +163,7 @@ module "firewall" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=2
|
# tftest modules=1 resources=2 inventory=local-ranges.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
### Rules Factory
|
### Rules Factory
|
||||||
|
@ -181,7 +181,7 @@ module "firewall" {
|
||||||
}
|
}
|
||||||
default_rules_config = { disabled = true }
|
default_rules_config = { disabled = true }
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=3 files=lbs,cidrs
|
# tftest modules=1 resources=3 files=lbs,cidrs inventory=factory.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
default_rules_config = {
|
|
||||||
admin_ranges = ["10.0.0.0/8"]
|
|
||||||
https_ranges = []
|
|
||||||
}
|
|
|
@ -1,44 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
values:
|
|
||||||
google_compute_firewall.allow-admins[0]:
|
|
||||||
source_ranges:
|
|
||||||
- 10.0.0.0/8
|
|
||||||
google_compute_firewall.allow-tag-http[0]:
|
|
||||||
allow:
|
|
||||||
- ports:
|
|
||||||
- "80"
|
|
||||||
protocol: tcp
|
|
||||||
source_ranges:
|
|
||||||
- 130.211.0.0/22
|
|
||||||
- 209.85.152.0/22
|
|
||||||
- 209.85.204.0/22
|
|
||||||
- 35.191.0.0/16
|
|
||||||
google_compute_firewall.allow-tag-ssh[0]:
|
|
||||||
allow:
|
|
||||||
- ports:
|
|
||||||
- "22"
|
|
||||||
protocol: tcp
|
|
||||||
source_ranges:
|
|
||||||
- 35.235.240.0/20
|
|
||||||
|
|
||||||
counts:
|
|
||||||
google_compute_firewall: 3
|
|
||||||
modules: 0
|
|
||||||
resources: 3
|
|
||||||
|
|
||||||
outputs:
|
|
||||||
default_rules: __missing__
|
|
||||||
rules: {}
|
|
|
@ -1,2 +0,0 @@
|
||||||
project_id = "test-project"
|
|
||||||
network = "test-network"
|
|
|
@ -1,33 +0,0 @@
|
||||||
default_rules_config = {
|
|
||||||
disabled = true
|
|
||||||
}
|
|
||||||
egress_rules = {
|
|
||||||
allow-egress-rfc1918 = {
|
|
||||||
deny = false
|
|
||||||
description = "Allow egress to RFC 1918 ranges."
|
|
||||||
destination_ranges = [
|
|
||||||
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
allow-egress-tag = {
|
|
||||||
deny = false
|
|
||||||
description = "Allow egress from a specific tag to 0/0."
|
|
||||||
targets = ["target-tag"]
|
|
||||||
}
|
|
||||||
deny-egress-all = {
|
|
||||||
description = "Block egress."
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ingress_rules = {
|
|
||||||
allow-ingress-ntp = {
|
|
||||||
description = "Allow NTP service based on tag."
|
|
||||||
targets = ["ntp-svc"]
|
|
||||||
rules = [{ protocol = "udp", ports = [123] }]
|
|
||||||
}
|
|
||||||
allow-ingress-tag = {
|
|
||||||
description = "Allow ingress from a specific tag."
|
|
||||||
source_ranges = []
|
|
||||||
sources = ["client-tag"]
|
|
||||||
targets = ["target-tag"]
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,83 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
values:
|
|
||||||
google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
|
|
||||||
allow:
|
|
||||||
- ports: []
|
|
||||||
protocol: all
|
|
||||||
deny: []
|
|
||||||
description: Allow egress to RFC 1918 ranges.
|
|
||||||
destination_ranges:
|
|
||||||
- 10.0.0.0/8
|
|
||||||
- 172.16.0.0/12
|
|
||||||
- 192.168.0.0/16
|
|
||||||
direction: EGRESS
|
|
||||||
google_compute_firewall.custom-rules["allow-egress-tag"]:
|
|
||||||
allow:
|
|
||||||
- ports: []
|
|
||||||
protocol: all
|
|
||||||
deny: []
|
|
||||||
description: Allow egress from a specific tag to 0/0.
|
|
||||||
destination_ranges:
|
|
||||||
- 0.0.0.0/0
|
|
||||||
direction: EGRESS
|
|
||||||
target_tags:
|
|
||||||
- target-tag
|
|
||||||
google_compute_firewall.custom-rules["allow-ingress-ntp"]:
|
|
||||||
allow:
|
|
||||||
- ports:
|
|
||||||
- "123"
|
|
||||||
protocol: udp
|
|
||||||
deny: []
|
|
||||||
description: Allow NTP service based on tag.
|
|
||||||
direction: INGRESS
|
|
||||||
source_ranges:
|
|
||||||
- 0.0.0.0/0
|
|
||||||
source_service_accounts: null
|
|
||||||
source_tags: null
|
|
||||||
target_tags:
|
|
||||||
- ntp-svc
|
|
||||||
google_compute_firewall.custom-rules["allow-ingress-tag"]:
|
|
||||||
allow:
|
|
||||||
- ports: []
|
|
||||||
protocol: all
|
|
||||||
deny: []
|
|
||||||
description: Allow ingress from a specific tag.
|
|
||||||
direction: INGRESS
|
|
||||||
source_ranges: null
|
|
||||||
source_tags:
|
|
||||||
- client-tag
|
|
||||||
target_tags:
|
|
||||||
- target-tag
|
|
||||||
google_compute_firewall.custom-rules["deny-egress-all"]:
|
|
||||||
allow: []
|
|
||||||
deny:
|
|
||||||
- ports: []
|
|
||||||
protocol: all
|
|
||||||
description: Block egress.
|
|
||||||
direction: EGRESS
|
|
||||||
|
|
||||||
counts:
|
|
||||||
google_compute_firewall: 5
|
|
||||||
modules: 0
|
|
||||||
resources: 5
|
|
||||||
|
|
||||||
outputs:
|
|
||||||
default_rules:
|
|
||||||
admin: []
|
|
||||||
http: []
|
|
||||||
https: []
|
|
||||||
ssh: []
|
|
||||||
rules: __missing__
|
|
|
@ -1,25 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
ingress:
|
|
||||||
allow-healthchecks:
|
|
||||||
description: Allow ingress from healthchecks.
|
|
||||||
source_ranges:
|
|
||||||
- healthchecks
|
|
||||||
targets: ["lb-backends"]
|
|
||||||
rules:
|
|
||||||
- protocol: tcp
|
|
||||||
ports:
|
|
||||||
- 80
|
|
||||||
- 443
|
|
|
@ -0,0 +1,98 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.firewall.google_compute_firewall.allow-admins[0]:
|
||||||
|
allow:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
deny: []
|
||||||
|
disabled: null
|
||||||
|
log_config: []
|
||||||
|
name: my-network-ingress-admins
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags: null
|
||||||
|
module.firewall.google_compute_firewall.allow-tag-http[0]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- '80'
|
||||||
|
protocol: tcp
|
||||||
|
deny: []
|
||||||
|
disabled: null
|
||||||
|
log_config: []
|
||||||
|
name: my-network-ingress-tag-http
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 130.211.0.0/22
|
||||||
|
- 209.85.152.0/22
|
||||||
|
- 209.85.204.0/22
|
||||||
|
- 35.191.0.0/16
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags:
|
||||||
|
- http-server
|
||||||
|
module.firewall.google_compute_firewall.allow-tag-https[0]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- '443'
|
||||||
|
protocol: tcp
|
||||||
|
deny: []
|
||||||
|
disabled: null
|
||||||
|
log_config: []
|
||||||
|
name: my-network-ingress-tag-https
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 130.211.0.0/22
|
||||||
|
- 209.85.152.0/22
|
||||||
|
- 209.85.204.0/22
|
||||||
|
- 35.191.0.0/16
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags:
|
||||||
|
- https-server
|
||||||
|
module.firewall.google_compute_firewall.allow-tag-ssh[0]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- '22'
|
||||||
|
protocol: tcp
|
||||||
|
deny: []
|
||||||
|
disabled: null
|
||||||
|
log_config: []
|
||||||
|
name: my-network-ingress-tag-ssh
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 35.235.240.0/20
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags:
|
||||||
|
- ssh
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_compute_firewall: 4
|
|
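Review bot: This inventory asserts resource values and the `google_compute_firewall` count but carries no `outputs:` block, whereas the inventories this PR removes asserted `default_rules` and `rules` (one of them ends with `default_rules: __missing__` and `rules: {}`), so a regression in the module's outputs is no longer caught by the basic example; the same holds for the other inventory files added or rewritten in this PR. An `outputs:` section with the expected `default_rules` keys and `rules` would restore that coverage; the exact values have to come from the plan, so I have not guessed them. Separately, `allow-admins[0]` is pinned with `protocol: all`, `source_ranges: - 10.0.0.0/8` and `target_tags: null`, which GCP applies to every instance in the network because no target is set; a comment above that entry, `# admin rule is intentionally untargeted: applies to all instances in my-network`, would record that this expectation is deliberate.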
@ -0,0 +1,127 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
# the following 4 rules are already tested by simple.yaml
|
||||||
|
module.firewall.google_compute_firewall.allow-admins[0]: {}
|
||||||
|
module.firewall.google_compute_firewall.allow-tag-http[0]: {}
|
||||||
|
module.firewall.google_compute_firewall.allow-tag-https[0]: {}
|
||||||
|
module.firewall.google_compute_firewall.allow-tag-ssh[0]: {}
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
|
||||||
|
allow:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
deny: []
|
||||||
|
description: Allow egress to RFC 1918 ranges.
|
||||||
|
destination_ranges:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 192.168.0.0/16
|
||||||
|
direction: EGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: allow-egress-rfc1918
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges: null
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags: null
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["allow-egress-tag"]:
|
||||||
|
allow:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
deny: []
|
||||||
|
description: Allow egress from a specific tag to 0/0.
|
||||||
|
destination_ranges:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
direction: EGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: allow-egress-tag
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges: null
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags:
|
||||||
|
- target-tag
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["allow-ingress-ntp"]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- '123'
|
||||||
|
protocol: udp
|
||||||
|
deny: []
|
||||||
|
description: Allow NTP service based on tag.
|
||||||
|
direction: INGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: allow-ingress-ntp
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags:
|
||||||
|
- ntp-svc
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["allow-ingress-tag"]:
|
||||||
|
allow:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
deny: []
|
||||||
|
description: Allow ingress from a specific tag.
|
||||||
|
direction: INGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: allow-ingress-tag
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges: null
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags:
|
||||||
|
- client-tag
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags:
|
||||||
|
- target-tag
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["deny-egress-all"]:
|
||||||
|
allow: []
|
||||||
|
deny:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
description: Block egress.
|
||||||
|
destination_ranges:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
direction: EGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: deny-egress-all
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges: null
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags: null
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_compute_firewall: 9
|
|
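Review bot: The comment on the first line under `values:` says the four default rules are "already tested by simple.yaml", but the README directive in this PR names that inventory `basic.yaml` (`# tftest modules=1 resources=4 inventory=basic.yaml`), so the reference is stale; change it to `# the following 4 rules are already tested by basic.yaml`. Also, `allow-ingress-ntp` is pinned with `source_ranges: - 0.0.0.0/0` and no source tags or service accounts, which the removed tfvars (the rule set no sources) suggests is the module's fallback for an ingress rule without explicit sources; a short comment on that entry, e.g. `# example sets no sources, so the module falls back to 0.0.0.0/0`, would make clear that the open source range is expected rather than an oversight.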
@ -1,4 +1,4 @@
|
||||||
# Copyright 2022 Google LLC
|
# Copyright 2023 Google LLC
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
|
@ -13,42 +13,28 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
values:
|
values:
|
||||||
google_compute_firewall.custom-rules["allow-healthchecks"]:
|
module.firewall.google_compute_firewall.allow-tag-http[0]: {}
|
||||||
|
module.firewall.google_compute_firewall.allow-tag-https[0]: {}
|
||||||
|
module.firewall.google_compute_firewall.allow-tag-ssh[0]:
|
||||||
allow:
|
allow:
|
||||||
- ports:
|
- ports:
|
||||||
- "80"
|
- '22'
|
||||||
- "443"
|
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
deny: []
|
deny: []
|
||||||
description: Allow ingress from healthchecks.
|
description: Allow SSH to machines with matching tags.
|
||||||
direction: INGRESS
|
disabled: null
|
||||||
disabled: false
|
|
||||||
log_config: []
|
log_config: []
|
||||||
name: allow-healthchecks
|
name: my-network-ingress-tag-ssh
|
||||||
network: test-network
|
network: my-network
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: test-project
|
project: my-project
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 130.211.0.0/22
|
- 10.0.0.0/8
|
||||||
- 209.85.152.0/22
|
|
||||||
- 209.85.204.0/22
|
|
||||||
- 35.191.0.0/16
|
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
source_tags: null
|
source_tags: null
|
||||||
target_service_accounts: null
|
target_service_accounts: null
|
||||||
target_tags:
|
target_tags:
|
||||||
- lb-backends
|
- ssh-default
|
||||||
timeouts: null
|
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
google_compute_firewall: 1
|
google_compute_firewall: 3
|
||||||
modules: 0
|
|
||||||
resources: 1
|
|
||||||
|
|
||||||
outputs:
|
|
||||||
default_rules:
|
|
||||||
admin: []
|
|
||||||
http: []
|
|
||||||
https: []
|
|
||||||
ssh: []
|
|
||||||
rules: __missing__
|
|
|
@ -0,0 +1,87 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["allow-healthchecks"]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- '80'
|
||||||
|
- '443'
|
||||||
|
protocol: tcp
|
||||||
|
deny: []
|
||||||
|
description: Allow ingress from healthchecks.
|
||||||
|
direction: INGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: allow-healthchecks
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 130.211.0.0/22
|
||||||
|
- 209.85.152.0/22
|
||||||
|
- 209.85.204.0/22
|
||||||
|
- 35.191.0.0/16
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags:
|
||||||
|
- lb-backends
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["allow-service-1-to-service-2"]:
|
||||||
|
allow:
|
||||||
|
- ports:
|
||||||
|
- '80'
|
||||||
|
- '443'
|
||||||
|
protocol: tcp
|
||||||
|
deny: []
|
||||||
|
description: Allow ingress from service-1 SA
|
||||||
|
direction: INGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: allow-service-1-to-service-2
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
source_service_accounts:
|
||||||
|
- service-1@my-project.iam.gserviceaccount.com
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts:
|
||||||
|
- service-2
|
||||||
|
target_tags: null
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["block-telnet"]:
|
||||||
|
allow: []
|
||||||
|
deny:
|
||||||
|
- ports:
|
||||||
|
- '23'
|
||||||
|
protocol: tcp
|
||||||
|
description: block outbound telnet
|
||||||
|
destination_ranges:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
direction: EGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: block-telnet
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges: null
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags: null
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_compute_firewall: 3
|
|
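Review bot: The `allow-service-1-to-service-2` entry pins `source_ranges: - 0.0.0.0/0` together with `source_service_accounts: - service-1@my-project.iam.gserviceaccount.com`; a GCP firewall rule with both set matches traffic from either source, so as asserted this rule admits any address rather than only service-1, which contradicts its own description (`Allow ingress from service-1 SA`). The `allow-ingress-tag` inventory in this PR pins `source_ranges: null` for a rule that passes an empty list, so the factory rule file for this example should presumably do the same and this expectation become `source_ranges: null`; if the open range is intended, a comment saying so belongs on the entry. The target side is pinned as a bare `service-2` while the source is a full service-account email; worth confirming that is what the example file actually passes.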
@ -0,0 +1,62 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["allow-ingress-source-destination-ranges"]:
|
||||||
|
allow:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
deny: []
|
||||||
|
description: Allow ingress using source and destination ranges
|
||||||
|
destination_ranges:
|
||||||
|
- 10.132.0.0/20
|
||||||
|
- 10.138.0.0/20
|
||||||
|
direction: INGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: allow-ingress-source-destination-ranges
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 172.16.0.0/12
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags: null
|
||||||
|
module.firewall.google_compute_firewall.custom-rules["deny-egress-source-destination-ranges"]:
|
||||||
|
allow: []
|
||||||
|
deny:
|
||||||
|
- ports: []
|
||||||
|
protocol: all
|
||||||
|
description: Deny egress using source and destination ranges
|
||||||
|
destination_ranges:
|
||||||
|
- 172.16.0.0/12
|
||||||
|
direction: EGRESS
|
||||||
|
disabled: false
|
||||||
|
log_config: []
|
||||||
|
name: deny-egress-source-destination-ranges
|
||||||
|
network: my-network
|
||||||
|
priority: 1000
|
||||||
|
project: my-project
|
||||||
|
source_ranges:
|
||||||
|
- 10.132.0.0/20
|
||||||
|
- 10.138.0.0/20
|
||||||
|
source_service_accounts: null
|
||||||
|
source_tags: null
|
||||||
|
target_service_accounts: null
|
||||||
|
target_tags: null
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_compute_firewall: 2
|
|
@ -1,4 +1,4 @@
|
||||||
# Copyright 2022 Google LLC
|
# Copyright 2023 Google LLC
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
|
@ -11,3 +11,9 @@
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
values: {}
|
||||||
|
|
||||||
|
counts:
|
||||||
|
modules: 0
|
||||||
|
resources: 0
|
|
@ -1,4 +1,4 @@
|
||||||
# Copyright 2022 Google LLC
|
# Copyright 2023 Google LLC
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
|
@ -12,8 +12,9 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
healthchecks:
|
values:
|
||||||
- 35.191.0.0/16
|
module.firewall.google_compute_firewall.allow-tag-http[0]: {}
|
||||||
- 130.211.0.0/22
|
module.firewall.google_compute_firewall.allow-tag-https[0]: {}
|
||||||
- 209.85.152.0/22
|
|
||||||
- 209.85.204.0/22
|
counts:
|
||||||
|
google_compute_firewall: 2
|
|
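Review bot: The absence of the ssh default rule, which is what this example is about, is asserted only indirectly through `google_compute_firewall: 2`; the two `{}` entries confirm http and https exist, but nothing names the rule that must not be created. If the inventory format accepts `__missing__` for resources as it does for outputs (the removed inventories used `default_rules: __missing__`), adding `module.firewall.google_compute_firewall.allow-tag-ssh[0]: __missing__` under `values:` would state the intent directly; otherwise a comment `# count of 2 = http + https only; the ssh rule must not be created` would do.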
@ -1,7 +0,0 @@
|
||||||
default_rules_config = {
|
|
||||||
disabled = true
|
|
||||||
}
|
|
||||||
factories_config = {
|
|
||||||
cidr_tpl_file = "../../tests/modules/net_vpc_firewall/data/cidr_template.yaml"
|
|
||||||
rules_folder = "../../tests/modules/net_vpc_firewall/data/firewall"
|
|
||||||
}
|
|
|
@ -1,58 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
import pytest
|
|
||||||
|
|
||||||
|
|
||||||
def test_defaults(plan_runner):
|
|
||||||
"Test variable defaults."
|
|
||||||
_, resources = plan_runner()
|
|
||||||
assert len(resources) == 3
|
|
||||||
assert set([r['type'] for r in resources]) == set(['google_compute_firewall'])
|
|
||||||
assert set([r['values']['name'] for r in resources]) == set([
|
|
||||||
'test-vpc-ingress-tag-http', 'test-vpc-ingress-tag-https',
|
|
||||||
'test-vpc-ingress-tag-ssh'
|
|
||||||
])
|
|
||||||
assert set([r['values']['project'] for r in resources
|
|
||||||
]) == set(['test-project'])
|
|
||||||
assert set([r['values']['network'] for r in resources]) == set(['test-vpc'])
|
|
||||||
|
|
||||||
|
|
||||||
def test_rules(plan_runner):
|
|
||||||
"Test custom rules."
|
|
||||||
_, resources = plan_runner(tf_var_file='test.rules.tfvars')
|
|
||||||
assert len(resources) == 3
|
|
||||||
rules = {r['index']: r['values'] for r in resources}
|
|
||||||
rule = rules['allow-ingress-ntp']
|
|
||||||
assert rule['source_ranges'] == ['0.0.0.0/0']
|
|
||||||
assert rule['allow'] == [{'ports': ['123'], 'protocol': 'udp'}]
|
|
||||||
rule = rules['deny-egress-all']
|
|
||||||
assert rule['destination_ranges'] == ['0.0.0.0/0']
|
|
||||||
assert rule['deny'] == [{'ports': [], 'protocol': 'all'}]
|
|
||||||
|
|
||||||
|
|
||||||
def test_factory(plan_runner):
|
|
||||||
"Test factory."
|
|
||||||
factories_config = '''{
|
|
||||||
cidr_tpl_file = "config/cidr_template.yaml"
|
|
||||||
rules_folder = "config/firewall"
|
|
||||||
}'''
|
|
||||||
_, resources = plan_runner(factories_config=factories_config)
|
|
||||||
assert len(resources) == 4
|
|
||||||
factory_rule = [
|
|
||||||
r for r in resources if r["values"]["name"] == "allow-healthchecks"
|
|
||||||
][0]["values"]
|
|
||||||
assert set(factory_rule["source_ranges"]) == set(
|
|
||||||
["130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"])
|
|
||||||
assert set(factory_rule["target_tags"]) == set(["lb-backends"])
|
|
|
@ -1,21 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
module: modules/net-vpc-firewall
|
|
||||||
common_tfvars:
|
|
||||||
- common.tfvars
|
|
||||||
tests:
|
|
||||||
auto-rules:
|
|
||||||
custom-rules:
|
|
||||||
factory:
|
|