Merge branch 'master' into shielded-dataset-fix
This commit is contained in:
commit
4443fe90f5
|
@ -22,7 +22,7 @@ module "firewall" {
|
|||
admin_ranges = ["10.0.0.0/8"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
# tftest modules=1 resources=4 inventory=basic.yaml
|
||||
```
|
||||
|
||||
### Custom rules
|
||||
|
@ -77,7 +77,7 @@ module "firewall" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=9
|
||||
# tftest modules=1 resources=9 inventory=custom-rules.yaml
|
||||
```
|
||||
|
||||
### Controlling or turning off default rules
|
||||
|
@ -103,7 +103,7 @@ module "firewall" {
|
|||
ssh_tags = ["ssh-default"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3
|
||||
# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml
|
||||
```
|
||||
|
||||
#### Disabling predefined rules
|
||||
|
@ -119,7 +119,7 @@ module "firewall" {
|
|||
ssh_ranges = []
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2
|
||||
# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml
|
||||
```
|
||||
|
||||
Or the entire set of rules can be disabled via the `disabled` attribute:
|
||||
|
@ -133,7 +133,7 @@ module "firewall" {
|
|||
disabled = true
|
||||
}
|
||||
}
|
||||
# tftest modules=0 resources=0
|
||||
# tftest modules=0 resources=0 inventory=no-default-rules.yaml
|
||||
```
|
||||
|
||||
### Including source & destination ranges
|
||||
|
@ -163,7 +163,7 @@ module "firewall" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2
|
||||
# tftest modules=1 resources=2 inventory=local-ranges.yaml
|
||||
```
|
||||
|
||||
### Rules Factory
|
||||
|
@ -181,7 +181,7 @@ module "firewall" {
|
|||
}
|
||||
default_rules_config = { disabled = true }
|
||||
}
|
||||
# tftest modules=1 resources=3 files=lbs,cidrs
|
||||
# tftest modules=1 resources=3 files=lbs,cidrs inventory=factory.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
default_rules_config = {
|
||||
admin_ranges = ["10.0.0.0/8"]
|
||||
https_ranges = []
|
||||
}
|
|
@ -1,44 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
google_compute_firewall.allow-admins[0]:
|
||||
source_ranges:
|
||||
- 10.0.0.0/8
|
||||
google_compute_firewall.allow-tag-http[0]:
|
||||
allow:
|
||||
- ports:
|
||||
- "80"
|
||||
protocol: tcp
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
- 209.85.204.0/22
|
||||
- 35.191.0.0/16
|
||||
google_compute_firewall.allow-tag-ssh[0]:
|
||||
allow:
|
||||
- ports:
|
||||
- "22"
|
||||
protocol: tcp
|
||||
source_ranges:
|
||||
- 35.235.240.0/20
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 3
|
||||
modules: 0
|
||||
resources: 3
|
||||
|
||||
outputs:
|
||||
default_rules: __missing__
|
||||
rules: {}
|
|
@ -1,2 +0,0 @@
|
|||
project_id = "test-project"
|
||||
network = "test-network"
|
|
@ -1,33 +0,0 @@
|
|||
default_rules_config = {
|
||||
disabled = true
|
||||
}
|
||||
egress_rules = {
|
||||
allow-egress-rfc1918 = {
|
||||
deny = false
|
||||
description = "Allow egress to RFC 1918 ranges."
|
||||
destination_ranges = [
|
||||
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
|
||||
]
|
||||
}
|
||||
allow-egress-tag = {
|
||||
deny = false
|
||||
description = "Allow egress from a specific tag to 0/0."
|
||||
targets = ["target-tag"]
|
||||
}
|
||||
deny-egress-all = {
|
||||
description = "Block egress."
|
||||
}
|
||||
}
|
||||
ingress_rules = {
|
||||
allow-ingress-ntp = {
|
||||
description = "Allow NTP service based on tag."
|
||||
targets = ["ntp-svc"]
|
||||
rules = [{ protocol = "udp", ports = [123] }]
|
||||
}
|
||||
allow-ingress-tag = {
|
||||
description = "Allow ingress from a specific tag."
|
||||
source_ranges = []
|
||||
sources = ["client-tag"]
|
||||
targets = ["target-tag"]
|
||||
}
|
||||
}
|
|
@ -1,83 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: all
|
||||
deny: []
|
||||
description: Allow egress to RFC 1918 ranges.
|
||||
destination_ranges:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
direction: EGRESS
|
||||
google_compute_firewall.custom-rules["allow-egress-tag"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: all
|
||||
deny: []
|
||||
description: Allow egress from a specific tag to 0/0.
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
direction: EGRESS
|
||||
target_tags:
|
||||
- target-tag
|
||||
google_compute_firewall.custom-rules["allow-ingress-ntp"]:
|
||||
allow:
|
||||
- ports:
|
||||
- "123"
|
||||
protocol: udp
|
||||
deny: []
|
||||
description: Allow NTP service based on tag.
|
||||
direction: INGRESS
|
||||
source_ranges:
|
||||
- 0.0.0.0/0
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_tags:
|
||||
- ntp-svc
|
||||
google_compute_firewall.custom-rules["allow-ingress-tag"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: all
|
||||
deny: []
|
||||
description: Allow ingress from a specific tag.
|
||||
direction: INGRESS
|
||||
source_ranges: null
|
||||
source_tags:
|
||||
- client-tag
|
||||
target_tags:
|
||||
- target-tag
|
||||
google_compute_firewall.custom-rules["deny-egress-all"]:
|
||||
allow: []
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
description: Block egress.
|
||||
direction: EGRESS
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 5
|
||||
modules: 0
|
||||
resources: 5
|
||||
|
||||
outputs:
|
||||
default_rules:
|
||||
admin: []
|
||||
http: []
|
||||
https: []
|
||||
ssh: []
|
||||
rules: __missing__
|
|
@ -1,25 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
ingress:
|
||||
allow-healthchecks:
|
||||
description: Allow ingress from healthchecks.
|
||||
source_ranges:
|
||||
- healthchecks
|
||||
targets: ["lb-backends"]
|
||||
rules:
|
||||
- protocol: tcp
|
||||
ports:
|
||||
- 80
|
||||
- 443
|
|
@ -0,0 +1,98 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.firewall.google_compute_firewall.allow-admins[0]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: all
|
||||
deny: []
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-admins
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 10.0.0.0/8
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
module.firewall.google_compute_firewall.allow-tag-http[0]:
|
||||
allow:
|
||||
- ports:
|
||||
- '80'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-tag-http
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
- 209.85.204.0/22
|
||||
- 35.191.0.0/16
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags:
|
||||
- http-server
|
||||
module.firewall.google_compute_firewall.allow-tag-https[0]:
|
||||
allow:
|
||||
- ports:
|
||||
- '443'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-tag-https
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
- 209.85.204.0/22
|
||||
- 35.191.0.0/16
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags:
|
||||
- https-server
|
||||
module.firewall.google_compute_firewall.allow-tag-ssh[0]:
|
||||
allow:
|
||||
- ports:
|
||||
- '22'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-tag-ssh
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 35.235.240.0/20
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags:
|
||||
- ssh
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 4
|
|
@ -0,0 +1,127 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
# the following 4 rules are already tested by simple.yaml
|
||||
module.firewall.google_compute_firewall.allow-admins[0]: {}
|
||||
module.firewall.google_compute_firewall.allow-tag-http[0]: {}
|
||||
module.firewall.google_compute_firewall.allow-tag-https[0]: {}
|
||||
module.firewall.google_compute_firewall.allow-tag-ssh[0]: {}
|
||||
module.firewall.google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: all
|
||||
deny: []
|
||||
description: Allow egress to RFC 1918 ranges.
|
||||
destination_ranges:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
direction: EGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: allow-egress-rfc1918
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
module.firewall.google_compute_firewall.custom-rules["allow-egress-tag"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: all
|
||||
deny: []
|
||||
description: Allow egress from a specific tag to 0/0.
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
direction: EGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: allow-egress-tag
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags:
|
||||
- target-tag
|
||||
module.firewall.google_compute_firewall.custom-rules["allow-ingress-ntp"]:
|
||||
allow:
|
||||
- ports:
|
||||
- '123'
|
||||
protocol: udp
|
||||
deny: []
|
||||
description: Allow NTP service based on tag.
|
||||
direction: INGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: allow-ingress-ntp
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 0.0.0.0/0
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags:
|
||||
- ntp-svc
|
||||
module.firewall.google_compute_firewall.custom-rules["allow-ingress-tag"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: all
|
||||
deny: []
|
||||
description: Allow ingress from a specific tag.
|
||||
direction: INGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: allow-ingress-tag
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags:
|
||||
- client-tag
|
||||
target_service_accounts: null
|
||||
target_tags:
|
||||
- target-tag
|
||||
module.firewall.google_compute_firewall.custom-rules["deny-egress-all"]:
|
||||
allow: []
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
description: Block egress.
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
direction: EGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: deny-egress-all
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 9
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -13,42 +13,28 @@
|
|||
# limitations under the License.
|
||||
|
||||
values:
|
||||
google_compute_firewall.custom-rules["allow-healthchecks"]:
|
||||
module.firewall.google_compute_firewall.allow-tag-http[0]: {}
|
||||
module.firewall.google_compute_firewall.allow-tag-https[0]: {}
|
||||
module.firewall.google_compute_firewall.allow-tag-ssh[0]:
|
||||
allow:
|
||||
- ports:
|
||||
- "80"
|
||||
- "443"
|
||||
protocol: tcp
|
||||
- ports:
|
||||
- '22'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
description: Allow ingress from healthchecks.
|
||||
direction: INGRESS
|
||||
disabled: false
|
||||
description: Allow SSH to machines with matching tags.
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: allow-healthchecks
|
||||
network: test-network
|
||||
name: my-network-ingress-tag-ssh
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: test-project
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
- 209.85.204.0/22
|
||||
- 35.191.0.0/16
|
||||
- 10.0.0.0/8
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags:
|
||||
- lb-backends
|
||||
timeouts: null
|
||||
- ssh-default
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 1
|
||||
modules: 0
|
||||
resources: 1
|
||||
|
||||
outputs:
|
||||
default_rules:
|
||||
admin: []
|
||||
http: []
|
||||
https: []
|
||||
ssh: []
|
||||
rules: __missing__
|
||||
google_compute_firewall: 3
|
|
@ -0,0 +1,87 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.firewall.google_compute_firewall.custom-rules["allow-healthchecks"]:
|
||||
allow:
|
||||
- ports:
|
||||
- '80'
|
||||
- '443'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
description: Allow ingress from healthchecks.
|
||||
direction: INGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: allow-healthchecks
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
- 209.85.204.0/22
|
||||
- 35.191.0.0/16
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags:
|
||||
- lb-backends
|
||||
module.firewall.google_compute_firewall.custom-rules["allow-service-1-to-service-2"]:
|
||||
allow:
|
||||
- ports:
|
||||
- '80'
|
||||
- '443'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
description: Allow ingress from service-1 SA
|
||||
direction: INGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: allow-service-1-to-service-2
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 0.0.0.0/0
|
||||
source_service_accounts:
|
||||
- service-1@my-project.iam.gserviceaccount.com
|
||||
source_tags: null
|
||||
target_service_accounts:
|
||||
- service-2
|
||||
target_tags: null
|
||||
module.firewall.google_compute_firewall.custom-rules["block-telnet"]:
|
||||
allow: []
|
||||
deny:
|
||||
- ports:
|
||||
- '23'
|
||||
protocol: tcp
|
||||
description: block outbound telnet
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
direction: EGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: block-telnet
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 3
|
|
@ -0,0 +1,62 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.firewall.google_compute_firewall.custom-rules["allow-ingress-source-destination-ranges"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: all
|
||||
deny: []
|
||||
description: Allow ingress using source and destination ranges
|
||||
destination_ranges:
|
||||
- 10.132.0.0/20
|
||||
- 10.138.0.0/20
|
||||
direction: INGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: allow-ingress-source-destination-ranges
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 172.16.0.0/12
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
module.firewall.google_compute_firewall.custom-rules["deny-egress-source-destination-ranges"]:
|
||||
allow: []
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
description: Deny egress using source and destination ranges
|
||||
destination_ranges:
|
||||
- 172.16.0.0/12
|
||||
direction: EGRESS
|
||||
disabled: false
|
||||
log_config: []
|
||||
name: deny-egress-source-destination-ranges
|
||||
network: my-network
|
||||
priority: 1000
|
||||
project: my-project
|
||||
source_ranges:
|
||||
- 10.132.0.0/20
|
||||
- 10.138.0.0/20
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 2
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -11,3 +11,9 @@
|
|||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values: {}
|
||||
|
||||
counts:
|
||||
modules: 0
|
||||
resources: 0
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -12,8 +12,9 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
healthchecks:
|
||||
- 35.191.0.0/16
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
- 209.85.204.0/22
|
||||
values:
|
||||
module.firewall.google_compute_firewall.allow-tag-http[0]: {}
|
||||
module.firewall.google_compute_firewall.allow-tag-https[0]: {}
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 2
|
|
@ -1,7 +0,0 @@
|
|||
default_rules_config = {
|
||||
disabled = true
|
||||
}
|
||||
factories_config = {
|
||||
cidr_tpl_file = "../../tests/modules/net_vpc_firewall/data/cidr_template.yaml"
|
||||
rules_folder = "../../tests/modules/net_vpc_firewall/data/firewall"
|
||||
}
|
|
@ -1,58 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import pytest
|
||||
|
||||
|
||||
def test_defaults(plan_runner):
|
||||
"Test variable defaults."
|
||||
_, resources = plan_runner()
|
||||
assert len(resources) == 3
|
||||
assert set([r['type'] for r in resources]) == set(['google_compute_firewall'])
|
||||
assert set([r['values']['name'] for r in resources]) == set([
|
||||
'test-vpc-ingress-tag-http', 'test-vpc-ingress-tag-https',
|
||||
'test-vpc-ingress-tag-ssh'
|
||||
])
|
||||
assert set([r['values']['project'] for r in resources
|
||||
]) == set(['test-project'])
|
||||
assert set([r['values']['network'] for r in resources]) == set(['test-vpc'])
|
||||
|
||||
|
||||
def test_rules(plan_runner):
|
||||
"Test custom rules."
|
||||
_, resources = plan_runner(tf_var_file='test.rules.tfvars')
|
||||
assert len(resources) == 3
|
||||
rules = {r['index']: r['values'] for r in resources}
|
||||
rule = rules['allow-ingress-ntp']
|
||||
assert rule['source_ranges'] == ['0.0.0.0/0']
|
||||
assert rule['allow'] == [{'ports': ['123'], 'protocol': 'udp'}]
|
||||
rule = rules['deny-egress-all']
|
||||
assert rule['destination_ranges'] == ['0.0.0.0/0']
|
||||
assert rule['deny'] == [{'ports': [], 'protocol': 'all'}]
|
||||
|
||||
|
||||
def test_factory(plan_runner):
|
||||
"Test factory."
|
||||
factories_config = '''{
|
||||
cidr_tpl_file = "config/cidr_template.yaml"
|
||||
rules_folder = "config/firewall"
|
||||
}'''
|
||||
_, resources = plan_runner(factories_config=factories_config)
|
||||
assert len(resources) == 4
|
||||
factory_rule = [
|
||||
r for r in resources if r["values"]["name"] == "allow-healthchecks"
|
||||
][0]["values"]
|
||||
assert set(factory_rule["source_ranges"]) == set(
|
||||
["130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"])
|
||||
assert set(factory_rule["target_tags"]) == set(["lb-backends"])
|
|
@ -1,21 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
module: modules/net-vpc-firewall
|
||||
common_tfvars:
|
||||
- common.tfvars
|
||||
tests:
|
||||
auto-rules:
|
||||
custom-rules:
|
||||
factory:
|
Loading…
Reference in New Issue