Merge pull request #173 from terraform-google-modules/hierarchical-firewall
Add support for hierarchical firewalls
commit
6154cdce1c
@ -41,6 +41,48 @@ module "folder" {
|
||||||
# tftest:modules=1:resources=4
|
# tftest:modules=1:resources=4
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Hierarchical firewall policies
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "folder1" {
|
||||||
|
source = "./modules/folder"
|
||||||
|
parent = var.organization_id
|
||||||
|
name = "policy-container"
|
||||||
|
|
||||||
|
firewall_policies = {
|
||||||
|
iap-policy = {
|
||||||
|
allow-iap-ssh = {
|
||||||
|
description = "Always allow ssh from IAP"
|
||||||
|
direction = "INGRESS"
|
||||||
|
action = "allow"
|
||||||
|
priority = 100
|
||||||
|
ranges = ["35.235.240.0/20"]
|
||||||
|
ports = {
|
||||||
|
tcp = ["22"]
|
||||||
|
}
|
||||||
|
target_service_accounts = null
|
||||||
|
target_resources = null
|
||||||
|
logging = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
firewall_policy_attachments = {
|
||||||
|
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module "folder2" {
|
||||||
|
source = "./modules/folder"
|
||||||
|
parent = var.organization_id
|
||||||
|
name = "hf2"
|
||||||
|
firewall_policy_attachments = {
|
||||||
|
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest:modules=2:resources=6
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
|
@ -48,6 +90,8 @@ module "folder" {
|
||||||
|---|---|:---: |:---:|:---:|
|
|---|---|:---: |:---:|:---:|
|
||||||
| name | Folder name. | <code title="">string</code> | ✓ | |
|
| name | Folder name. | <code title="">string</code> | ✓ | |
|
||||||
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string validation { condition = can(regex("(organizations|folders)/[0-9]+", var.parent)) error_message = "Parent must be of the form folders/folder_id or organizations/organization_id." }">string</code> | ✓ | |
|
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string validation { condition = can(regex("(organizations|folders)/[0-9]+", var.parent)) error_message = "Parent must be of the form folders/folder_id or organizations/organization_id." }">string</code> | ✓ | |
|
||||||
|
| *firewall_policies* | Hierarchical firewall policies to *create* in this folder. | <code title="map(map(object({ description = string direction = string action = string priority = number ranges = list(string) ports = map(list(string)) target_service_accounts = list(string) target_resources = list(string) logging = bool })))">map(map(object({...})))</code> | | <code title="">{}</code> |
|
||||||
|
| *firewall_policy_attachments* | List of hierarchical firewall policy IDs to *attach* to this folder. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||||
| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
|
@ -56,6 +100,8 @@ module "folder" {
|
||||||
|
|
||||||
| name | description | sensitive |
|
| name | description | sensitive |
|
||||||
|---|---|:---:|
|
|---|---|:---:|
|
||||||
|
| firewall_policies | Map of firewall policy resources created in this folder. | |
|
||||||
|
| firewall_policy_id | Map of firewall policy ids created in this folder. | |
|
||||||
| folder | Folder resource. | |
|
| folder | Folder resource. | |
|
||||||
| id | Folder id. | |
|
| id | Folder id. | |
|
||||||
| name | Folder name. | |
|
| name | Folder name. | |
|
||||||
|
|
|
@ -14,6 +14,18 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
locals {
|
||||||
|
extended_rules = flatten([
|
||||||
|
for policy, rules in var.firewall_policies : [
|
||||||
|
for rule_name, rule in rules :
|
||||||
|
merge(rule, { policy = policy, name = rule_name })
|
||||||
|
]
|
||||||
|
])
|
||||||
|
rules_map = {
|
||||||
|
for rule in local.extended_rules :
|
||||||
|
"${rule.policy}-${rule.name}" => rule
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_folder" "folder" {
|
resource "google_folder" "folder" {
|
||||||
display_name = var.name
|
display_name = var.name
|
||||||
|
@ -99,3 +111,48 @@ resource "google_folder_organization_policy" "list" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_compute_organization_security_policy" "policy" {
|
||||||
|
provider = google-beta
|
||||||
|
for_each = var.firewall_policies
|
||||||
|
|
||||||
|
display_name = each.key
|
||||||
|
parent = google_folder.folder.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_compute_organization_security_policy_rule" "rule" {
|
||||||
|
provider = google-beta
|
||||||
|
for_each = local.rules_map
|
||||||
|
|
||||||
|
policy_id = google_compute_organization_security_policy.policy[each.value.policy].id
|
||||||
|
action = each.value.action
|
||||||
|
direction = each.value.direction
|
||||||
|
priority = each.value.priority
|
||||||
|
target_resources = each.value.target_resources
|
||||||
|
target_service_accounts = each.value.target_service_accounts
|
||||||
|
enable_logging = each.value.logging
|
||||||
|
# preview = each.value.preview
|
||||||
|
match {
|
||||||
|
description = each.value.description
|
||||||
|
config {
|
||||||
|
src_ip_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
|
||||||
|
dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
|
||||||
|
dynamic "layer4_config" {
|
||||||
|
for_each = each.value.ports
|
||||||
|
iterator = port
|
||||||
|
content {
|
||||||
|
ip_protocol = port.key
|
||||||
|
ports = port.value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_compute_organization_security_policy_association" "attachment" {
|
||||||
|
provider = google-beta
|
||||||
|
for_each = var.firewall_policy_attachments
|
||||||
|
name = "${google_folder.folder.id}-${each.key}"
|
||||||
|
attachment_id = google_folder.folder.id
|
||||||
|
policy_id = each.value
|
||||||
|
}
|
||||||
|
|
|
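Review bot: The `rules_map` key `"${rule.policy}-${rule.name}"` built in this file's locals hunk is ambiguous once policy or rule names themselves contain `-`: policy `a-b` with rule `c` and policy `a` with rule `b-c` both map to `a-b-c`, and Terraform should reject the duplicate object key at plan time but without naming the colliding pair. A separator that the README examples never use in names, e.g. `"${rule.policy}/${rule.name}" => rule`, removes the ambiguity; note the tests on this page pin the current index (`'policy1-allow-ingress'`), so they change with it, and the organization module's main.tf hunk further down has the same locals. Separately, `# preview = each.value.preview` in the `rule` resource is commented-out code on both modules; a TODO stating what blocks it, or dropping the line, reads better than dead code.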
@ -33,3 +33,19 @@ output "name" {
|
||||||
description = "Folder name."
|
description = "Folder name."
|
||||||
value = google_folder.folder.display_name
|
value = google_folder.folder.display_name
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "firewall_policies" {
|
||||||
|
description = "Map of firewall policy resources created in this folder."
|
||||||
|
value = {
|
||||||
|
for name, _ in var.firewall_policies :
|
||||||
|
name => google_compute_organization_security_policy.policy[name]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
output "firewall_policy_id" {
|
||||||
|
description = "Map of firewall policy ids created in this folder."
|
||||||
|
value = {
|
||||||
|
for name, _ in var.firewall_policies :
|
||||||
|
name => google_compute_organization_security_policy.policy[name].id
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
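Review bot: `firewall_policies` iterates `var.firewall_policies` only to index a map that already exists as the `for_each` result, so `value = google_compute_organization_security_policy.policy` is equivalent and drops the indirection; `firewall_policy_id` can then read `value = { for k, v in google_compute_organization_security_policy.policy : k => v.id }`, which keeps both outputs visibly derived from the same resource. The descriptions could also say what the keys are, e.g. `Map of firewall policy resources created in this folder, keyed by policy name.`, since callers index the output by that name. The organization module's outputs.tf hunk further down has the same shape.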
@ -50,3 +50,25 @@ variable "policy_list" {
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "firewall_policies" {
|
||||||
|
description = "Hierarchical firewall policies to *create* in this folder."
|
||||||
|
type = map(map(object({
|
||||||
|
description = string
|
||||||
|
direction = string
|
||||||
|
action = string
|
||||||
|
priority = number
|
||||||
|
ranges = list(string)
|
||||||
|
ports = map(list(string))
|
||||||
|
target_service_accounts = list(string)
|
||||||
|
target_resources = list(string)
|
||||||
|
logging = bool
|
||||||
|
})))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "firewall_policy_attachments" {
|
||||||
|
description = "List of hierarchical firewall policy IDs to *attach* to this folder."
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
|
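Review bot: `firewall_policies` accepts any string for `direction`, but main.tf in this commit derives `src_ip_ranges`/`dest_ip_ranges` from `direction == "INGRESS"` and `== "EGRESS"`, so a value such as `ingress` yields a rule with neither range set and the mistake surfaces, if at all, only from the API. Since the module already uses a `validation` block on `parent`, the same mechanism can reject bad values at plan time with a message that names the constraint; the same can be done for `action` once the accepted set is confirmed against the provider. The `firewall_policy_attachments` description says `List of hierarchical firewall policy IDs` while the type is `map(string)` and the keys become part of the association name; `Map of hierarchical firewall policy IDs to *attach* to this folder, keyed by a name used in the association resource.` matches the type. Both points apply equally to the organization module's variables.tf hunk below.
```hcl
variable "firewall_policies" {
  # … unchanged: description, type, default …
  validation {
    condition = length(flatten([
      for rules in var.firewall_policies : [
        for rule in rules : rule
        if !contains(["INGRESS", "EGRESS"], rule.direction)
      ]
    ])) == 0
    error_message = "Rule direction must be INGRESS or EGRESS."
  }
}
```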
@ -30,6 +30,35 @@ module "org" {
|
||||||
# tftest:modules=1:resources=4
|
# tftest:modules=1:resources=4
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Hierarchical firewall rules
|
||||||
|
```hcl
|
||||||
|
module "org" {
|
||||||
|
source = "./modules/organization"
|
||||||
|
org_id = 11223344
|
||||||
|
firewall_policies = {
|
||||||
|
iap-policy = {
|
||||||
|
allow-iap-ssh = {
|
||||||
|
description = "Always allow ssh from IAP"
|
||||||
|
direction = "INGRESS"
|
||||||
|
action = "allow"
|
||||||
|
priority = 100
|
||||||
|
ranges = ["35.235.240.0/20"]
|
||||||
|
ports = {
|
||||||
|
tcp = ["22"]
|
||||||
|
}
|
||||||
|
target_service_accounts = null
|
||||||
|
target_resources = null
|
||||||
|
logging = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
firewall_policy_attachments = {
|
||||||
|
iap_policy = module.org.firewall_policy_id["iap-policy"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest:modules=1:resources=3
|
||||||
|
```
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
|
@ -37,6 +66,8 @@ module "org" {
|
||||||
|---|---|:---: |:---:|:---:|
|
|---|---|:---: |:---:|:---:|
|
||||||
| org_id | Organization id in nnnnnn format. | <code title="">number</code> | ✓ | |
|
| org_id | Organization id in nnnnnn format. | <code title="">number</code> | ✓ | |
|
||||||
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
|
| *firewall_policies* | Hierarchical firewall policies to *create* in the organization. | <code title="map(map(object({ description = string direction = string action = string priority = number ranges = list(string) ports = map(list(string)) target_service_accounts = list(string) target_resources = list(string) logging = bool })))">map(map(object({...})))</code> | | <code title="">{}</code> |
|
||||||
|
| *firewall_policy_attachments* | List of hierarchical firewall policy IDs to *attach* to the organization | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||||
| *iam* | IAM bindings, in {ROLE => [MEMBERS]} format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *iam* | IAM bindings, in {ROLE => [MEMBERS]} format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
| *iam_additive* | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *iam_additive* | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
|
@ -48,5 +79,7 @@ module "org" {
|
||||||
|
|
||||||
| name | description | sensitive |
|
| name | description | sensitive |
|
||||||
|---|---|:---:|
|
|---|---|:---:|
|
||||||
|
| firewall_policies | Map of firewall policy resources created in the organization. | |
|
||||||
|
| firewall_policy_id | Map of firewall policy ids created in the organization. | |
|
||||||
| org_id | Organization id dependent on module resources. | |
|
| org_id | Organization id dependent on module resources. | |
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -29,6 +29,16 @@ locals {
|
||||||
for pair in concat(local.iam_additive_pairs, local.iam_additive_member_pairs) :
|
for pair in concat(local.iam_additive_pairs, local.iam_additive_member_pairs) :
|
||||||
"${pair.role}-${pair.member}" => pair
|
"${pair.role}-${pair.member}" => pair
|
||||||
}
|
}
|
||||||
|
extended_rules = flatten([
|
||||||
|
for policy, rules in var.firewall_policies : [
|
||||||
|
for rule_name, rule in rules :
|
||||||
|
merge(rule, { policy = policy, name = rule_name })
|
||||||
|
]
|
||||||
|
])
|
||||||
|
rules_map = {
|
||||||
|
for rule in local.extended_rules :
|
||||||
|
"${rule.policy}-${rule.name}" => rule
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_organization_iam_custom_role" "roles" {
|
resource "google_organization_iam_custom_role" "roles" {
|
||||||
|
@ -144,3 +154,48 @@ resource "google_organization_policy" "list" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_compute_organization_security_policy" "policy" {
|
||||||
|
provider = google-beta
|
||||||
|
for_each = var.firewall_policies
|
||||||
|
|
||||||
|
display_name = each.key
|
||||||
|
parent = "organizations/${var.org_id}"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_compute_organization_security_policy_rule" "rule" {
|
||||||
|
provider = google-beta
|
||||||
|
for_each = local.rules_map
|
||||||
|
|
||||||
|
policy_id = google_compute_organization_security_policy.policy[each.value.policy].id
|
||||||
|
action = each.value.action
|
||||||
|
direction = each.value.direction
|
||||||
|
priority = each.value.priority
|
||||||
|
target_resources = each.value.target_resources
|
||||||
|
target_service_accounts = each.value.target_service_accounts
|
||||||
|
enable_logging = each.value.logging
|
||||||
|
# preview = each.value.preview
|
||||||
|
match {
|
||||||
|
description = each.value.description
|
||||||
|
config {
|
||||||
|
src_ip_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null
|
||||||
|
dest_ip_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null
|
||||||
|
dynamic "layer4_config" {
|
||||||
|
for_each = each.value.ports
|
||||||
|
iterator = port
|
||||||
|
content {
|
||||||
|
ip_protocol = port.key
|
||||||
|
ports = port.value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_compute_organization_security_policy_association" "attachment" {
|
||||||
|
provider = google-beta
|
||||||
|
for_each = var.firewall_policy_attachments
|
||||||
|
name = "organizations/${var.org_id}-${each.key}"
|
||||||
|
attachment_id = "organizations/${var.org_id}"
|
||||||
|
policy_id = each.value
|
||||||
|
}
|
||||||
|
|
|
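Review bot: `"organizations/${var.org_id}"` is spelled out three times in this hunk (the policy `parent`, the association `name` and its `attachment_id`), which is the kind of literal that drifts; a single `organization_id = "organizations/${var.org_id}"` entry in this file's `locals` block, referenced as `local.organization_id`, keeps them in step and mirrors the folder module, where `google_folder.folder.id` plays that role. The `rule` resource's commented-out `# preview = each.value.preview` is dead code (the folder module carries the same line and this module's variables.tf the matching `#preview = bool`); a TODO stating why it is disabled, or removing the line, reads better.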
@ -26,3 +26,19 @@ output "org_id" {
|
||||||
google_organization_policy.list
|
google_organization_policy.list
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "firewall_policies" {
|
||||||
|
description = "Map of firewall policy resources created in the organization."
|
||||||
|
value = {
|
||||||
|
for name, _ in var.firewall_policies :
|
||||||
|
name => google_compute_organization_security_policy.policy[name]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
output "firewall_policy_id" {
|
||||||
|
description = "Map of firewall policy ids created in the organization."
|
||||||
|
value = {
|
||||||
|
for name, _ in var.firewall_policies :
|
||||||
|
name => google_compute_organization_security_policy.policy[name].id
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -70,3 +70,27 @@ variable "policy_list" {
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "firewall_policies" {
|
||||||
|
description = "Hierarchical firewall policies to *create* in the organization."
|
||||||
|
type = map(map(object({
|
||||||
|
description = string
|
||||||
|
direction = string
|
||||||
|
action = string
|
||||||
|
priority = number
|
||||||
|
ranges = list(string)
|
||||||
|
ports = map(list(string))
|
||||||
|
target_service_accounts = list(string)
|
||||||
|
target_resources = list(string)
|
||||||
|
logging = bool
|
||||||
|
#preview = bool
|
||||||
|
})))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "firewall_policy_attachments" {
|
||||||
|
description = "List of hierarchical firewall policy IDs to *attach* to the organization"
|
||||||
|
# set to avoid manual casting with toset()
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
|
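Review bot: The comment `# set to avoid manual casting with toset()` above `type = map(string)` in `firewall_policy_attachments` is stale: the type is a map, not a set, and nothing on this page converts it. Drop it, or replace it with `# keyed by an attachment name; values are policy ids such as module.<name>.firewall_policy_id[...]`, which describes how main.tf uses the keys. The description also lacks the trailing period the folder module's copy has, and `#preview = bool` inside the object type is commented-out code with no folder-side counterpart; either remove it or mark it with a TODO stating why it is disabled, so the two modules stay symmetric.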
@ -15,7 +15,7 @@
|
||||||
# common variables used for examples
|
# common variables used for examples
|
||||||
|
|
||||||
variable "organization_id" {
|
variable "organization_id" {
|
||||||
default = "organization/organization"
|
default = "organizations/1122334455"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "project_id" {
|
variable "project_id" {
|
||||||
|
|
|
@ -15,10 +15,12 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
module "test" {
|
module "test" {
|
||||||
source = "../../../../modules/folder"
|
source = "../../../../modules/folder"
|
||||||
parent = "organizations/12345678"
|
parent = "organizations/12345678"
|
||||||
name = "folder-a"
|
name = "folder-a"
|
||||||
iam = var.iam
|
iam = var.iam
|
||||||
policy_boolean = var.policy_boolean
|
policy_boolean = var.policy_boolean
|
||||||
policy_list = var.policy_list
|
policy_list = var.policy_list
|
||||||
|
firewall_policies = var.firewall_policies
|
||||||
|
firewall_policy_attachments = var.firewall_policy_attachments
|
||||||
}
|
}
|
||||||
|
|
|
@ -33,3 +33,23 @@ variable "policy_list" {
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "firewall_policies" {
|
||||||
|
type = map(map(object({
|
||||||
|
description = string
|
||||||
|
direction = string
|
||||||
|
action = string
|
||||||
|
priority = number
|
||||||
|
ranges = list(string)
|
||||||
|
ports = map(list(string))
|
||||||
|
target_service_accounts = list(string)
|
||||||
|
target_resources = list(string)
|
||||||
|
logging = bool
|
||||||
|
})))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "firewall_policy_attachments" {
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,97 @@
|
||||||
|
# Copyright 2020 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
import os
|
||||||
|
import pytest
|
||||||
|
|
||||||
|
|
||||||
|
FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
||||||
|
|
||||||
|
|
||||||
|
def test_firweall_policy(plan_runner):
|
||||||
|
"Test boolean folder policy."
|
||||||
|
policy = """
|
||||||
|
{
|
||||||
|
policy1 = {
|
||||||
|
allow-ingress = {
|
||||||
|
description = ""
|
||||||
|
direction = "INGRESS"
|
||||||
|
action = "allow"
|
||||||
|
priority = 100
|
||||||
|
ranges = ["10.0.0.0/8"]
|
||||||
|
ports = {
|
||||||
|
tcp = ["22"]
|
||||||
|
}
|
||||||
|
target_service_accounts = null
|
||||||
|
target_resources = null
|
||||||
|
logging = false
|
||||||
|
}
|
||||||
|
deny-egress = {
|
||||||
|
description = ""
|
||||||
|
direction = "EGRESS"
|
||||||
|
action = "deny"
|
||||||
|
priority = 200
|
||||||
|
ranges = ["192.168.0.0/24"]
|
||||||
|
ports = {
|
||||||
|
tcp = ["443"]
|
||||||
|
}
|
||||||
|
target_service_accounts = null
|
||||||
|
target_resources = null
|
||||||
|
logging = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
attachment = '{ iap_policy = "policy1" }'
|
||||||
|
_, resources = plan_runner(FIXTURES_DIR, firewall_policies=policy,
|
||||||
|
firewall_policy_attachments=attachment)
|
||||||
|
assert len(resources) == 5
|
||||||
|
|
||||||
|
policies = [r for r in resources
|
||||||
|
if r['type'] == 'google_compute_organization_security_policy']
|
||||||
|
assert len(policies) == 1
|
||||||
|
|
||||||
|
rules = [r for r in resources
|
||||||
|
if r['type'] == 'google_compute_organization_security_policy_rule']
|
||||||
|
assert len(rules) == 2
|
||||||
|
|
||||||
|
rule_values = []
|
||||||
|
for rule in rules:
|
||||||
|
name = rule['name']
|
||||||
|
index = rule['index']
|
||||||
|
action = rule['values']['action']
|
||||||
|
direction = rule['values']['direction']
|
||||||
|
priority = rule['values']['priority']
|
||||||
|
config = rule['values']['match']
|
||||||
|
assert len(config) == 1
|
||||||
|
config = config[0]['config']
|
||||||
|
rule_values.append((name, index, action, direction, priority, config))
|
||||||
|
|
||||||
|
assert sorted(rule_values) == sorted([
|
||||||
|
('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[
|
||||||
|
{
|
||||||
|
'dest_ip_ranges': None,
|
||||||
|
'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}],
|
||||||
|
'src_ip_ranges': ['10.0.0.0/8']
|
||||||
|
}]),
|
||||||
|
('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [
|
||||||
|
{
|
||||||
|
'dest_ip_ranges': ['192.168.0.0/24'],
|
||||||
|
'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}],
|
||||||
|
'src_ip_ranges': None
|
||||||
|
}])
|
||||||
|
])
|
||||||
|
|
||||||
|
|
|
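Review bot: `test_firweall_policy` misspells its own name and its docstring `"Test boolean folder policy."` is copied from another test; `def test_firewall_policy(plan_runner):` with `"Test hierarchical firewall policy, rules and attachment."` says what it checks. The test counts five resources but never looks at the association: `firewall_policy_attachments` is passed in, yet nothing asserts that a `google_compute_organization_security_policy_association` is planned with its `policy_id`, so a regression there would show up only as a count change. Two lines cover it, assuming the plan runner exposes known values as it does for `action`: `attachments = [r for r in resources if r['type'] == 'google_compute_organization_security_policy_association']` and `assert len(attachments) == 1 and attachments[0]['values']['policy_id'] == 'policy1'`. `import pytest` is unused in the new file. The copy of this test appended to the organization test file at the end of the page has the same issues.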
@ -15,13 +15,15 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
module "test" {
|
module "test" {
|
||||||
source = "../../../../modules/organization"
|
source = "../../../../modules/organization"
|
||||||
org_id = 1234567890
|
org_id = 1234567890
|
||||||
custom_roles = var.custom_roles
|
custom_roles = var.custom_roles
|
||||||
iam = var.iam
|
iam = var.iam
|
||||||
iam_additive = var.iam_additive
|
iam_additive = var.iam_additive
|
||||||
iam_additive_members = var.iam_additive_members
|
iam_additive_members = var.iam_additive_members
|
||||||
iam_audit_config = var.iam_audit_config
|
iam_audit_config = var.iam_audit_config
|
||||||
policy_boolean = var.policy_boolean
|
policy_boolean = var.policy_boolean
|
||||||
policy_list = var.policy_list
|
policy_list = var.policy_list
|
||||||
|
firewall_policies = var.firewall_policies
|
||||||
|
firewall_policy_attachments = var.firewall_policy_attachments
|
||||||
}
|
}
|
||||||
|
|
|
@ -53,3 +53,23 @@ variable "policy_list" {
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "firewall_policies" {
|
||||||
|
type = map(map(object({
|
||||||
|
description = string
|
||||||
|
direction = string
|
||||||
|
action = string
|
||||||
|
priority = number
|
||||||
|
ranges = list(string)
|
||||||
|
ports = map(list(string))
|
||||||
|
target_service_accounts = list(string)
|
||||||
|
target_resources = list(string)
|
||||||
|
logging = bool
|
||||||
|
})))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "firewall_policy_attachments" {
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
|
@ -75,8 +75,6 @@ def test_policy_list(plan_runner):
|
||||||
'}'
|
'}'
|
||||||
)
|
)
|
||||||
_, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
|
_, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
|
||||||
# from pprint import pprint
|
|
||||||
# pprint(resources)
|
|
||||||
assert len(resources) == 3
|
assert len(resources) == 3
|
||||||
values = [r['values'] for r in resources]
|
values = [r['values'] for r in resources]
|
||||||
assert [r['constraint']
|
assert [r['constraint']
|
||||||
|
@ -86,3 +84,78 @@ def test_policy_list(plan_runner):
|
||||||
assert values[1]['list_policy'][0]['deny'] == [
|
assert values[1]['list_policy'][0]['deny'] == [
|
||||||
{'all': False, 'values': ["bar"]}]
|
{'all': False, 'values': ["bar"]}]
|
||||||
assert values[2]['restore_policy'] == [{'default': True}]
|
assert values[2]['restore_policy'] == [{'default': True}]
|
||||||
|
|
||||||
|
|
||||||
|
def test_firweall_policy(plan_runner):
|
||||||
|
"Test boolean folder policy."
|
||||||
|
policy = """
|
||||||
|
{
|
||||||
|
policy1 = {
|
||||||
|
allow-ingress = {
|
||||||
|
description = ""
|
||||||
|
direction = "INGRESS"
|
||||||
|
action = "allow"
|
||||||
|
priority = 100
|
||||||
|
ranges = ["10.0.0.0/8"]
|
||||||
|
ports = {
|
||||||
|
tcp = ["22"]
|
||||||
|
}
|
||||||
|
target_service_accounts = null
|
||||||
|
target_resources = null
|
||||||
|
logging = false
|
||||||
|
}
|
||||||
|
deny-egress = {
|
||||||
|
description = ""
|
||||||
|
direction = "EGRESS"
|
||||||
|
action = "deny"
|
||||||
|
priority = 200
|
||||||
|
ranges = ["192.168.0.0/24"]
|
||||||
|
ports = {
|
||||||
|
tcp = ["443"]
|
||||||
|
}
|
||||||
|
target_service_accounts = null
|
||||||
|
target_resources = null
|
||||||
|
logging = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
attachment = '{ iap_policy = "policy1" }'
|
||||||
|
_, resources = plan_runner(FIXTURES_DIR, firewall_policies=policy,
|
||||||
|
firewall_policy_attachments=attachment)
|
||||||
|
assert len(resources) == 4
|
||||||
|
|
||||||
|
policies = [r for r in resources
|
||||||
|
if r['type'] == 'google_compute_organization_security_policy']
|
||||||
|
assert len(policies) == 1
|
||||||
|
|
||||||
|
rules = [r for r in resources
|
||||||
|
if r['type'] == 'google_compute_organization_security_policy_rule']
|
||||||
|
assert len(rules) == 2
|
||||||
|
|
||||||
|
rule_values = []
|
||||||
|
for rule in rules:
|
||||||
|
name = rule['name']
|
||||||
|
index = rule['index']
|
||||||
|
action = rule['values']['action']
|
||||||
|
direction = rule['values']['direction']
|
||||||
|
priority = rule['values']['priority']
|
||||||
|
config = rule['values']['match']
|
||||||
|
assert len(config) == 1
|
||||||
|
config = config[0]['config']
|
||||||
|
rule_values.append((name, index, action, direction, priority, config))
|
||||||
|
|
||||||
|
assert sorted(rule_values) == sorted([
|
||||||
|
('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[
|
||||||
|
{
|
||||||
|
'dest_ip_ranges': None,
|
||||||
|
'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}],
|
||||||
|
'src_ip_ranges': ['10.0.0.0/8']
|
||||||
|
}]),
|
||||||
|
('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [
|
||||||
|
{
|
||||||
|
'dest_ip_ranges': ['192.168.0.0/24'],
|
||||||
|
'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}],
|
||||||
|
'src_ip_ranges': None
|
||||||
|
}])
|
||||||
|
])
|
||||||
|
|