Add tests for hierarchical firewall policy

2020-11-25 16:21:49 +01:00 · 2020-11-25 16:21:49 +01:00 · dc038ad71f
parent ce6311f684
commit dc038ad71f
7 changed files with 233 additions and 21 deletions
--- a/modules/folder/variables.tf
+++ b/modules/folder/variables.tf
@ -63,14 +63,12 @@ variable "firewall_policies" {
    target_service_accounts = list(string)
    target_resources        = list(string)
    logging                 = bool
-    #preview                 = bool
  })))
  default = {}
 }

 variable "firewall_policy_attachments" {
  description = "List of hierarchical firewall policy IDs to *attach* to this folder."
-  # set to avoid manual casting with toset()
-  type    = map(string)
-  default = {}
+  type        = map(string)
+  default     = {}
 }
--- a/tests/modules/folder/fixture/main.tf
+++ b/tests/modules/folder/fixture/main.tf
@ -15,10 +15,12 @@
 */

 module "test" {
-  source         = "../../../../modules/folder"
-  parent         = "organizations/12345678"
-  name           = "folder-a"
-  iam            = var.iam
-  policy_boolean = var.policy_boolean
-  policy_list    = var.policy_list
+  source                      = "../../../../modules/folder"
+  parent                      = "organizations/12345678"
+  name                        = "folder-a"
+  iam                         = var.iam
+  policy_boolean              = var.policy_boolean
+  policy_list                 = var.policy_list
+  firewall_policies           = var.firewall_policies
+  firewall_policy_attachments = var.firewall_policy_attachments
 }
--- a/tests/modules/folder/fixture/variables.tf
+++ b/tests/modules/folder/fixture/variables.tf
@ -33,3 +33,23 @@ variable "policy_list" {
  }))
  default = {}
 }
+
+variable "firewall_policies" {
+  type = map(map(object({
+    description             = string
+    direction               = string
+    action                  = string
+    priority                = number
+    ranges                  = list(string)
+    ports                   = map(list(string))
+    target_service_accounts = list(string)
+    target_resources        = list(string)
+    logging                 = bool
+  })))
+  default = {}
+}
+
+variable "firewall_policy_attachments" {
+  type    = map(string)
+  default = {}
+}
--- a/tests/modules/folder/test_plan_firewall_policy.py
+++ b/tests/modules/folder/test_plan_firewall_policy.py
@ -0,0 +1,97 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_firweall_policy(plan_runner):
+  "Test boolean folder policy."
+  policy = """
+  {
+    policy1 = {
+      allow-ingress = {
+        description = ""
+        direction   = "INGRESS"
+        action      = "allow"
+        priority    = 100
+        ranges      = ["10.0.0.0/8"]
+        ports = {
+          tcp = ["22"]
+        }
+        target_service_accounts = null
+        target_resources        = null
+        logging                 = false
+      }
+      deny-egress = {
+        description = ""
+        direction   = "EGRESS"
+        action      = "deny"
+        priority    = 200
+        ranges      = ["192.168.0.0/24"]
+        ports = {
+          tcp = ["443"]
+        }
+        target_service_accounts = null
+        target_resources        = null
+        logging                 = false
+      }
+    }
+  }
+  """
+  attachment = '{ iap_policy = "policy1" }'
+  _, resources = plan_runner(FIXTURES_DIR, firewall_policies=policy,
+                             firewall_policy_attachments=attachment)
+  assert len(resources) == 5
+  
+  policies = [r for r in resources
+           if r['type'] == 'google_compute_organization_security_policy']
+  assert len(policies) == 1
+
+  rules = [r for r in resources
+           if r['type'] == 'google_compute_organization_security_policy_rule']
+  assert len(rules) == 2
+
+  rule_values = []
+  for rule in rules:
+    name = rule['name']
+    index = rule['index']
+    action = rule['values']['action']
+    direction = rule['values']['direction']
+    priority = rule['values']['priority']
+    config = rule['values']['match']
+    assert len(config) == 1
+    config = config[0]['config']
+    rule_values.append((name, index, action, direction, priority, config))
+
+  assert sorted(rule_values) == sorted([
+    ('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[
+      {
+        'dest_ip_ranges': None,
+        'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}],
+        'src_ip_ranges': ['10.0.0.0/8']
+      }]),
+    ('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [
+      {
+        'dest_ip_ranges': ['192.168.0.0/24'],
+        'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}],
+        'src_ip_ranges': None
+      }])
+  ])
+
+
--- a/tests/modules/organization/fixture/main.tf
+++ b/tests/modules/organization/fixture/main.tf
@ -15,13 +15,15 @@
 */

 module "test" {
-  source               = "../../../../modules/organization"
-  org_id               = 1234567890
-  custom_roles         = var.custom_roles
-  iam                  = var.iam
-  iam_additive         = var.iam_additive
-  iam_additive_members = var.iam_additive_members
-  iam_audit_config     = var.iam_audit_config
-  policy_boolean       = var.policy_boolean
-  policy_list          = var.policy_list
+  source                      = "../../../../modules/organization"
+  org_id                      = 1234567890
+  custom_roles                = var.custom_roles
+  iam                         = var.iam
+  iam_additive                = var.iam_additive
+  iam_additive_members        = var.iam_additive_members
+  iam_audit_config            = var.iam_audit_config
+  policy_boolean              = var.policy_boolean
+  policy_list                 = var.policy_list
+  firewall_policies           = var.firewall_policies
+  firewall_policy_attachments = var.firewall_policy_attachments
 }
--- a/tests/modules/organization/fixture/variables.tf
+++ b/tests/modules/organization/fixture/variables.tf
@ -53,3 +53,23 @@ variable "policy_list" {
  }))
  default = {}
 }
+
+variable "firewall_policies" {
+  type = map(map(object({
+    description             = string
+    direction               = string
+    action                  = string
+    priority                = number
+    ranges                  = list(string)
+    ports                   = map(list(string))
+    target_service_accounts = list(string)
+    target_resources        = list(string)
+    logging                 = bool
+  })))
+  default = {}
+}
+
+variable "firewall_policy_attachments" {
+  type    = map(string)
+  default = {}
+}
--- a/tests/modules/organization/test_plan.py
+++ b/tests/modules/organization/test_plan.py
@ -75,8 +75,6 @@ def test_policy_list(plan_runner):
      '}'
  )
  _, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
-  # from pprint import pprint
-  # pprint(resources)
  assert len(resources) == 3
  values = [r['values'] for r in resources]
  assert [r['constraint']
@ -86,3 +84,78 @@ def test_policy_list(plan_runner):
  assert values[1]['list_policy'][0]['deny'] == [
      {'all': False, 'values': ["bar"]}]
  assert values[2]['restore_policy'] == [{'default': True}]
+
+
+def test_firweall_policy(plan_runner):
+  "Test boolean folder policy."
+  policy = """
+  {
+    policy1 = {
+      allow-ingress = {
+        description = ""
+        direction   = "INGRESS"
+        action      = "allow"
+        priority    = 100
+        ranges      = ["10.0.0.0/8"]
+        ports = {
+          tcp = ["22"]
+        }
+        target_service_accounts = null
+        target_resources        = null
+        logging                 = false
+      }
+      deny-egress = {
+        description = ""
+        direction   = "EGRESS"
+        action      = "deny"
+        priority    = 200
+        ranges      = ["192.168.0.0/24"]
+        ports = {
+          tcp = ["443"]
+        }
+        target_service_accounts = null
+        target_resources        = null
+        logging                 = false
+      }
+    }
+  }
+  """
+  attachment = '{ iap_policy = "policy1" }'
+  _, resources = plan_runner(FIXTURES_DIR, firewall_policies=policy,
+                             firewall_policy_attachments=attachment)
+  assert len(resources) == 4
+
+  policies = [r for r in resources
+           if r['type'] == 'google_compute_organization_security_policy']
+  assert len(policies) == 1
+
+  rules = [r for r in resources
+           if r['type'] == 'google_compute_organization_security_policy_rule']
+  assert len(rules) == 2
+
+  rule_values = []
+  for rule in rules:
+    name = rule['name']
+    index = rule['index']
+    action = rule['values']['action']
+    direction = rule['values']['direction']
+    priority = rule['values']['priority']
+    config = rule['values']['match']
+    assert len(config) == 1
+    config = config[0]['config']
+    rule_values.append((name, index, action, direction, priority, config))
+
+  assert sorted(rule_values) == sorted([
+    ('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[
+      {
+        'dest_ip_ranges': None,
+        'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}],
+        'src_ip_ranges': ['10.0.0.0/8']
+      }]),
+    ('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [
+      {
+        'dest_ip_ranges': ['192.168.0.0/24'],
+        'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}],
+        'src_ip_ranges': None
+      }])
+  ])