Add tests for hierarchical firewall policy
This commit is contained in:
parent
ce6311f684
commit
dc038ad71f
|
@ -63,14 +63,12 @@ variable "firewall_policies" {
|
|||
target_service_accounts = list(string)
|
||||
target_resources = list(string)
|
||||
logging = bool
|
||||
#preview = bool
|
||||
})))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policy_attachments" {
|
||||
description = "List of hierarchical firewall policy IDs to *attach* to this folder."
|
||||
# set to avoid manual casting with toset()
|
||||
type = map(string)
|
||||
default = {}
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
|
|
@ -15,10 +15,12 @@
|
|||
*/
|
||||
|
||||
module "test" {
|
||||
source = "../../../../modules/folder"
|
||||
parent = "organizations/12345678"
|
||||
name = "folder-a"
|
||||
iam = var.iam
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
source = "../../../../modules/folder"
|
||||
parent = "organizations/12345678"
|
||||
name = "folder-a"
|
||||
iam = var.iam
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
firewall_policies = var.firewall_policies
|
||||
firewall_policy_attachments = var.firewall_policy_attachments
|
||||
}
|
||||
|
|
|
@ -33,3 +33,23 @@ variable "policy_list" {
|
|||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policies" {
|
||||
type = map(map(object({
|
||||
description = string
|
||||
direction = string
|
||||
action = string
|
||||
priority = number
|
||||
ranges = list(string)
|
||||
ports = map(list(string))
|
||||
target_service_accounts = list(string)
|
||||
target_resources = list(string)
|
||||
logging = bool
|
||||
})))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policy_attachments" {
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
# Copyright 2020 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
import os
|
||||
import pytest
|
||||
|
||||
|
||||
FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
||||
|
||||
|
||||
def test_firweall_policy(plan_runner):
|
||||
"Test boolean folder policy."
|
||||
policy = """
|
||||
{
|
||||
policy1 = {
|
||||
allow-ingress = {
|
||||
description = ""
|
||||
direction = "INGRESS"
|
||||
action = "allow"
|
||||
priority = 100
|
||||
ranges = ["10.0.0.0/8"]
|
||||
ports = {
|
||||
tcp = ["22"]
|
||||
}
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
deny-egress = {
|
||||
description = ""
|
||||
direction = "EGRESS"
|
||||
action = "deny"
|
||||
priority = 200
|
||||
ranges = ["192.168.0.0/24"]
|
||||
ports = {
|
||||
tcp = ["443"]
|
||||
}
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
}
|
||||
}
|
||||
"""
|
||||
attachment = '{ iap_policy = "policy1" }'
|
||||
_, resources = plan_runner(FIXTURES_DIR, firewall_policies=policy,
|
||||
firewall_policy_attachments=attachment)
|
||||
assert len(resources) == 5
|
||||
|
||||
policies = [r for r in resources
|
||||
if r['type'] == 'google_compute_organization_security_policy']
|
||||
assert len(policies) == 1
|
||||
|
||||
rules = [r for r in resources
|
||||
if r['type'] == 'google_compute_organization_security_policy_rule']
|
||||
assert len(rules) == 2
|
||||
|
||||
rule_values = []
|
||||
for rule in rules:
|
||||
name = rule['name']
|
||||
index = rule['index']
|
||||
action = rule['values']['action']
|
||||
direction = rule['values']['direction']
|
||||
priority = rule['values']['priority']
|
||||
config = rule['values']['match']
|
||||
assert len(config) == 1
|
||||
config = config[0]['config']
|
||||
rule_values.append((name, index, action, direction, priority, config))
|
||||
|
||||
assert sorted(rule_values) == sorted([
|
||||
('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[
|
||||
{
|
||||
'dest_ip_ranges': None,
|
||||
'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}],
|
||||
'src_ip_ranges': ['10.0.0.0/8']
|
||||
}]),
|
||||
('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [
|
||||
{
|
||||
'dest_ip_ranges': ['192.168.0.0/24'],
|
||||
'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}],
|
||||
'src_ip_ranges': None
|
||||
}])
|
||||
])
|
||||
|
||||
|
|
@ -15,13 +15,15 @@
|
|||
*/
|
||||
|
||||
module "test" {
|
||||
source = "../../../../modules/organization"
|
||||
org_id = 1234567890
|
||||
custom_roles = var.custom_roles
|
||||
iam = var.iam
|
||||
iam_additive = var.iam_additive
|
||||
iam_additive_members = var.iam_additive_members
|
||||
iam_audit_config = var.iam_audit_config
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
source = "../../../../modules/organization"
|
||||
org_id = 1234567890
|
||||
custom_roles = var.custom_roles
|
||||
iam = var.iam
|
||||
iam_additive = var.iam_additive
|
||||
iam_additive_members = var.iam_additive_members
|
||||
iam_audit_config = var.iam_audit_config
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
firewall_policies = var.firewall_policies
|
||||
firewall_policy_attachments = var.firewall_policy_attachments
|
||||
}
|
||||
|
|
|
@ -53,3 +53,23 @@ variable "policy_list" {
|
|||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policies" {
|
||||
type = map(map(object({
|
||||
description = string
|
||||
direction = string
|
||||
action = string
|
||||
priority = number
|
||||
ranges = list(string)
|
||||
ports = map(list(string))
|
||||
target_service_accounts = list(string)
|
||||
target_resources = list(string)
|
||||
logging = bool
|
||||
})))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policy_attachments" {
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
|
|
@ -75,8 +75,6 @@ def test_policy_list(plan_runner):
|
|||
'}'
|
||||
)
|
||||
_, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
|
||||
# from pprint import pprint
|
||||
# pprint(resources)
|
||||
assert len(resources) == 3
|
||||
values = [r['values'] for r in resources]
|
||||
assert [r['constraint']
|
||||
|
@ -86,3 +84,78 @@ def test_policy_list(plan_runner):
|
|||
assert values[1]['list_policy'][0]['deny'] == [
|
||||
{'all': False, 'values': ["bar"]}]
|
||||
assert values[2]['restore_policy'] == [{'default': True}]
|
||||
|
||||
|
||||
def test_firweall_policy(plan_runner):
|
||||
"Test boolean folder policy."
|
||||
policy = """
|
||||
{
|
||||
policy1 = {
|
||||
allow-ingress = {
|
||||
description = ""
|
||||
direction = "INGRESS"
|
||||
action = "allow"
|
||||
priority = 100
|
||||
ranges = ["10.0.0.0/8"]
|
||||
ports = {
|
||||
tcp = ["22"]
|
||||
}
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
deny-egress = {
|
||||
description = ""
|
||||
direction = "EGRESS"
|
||||
action = "deny"
|
||||
priority = 200
|
||||
ranges = ["192.168.0.0/24"]
|
||||
ports = {
|
||||
tcp = ["443"]
|
||||
}
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
}
|
||||
}
|
||||
"""
|
||||
attachment = '{ iap_policy = "policy1" }'
|
||||
_, resources = plan_runner(FIXTURES_DIR, firewall_policies=policy,
|
||||
firewall_policy_attachments=attachment)
|
||||
assert len(resources) == 4
|
||||
|
||||
policies = [r for r in resources
|
||||
if r['type'] == 'google_compute_organization_security_policy']
|
||||
assert len(policies) == 1
|
||||
|
||||
rules = [r for r in resources
|
||||
if r['type'] == 'google_compute_organization_security_policy_rule']
|
||||
assert len(rules) == 2
|
||||
|
||||
rule_values = []
|
||||
for rule in rules:
|
||||
name = rule['name']
|
||||
index = rule['index']
|
||||
action = rule['values']['action']
|
||||
direction = rule['values']['direction']
|
||||
priority = rule['values']['priority']
|
||||
config = rule['values']['match']
|
||||
assert len(config) == 1
|
||||
config = config[0]['config']
|
||||
rule_values.append((name, index, action, direction, priority, config))
|
||||
|
||||
assert sorted(rule_values) == sorted([
|
||||
('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[
|
||||
{
|
||||
'dest_ip_ranges': None,
|
||||
'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}],
|
||||
'src_ip_ranges': ['10.0.0.0/8']
|
||||
}]),
|
||||
('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [
|
||||
{
|
||||
'dest_ip_ranges': ['192.168.0.0/24'],
|
||||
'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}],
|
||||
'src_ip_ranges': None
|
||||
}])
|
||||
])
|
||||
|
|
Loading…
Reference in New Issue