e2e tests for net-vpc-firewall module (#1896)
e2e tests for net-vpc-firewall module
parent
42fa742528
commit
e2d170c1a6
|
@ -29,13 +29,13 @@ This is often useful for prototyping or testing infrastructure, allowing open in
|
||||||
```hcl
|
```hcl
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "./fabric/modules/net-vpc-firewall"
|
source = "./fabric/modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = var.project_id
|
||||||
network = "my-network"
|
network = var.vpc.name
|
||||||
default_rules_config = {
|
default_rules_config = {
|
||||||
admin_ranges = ["10.0.0.0/8"]
|
admin_ranges = ["10.0.0.0/8"]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=4 inventory=basic.yaml
|
# tftest modules=1 resources=4 inventory=basic.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
### Custom rules
|
### Custom rules
|
||||||
|
@ -52,8 +52,8 @@ Some implicit defaults are used in the rules variable types and can be controlle
|
||||||
```hcl
|
```hcl
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "./fabric/modules/net-vpc-firewall"
|
source = "./fabric/modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = var.project_id
|
||||||
network = "my-network"
|
network = var.vpc.name
|
||||||
default_rules_config = {
|
default_rules_config = {
|
||||||
admin_ranges = ["10.0.0.0/8"]
|
admin_ranges = ["10.0.0.0/8"]
|
||||||
}
|
}
|
||||||
|
@ -90,7 +90,7 @@ module "firewall" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=9 inventory=custom-rules.yaml
|
# tftest modules=1 resources=9 inventory=custom-rules.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
### Controlling or turning off default rules
|
### Controlling or turning off default rules
|
||||||
|
@ -109,14 +109,14 @@ Default tags and ranges can be overridden for each protocol, like shown here for
|
||||||
```hcl
|
```hcl
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "./fabric/modules/net-vpc-firewall"
|
source = "./fabric/modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = var.project_id
|
||||||
network = "my-network"
|
network = var.vpc.name
|
||||||
default_rules_config = {
|
default_rules_config = {
|
||||||
ssh_ranges = ["10.0.0.0/8"]
|
ssh_ranges = ["10.0.0.0/8"]
|
||||||
ssh_tags = ["ssh-default"]
|
ssh_tags = ["ssh-default"]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml
|
# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Disabling predefined rules
|
#### Disabling predefined rules
|
||||||
|
@ -126,13 +126,13 @@ Default rules can be disabled individually by specifying an empty set of ranges:
|
||||||
```hcl
|
```hcl
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "./fabric/modules/net-vpc-firewall"
|
source = "./fabric/modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = var.project_id
|
||||||
network = "my-network"
|
network = var.vpc.name
|
||||||
default_rules_config = {
|
default_rules_config = {
|
||||||
ssh_ranges = []
|
ssh_ranges = []
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml
|
# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
Or the entire set of rules can be disabled via the `disabled` attribute:
|
Or the entire set of rules can be disabled via the `disabled` attribute:
|
||||||
|
@ -140,13 +140,13 @@ Or the entire set of rules can be disabled via the `disabled` attribute:
|
||||||
```hcl
|
```hcl
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "./fabric/modules/net-vpc-firewall"
|
source = "./fabric/modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = var.project_id
|
||||||
network = "my-network"
|
network = var.vpc.name
|
||||||
default_rules_config = {
|
default_rules_config = {
|
||||||
disabled = true
|
disabled = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=0 resources=0 inventory=no-default-rules.yaml
|
# tftest modules=0 resources=0 inventory=no-default-rules.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
### Including source & destination ranges
|
### Including source & destination ranges
|
||||||
|
@ -156,8 +156,8 @@ Custom rules now support including both source & destination ranges in ingress a
|
||||||
```hcl
|
```hcl
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "./fabric/modules/net-vpc-firewall"
|
source = "./fabric/modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = var.project_id
|
||||||
network = "my-network"
|
network = var.vpc.name
|
||||||
default_rules_config = {
|
default_rules_config = {
|
||||||
disabled = true
|
disabled = true
|
||||||
}
|
}
|
||||||
|
@ -176,7 +176,7 @@ module "firewall" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=2 inventory=local-ranges.yaml
|
# tftest modules=1 resources=2 inventory=local-ranges.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
### Rules Factory
|
### Rules Factory
|
||||||
|
@ -186,8 +186,8 @@ The module includes a rules factory (see [Resource Factories](../../blueprints/f
|
||||||
```hcl
|
```hcl
|
||||||
module "firewall" {
|
module "firewall" {
|
||||||
source = "./fabric/modules/net-vpc-firewall"
|
source = "./fabric/modules/net-vpc-firewall"
|
||||||
project_id = "my-project"
|
project_id = var.project_id
|
||||||
network = "my-network"
|
network = var.vpc.name
|
||||||
factories_config = {
|
factories_config = {
|
||||||
rules_folder = "configs/firewall/rules"
|
rules_folder = "configs/firewall/rules"
|
||||||
cidr_tpl_file = "configs/firewall/cidrs.yaml"
|
cidr_tpl_file = "configs/firewall/cidrs.yaml"
|
||||||
|
@ -220,7 +220,7 @@ ingress:
|
||||||
targets: ["service-2"]
|
targets: ["service-2"]
|
||||||
use_service_accounts: true
|
use_service_accounts: true
|
||||||
sources:
|
sources:
|
||||||
- service-1@my-project.iam.gserviceaccount.com
|
- service-1@project-id.iam.gserviceaccount.com
|
||||||
rules:
|
rules:
|
||||||
- protocol: tcp
|
- protocol: tcp
|
||||||
ports:
|
ports:
|
||||||
|
|
|
@ -71,7 +71,7 @@ variable "subnet" {
|
||||||
|
|
||||||
variable "vpc" {
|
variable "vpc" {
|
||||||
default = {
|
default = {
|
||||||
name = "vpc_name"
|
name = "vpc-name"
|
||||||
self_link = "projects/xxx/global/networks/aaa"
|
self_link = "projects/xxx/global/networks/aaa"
|
||||||
id = "projects/xxx/global/networks/aaa"
|
id = "projects/xxx/global/networks/aaa"
|
||||||
}
|
}
|
||||||
|
@ -79,14 +79,14 @@ variable "vpc" {
|
||||||
|
|
||||||
variable "vpc1" {
|
variable "vpc1" {
|
||||||
default = {
|
default = {
|
||||||
name = "vpc_name"
|
name = "vpc-name"
|
||||||
self_link = "projects/xxx/global/networks/bbb"
|
self_link = "projects/xxx/global/networks/bbb"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "vpc2" {
|
variable "vpc2" {
|
||||||
default = {
|
default = {
|
||||||
name = "vpc2_name"
|
name = "vpc2-name"
|
||||||
self_link = "projects/xxx/global/networks/ccc"
|
self_link = "projects/xxx/global/networks/ccc"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,10 +20,10 @@ values:
|
||||||
deny: []
|
deny: []
|
||||||
disabled: null
|
disabled: null
|
||||||
log_config: []
|
log_config: []
|
||||||
name: my-network-ingress-admins
|
name: vpc-name-ingress-admins
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 10.0.0.0/8
|
- 10.0.0.0/8
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
|
@ -38,10 +38,10 @@ values:
|
||||||
deny: []
|
deny: []
|
||||||
disabled: null
|
disabled: null
|
||||||
log_config: []
|
log_config: []
|
||||||
name: my-network-ingress-tag-http
|
name: vpc-name-ingress-tag-http
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 130.211.0.0/22
|
- 130.211.0.0/22
|
||||||
- 209.85.152.0/22
|
- 209.85.152.0/22
|
||||||
|
@ -60,10 +60,10 @@ values:
|
||||||
deny: []
|
deny: []
|
||||||
disabled: null
|
disabled: null
|
||||||
log_config: []
|
log_config: []
|
||||||
name: my-network-ingress-tag-https
|
name: vpc-name-ingress-tag-https
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 130.211.0.0/22
|
- 130.211.0.0/22
|
||||||
- 209.85.152.0/22
|
- 209.85.152.0/22
|
||||||
|
@ -82,10 +82,10 @@ values:
|
||||||
deny: []
|
deny: []
|
||||||
disabled: null
|
disabled: null
|
||||||
log_config: []
|
log_config: []
|
||||||
name: my-network-ingress-tag-ssh
|
name: vpc-name-ingress-tag-ssh
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 35.235.240.0/20
|
- 35.235.240.0/20
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
|
|
|
@ -32,9 +32,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: allow-egress-rfc1918
|
name: allow-egress-rfc1918
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges: null
|
source_ranges: null
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
source_tags: null
|
source_tags: null
|
||||||
|
@ -52,9 +52,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: allow-egress-tag
|
name: allow-egress-tag
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges: null
|
source_ranges: null
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
source_tags: null
|
source_tags: null
|
||||||
|
@ -72,9 +72,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: allow-ingress-ntp
|
name: allow-ingress-ntp
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 0.0.0.0/0
|
- 0.0.0.0/0
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
|
@ -92,9 +92,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: allow-ingress-tag
|
name: allow-ingress-tag
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges: null
|
source_ranges: null
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
source_tags:
|
source_tags:
|
||||||
|
@ -114,9 +114,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: deny-egress-all
|
name: deny-egress-all
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges: null
|
source_ranges: null
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
source_tags: null
|
source_tags: null
|
||||||
|
|
|
@ -24,10 +24,10 @@ values:
|
||||||
description: Allow SSH to machines with matching tags.
|
description: Allow SSH to machines with matching tags.
|
||||||
disabled: null
|
disabled: null
|
||||||
log_config: []
|
log_config: []
|
||||||
name: my-network-ingress-tag-ssh
|
name: vpc-name-ingress-tag-ssh
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 10.0.0.0/8
|
- 10.0.0.0/8
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
|
|
|
@ -25,9 +25,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: allow-healthchecks
|
name: allow-healthchecks
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 130.211.0.0/22
|
- 130.211.0.0/22
|
||||||
- 209.85.152.0/22
|
- 209.85.152.0/22
|
||||||
|
@ -50,11 +50,11 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: allow-service-1-to-service-2
|
name: allow-service-1-to-service-2
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_service_accounts:
|
source_service_accounts:
|
||||||
- service-1@my-project.iam.gserviceaccount.com
|
- service-1@project-id.iam.gserviceaccount.com
|
||||||
source_tags: null
|
source_tags: null
|
||||||
target_service_accounts:
|
target_service_accounts:
|
||||||
- service-2
|
- service-2
|
||||||
|
@ -72,9 +72,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: block-telnet
|
name: block-telnet
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges: null
|
source_ranges: null
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
source_tags: null
|
source_tags: null
|
||||||
|
|
|
@ -26,9 +26,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: allow-ingress-source-destination-ranges
|
name: allow-ingress-source-destination-ranges
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 172.16.0.0/12
|
- 172.16.0.0/12
|
||||||
source_service_accounts: null
|
source_service_accounts: null
|
||||||
|
@ -47,9 +47,9 @@ values:
|
||||||
disabled: false
|
disabled: false
|
||||||
log_config: []
|
log_config: []
|
||||||
name: deny-egress-source-destination-ranges
|
name: deny-egress-source-destination-ranges
|
||||||
network: my-network
|
network: vpc-name
|
||||||
priority: 1000
|
priority: 1000
|
||||||
project: my-project
|
project: project-id
|
||||||
source_ranges:
|
source_ranges:
|
||||||
- 10.132.0.0/20
|
- 10.132.0.0/20
|
||||||
- 10.138.0.0/20
|
- 10.138.0.0/20
|
||||||
|
|
|
@ -18,7 +18,7 @@ values:
|
||||||
parent: organizations/1122334455
|
parent: organizations/1122334455
|
||||||
purpose: GCE_FIREWALL
|
purpose: GCE_FIREWALL
|
||||||
purpose_data:
|
purpose_data:
|
||||||
network: project-id/vpc_name
|
network: project-id/vpc-name
|
||||||
short_name: net-environment
|
short_name: net-environment
|
||||||
timeouts: null
|
timeouts: null
|
||||||
module.org.google_tags_tag_key_iam_binding.default["net-environment:roles/resourcemanager.tagAdmin"]:
|
module.org.google_tags_tag_key_iam_binding.default["net-environment:roles/resourcemanager.tagAdmin"]:
|
||||||
|
|