e2e tests for net-vpc-firewall module (#1896)

e2e tests for net-vpc-firewall module
Thangaraju R 2023-12-01 13:50:56 +01:00 committed by GitHub
parent 42fa742528
commit e2d170c1a6
8 changed files with 61 additions and 61 deletions


@ -29,13 +29,13 @@ This is often useful for prototyping or testing infrastructure, allowing open in
```hcl ```hcl
module "firewall" { module "firewall" {
source = "./fabric/modules/net-vpc-firewall" source = "./fabric/modules/net-vpc-firewall"
project_id = "my-project" project_id = var.project_id
network = "my-network" network = var.vpc.name
default_rules_config = { default_rules_config = {
admin_ranges = ["10.0.0.0/8"] admin_ranges = ["10.0.0.0/8"]
} }
} }
# tftest modules=1 resources=4 inventory=basic.yaml # tftest modules=1 resources=4 inventory=basic.yaml e2e
``` ```
### Custom rules ### Custom rules
@ -52,8 +52,8 @@ Some implicit defaults are used in the rules variable types and can be controlle
```hcl ```hcl
module "firewall" { module "firewall" {
source = "./fabric/modules/net-vpc-firewall" source = "./fabric/modules/net-vpc-firewall"
project_id = "my-project" project_id = var.project_id
network = "my-network" network = var.vpc.name
default_rules_config = { default_rules_config = {
admin_ranges = ["10.0.0.0/8"] admin_ranges = ["10.0.0.0/8"]
} }
@ -90,7 +90,7 @@ module "firewall" {
} }
} }
} }
# tftest modules=1 resources=9 inventory=custom-rules.yaml # tftest modules=1 resources=9 inventory=custom-rules.yaml e2e
``` ```
### Controlling or turning off default rules ### Controlling or turning off default rules
@ -109,14 +109,14 @@ Default tags and ranges can be overridden for each protocol, like shown here for
```hcl ```hcl
module "firewall" { module "firewall" {
source = "./fabric/modules/net-vpc-firewall" source = "./fabric/modules/net-vpc-firewall"
project_id = "my-project" project_id = var.project_id
network = "my-network" network = var.vpc.name
default_rules_config = { default_rules_config = {
ssh_ranges = ["10.0.0.0/8"] ssh_ranges = ["10.0.0.0/8"]
ssh_tags = ["ssh-default"] ssh_tags = ["ssh-default"]
} }
} }
# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml # tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml e2e
``` ```
#### Disabling predefined rules #### Disabling predefined rules
@ -126,13 +126,13 @@ Default rules can be disabled individually by specifying an empty set of ranges:
```hcl ```hcl
module "firewall" { module "firewall" {
source = "./fabric/modules/net-vpc-firewall" source = "./fabric/modules/net-vpc-firewall"
project_id = "my-project" project_id = var.project_id
network = "my-network" network = var.vpc.name
default_rules_config = { default_rules_config = {
ssh_ranges = [] ssh_ranges = []
} }
} }
# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml # tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml e2e
``` ```
Or the entire set of rules can be disabled via the `disabled` attribute: Or the entire set of rules can be disabled via the `disabled` attribute:
@ -140,13 +140,13 @@ Or the entire set of rules can be disabled via the `disabled` attribute:
```hcl ```hcl
module "firewall" { module "firewall" {
source = "./fabric/modules/net-vpc-firewall" source = "./fabric/modules/net-vpc-firewall"
project_id = "my-project" project_id = var.project_id
network = "my-network" network = var.vpc.name
default_rules_config = { default_rules_config = {
disabled = true disabled = true
} }
} }
# tftest modules=0 resources=0 inventory=no-default-rules.yaml # tftest modules=0 resources=0 inventory=no-default-rules.yaml e2e
``` ```
### Including source & destination ranges ### Including source & destination ranges
@ -156,8 +156,8 @@ Custom rules now support including both source & destination ranges in ingress a
```hcl ```hcl
module "firewall" { module "firewall" {
source = "./fabric/modules/net-vpc-firewall" source = "./fabric/modules/net-vpc-firewall"
project_id = "my-project" project_id = var.project_id
network = "my-network" network = var.vpc.name
default_rules_config = { default_rules_config = {
disabled = true disabled = true
} }
@ -176,7 +176,7 @@ module "firewall" {
} }
} }
} }
# tftest modules=1 resources=2 inventory=local-ranges.yaml # tftest modules=1 resources=2 inventory=local-ranges.yaml e2e
``` ```
### Rules Factory ### Rules Factory
@ -186,8 +186,8 @@ The module includes a rules factory (see [Resource Factories](../../blueprints/f
```hcl ```hcl
module "firewall" { module "firewall" {
source = "./fabric/modules/net-vpc-firewall" source = "./fabric/modules/net-vpc-firewall"
project_id = "my-project" project_id = var.project_id
network = "my-network" network = var.vpc.name
factories_config = { factories_config = {
rules_folder = "configs/firewall/rules" rules_folder = "configs/firewall/rules"
cidr_tpl_file = "configs/firewall/cidrs.yaml" cidr_tpl_file = "configs/firewall/cidrs.yaml"
@ -220,7 +220,7 @@ ingress:
targets: ["service-2"] targets: ["service-2"]
use_service_accounts: true use_service_accounts: true
sources: sources:
- service-1@my-project.iam.gserviceaccount.com - service-1@project-id.iam.gserviceaccount.com
rules: rules:
- protocol: tcp - protocol: tcp
ports: ports:


@ -71,7 +71,7 @@ variable "subnet" {
variable "vpc" { variable "vpc" {
default = { default = {
name = "vpc_name" name = "vpc-name"
self_link = "projects/xxx/global/networks/aaa" self_link = "projects/xxx/global/networks/aaa"
id = "projects/xxx/global/networks/aaa" id = "projects/xxx/global/networks/aaa"
} }
@ -79,14 +79,14 @@ variable "vpc" {
variable "vpc1" { variable "vpc1" {
default = { default = {
name = "vpc_name" name = "vpc-name"
self_link = "projects/xxx/global/networks/bbb" self_link = "projects/xxx/global/networks/bbb"
} }
} }
variable "vpc2" { variable "vpc2" {
default = { default = {
name = "vpc2_name" name = "vpc2-name"
self_link = "projects/xxx/global/networks/ccc" self_link = "projects/xxx/global/networks/ccc"
} }
} }
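Review bot: `vpc1` ends up with the same default `name = "vpc-name"` as `vpc`, while `vpc2` gets its own `vpc2-name`; two distinct test networks sharing one name makes a fixture mix-up invisible in inventory comparisons, because a rule attached to the wrong VPC would still render as `vpc-name`. Unless another inventory depends on the shared value, `name = "vpc1-name"` on the `vpc1` default keeps the three variables distinguishable. The move from underscores to hyphens is presumably needed because names derived from the network (such as the `vpc-name-ingress-*` firewall rules in the inventories) must be valid GCP resource names in e2e runs; a short comment on the `vpc` default, e.g. `# hyphenated so derived firewall rule names are valid in e2e runs`, would record why the fixture changed. The file header for this section is not shown, so the path is inferred to be the tests variables file.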


@ -20,10 +20,10 @@ values:
deny: [] deny: []
disabled: null disabled: null
log_config: [] log_config: []
name: my-network-ingress-admins name: vpc-name-ingress-admins
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 10.0.0.0/8 - 10.0.0.0/8
source_service_accounts: null source_service_accounts: null
@ -38,10 +38,10 @@ values:
deny: [] deny: []
disabled: null disabled: null
log_config: [] log_config: []
name: my-network-ingress-tag-http name: vpc-name-ingress-tag-http
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 130.211.0.0/22 - 130.211.0.0/22
- 209.85.152.0/22 - 209.85.152.0/22
@ -60,10 +60,10 @@ values:
deny: [] deny: []
disabled: null disabled: null
log_config: [] log_config: []
name: my-network-ingress-tag-https name: vpc-name-ingress-tag-https
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 130.211.0.0/22 - 130.211.0.0/22
- 209.85.152.0/22 - 209.85.152.0/22
@ -82,10 +82,10 @@ values:
deny: [] deny: []
disabled: null disabled: null
log_config: [] log_config: []
name: my-network-ingress-tag-ssh name: vpc-name-ingress-tag-ssh
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 35.235.240.0/20 - 35.235.240.0/20
source_service_accounts: null source_service_accounts: null


@ -32,9 +32,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: allow-egress-rfc1918 name: allow-egress-rfc1918
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: null source_ranges: null
source_service_accounts: null source_service_accounts: null
source_tags: null source_tags: null
@ -52,9 +52,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: allow-egress-tag name: allow-egress-tag
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: null source_ranges: null
source_service_accounts: null source_service_accounts: null
source_tags: null source_tags: null
@ -72,9 +72,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: allow-ingress-ntp name: allow-ingress-ntp
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 0.0.0.0/0 - 0.0.0.0/0
source_service_accounts: null source_service_accounts: null
@ -92,9 +92,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: allow-ingress-tag name: allow-ingress-tag
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: null source_ranges: null
source_service_accounts: null source_service_accounts: null
source_tags: source_tags:
@ -114,9 +114,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: deny-egress-all name: deny-egress-all
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: null source_ranges: null
source_service_accounts: null source_service_accounts: null
source_tags: null source_tags: null


@ -24,10 +24,10 @@ values:
description: Allow SSH to machines with matching tags. description: Allow SSH to machines with matching tags.
disabled: null disabled: null
log_config: [] log_config: []
name: my-network-ingress-tag-ssh name: vpc-name-ingress-tag-ssh
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 10.0.0.0/8 - 10.0.0.0/8
source_service_accounts: null source_service_accounts: null


@ -25,9 +25,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: allow-healthchecks name: allow-healthchecks
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 130.211.0.0/22 - 130.211.0.0/22
- 209.85.152.0/22 - 209.85.152.0/22
@ -50,11 +50,11 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: allow-service-1-to-service-2 name: allow-service-1-to-service-2
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_service_accounts: source_service_accounts:
- service-1@my-project.iam.gserviceaccount.com - service-1@project-id.iam.gserviceaccount.com
source_tags: null source_tags: null
target_service_accounts: target_service_accounts:
- service-2 - service-2
@ -72,9 +72,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: block-telnet name: block-telnet
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: null source_ranges: null
source_service_accounts: null source_service_accounts: null
source_tags: null source_tags: null


@ -26,9 +26,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: allow-ingress-source-destination-ranges name: allow-ingress-source-destination-ranges
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 172.16.0.0/12 - 172.16.0.0/12
source_service_accounts: null source_service_accounts: null
@ -47,9 +47,9 @@ values:
disabled: false disabled: false
log_config: [] log_config: []
name: deny-egress-source-destination-ranges name: deny-egress-source-destination-ranges
network: my-network network: vpc-name
priority: 1000 priority: 1000
project: my-project project: project-id
source_ranges: source_ranges:
- 10.132.0.0/20 - 10.132.0.0/20
- 10.138.0.0/20 - 10.138.0.0/20


@ -18,7 +18,7 @@ values:
parent: organizations/1122334455 parent: organizations/1122334455
purpose: GCE_FIREWALL purpose: GCE_FIREWALL
purpose_data: purpose_data:
network: project-id/vpc_name network: project-id/vpc-name
short_name: net-environment short_name: net-environment
timeouts: null timeouts: null
module.org.google_tags_tag_key_iam_binding.default["net-environment:roles/resourcemanager.tagAdmin"]: module.org.google_tags_tag_key_iam_binding.default["net-environment:roles/resourcemanager.tagAdmin"]: