e2e tests for net-vpc-firewall module (#1896)
e2e tests for net-vpc-firewall module
parent
42fa742528
commit
e2d170c1a6
@ -29,13 +29,13 @@ This is often useful for prototyping or testing infrastructure, allowing open in
|
|||
```hcl
|
||||
module "firewall" {
|
||||
source = "./fabric/modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
project_id = var.project_id
|
||||
network = var.vpc.name
|
||||
default_rules_config = {
|
||||
admin_ranges = ["10.0.0.0/8"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4 inventory=basic.yaml
|
||||
# tftest modules=1 resources=4 inventory=basic.yaml e2e
|
||||
```
|
||||
|
||||
### Custom rules
|
||||
|
@ -52,8 +52,8 @@ Some implicit defaults are used in the rules variable types and can be controlle
|
|||
```hcl
|
||||
module "firewall" {
|
||||
source = "./fabric/modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
project_id = var.project_id
|
||||
network = var.vpc.name
|
||||
default_rules_config = {
|
||||
admin_ranges = ["10.0.0.0/8"]
|
||||
}
|
||||
|
@ -90,7 +90,7 @@ module "firewall" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=9 inventory=custom-rules.yaml
|
||||
# tftest modules=1 resources=9 inventory=custom-rules.yaml e2e
|
||||
```
|
||||
|
||||
### Controlling or turning off default rules
|
||||
|
@ -109,14 +109,14 @@ Default tags and ranges can be overridden for each protocol, like shown here for
|
|||
```hcl
|
||||
module "firewall" {
|
||||
source = "./fabric/modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
project_id = var.project_id
|
||||
network = var.vpc.name
|
||||
default_rules_config = {
|
||||
ssh_ranges = ["10.0.0.0/8"]
|
||||
ssh_tags = ["ssh-default"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml
|
||||
# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml e2e
|
||||
```
|
||||
|
||||
#### Disabling predefined rules
|
||||
|
@ -126,13 +126,13 @@ Default rules can be disabled individually by specifying an empty set of ranges:
|
|||
```hcl
|
||||
module "firewall" {
|
||||
source = "./fabric/modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
project_id = var.project_id
|
||||
network = var.vpc.name
|
||||
default_rules_config = {
|
||||
ssh_ranges = []
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml
|
||||
# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml e2e
|
||||
```
|
||||
|
||||
Or the entire set of rules can be disabled via the `disabled` attribute:
|
||||
|
@ -140,13 +140,13 @@ Or the entire set of rules can be disabled via the `disabled` attribute:
|
|||
```hcl
|
||||
module "firewall" {
|
||||
source = "./fabric/modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
project_id = var.project_id
|
||||
network = var.vpc.name
|
||||
default_rules_config = {
|
||||
disabled = true
|
||||
}
|
||||
}
|
||||
# tftest modules=0 resources=0 inventory=no-default-rules.yaml
|
||||
# tftest modules=0 resources=0 inventory=no-default-rules.yaml e2e
|
||||
```
|
||||
|
||||
### Including source & destination ranges
|
||||
|
@ -156,8 +156,8 @@ Custom rules now support including both source & destination ranges in ingress a
|
|||
```hcl
|
||||
module "firewall" {
|
||||
source = "./fabric/modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
project_id = var.project_id
|
||||
network = var.vpc.name
|
||||
default_rules_config = {
|
||||
disabled = true
|
||||
}
|
||||
|
@ -176,7 +176,7 @@ module "firewall" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=local-ranges.yaml
|
||||
# tftest modules=1 resources=2 inventory=local-ranges.yaml e2e
|
||||
```
|
||||
|
||||
### Rules Factory
|
||||
|
@ -186,8 +186,8 @@ The module includes a rules factory (see [Resource Factories](../../blueprints/f
|
|||
```hcl
|
||||
module "firewall" {
|
||||
source = "./fabric/modules/net-vpc-firewall"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
project_id = var.project_id
|
||||
network = var.vpc.name
|
||||
factories_config = {
|
||||
rules_folder = "configs/firewall/rules"
|
||||
cidr_tpl_file = "configs/firewall/cidrs.yaml"
|
||||
|
@ -220,7 +220,7 @@ ingress:
|
|||
targets: ["service-2"]
|
||||
use_service_accounts: true
|
||||
sources:
|
||||
- service-1@my-project.iam.gserviceaccount.com
|
||||
- service-1@project-id.iam.gserviceaccount.com
|
||||
rules:
|
||||
- protocol: tcp
|
||||
ports:
|
||||
|
|
|
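Review bot: Every example in this section now references `var.project_id` and `var.vpc.name` (first seen in the module block of the first hunk) without declaring those variables, so a reader who copies a snippet into their own configuration gets an undeclared-input-variable error where the previous `"my-project"` / `"my-network"` literals worked standalone. Since this README is read as documentation as well as consumed by the test harness, a sentence before the first example such as `The examples below use the \`project_id\` and \`vpc\` variables supplied by the test harness; replace them with your own project id and network name when reusing them.` would keep the snippets usable. In the rules-factory YAML of the last hunk the source service account embeds a literal project (`service-1@project-id.iam.gserviceaccount.com`) while the module block takes its project from `var.project_id`; if the e2e run is ever pointed at a different project id, that rule would grant ingress from a service account in another project rather than the one under test, so it is worth stating that the YAML value must match `var.project_id`, assuming the harness does not template it. The factory example's module block and the YAML document both continue outside their hunks.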
@ -71,7 +71,7 @@ variable "subnet" {
|
|||
|
||||
variable "vpc" {
|
||||
default = {
|
||||
name = "vpc_name"
|
||||
name = "vpc-name"
|
||||
self_link = "projects/xxx/global/networks/aaa"
|
||||
id = "projects/xxx/global/networks/aaa"
|
||||
}
|
||||
|
@ -79,14 +79,14 @@ variable "vpc" {
|
|||
|
||||
variable "vpc1" {
|
||||
default = {
|
||||
name = "vpc_name"
|
||||
name = "vpc-name"
|
||||
self_link = "projects/xxx/global/networks/bbb"
|
||||
}
|
||||
}
|
||||
|
||||
variable "vpc2" {
|
||||
default = {
|
||||
name = "vpc2_name"
|
||||
name = "vpc2-name"
|
||||
self_link = "projects/xxx/global/networks/ccc"
|
||||
}
|
||||
}
|
||||
|
|
|
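Review bot: The `vpc` fixture's `name` becomes `vpc-name` but its `self_link` and `id` keep the unrelated tail `aaa` (`projects/xxx/global/networks/aaa`), and `vpc1`/`vpc2` likewise pair `vpc-name`/`vpc2-name` with `bbb`/`ccc`, so a module that derived the network name from the self_link rather than from `.name` would still pass against these fixtures while naming rules differently in a real project. Aligning the tails, e.g. `self_link = "projects/xxx/global/networks/vpc-name"` and `id = "projects/xxx/global/networks/vpc-name"` (and the same for `vpc1`/`vpc2`), makes the fixture self-consistent; the e2e values presumably come from the real VPC and are unaffected. The move from `vpc_name` to `vpc-name` looks like it exists to satisfy GCE resource naming (lowercase letters, digits and hyphens only), which a comment on the default, `# hyphenated: GCE network names do not allow underscores`, would record for the next person editing the fixture. The `vpc` variable block's closing brace lies outside the first hunk.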
@ -20,10 +20,10 @@ values:
|
|||
deny: []
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-admins
|
||||
network: my-network
|
||||
name: vpc-name-ingress-admins
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 10.0.0.0/8
|
||||
source_service_accounts: null
|
||||
|
@ -38,10 +38,10 @@ values:
|
|||
deny: []
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-tag-http
|
||||
network: my-network
|
||||
name: vpc-name-ingress-tag-http
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
|
@ -60,10 +60,10 @@ values:
|
|||
deny: []
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-tag-https
|
||||
network: my-network
|
||||
name: vpc-name-ingress-tag-https
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
|
@ -82,10 +82,10 @@ values:
|
|||
deny: []
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-tag-ssh
|
||||
network: my-network
|
||||
name: vpc-name-ingress-tag-ssh
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 35.235.240.0/20
|
||||
source_service_accounts: null
|
||||
|
|
|
@ -32,9 +32,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: allow-egress-rfc1918
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
|
@ -52,9 +52,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: allow-egress-tag
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
|
@ -72,9 +72,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: allow-ingress-ntp
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 0.0.0.0/0
|
||||
source_service_accounts: null
|
||||
|
@ -92,9 +92,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: allow-ingress-tag
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags:
|
||||
|
@ -114,9 +114,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: deny-egress-all
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
|
|
|
@ -24,10 +24,10 @@ values:
|
|||
description: Allow SSH to machines with matching tags.
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: my-network-ingress-tag-ssh
|
||||
network: my-network
|
||||
name: vpc-name-ingress-tag-ssh
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 10.0.0.0/8
|
||||
source_service_accounts: null
|
||||
|
|
|
@ -25,9 +25,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: allow-healthchecks
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
|
@ -50,11 +50,11 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: allow-service-1-to-service-2
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_service_accounts:
|
||||
- service-1@my-project.iam.gserviceaccount.com
|
||||
- service-1@project-id.iam.gserviceaccount.com
|
||||
source_tags: null
|
||||
target_service_accounts:
|
||||
- service-2
|
||||
|
@ -72,9 +72,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: block-telnet
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
|
|
|
@ -26,9 +26,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: allow-ingress-source-destination-ranges
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 172.16.0.0/12
|
||||
source_service_accounts: null
|
||||
|
@ -47,9 +47,9 @@ values:
|
|||
disabled: false
|
||||
log_config: []
|
||||
name: deny-egress-source-destination-ranges
|
||||
network: my-network
|
||||
network: vpc-name
|
||||
priority: 1000
|
||||
project: my-project
|
||||
project: project-id
|
||||
source_ranges:
|
||||
- 10.132.0.0/20
|
||||
- 10.138.0.0/20
|
||||
|
|
|
@ -18,7 +18,7 @@ values:
|
|||
parent: organizations/1122334455
|
||||
purpose: GCE_FIREWALL
|
||||
purpose_data:
|
||||
network: project-id/vpc_name
|
||||
network: project-id/vpc-name
|
||||
short_name: net-environment
|
||||
timeouts: null
|
||||
module.org.google_tags_tag_key_iam_binding.default["net-environment:roles/resourcemanager.tagAdmin"]:
|
||||
|
|