From 07cf38642785bb120838965f4a48c0bdfbabbcd4 Mon Sep 17 00:00:00 2001
From: averbukh
Date: Sun, 14 Mar 2021 19:49:07 +0100
Subject: [PATCH] Add basic tests for nwt-vpc-firewall-yaml module
---
.../modules/net_vpc_firewall_yaml/__init__.py | 13 +++++
.../net_vpc_firewall_yaml/fixture/main.tf | 23 +++++++++
.../fixture/rules/common..yaml | 20 ++++++++
.../fixture/variables.tf | 23 +++++++++
.../net_vpc_firewall_yaml/test_plan.py | 50 +++++++++++++++++++
5 files changed, 129 insertions(+)
create mode 100644 tests/modules/net_vpc_firewall_yaml/__init__.py
create mode 100644 tests/modules/net_vpc_firewall_yaml/fixture/main.tf
create mode 100644 tests/modules/net_vpc_firewall_yaml/fixture/rules/common..yaml
create mode 100644 tests/modules/net_vpc_firewall_yaml/fixture/variables.tf
create mode 100644 tests/modules/net_vpc_firewall_yaml/test_plan.py
diff --git a/tests/modules/net_vpc_firewall_yaml/__init__.py b/tests/modules/net_vpc_firewall_yaml/__init__.py
new file mode 100644
index 000000000..d46dbae5e
--- /dev/null
+++ b/tests/modules/net_vpc_firewall_yaml/__init__.py
@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/tests/modules/net_vpc_firewall_yaml/fixture/main.tf b/tests/modules/net_vpc_firewall_yaml/fixture/main.tf
new file mode 100644
index 000000000..7db37c77c
--- /dev/null
+++ b/tests/modules/net_vpc_firewall_yaml/fixture/main.tf
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "firewall" {
+ source = "../../../../modules/net-vpc-firewall-yaml"
+ project_id = "my-project"
+ network = "my-network"
+ config_path = "./rules"
+ log_config = var.log_config
+}
diff --git a/tests/modules/net_vpc_firewall_yaml/fixture/rules/common..yaml b/tests/modules/net_vpc_firewall_yaml/fixture/rules/common..yaml
new file mode 100644
index 000000000..6e2871495
--- /dev/null
+++ b/tests/modules/net_vpc_firewall_yaml/fixture/rules/common..yaml
@@ -0,0 +1,20 @@
+# allow ingress from GCLB to all instances in the network
+lb-health-checks:
+ allow:
+ - ports: []
+ protocol: tcp
+ direction: INGRESS
+ priority: 1001
+ source_ranges:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+
+# deny all egress
+deny-all:
+ deny:
+ - ports: []
+ protocol: all
+ direction: EGRESS
+ priority: 65535
+ destination_ranges:
+ - 0.0.0.0/0
diff --git a/tests/modules/net_vpc_firewall_yaml/fixture/variables.tf b/tests/modules/net_vpc_firewall_yaml/fixture/variables.tf
new file mode 100644
index 000000000..690f2878a
--- /dev/null
+++ b/tests/modules/net_vpc_firewall_yaml/fixture/variables.tf
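Review bot: `config_path = "./rules"` in the `module "firewall"` block is a working-directory-relative path, so the module's file lookups only find the fixture rules when terraform is executed from inside the fixture directory; I cannot see `plan_runner` here, so whether it chdirs is an assumption. Anchoring the path to the file with `config_path = "${path.module}/rules"` makes the fixture independent of where the test harness runs terraform. The placeholder `project_id`/`network` values are fine for a plan-only test, but a one-line comment saying so (`# plan-only fixture: project/network are never created`) would stop someone trying to apply it.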
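Review bot: The new fixture is created as `rules/common..yaml` (double dot) while the Python test's docstring refers to `rules/common.yaml`; if the double dot is a typo it should be renamed now, since fixtures get copied by name and the mismatch will otherwise be carried into every later test. On the rules themselves, `lb-health-checks` has no target scoping and declares `ports: []` for `tcp`, which the comment describes as reaching all instances; if the module supports target tags or service accounts, adding one scoped rule to the fixture would let the test pin that scoping is passed through rather than only exercising network-wide rules. The `deny-all` egress rule at priority 65535 is a deliberate catch-all, so a comment stating that it deliberately shares the priority of the implied rules would document the intent.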
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "log_config" {
+ description = "Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging."
+ type = object({
+ metadata = string
+ })
+ default = null
+}
diff --git a/tests/modules/net_vpc_firewall_yaml/test_plan.py b/tests/modules/net_vpc_firewall_yaml/test_plan.py
new file mode 100644
index 000000000..8e86d2c00
--- /dev/null
+++ b/tests/modules/net_vpc_firewall_yaml/test_plan.py
@@ -0,0 +1,50 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_firewall_simple(plan_runner):
+ "Test firewall rules from rules/common.yaml with no extra options."
+ _, resources = plan_runner(FIXTURES_DIR)
+ assert len(resources) == 4
+ assert set(r['type'] for r in resources) == set([
+ 'google_compute_firewall', 'time_static'
+ ])
+ firewall_values = [r['values'] for r in resources if r['type']
+ == 'google_compute_firewall']
+ assert set([f['project'] for f in firewall_values]) == set(['my-project'])
+ assert set([f['network'] for f in firewall_values]) == set(['my-network'])
+
+
+def test_firewall_log_config(plan_runner):
+ "Test firewall rules log configuration."
+ log_config = """ {
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+ """
+ log_config_value = [{"metadata": "INCLUDE_ALL_METADATA"}]
+ _, resources = plan_runner(FIXTURES_DIR, log_config=log_config)
+ assert len(resources) == 4
+ assert set(r['type'] for r in resources) == set([
+ 'google_compute_firewall', 'time_static'
+ ])
+ firewall_values = [r['values'] for r in resources if r['type']
+ == 'google_compute_firewall']
+ assert all(f['log_config'] == log_config_value for f in firewall_values)
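Review bot: `test_firewall_simple` only pins the resource count and the `project`/`network` of the `google_compute_firewall` resources, so none of the attributes that decide what the fixture rules actually permit — `direction`, `priority`, `source_ranges`/`destination_ranges`, and whether a rule is `allow` or `deny` — are checked, and a module regression that turned `deny-all` into an allow rule or dropped its `destination_ranges` would still pass. The assertions below key the two rules by `direction` (both values are fixed in the fixture) and compare the range lists as sets, since the provider exposes them as unordered sets; `allow`/`deny` being lists of blocks in plan values is the provider's schema, which I am assuming `plan_runner` passes through unchanged. Two smaller points: `import pytest` is unused in this module, and the docstring names `rules/common.yaml` while the fixture file added in this patch is `rules/common..yaml`, so one of the two should be corrected.
```python
def test_firewall_simple(plan_runner):
    "Test firewall rules from rules/common.yaml with no extra options."
    # … unchanged: plan_runner call, resource count/type, project and network assertions …
    # pin the attributes that decide what the rules actually permit
    by_direction = {f['direction']: f for f in firewall_values}
    assert set(by_direction) == {'INGRESS', 'EGRESS'}
    ingress, egress = by_direction['INGRESS'], by_direction['EGRESS']
    assert ingress['priority'] == 1001
    assert set(ingress['source_ranges']) == {'35.191.0.0/16', '130.211.0.0/22'}
    assert ingress['allow'] and not ingress['deny']
    assert egress['priority'] == 65535
    assert set(egress['destination_ranges']) == {'0.0.0.0/0'}
    assert egress['deny'] and not egress['allow']
```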