diff --git a/tests/modules/net_vpc_firewall/__init__.py b/tests/modules/net_vpc_firewall/__init__.py
new file mode 100644
index 000000000..d46dbae5e
--- /dev/null
+++ b/tests/modules/net_vpc_firewall/__init__.py
@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/tests/modules/net_vpc_firewall/fixture/config/cidr_template.yaml b/tests/modules/net_vpc_firewall/fixture/config/cidr_template.yaml
new file mode 100644
index 000000000..b33125de8
--- /dev/null
+++ b/tests/modules/net_vpc_firewall/fixture/config/cidr_template.yaml
@@ -0,0 +1,19 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+healthchecks:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ - 209.85.152.0/22
+ - 209.85.204.0/22
diff --git a/tests/modules/net_vpc_firewall/fixture/config/firewall/load_balancers.yaml b/tests/modules/net_vpc_firewall/fixture/config/firewall/load_balancers.yaml
new file mode 100644
index 000000000..558e65b10
--- /dev/null
+++ b/tests/modules/net_vpc_firewall/fixture/config/firewall/load_balancers.yaml
@@ -0,0 +1,28 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow-healthchecks:
+ description: Allow ingress from healthchecks.
+ direction: INGRESS
+ action: allow
+ sources: []
+ ranges:
+ - $healthchecks
+ targets: ["lb-backends"]
+ use_service_accounts: false
+ rules:
+ - protocol: tcp
+ ports:
+ - 80
+ - 443
diff --git a/tests/modules/net_vpc_firewall/fixture/main.tf b/tests/modules/net_vpc_firewall/fixture/main.tf
new file mode 100644
index 000000000..59201cb23
--- /dev/null
+++ b/tests/modules/net_vpc_firewall/fixture/main.tf
@@ -0,0 +1,28 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "firewall" {
+ source = "../../../../modules/net-vpc-firewall"
+ project_id = var.project_id
+ network = var.network
+ admin_ranges = var.admin_ranges
+ http_source_ranges = var.http_source_ranges
+ https_source_ranges = var.https_source_ranges
+ ssh_source_ranges = var.ssh_source_ranges
+ custom_rules = var.custom_rules
+ data_folder = var.data_folder
+ cidr_template_file = var.cidr_template_file
+}
diff --git a/tests/modules/net_vpc_firewall/fixture/variables.tf b/tests/modules/net_vpc_firewall/fixture/variables.tf
new file mode 100644
index 000000000..7f261a6f3
--- /dev/null
+++ b/tests/modules/net_vpc_firewall/fixture/variables.tf
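Review bot: The `module "firewall"` block never forwards `named_ranges`, although the fixture's variables.tf in the next hunk declares a `named_ranges` variable with a full default map, so that default is dead and whatever the module ships as its own named ranges is what the tests actually exercise. If the module exposes a `named_ranges` input, add `named_ranges = var.named_ranges` after `custom_rules = var.custom_rules`; if it does not, drop the variable from variables.tf so the fixture does not advertise an override that is never wired. The other nine inputs are passed through one-to-one, which is the right shape for a plan fixture.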
@@ -0,0 +1,97 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "admin_ranges" {
+ description = "IP CIDR ranges that have complete access to all subnets."
+ type = list(string)
+ default = []
+}
+
+variable "cidr_template_file" {
+ description = "Path for optional file containing name->cidr_list map to be used by the rules factory."
+ type = string
+ default = null
+}
+
+variable "custom_rules" {
+ description = "List of custom rule definitions (refer to variables file for syntax)."
+ type = map(object({
+ description = string
+ direction = string
+ action = string # (allow|deny)
+ ranges = list(string)
+ sources = list(string)
+ targets = list(string)
+ use_service_accounts = bool
+ rules = list(object({
+ protocol = string
+ ports = list(string)
+ }))
+ extra_attributes = map(string)
+ }))
+ default = {}
+}
+
+variable "data_folder" {
+ description = "Path for optional folder containing firewall rules defined as YaML objects used by the rules factory."
+ type = string
+ default = null
+}
+
+variable "http_source_ranges" {
+ description = "List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges."
+ type = list(string)
+ default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+}
+
+variable "https_source_ranges" {
+ description = "List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges."
+ type = list(string)
+ default = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+}
+
+variable "named_ranges" {
+ description = "Names that can be used of valid values for the `ranges` field of `custom_rules`"
+ type = map(list(string))
+ default = {
+ any = ["0.0.0.0/0"]
+ dns-forwarders = ["35.199.192.0/19"]
+ health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
+ iap-forwarders = ["35.235.240.0/20"]
+ private-googleapis = ["199.36.153.8/30"]
+ restricted-googleapis = ["199.36.153.4/30"]
+ rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+ }
+}
+
+variable "network" {
+ description = "Name of the network this set of firewall rules applies to."
+ type = string
+ default = "vpc"
+}
+
+variable "project_id" {
+ description = "Project id of the project that holds the network."
+ type = string
+ default = "project"
+}
+
+variable "ssh_source_ranges" {
+ description = "List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range."
+ type = list(string)
+ default = ["35.235.240.0/20"]
+}
+
diff --git a/tests/modules/net_vpc_firewall/test_plan.py b/tests/modules/net_vpc_firewall/test_plan.py
new file mode 100644
index 000000000..8159a7fcd
--- /dev/null
+++ b/tests/modules/net_vpc_firewall/test_plan.py
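Review bot: The `named_ranges` description is ungrammatical and, unlike every other variable in this file, has no terminating period: `Names that can be used of valid values for the ...` should read `description = "Names that can be used as valid values for the `ranges` field of `custom_rules`."`. The `action = string # (allow|deny)` comment inside the type constraint is the only place the accepted values are stated; repeating them in the `custom_rules` description would make them visible in generated docs, since Terraform does not surface comments inside `type`.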
@@ -0,0 +1,44 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_vpc_firewall_simple(plan_runner):
+ "Test vpc with no extra options."
+ _, resources = plan_runner(FIXTURES_DIR)
+ assert len(resources) == 3
+ assert set([r['type'] for r in resources]) == set(
+ ['google_compute_firewall'])
+ assert set([r['values']['name'] for r in resources]) == set(
+ ['vpc-ingress-tag-http', 'vpc-ingress-tag-https', 'vpc-ingress-tag-ssh'])
+ assert set([r['values']['project'] for r in resources]) == set(['project'])
+ assert set([r['values']['network'] for r in resources]) == set(['vpc'])
+
+
+def test_vpc_firewall_factory(plan_runner):
+ "Test shared vpc variables."
+ _, resources = plan_runner(
+ FIXTURES_DIR, data_folder="config/firewall", cidr_template_file="config/cidr_template.yaml")
+ assert len(resources) == 4
+ factory_rule = [r for r in resources if r["values"]
+ ["name"] == "allow-healthchecks"][0]["values"]
+ assert set(factory_rule["source_ranges"]) == set(
+ ["130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"])
+ assert set(factory_rule["target_tags"]) == set(["lb-backends"])
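Review bot: `test_vpc_firewall_factory` asserts the factory rule's `source_ranges` and `target_tags` but never what the rule admits — `direction` and the `allow` block (tcp 80/443 per load_balancers.yaml) are unchecked, so a regression that opened every port or inverted the direction would still pass. Selecting the rule with `[...][0]` also turns a missing rule into an IndexError rather than a readable assertion failure, and the wrap of `r["values"]` / `["name"]` across two lines reads like list concatenation. I would select it with `factory_rule = next(r["values"] for r in resources if r["values"]["name"] == "allow-healthchecks")` and add `assert factory_rule["direction"] == "INGRESS"` and `assert factory_rule["allow"] == [{"protocol": "tcp", "ports": ["80", "443"]}]`, confirming the exact shape of `allow` in the plan JSON against the module's output. The second docstring `"Test shared vpc variables."` is copied from an unrelated test and should read `"Test rules created by the YAML rules factory."`; `import pytest` also appears unused, since `plan_runner` is injected as a fixture.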