New vpc-sc module implementation (#406)

* first implementation

* minimal output

* split service perimeters in regular and bridge

* tests and fixes

* new vpc-sc implementation

* remove providers file used for testing

* remove provider used during development

tests/conftest.py

@@ -79,9 +79,10 @@ def example_plan_runner(_plan_runner):
     "Runs Terraform plan and returns count of modules and resources."
     plan = _plan_runner(fixture_path)
     # the fixture is the example we are testing
+    modules = plan.modules or {}
     return (
-        len(plan.modules),
-        sum(len(m.resources) for m in plan.modules.values()))
+        len(modules),
+        sum(len(m.resources) for m in modules.values()))
 
   return run_plan
 

tests/modules/vpc_sc/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/modules/vpc_sc/fixture/main.tf

@@ -0,0 +1,146 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "access_policy" {
+  description = "Access Policy name, leave null to use auto-created one."
+  type        = string
+  default     = null
+}
+
+variable "access_policy_create" {
+  description = "Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format."
+  type = object({
+    parent = string
+    title  = string
+  })
+  default = {
+    parent = "organizations/123456"
+    title  = "vpcsc-policy"
+  }
+}
+
+module "test" {
+  source               = "../../../../modules/vpc-sc"
+  access_policy        = var.access_policy
+  access_policy_create = var.access_policy_create
+  access_levels = {
+    a1 = {
+      combining_function = null
+      conditions = [
+        {
+          device_policy          = null
+          ip_subnetworks         = null
+          members                = ["user:ludomagno@google.com"]
+          negate                 = null
+          regions                = null
+          required_access_levels = null
+        }
+      ]
+    }
+    a2 = {
+      combining_function = "OR"
+      conditions = [
+        {
+          device_policy          = null
+          ip_subnetworks         = null
+          members                = null
+          negate                 = null
+          regions                = ["IT", "FR"]
+          required_access_levels = null
+        },
+        {
+          device_policy          = null
+          ip_subnetworks         = null
+          members                = null
+          negate                 = null
+          regions                = ["US"]
+          required_access_levels = null
+        }
+      ]
+    }
+  }
+  service_perimeters_bridge = {
+    b1 = {
+      status_resources          = ["projects/111110", "projects/111111"]
+      spec_resources            = null
+      use_explicit_dry_run_spec = false
+    }
+    b2 = {
+      status_resources          = ["projects/111110", "projects/222220"]
+      spec_resources            = ["projects/111110", "projects/222220"]
+      use_explicit_dry_run_spec = true
+    }
+  }
+  service_perimeters_regular = {
+    r1 = {
+      spec = null
+      status = {
+        access_levels       = [module.test.access_level_names["a1"]]
+        resources           = ["projects/11111", "projects/111111"]
+        restricted_services = ["storage.googleapis.com"]
+        egress_policies     = null
+        ingress_policies    = null
+        vpc_accessible_services = {
+          allowed_services   = ["compute.googleapis.com"]
+          enable_restriction = true
+        }
+      }
+      use_explicit_dry_run_spec = false
+    }
+    r2 = {
+      spec = null
+      status = {
+        access_levels       = [module.test.access_level_names["a1"]]
+        resources           = ["projects/222220", "projects/222221"]
+        restricted_services = ["storage.googleapis.com"]
+        egress_policies = [
+          {
+            egress_from = {
+              identity_type = null
+              identities    = ["user:foo@example.com"]
+            }
+            egress_to = {
+              operations = null
+              resources  = ["projects/333330"]
+            }
+          }
+        ]
+        ingress_policies = [
+          {
+            ingress_from = {
+              identity_type        = null
+              identities           = null
+              source_access_levels = [module.test.access_level_names["a2"]]
+              source_resources     = ["projects/333330"]
+            }
+            ingress_to = {
+              operations = [{
+                method_selectors = null
+                service_name     = "compute.googleapis.com"
+              }]
+              resources = ["projects/222220"]
+            }
+          }
+        ]
+        vpc_accessible_services = {
+          allowed_services   = ["compute.googleapis.com"]
+          enable_restriction = true
+        }
+      }
+      use_explicit_dry_run_spec = false
+    }
+  }
+}

tests/modules/vpc_sc/test_plan.py

@@ -0,0 +1,49 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_create_policy(plan_runner):
+  "Test with auto-created policy."
+  _, resources = plan_runner(FIXTURES_DIR)
+  counts = {}
+  for r in resources:
+    n = f'{r["type"]}.{r["name"]}'
+    counts[n] = counts.get(n, 0) + 1
+  assert counts == {
+      'google_access_context_manager_access_level.basic': 2,
+      'google_access_context_manager_access_policy.default': 1,
+      'google_access_context_manager_service_perimeter.bridge': 2,
+      'google_access_context_manager_service_perimeter.regular': 2
+  }
+
+
+def test_use_policy(plan_runner):
+  "Test with existing policy."
+  _, resources = plan_runner(FIXTURES_DIR, access_policy_create="null",
+                             access_policy="accessPolicies/foobar")
+  counts = {}
+  for r in resources:
+    n = f'{r["type"]}.{r["name"]}'
+    counts[n] = counts.get(n, 0) + 1
+  assert counts == {
+      'google_access_context_manager_access_level.basic': 2,
+      'google_access_context_manager_service_perimeter.bridge': 2,
+      'google_access_context_manager_service_perimeter.regular': 2
+  }

tests/requirements.txt

@@ -1,4 +1,4 @@
 pytest>=4.6.0
 PyYAML>=5.3
-tftest>=1.6.1
+tftest>=1.6.2
 marko>=0.9.1