Resource factories

tests/factories/firewall_hierarchical_policies/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/factories/firewall_hierarchical_policies/fixture/conf/rules/1234567890/0987654321-foobar.yaml

@@ -0,0 +1,11 @@
+allow-ssh-from-onprem:
+  description: Enable SSH for onprem ranges
+  direction: INGRESS
+  action: allow
+  priority: 1001
+  source_ranges:
+    - $example
+  ports:
+    tcp: ["22"]
+  target_resources: null
+  enable_logging: false

tests/factories/firewall_hierarchical_policies/fixture/conf/rules/1234567890/org.yaml

@@ -0,0 +1,11 @@
+allow-icmp:
+  description: Enable ICMP for all hosts
+  direction: INGRESS
+  action: allow
+  priority: 1000
+  source_ranges:
+    - 0.0.0.0/0
+  ports:
+    icmp: []
+  target_resources: null
+  enable_logging: false

tests/factories/firewall_hierarchical_policies/fixture/conf/templates/cidrs.yaml

@@ -0,0 +1,8 @@
+example:
+  - 10.0.0.0/24
+  - 10.0.10.0/24
+  - 192.168.1.1/32
+
+healthcheck:
+  - 35.191.0.0/16
+  - 130.211.0.0/22

tests/factories/firewall_hierarchical_policies/fixture/conf/templates/service_accounts.yaml

@@ -0,0 +1,2 @@
+example:
+  - example-service-account@resource-factory-playground.iam.gserviceaccount.com

tests/factories/firewall_hierarchical_policies/fixture/main.tf

@@ -0,0 +1,21 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "hierarchical-firewall-rules" {
+  source           = "../../../../factories/firewall-hierarchical-policies/"
+  config_folder    = "conf/rules"
+  templates_folder = "conf/templates"
+}

tests/factories/firewall_hierarchical_policies/test_plan.py

@@ -0,0 +1,43 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), "fixture")
+
+
+def test_firewall(plan_runner):
+    "Test hierarchical firewall rules from conf/rules"
+    _, resources = plan_runner(FIXTURES_DIR)
+    assert len(resources) == 6
+    assert set(r["type"] for r in resources) == set([
+        "google_compute_organization_security_policy_rule", "google_compute_organization_security_policy_association", "google_compute_organization_security_policy"
+    ])
+    rule_ssh = [r["values"] for r in resources if r["type"]== "google_compute_organization_security_policy_rule" and r["values"]["priority"]==1001]
+    rule_icmp = [r["values"] for r in resources if r["type"]== "google_compute_organization_security_policy_rule" and r["values"]["priority"]==1000]
+    association_org = [r["values"] for r in resources if r["type"]== "google_compute_organization_security_policy_association" and r["values"]["attachment_id"]=="organizations/1234567890"]
+    association_folder = [r["values"] for r in resources if r["type"]== "google_compute_organization_security_policy_association" and r["values"]["attachment_id"]=="folders/0987654321"]
+    policies_org = [r["values"] for r in resources if r["type"]== "google_compute_organization_security_policy" and r["values"]["parent"]=="organizations/1234567890"]
+    policies_folder = [r["values"] for r in resources if r["type"]== "google_compute_organization_security_policy" and r["values"]["parent"]=="folders/0987654321"]
+  
+    assert set(rule_ssh[0]["match"][0]["config"][0]["src_ip_ranges"])==set(["10.0.0.0/24", "10.0.10.0/24", "192.168.1.1/32"])
+    assert rule_icmp[0]["match"][0]["config"][0]["layer4_config"][0]["ip_protocol"]=="icmp"
+    assert association_org[0]["name"]=="hierarchical-fw-policy-organizations-1234567890"
+    assert association_folder[0]["name"]=="hierarchical-fw-policy-folders-0987654321"
+    assert policies_org[0]["display_name"]=="hierarchical-fw-policy-organizations-1234567890"
+    assert policies_folder[0]["display_name"]=="hierarchical-fw-policy-folders-0987654321"
+  

tests/factories/subnets/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/factories/subnets/fixture/conf/project-a/vpc-a/subnet-a.yaml

@@ -0,0 +1,6 @@
+region: europe-west1
+ip_cidr_range: 10.0.0.0/24
+description: Sample Subnet in project project-a, vpc-a
+secondary_ip_ranges:
+  secondary-range-a: 192.168.0.0/24
+  secondary-range-b: 192.168.1.0/24

tests/factories/subnets/fixture/conf/project-a/vpc-a/subnet-b.yaml

@@ -0,0 +1,4 @@
+region: europe-west3
+ip_cidr_range: 10.0.1.0/24
+description: Sample Subnet in project project-a, vpc-a
+private_ip_google_access: false

tests/factories/subnets/fixture/conf/project-a/vpc-b/subnet-one.yaml

@@ -0,0 +1,5 @@
+region: europe-west4
+ip_cidr_range: 10.0.2.0/24
+description: Sample Subnet in project project-a, vpc-b
+iam_users: ["sruffilli@google.com"]
+iam_groups: []

tests/factories/subnets/fixture/conf/project-b/vpc-x/subnet-alpha.yaml

@@ -0,0 +1,5 @@
+region: europe-west4
+ip_cidr_range: 172.16.0.0/24
+description: Sample Subnet in project project-b, vpc-x
+iam_users: ["sruffilli@google.com"]
+iam_groups: []

tests/factories/subnets/fixture/main.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "subnets" {
+  source        = "../../../../factories/subnets"
+  config_folder = "conf"
+}

tests/factories/subnets/test_plan.py

@@ -0,0 +1,64 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import pytest
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), "fixture")
+
+
+def test_firewall(plan_runner):
+    "Test hierarchical firewall rules from conf/rules"
+    _, resources = plan_runner(FIXTURES_DIR)
+    assert len(resources) == 6
+    assert set(r["type"] for r in resources) == set(
+        ["google_compute_subnetwork", "google_compute_subnetwork_iam_binding"])
+    subnets = [
+        r["values"] for r in resources
+        if r["type"] == "google_compute_subnetwork"
+    ]
+    iam_bindings = [
+        r["values"] for r in resources
+        if r["type"] == "google_compute_subnetwork_iam_binding"
+    ]
+
+    subnet_a_a = [
+        s for s in subnets
+        if s["project"] == "project-a" and s["network"] == "vpc-a" and s["name"] == "subnet-a"
+    ][0]
+    assert subnet_a_a["ip_cidr_range"] == "10.0.0.0/24"
+    assert subnet_a_a["private_ip_google_access"] == True
+    assert subnet_a_a["region"] == "europe-west1"
+    assert subnet_a_a["secondary_ip_range"] == [{
+        "ip_cidr_range":
+        "192.168.0.0/24",
+        "range_name":
+        "secondary-range-a"
+    }, {
+        "ip_cidr_range":
+        "192.168.1.0/24",
+        "range_name":
+        "secondary-range-b"
+    }]
+
+    subnet_a_b = [
+        s for s in subnets
+        if s["project"] == "project-a" and s["network"] == "vpc-a" and s["name"] == "subnet-b"
+    ][0]
+    assert subnet_a_b["private_ip_google_access"] == False
+
+    iam_binding_b_alpha = [b for b in iam_bindings if b["project"]=="project-b"][0]
+    assert set(iam_binding_b_alpha["members"])==set(["user:sruffilli@google.com"])
+    assert iam_binding_b_alpha["role"]=="roles/compute.networkUser"
+    assert iam_binding_b_alpha["subnetwork"]=="subnet-alpha"

tests/factories/vpc_firewall/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/factories/vpc_firewall/flat/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/factories/vpc_firewall/flat/fixture/main.tf

@@ -15,7 +15,7 @@
  */
 
 module "firewall" {
-  source     = "../../../../modules/net-vpc-firewall-yaml"
+  source     = "../../../../../factories/firewall-vpc-rules/flat"
   project_id = "my-project"
   network    = "my-network"
   config_directories = [

tests/factories/vpc_firewall/nested/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/factories/vpc_firewall/nested/fixture/conf/rules/resource-factory-playground/vpc-a/ingress-loadbalancers.yaml

@@ -0,0 +1,23 @@
+allow-healthchecks:
+  description: "Allow traffic from healthcheck"
+  direction: INGRESS
+  action: allow
+  priority: 1000
+  source_ranges:
+    - $healthcheck
+  ports:
+    tcp: ["80"]
+  enable_logging: false
+
+allow-http:
+  description: "Allow traffic to LB backend"
+  direction: INGRESS
+  action: allow
+  priority: 1000
+  source_ranges:
+    - 0.0.0.0/0
+  target_service_accounts:
+    - example-service-account@resource-factory-playground.iam.gserviceaccount.com
+  ports:
+    tcp: ["80", "443"]
+  enable_logging: true

tests/factories/vpc_firewall/nested/fixture/conf/templates/cidrs.yaml

@@ -0,0 +1,8 @@
+example:
+  - 10.0.0.0/24
+  - 10.0.10.0/24
+  - 192.168.1.1/32
+
+healthcheck:
+  - 35.191.0.0/16
+  - 130.211.0.0/22

tests/factories/vpc_firewall/nested/fixture/conf/templates/service_accounts.yaml

@@ -0,0 +1,2 @@
+couchbase:
+  - example-service-account@resource-factory-playground.iam.gserviceaccount.com

tests/factories/vpc_firewall/nested/fixture/main.tf

@@ -0,0 +1,21 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "vpc-firewall-rules" {
+  source           = "../../../../../factories/firewall-vpc-rules/nested"
+  config_folder    = "conf/rules"
+  templates_folder = "conf/templates"
+}

tests/factories/vpc_firewall/nested/test_plan.py

@@ -0,0 +1,45 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import pytest
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), "fixture")
+
+
+def test_firewall(plan_runner):
+    "Test hierarchical firewall rules from conf/rules"
+    _, resources = plan_runner(FIXTURES_DIR)
+    assert len(resources) == 2
+
+    assert set(r["type"]
+               for r in resources) == set(["google_compute_firewall"])
+
+    rule_hc = [
+        r["values"] for r in resources
+        if r["values"]["name"] == "allow-healthchecks-vpc-a"
+    ][0]
+    rule_be = [
+        r["values"] for r in resources
+        if r["values"]["description"] == "Allow traffic to LB backend"
+    ][0]
+
+    assert set(rule_hc["source_ranges"]) == set(
+        ["130.211.0.0/22", "35.191.0.0/16"])
+    assert rule_hc["direction"] == "INGRESS"
+    assert rule_hc["network"] == "vpc-a"
+    assert rule_hc["priority"] == 1000
+    assert rule_hc["project"] == "resource-factory-playground"
+    assert rule_hc["allow"][0] == {'ports': ['80'], 'protocol': 'tcp'}
+    assert rule_be["log_config"][0] == {'metadata': 'INCLUDE_ALL_METADATA'}