Add support for context to net-lb-int net-vpc-firewall and net-vpc module (#3419)

* net-lb-int * net-vpc-firewall * net-vpc * net-vpc
2025-10-16 07:54:14 +02:00
parent ecdc248f3f
commit 7c920d7d35
25 changed files with 1044 additions and 221 deletions
--- a/tests/modules/net_vpc_firewall/context.tfvars
+++ b/tests/modules/net_vpc_firewall/context.tfvars
@@ -0,0 +1,47 @@
+context = {
+  cidr_ranges = {
+    rfc1918-10 = "10.0.0.0/8"
+  }
+  iam_principals = {
+    test = "serviceAccount:test@test-project.iam.gserviceaccount.com"
+  }
+  networks = {
+    test = "projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0"
+  }
+  project_ids = {
+    test = "foo-test-0"
+  }
+}
+project_id = "$project_ids:test"
+network    = "$networks:test"
+attachments = {
+  test = "$networks:test"
+}
+default_rules_config = {
+  admin_ranges = ["$cidr_ranges:rfc1918-10"]
+  http_ranges  = ["$cidr_ranges:rfc1918-10"]
+  https_ranges = ["$cidr_ranges:rfc1918-10"]
+  ssh_ranges   = ["$cidr_ranges:rfc1918-10"]
+}
+egress_rules = {
+  allow-egress-rfc1918 = {
+    deny        = false
+    description = "Allow egress."
+    destination_ranges = [
+      "$cidr_ranges:rfc1918-10", "172.16.0.0/12", "192.168.0.0/16"
+    ]
+    source_ranges        = ["$cidr_ranges:rfc1918-10"]
+    targets              = ["$iam_principals:test"]
+    use_service_accounts = true
+  }
+}
+ingress_rules = {
+  allow-ingress-tag = {
+    description          = "Allow ingress."
+    destination_ranges   = ["$cidr_ranges:rfc1918-10"]
+    source_ranges        = ["$cidr_ranges:rfc1918-10"]
+    sources              = ["$iam_principals:test"]
+    targets              = ["$iam_principals:test"]
+    use_service_accounts = true
+  }
+}
--- a/tests/modules/net_vpc_firewall/context.yaml
+++ b/tests/modules/net_vpc_firewall/context.yaml
@@ -0,0 +1,157 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_firewall.allow-admins[0]:
+    allow:
+    - ports: []
+      protocol: all
+    deny: []
+    description: Access from the admin subnet to all subnets.
+    disabled: null
+    log_config: []
+    name: dev-spoke-0-ingress-admins
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    params: []
+    priority: 1000
+    project: foo-test-0
+    source_ranges:
+    - 10.0.0.0/8
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags: null
+    timeouts: null
+  google_compute_firewall.allow-tag-http[0]:
+    allow:
+    - ports:
+      - '80'
+      protocol: tcp
+    deny: []
+    description: Allow http to machines with matching tags.
+    disabled: null
+    log_config: []
+    name: dev-spoke-0-ingress-tag-http
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    params: []
+    priority: 1000
+    project: foo-test-0
+    source_ranges:
+    - 10.0.0.0/8
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - http-server
+    timeouts: null
+  google_compute_firewall.allow-tag-https[0]:
+    allow:
+    - ports:
+      - '443'
+      protocol: tcp
+    deny: []
+    description: Allow http to machines with matching tags.
+    disabled: null
+    log_config: []
+    name: dev-spoke-0-ingress-tag-https
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    params: []
+    priority: 1000
+    project: foo-test-0
+    source_ranges:
+    - 10.0.0.0/8
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - https-server
+    timeouts: null
+  google_compute_firewall.allow-tag-ssh[0]:
+    allow:
+    - ports:
+      - '22'
+      protocol: tcp
+    deny: []
+    description: Allow SSH to machines with matching tags.
+    disabled: null
+    log_config: []
+    name: dev-spoke-0-ingress-tag-ssh
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    params: []
+    priority: 1000
+    project: foo-test-0
+    source_ranges:
+    - 10.0.0.0/8
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - ssh
+    timeouts: null
+  google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
+    allow:
+    - ports: []
+      protocol: all
+    deny: []
+    description: Allow egress.
+    destination_ranges:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    direction: EGRESS
+    disabled: false
+    log_config: []
+    name: allow-egress-rfc1918
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    params: []
+    priority: 1000
+    project: foo-test-0
+    source_ranges:
+    - 10.0.0.0/8
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    target_tags: null
+    timeouts: null
+  google_compute_firewall.custom-rules["allow-ingress-tag"]:
+    allow:
+    - ports: []
+      protocol: all
+    deny: []
+    description: Allow ingress.
+    destination_ranges:
+    - 10.0.0.0/8
+    direction: INGRESS
+    disabled: false
+    log_config: []
+    name: allow-ingress-tag
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    params: []
+    priority: 1000
+    project: foo-test-0
+    source_ranges:
+    - 10.0.0.0/8
+    source_service_accounts:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    source_tags: null
+    target_service_accounts:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    target_tags: null
+    timeouts: null
+
+counts:
+  google_compute_firewall: 6
+  modules: 0
+  resources: 6
--- a/tests/modules/net_vpc_firewall/tftest.yaml
+++ b/tests/modules/net_vpc_firewall/tftest.yaml
@@ -0,0 +1,17 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: modules/net-vpc-firewall
+tests:
+  context: