Support CIDR range sets in firewall modules context (#3424)

2025-10-16 11:01:05 +02:00
parent 509b715a09
commit 8e8be1eda5
16 changed files with 177 additions and 82 deletions
--- a/tests/modules/net_vpc_firewall/context.tfvars
+++ b/tests/modules/net_vpc_firewall/context.tfvars
@@ -1,6 +1,14 @@
 context = {
  cidr_ranges = {
    rfc1918-10 = "10.0.0.0/8"
+    test       = "8.8.8.8"
+  }
+  cidr_ranges_sets = {
+    rfc1918 = [
+      "10.0.0.0/8",
+      "172.16.10.0/12",
+      "192.168.0.0/24"
+    ]
  }
  iam_principals = {
    test = "serviceAccount:test@test-project.iam.gserviceaccount.com"
@@ -24,22 +32,20 @@ default_rules_config = {
  ssh_ranges   = ["$cidr_ranges:rfc1918-10"]
 }
 egress_rules = {
-  allow-egress-rfc1918 = {
-    deny        = false
-    description = "Allow egress."
-    destination_ranges = [
-      "$cidr_ranges:rfc1918-10", "172.16.0.0/12", "192.168.0.0/16"
-    ]
-    source_ranges        = ["$cidr_ranges:rfc1918-10"]
+  egress-test = {
+    deny                 = false
+    description          = "Allow egress."
+    destination_ranges   = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
+    source_ranges        = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
    targets              = ["$iam_principals:test"]
    use_service_accounts = true
  }
 }
 ingress_rules = {
-  allow-ingress-tag = {
+  ingress-test = {
    description          = "Allow ingress."
-    destination_ranges   = ["$cidr_ranges:rfc1918-10"]
-    source_ranges        = ["$cidr_ranges:rfc1918-10"]
+    destination_ranges   = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
+    source_ranges        = ["$cidr_ranges_sets:rfc1918", "10.0.0.1/32", "$cidr_ranges:test", "10.0.0.0/8"]
    sources              = ["$iam_principals:test"]
    targets              = ["$iam_principals:test"]
    use_service_accounts = true
--- a/tests/modules/net_vpc_firewall/context.yaml
+++ b/tests/modules/net_vpc_firewall/context.yaml
@@ -99,7 +99,7 @@ values:
    target_tags:
    - ssh
    timeouts: null
-  google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
+  google_compute_firewall.custom-rules["egress-test"]:
    allow:
    - ports: []
      protocol: all
@@ -107,25 +107,31 @@ values:
    description: Allow egress.
    destination_ranges:
    - 10.0.0.0/8
-    - 172.16.0.0/12
-    - 192.168.0.0/16
+    - 10.0.0.1/32
+    - 172.16.10.0/12
+    - 192.168.0.0/24
+    - 8.8.8.8
    direction: EGRESS
    disabled: false
    log_config: []
-    name: allow-egress-rfc1918
+    name: egress-test
    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
    params: []
    priority: 1000
    project: foo-test-0
    source_ranges:
    - 10.0.0.0/8
+    - 10.0.0.1/32
+    - 172.16.10.0/12
+    - 192.168.0.0/24
+    - 8.8.8.8
    source_service_accounts: null
    source_tags: null
    target_service_accounts:
    - serviceAccount:test@test-project.iam.gserviceaccount.com
    target_tags: null
    timeouts: null
-  google_compute_firewall.custom-rules["allow-ingress-tag"]:
+  google_compute_firewall.custom-rules["ingress-test"]:
    allow:
    - ports: []
      protocol: all
@@ -133,16 +139,24 @@ values:
    description: Allow ingress.
    destination_ranges:
    - 10.0.0.0/8
+    - 10.0.0.1/32
+    - 172.16.10.0/12
+    - 192.168.0.0/24
+    - 8.8.8.8
    direction: INGRESS
    disabled: false
    log_config: []
-    name: allow-ingress-tag
+    name: ingress-test
    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
    params: []
    priority: 1000
    project: foo-test-0
    source_ranges:
    - 10.0.0.0/8
+    - 10.0.0.1/32
+    - 172.16.10.0/12
+    - 192.168.0.0/24
+    - 8.8.8.8
    source_service_accounts:
    - serviceAccount:test@test-project.iam.gserviceaccount.com
    source_tags: null