Update folder tests
This commit is contained in:
Julio Castillo
@@ -2,9 +2,7 @@
|
||||
|
||||
This module allows the creation and management of folders, including support for IAM bindings, organization policies, and hierarchical firewall rules.
|
||||
|
||||
## Examples
|
||||
|
||||
### IAM bindings
|
||||
## Basic example with IAM bindings
|
||||
|
||||
```hcl
|
||||
module "folder" {
|
||||
@@ -14,17 +12,26 @@ module "folder" {
|
||||
group_iam = {
|
||||
"cloud-owners@example.org" = [
|
||||
"roles/owner",
|
||||
"roles/resourcemanager.folderAdmin",
|
||||
"roles/resourcemanager.projectCreator"
|
||||
]
|
||||
}
|
||||
iam = {
|
||||
"roles/owner" = ["user:one@example.com"]
|
||||
"roles/owner" = ["user:one@example.org"]
|
||||
}
|
||||
iam_additive = {
|
||||
"roles/compute.admin" = ["user:a1@example.org", "user:a2@example.org"]
|
||||
"roles/compute.viewer" = ["user:a2@example.org"]
|
||||
}
|
||||
iam_additive_members = {
|
||||
"user:am1@example.org" = ["roles/storage.admin"]
|
||||
"user:am2@example.org" = ["roles/storage.objectViewer"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3
|
||||
# tftest modules=1 resources=9 inventory=iam.yaml
|
||||
```
|
||||
|
||||
### Organization policies
|
||||
## Organization policies
|
||||
|
||||
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
||||
|
||||
@@ -72,70 +79,14 @@ module "folder" {
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=8
|
||||
# tftest modules=1 resources=8 inventory=org-policies.yaml
|
||||
```
|
||||
|
||||
### Organization policy factory
|
||||
|
||||
See the [organization policy factory in the project module](../project#organization-policy-factory).
|
||||
|
||||
### Firewall policy factory
|
||||
|
||||
In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
||||
|
||||
```hcl
|
||||
module "folder" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = "organizations/1234567890"
|
||||
name = "Folder name"
|
||||
firewall_policy_factory = {
|
||||
cidr_file = "configs/firewall-policies/cidrs.yaml"
|
||||
policy_name = null
|
||||
rules_file = "configs/firewall-policies/rules.yaml"
|
||||
}
|
||||
firewall_policy_association = {
|
||||
factory-policy = module.folder.firewall_policy_id["factory"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5 files=cidrs,rules
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
|
||||
rfc1918:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
|
||||
allow-admins:
|
||||
description: Access from the admin subnet to all subnets
|
||||
direction: INGRESS
|
||||
action: allow
|
||||
priority: 1000
|
||||
ranges:
|
||||
- $rfc1918
|
||||
ports:
|
||||
all: []
|
||||
target_resources: null
|
||||
enable_logging: false
|
||||
|
||||
allow-ssh-from-iap:
|
||||
description: Enable SSH from IAP
|
||||
direction: INGRESS
|
||||
action: allow
|
||||
priority: 1002
|
||||
ranges:
|
||||
- 35.235.240.0/20
|
||||
ports:
|
||||
tcp: ["22"]
|
||||
target_resources: null
|
||||
enable_logging: false
|
||||
```
|
||||
|
||||
### Logging Sinks
|
||||
## Logging Sinks
|
||||
|
||||
```hcl
|
||||
module "gcs" {
|
||||
@@ -164,7 +115,6 @@ module "bucket" {
|
||||
id = "bucket"
|
||||
}
|
||||
|
||||
|
||||
module "folder-sink" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = "folders/657104291943"
|
||||
@@ -198,10 +148,19 @@ module "folder-sink" {
|
||||
no-gce-instances = "resource.type=gce_instance"
|
||||
}
|
||||
}
|
||||
# tftest modules=5 resources=14
|
||||
# tftest modules=5 resources=14 inventory=logging.yaml
|
||||
```
|
||||
|
||||
### Hierarchical firewall policies
|
||||
## Hierarchical firewall policies
|
||||
|
||||
Hierarchical firewall policies can be managed in two ways:
|
||||
|
||||
- via the `firewall_policies` variable, to directly define policies and rules in Terraform
|
||||
- via the `firewall_policy_factory` variable, to leverage external YaML files via a simple "factory" embedded in the module ([see here](../../blueprints/factories) for more context on factories)
|
||||
|
||||
Once you have policies (either created via the module or externally), you can associate them using the `firewall_policy_association` variable.
|
||||
|
||||
### Directly defined firewall policies
|
||||
|
||||
```hcl
|
||||
module "folder1" {
|
||||
@@ -211,6 +170,17 @@ module "folder1" {
|
||||
|
||||
firewall_policies = {
|
||||
iap-policy = {
|
||||
allow-admins = {
|
||||
description = "Access from the admin subnet to all subnets"
|
||||
direction = "INGRESS"
|
||||
action = "allow"
|
||||
priority = 1000
|
||||
ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
||||
ports = { all = [] }
|
||||
target_service_accounts = null
|
||||
target_resources = null
|
||||
logging = false
|
||||
}
|
||||
allow-iap-ssh = {
|
||||
description = "Always allow ssh from IAP"
|
||||
direction = "INGRESS"
|
||||
@@ -237,7 +207,71 @@ module "folder2" {
|
||||
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=6
|
||||
# tftest modules=2 resources=7 inventory=hfw.yaml
|
||||
```
|
||||
### Firewall policy factory
|
||||
|
||||
The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
||||
|
||||
```hcl
|
||||
module "folder1" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.organization_id
|
||||
name = "policy-container"
|
||||
firewall_policy_factory = {
|
||||
cidr_file = "configs/firewall-policies/cidrs.yaml"
|
||||
policy_name = "iap-policy"
|
||||
rules_file = "configs/firewall-policies/rules.yaml"
|
||||
}
|
||||
firewall_policy_association = {
|
||||
iap-policy = "iap-policy"
|
||||
}
|
||||
}
|
||||
|
||||
module "folder2" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.organization_id
|
||||
name = "hf2"
|
||||
firewall_policy_association = {
|
||||
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=7 files=cidrs,rules inventory=hfw.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
|
||||
rfc1918:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
|
||||
allow-admins:
|
||||
description: Access from the admin subnet to all subnets
|
||||
direction: INGRESS
|
||||
action: allow
|
||||
priority: 1000
|
||||
ranges:
|
||||
- $rfc1918
|
||||
ports:
|
||||
all: []
|
||||
target_resources: null
|
||||
logging: false
|
||||
|
||||
allow-iap-ssh:
|
||||
description: "Always allow ssh from IAP"
|
||||
direction: INGRESS
|
||||
action: allow
|
||||
priority: 100
|
||||
ranges:
|
||||
- 35.235.240.0/20
|
||||
ports:
|
||||
tcp: ["22"]
|
||||
target_resources: null
|
||||
logging: false
|
||||
```
|
||||
|
||||
## Tags
|
||||
@@ -269,7 +303,7 @@ module "folder" {
|
||||
foo = "tagValues/12345678"
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=6
|
||||
# tftest modules=2 resources=6 inventory=tags.yaml
|
||||
```
|
||||
|
||||
<!-- TFDOC OPTS files:1 -->
|
||||
|
||||
Reference in New Issue
Block a user