diff --git a/modules/folder/variables.tf b/modules/folder/variables.tf index 24c0c171c..aba267e6a 100644 --- a/modules/folder/variables.tf +++ b/modules/folder/variables.tf @@ -63,14 +63,12 @@ variable "firewall_policies" { target_service_accounts = list(string) target_resources = list(string) logging = bool - #preview = bool }))) default = {} } variable "firewall_policy_attachments" { description = "List of hierarchical firewall policy IDs to *attach* to this folder." - # set to avoid manual casting with toset() - type = map(string) - default = {} + type = map(string) + default = {} } diff --git a/tests/modules/folder/fixture/main.tf b/tests/modules/folder/fixture/main.tf index e9a141f9b..5607b3669 100644 --- a/tests/modules/folder/fixture/main.tf +++ b/tests/modules/folder/fixture/main.tf @@ -15,10 +15,12 @@ */ module "test" { - source = "../../../../modules/folder" - parent = "organizations/12345678" - name = "folder-a" - iam = var.iam - policy_boolean = var.policy_boolean - policy_list = var.policy_list + source = "../../../../modules/folder" + parent = "organizations/12345678" + name = "folder-a" + iam = var.iam + policy_boolean = var.policy_boolean + policy_list = var.policy_list + firewall_policies = var.firewall_policies + firewall_policy_attachments = var.firewall_policy_attachments } diff --git a/tests/modules/folder/fixture/variables.tf b/tests/modules/folder/fixture/variables.tf index f1cebb93f..908b2cb90 100644 --- a/tests/modules/folder/fixture/variables.tf +++ b/tests/modules/folder/fixture/variables.tf 
@@ -33,3 +33,23 @@ variable "policy_list" {
 }))
 default = {}
 }
+
+variable "firewall_policies" {
+ type = map(map(object({
+ description = string
+ direction = string
+ action = string
+ priority = number
+ ranges = list(string)
+ ports = map(list(string))
+ target_service_accounts = list(string)
+ target_resources = list(string)
+ logging = bool
+ })))
+ default = {}
+}
+
+variable "firewall_policy_attachments" {
+ type = map(string)
+ default = {}
+}
diff --git a/tests/modules/folder/test_plan_firewall_policy.py b/tests/modules/folder/test_plan_firewall_policy.py
new file mode 100644
index 000000000..0bb0204d2
--- /dev/null
+++ b/tests/modules/folder/test_plan_firewall_policy.py
@@ -0,0 +1,97 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +import os +import pytest + + +FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture') + + +def test_firweall_policy(plan_runner): + "Test boolean folder policy." + policy = """ + { + policy1 = { + allow-ingress = { + description = "" + direction = "INGRESS" + action = "allow" + priority = 100 + ranges = ["10.0.0.0/8"] + ports = { + tcp = ["22"] + } + target_service_accounts = null + target_resources = null + logging = false + } + deny-egress = { + description = "" + direction = "EGRESS" + action = "deny" + priority = 200 + ranges = ["192.168.0.0/24"] + ports = { + tcp = ["443"] + } + target_service_accounts = null + target_resources = null + logging = false + } + } + } + """ + attachment = '{ iap_policy = "policy1" }' + _, resources = plan_runner(FIXTURES_DIR, firewall_policies=policy, + firewall_policy_attachments=attachment) + assert len(resources) == 5 + + policies = [r for r in resources + if r['type'] == 'google_compute_organization_security_policy'] + assert len(policies) == 1 + + rules = [r for r in resources + if r['type'] == 'google_compute_organization_security_policy_rule'] + assert len(rules) == 2 + + rule_values = [] + for rule in rules: + name = rule['name'] + index = rule['index'] + action = rule['values']['action'] + direction = rule['values']['direction'] + priority = rule['values']['priority'] + config = rule['values']['match'] + assert 
len(config) == 1 + config = config[0]['config'] + rule_values.append((name, index, action, direction, priority, config)) + + assert sorted(rule_values) == sorted([ + ('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[ + { + 'dest_ip_ranges': None, + 'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}], + 'src_ip_ranges': ['10.0.0.0/8'] + }]), + ('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [ + { + 'dest_ip_ranges': ['192.168.0.0/24'], + 'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}], + 'src_ip_ranges': None + }]) + ]) + + diff --git a/tests/modules/organization/fixture/main.tf b/tests/modules/organization/fixture/main.tf index d1b0dd350..90abee757 100644 --- a/tests/modules/organization/fixture/main.tf +++ b/tests/modules/organization/fixture/main.tf @@ -15,13 +15,15 @@ */ module "test" { - source = "../../../../modules/organization" - org_id = 1234567890 - custom_roles = var.custom_roles - iam = var.iam - iam_additive = var.iam_additive - iam_additive_members = var.iam_additive_members - iam_audit_config = var.iam_audit_config - policy_boolean = var.policy_boolean - policy_list = var.policy_list + source = "../../../../modules/organization" + org_id = 1234567890 + custom_roles = var.custom_roles + iam = var.iam + iam_additive = var.iam_additive + iam_additive_members = var.iam_additive_members + iam_audit_config = var.iam_audit_config + policy_boolean = var.policy_boolean + policy_list = var.policy_list + firewall_policies = var.firewall_policies + firewall_policy_attachments = var.firewall_policy_attachments } diff --git a/tests/modules/organization/fixture/variables.tf b/tests/modules/organization/fixture/variables.tf index 7a2ddfdb4..7fe883946 100644 --- a/tests/modules/organization/fixture/variables.tf +++ b/tests/modules/organization/fixture/variables.tf 
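Review bot: The new test's name `test_firweall_policy` is misspelled and its docstring `"Test boolean folder policy."` is copied from the org-policy tests and describes a different test; rename it to `def test_firewall_policy(plan_runner):` with `"Test hierarchical firewall policy rules and their attachment on a folder."`. The attachment passed as `firewall_policy_attachments` is never inspected: it only contributes to `assert len(resources) == 5`, so a plan that dropped the association but gained an unrelated resource would still pass even though the policy only takes effect through that association; filter out the policy and rule resources and assert that the remaining attachment resource references `policy1`. The `logging = false` value in the input is likewise never checked against the planned rule values, so a regression that flipped rule logging would go unnoticed. The literal `5` also encodes the expected resource breakdown only implicitly; a comment such as `# presumably the folder, 1 policy, 2 rules and 1 attachment — confirm against the module` would make the intent reviewable. All of this applies equally to the near-identical copy added to `tests/modules/organization/test_plan.py`, whose docstring additionally says "folder" inside an organization test and which asserts `4` without stating why the count differs.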
@@ -53,3 +53,23 @@ variable "policy_list" {
 }))
 default = {}
 }
+
+variable "firewall_policies" {
+ type = map(map(object({
+ description = string
+ direction = string
+ action = string
+ priority = number
+ ranges = list(string)
+ ports = map(list(string))
+ target_service_accounts = list(string)
+ target_resources = list(string)
+ logging = bool
+ })))
+ default = {}
+}
+
+variable "firewall_policy_attachments" {
+ type = map(string)
+ default = {}
+}
diff --git a/tests/modules/organization/test_plan.py b/tests/modules/organization/test_plan.py
index 8d4152bac..2b42637cd 100644
--- a/tests/modules/organization/test_plan.py
+++ b/tests/modules/organization/test_plan.py
@@ -75,8 +75,6 @@ def test_policy_list(plan_runner):
 '}'
 )
 _, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
- # from pprint import pprint
- # pprint(resources)
 assert len(resources) == 3
 values = [r['values'] for r in resources]
 assert [r['constraint']
@@ -86,3 +84,78 @@ def test_policy_list(plan_runner): assert values[1]['list_policy'][0]['deny'] == [ {'all': False, 'values': ["bar"]}] assert values[2]['restore_policy'] == [{'default': True}] + + +def test_firweall_policy(plan_runner): + "Test boolean folder policy." + policy = """ + { + policy1 = { + allow-ingress = { + description = "" + direction = "INGRESS" + action = "allow" + priority = 100 + ranges = ["10.0.0.0/8"] + ports = { + tcp = ["22"] + } + target_service_accounts = null + target_resources = null + logging = false + } + deny-egress = { + description = "" + direction = "EGRESS" + action = "deny" + priority = 200 + ranges = ["192.168.0.0/24"] + ports = { + tcp = ["443"] + } + target_service_accounts = null + target_resources = null + logging = false + } + } + } + """ + attachment = '{ iap_policy = "policy1" }' + _, resources = plan_runner(FIXTURES_DIR, firewall_policies=policy, + firewall_policy_attachments=attachment) + assert len(resources) == 4 + + policies = [r for r in resources + if r['type'] == 'google_compute_organization_security_policy'] + assert len(policies) == 1 + + rules = [r for r in resources + if r['type'] == 'google_compute_organization_security_policy_rule'] + assert len(rules) == 2 + + rule_values = [] + for rule in rules: + name = rule['name'] + index = rule['index'] + action = rule['values']['action'] + direction = rule['values']['direction'] + priority = rule['values']['priority'] + config = rule['values']['match'] + assert len(config) == 1 + config = config[0]['config'] + rule_values.append((name, index, action, direction, priority, config)) + + assert sorted(rule_values) == sorted([ + ('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[ + { + 'dest_ip_ranges': None, + 'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}], + 'src_ip_ranges': ['10.0.0.0/8'] + }]), + ('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [ + { + 'dest_ip_ranges': ['192.168.0.0/24'], + 'layer4_config': [{'ip_protocol': 'tcp', 'ports': 
['443']}], + 'src_ip_ranges': None + }]) + ])