diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md index af04343f39..47a696de3e 100644 --- a/modules/net-vpc-firewall/README.md +++ b/modules/net-vpc-firewall/README.md @@ -22,7 +22,7 @@ module "firewall" { admin_ranges = ["10.0.0.0/8"] } } -# tftest modules=1 resources=4 +# tftest modules=1 resources=4 inventory=basic.yaml ``` ### Custom rules @@ -77,7 +77,7 @@ module "firewall" { } } } -# tftest modules=1 resources=9 +# tftest modules=1 resources=9 inventory=custom-rules.yaml ``` ### Controlling or turning off default rules @@ -103,7 +103,7 @@ module "firewall" { ssh_tags = ["ssh-default"] } } -# tftest modules=1 resources=3 +# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml ``` #### Disabling predefined rules @@ -119,7 +119,7 @@ module "firewall" { ssh_ranges = [] } } -# tftest modules=1 resources=2 +# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml ``` Or the entire set of rules can be disabled via the `disabled` attribute: @@ -133,7 +133,7 @@ module "firewall" { disabled = true } } -# tftest modules=0 resources=0 +# tftest modules=0 resources=0 inventory=no-default-rules.yaml ``` ### Including source & destination ranges @@ -163,7 +163,7 @@ module "firewall" { } } } -# tftest modules=1 resources=2 +# tftest modules=1 resources=2 inventory=local-ranges.yaml ``` ### Rules Factory @@ -181,7 +181,7 @@ module "firewall" { } default_rules_config = { disabled = true } } -# tftest modules=1 resources=3 files=lbs,cidrs +# tftest modules=1 resources=3 files=lbs,cidrs inventory=factory.yaml ``` ```yaml diff --git a/tests/modules/net_vpc_firewall/auto-rules.tfvars b/tests/modules/net_vpc_firewall/auto-rules.tfvars deleted file mode 100644 index 6b991da790..0000000000 --- a/tests/modules/net_vpc_firewall/auto-rules.tfvars +++ /dev/null @@ -1,4 +0,0 @@ -default_rules_config = { - admin_ranges = ["10.0.0.0/8"] - https_ranges = [] -} 
diff --git a/tests/modules/net_vpc_firewall/auto-rules.yaml b/tests/modules/net_vpc_firewall/auto-rules.yaml deleted file mode 100644 index ed3c84f23c..0000000000 --- a/tests/modules/net_vpc_firewall/auto-rules.yaml +++ /dev/null @@ -1,44 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -values: - google_compute_firewall.allow-admins[0]: - source_ranges: - - 10.0.0.0/8 - google_compute_firewall.allow-tag-http[0]: - allow: - - ports: - - "80" - protocol: tcp - source_ranges: - - 130.211.0.0/22 - - 209.85.152.0/22 - - 209.85.204.0/22 - - 35.191.0.0/16 - google_compute_firewall.allow-tag-ssh[0]: - allow: - - ports: - - "22" - protocol: tcp - source_ranges: - - 35.235.240.0/20 - -counts: - google_compute_firewall: 3 - modules: 0 - resources: 3 - -outputs: - default_rules: __missing__ - rules: {} diff --git a/tests/modules/net_vpc_firewall/common.tfvars b/tests/modules/net_vpc_firewall/common.tfvars deleted file mode 100644 index fda6ab8f41..0000000000 --- a/tests/modules/net_vpc_firewall/common.tfvars +++ /dev/null @@ -1,2 +0,0 @@ -project_id = "test-project" -network = "test-network" diff --git a/tests/modules/net_vpc_firewall/custom-rules.tfvars b/tests/modules/net_vpc_firewall/custom-rules.tfvars deleted file mode 100644 index 181a8248c8..0000000000 --- a/tests/modules/net_vpc_firewall/custom-rules.tfvars +++ /dev/null 
@@ -1,33 +0,0 @@ -default_rules_config = { - disabled = true -} -egress_rules = { - allow-egress-rfc1918 = { - deny = false - description = "Allow egress to RFC 1918 ranges." - destination_ranges = [ - "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" - ] - } - allow-egress-tag = { - deny = false - description = "Allow egress from a specific tag to 0/0." - targets = ["target-tag"] - } - deny-egress-all = { - description = "Block egress." - } -} -ingress_rules = { - allow-ingress-ntp = { - description = "Allow NTP service based on tag." - targets = ["ntp-svc"] - rules = [{ protocol = "udp", ports = [123] }] - } - allow-ingress-tag = { - description = "Allow ingress from a specific tag." - source_ranges = [] - sources = ["client-tag"] - targets = ["target-tag"] - } -} diff --git a/tests/modules/net_vpc_firewall/custom-rules.yaml b/tests/modules/net_vpc_firewall/custom-rules.yaml deleted file mode 100644 index 652048975d..0000000000 --- a/tests/modules/net_vpc_firewall/custom-rules.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -values: - google_compute_firewall.custom-rules["allow-egress-rfc1918"]: - allow: - - ports: [] - protocol: all - deny: [] - description: Allow egress to RFC 1918 ranges. - destination_ranges: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - direction: EGRESS - google_compute_firewall.custom-rules["allow-egress-tag"]: - allow: - - ports: [] - protocol: all - deny: [] - description: Allow egress from a specific tag to 0/0. - destination_ranges: - - 0.0.0.0/0 - direction: EGRESS - target_tags: - - target-tag - google_compute_firewall.custom-rules["allow-ingress-ntp"]: - allow: - - ports: - - "123" - protocol: udp - deny: [] - description: Allow NTP service based on tag. - direction: INGRESS - source_ranges: - - 0.0.0.0/0 - source_service_accounts: null - source_tags: null - target_tags: - - ntp-svc - google_compute_firewall.custom-rules["allow-ingress-tag"]: - allow: - - ports: [] - protocol: all - deny: [] - description: Allow ingress from a specific tag. - direction: INGRESS - source_ranges: null - source_tags: - - client-tag - target_tags: - - target-tag - google_compute_firewall.custom-rules["deny-egress-all"]: - allow: [] - deny: - - ports: [] - protocol: all - description: Block egress. - direction: EGRESS - -counts: - google_compute_firewall: 5 - modules: 0 - resources: 5 - -outputs: - default_rules: - admin: [] - http: [] - https: [] - ssh: [] - rules: __missing__ 
diff --git a/tests/modules/net_vpc_firewall/data/firewall/load_balancers.yaml b/tests/modules/net_vpc_firewall/data/firewall/load_balancers.yaml deleted file mode 100644 index 9e773273ad..0000000000 --- a/tests/modules/net_vpc_firewall/data/firewall/load_balancers.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ingress: - allow-healthchecks: - description: Allow ingress from healthchecks. - source_ranges: - - healthchecks - targets: ["lb-backends"] - rules: - - protocol: tcp - ports: - - 80 - - 443 diff --git a/tests/modules/net_vpc_firewall/examples/basic.yaml b/tests/modules/net_vpc_firewall/examples/basic.yaml new file mode 100644 index 0000000000..38aae194aa --- /dev/null +++ b/tests/modules/net_vpc_firewall/examples/basic.yaml 
@@ -0,0 +1,98 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.firewall.google_compute_firewall.allow-admins[0]: + allow: + - ports: [] + protocol: all + deny: [] + disabled: null + log_config: [] + name: my-network-ingress-admins + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 10.0.0.0/8 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + module.firewall.google_compute_firewall.allow-tag-http[0]: + allow: + - ports: + - '80' + protocol: tcp + deny: [] + disabled: null + log_config: [] + name: my-network-ingress-tag-http + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: + - http-server + module.firewall.google_compute_firewall.allow-tag-https[0]: + allow: + - ports: + - '443' + protocol: tcp + deny: [] + disabled: null + log_config: [] + name: my-network-ingress-tag-https + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: + - https-server + module.firewall.google_compute_firewall.allow-tag-ssh[0]: + allow: + - ports: + - '22' + 
protocol: tcp + deny: [] + disabled: null + log_config: [] + name: my-network-ingress-tag-ssh + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 35.235.240.0/20 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: + - ssh + +counts: + google_compute_firewall: 4 diff --git a/tests/modules/net_vpc_firewall/examples/custom-rules.yaml b/tests/modules/net_vpc_firewall/examples/custom-rules.yaml new file mode 100644 index 0000000000..920ee750ec --- /dev/null +++ b/tests/modules/net_vpc_firewall/examples/custom-rules.yaml 
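Review bot: None of the four default-rule entries asserts `direction`, so this inventory would still pass if the module ever emitted these rules as EGRESS, while every custom-rule entry in the sibling inventories (custom-rules.yaml, factory.yaml, local-ranges.yaml) does pin it. Assuming the matcher only compares the keys listed (the `{}` entries in custom-rules.yaml suggest so), add `direction: INGRESS` under each of the four `module.firewall.google_compute_firewall.allow-*[0]` entries; the rule names (`my-network-ingress-*`) indicate ingress, but confirm against the plan output. The same applies to the `allow-tag-ssh[0]` entry in custom-ssh-default-rule.yaml.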
@@ -0,0 +1,127 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + # the following 4 rules are already tested by simple.yaml + module.firewall.google_compute_firewall.allow-admins[0]: {} + module.firewall.google_compute_firewall.allow-tag-http[0]: {} + module.firewall.google_compute_firewall.allow-tag-https[0]: {} + module.firewall.google_compute_firewall.allow-tag-ssh[0]: {} + module.firewall.google_compute_firewall.custom-rules["allow-egress-rfc1918"]: + allow: + - ports: [] + protocol: all + deny: [] + description: Allow egress to RFC 1918 ranges. + destination_ranges: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + direction: EGRESS + disabled: false + log_config: [] + name: allow-egress-rfc1918 + network: my-network + priority: 1000 + project: my-project + source_ranges: null + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + module.firewall.google_compute_firewall.custom-rules["allow-egress-tag"]: + allow: + - ports: [] + protocol: all + deny: [] + description: Allow egress from a specific tag to 0/0. 
+ destination_ranges: + - 0.0.0.0/0 + direction: EGRESS + disabled: false + log_config: [] + name: allow-egress-tag + network: my-network + priority: 1000 + project: my-project + source_ranges: null + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: + - target-tag + module.firewall.google_compute_firewall.custom-rules["allow-ingress-ntp"]: + allow: + - ports: + - '123' + protocol: udp + deny: [] + description: Allow NTP service based on tag. + direction: INGRESS + disabled: false + log_config: [] + name: allow-ingress-ntp + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 0.0.0.0/0 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: + - ntp-svc + module.firewall.google_compute_firewall.custom-rules["allow-ingress-tag"]: + allow: + - ports: [] + protocol: all + deny: [] + description: Allow ingress from a specific tag. + direction: INGRESS + disabled: false + log_config: [] + name: allow-ingress-tag + network: my-network + priority: 1000 + project: my-project + source_ranges: null + source_service_accounts: null + source_tags: + - client-tag + target_service_accounts: null + target_tags: + - target-tag + module.firewall.google_compute_firewall.custom-rules["deny-egress-all"]: + allow: [] + deny: + - ports: [] + protocol: all + description: Block egress. + destination_ranges: + - 0.0.0.0/0 + direction: EGRESS + disabled: false + log_config: [] + name: deny-egress-all + network: my-network + priority: 1000 + project: my-project + source_ranges: null + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + +counts: + google_compute_firewall: 9 
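Review bot: The comment `# the following 4 rules are already tested by simple.yaml` points to a file that does not exist in this change; the inventory covering those four default rules is `examples/basic.yaml`, referenced from the README as `inventory=basic.yaml`. Change it to `# the following 4 rules are already tested by basic.yaml` so the cross-reference stays valid. The empty `{}` values presumably mean only the resource's presence is checked; if so, saying that on the same comment line would help readers.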
diff --git a/tests/modules/net_vpc_firewall/factory.yaml b/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml similarity index 54% rename from tests/modules/net_vpc_firewall/factory.yaml rename to tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml index 26f90bd5b1..1e3d3b0401 100644 --- a/tests/modules/net_vpc_firewall/factory.yaml +++ b/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,42 +13,28 @@ # limitations under the License. values: - google_compute_firewall.custom-rules["allow-healthchecks"]: + module.firewall.google_compute_firewall.allow-tag-http[0]: {} + module.firewall.google_compute_firewall.allow-tag-https[0]: {} + module.firewall.google_compute_firewall.allow-tag-ssh[0]: allow: - - ports: - - "80" - - "443" - protocol: tcp + - ports: + - '22' + protocol: tcp deny: [] - description: Allow ingress from healthchecks. - direction: INGRESS - disabled: false + description: Allow SSH to machines with matching tags. + disabled: null log_config: [] - name: allow-healthchecks - network: test-network + name: my-network-ingress-tag-ssh + network: my-network priority: 1000 - project: test-project + project: my-project source_ranges: - - 130.211.0.0/22 - - 209.85.152.0/22 - - 209.85.204.0/22 - - 35.191.0.0/16 + - 10.0.0.0/8 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: - - lb-backends - timeouts: null + - ssh-default counts: - google_compute_firewall: 1 - modules: 0 - resources: 1 - -outputs: - default_rules: - admin: [] - http: [] - https: [] - ssh: [] - rules: __missing__ + google_compute_firewall: 3 
diff --git a/tests/modules/net_vpc_firewall/examples/factory.yaml b/tests/modules/net_vpc_firewall/examples/factory.yaml new file mode 100644 index 0000000000..389fb52a25 --- /dev/null +++ b/tests/modules/net_vpc_firewall/examples/factory.yaml 
@@ -0,0 +1,87 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.firewall.google_compute_firewall.custom-rules["allow-healthchecks"]: + allow: + - ports: + - '80' + - '443' + protocol: tcp + deny: [] + description: Allow ingress from healthchecks. + direction: INGRESS + disabled: false + log_config: [] + name: allow-healthchecks + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: + - lb-backends + module.firewall.google_compute_firewall.custom-rules["allow-service-1-to-service-2"]: + allow: + - ports: + - '80' + - '443' + protocol: tcp + deny: [] + description: Allow ingress from service-1 SA + direction: INGRESS + disabled: false + log_config: [] + name: allow-service-1-to-service-2 + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 0.0.0.0/0 + source_service_accounts: + - service-1@my-project.iam.gserviceaccount.com + source_tags: null + target_service_accounts: + - service-2 + target_tags: null + module.firewall.google_compute_firewall.custom-rules["block-telnet"]: + allow: [] + deny: + - ports: + - '23' + protocol: tcp + description: block outbound telnet + destination_ranges: + - 0.0.0.0/0 + direction: EGRESS + disabled: false + log_config: [] + name: block-telnet + network: my-network + 
priority: 1000 + project: my-project + source_ranges: null + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + +counts: + google_compute_firewall: 3 diff --git a/tests/modules/net_vpc_firewall/examples/local-ranges.yaml b/tests/modules/net_vpc_firewall/examples/local-ranges.yaml new file mode 100644 index 0000000000..df83717cec --- /dev/null +++ b/tests/modules/net_vpc_firewall/examples/local-ranges.yaml 
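Review bot: The `allow-service-1-to-service-2` entry pins `source_ranges: [0.0.0.0/0]` together with `source_service_accounts`, which freezes an over-permissive rule as the expected value: GCP firewall source selectors are OR'd, so a rule matching 0.0.0.0/0 admits traffic from any source regardless of the service account, contradicting the description `Allow ingress from service-1 SA`. Compare `allow-ingress-tag` in custom-rules.yaml, where tag-based sources come with `source_ranges: null`. Before accepting this inventory, confirm whether the factory rules file behind the README example (outside this diff) should set an empty source range list, or whether the module should null out `source_ranges` when only service-account sources are given; if the current plan output is intentional, a comment on this entry saying so would stop the next reader from treating it as a regression.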
@@ -0,0 +1,62 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.firewall.google_compute_firewall.custom-rules["allow-ingress-source-destination-ranges"]: + allow: + - ports: [] + protocol: all + deny: [] + description: Allow ingress using source and destination ranges + destination_ranges: + - 10.132.0.0/20 + - 10.138.0.0/20 + direction: INGRESS + disabled: false + log_config: [] + name: allow-ingress-source-destination-ranges + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 172.16.0.0/12 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + module.firewall.google_compute_firewall.custom-rules["deny-egress-source-destination-ranges"]: + allow: [] + deny: + - ports: [] + protocol: all + description: Deny egress using source and destination ranges + destination_ranges: + - 172.16.0.0/12 + direction: EGRESS + disabled: false + log_config: [] + name: deny-egress-source-destination-ranges + network: my-network + priority: 1000 + project: my-project + source_ranges: + - 10.132.0.0/20 + - 10.138.0.0/20 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + +counts: + google_compute_firewall: 2 
diff --git a/tests/modules/net_vpc_firewall/__init__.py b/tests/modules/net_vpc_firewall/examples/no-default-rules.yaml similarity index 87% rename from tests/modules/net_vpc_firewall/__init__.py rename to tests/modules/net_vpc_firewall/examples/no-default-rules.yaml index 6d6d1266c3..f3454066c4 100644 --- a/tests/modules/net_vpc_firewall/__init__.py +++ b/tests/modules/net_vpc_firewall/examples/no-default-rules.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,3 +11,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + +values: {} + +counts: + modules: 0 + resources: 0 diff --git a/tests/modules/net_vpc_firewall/data/cidr_template.yaml b/tests/modules/net_vpc_firewall/examples/no-ssh-default-rules.yaml similarity index 72% rename from tests/modules/net_vpc_firewall/data/cidr_template.yaml rename to tests/modules/net_vpc_firewall/examples/no-ssh-default-rules.yaml index b150c30502..46b1d04d5f 100644 --- a/tests/modules/net_vpc_firewall/data/cidr_template.yaml +++ b/tests/modules/net_vpc_firewall/examples/no-ssh-default-rules.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,8 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -healthchecks: - - 35.191.0.0/16 - - 130.211.0.0/22 - - 209.85.152.0/22 - - 209.85.204.0/22 +values: + module.firewall.google_compute_firewall.allow-tag-http[0]: {} + module.firewall.google_compute_firewall.allow-tag-https[0]: {} + +counts: + google_compute_firewall: 2 
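Review bot: The absence of the ssh default rule is the whole point of no-ssh-default-rules.yaml, but it is only implied by `google_compute_firewall: 2` under `counts` and by the two `{}` entries; a reader has to diff against basic.yaml to see which rule is missing. Add a comment above `values:` such as `# ssh default rule is disabled via ssh_ranges = []; its absence is asserted by the count below` so the intent is explicit. The same would help no-default-rules.yaml, where `values: {}` with `resources: 0` is what asserts that nothing is created.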
diff --git a/tests/modules/net_vpc_firewall/factory.tfvars b/tests/modules/net_vpc_firewall/factory.tfvars deleted file mode 100644 index 5d2e1ab71b..0000000000 --- a/tests/modules/net_vpc_firewall/factory.tfvars +++ /dev/null @@ -1,7 +0,0 @@ -default_rules_config = { - disabled = true -} -factories_config = { - cidr_tpl_file = "../../tests/modules/net_vpc_firewall/data/cidr_template.yaml" - rules_folder = "../../tests/modules/net_vpc_firewall/data/firewall" -} diff --git a/tests/modules/net_vpc_firewall/test_plan.py_ b/tests/modules/net_vpc_firewall/test_plan.py_ deleted file mode 100644 index f164d02c3f..0000000000 --- a/tests/modules/net_vpc_firewall/test_plan.py_ +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import pytest - - -def test_defaults(plan_runner): - "Test variable defaults." - _, resources = plan_runner() - assert len(resources) == 3 - assert set([r['type'] for r in resources]) == set(['google_compute_firewall']) - assert set([r['values']['name'] for r in resources]) == set([ - 'test-vpc-ingress-tag-http', 'test-vpc-ingress-tag-https', - 'test-vpc-ingress-tag-ssh' - ]) - assert set([r['values']['project'] for r in resources - ]) == set(['test-project']) - assert set([r['values']['network'] for r in resources]) == set(['test-vpc']) - - -def test_rules(plan_runner): - "Test custom rules." - _, resources = plan_runner(tf_var_file='test.rules.tfvars') - assert len(resources) == 3 - rules = {r['index']: r['values'] for r in resources} - rule = rules['allow-ingress-ntp'] - assert rule['source_ranges'] == ['0.0.0.0/0'] - assert rule['allow'] == [{'ports': ['123'], 'protocol': 'udp'}] - rule = rules['deny-egress-all'] - assert rule['destination_ranges'] == ['0.0.0.0/0'] - assert rule['deny'] == [{'ports': [], 'protocol': 'all'}] - - -def test_factory(plan_runner): - "Test factory." 
- factories_config = '''{ - cidr_tpl_file = "config/cidr_template.yaml" - rules_folder = "config/firewall" - }''' - _, resources = plan_runner(factories_config=factories_config) - assert len(resources) == 4 - factory_rule = [ - r for r in resources if r["values"]["name"] == "allow-healthchecks" - ][0]["values"] - assert set(factory_rule["source_ranges"]) == set( - ["130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"]) - assert set(factory_rule["target_tags"]) == set(["lb-backends"]) diff --git a/tests/modules/net_vpc_firewall/tftest.yaml b/tests/modules/net_vpc_firewall/tftest.yaml deleted file mode 100644 index e11810c45a..0000000000 --- a/tests/modules/net_vpc_firewall/tftest.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module: modules/net-vpc-firewall -common_tfvars: - - common.tfvars -tests: - auto-rules: - custom-rules: - factory: