Add inventories to net-vpc-firewall tests

GoogleCloudPlatform · Apr 12, 2023 · a7df477 · a7df477
1 parent a504738
commit a7df477
Show file tree

Hide file tree

Showing 8 changed files with 460 additions and 7 deletions.
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
@@ -22,7 +22,7 @@ module "firewall" {
     admin_ranges = ["10.0.0.0/8"]
   }
 }
-# tftest modules=1 resources=4
+# tftest modules=1 resources=4 inventory=basic.yaml
 ```
 
 ### Custom rules
@@ -77,7 +77,7 @@ module "firewall" {
     }
   }
 }
-# tftest modules=1 resources=9
+# tftest modules=1 resources=9 inventory=custom-rules.yaml
 ```
 
 ### Controlling or turning off default rules
@@ -103,7 +103,7 @@ module "firewall" {
     ssh_tags   = ["ssh-default"]
   }
 }
-# tftest modules=1 resources=3
+# tftest modules=1 resources=3 inventory=custom-ssh-default-rule.yaml
 ```
 
 #### Disabling predefined rules
@@ -119,7 +119,7 @@ module "firewall" {
     ssh_ranges = []
   }
 }
-# tftest modules=1 resources=2
+# tftest modules=1 resources=2 inventory=no-ssh-default-rules.yaml
 ```
 
 Or the entire set of rules can be disabled via the `disabled` attribute:
@@ -133,7 +133,7 @@ module "firewall" {
     disabled = true
   }
 }
-# tftest modules=0 resources=0
+# tftest modules=0 resources=0 inventory=no-default-rules.yaml
 ```
 
 ### Including source & destination ranges
@@ -163,7 +163,7 @@ module "firewall" {
     }
   }
 }
-# tftest modules=1 resources=2
+# tftest modules=1 resources=2 inventory=local-ranges.yaml
 ```
 
 ### Rules Factory
@@ -181,7 +181,7 @@ module "firewall" {
   }
   default_rules_config = { disabled = true }
 }
-# tftest modules=1 resources=3 files=lbs,cidrs
+# tftest modules=1 resources=3 files=lbs,cidrs inventory=factory.yaml
 ```
 
 ```yaml

diff --git a/tests/modules/net_vpc_firewall/examples/basic.yaml b/tests/modules/net_vpc_firewall/examples/basic.yaml
@@ -0,0 +1,98 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.firewall.google_compute_firewall.allow-admins[0]:
+    allow:
+    - ports: []
+      protocol: all
+    deny: []
+    disabled: null
+    log_config: []
+    name: my-network-ingress-admins
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges:
+    - 10.0.0.0/8
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags: null
+  module.firewall.google_compute_firewall.allow-tag-http[0]:
+    allow:
+    - ports:
+      - '80'
+      protocol: tcp
+    deny: []
+    disabled: null
+    log_config: []
+    name: my-network-ingress-tag-http
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges:
+    - 130.211.0.0/22
+    - 209.85.152.0/22
+    - 209.85.204.0/22
+    - 35.191.0.0/16
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - http-server
+  module.firewall.google_compute_firewall.allow-tag-https[0]:
+    allow:
+    - ports:
+      - '443'
+      protocol: tcp
+    deny: []
+    disabled: null
+    log_config: []
+    name: my-network-ingress-tag-https
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges:
+    - 130.211.0.0/22
+    - 209.85.152.0/22
+    - 209.85.204.0/22
+    - 35.191.0.0/16
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - https-server
+  module.firewall.google_compute_firewall.allow-tag-ssh[0]:
+    allow:
+    - ports:
+      - '22'
+      protocol: tcp
+    deny: []
+    disabled: null
+    log_config: []
+    name: my-network-ingress-tag-ssh
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges:
+    - 35.235.240.0/20
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - ssh
+
+counts:
+  google_compute_firewall: 4
diff --git a/tests/modules/net_vpc_firewall/examples/custom-rules.yaml b/tests/modules/net_vpc_firewall/examples/custom-rules.yaml
@@ -0,0 +1,127 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  # the following 4 rules are already tested by simple.yaml
+  module.firewall.google_compute_firewall.allow-admins[0]: {}
+  module.firewall.google_compute_firewall.allow-tag-http[0]: {}
+  module.firewall.google_compute_firewall.allow-tag-https[0]: {}
+  module.firewall.google_compute_firewall.allow-tag-ssh[0]: {}
+  module.firewall.google_compute_firewall.custom-rules["allow-egress-rfc1918"]:
+    allow:
+    - ports: []
+      protocol: all
+    deny: []
+    description: Allow egress to RFC 1918 ranges.
+    destination_ranges:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    direction: EGRESS
+    disabled: false
+    log_config: []
+    name: allow-egress-rfc1918
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges: null
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags: null
+  module.firewall.google_compute_firewall.custom-rules["allow-egress-tag"]:
+    allow:
+    - ports: []
+      protocol: all
+    deny: []
+    description: Allow egress from a specific tag to 0/0.
+    destination_ranges:
+    - 0.0.0.0/0
+    direction: EGRESS
+    disabled: false
+    log_config: []
+    name: allow-egress-tag
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges: null
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - target-tag
+  module.firewall.google_compute_firewall.custom-rules["allow-ingress-ntp"]:
+    allow:
+    - ports:
+      - '123'
+      protocol: udp
+    deny: []
+    description: Allow NTP service based on tag.
+    direction: INGRESS
+    disabled: false
+    log_config: []
+    name: allow-ingress-ntp
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges:
+    - 0.0.0.0/0
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - ntp-svc
+  module.firewall.google_compute_firewall.custom-rules["allow-ingress-tag"]:
+    allow:
+    - ports: []
+      protocol: all
+    deny: []
+    description: Allow ingress from a specific tag.
+    direction: INGRESS
+    disabled: false
+    log_config: []
+    name: allow-ingress-tag
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges: null
+    source_service_accounts: null
+    source_tags:
+    - client-tag
+    target_service_accounts: null
+    target_tags:
+    - target-tag
+  module.firewall.google_compute_firewall.custom-rules["deny-egress-all"]:
+    allow: []
+    deny:
+    - ports: []
+      protocol: all
+    description: Block egress.
+    destination_ranges:
+    - 0.0.0.0/0
+    direction: EGRESS
+    disabled: false
+    log_config: []
+    name: deny-egress-all
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges: null
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags: null
+
+counts:
+  google_compute_firewall: 9
diff --git a/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml b/tests/modules/net_vpc_firewall/examples/custom-ssh-default-rule.yaml
@@ -0,0 +1,40 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.firewall.google_compute_firewall.allow-tag-http[0]: {}
+  module.firewall.google_compute_firewall.allow-tag-https[0]: {}
+  module.firewall.google_compute_firewall.allow-tag-ssh[0]:
+    allow:
+    - ports:
+      - '22'
+      protocol: tcp
+    deny: []
+    description: Allow SSH to machines with matching tags.
+    disabled: null
+    log_config: []
+    name: my-network-ingress-tag-ssh
+    network: my-network
+    priority: 1000
+    project: my-project
+    source_ranges:
+    - 10.0.0.0/8
+    source_service_accounts: null
+    source_tags: null
+    target_service_accounts: null
+    target_tags:
+    - ssh-default
+
+counts:
+  google_compute_firewall: 3