mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-07-08 11:12:40 +00:00
c9fb64ed57
We removed ipv4_range, but the API still exists, it's just deprecated. This breaks configs for users that haven't migrated off yet. I added it back, added some tests to use it, included it in the docs, and basically tried to put things back the way they were. The main difference now is that the auto_create_subnetworks field defaults to true, and we want to keep that behaviour to avoid a breaking change. So now if users want to use the lagacy API, they need to set auto_create_subnetworks to false explicitly.
512 lines
14 KiB
Go
512 lines
14 KiB
Go
package google
|
|
|
|
import (
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/terraform/helper/acctest"
|
|
"github.com/hashicorp/terraform/helper/resource"
|
|
"github.com/hashicorp/terraform/terraform"
|
|
|
|
"strings"
|
|
|
|
computeBeta "google.golang.org/api/compute/v0.beta"
|
|
"google.golang.org/api/compute/v1"
|
|
)
|
|
|
|
func TestAccComputeFirewall_basic(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
var firewall compute.Firewall
|
|
networkName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
firewallName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
|
|
resource.Test(t, resource.TestCase{
|
|
PreCheck: func() { testAccPreCheck(t) },
|
|
Providers: testAccProviders,
|
|
CheckDestroy: testAccCheckComputeFirewallDestroy,
|
|
Steps: []resource.TestStep{
|
|
resource.TestStep{
|
|
Config: testAccComputeFirewall_basic(networkName, firewallName),
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckComputeFirewallExists(
|
|
"google_compute_firewall.foobar", &firewall),
|
|
testAccCheckComputeFirewallApiVersion(&firewall),
|
|
),
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
func TestAccComputeFirewall_update(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
var firewall compute.Firewall
|
|
networkName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
firewallName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
|
|
resource.Test(t, resource.TestCase{
|
|
PreCheck: func() { testAccPreCheck(t) },
|
|
Providers: testAccProviders,
|
|
CheckDestroy: testAccCheckComputeFirewallDestroy,
|
|
Steps: []resource.TestStep{
|
|
resource.TestStep{
|
|
Config: testAccComputeFirewall_basic(networkName, firewallName),
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckComputeFirewallExists(
|
|
"google_compute_firewall.foobar", &firewall),
|
|
testAccCheckComputeFirewallApiVersion(&firewall),
|
|
),
|
|
},
|
|
resource.TestStep{
|
|
Config: testAccComputeFirewall_update(networkName, firewallName),
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckComputeFirewallExists(
|
|
"google_compute_firewall.foobar", &firewall),
|
|
testAccCheckComputeFirewallPorts(
|
|
&firewall, "80-255"),
|
|
testAccCheckComputeFirewallApiVersion(&firewall),
|
|
),
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
func TestAccComputeFirewall_priority(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
var firewall compute.Firewall
|
|
networkName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
firewallName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
|
|
resource.Test(t, resource.TestCase{
|
|
PreCheck: func() { testAccPreCheck(t) },
|
|
Providers: testAccProviders,
|
|
CheckDestroy: testAccCheckComputeFirewallDestroy,
|
|
Steps: []resource.TestStep{{
|
|
Config: testAccComputeFirewall_priority(networkName, firewallName, 1001),
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckComputeFirewallExists(
|
|
"google_compute_firewall.foobar", &firewall),
|
|
testAccCheckComputeFirewallHasPriority(&firewall, 1001),
|
|
testAccCheckComputeFirewallApiVersion(&firewall),
|
|
),
|
|
}},
|
|
})
|
|
}
|
|
|
|
func TestAccComputeFirewall_noSource(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
var firewall compute.Firewall
|
|
networkName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
firewallName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
|
|
resource.Test(t, resource.TestCase{
|
|
PreCheck: func() { testAccPreCheck(t) },
|
|
Providers: testAccProviders,
|
|
CheckDestroy: testAccCheckComputeFirewallDestroy,
|
|
Steps: []resource.TestStep{
|
|
resource.TestStep{
|
|
Config: testAccComputeFirewall_noSource(networkName, firewallName),
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckComputeFirewallExists(
|
|
"google_compute_firewall.foobar", &firewall),
|
|
testAccCheckComputeFirewallApiVersion(&firewall),
|
|
),
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
func TestAccComputeFirewall_denied(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
var firewall compute.Firewall
|
|
networkName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
firewallName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
|
|
resource.Test(t, resource.TestCase{
|
|
PreCheck: func() { testAccPreCheck(t) },
|
|
Providers: testAccProviders,
|
|
CheckDestroy: testAccCheckComputeFirewallDestroy,
|
|
Steps: []resource.TestStep{
|
|
resource.TestStep{
|
|
Config: testAccComputeFirewall_denied(networkName, firewallName),
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckComputeFirewallExists("google_compute_firewall.foobar", &firewall),
|
|
testAccCheckComputeFirewallDenyPorts(&firewall, "22"),
|
|
testAccCheckComputeFirewallApiVersion(&firewall),
|
|
),
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
func TestAccComputeFirewall_egress(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
var firewall compute.Firewall
|
|
networkName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
firewallName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
|
|
resource.Test(t, resource.TestCase{
|
|
PreCheck: func() { testAccPreCheck(t) },
|
|
Providers: testAccProviders,
|
|
CheckDestroy: testAccCheckComputeFirewallDestroy,
|
|
Steps: []resource.TestStep{
|
|
resource.TestStep{
|
|
Config: testAccComputeFirewall_egress(networkName, firewallName),
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckComputeFirewallExists("google_compute_firewall.foobar", &firewall),
|
|
testAccCheckComputeFirewallEgress(&firewall),
|
|
testAccCheckComputeFirewallApiVersion(&firewall),
|
|
),
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
func TestAccComputeFirewall_serviceAccounts(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
var firewall compute.Firewall
|
|
networkName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
firewallName := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
|
|
sourceSa := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
targetSa := fmt.Sprintf("firewall-test-%s", acctest.RandString(10))
|
|
project := getTestProjectFromEnv()
|
|
sourceSaEmail := fmt.Sprintf("%s@%s.iam.gserviceaccount.com", sourceSa, project)
|
|
targetSaEmail := fmt.Sprintf("%s@%s.iam.gserviceaccount.com", targetSa, project)
|
|
|
|
resource.Test(t, resource.TestCase{
|
|
PreCheck: func() { testAccPreCheck(t) },
|
|
Providers: testAccProviders,
|
|
CheckDestroy: testAccCheckComputeFirewallDestroy,
|
|
Steps: []resource.TestStep{
|
|
resource.TestStep{
|
|
Config: testAccComputeFirewall_serviceAccounts(sourceSa, targetSa, networkName, firewallName),
|
|
Check: resource.ComposeTestCheckFunc(
|
|
testAccCheckComputeFirewallExists("google_compute_firewall.foobar", &firewall),
|
|
testAccCheckComputeFirewallServiceAccounts(sourceSaEmail, targetSaEmail, &firewall),
|
|
testAccCheckComputeFirewallApiVersion(&firewall),
|
|
),
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
func testAccCheckComputeFirewallDestroy(s *terraform.State) error {
|
|
config := testAccProvider.Meta().(*Config)
|
|
|
|
for _, rs := range s.RootModule().Resources {
|
|
if rs.Type != "google_compute_firewall" {
|
|
continue
|
|
}
|
|
|
|
_, err := config.clientCompute.Firewalls.Get(
|
|
config.Project, rs.Primary.ID).Do()
|
|
if err == nil {
|
|
return fmt.Errorf("Firewall still exists")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func testAccCheckComputeFirewallExists(n string, firewall *compute.Firewall) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
rs, ok := s.RootModule().Resources[n]
|
|
if !ok {
|
|
return fmt.Errorf("Not found: %s", n)
|
|
}
|
|
|
|
if rs.Primary.ID == "" {
|
|
return fmt.Errorf("No ID is set")
|
|
}
|
|
|
|
config := testAccProvider.Meta().(*Config)
|
|
|
|
found, err := config.clientCompute.Firewalls.Get(
|
|
config.Project, rs.Primary.ID).Do()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if found.Name != rs.Primary.ID {
|
|
return fmt.Errorf("Firewall not found")
|
|
}
|
|
|
|
*firewall = *found
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccCheckComputeFirewallHasPriority(firewall *compute.Firewall, priority int) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
if firewall.Priority != int64(priority) {
|
|
return fmt.Errorf("Priority for firewall does not match: expected %d, found %d", priority, firewall.Priority)
|
|
}
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccCheckComputeBetaFirewallExists(n string, firewall *computeBeta.Firewall) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
rs, ok := s.RootModule().Resources[n]
|
|
if !ok {
|
|
return fmt.Errorf("Not found: %s", n)
|
|
}
|
|
|
|
if rs.Primary.ID == "" {
|
|
return fmt.Errorf("No ID is set")
|
|
}
|
|
|
|
config := testAccProvider.Meta().(*Config)
|
|
|
|
found, err := config.clientComputeBeta.Firewalls.Get(
|
|
config.Project, rs.Primary.ID).Do()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if found.Name != rs.Primary.ID {
|
|
return fmt.Errorf("Firewall not found")
|
|
}
|
|
|
|
*firewall = *found
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccCheckComputeFirewallPorts(
|
|
firewall *compute.Firewall, ports string) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
if len(firewall.Allowed) == 0 {
|
|
return fmt.Errorf("no allowed rules")
|
|
}
|
|
|
|
if firewall.Allowed[0].Ports[0] != ports {
|
|
return fmt.Errorf("bad: %#v", firewall.Allowed[0].Ports)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccCheckComputeFirewallDenyPorts(firewall *compute.Firewall, ports string) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
if len(firewall.Denied) == 0 {
|
|
return fmt.Errorf("no denied rules")
|
|
}
|
|
|
|
if firewall.Denied[0].Ports[0] != ports {
|
|
return fmt.Errorf("bad: %#v", firewall.Denied[0].Ports)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccCheckComputeFirewallEgress(firewall *compute.Firewall) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
if firewall.Direction != "EGRESS" {
|
|
return fmt.Errorf("firewall not EGRESS")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccCheckComputeFirewallServiceAccounts(sourceSa, targetSa string, firewall *compute.Firewall) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
if len(firewall.SourceServiceAccounts) != 1 || firewall.SourceServiceAccounts[0] != sourceSa {
|
|
return fmt.Errorf("Expected sourceServiceAccount of %s, got %v", sourceSa, firewall.SourceServiceAccounts)
|
|
}
|
|
if len(firewall.TargetServiceAccounts) != 1 || firewall.TargetServiceAccounts[0] != targetSa {
|
|
return fmt.Errorf("Expected targetServiceAccount of %s, got %v", targetSa, firewall.TargetServiceAccounts)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccCheckComputeFirewallBetaApiVersion(firewall *computeBeta.Firewall) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
// The self-link of the network field is used to determine which API was used when fetching
|
|
// the state from the API.
|
|
if !strings.Contains(firewall.Network, "compute/beta") {
|
|
return fmt.Errorf("firewall beta API was not used")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccCheckComputeFirewallApiVersion(firewall *compute.Firewall) resource.TestCheckFunc {
|
|
return func(s *terraform.State) error {
|
|
// The self-link of the network field is used to determine which API was used when fetching
|
|
// the state from the API.
|
|
if !strings.Contains(firewall.Network, "compute/v1") {
|
|
return fmt.Errorf("firewall v1 API was not used")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func testAccComputeFirewall_basic(network, firewall string) string {
|
|
return fmt.Sprintf(`
|
|
resource "google_compute_network" "foobar" {
|
|
name = "%s"
|
|
auto_create_subnetworks = false
|
|
ipv4_range = "10.0.0.0/16"
|
|
}
|
|
|
|
resource "google_compute_firewall" "foobar" {
|
|
name = "firewall-test-%s"
|
|
description = "Resource created for Terraform acceptance testing"
|
|
network = "${google_compute_network.foobar.name}"
|
|
source_tags = ["foo"]
|
|
|
|
allow {
|
|
protocol = "icmp"
|
|
}
|
|
}`, network, firewall)
|
|
}
|
|
|
|
func testAccComputeFirewall_update(network, firewall string) string {
|
|
return fmt.Sprintf(`
|
|
resource "google_compute_network" "foobar" {
|
|
name = "%s"
|
|
auto_create_subnetworks = false
|
|
ipv4_range = "10.0.0.0/16"
|
|
}
|
|
|
|
resource "google_compute_firewall" "foobar" {
|
|
name = "firewall-test-%s"
|
|
description = "Resource created for Terraform acceptance testing"
|
|
network = "${google_compute_network.foobar.self_link}"
|
|
source_tags = ["foo"]
|
|
|
|
allow {
|
|
protocol = "tcp"
|
|
ports = ["80-255"]
|
|
}
|
|
}`, network, firewall)
|
|
}
|
|
|
|
func testAccComputeFirewall_priority(network, firewall string, priority int) string {
|
|
return fmt.Sprintf(`
|
|
resource "google_compute_network" "foobar" {
|
|
name = "%s"
|
|
auto_create_subnetworks = false
|
|
ipv4_range = "10.0.0.0/16"
|
|
}
|
|
|
|
resource "google_compute_firewall" "foobar" {
|
|
name = "firewall-test-%s"
|
|
description = "Resource created for Terraform acceptance testing"
|
|
network = "${google_compute_network.foobar.name}"
|
|
source_tags = ["foo"]
|
|
|
|
allow {
|
|
protocol = "icmp"
|
|
}
|
|
priority = %d
|
|
}`, network, firewall, priority)
|
|
}
|
|
|
|
func testAccComputeFirewall_noSource(network, firewall string) string {
|
|
return fmt.Sprintf(`
|
|
resource "google_compute_network" "foobar" {
|
|
name = "%s"
|
|
auto_create_subnetworks = false
|
|
ipv4_range = "10.0.0.0/16"
|
|
}
|
|
|
|
resource "google_compute_firewall" "foobar" {
|
|
name = "firewall-test-%s"
|
|
description = "Resource created for Terraform acceptance testing"
|
|
network = "${google_compute_network.foobar.name}"
|
|
|
|
allow {
|
|
protocol = "tcp"
|
|
ports = [22]
|
|
}
|
|
}`, network, firewall)
|
|
}
|
|
|
|
func testAccComputeFirewall_denied(network, firewall string) string {
|
|
return fmt.Sprintf(`
|
|
resource "google_compute_network" "foobar" {
|
|
name = "%s"
|
|
auto_create_subnetworks = false
|
|
ipv4_range = "10.0.0.0/16"
|
|
}
|
|
|
|
resource "google_compute_firewall" "foobar" {
|
|
name = "firewall-test-%s"
|
|
description = "Resource created for Terraform acceptance testing"
|
|
network = "${google_compute_network.foobar.name}"
|
|
source_tags = ["foo"]
|
|
|
|
deny {
|
|
protocol = "tcp"
|
|
ports = [22]
|
|
}
|
|
}`, network, firewall)
|
|
}
|
|
|
|
func testAccComputeFirewall_egress(network, firewall string) string {
|
|
return fmt.Sprintf(`
|
|
resource "google_compute_network" "foobar" {
|
|
name = "%s"
|
|
auto_create_subnetworks = false
|
|
ipv4_range = "10.0.0.0/16"
|
|
}
|
|
|
|
resource "google_compute_firewall" "foobar" {
|
|
name = "firewall-test-%s"
|
|
direction = "EGRESS"
|
|
description = "Resource created for Terraform acceptance testing"
|
|
network = "${google_compute_network.foobar.name}"
|
|
|
|
allow {
|
|
protocol = "tcp"
|
|
ports = [22]
|
|
}
|
|
}`, network, firewall)
|
|
}
|
|
|
|
func testAccComputeFirewall_serviceAccounts(sourceSa, targetSa, network, firewall string) string {
|
|
return fmt.Sprintf(`
|
|
resource "google_service_account" "source" {
|
|
account_id = "%s"
|
|
}
|
|
|
|
resource "google_service_account" "target" {
|
|
account_id = "%s"
|
|
}
|
|
|
|
resource "google_compute_network" "foobar" {
|
|
name = "%s"
|
|
}
|
|
|
|
resource "google_compute_firewall" "foobar" {
|
|
name = "firewall-test-%s"
|
|
description = "Resource created for Terraform acceptance testing"
|
|
network = "${google_compute_network.foobar.name}"
|
|
|
|
allow {
|
|
protocol = "icmp"
|
|
}
|
|
|
|
source_service_accounts = ["${google_service_account.source.email}"]
|
|
target_service_accounts = ["${google_service_account.target.email}"]
|
|
}`, sourceSa, targetSa, network, firewall)
|
|
}
|