Merge pull request #130 from mesoform/develop

Develop - Update service_perimeter_regular module

gcp/access_context_manager/service_perimeter_regular/locals.tf

@@ -1,11 +1,11 @@
 locals {
-  ingress_file      = try(fileexists(var.ingress_file_path), fileexists("./ingress_policies.yml")) ? file(var.ingress_file_path) : null
+  ingress_file      = fileexists(var.ingress_file_path) ? file(var.ingress_file_path) : null
   ingress_policies_read  = try(yamldecode(local.ingress_file), {})
-  ingress_policies = lookup(local.ingress_policies_read, "ingressPolicies", [])
+  ingress_policies = {for index, policy in lookup(local.ingress_policies_read, "ingressPolicies", []): index => policy}
 
-  egress_file      = try(fileexists(var.egress_file_path), fileexists("./egress_policies.yml")) ? file(var.egress_file_path) : null
+  egress_file      = fileexists(var.egress_file_path) ? file(var.egress_file_path) : null
   egress_policies_read  = try(yamldecode(local.egress_file), {})
-  egress_policies = lookup(local.egress_policies_read, "egressPolicies", [] )
+  egress_policies = {for index, policy in lookup(local.egress_policies_read, "egressPolicies", [] ): index => policy}
 
   requested_restricted_services = var.restricted_services == null ? ["ALL-SERVICES"] : var.restricted_services
   restricted_services = contains(local.requested_restricted_services, "ALL-SERVICES") ? local.vpc_sc_supported_services : var.restricted_services
@@ -16,85 +16,165 @@ locals {
                                 "accessapproval.googleapis.com",
                                 "adsdatahub.googleapis.com",
                                 "aiplatform.googleapis.com",
-                                "apigeeconnect.googleapis.com",
+                                "alloydb.googleapis.com",
+                                "analyticshub.googleapis.com",
                                 "apigee.googleapis.com",
+                                "apigeeconnect.googleapis.com",
                                 "artifactregistry.googleapis.com",
                                 "assuredworkloads.googleapis.com",
                                 "automl.googleapis.com",
-                                "bigquerydatatransfer.googleapis.com",
+                                "backupdr.googleapis.com",
+                                "baremetalsolution.googleapis.com",
+                                "batch.googleapis.com",
+                                "beyondcorp.googleapis.com",
+                                "biglake.googleapis.com",
                                 "bigquery.googleapis.com",
+                                "bigquerydatapolicy.googleapis.com",
+                                "bigquerydatatransfer.googleapis.com",
+                                "bigquerymigration.googleapis.com",
                                 "bigtable.googleapis.com",
                                 "binaryauthorization.googleapis.com",
+                                "blockchainnodeengine.googleapis.com",
+                                "certificatemanager.googleapis.com",
+                                "cloud.googleapis.com",
+                                "cloudaicompanion.googleapis.com",
                                 "cloudasset.googleapis.com",
                                 "cloudbuild.googleapis.com",
+                                "clouddeploy.googleapis.com",
+                                "clouderrorreporting.googleapis.com",
                                 "cloudfunctions.googleapis.com",
                                 "cloudkms.googleapis.com",
                                 "cloudprofiler.googleapis.com",
                                 "cloudresourcemanager.googleapis.com",
+                                "cloudscheduler.googleapis.com",
                                 "cloudsearch.googleapis.com",
+                                "cloudsupport.googleapis.com",
+                                "cloudtasks.googleapis.com",
                                 "cloudtrace.googleapis.com",
                                 "composer.googleapis.com",
                                 "compute.googleapis.com",
+                                "confidentialcomputing.googleapis.com",
+                                "config.googleapis.com",
                                 "connectgateway.googleapis.com",
-                                "containeranalysis.googleapis.com",
+                                "connectors.googleapis.com",
+                                "contactcenterinsights.googleapis.com",
                                 "container.googleapis.com",
+                                "containeranalysis.googleapis.com",
+                                "containerfilesystem.googleapis.com",
                                 "containerregistry.googleapis.com",
+                                "containersecurity.googleapis.com",
                                 "containerthreatdetection.googleapis.com",
+                                "contentwarehouse.googleapis.com",
                                 "datacatalog.googleapis.com",
                                 "dataflow.googleapis.com",
+                                "dataform.googleapis.com",
                                 "datafusion.googleapis.com",
+                                "datalineage.googleapis.com",
+                                "datamigration.googleapis.com",
+                                "datapipelines.googleapis.com",
+                                "dataplex.googleapis.com",
                                 "dataproc.googleapis.com",
+                                "datastream.googleapis.com",
                                 "dialogflow.googleapis.com",
+                                "discoveryengine.googleapis.com",
                                 "dlp.googleapis.com",
                                 "dns.googleapis.com",
                                 "documentai.googleapis.com",
+                                "domains.googleapis.com",
+                                "earthengine.googleapis.com",
+                                "essentialcontacts.googleapis.com",
+                                "eventarc.googleapis.com",
                                 "file.googleapis.com",
+                                "financialservices.googleapis.com",
+                                "firebaseappcheck.googleapis.com",
+                                "firebasecrashlytics.googleapis.com",
+                                "firebaserules.googleapis.com",
+                                "firestore.googleapis.com",
                                 "gameservices.googleapis.com",
+                                "gkebackup.googleapis.com",
                                 "gkeconnect.googleapis.com",
                                 "gkehub.googleapis.com",
+                                "gkemulticloud.googleapis.com",
+                                "gkeonprem.googleapis.com",
                                 "healthcare.googleapis.com",
                                 "iam.googleapis.com",
+                                "iamcredentials.googleapis.com",
+                                "iap.googleapis.com",
                                 "iaptunnel.googleapis.com",
+                                "identitytoolkit.googleapis.com",
+                                "ids.googleapis.com",
+                                "integrations.googleapis.com",
+                                "kmsinventory.googleapis.com",
+                                "krmapihosting.googleapis.com",
                                 "language.googleapis.com",
                                 "lifesciences.googleapis.com",
+                                "livestream.googleapis.com",
                                 "logging.googleapis.com",
+                                "looker.googleapis.com",
                                 "managedidentities.googleapis.com",
                                 "memcache.googleapis.com",
                                 "meshca.googleapis.com",
+                                "meshconfig.googleapis.com",
                                 "metastore.googleapis.com",
+                                "microservices.googleapis.com",
+                                "migrationcenter.googleapis.com",
                                 "ml.googleapis.com",
                                 "monitoring.googleapis.com",
                                 "networkconnectivity.googleapis.com",
                                 "networkmanagement.googleapis.com",
                                 "networksecurity.googleapis.com",
                                 "networkservices.googleapis.com",
                                 "notebooks.googleapis.com",
+                                "ondemandscanning.googleapis.com",
                                 "opsconfigmonitoring.googleapis.com",
+                                "orgpolicy.googleapis.com",
                                 "osconfig.googleapis.com",
                                 "oslogin.googleapis.com",
+                                "policysimulator.googleapis.com",
+                                "policytroubleshooter.googleapis.com",
                                 "privateca.googleapis.com",
+                                "publicca.googleapis.com",
                                 "pubsub.googleapis.com",
                                 "pubsublite.googleapis.com",
+                                "rapidmigrationassessment.googleapis.com",
                                 "recaptchaenterprise.googleapis.com",
                                 "recommender.googleapis.com",
                                 "redis.googleapis.com",
+                                "retail.googleapis.com",
                                 "run.googleapis.com",
                                 "secretmanager.googleapis.com",
+                                "securesourcemanager.googleapis.com",
+                                "securetoken.googleapis.com",
+                                "securitycenter.googleapis.com",
                                 "servicecontrol.googleapis.com",
                                 "servicedirectory.googleapis.com",
+                                "servicehealth.googleapis.com",
                                 "spanner.googleapis.com",
+                                "speakerid.googleapis.com",
                                 "speech.googleapis.com",
                                 "sqladmin.googleapis.com",
+                                "ssh-serialport.googleapis.com",
                                 "storage.googleapis.com",
+                                "storageinsights.googleapis.com",
                                 "storagetransfer.googleapis.com",
                                 "sts.googleapis.com",
                                 "texttospeech.googleapis.com",
+                                "timeseriesinsights.googleapis.com",
                                 "tpu.googleapis.com",
                                 "trafficdirector.googleapis.com",
                                 "transcoder.googleapis.com",
                                 "translate.googleapis.com",
                                 "videointelligence.googleapis.com",
+                                "videostitcher.googleapis.com",
                                 "vision.googleapis.com",
-                                "vpcaccess.googleapis.com"
+                                "visionai.googleapis.com",
+                                "visualinspection.googleapis.com",
+                                "vmmigration.googleapis.com",
+                                "vmwareengine.googleapis.com",
+                                "vpcaccess.googleapis.com",
+                                "webrisk.googleapis.com",
+                                "websecurityscanner.googleapis.com",
+                                "workflows.googleapis.com",
+                                "workstations.googleapis.com"
                               ]
 }

gcp/access_context_manager/service_perimeter_regular/outputs.tf

@@ -0,0 +1,30 @@
+output "var_ingress_policies_file_path" {
+  value = var.ingress_file_path
+}
+
+output "var_egress_policies_file_path" {
+  value = var.egress_file_path
+}
+output "locals_ingress_policies_file_path" {
+  value = local.ingress_file
+}
+
+output "locals_egress_policies_file_path" {
+  value = local.egress_file
+}
+
+output "locals_ingress_policies" {
+  value = local.ingress_policies
+}
+
+output "locals_egress_policies" {
+  value = local.egress_policies
+}
+
+output locals_vpc_accessible_services {
+  value = local.vpc_accessible_services
+}
+
+output locals_restricted_services {
+  value = local.restricted_services
+}

tests/gcp/unit_tests/service_perimeter_regular/main.tf

@@ -92,5 +92,24 @@ output test_ingress_policies {
 }
 
 output test_egress_policies {
-  value = module.ingress_egress_test.test_egress_policy_non_existent_file
+  value = module.ingress_egress_test.test_egress_policy
 }
+
+
+//Ingress and Egress
+module ingress_egress_empty_test{
+  source = "./test_files"
+  ingress_file_path = "./test_files/non_existent_ingress_policies_file.yml"
+  egress_file_path = "./test_files/non_existent_egress_policies_file.yml"
+  access_policy_name = "name"
+  name = "name"
+}
+
+output test_empty_ingress_policies {
+  value = module.ingress_egress_empty_test.test_ingress_policy_non_existent_file
+}
+
+output test_empty_egress_policies {
+  value = module.ingress_egress_empty_test.test_egress_policy_non_existent_file
+}
+

tests/gcp/unit_tests/service_perimeter_regular/test_files/egress_policies.yml

@@ -0,0 +1,10 @@
+egressPolicies:
+  - egressFrom:
+      identityType: ANY_IDENTITY
+    egressTo:
+      operations:
+        - serviceName: compute.googleapis.com
+          methodSelectors:
+            - method: '*'
+      resources:
+        - projects/000000000000

tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy.py

@@ -7,10 +7,28 @@
     print(e, stderr)
 
 """
-    Tests whether an unfound file defaults to null
+    Tests whether key values appear in an ingress policy yaml file. File takes the structure:
+    
+    ```
+        egressPolicies:
+          - egressFrom:
+              identityType: ANY_IDENTITY
+            egressTo:
+              operations:
+                - serviceName: compute.googleapis.com
+                  methodSelectors:
+                    - method: '*'
+              resources:
+                - projects/000000000000
+    ```
 """
 
-expected_data = {}
+expected_data = {
+    "identity-type": "ANY_IDENTITY",
+    "method": "*",
+    "resource": "projects/000000000000",
+    "serviceName": "compute.googleapis.com"
+}
 
 
 

tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy_empty.py

@@ -0,0 +1,18 @@
+from sys import path, stderr
+
+try:
+    path.insert(1, '../../../test_fixtures/python_validator')
+    from python_validator import python_validator
+except Exception as e:
+    print(e, stderr)
+
+"""
+    Tests whether an unfound file defaults to null
+"""
+
+expected_data = {}
+
+
+
+if __name__ == '__main__':
+    python_validator(expected_data)

tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_ingress_policy_empty.py

@@ -0,0 +1,18 @@
+from sys import path, stderr
+
+try:
+    path.insert(1, '../../../test_fixtures/python_validator')
+    from python_validator import python_validator
+except Exception as e:
+    print(e, stderr)
+
+"""
+    Tests whether an unfound file defaults to null
+"""
+
+expected_data = {}
+
+
+
+if __name__ == '__main__':
+    python_validator(expected_data)