From 4e8b60cce063d55788086764adeb3903a3788c95 Mon Sep 17 00:00:00 2001
From: Alex Bailey
Date: Tue, 30 Jan 2024 13:44:14 +0000
Subject: [PATCH 1/7] Update vpc_sc_supported_services list, add outputs for debugging
---
 .../service_perimeter_regular/locals.tf | 88 ++++++++++++++++++-
 .../service_perimeter_regular/outputs.tf | 15 ++++
 2 files changed, 99 insertions(+), 4 deletions(-)
 create mode 100644 gcp/access_context_manager/service_perimeter_regular/outputs.tf
diff --git a/gcp/access_context_manager/service_perimeter_regular/locals.tf b/gcp/access_context_manager/service_perimeter_regular/locals.tf
index 9dcaf155..a2aef577 100644
--- a/gcp/access_context_manager/service_perimeter_regular/locals.tf
+++ b/gcp/access_context_manager/service_perimeter_regular/locals.tf
@@ -16,52 +16,108 @@ locals {
 "accessapproval.googleapis.com",
 "adsdatahub.googleapis.com",
 "aiplatform.googleapis.com",
- "apigeeconnect.googleapis.com",
+ "alloydb.googleapis.com",
+ "analyticshub.googleapis.com",
 "apigee.googleapis.com",
+ "apigeeconnect.googleapis.com",
 "artifactregistry.googleapis.com",
 "assuredworkloads.googleapis.com",
 "automl.googleapis.com",
- "bigquerydatatransfer.googleapis.com",
+ "backupdr.googleapis.com",
+ "baremetalsolution.googleapis.com",
+ "batch.googleapis.com",
+ "beyondcorp.googleapis.com",
+ "biglake.googleapis.com",
 "bigquery.googleapis.com",
+ "bigquerydatapolicy.googleapis.com",
+ "bigquerydatatransfer.googleapis.com",
+ "bigquerymigration.googleapis.com",
 "bigtable.googleapis.com",
 "binaryauthorization.googleapis.com",
+ "blockchainnodeengine.googleapis.com",
+ "certificatemanager.googleapis.com",
+ "cloud.googleapis.com",
+ "cloudaicompanion.googleapis.com",
 "cloudasset.googleapis.com",
 "cloudbuild.googleapis.com",
+ "clouddeploy.googleapis.com",
+ "clouderrorreporting.googleapis.com",
 "cloudfunctions.googleapis.com",
 "cloudkms.googleapis.com",
 "cloudprofiler.googleapis.com",
 "cloudresourcemanager.googleapis.com",
+ "cloudscheduler.googleapis.com",
 "cloudsearch.googleapis.com",
+ "cloudsupport.googleapis.com",
+ "cloudtasks.googleapis.com",
 "cloudtrace.googleapis.com",
 "composer.googleapis.com",
 "compute.googleapis.com",
+ "confidentialcomputing.googleapis.com",
+ "config.googleapis.com",
 "connectgateway.googleapis.com",
- "containeranalysis.googleapis.com",
+ "connectors.googleapis.com",
+ "contactcenterinsights.googleapis.com",
 "container.googleapis.com",
+ "containeranalysis.googleapis.com",
+ "containerfilesystem.googleapis.com",
 "containerregistry.googleapis.com",
+ "containersecurity.googleapis.com",
 "containerthreatdetection.googleapis.com",
+ "contentwarehouse.googleapis.com",
 "datacatalog.googleapis.com",
 "dataflow.googleapis.com",
+ "dataform.googleapis.com",
 "datafusion.googleapis.com",
+ "datalineage.googleapis.com",
+ "datamigration.googleapis.com",
+ "datapipelines.googleapis.com",
+ "dataplex.googleapis.com",
 "dataproc.googleapis.com",
+ "datastream.googleapis.com",
 "dialogflow.googleapis.com",
+ "discoveryengine.googleapis.com",
 "dlp.googleapis.com",
 "dns.googleapis.com",
 "documentai.googleapis.com",
+ "domains.googleapis.com",
+ "earthengine.googleapis.com",
+ "essentialcontacts.googleapis.com",
+ "eventarc.googleapis.com",
 "file.googleapis.com",
+ "financialservices.googleapis.com",
+ "firebaseappcheck.googleapis.com",
+ "firebasecrashlytics.googleapis.com",
+ "firebaserules.googleapis.com",
+ "firestore.googleapis.com",
 "gameservices.googleapis.com",
+ "gkebackup.googleapis.com",
 "gkeconnect.googleapis.com",
 "gkehub.googleapis.com",
+ "gkemulticloud.googleapis.com",
+ "gkeonprem.googleapis.com",
 "healthcare.googleapis.com",
 "iam.googleapis.com",
+ "iamcredentials.googleapis.com",
+ "iap.googleapis.com",
 "iaptunnel.googleapis.com",
+ "identitytoolkit.googleapis.com",
+ "ids.googleapis.com",
+ "integrations.googleapis.com",
+ "kmsinventory.googleapis.com",
+ "krmapihosting.googleapis.com",
 "language.googleapis.com",
 "lifesciences.googleapis.com",
+ "livestream.googleapis.com",
 "logging.googleapis.com",
+ "looker.googleapis.com",
 "managedidentities.googleapis.com",
 "memcache.googleapis.com",
 "meshca.googleapis.com",
+ "meshconfig.googleapis.com",
 "metastore.googleapis.com",
+ "microservices.googleapis.com",
+ "migrationcenter.googleapis.com",
 "ml.googleapis.com",
 "monitoring.googleapis.com",
 "networkconnectivity.googleapis.com",
@@ -69,32 +125,56 @@ locals {
 "networksecurity.googleapis.com",
 "networkservices.googleapis.com",
 "notebooks.googleapis.com",
+ "ondemandscanning.googleapis.com",
 "opsconfigmonitoring.googleapis.com",
+ "orgpolicy.googleapis.com",
 "osconfig.googleapis.com",
 "oslogin.googleapis.com",
+ "policysimulator.googleapis.com",
+ "policytroubleshooter.googleapis.com",
 "privateca.googleapis.com",
+ "publicca.googleapis.com",
 "pubsub.googleapis.com",
 "pubsublite.googleapis.com",
+ "rapidmigrationassessment.googleapis.com",
 "recaptchaenterprise.googleapis.com",
 "recommender.googleapis.com",
 "redis.googleapis.com",
+ "retail.googleapis.com",
 "run.googleapis.com",
 "secretmanager.googleapis.com",
+ "securesourcemanager.googleapis.com",
+ "securetoken.googleapis.com",
+ "securitycenter.googleapis.com",
 "servicecontrol.googleapis.com",
 "servicedirectory.googleapis.com",
+ "servicehealth.googleapis.com",
 "spanner.googleapis.com",
+ "speakerid.googleapis.com",
 "speech.googleapis.com",
 "sqladmin.googleapis.com",
+ "ssh-serialport.googleapis.com",
 "storage.googleapis.com",
+ "storageinsights.googleapis.com",
 "storagetransfer.googleapis.com",
 "sts.googleapis.com",
 "texttospeech.googleapis.com",
+ "timeseriesinsights.googleapis.com",
 "tpu.googleapis.com",
 "trafficdirector.googleapis.com",
 "transcoder.googleapis.com",
 "translate.googleapis.com",
 "videointelligence.googleapis.com",
+ "videostitcher.googleapis.com",
 "vision.googleapis.com",
- "vpcaccess.googleapis.com"
+ "visionai.googleapis.com",
+ "visualinspection.googleapis.com",
+ "vmmigration.googleapis.com",
+ "vmwareengine.googleapis.com",
+ "vpcaccess.googleapis.com",
+ "webrisk.googleapis.com",
+ "websecurityscanner.googleapis.com",
+ "workflows.googleapis.com",
+ "workstations.googleapis.com"
 ]
 }
diff --git a/gcp/access_context_manager/service_perimeter_regular/outputs.tf b/gcp/access_context_manager/service_perimeter_regular/outputs.tf
new file mode 100644
index 00000000..51a57019
--- /dev/null
+++ b/gcp/access_context_manager/service_perimeter_regular/outputs.tf
@@ -0,0 +1,15 @@
+output "locals_ingress_policies" {
+ value = local.ingress_policies
+}
+
+output "locals_egress_policies" {
+ value = local.ingress_policies
+}
+
+output locals_vpc_accessible_services {
+ value = local.vpc_accessible_services
+}
+
+output locals_restricted_services {
+ value = local.restricted_services
+}
From adaedeec8ae14500c115c61f53644d5e96709fb3 Mon Sep 17 00:00:00 2001
From: Alex Bailey
Date: Tue, 30 Jan 2024 14:02:50 +0000
Subject: [PATCH 2/7] Update unit tests with new services list
---
 .../test_restricted_services_all_services.py | 88 ++++++++++++++++++-
 .../test_restricted_services_default.py | 88 ++++++++++++++++++-
 2 files changed, 168 insertions(+), 8 deletions(-)
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_all_services.py b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_all_services.py
index e2993e78..c6e05315 100644
--- a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_all_services.py
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_all_services.py
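Review bot: `output "locals_egress_policies"` returns `local.ingress_policies`, so the egress debugging output shows the ingress map and anyone reading it will be debugging the wrong policy; the value should be `value = local.egress_policies`. The four outputs also mix quoted and unquoted labels (`output "locals_ingress_policies"` against `output locals_vpc_accessible_services`); quoting all four keeps the file consistent with Terraform's conventional form. Since the commit describes these outputs as being for debugging, it is worth deciding whether they belong in the module interface at all, because every consumer now sees them as part of the module's public contract.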
@@ -14,52 +14,108 @@
 "accessapproval.googleapis.com": "accessapproval.googleapis.com",
 "adsdatahub.googleapis.com": "adsdatahub.googleapis.com",
 "aiplatform.googleapis.com": "aiplatform.googleapis.com",
- "apigeeconnect.googleapis.com": "apigeeconnect.googleapis.com",
+ "alloydb.googleapis.com": "alloydb.googleapis.com",
+ "analyticshub.googleapis.com": "analyticshub.googleapis.com",
 "apigee.googleapis.com": "apigee.googleapis.com",
+ "apigeeconnect.googleapis.com": "apigeeconnect.googleapis.com",
 "artifactregistry.googleapis.com": "artifactregistry.googleapis.com",
 "assuredworkloads.googleapis.com": "assuredworkloads.googleapis.com",
 "automl.googleapis.com": "automl.googleapis.com",
- "bigquerydatatransfer.googleapis.com": "bigquerydatatransfer.googleapis.com",
+ "backupdr.googleapis.com": "backupdr.googleapis.com",
+ "baremetalsolution.googleapis.com": "baremetalsolution.googleapis.com",
+ "batch.googleapis.com": "batch.googleapis.com",
+ "beyondcorp.googleapis.com": "beyondcorp.googleapis.com",
+ "biglake.googleapis.com": "biglake.googleapis.com",
 "bigquery.googleapis.com": "bigquery.googleapis.com",
+ "bigquerydatapolicy.googleapis.com": "bigquerydatapolicy.googleapis.com",
+ "bigquerydatatransfer.googleapis.com": "bigquerydatatransfer.googleapis.com",
+ "bigquerymigration.googleapis.com": "bigquerymigration.googleapis.com",
 "bigtable.googleapis.com": "bigtable.googleapis.com",
 "binaryauthorization.googleapis.com": "binaryauthorization.googleapis.com",
+ "blockchainnodeengine.googleapis.com": "blockchainnodeengine.googleapis.com",
+ "certificatemanager.googleapis.com": "certificatemanager.googleapis.com",
+ "cloud.googleapis.com": "cloud.googleapis.com",
+ "cloudaicompanion.googleapis.com": "cloudaicompanion.googleapis.com",
 "cloudasset.googleapis.com": "cloudasset.googleapis.com",
 "cloudbuild.googleapis.com": "cloudbuild.googleapis.com",
+ "clouddeploy.googleapis.com": "clouddeploy.googleapis.com",
+ "clouderrorreporting.googleapis.com": "clouderrorreporting.googleapis.com",
 "cloudfunctions.googleapis.com": "cloudfunctions.googleapis.com",
 "cloudkms.googleapis.com": "cloudkms.googleapis.com",
 "cloudprofiler.googleapis.com": "cloudprofiler.googleapis.com",
 "cloudresourcemanager.googleapis.com": "cloudresourcemanager.googleapis.com",
+ "cloudscheduler.googleapis.com": "cloudscheduler.googleapis.com",
 "cloudsearch.googleapis.com": "cloudsearch.googleapis.com",
+ "cloudsupport.googleapis.com": "cloudsupport.googleapis.com",
+ "cloudtasks.googleapis.com": "cloudtasks.googleapis.com",
 "cloudtrace.googleapis.com": "cloudtrace.googleapis.com",
 "composer.googleapis.com": "composer.googleapis.com",
 "compute.googleapis.com": "compute.googleapis.com",
+ "confidentialcomputing.googleapis.com": "confidentialcomputing.googleapis.com",
+ "config.googleapis.com": "config.googleapis.com",
 "connectgateway.googleapis.com": "connectgateway.googleapis.com",
- "containeranalysis.googleapis.com": "containeranalysis.googleapis.com",
+ "connectors.googleapis.com": "connectors.googleapis.com",
+ "contactcenterinsights.googleapis.com": "contactcenterinsights.googleapis.com",
 "container.googleapis.com": "container.googleapis.com",
+ "containeranalysis.googleapis.com": "containeranalysis.googleapis.com",
+ "containerfilesystem.googleapis.com": "containerfilesystem.googleapis.com",
 "containerregistry.googleapis.com": "containerregistry.googleapis.com",
+ "containersecurity.googleapis.com": "containersecurity.googleapis.com",
 "containerthreatdetection.googleapis.com": "containerthreatdetection.googleapis.com",
+ "contentwarehouse.googleapis.com": "contentwarehouse.googleapis.com",
 "datacatalog.googleapis.com": "datacatalog.googleapis.com",
 "dataflow.googleapis.com": "dataflow.googleapis.com",
+ "dataform.googleapis.com": "dataform.googleapis.com",
 "datafusion.googleapis.com": "datafusion.googleapis.com",
+ "datalineage.googleapis.com": "datalineage.googleapis.com",
+ "datamigration.googleapis.com": "datamigration.googleapis.com",
+ "datapipelines.googleapis.com": "datapipelines.googleapis.com",
+ "dataplex.googleapis.com": "dataplex.googleapis.com",
 "dataproc.googleapis.com": "dataproc.googleapis.com",
+ "datastream.googleapis.com": "datastream.googleapis.com",
 "dialogflow.googleapis.com": "dialogflow.googleapis.com",
+ "discoveryengine.googleapis.com": "discoveryengine.googleapis.com",
 "dlp.googleapis.com": "dlp.googleapis.com",
 "dns.googleapis.com": "dns.googleapis.com",
 "documentai.googleapis.com": "documentai.googleapis.com",
+ "domains.googleapis.com": "domains.googleapis.com",
+ "earthengine.googleapis.com": "earthengine.googleapis.com",
+ "essentialcontacts.googleapis.com": "essentialcontacts.googleapis.com",
+ "eventarc.googleapis.com": "eventarc.googleapis.com",
 "file.googleapis.com": "file.googleapis.com",
+ "financialservices.googleapis.com": "financialservices.googleapis.com",
+ "firebaseappcheck.googleapis.com": "firebaseappcheck.googleapis.com",
+ "firebasecrashlytics.googleapis.com": "firebasecrashlytics.googleapis.com",
+ "firebaserules.googleapis.com": "firebaserules.googleapis.com",
+ "firestore.googleapis.com": "firestore.googleapis.com",
 "gameservices.googleapis.com": "gameservices.googleapis.com",
+ "gkebackup.googleapis.com": "gkebackup.googleapis.com",
 "gkeconnect.googleapis.com": "gkeconnect.googleapis.com",
 "gkehub.googleapis.com": "gkehub.googleapis.com",
+ "gkemulticloud.googleapis.com": "gkemulticloud.googleapis.com",
+ "gkeonprem.googleapis.com": "gkeonprem.googleapis.com",
 "healthcare.googleapis.com": "healthcare.googleapis.com",
 "iam.googleapis.com": "iam.googleapis.com",
+ "iamcredentials.googleapis.com": "iamcredentials.googleapis.com",
+ "iap.googleapis.com": "iap.googleapis.com",
 "iaptunnel.googleapis.com": "iaptunnel.googleapis.com",
+ "identitytoolkit.googleapis.com": "identitytoolkit.googleapis.com",
+ "ids.googleapis.com": "ids.googleapis.com",
+ "integrations.googleapis.com": "integrations.googleapis.com",
+ "kmsinventory.googleapis.com": "kmsinventory.googleapis.com",
+ "krmapihosting.googleapis.com": "krmapihosting.googleapis.com",
 "language.googleapis.com": "language.googleapis.com",
 "lifesciences.googleapis.com": "lifesciences.googleapis.com",
+ "livestream.googleapis.com": "livestream.googleapis.com",
 "logging.googleapis.com": "logging.googleapis.com",
+ "looker.googleapis.com": "looker.googleapis.com",
 "managedidentities.googleapis.com": "managedidentities.googleapis.com",
 "memcache.googleapis.com": "memcache.googleapis.com",
 "meshca.googleapis.com": "meshca.googleapis.com",
+ "meshconfig.googleapis.com": "meshconfig.googleapis.com",
 "metastore.googleapis.com": "metastore.googleapis.com",
+ "microservices.googleapis.com": "microservices.googleapis.com",
+ "migrationcenter.googleapis.com": "migrationcenter.googleapis.com",
 "ml.googleapis.com": "ml.googleapis.com",
 "monitoring.googleapis.com": "monitoring.googleapis.com",
 "networkconnectivity.googleapis.com": "networkconnectivity.googleapis.com",
@@ -67,33 +123,57 @@
 "networksecurity.googleapis.com": "networksecurity.googleapis.com",
 "networkservices.googleapis.com": "networkservices.googleapis.com",
 "notebooks.googleapis.com": "notebooks.googleapis.com",
+ "ondemandscanning.googleapis.com": "ondemandscanning.googleapis.com",
 "opsconfigmonitoring.googleapis.com": "opsconfigmonitoring.googleapis.com",
+ "orgpolicy.googleapis.com": "orgpolicy.googleapis.com",
 "osconfig.googleapis.com": "osconfig.googleapis.com",
 "oslogin.googleapis.com": "oslogin.googleapis.com",
+ "policysimulator.googleapis.com": "policysimulator.googleapis.com",
+ "policytroubleshooter.googleapis.com": "policytroubleshooter.googleapis.com",
 "privateca.googleapis.com": "privateca.googleapis.com",
+ "publicca.googleapis.com": "publicca.googleapis.com",
 "pubsub.googleapis.com": "pubsub.googleapis.com",
 "pubsublite.googleapis.com": "pubsublite.googleapis.com",
+ "rapidmigrationassessment.googleapis.com": "rapidmigrationassessment.googleapis.com",
 "recaptchaenterprise.googleapis.com": "recaptchaenterprise.googleapis.com",
 "recommender.googleapis.com": "recommender.googleapis.com",
 "redis.googleapis.com": "redis.googleapis.com",
+ "retail.googleapis.com": "retail.googleapis.com",
 "run.googleapis.com": "run.googleapis.com",
 "secretmanager.googleapis.com": "secretmanager.googleapis.com",
+ "securesourcemanager.googleapis.com": "securesourcemanager.googleapis.com",
+ "securetoken.googleapis.com": "securetoken.googleapis.com",
+ "securitycenter.googleapis.com": "securitycenter.googleapis.com",
 "servicecontrol.googleapis.com": "servicecontrol.googleapis.com",
 "servicedirectory.googleapis.com": "servicedirectory.googleapis.com",
+ "servicehealth.googleapis.com": "servicehealth.googleapis.com",
 "spanner.googleapis.com": "spanner.googleapis.com",
+ "speakerid.googleapis.com": "speakerid.googleapis.com",
 "speech.googleapis.com": "speech.googleapis.com",
 "sqladmin.googleapis.com": "sqladmin.googleapis.com",
+ "ssh-serialport.googleapis.c om":"ssh-serialport.googleapis.com",
 "storage.googleapis.com": "storage.googleapis.com",
+ "storageinsights.googleapis.com": "storageinsights.googleapis.com",
 "storagetransfer.googleapis.com": "storagetransfer.googleapis.com",
 "sts.googleapis.com": "sts.googleapis.com",
 "texttospeech.googleapis.com": "texttospeech.googleapis.com",
+ "timeseriesinsights.googleapis.com": "timeseriesinsights.googleapis.com",
 "tpu.googleapis.com": "tpu.googleapis.com",
 "trafficdirector.googleapis.com": "trafficdirector.googleapis.com",
 "transcoder.googleapis.com": "transcoder.googleapis.com",
 "translate.googleapis.com": "translate.googleapis.com",
 "videointelligence.googleapis.com": "videointelligence.googleapis.com",
+ "videostitcher.googleapis.com": "videostitcher.googleapis.com",
 "vision.googleapis.com": "vision.googleapis.com",
- "vpcaccess.googleapis.com": "vpcaccess.googleapis.com"
+ "visionai.googleapis.com": "visionai.googleapis.com",
+ "visualinspection.googleapis.com": "visualinspection.googleapis.com",
+ "vmmigration.googleapis.com": "vmmigration.googleapis.com",
+ "vmwareengine.googleapis.com": "vmwareengine.googleapis.com",
+ "vpcaccess.googleapis.com": "vpcaccess.googleapis.com",
+ "webrisk.googleapis.com": "webrisk.googleapis.com",
+ "websecurityscanner.googleapis.com": "websecurityscanner.googleapis.com",
+ "workflows.googleapis.com": "workflows.googleapis.com",
+ "workstations.googleapis.com": "workstations.googleapis.com"
 }
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_default.py b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_default.py
index 39311beb..a1be701b 100644
--- a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_default.py
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_default.py
@@ -14,52 +14,108 @@
 "accessapproval.googleapis.com": "accessapproval.googleapis.com",
 "adsdatahub.googleapis.com": "adsdatahub.googleapis.com",
 "aiplatform.googleapis.com": "aiplatform.googleapis.com",
- "apigeeconnect.googleapis.com": "apigeeconnect.googleapis.com",
+ "alloydb.googleapis.com": "alloydb.googleapis.com",
+ "analyticshub.googleapis.com": "analyticshub.googleapis.com",
 "apigee.googleapis.com": "apigee.googleapis.com",
+ "apigeeconnect.googleapis.com": "apigeeconnect.googleapis.com",
 "artifactregistry.googleapis.com": "artifactregistry.googleapis.com",
 "assuredworkloads.googleapis.com": "assuredworkloads.googleapis.com",
 "automl.googleapis.com": "automl.googleapis.com",
- "bigquerydatatransfer.googleapis.com": "bigquerydatatransfer.googleapis.com",
+ "backupdr.googleapis.com": "backupdr.googleapis.com",
+ "baremetalsolution.googleapis.com": "baremetalsolution.googleapis.com",
+ "batch.googleapis.com": "batch.googleapis.com",
+ "beyondcorp.googleapis.com": "beyondcorp.googleapis.com",
+ "biglake.googleapis.com": "biglake.googleapis.com",
 "bigquery.googleapis.com": "bigquery.googleapis.com",
+ "bigquerydatapolicy.googleapis.com": "bigquerydatapolicy.googleapis.com",
+ "bigquerydatatransfer.googleapis.com": "bigquerydatatransfer.googleapis.com",
+ "bigquerymigration.googleapis.com": "bigquerymigration.googleapis.com",
 "bigtable.googleapis.com": "bigtable.googleapis.com",
 "binaryauthorization.googleapis.com": "binaryauthorization.googleapis.com",
+ "blockchainnodeengine.googleapis.com": "blockchainnodeengine.googleapis.com",
+ "certificatemanager.googleapis.com": "certificatemanager.googleapis.com",
+ "cloud.googleapis.com": "cloud.googleapis.com",
+ "cloudaicompanion.googleapis.com": "cloudaicompanion.googleapis.com",
 "cloudasset.googleapis.com": "cloudasset.googleapis.com",
 "cloudbuild.googleapis.com": "cloudbuild.googleapis.com",
+ "clouddeploy.googleapis.com": "clouddeploy.googleapis.com",
+ "clouderrorreporting.googleapis.com": "clouderrorreporting.googleapis.com",
 "cloudfunctions.googleapis.com": "cloudfunctions.googleapis.com",
 "cloudkms.googleapis.com": "cloudkms.googleapis.com",
 "cloudprofiler.googleapis.com": "cloudprofiler.googleapis.com",
 "cloudresourcemanager.googleapis.com": "cloudresourcemanager.googleapis.com",
+ "cloudscheduler.googleapis.com": "cloudscheduler.googleapis.com",
 "cloudsearch.googleapis.com": "cloudsearch.googleapis.com",
+ "cloudsupport.googleapis.com": "cloudsupport.googleapis.com",
+ "cloudtasks.googleapis.com": "cloudtasks.googleapis.com",
 "cloudtrace.googleapis.com": "cloudtrace.googleapis.com",
 "composer.googleapis.com": "composer.googleapis.com",
 "compute.googleapis.com": "compute.googleapis.com",
+ "confidentialcomputing.googleapis.com": "confidentialcomputing.googleapis.com",
+ "config.googleapis.com": "config.googleapis.com",
 "connectgateway.googleapis.com": "connectgateway.googleapis.com",
- "containeranalysis.googleapis.com": "containeranalysis.googleapis.com",
+ "connectors.googleapis.com": "connectors.googleapis.com",
+ "contactcenterinsights.googleapis.com": "contactcenterinsights.googleapis.com",
 "container.googleapis.com": "container.googleapis.com",
+ "containeranalysis.googleapis.com": "containeranalysis.googleapis.com",
+ "containerfilesystem.googleapis.com": "containerfilesystem.googleapis.com",
 "containerregistry.googleapis.com": "containerregistry.googleapis.com",
+ "containersecurity.googleapis.com": "containersecurity.googleapis.com",
 "containerthreatdetection.googleapis.com": "containerthreatdetection.googleapis.com",
+ "contentwarehouse.googleapis.com": "contentwarehouse.googleapis.com",
 "datacatalog.googleapis.com": "datacatalog.googleapis.com",
 "dataflow.googleapis.com": "dataflow.googleapis.com",
+ "dataform.googleapis.com": "dataform.googleapis.com",
 "datafusion.googleapis.com": "datafusion.googleapis.com",
+ "datalineage.googleapis.com": "datalineage.googleapis.com",
+ "datamigration.googleapis.com": "datamigration.googleapis.com",
+ "datapipelines.googleapis.com": "datapipelines.googleapis.com",
+ "dataplex.googleapis.com": "dataplex.googleapis.com",
 "dataproc.googleapis.com": "dataproc.googleapis.com",
+ "datastream.googleapis.com": "datastream.googleapis.com",
 "dialogflow.googleapis.com": "dialogflow.googleapis.com",
+ "discoveryengine.googleapis.com": "discoveryengine.googleapis.com",
 "dlp.googleapis.com": "dlp.googleapis.com",
 "dns.googleapis.com": "dns.googleapis.com",
 "documentai.googleapis.com": "documentai.googleapis.com",
+ "domains.googleapis.com": "domains.googleapis.com",
+ "earthengine.googleapis.com": "earthengine.googleapis.com",
+ "essentialcontacts.googleapis.com": "essentialcontacts.googleapis.com",
+ "eventarc.googleapis.com": "eventarc.googleapis.com",
 "file.googleapis.com": "file.googleapis.com",
+ "financialservices.googleapis.com": "financialservices.googleapis.com",
+ "firebaseappcheck.googleapis.com": "firebaseappcheck.googleapis.com",
+ "firebasecrashlytics.googleapis.com": "firebasecrashlytics.googleapis.com",
+ "firebaserules.googleapis.com": "firebaserules.googleapis.com",
+ "firestore.googleapis.com": "firestore.googleapis.com",
 "gameservices.googleapis.com": "gameservices.googleapis.com",
+ "gkebackup.googleapis.com": "gkebackup.googleapis.com",
 "gkeconnect.googleapis.com": "gkeconnect.googleapis.com",
 "gkehub.googleapis.com": "gkehub.googleapis.com",
+ "gkemulticloud.googleapis.com": "gkemulticloud.googleapis.com",
+ "gkeonprem.googleapis.com": "gkeonprem.googleapis.com",
 "healthcare.googleapis.com": "healthcare.googleapis.com",
 "iam.googleapis.com": "iam.googleapis.com",
+ "iamcredentials.googleapis.com": "iamcredentials.googleapis.com",
+ "iap.googleapis.com": "iap.googleapis.com",
 "iaptunnel.googleapis.com": "iaptunnel.googleapis.com",
+ "identitytoolkit.googleapis.com": "identitytoolkit.googleapis.com",
+ "ids.googleapis.com": "ids.googleapis.com",
+ "integrations.googleapis.com": "integrations.googleapis.com",
+ "kmsinventory.googleapis.com": "kmsinventory.googleapis.com",
+ "krmapihosting.googleapis.com": "krmapihosting.googleapis.com",
 "language.googleapis.com": "language.googleapis.com",
 "lifesciences.googleapis.com": "lifesciences.googleapis.com",
+ "livestream.googleapis.com": "livestream.googleapis.com",
 "logging.googleapis.com": "logging.googleapis.com",
+ "looker.googleapis.com": "looker.googleapis.com",
 "managedidentities.googleapis.com": "managedidentities.googleapis.com",
 "memcache.googleapis.com": "memcache.googleapis.com",
 "meshca.googleapis.com": "meshca.googleapis.com",
+ "meshconfig.googleapis.com": "meshconfig.googleapis.com",
 "metastore.googleapis.com": "metastore.googleapis.com",
+ "microservices.googleapis.com": "microservices.googleapis.com",
+ "migrationcenter.googleapis.com": "migrationcenter.googleapis.com",
 "ml.googleapis.com": "ml.googleapis.com",
 "monitoring.googleapis.com": "monitoring.googleapis.com",
 "networkconnectivity.googleapis.com": "networkconnectivity.googleapis.com",
@@ -67,33 +123,57 @@
 "networksecurity.googleapis.com": "networksecurity.googleapis.com",
 "networkservices.googleapis.com": "networkservices.googleapis.com",
 "notebooks.googleapis.com": "notebooks.googleapis.com",
+ "ondemandscanning.googleapis.com": "ondemandscanning.googleapis.com",
 "opsconfigmonitoring.googleapis.com": "opsconfigmonitoring.googleapis.com",
+ "orgpolicy.googleapis.com": "orgpolicy.googleapis.com",
 "osconfig.googleapis.com": "osconfig.googleapis.com",
 "oslogin.googleapis.com": "oslogin.googleapis.com",
+ "policysimulator.googleapis.com": "policysimulator.googleapis.com",
+ "policytroubleshooter.googleapis.com": "policytroubleshooter.googleapis.com",
 "privateca.googleapis.com": "privateca.googleapis.com",
+ "publicca.googleapis.com": "publicca.googleapis.com",
 "pubsub.googleapis.com": "pubsub.googleapis.com",
 "pubsublite.googleapis.com": "pubsublite.googleapis.com",
+ "rapidmigrationassessment.googleapis.com": "rapidmigrationassessment.googleapis.com",
 "recaptchaenterprise.googleapis.com": "recaptchaenterprise.googleapis.com",
 "recommender.googleapis.com": "recommender.googleapis.com",
 "redis.googleapis.com": "redis.googleapis.com",
+ "retail.googleapis.com": "retail.googleapis.com",
 "run.googleapis.com": "run.googleapis.com",
 "secretmanager.googleapis.com": "secretmanager.googleapis.com",
+ "securesourcemanager.googleapis.com": "securesourcemanager.googleapis.com",
+ "securetoken.googleapis.com": "securetoken.googleapis.com",
+ "securitycenter.googleapis.com": "securitycenter.googleapis.com",
 "servicecontrol.googleapis.com": "servicecontrol.googleapis.com",
 "servicedirectory.googleapis.com": "servicedirectory.googleapis.com",
+ "servicehealth.googleapis.com": "servicehealth.googleapis.com",
 "spanner.googleapis.com": "spanner.googleapis.com",
+ "speakerid.googleapis.com": "speakerid.googleapis.com",
 "speech.googleapis.com": "speech.googleapis.com",
 "sqladmin.googleapis.com": "sqladmin.googleapis.com",
+ "ssh-serialport.googleapis.c om":"ssh-serialport.googleapis.com",
 "storage.googleapis.com": "storage.googleapis.com",
+ "storageinsights.googleapis.com": "storageinsights.googleapis.com",
 "storagetransfer.googleapis.com": "storagetransfer.googleapis.com",
 "sts.googleapis.com": "sts.googleapis.com",
 "texttospeech.googleapis.com": "texttospeech.googleapis.com",
+ "timeseriesinsights.googleapis.com": "timeseriesinsights.googleapis.com",
 "tpu.googleapis.com": "tpu.googleapis.com",
 "trafficdirector.googleapis.com": "trafficdirector.googleapis.com",
 "transcoder.googleapis.com": "transcoder.googleapis.com",
 "translate.googleapis.com": "translate.googleapis.com",
 "videointelligence.googleapis.com": "videointelligence.googleapis.com",
+ "videostitcher.googleapis.com": "videostitcher.googleapis.com",
 "vision.googleapis.com": "vision.googleapis.com",
- "vpcaccess.googleapis.com": "vpcaccess.googleapis.com"
+ "visionai.googleapis.com": "visionai.googleapis.com",
+ "visualinspection.googleapis.com": "visualinspection.googleapis.com",
+ "vmmigration.googleapis.com": "vmmigration.googleapis.com",
+ "vmwareengine.googleapis.com": "vmwareengine.googleapis.com",
+ "vpcaccess.googleapis.com": "vpcaccess.googleapis.com",
+ "webrisk.googleapis.com": "webrisk.googleapis.com",
+ "websecurityscanner.googleapis.com": "websecurityscanner.googleapis.com",
+ "workflows.googleapis.com": "workflows.googleapis.com",
+ "workstations.googleapis.com": "workstations.googleapis.com"
 }
From 225a2b4a52ecd5289e954f974d255f1ec5730e55 Mon Sep 17 00:00:00 2001
From: Alex Bailey
Date: Tue, 30 Jan 2024 14:39:00 +0000
Subject: [PATCH 3/7] Restricted services unit test typo
---
 .../test_files/python/test_restricted_services_all_services.py | 2 +-
 .../test_files/python/test_restricted_services_default.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_all_services.py b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_all_services.py
index c6e05315..14668b65 100644
--- a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_all_services.py
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_all_services.py
@@ -151,7 +151,7 @@
 "speakerid.googleapis.com": "speakerid.googleapis.com",
 "speech.googleapis.com": "speech.googleapis.com",
 "sqladmin.googleapis.com": "sqladmin.googleapis.com",
- "ssh-serialport.googleapis.c om":"ssh-serialport.googleapis.com",
+ "ssh-serialport.googleapis.com": "ssh-serialport.googleapis.com",
 "storage.googleapis.com": "storage.googleapis.com",
 "storageinsights.googleapis.com": "storageinsights.googleapis.com",
 "storagetransfer.googleapis.com": "storagetransfer.googleapis.com",
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_default.py b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_default.py
index a1be701b..a8654714 100644
--- a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_default.py
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_restricted_services_default.py
@@ -151,7 +151,7 @@
 "speakerid.googleapis.com": "speakerid.googleapis.com",
 "speech.googleapis.com": "speech.googleapis.com",
 "sqladmin.googleapis.com": "sqladmin.googleapis.com",
- "ssh-serialport.googleapis.c om":"ssh-serialport.googleapis.com",
+ "ssh-serialport.googleapis.com": "ssh-serialport.googleapis.com",
 "storage.googleapis.com": "storage.googleapis.com",
 "storageinsights.googleapis.com": "storageinsights.googleapis.com",
 "storagetransfer.googleapis.com": "storagetransfer.googleapis.com",
From ac85f72a2a4cccce4945b037374543f5a5cf00b7 Mon Sep 17 00:00:00 2001
From: Alex Bailey
Date: Tue, 30 Jan 2024 15:31:28 +0000
Subject: [PATCH 4/7] Add further unit tests for ingress/egress policies
---
 .../service_perimeter_regular/main.tf | 21 ++++++++++++++-
 .../test_files/egress_policies.yml | 10 +++++++
 .../test_files/python/test_egress_policy.py | 22 +++++++++++++--
 .../python/test_egress_policy_empty.py | 18 +++++++++++++
 .../python/test_ingress_policy_empty.py | 18 +++++++++++++
 .../test_files/unit_tests.tf | 27 +++++++++++++++++--
 6 files changed, 111 insertions(+), 5 deletions(-)
 create mode 100644 tests/gcp/unit_tests/service_perimeter_regular/test_files/egress_policies.yml
 create mode 100644 tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy_empty.py
 create mode 100644 tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_ingress_policy_empty.py
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/main.tf b/tests/gcp/unit_tests/service_perimeter_regular/main.tf
index bb69044e..fdd63886 100644
--- a/tests/gcp/unit_tests/service_perimeter_regular/main.tf
+++ b/tests/gcp/unit_tests/service_perimeter_regular/main.tf
@@ -92,5 +92,24 @@ output test_ingress_policies {
 }
 output test_egress_policies {
- value = module.ingress_egress_test.test_egress_policy_non_existent_file
+ value = module.ingress_egress_test.test_egress_policy
 }
+
+
+//Ingress and Egress
+module ingress_egress_empty_test{
+ source = "./test_files"
+ ingress_file_path = "./test_files/non_existent_ingress_policies_file.yml"
+ egress_file_path = "./test_files/non_existent_egress_policies_file.yml"
+ access_policy_name = "name"
+ name = "name"
+}
+
+output test_empty_ingress_policies {
+ value = module.ingress_egress_empty_test.test_ingress_policy_non_existent_file
+}
+
+output test_empty_egress_policies {
+ value = module.ingress_egress_empty_test.test_egress_policy_non_existent_file
+}
+
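Review bot: `module ingress_egress_empty_test{` omits the space before the brace and, like the new `output` blocks around it, uses an unquoted label; `module "ingress_egress_empty_test" {` is Terraform's conventional form and keeps the test harness consistent with the quoted labels used elsewhere in this series. The new `data external` and `output` blocks in unit_tests.tf in this patch (`data external test_ingress_policy_non_existent{`, `output test_ingress_policy_non_existent_file{`) have the same shape and would benefit from the same treatment. Running `terraform fmt` over both files before merging would settle the spacing in one step.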
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/egress_policies.yml b/tests/gcp/unit_tests/service_perimeter_regular/test_files/egress_policies.yml
new file mode 100644
index 00000000..677b787a
--- /dev/null
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/egress_policies.yml
@@ -0,0 +1,10 @@
+egressPolicies:
+ - egressFrom:
+ identityType: ANY_IDENTITY
+ egressTo:
+ operations:
+ - serviceName: compute.googleapis.com
+ methodSelectors:
+ - method: '*'
+ resources:
+ - projects/000000000000
\ No newline at end of file
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy.py b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy.py
index 1440f9ba..8d3b302c 100644
--- a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy.py
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy.py
@@ -7,10 +7,28 @@ print(e, stderr)
 """
- Tests whether an unfound file defaults to null
+ Tests whether key values appear in an ingress policy yaml file. File takes the structure:
+
+ ```
+ egressPolicies:
+ - egressFrom:
+ identityType: ANY_IDENTITY
+ egressTo:
+ operations:
+ - serviceName: compute.googleapis.com
+ methodSelectors:
+ - method: '*'
+ resources:
+ - projects/000000000000
+ ```
 """
-expected_data = {}
+expected_data = {
+ "identity-type": "ANY_IDENTITY",
+ "method": "*",
+ "resource": "projects/000000000000",
+ "serviceName": "compute.googleapis.com"
+}
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy_empty.py b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy_empty.py
new file mode 100644
index 00000000..1440f9ba
--- /dev/null
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_egress_policy_empty.py
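Review bot: The new docstring in test_egress_policy.py says the test checks "an ingress policy yaml file", but this is the egress test and the structure it documents is `egressPolicies`; it should read `Tests whether key values appear in an egress policy yaml file. File takes the structure:`. The four expected keys (`identity-type`, `serviceName`, `method`, `resource`) do match the `query` map built for `data external test_egress_policy` in unit_tests.tf in this patch, so the rest of the expectation reads correctly. The `except` block that precedes this hunk (`print(e, stderr)`) is outside the hunk and unchanged.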
@@ -0,0 +1,18 @@
+from sys import path, stderr
+
+try:
+ path.insert(1, '../../../test_fixtures/python_validator')
+ from python_validator import python_validator
+except Exception as e:
+ print(e, stderr)
+
+"""
+ Tests whether an unfound file defaults to null
+"""
+
+expected_data = {}
+
+
+
+if __name__ == '__main__':
+ python_validator(expected_data)
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_ingress_policy_empty.py b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_ingress_policy_empty.py
new file mode 100644
index 00000000..1440f9ba
--- /dev/null
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/python/test_ingress_policy_empty.py
@@ -0,0 +1,18 @@
+from sys import path, stderr
+
+try:
+ path.insert(1, '../../../test_fixtures/python_validator')
+ from python_validator import python_validator
+except Exception as e:
+ print(e, stderr)
+
+"""
+ Tests whether an unfound file defaults to null
+"""
+
+expected_data = {}
+
+
+
+if __name__ == '__main__':
+ python_validator(expected_data)
diff --git a/tests/gcp/unit_tests/service_perimeter_regular/test_files/unit_tests.tf b/tests/gcp/unit_tests/service_perimeter_regular/test_files/unit_tests.tf
index 2c1c4579..d8014426 100644
--- a/tests/gcp/unit_tests/service_perimeter_regular/test_files/unit_tests.tf
+++ b/tests/gcp/unit_tests/service_perimeter_regular/test_files/unit_tests.tf
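Review bot: In both new files the handler `except Exception as e: print(e, stderr)` passes `stderr` as a second value to print instead of as the output stream, so the message and the repr of the stream object go to stdout; these scripts are run through Terraform's `external` data source, which reads stdout as JSON, so a failed import surfaces as a JSON parse error rather than the real cause, and execution then continues to `python_validator(expected_data)`, which raises NameError on the missing name. Use `print(e, file=stderr)` followed by `raise` in the handler. The two files are byte-identical (same blob `1440f9ba`) and differ only in name; one `test_policy_empty.py` referenced by both data sources would avoid them diverging. The `path.insert(1, '../../../test_fixtures/python_validator')` lookup is relative to the working directory, which presumably is the test root module when run under Terraform — worth a comment stating that assumption.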
@@ -49,11 +49,34 @@ data external test_ingress_policy {
 output test_ingress_policy {
 value = data.external.test_ingress_policy.result
 }
-
 // Egress Policy
+data external test_egress_policy {
+ query = {"identity-type" = try(local.egress_policies[0]["egressFrom"]["identityType"], ""),
+ "serviceName" = try(local.egress_policies[0]["egressTo"]["operations"][0]["serviceName"], ""),
+ "method" = try(local.egress_policies[0]["egressTo"]["operations"][0]["methodSelectors"][0]["method"], ""),
+ "resource" = try(local.egress_policies[0]["egressTo"]["resources"][0], "")}
+ program = ["python", "${path.module}/python/test_egress_policy.py"]
+}
+
+output test_egress_policy {
+ value = data.external.test_egress_policy.result
+}
+
+// Empty Ingress Policy
+data external test_ingress_policy_non_existent{
+ query = local.ingress_file == null ? {} : {exists = true}
+ program = ["python", "${path.module}/python/test_ingress_policy_empty.py"]
+}
+
+output test_ingress_policy_non_existent_file{
+ value = data.external.test_ingress_policy_non_existent.result
+}
+
+
+// Empty Egress Policy
 data external test_egress_policy_non_existent{
 query = local.egress_file == null ? {} : {exists = true}
- program = ["python", "${path.module}/python/test_egress_policy.py"]
+ program = ["python", "${path.module}/python/test_egress_policy_empty.py"]
 }
 output test_egress_policy_non_existent_file{
From 86ff538f5a503d4004ae081793b5e2b7e7e69d29 Mon Sep 17 00:00:00 2001
From: Alex Bailey
Date: Tue, 30 Jan 2024 15:51:03 +0000
Subject: [PATCH 5/7] Change ingress_policies and egress_policies into maps
---
 .../service_perimeter_regular/locals.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gcp/access_context_manager/service_perimeter_regular/locals.tf b/gcp/access_context_manager/service_perimeter_regular/locals.tf
index a2aef577..0793afa5 100644
--- a/gcp/access_context_manager/service_perimeter_regular/locals.tf
+++ b/gcp/access_context_manager/service_perimeter_regular/locals.tf
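Review bot: `data external test_egress_policy` only inspects index `[0]` of the policy collection and of each nested list, so a fixture with a second policy, operation or resource — or a regression that drops them — passes unchanged; adding `"count" = tostring(length(local.egress_policies))` to the query (and `"count": "1"` to the script's expected data) would catch that cheaply. The `try(..., "")` defaults are appropriate for an assertion, but they also collapse a structural error (a missing `egressTo` key, say) into a generic value mismatch, so the validator's failure message won't say which level broke; a second query entry per level, or one query per attribute, would localise it. `program = ["python", ...]` additionally assumes a `python` launcher on PATH, which many CI images no longer ship (`python3` only).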
@@ -1,11 +1,11 @@
 locals {
 ingress_file = try(fileexists(var.ingress_file_path), fileexists("./ingress_policies.yml")) ? file(var.ingress_file_path) : null
 ingress_policies_read = try(yamldecode(local.ingress_file), {})
- ingress_policies = lookup(local.ingress_policies_read, "ingressPolicies", [])
+ ingress_policies = {for index, policy in lookup(local.ingress_policies_read, "ingressPolicies", []): index => policy}
 egress_file = try(fileexists(var.egress_file_path), fileexists("./egress_policies.yml")) ? file(var.egress_file_path) : null
 egress_policies_read = try(yamldecode(local.egress_file), {})
- egress_policies = lookup(local.egress_policies_read, "egressPolicies", [] )
+ egress_policies = {for index, policy in lookup(local.egress_policies_read, "egressPolicies", [] ): index => policy}
 requested_restricted_services = var.restricted_services == null ? ["ALL-SERVICES"] : var.restricted_services
 restricted_services = contains(local.requested_restricted_services, "ALL-SERVICES") ? local.vpc_sc_supported_services : var.restricted_services
From 8b9dce4ac27a55bcf82a17c9f36488d127e4d6cb Mon Sep 17 00:00:00 2001
From: Alex Bailey
Date: Tue, 30 Jan 2024 17:45:50 +0000
Subject: [PATCH 6/7] Add extra outputs for debugging, remove unnecessary try functions from local
---
 .../service_perimeter_regular/locals.tf | 4 ++--
 .../service_perimeter_regular/outputs.tf | 10 +++++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/gcp/access_context_manager/service_perimeter_regular/locals.tf b/gcp/access_context_manager/service_perimeter_regular/locals.tf
index 0793afa5..597ddca7 100644
--- a/gcp/access_context_manager/service_perimeter_regular/locals.tf
+++ b/gcp/access_context_manager/service_perimeter_regular/locals.tf
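Review bot: The `{for index, policy in ...: index => policy}` comprehension keys each policy by its list position, which in a map becomes the string keys "0", "1", …; Terraform iterates maps in lexical key order, so with ten or more policies that order is "0", "1", "10", "2", …. If these maps drive a `for_each`/`dynamic` block (not visible here), the emitted block order will differ from the file order — to my knowledge not a semantic change for VPC-SC ingress/egress rules, but a source of noisy plan diffs; `format("%03d", index) => policy` as the key, with a comment saying why, keeps file order. The unit test in this series still reads `local.egress_policies[0]`, which now relies on HCL converting the numeric index to the string key "0"; `local.egress_policies["0"]` or `values(local.egress_policies)[0]` makes that explicit.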
@@ -1,9 +1,9 @@
 locals {
- ingress_file = try(fileexists(var.ingress_file_path), fileexists("./ingress_policies.yml")) ? file(var.ingress_file_path) : null
+ ingress_file = fileexists(var.ingress_file_path) ? file(var.ingress_file_path) : null
 ingress_policies_read = try(yamldecode(local.ingress_file), {})
 ingress_policies = {for index, policy in lookup(local.ingress_policies_read, "ingressPolicies", []): index => policy}
- egress_file = try(fileexists(var.egress_file_path), fileexists("./egress_policies.yml")) ? file(var.egress_file_path) : null
+ egress_file = fileexists(var.egress_file_path) ? file(var.egress_file_path) : null
 egress_policies_read = try(yamldecode(local.egress_file), {})
 egress_policies = {for index, policy in lookup(local.egress_policies_read, "egressPolicies", [] ): index => policy}
diff --git a/gcp/access_context_manager/service_perimeter_regular/outputs.tf b/gcp/access_context_manager/service_perimeter_regular/outputs.tf
index 51a57019..4c36d75b 100644
--- a/gcp/access_context_manager/service_perimeter_regular/outputs.tf
+++ b/gcp/access_context_manager/service_perimeter_regular/outputs.tf
@@ -1,9 +1,17 @@
+output "locals_ingress_policies_file_path" {
+ value = local.ingress_file
+}
+
+output "locals_egress_policies_file_path" {
+ value = local.egress_file
+}
+
 output "locals_ingress_policies" {
 value = local.ingress_policies
 }
 output "locals_egress_policies" {
- value = local.ingress_policies
+ value = local.egress_policies
 }
 output locals_vpc_accessible_services {
From cfa61149ccd755845b5eaefd900c9fbf05afa7e1 Mon Sep 17 00:00:00 2001
From: Alex Bailey
Date: Tue, 30 Jan 2024 17:49:58 +0000
Subject: [PATCH 7/7] Add outputs for debugging variables
---
 .../service_perimeter_regular/outputs.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/gcp/access_context_manager/service_perimeter_regular/outputs.tf b/gcp/access_context_manager/service_perimeter_regular/outputs.tf
index 4c36d75b..99819a47 100644
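Review bot: `ingress_policies_read = try(yamldecode(local.ingress_file), {})` (and its egress twin) still swallows a YAML parse error, so a policy file with a syntax error is applied as an empty policy set and the perimeter goes out with no ingress/egress rules and no error in the plan; the commit removes the unnecessary `try` around `fileexists` but leaves this one, which hides a real failure. Only the `null` case needs a default: `ingress_policies_read = local.ingress_file == null ? {} : yamldecode(local.ingress_file)` and likewise `egress_policies_read = local.egress_file == null ? {} : yamldecode(local.egress_file)`. Dropping the `./ingress_policies.yml` / `./egress_policies.yml` fallback is a behaviour change for any caller that relied on it, so the variable descriptions (outside this hunk) should say the path is now the only source.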
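Review bot: `output "locals_ingress_policies_file_path"` (and the egress one) is named as a path, but its value `local.ingress_file` is the full text of the policy file read by `file()` in locals.tf, not its location; either rename it, e.g. `output "locals_ingress_policies_file_contents"`, or output the path. Module outputs are part of the module's interface and are persisted in state, so if these are meant only for debugging they should say so, e.g. `description = "Debug only: raw contents of the ingress policy file; may be removed"`, so that consumers do not come to depend on them.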
--- a/gcp/access_context_manager/service_perimeter_regular/outputs.tf
+++ b/gcp/access_context_manager/service_perimeter_regular/outputs.tf
@@ -1,3 +1,10 @@
+output "var_ingress_policies_file_path" {
+ value = var.ingress_file_path
+}
+
+output "var_egress_policies_file_path" {
+ value = var.egress_file_path
+}
 output "locals_ingress_policies_file_path" {
 value = local.ingress_file
 }
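Review bot: The two new `var_*_file_path` outputs are described as "for debugging" only in the commit message; once the module is consumed nothing distinguishes them from the supported interface, and removing them later becomes a breaking change for any caller that references them. Either drop them before merge or mark them in the code, e.g. `description = "Debug only: echoes var.ingress_file_path; not part of the stable interface"`. The hunk also adds no blank line before the existing `output "locals_ingress_policies_file_path"` block, unlike the spacing between the two new blocks, so `+}` should be followed by an empty `+` line.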