Add gcp compute firewall table. Closes #42 (#44)

* Add GCP firewall table. Closes #42 * Add docs for GCP compute firewall Co-authored-by: rajeshbal65 <[email protected]>
turbot · Feb 1, 2021 · b281950 · b281950
1 parent 2a6fc5e
commit b281950
Show file tree

Hide file tree

Showing 18 changed files with 443 additions and 0 deletions.
diff --git a/docs/tables/gcp_compute_firewall.md b/docs/tables/gcp_compute_firewall.md
@@ -0,0 +1,62 @@
+# Table: gcp_compute_firewall
+
+VPC firewall rules allows or denies connections to or from your virtual machine (VM) instances based on a specified configuration. Enabled VPC firewall rules are always enforced, protecting instances regardless of their configuration and operating system, even if they have not started up.
+
+### Firewall rules basic info
+
+```sql
+select
+  name,
+  id,
+  description,
+  direction
+from
+  gcp_compute_firewall;
+```
+
+
+### List of rules which are applied to TCP protocol
+
+```sql
+select
+  name,
+  id,
+  p ->> 'IPProtocol' as ip_protocol,
+  p ->> 'ports' as ports
+from
+  gcp_compute_firewall,
+  jsonb_array_elements(allowed) as p
+where
+  p ->> 'IPProtocol' = 'tcp';
+```
+
+
+### List of disabled rules
+
+```sql
+select
+  name,
+  id,
+  description,
+  disabled
+from
+  gcp_compute_firewall
+where
+  disabled
+```
+
+
+### List of Egress rules
+
+```sql
+select
+  name,
+  id,
+  direction,
+  allowed,
+  denied
+from
+  gcp_compute_firewall
+where
+  direction = 'EGRESS';
+```
diff --git a/gcp-test/tests/gcp_compute_firewall/dependencies.txt b/gcp-test/tests/gcp_compute_firewall/dependencies.txt
diff --git a/gcp-test/tests/gcp_compute_firewall/test-get-expected.json b/gcp-test/tests/gcp_compute_firewall/test-get-expected.json
@@ -0,0 +1,30 @@
+[
+  {
+    "action": "Allow",
+    "allowed": [
+      {
+        "IPProtocol": "icmp"
+      },
+      {
+        "IPProtocol":"tcp",
+        "ports":[
+          "80", 
+          "8080", 
+          "1000-2000"
+        ]
+      }
+    ],
+    "description": "Test firewall rule to verify the table.",
+    "direction": "INGRESS",
+    "disabled": false,
+    "kind": "compute#firewall",
+    "log_config_enable": false,
+    "name": "{{ resourceName }}",
+    "network": "{{ output.network.value }}",
+    "project": "{{ output.project_id.value }}",
+    "self_link": "{{ output.self_link.value }}",
+    "source_tags": [
+      "web"
+    ]
+  }
+]
diff --git a/gcp-test/tests/gcp_compute_firewall/test-get-query.sql b/gcp-test/tests/gcp_compute_firewall/test-get-query.sql
@@ -0,0 +1,3 @@
+select name, direction, description, kind, disabled, self_link, action, project, network, log_config_enable, allowed, source_tags
+from gcp.gcp_compute_firewall
+where name = '{{ resourceName }}'
diff --git a/gcp-test/tests/gcp_compute_firewall/test-hydrate-expected.json b/gcp-test/tests/gcp_compute_firewall/test-hydrate-expected.json
@@ -0,0 +1,10 @@
+[
+  {
+    "action": "Allow",
+    "description": "Test firewall rule to verify the table.",
+    "direction": "INGRESS",
+    "kind": "compute#firewall",
+    "name": "{{ resourceName }}",
+    "self_link": "{{ output.self_link.value }}"
+  }
+]
diff --git a/gcp-test/tests/gcp_compute_firewall/test-hydrate-query.sql b/gcp-test/tests/gcp_compute_firewall/test-hydrate-query.sql
@@ -0,0 +1,3 @@
+select name, direction, description, kind, action, self_link
+from gcp.gcp_compute_firewall
+where name = '{{ resourceName }}'
diff --git a/gcp-test/tests/gcp_compute_firewall/test-invalid-name-expected.json b/gcp-test/tests/gcp_compute_firewall/test-invalid-name-expected.json
@@ -0,0 +1 @@
+null
diff --git a/gcp-test/tests/gcp_compute_firewall/test-invalid-name-query.sql b/gcp-test/tests/gcp_compute_firewall/test-invalid-name-query.sql
@@ -0,0 +1,3 @@
+select name, id, description
+from gcp.gcp_compute_firewall
+where name = ''
diff --git a/gcp-test/tests/gcp_compute_firewall/test-list-expected.json b/gcp-test/tests/gcp_compute_firewall/test-list-expected.json
@@ -0,0 +1,6 @@
+[
+  {
+    "description": "Test firewall rule to verify the table.",
+    "name": "{{ resourceName }}"
+  }
+]
diff --git a/gcp-test/tests/gcp_compute_firewall/test-list-query.sql b/gcp-test/tests/gcp_compute_firewall/test-list-query.sql
@@ -0,0 +1,3 @@
+select name, description
+from gcp.gcp_compute_firewall
+where title = '{{ resourceName }}'
diff --git a/gcp-test/tests/gcp_compute_firewall/test-not-found-expected.json b/gcp-test/tests/gcp_compute_firewall/test-not-found-expected.json
@@ -0,0 +1 @@
+null
diff --git a/gcp-test/tests/gcp_compute_firewall/test-not-found-query.sql b/gcp-test/tests/gcp_compute_firewall/test-not-found-query.sql
@@ -0,0 +1,3 @@
+select name, id, direction, kind
+from gcp.gcp_compute_firewall
+where name = 'dummy-{{ resourceName }}'
diff --git a/gcp-test/tests/gcp_compute_firewall/test-turbot-expected.json b/gcp-test/tests/gcp_compute_firewall/test-turbot-expected.json
@@ -0,0 +1,8 @@
+[
+  {
+    "akas": [
+      "{{ output.resource_aka.value }}"
+    ],
+    "title": "{{ resourceName }}"
+  }
+]
diff --git a/gcp-test/tests/gcp_compute_firewall/test-turbot-query.sql b/gcp-test/tests/gcp_compute_firewall/test-turbot-query.sql
@@ -0,0 +1,3 @@
+select title, akas
+from gcp.gcp_compute_firewall
+where name = '{{ resourceName }}'
diff --git a/gcp-test/tests/gcp_compute_firewall/variables.json b/gcp-test/tests/gcp_compute_firewall/variables.json
@@ -0,0 +1 @@
+{}
diff --git a/gcp-test/tests/gcp_compute_firewall/variables.tf b/gcp-test/tests/gcp_compute_firewall/variables.tf
@@ -0,0 +1,76 @@
+
+variable "resource_name" {
+  type        = string
+  default     = "turbot-test-20200125-create-update"
+  description = "Name of the resource used throughout the test."
+}
+
+variable "gcp_project" {
+  type        = string
+  default     = "niteowl-aaa"
+  description = "GCP project used for the test."
+}
+
+variable "gcp_region" {
+  type        = string
+  default     = "us-east1"
+  description = "GCP region used for the test."
+}
+
+provider "google" {
+  project = var.gcp_project
+  region  = var.gcp_region
+}
+
+data "google_client_config" "current" {}
+
+data "null_data_source" "resource" {
+  inputs = {
+    scope = "gcp://cloudresourcemanager.googleapis.com/projects/${data.google_client_config.current.project}"
+  }
+}
+
+resource "google_compute_network" "named_test_resource" {
+  name = var.resource_name
+}
+
+resource "google_compute_firewall" "named_test_resource" {
+  name    = var.resource_name
+  network = google_compute_network.named_test_resource.name
+  description = "Test firewall rule to verify the table."
+
+  allow {
+    protocol = "icmp"
+  }
+
+  allow {
+    protocol = "tcp"
+    ports    = ["80", "8080", "1000-2000"]
+  }
+
+  source_tags = ["web"]
+}
+
+output "resource_aka" {
+  value = "gcp://compute.googleapis.com/${google_compute_firewall.named_test_resource.id}"
+}
+
+output "resource_name" {
+  value = var.resource_name
+}
+
+output "resource_id" {
+  value = google_compute_firewall.named_test_resource.id
+}
+
+output "self_link" {
+  value = google_compute_firewall.named_test_resource.self_link
+}
+
+output "network" {
+  value = google_compute_network.named_test_resource.self_link
+}
+
+output "project_id" {
+  value = var.gcp_project
+}
diff --git a/gcp/plugin.go b/gcp/plugin.go
@@ -27,6 +27,7 @@ func Plugin(ctx context.Context) *plugin.Plugin {
 			"gcp_audit_policy":                    tableGcpAuditPolicy(ctx),
 			"gcp_cloudfunctions_function":         tableGcpCloudfunctionFunction(ctx),
 			"gcp_compute_address":                 tableGcpComputeAddress(ctx),
+			"gcp_compute_firewall":                tableGcpComputeFirewall(ctx),
 			"gcp_compute_global_address":          tableGcpComputeGlobalAddress(ctx),
 			"gcp_compute_global_forwarding_rule":  tableGcpComputeGlobalForwardingRule(ctx),
 			"gcp_compute_instance":                tableGcpComputeInstance(ctx),