From 8c830d1e6243d4f5f1d3afd8cca71f6c357215cd Mon Sep 17 00:00:00 2001 From: Yair Slobodin <154875779+YairSlobodin1@users.noreply.github.com> Date: Thu, 19 Dec 2024 15:25:56 +0200 Subject: [PATCH] Support locals other than 0.0.0.0/32 (#225) --- pkg/io/commonSG.go | 2 + pkg/io/confio/parse_sgs.go | 35 +++---- pkg/io/tfio/sg.go | 1 + pkg/ir/sg.go | 28 ++++-- pkg/optimize/sg/ipCubesToRules.go | 31 +++--- pkg/optimize/sg/sg.go | 48 +++++---- pkg/optimize/sg/sgCubesToRules.go | 12 +-- .../config_object.json | 99 ++++++++++++++++++- .../optimize_sg_protocols_to_all/details.txt | 9 +- .../sg_expected.csv | 20 ++-- .../sg_expected.json | 35 ++++++- .../sg_expected.md | 22 +++-- .../sg_expected.tf | 20 ++++ .../optimize_sg_redundant/sg_expected.tf | 10 ++ test/expected/optimize_sg_t/sg_expected.tf | 6 ++ .../expected/optimize_sg_t_all/sg_expected.tf | 6 ++ .../expected/sg_protocols_csv/sg_expected.csv | 34 +++---- test/expected/sg_protocols_md/sg_expected.md | 36 +++---- test/expected/sg_protocols_tf/sg_expected.tf | 16 +++ test/expected/sg_segments1_tf/sg_expected.tf | 8 ++ test/expected/sg_segments2_tf/sg_expected.tf | 10 ++ test/expected/sg_segments3_tf/sg_expected.tf | 12 +++ test/expected/sg_segments4_tf/sg_expected.tf | 8 ++ test/expected/sg_testing3_csv/sg_expected.csv | 24 ++--- test/expected/sg_testing3_md/sg_expected.md | 26 ++--- test/expected/sg_testing3_tf/sg_expected.tf | 11 +++ .../sg_tg_multiple_tf_separate/test-vpc0.tf | 2 + .../sg_tg_multiple_tf_separate/test-vpc1.tf | 2 + .../sg_tg_multiple_tf_separate/test-vpc2.tf | 2 + test/main_test_list.go | 1 + 30 files changed, 421 insertions(+), 155 deletions(-) diff --git a/pkg/io/commonSG.go b/pkg/io/commonSG.go index 3a05a5ec..cee8f49f 100644 --- a/pkg/io/commonSG.go +++ b/pkg/io/commonSG.go @@ -37,6 +37,7 @@ func makeSGHeader() [][]string { return [][]string{{ "SG", "Direction", + "Local", "Remote type", "Remote", "Protocol", 
@@ -69,6 +70,7 @@ func makeSGRow(rule *ir.SGRule, sgName ir.SGName) ([]string, error) { return []string{ string(sgName), direction(rule.Direction), + rule.Local.String(), remoteType, remote, printProtocolName(rule.Protocol), diff --git a/pkg/io/confio/parse_sgs.go b/pkg/io/confio/parse_sgs.go index 9d06f7b5..d55fc35b 100644 --- a/pkg/io/confio/parse_sgs.go +++ b/pkg/io/confio/parse_sgs.go @@ -28,14 +28,14 @@ func ReadSGs(filename string) (*ir.SGCollection, error) { result := ir.NewSGCollection() for i, sg := range config.SecurityGroupList { - inbound, outbound, err := translateSGRules(&sg.SecurityGroup) - if err != nil { - return nil, err - } if sg.Name == nil || sg.VPC == nil || sg.VPC.Name == nil { log.Printf("Warning: missing SG/VPC name in sg at index %d\n", i) continue } + inbound, outbound, err := translateSGRules(&sg.SecurityGroup) + if err != nil { + return nil, err + } sgName := ir.SGName(*sg.Name) vpcName := *sg.VPC.Name if result.SGs[vpcName] == nil { @@ -52,16 +52,19 @@ func ReadSGs(filename string) (*ir.SGCollection, error) { } // parse security rules, splitted into ingress and egress rules -func translateSGRules(sg *vpcv1.SecurityGroup) (ingressRules, egressRules []*ir.SGRule, err error) { +func translateSGRules(sg *vpcv1.SecurityGroup) (ingressRules, egressRules map[string][]*ir.SGRule, err error) { + ingressRules = make(map[string][]*ir.SGRule) + egressRules = make(map[string][]*ir.SGRule) for index := range sg.Rules { rule, err := translateSGRule(sg, index) if err != nil { return nil, nil, err } + local := rule.Local.String() if rule.Direction == ir.Inbound { - ingressRules = append(ingressRules, rule) + ingressRules[local] = append(ingressRules[local], rule) } else { - egressRules = append(egressRules, rule) + egressRules[local] = append(egressRules[local], rule) } } return ingressRules, egressRules, nil 
@@ -136,19 +139,13 @@ func translateRemote(remote vpcv1.SecurityGroupRuleRemoteIntf) (ir.RemoteType, e } func translateLocal(local vpcv1.SecurityGroupRuleLocalIntf) (*netset.IPBlock, error) { - var err error - var ipAddrs *netset.IPBlock if l, ok := local.(*vpcv1.SecurityGroupRuleLocal); ok { if l.CIDRBlock != nil { - ipAddrs, err = netset.IPBlockFromCidr(*l.CIDRBlock) + return netset.IPBlockFromCidr(*l.CIDRBlock) } if l.Address != nil { - ipAddrs, err = netset.IPBlockFromIPAddress(*l.CIDRBlock) - } - if err != nil { - return nil, err + return netset.IPBlockFromIPAddress(*l.Address) } - return verifyLocalValue(ipAddrs) } return nil, fmt.Errorf("error parsing Local field") } @@ -169,14 +166,6 @@ func translateTargets(sg *vpcv1.SecurityGroup) []string { return res } -// temporary - first version of optimization requires local = 0.0.0.0/32 -func verifyLocalValue(ipAddrs *netset.IPBlock) (*netset.IPBlock, error) { - if !ipAddrs.Equal(netset.GetCidrAll()) { - return nil, fmt.Errorf("only 0.0.0.0/32 CIDR block is supported for local values") - } - return ipAddrs, nil -} - func translateProtocolTCPUDP(rule *vpcv1.SecurityGroupRuleSecurityGroupRuleProtocolTcpudp) (netp.Protocol, error) { isTCP := *rule.Protocol == vpcv1.SecurityGroupRuleSecurityGroupRuleProtocolTcpudpProtocolTCPConst minDstPort := utils.GetProperty(rule.PortMin, netp.MinPort) diff --git a/pkg/io/tfio/sg.go b/pkg/io/tfio/sg.go index a66d7b24..7271c117 100644 --- a/pkg/io/tfio/sg.go +++ b/pkg/io/tfio/sg.go @@ -102,6 +102,7 @@ func sgRule(rule *ir.SGRule, sgName ir.SGName, i int) (tf.Block, error) { Arguments: []tf.Argument{ {Name: "group", Value: group}, {Name: "direction", Value: quote(direction(rule.Direction))}, + {Name: "local", Value: quote(rule.Local.String())}, {Name: "remote", Value: remote}, }, Blocks: sgProtocol(rule.Protocol), diff --git a/pkg/ir/sg.go b/pkg/ir/sg.go index a9e6be56..3f9fa27d 100644 --- a/pkg/ir/sg.go +++ b/pkg/ir/sg.go 
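Review bot: translateLocal now returns the same `error parsing Local field` both when the value is not a `*vpcv1.SecurityGroupRuleLocal` and when it is one with neither CIDRBlock nor Address set, so a malformed config cannot be told apart from an unexpected SDK type at the call site; `return nil, fmt.Errorf("error parsing Local field: unsupported local value %T", local)` on the fall-through, plus a dedicated message for the empty case, would make the log actionable. With verifyLocalValue removed in the next hunk this function is the only validation a local value receives, so it deserves a doc comment stating the contract, e.g. `// translateLocal converts a rule's local value (CIDR block, else single address) into an IPBlock.`, since the code returns the CIDR block first and only consults Address when CIDRBlock is nil.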
@@ -34,8 +34,8 @@ type ( SG struct { SGName SGName - InboundRules []*SGRule - OutboundRules []*SGRule + InboundRules map[string][]*SGRule // the key is the locals value + OutboundRules map[string][]*SGRule // the key is the locals value Targets []ID } @@ -75,7 +75,10 @@ func NewSGRule(direction Direction, remote RemoteType, p netp.Protocol, local *n } func NewSG(sgName SGName) *SG { - return &SG{SGName: sgName, InboundRules: []*SGRule{}, OutboundRules: []*SGRule{}, Targets: []ID{}} + return &SG{SGName: sgName, + InboundRules: make(map[string][]*SGRule), + OutboundRules: make(map[string][]*SGRule), + } } func NewSGCollection() *SGCollection { @@ -96,16 +99,25 @@ func (c *SGCollection) LookupOrCreate(name SGName) *SG { } func (a *SG) Add(rule *SGRule) { - if rule.Direction == Outbound && !rule.isRedundant(a.OutboundRules) { - a.OutboundRules = append(a.OutboundRules, rule) + local := rule.Local.String() + if rule.Direction == Outbound && !rule.isRedundant(a.OutboundRules[local]) { + a.OutboundRules[local] = append(a.OutboundRules[local], rule) } - if rule.Direction == Inbound && !rule.isRedundant(a.InboundRules) { - a.InboundRules = append(a.InboundRules, rule) + + if rule.Direction == Inbound && !rule.isRedundant(a.InboundRules[local]) { + a.InboundRules[local] = append(a.InboundRules[local], rule) } } func (a *SG) AllRules() []*SGRule { - return slices.Concat(a.InboundRules, a.OutboundRules) + res := make([]*SGRule, 0) + for _, key := range utils.SortedMapKeys(a.InboundRules) { + res = slices.Concat(res, a.InboundRules[key]) + } + for _, key := range utils.SortedMapKeys(a.OutboundRules) { + res = slices.Concat(res, a.OutboundRules[key]) + } + return res } func (c *SGCollection) VpcNames() []string { diff --git a/pkg/optimize/sg/ipCubesToRules.go b/pkg/optimize/sg/ipCubesToRules.go index 1e46873c..87c082b5 100644 --- a/pkg/optimize/sg/ipCubesToRules.go +++ b/pkg/optimize/sg/ipCubesToRules.go 
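Review bot: NewSG no longer initialises `Targets`, so a fresh SG now carries a nil slice where it used to carry `[]ID{}`; that is harmless for `append` and `len`, but if any writer serialises `Targets` with encoding/json the output changes from `[]` to `null`, so restore `Targets: []ID{},` unless the change is intended. AllRules calls `utils.SortedMapKeys`, and the 28-line diffstat for pkg/ir/sg.go is fully accounted for by the three hunks shown, so `utils` must already be imported in that file — please confirm. As a style point, `res = slices.Concat(res, a.InboundRules[key])` inside each loop allocates a fresh slice per key; `res = append(res, a.InboundRules[key]...)` does the same work in place. The struct comment `// the key is the locals value` would be more precise as `// keyed by rule.Local.String()`, which is the exact string Add and translateSGRules both use.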
@@ -19,17 +19,17 @@ import ( // any protocol IP-segments, represented by a single ipblock that will be decomposed // into cidrs. Each cidr will be a remote of a single SG rule -func anyProtocolIPCubesToRules(cubes *netset.IPBlock, direction ir.Direction) []*ir.SGRule { +func anyProtocolIPCubesToRules(cubes *netset.IPBlock, direction ir.Direction, l *netset.IPBlock) []*ir.SGRule { result := make([]*ir.SGRule, 0) for _, cidr := range cubes.SplitToCidrs() { - result = append(result, ir.NewSGRule(direction, cidr, netp.AnyProtocol{}, netset.GetCidrAll(), "")) + result = append(result, ir.NewSGRule(direction, cidr, netp.AnyProtocol{}, l, "")) } return result } // tcpudpIPCubesToRules converts cubes representing tcp or udp protocol rules to SG rules func tcpudpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.PortSet], anyProtocolCubes *netset.IPBlock, direction ir.Direction, - isTCP bool) []*ir.SGRule { + isTCP bool, l *netset.IPBlock) []*ir.SGRule { if len(cubes) == 0 { return []*ir.SGRule{} } @@ -40,7 +40,7 @@ func tcpudpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.PortSet], any for i := range cubes { // if it is not possible to continue the rule between the cubes, generate all existing rules if i > 0 && uncoveredHole(cubes[i-1], cubes[i], anyProtocolCubes) { - res = slices.Concat(res, createActiveRules(activeRules, cubes[i-1].Left.LastIPAddressObject(), direction)) + res = slices.Concat(res, createActiveRules(activeRules, cubes[i-1].Left.LastIPAddressObject(), direction, l)) activeRules = make(map[*netset.IPBlock]netp.Protocol) } 
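Review bot: The new local parameter is named `l` in anyProtocolIPCubesToRules and tcpudpIPCubesToRules here, and the same single letter is threaded through icmpIPCubesToRules, createActiveRules and createNewRules in the later hunks of this file and through tcpudpSGCubesToRules, icmpSGCubesToRules and anyProtocolCubesToRules in sgCubesToRules.go; a one-letter name for a parameter that crosses eight signatures reads like a loop index, and `local *netset.IPBlock` would match the `rule.Local` field it is stored into. The doc comments above these functions still describe only the cube decomposition; a clause such as `// local is the Local IPBlock each generated rule is created with` on each would save readers tracing the value back to optimizeSG. tcpudpIPCubesToRules' body continues past the end of this hunk.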
@@ -50,7 +50,7 @@ func tcpudpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.PortSet], any for startIP, protocol := range activeRules { tcpudp, _ := protocol.(netp.TCPUDP) // already checked if !tcpudp.DstPorts().ToSet().IsSubset(cubes[i].Right) { - res = slices.Concat(res, createNewRules(protocol, startIP, cubes[i-1].Left.LastIPAddressObject(), direction)) + res = slices.Concat(res, createNewRules(protocol, startIP, cubes[i-1].Left.LastIPAddressObject(), direction, l)) delete(activeRules, startIP) } else { activePorts.AddInterval(tcpudp.DstPorts()) @@ -66,12 +66,12 @@ func tcpudpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.PortSet], any } } // generate all existing rules - return slices.Concat(res, createActiveRules(activeRules, cubes[len(cubes)-1].Left.LastIPAddressObject(), direction)) + return slices.Concat(res, createActiveRules(activeRules, cubes[len(cubes)-1].Left.LastIPAddressObject(), direction, l)) } // icmpIPCubesToRules converts cubes representing icmp protocol rules to SG rules -func icmpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.ICMPSet], anyProtocolCubes *netset.IPBlock, - direction ir.Direction) []*ir.SGRule { +func icmpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.ICMPSet], anyProtocolCubes *netset.IPBlock, direction ir.Direction, + l *netset.IPBlock) []*ir.SGRule { if len(cubes) == 0 { return []*ir.SGRule{} } @@ -82,7 +82,7 @@ func icmpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.ICMPSet], anyPr for i := range cubes { // if it is not possible to continue the rule between the cubes, generate all existing rules if i > 0 && uncoveredHole(cubes[i-1], cubes[i], anyProtocolCubes) { - res = slices.Concat(res, createActiveRules(activeRules, cubes[i-1].Left.LastIPAddressObject(), direction)) + res = slices.Concat(res, createActiveRules(activeRules, cubes[i-1].Left.LastIPAddressObject(), direction, l)) activeRules = make(map[*netset.IPBlock]netp.Protocol) } 
@@ -93,7 +93,7 @@ func icmpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.ICMPSet], anyPr icmp, _ := protocol.(netp.ICMP) ruleIcmpSet := optimize.IcmpRuleToIcmpSet(icmp) if !ruleIcmpSet.IsSubset(cubes[i].Right) { - res = slices.Concat(res, createNewRules(protocol, startIP, cubes[i-1].Left.LastIPAddressObject(), direction)) + res = slices.Concat(res, createNewRules(protocol, startIP, cubes[i-1].Left.LastIPAddressObject(), direction, l)) delete(activeRules, startIP) } else { activeICMP.Union(ruleIcmpSet) @@ -109,7 +109,7 @@ func icmpIPCubesToRules(cubes []ds.Pair[*netset.IPBlock, *netset.ICMPSet], anyPr } // generate all existing rules - return slices.Concat(res, createActiveRules(activeRules, cubes[len(cubes)-1].Left.LastIPAddressObject(), direction)) + return slices.Concat(res, createActiveRules(activeRules, cubes[len(cubes)-1].Left.LastIPAddressObject(), direction, l)) } // uncoveredHole returns true if the rules can not be continued between the two cubes 
@@ -128,20 +128,21 @@ func uncoveredHole[T ds.Set[T]](prevPair, currPair ds.Pair[*netset.IPBlock, T], } // creates sgRules from SG active rules -func createActiveRules(activeRules map[*netset.IPBlock]netp.Protocol, lastIP *netset.IPBlock, direction ir.Direction) []*ir.SGRule { +func createActiveRules(activeRules map[*netset.IPBlock]netp.Protocol, lastIP *netset.IPBlock, + direction ir.Direction, l *netset.IPBlock) []*ir.SGRule { res := make([]*ir.SGRule, 0) for firstIP, protocol := range activeRules { - res = slices.Concat(res, createNewRules(protocol, firstIP, lastIP, direction)) + res = slices.Concat(res, createNewRules(protocol, firstIP, lastIP, direction, l)) } return res } // createNewRules breaks the startIP-endIP ip range into cidrs and creates SG rules -func createNewRules(protocol netp.Protocol, startIP, endIP *netset.IPBlock, direction ir.Direction) []*ir.SGRule { +func createNewRules(protocol netp.Protocol, startIP, endIP *netset.IPBlock, direction ir.Direction, l *netset.IPBlock) []*ir.SGRule { res := make([]*ir.SGRule, 0) ipRange, _ := netset.IPBlockFromIPRange(startIP, endIP) for _, cidr := range ipRange.SplitToCidrs() { - res = append(res, ir.NewSGRule(direction, cidr, protocol, netset.GetCidrAll(), "")) + res = append(res, ir.NewSGRule(direction, cidr, protocol, l, "")) } return res } diff --git a/pkg/optimize/sg/sg.go b/pkg/optimize/sg/sg.go index fed45079..06feaacc 100644 --- a/pkg/optimize/sg/sg.go +++ b/pkg/optimize/sg/sg.go 
@@ -95,17 +95,23 @@ func (s *sgOptimizer) optimizeSG(sg *ir.SG) { reducedRules := 0 // reduce inbound rules first - newInboundRules := s.reduceSGRules(sg.InboundRules, ir.Inbound) - if len(sg.InboundRules) > len(newInboundRules) { - reducedRules += len(sg.InboundRules) - len(newInboundRules) - sg.InboundRules = newInboundRules + for l, rules := range sg.InboundRules { + local, _ := netset.IPBlockFromCidr(l) + newInboundRules := s.reduceSGRules(rules, ir.Inbound, local) + if len(rules) > len(newInboundRules) { + reducedRules += len(rules) - len(newInboundRules) + sg.InboundRules[l] = newInboundRules + } } // reduce outbound rules second - newOutboundRules := s.reduceSGRules(sg.OutboundRules, ir.Outbound) - if len(sg.OutboundRules) > len(newOutboundRules) { - reducedRules += len(sg.OutboundRules) - len(newOutboundRules) - sg.OutboundRules = newOutboundRules + for l, rules := range sg.OutboundRules { + local, _ := netset.IPBlockFromCidr(l) + newOutboundRules := s.reduceSGRules(rules, ir.Outbound, local) + if len(rules) > len(newOutboundRules) { + reducedRules += len(rules) - len(newOutboundRules) + sg.OutboundRules[l] = newOutboundRules + } } // print a message to the log 
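Review bot: Both loops in optimizeSG discard the error from `netset.IPBlockFromCidr(l)`; if a map key — produced by `Local.String()` in translateSGRules and SG.Add — is ever not a parsable CIDR (for example a bare address from the new `IPBlockFromIPAddress` path in translateLocal, should String() render it without a prefix length), `local` is nil and every rebuilt rule in that group is created with a nil Local, which makeSGRow and tfio's sgRule then dereference through `rule.Local.String()`. All rules stored under one key share the same `Local.String()`, so the string round trip is unnecessary: `if len(rules) == 0 { continue }` followed by `local := rules[0].Local` avoids both the re-parse and the dropped error; if the re-parse is kept, check the error and `continue` with a log line instead of discarding it. optimizeSG continues past the end of this hunk.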
@@ -117,19 +123,19 @@ func (s *sgOptimizer) optimizeSG(sg *ir.SG) { } // reduceSGRules attempts to reduce the number of rules with different remote types separately -func (s *sgOptimizer) reduceSGRules(rules []*ir.SGRule, direction ir.Direction) []*ir.SGRule { +func (s *sgOptimizer) reduceSGRules(rules []*ir.SGRule, direction ir.Direction, l *netset.IPBlock) []*ir.SGRule { // separate all rules to groups of protocol X remote ([tcp, udp, icmp, protocolAll] X [ip, sg]) ruleGroups := divideSGRules(rules) // rules with SG as a remote - optimizedRulesToSG := reduceRulesSGRemote(rulesToSGCubes(ruleGroups.sgRemoteRules), direction) + optimizedRulesToSG := reduceRulesSGRemote(rulesToSGCubes(ruleGroups.sgRemoteRules), direction, l) originalRulesToSG := ruleGroups.sgRemoteRules.allRules() if len(originalRulesToSG) <= len(optimizedRulesToSG) { // failed to reduce number of rules optimizedRulesToSG = originalRulesToSG } // rules with IPBlock as a remote - optimizedRulesToIPAddrs := reduceRulesIPRemote(rulesToIPCubes(ruleGroups.ipRemoteRules), direction) + optimizedRulesToIPAddrs := reduceRulesIPRemote(rulesToIPCubes(ruleGroups.ipRemoteRules), direction, l) originalRulesToIPAddrs := ruleGroups.ipRemoteRules.allRules() if len(originalRulesToIPAddrs) <= len(optimizedRulesToSG) { // failed to reduce number of rules optimizedRulesToIPAddrs = originalRulesToIPAddrs 
@@ -138,27 +144,27 @@ func (s *sgOptimizer) reduceSGRules(rules []*ir.SGRule, direction ir.Direction) return slices.Concat(optimizedRulesToSG, optimizedRulesToIPAddrs) } -func reduceRulesSGRemote(cubes *sgCubesPerProtocol, direction ir.Direction) []*ir.SGRule { +func reduceRulesSGRemote(cubes *sgCubesPerProtocol, direction ir.Direction, l *netset.IPBlock) []*ir.SGRule { reduceCubesWithSGRemote(cubes) // cubes to SG rules - tcpRules := tcpudpSGCubesToRules(cubes.tcp, direction, true) - udpRules := tcpudpSGCubesToRules(cubes.udp, direction, false) - icmpRules := icmpSGCubesToRules(cubes.icmp, direction) - anyProtocolRules := anyProtocolCubesToRules(cubes.anyProtocol, direction) + tcpRules := tcpudpSGCubesToRules(cubes.tcp, direction, true, l) + udpRules := tcpudpSGCubesToRules(cubes.udp, direction, false, l) + icmpRules := icmpSGCubesToRules(cubes.icmp, direction, l) + anyProtocolRules := anyProtocolCubesToRules(cubes.anyProtocol, direction, l) // return all rules return slices.Concat(tcpRules, udpRules, icmpRules, anyProtocolRules) } -func reduceRulesIPRemote(cubes *ipCubesPerProtocol, direction ir.Direction) []*ir.SGRule { +func reduceRulesIPRemote(cubes *ipCubesPerProtocol, direction ir.Direction, l *netset.IPBlock) []*ir.SGRule { reduceIPCubes(cubes) // cubes to SG rules - tcpRules := tcpudpIPCubesToRules(cubes.tcp, cubes.anyProtocol, direction, true) - udpRules := tcpudpIPCubesToRules(cubes.udp, cubes.anyProtocol, direction, false) - icmpRules := icmpIPCubesToRules(cubes.icmp, cubes.anyProtocol, direction) - anyProtocolRules := anyProtocolIPCubesToRules(cubes.anyProtocol, direction) + tcpRules := tcpudpIPCubesToRules(cubes.tcp, cubes.anyProtocol, direction, true, l) + udpRules := tcpudpIPCubesToRules(cubes.udp, cubes.anyProtocol, direction, false, l) + icmpRules := icmpIPCubesToRules(cubes.icmp, cubes.anyProtocol, direction, l) + anyProtocolRules := anyProtocolIPCubesToRules(cubes.anyProtocol, direction, l) // return all rules return slices.Concat(tcpRules, 
udpRules, icmpRules, anyProtocolRules) diff --git a/pkg/optimize/sg/sgCubesToRules.go b/pkg/optimize/sg/sgCubesToRules.go index 94904c5d..bcad1682 100644 --- a/pkg/optimize/sg/sgCubesToRules.go +++ b/pkg/optimize/sg/sgCubesToRules.go 
@@ -14,33 +14,33 @@ import ( ) // cubes (SGName X portSet) to SG rules -func tcpudpSGCubesToRules(cubes map[ir.SGName]*netset.PortSet, direction ir.Direction, isTCP bool) []*ir.SGRule { +func tcpudpSGCubesToRules(cubes map[ir.SGName]*netset.PortSet, direction ir.Direction, isTCP bool, l *netset.IPBlock) []*ir.SGRule { result := make([]*ir.SGRule, 0) for sgName, portSet := range cubes { for _, dstPorts := range portSet.Intervals() { p, _ := netp.NewTCPUDP(isTCP, netp.MinPort, netp.MaxPort, int(dstPorts.Start()), int(dstPorts.End())) - result = append(result, ir.NewSGRule(direction, sgName, p, netset.GetCidrAll(), "")) + result = append(result, ir.NewSGRule(direction, sgName, p, l, "")) } } return result } // cubes (SGName X icmpset) to SG rules -func icmpSGCubesToRules(cubes map[ir.SGName]*netset.ICMPSet, direction ir.Direction) []*ir.SGRule { +func icmpSGCubesToRules(cubes map[ir.SGName]*netset.ICMPSet, direction ir.Direction, l *netset.IPBlock) []*ir.SGRule { result := make([]*ir.SGRule, 0) for sgName, icmpSet := range cubes { for _, icmp := range optimize.IcmpsetPartitions(icmpSet) { - result = append(result, ir.NewSGRule(direction, sgName, icmp, netset.GetCidrAll(), "")) + result = append(result, ir.NewSGRule(direction, sgName, icmp, l, "")) } } return result } // slice of remote SGs to SG rules -func anyProtocolCubesToRules(remoteSG []ir.SGName, direction ir.Direction) []*ir.SGRule { +func anyProtocolCubesToRules(remoteSG []ir.SGName, direction ir.Direction, l *netset.IPBlock) []*ir.SGRule { result := make([]*ir.SGRule, len(remoteSG)) for i, sgName := range remoteSG { - result[i] = ir.NewSGRule(direction, sgName, netp.AnyProtocol{}, netset.GetCidrAll(), "") + result[i] = ir.NewSGRule(direction, sgName, netp.AnyProtocol{}, l, "") } return result } diff --git a/test/data/optimize_sg_protocols_to_all/config_object.json b/test/data/optimize_sg_protocols_to_all/config_object.json index e4d7662a..b3413252 100644 
--- a/test/data/optimize_sg_protocols_to_all/config_object.json +++ b/test/data/optimize_sg_protocols_to_all/config_object.json @@ -1434,6 +1434,54 @@ "port_max": 65535, "port_min": 151, "protocol": "udp" + }, + { + "direction": "outbound", + "href": "fake:href:111", + "id": "fake:id:111", + "ip_version": "ipv4", + "local": { + "cidr_block": "10.240.0.0/16" + }, + "remote": { + "crn": "fake:crn:19", + "href": "fake:href:19", + "id": "fake:id:19", + "name": "test-vpc1--vsi3a" + }, + "protocol": "icmp" + }, + { + "direction": "outbound", + "href": "fake:href:222", + "id": "fake:id:222", + "ip_version": "ipv4", + "local": { + "cidr_block": "10.240.0.0/16" + }, + "remote": { + "crn": "fake:crn:19", + "href": "fake:href:19", + "id": "fake:id:19", + "name": "test-vpc1--vsi3a" + }, + "protocol": "tcp" + }, + { + "direction": "outbound", + "href": "fake:href:333", + "id": "fake:id:333", + "ip_version": "ipv4", + "local": { + "cidr_block": "10.240.0.0/16" + }, + "remote": { + "crn": "fake:crn:19", + "href": "fake:href:19", + "id": "fake:id:19", + "name": "test-vpc1--vsi3a" + }, + "protocol": "udp" } ], "targets": [ 
@@ -1493,7 +1541,56 @@ "id": "id:17", "name": "name:4" }, - "rules": [], + "rules": [ + { + "direction": "inbound", + "href": "fake:href:1111", + "id": "fake:id:1111", + "ip_version": "ipv4", + "local": { + "cidr_block": "10.240.0.0/16" + }, + "remote": { + "crn": "fake:crn:2", + "href": "fake:href:2", + "id": "fake:id:2", + "name": "test-vpc1--vsi1" + }, + "protocol": "icmp" + }, + { + "direction": "inbound", + "href": "fake:href:2222", + "id": "fake:id:2222", + "ip_version": "ipv4", + "local": { + "cidr_block": "10.240.0.0/16" + }, + "remote": { + "crn": "fake:crn:2", + "href": "fake:href:2", + "id": "fake:id:2", + "name": "test-vpc1--vsi1" + }, + "protocol": "tcp" + }, + { + "direction": "inbound", + "href": "fake:href:3333", + "id": "fake:id:3333", + "ip_version": "ipv4", + "local": { + "cidr_block": "10.240.0.0/16" + }, + "remote": { + "crn": "fake:crn:2", + "href": "fake:href:2", + "id": "fake:id:2", + "name": "test-vpc1--vsi1" + }, + "protocol": "udp" + } + ], "targets": [ { "href": "href:83", diff --git a/test/data/optimize_sg_protocols_to_all/details.txt b/test/data/optimize_sg_protocols_to_all/details.txt index dcd70519..683608c0 100644 --- a/test/data/optimize_sg_protocols_to_all/details.txt +++ b/test/data/optimize_sg_protocols_to_all/details.txt @@ -1,4 +1,7 @@ +#################################### original config object: acl_testing4 config +please note that vsi1-->vsi3a coonnections do not appear in conn_spec.json file +#################################### ######## BEFORE ######## 
@@ -14,10 +17,14 @@ vsi1 --> vsi2 (udp ports 1-100) vsi1 --> vsi2 (udp ports 50-150) vsi1 --> vsi2 (udp ports 151-65535) +vsi1 --> vsi3a (icmp) [local=10.240.0.0/16] +vsi1 --> vsi3a (tcp) [local=10.240.0.0/16] +vsi1 --> vsi3a (udp) [local=10.240.0.0/16] ######## AFTER ######## vsi1 --> 0.0.0.0/31 (any protocol) vsi1 --> 0.0.0.0/30 (icmp) -vsi1 --> vsi2 (any protocol) \ No newline at end of file +vsi1 --> vsi2 (any protocol) +vsi1 --> vsi3a (any protocol) [local=10.240.0.0/16] \ No newline at end of file diff --git a/test/expected/optimize_sg_protocols_to_all_csv/sg_expected.csv b/test/expected/optimize_sg_protocols_to_all_csv/sg_expected.csv index 2e4c7efb..a945268c 100644 --- a/test/expected/optimize_sg_protocols_to_all_csv/sg_expected.csv +++ b/test/expected/optimize_sg_protocols_to_all_csv/sg_expected.csv 
@@ -1,9 +1,11 @@ -SG,Direction,Remote type,Remote,Protocol,Protocol params,Description -sg1,Inbound,CIDR block,Any IP,ALL,, -sg1,Outbound,CIDR block,Any IP,ALL,, -test-vpc1--vsi1,Outbound,Security group,test-vpc1--vsi2,ALL,, -test-vpc1--vsi1,Outbound,CIDR block,0.0.0.0/30,ICMP,"Type: Any, Code: Any", -test-vpc1--vsi1,Outbound,CIDR block,0.0.0.0/31,ALL,, -test-vpc1--vsi2,Inbound,Security group,test-vpc1--vsi1,ALL,, -wombat-hesitate-scorn-subprime,Inbound,Security group,wombat-hesitate-scorn-subprime,ALL,, -wombat-hesitate-scorn-subprime,Outbound,CIDR block,Any IP,ALL,, +SG,Direction,Local,Remote type,Remote,Protocol,Protocol params,Description +sg1,Inbound,0.0.0.0/0,CIDR block,Any IP,ALL,, +sg1,Outbound,0.0.0.0/0,CIDR block,Any IP,ALL,, +test-vpc1--vsi1,Outbound,0.0.0.0/0,Security group,test-vpc1--vsi2,ALL,, +test-vpc1--vsi1,Outbound,0.0.0.0/0,CIDR block,0.0.0.0/30,ICMP,"Type: Any, Code: Any", +test-vpc1--vsi1,Outbound,0.0.0.0/0,CIDR block,0.0.0.0/31,ALL,, +test-vpc1--vsi1,Outbound,10.240.0.0/16,Security group,test-vpc1--vsi3a,ALL,, +test-vpc1--vsi2,Inbound,0.0.0.0/0,Security group,test-vpc1--vsi1,ALL,, +test-vpc1--vsi3a,Inbound,10.240.0.0/16,Security group,test-vpc1--vsi1,ALL,, +wombat-hesitate-scorn-subprime,Inbound,0.0.0.0/0,Security group,wombat-hesitate-scorn-subprime,ALL,, +wombat-hesitate-scorn-subprime,Outbound,0.0.0.0/0,CIDR block,Any IP,ALL,, diff --git a/test/expected/optimize_sg_protocols_to_all_json/sg_expected.json b/test/expected/optimize_sg_protocols_to_all_json/sg_expected.json index 7c8093aa..279065bc 100644 --- a/test/expected/optimize_sg_protocols_to_all_json/sg_expected.json +++ b/test/expected/optimize_sg_protocols_to_all_json/sg_expected.json 
@@ -1243,6 +1243,22 @@ "cidr_block": "0.0.0.0/31" }, "protocol": "all" + }, + { + "direction": "outbound", + "href": "fake:href:5", + "id": "fake:id:5", + "ip_version": "ipv4", + "local": { + "cidr_block": "10.240.0.0/16" + }, + "remote": { + "crn": "fake:crn:19", + "href": "fake:href:19", + "id": "fake:id:19", + "name": "test-vpc1--vsi3a" + }, + "protocol": "all" } ], "targets": [ @@ -1302,7 +1318,24 @@ "id": "id:17", "name": "name:4" }, - "rules": [], + "rules": [ + { + "direction": "inbound", + "href": "fake:href:6", + "id": "fake:id:6", + "ip_version": "ipv4", + "local": { + "cidr_block": "10.240.0.0/16" + }, + "remote": { + "crn": "fake:crn:2", + "href": "fake:href:2", + "id": "fake:id:2", + "name": "test-vpc1--vsi1" + }, + "protocol": "all" + } + ], "targets": [ { "href": "href:83", diff --git a/test/expected/optimize_sg_protocols_to_all_md/sg_expected.md b/test/expected/optimize_sg_protocols_to_all_md/sg_expected.md index 52e2f303..c79beaf3 100644 --- a/test/expected/optimize_sg_protocols_to_all_md/sg_expected.md +++ b/test/expected/optimize_sg_protocols_to_all_md/sg_expected.md 
@@ -1,10 +1,12 @@ - | SG | Direction | Remote type | Remote | Protocol | Protocol params | Description | - | :--- | :--- | :--- | :--- | :--- | :--- | :--- | - | sg1 | Inbound | CIDR block | Any IP | ALL | | | - | sg1 | Outbound | CIDR block | Any IP | ALL | | | - | test-vpc1--vsi1 | Outbound | Security group | test-vpc1--vsi2 | ALL | | | - | test-vpc1--vsi1 | Outbound | CIDR block | 0.0.0.0/30 | ICMP | Type: Any, Code: Any | | - | test-vpc1--vsi1 | Outbound | CIDR block | 0.0.0.0/31 | ALL | | | - | test-vpc1--vsi2 | Inbound | Security group | test-vpc1--vsi1 | ALL | | | - | wombat-hesitate-scorn-subprime | Inbound | Security group | wombat-hesitate-scorn-subprime | ALL | | | - | wombat-hesitate-scorn-subprime | Outbound | CIDR block | Any IP | ALL | | | + | SG | Direction | Local | Remote type | Remote | Protocol | Protocol params | Description | + | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | + | sg1 | Inbound | 0.0.0.0/0 | CIDR block | Any IP | ALL | | | + | sg1 | Outbound | 0.0.0.0/0 | CIDR block | Any IP | ALL | | | + | test-vpc1--vsi1 | Outbound | 0.0.0.0/0 | Security group | test-vpc1--vsi2 | ALL | | | + | test-vpc1--vsi1 | Outbound | 0.0.0.0/0 | CIDR block | 0.0.0.0/30 | ICMP | Type: Any, Code: Any | | + | test-vpc1--vsi1 | Outbound | 0.0.0.0/0 | CIDR block | 0.0.0.0/31 | ALL | | | + | test-vpc1--vsi1 | Outbound | 10.240.0.0/16 | Security group | test-vpc1--vsi3a | ALL | | | + | test-vpc1--vsi2 | Inbound | 0.0.0.0/0 | Security group | test-vpc1--vsi1 | ALL | | | + | test-vpc1--vsi3a | Inbound | 10.240.0.0/16 | Security group | test-vpc1--vsi1 | ALL | | | + | wombat-hesitate-scorn-subprime | Inbound | 0.0.0.0/0 | Security group | wombat-hesitate-scorn-subprime | ALL | | | + | wombat-hesitate-scorn-subprime | Outbound | 0.0.0.0/0 | CIDR block | Any IP | ALL | | | diff --git a/test/expected/optimize_sg_protocols_to_all_tf/sg_expected.tf b/test/expected/optimize_sg_protocols_to_all_tf/sg_expected.tf index 3b2fc12f..5b44ad30 100644 
--- a/test/expected/optimize_sg_protocols_to_all_tf/sg_expected.tf +++ b/test/expected/optimize_sg_protocols_to_all_tf/sg_expected.tf @@ -7,11 +7,13 @@ resource "ibm_is_security_group" "sg1" { resource "ibm_is_security_group_rule" "sg1-0" { group = ibm_is_security_group.sg1.id direction = "inbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } resource "ibm_is_security_group_rule" "sg1-1" { group = ibm_is_security_group.sg1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } @@ -24,11 +26,13 @@ resource "ibm_is_security_group" "test-vpc1--vsi1" { resource "ibm_is_security_group_rule" "test-vpc1--vsi1-0" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi2.id } resource "ibm_is_security_group_rule" "test-vpc1--vsi1-1" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/30" icmp { } @@ -36,8 +40,15 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi1-1" { resource "ibm_is_security_group_rule" "test-vpc1--vsi1-2" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/31" } +resource "ibm_is_security_group_rule" "test-vpc1--vsi1-3" { + group = ibm_is_security_group.test-vpc1--vsi1.id + direction = "outbound" + local = "10.240.0.0/16" + remote = ibm_is_security_group.test-vpc1--vsi3a.id +} ### SG test-vpc1--vsi2 is attached to ni2 resource "ibm_is_security_group" "test-vpc1--vsi2" { @@ -48,6 +59,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi2" { resource "ibm_is_security_group_rule" "test-vpc1--vsi2-0" { group = ibm_is_security_group.test-vpc1--vsi2.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi1.id } 
@@ -57,6 +69,12 @@ resource "ibm_is_security_group" "test-vpc1--vsi3a" { resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } +resource "ibm_is_security_group_rule" "test-vpc1--vsi3a-0" { + group = ibm_is_security_group.test-vpc1--vsi3a.id + direction = "inbound" + local = "10.240.0.0/16" + remote = ibm_is_security_group.test-vpc1--vsi1.id +} ### SG test-vpc1--vsi3b is attached to ni3b resource "ibm_is_security_group" "test-vpc1--vsi3b" { @@ -74,10 +92,12 @@ resource "ibm_is_security_group" "wombat-hesitate-scorn-subprime" { resource "ibm_is_security_group_rule" "wombat-hesitate-scorn-subprime-0" { group = ibm_is_security_group.wombat-hesitate-scorn-subprime.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.wombat-hesitate-scorn-subprime.id } resource "ibm_is_security_group_rule" "wombat-hesitate-scorn-subprime-1" { group = ibm_is_security_group.wombat-hesitate-scorn-subprime.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } diff --git a/test/expected/optimize_sg_redundant/sg_expected.tf b/test/expected/optimize_sg_redundant/sg_expected.tf index 4b8524ef..fa598624 100644 --- a/test/expected/optimize_sg_redundant/sg_expected.tf +++ b/test/expected/optimize_sg_redundant/sg_expected.tf @@ -7,11 +7,13 @@ resource "ibm_is_security_group" "sg1" { resource "ibm_is_security_group_rule" "sg1-0" { group = ibm_is_security_group.sg1.id direction = "inbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } resource "ibm_is_security_group_rule" "sg1-1" { group = ibm_is_security_group.sg1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } 
@@ -24,21 +26,25 @@ resource "ibm_is_security_group" "test-vpc1--vsi1" { resource "ibm_is_security_group_rule" "test-vpc1--vsi1-0" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi2.id } resource "ibm_is_security_group_rule" "test-vpc1--vsi1-1" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi3a.id } resource "ibm_is_security_group_rule" "test-vpc1--vsi1-2" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/30" } resource "ibm_is_security_group_rule" "test-vpc1--vsi1-3" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = "1.0.0.0/30" } @@ -51,6 +57,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi2" { resource "ibm_is_security_group_rule" "test-vpc1--vsi2-0" { group = ibm_is_security_group.test-vpc1--vsi2.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi1.id } @@ -63,6 +70,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi3a" { resource "ibm_is_security_group_rule" "test-vpc1--vsi3a-0" { group = ibm_is_security_group.test-vpc1--vsi3a.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi1.id } @@ -82,10 +90,12 @@ resource "ibm_is_security_group" "wombat-hesitate-scorn-subprime" { resource "ibm_is_security_group_rule" "wombat-hesitate-scorn-subprime-0" { group = ibm_is_security_group.wombat-hesitate-scorn-subprime.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.wombat-hesitate-scorn-subprime.id } resource "ibm_is_security_group_rule" "wombat-hesitate-scorn-subprime-1" { group = ibm_is_security_group.wombat-hesitate-scorn-subprime.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } 
diff --git a/test/expected/optimize_sg_t/sg_expected.tf b/test/expected/optimize_sg_t/sg_expected.tf index 995e1b94..03e61dc1 100644 --- a/test/expected/optimize_sg_t/sg_expected.tf +++ b/test/expected/optimize_sg_t/sg_expected.tf @@ -7,11 +7,13 @@ resource "ibm_is_security_group" "sg1" { resource "ibm_is_security_group_rule" "sg1-0" { group = ibm_is_security_group.sg1.id direction = "inbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } resource "ibm_is_security_group_rule" "sg1-1" { group = ibm_is_security_group.sg1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } @@ -24,6 +26,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi1" { resource "ibm_is_security_group_rule" "test-vpc1--vsi1-0" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/29" tcp { port_max = 10 @@ -32,6 +35,7 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi1-0" { resource "ibm_is_security_group_rule" "test-vpc1--vsi1-1" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.2/31" tcp { port_max = 20 @@ -68,10 +72,12 @@ resource "ibm_is_security_group" "wombat-hesitate-scorn-subprime" { resource "ibm_is_security_group_rule" "wombat-hesitate-scorn-subprime-0" { group = ibm_is_security_group.wombat-hesitate-scorn-subprime.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.wombat-hesitate-scorn-subprime.id } resource "ibm_is_security_group_rule" "wombat-hesitate-scorn-subprime-1" { group = ibm_is_security_group.wombat-hesitate-scorn-subprime.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } diff --git a/test/expected/optimize_sg_t_all/sg_expected.tf b/test/expected/optimize_sg_t_all/sg_expected.tf index fd5b626f..34fde7ea 100644 --- a/test/expected/optimize_sg_t_all/sg_expected.tf +++ b/test/expected/optimize_sg_t_all/sg_expected.tf 
@@ -7,11 +7,13 @@ resource "ibm_is_security_group" "sg1" { resource "ibm_is_security_group_rule" "sg1-0" { group = ibm_is_security_group.sg1.id direction = "inbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } resource "ibm_is_security_group_rule" "sg1-1" { group = ibm_is_security_group.sg1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } @@ -24,6 +26,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi1" { resource "ibm_is_security_group_rule" "test-vpc1--vsi1-0" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/29" tcp { port_max = 10 @@ -32,6 +35,7 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi1-0" { resource "ibm_is_security_group_rule" "test-vpc1--vsi1-1" { group = ibm_is_security_group.test-vpc1--vsi1.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.2/31" } @@ -65,10 +69,12 @@ resource "ibm_is_security_group" "wombat-hesitate-scorn-subprime" { resource "ibm_is_security_group_rule" "wombat-hesitate-scorn-subprime-0" { group = ibm_is_security_group.wombat-hesitate-scorn-subprime.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.wombat-hesitate-scorn-subprime.id } resource "ibm_is_security_group_rule" "wombat-hesitate-scorn-subprime-1" { group = ibm_is_security_group.wombat-hesitate-scorn-subprime.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } diff --git a/test/expected/sg_protocols_csv/sg_expected.csv b/test/expected/sg_protocols_csv/sg_expected.csv index 301ae2a2..e329df21 100644 --- a/test/expected/sg_protocols_csv/sg_expected.csv +++ b/test/expected/sg_protocols_csv/sg_expected.csv 
@@ -1,17 +1,17 @@ -SG,Direction,Remote type,Remote,Protocol,Protocol params,Description -test-vpc0/vsi0-subnet0,Outbound,Security group,test-vpc0/vsi0-subnet1,UDP,any port,Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[0] -test-vpc0/vsi0-subnet0,Outbound,Security group,test-vpc0/vsi0-subnet1,ICMP,"Type: Any, Code: Any",Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[1] -test-vpc0/vsi0-subnet1,Inbound,Security group,test-vpc0/vsi0-subnet0,UDP,any port,Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[0] -test-vpc0/vsi0-subnet1,Inbound,Security group,test-vpc0/vsi0-subnet0,ICMP,"Type: Any, Code: Any",Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[1] -test-vpc0/vsi0-subnet2,Outbound,Security group,test-vpc0/vsi0-subnet3,TCP,any port,Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[0] -test-vpc0/vsi0-subnet2,Outbound,Security group,test-vpc0/vsi0-subnet3,ICMP,"Type: 11, Code: 1",Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[1] -test-vpc0/vsi0-subnet3,Inbound,Security group,test-vpc0/vsi0-subnet2,TCP,any port,Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[0] -test-vpc0/vsi0-subnet3,Inbound,Security group,test-vpc0/vsi0-subnet2,ICMP,"Type: 11, Code: 1",Internal. 
required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[1] -test-vpc0/vsi1-subnet0,Outbound,Security group,test-vpc0/vsi1-subnet1,TCP,ports 8080-8080,Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[0] -test-vpc0/vsi1-subnet0,Outbound,Security group,test-vpc0/vsi1-subnet1,UDP,ports 53-53,Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[1] -test-vpc0/vsi1-subnet0,Outbound,Security group,test-vpc0/vsi1-subnet1,ICMP,"Type: 8, Code: Any",Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[2] -test-vpc0/vsi1-subnet1,Inbound,Security group,test-vpc0/vsi1-subnet0,TCP,ports 8080-8080,Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[0] -test-vpc0/vsi1-subnet1,Inbound,Security group,test-vpc0/vsi1-subnet0,UDP,ports 53-53,Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[1] -test-vpc0/vsi1-subnet1,Inbound,Security group,test-vpc0/vsi1-subnet0,ICMP,"Type: 8, Code: Any",Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[2] -test-vpc1/vsi0-subnet10,Outbound,IP address,8.8.8.8,TCP,any port,External. required-connections[3]: (instance test-vpc1/vsi0-subnet10)->(external dns); allowed-protocols[0] -test-vpc2/vsi1-subnet20,Outbound,CIDR block,Any IP,ALL,,External. 
required-connections[4]: (instance test-vpc2/vsi1-subnet20)->(external public internet); allowed-protocols[0] +SG,Direction,Local,Remote type,Remote,Protocol,Protocol params,Description +test-vpc0/vsi0-subnet0,Outbound,0.0.0.0/0,Security group,test-vpc0/vsi0-subnet1,UDP,any port,Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[0] +test-vpc0/vsi0-subnet0,Outbound,0.0.0.0/0,Security group,test-vpc0/vsi0-subnet1,ICMP,"Type: Any, Code: Any",Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[1] +test-vpc0/vsi0-subnet1,Inbound,0.0.0.0/0,Security group,test-vpc0/vsi0-subnet0,UDP,any port,Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[0] +test-vpc0/vsi0-subnet1,Inbound,0.0.0.0/0,Security group,test-vpc0/vsi0-subnet0,ICMP,"Type: Any, Code: Any",Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[1] +test-vpc0/vsi0-subnet2,Outbound,0.0.0.0/0,Security group,test-vpc0/vsi0-subnet3,TCP,any port,Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[0] +test-vpc0/vsi0-subnet2,Outbound,0.0.0.0/0,Security group,test-vpc0/vsi0-subnet3,ICMP,"Type: 11, Code: 1",Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[1] +test-vpc0/vsi0-subnet3,Inbound,0.0.0.0/0,Security group,test-vpc0/vsi0-subnet2,TCP,any port,Internal. 
required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[0] +test-vpc0/vsi0-subnet3,Inbound,0.0.0.0/0,Security group,test-vpc0/vsi0-subnet2,ICMP,"Type: 11, Code: 1",Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[1] +test-vpc0/vsi1-subnet0,Outbound,0.0.0.0/0,Security group,test-vpc0/vsi1-subnet1,TCP,ports 8080-8080,Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[0] +test-vpc0/vsi1-subnet0,Outbound,0.0.0.0/0,Security group,test-vpc0/vsi1-subnet1,UDP,ports 53-53,Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[1] +test-vpc0/vsi1-subnet0,Outbound,0.0.0.0/0,Security group,test-vpc0/vsi1-subnet1,ICMP,"Type: 8, Code: Any",Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[2] +test-vpc0/vsi1-subnet1,Inbound,0.0.0.0/0,Security group,test-vpc0/vsi1-subnet0,TCP,ports 8080-8080,Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[0] +test-vpc0/vsi1-subnet1,Inbound,0.0.0.0/0,Security group,test-vpc0/vsi1-subnet0,UDP,ports 53-53,Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[1] +test-vpc0/vsi1-subnet1,Inbound,0.0.0.0/0,Security group,test-vpc0/vsi1-subnet0,ICMP,"Type: 8, Code: Any",Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[2] +test-vpc1/vsi0-subnet10,Outbound,0.0.0.0/0,IP address,8.8.8.8,TCP,any port,External. 
required-connections[3]: (instance test-vpc1/vsi0-subnet10)->(external dns); allowed-protocols[0] +test-vpc2/vsi1-subnet20,Outbound,0.0.0.0/0,CIDR block,Any IP,ALL,,External. required-connections[4]: (instance test-vpc2/vsi1-subnet20)->(external public internet); allowed-protocols[0] diff --git a/test/expected/sg_protocols_md/sg_expected.md b/test/expected/sg_protocols_md/sg_expected.md index b6ac8951..82e0ca15 100644 --- a/test/expected/sg_protocols_md/sg_expected.md +++ b/test/expected/sg_protocols_md/sg_expected.md 
@@ -1,18 +1,18 @@ - | SG | Direction | Remote type | Remote | Protocol | Protocol params | Description | - | :--- | :--- | :--- | :--- | :--- | :--- | :--- | - | test-vpc0/vsi0-subnet0 | Outbound | Security group | test-vpc0/vsi0-subnet1 | UDP | any port | Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[0] | - | test-vpc0/vsi0-subnet0 | Outbound | Security group | test-vpc0/vsi0-subnet1 | ICMP | Type: Any, Code: Any | Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[1] | - | test-vpc0/vsi0-subnet1 | Inbound | Security group | test-vpc0/vsi0-subnet0 | UDP | any port | Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[0] | - | test-vpc0/vsi0-subnet1 | Inbound | Security group | test-vpc0/vsi0-subnet0 | ICMP | Type: Any, Code: Any | Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[1] | - | test-vpc0/vsi0-subnet2 | Outbound | Security group | test-vpc0/vsi0-subnet3 | TCP | any port | Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[0] | - | test-vpc0/vsi0-subnet2 | Outbound | Security group | test-vpc0/vsi0-subnet3 | ICMP | Type: 11, Code: 1 | Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[1] | - | test-vpc0/vsi0-subnet3 | Inbound | Security group | test-vpc0/vsi0-subnet2 | TCP | any port | Internal. 
required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[0] | - | test-vpc0/vsi0-subnet3 | Inbound | Security group | test-vpc0/vsi0-subnet2 | ICMP | Type: 11, Code: 1 | Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[1] | - | test-vpc0/vsi1-subnet0 | Outbound | Security group | test-vpc0/vsi1-subnet1 | TCP | ports 8080-8080 | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[0] | - | test-vpc0/vsi1-subnet0 | Outbound | Security group | test-vpc0/vsi1-subnet1 | UDP | ports 53-53 | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[1] | - | test-vpc0/vsi1-subnet0 | Outbound | Security group | test-vpc0/vsi1-subnet1 | ICMP | Type: 8, Code: Any | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[2] | - | test-vpc0/vsi1-subnet1 | Inbound | Security group | test-vpc0/vsi1-subnet0 | TCP | ports 8080-8080 | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[0] | - | test-vpc0/vsi1-subnet1 | Inbound | Security group | test-vpc0/vsi1-subnet0 | UDP | ports 53-53 | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[1] | - | test-vpc0/vsi1-subnet1 | Inbound | Security group | test-vpc0/vsi1-subnet0 | ICMP | Type: 8, Code: Any | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[2] | - | test-vpc1/vsi0-subnet10 | Outbound | IP address | 8.8.8.8 | TCP | any port | External. 
required-connections[3]: (instance test-vpc1/vsi0-subnet10)->(external dns); allowed-protocols[0] | - | test-vpc2/vsi1-subnet20 | Outbound | CIDR block | Any IP | ALL | | External. required-connections[4]: (instance test-vpc2/vsi1-subnet20)->(external public internet); allowed-protocols[0] | + | SG | Direction | Local | Remote type | Remote | Protocol | Protocol params | Description | + | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | + | test-vpc0/vsi0-subnet0 | Outbound | 0.0.0.0/0 | Security group | test-vpc0/vsi0-subnet1 | UDP | any port | Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[0] | + | test-vpc0/vsi0-subnet0 | Outbound | 0.0.0.0/0 | Security group | test-vpc0/vsi0-subnet1 | ICMP | Type: Any, Code: Any | Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[1] | + | test-vpc0/vsi0-subnet1 | Inbound | 0.0.0.0/0 | Security group | test-vpc0/vsi0-subnet0 | UDP | any port | Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[0] | + | test-vpc0/vsi0-subnet1 | Inbound | 0.0.0.0/0 | Security group | test-vpc0/vsi0-subnet0 | ICMP | Type: Any, Code: Any | Internal. required-connections[0]: (instance test-vpc0/vsi0-subnet0)->(instance test-vpc0/vsi0-subnet1); allowed-protocols[1] | + | test-vpc0/vsi0-subnet2 | Outbound | 0.0.0.0/0 | Security group | test-vpc0/vsi0-subnet3 | TCP | any port | Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[0] | + | test-vpc0/vsi0-subnet2 | Outbound | 0.0.0.0/0 | Security group | test-vpc0/vsi0-subnet3 | ICMP | Type: 11, Code: 1 | Internal. 
required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[1] | + | test-vpc0/vsi0-subnet3 | Inbound | 0.0.0.0/0 | Security group | test-vpc0/vsi0-subnet2 | TCP | any port | Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[0] | + | test-vpc0/vsi0-subnet3 | Inbound | 0.0.0.0/0 | Security group | test-vpc0/vsi0-subnet2 | ICMP | Type: 11, Code: 1 | Internal. required-connections[2]: (nif test-vpc0/vsi0-subnet2/graveyard-handmade-ransack-acquaint)->(nif test-vpc0/vsi0-subnet3/icky-balsamic-outgoing-leached); allowed-protocols[1] | + | test-vpc0/vsi1-subnet0 | Outbound | 0.0.0.0/0 | Security group | test-vpc0/vsi1-subnet1 | TCP | ports 8080-8080 | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[0] | + | test-vpc0/vsi1-subnet0 | Outbound | 0.0.0.0/0 | Security group | test-vpc0/vsi1-subnet1 | UDP | ports 53-53 | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[1] | + | test-vpc0/vsi1-subnet0 | Outbound | 0.0.0.0/0 | Security group | test-vpc0/vsi1-subnet1 | ICMP | Type: 8, Code: Any | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[2] | + | test-vpc0/vsi1-subnet1 | Inbound | 0.0.0.0/0 | Security group | test-vpc0/vsi1-subnet0 | TCP | ports 8080-8080 | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[0] | + | test-vpc0/vsi1-subnet1 | Inbound | 0.0.0.0/0 | Security group | test-vpc0/vsi1-subnet0 | UDP | ports 53-53 | Internal. 
required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[1] | + | test-vpc0/vsi1-subnet1 | Inbound | 0.0.0.0/0 | Security group | test-vpc0/vsi1-subnet0 | ICMP | Type: 8, Code: Any | Internal. required-connections[1]: (instance test-vpc0/vsi1-subnet0)->(instance test-vpc0/vsi1-subnet1); allowed-protocols[2] | + | test-vpc1/vsi0-subnet10 | Outbound | 0.0.0.0/0 | IP address | 8.8.8.8 | TCP | any port | External. required-connections[3]: (instance test-vpc1/vsi0-subnet10)->(external dns); allowed-protocols[0] | + | test-vpc2/vsi1-subnet20 | Outbound | 0.0.0.0/0 | CIDR block | Any IP | ALL | | External. required-connections[4]: (instance test-vpc2/vsi1-subnet20)->(external public internet); allowed-protocols[0] | diff --git a/test/expected/sg_protocols_tf/sg_expected.tf b/test/expected/sg_protocols_tf/sg_expected.tf index a85f889c..4b76e20e 100644 --- a/test/expected/sg_protocols_tf/sg_expected.tf +++ b/test/expected/sg_protocols_tf/sg_expected.tf @@ -8,6 +8,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet0.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet1.id udp { } @@ -16,6 +17,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet0.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet1.id icmp { } @@ -31,6 +33,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet1" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet0.id udp { } 
@@ -39,6 +42,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet0.id icmp { } @@ -54,6 +58,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet2" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet2-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet2.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet3.id tcp { } @@ -62,6 +67,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet2-0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet2-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet2.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet3.id icmp { type = 11 @@ -79,6 +85,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet3" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet3-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet3.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet2.id tcp { } @@ -87,6 +94,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet3-0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet3-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet3.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet2.id icmp { type = 11 @@ -118,6 +126,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi1-subnet0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-0" { group = ibm_is_security_group.test-vpc0--vsi1-subnet0.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet1.id tcp { port_min = 8080 
@@ -128,6 +137,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-1" { group = ibm_is_security_group.test-vpc0--vsi1-subnet0.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet1.id udp { port_min = 53 @@ -138,6 +148,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-1" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-2" { group = ibm_is_security_group.test-vpc0--vsi1-subnet0.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet1.id icmp { type = 8 @@ -154,6 +165,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi1-subnet1" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-0" { group = ibm_is_security_group.test-vpc0--vsi1-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet0.id tcp { port_min = 8080 @@ -164,6 +176,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-1" { group = ibm_is_security_group.test-vpc0--vsi1-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet0.id udp { port_min = 53 @@ -174,6 +187,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-1" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-2" { group = ibm_is_security_group.test-vpc0--vsi1-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet0.id icmp { type = 8 @@ -218,6 +232,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi0-subnet10" { resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet10-0" { group = ibm_is_security_group.test-vpc1--vsi0-subnet10.id direction = "outbound" + local = "0.0.0.0/0" remote = "8.8.8.8" tcp { } 
@@ -247,6 +262,7 @@ resource "ibm_is_security_group" "test-vpc2--vsi1-subnet20" { resource "ibm_is_security_group_rule" "test-vpc2--vsi1-subnet20-0" { group = ibm_is_security_group.test-vpc2--vsi1-subnet20.id direction = "outbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } diff --git a/test/expected/sg_segments1_tf/sg_expected.tf b/test/expected/sg_segments1_tf/sg_expected.tf index e32bb433..98726a53 100644 --- a/test/expected/sg_segments1_tf/sg_expected.tf +++ b/test/expected/sg_segments1_tf/sg_expected.tf @@ -8,12 +8,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet0.id direction = "inbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } # Internal. required-connections[0]: (segment cidrSegment)->(segment cidrSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet0.id direction = "outbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } @@ -27,12 +29,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet1" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } # Internal. required-connections[0]: (segment cidrSegment)->(segment cidrSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet1.id direction = "outbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } 
@@ -74,12 +78,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi1-subnet0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-0" { group = ibm_is_security_group.test-vpc0--vsi1-subnet0.id direction = "inbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } # Internal. required-connections[0]: (segment cidrSegment)->(segment cidrSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-1" { group = ibm_is_security_group.test-vpc0--vsi1-subnet0.id direction = "outbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } @@ -93,12 +99,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi1-subnet1" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-0" { group = ibm_is_security_group.test-vpc0--vsi1-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } # Internal. required-connections[0]: (segment cidrSegment)->(segment cidrSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-1" { group = ibm_is_security_group.test-vpc0--vsi1-subnet1.id direction = "outbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } diff --git a/test/expected/sg_segments2_tf/sg_expected.tf b/test/expected/sg_segments2_tf/sg_expected.tf index 3db420a0..972438cd 100644 --- a/test/expected/sg_segments2_tf/sg_expected.tf +++ b/test/expected/sg_segments2_tf/sg_expected.tf 
@@ -8,12 +8,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet0.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi0-subnet11.id } # Internal. required-connections[0]: (segment instanceSegment)->(segment cidrSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet0.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet5.id } @@ -27,12 +29,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet1" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi0-subnet11.id } # Internal. required-connections[0]: (segment instanceSegment)->(segment cidrSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet5.id } @@ -67,6 +71,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet5" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet5-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet5.id direction = "outbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } 
@@ -80,12 +85,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi1-subnet0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-0" { group = ibm_is_security_group.test-vpc0--vsi1-subnet0.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi0-subnet11.id } # Internal. required-connections[0]: (segment instanceSegment)->(segment cidrSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-1" { group = ibm_is_security_group.test-vpc0--vsi1-subnet0.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet5.id } @@ -99,12 +106,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi1-subnet1" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-0" { group = ibm_is_security_group.test-vpc0--vsi1-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi0-subnet11.id } # Internal. required-connections[0]: (segment instanceSegment)->(segment cidrSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-1" { group = ibm_is_security_group.test-vpc0--vsi1-subnet1.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet5.id } @@ -153,6 +162,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi0-subnet11" { resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet11-0" { group = ibm_is_security_group.test-vpc1--vsi0-subnet11.id direction = "outbound" + local = "0.0.0.0/0" remote = "10.240.0.0/23" } diff --git a/test/expected/sg_segments3_tf/sg_expected.tf b/test/expected/sg_segments3_tf/sg_expected.tf index 82443b46..b740ab4e 100644 --- a/test/expected/sg_segments3_tf/sg_expected.tf +++ b/test/expected/sg_segments3_tf/sg_expected.tf 
@@ -36,12 +36,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet4" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet4-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet4.id direction = "inbound" + local = "0.0.0.0/0" remote = "10.240.64.0/24" } # Internal. required-connections[0]: (segment subnetSegment)->(segment nifSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet4-1" { group = ibm_is_security_group.test-vpc0--vsi0-subnet4.id direction = "inbound" + local = "0.0.0.0/0" remote = "10.240.128.0/24" } @@ -97,12 +99,14 @@ resource "ibm_is_security_group" "test-vpc0--vsi1-subnet5" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet5-0" { group = ibm_is_security_group.test-vpc0--vsi1-subnet5.id direction = "inbound" + local = "0.0.0.0/0" remote = "10.240.64.0/24" } # Internal. required-connections[0]: (segment subnetSegment)->(segment nifSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet5-1" { group = ibm_is_security_group.test-vpc0--vsi1-subnet5.id direction = "inbound" + local = "0.0.0.0/0" remote = "10.240.128.0/24" } @@ -116,12 +120,14 @@ resource "ibm_is_security_group" "test-vpc1--vsi0-subnet10" { resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet10-0" { group = ibm_is_security_group.test-vpc1--vsi0-subnet10.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet4.id } # Internal. required-connections[0]: (segment subnetSegment)->(segment nifSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet10-1" { group = ibm_is_security_group.test-vpc1--vsi0-subnet10.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet5.id } 
@@ -142,12 +148,14 @@ resource "ibm_is_security_group" "test-vpc2--vsi0-subnet20" { resource "ibm_is_security_group_rule" "test-vpc2--vsi0-subnet20-0" { group = ibm_is_security_group.test-vpc2--vsi0-subnet20.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet4.id } # Internal. required-connections[0]: (segment subnetSegment)->(segment nifSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc2--vsi0-subnet20-1" { group = ibm_is_security_group.test-vpc2--vsi0-subnet20.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet5.id } @@ -161,12 +169,14 @@ resource "ibm_is_security_group" "test-vpc2--vsi1-subnet20" { resource "ibm_is_security_group_rule" "test-vpc2--vsi1-subnet20-0" { group = ibm_is_security_group.test-vpc2--vsi1-subnet20.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet4.id } # Internal. required-connections[0]: (segment subnetSegment)->(segment nifSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc2--vsi1-subnet20-1" { group = ibm_is_security_group.test-vpc2--vsi1-subnet20.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet5.id } @@ -180,12 +190,14 @@ resource "ibm_is_security_group" "test-vpc2--vsi2-subnet20" { resource "ibm_is_security_group_rule" "test-vpc2--vsi2-subnet20-0" { group = ibm_is_security_group.test-vpc2--vsi2-subnet20.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet4.id } # Internal. required-connections[0]: (segment subnetSegment)->(segment nifSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc2--vsi2-subnet20-1" { group = ibm_is_security_group.test-vpc2--vsi2-subnet20.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet5.id } 
diff --git a/test/expected/sg_segments4_tf/sg_expected.tf b/test/expected/sg_segments4_tf/sg_expected.tf index fde97298..25db114d 100644 --- a/test/expected/sg_segments4_tf/sg_expected.tf +++ b/test/expected/sg_segments4_tf/sg_expected.tf @@ -8,12 +8,14 @@ resource "ibm_is_security_group" "test-vpc--appdata-endpoint-gateway" { resource "ibm_is_security_group_rule" "test-vpc--appdata-endpoint-gateway-0" { group = ibm_is_security_group.test-vpc--appdata-endpoint-gateway.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--fe.id } # Internal. required-connections[0]: (segment vpeSegment)->(segment instanceSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc--appdata-endpoint-gateway-1" { group = ibm_is_security_group.test-vpc--appdata-endpoint-gateway.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--be.id } @@ -27,12 +29,14 @@ resource "ibm_is_security_group" "test-vpc--be" { resource "ibm_is_security_group_rule" "test-vpc--be-0" { group = ibm_is_security_group.test-vpc--be.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--appdata-endpoint-gateway.id } # Internal. required-connections[0]: (segment vpeSegment)->(segment instanceSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc--be-1" { group = ibm_is_security_group.test-vpc--be.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id } 
@@ -46,12 +50,14 @@ resource "ibm_is_security_group" "test-vpc--fe" { resource "ibm_is_security_group_rule" "test-vpc--fe-0" { group = ibm_is_security_group.test-vpc--fe.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--appdata-endpoint-gateway.id } # Internal. required-connections[0]: (segment vpeSegment)->(segment instanceSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc--fe-1" { group = ibm_is_security_group.test-vpc--fe.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id } @@ -72,12 +78,14 @@ resource "ibm_is_security_group" "test-vpc--policydb-endpoint-gateway" { resource "ibm_is_security_group_rule" "test-vpc--policydb-endpoint-gateway-0" { group = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--fe.id } # Internal. required-connections[0]: (segment vpeSegment)->(segment instanceSegment); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc--policydb-endpoint-gateway-1" { group = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--be.id } diff --git a/test/expected/sg_testing3_csv/sg_expected.csv b/test/expected/sg_testing3_csv/sg_expected.csv index 73c2c2b8..b7d46339 100644 --- a/test/expected/sg_testing3_csv/sg_expected.csv +++ b/test/expected/sg_testing3_csv/sg_expected.csv 
@@ -1,12 +1,12 @@
-SG,Direction,Remote type,Remote,Protocol,Protocol params,Description
-test-vpc/be,Inbound,Security group,test-vpc/fe,TCP,any port,Internal. required-connections[2]: (instance test-vpc/fe)->(instance test-vpc/be); allowed-protocols[0]
-test-vpc/be,Outbound,Security group,test-vpc/opa,ALL,,Internal. required-connections[3]: (instance test-vpc/be)->(instance test-vpc/opa); allowed-protocols[0]
-test-vpc/be,Outbound,Security group,test-vpc/policydb-endpoint-gateway,ALL,,Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0]
-test-vpc/fe,Inbound,Security group,test-vpc/proxy,TCP,ports 9000-9000,Internal. required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0]
-test-vpc/fe,Outbound,Security group,test-vpc/be,TCP,any port,Internal. required-connections[2]: (instance test-vpc/fe)->(instance test-vpc/be); allowed-protocols[0]
-test-vpc/opa,Inbound,Security group,test-vpc/be,ALL,,Internal. required-connections[3]: (instance test-vpc/be)->(instance test-vpc/opa); allowed-protocols[0]
-test-vpc/opa,Outbound,Security group,test-vpc/policydb-endpoint-gateway,ALL,,Internal. required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0]
-test-vpc/policydb-endpoint-gateway,Inbound,Security group,test-vpc/be,ALL,,Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0]
-test-vpc/policydb-endpoint-gateway,Inbound,Security group,test-vpc/opa,ALL,,Internal. required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0]
-test-vpc/proxy,Inbound,CIDR block,Any IP,ALL,,External. required-connections[0]: (external public internet)->(instance test-vpc/proxy); allowed-protocols[0]
-test-vpc/proxy,Outbound,Security group,test-vpc/fe,TCP,ports 9000-9000,Internal. 
required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0]
+SG,Direction,Local,Remote type,Remote,Protocol,Protocol params,Description
+test-vpc/be,Inbound,0.0.0.0/0,Security group,test-vpc/fe,TCP,any port,Internal. required-connections[2]: (instance test-vpc/fe)->(instance test-vpc/be); allowed-protocols[0]
+test-vpc/be,Outbound,0.0.0.0/0,Security group,test-vpc/opa,ALL,,Internal. required-connections[3]: (instance test-vpc/be)->(instance test-vpc/opa); allowed-protocols[0]
+test-vpc/be,Outbound,0.0.0.0/0,Security group,test-vpc/policydb-endpoint-gateway,ALL,,Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0]
+test-vpc/fe,Inbound,0.0.0.0/0,Security group,test-vpc/proxy,TCP,ports 9000-9000,Internal. required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0]
+test-vpc/fe,Outbound,0.0.0.0/0,Security group,test-vpc/be,TCP,any port,Internal. required-connections[2]: (instance test-vpc/fe)->(instance test-vpc/be); allowed-protocols[0]
+test-vpc/opa,Inbound,0.0.0.0/0,Security group,test-vpc/be,ALL,,Internal. required-connections[3]: (instance test-vpc/be)->(instance test-vpc/opa); allowed-protocols[0]
+test-vpc/opa,Outbound,0.0.0.0/0,Security group,test-vpc/policydb-endpoint-gateway,ALL,,Internal. required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0]
+test-vpc/policydb-endpoint-gateway,Inbound,0.0.0.0/0,Security group,test-vpc/be,ALL,,Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0]
+test-vpc/policydb-endpoint-gateway,Inbound,0.0.0.0/0,Security group,test-vpc/opa,ALL,,Internal. required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0]
+test-vpc/proxy,Inbound,0.0.0.0/0,CIDR block,Any IP,ALL,,External. 
required-connections[0]: (external public internet)->(instance test-vpc/proxy); allowed-protocols[0]
+test-vpc/proxy,Outbound,0.0.0.0/0,Security group,test-vpc/fe,TCP,ports 9000-9000,Internal. required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0]
diff --git a/test/expected/sg_testing3_md/sg_expected.md b/test/expected/sg_testing3_md/sg_expected.md
index fb2ac5d4..01eeba07 100644
--- a/test/expected/sg_testing3_md/sg_expected.md
+++ b/test/expected/sg_testing3_md/sg_expected.md
@@ -1,13 +1,13 @@
- | SG | Direction | Remote type | Remote | Protocol | Protocol params | Description |
- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
- | test-vpc/be | Inbound | Security group | test-vpc/fe | TCP | any port | Internal. required-connections[2]: (instance test-vpc/fe)->(instance test-vpc/be); allowed-protocols[0] |
- | test-vpc/be | Outbound | Security group | test-vpc/opa | ALL | | Internal. required-connections[3]: (instance test-vpc/be)->(instance test-vpc/opa); allowed-protocols[0] |
- | test-vpc/be | Outbound | Security group | test-vpc/policydb-endpoint-gateway | ALL | | Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] |
- | test-vpc/fe | Inbound | Security group | test-vpc/proxy | TCP | ports 9000-9000 | Internal. required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0] |
- | test-vpc/fe | Outbound | Security group | test-vpc/be | TCP | any port | Internal. required-connections[2]: (instance test-vpc/fe)->(instance test-vpc/be); allowed-protocols[0] |
- | test-vpc/opa | Inbound | Security group | test-vpc/be | ALL | | Internal. required-connections[3]: (instance test-vpc/be)->(instance test-vpc/opa); allowed-protocols[0] |
- | test-vpc/opa | Outbound | Security group | test-vpc/policydb-endpoint-gateway | ALL | | Internal. required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] |
- | test-vpc/policydb-endpoint-gateway | Inbound | Security group | test-vpc/be | ALL | | Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] |
- | test-vpc/policydb-endpoint-gateway | Inbound | Security group | test-vpc/opa | ALL | | Internal. 
required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] |
- | test-vpc/proxy | Inbound | CIDR block | Any IP | ALL | | External. required-connections[0]: (external public internet)->(instance test-vpc/proxy); allowed-protocols[0] |
- | test-vpc/proxy | Outbound | Security group | test-vpc/fe | TCP | ports 9000-9000 | Internal. required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0] |
+ | SG | Direction | Local | Remote type | Remote | Protocol | Protocol params | Description |
+ | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+ | test-vpc/be | Inbound | 0.0.0.0/0 | Security group | test-vpc/fe | TCP | any port | Internal. required-connections[2]: (instance test-vpc/fe)->(instance test-vpc/be); allowed-protocols[0] |
+ | test-vpc/be | Outbound | 0.0.0.0/0 | Security group | test-vpc/opa | ALL | | Internal. required-connections[3]: (instance test-vpc/be)->(instance test-vpc/opa); allowed-protocols[0] |
+ | test-vpc/be | Outbound | 0.0.0.0/0 | Security group | test-vpc/policydb-endpoint-gateway | ALL | | Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] |
+ | test-vpc/fe | Inbound | 0.0.0.0/0 | Security group | test-vpc/proxy | TCP | ports 9000-9000 | Internal. required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0] |
+ | test-vpc/fe | Outbound | 0.0.0.0/0 | Security group | test-vpc/be | TCP | any port | Internal. required-connections[2]: (instance test-vpc/fe)->(instance test-vpc/be); allowed-protocols[0] |
+ | test-vpc/opa | Inbound | 0.0.0.0/0 | Security group | test-vpc/be | ALL | | Internal. required-connections[3]: (instance test-vpc/be)->(instance test-vpc/opa); allowed-protocols[0] |
+ | test-vpc/opa | Outbound | 0.0.0.0/0 | Security group | test-vpc/policydb-endpoint-gateway | ALL | | Internal. 
required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] |
+ | test-vpc/policydb-endpoint-gateway | Inbound | 0.0.0.0/0 | Security group | test-vpc/be | ALL | | Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] |
+ | test-vpc/policydb-endpoint-gateway | Inbound | 0.0.0.0/0 | Security group | test-vpc/opa | ALL | | Internal. required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] |
+ | test-vpc/proxy | Inbound | 0.0.0.0/0 | CIDR block | Any IP | ALL | | External. required-connections[0]: (external public internet)->(instance test-vpc/proxy); allowed-protocols[0] |
+ | test-vpc/proxy | Outbound | 0.0.0.0/0 | Security group | test-vpc/fe | TCP | ports 9000-9000 | Internal. required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0] |
diff --git a/test/expected/sg_testing3_tf/sg_expected.tf b/test/expected/sg_testing3_tf/sg_expected.tf
index c7ced9bf..fb0423f3 100644
--- a/test/expected/sg_testing3_tf/sg_expected.tf
+++ b/test/expected/sg_testing3_tf/sg_expected.tf
@@ -15,6 +15,7 @@ resource "ibm_is_security_group" "test-vpc--be" { resource "ibm_is_security_group_rule" "test-vpc--be-0" { group = ibm_is_security_group.test-vpc--be.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--fe.id tcp { } 
@@ -23,12 +24,14 @@ resource "ibm_is_security_group_rule" "test-vpc--be-0" { resource "ibm_is_security_group_rule" "test-vpc--be-1" { group = ibm_is_security_group.test-vpc--be.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--opa.id } # Internal. required-connections[4]: (instance test-vpc/be)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc--be-2" { group = ibm_is_security_group.test-vpc--be.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id } @@ -42,6 +45,7 @@ resource "ibm_is_security_group" "test-vpc--fe" { resource "ibm_is_security_group_rule" "test-vpc--fe-0" { group = ibm_is_security_group.test-vpc--fe.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--proxy.id tcp { port_min = 9000 @@ -52,6 +56,7 @@ resource "ibm_is_security_group_rule" "test-vpc--fe-0" { resource "ibm_is_security_group_rule" "test-vpc--fe-1" { group = ibm_is_security_group.test-vpc--fe.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--be.id tcp { } @@ -67,12 +72,14 @@ resource "ibm_is_security_group" "test-vpc--opa" { resource "ibm_is_security_group_rule" "test-vpc--opa-0" { group = ibm_is_security_group.test-vpc--opa.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--be.id } # Internal. required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc--opa-1" { group = ibm_is_security_group.test-vpc--opa.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id } 
@@ -86,12 +93,14 @@ resource "ibm_is_security_group" "test-vpc--policydb-endpoint-gateway" { resource "ibm_is_security_group_rule" "test-vpc--policydb-endpoint-gateway-0" { group = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--be.id } # Internal. required-connections[5]: (instance test-vpc/opa)->(vpe test-vpc/policydb-endpoint-gateway); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc--policydb-endpoint-gateway-1" { group = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--opa.id } @@ -105,12 +114,14 @@ resource "ibm_is_security_group" "test-vpc--proxy" { resource "ibm_is_security_group_rule" "test-vpc--proxy-0" { group = ibm_is_security_group.test-vpc--proxy.id direction = "inbound" + local = "0.0.0.0/0" remote = "0.0.0.0/0" } # Internal. required-connections[1]: (instance test-vpc/proxy)->(instance test-vpc/fe); allowed-protocols[0] resource "ibm_is_security_group_rule" "test-vpc--proxy-1" { group = ibm_is_security_group.test-vpc--proxy.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc--fe.id tcp { port_min = 9000 diff --git a/test/expected/sg_tg_multiple_tf_separate/test-vpc0.tf b/test/expected/sg_tg_multiple_tf_separate/test-vpc0.tf index 1486e315..84facdb5 100644 --- a/test/expected/sg_tg_multiple_tf_separate/test-vpc0.tf +++ b/test/expected/sg_tg_multiple_tf_separate/test-vpc0.tf @@ -8,6 +8,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-0" { group = ibm_is_security_group.test-vpc0--vsi0-subnet0.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi1-subnet4.id } 
@@ -84,6 +85,7 @@ resource "ibm_is_security_group" "test-vpc0--vsi1-subnet4" { resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet4-0" { group = ibm_is_security_group.test-vpc0--vsi1-subnet4.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc0--vsi0-subnet0.id } diff --git a/test/expected/sg_tg_multiple_tf_separate/test-vpc1.tf b/test/expected/sg_tg_multiple_tf_separate/test-vpc1.tf index 9149e693..7749f3a9 100644 --- a/test/expected/sg_tg_multiple_tf_separate/test-vpc1.tf +++ b/test/expected/sg_tg_multiple_tf_separate/test-vpc1.tf @@ -8,6 +8,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi0-subnet10" { resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet10-0" { group = ibm_is_security_group.test-vpc1--vsi0-subnet10.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi0-subnet11.id tcp { } @@ -23,6 +24,7 @@ resource "ibm_is_security_group" "test-vpc1--vsi0-subnet11" { resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet11-0" { group = ibm_is_security_group.test-vpc1--vsi0-subnet11.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc1--vsi0-subnet10.id tcp { } diff --git a/test/expected/sg_tg_multiple_tf_separate/test-vpc2.tf b/test/expected/sg_tg_multiple_tf_separate/test-vpc2.tf index 7adad885..9dd76f79 100644 --- a/test/expected/sg_tg_multiple_tf_separate/test-vpc2.tf +++ b/test/expected/sg_tg_multiple_tf_separate/test-vpc2.tf @@ -8,6 +8,7 @@ resource "ibm_is_security_group" "test-vpc2--vsi0-subnet20" { resource "ibm_is_security_group_rule" "test-vpc2--vsi0-subnet20-0" { group = ibm_is_security_group.test-vpc2--vsi0-subnet20.id direction = "outbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc2--vsi2-subnet20.id tcp { port_min = 53 
@@ -32,6 +33,7 @@ resource "ibm_is_security_group" "test-vpc2--vsi2-subnet20" { resource "ibm_is_security_group_rule" "test-vpc2--vsi2-subnet20-0" { group = ibm_is_security_group.test-vpc2--vsi2-subnet20.id direction = "inbound" + local = "0.0.0.0/0" remote = ibm_is_security_group.test-vpc2--vsi0-subnet20.id tcp { port_min = 53 diff --git a/test/main_test_list.go b/test/main_test_list.go index 7b150fff..e0d88937 100644 --- a/test/main_test_list.go +++ b/test/main_test_list.go @@ -429,6 +429,7 @@ func synthSGTestsList() []testCase { // Note2: each data folder has a details.txt file with the test explanation func optimizeSGTestsLists() []testCase { return []testCase{ + // optimize_sg_protocols_to_all tests also test SG rules with local values different from 0.0.0.0/0 { testName: "optimize_sg_protocols_to_all_tf", args: &command{