Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Composer access control #3503

Merged
merged 8 commits into from
May 15, 2020
Merged

Composer access control #3503

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
e4f21d1
Create works, update needs help
slevenick May 12, 2020
5be647b
non-plural name for set items
slevenick May 12, 2020
b459a8e
Add sql and web server ip cidr blocks
slevenick May 12, 2020
0e04ce7
Test passes
slevenick May 13, 2020
bd35b9c
Remove schema from ga version, fix lint erro
slevenick May 13, 2020
a9014b4
Add note to composer docs linking to private environment setup
slevenick May 13, 2020
40ba298
Computed web server access as it has default values set by API. Ignor…
slevenick May 13, 2020
95d6a43
Add computed to new cidr blocks as they get default values based on t…
slevenick May 13, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
150 changes: 150 additions & 0 deletions third_party/terraform/resources/resource_composer_environment.go.erb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,25 @@ var (
"config.0.node_config",
"config.0.software_config",
"config.0.private_environment_config",
<% unless version == "ga" -%>
"config.0.web_server_network_access_control",
<% end -%>
}

<% unless version == "ga" -%>
allowedIpRangesConfig = &schema.Resource{
Schema: map[string]*schema.Schema{
"value": {
Type: schema.TypeString,
Required: true,
},
"description": {
Type: schema.TypeString,
Optional: true,
},
},
}
<% end -%>
)

func resourceComposerEnvironment() *schema.Resource {
Expand Down Expand Up @@ -279,6 +296,8 @@ func resourceComposerEnvironment() *schema.Resource {
AtLeastOneOf: []string{
"config.0.private_environment_config.0.enable_private_endpoint",
"config.0.private_environment_config.0.master_ipv4_cidr_block",
"config.0.private_environment_config.0.cloud_sql_ipv4_cidr_block",
"config.0.private_environment_config.0.web_server_ipv4_cidr_block",
},
ForceNew: true,
},
Expand All @@ -288,13 +307,57 @@ func resourceComposerEnvironment() *schema.Resource {
AtLeastOneOf: []string{
"config.0.private_environment_config.0.enable_private_endpoint",
"config.0.private_environment_config.0.master_ipv4_cidr_block",
"config.0.private_environment_config.0.cloud_sql_ipv4_cidr_block",
"config.0.private_environment_config.0.web_server_ipv4_cidr_block",
},
ForceNew: true,
Default: "172.16.0.0/28",
},
"web_server_ipv4_cidr_block": {
Type: schema.TypeString,
Optional: true,
Computed: true,
AtLeastOneOf: []string{
"config.0.private_environment_config.0.enable_private_endpoint",
"config.0.private_environment_config.0.master_ipv4_cidr_block",
"config.0.private_environment_config.0.cloud_sql_ipv4_cidr_block",
"config.0.private_environment_config.0.web_server_ipv4_cidr_block",
},
ForceNew: true,
},
"cloud_sql_ipv4_cidr_block": {
Type: schema.TypeString,
Optional: true,
Computed: true,
AtLeastOneOf: []string{
"config.0.private_environment_config.0.enable_private_endpoint",
"config.0.private_environment_config.0.master_ipv4_cidr_block",
"config.0.private_environment_config.0.cloud_sql_ipv4_cidr_block",
"config.0.private_environment_config.0.web_server_ipv4_cidr_block",
},
ForceNew: true,
},
},
},
},
<% unless version == "ga" -%>
"web_server_network_access_control": {
Type: schema.TypeList,
Optional: true,
Computed: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"allowed_ip_range": {
Type: schema.TypeSet,
Computed: true,
Optional: true,
Elem: allowedIpRangesConfig,
},
},
},
},
<% end -%>
"airflow_uri": {
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -514,6 +577,18 @@ func resourceComposerEnvironmentUpdate(d *schema.ResourceData, meta interface{})
}
d.SetPartial("config")
}

if d.HasChange("config.0.web_server_network_access_control") {
patchObj := &composer.Environment{Config: &composer.EnvironmentConfig{}}
if config != nil {
patchObj.Config.WebServerNetworkAccessControl = config.WebServerNetworkAccessControl
}
err = resourceComposerEnvironmentPatchField("config.webServerNetworkAccessControl", patchObj, d, tfConfig)
if err != nil {
return err
}
d.SetPartial("config")
}
}

if d.HasChange("labels") {
Expand Down Expand Up @@ -630,10 +705,36 @@ func flattenComposerEnvironmentConfig(envCfg *composer.EnvironmentConfig) interf
transformed["node_config"] = flattenComposerEnvironmentConfigNodeConfig(envCfg.NodeConfig)
transformed["software_config"] = flattenComposerEnvironmentConfigSoftwareConfig(envCfg.SoftwareConfig)
transformed["private_environment_config"] = flattenComposerEnvironmentConfigPrivateEnvironmentConfig(envCfg.PrivateEnvironmentConfig)
<% unless version == "ga" -%>
transformed["web_server_network_access_control"] = flattenComposerEnvironmentConfigWebServerNetworkAccessControl(envCfg.WebServerNetworkAccessControl)
<% end -%>

return []interface{}{transformed}
}

<% unless version == "ga" -%>
func flattenComposerEnvironmentConfigWebServerNetworkAccessControl(accessControl *composer.WebServerNetworkAccessControl) interface{} {
if accessControl == nil || accessControl.AllowedIpRanges == nil {
return nil
}

transformed := make([]interface{}, 0, len(accessControl.AllowedIpRanges))
for _, ipRange := range accessControl.AllowedIpRanges {
data := map[string]interface{}{
"value": ipRange.Value,
"description": ipRange.Description,
}
transformed = append(transformed, data)
}

webServerNetworkAccessControl := make(map[string]interface{})

webServerNetworkAccessControl["allowed_ip_range"] = schema.NewSet(schema.HashResource(allowedIpRangesConfig), transformed)

return []interface{}{webServerNetworkAccessControl}
}

<% end -%>
func flattenComposerEnvironmentConfigPrivateEnvironmentConfig(envCfg *composer.PrivateEnvironmentConfig) interface{} {
if envCfg == nil {
return nil
Expand All @@ -642,6 +743,8 @@ func flattenComposerEnvironmentConfigPrivateEnvironmentConfig(envCfg *composer.P
transformed := make(map[string]interface{})
transformed["enable_private_endpoint"] = envCfg.PrivateClusterConfig.EnablePrivateEndpoint
transformed["master_ipv4_cidr_block"] = envCfg.PrivateClusterConfig.MasterIpv4CidrBlock
transformed["cloud_sql_ipv4_cidr_block"] = envCfg.CloudSqlIpv4CidrBlock
transformed["web_server_ipv4_cidr_block"] = envCfg.WebServerIpv4CidrBlock

return []interface{}{transformed}
}
Expand Down Expand Up @@ -738,6 +841,14 @@ func expandComposerEnvironmentConfig(v interface{}, d *schema.ResourceData, conf
}
transformed.PrivateEnvironmentConfig = transformedPrivateEnvironmentConfig

<% unless version == "ga" -%>
transformedWebServerNetworkAccessControl, err := expandComposerEnvironmentConfigWebServerNetworkAccessControl(original["web_server_network_access_control"], d, config)
if err != nil {
return nil, err
}
transformed.WebServerNetworkAccessControl = transformedWebServerNetworkAccessControl

<% end -%>
return transformed, nil
}

Expand All @@ -748,6 +859,37 @@ func expandComposerEnvironmentConfigNodeCount(v interface{}, d *schema.ResourceD
return int64(v.(int)), nil
}

<% unless version == "ga" -%>
func expandComposerEnvironmentConfigWebServerNetworkAccessControl(v interface{}, d *schema.ResourceData, config *Config) (*composer.WebServerNetworkAccessControl, error) {
l := v.([]interface{})
if len(l) == 0 {
return nil, nil
}
raw := l[0]
original := raw.(map[string]interface{})

allowedIpRangesRaw := original["allowed_ip_range"].(*schema.Set).List()
if len(allowedIpRangesRaw) == 0 {
return nil, nil
}

transformed := &composer.WebServerNetworkAccessControl{}
allowedIpRanges := make([]*composer.AllowedIpRange, 0, len(original))

for _, originalIpRange := range allowedIpRangesRaw {
originalRangeRaw := originalIpRange.(map[string]interface{})
transformedRange := &composer.AllowedIpRange{Value: originalRangeRaw["value"].(string)}
if v, ok := originalRangeRaw["description"]; ok {
transformedRange.Description = v.(string)
}
allowedIpRanges = append(allowedIpRanges, transformedRange)
}

transformed.AllowedIpRanges = allowedIpRanges
return transformed, nil
}

<% end -%>
func expandComposerEnvironmentConfigPrivateEnvironmentConfig(v interface{}, d *schema.ResourceData, config *Config) (*composer.PrivateEnvironmentConfig, error) {
l := v.([]interface{})
if len(l) == 0 {
Expand All @@ -769,6 +911,14 @@ func expandComposerEnvironmentConfigPrivateEnvironmentConfig(v interface{}, d *s
subBlock.MasterIpv4CidrBlock = v.(string)
}

if v, ok := original["cloud_sql_ipv4_cidr_block"]; ok {
transformed.CloudSqlIpv4CidrBlock = v.(string)
}

if v, ok := original["web_server_ipv4_cidr_block"]; ok {
transformed.WebServerIpv4CidrBlock = v.(string)
}

transformed.PrivateClusterConfig = subBlock

return transformed, nil
Expand Down
156 changes: 156 additions & 0 deletions third_party/terraform/tests/resource_composer_environment_test.go.erb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,56 @@ func TestAccComposerEnvironment_private(t *testing.T) {
})
}

<% unless version == "ga" -%>
// Checks environment creation with minimum required information.
func TestAccComposerEnvironment_privateWithWebServerControl(t *testing.T) {
t.Parallel()

envName := fmt.Sprintf("%s-%d", testComposerEnvironmentPrefix, randInt(t))
network := fmt.Sprintf("%s-%d", testComposerNetworkPrefix, randInt(t))
subnetwork := network + "-1"

vcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccComposerEnvironmentDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccComposerEnvironment_privateWithWebServerControl(envName, network, subnetwork),
},
{
ResourceName: "google_composer_environment.test",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccComposerEnvironment_privateWithWebServerControlUpdated(envName, network, subnetwork),
},
{
ResourceName: "google_composer_environment.test",
ImportState: true,
ImportStateVerify: true,
},
{
ResourceName: "google_composer_environment.test",
ImportState: true,
ImportStateId: fmt.Sprintf("projects/%s/locations/%s/environments/%s", getTestProjectFromEnv(), "us-central1", envName),
ImportStateVerify: true,
},
// This is a terrible clean-up step in order to get destroy to succeed,
// due to dangling firewall rules left by the Composer Environment blocking network deletion.
// TODO(emilyye): Remove this check if firewall rules bug gets fixed by Composer.
{
PlanOnly: true,
ExpectNonEmptyPlan: false,
Config: testAccComposerEnvironment_privateWithWebServerControlUpdated(envName, network, subnetwork),
Check: testAccCheckClearComposerEnvironmentFirewalls(t, network),
},
},
})
}

<% end -%>
// Checks behavior of node config, including dependencies on Compute resources.
func TestAccComposerEnvironment_withNodeConfig(t *testing.T) {
t.Parallel()
Expand Down Expand Up @@ -373,6 +423,112 @@ resource "google_compute_subnetwork" "test" {
`, name, network, subnetwork)
}

<% unless version == "ga" -%>
func testAccComposerEnvironment_privateWithWebServerControl(name, network, subnetwork string) string {
return fmt.Sprintf(`
resource "google_composer_environment" "test" {
name = "%s"
region = "us-central1"

config {
node_config {
network = google_compute_network.test.self_link
subnetwork = google_compute_subnetwork.test.self_link
zone = "us-central1-a"
ip_allocation_policy {
use_ip_aliases = true
cluster_ipv4_cidr_block = "10.56.0.0/14"
services_ipv4_cidr_block = "10.122.0.0/20"
}
}
private_environment_config {
enable_private_endpoint = false
web_server_ipv4_cidr_block = "172.30.240.0/24"
cloud_sql_ipv4_cidr_block = "10.32.0.0/12"
master_ipv4_cidr_block = "172.17.50.0/28"
}
web_server_network_access_control {
allowed_ip_range {
value = "192.168.0.1"
description = "my range1"
}
allowed_ip_range {
value = "0.0.0.0/0"
}
}
}
}

// use a separate network to avoid conflicts with other tests running in parallel
// that use the default network/subnet
resource "google_compute_network" "test" {
name = "%s"
auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "test" {
name = "%s"
ip_cidr_range = "10.2.0.0/16"
region = "us-central1"
network = google_compute_network.test.self_link
private_ip_google_access = true
}
`, name, network, subnetwork)
}

func testAccComposerEnvironment_privateWithWebServerControlUpdated(name, network, subnetwork string) string {
return fmt.Sprintf(`
resource "google_composer_environment" "test" {
name = "%s"
region = "us-central1"

config {
node_config {
network = google_compute_network.test.self_link
subnetwork = google_compute_subnetwork.test.self_link
zone = "us-central1-a"
ip_allocation_policy {
use_ip_aliases = true
cluster_ipv4_cidr_block = "10.56.0.0/14"
services_ipv4_cidr_block = "10.122.0.0/20"
}
}
private_environment_config {
enable_private_endpoint = false
web_server_ipv4_cidr_block = "172.30.240.0/24"
cloud_sql_ipv4_cidr_block = "10.32.0.0/12"
master_ipv4_cidr_block = "172.17.50.0/28"
}
web_server_network_access_control {
allowed_ip_range {
value = "192.168.0.1"
description = "my range1"
}
allowed_ip_range {
value = "0.0.0.0/0"
}
}
}
}

// use a separate network to avoid conflicts with other tests running in parallel
// that use the default network/subnet
resource "google_compute_network" "test" {
name = "%s"
auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "test" {
name = "%s"
ip_cidr_range = "10.2.0.0/16"
region = "us-central1"
network = google_compute_network.test.self_link
private_ip_google_access = true
}
`, name, network, subnetwork)
}

<% end -%>
func testAccComposerEnvironment_update(name, network, subnetwork string) string {
return fmt.Sprintf(`
data "google_composer_image_versions" "all" {
Expand Down
Loading