test: Add cloud firewall for integration tests #1444
Conversation
ykim-akamai
requested review from
jriddle-linode and
lgarber-akamai
and removed request for
a team
| @@ -26,3 +27,9 @@ var ProtoV5ProviderFactories = map[string]func() (tfprotov5.ProviderServer, erro | |||
| return muxServer.ProviderServer(), nil | |||
| }, | |||
| } | |||
|
|
|||
| var HttpExternalProviders = map[string]resource.ExternalProvider{ | |||
There was a problem hiding this comment.
Now this external provider is required for any tests that use Linode Cloud Firewall
e.g. ExternalProviders: acceptance.HttpExternalProviders,
| outbound_policy = "ACCEPT" | ||
| inbound_policy = "DROP" | ||
|
|
||
| dynamic "inbound" { |
There was a problem hiding this comment.
This incoming block will include either IPv4, IPv6, or both in Firewall rule, depending on their validity and availability.
|
@ykim-1 I noticed some test configs in this PR don't implement firewalls but have been changed to disable booting. Will this be enough for us to stay compliant with the new policy? |
Thank you for tracking this :) |
I think it should be fine based on conversation with John earlier last wek but, I will confirm with someone from security team. Update: I just got notified "Up to 48H there is no need to add them to a FW, as long as there is no sensitive data there", also given disk(s) is not booted |
@ykim-1 Sounds perfect, thank you! |
📝 Description
This PR implements Linode Cloud Firewall for integration tests to enhance security.
Default Inbound policy: DROP
Default Outbound policy: ACCEPT
Inbound rule: inbound rule with public ip on port 22
Note: GHA does not support ipv6 so only ipv4 will get added in firewall during GHA execution. However, ipv6 will get added automatically if ipv6 address and route exist
✔️ How to Test
make int-test📷 Preview
If applicable, include a screenshot or code snippet of this change. Otherwise, please remove this section.