From c90c55edd24443ee7f242c156fa4cea71719a335 Mon Sep 17 00:00:00 2001 From: The Magician Date: Mon, 12 Aug 2019 14:26:45 -0700 Subject: [PATCH] New range types supported on google_netblock_ip_ranges (#986) Signed-off-by: Modular Magician --- .../data_source_google_netblock_ip_ranges.go | 81 +++++++++-- ...a_source_google_netblock_ip_ranges_test.go | 134 +++++++++++++++++- ...ce_google_netblock_ip_ranges.html.markdown | 59 +++++++- 3 files changed, 249 insertions(+), 25 deletions(-) diff --git a/google-beta/data_source_google_netblock_ip_ranges.go b/google-beta/data_source_google_netblock_ip_ranges.go index 0af86f262b..1f39d0ab87 100644 --- a/google-beta/data_source_google_netblock_ip_ranges.go +++ b/google-beta/data_source_google_netblock_ip_ranges.go @@ -13,6 +13,11 @@ func dataSourceGoogleNetblockIpRanges() *schema.Resource { Read: dataSourceGoogleNetblockIpRangesRead, Schema: map[string]*schema.Schema{ + "range_type": { + Type: schema.TypeString, + Optional: true, + Default: "cloud-netblocks", + }, "cidr_blocks": { Type: schema.TypeList, Elem: &schema.Schema{Type: schema.TypeString}, 
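Review bot: The new `range_type` attribute accepts any string at plan time, so a typo such as `iap-forwarder` is only caught later in Read by the `Unknown range_type` error, after the plan has already been accepted. Since the set of valid values is fixed in this same commit, the schema entry can reject bad input up front: `ValidateFunc: validation.StringInSlice([]string{"cloud-netblocks", "google-netblocks", "restricted-googleapis", "dns-forwarders", "iap-forwarders", "health-checkers", "legacy-health-checkers"}, false),` placed after the `Default` line. This assumes the provider's usual `helper/validation` import is available in this file, which the hunk does not show. The enclosing `dataSourceGoogleNetblockIpRanges` function starts and ends outside the hunk.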
@@ -33,18 +38,73 @@ func dataSourceGoogleNetblockIpRanges() *schema.Resource { } func dataSourceGoogleNetblockIpRangesRead(d *schema.ResourceData, meta interface{}) error { - d.SetId("netblock-ip-ranges") - // https://cloud.google.com/compute/docs/faq#where_can_i_find_product_name_short_ip_ranges - CidrBlocks, err := getCidrBlocks() + rt := d.Get("range_type").(string) + CidrBlocks := make(map[string][]string) - if err != nil { - return err + switch rt { + // Dynamic ranges + case "cloud-netblocks": + // https://cloud.google.com/compute/docs/faq#where_can_i_find_product_name_short_ip_ranges + const CLOUD_NETBLOCK_DNS = "_cloud-netblocks.googleusercontent.com" + CidrBlocks, err := getCidrBlocks(CLOUD_NETBLOCK_DNS) + + if err != nil { + return err + } + d.Set("cidr_blocks", CidrBlocks["cidr_blocks"]) + d.Set("cidr_blocks_ipv4", CidrBlocks["cidr_blocks_ipv4"]) + d.Set("cidr_blocks_ipv6", CidrBlocks["cidr_blocks_ipv6"]) + case "google-netblocks": + // https://support.google.com/a/answer/33786?hl=en + const GOOGLE_NETBLOCK_DNS = "_spf.google.com" + CidrBlocks, err := getCidrBlocks(GOOGLE_NETBLOCK_DNS) + + if err != nil { + return err + } + d.Set("cidr_blocks", CidrBlocks["cidr_blocks"]) + d.Set("cidr_blocks_ipv4", CidrBlocks["cidr_blocks_ipv4"]) + d.Set("cidr_blocks_ipv6", CidrBlocks["cidr_blocks_ipv6"]) + // Static ranges + case "restricted-googleapis": + // https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid + CidrBlocks["cidr_blocks_ipv4"] = append(CidrBlocks["cidr_blocks_ipv4"], "199.36.153.4/30") + CidrBlocks["cidr_blocks"] = CidrBlocks["cidr_blocks_ipv4"] + d.Set("cidr_blocks", CidrBlocks["cidr_blocks"]) + d.Set("cidr_blocks_ipv4", CidrBlocks["cidr_blocks_ipv4"]) + case "dns-forwarders": + // https://cloud.google.com/dns/zones/#creating-forwarding-zones + CidrBlocks["cidr_blocks_ipv4"] = append(CidrBlocks["cidr_blocks_ipv4"], "35.199.192.0/19") + CidrBlocks["cidr_blocks"] = CidrBlocks["cidr_blocks_ipv4"] + d.Set("cidr_blocks", 
CidrBlocks["cidr_blocks"]) + d.Set("cidr_blocks_ipv4", CidrBlocks["cidr_blocks_ipv4"]) + case "iap-forwarders": + // https://cloud.google.com/iap/docs/using-tcp-forwarding + CidrBlocks["cidr_blocks_ipv4"] = append(CidrBlocks["cidr_blocks_ipv4"], "35.235.240.0/20") + CidrBlocks["cidr_blocks"] = CidrBlocks["cidr_blocks_ipv4"] + d.Set("cidr_blocks", CidrBlocks["cidr_blocks"]) + d.Set("cidr_blocks_ipv4", CidrBlocks["cidr_blocks_ipv4"]) + case "health-checkers": + // https://cloud.google.com/load-balancing/docs/health-checks#fw-ruleh + CidrBlocks["cidr_blocks_ipv4"] = append(CidrBlocks["cidr_blocks_ipv4"], "35.191.0.0/16") + CidrBlocks["cidr_blocks_ipv4"] = append(CidrBlocks["cidr_blocks_ipv4"], "130.211.0.0/22") + CidrBlocks["cidr_blocks"] = CidrBlocks["cidr_blocks_ipv4"] + d.Set("cidr_blocks", CidrBlocks["cidr_blocks"]) + d.Set("cidr_blocks_ipv4", CidrBlocks["cidr_blocks_ipv4"]) + case "legacy-health-checkers": + // https://cloud.google.com/load-balancing/docs/health-check#fw-netlbs + CidrBlocks["cidr_blocks_ipv4"] = append(CidrBlocks["cidr_blocks_ipv4"], "35.191.0.0/16") + CidrBlocks["cidr_blocks_ipv4"] = append(CidrBlocks["cidr_blocks_ipv4"], "209.85.152.0/22") + CidrBlocks["cidr_blocks_ipv4"] = append(CidrBlocks["cidr_blocks_ipv4"], "209.85.204.0/22") + CidrBlocks["cidr_blocks"] = CidrBlocks["cidr_blocks_ipv4"] + d.Set("cidr_blocks", CidrBlocks["cidr_blocks"]) + d.Set("cidr_blocks_ipv4", CidrBlocks["cidr_blocks_ipv4"]) + default: + return fmt.Errorf("Unknown range_type: %s", rt) } - d.Set("cidr_blocks", CidrBlocks["cidr_blocks"]) - d.Set("cidr_blocks_ipv4", CidrBlocks["cidr_blocks_ipv4"]) - d.Set("cidr_blocks_ipv6", CidrBlocks["cidr_blocks_ipv6"]) + d.SetId("netblock-ip-ranges-" + rt) return nil } 
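Review bot: The dynamic cases (`cloud-netblocks`, `google-netblocks`) pass whatever `getCidrBlocks` parsed out of a network response straight to `d.Set`, and the documentation in this same commit shows those values being fed to `google_compute_firewall.source_ranges`; a `net.ParseCIDR` check on each entry before the `d.Set` calls would reject malformed or unexpected tokens at the data source rather than at apply time (this file's imports are not visible here, so `net` may need to be added). Separately, `CidrBlocks, err := getCidrBlocks(...)` inside those two cases declares a new `CidrBlocks` that shadows the map created at the top of the function, and the same `d.Set` lines are repeated in all seven cases. Keeping the static ranges in a package-level table and doing the `d.Set` calls once after the switch removes both the shadowing and the repetition, as sketched below; the static CIDRs are copied exactly as they appear in the hunk.
```go
// staticRanges holds the fixed range_type values; the two SPF-backed types are resolved at read time.
var staticRanges = map[string][]string{
	"restricted-googleapis":  {"199.36.153.4/30"},
	"dns-forwarders":         {"35.199.192.0/19"},
	"iap-forwarders":         {"35.235.240.0/20"},
	"health-checkers":        {"35.191.0.0/16", "130.211.0.0/22"},
	"legacy-health-checkers": {"35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"},
}

func dataSourceGoogleNetblockIpRangesRead(d *schema.ResourceData, meta interface{}) error {
	rt := d.Get("range_type").(string)
	var blocks map[string][]string

	switch rt {
	case "cloud-netblocks", "google-netblocks":
		// https://cloud.google.com/compute/docs/faq#where_can_i_find_product_name_short_ip_ranges
		// https://support.google.com/a/answer/33786?hl=en
		dns := "_cloud-netblocks.googleusercontent.com"
		if rt == "google-netblocks" {
			dns = "_spf.google.com"
		}
		var err error
		if blocks, err = getCidrBlocks(dns); err != nil {
			return err
		}
		// Reject anything that is not a CIDR before it can reach a firewall rule.
		for _, c := range blocks["cidr_blocks"] {
			if _, _, err := net.ParseCIDR(c); err != nil {
				return fmt.Errorf("invalid CIDR %q returned for range_type %s: %v", c, rt, err)
			}
		}
	default:
		v4, ok := staticRanges[rt]
		if !ok {
			return fmt.Errorf("Unknown range_type: %s", rt)
		}
		blocks = map[string][]string{"cidr_blocks": v4, "cidr_blocks_ipv4": v4}
	}

	d.Set("cidr_blocks", blocks["cidr_blocks"])
	d.Set("cidr_blocks_ipv4", blocks["cidr_blocks_ipv4"])
	d.Set("cidr_blocks_ipv6", blocks["cidr_blocks_ipv6"])
	// … unchanged: d.SetId("netblock-ip-ranges-" + rt), return nil …
```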
@@ -66,12 +126,11 @@ func netblock_request(name string) (string, error) { return string(body), nil } -func getCidrBlocks() (map[string][]string, error) { - const INITIAL_NETBLOCK_DNS = "_cloud-netblocks.googleusercontent.com" +func getCidrBlocks(netblock string) (map[string][]string, error) { var dnsNetblockList []string cidrBlocks := make(map[string][]string) - response, err := netblock_request(INITIAL_NETBLOCK_DNS) + response, err := netblock_request(netblock) if err != nil { return nil, err diff --git a/google-beta/data_source_google_netblock_ip_ranges_test.go b/google-beta/data_source_google_netblock_ip_ranges_test.go index 9f7b9a8106..50602bcdb4 100644 --- a/google-beta/data_source_google_netblock_ip_ranges_test.go +++ b/google-beta/data_source_google_netblock_ip_ranges_test.go 
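Review bot: `getCidrBlocks` gains a `netblock` parameter but still has no doc comment, and a reader of the new `switch` in Read has to open this function to learn what the argument is. I would add above the signature: `// getCidrBlocks looks up the SPF record at netblock (and, judging by dnsNetblockList, the records it includes) and groups the resulting entries under the keys cidr_blocks, cidr_blocks_ipv4 and cidr_blocks_ipv6.` The body of `getCidrBlocks` continues past the end of the hunk, so the exact walk it performs is not visible here.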
@@ -15,24 +15,144 @@ func TestAccDataSourceGoogleNetblockIpRanges_basic(t *testing.T) { { Config: testAccNetblockIpRangesConfig, Check: resource.ComposeTestCheckFunc( - resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.some", + // Cloud netblocks + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.cloud", "cidr_blocks.#", regexp.MustCompile(("^[1-9]+[0-9]*$"))), - resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.some", + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.cloud", "cidr_blocks.0", regexp.MustCompile("^(?:[0-9a-fA-F./:]{1,4}){1,2}.*/[0-9]{1,3}$")), - resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.some", + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.cloud", "cidr_blocks_ipv4.#", regexp.MustCompile(("^[1-9]+[0-9]*$"))), - resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.some", + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.cloud", "cidr_blocks_ipv4.0", regexp.MustCompile("^(?:[0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$")), - resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.some", + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.cloud", "cidr_blocks_ipv6.#", regexp.MustCompile(("^[1-9]+[0-9]*$"))), - resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.some", + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.cloud", "cidr_blocks_ipv6.0", regexp.MustCompile("^(?:[0-9a-fA-F]{1,4}:){1,2}.*/[0-9]{1,3}$")), ), }, + { + Config: testAccNetblockIpRangesConfig_google, + Check: resource.ComposeTestCheckFunc( + // Google netblocks + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.google", + "cidr_blocks.#", regexp.MustCompile(("^[1-9]+[0-9]*$"))), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.google", + "cidr_blocks.0", regexp.MustCompile("^(?:[0-9a-fA-F./:]{1,4}){1,2}.*/[0-9]{1,3}$")), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.google", + 
"cidr_blocks_ipv4.#", regexp.MustCompile(("^[1-9]+[0-9]*$"))), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.google", + "cidr_blocks_ipv4.0", regexp.MustCompile("^(?:[0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$")), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.google", + "cidr_blocks_ipv6.#", regexp.MustCompile(("^[1-9]+[0-9]*$"))), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.google", + "cidr_blocks_ipv6.0", regexp.MustCompile("^(?:[0-9a-fA-F]{1,4}:){1,2}.*/[0-9]{1,3}$")), + ), + }, + { + Config: testAccNetblockIpRangesConfig_restricted, + Check: resource.ComposeTestCheckFunc( + // Private Google Access Restricted VIP + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.restricted", "cidr_blocks.#", "1"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.restricted", + "cidr_blocks.0", regexp.MustCompile("^(?:[0-9a-fA-F./:]{1,4}){1,2}.*/[0-9]{1,3}$")), + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.restricted", "cidr_blocks_ipv4.#", "1"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.restricted", + "cidr_blocks_ipv4.0", regexp.MustCompile("^(?:[0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$")), + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.restricted", "cidr_blocks_ipv6.#", "0"), + ), + }, + { + Config: testAccNetblockIpRangesConfig_dns, + Check: resource.ComposeTestCheckFunc( + // DNS outbound forwarding + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.dns", "cidr_blocks.#", "1"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.dns", + "cidr_blocks.0", regexp.MustCompile("^(?:[0-9a-fA-F./:]{1,4}){1,2}.*/[0-9]{1,3}$")), + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.dns", "cidr_blocks_ipv4.#", "1"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.dns", + "cidr_blocks_ipv4.0", regexp.MustCompile("^(?:[0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$")), + 
resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.dns", "cidr_blocks_ipv6.#", "0"), + ), + }, + { + Config: testAccNetblockIpRangesConfig_iap, + Check: resource.ComposeTestCheckFunc( + // IAP sources + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.iap", "cidr_blocks.#", "1"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.iap", + "cidr_blocks.0", regexp.MustCompile("^(?:[0-9a-fA-F./:]{1,4}){1,2}.*/[0-9]{1,3}$")), + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.iap", "cidr_blocks_ipv4.#", "1"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.iap", + "cidr_blocks_ipv4.0", regexp.MustCompile("^(?:[0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$")), + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.iap", "cidr_blocks_ipv6.#", "0"), + ), + }, + { + Config: testAccNetblockIpRangesConfig_hc, + Check: resource.ComposeTestCheckFunc( + // Modern health checkers + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.hc", "cidr_blocks.#", "2"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.hc", + "cidr_blocks.0", regexp.MustCompile("^(?:[0-9a-fA-F./:]{1,4}){1,2}.*/[0-9]{1,3}$")), + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.hc", "cidr_blocks_ipv4.#", "2"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.hc", + "cidr_blocks_ipv4.0", regexp.MustCompile("^(?:[0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$")), + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.hc", "cidr_blocks_ipv6.#", "0"), + ), + }, + { + Config: testAccNetblockIpRangesConfig_lhc, + Check: resource.ComposeTestCheckFunc( + // Legacy health checkers + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.lhc", "cidr_blocks.#", "3"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.lhc", + "cidr_blocks.0", regexp.MustCompile("^(?:[0-9a-fA-F./:]{1,4}){1,2}.*/[0-9]{1,3}$")), + 
resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.lhc", "cidr_blocks_ipv4.#", "3"), + resource.TestMatchResourceAttr("data.google_netblock_ip_ranges.lhc", + "cidr_blocks_ipv4.0", regexp.MustCompile("^(?:[0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$")), + resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.lhc", "cidr_blocks_ipv6.#", "0"), + ), + }, }, }) } const testAccNetblockIpRangesConfig = ` -data "google_netblock_ip_ranges" "some" {} +data "google_netblock_ip_ranges" "cloud" {} +` + +const testAccNetblockIpRangesConfig_google = ` +data "google_netblock_ip_ranges" "google" { + range_type = "google-netblocks" +} +` + +const testAccNetblockIpRangesConfig_restricted = ` +data "google_netblock_ip_ranges" "restricted" { + range_type = "restricted-googleapis" +} +` + +const testAccNetblockIpRangesConfig_dns = ` +data "google_netblock_ip_ranges" "dns" { + range_type = "dns-forwarders" +} +` + +const testAccNetblockIpRangesConfig_iap = ` +data "google_netblock_ip_ranges" "iap" { + range_type = "iap-forwarders" +} +` + +const testAccNetblockIpRangesConfig_hc = ` +data "google_netblock_ip_ranges" "hc" { + range_type = "health-checkers" +} +` + +const testAccNetblockIpRangesConfig_lhc = ` +data "google_netblock_ip_ranges" "lhc" { + range_type = "legacy-health-checkers" +} ` diff --git a/website/docs/d/datasource_google_netblock_ip_ranges.html.markdown b/website/docs/d/datasource_google_netblock_ip_ranges.html.markdown index 654642dca4..493fbdf107 100644 --- a/website/docs/d/datasource_google_netblock_ip_ranges.html.markdown +++ b/website/docs/d/datasource_google_netblock_ip_ranges.html.markdown 
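Review bot: The new steps for the static range types only assert element counts and a loose CIDR-looking regex, so a case in Read that returns the wrong block for a type (say the IAP range under `dns-forwarders`) would still pass. Since those values are literals in the same commit, the checks can pin them, for example `resource.TestCheckResourceAttr("data.google_netblock_ip_ranges.iap", "cidr_blocks_ipv4.0", "35.235.240.0/20"),` and for `hc` both `cidr_blocks_ipv4.0` = `35.191.0.0/16` and `cidr_blocks_ipv4.1` = `130.211.0.0/22`, which is deterministic given the append order in Read. The enclosing `TestAccDataSourceGoogleNetblockIpRanges_basic` starts before the hunk.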
@@ -3,16 +3,14 @@ layout: "google" page_title: "Google: google_netblock_ip_ranges" sidebar_current: "docs-google-datasource-netblock-ip-ranges" description: |- - Use this data source to get the IP ranges from the sender policy framework (SPF) record of \_cloud-netblocks.googleusercontent.com + Use this data source to get the IP addresses from different special IP ranges on Google Cloud Platform. --- # google_netblock_ip_ranges -Use this data source to get the IP ranges from the sender policy framework (SPF) record of \_cloud-netblocks.googleusercontent +Use this data source to get the IP addresses from different special IP ranges on Google Cloud Platform. -https://cloud.google.com/compute/docs/faq#where_can_i_find_product_name_short_ip_ranges - -## Example Usage +## Example Usage - Cloud Ranges ```tf data "google_netblock_ip_ranges" "netblock" {} 
@@ -30,10 +28,57 @@ output "cidr_blocks_ipv6" { } ``` +## Example Usage - Allow Health Checks + +```tf +data "google_netblock_ip_ranges" "legacy-hcs" { + range_type = "legacy-health-checkers" +} + +resource "google_compute_firewall" "allow-hcs" { + name = "allow-hcs" + network = "${google_compute_network.default.name}" + + allow { + protocol = "tcp" + ports = ["80"] + } + + source_ranges = ["${data.google_netblock_ip_ranges.legacy-hcs.cidr_blocks_ipv4}"] +} + +resource "google_compute_network" "default" { + name = "test-network" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `range_type` (Optional) - The type of range for which to provide results. + + Defaults to `cloud-netblocks`. The following `range_type`s are supported: + + * `cloud-netblocks` - Corresponds to the IP addresses used for resources on Google Cloud Platform. [More details.](https://cloud.google.com/compute/docs/faq#where_can_i_find_product_name_short_ip_ranges) + + * `google-netblocks` - Corresponds to IP addresses used for Google services. [More details.](https://support.google.com/a/answer/33786?hl=en) + + * `restricted-googleapis` - Corresponds to the IP addresses used for Private Google Access and/or VPC Service Controls API access. [More details.](https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid) + + * `dns-forwarders` - Corresponds to the IP addresses used to originate Cloud DNS outbound forwarding. [More details.](https://cloud.google.com/dns/zones/#creating-forwarding-zones) + + * `iap-forwarders` - Corresponds to the IP addresses used for Cloud IAP for TCP forwarding. [More details.](https://cloud.google.com/iap/docs/using-tcp-forwarding) + + * `health-checkers` - Corresponds to the IP addresses used for health checking in Cloud Load Balancing. 
[More details.](https://cloud.google.com/load-balancing/docs/health-checks) + + * `legacy-health-checkers` - Corresponds to the IP addresses used for legacy style health checkers (used by Network Load Balancing). [ More details.](https://cloud.google.com/load-balancing/docs/health-checks) + + ## Attributes Reference * `cidr_blocks` - Retrieve list of all CIDR blocks. -* `cidr_blocks_ipv4` - Retrieve list of the IP4 CIDR blocks +* `cidr_blocks_ipv4` - Retrieve list of the IPv4 CIDR blocks -* `cidr_blocks_ipv6` - Retrieve list of the IP6 CIDR blocks. +* `cidr_blocks_ipv6` - Retrieve list of the IPv6 CIDR blocks, if available.