
google_compute_firewall: allow_port_protocol fails on icmp

Open rrey opened this issue 5 years ago • 2 comments

Describe the problem

Given the following test:

  describe google_compute_firewall(project: PROJECT_ID, region: REGION, name: 'allow-ingress-icmp') do
    it { should exist }
    its('network') { should eq "https://www.googleapis.com/compute/v1/projects/#{PROJECT_ID}/global/networks/default" }
    its('priority') { should eq 65533 }
    its('direction') { should eq 'INGRESS' }
    its('source_ranges') { should eq ["10.10.3.0/24", "10.179.0.0/16", "10.10.6.0/23", "10.178.0.0/16", "10.182.0.0/16", "10.176.0.0/15"] }
    it { should allow_port_protocol(nil, 'icmp') }
  end

and the following output from a gcloud compute firewall-rules describe allow-ingress-icmp --project=xxxxxxxxxx:

  allowed:
  - IPProtocol: icmp
  creationTimestamp: '2019-07-30T08:20:19.727-07:00'
  description: Open ingress ICMP traffic
  direction: INGRESS
  disabled: false
  id: '2827874966038240988'
  kind: compute#firewall
  logConfig:
    enable: false
  name: allow-ingress-icmp
  network: https://www.googleapis.com/compute/v1/projects/xxxxxxxxx/global/networks/default
  priority: 65533
  selfLink: https://www.googleapis.com/compute/v1/projects/xxxxxxxxx/global/firewalls/allow-ingress-icmp
  sourceRanges:
  - 10.10.3.0/24
  - 10.179.0.0/16
  - 10.10.6.0/23
  - 10.178.0.0/16
  - 10.182.0.0/16
  - 10.176.0.0/15

The inspec test result shows an error in the execution:

     ×  Firewall Rule allow-ingress-icmp should allow port protocol 0 and "icmp"
     expected `Firewall Rule allow-ingress-icmp.allow_port_protocol?(0, "icmp")` to return true, got false

Tests on tcp rules do not fail though...

rrey avatar Jul 30 '19 15:07 rrey

Hey @rrey,

I'm not too familiar with this, but I believe ICMP doesn't work with specific ports. allow_port_protocol doesn't work when nil is passed as the port, but I think what you are looking for is something like this:

  its('allowed.first.ip_protocol') { should cmp 'icmp' }

This will only work if there is a single allow rule on the firewall though.

If we want to get a little more complex you can do something like this:

  firewall = google_compute_firewall(project: 'project', region: 'us-central1-a', name: 'rule-name')
  describe.one do
    firewall.allowed.each do |allow_rule|
      describe allow_rule do
        its('ip_protocol') { should cmp 'icmp' }
      end
    end
  end

This will loop through all the allow rules for the firewall rule and make sure that at least one of them has the ip_protocol of icmp.

Does this solve your issue?

slevenick avatar Aug 05 '19 23:08 slevenick
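The check discussed in this thread, written as a stand-alone Ruby helper (an added example, not inspec-gcp's own `allow_port_protocol?` implementation): it treats a nil port as "any port" rather than coercing it to 0, so a port-less protocol such as icmp matches, while a tcp entry with an explicit port list is still checked against the given port. The `FIREWALL_YAML` sample is constructed here and modelled on the gcloud output above.

```ruby
require 'yaml'

# Constructed sample modelled on the gcloud output in the issue: one ICMP
# entry and one TCP entry with a port list, so both code paths are exercised.
FIREWALL_YAML = <<~YAML
  name: allow-ingress-icmp
  direction: INGRESS
  allowed:
  - IPProtocol: icmp
  - IPProtocol: tcp
    ports:
    - '22'
    - '8000-8100'
YAML

# Protocols that carry no port numbers; a GCP rule for them never lists ports.
PORTLESS = %w[icmp esp ah ipip].freeze

# Does one `allowed` entry permit `port` over `protocol`?
# port == nil means "any port" (the ICMP case, or a tcp entry with no ports).
def entry_allows?(entry, port, protocol)
  proto = entry['IPProtocol'].to_s.downcase
  return false unless proto == protocol.downcase || proto == 'all'

  ports = entry['ports'] || []
  # No port list (or a port-less protocol): the protocol match is enough.
  return true if PORTLESS.include?(proto) || ports.empty?
  # An explicit port list cannot be satisfied by "any port".
  return false if port.nil?

  ports.any? do |spec|                 # each spec is '22' or '8000-8100'
    lo, hi = spec.to_s.split('-', 2).map(&:to_i)
    hi ||= lo
    (lo..hi).cover?(port.to_i)
  end
end

# True when at least one allowed entry of the firewall rule matches.
def allow_port_protocol?(firewall, port, protocol)
  Array(firewall['allowed']).any? { |e| entry_allows?(e, port, protocol) }
end

FIREWALL = YAML.safe_load(FIREWALL_YAML)

if __FILE__ == $PROGRAM_NAME
  p allow_port_protocol?(FIREWALL, nil, 'icmp')  # true
  p allow_port_protocol?(FIREWALL, 22, 'tcp')    # true
  p allow_port_protocol?(FIREWALL, 443, 'tcp')   # false
end
```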

Hi @slevenick,

I'll try to test that, maybe it will be enough. FYI, I'm using nil in a working test that implies the "all" case (with tcp), but it is probably because of the "all" exception.

rrey avatar Aug 09 '19 21:08 rrey