def main():
parser = argparse.ArgumentParser()
parser.add_argument('--location', required=False, default= "eastus",
help='Region where the resource template should be deployed')
parser.add_argument('--resourceGroup', required=True,
help='Resource Group Name')
parser.add_argument('--subscriptionId', required=True,
help='Subscription Id')
parser.add_argument('--policyPath', required=True,
help='Path of the customer firewall policy json file')
args = parser.parse_args()
cl = ArmClient()
# path to vnet sandbox
template_path = '../tests/firewall_policy/templates/firewallPolicySandbox.json'
rg = cl.create_resource_group(args.subscriptionId, args.resourceGroup, args.location)
resource_group_id = '/subscriptions/' + args.subscriptionId + '/resourceGroups/' + args.resourceGroup
cl.deploy_template(args.subscriptionId, "test-deployment01", args.resourceGroup, args.location, template_path)
# load the firewall policy from json
fw_policy_resource_id =resource_group_id + '/providers/Microsoft.Network/firewallPolicies/' + 'fwpolicy01'
rcg_list = []
for filename in os.listdir(args.policyPath):
if filename.endswith('.json'):
print('Opening file ', filename)
with open(os.path.join(args.policyPath, filename), 'r') as f:
resource_dict = json.load(f)
if "RuleCollectionGroups" in resource_dict['type']:
rcg = FirewallPolicyRuleCollectionGroup.from_dict(resource_dict)
rcg.id = None
rcg.location = args.location
rcg_list.append(rcg)
else:
fp = FirewallPolicy.from_dict(resource_dict)
fp.location = args.location
fp.resourceGroup = args.resourceGroup
fp.id = None
# create the firewall policy resource
resp = cl.put_resource(fw_policy_resource_id, json.dumps(fp.serialize()), "2020-06-01")
for index, rcg in enumerate(rcg_list):
res_id = fw_policy_resource_id + '/RuleCollectionGroups/rcg' + str(index)
print('Creating Resource: ', res_id)
resp = cl.put_resource(res_id, json.dumps(rcg.serialize()), "2020-06-01")
print('Created Resource: ', res_id)
class TestVirtualWan:
cl = None
@pytest.fixture
def setup_rg(self, subscriptionId, resourceGroup, location):
self.cl = ArmClient()
self.rg = self.cl.create_resource_group(subscriptionId, resourceGroup,
location)
def test_vwan_create_delete(self, setup_rg, subscriptionId, location,
resourceGroup):
vwan = VirtualWAN()
vwan.location = location
vwan.resourceGroup = resourceGroup
resource_id = '/subscriptions/' + subscriptionId + '/resourceGroups/' + resourceGroup + '/providers/Microsoft.Network/virtualWans/jammyvwan01'
resourceJson = json.dumps(vwan.serialize())
resp = self.cl.put_resource(resource_id, resourceJson, version.VERSION)
def main():
parser = argparse.ArgumentParser()
parser.add_argument(
'--location',
required=False,
default="eastus",
help='Region where the resource template should be deployed')
parser.add_argument('--resourceGroup',
required=True,
help='Resource Group Name')
parser.add_argument('--subscriptionId',
required=True,
help='Subscription Id')
parser.add_argument('--filePath',
required=True,
help='Path of the template file')
args = parser.parse_args()
cl = ArmClient()
rg = cl.create_resource_group(args.subscriptionId, args.resourceGroup,
args.location)
resource_group_id = '/subscriptions/' + args.subscriptionId + '/resourceGroups/' + args.resourceGroup
cl.deploy_template(args.subscriptionId, "test-deployment",
args.resourceGroup, args.location, args.filePath)
class TestFirewallPolicy:
cl = None
@pytest.fixture
def setup_rg(self, subscriptionId, resourceGroup, location):
self.cl = ArmClient()
self.rg = self.cl.create_resource_group(subscriptionId, resourceGroup, location)
def get_firewall_policy(self, resource_id):
resp = self.cl.get_resource(resource_id, "2021-05-01")
return FirewallPolicy.from_dict(json.loads(resp))
def put_firewall_policy(self, resource_id, policy):
resourceJson = json.dumps(policy.serialize())
resp = self.cl.put_resource(resource_id, resourceJson, "2021-05-01")
return resp
def create_network_rule(self, rule_name, src_addresses, dest_addresses, ports, protocols):
net_rule = NetworkRule()
net_rule.name = rule_name
net_rule.source_addresses = src_addresses
net_rule.destination_addresses = dest_addresses
net_rule.destination_ports = ports
net_rule.ip_protocols = protocols
return net_rule
def test_policy_with_ruleCollectionGroup(self, setup_rg, subscriptionId, location, resourceGroup):
fp = FirewallPolicy()
fp.location = location
fp.resourceGroup = resourceGroup
resourceId = '/subscriptions/' + subscriptionId + '/resourceGroups/' + resourceGroup + '/providers/Microsoft.Network/firewallPolicies/jammyFP01'
resp = self.put_firewall_policy(resourceId, fp)
rcg_resourceId = resourceId + '/ruleCollectionGroups/rcg01'
rcg = FirewallPolicyRuleCollectionGroup()
rcg.priority = 200
rcg.rule_collections = []
rc = FirewallPolicyRuleCollection()
rc.rule_collection_type = 'FirewallPolicyFilterRuleCollection'
rcg.rule_collections.append(rc)
resourceJson = json.dumps(rcg.serialize())
resp = self.cl.put_resource(rcg_resourceId, resourceJson, "2021-05-01")
updated_policy = self.get_firewall_policy(resourceId)
def test_create_delete_vhub_fw(self, setup_rg, subscriptionId, location, resourceGroup):
fp = FirewallPolicy()
fp.location = location
fp.resourceGroup = resourceGroup
resource_group_id = '/subscriptions/' + subscriptionId + '/resourceGroups/' + resourceGroup
# first deploy the ARM template
template_file = os.path.join(os.path.dirname(__file__), 'templates', 'firewallPolicyVhubSandbox.json')
self.cl.deploy_template(subscriptionId, "test-deployment-vhub", resourceGroup, location, template_file)
logger.info("test_create_delete_vhub_fw: Step 1: Deploying sandbox template succeeded")
# create firewall policy
resourceId = resource_group_id + '/providers/Microsoft.Network/firewallPolicies/jammyFP03'
resp = self.put_firewall_policy(resourceId, fp)
# create a rule collection group
rcg_resourceId = resourceId + '/ruleCollectionGroups/rcg01'
rcg = FirewallPolicyRuleCollectionGroup()
rcg.priority = 200
rcg.rule_collections = []
rc = FirewallPolicyRuleCollection()
allow_action = FirewallPolicyFilterRuleCollectionAction()
allow_action.type = "ALLOW"
rc.name = "testRuleCollection01"
rc.priority = 1000
rc.action = allow_action
rc.rule_collection_type = 'FirewallPolicyFilterRuleCollection'
rule_list = []
rule_list.append(self.create_network_rule("rule1", ["10.1.0.0/16"], ["8.8.8.8"], ["53"],[FirewallPolicyRuleNetworkProtocol.udp]))
rule_list.append(self.create_network_rule("rule2", ["10.1.0.0/16"], ["8.8.8.4"], ["53"],[FirewallPolicyRuleNetworkProtocol.udp]))
rule_list.append(self.create_network_rule("rule3", ["10.1.0.0/16"], ["8.8.8.4"], ["443"],[FirewallPolicyRuleNetworkProtocol.tcp]))
rc.rules = rule_list
rcg.rule_collections.append(rc)
resourceJson = json.dumps(rcg.serialize())
resp = self.cl.put_resource(rcg_resourceId, resourceJson, "2021-05-01")
logger.info("test_create_delete_vhub_fw: Step 2: Create FP with RuleCollectionGroup succeeded")
# now associate the firewall policy with the firewall deployed.
fw_resourceId = resource_group_id + '/providers/Microsoft.Network/azureFirewalls/' + 'firewall1'
resp = self.cl.get_resource(fw_resourceId , "2020-07-01")
firewall = AzureFirewall.from_dict(json.loads(resp))
policy_ref = SubResource()
policy_ref.id = resourceId
firewall.firewall_policy = policy_ref
resp = self.cl.put_resource(firewall.id, json.dumps(firewall.serialize()), "2020-07-01")
# verify that the policy is associated with the firewall
updated_policy = self.get_firewall_policy(resourceId)
assert len(updated_policy.firewalls) > 0 , "No firewalls associated with firewall policy"
logger.info("test_create_delete_vhub_fw: Step 3: Associate FP with Firewall succeeded")
#finally delete the resource group
self.cl.delete_resource(resource_group_id, '2019-10-01')
def test_create_delete_vnet_fw(self, setup_rg, subscriptionId, location, resourceGroup):
fp = FirewallPolicy()
fp.location = location
fp.resourceGroup = resourceGroup
resource_group_id = '/subscriptions/' + subscriptionId + '/resourceGroups/' + resourceGroup
# first deploy the ARM template
template_file = os.path.join(os.path.dirname(__file__), 'templates', 'firewallPolicySandbox.json')
self.cl.deploy_template(subscriptionId, "test-deployment", resourceGroup, location, template_file)
logger.info("test_create_delete_vnet_fw: Step 1: Deploying sandbox template succeeded")
# create firewall policy
resourceId = resource_group_id + '/providers/Microsoft.Network/firewallPolicies/jammyFP02'
resp = self.put_firewall_policy(resourceId, fp)
# create a rule collection group
rcg_id = resourceId + '/ruleCollectionGroups/rcg01'
net_rule = NetworkRule()
net_rule.name = 'google_dns'
net_rule.source_addresses = ['10.1.0.0/24']
net_rule.destination_addresses = ['8.8.8.8', '8.8.8.4']
net_rule.destination_ports = ["53"]
net_rule.ip_protocols = [FirewallPolicyRuleNetworkProtocol.udp]
rule_list = []
rule_list.append(net_rule)
rcg = FirewallPolicyRuleCollectionGroup()
rcg.priority = 200
rcg.rule_collections = []
rc = FirewallPolicyFilterRuleCollection()
allow_action = FirewallPolicyFilterRuleCollectionAction()
allow_action.type = "ALLOW"
rc.rule_collection_type = 'FirewallPolicyFilterRuleCollection'
rc.name = "testRuleCollection01"
rc.priority = 1000
rc.action = allow_action
rc.rules = rule_list
rcg.rule_collections.append(rc)
resourceJson = json.dumps(rcg.serialize())
resp = self.cl.put_resource(rcg_id, resourceJson, "2021-05-01")
logger.info("test_create_delete_vnet_fw: Step 2: Create FP with RuleCollectionGroup succeeded")
# now associate the firewall policy with the firewall deployed.
fw_resourceId = resource_group_id + '/providers/Microsoft.Network/azureFirewalls/' + 'firewall1'
resp = self.cl.get_resource(fw_resourceId , "2020-07-01")
firewall = AzureFirewall.from_dict(json.loads(resp))
policy_ref = SubResource()
policy_ref.id = resourceId
firewall.firewall_policy = policy_ref
resp = self.cl.put_resource(firewall.id, json.dumps(firewall.serialize()), "2020-07-01")
# verify that the policy is associated with the firewall
updated_policy = self.get_firewall_policy(resourceId)
assert len(updated_policy.firewalls) > 0 , "No firewalls associated with firewall policy"
logger.info("test_create_delete_vnet_fw: Step 3: Associate FP with Firewall succeeded")
#update the policy rule settings
ftp_rule = NetworkRule()
ftp_rule.name = 'ftp'
ftp_rule.source_addresses = ['10.1.0.0/24']
ftp_rule.destination_addresses = ['52.8.4.1', '80.1.18.4']
ftp_rule.destination_ports = ["21"]
ftp_rule.ip_protocols = [FirewallPolicyRuleNetworkProtocol.tcp]
rule_list.append(ftp_rule)
rcg = FirewallPolicyRuleCollectionGroup.from_dict(json.loads(self.cl.get_resource(rcg_id, "2021-05-01")))
rc = rcg.rule_collections[0]
rc.rules = rule_list
resourceJson = json.dumps(rcg.serialize())
resp = self.cl.put_resource(rcg_id, resourceJson, "2021-05-01")
assert (self.get_firewall_policy(resourceId)).provisioning_state == 'Succeeded', "Policy in failed state post update"
logger.info("test_create_delete_vnet_fw: Step 4: Update Firewall Policy succeeded")
#finally delete the resource group
self.cl.delete_resource(resource_group_id, '2019-10-01')
def test_firewall_policy_inheritence(self, subscriptionId, location, resourceGroup):
resourceGroup = "inheritence" + resourceGroup
self.cl = ArmClient()
self.rg = self.cl.create_resource_group(subscriptionId, resourceGroup, location)
fp = FirewallPolicy()
fp.location = location
fp.resourceGroup = resourceGroup
resource_group_id = '/subscriptions/' + subscriptionId + '/resourceGroups/' + resourceGroup
# first deploy the ARM template
template_file = os.path.join(os.path.dirname(__file__), 'templates', 'firewallPolicySandbox.json')
self.cl.deploy_template(subscriptionId, "test-deployment-inheritence", resourceGroup, location, template_file)
# create base firewall policy
resourceId = resource_group_id + '/providers/Microsoft.Network/firewallPolicies/jammyFPBase'
childPolicyId = resource_group_id + '/providers/Microsoft.Network/firewallPolicies/jammyFPChild'
resp = self.put_firewall_policy(resourceId, fp)
# create a rule collection group
rcg_id = resourceId + '/ruleCollectionGroups/rcg01'
net_rule = NetworkRule()
net_rule.name = 'google_dns'
net_rule.source_addresses = ['10.1.0.0/24']
net_rule.destination_addresses = ['8.8.8.8', '8.8.8.4']
net_rule.destination_ports = ["53"]
net_rule.ip_protocols = [FirewallPolicyRuleNetworkProtocol.udp]
rule_list = []
rule_list.append(net_rule)
rcg = FirewallPolicyRuleCollectionGroup()
rcg.priority = 200
rcg.rule_collections = []
rc = FirewallPolicyFilterRuleCollection()
allow_action = FirewallPolicyFilterRuleCollectionAction()
allow_action.type = "ALLOW"
rc.rule_collection_type = 'FirewallPolicyFilterRuleCollection'
rc.name = "testRuleCollection01"
rc.priority = 1000
rc.action = allow_action
rc.rules = rule_list
rcg.rule_collections.append(rc)
resourceJson = json.dumps(rcg.serialize())
resp = self.cl.put_resource(rcg_id, resourceJson, "2021-05-01")
base_policy_ref = SubResource()
base_policy_ref.id = resourceId
fp.base_policy = base_policy_ref
resp = self.put_firewall_policy(childPolicyId, fp)
# now associate the firewall policy with the firewall deployed.
fw_resourceId = resource_group_id + '/providers/Microsoft.Network/azureFirewalls/' + 'firewall1'
resp = self.cl.get_resource(fw_resourceId , "2020-07-01")
firewall = AzureFirewall.from_dict(json.loads(resp))
policy_ref = SubResource()
policy_ref.id = childPolicyId
firewall.firewall_policy = policy_ref
resp = self.cl.put_resource(firewall.id, json.dumps(firewall.serialize()), "2020-07-01")
# verify that the policy is associated with the firewall
updated_policy = self.get_firewall_policy(childPolicyId)
assert len(updated_policy.firewalls) > 0 , "No firewalls associated with firewall policy"
#update the base policy rule settings
ftp_rule = NetworkRule()
ftp_rule.name = 'ftp'
ftp_rule.source_addresses = ['10.1.0.0/24']
ftp_rule.destination_addresses = ['52.8.4.1', '80.1.18.4']
ftp_rule.destination_ports = ["21"]
ftp_rule.ip_protocols = [FirewallPolicyRuleNetworkProtocol.tcp]
rule_list.append(ftp_rule)
rcg = FirewallPolicyRuleCollectionGroup.from_dict(json.loads(self.cl.get_resource(rcg_id, "2021-05-01")))
rc = rcg.rule_collections[0]
rc.rules = rule_list
resourceJson = json.dumps(rcg.serialize())
resp = self.cl.put_resource(rcg_id, resourceJson, "2021-05-01")
assert (self.get_firewall_policy(resourceId)).provisioning_state == 'Succeeded', "Policy in failed state post update"
#finally delete the resource group
self.cl.delete_resource(resource_group_id, '2019-10-01')