Add test for setting proxy allowlist

main.tf

@@ -9,6 +9,7 @@ locals {
     "*.fedoraproject.org",                 # fedora runner dependencies install
     "s3.dualstack.us-east-1.amazonaws.com" # gitlab-runner-helper source for runners
   ]
+  proxy_allowlist = setunion(local.devtools_egress_allowlist, var.worker_egress_allowlist)
 }
 
 # the `depends_on` lines for each resource or module is needed to properly sequence initial creation
@@ -168,7 +169,7 @@ module "egress_proxy" {
   cf_egress_space = module.egress_space.space
   name            = var.egress_app_name
   allowports      = [80, 443, 2222]
-  allowlist       = setunion(local.devtools_egress_allowlist, var.worker_egress_allowlist)
+  allowlist       = local.proxy_allowlist
   # see egress_proxy/variables.tf for full list of optional arguments
   depends_on = [module.egress_space]
 }

tests/creation.tftest.hcl

@@ -6,8 +6,9 @@ provider "cloudfoundry-community" {
 }
 
 variables {
-  cf_space_prefix = "glr-cg-ci-tests"
-  ci_server_token = "fake-gdg-server-token"
+  cf_space_prefix         = "glr-cg-ci-tests"
+  ci_server_token         = "fake-gdg-server-token"
+  worker_egress_allowlist = ["*.rubygems.org", "gsa-0.gitlab-dedicated.us"]
 }
 
 run "test-system-creation" {
@@ -94,4 +95,18 @@ run "test-system-creation" {
     ])
     error_message = "Service account is granted space_developer on the egress space"
   }
+
+  assert {
+    condition = local.proxy_allowlist == toset([
+      "*.fr.cloud.gov",
+      "gsa-0.gitlab-dedicated.us",
+      "deb.debian.org",
+      "*.ubuntu.com",
+      "dl-cdn.alpinelinux.org",
+      "*.fedoraproject.org",
+      "s3.dualstack.us-east-1.amazonaws.com",
+      "*.rubygems.org"
+    ])
+    error_message = "The egress allowlist contains manager and worker entries"
+  }
 }