From dd4a2d772f3c8463514821261d0348fa958eb78e Mon Sep 17 00:00:00 2001 From: Yair Slobodin <154875779+YairSlobodin1@users.noreply.github.com> Date: Wed, 18 Dec 2024 17:25:12 +0200 Subject: [PATCH 1/4] Remove duplicate code in io package (#220) --- cmd/subcmds/output.go | 7 +- pkg/io/{csvio => }/common.go | 48 ++++----- pkg/io/{csvio/acl.go => commonACL.go} | 80 ++++++-------- pkg/io/{csvio/sg.go => commonSG.go} | 57 ++++------ pkg/io/csvWriter.go | 39 +++++++ pkg/io/jsonio/unmarshalConns.go | 4 +- pkg/io/jsonio/unmarshalDefinitions.go | 1 + pkg/io/mdWriter.go | 65 ++++++++++++ pkg/io/mdio/acl.go | 138 ------------------------ pkg/io/mdio/common.go | 82 --------------- pkg/io/mdio/sg.go | 144 -------------------------- pkg/io/tfio/acl.go | 129 +++++++++++------------ pkg/io/tfio/common.go | 5 + pkg/io/tfio/sg.go | 139 ++++++++++++------------- pkg/ir/acl.go | 4 +- pkg/ir/sg.go | 3 +- pkg/ir/spec.go | 5 +- pkg/optimize/sg/sg.go | 2 +- pkg/synth/sg.go | 4 +- pkg/utils/utils.go | 2 +- 20 files changed, 335 insertions(+), 623 deletions(-) rename pkg/io/{csvio => }/common.go (76%) rename pkg/io/{csvio/acl.go => commonACL.go} (68%) rename pkg/io/{csvio/sg.go => commonSG.go} (80%) create mode 100644 pkg/io/csvWriter.go create mode 100644 pkg/io/mdWriter.go delete mode 100644 pkg/io/mdio/acl.go delete mode 100644 pkg/io/mdio/common.go delete mode 100644 pkg/io/mdio/sg.go diff --git a/cmd/subcmds/output.go b/cmd/subcmds/output.go index 339b06b1..b10cf364 100644 --- a/cmd/subcmds/output.go +++ b/cmd/subcmds/output.go @@ -12,9 +12,8 @@ import ( "os" "path/filepath" + "github.com/np-guard/vpc-network-config-synthesis/pkg/io" "github.com/np-guard/vpc-network-config-synthesis/pkg/io/confio" - "github.com/np-guard/vpc-network-config-synthesis/pkg/io/csvio" - "github.com/np-guard/vpc-network-config-synthesis/pkg/io/mdio" "github.com/np-guard/vpc-network-config-synthesis/pkg/io/tfio" "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" ) 
@@ -77,9 +76,9 @@ func pickWriter(args *inArgs, data *bytes.Buffer, isSynth bool) (ir.Writer, erro case tfOutputFormat: return tfio.NewWriter(w), nil case csvOutputFormat: - return csvio.NewWriter(w), nil + return io.NewCSVWriter(w), nil case mdOutputFormat: - return mdio.NewWriter(w), nil + return io.NewMDWriter(w), nil case jsonOutputFormat: if isSynth { return confio.NewWriter(w, args.configFile) diff --git a/pkg/io/csvio/common.go b/pkg/io/common.go similarity index 76% rename from pkg/io/csvio/common.go rename to pkg/io/common.go index 41cd664d..1a0eb695 100644 --- a/pkg/io/csvio/common.go +++ b/pkg/io/common.go @@ -3,33 +3,22 @@ Copyright 2023- IBM Inc. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ -// Package csvio implements output of ACLs and security groups in CSV format -package csvio +package io import ( - "encoding/csv" "fmt" - "io" "strconv" "strings" + "github.com/np-guard/models/pkg/interval" "github.com/np-guard/models/pkg/netp" "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" ) -// Writer implements ir.Writer -type Writer struct { - w *csv.Writer -} - -func NewWriter(w io.Writer) *Writer { - return &Writer{w: csv.NewWriter(w)} -} - const ( anyProtocol = "ALL" - nonIcmp = "-" // IBM cloud uses "—" + nonIcmp = "-" anyIcmpValue = "Any" ) @@ -40,6 +29,25 @@ func direction(d ir.Direction) string { return "Outbound" } +func printProtocolName(protocol netp.Protocol) string { + switch p := protocol.(type) { + case netp.ICMP: + return string(netp.ProtocolStringICMP) + case netp.TCPUDP: + return strings.ToUpper(string(p.ProtocolString())) + case netp.AnyProtocol: + return anyProtocol + } + return "" +} + +func printPorts(p interval.Interval) string { + if p.Equal(netp.AllPorts()) { + return "any port" + } + return fmt.Sprintf("ports %v-%v", p.Start(), p.End()) +} + func printICMPTypeCode(protocol netp.Protocol) string { p, ok := protocol.(netp.ICMP) if !ok { 
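Review bot: The constant block in the pkg/io/common.go hunk drops the explanatory comment on `nonIcmp`, so the next reader has no hint that the plain ASCII hyphen is a deliberate choice where IBM Cloud shows a different dash; keep it as `nonIcmp = "-" // IBM cloud uses "—"`. The new `printProtocolName` is now the single copy shared by the CSV and MD writers and still falls through to `return ""` for an unrecognised protocol type with nothing saying whether that is an error; a one-line comment above that return, `// unknown protocol types print as an empty name; callers do not treat this as an error`, makes the contract explicit. `printICMPTypeCode` continues past the end of this hunk.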
@@ -55,15 +63,3 @@ func printICMPTypeCode(protocol netp.Protocol) string { } return fmt.Sprintf("Type: %v, Code: %v", icmpType, icmpCode) } - -func printProtocolName(protocol netp.Protocol) string { - switch p := protocol.(type) { - case netp.ICMP: - return "ICMP" - case netp.TCPUDP: - return strings.ToUpper(string(p.ProtocolString())) - case netp.AnyProtocol: - return anyProtocol - } - return "" -} diff --git a/pkg/io/csvio/acl.go b/pkg/io/commonACL.go similarity index 68% rename from pkg/io/csvio/acl.go rename to pkg/io/commonACL.go index 643dfe38..865e3251 100644 --- a/pkg/io/csvio/acl.go +++ b/pkg/io/commonACL.go 
@@ -3,66 +3,34 @@ Copyright 2023- IBM Inc. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ -package csvio +package io import ( "errors" "fmt" + "slices" "strconv" - "github.com/np-guard/models/pkg/interval" "github.com/np-guard/models/pkg/netp" "github.com/np-guard/models/pkg/netset" "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" ) -// Write prints an entire collection of acls as a single CSV table. -func (w *Writer) WriteACL(collection *ir.ACLCollection, vpc string) error { - if err := w.w.WriteAll(aclHeader()); err != nil { - return err - } +func WriteACL(collection *ir.ACLCollection, vpc string) ([][]string, error) { + res := make([][]string, 0) for _, subnet := range collection.SortedACLSubnets(vpc) { vpcName := ir.VpcFromScopedResource(subnet) aclTable, err := makeACLTable(collection.ACLs[vpcName][subnet], subnet) - if err != nil { - return err - } - if err := w.w.WriteAll(aclTable); err != nil { - return err - } - } - return nil -} - -func makeACLTable(t *ir.ACL, subnet string) ([][]string, error) { - rules := t.Rules() - rows := make([][]string, len(rules)) - for i, rule := range rules { - aclRow, err := makeACLRow(i+1, rule, t.Name(), subnet) if err != nil { return nil, err } - rows[i] = aclRow - } - return rows, nil -} - -func aclPort(p interval.Interval) string { - if p.Equal(netp.AllPorts()) { - return "any port" //nolint:goconst // independent decision for SG and ACL - } - return fmt.Sprintf("ports %v-%v", p.Start(), p.End()) -} - -func action(a ir.Action) string { - if a == ir.Deny { - return "Deny" + res = slices.Concat(res, aclTable) } - return "Allow" + return res, nil } -func aclHeader() [][]string { +func makeACLHeader() [][]string { return [][]string{{ "Acl", "Subnet", 
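Review bot: `WriteACL` is now an exported function that returns rows rather than writing anything, yet it keeps the `Write` name and loses the doc comment the old method had; an exported identifier needs a comment starting with its name, e.g. `// WriteACL builds the table rows (header excluded) for every ACL of vpc in collection, one row per rule; the header comes from makeACLHeader.`. Accumulating with `res = slices.Concat(res, aclTable)` inside the loop allocates and copies the whole result on every iteration, whereas `res = append(res, aclTable...)` does the same job in amortised linear time. The same Concat-in-a-loop pattern appears in `WriteSG` in pkg/io/commonSG.go, in `translateConnections` in pkg/io/jsonio/unmarshalConns.go and in `lookupSegment` in pkg/ir/spec.go, the latter two of which start outside their hunks.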
@@ -77,9 +45,22 @@ func aclHeader() [][]string { }} } +func makeACLTable(t *ir.ACL, subnet string) ([][]string, error) { + rules := t.Rules() + rows := make([][]string, len(rules)) + for i, rule := range rules { + aclRow, err := makeACLRow(i+1, rule, t.Name(), subnet) + if err != nil { + return nil, err + } + rows[i] = aclRow + } + return rows, nil +} + func makeACLRow(priority int, rule *ir.ACLRule, aclName, subnet string) ([]string, error) { - srcProtocol, err1 := printIP(rule.Source, rule.Protocol, true) - dstProtocol, err2 := printIP(rule.Destination, rule.Protocol, false) + src, err1 := printIP(rule.Source, rule.Protocol, true) + dst, err2 := printIP(rule.Destination, rule.Protocol, false) if errors.Join(err1, err2) != nil { return nil, errors.Join(err1, err2) } @@ -91,13 +72,20 @@ func makeACLRow(priority int, rule *ir.ACLRule, aclName, subnet string) ([]strin strconv.Itoa(priority), action(rule.Action), printProtocolName(rule.Protocol), - srcProtocol, - dstProtocol, + src, + dst, printICMPTypeCode(rule.Protocol), rule.Explanation, }, nil } +func action(a ir.Action) string { + if a == ir.Deny { + return "Deny" + } + return "Allow" +} + func printIP(ip *netset.IPBlock, protocol netp.Protocol, isSource bool) (string, error) { ipString := ip.String() if ip.Equal(netset.GetCidrAll()) { @@ -107,13 +95,11 @@ func printIP(ip *netset.IPBlock, protocol netp.Protocol, isSource bool) (string, case netp.ICMP: return ipString, nil case netp.TCPUDP: - var r interval.Interval + r := p.DstPorts() if isSource { r = p.SrcPorts() - } else { - r = p.DstPorts() } - return fmt.Sprintf("%v, %v", ipString, aclPort(r)), nil + return fmt.Sprintf("%v, %v", ipString, printPorts(r)), nil case netp.AnyProtocol: return ipString, nil } diff --git a/pkg/io/csvio/sg.go b/pkg/io/commonSG.go similarity index 80% rename from pkg/io/csvio/sg.go rename to pkg/io/commonSG.go index 35c74f8b..3a05a5ec 100644 --- a/pkg/io/csvio/sg.go +++ b/pkg/io/commonSG.go 
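Review bot: `makeACLRow` evaluates `errors.Join(err1, err2)` twice, once in the condition and again to build the return value; the deleted mdio copy of this function had the single-evaluation form, which is the one worth keeping: `if err := errors.Join(err1, err2); err != nil {` / `return nil, err`. `makeSGRow` in pkg/io/commonSG.go presumably has the same double call (the mdio version it replaces used `errors.Join(err1, err2, err3)`), but that part of its body lies outside the visible hunks.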
@@ -3,23 +3,21 @@ Copyright 2023- IBM Inc. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ -package csvio +package io import ( "errors" "fmt" + "slices" - "github.com/np-guard/models/pkg/interval" "github.com/np-guard/models/pkg/netp" "github.com/np-guard/models/pkg/netset" "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" ) -func (w *Writer) WriteSG(collection *ir.SGCollection, vpc string) error { - if err := w.w.WriteAll(sgHeader()); err != nil { - return err - } +func WriteSG(collection *ir.SGCollection, vpc string) ([][]string, error) { + res := make([][]string, 0) for _, vpcName := range collection.VpcNames() { if vpc != vpcName && vpc != "" { continue @@ -27,17 +25,15 @@ func (w *Writer) WriteSG(collection *ir.SGCollection, vpc string) error { for _, sgName := range collection.SortedSGNames(vpcName) { sgTable, err := makeSGTable(collection.SGs[vpcName][sgName], sgName) if err != nil { - return err - } - if err := w.w.WriteAll(sgTable); err != nil { - return err + return nil, err } + res = slices.Concat(res, sgTable) } } - return nil + return res, nil } -func sgHeader() [][]string { +func makeSGHeader() [][]string { return [][]string{{ "SG", "Direction", @@ -49,6 +45,19 @@ func sgHeader() [][]string { }} } +func makeSGTable(t *ir.SG, sgName ir.SGName) ([][]string, error) { + rules := t.AllRules() + rows := make([][]string, len(rules)) + for i, rule := range rules { + sgRow, err := makeSGRow(rule, sgName) + if err != nil { + return nil, err + } + rows[i] = sgRow + } + return rows, nil +} + func makeSGRow(rule *ir.SGRule, sgName ir.SGName) ([]string, error) { remoteType, err1 := sgRemoteType(rule.Remote) remote, err2 := sgRemote(rule.Remote) 
@@ -68,28 +77,6 @@ func makeSGRow(rule *ir.SGRule, sgName ir.SGName) ([]string, error) { }, nil } -func makeSGTable(t *ir.SG, sgName ir.SGName) ([][]string, error) { - rules := t.AllRules() - rows := make([][]string, len(rules)) - for i, rule := range rules { - sgRow, err := makeSGRow(rule, sgName) - if err != nil { - return nil, err - } - rows[i] = sgRow - } - return rows, nil -} - -func sgPort(p interval.Interval) string { - switch { - case p.Start() == netp.MinPort && p.End() == netp.MaxPort: - return "any port" - default: - return fmt.Sprintf("ports %v-%v", p.Start(), p.End()) - } -} - func sgRemoteType(t ir.RemoteType) (string, error) { switch p := t.(type) { case *netset.IPBlock: @@ -122,7 +109,7 @@ func printProtocolParams(protocol netp.Protocol) (string, error) { case netp.ICMP: return printICMPTypeCode(protocol), nil case netp.TCPUDP: - return sgPort(p.DstPorts()), nil + return printPorts(p.DstPorts()), nil case netp.AnyProtocol: return "", nil } diff --git a/pkg/io/csvWriter.go b/pkg/io/csvWriter.go new file mode 100644 index 00000000..4a31e67a --- /dev/null +++ b/pkg/io/csvWriter.go @@ -0,0 +1,39 @@ +/* +Copyright 2023- IBM Inc. All Rights Reserved. +SPDX-License-Identifier: Apache-2.0 +*/ + +package io + +import ( + "encoding/csv" + "io" + "slices" + + "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" +) + +// CSVWriter implements ir.Writer +type CSVWriter struct { + w *csv.Writer +} + +func NewCSVWriter(w io.Writer) *CSVWriter { + return &CSVWriter{w: csv.NewWriter(w)} +} + +func (w *CSVWriter) WriteSG(collection *ir.SGCollection, vpc string) error { + sgTable, err := WriteSG(collection, vpc) + if err != nil { + return err + } + return w.w.WriteAll(slices.Concat(makeSGHeader(), sgTable)) +} + +func (w *CSVWriter) WriteACL(collection *ir.ACLCollection, vpc string) error { + aclTable, err := WriteACL(collection, vpc) + if err != nil { + return err + } + return w.w.WriteAll(slices.Concat(makeACLHeader(), aclTable)) +} 
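Review bot: Naming the new package `io` collides with the standard library package of the same name, and pkg/io/csvWriter.go already shows the cost: `package io` imports `"io"` and then declares `NewCSVWriter(w io.Writer)`, where `io` means the stdlib inside this file but refers to this package in cmd/subcmds/output.go. A distinct package name (for example `tableio`, keeping the directory if desired) removes the ambiguity and the need for an import alias in any caller that also uses stdlib `io`. Independently, the exported `NewCSVWriter` has no doc comment; `// NewCSVWriter returns an ir.Writer that emits ACL and SG tables as CSV on w.` is enough, and the same applies to `NewMDWriter` in pkg/io/mdWriter.go.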
diff --git a/pkg/io/jsonio/unmarshalConns.go b/pkg/io/jsonio/unmarshalConns.go index c6fc06bc..8f4a5145 100644 --- a/pkg/io/jsonio/unmarshalConns.go +++ b/pkg/io/jsonio/unmarshalConns.go @@ -10,9 +10,11 @@ import ( "errors" "fmt" "log" + "slices" "github.com/np-guard/models/pkg/netp" "github.com/np-guard/models/pkg/spec" + "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" ) @@ -25,7 +27,7 @@ func (r *Reader) translateConnections(conns []spec.SpecRequiredConnectionsElem, if err != nil { return nil, err } - res = append(res, connections...) + res = slices.Concat(res, connections) } return res, nil } diff --git a/pkg/io/jsonio/unmarshalDefinitions.go b/pkg/io/jsonio/unmarshalDefinitions.go index 20dae58d..b675c564 100644 --- a/pkg/io/jsonio/unmarshalDefinitions.go +++ b/pkg/io/jsonio/unmarshalDefinitions.go @@ -11,6 +11,7 @@ import ( "github.com/np-guard/models/pkg/netset" "github.com/np-guard/models/pkg/spec" + "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" "github.com/np-guard/vpc-network-config-synthesis/pkg/utils" ) diff --git a/pkg/io/mdWriter.go b/pkg/io/mdWriter.go new file mode 100644 index 00000000..3b102b49 --- /dev/null +++ b/pkg/io/mdWriter.go 
@@ -0,0 +1,65 @@ +/* +Copyright 2023- IBM Inc. All Rights Reserved. +SPDX-License-Identifier: Apache-2.0 +*/ + +package io + +import ( + "bufio" + "io" + "slices" + "strings" + + "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" +) + +const ( + leftAlign = " :--- " + separator = " | " +) + +// MDWriter implements ir.Writer +type MDWriter struct { + w *bufio.Writer +} + +func NewMDWriter(w io.Writer) *MDWriter { + return &MDWriter{w: bufio.NewWriter(w)} +} + +func (w *MDWriter) WriteSG(collection *ir.SGCollection, vpc string) error { + sgTable, err := WriteSG(collection, vpc) + if err != nil { + return err + } + sgHeader := makeSGHeader() + return w.writeAll(slices.Concat(sgHeader, addAligns(len(sgHeader[0])), sgTable)) +} + +func (w *MDWriter) WriteACL(collection *ir.ACLCollection, vpc string) error { + aclTable, err := WriteACL(collection, vpc) + if err != nil { + return err + } + aclHeader := makeACLHeader() + return w.writeAll(slices.Concat(aclHeader, addAligns(len(aclHeader[0])), aclTable)) +} + +func (w *MDWriter) writeAll(rows [][]string) error { + for _, row := range rows { + finalString := separator + strings.Join(row, separator) + separator + "\n" + if _, err := w.w.WriteString(finalString); err != nil { + return err + } + } + return w.w.Flush() +} + +func addAligns(n int) [][]string { + res := make([]string, n) + for i := range n { + res[i] = leftAlign + } + return [][]string{res} +} diff --git a/pkg/io/mdio/acl.go b/pkg/io/mdio/acl.go deleted file mode 100644 index 17f2b2ee..00000000 --- a/pkg/io/mdio/acl.go +++ /dev/null 
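Review bot: `writeAll` joins cell text straight into the Markdown row, so any cell containing `|` or a newline breaks the table layout; `rule.Explanation` is passed through unchanged by `makeACLRow`/`makeSGRow` and, if it originates from the user-supplied spec, is the cell most likely to carry such characters. Escaping each cell before the join keeps the table well-formed without touching the row builders, and the file already imports `strings`. The change is confined to `writeAll`, which is complete within this hunk.
```go
func (w *MDWriter) writeAll(rows [][]string) error {
	for _, row := range rows {
		cells := make([]string, len(row))
		for i, cell := range row {
			// free-text cells (e.g. rule explanations) must not contain the column separator or line breaks
			cells[i] = strings.ReplaceAll(strings.ReplaceAll(cell, "\n", " "), "|", "\\|")
		}
		finalString := separator + strings.Join(cells, separator) + separator + "\n"
		// … unchanged: WriteString and error check …
	}
	return w.w.Flush()
}
```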
@@ -1,138 +0,0 @@ -/* -Copyright 2023- IBM Inc. All Rights Reserved. -SPDX-License-Identifier: Apache-2.0 -*/ - -package mdio - -import ( - "errors" - "fmt" - "strconv" - - "github.com/np-guard/models/pkg/interval" - "github.com/np-guard/models/pkg/netp" - "github.com/np-guard/models/pkg/netset" - - "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" -) - -// Write prints an entire collection of acls as a single MD table. -func (w *Writer) WriteACL(collection *ir.ACLCollection, vpc string) error { - if err := w.writeAll(aclHeader()); err != nil { - return err - } - for _, subnet := range collection.SortedACLSubnets(vpc) { - vpcName := ir.VpcFromScopedResource(subnet) - aclTable, err := makeACLTable(collection.ACLs[vpcName][subnet], subnet) - if err != nil { - return err - } - if err := w.writeAll(aclTable); err != nil { - return err - } - } - return nil -} - -func makeACLTable(t *ir.ACL, subnet string) ([][]string, error) { - rules := t.Rules() - rows := make([][]string, len(rules)) - for i, rule := range rules { - aclRow, err := makeACLRow(i+1, rule, t.Name(), subnet) - if err != nil { - return nil, err - } - rows[i] = aclRow - } - return rows, nil -} - -func aclPort(p interval.Interval) string { - if p.Equal(netp.AllPorts()) { - return "any port" //nolint:goconst // independent decision for SG and ACL - } - return fmt.Sprintf("ports %v-%v", p.Start(), p.End()) -} - -func action(a ir.Action) string { - if a == ir.Deny { - return "Deny" - } - return "Allow" -} - -func aclHeader() [][]string { - return [][]string{{ - "", - "Acl", - "Subnet", - "Direction", - "Rule priority", - "Allow or deny", - "Protocol", - "Source", - "Destination", - "Value", - "Description", - "", - }, { - "", - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - "", - }} -} - -func makeACLRow(priority int, rule *ir.ACLRule, aclName, subnet string) ([]string, error) { - srcProtocol, err1 := printIP(rule.Source, 
rule.Protocol, true) - dstProtocol, err2 := printIP(rule.Destination, rule.Protocol, false) - if err := errors.Join(err1, err2); err != nil { - return nil, err - } - - return []string{ - "", - aclName, - subnet, - direction(rule.Direction), - strconv.Itoa(priority), - action(rule.Action), - printProtocolName(rule.Protocol), - srcProtocol, - dstProtocol, - printICMPTypeCode(rule.Protocol), - rule.Explanation, - "", - }, nil -} - -func printIP(ip *netset.IPBlock, protocol netp.Protocol, isSource bool) (string, error) { - ipString := ip.String() - if ip.Equal(netset.GetCidrAll()) { - ipString = "Any IP" //nolint:goconst // independent decision for SG and ACL - } - switch p := protocol.(type) { - case netp.ICMP: - return ipString, nil - case netp.TCPUDP: - var r interval.Interval - if isSource { - r = p.SrcPorts() - } else { - r = p.DstPorts() - } - return fmt.Sprintf("%v, %v", ipString, aclPort(r)), nil - case netp.AnyProtocol: - return ipString, nil - } - return "", fmt.Errorf("impossible protocol %T", protocol) -} diff --git a/pkg/io/mdio/common.go b/pkg/io/mdio/common.go deleted file mode 100644 index abfb24a8..00000000 --- a/pkg/io/mdio/common.go +++ /dev/null 
@@ -1,82 +0,0 @@ -/* -Copyright 2023- IBM Inc. All Rights Reserved. -SPDX-License-Identifier: Apache-2.0 -*/ - -// Package mdio implements output of ACLs and security groups in CSV format -package mdio - -import ( - "bufio" - "fmt" - "io" - "strconv" - "strings" - - "github.com/np-guard/models/pkg/netp" - - "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" -) - -const leftAlign = " :--- " - -// Writer implements ir.Writer -type Writer struct { - w *bufio.Writer -} - -func NewWriter(w io.Writer) *Writer { - return &Writer{w: bufio.NewWriter(w)} -} - -func (w *Writer) writeAll(rows [][]string) error { - for _, row := range rows { - _, err := w.w.WriteString(strings.Join(row, " | ") + "\n") - if err != nil { - return err - } - } - w.w.Flush() - return nil -} - -const ( - anyProtocol = "ALL" - nonIcmp = "-" - anyIcmpValue = "Any" -) - -func direction(d ir.Direction) string { - if d == ir.Inbound { - return "Inbound" - } - return "Outbound" -} - -func printICMPTypeCode(protocol netp.Protocol) string { - p, ok := protocol.(netp.ICMP) - if !ok { - return nonIcmp - } - icmpType := anyIcmpValue - icmpCode := anyIcmpValue - if typeCode := p.ICMPTypeCode(); typeCode != nil { - icmpType = strconv.Itoa(typeCode.Type) - if typeCode.Code != nil { - icmpCode = strconv.Itoa(*typeCode.Code) - } - } - return fmt.Sprintf("Type: %v, Code: %v", icmpType, icmpCode) -} - -func printProtocolName(protocol netp.Protocol) string { - switch p := protocol.(type) { - case netp.ICMP: - return "ICMP" - case netp.TCPUDP: - return strings.ToUpper(string(p.ProtocolString())) - case netp.AnyProtocol: - return anyProtocol - } - return "" -} diff --git a/pkg/io/mdio/sg.go b/pkg/io/mdio/sg.go deleted file mode 100644 index 0fcbf734..00000000 --- a/pkg/io/mdio/sg.go +++ /dev/null 
@@ -1,144 +0,0 @@ -/* -Copyright 2023- IBM Inc. All Rights Reserved. -SPDX-License-Identifier: Apache-2.0 -*/ - -package mdio - -import ( - "errors" - "fmt" - - "github.com/np-guard/models/pkg/interval" - "github.com/np-guard/models/pkg/netp" - "github.com/np-guard/models/pkg/netset" - - "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" -) - -func (w *Writer) WriteSG(collection *ir.SGCollection, vpc string) error { - if err := w.writeAll(sgHeader()); err != nil { - return err - } - for _, vpcName := range collection.VpcNames() { - if vpc != vpcName && vpc != "" { - continue - } - for _, sgName := range collection.SortedSGNames(vpcName) { - sgTable, err := makeSGTable(collection.SGs[vpcName][sgName], sgName) - if err != nil { - return err - } - if err := w.writeAll(sgTable); err != nil { - return err - } - } - } - return nil -} - -func sgHeader() [][]string { - return [][]string{{ - "", - "SG", - "Direction", - "Remote type", - "Remote", - "Protocol", - "Protocol params", - "Description", - "", - }, { - "", - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - leftAlign, - "", - }} -} - -func makeSGRow(rule *ir.SGRule, sgName ir.SGName) ([]string, error) { - remoteType, err1 := sgRemoteType(rule.Remote) - remote, err2 := sgRemote(rule.Remote) - protocolParams, err3 := printProtocolParams(rule.Protocol) - if err := errors.Join(err1, err2, err3); err != nil { - return nil, err - } - - return []string{ - "", - string(sgName), - direction(rule.Direction), - remoteType, - remote, - printProtocolName(rule.Protocol), - protocolParams, - rule.Explanation, - "", - }, nil -} - -func makeSGTable(t *ir.SG, sgName ir.SGName) ([][]string, error) { - rules := t.AllRules() - rows := make([][]string, len(rules)) - for i, rule := range rules { - sgRow, err := makeSGRow(rule, sgName) - if err != nil { - return nil, err - } - rows[i] = sgRow - } - return rows, nil -} - -func sgPort(p interval.Interval) string { - switch { - case p.Start() == 
netp.MinPort && p.End() == netp.MaxPort: - return "any port" - default: - return fmt.Sprintf("ports %v-%v", p.Start(), p.End()) - } -} - -func sgRemoteType(t ir.RemoteType) (string, error) { - switch r := t.(type) { - case *netset.IPBlock: - if ipString := r.ToIPAddressString(); ipString != "" { // single IP address - return "IP address", nil - } - return "CIDR block", nil - case ir.SGName: - return "Security group", nil - } - return "", fmt.Errorf("impossible remote type %T", t) -} - -func sgRemote(r ir.RemoteType) (string, error) { - switch tr := r.(type) { - case *netset.IPBlock: - s := tr.String() - if s == netset.CidrAll { - return "Any IP", nil - } - return s, nil - case ir.SGName: - return tr.String(), nil - } - return "", fmt.Errorf("impossible remote %v (%T)", r, r) -} - -func printProtocolParams(protocol netp.Protocol) (string, error) { - switch p := protocol.(type) { - case netp.ICMP: - return printICMPTypeCode(protocol), nil - case netp.TCPUDP: - return sgPort(p.DstPorts()), nil - case netp.AnyProtocol: - return "", nil - } - return "", fmt.Errorf("impossible protocol %v (type %T)", protocol, protocol) -} diff --git a/pkg/io/tfio/acl.go b/pkg/io/tfio/acl.go index d71b8d56..90a1fdfe 100644 --- a/pkg/io/tfio/acl.go +++ b/pkg/io/tfio/acl.go @@ -8,6 +8,7 @@ package tfio import ( "fmt" + "slices" "strings" "github.com/np-guard/models/pkg/netp" 
@@ -23,57 +24,32 @@ func (w *Writer) WriteACL(c *ir.ACLCollection, vpc string) error { if err != nil { return err } - output := collection.Print() - _, err = w.w.WriteString(output) - if err != nil { + if _, err := w.w.WriteString(collection.Print()); err != nil { return err } - err = w.w.Flush() - return err -} - -func aclProtocol(t netp.Protocol) []tf.Block { - switch p := t.(type) { - case netp.TCPUDP: - return []tf.Block{{ - Name: strings.ToLower(string(p.ProtocolString())), - Arguments: append( - portRange(p.DstPorts(), "port"), - portRange(p.SrcPorts(), "source_port")..., - ), - }} - case netp.ICMP: - return []tf.Block{{ - Name: "icmp", - Arguments: codeTypeArguments(p.ICMPTypeCode()), - }} - case netp.AnyProtocol: - return []tf.Block{} - } - return nil + return w.w.Flush() } -func aclRule(rule *ir.ACLRule, name string) (tf.Block, error) { - if err := verifyName(name); err != nil { - return tf.Block{}, err - } - arguments := []tf.Argument{ - {Name: "name", Value: quote(name)}, - {Name: "action", Value: quote(action(rule.Action))}, - {Name: "direction", Value: quote(direction(rule.Direction))}, - {Name: "source", Value: quote(rule.Source.String())}, - {Name: "destination", Value: quote(rule.Destination.String())}, - } - - comment := "\n" - if rule.Explanation != "" { - comment = fmt.Sprintf("# %v", rule.Explanation) +func aclCollection(t *ir.ACLCollection, vpc string) (*tf.ConfigFile, error) { + sortedACLs := t.SortedACLSubnets(vpc) + var acls = make([]tf.Block, len(sortedACLs)) + i := 0 + for _, subnet := range sortedACLs { + vpcName := ir.VpcFromScopedResource(subnet) + acl := t.ACLs[vpcName][subnet] + comment := "\n" + if len(sortedACLs) > 1 { // not a single nacl + comment = fmt.Sprintf("\n# %v [%v]", subnet, subnetCidr(acl)) + } + singleACL, err := singleACL(acl, comment) + if err != nil { + return nil, err + } + acls[i] = singleACL + i += 1 } - - return tf.Block{Name: "rules", - Comment: comment, - Arguments: arguments, - Blocks: 
aclProtocol(rule.Protocol), + return &tf.ConfigFile{ + Resources: acls, }, nil } @@ -93,10 +69,10 @@ func singleACL(t *ir.ACL, comment string) (tf.Block, error) { } return tf.Block{ Comment: comment, - Name: "resource", + Name: resourceConst, Labels: []string{quote("ibm_is_network_acl"), quote(aclName)}, Arguments: []tf.Argument{ - {Name: "name", Value: quote(aclName)}, //nolint:revive // obvious false positive + {Name: nameConst, Value: quote(aclName)}, {Name: "resource_group", Value: "local.acl_synth_resource_group_id"}, {Name: "vpc", Value: fmt.Sprintf("local.acl_synth_%s_id", ir.VpcFromScopedResource(t.Subnet))}, }, 
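Review bot: `aclCollection` keeps a manual counter (`i := 0` … `i += 1`) alongside a `range` loop that already yields the index, and `singleACL, err := singleACL(acl, comment)` shadows the function with a variable of a different type for the rest of the loop body. Using the range index and a distinct local name reads more plainly; the same shadowing appears in `sgCollection` in pkg/io/tfio/sg.go (`sg, err := sg(...)`, and `rule, err := sgRule(rule, sgName, i)` where the new `rule` hides the loop's `*ir.SGRule`). Both functions are moved rather than rewritten by this commit, but they are on its new side and `aclCollection` is complete within the hunk.
```go
func aclCollection(t *ir.ACLCollection, vpc string) (*tf.ConfigFile, error) {
	sortedACLs := t.SortedACLSubnets(vpc)
	acls := make([]tf.Block, len(sortedACLs))
	for i, subnet := range sortedACLs {
		// … unchanged: vpcName/acl lookup and comment construction …
		block, err := singleACL(acl, comment)
		if err != nil {
			return nil, err
		}
		acls[i] = block
	}
	// … unchanged: ConfigFile construction …
}
```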
@@ -104,29 +80,48 @@ func singleACL(t *ir.ACL, comment string) (tf.Block, error) { }, nil } -func aclCollection(t *ir.ACLCollection, vpc string) (*tf.ConfigFile, error) { - sortedACLs := t.SortedACLSubnets(vpc) - var acls = make([]tf.Block, len(sortedACLs)) - i := 0 - for _, subnet := range sortedACLs { - comment := "\n" - vpcName := ir.VpcFromScopedResource(subnet) - acl := t.ACLs[vpcName][subnet] - if len(sortedACLs) > 1 { // not a single nacl - comment = fmt.Sprintf("\n# %v [%v]", subnet, subnetCidr(acl)) - } - singleACL, err := singleACL(acl, comment) - if err != nil { - return nil, err - } - acls[i] = singleACL - i += 1 +func aclRule(rule *ir.ACLRule, name string) (tf.Block, error) { + if err := verifyName(name); err != nil { + return tf.Block{}, err } - return &tf.ConfigFile{ - Resources: acls, + arguments := []tf.Argument{ + {Name: nameConst, Value: quote(name)}, + {Name: "action", Value: quote(action(rule.Action))}, + {Name: "direction", Value: quote(direction(rule.Direction))}, + {Name: "source", Value: quote(rule.Source.String())}, + {Name: "destination", Value: quote(rule.Destination.String())}, + } + + comment := "\n" + if rule.Explanation != "" { + comment = fmt.Sprintf("# %v", rule.Explanation) + } + + return tf.Block{Name: "rules", + Comment: comment, + Arguments: arguments, + Blocks: aclProtocol(rule.Protocol), }, nil } +func aclProtocol(t netp.Protocol) []tf.Block { + switch p := t.(type) { + case netp.TCPUDP: + return []tf.Block{{ + Name: strings.ToLower(string(p.ProtocolString())), + Arguments: slices.Concat(portRange(p.DstPorts(), "port"), portRange(p.SrcPorts(), "source_port")), + }} + case netp.ICMP: + return []tf.Block{{ + Name: "icmp", + Arguments: codeTypeArguments(p.ICMPTypeCode()), + }} + case netp.AnyProtocol: + return []tf.Block{} + } + return nil +} + func subnetCidr(acl *ir.ACL) *netset.IPBlock { if len(acl.Internal) > 0 { return acl.Internal[0].Target() 
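Review bot: `aclRule` embeds `rule.Explanation` into a `#` line comment with `fmt.Sprintf("# %v", rule.Explanation)`, which assumes the text is single-line; an explanation containing a newline would end the comment early and the remainder would be emitted as HCL. If explanations can come from the input spec, flattening them first, `comment = fmt.Sprintf("# %v", strings.ReplaceAll(rule.Explanation, "\n", " "))`, keeps the generated file well-formed (this file already imports `strings`). `sgRule` in pkg/io/tfio/sg.go presumably builds its comment the same way, but that part of it lies outside the visible hunks; `aclRule` itself is complete within this one.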
diff --git a/pkg/io/tfio/common.go b/pkg/io/tfio/common.go index 96611c65..2cfe0057 100644 --- a/pkg/io/tfio/common.go +++ b/pkg/io/tfio/common.go @@ -20,6 +20,11 @@ import ( "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" ) +const ( + resourceConst = "resource" + nameConst = "name" +) + // Writer implements ir.Writer type Writer struct { w *bufio.Writer diff --git a/pkg/io/tfio/sg.go b/pkg/io/tfio/sg.go index dafcaa6d..e2716fbd 100644 --- a/pkg/io/tfio/sg.go +++ b/pkg/io/tfio/sg.go 
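Review bot: The `Const` suffix on `resourceConst` and `nameConst` encodes the declaration kind in the identifier, which Go naming avoids; names that say what the string is for, e.g. `blockResource = "resource"` and `argName = "name"`, read better at the use sites in acl.go and sg.go. The block also deserves a short comment, since the only visible motivation is the removed `//nolint:revive` markers on the former literals; if the constants exist to satisfy a repeated-string lint, say so: `// Names shared by every generated resource block, hoisted so the repeated literals are not flagged by the linter.`.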
@@ -23,41 +23,59 @@ func (w *Writer) WriteSG(c *ir.SGCollection, vpc string) error { if err != nil { return err } - output := collection.Print() - _, err = w.w.WriteString(output) - if err != nil { + if _, err := w.w.WriteString(collection.Print()); err != nil { return err } - err = w.w.Flush() - return err + return w.w.Flush() } -func value(x interface{}) (string, error) { - switch v := x.(type) { - case *netset.IPBlock: - return quote(v.String()), nil - case ir.SGName: - return ir.ChangeScoping(fmt.Sprintf("ibm_is_security_group.%v.id", v)), nil +func sgCollection(collection *ir.SGCollection, vpc string) (*tf.ConfigFile, error) { + var resources []tf.Block + + for _, vpcName := range collection.VpcNames() { + if vpc != vpcName && vpc != "" { + continue + } + for _, sgName := range collection.SortedSGNames(vpcName) { + rules := collection.SGs[vpcName][sgName].AllRules() + sg, err := sg(sgName.String(), vpcName) + if err != nil { + return nil, err + } + resources = append(resources, sg) + for i, rule := range rules { + rule, err := sgRule(rule, sgName, i) + if err != nil { + return nil, err + } + resources = append(resources, rule) + } + } } - return "", fmt.Errorf("invalid terraform value %v (type %T)", x, x) + return &tf.ConfigFile{ + Resources: resources, + }, nil } -func sgProtocol(t netp.Protocol) []tf.Block { - switch p := t.(type) { - case netp.TCPUDP: - return []tf.Block{{ - Name: strings.ToLower(string(p.ProtocolString())), - Arguments: portRange(p.DstPorts(), "port"), - }} - case netp.ICMP: - return []tf.Block{{ - Name: "icmp", - Arguments: codeTypeArguments(p.ICMPTypeCode()), - }} - case netp.AnyProtocol: - return []tf.Block{} +func sg(sgName, vpcName string) (tf.Block, error) { + tfSGName := ir.ChangeScoping(sgName) + comment := fmt.Sprintf("\n### SG attached to %s", sgName) + if sgName == tfSGName { // optimization mode + comment = "\n" } - return nil + if err := verifyName(tfSGName); err != nil { + return tf.Block{}, err + } + return tf.Block{ + Name: 
resourceConst, + Labels: []string{quote("ibm_is_security_group"), quote(tfSGName)}, + Comment: comment, + Arguments: []tf.Argument{ + {Name: nameConst, Value: quote("sg-" + tfSGName)}, + {Name: "resource_group", Value: "local.sg_synth_resource_group_id"}, + {Name: "vpc", Value: fmt.Sprintf("local.sg_synth_%s_id", vpcName)}, + }, + }, nil } func sgRule(rule *ir.SGRule, sgName ir.SGName, i int) (tf.Block, error) { @@ -78,7 +96,7 @@ func sgRule(rule *ir.SGRule, sgName ir.SGName, i int) (tf.Block, error) { } return tf.Block{ - Name: "resource", + Name: resourceConst, Labels: []string{quote("ibm_is_security_group_rule"), ir.ChangeScoping(quote(ruleName))}, Comment: comment, Arguments: []tf.Argument{ 
@@ -90,51 +108,30 @@ func sgRule(rule *ir.SGRule, sgName ir.SGName, i int) (tf.Block, error) { }, nil } -func sg(sgName, vpcName string) (tf.Block, error) { - tfSGName := ir.ChangeScoping(sgName) - comment := fmt.Sprintf("\n### SG attached to %s", sgName) - if sgName == tfSGName { // optimization mode - comment = "\n" - } - if err := verifyName(tfSGName); err != nil { - return tf.Block{}, err +func sgProtocol(t netp.Protocol) []tf.Block { + switch p := t.(type) { + case netp.TCPUDP: + return []tf.Block{{ + Name: strings.ToLower(string(p.ProtocolString())), + Arguments: portRange(p.DstPorts(), "port"), + }} + case netp.ICMP: + return []tf.Block{{ + Name: "icmp", + Arguments: codeTypeArguments(p.ICMPTypeCode()), + }} + case netp.AnyProtocol: + return []tf.Block{} } - return tf.Block{ - Name: "resource", //nolint:revive // obvious false positive - Labels: []string{quote("ibm_is_security_group"), quote(tfSGName)}, - Comment: comment, - Arguments: []tf.Argument{ - {Name: "name", Value: quote("sg-" + tfSGName)}, - {Name: "resource_group", Value: "local.sg_synth_resource_group_id"}, - {Name: "vpc", Value: fmt.Sprintf("local.sg_synth_%s_id", vpcName)}, - }, - }, nil + return nil } -func sgCollection(collection *ir.SGCollection, vpc string) (*tf.ConfigFile, error) { - var resources []tf.Block - - for _, vpcName := range collection.VpcNames() { - if vpc != vpcName && vpc != "" { - continue - } - for _, sgName := range collection.SortedSGNames(vpcName) { - rules := collection.SGs[vpcName][sgName].AllRules() - sg, err := sg(sgName.String(), vpcName) - if err != nil { - return nil, err - } - resources = append(resources, sg) - for i, rule := range rules { - rule, err := sgRule(rule, sgName, i) - if err != nil { - return nil, err - } - resources = append(resources, rule) - } - } +func value(x interface{}) (string, error) { + switch v := x.(type) { + case *netset.IPBlock: + return quote(v.String()), nil + case ir.SGName: + return 
ir.ChangeScoping(fmt.Sprintf("ibm_is_security_group.%v.id", v)), nil } - return &tf.ConfigFile{ - Resources: resources, - }, nil + return "", fmt.Errorf("invalid terraform value %v (type %T)", x, x) } diff --git a/pkg/ir/acl.go b/pkg/ir/acl.go index 9274c48e..5fd79c7e 100644 --- a/pkg/ir/acl.go +++ b/pkg/ir/acl.go @@ -8,6 +8,7 @@ package ir import ( "fmt" "reflect" + "slices" "github.com/np-guard/models/pkg/netp" "github.com/np-guard/models/pkg/netset" @@ -74,8 +75,7 @@ func (r *ACLRule) Target() *netset.IPBlock { func (a *ACL) Rules() []*ACLRule { rules := a.Internal if len(a.External) != 0 { - rules = append(rules, makeDenyInternal()...) - rules = append(rules, a.External...) + rules = slices.Concat(rules, makeDenyInternal(), a.External) } return rules } diff --git a/pkg/ir/sg.go b/pkg/ir/sg.go index 3b877809..7cb6242c 100644 --- a/pkg/ir/sg.go +++ b/pkg/ir/sg.go @@ -8,6 +8,7 @@ package ir import ( "fmt" "reflect" + "slices" "github.com/np-guard/models/pkg/netp" "github.com/np-guard/models/pkg/netset" @@ -104,7 +105,7 @@ func (a *SG) Add(rule *SGRule) { } func (a *SG) AllRules() []*SGRule { - return append(a.InboundRules, a.OutboundRules...) + return slices.Concat(a.InboundRules, a.OutboundRules) } func (c *SGCollection) VpcNames() []string { diff --git a/pkg/ir/spec.go b/pkg/ir/spec.go index ca70b0fd..a8a723e5 100644 --- a/pkg/ir/spec.go +++ b/pkg/ir/spec.go @@ -8,6 +8,7 @@ package ir import ( "fmt" + "slices" "strings" "github.com/np-guard/models/pkg/netp" @@ -312,8 +313,8 @@ func (s *Definitions) lookupSegment(segment map[ID]*SegmentDetails, name string, if err != nil { return nil, err } - res.CidrsWhenLocal = append(res.CidrsWhenLocal, element.CidrsWhenLocal...) - res.CidrsWhenRemote = append(res.CidrsWhenRemote, element.CidrsWhenRemote...) + res.CidrsWhenLocal = slices.Concat(res.CidrsWhenLocal, element.CidrsWhenLocal) + res.CidrsWhenRemote = slices.Concat(res.CidrsWhenRemote, element.CidrsWhenRemote) } segmentDetails.ConnectedResource = res return res, nil 
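Review bot: `sgProtocol` falls through to `return nil` for any `netp.Protocol` implementation it does not list, which a caller cannot tell apart from the explicit `[]tf.Block{}` returned for `netp.AnyProtocol`; if, as I believe, an `ibm_is_security_group_rule` with no tcp/udp/icmp block matches all protocols, an unhandled protocol type silently widens the rule to allow-all instead of failing. The sibling `value` in the same hunk already rejects unknown types with an error, and this helper should fail closed the same way: a `default:` case returning `nil, fmt.Errorf("unsupported protocol %v (type %T)", t, t)`, with the signature becoming `([]tf.Block, error)`. That signature change reaches `sgRule`, whose body is outside this hunk.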
diff --git a/pkg/optimize/sg/sg.go b/pkg/optimize/sg/sg.go index dc49400c..fed45079 100644 --- a/pkg/optimize/sg/sg.go +++ b/pkg/optimize/sg/sg.go @@ -135,7 +135,7 @@ func (s *sgOptimizer) reduceSGRules(rules []*ir.SGRule, direction ir.Direction) optimizedRulesToIPAddrs = originalRulesToIPAddrs } - return append(optimizedRulesToSG, optimizedRulesToIPAddrs...) + return slices.Concat(optimizedRulesToSG, optimizedRulesToIPAddrs) } func reduceRulesSGRemote(cubes *sgCubesPerProtocol, direction ir.Direction) []*ir.SGRule { diff --git a/pkg/synth/sg.go b/pkg/synth/sg.go index 0caec383..54190b1a 100644 --- a/pkg/synth/sg.go +++ b/pkg/synth/sg.go @@ -6,6 +6,8 @@ SPDX-License-Identifier: Apache-2.0 package synth import ( + "slices" + "github.com/np-guard/models/pkg/netp" "github.com/np-guard/vpc-network-config-synthesis/pkg/ir" @@ -98,7 +100,7 @@ func isSGRemote(t ir.ResourceType) bool { // generate SGs for blocked endpoints (endpoints that do not appear in Spec) func (s *SGSynthesizer) generateSGsForBlockedResources() string { - blockedResources := append(utils.TrueKeyValues(s.spec.BlockedInstances), utils.TrueKeyValues(s.spec.BlockedVPEs)...) + blockedResources := slices.Concat(utils.TrueKeyValues(s.spec.BlockedInstances), utils.TrueKeyValues(s.spec.BlockedVPEs)) for _, resource := range blockedResources { sg := s.result.LookupOrCreate(ir.SGName(resource)) // an empty SG allows no connections sg.Attached = []ir.ID{resource} diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go index e5f14e28..d919189c 100644 --- a/pkg/utils/utils.go +++ b/pkg/utils/utils.go @@ -26,7 +26,7 @@ func SortedMapKeys[T cmp.Ordered, V any](m map[T]V) []T { func SortedAllInnerMapsKeys[T, K cmp.Ordered, V any](m map[K]map[T]V) []T { keys := make([]T, 0) for _, vpc := range m { - keys = append(keys, MapKeys(vpc)...) + keys = slices.Concat(keys, MapKeys(vpc)) } slices.Sort(keys) return keys From e77e0bfffbd767bb5f6a685befd213431c704310 Mon Sep 17 00:00:00 2001 
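Review bot: `keys = slices.Concat(keys, MapKeys(vpc))` inside the `for _, vpc := range m` loop of `SortedAllInnerMapsKeys` allocates a fresh slice and copies everything accumulated so far on every iteration, so the loop is quadratic in the total key count, whereas the `append(keys, MapKeys(vpc)...)` it replaces amortizes its growth. `slices.Concat` suits the one-shot joins elsewhere in this patch; for in-loop accumulation keep `keys = append(keys, MapKeys(vpc)...)`, or pre-size `keys` once if the total is known. The same in-loop pattern appears in `lookupSegment` in pkg/ir/spec.go.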
From: Yair Slobodin <154875779+YairSlobodin1@users.noreply.github.com> Date: Wed, 18 Dec 2024 17:51:34 +0200 Subject: [PATCH 2/4] Read SG targets, fixed tf comment (#221) --- cmd/subcmds/output.go | 2 +- pkg/io/confio/acl.go | 2 +- pkg/io/confio/parse_sgs.go | 23 +++++++++++- pkg/io/confio/sg.go | 2 +- pkg/io/csvWriter.go | 4 +-- pkg/io/mdWriter.go | 4 +-- pkg/io/tfio/acl.go | 2 +- pkg/io/tfio/sg.go | 26 +++++++------- pkg/ir/acl.go | 6 ++-- pkg/ir/common.go | 2 +- pkg/ir/sg.go | 10 +++--- pkg/synth/sg.go | 4 +-- .../sg_expected.tf | 11 +++--- .../optimize_sg_redundant/sg_expected.tf | 11 +++--- test/expected/optimize_sg_t/sg_expected.tf | 11 +++--- .../expected/optimize_sg_t_all/sg_expected.tf | 11 +++--- test/expected/sg_protocols_tf/sg_expected.tf | 36 +++++++++---------- test/expected/sg_segments1_tf/sg_expected.tf | 36 +++++++++---------- test/expected/sg_segments2_tf/sg_expected.tf | 36 +++++++++---------- test/expected/sg_segments3_tf/sg_expected.tf | 36 +++++++++---------- test/expected/sg_segments4_tf/sg_expected.tf | 12 +++---- test/expected/sg_testing3_tf/sg_expected.tf | 12 +++---- .../sg_tg_multiple_tf_separate/test-vpc0.tf | 24 ++++++------- .../sg_tg_multiple_tf_separate/test-vpc1.tf | 4 +-- .../sg_tg_multiple_tf_separate/test-vpc2.tf | 6 ++-- .../sg_tg_multiple_tf_separate/test-vpc3.tf | 2 +- 26 files changed, 180 insertions(+), 155 deletions(-) diff --git a/cmd/subcmds/output.go b/cmd/subcmds/output.go index b10cf364..8647952e 100644 --- a/cmd/subcmds/output.go +++ b/cmd/subcmds/output.go @@ -64,7 +64,7 @@ func writeCollection(args *inArgs, collection ir.Collection, vpc string, isSynth if err != nil { return nil, err } - if err := collection.Write(writer, vpc); err != nil { + if err := collection.Write(writer, vpc, isSynth); err != nil { return nil, err } return &data, nil diff --git a/pkg/io/confio/acl.go b/pkg/io/confio/acl.go index ae5e7a7b..03059301 100644 --- a/pkg/io/confio/acl.go +++ b/pkg/io/confio/acl.go 
@@ -209,7 +209,7 @@ func subnetRef(subnet *configModel.Subnet) *vpcv1.SubnetReference { } } -func (w *Writer) WriteACL(collection *ir.ACLCollection, _ string) error { +func (w *Writer) WriteACL(collection *ir.ACLCollection, _ string, _ bool) error { if err := updateACLList(w.model, collection); err != nil { return err } diff --git a/pkg/io/confio/parse_sgs.go b/pkg/io/confio/parse_sgs.go index 6285e8ee..9d06f7b5 100644 --- a/pkg/io/confio/parse_sgs.go +++ b/pkg/io/confio/parse_sgs.go @@ -41,7 +41,12 @@ func ReadSGs(filename string) (*ir.SGCollection, error) { if result.SGs[vpcName] == nil { result.SGs[vpcName] = make(map[ir.SGName]*ir.SG) } - result.SGs[vpcName][sgName] = &ir.SG{SGName: sgName, InboundRules: inbound, OutboundRules: outbound} + result.SGs[vpcName][sgName] = &ir.SG{ + SGName: sgName, + InboundRules: inbound, + OutboundRules: outbound, + Targets: translateTargets(&sg.SecurityGroup), + } } return result, nil } @@ -148,6 +153,22 @@ func translateLocal(local vpcv1.SecurityGroupRuleLocalIntf) (*netset.IPBlock, er return nil, fmt.Errorf("error parsing Local field") } +// translate SG targets +func translateTargets(sg *vpcv1.SecurityGroup) []string { + if len(sg.Targets) == 0 { + log.Printf("Warning: Security Groups %s does not have attached resources", *sg.Name) + } + res := make([]string, 0) + for i := range sg.Targets { + if t, ok := sg.Targets[i].(*vpcv1.SecurityGroupTargetReference); ok && t.Name != nil { + res = append(res, *t.Name) + } else { + log.Printf("Warning: error translating target %d in %s Security Group", i, *sg.Name) + } + } + return res +} + // temporary - first version of optimization requires local = 0.0.0.0/32 func verifyLocalValue(ipAddrs *netset.IPBlock) (*netset.IPBlock, error) { if !ipAddrs.Equal(netset.GetCidrAll()) { diff --git a/pkg/io/confio/sg.go b/pkg/io/confio/sg.go index e4b74be7..90f1fd4f 100644 --- a/pkg/io/confio/sg.go +++ b/pkg/io/confio/sg.go 
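Review bot: both `log.Printf` calls in `translateTargets` dereference `*sg.Name` without a nil check, and `Name` is a `*string` (the new code itself dereferences it), so a security group in the input config that lacks a name panics the parser on exactly the warning path that was meant to be tolerant. Resolve the name once, with a fallback, and reuse it in both messages. The type assertion also accepts only `*vpcv1.SecurityGroupTargetReference`; any other concrete target type the SDK may unmarshal into is logged and dropped, so the resulting `Targets` — and the "SG … is attached to …" comment built from it downstream — can understate what the SG actually guards; worth confirming against the SDK which types appear there.
```go
func translateTargets(sg *vpcv1.SecurityGroup) []string {
	sgName := "<unnamed>"
	if sg.Name != nil {
		sgName = *sg.Name
	}
	if len(sg.Targets) == 0 {
		log.Printf("Warning: Security Groups %s does not have attached resources", sgName)
	}
	// … unchanged: loop over sg.Targets, with sgName replacing *sg.Name in the per-target warning …
```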
@@ -258,7 +258,7 @@ func updateSG(model *configModel.ResourcesContainerModel, collection *ir.SGColle return errors.Join(err1, err2) } -func (w *Writer) WriteSG(collection *ir.SGCollection, _ string) error { +func (w *Writer) WriteSG(collection *ir.SGCollection, _ string, isSynth bool) error { if err := updateSG(w.model, collection); err != nil { return err } diff --git a/pkg/io/csvWriter.go b/pkg/io/csvWriter.go index 4a31e67a..7a5edea7 100644 --- a/pkg/io/csvWriter.go +++ b/pkg/io/csvWriter.go @@ -22,7 +22,7 @@ func NewCSVWriter(w io.Writer) *CSVWriter { return &CSVWriter{w: csv.NewWriter(w)} } -func (w *CSVWriter) WriteSG(collection *ir.SGCollection, vpc string) error { +func (w *CSVWriter) WriteSG(collection *ir.SGCollection, vpc string, _ bool) error { sgTable, err := WriteSG(collection, vpc) if err != nil { return err @@ -30,7 +30,7 @@ func (w *CSVWriter) WriteSG(collection *ir.SGCollection, vpc string) error { return w.w.WriteAll(slices.Concat(makeSGHeader(), sgTable)) } -func (w *CSVWriter) WriteACL(collection *ir.ACLCollection, vpc string) error { +func (w *CSVWriter) WriteACL(collection *ir.ACLCollection, vpc string, _ bool) error { aclTable, err := WriteACL(collection, vpc) if err != nil { return err diff --git a/pkg/io/mdWriter.go b/pkg/io/mdWriter.go index 3b102b49..461e2599 100644 --- a/pkg/io/mdWriter.go +++ b/pkg/io/mdWriter.go @@ -28,7 +28,7 @@ func NewMDWriter(w io.Writer) *MDWriter { return &MDWriter{w: bufio.NewWriter(w)} } -func (w *MDWriter) WriteSG(collection *ir.SGCollection, vpc string) error { +func (w *MDWriter) WriteSG(collection *ir.SGCollection, vpc string, _ bool) error { sgTable, err := WriteSG(collection, vpc) if err != nil { return err 
@@ -37,7 +37,7 @@ func (w *MDWriter) WriteSG(collection *ir.SGCollection, vpc string) error { return w.writeAll(slices.Concat(sgHeader, addAligns(len(sgHeader[0])), sgTable)) } -func (w *MDWriter) WriteACL(collection *ir.ACLCollection, vpc string) error { +func (w *MDWriter) WriteACL(collection *ir.ACLCollection, vpc string, _ bool) error { aclTable, err := WriteACL(collection, vpc) if err != nil { return err diff --git a/pkg/io/tfio/acl.go b/pkg/io/tfio/acl.go index 90a1fdfe..1fc79e81 100644 --- a/pkg/io/tfio/acl.go +++ b/pkg/io/tfio/acl.go @@ -19,7 +19,7 @@ import ( ) // WriteACL prints an entire collection of acls as a sequence of terraform resources. -func (w *Writer) WriteACL(c *ir.ACLCollection, vpc string) error { +func (w *Writer) WriteACL(c *ir.ACLCollection, vpc string, _ bool) error { collection, err := aclCollection(c, vpc) if err != nil { return err diff --git a/pkg/io/tfio/sg.go b/pkg/io/tfio/sg.go index e2716fbd..a66d7b24 100644 --- a/pkg/io/tfio/sg.go +++ b/pkg/io/tfio/sg.go @@ -18,7 +18,7 @@ import ( ) // WriteSG prints an entire collection of Security Groups as a sequence of terraform resources. -func (w *Writer) WriteSG(c *ir.SGCollection, vpc string) error { +func (w *Writer) WriteSG(c *ir.SGCollection, vpc string, _ bool) error { collection, err := sgCollection(c, vpc) if err != nil { return err @@ -37,13 +37,13 @@ func sgCollection(collection *ir.SGCollection, vpc string) (*tf.ConfigFile, erro continue } for _, sgName := range collection.SortedSGNames(vpcName) { - rules := collection.SGs[vpcName][sgName].AllRules() - sg, err := sg(sgName.String(), vpcName) + sgObject := collection.SGs[vpcName][sgName] + sgTf, err := sg(sgObject, vpcName) if err != nil { return nil, err } - resources = append(resources, sg) - for i, rule := range rules { + resources = append(resources, sgTf) + for i, rule := range sgObject.AllRules() { rule, err := sgRule(rule, sgName, i) if err != nil { return nil, err 
@@ -57,21 +57,21 @@ func sgCollection(collection *ir.SGCollection, vpc string) (*tf.ConfigFile, erro }, nil } -func sg(sgName, vpcName string) (tf.Block, error) { - tfSGName := ir.ChangeScoping(sgName) - comment := fmt.Sprintf("\n### SG attached to %s", sgName) - if sgName == tfSGName { // optimization mode - comment = "\n" +func sg(sG *ir.SG, vpcName string) (tf.Block, error) { + sgName := ir.ChangeScoping(sG.SGName.String()) + comment := fmt.Sprintf("\n### SG %s is attached to %s", sgName, strings.Join(sG.Targets, ", ")) + if len(sG.Targets) == 0 { + comment = fmt.Sprintf("\n### SG %s is not attached to anything", sgName) } - if err := verifyName(tfSGName); err != nil { + if err := verifyName(sgName); err != nil { return tf.Block{}, err } return tf.Block{ Name: resourceConst, - Labels: []string{quote("ibm_is_security_group"), quote(tfSGName)}, + Labels: []string{quote("ibm_is_security_group"), quote(sgName)}, Comment: comment, Arguments: []tf.Argument{ - {Name: nameConst, Value: quote("sg-" + tfSGName)}, + {Name: nameConst, Value: quote("sg-" + sgName)}, {Name: "resource_group", Value: "local.sg_synth_resource_group_id"}, {Name: "vpc", Value: fmt.Sprintf("local.sg_synth_%s_id", vpcName)}, }, diff --git a/pkg/ir/acl.go b/pkg/ir/acl.go index 5fd79c7e..8a9dbfd6 100644 --- a/pkg/ir/acl.go +++ b/pkg/ir/acl.go @@ -39,7 +39,7 @@ type ( } ACLWriter interface { - WriteACL(aclColl *ACLCollection, vpc string) error + WriteACL(aclColl *ACLCollection, vpc string, isSynth bool) error } ) @@ -126,8 +126,8 @@ func (c *ACLCollection) VpcNames() []string { return utils.SortedMapKeys(c.ACLs) } -func (c *ACLCollection) Write(w Writer, vpc string) error { - return w.WriteACL(c, vpc) +func (c *ACLCollection) Write(w Writer, vpc string, isSynth bool) error { + return w.WriteACL(c, vpc, isSynth) } func (c *ACLCollection) SortedACLSubnets(vpc string) []string { diff --git a/pkg/ir/common.go b/pkg/ir/common.go index a89aeae8..49d87bbc 100644 --- a/pkg/ir/common.go +++ b/pkg/ir/common.go 
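Review bot: the target names joined into the `### SG %s is attached to %s` comment in `sg` are written into the generated Terraform unvalidated, while the SG name beside them passes `verifyName`; the targets come from the input configuration (see `translateTargets` in confio), so a name containing a line break would end the `#` comment and inject raw HCL into the output unless the tf printer escapes comments, which this diff does not show. `verifyName` is likely too strict for targets (the expected outputs contain `/` in them), so strip line terminators instead: `targets := strings.NewReplacer("\n", " ", "\r", " ").Replace(strings.Join(sG.Targets, ", "))` and use `targets` in the Sprintf. The closing of the block `sg` returns is outside this hunk.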
@@ -9,7 +9,7 @@ type ( Direction string Collection interface { - Write(writer Writer, vpc string) error + Write(writer Writer, vpc string, isSynth bool) error VpcNames() []string } diff --git a/pkg/ir/sg.go b/pkg/ir/sg.go index 7cb6242c..a9e6be56 100644 --- a/pkg/ir/sg.go +++ b/pkg/ir/sg.go @@ -36,7 +36,7 @@ type ( SGName SGName InboundRules []*SGRule OutboundRules []*SGRule - Attached []ID + Targets []ID } SGCollection struct { @@ -44,7 +44,7 @@ type ( } SGWriter interface { - WriteSG(sgColl *SGCollection, vpc string) error + WriteSG(sgColl *SGCollection, vpc string, isSynth bool) error } ) @@ -75,7 +75,7 @@ func NewSGRule(direction Direction, remote RemoteType, p netp.Protocol, local *n } func NewSG(sgName SGName) *SG { - return &SG{SGName: sgName, InboundRules: []*SGRule{}, OutboundRules: []*SGRule{}, Attached: []ID{}} + return &SG{SGName: sgName, InboundRules: []*SGRule{}, OutboundRules: []*SGRule{}, Targets: []ID{}} } func NewSGCollection() *SGCollection { @@ -112,8 +112,8 @@ func (c *SGCollection) VpcNames() []string { return utils.SortedMapKeys(c.SGs) } -func (c *SGCollection) Write(w Writer, vpc string) error { - return w.WriteSG(c, vpc) +func (c *SGCollection) Write(w Writer, vpc string, isSynth bool) error { + return w.WriteSG(c, vpc, isSynth) } func (c *SGCollection) SortedSGNames(vpc ID) []SGName { diff --git a/pkg/synth/sg.go b/pkg/synth/sg.go index 54190b1a..30fbc503 100644 --- a/pkg/synth/sg.go +++ b/pkg/synth/sg.go @@ -64,7 +64,7 @@ func (s *SGSynthesizer) allowConnectionEndpoint(localEndpoint, remoteEndpoint *i } localSGName := ir.SGName(localEndpoint.Name) localSG := s.result.LookupOrCreate(localSGName) - localSG.Attached = []ir.ID{ir.ID(localSGName)} + localSG.Targets = []ir.ID{ir.ID(localSGName)} rule := &ir.SGRule{ Remote: sgRemote(remoteEndpoint, remoteType), Direction: direction, 
@@ -103,7 +103,7 @@ func (s *SGSynthesizer) generateSGsForBlockedResources() string { blockedResources := slices.Concat(utils.TrueKeyValues(s.spec.BlockedInstances), utils.TrueKeyValues(s.spec.BlockedVPEs)) for _, resource := range blockedResources { sg := s.result.LookupOrCreate(ir.SGName(resource)) // an empty SG allows no connections - sg.Attached = []ir.ID{resource} + sg.Targets = []ir.ID{resource} } return setUnspecifiedWarning(WarningUnspecifiedSG, blockedResources) } diff --git a/test/expected/optimize_sg_protocols_to_all_tf/sg_expected.tf b/test/expected/optimize_sg_protocols_to_all_tf/sg_expected.tf index 10f44116..3b2fc12f 100644 --- a/test/expected/optimize_sg_protocols_to_all_tf/sg_expected.tf +++ b/test/expected/optimize_sg_protocols_to_all_tf/sg_expected.tf @@ -1,3 +1,4 @@ +### SG sg1 is not attached to anything resource "ibm_is_security_group" "sg1" { name = "sg-sg1" resource_group = local.sg_synth_resource_group_id @@ -14,7 +15,7 @@ resource "ibm_is_security_group_rule" "sg1-1" { remote = "0.0.0.0/0" } - +### SG test-vpc1--vsi1 is attached to ni1 resource "ibm_is_security_group" "test-vpc1--vsi1" { name = "sg-test-vpc1--vsi1" resource_group = local.sg_synth_resource_group_id @@ -38,7 +39,7 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi1-2" { remote = "0.0.0.0/31" } - +### SG test-vpc1--vsi2 is attached to ni2 resource "ibm_is_security_group" "test-vpc1--vsi2" { name = "sg-test-vpc1--vsi2" resource_group = local.sg_synth_resource_group_id 
@@ -50,21 +51,21 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi2-0" { remote = ibm_is_security_group.test-vpc1--vsi1.id } - +### SG test-vpc1--vsi3a is attached to ni3a resource "ibm_is_security_group" "test-vpc1--vsi3a" { name = "sg-test-vpc1--vsi3a" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG test-vpc1--vsi3b is attached to ni3b resource "ibm_is_security_group" "test-vpc1--vsi3b" { name = "sg-test-vpc1--vsi3b" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG wombat-hesitate-scorn-subprime is not attached to anything resource "ibm_is_security_group" "wombat-hesitate-scorn-subprime" { name = "sg-wombat-hesitate-scorn-subprime" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/optimize_sg_redundant/sg_expected.tf b/test/expected/optimize_sg_redundant/sg_expected.tf index 7319be9e..4b8524ef 100644 --- a/test/expected/optimize_sg_redundant/sg_expected.tf +++ b/test/expected/optimize_sg_redundant/sg_expected.tf @@ -1,3 +1,4 @@ +### SG sg1 is not attached to anything resource "ibm_is_security_group" "sg1" { name = "sg-sg1" resource_group = local.sg_synth_resource_group_id @@ -14,7 +15,7 @@ resource "ibm_is_security_group_rule" "sg1-1" { remote = "0.0.0.0/0" } - +### SG test-vpc1--vsi1 is attached to ni1 resource "ibm_is_security_group" "test-vpc1--vsi1" { name = "sg-test-vpc1--vsi1" resource_group = local.sg_synth_resource_group_id @@ -41,7 +42,7 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi1-3" { remote = "1.0.0.0/30" } - +### SG test-vpc1--vsi2 is attached to ni2 resource "ibm_is_security_group" "test-vpc1--vsi2" { name = "sg-test-vpc1--vsi2" resource_group = local.sg_synth_resource_group_id 
@@ -53,7 +54,7 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi2-0" { remote = ibm_is_security_group.test-vpc1--vsi1.id } - +### SG test-vpc1--vsi3a is attached to ni3a resource "ibm_is_security_group" "test-vpc1--vsi3a" { name = "sg-test-vpc1--vsi3a" resource_group = local.sg_synth_resource_group_id @@ -65,14 +66,14 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi3a-0" { remote = ibm_is_security_group.test-vpc1--vsi1.id } - +### SG test-vpc1--vsi3b is attached to ni3b resource "ibm_is_security_group" "test-vpc1--vsi3b" { name = "sg-test-vpc1--vsi3b" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG wombat-hesitate-scorn-subprime is not attached to anything resource "ibm_is_security_group" "wombat-hesitate-scorn-subprime" { name = "sg-wombat-hesitate-scorn-subprime" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/optimize_sg_t/sg_expected.tf b/test/expected/optimize_sg_t/sg_expected.tf index 448d25d8..995e1b94 100644 --- a/test/expected/optimize_sg_t/sg_expected.tf +++ b/test/expected/optimize_sg_t/sg_expected.tf @@ -1,3 +1,4 @@ +### SG sg1 is not attached to anything resource "ibm_is_security_group" "sg1" { name = "sg-sg1" resource_group = local.sg_synth_resource_group_id @@ -14,7 +15,7 @@ resource "ibm_is_security_group_rule" "sg1-1" { remote = "0.0.0.0/0" } - +### SG test-vpc1--vsi1 is attached to ni1 resource "ibm_is_security_group" "test-vpc1--vsi1" { name = "sg-test-vpc1--vsi1" resource_group = local.sg_synth_resource_group_id 
@@ -37,28 +38,28 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi1-1" { } } - +### SG test-vpc1--vsi2 is attached to ni2 resource "ibm_is_security_group" "test-vpc1--vsi2" { name = "sg-test-vpc1--vsi2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG test-vpc1--vsi3a is attached to ni3a resource "ibm_is_security_group" "test-vpc1--vsi3a" { name = "sg-test-vpc1--vsi3a" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG test-vpc1--vsi3b is attached to ni3b resource "ibm_is_security_group" "test-vpc1--vsi3b" { name = "sg-test-vpc1--vsi3b" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG wombat-hesitate-scorn-subprime is not attached to anything resource "ibm_is_security_group" "wombat-hesitate-scorn-subprime" { name = "sg-wombat-hesitate-scorn-subprime" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/optimize_sg_t_all/sg_expected.tf b/test/expected/optimize_sg_t_all/sg_expected.tf index 0f4d41e0..fd5b626f 100644 --- a/test/expected/optimize_sg_t_all/sg_expected.tf +++ b/test/expected/optimize_sg_t_all/sg_expected.tf @@ -1,3 +1,4 @@ +### SG sg1 is not attached to anything resource "ibm_is_security_group" "sg1" { name = "sg-sg1" resource_group = local.sg_synth_resource_group_id @@ -14,7 +15,7 @@ resource "ibm_is_security_group_rule" "sg1-1" { remote = "0.0.0.0/0" } - +### SG test-vpc1--vsi1 is attached to ni1 resource "ibm_is_security_group" "test-vpc1--vsi1" { name = "sg-test-vpc1--vsi1" resource_group = local.sg_synth_resource_group_id 
@@ -34,28 +35,28 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi1-1" { remote = "0.0.0.2/31" } - +### SG test-vpc1--vsi2 is attached to ni2 resource "ibm_is_security_group" "test-vpc1--vsi2" { name = "sg-test-vpc1--vsi2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG test-vpc1--vsi3a is attached to ni3a resource "ibm_is_security_group" "test-vpc1--vsi3a" { name = "sg-test-vpc1--vsi3a" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG test-vpc1--vsi3b is attached to ni3b resource "ibm_is_security_group" "test-vpc1--vsi3b" { name = "sg-test-vpc1--vsi3b" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } - +### SG wombat-hesitate-scorn-subprime is not attached to anything resource "ibm_is_security_group" "wombat-hesitate-scorn-subprime" { name = "sg-wombat-hesitate-scorn-subprime" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_protocols_tf/sg_expected.tf b/test/expected/sg_protocols_tf/sg_expected.tf index f7519b05..a85f889c 100644 --- a/test/expected/sg_protocols_tf/sg_expected.tf +++ b/test/expected/sg_protocols_tf/sg_expected.tf @@ -1,4 +1,4 @@ -### SG attached to test-vpc0/vsi0-subnet0 +### SG test-vpc0--vsi0-subnet0 is attached to test-vpc0/vsi0-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { name = "sg-test-vpc0--vsi0-subnet0" resource_group = local.sg_synth_resource_group_id @@ -21,7 +21,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-1" { } } -### SG attached to test-vpc0/vsi0-subnet1 +### SG test-vpc0--vsi0-subnet1 is attached to test-vpc0/vsi0-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet1" { name = "sg-test-vpc0--vsi0-subnet1" resource_group = local.sg_synth_resource_group_id 
@@ -44,7 +44,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-1" { } } -### SG attached to test-vpc0/vsi0-subnet2 +### SG test-vpc0--vsi0-subnet2 is attached to test-vpc0/vsi0-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet2" { name = "sg-test-vpc0--vsi0-subnet2" resource_group = local.sg_synth_resource_group_id @@ -69,7 +69,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet2-1" { } } -### SG attached to test-vpc0/vsi0-subnet3 +### SG test-vpc0--vsi0-subnet3 is attached to test-vpc0/vsi0-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet3" { name = "sg-test-vpc0--vsi0-subnet3" resource_group = local.sg_synth_resource_group_id @@ -94,21 +94,21 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet3-1" { } } -### SG attached to test-vpc0/vsi0-subnet4 +### SG test-vpc0--vsi0-subnet4 is attached to test-vpc0/vsi0-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet4" { name = "sg-test-vpc0--vsi0-subnet4" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet5 +### SG test-vpc0--vsi0-subnet5 is attached to test-vpc0/vsi0-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet5" { name = "sg-test-vpc0--vsi0-subnet5" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet0 +### SG test-vpc0--vsi1-subnet0 is attached to test-vpc0/vsi1-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet0" { name = "sg-test-vpc0--vsi1-subnet0" resource_group = local.sg_synth_resource_group_id @@ -144,7 +144,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-2" { } } -### SG attached to test-vpc0/vsi1-subnet1 +### SG test-vpc0--vsi1-subnet1 is attached to test-vpc0/vsi1-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet1" { name = "sg-test-vpc0--vsi1-subnet1" resource_group = local.sg_synth_resource_group_id 
@@ -180,35 +180,35 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-2" { } } -### SG attached to test-vpc0/vsi1-subnet2 +### SG test-vpc0--vsi1-subnet2 is attached to test-vpc0/vsi1-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet2" { name = "sg-test-vpc0--vsi1-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet3 +### SG test-vpc0--vsi1-subnet3 is attached to test-vpc0/vsi1-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet3" { name = "sg-test-vpc0--vsi1-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet4 +### SG test-vpc0--vsi1-subnet4 is attached to test-vpc0/vsi1-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet4" { name = "sg-test-vpc0--vsi1-subnet4" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet5 +### SG test-vpc0--vsi1-subnet5 is attached to test-vpc0/vsi1-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet5" { name = "sg-test-vpc0--vsi1-subnet5" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc1/vsi0-subnet10 +### SG test-vpc1--vsi0-subnet10 is attached to test-vpc1/vsi0-subnet10 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet10" { name = "sg-test-vpc1--vsi0-subnet10" resource_group = local.sg_synth_resource_group_id 
@@ -223,21 +223,21 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet10-0" { } } -### SG attached to test-vpc1/vsi0-subnet11 +### SG test-vpc1--vsi0-subnet11 is attached to test-vpc1/vsi0-subnet11 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet11" { name = "sg-test-vpc1--vsi0-subnet11" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } -### SG attached to test-vpc2/vsi0-subnet20 +### SG test-vpc2--vsi0-subnet20 is attached to test-vpc2/vsi0-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi0-subnet20" { name = "sg-test-vpc2--vsi0-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc2/vsi1-subnet20 +### SG test-vpc2--vsi1-subnet20 is attached to test-vpc2/vsi1-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi1-subnet20" { name = "sg-test-vpc2--vsi1-subnet20" resource_group = local.sg_synth_resource_group_id @@ -250,14 +250,14 @@ resource "ibm_is_security_group_rule" "test-vpc2--vsi1-subnet20-0" { remote = "0.0.0.0/0" } -### SG attached to test-vpc2/vsi2-subnet20 +### SG test-vpc2--vsi2-subnet20 is attached to test-vpc2/vsi2-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi2-subnet20" { name = "sg-test-vpc2--vsi2-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc3/vsi0-subnet30 +### SG test-vpc3--vsi0-subnet30 is attached to test-vpc3/vsi0-subnet30 resource "ibm_is_security_group" "test-vpc3--vsi0-subnet30" { name = "sg-test-vpc3--vsi0-subnet30" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_segments1_tf/sg_expected.tf b/test/expected/sg_segments1_tf/sg_expected.tf index 7e8c7c2d..e32bb433 100644 --- a/test/expected/sg_segments1_tf/sg_expected.tf +++ b/test/expected/sg_segments1_tf/sg_expected.tf 
@@ -1,4 +1,4 @@ -### SG attached to test-vpc0/vsi0-subnet0 +### SG test-vpc0--vsi0-subnet0 is attached to test-vpc0/vsi0-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { name = "sg-test-vpc0--vsi0-subnet0" resource_group = local.sg_synth_resource_group_id @@ -17,7 +17,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-1" { remote = "10.240.0.0/23" } -### SG attached to test-vpc0/vsi0-subnet1 +### SG test-vpc0--vsi0-subnet1 is attached to test-vpc0/vsi0-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet1" { name = "sg-test-vpc0--vsi0-subnet1" resource_group = local.sg_synth_resource_group_id 
@@ -36,35 +36,35 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-1" { remote = "10.240.0.0/23" } -### SG attached to test-vpc0/vsi0-subnet2 +### SG test-vpc0--vsi0-subnet2 is attached to test-vpc0/vsi0-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet2" { name = "sg-test-vpc0--vsi0-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet3 +### SG test-vpc0--vsi0-subnet3 is attached to test-vpc0/vsi0-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet3" { name = "sg-test-vpc0--vsi0-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet4 +### SG test-vpc0--vsi0-subnet4 is attached to test-vpc0/vsi0-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet4" { name = "sg-test-vpc0--vsi0-subnet4" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet5 +### SG test-vpc0--vsi0-subnet5 is attached to test-vpc0/vsi0-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet5" { name = "sg-test-vpc0--vsi0-subnet5" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet0 +### SG test-vpc0--vsi1-subnet0 is attached to test-vpc0/vsi1-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet0" { name = "sg-test-vpc0--vsi1-subnet0" resource_group = local.sg_synth_resource_group_id @@ -83,7 +83,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-1" { remote = "10.240.0.0/23" } -### SG attached to test-vpc0/vsi1-subnet1 +### SG test-vpc0--vsi1-subnet1 is attached to test-vpc0/vsi1-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet1" { name = "sg-test-vpc0--vsi1-subnet1" resource_group = local.sg_synth_resource_group_id 
@@ -102,70 +102,70 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-1" { remote = "10.240.0.0/23" } -### SG attached to test-vpc0/vsi1-subnet2 +### SG test-vpc0--vsi1-subnet2 is attached to test-vpc0/vsi1-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet2" { name = "sg-test-vpc0--vsi1-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet3 +### SG test-vpc0--vsi1-subnet3 is attached to test-vpc0/vsi1-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet3" { name = "sg-test-vpc0--vsi1-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet4 +### SG test-vpc0--vsi1-subnet4 is attached to test-vpc0/vsi1-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet4" { name = "sg-test-vpc0--vsi1-subnet4" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet5 +### SG test-vpc0--vsi1-subnet5 is attached to test-vpc0/vsi1-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet5" { name = "sg-test-vpc0--vsi1-subnet5" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc1/vsi0-subnet10 +### SG test-vpc1--vsi0-subnet10 is attached to test-vpc1/vsi0-subnet10 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet10" { name = "sg-test-vpc1--vsi0-subnet10" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } -### SG attached to test-vpc1/vsi0-subnet11 +### SG test-vpc1--vsi0-subnet11 is attached to test-vpc1/vsi0-subnet11 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet11" { name = "sg-test-vpc1--vsi0-subnet11" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } -### SG attached to test-vpc2/vsi0-subnet20 +### SG test-vpc2--vsi0-subnet20 is attached to 
test-vpc2/vsi0-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi0-subnet20" { name = "sg-test-vpc2--vsi0-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc2/vsi1-subnet20 +### SG test-vpc2--vsi1-subnet20 is attached to test-vpc2/vsi1-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi1-subnet20" { name = "sg-test-vpc2--vsi1-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc2/vsi2-subnet20 +### SG test-vpc2--vsi2-subnet20 is attached to test-vpc2/vsi2-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi2-subnet20" { name = "sg-test-vpc2--vsi2-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc3/vsi0-subnet30 +### SG test-vpc3--vsi0-subnet30 is attached to test-vpc3/vsi0-subnet30 resource "ibm_is_security_group" "test-vpc3--vsi0-subnet30" { name = "sg-test-vpc3--vsi0-subnet30" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_segments2_tf/sg_expected.tf b/test/expected/sg_segments2_tf/sg_expected.tf index 0ecc69d1..3db420a0 100644 --- a/test/expected/sg_segments2_tf/sg_expected.tf +++ b/test/expected/sg_segments2_tf/sg_expected.tf @@ -1,4 +1,4 @@ -### SG attached to test-vpc0/vsi0-subnet0 +### SG test-vpc0--vsi0-subnet0 is attached to test-vpc0/vsi0-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { name = "sg-test-vpc0--vsi0-subnet0" resource_group = local.sg_synth_resource_group_id @@ -17,7 +17,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-1" { remote = ibm_is_security_group.test-vpc0--vsi0-subnet5.id } -### SG attached to test-vpc0/vsi0-subnet1 +### SG test-vpc0--vsi0-subnet1 is attached to test-vpc0/vsi0-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet1" { name = "sg-test-vpc0--vsi0-subnet1" resource_group = local.sg_synth_resource_group_id 
@@ -36,28 +36,28 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet1-1" { remote = ibm_is_security_group.test-vpc0--vsi0-subnet5.id } -### SG attached to test-vpc0/vsi0-subnet2 +### SG test-vpc0--vsi0-subnet2 is attached to test-vpc0/vsi0-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet2" { name = "sg-test-vpc0--vsi0-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet3 +### SG test-vpc0--vsi0-subnet3 is attached to test-vpc0/vsi0-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet3" { name = "sg-test-vpc0--vsi0-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet4 +### SG test-vpc0--vsi0-subnet4 is attached to test-vpc0/vsi0-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet4" { name = "sg-test-vpc0--vsi0-subnet4" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet5 +### SG test-vpc0--vsi0-subnet5 is attached to test-vpc0/vsi0-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet5" { name = "sg-test-vpc0--vsi0-subnet5" resource_group = local.sg_synth_resource_group_id @@ -70,7 +70,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet5-0" { remote = "10.240.0.0/23" } -### SG attached to test-vpc0/vsi1-subnet0 +### SG test-vpc0--vsi1-subnet0 is attached to test-vpc0/vsi1-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet0" { name = "sg-test-vpc0--vsi1-subnet0" resource_group = local.sg_synth_resource_group_id 
@@ -89,7 +89,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet0-1" { remote = ibm_is_security_group.test-vpc0--vsi0-subnet5.id } -### SG attached to test-vpc0/vsi1-subnet1 +### SG test-vpc0--vsi1-subnet1 is attached to test-vpc0/vsi1-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet1" { name = "sg-test-vpc0--vsi1-subnet1" resource_group = local.sg_synth_resource_group_id 
@@ -108,42 +108,42 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet1-1" { remote = ibm_is_security_group.test-vpc0--vsi0-subnet5.id } -### SG attached to test-vpc0/vsi1-subnet2 +### SG test-vpc0--vsi1-subnet2 is attached to test-vpc0/vsi1-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet2" { name = "sg-test-vpc0--vsi1-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet3 +### SG test-vpc0--vsi1-subnet3 is attached to test-vpc0/vsi1-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet3" { name = "sg-test-vpc0--vsi1-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet4 +### SG test-vpc0--vsi1-subnet4 is attached to test-vpc0/vsi1-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet4" { name = "sg-test-vpc0--vsi1-subnet4" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet5 +### SG test-vpc0--vsi1-subnet5 is attached to test-vpc0/vsi1-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet5" { name = "sg-test-vpc0--vsi1-subnet5" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc1/vsi0-subnet10 +### SG test-vpc1--vsi0-subnet10 is attached to test-vpc1/vsi0-subnet10 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet10" { name = "sg-test-vpc1--vsi0-subnet10" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } -### SG attached to test-vpc1/vsi0-subnet11 +### SG test-vpc1--vsi0-subnet11 is attached to test-vpc1/vsi0-subnet11 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet11" { name = "sg-test-vpc1--vsi0-subnet11" resource_group = local.sg_synth_resource_group_id 
@@ -156,28 +156,28 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet11-0" { remote = "10.240.0.0/23" } -### SG attached to test-vpc2/vsi0-subnet20 +### SG test-vpc2--vsi0-subnet20 is attached to test-vpc2/vsi0-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi0-subnet20" { name = "sg-test-vpc2--vsi0-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc2/vsi1-subnet20 +### SG test-vpc2--vsi1-subnet20 is attached to test-vpc2/vsi1-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi1-subnet20" { name = "sg-test-vpc2--vsi1-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc2/vsi2-subnet20 +### SG test-vpc2--vsi2-subnet20 is attached to test-vpc2/vsi2-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi2-subnet20" { name = "sg-test-vpc2--vsi2-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc3/vsi0-subnet30 +### SG test-vpc3--vsi0-subnet30 is attached to test-vpc3/vsi0-subnet30 resource "ibm_is_security_group" "test-vpc3--vsi0-subnet30" { name = "sg-test-vpc3--vsi0-subnet30" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_segments3_tf/sg_expected.tf b/test/expected/sg_segments3_tf/sg_expected.tf index a14bcf10..82443b46 100644 --- a/test/expected/sg_segments3_tf/sg_expected.tf +++ b/test/expected/sg_segments3_tf/sg_expected.tf 
@@ -1,32 +1,32 @@ -### SG attached to test-vpc0/vsi0-subnet0 +### SG test-vpc0--vsi0-subnet0 is attached to test-vpc0/vsi0-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { name = "sg-test-vpc0--vsi0-subnet0" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet1 +### SG test-vpc0--vsi0-subnet1 is attached to test-vpc0/vsi0-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet1" { name = "sg-test-vpc0--vsi0-subnet1" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet2 +### SG test-vpc0--vsi0-subnet2 is attached to test-vpc0/vsi0-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet2" { name = "sg-test-vpc0--vsi0-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet3 +### SG test-vpc0--vsi0-subnet3 is attached to test-vpc0/vsi0-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet3" { name = "sg-test-vpc0--vsi0-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet4 +### SG test-vpc0--vsi0-subnet4 is attached to test-vpc0/vsi0-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet4" { name = "sg-test-vpc0--vsi0-subnet4" resource_group = local.sg_synth_resource_group_id 
@@ -45,49 +45,49 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet4-1" { remote = "10.240.128.0/24" } -### SG attached to test-vpc0/vsi0-subnet5 +### SG test-vpc0--vsi0-subnet5 is attached to test-vpc0/vsi0-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet5" { name = "sg-test-vpc0--vsi0-subnet5" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet0 +### SG test-vpc0--vsi1-subnet0 is attached to test-vpc0/vsi1-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet0" { name = "sg-test-vpc0--vsi1-subnet0" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet1 +### SG test-vpc0--vsi1-subnet1 is attached to test-vpc0/vsi1-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet1" { name = "sg-test-vpc0--vsi1-subnet1" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet2 +### SG test-vpc0--vsi1-subnet2 is attached to test-vpc0/vsi1-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet2" { name = "sg-test-vpc0--vsi1-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet3 +### SG test-vpc0--vsi1-subnet3 is attached to test-vpc0/vsi1-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet3" { name = "sg-test-vpc0--vsi1-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet4 +### SG test-vpc0--vsi1-subnet4 is attached to test-vpc0/vsi1-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet4" { name = "sg-test-vpc0--vsi1-subnet4" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet5 +### SG test-vpc0--vsi1-subnet5 is attached to 
test-vpc0/vsi1-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet5" { name = "sg-test-vpc0--vsi1-subnet5" resource_group = local.sg_synth_resource_group_id @@ -106,7 +106,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet5-1" { remote = "10.240.128.0/24" } -### SG attached to test-vpc1/vsi0-subnet10 +### SG test-vpc1--vsi0-subnet10 is attached to test-vpc1/vsi0-subnet10 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet10" { name = "sg-test-vpc1--vsi0-subnet10" resource_group = local.sg_synth_resource_group_id @@ -125,14 +125,14 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet10-1" { remote = ibm_is_security_group.test-vpc0--vsi1-subnet5.id } -### SG attached to test-vpc1/vsi0-subnet11 +### SG test-vpc1--vsi0-subnet11 is attached to test-vpc1/vsi0-subnet11 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet11" { name = "sg-test-vpc1--vsi0-subnet11" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc1_id } -### SG attached to test-vpc2/vsi0-subnet20 +### SG test-vpc2--vsi0-subnet20 is attached to test-vpc2/vsi0-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi0-subnet20" { name = "sg-test-vpc2--vsi0-subnet20" resource_group = local.sg_synth_resource_group_id @@ -151,7 +151,7 @@ resource "ibm_is_security_group_rule" "test-vpc2--vsi0-subnet20-1" { remote = ibm_is_security_group.test-vpc0--vsi1-subnet5.id } -### SG attached to test-vpc2/vsi1-subnet20 +### SG test-vpc2--vsi1-subnet20 is attached to test-vpc2/vsi1-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi1-subnet20" { name = "sg-test-vpc2--vsi1-subnet20" resource_group = local.sg_synth_resource_group_id 
@@ -170,7 +170,7 @@ resource "ibm_is_security_group_rule" "test-vpc2--vsi1-subnet20-1" { remote = ibm_is_security_group.test-vpc0--vsi1-subnet5.id } -### SG attached to test-vpc2/vsi2-subnet20 +### SG test-vpc2--vsi2-subnet20 is attached to test-vpc2/vsi2-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi2-subnet20" { name = "sg-test-vpc2--vsi2-subnet20" resource_group = local.sg_synth_resource_group_id @@ -189,7 +189,7 @@ resource "ibm_is_security_group_rule" "test-vpc2--vsi2-subnet20-1" { remote = ibm_is_security_group.test-vpc0--vsi1-subnet5.id } -### SG attached to test-vpc3/vsi0-subnet30 +### SG test-vpc3--vsi0-subnet30 is attached to test-vpc3/vsi0-subnet30 resource "ibm_is_security_group" "test-vpc3--vsi0-subnet30" { name = "sg-test-vpc3--vsi0-subnet30" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_segments4_tf/sg_expected.tf b/test/expected/sg_segments4_tf/sg_expected.tf index 07166fff..fde97298 100644 --- a/test/expected/sg_segments4_tf/sg_expected.tf +++ b/test/expected/sg_segments4_tf/sg_expected.tf @@ -1,4 +1,4 @@ -### SG attached to test-vpc/appdata-endpoint-gateway +### SG test-vpc--appdata-endpoint-gateway is attached to test-vpc/appdata-endpoint-gateway resource "ibm_is_security_group" "test-vpc--appdata-endpoint-gateway" { name = "sg-test-vpc--appdata-endpoint-gateway" resource_group = local.sg_synth_resource_group_id @@ -17,7 +17,7 @@ resource "ibm_is_security_group_rule" "test-vpc--appdata-endpoint-gateway-1" { remote = ibm_is_security_group.test-vpc--be.id } -### SG attached to test-vpc/be +### SG test-vpc--be is attached to test-vpc/be resource "ibm_is_security_group" "test-vpc--be" { name = "sg-test-vpc--be" resource_group = local.sg_synth_resource_group_id 
@@ -36,7 +36,7 @@ resource "ibm_is_security_group_rule" "test-vpc--be-1" { remote = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id } -### SG attached to test-vpc/fe +### SG test-vpc--fe is attached to test-vpc/fe resource "ibm_is_security_group" "test-vpc--fe" { name = "sg-test-vpc--fe" resource_group = local.sg_synth_resource_group_id @@ -55,14 +55,14 @@ resource "ibm_is_security_group_rule" "test-vpc--fe-1" { remote = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id } -### SG attached to test-vpc/opa +### SG test-vpc--opa is attached to test-vpc/opa resource "ibm_is_security_group" "test-vpc--opa" { name = "sg-test-vpc--opa" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc_id } -### SG attached to test-vpc/policydb-endpoint-gateway +### SG test-vpc--policydb-endpoint-gateway is attached to test-vpc/policydb-endpoint-gateway resource "ibm_is_security_group" "test-vpc--policydb-endpoint-gateway" { name = "sg-test-vpc--policydb-endpoint-gateway" resource_group = local.sg_synth_resource_group_id @@ -81,7 +81,7 @@ resource "ibm_is_security_group_rule" "test-vpc--policydb-endpoint-gateway-1" { remote = ibm_is_security_group.test-vpc--be.id } -### SG attached to test-vpc/proxy +### SG test-vpc--proxy is attached to test-vpc/proxy resource "ibm_is_security_group" "test-vpc--proxy" { name = "sg-test-vpc--proxy" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_testing3_tf/sg_expected.tf b/test/expected/sg_testing3_tf/sg_expected.tf index 8bfb66a3..c7ced9bf 100644 --- a/test/expected/sg_testing3_tf/sg_expected.tf +++ b/test/expected/sg_testing3_tf/sg_expected.tf 
@@ -1,11 +1,11 @@ -### SG attached to test-vpc/appdata-endpoint-gateway +### SG test-vpc--appdata-endpoint-gateway is attached to test-vpc/appdata-endpoint-gateway resource "ibm_is_security_group" "test-vpc--appdata-endpoint-gateway" { name = "sg-test-vpc--appdata-endpoint-gateway" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc_id } -### SG attached to test-vpc/be +### SG test-vpc--be is attached to test-vpc/be resource "ibm_is_security_group" "test-vpc--be" { name = "sg-test-vpc--be" resource_group = local.sg_synth_resource_group_id @@ -32,7 +32,7 @@ resource "ibm_is_security_group_rule" "test-vpc--be-2" { remote = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id } -### SG attached to test-vpc/fe +### SG test-vpc--fe is attached to test-vpc/fe resource "ibm_is_security_group" "test-vpc--fe" { name = "sg-test-vpc--fe" resource_group = local.sg_synth_resource_group_id @@ -57,7 +57,7 @@ resource "ibm_is_security_group_rule" "test-vpc--fe-1" { } } -### SG attached to test-vpc/opa +### SG test-vpc--opa is attached to test-vpc/opa resource "ibm_is_security_group" "test-vpc--opa" { name = "sg-test-vpc--opa" resource_group = local.sg_synth_resource_group_id @@ -76,7 +76,7 @@ resource "ibm_is_security_group_rule" "test-vpc--opa-1" { remote = ibm_is_security_group.test-vpc--policydb-endpoint-gateway.id } -### SG attached to test-vpc/policydb-endpoint-gateway +### SG test-vpc--policydb-endpoint-gateway is attached to test-vpc/policydb-endpoint-gateway resource "ibm_is_security_group" "test-vpc--policydb-endpoint-gateway" { name = "sg-test-vpc--policydb-endpoint-gateway" resource_group = local.sg_synth_resource_group_id 
@@ -95,7 +95,7 @@ resource "ibm_is_security_group_rule" "test-vpc--policydb-endpoint-gateway-1" { remote = ibm_is_security_group.test-vpc--opa.id } -### SG attached to test-vpc/proxy +### SG test-vpc--proxy is attached to test-vpc/proxy resource "ibm_is_security_group" "test-vpc--proxy" { name = "sg-test-vpc--proxy" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_tg_multiple_tf_separate/test-vpc0.tf b/test/expected/sg_tg_multiple_tf_separate/test-vpc0.tf index 8f4979ba..1486e315 100644 --- a/test/expected/sg_tg_multiple_tf_separate/test-vpc0.tf +++ b/test/expected/sg_tg_multiple_tf_separate/test-vpc0.tf @@ -1,4 +1,4 @@ -### SG attached to test-vpc0/vsi0-subnet0 +### SG test-vpc0--vsi0-subnet0 is attached to test-vpc0/vsi0-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet0" { name = "sg-test-vpc0--vsi0-subnet0" resource_group = local.sg_synth_resource_group_id 
@@ -11,70 +11,70 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi0-subnet0-0" { remote = ibm_is_security_group.test-vpc0--vsi1-subnet4.id } -### SG attached to test-vpc0/vsi0-subnet1 +### SG test-vpc0--vsi0-subnet1 is attached to test-vpc0/vsi0-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet1" { name = "sg-test-vpc0--vsi0-subnet1" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet2 +### SG test-vpc0--vsi0-subnet2 is attached to test-vpc0/vsi0-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet2" { name = "sg-test-vpc0--vsi0-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet3 +### SG test-vpc0--vsi0-subnet3 is attached to test-vpc0/vsi0-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet3" { name = "sg-test-vpc0--vsi0-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet4 +### SG test-vpc0--vsi0-subnet4 is attached to test-vpc0/vsi0-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet4" { name = "sg-test-vpc0--vsi0-subnet4" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi0-subnet5 +### SG test-vpc0--vsi0-subnet5 is attached to test-vpc0/vsi0-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi0-subnet5" { name = "sg-test-vpc0--vsi0-subnet5" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet0 +### SG test-vpc0--vsi1-subnet0 is attached to test-vpc0/vsi1-subnet0 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet0" { name = "sg-test-vpc0--vsi1-subnet0" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet1 +### SG test-vpc0--vsi1-subnet1 
is attached to test-vpc0/vsi1-subnet1 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet1" { name = "sg-test-vpc0--vsi1-subnet1" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet2 +### SG test-vpc0--vsi1-subnet2 is attached to test-vpc0/vsi1-subnet2 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet2" { name = "sg-test-vpc0--vsi1-subnet2" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet3 +### SG test-vpc0--vsi1-subnet3 is attached to test-vpc0/vsi1-subnet3 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet3" { name = "sg-test-vpc0--vsi1-subnet3" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc0_id } -### SG attached to test-vpc0/vsi1-subnet4 +### SG test-vpc0--vsi1-subnet4 is attached to test-vpc0/vsi1-subnet4 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet4" { name = "sg-test-vpc0--vsi1-subnet4" resource_group = local.sg_synth_resource_group_id @@ -87,7 +87,7 @@ resource "ibm_is_security_group_rule" "test-vpc0--vsi1-subnet4-0" { remote = ibm_is_security_group.test-vpc0--vsi0-subnet0.id } -### SG attached to test-vpc0/vsi1-subnet5 +### SG test-vpc0--vsi1-subnet5 is attached to test-vpc0/vsi1-subnet5 resource "ibm_is_security_group" "test-vpc0--vsi1-subnet5" { name = "sg-test-vpc0--vsi1-subnet5" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_tg_multiple_tf_separate/test-vpc1.tf b/test/expected/sg_tg_multiple_tf_separate/test-vpc1.tf index 06e11954..9149e693 100644 --- a/test/expected/sg_tg_multiple_tf_separate/test-vpc1.tf +++ b/test/expected/sg_tg_multiple_tf_separate/test-vpc1.tf 
@@ -1,4 +1,4 @@ -### SG attached to test-vpc1/vsi0-subnet10 +### SG test-vpc1--vsi0-subnet10 is attached to test-vpc1/vsi0-subnet10 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet10" { name = "sg-test-vpc1--vsi0-subnet10" resource_group = local.sg_synth_resource_group_id @@ -13,7 +13,7 @@ resource "ibm_is_security_group_rule" "test-vpc1--vsi0-subnet10-0" { } } -### SG attached to test-vpc1/vsi0-subnet11 +### SG test-vpc1--vsi0-subnet11 is attached to test-vpc1/vsi0-subnet11 resource "ibm_is_security_group" "test-vpc1--vsi0-subnet11" { name = "sg-test-vpc1--vsi0-subnet11" resource_group = local.sg_synth_resource_group_id diff --git a/test/expected/sg_tg_multiple_tf_separate/test-vpc2.tf b/test/expected/sg_tg_multiple_tf_separate/test-vpc2.tf index bf96f422..7adad885 100644 --- a/test/expected/sg_tg_multiple_tf_separate/test-vpc2.tf +++ b/test/expected/sg_tg_multiple_tf_separate/test-vpc2.tf @@ -1,4 +1,4 @@ -### SG attached to test-vpc2/vsi0-subnet20 +### SG test-vpc2--vsi0-subnet20 is attached to test-vpc2/vsi0-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi0-subnet20" { name = "sg-test-vpc2--vsi0-subnet20" resource_group = local.sg_synth_resource_group_id @@ -15,14 +15,14 @@ resource "ibm_is_security_group_rule" "test-vpc2--vsi0-subnet20-0" { } } -### SG attached to test-vpc2/vsi1-subnet20 +### SG test-vpc2--vsi1-subnet20 is attached to test-vpc2/vsi1-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi1-subnet20" { name = "sg-test-vpc2--vsi1-subnet20" resource_group = local.sg_synth_resource_group_id vpc = local.sg_synth_test-vpc2_id } -### SG attached to test-vpc2/vsi2-subnet20 +### SG test-vpc2--vsi2-subnet20 is attached to test-vpc2/vsi2-subnet20 resource "ibm_is_security_group" "test-vpc2--vsi2-subnet20" { name = "sg-test-vpc2--vsi2-subnet20" resource_group = local.sg_synth_resource_group_id 
diff --git a/test/expected/sg_tg_multiple_tf_separate/test-vpc3.tf b/test/expected/sg_tg_multiple_tf_separate/test-vpc3.tf index ef77175b..312dad54 100644 --- a/test/expected/sg_tg_multiple_tf_separate/test-vpc3.tf +++ b/test/expected/sg_tg_multiple_tf_separate/test-vpc3.tf @@ -1,4 +1,4 @@ -### SG attached to test-vpc3/vsi0-subnet30 +### SG test-vpc3--vsi0-subnet30 is attached to test-vpc3/vsi0-subnet30 resource "ibm_is_security_group" "test-vpc3--vsi0-subnet30" { name = "sg-test-vpc3--vsi0-subnet30" resource_group = local.sg_synth_resource_group_id From 623a9557e63a75683bde545e59debe70a016165a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Dec 2024 16:00:36 +0000 Subject: [PATCH 3/4] Bump golang.org/x/crypto from 0.24.0 to 0.31.0 (#244) --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 6aabf93f..1830e6d3 100644 --- a/go.mod +++ b/go.mod @@ -29,9 +29,9 @@ require ( github.com/oklog/ulid v1.3.1 // indirect github.com/spf13/pflag v1.0.5 // indirect go.mongodb.org/mongo-driver v1.15.0 // indirect - golang.org/x/crypto v0.24.0 // indirect + golang.org/x/crypto v0.31.0 // indirect golang.org/x/net v0.26.0 // indirect - golang.org/x/sys v0.21.0 // indirect - golang.org/x/text v0.16.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/text v0.21.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) diff --git a/go.sum b/go.sum index 01b9286e..3b34428d 100644 --- a/go.sum +++ b/go.sum 
@@ -198,8 +198,8 @@ golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaE golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -235,16 +235,16 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190329151228-23e29df326fe/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= From 9b275788a4530fdf28b5858046d4f0a996dbc3a2 Mon Sep 17 00:00:00 2001 
From: Yair Slobodin
Date: Thu, 19 Dec 2024 10:36:05 +0200
Subject: [PATCH 4/4] src ports
---
pkg/io/confio/parse_acls.go | 3 ++-
pkg/io/confio/parse_sgs.go | 12 +++++++-----
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/pkg/io/confio/parse_acls.go b/pkg/io/confio/parse_acls.go
index 09647519..567fbc00 100644
--- a/pkg/io/confio/parse_acls.go
+++ b/pkg/io/confio/parse_acls.go
@@ -94,7 +94,8 @@ func translateACLRuleProtocolTCPUDP(rule *vpcv1.NetworkACLRuleItemNetworkACLRule
 direction, err2 := translateDirection(*rule.Direction)
 src, err3 := translateResource(rule.Source)
 dst, err4 := translateResource(rule.Destination)
- protocol, err5 := translateProtocolTCPUDP(*rule.Protocol, rule.DestinationPortMin, rule.DestinationPortMax)
+ protocol, err5 := translateProtocolTCPUDP(*rule.Protocol, rule.SourcePortMin, rule.SourcePortMax,
+ rule.DestinationPortMin, rule.DestinationPortMax)
 if err := errors.Join(err1, err2, err3, err4, err5); err != nil {
 return nil, err
 }
diff --git a/pkg/io/confio/parse_sgs.go b/pkg/io/confio/parse_sgs.go
index dd325772..25904ca9 100644
--- a/pkg/io/confio/parse_sgs.go
+++ b/pkg/io/confio/parse_sgs.go
@@ -97,7 +97,7 @@ func translateSGRuleProtocolTCPUDP(rule *vpcv1.SecurityGroupRuleSecurityGroupRul
 direction, err1 := translateDirection(*rule.Direction)
 remote, err2 := translateRemote(rule.Remote)
 local, err3 := translateLocal(rule.Local)
- protocol, err4 := translateProtocolTCPUDP(*rule.Protocol, rule.PortMin, rule.PortMax)
+ protocol, err4 := translateProtocolTCPUDP(*rule.Protocol, nil, nil, rule.PortMin, rule.PortMax)
 if err := errors.Join(err1, err2, err3, err4); err != nil {
 return nil, err
 }
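Review bot: The changed call now forwards rule.SourcePortMin/SourcePortMax, but nothing in this patch exercises an ACL rule whose source port range is narrower than the full range — the diffstat lists only the two parser files and no expected-output fixture — so the earlier silent drop of source ports could regress without any test noticing. An expected-output fixture with a TCP network-ACL rule restricted on the source side would pin the new behaviour. With five positional arguments of the same pointer type, transposing the source and destination pairs compiles cleanly; a short comment at the call such as `// source bounds first, then destination bounds; nil presumably selects the full range via utils.GetProperty` would make the order explicit. translateACLRuleProtocolTCPUDP's body begins before this hunk.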
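Review bot: The two bare `nil, nil` arguments on the changed line give no hint of why a security-group rule carries no source port bounds; the removed body of translateProtocolTCPUDP hard-coded netp.MinPort/netp.MaxPort for the source side, so the intent is the same but is now implicit at the call site. A one-line comment above the call, `// SG rules define only a destination port range; nil leaves the source side unbounded`, would keep that reasoning visible to the next reader. translateSGRuleProtocolTCPUDP's body continues outside the hunk.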
@@ -166,9 +166,11 @@ func translateTargets(sg *vpcv1.SecurityGroup) []string {
 return res
 }
 
-func translateProtocolTCPUDP(protocolName string, portMin, portMax *int64) (netp.Protocol, error) {
+func translateProtocolTCPUDP(protocolName string, srcPortMin, srcPortMax, dstPortMin, dstPortMax *int64) (netp.Protocol, error) {
 isTCP := protocolName == vpcv1.SecurityGroupRuleSecurityGroupRuleProtocolTcpudpProtocolTCPConst
- minDstPort := utils.GetProperty(portMin, netp.MinPort)
- maxDstPort := utils.GetProperty(portMax, netp.MaxPort)
- return netp.NewTCPUDP(isTCP, netp.MinPort, netp.MaxPort, int(minDstPort), int(maxDstPort))
+ minSrcPort := utils.GetProperty(srcPortMin, netp.MinPort)
+ maxSrcPort := utils.GetProperty(srcPortMax, netp.MaxPort)
+ minDstPort := utils.GetProperty(dstPortMin, netp.MinPort)
+ maxDstPort := utils.GetProperty(dstPortMax, netp.MaxPort)
+ return netp.NewTCPUDP(isTCP, int(minSrcPort), int(maxSrcPort), int(minDstPort), int(maxDstPort))
 }
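Review bot: The new translateProtocolTCPUDP signature takes four optional bounds but has no doc comment stating their order or that a nil pointer means "unbounded", and since all four share the type *int64 a caller can swap the source and destination pairs without a compile error — the same class of mistake that let source ports be dropped before this patch. Suggest a comment on the function: `// translateProtocolTCPUDP builds a TCP/UDP protocol from optional source and destination port bounds, in that order; a nil bound falls back to the full port range.` Whether netp.NewTCPUDP rejects an inverted range (min greater than max) is not visible here; if it does not, the int conversions pass the cloud-supplied values through unchecked, which is worth confirming before relying on the parsed protocol for analysis. On the unchanged context line, any protocolName other than the TCP constant is treated as UDP; the new signature does not change that, but it is the other place where an unexpected input would be silently normalised.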