forked from pulumi/examples
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Validate address spaces in configuration (pulumi#683)
* Validate config and update api * Fix errata and edge cases * Clarify comments * Remove unnecessary variable * Move configuration into module * Clarify comments
- Loading branch information
1 parent
818b9f3
commit de060e6
Showing
7 changed files
with
166 additions
and
134 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
from ipaddress import ip_network | ||
from pulumi import Config, get_stack, get_project | ||
|
||
class Error(Exception): | ||
"""Base class for exceptions in this module.""" | ||
pass | ||
|
||
class ConfigError(Error): | ||
"""Exception raised for errors in Pulumi Config. | ||
Attributes: | ||
keys -- Config keys with the error | ||
message -- explanation of the error | ||
""" | ||
def __init__(self, keys: [str], message: str): | ||
self.keys = keys | ||
self.message = message | ||
|
||
# retrieve the stack configuration data | ||
config = Config() | ||
|
||
# set default tags to be applied to all taggable resources | ||
stack = get_stack() | ||
default_tags = { | ||
'environment': stack | ||
} | ||
|
||
# Azure Bastion hosts in hub and spokes (until functional across peerings) | ||
azure_bastion = config.get_bool('azure_bastion') | ||
|
||
# Azure Firewall to route all Internet-bound traffic to designated next hop | ||
forced_tunnel = config.get_bool('forced_tunnel') | ||
|
||
# another stack in the same project and organization may be peered | ||
peer = config.get('peer') | ||
if peer: | ||
org = config.require('org') | ||
project = get_project() | ||
reference = f'{org}/{project}/{peer}' | ||
else: | ||
reference = None | ||
|
||
# validate firewall_address_space and hub_address_space | ||
firewall_address_space = config.require('firewall_address_space') | ||
fwz_nw = ip_network(firewall_address_space) | ||
if not fwz_nw.is_private: | ||
raise ConfigError(['firewall_address_space'], 'must be private') | ||
if fwz_nw.prefixlen > 24: | ||
raise ConfigError(['firewall_address_space'], 'must be /24 or larger') | ||
hub_address_space = config.require('hub_address_space') | ||
hub_nw = ip_network(hub_address_space) | ||
if not hub_nw.is_private: | ||
raise ConfigError(['hub_address_space'], 'must be private') | ||
if hub_nw.prefixlen > 24: | ||
raise ConfigError(['hub_address_space'], 'must be /24 or larger') | ||
if fwz_nw.overlaps(hub_nw): | ||
raise ConfigError( | ||
['firewall_address_space', 'hub_address_space'], | ||
'may not overlap' | ||
) | ||
|
||
# locate hub_address_space within supernet for contiguous spoke_address_space | ||
sup_diff = hub_nw.prefixlen - 8 # largest private IPv4 network is 10/8 | ||
super_nw = hub_nw.supernet(prefixlen_diff=sup_diff) | ||
while not super_nw.is_private: # accommodate longer private network prefixes | ||
sup_diff = sup_diff - 1 | ||
super_nw = hub_nw.supernet(prefixlen_diff=sup_diff) | ||
if sup_diff <= 0: | ||
raise ConfigError( | ||
['hub_address_space'], | ||
'must be a subnet of a private supernet' | ||
) | ||
stack_sn = super_nw.subnets(prefixlen_diff=sup_diff) | ||
hub_as = next(stack_sn) | ||
while hub_as < hub_nw: | ||
hub_as = next(stack_sn) | ||
if hub_address_space != str(hub_as): | ||
raise ConfigError(['hub_address_space'], 'check assumptions') |
Oops, something went wrong.