in pce/validator/validation_suite.py [0:0]
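def validate_firewall(self, pce: PCE) -> ValidationResult:
    """
    Validate that the PCE's firewall admits inbound traffic from its VPC peers.

    The prerequisites are checked in dependency order and the first missing one
    is reported as an ERROR result:

    1. the VPC and its CIDR must be present;
    2. at least one firewall ruleset must be attached;
    3. the route table must exist and contain at least one VPC-peering route.

    With the prerequisites met, the peering routes and the rulesets are handed to
    ``self._check_inbound_peer_route_allowed``, which returns two lists of reason
    strings: the first is reported as an ERROR (invalid rulesets), the second as
    a WARNING (flagged rulesets). What "invalid" and "flagged" mean is decided by
    that helper, not here.

    NOTE(review): this check establishes that peer traffic is *allowed*; nothing
    visible here verifies that the rulesets are not broader than the peer CIDRs.
    Whether the helper's warnings cover over-permissive rules should be confirmed
    before relying on this validator for that.

    Args:
        pce: The PCE whose ``pce_network`` (vpc, firewall_rulesets, route_table)
            is inspected. The object is not modified.

    Returns:
        A ``ValidationResult`` whose code is ERROR when a prerequisite is missing
        or the helper reported error reasons, WARNING when it reported only
        warning reasons, and SUCCESS otherwise. The invalid-rulesets error also
        carries a solution hint.
    """
    network = pce.pce_network

    # Without a VPC or a VPC CIDR there is nothing to compare the rules against.
    vpc = network.vpc
    if not vpc:
        return ValidationResult(
            ValidationResultCode.ERROR,
            ValidationErrorDescriptionTemplate.VPC_PEERING_NO_VPC.value,
        )
    if not vpc.cidr:
        return ValidationResult(
            ValidationResultCode.ERROR,
            ValidationErrorDescriptionTemplate.VPC_PEERING_NO_VPC_CIDR.value,
        )

    # Don't bother validating the route table if there are no firewall rules.
    firewall_rulesets = network.firewall_rulesets
    if not firewall_rulesets:
        # A VPC that lacks the PCE id tag is still reported as a validation
        # error instead of crashing the validator with a KeyError. `tags` is
        # read as a mapping, as the original subscript already assumed.
        return ValidationResult(
            ValidationResultCode.ERROR,
            ValidationErrorDescriptionTemplate.FIREWALL_RULES_NOT_FOUND.value.format(
                pce_id=vpc.tags.get(PCE_ID_KEY, "<unknown>")
            ),
        )

    route_table = network.route_table
    if not route_table:
        return ValidationResult(
            ValidationResultCode.ERROR,
            ValidationErrorDescriptionTemplate.VPC_PEERING_NO_ROUTE_TABLE.value,
        )

    # Only routes whose target is a VPC peering carry peer traffic. The route
    # table is known to be present here, so no fallback to [] is needed.
    peer_routes = [
        route
        for route in route_table.routes
        if route.route_target.route_target_type == RouteTargetType.VPC_PEERING
    ]
    if not peer_routes:
        return ValidationResult(
            ValidationResultCode.ERROR,
            ValidationErrorDescriptionTemplate.FIREWALL_PEER_ROUTE_NOT_SET.value,
        )

    error_reasons, warning_reasons = self._check_inbound_peer_route_allowed(
        peer_routes, firewall_rulesets, vpc
    )
    # Errors take precedence: when both lists are non-empty only the ERROR
    # result is returned and the warning reasons are not surfaced.
    if error_reasons:
        return ValidationResult(
            ValidationResultCode.ERROR,
            ValidationErrorDescriptionTemplate.FIREWALL_INVALID_RULESETS.value.format(
                error_reasons=";".join(error_reasons)
            ),
            ValidationErrorSolutionHintTemplate.FIREWALL_INVALID_RULESETS.value,
        )
    if warning_reasons:
        return ValidationResult(
            ValidationResultCode.WARNING,
            ValidationWarningDescriptionTemplate.FIREWALL_FLAGGED_RULESETS.value.format(
                warning_reasons=";".join(warning_reasons)
            ),
        )
    return ValidationResult(ValidationResultCode.SUCCESS)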