vcloud-edge_gateway 0.0.1

data/lib/vcloud/edge_gateway/configuration_generator/load_balancer_service.rb

@@ -0,0 +1,243 @@
+module Vcloud
+  module EdgeGateway
+    module ConfigurationGenerator
+      class LoadBalancerService
+
+        def initialize edge_gateway
+          @edge_gateway = Vcloud::Core::EdgeGateway.get_by_name(edge_gateway)
+        end
+
+        def generate_fog_config(load_balancer_input_config)
+          return nil if load_balancer_input_config.nil?
+          vcloud_load_balancer_section = {}
+          vcloud_load_balancer_section[:IsEnabled] =
+            load_balancer_input_config.key?(:enabled) ?
+              load_balancer_input_config[:enabled].to_s : 'true'
+          vcloud_pools = []
+          vcloud_virtual_servers = []
+          if pools = load_balancer_input_config[:pools]
+            pools.each do |pool_input_entry|
+              vcloud_pools << generate_pool_entry(pool_input_entry)
+            end
+          end
+          if virtual_servers = load_balancer_input_config[:virtual_servers]
+            virtual_servers.each do |virtual_server_input_entry|
+              vcloud_virtual_servers << generate_virtual_server_entry(virtual_server_input_entry)
+            end
+          end
+          vcloud_load_balancer_section[:Pool] = vcloud_pools
+          vcloud_load_balancer_section[:VirtualServer] = vcloud_virtual_servers
+          vcloud_load_balancer_section
+        end
+
+        private
+
+        def generate_virtual_server_entry(input_virtual_server)
+          vcloud_virtual_server = {}
+          vcloud_virtual_server[:IsEnabled] =
+            input_virtual_server.key(:enabled) ? input_virtual_server[:enabled] : 'true'
+          vcloud_virtual_server[:Name] = input_virtual_server[:name]
+          vcloud_virtual_server[:Description] =
+            input_virtual_server[:description] || ''
+          vcloud_virtual_server[:Interface] =
+            generate_virtual_server_interface_section(input_virtual_server[:network])
+          vcloud_virtual_server[:IpAddress] = input_virtual_server[:ip_address]
+          vcloud_virtual_server[:ServiceProfile] =
+            generate_virtual_server_service_profile_section(input_virtual_server[:service_profiles])
+          vcloud_virtual_server[:Logging] =
+            input_virtual_server.key(:logging) ? input_virtual_server[:logging] : 'false'
+          vcloud_virtual_server[:Pool] = input_virtual_server[:pool]
+          vcloud_virtual_server
+        end
+
+        def generate_virtual_server_interface_section(network_id)
+          vcloud_virtual_server_interface = {}
+          vcloud_virtual_server_interface[:type] = 'application/vnd.vmware.vcloud.orgVdcNetwork+xml'
+          vcloud_virtual_server_interface[:name] = look_up_network_name(network_id)
+          vcloud_virtual_server_interface[:href] = look_up_network_href(network_id)
+          vcloud_virtual_server_interface
+        end
+
+        def look_up_network_name(network_id)
+          gateway_interface = @edge_gateway.vcloud_gateway_interface_by_id(network_id)
+          raise "Could not find network #{network_id}" unless gateway_interface
+          gateway_interface[:Network][:name]
+        end
+
+        def look_up_network_href(network_id)
+          gateway_interface = @edge_gateway.vcloud_gateway_interface_by_id(network_id)
+          raise "Could not find network #{network_id}" unless gateway_interface
+          gateway_interface[:Network][:href]
+        end
+
+        def generate_virtual_server_service_profile_section(input_service_profile)
+          input_service_profile = {} if input_service_profile.nil?
+          vcloud_service_profiles = []
+          protocols = [ :http, :https, :tcp ]
+          protocols.each do |protocol|
+            vcloud_service_profiles <<
+              generate_virtual_server_service_profile_protocol_section(
+                protocol,
+                input_service_profile[protocol]
+              )
+          end
+          vcloud_service_profiles
+        end
+
+        def generate_virtual_server_service_profile_protocol_section(protocol, input_protocol_section)
+          vcloud_protocol_section = {
+            IsEnabled: 'false',
+            Protocol: protocol.to_s.upcase,
+            Port:     default_port(protocol),
+            Persistence: generate_virtual_server_persistence_section(protocol, nil)
+          }
+          if input_protocol_section
+            vcloud_protocol_section[:IsEnabled] =
+              input_protocol_section.key?(:enabled) ?
+                input_protocol_section[:enabled].to_s : 'true'
+            vcloud_protocol_section[:Port] =
+              input_protocol_section.key?(:port) ?
+                input_protocol_section[:port].to_s : default_port(protocol)
+            vcloud_protocol_section[:Persistence] =
+              generate_virtual_server_persistence_section(
+                protocol,
+                input_protocol_section[:persistence]
+              )
+          end
+          vcloud_protocol_section
+        end
+
+        def default_port(protocol)
+          default_port_for = { http: '80', https: '443', tcp: '' }
+          default_port_for[protocol]
+        end
+
+        def generate_virtual_server_persistence_section(protocol, input_persistence_section)
+          input_persistence_section = {} if input_persistence_section.nil?
+          vcloud_persistence_section = { Method: '' }
+          if input_persistence_section.key?(:method)
+            if input_persistence_section.key?(:method)
+              vcloud_persistence_section[:Method] = input_persistence_section[:method]
+            end
+            if input_persistence_section[:method] == 'COOKIE'
+              vcloud_persistence_section[:CookieName] = input_persistence_section[:cookie_name]
+              vcloud_persistence_section[:CookieMode] = input_persistence_section[:cookie_mode]
+            end
+          end
+          vcloud_persistence_section
+        end
+
+        def generate_pool_entry(input_pool_entry)
+          service_port_modes = [ :http, :https, :tcp ]
+          vcloud_pool_entry = {}
+          vcloud_pool_entry[:Name] = input_pool_entry[:name]
+          if input_pool_entry.key?(:description)
+            vcloud_pool_entry[:Description] = input_pool_entry[:description]
+          end
+          vcloud_pool_entry[:ServicePort] = service_port_modes.map do |mode|
+            generate_pool_service_port(
+              mode,
+              input_pool_entry.key?(:service) ? input_pool_entry[:service][mode] : nil
+            )
+          end
+          if input_pool_entry.key?(:members)
+            vcloud_pool_entry[:Member] = []
+            input_pool_entry[:members].each do |member|
+              vcloud_pool_entry[:Member] << generate_pool_member_entry(member)
+            end
+          end
+          vcloud_pool_entry
+        end
+
+        def generate_pool_member_entry(input_pool_member)
+          {
+            IpAddress: input_pool_member[:ip_address],
+            Weight:    input_pool_member.key?(:weight) ? input_pool_member[:weight].to_s : '1',
+            ServicePort: [
+              { Protocol: 'HTTP',  Port: '', HealthCheckPort: '' },
+              { Protocol: 'HTTPS', Port: '', HealthCheckPort: '' },
+              { Protocol: 'TCP',   Port: '', HealthCheckPort: '' },
+            ]
+          }
+        end
+
+        def generate_pool_service_port(mode, input_pool_service_port)
+
+          vcloud_pool_service_port = {
+            IsEnabled: 'false',
+            Protocol: mode.to_s.upcase,
+            Algorithm: 'ROUND_ROBIN',
+            Port: default_port(mode),
+            HealthCheckPort: '',
+            HealthCheck: generate_pool_healthcheck(mode)
+          }
+
+          if input_pool_service_port
+            vcloud_pool_service_port[:IsEnabled] =
+              input_pool_service_port.key?(:enabled) ?
+                input_pool_service_port[:enabled].to_s : 'true'
+            if input_pool_service_port.key?(:algorithm)
+              vcloud_pool_service_port[:Algorithm] = input_pool_service_port[:algorithm]
+            end
+            vcloud_pool_service_port[:Port] =
+              input_pool_service_port.key?(:port) ?
+                input_pool_service_port[:port].to_s : default_port(mode)
+            if health_check = input_pool_service_port[:health_check]
+              vcloud_pool_service_port[:HealthCheckPort] =
+                health_check.key?(:port) ? health_check[:port].to_s : ''
+              vcloud_pool_service_port[:HealthCheck] =
+                generate_pool_healthcheck(mode, input_pool_service_port[:health_check])
+            end
+          end
+          vcloud_pool_service_port
+        end
+
+        def generate_pool_healthcheck(protocol, input_pool_healthcheck_entry = nil)
+          default_mode = ( protocol == :https ) ? 'SSL' : protocol.to_s.upcase
+          vcloud_pool_healthcheck_entry = {
+            Mode: default_mode,
+          }
+          if protocol == :http
+            vcloud_pool_healthcheck_entry[:Uri] = ''
+          elsif ( protocol == :https ) &&
+                  input_pool_healthcheck_entry &&
+                  ( input_pool_healthcheck_entry[:protocol] == 'TCP' )
+            vcloud_pool_healthcheck_entry[:Uri] = ''
+          end
+          vcloud_pool_healthcheck_entry[:HealthThreshold] = '2'
+          vcloud_pool_healthcheck_entry[:UnhealthThreshold] = '3'
+          vcloud_pool_healthcheck_entry[:Interval] = '5'
+          vcloud_pool_healthcheck_entry[:Timeout] = '15'
+
+          if input_pool_healthcheck_entry
+            if input_pool_healthcheck_entry.key?(:protocol)
+              vcloud_pool_healthcheck_entry[:Mode] = input_pool_healthcheck_entry[:protocol]
+            end
+            if input_pool_healthcheck_entry.key?(:uri) and protocol == :http
+              vcloud_pool_healthcheck_entry[:Uri]  = input_pool_healthcheck_entry[:uri]
+            end
+            if input_pool_healthcheck_entry.key?(:health_threshold)
+              vcloud_pool_healthcheck_entry[:HealthThreshold] =
+                input_pool_healthcheck_entry[:health_threshold]
+            end
+            if input_pool_healthcheck_entry.key?(:unhealth_threshold)
+              vcloud_pool_healthcheck_entry[:UnhealthThreshold] =
+                input_pool_healthcheck_entry[:unhealth_threshold]
+            end
+            if input_pool_healthcheck_entry.key?(:interval)
+              vcloud_pool_healthcheck_entry[:Interval] =
+                input_pool_healthcheck_entry[:interval]
+            end
+            if input_pool_healthcheck_entry.key?(:timeout)
+              vcloud_pool_healthcheck_entry[:Timeout] =
+                input_pool_healthcheck_entry[:timeout]
+            end
+          end
+          vcloud_pool_healthcheck_entry
+        end
+
+      end
+    end
+  end
+
+end

data/lib/vcloud/edge_gateway/configuration_generator/nat_service.rb

@@ -0,0 +1,54 @@
+module Vcloud
+  module EdgeGateway
+    module ConfigurationGenerator
+
+      class NatService
+        def initialize edge_gateway, input_config
+          @edge_gateway = Vcloud::Core::EdgeGateway.get_by_name(edge_gateway)
+          @input_config = input_config
+          @interfaces_by_id = {}
+        end
+
+        def generate_fog_config
+          if @input_config
+            nat_service = {}
+            nat_service[:IsEnabled] = @input_config.key?(:enabled) ? @input_config[:enabled].to_s : 'true'
+            nat_service[:NatRule] = populate_nat_rules
+            nat_service
+          end
+        end
+
+        def populate_nat_rules
+          rules = @input_config[:nat_rules]
+            i = ID_RANGES::NAT_SERVICE[:min]
+            rules.collect do |rule|
+              new_rule = {}
+              new_rule[:Id] = rule.key?(:id) ? rule[:id] : i.to_s
+              new_rule[:IsEnabled] = rule.key?(:enabled) ? rule[:enabled].to_s : 'true'
+              new_rule[:RuleType] = rule[:rule_type]
+              gateway_nat_rule = populate_gateway_nat_rule(rule)
+              new_rule[:GatewayNatRule] = gateway_nat_rule
+              i += 1
+              new_rule
+          end
+        end
+
+        def populate_gateway_nat_rule(rule)
+          raise "Must supply a :network_id parameter" unless net_id = rule[:network_id]
+          @interfaces_by_id[net_id] ||= @edge_gateway.vcloud_gateway_interface_by_id(net_id)
+          raise "unable to find gateway network interface with id #{net_id}" unless @interfaces_by_id[net_id]
+          gateway_nat_rule = {:Interface => @interfaces_by_id[net_id][:Network]}
+          gateway_nat_rule[:OriginalIp] = rule[:original_ip]
+          gateway_nat_rule[:TranslatedIp] = rule[:translated_ip]
+          gateway_nat_rule[:OriginalPort] = rule[:original_port] if rule.key?(:original_port)
+          gateway_nat_rule[:TranslatedPort] = rule[:translated_port] if rule.key?(:translated_port)
+          if rule[:rule_type] == 'DNAT'
+            gateway_nat_rule[:Protocol] = rule.key?(:protocol) ? rule[:protocol] : "tcp"
+          end
+          gateway_nat_rule
+        end
+
+      end
+    end
+  end
+end

data/lib/vcloud/edge_gateway/edge_gateway_configuration.rb

@@ -0,0 +1,41 @@
+module Vcloud
+  module EdgeGateway
+    class EdgeGatewayConfiguration
+
+      def initialize(local_config)
+        @local_config = local_config
+        @config = { }
+      end
+
+      def update_required?(remote_config)
+        update_required = false
+
+        firewall_service_config = EdgeGateway::ConfigurationGenerator::FirewallService.new.generate_fog_config(@local_config[:firewall_service])
+        unless firewall_service_config.nil?
+          differ = EdgeGateway::ConfigurationDiffer.new(firewall_service_config, remote_config[:FirewallService])
+          unless differ.diff.empty?
+            @config[:FirewallService] = firewall_service_config
+            update_required = true
+          end
+        end
+
+        nat_service_config = EdgeGateway::ConfigurationGenerator::NatService.new(@local_config[:gateway], @local_config[:nat_service]).generate_fog_config
+
+        unless nat_service_config.nil?
+          differ = EdgeGateway::ConfigurationDiffer.new(nat_service_config, remote_config[:NatService])
+          unless differ.diff.empty?
+            @config[:NatService] = nat_service_config
+            update_required = true
+          end
+        end
+
+        update_required
+      end
+
+      def config
+        @config
+      end
+
+    end
+  end
+end

data/lib/vcloud/edge_gateway/version.rb

@@ -0,0 +1,6 @@
+module Vcloud
+  module EdgeGateway
+    VERSION = '0.0.1'
+  end
+end
+

data/lib/vcloud/edge_gateway.rb

@@ -0,0 +1,32 @@
+require 'vcloud/edge_gateway/version'
+
+require 'vcloud/core'
+require 'vcloud/fog'
+
+require 'vcloud/config_loader'
+require 'vcloud/config_validator'
+
+require 'vcloud/edge_gateway_services'
+
+require 'vcloud/schema/nat_service'
+require 'vcloud/schema/firewall_service'
+require 'vcloud/schema/load_balancer_service'
+require 'vcloud/schema/edge_gateway'
+
+require 'vcloud/edge_gateway/configuration_generator/id_ranges'
+require 'vcloud/edge_gateway/configuration_generator/firewall_service'
+require 'vcloud/edge_gateway/configuration_generator/nat_service'
+require 'vcloud/edge_gateway/configuration_generator/load_balancer_service'
+require 'vcloud/edge_gateway/configuration_differ'
+require 'vcloud/edge_gateway/edge_gateway_configuration'
+
+
+module Vcloud
+  module EdgeGateway
+
+    def self.logger
+      @logger ||=Logger.new(STDOUT)
+    end
+
+  end
+end

data/lib/vcloud/edge_gateway_services.rb

@@ -0,0 +1,26 @@
+require 'hashdiff'
+
+module Vcloud
+  class EdgeGatewayServices
+
+    def initialize
+      @config_loader = Vcloud::ConfigLoader.new
+    end
+
+    def update(config_file = nil)
+      config = @config_loader.load_config(config_file, Vcloud::Schema::EDGE_GATEWAY_SERVICES)
+
+      edge_gateway = Core::EdgeGateway.get_by_name config[:gateway]
+      remote_config = edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration]
+
+      proposed_config = EdgeGateway::EdgeGatewayConfiguration.new(config)
+
+      if proposed_config.update_required?(remote_config)
+        edge_gateway.update_configuration proposed_config.config
+      else
+        Vcloud::EdgeGateway.logger.info("EdgeGatewayServices.update: Configuration is already up to date. Skipping.")
+      end
+    end
+
+  end
+end

data/lib/vcloud/schema/edge_gateway.rb

@@ -0,0 +1,15 @@
+module Vcloud
+  module Schema
+
+    EDGE_GATEWAY_SERVICES = {
+        type: 'hash',
+        allowed_empty: false,
+        internals: {
+            gateway: { type: 'string' },
+            firewall_service: FIREWALL_SERVICE,
+            nat_service: NAT_SERVICE
+        }
+    }
+
+  end
+end

data/lib/vcloud/schema/firewall_service.rb

@@ -0,0 +1,39 @@
+module Vcloud
+  module Schema
+
+    FIREWALL_RULE = {
+        type: Hash,
+        internals: {
+            id: { type: 'string_or_number', required: false},
+            enabled: { type: 'boolean', required: false},
+            match_on_translate: { type: 'boolean', required: false},
+            description: { type: 'string', required: false, allowed_empty: true},
+            policy: { type: 'enum', required: false, acceptable_values: ['allow', 'drop'] },
+            source_ip: { type: 'ip_address_range', required: true },
+            destination_ip: { type: 'ip_address_range', required: true },
+            source_port_range: { type: 'string', required: false },
+            destination_port_range: { type: 'string', required: false },
+            enable_logging: { type: 'boolean', required: false },
+            protocols: { type: 'enum', required: false, acceptable_values: ['tcp', 'udp', 'icmp', 'tcp+udp', 'any']},
+        }
+    }
+
+    FIREWALL_SERVICE = {
+        type: Hash,
+        allowed_empty: true,
+        required: false,
+        internals: {
+            enabled: { type: 'boolean', required: false},
+            policy: { type: 'enum', required: false, acceptable_values: ['allow', 'drop'] },
+            log_default_action: { type: 'boolean', required: false},
+            firewall_rules: {
+                type: Array,
+                required: false,
+                allowed_empty: true,
+                each_element_is: FIREWALL_RULE
+            }
+        }
+    }
+
+  end
+end

data/lib/vcloud/schema/load_balancer_service.rb

@@ -0,0 +1,129 @@
+module Vcloud
+  module Schema
+
+    POOL_MEMBER_SERVICE_PORT_ENTRY = {
+      type: Hash,
+      required: false,
+      internals: {
+        port: { type: 'string_or_number', required: false },
+        health_check_port: { type: 'string_or_number', required: false },
+      }
+    }
+
+    LOAD_BALANCER_MEMBER_ENTRY = {
+      type: Hash,
+      internals: {
+        ip_address: { type: 'ip_address', required: true },
+        weight:     { type: 'string_or_number', required: false },
+        service_port: {
+          type: 'hash',
+          required: false,
+          internals: {
+            http:  POOL_MEMBER_SERVICE_PORT_ENTRY,
+            https: POOL_MEMBER_SERVICE_PORT_ENTRY,
+            tcp:   POOL_MEMBER_SERVICE_PORT_ENTRY,
+          },
+        },
+      },
+    }
+
+    POOL_SERVICE_SECTION = {
+      type: Hash,
+      required: false,
+      internals: {
+        enabled: { type: 'boolean', required: false },
+        port:    { type: 'string_or_number', required: false },
+        algorithm: { type: 'enum', required: false,
+          acceptable_values: [ 'ROUND_ROBIN', 'IP_HASH', 'URI', 'LEAST_CONNECTED' ]},
+        health_check: {
+          type: 'hash',
+          required: false,
+          internals: {
+            port: { type: 'string_or_number', required: false },
+            uri: { type: 'string', required: false },
+            protocol: { type: 'enum', required: false,
+              acceptable_values: [ 'HTTP', 'SSL', 'TCP' ] },
+            health_threshold: { type: 'string_or_number', required: false },
+            unhealth_threshold: { type: 'string_or_number', required: false },
+            interval: { type: 'string_or_number', required: false },
+            timeout: { type: 'string_or_number', required: false },
+          },
+        },
+      }
+    }
+
+    LOAD_BALANCER_POOL_ENTRY = {
+      type: Hash,
+      internals: {
+        name: { type: 'string', required: true },
+        description: { type: 'string', required: false },
+        service: {
+          type: 'hash',
+          required: false,
+          internals: {
+            http:  POOL_SERVICE_SECTION,
+            https: POOL_SERVICE_SECTION,
+            tcp:   POOL_SERVICE_SECTION,
+          }
+        },
+        members: {
+          type: Array,
+          required: true,
+          allowed_empty: false,
+          each_element_is: LOAD_BALANCER_MEMBER_ENTRY,
+        }
+      }
+    }
+
+    VIRTUAL_SERVER_SERVICE_PROFILE_ENTRY = {
+      type: Hash,
+      required: false,
+      internals: {
+        enabled: { type: 'boolean', required: false },
+        port: { type: 'string_or_number', required: false },
+      }
+    }
+
+    LOAD_BALANCER_VIRTUAL_SERVER_ENTRY = {
+      type: Hash,
+      internals: {
+        enabled: { type: 'boolean', required: false },
+        name:    { type: 'string', required: true },
+        description: { type: 'string', required: false },
+        ip_address: { type: 'ip_address', required: true },
+        network: { type: 'string', required: true },
+        pool: { type: 'string', required: true },
+        logging: { type: 'boolean', required: false },
+        service_profiles: {
+          type: 'hash',
+          required: false,
+          internals: {
+            http:  VIRTUAL_SERVER_SERVICE_PROFILE_ENTRY,
+            https: VIRTUAL_SERVER_SERVICE_PROFILE_ENTRY,
+            tcp:   VIRTUAL_SERVER_SERVICE_PROFILE_ENTRY,
+          },
+        },
+      }
+    }
+
+    LOAD_BALANCER_SERVICE = {
+      type: Hash,
+      allowed_empty: true,
+      internals: {
+        enabled: { type: 'boolean', required: false },
+        pools: {
+          type: Array,
+          required: true,
+          allowed_empty: true,
+          each_element_is: LOAD_BALANCER_POOL_ENTRY,
+        },
+        virtual_servers: {
+          type: Array,
+          required: true,
+          allowed_empty: true,
+          each_element_is: LOAD_BALANCER_VIRTUAL_SERVER_ENTRY,
+        },
+      }
+    }
+  end
+end

data/lib/vcloud/schema/nat_service.rb

@@ -0,0 +1,35 @@
+module Vcloud
+  module Schema
+
+    NAT_RULE = {
+      type: Hash,
+      internals: {
+        id: {type: 'string_or_number', required: false},
+        enabled: {type: 'boolean', required: false},
+        rule_type: { type: 'enum', required: true, acceptable_values: ['SNAT', 'DNAT' ]},
+        description: {type: 'string', required: false, allowed_empty: true},
+        network_id: {type: 'string', required: true},
+        original_ip: {type: 'ip_address_range', required: true},
+        original_port: {type: 'string', required: false},
+        translated_ip: {type: 'ip_address_range', required: true},
+        translated_port: {type: 'string', required: false},
+        protocol: {type: 'enum', required: false, acceptable_values: ['tcp', 'udp', 'icmp', 'tcp+udp', 'any']},
+      }
+    }
+
+    NAT_SERVICE = {
+      type: Hash,
+      allowed_empty: true,
+      required: false,
+      internals: {
+        enabled: {type: 'boolean', required: false},
+        nat_rules: {
+          type: Array,
+          required: false,
+          allowed_empty: true,
+          each_element_is: NAT_RULE
+        }
+      }
+    }
+  end
+end

data/scripts/generate_fog_conf_file.sh

@@ -0,0 +1,6 @@
+cat <<EOF >fog_integration_test.config
+default:
+    vcloud_director_username: '$API_USERNAME'
+    vcloud_director_password: '$API_PASSWORD'
+    vcloud_director_host: '$API_HOST'
+EOF

data/spec/erb_helper.rb

@@ -0,0 +1,11 @@
+class ErbHelper
+  def self.convert_erb_template_to_yaml test_namespace, input_erb_config
+    input_erb_config = input_erb_config
+    e = ERB.new(File.open(input_erb_config).read)
+    output_yaml_config = File.join(File.dirname(input_erb_config), "output_#{Time.now.strftime('%s')}.yaml")
+    File.open(output_yaml_config, 'w') { |f|
+      f.write e.result(OpenStruct.new(test_namespace).instance_eval { binding })
+    }
+    output_yaml_config
+  end
+end

data/spec/integration/edge_gateway/data/firewall_config.yaml.erb

@@ -0,0 +1,17 @@
+---
+gateway: <%= edge_gateway_name %>
+firewall_service:
+  policy: drop
+  log_default_action: true
+  firewall_rules:
+  - enabled: true
+    description: 'A rule'
+    policy: allow
+    protocols: 'tcp'
+    destination_port_range: Any
+    destination_ip: 10.10.1.2
+    source_port_range: Any
+    source_ip: 192.0.2.2
+  - enabled: true
+    destination_ip: '10.10.1.3-10.10.1.5'
+    source_ip: 192.0.2.2/24

data/spec/integration/edge_gateway/data/firewall_config_updated_rule.yaml.erb

@@ -0,0 +1,17 @@
+---
+gateway: <%= edge_gateway_name %>
+firewall_service:
+  policy: drop
+  log_default_action: true
+  firewall_rules:
+  - enabled: true
+    description: 'A rule'
+    policy: allow
+    protocols: 'tcp'
+    destination_port_range: Any
+    destination_ip: 10.10.1.2
+    source_port_range: Any
+    source_ip: 192.0.2.2
+  - enabled: true
+    destination_ip: '10.10.1.3-10.10.1.6'
+    source_ip: 192.0.2.2/24