diff --git a/.fixtures.yml b/.fixtures.yml index dd1c888bd..b8538871e 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -28,9 +28,8 @@ fixtures: augeas_core: {"repo": "puppetlabs/augeas_core", "ref": "1.5.0" } concat: {"repo": "puppetlabs/concat", "ref": "9.0.2" } cron_core: {"repo": "puppetlabs/cron_core", "ref": "1.3.0" } - docker: {"repo": "puppetlabs/docker", "ref": "10.0.1" } - # TODO: Upgrading to 7 requires nuking PuppetDB. https://forge.puppet.com/modules/puppetlabs/firewall/8.0.3/changelog - firewall: {"repo": "puppetlabs/firewall", "ref": "6.0.0" } + docker: {"repo": "puppetlabs/docker", "ref": "10.0.1"} + firewall: {"repo": "puppetlabs/firewall", "ref": "8.1.1" } host_core: {"repo": "puppetlabs/host_core", "ref": "1.3.0" } inifile: {"repo": "puppetlabs/inifile", "ref": "6.1.1" } lvm: {"repo": "puppetlabs/lvm", "ref": "2.3.0" } diff --git a/manifests/exposed_port.pp b/manifests/exposed_port.pp index f44414300..a8953bd3d 100644 --- a/manifests/exposed_port.pp +++ b/manifests/exposed_port.pp @@ -66,7 +66,7 @@ dport => $port, source => $cidr['block'], state => 'NEW', - action => 'accept', + jump => 'accept', } } } diff --git a/manifests/firewall_allow.pp b/manifests/firewall_allow.pp index 2a66443d4..36361fb7f 100644 --- a/manifests/firewall_allow.pp +++ b/manifests/firewall_allow.pp @@ -76,7 +76,7 @@ dport => $port, source => $cidr, state => 'NEW', - action => 'accept', + jump => 'accept', } } } diff --git a/manifests/profile/fulcrum/nginx.pp b/manifests/profile/fulcrum/nginx.pp index 1be068c59..0c6474efe 100644 --- a/manifests/profile/fulcrum/nginx.pp +++ b/manifests/profile/fulcrum/nginx.pp @@ -197,6 +197,6 @@ proto => 'tcp', dport => 443, state => 'NEW', - action => 'accept', + jump => 'accept', } } diff --git a/manifests/profile/haproxy.pp b/manifests/profile/haproxy.pp index 3277bd40f..f2553e623 100644 --- a/manifests/profile/haproxy.pp +++ b/manifests/profile/haproxy.pp 
@@ -139,15 +139,6 @@ tag => "${::datacenter}_haproxy" } - @@firewall { "200 HTTP firewall6: HAProxy ${::hostname}": - proto => 'tcp', - dport => [80, 443], - source => $::ipaddress, - state => 'NEW', - action => 'accept', - tag => 'firewall6-haproxy' - } - # HAProxy should listen for kubernetes connections. nebula::exposed_port { '200 kubectl': port => 6443, diff --git a/manifests/profile/hathitrust/rsync.pp b/manifests/profile/hathitrust/rsync.pp index 7c98a6a3e..0e13e6097 100644 --- a/manifests/profile/hathitrust/rsync.pp +++ b/manifests/profile/hathitrust/rsync.pp @@ -48,7 +48,7 @@ dport => 873, source => $user['ip'], state => 'NEW', - action => 'accept' + jump => 'accept' } } } diff --git a/manifests/profile/hathitrust/secure_rsync.pp b/manifests/profile/hathitrust/secure_rsync.pp index 1fe416ba0..b2f0b8078 100644 --- a/manifests/profile/hathitrust/secure_rsync.pp +++ b/manifests/profile/hathitrust/secure_rsync.pp @@ -69,7 +69,7 @@ source => $network['block'], src_range => $network['range'], state => 'NEW', - action => 'accept', + jump => 'accept', } } } diff --git a/manifests/profile/kubernetes/dns_server.pp b/manifests/profile/kubernetes/dns_server.pp index 03254d339..3b1e856c1 100644 --- a/manifests/profile/kubernetes/dns_server.pp +++ b/manifests/profile/kubernetes/dns_server.pp @@ -76,7 +76,7 @@ dport => 53, source => $node_cidr, state => 'NEW', - action => 'accept', + jump => 'accept', ; '200 Nameserver (TCP)': diff --git a/manifests/profile/kubernetes/haproxy.pp b/manifests/profile/kubernetes/haproxy.pp index a7d366e01..360ba6085 100644 --- a/manifests/profile/kubernetes/haproxy.pp +++ b/manifests/profile/kubernetes/haproxy.pp @@ -52,7 +52,7 @@ default: proto => 'tcp', state => 'NEW', - action => 'accept', + jump => 'accept', ; '200 private api': diff --git a/manifests/profile/kubernetes/kubelet.pp b/manifests/profile/kubernetes/kubelet.pp index 639da2c81..7f2452761 100644 --- a/manifests/profile/kubernetes/kubelet.pp 
+++ b/manifests/profile/kubernetes/kubelet.pp @@ -53,7 +53,7 @@ proto => 'tcp', source => $node_cidr, state => 'NEW', - action => 'accept', + jump => 'accept', ; '200 Cluster ssh': diff --git a/manifests/profile/kubernetes/router.pp b/manifests/profile/kubernetes/router.pp index af60aec88..62a76b400 100644 --- a/manifests/profile/kubernetes/router.pp +++ b/manifests/profile/kubernetes/router.pp @@ -20,7 +20,7 @@ firewall { '001 Do not NAT internal requests': table => 'nat', chain => 'POSTROUTING', - action => 'accept', + jump => 'accept', proto => 'all', source => $node_cidr, destination => $node_cidr, diff --git a/manifests/profile/letsencrypt.pp b/manifests/profile/letsencrypt.pp index c6777af05..74caf94cc 100644 --- a/manifests/profile/letsencrypt.pp +++ b/manifests/profile/letsencrypt.pp @@ -22,6 +22,6 @@ proto => 'tcp', dport => 80, state => 'NEW', - action => 'accept', + jump => 'accept', } } diff --git a/manifests/profile/networking/firewall.pp b/manifests/profile/networking/firewall.pp index 29cb0bb11..a6185b81e 100644 --- a/manifests/profile/networking/firewall.pp +++ b/manifests/profile/networking/firewall.pp @@ -144,7 +144,7 @@ $firewall_defaults = { proto => 'tcp', state => 'NEW', - action => 'accept' + jump => 'accept' } create_resources(firewall,$rules,$firewall_defaults) @@ -154,18 +154,18 @@ firewall { '001 accept related established rules': proto => 'all', state => ['RELATED', 'ESTABLISHED'], - action => 'accept', + jump => 'accept', } firewall { '001 accept all to lo interface': proto => 'all', iniface => 'lo', - action => 'accept', + jump => 'accept', } firewall { '999 drop all': proto => 'all', - action => 'drop', + jump => 'drop', before => undef, } 
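Review bot: In manifests/profile/networking/firewall.pp, `$firewall_defaults` now supplies `jump => 'accept'`, but the `$rules` hash passed to `create_resources(firewall,$rules,$firewall_defaults)` comes from outside this diff. Any entry that still sets `action` (or `provider`, renamed to `protocol` in the next hunk) would no longer override the default and is likely to be rejected as an unknown attribute by the 8.x type; that would stop the catalog, and with it every firewall change, on the affected host. Please confirm the Hiera data was migrated in the same change. A comment above the defaults would help, for example `# $rules entries must use jump/protocol, not action/provider (puppetlabs/firewall >= 7)`. The enclosing class starts outside the hunk.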
@@ -173,22 +173,22 @@ firewall { '001 accept related established rules (v6)': proto => 'all', state => ['RELATED', 'ESTABLISHED'], - action => 'accept', - provider => 'ip6tables', + jump => 'accept', + protocol => 'ip6tables', } firewall { '001 accept all to lo interface (v6)': proto => 'all', iniface => 'lo', - action => 'accept', - provider => 'ip6tables', + jump => 'accept', + protocol => 'ip6tables', } firewall { '999 drop all (v6)': proto => 'all', - action => 'drop', + jump => 'drop', before => undef, - provider => 'ip6tables', + protocol => 'ip6tables', } } diff --git a/manifests/profile/networking/firewall/http.pp b/manifests/profile/networking/firewall/http.pp index 7822f52cf..9ec5d71ca 100644 --- a/manifests/profile/networking/firewall/http.pp +++ b/manifests/profile/networking/firewall/http.pp @@ -14,7 +14,7 @@ # @example # include nebula::profile::networking::firewall::http class nebula::profile::networking::firewall::http () { - Firewall <<| tag == 'firewall6-haproxy' |>> + Firewall <<| tag == "${::datacenter}_haproxy" |>> } diff --git a/manifests/profile/networking/firewall/http_datacenters.pp b/manifests/profile/networking/firewall/http_datacenters.pp index 1a3f3488c..005d148c4 100644 --- a/manifests/profile/networking/firewall/http_datacenters.pp +++ b/manifests/profile/networking/firewall/http_datacenters.pp @@ -16,7 +16,7 @@ proto => 'tcp', dport => [80, 443], state => 'NEW', - action => 'accept' + jump => 'accept' } $networks.flatten.each |$network| { diff --git a/manifests/profile/networking/firewall/private_ssh.pp b/manifests/profile/networking/firewall/private_ssh.pp index 904397cf7..0a500a558 100644 --- a/manifests/profile/networking/firewall/private_ssh.pp +++ b/manifests/profile/networking/firewall/private_ssh.pp @@ -9,7 +9,7 @@ $cidrs.each |$cidr| { firewall { "100 Private SSH: ${cidr}": state => 'NEW', - action => 'accept', + jump => 'accept', dport => $port, source => $cidr, proto => 'tcp' 
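Review bot: The collector in manifests/profile/networking/firewall/http.pp now matches `"${::datacenter}_haproxy"`, where it used to match the datacenter-independent `'firewall6-haproxy'`. Hosts including this class will therefore only import rules exported from their own datacenter. The haproxy.pp hunk shows only the closing `tag => "${::datacenter}_haproxy"` line of the resource that precedes the removed export, so the diff cannot confirm that resource is an exported `firewall` opening ports 80 and 443. If it is not, the collector matches nothing and, behind `999 drop all`, HAProxy traffic is dropped without any compile error. A spec asserting the collected rule would pin this down, as would a comment such as `# Collects @@firewall rules exported by nebula::profile::haproxy in the same datacenter` to state the intended scope.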
diff --git a/manifests/profile/prometheus.pp b/manifests/profile/prometheus.pp index 10b5e2d1b..6974188e0 100644 --- a/manifests/profile/prometheus.pp +++ b/manifests/profile/prometheus.pp @@ -176,23 +176,10 @@ proto => 'tcp', dport => [443], state => 'NEW', - action => 'accept', + jump => 'accept', } } - # Delete this once nothing is importing it. It's only here for the - # sake of hosts that aren't in production. - # Referenced in branches: fulcrum_demo, tdx_7298538 - # ** intentionally retains puppetlabs/firewall v6.0.0 semantics ** - @@firewall { "010 prometheus legacy node exporter ${::hostname}": - tag => "${::datacenter}_prometheus_node_exporter", - proto => 'tcp', - dport => 9100, - source => $::ipaddress, - state => 'NEW', - action => 'accept', - } - case $facts["mlibrary_ip_addresses"] { Hash[String, Array[String]]: { $all_public_addresses = $facts["mlibrary_ip_addresses"]["public"] @@ -244,25 +231,6 @@ dport => 9290, ; } - - @@firewall { - default: - proto => 'tcp', - source => $address, - state => 'NEW', - action => 'accept', - ; - - "010 prometheus public node exporter firewall6 ${::hostname} ${address}": - tag => "firewall6-${::datacenter}_prometheus_public_node_exporter", - dport => 9100, - ; - - "010 prometheus public ipmi exporter firewall6 ${::hostname} ${address}": - tag => "firewall6-${::datacenter}_prometheus_public_ipmi_exporter", - dport => 9290, - ; - } } $all_private_addresses.each |$address| { 
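Review bot: Removing the `010 prometheus legacy node exporter` export in the first prometheus.pp hunk deletes the only resource visible here that is tagged `"${::datacenter}_prometheus_node_exporter"`. The deleted comment named two branches (fulcrum_demo, tdx_7298538) that still import it. Nothing in the diff shows those importers were moved to the `_prometheus_public_node_exporter` / `_prometheus_private_node_exporter` tags. A host still collecting the old tag would presumably lose its port 9100 allow rule once the export leaves PuppetDB and stop being scraped, which is a silent monitoring gap rather than a visible failure. Please confirm the branches are retired or migrated, and say so in the commit message.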
@@ -284,25 +252,6 @@ dport => 9290, ; } - - @@firewall { - default: - proto => 'tcp', - source => $address, - state => 'NEW', - action => 'accept', - ; - - "010 prometheus firewall6 private node exporter ${::hostname} ${address}": - tag => "firewall6-${::datacenter}_prometheus_private_node_exporter", - dport => 9100, - ; - - "010 prometheus firewall6 private ipmi exporter ${::hostname} ${address}": - tag => "firewall6-${::datacenter}_prometheus_private_ipmi_exporter", - dport => 9290, - ; - } } @@firewall { "010 prometheus haproxy exporter ${::hostname}": @@ -314,15 +263,6 @@ jump => 'accept', } - @@firewall { "010 prometheus firewall6 haproxy exporter ${::hostname}": - tag => "firewall6-${::datacenter}_prometheus_haproxy_exporter", - proto => 'tcp', - dport => 9101, - source => $::ipaddress, - state => 'NEW', - action => 'accept', - } - @@firewall { "010 prometheus mysql exporter ${::hostname}": tag => "${::datacenter}_prometheus_mysql_exporter", proto => 'tcp', @@ -332,14 +272,5 @@ jump => 'accept', } - @@firewall { "010 prometheus firewall6 mysql exporter ${::hostname}": - tag => "firewall6-${::datacenter}_prometheus_mysql_exporter", - proto => 'tcp', - dport => 9104, - source => $::ipaddress, - state => 'NEW', - action => 'accept', - } - - Firewall <<| tag == "firewall6-${::datacenter}_pushgateway_node" |>> + Firewall <<| tag == "${::datacenter}_pushgateway_node" |>> } diff --git a/manifests/profile/prometheus/exporter/haproxy.pp b/manifests/profile/prometheus/exporter/haproxy.pp index 771d50a43..b76418185 100644 --- a/manifests/profile/prometheus/exporter/haproxy.pp +++ b/manifests/profile/prometheus/exporter/haproxy.pp @@ -32,6 +32,6 @@ content => template('nebula/profile/prometheus/exporter/haproxy/target.yaml.erb') } - Firewall <<| tag == "firewall6-${::datacenter}_prometheus_haproxy_exporter" |>> + Firewall <<| tag == "${::datacenter}_prometheus_haproxy_exporter" |>> } 
diff --git a/manifests/profile/prometheus/exporter/ipmi.pp b/manifests/profile/prometheus/exporter/ipmi.pp index 38ad49d2b..372dcadcf 100644 --- a/manifests/profile/prometheus/exporter/ipmi.pp +++ b/manifests/profile/prometheus/exporter/ipmi.pp @@ -33,10 +33,10 @@ fail('Host cannot be scraped without a public or private IP address') } elsif $all_private_addresses != [] { $ipaddress = $all_private_addresses[0] - Firewall <<| tag == "firewall6-${::datacenter}_prometheus_private_ipmi_exporter" |>> + Firewall <<| tag == "${::datacenter}_prometheus_private_ipmi_exporter" |>> } else { $ipaddress = $all_public_addresses[0] - Firewall <<| tag == "firewall6-${::datacenter}_prometheus_public_ipmi_exporter" |>> + Firewall <<| tag == "${::datacenter}_prometheus_public_ipmi_exporter" |>> } @@concat_fragment { "prometheus ipmi scrape config ${::hostname}": diff --git a/manifests/profile/prometheus/exporter/mysql.pp b/manifests/profile/prometheus/exporter/mysql.pp index f01faeaa2..a93693006 100644 --- a/manifests/profile/prometheus/exporter/mysql.pp +++ b/manifests/profile/prometheus/exporter/mysql.pp @@ -30,7 +30,7 @@ content => template('nebula/profile/prometheus/exporter/mysql/target.yaml.erb') } - Firewall <<| tag == "firewall6-${::datacenter}_prometheus_mysql_exporter" |>> + Firewall <<| tag == "${::datacenter}_prometheus_mysql_exporter" |>> $role = lookup_role() diff --git a/manifests/profile/prometheus/exporter/node.pp b/manifests/profile/prometheus/exporter/node.pp index b7b949b6f..34fd714aa 100644 --- a/manifests/profile/prometheus/exporter/node.pp +++ b/manifests/profile/prometheus/exporter/node.pp 
@@ -139,11 +139,11 @@ fail("${datacenter} host cannot be scraped by ${monitoring_datacenter} prometheus server without a public IP address") } elsif $all_private_addresses != [] and $monitoring_datacenter == $datacenter { $ipaddresses = $all_private_addresses - Firewall <<| tag == "firewall6-${monitoring_datacenter}_prometheus_private_node_exporter" |>> + Firewall <<| tag == "${monitoring_datacenter}_prometheus_private_node_exporter" |>> Concat_fragment <<| title == "02 pushgateway advanced private url ${monitoring_datacenter}" |>> } else { $ipaddresses = $all_public_addresses - Firewall <<| tag == "firewall6-${monitoring_datacenter}_prometheus_public_node_exporter" |>> + Firewall <<| tag == "${monitoring_datacenter}_prometheus_public_node_exporter" |>> Concat_fragment <<| title == "02 pushgateway advanced public url ${monitoring_datacenter}" |>> } @@ -157,15 +157,6 @@ state => 'NEW', jump => 'accept', } - - @@firewall { "300 pushgateway firewall6 ${::hostname} ${address}": - tag => "firewall6-${monitoring_datacenter}_pushgateway_node", - proto => 'tcp', - dport => 9091, - source => $address, - state => 'NEW', - action => 'accept', - } } ensure_packages(['curl', 'jq']) diff --git a/manifests/role/webhost/htvm/test.pp b/manifests/role/webhost/htvm/test.pp index f611a1f42..090ffcd23 100644 --- a/manifests/role/webhost/htvm/test.pp +++ b/manifests/role/webhost/htvm/test.pp @@ -13,7 +13,7 @@ dport => [80,443], source => $network['block'], state => 'NEW', - action => 'accept', + jump => 'accept', } } diff --git a/manifests/unison/client.pp b/manifests/unison/client.pp index ef8010e17..c515e3f83 100644 --- a/manifests/unison/client.pp +++ b/manifests/unison/client.pp @@ -42,13 +42,4 @@ jump => 'accept', tag => "unison-client-${title}" } - - @@firewall { "200 Unison firewall6: ${title} ${::hostname}": - proto => 'tcp', - dport => [$port], - source => $::ipaddress, - state => 'NEW', - action => 'accept', - tag => "firewall6-unison-client-${title}" - } } 
diff --git a/manifests/unison/server.pp b/manifests/unison/server.pp index 7445e84dc..f9ca32b73 100644 --- a/manifests/unison/server.pp +++ b/manifests/unison/server.pp @@ -33,6 +33,6 @@ filesystems => $filesystems } - Firewall <<| tag == "firewall6-unison-client-${title}" |>> + Firewall <<| tag == "unison-client-${title}" |>> } diff --git a/metadata.json b/metadata.json index 332d7208c..7a5727c53 100644 --- a/metadata.json +++ b/metadata.json @@ -20,7 +20,7 @@ {"name": "puppetlabs/concat", "version_requirement": ">= 9.0.2 < 10.0.0"}, {"name": "puppetlabs/cron_core", "version_requirement": ">= 1.3.0 < 2.0.0" }, {"name": "puppetlabs/docker", "version_requirement": ">= 10.0.1 < 11.0.0"}, - {"name": "puppetlabs/firewall", "version_requirement": "6.0.0"}, + {"name": "puppetlabs/firewall", "version_requirement": ">= 8.1.1 < 9.0.0 "}, {"name": "puppetlabs/host_core", "version_requirement": ">= 1.3.0 < 2.0.0" }, {"name": "puppetlabs/inifile", "version_requirement": ">= 6.1.1 < 7.0.0" }, {"name": "puppetlabs/lvm", "version_requirement": ">= 2.3.0 < 3.0.0" }, diff --git a/spec/classes/profile/kubernetes/dns_server_spec.rb b/spec/classes/profile/kubernetes/dns_server_spec.rb index f318fdcc4..cd067b557 100644 --- a/spec/classes/profile/kubernetes/dns_server_spec.rb +++ b/spec/classes/profile/kubernetes/dns_server_spec.rb @@ -36,7 +36,7 @@ .with_dport(53) .with_source('172.28.0.0/14') .with_state('NEW') - .with_action('accept') + .with_jump('accept') end end diff --git a/spec/classes/profile/kubernetes/haproxy_spec.rb b/spec/classes/profile/kubernetes/haproxy_spec.rb index feb513fb5..184b19254 100644 --- a/spec/classes/profile/kubernetes/haproxy_spec.rb +++ b/spec/classes/profile/kubernetes/haproxy_spec.rb @@ -66,7 +66,7 @@ expect(subject).to contain_firewall("200 public #{service}") .with_proto('tcp') .with_state('NEW') - .with_action('accept') + .with_jump('accept') .with_dport(port) .without_source when :private 
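Review bot: In the metadata.json hunk, the new requirement string `">= 8.1.1 < 9.0.0 "` has a space before the closing quote, unlike every sibling entry. Whether that is tolerated depends on the tool parsing the range, so it is safer to write `">= 8.1.1 < 9.0.0"`. The change also replaces an exact pin (`6.0.0`) with a range, while .fixtures.yml tests only 8.1.1. The firewall module version actually deployed is then whatever the environment's dependency resolution picks within 8.x, so it is worth pinning that in the deployment tooling.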
@@ -77,7 +77,7 @@ expect(subject).to contain_firewall("200 private #{service}") .with_proto('tcp') .with_state('NEW') - .with_action('accept') + .with_jump('accept') .with_dport(port) .with_source('172.28.0.0/14') end diff --git a/spec/classes/profile/kubernetes/kubelet_spec.rb b/spec/classes/profile/kubernetes/kubelet_spec.rb index ccf5deb78..d185dbb23 100644 --- a/spec/classes/profile/kubernetes/kubelet_spec.rb +++ b/spec/classes/profile/kubernetes/kubelet_spec.rb @@ -102,7 +102,7 @@ .with_dport(ports) .with_source('172.28.0.0/14') .with_state('NEW') - .with_action('accept') + .with_jump('accept') end end end diff --git a/spec/classes/profile/kubernetes/router_spec.rb b/spec/classes/profile/kubernetes/router_spec.rb index 909a4f937..4f0edafb9 100644 --- a/spec/classes/profile/kubernetes/router_spec.rb +++ b/spec/classes/profile/kubernetes/router_spec.rb @@ -23,7 +23,7 @@ expect(subject).to contain_firewall('001 Do not NAT internal requests') .with_table('nat') .with_chain('POSTROUTING') - .with_action('accept') + .with_jump('accept') .with_proto('all') .with_source('172.28.0.0/14') .with_destination('172.28.0.0/14') diff --git a/spec/classes/profile/networking/firewall/private_ssh_spec.rb b/spec/classes/profile/networking/firewall/private_ssh_spec.rb index 84469743b..86161a3b0 100644 --- a/spec/classes/profile/networking/firewall/private_ssh_spec.rb +++ b/spec/classes/profile/networking/firewall/private_ssh_spec.rb 
@@ -17,7 +17,7 @@ it { is_expected.to compile } it { is_expected.to contain_firewall('100 Private SSH: 10.0.0.0/8').with_state('NEW') } - it { is_expected.to contain_firewall('100 Private SSH: 10.0.0.0/8').with_action('accept') } + it { is_expected.to contain_firewall('100 Private SSH: 10.0.0.0/8').with_jump('accept') } it { is_expected.to contain_firewall('100 Private SSH: 10.0.0.0/8').with_proto('tcp') } it { is_expected.to contain_firewall('100 Private SSH: 10.0.0.0/8').with_dport(22) } it { is_expected.to contain_firewall('100 Private SSH: 10.0.0.0/8').with_source('10.0.0.0/8') } diff --git a/spec/classes/profile/networking/firewall_spec.rb b/spec/classes/profile/networking/firewall_spec.rb index 2ad502f24..c58761c49 100644 --- a/spec/classes/profile/networking/firewall_spec.rb +++ b/spec/classes/profile/networking/firewall_spec.rb @@ -16,7 +16,7 @@ expect(subject).to contain_firewall('001 accept related established rules').with( proto: 'all', state: %w[RELATED ESTABLISHED], - action: 'accept', + jump: 'accept', ) end @@ -24,8 +24,8 @@ expect(subject).to contain_firewall('001 accept related established rules (v6)').with( proto: 'all', state: %w[RELATED ESTABLISHED], - action: 'accept', - provider: 'ip6tables', + jump: 'accept', + protocol: 'ip6tables', ) end @@ -33,7 +33,7 @@ expect(subject).to contain_firewall('001 accept all to lo interface').with( proto: 'all', iniface: 'lo', - action: 'accept', + jump: 'accept', ) end @@ -41,8 +41,8 @@ expect(subject).to contain_firewall('001 accept all to lo interface (v6)').with( proto: 'all', iniface: 'lo', - action: 'accept', - provider: 'ip6tables', + jump: 'accept', + protocol: 'ip6tables', ) end @@ -53,7 +53,7 @@ dport: %w[8081 8082], source: '10.2.3.4', state: 'NEW', - action: 'accept', + jump: 'accept', ) end @@ -63,7 +63,7 @@ dport: 123, source: '10.4.5.6', state: 'NEW', - action: 'accept', + jump: 'accept', ) end 
@@ -77,7 +77,7 @@ toports: '1234', ) expect(subject).not_to contain_firewall('900 port forwarding: an advanced rule').with( - action: 'accept', + jump: 'accept', state: 'NEW', ) end @@ -85,15 +85,15 @@ it do expect(subject).to contain_firewall('999 drop all').with( proto: 'all', - action: 'drop', + jump: 'drop', ) end it do expect(subject).to contain_firewall('999 drop all (v6)').with( proto: 'all', - action: 'drop', - provider: 'ip6tables', + jump: 'drop', + protocol: 'ip6tables', ) end diff --git a/spec/classes/profile/prometheus_spec.rb b/spec/classes/profile/prometheus_spec.rb index e77da9f62..ddcc9ced1 100644 --- a/spec/classes/profile/prometheus_spec.rb +++ b/spec/classes/profile/prometheus_spec.rb @@ -193,14 +193,8 @@ end end - it 'exports a firewall so that nodes can open 9100' do - expect(exported_resources).to contain_firewall("010 prometheus legacy node exporter #{facts[:hostname]}") - .with_tag('mydatacenter_prometheus_node_exporter') - .with_proto('tcp') - .with_dport(9100) - .with_source(facts[:ipaddress]) - .with_state('NEW') - .with_action('accept') + it 'does not export legacy port 9100 firewall resource' do + expect(exported_resources).not_to contain_firewall("010 prometheus legacy node exporter #{facts[:hostname]}") end context 'with no mlibrary_ip_addresses fact' do diff --git a/spec/defines/cert_spec.rb b/spec/defines/cert_spec.rb index d7022372f..11a66b1d3 100644 --- a/spec/defines/cert_spec.rb +++ b/spec/defines/cert_spec.rb @@ -28,7 +28,7 @@ .with_proto('tcp') .with_dport(80) .with_state('NEW') - .with_action('accept') + .with_jump('accept') end context 'with additional_domains set to sub.example.invalid' do diff --git a/spec/defines/exposed_port_spec.rb b/spec/defines/exposed_port_spec.rb index 2ac2c36a3..639380956 100644 --- a/spec/defines/exposed_port_spec.rb +++ b/spec/defines/exposed_port_spec.rb @@ -23,7 +23,7 @@ dport: 22, source: '10.0.0.0/16', state: 'NEW', - action: 'accept', + jump: 'accept', ) end 
diff --git a/spec/defines/firewall_allow_spec.rb b/spec/defines/firewall_allow_spec.rb index 02181d876..8c65d00cc 100644 --- a/spec/defines/firewall_allow_spec.rb +++ b/spec/defines/firewall_allow_spec.rb @@ -23,7 +23,7 @@ dport: 1234, source: '10.0.0.0/32', state: 'NEW', - action: 'accept', + jump: 'accept', ) end @@ -59,7 +59,7 @@ dport: [123, 456, 789], source: '10.255.255.255/32', state: 'NEW', - action: 'accept', + jump: 'accept', ) end end