fix: added example for address group in global security policy (#138)

examples/global-backend-security-policy-example/README.md

@@ -1,4 +1,4 @@
-# Simple Cloud Armor Policy with preconfigured rules, custom rules and security rules
+# Simple Cloud Armor Policy with pre-configured rules, custom rules and security rules
 
 This example configures a single cloud armor policy with following types of rules:
 - Pre-configured rules
@@ -7,6 +7,8 @@ This example configures a single cloud armor policy with following types of rule
 - Threat Intelligence Rules (Requires [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Remove these rules if you dont have Cloud Armor Enterprise enabled for your project)
 - Rule for Automatically deploying Adaptive Protection suggested rules (Requires [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Remove these rules if you dont have Cloud Armor Enterprise enabled for your project)
 
+This example also shows how you can deploy custom rules with [address groups](https://cloud.google.com/armor/docs/address-groups-using)
+
 ## Usage
 
 To run this example you need to execute:
@@ -32,6 +34,7 @@ terraform apply
 
 | Name | Description |
 |------|-------------|
+| address\_group\_name | n/a |
 | policy\_name | Security Policy name |
 | security\_policy | Cloud Armor security policy created |
 

examples/global-backend-security-policy-example/main.tf

@@ -18,6 +18,20 @@ resource "random_id" "suffix" {
   byte_length = 4
 }
 
+resource "google_network_security_address_group" "address_group" {
+  provider = google-beta
+  name     = "address-groups-${random_id.suffix.hex}"
+  parent   = "projects/${var.project_id}"
+  location = "global"
+  type     = "IPV4"
+  capacity = "100"
+  purpose  = ["CLOUD_ARMOR"]
+  items = [
+    "208.80.154.224/32",
+    "47.185.201.160/32",
+  ]
+}
+
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
   version = "~> 3.0"
@@ -267,7 +281,7 @@ module "cloud_armor" {
 
     deny_java_level3_with_exclude = {
       action      = "deny(502)"
-      priority    = 100
+      priority    = 26
       description = "Deny pre-configured rule java-v33-stable at sensitivity level 3"
       preview     = true
 
@@ -278,7 +292,7 @@ module "cloud_armor" {
 
     "methodenforcement-v33-stable_level_1" = {
       action      = "deny(403)"
-      priority    = 6
+      priority    = 27
       description = "Method enforcement Level 1"
       preview     = true
       expression  = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')"
@@ -294,6 +308,17 @@ module "cloud_armor" {
         ]
       }
     }
+
+    deny_address_group = {
+      action      = "deny(502)"
+      priority    = 28
+      description = "Deny address group"
+
+      expression = <<-EOT
+        evaluateAddressGroup('${google_network_security_address_group.address_group.name}', origin.ip, ['47.185.201.160'])
+      EOT
+    }
+
   }
 
   #adaptive protection auto deploy rules

examples/global-backend-security-policy-example/outputs.tf

@@ -23,3 +23,7 @@ output "policy_name" {
   value       = module.cloud_armor.policy.name
   description = "Security Policy name"
 }
+
+output "address_group_name" {
+  value = google_network_security_address_group.address_group.name
+}

examples/global-backend-security-policy-example/versions.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.74, < 7"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 4.74, < 7"
+    }
+  }
+}

examples/regional-adv-ddos-and-network-edge-security-policy-complete/nlb.tf

@@ -41,7 +41,8 @@ resource "google_compute_region_backend_service" "backend" {
   load_balancing_scheme = "EXTERNAL"
   health_checks         = [google_compute_region_health_check.default.id]
   backend {
-    group = google_compute_instance_group.ca_vm_1_ig.self_link
+    group          = google_compute_instance_group.ca_vm_1_ig.self_link
+    balancing_mode = "CONNECTION"
   }
 
   log_config {

test/integration/global-backend-security-policy-example/simple_example_test.go

@@ -225,13 +225,21 @@ func TestGlobalSecurityPolicyExample(t *testing.T) {
 			assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 24 rule has Rate limit threshold interval")
 		}
 
-		// 	Rule 100
-		spRule100 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 100 --security-policy=%s --project %s", policyName, projectId))
-		for _, sp := range spRule100.Array() {
-			assert.True(sp.Get("preview").Bool(), "priority 100 rule Preview is set to True")
-			assert.Equal("deny(502)", sp.Get("action").String(), "priority 100 rule has expected action")
-			assert.Equal("Deny pre-configured rule java-v33-stable at sensitivity level 3", sp.Get("description").String(), "priority 100 rule has expected description")
-			assert.Equal("evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3, 'opt_out_rule_ids': ['owasp-crs-v030301-id944240-java', 'owasp-crs-v030301-id944120-java']})\n", sp.Get("match.expr.expression").String(), "priority 100 rule has expected expression")
+		// 	Rule 26
+		spRule26 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 26 --security-policy=%s --project %s", policyName, projectId))
+		for _, sp := range spRule26.Array() {
+			assert.True(sp.Get("preview").Bool(), "priority 26 rule Preview is set to True")
+			assert.Equal("deny(502)", sp.Get("action").String(), "priority 28 rule has expected action")
+			assert.Equal("Deny pre-configured rule java-v33-stable at sensitivity level 3", sp.Get("description").String(), "priority 26 rule has expected description")
+			assert.Equal("evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3, 'opt_out_rule_ids': ['owasp-crs-v030301-id944240-java', 'owasp-crs-v030301-id944120-java']})\n", sp.Get("match.expr.expression").String(), "priority 26 rule has expected expression")
+		}
+
+		// 	Rule 28
+		spRule28 := gcloud.Run(t, fmt.Sprintf("compute security-policies rules describe 28 --security-policy=%s --project %s", policyName, projectId))
+		for _, sp := range spRule28.Array() {
+			assert.False(sp.Get("preview").Bool(), "priority 28 rule Preview is set to False")
+			assert.Equal("deny(502)", sp.Get("action").String(), "priority 28 rule has expected action")
+			assert.Equal("Deny address group", sp.Get("description").String(), "priority 28 rule has expected description")
 		}
 
 	})

test/setup/iam.tf

@@ -24,6 +24,7 @@ locals {
     "roles/servicenetworking.networksAdmin",
     "roles/iam.serviceAccountAdmin",
     "roles/iam.serviceAccountUser",
+    "roles/compute.networkAdmin",
   ]
 }
 

test/setup/main.tf

@@ -16,20 +16,22 @@
 
 module "project" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   name              = "ci-cloud-armor"
   random_project_id = "true"
   org_id            = var.org_id
   folder_id         = var.folder_id
   billing_account   = var.billing_account
+  deletion_policy   = "DELETE"
 
   activate_apis = [
     "iam.googleapis.com",
     "cloudresourcemanager.googleapis.com",
     "compute.googleapis.com",
     "serviceusage.googleapis.com",
     "recaptchaenterprise.googleapis.com",
+    "networksecurity.googleapis.com",
   ]
 }