added option to override default security rule in regional backend se…

…curity policy

README.md

@@ -62,7 +62,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "security_policy" {
   source   = "GoogleCloudPlatform/cloud-armor/google"
-  version  = "~> 3.0"
+  version  = "~> 4.0"
 
   project_id                           = var.project_id
   name                                 = "my-test-security-policy"

docs/upgrading_to_v4.0.md

@@ -0,0 +1,9 @@
+# Upgrading to v4.0.0
+
+The v4.0 release contains backwards-incompatible changes.
+
+### TPG max version is bumped to 6.10 for regional-backend-security-policy module
+There is no known breaking change for Cloud Armor in 6.X.
+
+### Added default rule at priority 2147483647
+Before this version a default security rule with priority 2147483647 was created. This update will override that rule so users can manage it in terraform

examples/global-backend-security-policy-complete/main.tf

@@ -24,7 +24,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                           = var.project_id
   name                                 = "test-casp-policy-${random_id.suffix.hex}"

examples/global-backend-security-policy-enterprise/main.tf

@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                  = var.project_id
   name                        = "test-camp-policy-${random_id.suffix.hex}"

examples/global-backend-security-policy-example/main.tf

@@ -34,7 +34,7 @@ resource "google_network_security_address_group" "address_group" {
 
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                           = var.project_id
   name                                 = "test-casp-policy-${random_id.suffix.hex}"

examples/global-backend-security-policy-recaptcha/main.tf

@@ -36,7 +36,7 @@ resource "random_id" "suffix" {
 
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                  = var.project_id
   name                        = "test-policy-recaptcha-${random_id.suffix.hex}"

examples/global-edge-security-policy/main.tf

@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id          = var.project_id
   name                = "test-casp-edge-policy-${random_id.suffix.hex}"

examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf

@@ -25,7 +25,7 @@ resource "random_id" "suffix" {
 
 module "advanced_network_ddos_protection" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                         = var.project_id
   regions                            = [local.primary_region, local.secondary_region]
@@ -35,7 +35,7 @@ module "advanced_network_ddos_protection" {
 
 module "network_edge_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = local.primary_region

examples/regional-advanced-network-ddos-protection-enterprise/main.tf

@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 
 module "advanced_network_ddos_protection" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                         = var.project_id
   regions                            = ["us-central1", "us-east1"]

examples/regional-backend-security-policy-example/main.tf

@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 
 module "cloud_armor_regional_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/regional-backend-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   name        = "test-regional-external-sp-${random_id.suffix.hex}"

examples/regional-network-edge-security-policy-enterprise/main.tf

@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 
 module "network_edge_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = "us-central1"
@@ -85,7 +85,7 @@ module "network_edge_security_policy" {
 
 module "network_edge_security_policy_no_rules" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = "us-central1"

modules/advanced-network-ddos-protection/README.md

@@ -16,7 +16,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "advanced_network_ddos_protection" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   regions     = ["us-central1", "us-east1"]

modules/network-edge-security-policy/README.md

@@ -8,7 +8,7 @@ You can attch network edge security policy to backend services of [external pass
 ```
 module "network_edge_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = "us-central1"
@@ -35,7 +35,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "network_edge_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = "us-central1"

modules/regional-backend-security-policy/README.md

@@ -34,7 +34,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "cloud_armor_regional_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   name        = "test-regional-external-sp-${random_id.suffix.hex}"
@@ -194,6 +194,7 @@ module "cloud_armor_regional_security_policy" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | custom\_rules | Custome security rules | <pre>map(object({<br>    action      = string<br>    priority    = number<br>    description = optional(string)<br>    preview     = optional(bool, false)<br>    expression  = string<br>    rate_limit_options = optional(object({<br>      enforce_on_key      = optional(string)<br>      enforce_on_key_name = optional(string)<br>      enforce_on_key_configs = optional(list(object({<br>        enforce_on_key_name = optional(string)<br>        enforce_on_key_type = optional(string)<br>      })))<br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>      }),<br>    {})<br><br>    preconfigured_waf_config_exclusions = optional(map(object({<br>      target_rule_set = string<br>      target_rule_ids = optional(list(string), [])<br>      request_header = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_cookie = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_uri = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_query_param = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>    })), null)<br><br>  }))</pre> | `{}` | no |
+| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647). | `string` | `"allow"` | no |
 | description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no |
 | name | Name of regional security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no |
 | pre\_configured\_rules | Map of pre-configured rules with Sensitivity levels | <pre>map(object({<br>    action                  = string<br>    priority                = number<br>    description             = optional(string)<br>    preview                 = optional(bool, false)<br>    target_rule_set         = string<br>    sensitivity_level       = optional(number, 4)<br>    include_target_rule_ids = optional(list(string), [])<br>    exclude_target_rule_ids = optional(list(string), [])<br>    rate_limit_options = optional(object({<br>      enforce_on_key      = optional(string)<br>      enforce_on_key_name = optional(string)<br>      enforce_on_key_configs = optional(list(object({<br>        enforce_on_key_name = optional(string)<br>        enforce_on_key_type = optional(string)<br>      })))<br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>    }), {})<br><br>    preconfigured_waf_config_exclusions = optional(map(object({<br>      target_rule_set = string<br>      target_rule_ids = optional(list(string), [])<br>      request_header = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_cookie = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_uri = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_query_param = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>    })), null)<br><br>  }))</pre> | `{}` | no |

modules/regional-backend-security-policy/main.tf

@@ -237,7 +237,7 @@ resource "google_compute_region_security_policy_rule" "custom_rules" {
 
 resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
   provider        = google-beta
-  for_each        = var.pre_configured_rules #var.pre_configured_rules == null ? {} : { for x in var.pre_configured_rules : x.priority => x }
+  for_each        = var.pre_configured_rules
   project         = var.project_id
   region          = var.region
   security_policy = google_compute_region_security_policy.security_policy.name
@@ -334,3 +334,20 @@ resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
 
 }
 
+##### Default Rule
+
+resource "google_compute_region_security_policy_rule" "default_rule" {
+  provider        = google-beta
+  region          = var.region
+  project         = var.project_id
+  security_policy = google_compute_region_security_policy.security_policy.name
+  description     = "default rule"
+  action          = var.default_rule_action
+  priority        = "2147483647"
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+}

modules/regional-backend-security-policy/variables.tf

@@ -170,3 +170,9 @@ variable "custom_rules" {
   }))
   default = {}
 }
+
+variable "default_rule_action" {
+  description = "default rule that allows/denies all traffic with the lowest priority (2,147,483,647)."
+  type        = string
+  default     = "allow"
+}

modules/regional-backend-security-policy/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.29, < 7"
+      version = ">= 6.10, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.29, < 7"
+      version = ">= 6.10, < 7"
     }
   }
   provider_meta "google" {