diff --git a/README.md b/README.md
index 095563f..8c58614 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
```
module "security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "my-test-security-policy"
diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md
new file mode 100644
index 0000000..3169f72
--- /dev/null
+++ b/docs/upgrading_to_v4.0.md
@@ -0,0 +1,9 @@
+# Upgrading to v4.0.0
+
+The v4.0 release contains backwards-incompatible changes.
+
+### TPG max version is bumped to 6.10 for regional-backend-security-policy module
+There is no known breaking change for Cloud Armor in 6.X.
+
+### Added default rule at priority 2147483647
+Before this version a default security rule with priority 2147483647 was created. This update will override that rule so users can manage it in terraform
diff --git a/examples/global-backend-security-policy-complete/main.tf b/examples/global-backend-security-policy-complete/main.tf
index dbbc455..c940e07 100644
--- a/examples/global-backend-security-policy-complete/main.tf
+++ b/examples/global-backend-security-policy-complete/main.tf
@@ -24,7 +24,7 @@ resource "random_id" "suffix" {
}
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-casp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-enterprise/main.tf b/examples/global-backend-security-policy-enterprise/main.tf
index e675492..255c774 100644
--- a/examples/global-backend-security-policy-enterprise/main.tf
+++ b/examples/global-backend-security-policy-enterprise/main.tf
@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
}
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-camp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-example/main.tf b/examples/global-backend-security-policy-example/main.tf
index f2ab7d9..aaa7472 100644
--- a/examples/global-backend-security-policy-example/main.tf
+++ b/examples/global-backend-security-policy-example/main.tf
@@ -34,7 +34,7 @@ resource "google_network_security_address_group" "address_group" {
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-casp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-recaptcha/main.tf b/examples/global-backend-security-policy-recaptcha/main.tf
index cd0767f..f17a30f 100644
--- a/examples/global-backend-security-policy-recaptcha/main.tf
+++ b/examples/global-backend-security-policy-recaptcha/main.tf
@@ -36,7 +36,7 @@ resource "random_id" "suffix" {
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-policy-recaptcha-${random_id.suffix.hex}"
diff --git a/examples/global-edge-security-policy/main.tf b/examples/global-edge-security-policy/main.tf
index c800213..5bb31b4 100644
--- a/examples/global-edge-security-policy/main.tf
+++ b/examples/global-edge-security-policy/main.tf
@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
}
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-casp-edge-policy-${random_id.suffix.hex}"
diff --git a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
index 864d18d..078229b 100644
--- a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
+++ b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
@@ -25,7 +25,7 @@ resource "random_id" "suffix" {
module "advanced_network_ddos_protection" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
regions = [local.primary_region, local.secondary_region]
@@ -35,7 +35,7 @@ module "advanced_network_ddos_protection" {
module "network_edge_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = local.primary_region
diff --git a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
index 07d4cfa..60c8176 100644
--- a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
+++ b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
module "advanced_network_ddos_protection" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
regions = ["us-central1", "us-east1"]
diff --git a/examples/regional-backend-security-policy-example/main.tf b/examples/regional-backend-security-policy-example/main.tf
index db0f8e8..eafb560 100644
--- a/examples/regional-backend-security-policy-example/main.tf
+++ b/examples/regional-backend-security-policy-example/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
module "cloud_armor_regional_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/regional-backend-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-regional-external-sp-${random_id.suffix.hex}"
diff --git a/examples/regional-network-edge-security-policy-enterprise/main.tf b/examples/regional-network-edge-security-policy-enterprise/main.tf
index 0eb0902..1bf7ccc 100644
--- a/examples/regional-network-edge-security-policy-enterprise/main.tf
+++ b/examples/regional-network-edge-security-policy-enterprise/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
module "network_edge_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = "us-central1"
@@ -85,7 +85,7 @@ module "network_edge_security_policy" {
module "network_edge_security_policy_no_rules" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = "us-central1"
diff --git a/modules/advanced-network-ddos-protection/README.md b/modules/advanced-network-ddos-protection/README.md
index fee24c9..9686d36 100644
--- a/modules/advanced-network-ddos-protection/README.md
+++ b/modules/advanced-network-ddos-protection/README.md
@@ -16,7 +16,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
```
module "advanced_network_ddos_protection" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
regions = ["us-central1", "us-east1"]
diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md
index c1b8621..f34179a 100644
--- a/modules/network-edge-security-policy/README.md
+++ b/modules/network-edge-security-policy/README.md
@@ -8,7 +8,7 @@ You can attch network edge security policy to backend services of [external pass
```
module "network_edge_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = "us-central1"
@@ -35,7 +35,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
```
module "network_edge_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = "us-central1"
diff --git a/modules/regional-backend-security-policy/README.md b/modules/regional-backend-security-policy/README.md
index 95c397d..8cffeeb 100644
--- a/modules/regional-backend-security-policy/README.md
+++ b/modules/regional-backend-security-policy/README.md
@@ -34,7 +34,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
```
module "cloud_armor_regional_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-regional-external-sp-${random_id.suffix.hex}"
@@ -194,6 +194,7 @@ module "cloud_armor_regional_security_policy" {
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| custom\_rules | Custome security rules | map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
expression = string
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}),
{})
preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)
})) | `{}` | no |
+| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647). | `string` | `"allow"` | no |
| description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no |
| name | Name of regional security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no |
| pre\_configured\_rules | Map of pre-configured rules with Sensitivity levels | map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
target_rule_set = string
sensitivity_level = optional(number, 4)
include_target_rule_ids = optional(list(string), [])
exclude_target_rule_ids = optional(list(string), [])
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}), {})
preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)
})) | `{}` | no |
diff --git a/modules/regional-backend-security-policy/main.tf b/modules/regional-backend-security-policy/main.tf
index 7b3f3c8..3e3a8f4 100644
--- a/modules/regional-backend-security-policy/main.tf
+++ b/modules/regional-backend-security-policy/main.tf
@@ -237,7 +237,7 @@ resource "google_compute_region_security_policy_rule" "custom_rules" {
resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
provider = google-beta
- for_each = var.pre_configured_rules #var.pre_configured_rules == null ? {} : { for x in var.pre_configured_rules : x.priority => x }
+ for_each = var.pre_configured_rules
project = var.project_id
region = var.region
security_policy = google_compute_region_security_policy.security_policy.name
@@ -334,3 +334,20 @@ resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
}
+##### Default Rule
+
+resource "google_compute_region_security_policy_rule" "default_rule" {
+ provider = google-beta
+ region = var.region
+ project = var.project_id
+ security_policy = google_compute_region_security_policy.security_policy.name
+ description = "default rule"
+ action = var.default_rule_action
+ priority = "2147483647"
+ match {
+ versioned_expr = "SRC_IPS_V1"
+ config {
+ src_ip_ranges = ["*"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/regional-backend-security-policy/variables.tf b/modules/regional-backend-security-policy/variables.tf
index 4b8e2ad..8e0335d 100644
--- a/modules/regional-backend-security-policy/variables.tf
+++ b/modules/regional-backend-security-policy/variables.tf
@@ -170,3 +170,9 @@ variable "custom_rules" {
}))
default = {}
}
+
+variable "default_rule_action" {
+ description = "default rule that allows/denies all traffic with the lowest priority (2,147,483,647)."
+ type = string
+ default = "allow"
+}
diff --git a/modules/regional-backend-security-policy/versions.tf b/modules/regional-backend-security-policy/versions.tf
index 997d50f..d56ec33 100644
--- a/modules/regional-backend-security-policy/versions.tf
+++ b/modules/regional-backend-security-policy/versions.tf
@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
- version = ">= 5.29, < 7"
+ version = ">= 6.10, < 7"
}
google-beta = {
source = "hashicorp/google-beta"
- version = ">= 5.29, < 7"
+ version = ">= 6.10, < 7"
}
}
provider_meta "google" {