From 3f313882017ca329c1073b7014b595e0ae12880a Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Wed, 4 Dec 2024 18:07:00 +0000
Subject: [PATCH] added option to override default security rule in regional backend security policy
---
 README.md | 2 +-
 docs/upgrading_to_v4.0.md | 9 +++++++++
 .../main.tf | 2 +-
 .../main.tf | 2 +-
 .../main.tf | 2 +-
 .../main.tf | 2 +-
 examples/global-edge-security-policy/main.tf | 2 +-
 .../main.tf | 4 ++--
 .../main.tf | 2 +-
 .../main.tf | 2 +-
 .../main.tf | 4 ++--
 .../README.md | 2 +-
 .../network-edge-security-policy/README.md | 4 ++--
 .../README.md | 3 ++-
 .../regional-backend-security-policy/main.tf | 19 ++++++++++++++++++-
 .../variables.tf | 6 ++++++
 .../versions.tf | 4 ++--
 17 files changed, 52 insertions(+), 19 deletions(-)
 create mode 100644 docs/upgrading_to_v4.0.md
diff --git a/README.md b/README.md
index 095563f..8c58614 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "security_policy" {
 source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 name = "my-test-security-policy"
diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md
new file mode 100644
index 0000000..3169f72
--- /dev/null
+++ b/docs/upgrading_to_v4.0.md
@@ -0,0 +1,9 @@
+# Upgrading to v4.0.0
+
+The v4.0 release contains backwards-incompatible changes.
+
+### TPG max version is bumped to 6.10 for regional-backend-security-policy module
+There is no known breaking change for Cloud Armor in 6.X.
+
+### Added default rule at priority 2147483647
+Before this version a default security rule with priority 2147483647 was created. This update will override that rule so users can manage it in terraform
diff --git a/examples/global-backend-security-policy-complete/main.tf b/examples/global-backend-security-policy-complete/main.tf
index dbbc455..c940e07 100644
--- a/examples/global-backend-security-policy-complete/main.tf
+++ b/examples/global-backend-security-policy-complete/main.tf
@@ -24,7 +24,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
 source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 name = "test-casp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-enterprise/main.tf b/examples/global-backend-security-policy-enterprise/main.tf
index e675492..255c774 100644
--- a/examples/global-backend-security-policy-enterprise/main.tf
+++ b/examples/global-backend-security-policy-enterprise/main.tf
@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
 source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 name = "test-camp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-example/main.tf b/examples/global-backend-security-policy-example/main.tf
index f2ab7d9..aaa7472 100644
--- a/examples/global-backend-security-policy-example/main.tf
+++ b/examples/global-backend-security-policy-example/main.tf
@@ -34,7 +34,7 @@ resource "google_network_security_address_group" "address_group" {
 module "cloud_armor" {
 source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 name = "test-casp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-recaptcha/main.tf b/examples/global-backend-security-policy-recaptcha/main.tf
index cd0767f..f17a30f 100644
--- a/examples/global-backend-security-policy-recaptcha/main.tf
+++ b/examples/global-backend-security-policy-recaptcha/main.tf
@@ -36,7 +36,7 @@ resource "random_id" "suffix" {
 module "cloud_armor" {
 source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 name = "test-policy-recaptcha-${random_id.suffix.hex}"
diff --git a/examples/global-edge-security-policy/main.tf b/examples/global-edge-security-policy/main.tf
index c800213..5bb31b4 100644
--- a/examples/global-edge-security-policy/main.tf
+++ b/examples/global-edge-security-policy/main.tf
@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
 source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 name = "test-casp-edge-policy-${random_id.suffix.hex}"
diff --git a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
index 864d18d..078229b 100644
--- a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
+++ b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
@@ -25,7 +25,7 @@ resource "random_id" "suffix" {
 module "advanced_network_ddos_protection" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 regions = [local.primary_region, local.secondary_region]
@@ -35,7 +35,7 @@ module "advanced_network_ddos_protection" {
 module "network_edge_security_policy" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 region = local.primary_region
diff --git a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
index 07d4cfa..60c8176 100644
--- a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
+++ b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 module "advanced_network_ddos_protection" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 regions = ["us-central1", "us-east1"]
diff --git a/examples/regional-backend-security-policy-example/main.tf b/examples/regional-backend-security-policy-example/main.tf
index db0f8e8..eafb560 100644
--- a/examples/regional-backend-security-policy-example/main.tf
+++ b/examples/regional-backend-security-policy-example/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 module "cloud_armor_regional_security_policy" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/regional-backend-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 name = "test-regional-external-sp-${random_id.suffix.hex}"
diff --git a/examples/regional-network-edge-security-policy-enterprise/main.tf b/examples/regional-network-edge-security-policy-enterprise/main.tf
index 0eb0902..1bf7ccc 100644
--- a/examples/regional-network-edge-security-policy-enterprise/main.tf
+++ b/examples/regional-network-edge-security-policy-enterprise/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 module "network_edge_security_policy" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 region = "us-central1"
@@ -85,7 +85,7 @@ module "network_edge_security_policy" {
 module "network_edge_security_policy_no_rules" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 region = "us-central1"
diff --git a/modules/advanced-network-ddos-protection/README.md b/modules/advanced-network-ddos-protection/README.md
index fee24c9..9686d36 100644
--- a/modules/advanced-network-ddos-protection/README.md
+++ b/modules/advanced-network-ddos-protection/README.md
@@ -16,7 +16,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "advanced_network_ddos_protection" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 regions = ["us-central1", "us-east1"]
diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md
index c1b8621..f34179a 100644
--- a/modules/network-edge-security-policy/README.md
+++ b/modules/network-edge-security-policy/README.md
@@ -8,7 +8,7 @@ You can attch network edge security policy to backend services of [external pass
 ```
 module "network_edge_security_policy" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 region = "us-central1"
@@ -35,7 +35,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "network_edge_security_policy" {
 source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 region = "us-central1"
diff --git a/modules/regional-backend-security-policy/README.md b/modules/regional-backend-security-policy/README.md
index 95c397d..8cffeeb 100644
--- a/modules/regional-backend-security-policy/README.md
+++ b/modules/regional-backend-security-policy/README.md
@@ -34,7 +34,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "cloud_armor_regional_security_policy" {
 source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
 project_id = var.project_id
 name = "test-regional-external-sp-${random_id.suffix.hex}"
@@ -194,6 +194,7 @@ module "cloud_armor_regional_security_policy" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | custom\_rules | Custome security rules |
map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
expression = string
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}),
{})

preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)

}))
| `{}` | no |
+| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647). | `string` | `"allow"` | no |
 | description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no |
 | name | Name of regional security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no |
 | pre\_configured\_rules | Map of pre-configured rules with Sensitivity levels |
map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
target_rule_set = string
sensitivity_level = optional(number, 4)
include_target_rule_ids = optional(list(string), [])
exclude_target_rule_ids = optional(list(string), [])
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}), {})

preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)

}))
| `{}` | no |
diff --git a/modules/regional-backend-security-policy/main.tf b/modules/regional-backend-security-policy/main.tf
index 7b3f3c8..3e3a8f4 100644
--- a/modules/regional-backend-security-policy/main.tf
+++ b/modules/regional-backend-security-policy/main.tf
@@ -237,7 +237,7 @@ resource "google_compute_region_security_policy_rule" "custom_rules" {
 resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
 provider = google-beta
- for_each = var.pre_configured_rules #var.pre_configured_rules == null ? {} : { for x in var.pre_configured_rules : x.priority => x }
+ for_each = var.pre_configured_rules
 project = var.project_id
 region = var.region
 security_policy = google_compute_region_security_policy.security_policy.name
@@ -334,3 +334,20 @@ resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
 }
+##### Default Rule
+
+resource "google_compute_region_security_policy_rule" "default_rule" {
+ provider = google-beta
+ region = var.region
+ project = var.project_id
+ security_policy = google_compute_region_security_policy.security_policy.name
+ description = "default rule"
+ action = var.default_rule_action
+ priority = "2147483647"
+ match {
+ versioned_expr = "SRC_IPS_V1"
+ config {
+ src_ip_ranges = ["*"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/regional-backend-security-policy/variables.tf b/modules/regional-backend-security-policy/variables.tf
index 4b8e2ad..8e0335d 100644
--- a/modules/regional-backend-security-policy/variables.tf
+++ b/modules/regional-backend-security-policy/variables.tf
@@ -170,3 +170,9 @@ variable "custom_rules" {
 }))
 default = {}
 }
+
+variable "default_rule_action" {
+ description = "default rule that allows/denies all traffic with the lowest priority (2,147,483,647)."
+ type = string
+ default = "allow"
+}
diff --git a/modules/regional-backend-security-policy/versions.tf b/modules/regional-backend-security-policy/versions.tf
index 997d50f..d56ec33 100644
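Review bot: The new `default_rule` resource in main.tf claims priority 2147483647, which the upgrade note in this commit says the API already creates implicitly, so on a first apply the provider must adopt that existing rule rather than try to create a second one at the same priority; versions.tf in this commit raises the google-beta minimum to 6.10, which appears to be what this relies on, but nothing at the resource records that coupling. A comment above the resource such as `# Takes over the implicit default rule Google creates at the lowest priority so its action is managed here; needs google-beta >= 6.10 (see versions.tf)` would keep the two changes together for the next maintainer. `priority = "2147483647"` is also a string where the module's other rules take a number (`priority = number` in variables.tf), so `priority = 2147483647` would be consistent, and the `\ No newline at end of file` marker shows the hunk drops main.tf's trailing newline. The pre_configured_rules resource in the first hunk continues outside the hunk.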
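Review bot: `default_rule_action` in variables.tf is an unconstrained string that becomes the catch-all action for the whole policy, so a typo such as `"Allow"` or a bare `"deny"` is only rejected by the API at apply time, after the plan looked clean. A `validation` block would fail at plan time instead, for instance `condition = can(regex("^(allow|deny\\(\\d{3}\\))$", var.default_rule_action))` with an `error_message` naming the accepted forms; the exact set of actions the regional rule resource accepts should be confirmed against the provider documentation before fixing the pattern. The description also reads as if the variable were the rule itself; something like `description = "Action of the lowest-priority (2147483647) default rule that matches all traffic, e.g. allow or deny(403)."` says what the value controls.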
--- a/modules/regional-backend-security-policy/versions.tf
+++ b/modules/regional-backend-security-policy/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.29, < 7"
+ version = ">= 6.10, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.29, < 7"
+ version = ">= 6.10, < 7"
 }
 }
 provider_meta "google" {