Skip to content

Commit

Permalink
fix: add auto_deploy_config block (#84)
Browse files Browse the repository at this point in the history
  • Loading branch information
imrannayer authored Dec 7, 2023
1 parent 12fb99a commit 468c904
Show file tree
Hide file tree
Showing 4 changed files with 42 additions and 29 deletions.
22 changes: 11 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -278,23 +278,23 @@ module "security_policy" {

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| adaptive\_protection\_auto\_deploy | Configuration for Automatically deploy Cloud Armor Adaptive Protection suggested rules. priority and action fields are required if enable is set to true | <pre>object({<br> enable = bool<br> priority = optional(number, null)<br> action = optional(string, null)<br> preview = optional(bool, false)<br> description = optional(string, "Adaptive Protection auto-deploy")<br> load_threshold = optional(number, 0.1)<br> confidence_threshold = optional(number, 0.5)<br> impacted_baseline_threshold = optional(number, 0.01)<br> expiration_sec = optional(number, 7200)<br> redirect_type = optional(string)<br> redirect_target = optional(string)<br><br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br><br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br><br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }), {})<br> })</pre> | <pre>{<br> "enable": false<br>}</pre> | no |
| adaptive\_protection\_auto\_deploy | Configuration for Automatically deploy Cloud Armor Adaptive Protection suggested rules. `priority` and `action` fields are required if `enable` is set to true. Requires `layer_7_ddos_defense_enable` set to `true`. | <pre>object({<br> enable = bool<br> priority = optional(number, null)<br> action = optional(string, null)<br> preview = optional(bool, false)<br> description = optional(string, "Adaptive Protection auto-deploy")<br> load_threshold = optional(number)<br> confidence_threshold = optional(number)<br> impacted_baseline_threshold = optional(number)<br> expiration_sec = optional(number)<br> redirect_type = optional(string)<br> redirect_target = optional(string)<br><br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br><br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br><br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }), {})<br> })</pre> | <pre>{<br> "enable": false<br>}</pre> | no |
| custom\_rules | Custome security rules | <pre>map(object({<br> action = string<br> priority = number<br> description = optional(string)<br> preview = optional(bool, false)<br> expression = string<br> redirect_type = optional(string, null)<br> redirect_target = optional(string, null)<br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }),<br> {})<br> header_action = optional(list(object({<br> header_name = optional(string)<br> header_value = optional(string)<br> })), [])<br><br> preconfigured_waf_config_exclusion = optional(object({<br> target_rule_set = string<br> target_rule_ids = optional(list(string), [])<br> request_header = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_cookie = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_uri = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_query_param = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> }), { target_rule_set = null })<br><br> }))</pre> | `{}` | no |
| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647) | `string` | `"allow"` | no |
| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647). | `string` | `"allow"` | no |
| description | An optional description of this security policy. Max size is 2048. | `string` | `null` | no |
| json\_custom\_config\_content\_types | A list of custom Content-Type header values to apply the JSON parsing. Only applicable when json\_parsing is set to STANDARD. Not supported for CLOUD\_ARMOR\_EDGE policy type | `list(string)` | `[]` | no |
| json\_parsing | Whether or not to JSON parse the payload body. Possible values are DISABLED and STANDARD. Not supported for CLOUD\_ARMOR\_EDGE policy type | `string` | `"DISABLED"` | no |
| layer\_7\_ddos\_defense\_enable | (Optional) If set to true, enables Cloud Armor Adaptive Protection for L7 DDoS detection. Cloud Armor Adaptive Protection is only supported in Global Security Policies of type CLOUD\_ARMOR | `bool` | `false` | no |
| json\_custom\_config\_content\_types | A list of custom Content-Type header values to apply the JSON parsing. Only applicable when json\_parsing is set to STANDARD. Not supported for CLOUD\_ARMOR\_EDGE policy type. | `list(string)` | `[]` | no |
| json\_parsing | Whether or not to JSON parse the payload body. Possible values are DISABLED and STANDARD. Not supported for CLOUD\_ARMOR\_EDGE policy type. | `string` | `"DISABLED"` | no |
| layer\_7\_ddos\_defense\_enable | (Optional) If set to true, enables Cloud Armor Adaptive Protection for L7 DDoS detection. Cloud Armor Adaptive Protection is only supported in Global Security Policies of type CLOUD\_ARMOR. Set this variable `true` for Adaptive Protection Auto Deploy. | `bool` | `false` | no |
| layer\_7\_ddos\_defense\_rule\_visibility | (Optional) Rule visibility can be one of the following: STANDARD - opaque rules. PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD\_ARMOR. | `string` | `"STANDARD"` | no |
| log\_level | Log level to use. Possible values are NORMAL and VERBOSE. Not supported for CLOUD\_ARMOR\_EDGE policy type | `string` | `"NORMAL"` | no |
| log\_level | Log level to use. Possible values are NORMAL and VERBOSE. Not supported for CLOUD\_ARMOR\_EDGE policy type. | `string` | `"NORMAL"` | no |
| name | Name of the security policy. | `string` | n/a | yes |
| pre\_configured\_rules | Map of pre-configured rules Sensitivity levels | <pre>map(object({<br> action = string<br> priority = number<br> description = optional(string)<br> preview = optional(bool, false)<br> redirect_type = optional(string, null)<br> redirect_target = optional(string, null)<br> target_rule_set = string<br> sensitivity_level = optional(number, 4)<br> include_target_rule_ids = optional(list(string), [])<br> exclude_target_rule_ids = optional(list(string), [])<br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }), {})<br><br> header_action = optional(list(object({<br> header_name = optional(string)<br> header_value = optional(string)<br> })), [])<br><br> preconfigured_waf_config_exclusion = optional(object({<br> target_rule_set = string<br> target_rule_ids = optional(list(string), [])<br> request_header = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_cookie = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_uri = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_query_param = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> }), { target_rule_set = null })<br><br> }))</pre> | `{}` | no |
| project\_id | The project in which the resource belongs | `string` | n/a | yes |
| recaptcha\_redirect\_site\_key | reCAPTCHA site key to be used for all the rules using the redirect action with the redirect type of GOOGLE\_RECAPTCHA | `string` | `null` | no |
| security\_rules | Map of Security rules with list of IP addresses to block or unblock | <pre>map(object({<br> action = string<br> priority = number<br> description = optional(string)<br> preview = optional(bool, false)<br> redirect_type = optional(string, null)<br> redirect_target = optional(string, null)<br> src_ip_ranges = list(string)<br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }),<br> {})<br> header_action = optional(list(object({<br> header_name = optional(string)<br> header_value = optional(string)<br> })), [])<br> }))</pre> | `{}` | no |
| project\_id | The project in which the resource belongs. | `string` | n/a | yes |
| recaptcha\_redirect\_site\_key | reCAPTCHA site key to be used for all the rules using the redirect action with the redirect type of GOOGLE\_RECAPTCHA. | `string` | `null` | no |
| security\_rules | Map of Security rules with list of IP addresses to block or unblock. | <pre>map(object({<br> action = string<br> priority = number<br> description = optional(string)<br> preview = optional(bool, false)<br> redirect_type = optional(string, null)<br> redirect_target = optional(string, null)<br> src_ip_ranges = list(string)<br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }),<br> {})<br> header_action = optional(list(object({<br> header_name = optional(string)<br> header_value = optional(string)<br> })), [])<br> }))</pre> | `{}` | no |
| threat\_intelligence\_rules | Map of Threat Intelligence Feed rules | <pre>map(object({<br> action = string<br> priority = number<br> description = optional(string)<br> preview = optional(bool, false)<br> feed = string<br> exclude_ip = optional(string)<br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }),<br> {})<br> header_action = optional(list(object({<br> header_name = optional(string)<br> header_value = optional(string)<br> })), [])<br> }))</pre> | `{}` | no |
| type | Type indicates the intended use of the security policy. Possible values are CLOUD\_ARMOR and CLOUD\_ARMOR\_EDGE | `string` | `"CLOUD_ARMOR"` | no |
| user\_ip\_request\_headers | An optional list of case-insensitive request header names to use for resolving the callers client IP address | `list(string)` | `[]` | no |
| type | Type indicates the intended use of the security policy. Possible values are CLOUD\_ARMOR and CLOUD\_ARMOR\_EDGE. | `string` | `"CLOUD_ARMOR"` | no |
| user\_ip\_request\_headers | An optional list of case-insensitive request header names to use for resolving the callers client IP address. | `list(string)` | `[]` | no |

## Outputs

Expand Down
8 changes: 5 additions & 3 deletions examples/security-policy-managed-protection-plus/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,11 @@ module "cloud_armor" {

## This is an example of deny policy. Examples for redirect and throttle policies are in README.
adaptive_protection_auto_deploy = {
enable = true
priority = 100000
action = "deny(403)"
enable = true
priority = 100000
action = "deny(403)"
load_threshold = 0.3
confidence_threshold = 0.6
}

threat_intelligence_rules = {
Expand Down
10 changes: 10 additions & 0 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -502,6 +502,16 @@ resource "google_compute_security_policy" "policy" {
enable = var.layer_7_ddos_defense_enable
rule_visibility = var.layer_7_ddos_defense_rule_visibility
}
dynamic "auto_deploy_config" {
for_each = var.adaptive_protection_auto_deploy.enable ? { auto_deploy = var.adaptive_protection_auto_deploy } : {}
content {
load_threshold = auto_deploy_config.value["load_threshold"]
confidence_threshold = auto_deploy_config.value["confidence_threshold"]
impacted_baseline_threshold = auto_deploy_config.value["impacted_baseline_threshold"]
expiration_sec = auto_deploy_config.value["expiration_sec"]
}

}
}
}

Expand Down
Loading

0 comments on commit 468c904

Please sign in to comment.