feat(TPG >= 4.79)!: added preconfigured_waf_config block in custom_ru…

…le (#71)

README.md

@@ -278,7 +278,7 @@ module "security_policy" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | adaptive\_protection\_auto\_deploy | Configuration for Automatically deploy Cloud Armor Adaptive Protection suggested rules. priority and action fields are required if enable is set to true | <pre>object({<br>    enable                      = bool<br>    priority                    = optional(number, null)<br>    action                      = optional(string, null)<br>    preview                     = optional(bool, false)<br>    description                 = optional(string, "Adaptive Protection auto-deploy")<br>    load_threshold              = optional(number, 0.1)<br>    confidence_threshold        = optional(number, 0.5)<br>    impacted_baseline_threshold = optional(number, 0.01)<br>    expiration_sec              = optional(number, 7200)<br>    redirect_type               = optional(string)<br>    redirect_target             = optional(string)<br><br>    rate_limit_options = optional(object({<br>      enforce_on_key      = optional(string)<br>      enforce_on_key_name = optional(string)<br><br>      enforce_on_key_configs = optional(list(object({<br>        enforce_on_key_name = optional(string)<br>        enforce_on_key_type = optional(string)<br>      })))<br><br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>    }), {})<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
-| custom\_rules | Custome security rules | <pre>map(object({<br>    action          = string<br>    priority        = number<br>    description     = optional(string)<br>    preview         = optional(bool, false)<br>    expression      = string<br>    redirect_type   = optional(string, null)<br>    redirect_target = optional(string, null)<br>    rate_limit_options = optional(object({<br>      enforce_on_key      = optional(string)<br>      enforce_on_key_name = optional(string)<br>      enforce_on_key_configs = optional(list(object({<br>        enforce_on_key_name = optional(string)<br>        enforce_on_key_type = optional(string)<br>      })))<br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>      }),<br>    {})<br>    header_action = optional(list(object({<br>      header_name  = optional(string)<br>      header_value = optional(string)<br>    })), [])<br>  }))</pre> | `{}` | no |
+| custom\_rules | Custome security rules | <pre>map(object({<br>    action          = string<br>    priority        = number<br>    description     = optional(string)<br>    preview         = optional(bool, false)<br>    expression      = string<br>    redirect_type   = optional(string, null)<br>    redirect_target = optional(string, null)<br>    rate_limit_options = optional(object({<br>      enforce_on_key      = optional(string)<br>      enforce_on_key_name = optional(string)<br>      enforce_on_key_configs = optional(list(object({<br>        enforce_on_key_name = optional(string)<br>        enforce_on_key_type = optional(string)<br>      })))<br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>      }),<br>    {})<br>    header_action = optional(list(object({<br>      header_name  = optional(string)<br>      header_value = optional(string)<br>    })), [])<br><br>    preconfigured_waf_config_exclusion = optional(object({<br>      target_rule_set = string<br>      target_rule_ids = optional(list(string), [])<br>      request_header = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_cookie = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_uri = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_query_param = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>    }), { target_rule_set = null })<br><br>  }))</pre> | `{}` | no |
 | default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647) | `string` | `"allow"` | no |
 | description | An optional description of this security policy. Max size is 2048. | `string` | `null` | no |
 | json\_custom\_config\_content\_types | A list of custom Content-Type header values to apply the JSON parsing. Only applicable when json\_parsing is set to STANDARD. Not supported for CLOUD\_ARMOR\_EDGE policy type | `list(string)` | `[]` | no |

examples/simple-example/main.tf

@@ -285,6 +285,25 @@ module "cloud_armor" {
 
     }
 
+    "methodenforcement-v33-stable_level_1" = {
+      action      = "deny(403)"
+      priority    = 6
+      description = "Method enforcement Level 1"
+      preview     = true
+      expression  = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')"
+
+      preconfigured_waf_config_exclusion = {
+        target_rule_set = "methodenforcement-v33-stable"
+        target_rule_ids = ["owasp-crs-v030301-id911100-methodenforcement"]
+        request_uri = [
+          {
+            operator = "CONTAINS"
+            value    = "/keyword/here/"
+          },
+        ]
+      }
+    }
+
   }
 
 }

main.tf

@@ -367,6 +367,46 @@ resource "google_compute_security_policy" "policy" {
         }
       }
 
+      # Optional preconfigured_waf_config Block if preconfigured_waf_config_exclusion is provided
+      dynamic "preconfigured_waf_config" {
+        for_each = rule.value.preconfigured_waf_config_exclusion.target_rule_set == null ? [] : ["preconfigured_waf_config_exclusion"]
+        content {
+          exclusion {
+            target_rule_set = rule.value.preconfigured_waf_config_exclusion.target_rule_set
+            target_rule_ids = rule.value.preconfigured_waf_config_exclusion.target_rule_ids
+            dynamic "request_header" {
+              for_each = rule.value.preconfigured_waf_config_exclusion.request_header == null ? {} : { for x in rule.value.preconfigured_waf_config_exclusion.request_header : "${x.operator}-${base64encode(coalesce(x.value, "test"))}" => x }
+              content {
+                operator = request_header.value.operator
+                value    = request_header.value.operator == "EQUALS_ANY" ? null : request_header.value.value
+              }
+            }
+            dynamic "request_cookie" {
+              for_each = rule.value.preconfigured_waf_config_exclusion.request_cookie == null ? {} : { for x in rule.value.preconfigured_waf_config_exclusion.request_cookie : "${x.operator}-${base64encode(coalesce(x.value, "test"))}" => x }
+              content {
+                operator = request_cookie.value.operator
+                value    = request_cookie.value.operator == "EQUALS_ANY" ? null : request_cookie.value.value
+              }
+            }
+            dynamic "request_uri" {
+              for_each = rule.value.preconfigured_waf_config_exclusion.request_uri == null ? {} : { for x in rule.value.preconfigured_waf_config_exclusion.request_uri : "${x.operator}-${base64encode(coalesce(x.value, "test"))}" => x }
+              content {
+                operator = request_uri.value.operator
+                value    = request_uri.value.operator == "EQUALS_ANY" ? null : request_uri.value.value
+              }
+            }
+            dynamic "request_query_param" {
+              for_each = rule.value.preconfigured_waf_config_exclusion.request_query_param == null ? {} : { for x in rule.value.preconfigured_waf_config_exclusion.request_query_param : "${x.operator}-${base64encode(coalesce(x.value, "test"))}" => x }
+              content {
+                operator = request_query_param.value.operator
+                value    = request_query_param.value.operator == "EQUALS_ANY" ? null : request_query_param.value.value
+              }
+            }
+          }
+        }
+      }
+
+
     }
   }
 

variables.tf

@@ -164,6 +164,28 @@ variable "custom_rules" {
       header_name  = optional(string)
       header_value = optional(string)
     })), [])
+
+    preconfigured_waf_config_exclusion = optional(object({
+      target_rule_set = string
+      target_rule_ids = optional(list(string), [])
+      request_header = optional(list(object({
+        operator = string
+        value    = optional(string)
+      })))
+      request_cookie = optional(list(object({
+        operator = string
+        value    = optional(string)
+      })))
+      request_uri = optional(list(object({
+        operator = string
+        value    = optional(string)
+      })))
+      request_query_param = optional(list(object({
+        operator = string
+        value    = optional(string)
+      })))
+    }), { target_rule_set = null })
+
   }))
   default = {}
 }

versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.59.0, < 5.0"
+      version = ">= 4.79.0, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.59.0, < 5.0"
+      version = ">= 4.79.0, < 5.0"
     }
   }
   provider_meta "google" {