feat!: added option to override default security rule action in regio…

…nal backend security policy (#142)

README.md

@@ -62,7 +62,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "security_policy" {
   source   = "GoogleCloudPlatform/cloud-armor/google"
-  version  = "~> 3.0"
+  version  = "~> 4.0"
 
   project_id                           = var.project_id
   name                                 = "my-test-security-policy"

docs/upgrading_to_v4.0.md

@@ -0,0 +1,9 @@
+# Upgrading to v4.0.0
+
+The v4.0 release contains backwards-incompatible changes.
+
+### TPG max version is bumped to 6.10 for regional-backend-security-policy module
+TPG 6.10 added support for overriding default security rule
+
+### Added default rule at priority 2147483647
+Before this version a default security rule with priority 2147483647 was created behind the scene but was not part of TF state file. This update will override that rule so users can manage it in terraform

examples/global-backend-security-policy-complete/main.tf

@@ -24,7 +24,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                           = var.project_id
   name                                 = "test-casp-policy-${random_id.suffix.hex}"

examples/global-backend-security-policy-enterprise/main.tf

@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                  = var.project_id
   name                        = "test-camp-policy-${random_id.suffix.hex}"

examples/global-backend-security-policy-example/main.tf

@@ -34,7 +34,7 @@ resource "google_network_security_address_group" "address_group" {
 
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                           = var.project_id
   name                                 = "test-casp-policy-${random_id.suffix.hex}"

examples/global-backend-security-policy-recaptcha/main.tf

@@ -36,7 +36,7 @@ resource "random_id" "suffix" {
 
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                  = var.project_id
   name                        = "test-policy-recaptcha-${random_id.suffix.hex}"

examples/global-edge-security-policy/main.tf

@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id          = var.project_id
   name                = "test-casp-edge-policy-${random_id.suffix.hex}"

examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf

@@ -25,7 +25,7 @@ resource "random_id" "suffix" {
 
 module "advanced_network_ddos_protection" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                         = var.project_id
   regions                            = [local.primary_region, local.secondary_region]
@@ -35,7 +35,7 @@ module "advanced_network_ddos_protection" {
 
 module "network_edge_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = local.primary_region

examples/regional-advanced-network-ddos-protection-enterprise/main.tf

@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 
 module "advanced_network_ddos_protection" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id                         = var.project_id
   regions                            = ["us-central1", "us-east1"]

examples/regional-backend-security-policy-example/main.tf

@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 
 module "cloud_armor_regional_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/regional-backend-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   name        = "test-regional-external-sp-${random_id.suffix.hex}"

examples/regional-network-edge-security-policy-enterprise/main.tf

@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 
 module "network_edge_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = "us-central1"
@@ -85,7 +85,7 @@ module "network_edge_security_policy" {
 
 module "network_edge_security_policy_no_rules" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = "us-central1"

modules/advanced-network-ddos-protection/README.md

@@ -16,7 +16,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "advanced_network_ddos_protection" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   regions     = ["us-central1", "us-east1"]

modules/network-edge-security-policy/README.md

@@ -8,7 +8,7 @@ You can attch network edge security policy to backend services of [external pass
 ```
 module "network_edge_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = "us-central1"
@@ -35,7 +35,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "network_edge_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   region      = "us-central1"

modules/regional-backend-security-policy/README.md

@@ -34,7 +34,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
 ```
 module "cloud_armor_regional_security_policy" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id  = var.project_id
   name        = "test-regional-external-sp-${random_id.suffix.hex}"
@@ -194,6 +194,7 @@ module "cloud_armor_regional_security_policy" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | custom\_rules | Custome security rules | <pre>map(object({<br>    action      = string<br>    priority    = number<br>    description = optional(string)<br>    preview     = optional(bool, false)<br>    expression  = string<br>    rate_limit_options = optional(object({<br>      enforce_on_key      = optional(string)<br>      enforce_on_key_name = optional(string)<br>      enforce_on_key_configs = optional(list(object({<br>        enforce_on_key_name = optional(string)<br>        enforce_on_key_type = optional(string)<br>      })))<br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>      }),<br>    {})<br><br>    preconfigured_waf_config_exclusions = optional(map(object({<br>      target_rule_set = string<br>      target_rule_ids = optional(list(string), [])<br>      request_header = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_cookie = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_uri = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_query_param = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>    })), null)<br><br>  }))</pre> | `{}` | no |
+| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647). | `string` | `"allow"` | no |
 | description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no |
 | name | Name of regional security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no |
 | pre\_configured\_rules | Map of pre-configured rules with Sensitivity levels | <pre>map(object({<br>    action                  = string<br>    priority                = number<br>    description             = optional(string)<br>    preview                 = optional(bool, false)<br>    target_rule_set         = string<br>    sensitivity_level       = optional(number, 4)<br>    include_target_rule_ids = optional(list(string), [])<br>    exclude_target_rule_ids = optional(list(string), [])<br>    rate_limit_options = optional(object({<br>      enforce_on_key      = optional(string)<br>      enforce_on_key_name = optional(string)<br>      enforce_on_key_configs = optional(list(object({<br>        enforce_on_key_name = optional(string)<br>        enforce_on_key_type = optional(string)<br>      })))<br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>    }), {})<br><br>    preconfigured_waf_config_exclusions = optional(map(object({<br>      target_rule_set = string<br>      target_rule_ids = optional(list(string), [])<br>      request_header = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_cookie = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_uri = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>      request_query_param = optional(list(object({<br>        operator = string<br>        value    = optional(string)<br>      })))<br>    })), null)<br><br>  }))</pre> | `{}` | no |

modules/regional-backend-security-policy/main.tf

@@ -237,7 +237,7 @@ resource "google_compute_region_security_policy_rule" "custom_rules" {
 
 resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
   provider        = google-beta
-  for_each        = var.pre_configured_rules #var.pre_configured_rules == null ? {} : { for x in var.pre_configured_rules : x.priority => x }
+  for_each        = var.pre_configured_rules
   project         = var.project_id
   region          = var.region
   security_policy = google_compute_region_security_policy.security_policy.name
@@ -334,3 +334,20 @@ resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
 
 }
 
+##### Default Rule
+
+resource "google_compute_region_security_policy_rule" "default_rule" {
+  provider        = google-beta
+  region          = var.region
+  project         = var.project_id
+  security_policy = google_compute_region_security_policy.security_policy.name
+  description     = "default rule"
+  action          = var.default_rule_action
+  priority        = "2147483647"
+  match {
+    versioned_expr = "SRC_IPS_V1"
+    config {
+      src_ip_ranges = ["*"]
+    }
+  }
+}

modules/regional-backend-security-policy/variables.tf

@@ -170,3 +170,9 @@ variable "custom_rules" {
   }))
   default = {}
 }
+
+variable "default_rule_action" {
+  description = "default rule that allows/denies all traffic with the lowest priority (2,147,483,647)."
+  type        = string
+  default     = "allow"
+}

modules/regional-backend-security-policy/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.29, < 7"
+      version = ">= 6.10, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.29, < 7"
+      version = ">= 6.10, < 7"
     }
   }
   provider_meta "google" {