From 6d32a7c0ccb4b1ed3b2dfe732bf9b1ff381f236d Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Thu, 5 Dec 2024 11:27:46 -0600 Subject: [PATCH] feat!: added option to override default security rule action in regional backend security policy (#142) --- README.md | 2 +- docs/upgrading_to_v4.0.md | 9 +++++++++ .../main.tf | 2 +- .../main.tf | 2 +- .../main.tf | 2 +- .../main.tf | 2 +- examples/global-edge-security-policy/main.tf | 2 +- .../main.tf | 4 ++-- .../main.tf | 2 +- .../main.tf | 2 +- .../main.tf | 4 ++-- .../README.md | 2 +- .../network-edge-security-policy/README.md | 4 ++-- .../README.md | 3 ++- .../regional-backend-security-policy/main.tf | 19 ++++++++++++++++++- .../variables.tf | 6 ++++++ .../versions.tf | 4 ++-- 17 files changed, 52 insertions(+), 19 deletions(-) create mode 100644 docs/upgrading_to_v4.0.md diff --git a/README.md b/README.md index 095563f..8c58614 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "security_policy" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "my-test-security-policy" diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md new file mode 100644 index 0000000..370ef27 --- /dev/null +++ b/docs/upgrading_to_v4.0.md @@ -0,0 +1,9 @@ +# Upgrading to v4.0.0 + +The v4.0 release contains backwards-incompatible changes. + +### TPG max version is bumped to 6.10 for regional-backend-security-policy module +TPG 6.10 added support for overriding default security rule + +### Added default rule at priority 2147483647 +Before this version a default security rule with priority 2147483647 was created behind the scene but was not part of TF state file. This update will override that rule so users can manage it in terraform 
diff --git a/examples/global-backend-security-policy-complete/main.tf b/examples/global-backend-security-policy-complete/main.tf index dbbc455..c940e07 100644 --- a/examples/global-backend-security-policy-complete/main.tf +++ b/examples/global-backend-security-policy-complete/main.tf @@ -24,7 +24,7 @@ resource "random_id" "suffix" { } module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-casp-policy-${random_id.suffix.hex}" diff --git a/examples/global-backend-security-policy-enterprise/main.tf b/examples/global-backend-security-policy-enterprise/main.tf index e675492..255c774 100644 --- a/examples/global-backend-security-policy-enterprise/main.tf +++ b/examples/global-backend-security-policy-enterprise/main.tf @@ -19,7 +19,7 @@ resource "random_id" "suffix" { } module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-camp-policy-${random_id.suffix.hex}" diff --git a/examples/global-backend-security-policy-example/main.tf b/examples/global-backend-security-policy-example/main.tf index f2ab7d9..aaa7472 100644 --- a/examples/global-backend-security-policy-example/main.tf +++ b/examples/global-backend-security-policy-example/main.tf @@ -34,7 +34,7 @@ resource "google_network_security_address_group" "address_group" { module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-casp-policy-${random_id.suffix.hex}" diff --git a/examples/global-backend-security-policy-recaptcha/main.tf b/examples/global-backend-security-policy-recaptcha/main.tf index cd0767f..f17a30f 100644 --- a/examples/global-backend-security-policy-recaptcha/main.tf +++ b/examples/global-backend-security-policy-recaptcha/main.tf 
@@ -36,7 +36,7 @@ resource "random_id" "suffix" { module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-policy-recaptcha-${random_id.suffix.hex}" diff --git a/examples/global-edge-security-policy/main.tf b/examples/global-edge-security-policy/main.tf index c800213..5bb31b4 100644 --- a/examples/global-edge-security-policy/main.tf +++ b/examples/global-edge-security-policy/main.tf @@ -19,7 +19,7 @@ resource "random_id" "suffix" { } module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-casp-edge-policy-${random_id.suffix.hex}" diff --git a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf index 864d18d..078229b 100644 --- a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf +++ b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf @@ -25,7 +25,7 @@ resource "random_id" "suffix" { module "advanced_network_ddos_protection" { source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id regions = [local.primary_region, local.secondary_region] @@ -35,7 +35,7 @@ module "advanced_network_ddos_protection" { module "network_edge_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = local.primary_region diff --git a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf index 07d4cfa..60c8176 100644 --- a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf 
+++ b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf @@ -20,7 +20,7 @@ resource "random_id" "suffix" { module "advanced_network_ddos_protection" { source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id regions = ["us-central1", "us-east1"] diff --git a/examples/regional-backend-security-policy-example/main.tf b/examples/regional-backend-security-policy-example/main.tf index db0f8e8..eafb560 100644 --- a/examples/regional-backend-security-policy-example/main.tf +++ b/examples/regional-backend-security-policy-example/main.tf @@ -20,7 +20,7 @@ resource "random_id" "suffix" { module "cloud_armor_regional_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/regional-backend-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-regional-external-sp-${random_id.suffix.hex}" diff --git a/examples/regional-network-edge-security-policy-enterprise/main.tf b/examples/regional-network-edge-security-policy-enterprise/main.tf index 0eb0902..1bf7ccc 100644 --- a/examples/regional-network-edge-security-policy-enterprise/main.tf +++ b/examples/regional-network-edge-security-policy-enterprise/main.tf @@ -20,7 +20,7 @@ resource "random_id" "suffix" { module "network_edge_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = "us-central1" @@ -85,7 +85,7 @@ module "network_edge_security_policy" { module "network_edge_security_policy_no_rules" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = "us-central1" 
diff --git a/modules/advanced-network-ddos-protection/README.md b/modules/advanced-network-ddos-protection/README.md index fee24c9..9686d36 100644 --- a/modules/advanced-network-ddos-protection/README.md +++ b/modules/advanced-network-ddos-protection/README.md @@ -16,7 +16,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "advanced_network_ddos_protection" { source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id regions = ["us-central1", "us-east1"] diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md index c1b8621..f34179a 100644 --- a/modules/network-edge-security-policy/README.md +++ b/modules/network-edge-security-policy/README.md @@ -8,7 +8,7 @@ You can attch network edge security policy to backend services of [external pass ``` module "network_edge_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = "us-central1" @@ -35,7 +35,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "network_edge_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = "us-central1" diff --git a/modules/regional-backend-security-policy/README.md b/modules/regional-backend-security-policy/README.md index 95c397d..8cffeeb 100644 --- a/modules/regional-backend-security-policy/README.md +++ b/modules/regional-backend-security-policy/README.md 
@@ -34,7 +34,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "cloud_armor_regional_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-regional-external-sp-${random_id.suffix.hex}" @@ -194,6 +194,7 @@ module "cloud_armor_regional_security_policy" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | custom\_rules | Custome security rules |
map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
expression = string
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}),
{})

preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)

}))
| `{}` | no | +| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647). | `string` | `"allow"` | no | | description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no | | name | Name of regional security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no | | pre\_configured\_rules | Map of pre-configured rules with Sensitivity levels |
map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
target_rule_set = string
sensitivity_level = optional(number, 4)
include_target_rule_ids = optional(list(string), [])
exclude_target_rule_ids = optional(list(string), [])
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}), {})

preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)

}))
| `{}` | no | diff --git a/modules/regional-backend-security-policy/main.tf b/modules/regional-backend-security-policy/main.tf index 7b3f3c8..8d6b883 100644 --- a/modules/regional-backend-security-policy/main.tf +++ b/modules/regional-backend-security-policy/main.tf @@ -237,7 +237,7 @@ resource "google_compute_region_security_policy_rule" "custom_rules" { resource "google_compute_region_security_policy_rule" "pre_configured_rules" { provider = google-beta - for_each = var.pre_configured_rules #var.pre_configured_rules == null ? {} : { for x in var.pre_configured_rules : x.priority => x } + for_each = var.pre_configured_rules project = var.project_id region = var.region security_policy = google_compute_region_security_policy.security_policy.name @@ -334,3 +334,20 @@ resource "google_compute_region_security_policy_rule" "pre_configured_rules" { } +##### Default Rule + +resource "google_compute_region_security_policy_rule" "default_rule" { + provider = google-beta + region = var.region + project = var.project_id + security_policy = google_compute_region_security_policy.security_policy.name + description = "default rule" + action = var.default_rule_action + priority = "2147483647" + match { + versioned_expr = "SRC_IPS_V1" + config { + src_ip_ranges = ["*"] + } + } +} diff --git a/modules/regional-backend-security-policy/variables.tf b/modules/regional-backend-security-policy/variables.tf index 4b8e2ad..8e0335d 100644 --- a/modules/regional-backend-security-policy/variables.tf +++ b/modules/regional-backend-security-policy/variables.tf @@ -170,3 +170,9 @@ variable "custom_rules" { })) default = {} } + +variable "default_rule_action" { + description = "default rule that allows/denies all traffic with the lowest priority (2,147,483,647)." + type = string + default = "allow" +} diff --git a/modules/regional-backend-security-policy/versions.tf b/modules/regional-backend-security-policy/versions.tf index 997d50f..d56ec33 100644 
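Review bot: The new `default_rule` resource in the `@@ -334,3 +334,20 @@` hunk gives the module ownership of the priority-2147483647 rule, but with `action = var.default_rule_action` defaulting to `"allow"` the policy stays fail-open, and nothing in the hunk says so to the reader. A short comment above the resource would make the intent explicit, e.g. `# Catch-all rule evaluated last; "allow" preserves the implicit Cloud Armor default, use a deny(<status>) action for a default-deny policy`. Since the upgrade note states this rule already existed outside of state, the guide should presumably also say whether the first apply adopts it in place under TPG 6.10 or whether existing deployments need an `import` step; I cannot tell from the hunk which it is. Minor style point: `priority = "2147483647"` is a quoted string where the sibling rule resources appear to pass a number; `priority = 2147483647` keeps the types consistent.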
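Review bot: `variable "default_rule_action"` in the variables.tf hunk accepts any string, so a typo such as `"Allow"` or a bare `"deny"` is only rejected by the API at apply time, after the rest of the plan has started. A `validation` block catches this at plan time; the regex below admits `allow` and `deny(NNN)`, which is what the description ("allows/denies all traffic") promises, but the exact accepted set should be confirmed against the provider documentation for the rule resource before tightening it further. The description could also name the accepted values, e.g. `"Action of the catch-all rule at priority 2147483647: \"allow\" or \"deny(<http status>)\" such as \"deny(403)\"."`.
```hcl
variable "default_rule_action" {
  # … unchanged: description, type, default …
  validation {
    condition     = can(regex("^(allow|deny\\([0-9]{3}\\))$", var.default_rule_action))
    error_message = "default_rule_action must be \"allow\" or \"deny(<http status>)\", e.g. \"deny(403)\"."
  }
}
```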
--- a/modules/regional-backend-security-policy/versions.tf
+++ b/modules/regional-backend-security-policy/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.29, < 7"
+ version = ">= 6.10, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.29, < 7"
+ version = ">= 6.10, < 7"
 }
 }
 provider_meta "google" {