feat: added advanced_options_config (#26)

GoogleCloudPlatform · Mar 16, 2023 · af1d34e · af1d34e
1 parent ff4197f
commit af1d34e
Show file tree

Hide file tree

Showing 9 changed files with 113 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -235,8 +235,11 @@ module "security_policy" {
 | custom\_rules | Custome security rules | <pre>map(object({<br>    action          = string<br>    priority        = number<br>    description     = optional(string)<br>    preview         = optional(bool, false)<br>    expression      = string<br>    redirect_type   = optional(string, null)<br>    redirect_target = optional(string, null)<br>    rate_limit_options = optional(object({<br>      enforce_on_key                       = optional(string)<br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>      }),<br>    {})<br>    header_action = optional(list(object({<br>      header_name  = optional(string)<br>      header_value = optional(string)<br>    })), [])<br>  }))</pre> | `{}` | no |
 | default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647) | `string` | `"allow"` | no |
 | description | An optional description of this security policy. Max size is 2048. | `string` | `null` | no |
+| json\_custom\_config\_content\_types | A list of custom Content-Type header values to apply the JSON parsing. Only applicable when json\_parsing is set to STANDARD | `list(string)` | `[]` | no |
+| json\_parsing | Whether or not to JSON parse the payload body. Possible values are DISABLED and STANDARD. Defaults to DISABLED | `string` | `"DISABLED"` | no |
 | layer\_7\_ddos\_defense\_enable | (Optional) If set to true, enables CAAP for L7 DDoS detection | `bool` | `false` | no |
 | layer\_7\_ddos\_defense\_rule\_visibility | (Optional) Rule visibility can be one of the following: STANDARD - opaque rules. PREMIUM - transparent rules | `string` | `"STANDARD"` | no |
+| log\_level | Log level to use. Possible values are NORMAL and VERBOSE. Defaults to NORMAL | `string` | `"NORMAL"` | no |
 | name | Name of the security policy. | `string` | n/a | yes |
 | pre\_configured\_rules | Map of pre-configured rules Sensitivity levels | <pre>map(object({<br>    action                  = string<br>    priority                = number<br>    description             = optional(string)<br>    preview                 = optional(bool, false)<br>    redirect_type           = optional(string, null)<br>    redirect_target         = optional(string, null)<br>    target_rule_set         = string<br>    sensitivity_level       = optional(number, 4)<br>    include_target_rule_ids = optional(list(string), [])<br>    exclude_target_rule_ids = optional(list(string), [])<br>    rate_limit_options = optional(object({<br>      enforce_on_key                       = optional(string)<br>      exceed_action                        = optional(string)<br>      rate_limit_http_request_count        = optional(number)<br>      rate_limit_http_request_interval_sec = optional(number)<br>      ban_duration_sec                     = optional(number)<br>      ban_http_request_count               = optional(number)<br>      ban_http_request_interval_sec        = optional(number)<br>      }),<br>    {})<br>    header_action = optional(list(object({<br>      header_name  = optional(string)<br>      header_value = optional(string)<br>    })), [])<br>  }))</pre> | `{}` | no |
 | project\_id | The project in which the resource belongs | `string` | n/a | yes |

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -21,21 +21,48 @@ steps:
   - 'TF_VAR_org_id=$_ORG_ID'
   - 'TF_VAR_folder_id=$_FOLDER_ID'
   - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
-- id: security-policy-all-init
+
+- id: init-all
+  waitFor:
+    - prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicy --stage init --verbose']
+  args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
+
 - id: security-policy-all-apply
+  waitFor:
+    - init-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicy --stage apply --verbose']
 - id: security-policy-all-verify
+  waitFor:
+    - security-policy-all-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicy --stage verify --verbose']
 - id: security-policy-all-teardown
+  waitFor:
+    - security-policy-all-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicy --stage teardown --verbose']
+
+- id: simple-example-apply
+  waitFor:
+    - init-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleExample --stage apply --verbose']
+- id: simple-example-verify
+  waitFor:
+    - simple-example-apply
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleExample --stage verify --verbose']
+- id: simple-example-teardown
+  waitFor:
+    - simple-example-verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleExample --stage teardown --verbose']
+
 tags:
 - 'ci'
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'
diff --git a/examples/simple-example/main.tf b/examples/simple-example/main.tf
@@ -45,6 +45,8 @@ module "cloud_armor" {
   layer_7_ddos_defense_enable          = true
   layer_7_ddos_defense_rule_visibility = "STANDARD"
   recaptcha_redirect_site_key          = google_recaptcha_enterprise_key.primary.name
+  json_parsing                         = "STANDARD"
+  log_level                            = "VERBOSE"
 
   pre_configured_rules = {
 

diff --git a/main.tf b/main.tf
@@ -75,6 +75,17 @@ resource "google_compute_security_policy" "policy" {
     }
   }
 
+  advanced_options_config {
+    json_parsing = var.json_parsing
+    log_level    = var.log_level
+    dynamic "json_custom_config" {
+      for_each = var.json_parsing == "STANDARD" && length(var.json_custom_config_content_types) > 0 ? ["json_custom_config"] : []
+      content {
+        content_types = var.json_custom_config_content_types
+      }
+    }
+  }
+
   ##### Preconfigured Rules Sensitivity level
 
   dynamic "rule" {

diff --git a/test/integration/go.mod b/test/integration/go.mod
@@ -1,4 +1,4 @@
-module github.com/terraform-google-modules/terraform-google-cloud-storage/test/integration
+module github.com/GoogleCloudPlatform/terraform-google-cloud-armor/test/integration
 
 go 1.18
 

diff --git a/test/integration/simple-example/simple_example_test.go b/test/integration/simple-example/simple_example_test.go
@@ -0,0 +1,45 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package simple_example
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSimpleExample(t *testing.T) {
+	casp := tft.NewTFBlueprintTest(t)
+
+	casp.DefineVerify(func(assert *assert.Assertions) {
+		casp.DefaultVerify(assert)
+
+		projectId := casp.GetStringOutput("project_id")
+		policyName := casp.GetStringOutput("policy_name")
+
+		sp_name := gcloud.Run(t, fmt.Sprintf("compute security-policies describe %s --project %s", policyName, projectId))
+		for _, sp := range sp_name.Array() {
+			assert.Equal(policyName, sp.Get("name").String(), "has expected name")
+			assert.Equal("STANDARD", sp.Get("advancedOptionsConfig.jsonParsing").String(), "has value STANDARD")
+			assert.Equal("VERBOSE", sp.Get("advancedOptionsConfig.logLevel").String(), "has value VERBOSE")
+			assert.Equal("STANDARD", sp.Get("adaptiveProtectionConfig.layer7DdosDefenseConfig.ruleVisibility").String(), "has value STANDARD")
+			assert.True(sp.Get("adaptiveProtectionConfig.layer7DdosDefenseConfig.enable").Bool(), "layer7DdosDefenseConfig.enable set to True")
+		}
+	})
+	casp.Test()
+}
diff --git a/variables.tf b/variables.tf
@@ -152,3 +152,21 @@ variable "layer_7_ddos_defense_rule_visibility" {
   type        = string
   default     = "STANDARD"
 }
+
+variable "json_parsing" {
+  description = "Whether or not to JSON parse the payload body. Possible values are DISABLED and STANDARD. Defaults to DISABLED"
+  type        = string
+  default     = "DISABLED"
+}
+
+variable "log_level" {
+  description = "Log level to use. Possible values are NORMAL and VERBOSE. Defaults to NORMAL"
+  type        = string
+  default     = "NORMAL"
+}
+
+variable "json_custom_config_content_types" {
+  description = "A list of custom Content-Type header values to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD"
+  type        = list(string)
+  default     = []
+}
diff --git a/versions.tf b/versions.tf
@@ -27,9 +27,9 @@ terraform {
     }
   }
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-google-cloud-armor/0.1.0"
+    module_name = "blueprints/terraform/terraform-google-cloud-armor/v0.3.0"
   }
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-google-cloud-armor/0.1.0"
+    module_name = "blueprints/terraform/terraform-google-cloud-armor/v0.3.0"
   }
 }