fix: add auto_deploy_config block
imrannayer committed Dec 7, 2023
1 parent 12fb99a commit f5080a8
Showing 4 changed files with 24 additions and 11 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -278,13 +278,13 @@ module "security_policy" {

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| adaptive\_protection\_auto\_deploy | Configuration for Automatically deploy Cloud Armor Adaptive Protection suggested rules. priority and action fields are required if enable is set to true | <pre>object({<br> enable = bool<br> priority = optional(number, null)<br> action = optional(string, null)<br> preview = optional(bool, false)<br> description = optional(string, "Adaptive Protection auto-deploy")<br> load_threshold = optional(number, 0.1)<br> confidence_threshold = optional(number, 0.5)<br> impacted_baseline_threshold = optional(number, 0.01)<br> expiration_sec = optional(number, 7200)<br> redirect_type = optional(string)<br> redirect_target = optional(string)<br><br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br><br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br><br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }), {})<br> })</pre> | <pre>{<br> "enable": false<br>}</pre> | no |
| adaptive\_protection\_auto\_deploy | Configuration for Automatically deploy Cloud Armor Adaptive Protection suggested rules. `priority` and `action` fields are required if `enable` is set to true. Requires `layer_7_ddos_defense_enable` set to `true` | <pre>object({<br> enable = bool<br> priority = optional(number, null)<br> action = optional(string, null)<br> preview = optional(bool, false)<br> description = optional(string, "Adaptive Protection auto-deploy")<br> load_threshold = optional(number)<br> confidence_threshold = optional(number)<br> impacted_baseline_threshold = optional(number)<br> expiration_sec = optional(number)<br> redirect_type = optional(string)<br> redirect_target = optional(string)<br><br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br><br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br><br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }), {})<br> })</pre> | <pre>{<br> "enable": false<br>}</pre> | no |
| custom\_rules | Custome security rules | <pre>map(object({<br> action = string<br> priority = number<br> description = optional(string)<br> preview = optional(bool, false)<br> expression = string<br> redirect_type = optional(string, null)<br> redirect_target = optional(string, null)<br> rate_limit_options = optional(object({<br> enforce_on_key = optional(string)<br> enforce_on_key_name = optional(string)<br> enforce_on_key_configs = optional(list(object({<br> enforce_on_key_name = optional(string)<br> enforce_on_key_type = optional(string)<br> })))<br> exceed_action = optional(string)<br> rate_limit_http_request_count = optional(number)<br> rate_limit_http_request_interval_sec = optional(number)<br> ban_duration_sec = optional(number)<br> ban_http_request_count = optional(number)<br> ban_http_request_interval_sec = optional(number)<br> }),<br> {})<br> header_action = optional(list(object({<br> header_name = optional(string)<br> header_value = optional(string)<br> })), [])<br><br> preconfigured_waf_config_exclusion = optional(object({<br> target_rule_set = string<br> target_rule_ids = optional(list(string), [])<br> request_header = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_cookie = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_uri = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> request_query_param = optional(list(object({<br> operator = string<br> value = optional(string)<br> })))<br> }), { target_rule_set = null })<br><br> }))</pre> | `{}` | no |
| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647) | `string` | `"allow"` | no |
| description | An optional description of this security policy. Max size is 2048. | `string` | `null` | no |
| json\_custom\_config\_content\_types | A list of custom Content-Type header values to apply the JSON parsing. Only applicable when json\_parsing is set to STANDARD. Not supported for CLOUD\_ARMOR\_EDGE policy type | `list(string)` | `[]` | no |
| json\_parsing | Whether or not to JSON parse the payload body. Possible values are DISABLED and STANDARD. Not supported for CLOUD\_ARMOR\_EDGE policy type | `string` | `"DISABLED"` | no |
| layer\_7\_ddos\_defense\_enable | (Optional) If set to true, enables Cloud Armor Adaptive Protection for L7 DDoS detection. Cloud Armor Adaptive Protection is only supported in Global Security Policies of type CLOUD\_ARMOR | `bool` | `false` | no |
| layer\_7\_ddos\_defense\_enable | (Optional) If set to true, enables Cloud Armor Adaptive Protection for L7 DDoS detection. Cloud Armor Adaptive Protection is only supported in Global Security Policies of type CLOUD\_ARMOR. Set this variable `true` for Adaptive Protection Auto Deploy | `bool` | `false` | no |
| layer\_7\_ddos\_defense\_rule\_visibility | (Optional) Rule visibility can be one of the following: STANDARD - opaque rules. PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD\_ARMOR. | `string` | `"STANDARD"` | no |
| log\_level | Log level to use. Possible values are NORMAL and VERBOSE. Not supported for CLOUD\_ARMOR\_EDGE policy type | `string` | `"NORMAL"` | no |
| name | Name of the security policy. | `string` | n/a | yes |
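Review bot: the regenerated row for adaptive_protection_auto_deploy drops the previous module-level defaults (load_threshold 0.1, confidence_threshold 0.5, impacted_baseline_threshold 0.01, expiration_sec 7200) and now shows the four thresholds as plain optional(number) with no stated fallback; the description should say that thresholds left unset are passed through as null so the provider/API default applies, otherwise a reader of this table cannot tell what an `enable = true` block without thresholds actually deploys. While the README is being regenerated anyway, the "Custome security rules" typo on the unchanged custom_rules row is worth fixing at its source in variables.tf.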
8 changes: 5 additions & 3 deletions examples/security-policy-managed-protection-plus/main.tf
Expand Up @@ -30,9 +30,11 @@ module "cloud_armor" {

## This is an example of deny policy. Examples for redirect and throttle policies are in README.
adaptive_protection_auto_deploy = {
enable = true
priority = 100000
action = "deny(403)"
enable = true
priority = 100000
action = "deny(403)"
load_threshold = 0.3
confidence_threshold = 0.6
}

threat_intelligence_rules = {
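Review bot: the example now sets load_threshold = 0.3 and confidence_threshold = 0.6 with no explanation of why a reader would pick those over leaving them unset; a short comment next to them saying they are optional tuning values and that omitting them leaves the provider default would stop people copying the numbers blindly. Since the variable description added in this commit says auto-deploy requires layer_7_ddos_defense_enable = true, the comment line above this block should also point at that setting so the example cannot be pasted without it.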
10 changes: 10 additions & 0 deletions main.tf
Expand Up @@ -502,6 +502,16 @@ resource "google_compute_security_policy" "policy" {
enable = var.layer_7_ddos_defense_enable
rule_visibility = var.layer_7_ddos_defense_rule_visibility
}
dynamic "auto_deploy_config" {
for_each = var.adaptive_protection_auto_deploy.enable ? { auto_deploy = var.adaptive_protection_auto_deploy } : {}
content {
load_threshold = auto_deploy_config.value["load_threshold"]
confidence_threshold = auto_deploy_config.value["confidence_threshold"]
impacted_baseline_threshold = auto_deploy_config.value["impacted_baseline_threshold"]
expiration_sec = auto_deploy_config.value["expiration_sec"]
}

}
}
}

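Review bot: the for_each gates the new block only on var.adaptive_protection_auto_deploy.enable, while the variable description updated in this same commit states that auto-deploy requires var.layer_7_ddos_defense_enable to be true; nothing here enforces that, so a caller who enables auto-deploy with L7 defense off gets an auto_deploy_config block beside a layer_7_ddos_defense_config with `enable = false` and whatever the API does with that combination. Either gate on both conditions (`for_each = var.layer_7_ddos_defense_enable && var.adaptive_protection_auto_deploy.enable ? { auto_deploy = var.adaptive_protection_auto_deploy } : {}`) or add a validation block on the variable so the mismatch fails at plan time instead of at apply. The stray blank line before the closing brace of the dynamic block is a style nit.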
13 changes: 7 additions & 6 deletions variables.tf
Expand Up @@ -229,7 +229,7 @@ variable "type" {
}

variable "layer_7_ddos_defense_enable" {
description = "(Optional) If set to true, enables Cloud Armor Adaptive Protection for L7 DDoS detection. Cloud Armor Adaptive Protection is only supported in Global Security Policies of type CLOUD_ARMOR"
description = "(Optional) If set to true, enables Cloud Armor Adaptive Protection for L7 DDoS detection. Cloud Armor Adaptive Protection is only supported in Global Security Policies of type CLOUD_ARMOR. Set this variable `true` for Adaptive Protection Auto Deploy"
type = bool
default = false
}
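Review bot: "Set this variable `true` for Adaptive Protection Auto Deploy" reads as a hint rather than a hard dependency; phrase it as a requirement ("Must be true when adaptive_protection_auto_deploy.enable is true") so it matches the "Requires `layer_7_ddos_defense_enable` set to `true`" wording added to the other variable in this commit.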
Expand All @@ -241,17 +241,17 @@ variable "layer_7_ddos_defense_rule_visibility" {
}

variable "adaptive_protection_auto_deploy" {
description = "Configuration for Automatically deploy Cloud Armor Adaptive Protection suggested rules. priority and action fields are required if enable is set to true"
description = "Configuration for Automatically deploy Cloud Armor Adaptive Protection suggested rules. `priority` and `action` fields are required if `enable` is set to true. Requires `layer_7_ddos_defense_enable` set to `true`"
type = object({
enable = bool
priority = optional(number, null)
action = optional(string, null)
preview = optional(bool, false)
description = optional(string, "Adaptive Protection auto-deploy")
load_threshold = optional(number, 0.1)
confidence_threshold = optional(number, 0.5)
impacted_baseline_threshold = optional(number, 0.01)
expiration_sec = optional(number, 7200)
load_threshold = optional(number)
confidence_threshold = optional(number)
impacted_baseline_threshold = optional(number)
expiration_sec = optional(number)
redirect_type = optional(string)
redirect_target = optional(string)

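Review bot: removing the defaults on load_threshold, confidence_threshold, impacted_baseline_threshold and expiration_sec changes what existing callers get (previously 0.1 / 0.5 / 0.01 / 7200 supplied by the module, now null and whatever the provider applies), so this is a behavior change that should be called out in the description or changelog rather than shipped under a "fix:" commit message silently. The description also still says priority and action are required when enable is true, yet both remain optional(…, null) with nothing enforcing it; a validation block with `condition = !var.adaptive_protection_auto_deploy.enable || (var.adaptive_protection_auto_deploy.priority != null && var.adaptive_protection_auto_deploy.action != null)` would turn that sentence into a plan-time check.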
Expand All @@ -272,6 +272,7 @@ variable "adaptive_protection_auto_deploy" {
ban_http_request_interval_sec = optional(number)
}), {})
})

default = {
enable = false
}