feat!: add sub-module for regional backend security policy (#126)

build/int.cloudbuild.yaml

@@ -31,53 +31,114 @@ steps:
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
 
-- id: security-policy-all-apply
+- id: global-backend-security-policy-complete-apply
   waitFor:
     - init-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage apply --verbose']
-- id: security-policy-all-verify
+- id: global-backend-security-policy-complete-verify
   waitFor:
-    - security-policy-all-apply
+    - global-backend-security-policy-complete-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage verify --verbose']
-- id: security-policy-all-teardown
+- id: global-backend-security-policy-complete-teardown
   waitFor:
-    - security-policy-all-verify
+    - global-backend-security-policy-complete-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyComplete --stage teardown --verbose']
 
-- id: simple-example-apply
+- id: global-backend-security-policy-example-apply
   waitFor:
-    - security-policy-all-teardown
+    - global-backend-security-policy-complete-teardown
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSimpleExample --stage apply --verbose']
-- id: simple-example-verify
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyExample --stage apply --verbose']
+- id: global-backend-security-policy-example-verify
   waitFor:
-    - simple-example-apply
+    - global-backend-security-policy-example-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSimpleExample --stage verify --verbose']
-- id: simple-example-teardown
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyExample --stage verify --verbose']
+- id: global-backend-security-policy-example-teardown
   waitFor:
-    - simple-example-verify
+    - global-backend-security-policy-example-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSimpleExample --stage teardown --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyExample --stage teardown --verbose']
 
-- id: security-policy-edge-apply
+- id: global-edge-security-policy-apply
   waitFor:
-    - simple-example-teardown
+    - global-backend-security-policy-example-teardown
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyEdge --stage apply --verbose']
-- id: security-policy-edge-verify
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyEdge --stage apply --verbose']
+- id: global-edge-security-policy-verify
   waitFor:
-    - security-policy-edge-apply
+    - global-edge-security-policy-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyEdge --stage verify --verbose']
-- id: security-policy-edge-teardown
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyEdge --stage verify --verbose']
+- id: global-edge-security-policy-teardown
   waitFor:
-    - security-policy-edge-verify
+    - global-edge-security-policy-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestSecurityPolicyEdge --stage teardown --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyEdge --stage teardown --verbose']
+
+- id: global-backend-security-policy-recaptcha-apply
+  waitFor:
+    - global-backend-security-policy-example-teardown
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyRecaptcha --stage apply --verbose']
+- id: global-backend-security-policy-recaptcha-verify
+  waitFor:
+    - global-backend-security-policy-recaptcha-apply
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyRecaptcha --stage verify --verbose']
+- id: global-backend-security-policy-recaptcha-teardown
+  waitFor:
+    - global-backend-security-policy-recaptcha-verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyRecaptcha --stage teardown --verbose']
+- id: global-backend-security-policy-enterprise-apply
+  waitFor:
+    - global-backend-security-policy-example-teardown
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyEnterprise --stage apply --verbose']
+- id: global-backend-security-policy-enterprise-verify
+  waitFor:
+    - global-backend-security-policy-enterprise-apply
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyEnterprise --stage verify --verbose']
+- id: global-backend-security-policy-enterprise-teardown
+  waitFor:
+    - global-backend-security-policy-enterprise-verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGlobalSecurityPolicyEnterprise --stage teardown --verbose']
+- id: regional-adv-ddos-and-edge-security-policy-complete-apply
+  waitFor:
+    - global-backend-security-policy-example-teardown
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkEdgePolicy --stage apply --verbose']
+- id: regional-adv-ddos-and-edge-security-policy-complete-verify
+  waitFor:
+    - regional-adv-ddos-and-edge-security-policy-complete-apply
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkEdgePolicy --stage verify --verbose']
+- id: regional-adv-ddos-and-edge-security-policy-complete-teardown
+  waitFor:
+    - regional-adv-ddos-and-edge-security-policy-complete-verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestRegionalNetworkEdgePolicy --stage teardown --verbose']
+- id: regional-backend-security-policy-example-apply
+  waitFor:
+    - global-backend-security-policy-example-teardown
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestRegionalBackendPolicy --stage apply --verbose']
+- id: regional-backend-security-policy-example-verify
+  waitFor:
+    - regional-backend-security-policy-example-apply
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestRegionalBackendPolicy --stage verify --verbose']
+- id: regional-backend-security-policy-example-teardown
+  waitFor:
+    - regional-backend-security-policy-example-verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestRegionalBackendPolicy --stage teardown --verbose']
 
 tags:
 - 'ci'

docs/upgrading_to_v3.0.md

@@ -0,0 +1,79 @@
+# Upgrading to v3.0.0
+
+The v3.0 release contains backwards-incompatible changes.
+
+This update changed max provider version from `5.X` to `6.X`.
+
+### TPG max version is bumped to 6.x
+There is no known breaking change for Cloud Armor in 6.X.
+
+### Remove preconfigured_waf_config_exclusion
+`preconfigured_waf_config_exclusion` was deprecated in [v2.1](./upgrading_to_v2.1.md). It is now removed from the module. Before upgrading to 3.X move `preconfigured_waf_config_exclusion` settings to `preconfigured_waf_config_exclusions`. Here is an example:
+
+
+```tf
+"sqli_sensitivity_level_4" = {
+  action            = "deny(502)"
+  priority          = 1
+  target_rule_set   = "sqli-v33-stable"
+  sensitivity_level = 4
+  description       = "sqli-v33-stable Sensitivity Level 4 and 2 preconfigured_waf_config_exclusions"
+
+-  preconfigured_waf_config_exclusion = {
+-      target_rule_set = "sqli-v33-stable"
+-      target_rule_ids = ["owasp-crs-v030301-id942120-sqli", "owasp-crs-v030301-id942130-sqli"]
+-      request_cookie = [
+-        {
+-          operator = "STARTS_WITH"
+-          value    = "abc"
+-        }
+-      ]
+-      request_header = [
+-        {
+-          operator = "STARTS_WITH"
+-          value    = "xyz"
+-        },
+-        {
+-          operator = "STARTS_WITH"
+-          value    = "uvw"
+-        }
+-      ]
+-  }
+}
+```
+
+```tf
+"sqli_sensitivity_level_4" = {
+  action            = "deny(502)"
+  priority          = 1
+  target_rule_set   = "sqli-v33-stable"
+  sensitivity_level = 4
+  description       = "sqli-v33-stable Sensitivity Level 4 and 2 preconfigured_waf_config_exclusions"
+
+  # 2 exclusions
++  preconfigured_waf_config_exclusions = {
++    exclusion_1 = {
++      target_rule_set = "sqli-v33-stable"
++      target_rule_ids = ["owasp-crs-v030301-id942120-sqli", "owasp-crs-v030301-id942130-sqli"]
++      request_cookie = [
++        {
++          operator = "STARTS_WITH"
++          value    = "abc"
++        }
++      ]
++      request_header = [
++        {
++          operator = "STARTS_WITH"
++          value    = "xyz"
++        },
++        {
++          operator = "STARTS_WITH"
++          value    = "uvw"
++        }
++      ]
++    }
++
++  }
+}
+```
+

examples/global-backend-security-policy-complete/README.md

@@ -1,9 +1,14 @@
-# Cloud Armor Policy with preconfigured rules, custom rules and security rules
+# Cloud Armor Policy end to end example
 
 This example performs the following:
 - Network (VPC/Subnets/Firewall-rules/NAT).
-- Creates a `global cloud armor security policy`.
-- Creates a VM instance behind a `global external application load balancer`.
+- A `global cloud armor security policy` with following types of rules.
+  - Threat Intelligence Rules (Requires [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Remove these rules if you dont have Cloud Armor Enterprise enabled for your project)
+  - Rule for Automatically deploying Adaptive Protection suggested rules (Requires [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview). Remove these rules if you dont have Cloud Armor Enterprise enabled for your project)
+  - Pre-configured rules
+  - Custom rules
+  - Security rules
+- A VM instance behind a `global external application load balancer`.
 - Attaches `security policy` to the backend service  by passing security policy link in `security_policy` parameter in `google_compute_backend_service` resource.
 
 ## Usage
@@ -32,7 +37,6 @@ terraform apply
 | Name | Description |
 |------|-------------|
 | policy\_name | Security Policy name |
-| project\_id | The project ID |
 | security\_policy | Cloud Armor security policy created |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/global-backend-security-policy-complete/main.tf

@@ -24,7 +24,7 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 2.0"
+  version = "~> 3.0"
 
   project_id                           = var.project_id
   name                                 = "test-casp-policy-${random_id.suffix.hex}"
@@ -35,6 +35,30 @@ module "cloud_armor" {
   layer_7_ddos_defense_rule_visibility = "STANDARD"
   user_ip_request_headers              = ["True-Client-IP", ]
 
+  # preconfigured WAF rules
+  pre_configured_rules = {
+
+    "xss-stable_level_2_with_exclude" = {
+      action                  = "deny(502)"
+      priority                = 2
+      preview                 = true
+      target_rule_set         = "xss-v33-stable"
+      sensitivity_level       = 2
+      exclude_target_rule_ids = ["owasp-crs-v030301-id941380-xss", "owasp-crs-v030301-id941280-xss"]
+    }
+
+    "php-stable_level_0_with_include" = {
+      action                  = "deny(502)"
+      priority                = 3
+      description             = "PHP Sensitivity Level 0 with included rules"
+      target_rule_set         = "php-v33-stable"
+      include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"]
+    }
+
+  }
+
+
+  # Security Rules for blocking IP addresses
   security_rules = {
     "allow_whitelisted_ip_ranges" = {
       action        = "allow"
@@ -82,6 +106,7 @@ module "cloud_armor" {
 
   }
 
+  #Custom Rules
   custom_rules = {
     allow_specific_regions = {
       action      = "allow"
@@ -132,4 +157,34 @@ module "cloud_armor" {
 
   }
 
+  #adaptive protection auto deploy rules
+  adaptive_protection_auto_deploy = {
+    enable               = true
+    priority             = 100000
+    action               = "deny(403)"
+    load_threshold       = 0.3
+    confidence_threshold = 0.6
+  }
+
+  # Rules based on threat intelligence
+  threat_intelligence_rules = {
+
+    deny_malicious_ips = {
+      action      = "deny(502)"
+      priority    = 300
+      description = "Deny IP addresses known to attack web applications"
+      preview     = false
+      feed        = "iplist-known-malicious-ips"
+      exclude_ip  = "['47.100.100.100', '47.189.12.139']"
+    }
+
+    deny_tor_exit_ips = {
+      action      = "deny(502)"
+      priority    = 400
+      description = "Deny Tor exit nodes IP addresses"
+      preview     = false
+      feed        = "iplist-tor-exit-nodes"
+    }
+  }
+
 }

examples/global-backend-security-policy-complete/outputs.tf

@@ -19,11 +19,6 @@ output "security_policy" {
   description = "Cloud Armor security policy created"
 }
 
-output "project_id" {
-  value       = var.project_id
-  description = "The project ID"
-}
-
 output "policy_name" {
   value       = module.cloud_armor.policy.name
   description = "Security Policy name"

examples/global-backend-security-policy-enterprise/README.md

@@ -1,6 +1,6 @@
 # Cloud Armor Policy with rules supported by [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview)
 
-This example configures a single cloud armor policy with following types of rules which are only availalable to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview):
+This example configures a single cloud armor policy with following types of rules which are only available to projects enrolled in [Cloud Armor Enterprise](https://cloud.google.com/armor/docs/armor-enterprise-overview):
 
 - Threat Intelligence Rules
 - Rule for Automatically deploying Adaptive Protection suggested rules
@@ -32,7 +32,6 @@ terraform apply
 | Name | Description |
 |------|-------------|
 | policy\_name | Security Policy name |
-| project\_id | The project ID |
 | security\_policy | Cloud Armor security policy created |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/global-backend-security-policy-enterprise/main.tf

@@ -19,15 +19,15 @@ resource "random_id" "suffix" {
 }
 module "cloud_armor" {
   source  = "GoogleCloudPlatform/cloud-armor/google"
-  version = "~> 2.0"
-
-  project_id                           = var.project_id
-  name                                 = "test-camp-policy-${random_id.suffix.hex}"
-  description                          = "Test Cloud Armor security policy with with rules supported by Cloud Armor Managed Protection Plus (CAMP+)"
-  default_rule_action                  = "allow"
-  type                                 = "CLOUD_ARMOR"
-  layer_7_ddos_defense_enable          = true
-  layer_7_ddos_defense_rule_visibility = "PREMIUM"
+  version = "~> 3.0"
+
+  project_id                  = var.project_id
+  name                        = "test-camp-policy-${random_id.suffix.hex}"
+  description                 = "Test Cloud Armor security policy with with rules supported by Cloud Armor Enterprise (Former Managed Protection Plus - CAMP+)"
+  default_rule_action         = "allow"
+  type                        = "CLOUD_ARMOR"
+  layer_7_ddos_defense_enable = true
+  user_ip_request_headers     = ["True-Client-IP", ]
 
   ## This is an example of deny policy. Examples for redirect and throttle policies are in README.
   adaptive_protection_auto_deploy = {

examples/global-backend-security-policy-enterprise/outputs.tf

@@ -19,11 +19,6 @@ output "security_policy" {
   description = "Cloud Armor security policy created"
 }
 
-output "project_id" {
-  value       = var.project_id
-  description = "The project ID"
-}
-
 output "policy_name" {
   value       = module.cloud_armor.policy.name
   description = "Security Policy name"