diff --git a/README.md b/README.md
index 095563f..8c58614 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
```
module "security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "my-test-security-policy"
diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md
new file mode 100644
index 0000000..370ef27
--- /dev/null
+++ b/docs/upgrading_to_v4.0.md
@@ -0,0 +1,9 @@
+# Upgrading to v4.0.0
+
+The v4.0 release contains backwards-incompatible changes.
+
+### TPG max version is bumped to 6.10 for regional-backend-security-policy module
+TPG 6.10 added support for overriding default security rule
+
+### Added default rule at priority 2147483647
+Before this version a default security rule with priority 2147483647 was created behind the scene but was not part of TF state file. This update will override that rule so users can manage it in terraform
diff --git a/examples/global-backend-security-policy-complete/main.tf b/examples/global-backend-security-policy-complete/main.tf
index dbbc455..c940e07 100644
--- a/examples/global-backend-security-policy-complete/main.tf
+++ b/examples/global-backend-security-policy-complete/main.tf
@@ -24,7 +24,7 @@ resource "random_id" "suffix" {
}
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-casp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-enterprise/main.tf b/examples/global-backend-security-policy-enterprise/main.tf
index e675492..255c774 100644
--- a/examples/global-backend-security-policy-enterprise/main.tf
+++ b/examples/global-backend-security-policy-enterprise/main.tf
@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
}
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-camp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-example/main.tf b/examples/global-backend-security-policy-example/main.tf
index f2ab7d9..aaa7472 100644
--- a/examples/global-backend-security-policy-example/main.tf
+++ b/examples/global-backend-security-policy-example/main.tf
@@ -34,7 +34,7 @@ resource "google_network_security_address_group" "address_group" {
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-casp-policy-${random_id.suffix.hex}"
diff --git a/examples/global-backend-security-policy-recaptcha/main.tf b/examples/global-backend-security-policy-recaptcha/main.tf
index cd0767f..f17a30f 100644
--- a/examples/global-backend-security-policy-recaptcha/main.tf
+++ b/examples/global-backend-security-policy-recaptcha/main.tf
@@ -36,7 +36,7 @@ resource "random_id" "suffix" {
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-policy-recaptcha-${random_id.suffix.hex}"
diff --git a/examples/global-edge-security-policy/main.tf b/examples/global-edge-security-policy/main.tf
index c800213..5bb31b4 100644
--- a/examples/global-edge-security-policy/main.tf
+++ b/examples/global-edge-security-policy/main.tf
@@ -19,7 +19,7 @@ resource "random_id" "suffix" {
}
module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-casp-edge-policy-${random_id.suffix.hex}"
diff --git a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
index 864d18d..078229b 100644
--- a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
+++ b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf
@@ -25,7 +25,7 @@ resource "random_id" "suffix" {
module "advanced_network_ddos_protection" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
regions = [local.primary_region, local.secondary_region]
@@ -35,7 +35,7 @@ module "advanced_network_ddos_protection" {
module "network_edge_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = local.primary_region
diff --git a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
index 07d4cfa..60c8176 100644
--- a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
+++ b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
module "advanced_network_ddos_protection" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
regions = ["us-central1", "us-east1"]
diff --git a/examples/regional-backend-security-policy-example/main.tf b/examples/regional-backend-security-policy-example/main.tf
index db0f8e8..eafb560 100644
--- a/examples/regional-backend-security-policy-example/main.tf
+++ b/examples/regional-backend-security-policy-example/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
module "cloud_armor_regional_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/regional-backend-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-regional-external-sp-${random_id.suffix.hex}"
diff --git a/examples/regional-network-edge-security-policy-enterprise/main.tf b/examples/regional-network-edge-security-policy-enterprise/main.tf
index 0eb0902..1bf7ccc 100644
--- a/examples/regional-network-edge-security-policy-enterprise/main.tf
+++ b/examples/regional-network-edge-security-policy-enterprise/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
module "network_edge_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = "us-central1"
@@ -85,7 +85,7 @@ module "network_edge_security_policy" {
module "network_edge_security_policy_no_rules" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = "us-central1"
diff --git a/modules/advanced-network-ddos-protection/README.md b/modules/advanced-network-ddos-protection/README.md
index fee24c9..9686d36 100644
--- a/modules/advanced-network-ddos-protection/README.md
+++ b/modules/advanced-network-ddos-protection/README.md
@@ -16,7 +16,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
```
module "advanced_network_ddos_protection" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
regions = ["us-central1", "us-east1"]
diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md
index c1b8621..f34179a 100644
--- a/modules/network-edge-security-policy/README.md
+++ b/modules/network-edge-security-policy/README.md
@@ -8,7 +8,7 @@ You can attch network edge security policy to backend services of [external pass
```
module "network_edge_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = "us-central1"
@@ -35,7 +35,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
```
module "network_edge_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
region = "us-central1"
diff --git a/modules/regional-backend-security-policy/README.md b/modules/regional-backend-security-policy/README.md
index 95c397d..8cffeeb 100644
--- a/modules/regional-backend-security-policy/README.md
+++ b/modules/regional-backend-security-policy/README.md
@@ -34,7 +34,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat
```
module "cloud_armor_regional_security_policy" {
source = "GoogleCloudPlatform/cloud-armor/google"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
name = "test-regional-external-sp-${random_id.suffix.hex}"
@@ -194,6 +194,7 @@ module "cloud_armor_regional_security_policy" {
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| custom\_rules | Custome security rules | map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
expression = string
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}),
{})
preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)
})) | `{}` | no |
+| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647). | `string` | `"allow"` | no |
| description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no |
| name | Name of regional security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no |
| pre\_configured\_rules | Map of pre-configured rules with Sensitivity levels | map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
target_rule_set = string
sensitivity_level = optional(number, 4)
include_target_rule_ids = optional(list(string), [])
exclude_target_rule_ids = optional(list(string), [])
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}), {})
preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)
})) | `{}` | no |
diff --git a/modules/regional-backend-security-policy/main.tf b/modules/regional-backend-security-policy/main.tf
index 7b3f3c8..8d6b883 100644
--- a/modules/regional-backend-security-policy/main.tf
+++ b/modules/regional-backend-security-policy/main.tf
@@ -237,7 +237,7 @@ resource "google_compute_region_security_policy_rule" "custom_rules" {
resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
provider = google-beta
- for_each = var.pre_configured_rules #var.pre_configured_rules == null ? {} : { for x in var.pre_configured_rules : x.priority => x }
+ for_each = var.pre_configured_rules
project = var.project_id
region = var.region
security_policy = google_compute_region_security_policy.security_policy.name
@@ -334,3 +334,20 @@ resource "google_compute_region_security_policy_rule" "pre_configured_rules" {
}
+##### Default Rule
+
+resource "google_compute_region_security_policy_rule" "default_rule" {
+ provider = google-beta
+ region = var.region
+ project = var.project_id
+ security_policy = google_compute_region_security_policy.security_policy.name
+ description = "default rule"
+ action = var.default_rule_action
+ priority = "2147483647"
+ match {
+ versioned_expr = "SRC_IPS_V1"
+ config {
+ src_ip_ranges = ["*"]
+ }
+ }
+}
diff --git a/modules/regional-backend-security-policy/variables.tf b/modules/regional-backend-security-policy/variables.tf
index 4b8e2ad..8e0335d 100644
--- a/modules/regional-backend-security-policy/variables.tf
+++ b/modules/regional-backend-security-policy/variables.tf
@@ -170,3 +170,9 @@ variable "custom_rules" {
}))
default = {}
}
+
+variable "default_rule_action" {
+ description = "default rule that allows/denies all traffic with the lowest priority (2,147,483,647)."
+ type = string
+ default = "allow"
+}
diff --git a/modules/regional-backend-security-policy/versions.tf b/modules/regional-backend-security-policy/versions.tf
index 997d50f..d56ec33 100644
--- a/modules/regional-backend-security-policy/versions.tf
+++ b/modules/regional-backend-security-policy/versions.tf
@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
- version = ">= 5.29, < 7"
+ version = ">= 6.10, < 7"
}
google-beta = {
source = "hashicorp/google-beta"
- version = ">= 5.29, < 7"
+ version = ">= 6.10, < 7"
}
}
provider_meta "google" {