From 3f313882017ca329c1073b7014b595e0ae12880a Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Wed, 4 Dec 2024 18:07:00 +0000 Subject: [PATCH 1/3] added option to override default security rule in regional backend security policy --- README.md | 2 +- docs/upgrading_to_v4.0.md | 9 +++++++++ .../main.tf | 2 +- .../main.tf | 2 +- .../main.tf | 2 +- .../main.tf | 2 +- examples/global-edge-security-policy/main.tf | 2 +- .../main.tf | 4 ++-- .../main.tf | 2 +- .../main.tf | 2 +- .../main.tf | 4 ++-- .../README.md | 2 +- .../network-edge-security-policy/README.md | 4 ++-- .../README.md | 3 ++- .../regional-backend-security-policy/main.tf | 19 ++++++++++++++++++- .../variables.tf | 6 ++++++ .../versions.tf | 4 ++-- 17 files changed, 52 insertions(+), 19 deletions(-) create mode 100644 docs/upgrading_to_v4.0.md diff --git a/README.md b/README.md index 095563f..8c58614 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "security_policy" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "my-test-security-policy" diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md new file mode 100644 index 0000000..3169f72 --- /dev/null +++ b/docs/upgrading_to_v4.0.md @@ -0,0 +1,9 @@ +# Upgrading to v4.0.0 + +The v4.0 release contains backwards-incompatible changes. + +### TPG max version is bumped to 6.10 for regional-backend-security-policy module +There is no known breaking change for Cloud Armor in 6.X. + +### Added default rule at priority 2147483647 +Before this version a default security rule with priority 2147483647 was created. This update will override that rule so users can manage it in terraform diff --git a/examples/global-backend-security-policy-complete/main.tf b/examples/global-backend-security-policy-complete/main.tf index dbbc455..c940e07 100644 
--- a/examples/global-backend-security-policy-complete/main.tf +++ b/examples/global-backend-security-policy-complete/main.tf @@ -24,7 +24,7 @@ resource "random_id" "suffix" { } module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-casp-policy-${random_id.suffix.hex}" diff --git a/examples/global-backend-security-policy-enterprise/main.tf b/examples/global-backend-security-policy-enterprise/main.tf index e675492..255c774 100644 --- a/examples/global-backend-security-policy-enterprise/main.tf +++ b/examples/global-backend-security-policy-enterprise/main.tf @@ -19,7 +19,7 @@ resource "random_id" "suffix" { } module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-camp-policy-${random_id.suffix.hex}" diff --git a/examples/global-backend-security-policy-example/main.tf b/examples/global-backend-security-policy-example/main.tf index f2ab7d9..aaa7472 100644 --- a/examples/global-backend-security-policy-example/main.tf +++ b/examples/global-backend-security-policy-example/main.tf @@ -34,7 +34,7 @@ resource "google_network_security_address_group" "address_group" { module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-casp-policy-${random_id.suffix.hex}" diff --git a/examples/global-backend-security-policy-recaptcha/main.tf b/examples/global-backend-security-policy-recaptcha/main.tf index cd0767f..f17a30f 100644 --- a/examples/global-backend-security-policy-recaptcha/main.tf +++ b/examples/global-backend-security-policy-recaptcha/main.tf 
@@ -36,7 +36,7 @@ resource "random_id" "suffix" { module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-policy-recaptcha-${random_id.suffix.hex}" diff --git a/examples/global-edge-security-policy/main.tf b/examples/global-edge-security-policy/main.tf index c800213..5bb31b4 100644 --- a/examples/global-edge-security-policy/main.tf +++ b/examples/global-edge-security-policy/main.tf @@ -19,7 +19,7 @@ resource "random_id" "suffix" { } module "cloud_armor" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-casp-edge-policy-${random_id.suffix.hex}" diff --git a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf index 864d18d..078229b 100644 --- a/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf +++ b/examples/regional-adv-ddos-and-network-edge-security-policy-complete/main.tf @@ -25,7 +25,7 @@ resource "random_id" "suffix" { module "advanced_network_ddos_protection" { source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id regions = [local.primary_region, local.secondary_region] @@ -35,7 +35,7 @@ module "advanced_network_ddos_protection" { module "network_edge_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = local.primary_region diff --git a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf index 07d4cfa..60c8176 100644 --- a/examples/regional-advanced-network-ddos-protection-enterprise/main.tf 
+++ b/examples/regional-advanced-network-ddos-protection-enterprise/main.tf @@ -20,7 +20,7 @@ resource "random_id" "suffix" { module "advanced_network_ddos_protection" { source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id regions = ["us-central1", "us-east1"] diff --git a/examples/regional-backend-security-policy-example/main.tf b/examples/regional-backend-security-policy-example/main.tf index db0f8e8..eafb560 100644 --- a/examples/regional-backend-security-policy-example/main.tf +++ b/examples/regional-backend-security-policy-example/main.tf @@ -20,7 +20,7 @@ resource "random_id" "suffix" { module "cloud_armor_regional_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/regional-backend-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-regional-external-sp-${random_id.suffix.hex}" diff --git a/examples/regional-network-edge-security-policy-enterprise/main.tf b/examples/regional-network-edge-security-policy-enterprise/main.tf index 0eb0902..1bf7ccc 100644 --- a/examples/regional-network-edge-security-policy-enterprise/main.tf +++ b/examples/regional-network-edge-security-policy-enterprise/main.tf @@ -20,7 +20,7 @@ resource "random_id" "suffix" { module "network_edge_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = "us-central1" @@ -85,7 +85,7 @@ module "network_edge_security_policy" { module "network_edge_security_policy_no_rules" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = "us-central1" 
diff --git a/modules/advanced-network-ddos-protection/README.md b/modules/advanced-network-ddos-protection/README.md index fee24c9..9686d36 100644 --- a/modules/advanced-network-ddos-protection/README.md +++ b/modules/advanced-network-ddos-protection/README.md @@ -16,7 +16,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "advanced_network_ddos_protection" { source = "GoogleCloudPlatform/cloud-armor/google//modules/advanced-network-ddos-protection" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id regions = ["us-central1", "us-east1"] diff --git a/modules/network-edge-security-policy/README.md b/modules/network-edge-security-policy/README.md index c1b8621..f34179a 100644 --- a/modules/network-edge-security-policy/README.md +++ b/modules/network-edge-security-policy/README.md @@ -8,7 +8,7 @@ You can attch network edge security policy to backend services of [external pass ``` module "network_edge_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = "us-central1" @@ -35,7 +35,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "network_edge_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google//modules/network-edge-security-policy" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id region = "us-central1" diff --git a/modules/regional-backend-security-policy/README.md b/modules/regional-backend-security-policy/README.md index 95c397d..8cffeeb 100644 --- a/modules/regional-backend-security-policy/README.md +++ b/modules/regional-backend-security-policy/README.md 
@@ -34,7 +34,7 @@ There are examples included in the [examples](https://github.com/GoogleCloudPlat ``` module "cloud_armor_regional_security_policy" { source = "GoogleCloudPlatform/cloud-armor/google" - version = "~> 3.0" + version = "~> 4.0" project_id = var.project_id name = "test-regional-external-sp-${random_id.suffix.hex}" @@ -194,6 +194,7 @@ module "cloud_armor_regional_security_policy" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | custom\_rules | Custome security rules |
map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
expression = string
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}),
{})

preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)

}))
| `{}` | no | +| default\_rule\_action | default rule that allows/denies all traffic with the lowest priority (2,147,483,647). | `string` | `"allow"` | no | | description | An optional description of advanced network ddos protection security policy | `string` | `"CA Advance DDoS protection"` | no | | name | Name of regional security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | `string` | `"adv-network-ddos-protection"` | no | | pre\_configured\_rules | Map of pre-configured rules with Sensitivity levels |
map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
target_rule_set = string
sensitivity_level = optional(number, 4)
include_target_rule_ids = optional(list(string), [])
exclude_target_rule_ids = optional(list(string), [])
rate_limit_options = optional(object({
enforce_on_key = optional(string)
enforce_on_key_name = optional(string)
enforce_on_key_configs = optional(list(object({
enforce_on_key_name = optional(string)
enforce_on_key_type = optional(string)
})))
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}), {})

preconfigured_waf_config_exclusions = optional(map(object({
target_rule_set = string
target_rule_ids = optional(list(string), [])
request_header = optional(list(object({
operator = string
value = optional(string)
})))
request_cookie = optional(list(object({
operator = string
value = optional(string)
})))
request_uri = optional(list(object({
operator = string
value = optional(string)
})))
request_query_param = optional(list(object({
operator = string
value = optional(string)
})))
})), null)

}))
| `{}` | no | diff --git a/modules/regional-backend-security-policy/main.tf b/modules/regional-backend-security-policy/main.tf index 7b3f3c8..3e3a8f4 100644 --- a/modules/regional-backend-security-policy/main.tf +++ b/modules/regional-backend-security-policy/main.tf @@ -237,7 +237,7 @@ resource "google_compute_region_security_policy_rule" "custom_rules" { resource "google_compute_region_security_policy_rule" "pre_configured_rules" { provider = google-beta - for_each = var.pre_configured_rules #var.pre_configured_rules == null ? {} : { for x in var.pre_configured_rules : x.priority => x } + for_each = var.pre_configured_rules project = var.project_id region = var.region security_policy = google_compute_region_security_policy.security_policy.name @@ -334,3 +334,20 @@ resource "google_compute_region_security_policy_rule" "pre_configured_rules" { } +##### Default Rule + +resource "google_compute_region_security_policy_rule" "default_rule" { + provider = google-beta + region = var.region + project = var.project_id + security_policy = google_compute_region_security_policy.security_policy.name + description = "default rule" + action = var.default_rule_action + priority = "2147483647" + match { + versioned_expr = "SRC_IPS_V1" + config { + src_ip_ranges = ["*"] + } + } +} \ No newline at end of file diff --git a/modules/regional-backend-security-policy/variables.tf b/modules/regional-backend-security-policy/variables.tf index 4b8e2ad..8e0335d 100644 --- a/modules/regional-backend-security-policy/variables.tf +++ b/modules/regional-backend-security-policy/variables.tf @@ -170,3 +170,9 @@ variable "custom_rules" { })) default = {} } + +variable "default_rule_action" { + description = "default rule that allows/denies all traffic with the lowest priority (2,147,483,647)." + type = string + default = "allow" +} diff --git a/modules/regional-backend-security-policy/versions.tf b/modules/regional-backend-security-policy/versions.tf index 997d50f..d56ec33 100644 
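Review bot: The new `default_rule` resource fails open: `action = var.default_rule_action` defaults to `"allow"`, so a policy built with this module admits every request that no higher-priority rule matched unless the caller explicitly chooses a deny action, and nothing in the module signals that. Since the stated purpose of managing this rule is to let users control it, the choice should at least be documented above the resource, e.g. `# Catch-all rule at the lowest priority (2147483647). Defaults to allow (fail-open); set default_rule_action to a deny(...) value for an allow-list policy.` Two smaller points in the same hunk: `priority = "2147483647"` passes a quoted string to a numeric argument — the provider coerces it, but `priority = 2147483647` would match the `number` priority the other rules in this file take from their variables — and `description = "default rule"` is hard-coded while the custom and pre-configured rules expose `description` to the caller. Because the rule at this priority already exists server-side (the upgrade doc says so), whether a plain `terraform apply` adopts it or needs a `terraform import` depends on provider 6.10 behaviour not visible here, and the upgrade note should state which.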
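Review bot: `default_rule_action` accepts any string, so a typo such as `"deny"` or `"Allow"` is only rejected by the API at apply time, and the description neither lists the valid values nor says that the default leaves the policy open. A `validation` block limiting the value to the actions the module intends to support makes this a plan-time error; the list below is the allow/deny set, extend it if redirect or rate-based actions are meant to be usable on the default rule (I have not verified which of those the API accepts at this priority). The variable block is short enough to give in full.
```hcl
variable "default_rule_action" {
  description = "Action of the catch-all rule at the lowest priority (2147483647). Defaults to \"allow\", i.e. the policy fails open; use a deny(...) action for an allow-list policy."
  type        = string
  default     = "allow"

  validation {
    condition     = contains(["allow", "deny(403)", "deny(404)", "deny(502)"], var.default_rule_action)
    error_message = "default_rule_action must be one of: allow, deny(403), deny(404), deny(502)."
  }
}
```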
--- a/modules/regional-backend-security-policy/versions.tf +++ b/modules/regional-backend-security-policy/versions.tf @@ -19,11 +19,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.29, < 7" + version = ">= 6.10, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.29, < 7" + version = ">= 6.10, < 7" } } provider_meta "google" { From c0c0d415206b0f88a06e21fd6496c6f99586c9fa Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Wed, 4 Dec 2024 18:42:39 +0000 Subject: [PATCH 2/3] fixed lint issues --- modules/regional-backend-security-policy/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/regional-backend-security-policy/main.tf b/modules/regional-backend-security-policy/main.tf index 3e3a8f4..8d6b883 100644 --- a/modules/regional-backend-security-policy/main.tf +++ b/modules/regional-backend-security-policy/main.tf @@ -350,4 +350,4 @@ resource "google_compute_region_security_policy_rule" "default_rule" { src_ip_ranges = ["*"] } } -} \ No newline at end of file +} From 51e31337e7e57fb2ae998eb864249de5ff2824cb Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Thu, 5 Dec 2024 16:58:39 +0000 Subject: [PATCH 3/3] udpated upgrade doc --- docs/upgrading_to_v4.0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md index 3169f72..370ef27 100644 --- a/docs/upgrading_to_v4.0.md +++ b/docs/upgrading_to_v4.0.md 
@@ -3,7 +3,7 @@ The v4.0 release contains backwards-incompatible changes. ### TPG max version is bumped to 6.10 for regional-backend-security-policy module -There is no known breaking change for Cloud Armor in 6.X. +TPG 6.10 added support for overriding default security rule ### Added default rule at priority 2147483647 -Before this version a default security rule with priority 2147483647 was created. This update will override that rule so users can manage it in terraform +Before this version a default security rule with priority 2147483647 was created behind the scene but was not part of TF state file. This update will override that rule so users can manage it in terraform