From 5b0aa2ba243a02f4a6bf7819cb643db7b4818b9a Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 17 Oct 2023 09:33:40 -0500
Subject: [PATCH 1/8] fix: upgraded versions.tf to include minor bumps from tpg v5
---
 examples/security-policy-all/versions.tf | 4 ++--
 examples/security-policy-edge/versions.tf | 4 ++--
 examples/security-policy-managed-protection-plus/versions.tf | 4 ++--
 examples/security-policy-recaptcha/versions.tf | 4 ++--
 examples/simple-example/versions.tf | 4 ++--
 versions.tf | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/examples/security-policy-all/versions.tf b/examples/security-policy-all/versions.tf
index e220e27..8c033ed 100644
--- a/examples/security-policy-all/versions.tf
+++ b/examples/security-policy-all/versions.tf
@@ -18,11 +18,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 }
 }
diff --git a/examples/security-policy-edge/versions.tf b/examples/security-policy-edge/versions.tf
index e220e27..8c033ed 100644
--- a/examples/security-policy-edge/versions.tf
+++ b/examples/security-policy-edge/versions.tf
@@ -18,11 +18,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 }
 }
diff --git a/examples/security-policy-managed-protection-plus/versions.tf b/examples/security-policy-managed-protection-plus/versions.tf
index e220e27..8c033ed 100644
--- a/examples/security-policy-managed-protection-plus/versions.tf
+++ b/examples/security-policy-managed-protection-plus/versions.tf
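Review bot: Replacing `~> 4.0` with `>= 4.0` in this example removes the upper bound entirely, so the example resolves to any future major release of hashicorp/google and hashicorp/google-beta, not only 5.x. A major release can change field defaults, so an open-ended range lets the deployed security policy change without any edit to the configuration. An explicit ceiling that matches the root module in this commit, such as `version = ">= 4.0, < 6.0"`, keeps a provider major upgrade a deliberate change. The same applies to the identical hunks for security-policy-edge, security-policy-managed-protection-plus, security-policy-recaptcha and simple-example.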
@@ -18,11 +18,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 }
 }
diff --git a/examples/security-policy-recaptcha/versions.tf b/examples/security-policy-recaptcha/versions.tf
index e220e27..8c033ed 100644
--- a/examples/security-policy-recaptcha/versions.tf
+++ b/examples/security-policy-recaptcha/versions.tf
@@ -18,11 +18,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 }
 }
diff --git a/examples/simple-example/versions.tf b/examples/simple-example/versions.tf
index e220e27..8c033ed 100644
--- a/examples/simple-example/versions.tf
+++ b/examples/simple-example/versions.tf
@@ -18,11 +18,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 }
 }
diff --git a/versions.tf b/versions.tf
index 16c87b0..933c215 100644
--- a/versions.tf
+++ b/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.79.0, < 5.0"
+ version = ">= 4.79.0, < 6.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.79.0, < 5.0"
+ version = ">= 4.79.0, < 6.0"
 }
 }
 provider_meta "google" {
From 8ecf52bcb5c0579a3db9db00ca49049f616146ac Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 17 Oct 2023 10:51:37 -0500
Subject: [PATCH 2/8] fix test for rule.rate_limit_options.enforce_on_key
---
 docs/upgrading_to_v2.0.md | 3 +++
 examples/security-policy-all/main.tf | 1 +
 test/integration/security-policy-all/security_policy_test.go | 2 +-
 versions.tf | 4 ++--
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/docs/upgrading_to_v2.0.md b/docs/upgrading_to_v2.0.md
index 1133233..4a3052c 100644
--- a/docs/upgrading_to_v2.0.md
+++ b/docs/upgrading_to_v2.0.md
@@ -3,3 +3,6 @@ The v2.0 release contains backwards-incompatible changes. This update requires upgrading the minimum provider version to `4.79`.
+
+### TPG max version is bumped to 5.x.
+In `4.X`, the default value for `rule.rate_limit_options.enforce_on_key` is `ALL`. In `5.X` this field no longer has a default value. If you need `All` you will need to set it explicitly. See [Rule 2](https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor/blob/main/examples/security-policy-all/main.tf) in `examples/security-policy-all` folder for reference.
diff --git a/examples/security-policy-all/main.tf b/examples/security-policy-all/main.tf
index c2cd610..a9a1df2 100644
--- a/examples/security-policy-all/main.tf
+++ b/examples/security-policy-all/main.tf
@@ -48,6 +48,7 @@ module "cloud_armor" {
 exceed_action = "deny(502)"
 rate_limit_http_request_count = 10
 rate_limit_http_request_interval_sec = 60
+ enforce_on_key = "ALL"
 }
 }
diff --git a/test/integration/security-policy-all/security_policy_test.go b/test/integration/security-policy-all/security_policy_test.go
index 330bb50..8a727d4 100644
--- a/test/integration/security-policy-all/security_policy_test.go
+++ b/test/integration/security-policy-all/security_policy_test.go
@@ -67,7 +67,7 @@ func TestSecurityPolicyAll(t *testing.T) {
 assert.Equal("rate_based_ban", sp.Get("action").String(), "priority 3 rule has expected action")
 assert.Equal("PHP Sensitivity Level 1 with included rules", sp.Get("description").String(), "priority 3 rule has expected description")
 assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 3 rule has expected Rate limit confirm action")
- assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 3 rule has expected Rate limit enforce on key")
+ assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 3 rule has expected Rate limit enforce on key")
 assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 3 rule has expected Rate limit exceed action")
 assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 3 rule has expected Rate limit threshold count")
 assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 3 rule has expected Rate limit threshold interval")
diff --git a/versions.tf b/versions.tf
index 933c215..9fdd977 100644
--- a/versions.tf
+++ b/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.79.0, < 6.0"
+ version = ">= 4.79.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.79.0, < 6.0"
+ version = ">= 4.79.0, < 6"
 }
 }
 provider_meta "google" {
From a1cc7488049cdfb553d3718d1d36022101b637dc Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 17 Oct 2023 11:00:47 -0500
Subject: [PATCH 3/8] fix test for rule.rate_limit_options.enforce_on_key
---
 docs/upgrading_to_v2.0.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/upgrading_to_v2.0.md b/docs/upgrading_to_v2.0.md
index 4a3052c..bb465c1 100644
--- a/docs/upgrading_to_v2.0.md
+++ b/docs/upgrading_to_v2.0.md
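Review bot: Expecting `""` from `sp.Get("rateLimitOptions.enforceOnKey").String()` cannot tell an unset field from a mistyped path or a missing object, so on its own the changed assertion no longer proves anything about the rate-limit key. If `sp` is a gjson result, as the `Get(...).String()` calls suggest, assert absence directly with `assert.False(sp.Get("rateLimitOptions.enforceOnKey").Exists(), "priority 3 rule leaves Rate limit enforce on key unset")`. The expectation also appears to hold only with provider 5.x, while versions.tf in this same commit still admits `>= 4.79.0`, where the upgrade note says the default is `ALL`. The same pattern recurs in the later hunks at -170, -202 and -54 of this file and at -205 of simple_example_test.go; TestSecurityPolicyAll starts and ends outside the hunk.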
@@ -4,5 +4,5 @@ The v2.0 release contains backwards-incompatible changes. This update requires upgrading the minimum provider version to `4.79`.
-### TPG max version is bumped to 5.x.
+### TPG max version is bumped to 5.x
 In `4.X`, the default value for `rule.rate_limit_options.enforce_on_key` is `ALL`. In `5.X` this field no longer has a default value. If you need `All` you will need to set it explicitly. See [Rule 2](https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor/blob/main/examples/security-policy-all/main.tf) in `examples/security-policy-all` folder for reference.
From 6e88f91b1fd803afd676ef4dd4128949228c84b1 Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 17 Oct 2023 11:03:40 -0500
Subject: [PATCH 4/8] fix test for rule.rate_limit_options.enforce_on_key
---
 examples/security-policy-all/versions.tf | 28 -------------------
 examples/security-policy-edge/versions.tf | 28 -------------------
 .../versions.tf | 28 -------------------
 .../security-policy-recaptcha/versions.tf | 28 -------------------
 4 files changed, 112 deletions(-)
 delete mode 100644 examples/security-policy-all/versions.tf
 delete mode 100644 examples/security-policy-edge/versions.tf
 delete mode 100644 examples/security-policy-managed-protection-plus/versions.tf
 delete mode 100644 examples/security-policy-recaptcha/versions.tf
diff --git a/examples/security-policy-all/versions.tf b/examples/security-policy-all/versions.tf
deleted file mode 100644
index 8c033ed..0000000
--- a/examples/security-policy-all/versions.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- version = ">= 4.0"
- }
- google-beta = {
- source = "hashicorp/google-beta"
- version = ">= 4.0"
- }
- }
-}
diff --git a/examples/security-policy-edge/versions.tf b/examples/security-policy-edge/versions.tf
deleted file mode 100644
index 8c033ed..0000000
--- a/examples/security-policy-edge/versions.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- version = ">= 4.0"
- }
- google-beta = {
- source = "hashicorp/google-beta"
- version = ">= 4.0"
- }
- }
-}
diff --git a/examples/security-policy-managed-protection-plus/versions.tf b/examples/security-policy-managed-protection-plus/versions.tf
deleted file mode 100644
index 8c033ed..0000000
--- a/examples/security-policy-managed-protection-plus/versions.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- version = ">= 4.0"
- }
- google-beta = {
- source = "hashicorp/google-beta"
- version = ">= 4.0"
- }
- }
-}
diff --git a/examples/security-policy-recaptcha/versions.tf b/examples/security-policy-recaptcha/versions.tf
deleted file mode 100644
index 8c033ed..0000000
--- a/examples/security-policy-recaptcha/versions.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- version = ">= 4.0"
- }
- google-beta = {
- source = "hashicorp/google-beta"
- version = ">= 4.0"
- }
- }
-}
From d950c1d4f937a249cc2dd0148b462adbabaaa20b Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 17 Oct 2023 12:02:21 -0500
Subject: [PATCH 5/8] fix test for rule.rate_limit_options.enforce_on_key
---
 examples/security-policy-all/main.tf | 1 -
 .../integration/security-policy-all/security_policy_test.go | 6 +++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/examples/security-policy-all/main.tf b/examples/security-policy-all/main.tf
index a9a1df2..c2cd610 100644
--- a/examples/security-policy-all/main.tf
+++ b/examples/security-policy-all/main.tf
@@ -48,7 +48,6 @@ module "cloud_armor" {
 exceed_action = "deny(502)"
 rate_limit_http_request_count = 10
 rate_limit_http_request_interval_sec = 60
- enforce_on_key = "ALL"
 }
 }
diff --git a/test/integration/security-policy-all/security_policy_test.go b/test/integration/security-policy-all/security_policy_test.go
index 8a727d4..d75b084 100644
--- a/test/integration/security-policy-all/security_policy_test.go
+++ b/test/integration/security-policy-all/security_policy_test.go
@@ -67,7 +67,7 @@ func TestSecurityPolicyAll(t *testing.T) {
 assert.Equal("rate_based_ban", sp.Get("action").String(), "priority 3 rule has expected action")
 assert.Equal("PHP Sensitivity Level 1 with included rules", sp.Get("description").String(), "priority 3 rule has expected description")
 assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 3 rule has expected Rate limit confirm action")
- assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 3 rule has expected Rate limit enforce on key")
+ assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 3 rule has expected Rate limit enforce on key")
 assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 3 rule has expected Rate limit exceed action")
 assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 3 rule has expected Rate limit threshold count")
 assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 3 rule has expected Rate limit threshold interval")
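Review bot: Priority 3 goes back to expecting `ALL` here while the priority 15 and 23 hunks of the same commit expect an empty value, and the test carries no comment saying why the rules differ. The commit also removes the explicit `enforce_on_key = "ALL"` from examples/security-policy-all/main.tf, so the example no longer shows where the key is set, and the upgrade guide's pointer to that example presumably has nothing left to point at. A short comment above the assertion, for instance `// provider 5.x sets no default for enforce_on_key; this rule returns ALL because it is configured explicitly`, would record the intent if that is the reason. TestSecurityPolicyAll's body continues outside the hunk.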
@@ -170,7 +170,7 @@ func TestSecurityPolicyAll(t *testing.T) {
 assert.Equal(srcIpRanges[0].String(), "45.116.227.71", "priority 15 rule found first valid cidr range")
 assert.Equal(srcIpRanges[1].String(), "190.217.68.214", "priority 15 rule found second valid cidr range")
 assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 15 rule has Rate limit confirm action")
- assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 15 rule has Rate limit Enforce on key")
+ assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 15 rule has Rate limit Enforce on key")
 assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 15 rule has Rate limit exceed action")
 assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 15 rule has Rate limit threshold count")
 assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 15 rule has Rate limit threshold interval")
@@ -202,7 +202,7 @@ func TestSecurityPolicyAll(t *testing.T) {
 assert.Equal("Throttle specific IP address in US Region", sp.Get("description").String(), "priority 23 rule has expected description")
 assert.Equal("origin.region_code == \"US\" && inIpRange(origin.ip, '47.185.201.159/32')\n", sp.Get("match.expr.expression").String(), "priority 23 rule has expected expression")
 assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 23 rule has Rate limit confirm action")
- assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 23 rule has Rate limit Enforce on key")
+ assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 23 rule has Rate limit Enforce on key")
 assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 23 rule has Rate limit exceed action")
 assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 23 rule has Rate limit threshold count")
 assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 23 rule has Rate limit threshold interval")
From c360e9c18f9a93e34884fb6ee51c739f19e9280c Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 17 Oct 2023 13:37:28 -0500
Subject: [PATCH 6/8] fix test for rule.rate_limit_options.enforce_on_key
---
 test/integration/security-policy-all/security_policy_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/security-policy-all/security_policy_test.go b/test/integration/security-policy-all/security_policy_test.go
index d75b084..c4e0fd7 100644
--- a/test/integration/security-policy-all/security_policy_test.go
+++ b/test/integration/security-policy-all/security_policy_test.go
@@ -54,7 +54,7 @@ func TestSecurityPolicyAll(t *testing.T) {
 assert.Equal("throttle", sp.Get("action").String(), "priority 2 rule has expected action")
 assert.Equal("XSS Sensitivity Level 2 with excluded rules", sp.Get("description").String(), "priority 2 rule has expected description")
 assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 2 rule has expected Rate limit confirm action")
- assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 2 rule has expected Rate limit enforce on key")
+ assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 2 rule has expected Rate limit enforce on key")
 assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 2 rule has expected Rate limit exceed action")
 assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 2 rule has expected Rate limit threshold count")
 assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 2 rule has expected Rate limit threshold interval")
From 219435fc6b516ef9568e33eb755e3a4b785d0fce Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 17 Oct 2023 14:35:11 -0500
Subject: [PATCH 7/8] fix test for rule.rate_limit_options.enforce_on_key
---
 test/integration/simple-example/simple_example_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/simple-example/simple_example_test.go b/test/integration/simple-example/simple_example_test.go
index a4680da..3b42c2e 100644
--- a/test/integration/simple-example/simple_example_test.go
+++ b/test/integration/simple-example/simple_example_test.go
@@ -205,7 +205,7 @@ func TestSimpleExample(t *testing.T) {
 assert.Equal("Throttle specific IP address in US Region", sp.Get("description").String(), "priority 23 rule has expected description")
 assert.Equal("origin.region_code == \"US\" && inIpRange(origin.ip, '47.185.201.159/32')\n", sp.Get("match.expr.expression").String(), "priority 23 rule has expected expression")
 assert.Equal("allow", sp.Get("rateLimitOptions.conformAction").String(), "priority 23 rule has Rate limit confirm action")
- assert.Equal("ALL", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 23 rule has Rate limit Enforce on key")
+ assert.Equal("", sp.Get("rateLimitOptions.enforceOnKey").String(), "priority 23 rule has Rate limit Enforce on key")
 assert.Equal("deny(502)", sp.Get("rateLimitOptions.exceedAction").String(), "priority 23 rule has Rate limit exceed action")
 assert.Equal("10", sp.Get("rateLimitOptions.rateLimitThreshold.count").String(), "priority 23 rule has Rate limit threshold count")
 assert.Equal("60", sp.Get("rateLimitOptions.rateLimitThreshold.intervalSec").String(), "priority 23 rule has Rate limit threshold interval")
From 7e6b1f86576695657e34d4535f6a7ca64a24a175 Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Tue, 24 Oct 2023 14:29:22 -0400
Subject: [PATCH 8/8] Delete examples/simple-example/versions.tf
---
 examples/simple-example/versions.tf | 28 ----------------------------
 1 file changed, 28 deletions(-)
 delete mode 100644 examples/simple-example/versions.tf
diff --git a/examples/simple-example/versions.tf b/examples/simple-example/versions.tf
deleted file mode 100644
index 8c033ed..0000000
--- a/examples/simple-example/versions.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- version = ">= 4.0"
- }
- google-beta = {
- source = "hashicorp/google-beta"
- version = ">= 4.0"
- }
- }
-}