Comments (7)
@nhu-nguyen27 can u plz post an example code for edge policy so I can also add a test for it.
from terraform-google-cloud-armor.
Here's how I'm using the module. I'm trying to use CLOUD_ARMOR_EDGE since I want to apply this policy to a GCS backend.

```hcl
module "edge_security_policy" {
  source              = "GoogleCloudPlatform/cloud-armor/google"
  project_id          = var.gcp_project_id
  name                = "geolocation-allowlist"
  description         = "Only certain regions can access"
  default_rule_action = "deny(403)"
  type                = "CLOUD_ARMOR_EDGE"

  layer_7_ddos_defense_enable          = true
  layer_7_ddos_defense_rule_visibility = "STANDARD"

  # these parameters can only be enabled in Advanced options for security policies with CLOUD_ARMOR type
  # trying to set these to null to bypass the advanced_options_config block
  #json_parsing                     = null
  #log_level                        = null
  #json_custom_config_content_types = []

  custom_rules = {
    allow_specific_regions = {
      action   = "allow"
      priority = 1
      # prod then allow US
      # non-prod then allow US and Canada
      description = var.env == "production" ? "Only allow from US" : "Only allow from US, Canada"
      expression  = var.env == "production" ? "origin.region_code == 'US'" : "origin.region_code == 'US' || origin.region_code == 'CA'"
    }
  }
}
```
This is what Terraform Plan looks like:

```text
# module.rx2.module.edge_security_policy.google_compute_security_policy.policy will be created
+ resource "google_compute_security_policy" "policy" {
    + description = "Only certain regions can access"
    + fingerprint = (known after apply)
    + id          = (known after apply)
    + name        = "geolocation-allowlist"
    + project     = "staging-service"
    + self_link   = (known after apply)
    + type        = "CLOUD_ARMOR_EDGE"

    + adaptive_protection_config {
        + layer_7_ddos_defense_config {
            + enable          = true
            + rule_visibility = "STANDARD"
          }
      }

    + advanced_options_config {
        + json_parsing = "DISABLED"
        + log_level    = "NORMAL"

        + json_custom_config {
            + content_types = (known after apply)
          }
      }

    + rule {
        + action      = "allow"
        + description = "Only allow from US, Canada"
        + preview     = false
        + priority    = 1

        + match {
            + expr {
                + expression = "origin.region_code == 'CA' || origin.region_code == 'US'"
              }
          }
      }
    + rule {
        + action      = "deny(403)"
        + description = "Default rule, higher priority overrides it"
        + preview     = (known after apply)
        + priority    = 2147483647

        + match {
            + versioned_expr = "SRC_IPS_V1"

            + config {
                + src_ip_ranges = [
                    + "*",
                  ]
              }
          }
      }
  }
```
@nhu-nguyen27 Issue will be fixed with PR #39. adaptive_protection_config block is also not supported for edge policies. You can remove layer_7_ddos_defense_enable from your code. Module will ignore this value if policy type is set to CLOUD_ARMOR_EDGE. Thanks for the example.
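For readers who want to see what the plan above should reduce to once the two backend-only blocks are gone, here is an added example written for this thread (it is not the module's code and not taken from the project's example folder). It uses the raw google_compute_security_policy resource directly: an edge policy carries only the region allowlist rule and the default deny, with no adaptive_protection_config and no advanced_options_config, and it is attached where an edge policy belongs, on a Cloud CDN-enabled backend bucket via the edge_security_policy argument. The project id, bucket name and env default are constructed placeholders.

```hcl
# Added example (not from the module or the thread): a raw edge security policy
# without the adaptive_protection_config / advanced_options_config blocks that
# the API only accepts for CLOUD_ARMOR (backend) policies.

variable "env" {
  type    = string
  default = "staging" # constructed value; "production" narrows the allowlist to US
}

locals {
  # prod allows only US; non-prod allows US and Canada (same logic as the thread)
  allowed_region_expr = var.env == "production" ? "origin.region_code == 'US'" : "origin.region_code == 'US' || origin.region_code == 'CA'"
}

resource "google_compute_security_policy" "edge" {
  project     = "example-project" # placeholder
  name        = "geolocation-allowlist"
  description = "Only certain regions can access"
  type        = "CLOUD_ARMOR_EDGE"

  # Deliberately no adaptive_protection_config and no advanced_options_config:
  # both are CLOUD_ARMOR (backend policy) features and are rejected on edge policies.

  rule {
    action      = "allow"
    priority    = 1
    description = var.env == "production" ? "Only allow from US" : "Only allow from US, Canada"
    match {
      expr {
        expression = local.allowed_region_expr
      }
    }
  }

  # Lowest-priority catch-all; every other rule overrides it.
  rule {
    action      = "deny(403)"
    priority    = 2147483647
    description = "Default rule, higher priority overrides it"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

# Edge policies are enforced at the CDN edge, so they attach to a CDN-enabled
# backend bucket (GCS) through edge_security_policy, not through the
# security_policy argument used for backend services.
resource "google_compute_backend_bucket" "static" {
  project              = "example-project"       # placeholder
  name                 = "static-assets"         # constructed
  bucket_name          = "example-static-bucket" # placeholder
  enable_cdn           = true
  edge_security_policy = google_compute_security_policy.edge.self_link
}
```

A quick check after `terraform plan` is that the `google_compute_security_policy` resource shows `type = "CLOUD_ARMOR_EDGE"` and no `adaptive_protection_config` or `advanced_options_config` block at all; if either block still appears, the apply will fail against the API regardless of the values inside it.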
Wait for the PR merge. PR review is needed.
@imrannayer any ETA on when the PR #39 will get review and merged to main?
@nhu-nguyen27 done. If it is urgent you can access the updated module by pointing to the main branch directly. It will be available through the Terraform registry after the release. Example for edge policy is in the example folder.
@imrannayer its working now, thank you so much for updating the module!