Comments (7)

imrannayer avatar imrannayer commented on June 3, 2024

@nhu-nguyen27 can you please post example code for an edge policy so I can also add a test for it.

from terraform-google-cloud-armor.

nhu-nguyen27 avatar nhu-nguyen27 commented on June 3, 2024

Here's how I'm using the module. I'm trying to use CLOUD_ARMOR_EDGE since I want to apply this policy to a GCS backend.

module "edge_security_policy" {
  source = "GoogleCloudPlatform/cloud-armor/google"

  project_id                           = var.gcp_project_id
  name                                 = "geolocation-allowlist"
  description                          = "Only certain regions can access"
  default_rule_action                  = "deny(403)"
  type                                 = "CLOUD_ARMOR_EDGE"
  layer_7_ddos_defense_enable          = true
  layer_7_ddos_defense_rule_visibility = "STANDARD"
  # these parameters can only be enabled in Advanced options for security policies with CLOUD_ARMOR type
  # trying to set these to null to bypass the advanced_options_config block
  #json_parsing                     = null
  #log_level                        = null
  #json_custom_config_content_types = []

  custom_rules = {
    allow_specific_regions = {
      action   = "allow"
      priority = 1
      # prod then allow US
      # non-prod then allow US and Canada
      description = var.env == "production" ? "Only allow from US" : "Only allow from US, Canada"
      expression  = var.env == "production" ? "origin.region_code == 'US'" : "origin.region_code == 'US' || origin.region_code == 'CA'"
    }
  }
}

This is what the Terraform plan looks like:

 # module.rx2.module.edge_security_policy.google_compute_security_policy.policy will be created
  + resource "google_compute_security_policy" "policy" {
      + description = "Only certain regions can access"
      + fingerprint = (known after apply)
      + id          = (known after apply)
      + name        = "geolocation-allowlist"
      + project     = "staging-service"
      + self_link   = (known after apply)
      + type        = "CLOUD_ARMOR_EDGE"

      + adaptive_protection_config {

          + layer_7_ddos_defense_config {
              + enable          = true
              + rule_visibility = "STANDARD"
            }
        }

      + advanced_options_config {
          + json_parsing = "DISABLED"
          + log_level    = "NORMAL"

          + json_custom_config {
              + content_types = (known after apply)
            }
        }

      + rule {
          + action      = "allow"
          + description = "Only allow from US, Canada"
          + preview     = false
          + priority    = 1

          + match {

              + expr {
                  + expression = "origin.region_code == 'CA' || origin.region_code == 'US'"
                }
            }
        }
      + rule {
          + action      = "deny(403)"
          + description = "Default rule, higher priority overrides it"
          + preview     = (known after apply)
          + priority    = 2147483647

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "*",
                    ]
                }
            }
        }
    }

imrannayer avatar imrannayer commented on June 3, 2024

@nhu-nguyen27 The issue will be fixed by PR #39. The adaptive_protection_config block is also not supported for edge policies. You can remove layer_7_ddos_defense_enable from your code; the module will ignore this value if the policy type is set to CLOUD_ARMOR_EDGE. Thanks for the example.
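
As an added example that is not part of this thread, the module's own code, or PR #39: a standalone google_compute_security_policy that gates the two backend-only blocks (adaptive_protection_config and advanced_options_config) on the policy type, so a CLOUD_ARMOR_EDGE policy never sends fields the edge type rejects, while the geo allowlist and the default deny stay the same for both types. var.policy_type, var.env and var.gcp_project_id are assumed input variables.

```terraform
# Added example, not the module's code: the two backend-only blocks are
# emitted only when type is CLOUD_ARMOR, so an edge policy never sends them.
locals {
  backend_only    = var.policy_type == "CLOUD_ARMOR" ? [1] : []   # [] skips the dynamic block
  allowed_regions = var.env == "production" ? ["US"] : ["US", "CA"]
  geo_expression  = join(" || ", [for r in local.allowed_regions : "origin.region_code == '${r}'"])
}
resource "google_compute_security_policy" "policy" {
  project     = var.gcp_project_id
  name        = "geolocation-allowlist"
  description = "Only certain regions can access"
  type        = var.policy_type # "CLOUD_ARMOR" or "CLOUD_ARMOR_EDGE"

  # Layer 7 DDoS defense: CLOUD_ARMOR backend policies only.
  dynamic "adaptive_protection_config" {
    for_each = local.backend_only
    content {
      layer_7_ddos_defense_config {
        enable          = true
        rule_visibility = "STANDARD"
      }
    }
  }

  # JSON parsing / log level: CLOUD_ARMOR backend policies only.
  dynamic "advanced_options_config" {
    for_each = local.backend_only
    content {
      json_parsing = "DISABLED"
      log_level    = "NORMAL"
    }
  }

  # Geo allowlist; the expression is built from the region list above.
  rule {
    action      = "allow"
    priority    = 1
    description = "Only allow from ${join(", ", local.allowed_regions)}"
    match {
      expr { expression = local.geo_expression }
    }
  }
  # Explicit default deny so the policy is allowlist-only.
  rule {
    action      = "deny(403)"
    priority    = 2147483647
    description = "Default rule, higher priority overrides it"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
```

With var.policy_type = "CLOUD_ARMOR_EDGE", terraform plan should show neither backend-only block, which is the difference from the plan output posted above.
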

imrannayer avatar imrannayer commented on June 3, 2024

Wait for the PR merge. PR review is needed.

nhu-nguyen27 avatar nhu-nguyen27 commented on June 3, 2024

@imrannayer any ETA on when PR #39 will get reviewed and merged to main?

imrannayer avatar imrannayer commented on June 3, 2024

@nhu-nguyen27 done. If it is urgent you can access the updated module by pointing to the main branch directly. It will be available through the Terraform registry after the release.
The example for the edge policy is in the example folder.

nhu-nguyen27 avatar nhu-nguyen27 commented on June 3, 2024

@imrannayer it's working now, thank you so much for updating the module!