googlecloudplatform / terraform-google-cloud-armor Goto Github PK

Thank you the module. Any plans on adding the json parsing block?
Ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_security_policy#advanced_options_config

When setting redirect type to "EXTERNAL_302" the following error occurs

│ Error: Invalid index
│
│   on .terraform/modules/security_polcy/main.tf line 206, in resource "google_compute_security_policy" "policy":
│  206:           target = rule.value["redirect_type"] == "EXTERNAL_302" ? rule.value["redirect_target"] : null
│     ├────────────────
│     │ rule.value is object with 7 attributes
│
│ The given key does not identify an element in this collection value.

variables.tf seems to be missing redirect_target for rule values.

Add support of regional security policy and regional security policy rule.

• google_compute_region_security_policy
• google_compute_region_security_policy_rule

Add support for rate limiting on multiple keys

https://cloud.google.com/armor/docs/rate-limiting-overview#identifying_clients_for_rate_limiting

https://cloud.google.com/armor/docs/configure-security-policies#multiple-keys

https://cloud.google.com/armor/docs/configure-security-policies#multiple-keys

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): Update go modules and/or dev-tools (github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test, go)
• chore(deps): Update Terraform terraform-google-modules/project-factory/google to v15

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Add support to add headers to requests that the resource supports with the header_actions block

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_security_policy#example-usage---with-header-actions

Hi, I saw in the README that this module does support log_level modification. However, when I do

module "cloud_armor_policy" {
  source = "GoogleCloudPlatform/cloud-armor/google"

  version    = "0.2.0"
  project_id = var.project_id
  name       = "cloud-armor-policy-${terraform.workspace}"
  log_level  = "VERBOSE"
}

I got

Error: Unsupported argument

  on main.tf line 7, in module "cloud_armor_policy":
   7:   log_level  = "VERBOSE"

An argument named "log_level" is not expected here.

I wonder if I am missing anything here. Thank you!

[NOT A CONTRIBUTION]

It seems the module doesn't support setting TLS_JA3_FINGERPRINT, while the documentation [1] and examples [2] show it's possible.

│ Error: expected rule.60.rate_limit_options.0.enforce_on_key to be one of ["ALL" "IP" "HTTP_HEADER" "XFF_IP" "HTTP_COOKIE" "HTTP_PATH" "SNI" "REGION_CODE" ""], got TLS_JA3_FINGERPRINT

│ Error: expected rule.60.rate_limit_options.0.enforce_on_key_configs.0.enforce_on_key_type to be one of ["ALL" "IP" "HTTP_HEADER" "XFF_IP" "HTTP_COOKIE" "HTTP_PATH" "SNI" "REGION_CODE"], got TLS_JA3_FINGERPRINT

Would it be possible to extend the module to support that as well? Thank you

[1] https://cloud.google.com/armor/docs/rate-limiting-overview#identifying_clients_for_rate_limiting
[2] https://cloud.google.com/armor/docs/configure-rate-limiting#ja3

I've encountered this issue during a deployment-

Error 400: Invalid value for field 'resource.preconfiguredWafConfig': '*** "exclusions": [*** "targetRuleSet": "sqli-v33-stable", "targetRuleIds": ["owasp-crs-v030301-i...'. The number of request query parameters to exclude for the target sqli-v33-stable:owasp-crs-v030301-id942220-sqli exceeds the limit of 10., invalid

Which is probably a fine limit if I was able to state specific target_rule_ids for each value I want, like below in the GCP console -

• but as it stands it looks like I can only state a list of target_rule_ids and all the exclusions are applied to that list.

Add support for Automatically deploy Adaptive Protection suggested rules

https://cloud.google.com/armor/docs/adaptive-protection-auto-deploy

This advanced_options_config block is only supported for CLOUD_ARMOR type.

advanced_options_config {
    json_parsing = var.json_parsing
    log_level    = var.log_level
    dynamic "json_custom_config" {
      for_each = var.json_parsing == "STANDARD" && length(var.json_custom_config_content_types) > 0 ? ["json_custom_config"] : []
      content {
        content_types = var.json_custom_config_content_types
      }
    }
  }

I'm getting the following error when I try to use this module to setup a security policy for CLOUD_ARMOR_EDGE
│ Error: Error creating SecurityPolicy: googleapi: Error 400: Invalid value for field 'resource.advancedOptionsConfig': '{ "jsonCustomConfig": { }}'. Advanced options for Cloud Armor are currently only supported for security policies with CLOUD_ARMOR type., invalid

I've try to passed in null values for those variables, but its not skipping that block. It's still trying to provision it.

This must have occurred in an update as my Cloud Armor config has not changed a lot but now every Terraform apply is causing many rules that have not been changed to be deleted and recreated. When I look at the plan diff the only change I see is the preconfigured_waf_config property which is not set and not an option on these rules.

For example, even with the default rule I get the following in a Terraform apply. The only difference I can see is the rule being destroyed has an empty preconfigured_waf_config setting which isn't even an option when setting the default rule. But this applies to other types of rules as well I just choose the default as an example.

Rule being destroyed:

    - rule ***
        - action      = "allow" -> null
        - description = "Default rule, higher priority overrides it" -> null
        - preview     = false -> null
        - priority    = 2147483647 -> null

        - match ***
            - versioned_expr = "SRC_IPS_V1" -> null

            - config ***
                - src_ip_ranges = [
                    - "*",
                  ] -> null
              ***
          ***

        - preconfigured_waf_config ***
          ***
      ***

Replacement rule being created:

    + rule ***
        + action      = "allow"
        + description = "Default rule, higher priority overrides it"
        + preview     = (known after apply)
        + priority    = 2147483647

        + match ***
            + versioned_expr = "SRC_IPS_V1"

            + config ***
                + src_ip_ranges = [
                    + "*",
                  ]
              ***
          ***
      ***

Google Provider Version: 5.9.0

Add support for preconfigured_waf_config block in custom_rules variable. This will help in creating pre configured waf rule described in #65 which cannot be created using pre_configured_rules variable.

custom_rules = {

  "methodenforcement-v33-stable_level_1" = {
    action            = "deny(403)"
    priority          = 6
    description       = "Method enforcement Level 1"
    preview           = true
    expression        = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')"

    preconfigured_waf_config_exclusion = {
      target_rule_set = "methodenforcement-v33-stable"
      target_rule_ids = ["owasp-crs-v030301-id911100-methodenforcement"]
      request_uri = [
        {
          operator = "CONTAINS"
          value    = "/keyword/here/"
        },
      ]
    }
  }

}

enforce_on_key_name is defined for the rules

However it is missing from variables.tf under the definitons for rate_limit_options so it is not applied:

Terraform:

  security_rules = {
    "throttle_api_reqs_xapikey" = {
      action        = "throttle"
      priority      = 15
      description   = "Throttle requests on X-API-KEY header"
      src_ip_ranges = ["*"]
      preview       = false
      rate_limit_options = {
        exceed_action                        = local.exceed_action
        rate_limit_http_request_count        = local.rate_limit_http_request_count
        rate_limit_http_request_interval_sec = local.rate_limit_http_request_interval_sec
        enforce_on_key                       = "HTTP_HEADER"
        enforce_on_key_name                  = "X-API-KEY"
      }
    }
}

Output of terraform plan

rule {
          + action      = "throttle"
          + description = "Throttle requests on X-API-KEY header"
          + preview     = false
          + priority    = 15

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "*",
                    ]
                }
            }

          + rate_limit_options {
              + conform_action = "allow"
              + enforce_on_key = "HTTP_HEADER"
              + exceed_action  = "deny(429)"

              + rate_limit_threshold {
                  + count        = 500
                  + interval_sec = 60
                }
            }
        }

Adding this to the variables block is working when cloned locally. Happy to raise a PR for this if needed.

Does the Cloud Armor Terraform module support the threat intelligence exclusion list specified at the bottom of the TI Google documentation? I don't see a field for the exclusion list in the module.

https://cloud.google.com/armor/docs/threat-intelligence

evaluateThreatIntelligence('iplist-known-malicious-ips', ['ADDRESS'])

Hello,

my name is Carine . I am fairly new to GCP. I have tasks at work to configure WAF rule policy and attach to our backend service. I just need help on doing this. I have created the rule but I have no clue how to attach it to the backend Load Balancer

Hi Team,

We are calling terraform-google-cloud-armor module and resource "google_compute_security_policy", but there are no resource labels available in this resource. We also enforced hard-mandatory sentinel policies which check resource labels are attached to each and every resource.

main.tf

module "security_policy_default" {
  source                               = "git::https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor.git?ref=v2.0.1"
  project_id                           = "project-1"
  name                                 = "sample-default-policy"
  description                          = "Test Cloud Armor security policy with preconfigured rules, security rules and custom rules"
  default_rule_action                  = "deny(403)"
  type                                 = "CLOUD_ARMOR"
  layer_7_ddos_defense_rule_visibility = "STANDARD"
  json_parsing                         = "STANDARD"
}

I would like to
Report that we are experiencing Unsupported Argument errors with the newly released 1.2.0 version, the exact error string is in the below code block.

In order to
Ensure the provider works as intended

Other Information:
Module version: 1.2.0
Provider version: v4.73.2

Cannot find this argument in the provider either: https://github.com/hashicorp/terraform-provider-google/blob/main/google/services/compute/resource_compute_security_policy.go

Error Message:

╷
│ Error: Unsupported argument
│
│   on .terraform/modules/cloud-armor/main.tf line 84, in resource "google_compute_security_policy" "policy":
│   84:       user_ip_request_headers = var.user_ip_request_headers
│
│ An argument named "user_ip_request_headers" is not expected here.
╵

Is it possible to get the self_link reference added as an output?

output "self_link" {
  description = "The URI of the created resource"
  value       = google_compute_security_policy.policy.self_link
}

What I'm expecting to happened - Delete a specific rule from the rules in the policy, similar to how we can add/remove from the UI.

What happens - seems like terraform tries to delete and recreate the whole policy and fails.

After removing security_rules section, we're getting the following error when applying the changes:
Error: Error waiting for Deleting SecurityPolicy: The security_policy resource '...' is already being used by '...'

This means we need to remove the policy from being used by other resources each time we change a specific rules.

I am trying to create google_compute_security_policy. But terraform apply is not successful with the below error.
google_compute_security_policy.policy: Creating...
╷
│ Error: Error creating SecurityPolicy: unexpected EOF
│
│ with google_compute_security_policy.policy,
│ on main.tf line 47, in resource "google_compute_security_policy" "policy":
│ 47: resource "google_compute_security_policy" "policy" {

This is my configuration:-

####################--main.tf--##############################
locals {

find all the preconfigured rule with no include or exclude expression
pre_configured_rules_no_cond_expr = { for name, policy in var.pre_configured_rules : name => {
expression = "evaluatePreconfiguredWaf('${policy["target_rule_set"]}', {'sensitivity': ${policy["sensitivity_level"]}})"
} if length(policy["include_target_rule_ids"]) == 0 && length(policy["exclude_target_rule_ids"]) == 0
}

find all the preconfigured rule with include (Opt In rules) expression
pre_configured_rules_include = { for name, policy in var.pre_configured_rules : name => {
target_rule_set = policy.target_rule_set
include_target_rule_ids = replace(join(",", policy.include_target_rule_ids), ",", "','")
sensitivity_level = policy.sensitivity_level
action = policy.action
priority = 0
description = policy.description
preview = policy.preview
redirect_type = policy.redirect_type
rate_limit_options = policy.rate_limit_options
} if length(policy["include_target_rule_ids"]) > 0
}

pre_configured_rules_include_expr = { for name, policy in local.pre_configured_rules_include : name => {
expression = "evaluatePreconfiguredWaf('${policy["target_rule_set"]}', {'sensitivity': 0, 'opt_in_rule_ids': ['${policy.include_target_rule_ids}']})"
}
}

find all the preconfigured rule with Exclude (Opt out rules) expression
pre_configured_rules_exclude = { for name, policy in var.pre_configured_rules : name => {
target_rule_set = policy.target_rule_set
exclude_target_rule_ids = replace(join(",", policy.exclude_target_rule_ids), ",", "','")
sensitivity_level = policy.sensitivity_level
action = policy.action
priority = policy.priority
description = policy.description
preview = policy.preview
redirect_type = policy.redirect_type
rate_limit_options = policy.rate_limit_options
} if length(policy["include_target_rule_ids"]) == 0 && length(policy["exclude_target_rule_ids"]) > 0
}
pre_configured_rules_exclude_expr = { for name, policy in local.pre_configured_rules_exclude : name => {
expression = "evaluatePreconfiguredWaf('${policy["target_rule_set"]}', {'sensitivity':
{policy.exclude_target_rule_ids}']})"
}
}

Combine all the preconfigured rules
pre_configured_rules_expr = merge(local.pre_configured_rules_no_cond_expr, local.pre_configured_rules_include_expr, local.pre_configured_rules_exclude_expr)
}
resource "google_compute_security_policy" "policy" {
name = "my-policy"
project = "######"

dynamic "rule" {
for_each = var.security_rules
content {
action = rule.value["action"]
priority = rule.value["priority"]
preview = rule.value["preview"]
description = rule.value["description"]
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = rule.value["src_ip_ranges"]
}
}

}
}

Preconfigured Rules Sensitivity level
dynamic "rule" {
for_each = var.pre_configured_rules
content {
action = rule.value["action"]
priority = rule.value["priority"]
preview = rule.value["preview"]
description = rule.value["description"]

match {
expr {
expression = local.pre_configured_rules_expr[rule.key].expression
}
}

Redirect option

dynamic "redirect_options" {
for_each = rule.value["action"] == "redirect" ? ["redirect"] : []
content {
type = rule.value["redirect_type"]
target = rule.value["redirect_type"] == "EXTERNAL_302" ? rule.value["redirect_target"] : null
}
}
}
}

}

###################----variables.tf-----###############################

rule 1 =
action: "allow" or "deny"
preview : boolean
priority : ""
source_ip_range: list
description : "text"
variable "rules" {
description = "list of values to assign to rules"
type = list(object({
action = string
preview = string
priority = number
versioned_expr = string
src_ip_ranges = list
expression = string
description = string
}))
}
variable "project" {
type = string
description = "Project name where policy is getting created"
default = ""
}

variable "name" {
type = string
description = "Name of the policy"
default = ""
}
variable "security_rules" {
description = "Map of Security rules with list of IP addresses to block or unblock"
type = map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
src_ip_ranges = list(string)
}))
default = {}
}
variable "pre_configured_rules" {
description = "Map of pre-configured rules Sensitivity levels"
type = map(object({
action = string
priority = number
description = optional(string)
preview = optional(bool, false)
redirect_type = optional(string, null)
redirect_target = optional(string, null)
target_rule_set = string
sensitivity_level = optional(number, 4)
include_target_rule_ids = optional(list(string), [])
exclude_target_rule_ids = optional(list(string), [])
rate_limit_options = optional(object({
enforce_on_key = optional(string)
exceed_action = optional(string)
rate_limit_http_request_count = optional(number)
rate_limit_http_request_interval_sec = optional(number)
ban_duration_sec = optional(number)
ban_http_request_count = optional(number)
ban_http_request_interval_sec = optional(number)
}),
{})
}))
default = {}
}
#########################---terraform.tfvars---###########################
project = ""
name = ""
pre_configured_rules = {

"php-stable_level_1_with_include" = {
action = "deny(502)"
priority = 3
description = "PHP Sensitivity Level 1 with included rules"
target_rule_set = "xss-v33-stable"
sensitivity_level = 0
include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"]
}

"rfi_sensitivity_level_4" = {
action = "redirect"
priority = 4
description = "Remote file inclusion 4"
preview = true
redirect_type = "GOOGLE_RECAPTCHA"
target_rule_set = "rfi-v33-stable"
sensitivity_level = 4
}
"sqli_sensitivity_level_4" = {
action = "deny(502)"
priority = 1
target_rule_set = "sqli-v33-stable"
}

"xss-stable_level_2_with_exclude" = {
action = "deny(502)"
priority = 2
description = "XSS Sensitivity Level 2 with excluded rules"
preview = true
target_rule_set = "xss-v33-stable"
sensitivity_level = 2
exclude_target_rule_ids = ["owasp-crs-v030301-id941380-xss", "owasp-crs-v030301-id941280-xss"]
}

"php-stable_level_0_with_include" = {
action = "deny(502)"
priority = 14
description = "PHP Sensitivity Level 0 with included rules"
target_rule_set = "php-v33-stable"
include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"]
}
}
security_rules = {
"default_rule" = {
action = "allow"
priority = 2147483647
description = "Default rule"
src_ip_ranges = ["*"]
}
"rule_deny_1" = {
action = "deny(502)"
priority = 10
description = "Deny Malicious IP address from project bad_actor"
src_ip_ranges = ["190.217.68.211", "45.116.227.68", "103.43.141.122", "123.11.215.36", ]
preview = false
}

"rule_allow_1" = {
action = "allow"
priority = 15
description = "Throttle IP addresses from project bad_actor4"
src_ip_ranges = ["190.217.68.214", "45.116.227.71", ]
preview = true
}

"rule_allow_2" = {
action = "allow"
priority = 100
description = "Throttle IP addresses from project bad_actor4"
src_ip_ranges = ["190.217.0.0/24", "45.116.0.0/24", ]
preview = true
}

"rule_allow_3" = {
action = "allow"
priority = 16
description = "Throttle IP addresses from project bad_actor4"
src_ip_ranges = ["190.215.68.214", "45.116.221.71", ]
preview = true
}

"rule_allow_4" = {
action = "allow"
priority = 101
description = "Throttle IP addresses from project bad_actor4"
src_ip_ranges = ["190.216.0.0/24", "45.116.1.0/24", ]
preview = true
}

}

One of the requirements for enabling advanced DDoS protection is to use the security policy type CLOUD_ARMOR_NETWORK.

When I try to use that type, though, I get the following error from the Google provider, whether I use google or google-beta:

-Error: expected type to be one of [CLOUD_ARMOR CLOUD_ARMOR_EDGE CLOUD_ARMOR_INTERNAL_SERVICE], got CLOUD_ARMOR_NETWORK

  on waf_enforced_security_policy.tf line 3, in resource "google_compute_security_policy" "policy-waf-enforced":
   3:   type = "CLOUD_ARMOR_NETWORK"

Error: Invalid type specification
│
│ on variables.tf line 45, in variable "pre_configured_rules":
│ 45: preview = optional(bool, false)
│
│ Optional attribute modifier expects only one argument: the attribute type.

While adding new or changing below rule, my entire policy is getting recreated instead of in-place update. This is only happening while using enforce_on_key_configs.

throttle_501 = {
action = "throttle"
priority = 502
description = "test-description"
expression = <<-EOT
(request.path.startsWith('/test/')) && (has(request.headers['x-api-key']) && request.headers['x-api-key'] != "") && !(request.path.contains('/test/123/'))
EOT
rate_limit_options = {
exceed_action = "deny(429)"
rate_limit_http_request_count = 1000
rate_limit_http_request_interval_sec = 60
enforce_on_key = ""
enforce_on_key_configs = [
{
enforce_on_key_type = "HTTP_HEADER"
enforce_on_key_name = "x-api-key"
}
]
}
}

This preconfig waf rule is being trigger whenever there's certain keywords in the URI. We have try the following to exclude the alert from being trigger using the preconfig waf exclusion parameter:

"methodenforcement-v33-stable_level_1" = {
      action            = "deny(403)"
      preview           = true
      priority          = 6
      description       = "Method enforcement Level 1"
      target_rule_set   = "methodenforcement-v33-stable"
      sensitivity_level = 1
      preconfigured_waf_config_exclusion = {
        target_rule_set = "methodenforcement-v33-stable"
        target_rule_ids = ["owasp-crs-v030301-id911100-methodenforcement"]
        request_uri = [
          {
            operator = "CONTAINS"
            value    = "/keyword/here/"
          },
        ]
      }

Whenever its not working and after talking to Google support rep, they suggest we try something like this

evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) && !request.path.matches('/keyword/here/')

But from the current module, it doesnt look like we can pass in path matches etc?

When setting the adaptive_protection_auto_deploy block, certain settings are not being processed by the module.

For a policy like this:

module "security_policy" {
  source = "GoogleCloudPlatform/cloud-armor/google"
  version = "~> 2.0"
  ...
  layer_7_ddos_defense_enable  = true
  ...
  adaptive_protection_auto_deploy = {
    enable   = true
    priority = 3000
    action   = "deny(403)"
    description                 = "Automatically deploy Adaptive Protection suggested rules"
    preview                     = false
    load_threshold              = 0.8
    confidence_threshold        = 0.5
    impacted_baseline_threshold = 0.01
    expiration_sec              = 3600
  }
}

The fields load_threshold, confidence_threshold, impacted_baseline_threshold & expiration_sec are simply not being processed by the module. I had a look at the source code and can't find a reference for those fields.

They are declared in the variables properly, just not used as far as I can tell.

Can you please add an example to show how we can use Threat Intelligence feeds using Terraform?
For example, an equivalent of "evaluateThreatIntelligence('iplist-known-malicious-ips')" @imrannayer

Add Recaptcha recaptcha_options_config.redirect_site_key option to cloud armor module.

resource "google_compute_security_policy" "policy" {
  name        = "my-policy"
  description = "basic security policy"
  type        = "CLOUD_ARMOR"

  recaptcha_options_config {
    redirect_site_key = google_recaptcha_enterprise_key.primary.name
  }
}

Cloud Armor allows GraphQL parsing via the JSON parsing field -

but STANDARD_WITH_GRAPHQL doesn't seem to be an option via TF

Confirmed as STANDARD_WITH_GRAPHQL not working when in the json_parsing parameter in terraform deployment

Thank you for making this module available. I am using it successfully to set the d armor policy. However, I can't figure out how to apply the policy to a specific target backend using terraform..

Hello,

I got this error:

│ Error: Operation failed
│ 
│   on .terraform/modules/cloud-armor/main.tf line 458, in resource "google_compute_security_policy" "policy":
│  458:     for_each = var.layer_7_ddos_defense_enable && var.type != "CLOUD_ARMOR_EDGE" ? ["adaptive_protection_config"] : []
│     ├────────────────
│     │ var.layer_7_ddos_defense_enable is null
│     │ var.type is "CLOUD_ARMOR_EDGE"
│ 
│ Error during operation: argument must not be null.

With these variables:

        name        = "second-test"
        type        = "CLOUD_ARMOR_EDGE"

        default_rule_action = "allow"

        layer_7_ddos_defense_enable = null
        recaptcha_redirect_site_key = null

        pre_configured_rules = {}
        security_rules = {}
        threat_intelligence_rules = {}
        custom_rules = {}

The layer_7_ddos_defense_enable variable is marked as optional AND unsuported for CLOUD_ARMOR_EDGE type in the documentation, but does not appear to be actually so.
Same problem with type CLOUD_ARMOR.

Regards,

Hi,

WE have encountered a problem when updating/.modifying the preconfigured_waf_config_exclusions in our Cloud Armor configurations.

We have already deployed the new module updates as per new enhancement request raised by @Nathan01110011. Recently, We are facing an issue when updating Cloud armor exclusions configuration via IaC.

When we are trying to update ad rule_ids, request_query_param or request_cookie, Terraform does not identify the updates in the rules and when terraform perform tf plan, it says

No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

This is a weird behaviour we have seen. it does show custom rules and other rules but anything gets modified within preconfigured_waf_config_exclusions doesnt get picked by tf plan.

Could anyone please share some thoughts here?

Hi,
Is there a plan to add preconfigured_waf_config block to the module?

Still happening with latest version 2.0.1.

How to reproduce the error:

      - rule {
          - action      = "rate_based_ban" -> null
          - description = "rate-limit/ban test" -> null
          - preview     = false -> null
          - priority    = 40008 -> null

          - match {
              - expr {
                  - expression = <<-EOT
                        request.path.matches('(?i)^/some-path/')
                    EOT -> null
                }
            }

          - rate_limit_options {
              - ban_duration_sec = 600 -> null
              - conform_action   = "allow" -> null
              - exceed_action    = "deny(403)" -> null

              - ban_threshold {
                  - count        = 100 -> null
                  - interval_sec = 600 -> null
                }

              - enforce_on_key_configs {
                  - enforce_on_key_type = "IP" -> null
                }

              - rate_limit_threshold {
                  - count        = 50 -> null
                  - interval_sec = 600 -> null
                }
            }
        }
      + rule {
          + action      = "deny(403)"
          + description = "Deny test"
          + preview     = false
          + priority    = 40008

          + match {
              + expr {
                  + expression = <<-EOT
                        request.path.matches('(?i)^//[^/]+/\\.\\.;/css')
                    EOT
                }
            }
        }
...
│ Error: Error updating SecurityPolicy "public": googleapi: Error 400: Invalid value for field 'resource.rateLimitOptions': ''. Rate limit options must be specified if the action is 'fairshare', 'rate_based_ban' or 'throttle'. It cannot be specified for any other actions, invalid
│
│   with module.security_policies["gumtree-au-prod"].google_compute_security_policy.policy,
│   on .terraform/modules/security_policies/main.tf line 64, in resource "google_compute_security_policy" "policy":
│   64: resource "google_compute_security_policy" "policy" {
│

Note the new rule (deny) replacing the old rule (rate based ban) with the same priority.