I am trying to create a google_compute_security_policy, but terraform apply fails with the error below.
google_compute_security_policy.policy: Creating...
╷
│ Error: Error creating SecurityPolicy: unexpected EOF
│
│ with google_compute_security_policy.policy,
│ on main.tf line 47, in resource "google_compute_security_policy" "policy":
│ 47: resource "google_compute_security_policy" "policy" {
This is my configuration:
####################--main.tf--##############################
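locals {
  # Preconfigured WAF rules with neither opt-in nor opt-out rule ids: the whole
  # rule set is evaluated at the rule's sensitivity level.
  pre_configured_rules_no_cond_expr = { for name, policy in var.pre_configured_rules : name => {
    expression = "evaluatePreconfiguredWaf('${policy["target_rule_set"]}', {'sensitivity': ${policy["sensitivity_level"]}})"
  } if length(policy["include_target_rule_ids"]) == 0 && length(policy["exclude_target_rule_ids"]) == 0 }

  # Preconfigured WAF rules with opt-in rule ids. A rule that sets BOTH
  # include_target_rule_ids and exclude_target_rule_ids lands here (the filter
  # only looks at the include list), so its exclude list is silently ignored.
  pre_configured_rules_include = { for name, policy in var.pre_configured_rules : name => {
    target_rule_set = policy.target_rule_set
    # ["a", "b"] -> "a','b"; the outer quotes are supplied by the expression template.
    include_target_rule_ids = join("','", policy.include_target_rule_ids)
    sensitivity_level       = policy.sensitivity_level
    action                  = policy.action
    # NOTE(review): the opt-out map below carries policy.priority here. Neither
    # value is read by the resource, which takes priority from var.pre_configured_rules.
    priority           = 0
    description        = policy.description
    preview            = policy.preview
    redirect_type      = policy.redirect_type
    rate_limit_options = policy.rate_limit_options
  } if length(policy["include_target_rule_ids"]) > 0 }

  # Opt-in form. Sensitivity is hard-coded to 0 here; the rule's own
  # sensitivity_level is not used for opt-in rules.
  pre_configured_rules_include_expr = { for name, policy in local.pre_configured_rules_include : name => {
    expression = "evaluatePreconfiguredWaf('${policy["target_rule_set"]}', {'sensitivity': 0, 'opt_in_rule_ids': ['${policy.include_target_rule_ids}']})"
  } }

  # Preconfigured WAF rules with opt-out rule ids only.
  pre_configured_rules_exclude = { for name, policy in var.pre_configured_rules : name => {
    target_rule_set         = policy.target_rule_set
    exclude_target_rule_ids = join("','", policy.exclude_target_rule_ids)
    sensitivity_level       = policy.sensitivity_level
    action                  = policy.action
    priority                = policy.priority
    description             = policy.description
    preview                 = policy.preview
    redirect_type           = policy.redirect_type
    rate_limit_options      = policy.rate_limit_options
  } if length(policy["include_target_rule_ids"]) == 0 && length(policy["exclude_target_rule_ids"]) > 0 }

  # Opt-out form.
  # NOTE(review): this expression was truncated in the posted listing; it is
  # rebuilt to mirror the opt-in form above using the opt_out_rule_ids key.
  # Confirm against the original file.
  pre_configured_rules_exclude_expr = { for name, policy in local.pre_configured_rules_exclude : name => {
    expression = "evaluatePreconfiguredWaf('${policy["target_rule_set"]}', {'sensitivity': ${policy["sensitivity_level"]}, 'opt_out_rule_ids': ['${policy.exclude_target_rule_ids}']})"
  } }

  # The three filters above partition var.pre_configured_rules, so every rule
  # key appears in exactly one map and the resource can index this merge by key.
  # target_rule_set and the rule ids are spliced into the CEL string unescaped;
  # a quote or brace in any of them would change the expression, so keep them
  # restricted by validation on the variable.
  pre_configured_rules_expr = merge(
    local.pre_configured_rules_no_cond_expr,
    local.pre_configured_rules_include_expr,
    local.pre_configured_rules_exclude_expr,
  )
}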
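# Cloud Armor policy built from two rule maps: plain source-IP rules and
# preconfigured WAF rules whose CEL expression is assembled in locals.
# NOTE(review): "unexpected EOF" is reported by the provider's HTTP client when
# the connection closes before a full response, not by API-side validation, so
# the diagnostic does not name the offending rule. Re-running with
# TF_LOG=DEBUG shows the request body that was sent.
resource "google_compute_security_policy" "policy" {
  # NOTE(review): var.name and var.project are declared in variables.tf but not
  # used here; "######" is the redacted project id from the listing.
  name    = "my-policy"
  project = "######"

  # Source-IP allow/deny rules. SRC_IPS_V1 matches on the client address only.
  dynamic "rule" {
    for_each = var.security_rules
    content {
      action      = rule.value["action"]
      priority    = rule.value["priority"]
      preview     = rule.value["preview"]
      description = rule.value["description"]
      match {
        versioned_expr = "SRC_IPS_V1"
        config {
          src_ip_ranges = rule.value["src_ip_ranges"]
        }
      }
    }
  }

  # Preconfigured WAF rules at the configured sensitivity level.
  dynamic "rule" {
    for_each = var.pre_configured_rules
    content {
      action      = rule.value["action"]
      priority    = rule.value["priority"]
      preview     = rule.value["preview"]
      description = rule.value["description"]
      match {
        expr {
          expression = local.pre_configured_rules_expr[rule.key].expression
        }
      }

      # Redirect option: only emitted for action == "redirect". A target is only
      # passed for EXTERNAL_302; any other redirect_type gets target = null.
      dynamic "redirect_options" {
        for_each = rule.value["action"] == "redirect" ? ["redirect"] : []
        content {
          type   = rule.value["redirect_type"]
          target = rule.value["redirect_type"] == "EXTERNAL_302" ? rule.value["redirect_target"] : null
        }
      }
      # NOTE(review): rate_limit_options from var.pre_configured_rules is not
      # emitted here, so those settings currently have no effect on the policy.
    }
  }

  lifecycle {
    # Priorities must be unique across BOTH rule maps; a collision is otherwise
    # only reported by the API after the plan has been accepted.
    precondition {
      condition = length(distinct(concat(
        [for r in var.security_rules : r.priority],
        [for r in var.pre_configured_rules : r.priority],
      ))) == length(var.security_rules) + length(var.pre_configured_rules)
      error_message = "Rule priorities must be unique across security_rules and pre_configured_rules."
    }
  }
}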
###################----variables.tf-----###############################
rule 1 =
action: "allow" or "deny"
preview : boolean
priority : ""
source_ip_range: list
description : "text"
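# NOTE(review): not referenced by main.tf in this listing (the resource reads
# var.security_rules and var.pre_configured_rules). It has no default, so a
# value must still be supplied or terraform will prompt for one.
variable "rules" {
  description = "list of values to assign to rules"
  type = list(object({
    action         = string
    preview        = string
    priority       = number
    versioned_expr = string
    # Was a bare `list` (legacy shorthand with no element type); the ranges are
    # strings everywhere else in this configuration.
    src_ip_ranges = list(string)
    expression    = string
    description   = string
  }))
}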
# Target project for the policy. Empty by default; set it in tfvars.
variable "project" {
  description = "Project name where policy is getting created"
  default     = ""
  type        = string
}
# Policy name. Empty by default; set it in tfvars.
variable "name" {
  description = "Name of the policy"
  default     = ""
  type        = string
}
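# Source-IP rules keyed by a free-form rule name. Lower priority numbers are
# evaluated first.
variable "security_rules" {
  description = "Map of Security rules with list of IP addresses to block or unblock"
  type = map(object({
    action        = string
    priority      = number
    description   = optional(string)
    preview       = optional(bool, false)
    src_ip_ranges = list(string)
  }))
  default = {}

  # Priority is a 32-bit integer on the API; 2147483647 is the lowest precedence
  # and is what the catch-all rule in tfvars uses.
  validation {
    condition     = alltrue([for r in var.security_rules : r.priority >= 0 && r.priority <= 2147483647])
    error_message = "Rule priority must be between 0 and 2147483647."
  }
}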
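# Preconfigured WAF rules keyed by a free-form rule name. The CEL expression is
# built in locals from target_rule_set, sensitivity_level and the opt-in /
# opt-out rule id lists.
variable "pre_configured_rules" {
  description = "Map of pre-configured rules Sensitivity levels"
  type = map(object({
    action                  = string
    priority                = number
    description             = optional(string)
    preview                 = optional(bool, false)
    redirect_type           = optional(string, null)
    redirect_target         = optional(string, null)
    target_rule_set         = string
    sensitivity_level       = optional(number, 4)
    include_target_rule_ids = optional(list(string), [])
    exclude_target_rule_ids = optional(list(string), [])
    # NOTE(review): copied into locals but never emitted by the resource in
    # main.tf, so these settings currently have no effect.
    rate_limit_options = optional(object({
      enforce_on_key                       = optional(string)
      exceed_action                        = optional(string)
      rate_limit_http_request_count        = optional(number)
      rate_limit_http_request_interval_sec = optional(number)
      ban_duration_sec                     = optional(number)
      ban_http_request_count               = optional(number)
      ban_http_request_interval_sec        = optional(number)
    }), {})
  }))
  default = {}

  # These values are spliced between single quotes into a CEL string in locals
  # without escaping; reject anything that could break out of that string.
  validation {
    condition = alltrue([
      for r in var.pre_configured_rules :
      can(regex("^[A-Za-z0-9_.-]+$", r.target_rule_set)) &&
      alltrue([for id in concat(r.include_target_rule_ids, r.exclude_target_rule_ids) : can(regex("^[A-Za-z0-9_.-]+$", id))])
    ])
    error_message = "target_rule_set and rule ids may only contain letters, digits, '_', '.' and '-'."
  }

  validation {
    condition     = alltrue([for r in var.pre_configured_rules : r.sensitivity_level >= 0 && r.sensitivity_level <= 4])
    error_message = "The sensitivity_level must be between 0 and 4."
  }

  # main.tf emits redirect_options with type = redirect_type whenever the action
  # is "redirect", so a null redirect_type would reach the API.
  validation {
    condition     = alltrue([for r in var.pre_configured_rules : r.action != "redirect" || r.redirect_type != null])
    error_message = "Rules with action = \"redirect\" must set redirect_type."
  }
}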
#########################---terraform.tfvars---###########################
# Both values were redacted in the original post; the variables default to "".
project = ""
name    = ""

# Preconfigured WAF rules, listed in evaluation order (lowest priority number first).
pre_configured_rules = {
  "sqli_sensitivity_level_4" = {
    action          = "deny(502)"
    priority        = 1
    target_rule_set = "sqli-v33-stable"
  }
  "xss-stable_level_2_with_exclude" = {
    action                  = "deny(502)"
    priority                = 2
    description             = "XSS Sensitivity Level 2 with excluded rules"
    preview                 = true
    target_rule_set         = "xss-v33-stable"
    sensitivity_level       = 2
    exclude_target_rule_ids = ["owasp-crs-v030301-id941380-xss", "owasp-crs-v030301-id941280-xss"]
  }
  # NOTE(review): the key and the opt-in ids are PHP rules but target_rule_set
  # is the XSS rule set; compare with "php-stable_level_0_with_include" below.
  "php-stable_level_1_with_include" = {
    action                  = "deny(502)"
    priority                = 3
    description             = "PHP Sensitivity Level 1 with included rules"
    target_rule_set         = "xss-v33-stable"
    sensitivity_level       = 0
    include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"]
  }
  # Redirect to reCAPTCHA; GOOGLE_RECAPTCHA needs no redirect_target.
  "rfi_sensitivity_level_4" = {
    action            = "redirect"
    priority          = 4
    description       = "Remote file inclusion 4"
    preview           = true
    redirect_type     = "GOOGLE_RECAPTCHA"
    target_rule_set   = "rfi-v33-stable"
    sensitivity_level = 4
  }
  "php-stable_level_0_with_include" = {
    action                  = "deny(502)"
    priority                = 14
    description             = "PHP Sensitivity Level 0 with included rules"
    target_rule_set         = "php-v33-stable"
    include_target_rule_ids = ["owasp-crs-v030301-id933190-php", "owasp-crs-v030301-id933111-php"]
  }
}

# Source-IP rules, listed in evaluation order. The allow rules at 15/16/100/101
# only see traffic not already matched by the WAF rules above and the deny at 10.
security_rules = {
  "rule_deny_1" = {
    action        = "deny(502)"
    priority      = 10
    description   = "Deny Malicious IP address from project bad_actor"
    src_ip_ranges = ["190.217.68.211", "45.116.227.68", "103.43.141.122", "123.11.215.36"]
    preview       = false
  }
  # NOTE(review): the four rules below are described as "Throttle" but their
  # action is "allow"; confirm which was intended.
  "rule_allow_1" = {
    action        = "allow"
    priority      = 15
    description   = "Throttle IP addresses from project bad_actor4"
    src_ip_ranges = ["190.217.68.214", "45.116.227.71"]
    preview       = true
  }
  "rule_allow_3" = {
    action        = "allow"
    priority      = 16
    description   = "Throttle IP addresses from project bad_actor4"
    src_ip_ranges = ["190.215.68.214", "45.116.221.71"]
    preview       = true
  }
  "rule_allow_2" = {
    action        = "allow"
    priority      = 100
    description   = "Throttle IP addresses from project bad_actor4"
    src_ip_ranges = ["190.217.0.0/24", "45.116.0.0/24"]
    preview       = true
  }
  "rule_allow_4" = {
    action        = "allow"
    priority      = 101
    description   = "Throttle IP addresses from project bad_actor4"
    src_ip_ranges = ["190.216.0.0/24", "45.116.1.0/24"]
    preview       = true
  }
  # Catch-all at the lowest precedence: anything not matched above is allowed,
  # i.e. the policy fails open by design.
  "default_rule" = {
    action        = "allow"
    priority      = 2147483647
    description   = "Default rule"
    src_ip_ranges = ["*"]
  }
}