google_compute_security_policy

A Security Policy defines an IP blacklist or whitelist that protects load-balanced Google Cloud services by denying or permitting traffic from specified IP ranges. For more information, see the official documentation and the API.

Security Policy is used by google_compute_backend_service.

Example Usage

resource "google_compute_security_policy" "policy" {
  name = "my-policy"

  rule {
    action   = "deny(403)"
    priority = "1000"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["9.9.9.0/24"]
      }
    }
    description = "Deny access to IPs in 9.9.9.0/24"
  }

  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }
}
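To make the priority and match semantics of the two rules above concrete, here is an added Python model (not part of the provider or these docs) that evaluates a client address against the same policy. It assumes the lowest-numbered priority is evaluated first, that a catch-all default rule at priority 2147483647 is required, and it treats priorities as integers where the HCL above quotes them as strings.

```python
import ipaddress
from dataclasses import dataclass

# Cloud Armor reserves this priority for the policy's catch-all default rule.
DEFAULT_PRIORITY = 2147483647


@dataclass
class Rule:
    priority: int            # HCL quotes these as strings; modelled as int here
    action: str              # e.g. "allow" or "deny(403)"
    src_ip_ranges: list      # SRC_IPS_V1 config: CIDR strings, or "*" for any source
    description: str = ""

    def matches(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        for rng in self.src_ip_ranges:
            if rng == "*" or ip in ipaddress.ip_network(rng, strict=False):
                return True
        return False


def validate(rules):
    """Reject what the API rejects: duplicate priorities or no default rule."""
    prios = [r.priority for r in rules]
    if len(prios) != len(set(prios)):
        raise ValueError("rule priorities must be unique within a policy")
    if not any(r.priority == DEFAULT_PRIORITY and r.src_ip_ranges == ["*"]
               for r in rules):
        raise ValueError("policy needs a default rule matching '*' at 2147483647")


def evaluate(rules, client_ip):
    """Lowest priority number is evaluated first; the first match decides."""
    validate(rules)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(client_ip):
            return rule.action, rule.description
    raise AssertionError("unreachable: the default rule matches every source")


# Constructed to mirror the two rules in the example policy above.
POLICY = [
    Rule(1000, "deny(403)", ["9.9.9.0/24"], "Deny access to IPs in 9.9.9.0/24"),
    Rule(DEFAULT_PRIORITY, "allow", ["*"], "default rule"),
]

if __name__ == "__main__":
    for ip in ("9.9.9.42", "8.8.8.8"):
        print(ip, "->", evaluate(POLICY, ip))
```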

Example Usage - With reCAPTCHA configuration options

resource "google_recaptcha_enterprise_key" "primary" {
  display_name = "display-name"

  labels = {
    label-one = "value-one"
  }

  project = "my-project-name"

  web_settings {
    integration_type  = "INVISIBLE"
    allow_all_domains = true
    allowed_domains   = ["localhost"]
  }
}

resource "google_compute_security_policy" "policy" {
  name        = "my-policy"
  description = "basic security policy"
  type        = "CLOUD_ARMOR"

  recaptcha_options_config {
    redirect_site_key = google_recaptcha_enterprise_key.primary.name
  }
}

Example Usage - With header actions

resource "google_compute_security_policy" "policy" {
  name = "my-policy"

  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }

  rule {
    action   = "allow"
    priority = "1000"
    match {
      expr {
        expression = "request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2"
      }
    }

    header_action {
      request_headers_to_adds {
        header_name  = "reCAPTCHA-Warning"
        header_value = "high"
      }

      request_headers_to_adds {
        header_name  = "X-Resource"
        header_value = "test"
      }
    }
  }
}

Example Usage - With enforceOnKey value as empty string

An example that avoids any conflict between enforce_on_key and enforce_on_key_configs, because enforce_on_key is set to an empty string:

resource "google_compute_security_policy" "policy" {
  name        = "my-policy"
  description = "throttle rule with enforce_on_key_configs"

  rule {
    action   = "throttle"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"

    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "redirect"

      # Empty enforce_on_key leaves the key choice to enforce_on_key_configs
      enforce_on_key = ""

      enforce_on_key_configs {
        enforce_on_key_type = "IP"
      }
      exceed_redirect_options {
        type   = "EXTERNAL_302"
        target = "https://www.example.com"
      }

      rate_limit_threshold {
        count        = 10
        interval_sec = 60
      }
    }
  }
}
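As an added illustration (not the provider's code), the following Python models how the throttle rule above behaves per client IP: the 11th request from one address within 60 seconds receives the redirect exceed_action, while other addresses and later requests get the conform_action. The sliding-window counting is an assumption of this example, not a statement of Cloud Armor's internal accounting.

```python
from collections import defaultdict, deque

# Constructed model of the throttle rule above: rate_limit_threshold count=10 per
# interval_sec=60, keyed by client IP (enforce_on_key_configs type "IP").
# Sliding-window semantics are an assumption of this example.


class ThrottleRule:
    def __init__(self, count, interval_sec, conform_action="allow",
                 exceed_action="redirect", redirect_target=None):
        self.count = count
        self.interval_sec = interval_sec
        self.conform_action = conform_action
        self.exceed_action = exceed_action
        self.redirect_target = redirect_target   # exceed_redirect_options.target
        self.history = defaultdict(deque)        # key -> timestamps of counted requests

    @staticmethod
    def key_for(request):
        # enforce_on_key_type = "IP": the source address is the counting key.
        return request["src_ip"]

    def handle(self, request, now):
        """Return (action, redirect_target) for one request arriving at `now`."""
        window = self.history[self.key_for(request)]
        while window and now - window[0] >= self.interval_sec:
            window.popleft()                     # drop requests older than the interval
        if len(window) >= self.count:
            return self.exceed_action, self.redirect_target
        window.append(now)
        return self.conform_action, None


def simulate(rule, events):
    """events: iterable of (timestamp_sec, src_ip); returns one decision per event."""
    return [rule.handle({"src_ip": ip}, t) for t, ip in events]


def run_demo():
    rule = ThrottleRule(count=10, interval_sec=60,
                        redirect_target="https://www.example.com")
    # 11 requests from one client inside a minute, one from another client,
    # then the first client again after the window has slid past.
    events = [(t, "203.0.113.5") for t in range(11)]
    events += [(11, "198.51.100.7"), (70, "203.0.113.5")]
    return simulate(rule, events)


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```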

Argument Reference

The following arguments are supported:

The advanced_options_config block supports:

The json_custom_config block supports:

The rule block supports:

The match block supports:

The config block supports:

The expr block supports:

The preconfigured_waf_config block supports:

The exclusion block supports:

The request_header, request_cookie, request_uri and request_query_param blocks support:

The rate_limit_options block supports:

The enforce_on_key_configs block supports:

The {ban/rate_limit}_threshold block supports:

The redirect_options block supports:

The header_action block supports:

The request_headers_to_adds block supports:

The adaptive_protection_config block supports:

The layer_7_ddos_defense_config block supports:

The auto_deploy_config block supports:

The recaptcha_options_config block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Import

Security policies can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import security policies using one of the formats above. For example:

import {
  id = "projects/{{project}}/global/securityPolicies/{{name}}"
  to = google_compute_security_policy.default
}

When using the terraform import command, security policies can be imported using one of the formats above. For example:

$ terraform import google_compute_security_policy.default projects/{{project}}/global/securityPolicies/{{name}}
$ terraform import google_compute_security_policy.default {{project}}/{{name}}
$ terraform import google_compute_security_policy.default {{name}}