/** * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ variable "project_id" { description = "The project in which the resource belongs." type = string } variable "region" { description = "The region in which security policy is created" type = string } variable "name" { description = "Name of regional security policy. Name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash" type = string default = "adv-network-ddos-protection" } variable "type" { description = "Type indicates the intended use of the security policy. Possible values are CLOUD_ARMOR and CLOUD_ARMOR_EDGE." type = string default = "CLOUD_ARMOR" } variable "description" { description = "An optional description of advanced network ddos protection security policy" type = string default = "CA Advance DDoS protection" } variable "pre_configured_rules" { description = "Map of pre-configured rules with Sensitivity levels" type = map(object({ action = string priority = number description = optional(string) preview = optional(bool, false) target_rule_set = string sensitivity_level = optional(number, 4) include_target_rule_ids = optional(list(string), []) exclude_target_rule_ids = optional(list(string), []) rate_limit_options = optional(object({ enforce_on_key = optional(string) enforce_on_key_name = optional(string) enforce_on_key_configs = optional(list(object({ enforce_on_key_name = optional(string) enforce_on_key_type = optional(string) }))) exceed_action = optional(string) rate_limit_http_request_count = optional(number) rate_limit_http_request_interval_sec = optional(number) ban_duration_sec = optional(number) ban_http_request_count = optional(number) ban_http_request_interval_sec = optional(number) }), {}) preconfigured_waf_config_exclusions = optional(map(object({ target_rule_set = string target_rule_ids = optional(list(string), []) request_header = optional(list(object({ operator = string value = optional(string) }))) request_cookie = optional(list(object({ operator = string value = optional(string) }))) request_uri = optional(list(object({ operator = string value = optional(string) }))) request_query_param = optional(list(object({ operator = string value = optional(string) }))) })), null) })) default = {} } variable "security_rules" { description = "Map of Security rules with list of IP addresses to block or unblock." type = map(object({ action = string priority = number description = optional(string) preview = optional(bool, false) src_ip_ranges = list(string) rate_limit_options = optional(object({ enforce_on_key = optional(string) enforce_on_key_name = optional(string) enforce_on_key_configs = optional(list(object({ enforce_on_key_name = optional(string) enforce_on_key_type = optional(string) }))) exceed_action = optional(string) rate_limit_http_request_count = optional(number) rate_limit_http_request_interval_sec = optional(number) ban_duration_sec = optional(number) ban_http_request_count = optional(number) ban_http_request_interval_sec = optional(number) }), {}) })) default = {} } variable "custom_rules" { description = "Custome security rules" type = map(object({ action = string priority = number description = optional(string) preview = optional(bool, false) expression = string rate_limit_options = optional(object({ enforce_on_key = optional(string) enforce_on_key_name = optional(string) enforce_on_key_configs = optional(list(object({ enforce_on_key_name = optional(string) enforce_on_key_type = optional(string) }))) exceed_action = optional(string) rate_limit_http_request_count = optional(number) rate_limit_http_request_interval_sec = optional(number) ban_duration_sec = optional(number) ban_http_request_count = optional(number) ban_http_request_interval_sec = optional(number) }), {}) preconfigured_waf_config_exclusions = optional(map(object({ target_rule_set = string target_rule_ids = optional(list(string), []) request_header = optional(list(object({ operator = string value = optional(string) }))) request_cookie = optional(list(object({ operator = string value = optional(string) }))) request_uri = optional(list(object({ operator = string value = optional(string) }))) request_query_param = optional(list(object({ operator = string value = optional(string) }))) })), null) })) default = {} } variable "default_rule_action" { description = "default rule that allows/denies all traffic with the lowest priority (2,147,483,647)." type = string default = "allow" }