Skip to content

preconfigured_waf_config_exclusion doesn't take any effect #22494

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
hampusrosvall opened this issue Apr 24, 2025 · 0 comments
Open

preconfigured_waf_config_exclusion doesn't take any effect #22494

hampusrosvall opened this issue Apr 24, 2025 · 0 comments
Labels
bug forward/review In review; remove label to forward service/compute-security-policy

Comments

@hampusrosvall
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.11.2
on Apple M4

  • provider registry.terraform.io/hashicorp/google v6.24.0
  • provider registry.terraform.io/hashicorp/google-beta v6.24.0

Affected Resource(s)

google_compute_security_policy

Terraform Configuration

locals {
  request_query_param = [
    { operator = "ENDS_WITH", value = "text" },
    { operator = "EQUALS", value = "payload" },
    { operator = "ENDS_WITH", value = "name" },
    { operator = "EQUALS", value = "input" },
    { operator = "STARTS_WITH", value = "assistant.data" },
  ]
}
module "security_policy_core" {
  source  = "GoogleCloudPlatform/cloud-armor/google"
  version = "5.0.0"

  project_id                           = var.project_id
  default_rule_action                  = "allow"
  type                                 = "CLOUD_ARMOR"
  layer_7_ddos_defense_enable          = true
  layer_7_ddos_defense_rule_visibility = "STANDARD"
  json_parsing                         = "STANDARD"
  log_level                            = "VERBOSE"

  pre_configured_rules = {
    "sqli-injection" = {
      action            = "deny(502)"
      priority          = 100
      description       = "SQL injection"
      target_rule_set   = "sqli-v33-stable"
      sensitivity_level = 1
      exclude_target_rule_ids = [
        "owasp-crs-v030301-id942160-sqli",
        "owasp-crs-v030301-id942360-sqli",
      ]
      preconfigured_waf_config_exclusion = {
        target_rule_set     = "sqli-v33-stable"
        request_query_param = local.request_query_param
      }
    }
}

Debug Output

No response

Expected Behavior

It's expected that the preconfigured_waf_config_exclusion takes effect on the cloud armor security policy rule.

Actual Behavior

Nothing happens, the preconfigured rule is deployed but without the exclusions. I need the exclusions, so I add them manually on the rule which leads to object has changed outside of Terraform diffs on every plan which makes it very hard to see other changes in the same state.

Steps to reproduce

No response

Important Factoids

No response

References

No response
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-security-policy labels Apr 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug forward/review In review; remove label to forward service/compute-security-policy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hampusrosvall