GoogleCloudPlatform / terraform-google-cloud-armor

Deploy Cloud Armor security policy
https://registry.terraform.io/modules/GoogleCloudPlatform/cloud-armor/google
Apache License 2.0

Exclusions not working as expected #122

Closed siva273 closed 1 month ago

siva273 commented 4 months ago

Hi, I am trying to exclude some paths from being blocked by Cloud Armor, but they are still being blocked.

My config:


module "security_policy" {
  source  = "GoogleCloudPlatform/cloud-armor/google"
  version = "~> 2.2.0"

  project_id                           = var.project_id
  name                                 = "security-policy"
  description                          = "Security Policy"
  default_rule_action                  = "allow"
  type                                 = "CLOUD_ARMOR"
  layer_7_ddos_defense_enable          = false # If set to true, enables Cloud Armor Adaptive Protection for L7 DDoS detection
  layer_7_ddos_defense_rule_visibility = "STANDARD"

  pre_configured_rules = {

    "sqli_sensitivity_level_1" = {
      action                  = "deny(403)"
      priority                = 1
      sensitivity_level       = 1
      preview                 = true
      description             = "SQLI sensitivity level 1 with exclude rules"
      target_rule_set         = "sqli-v33-stable"
      exclude_target_rule_ids = []
      preconfigured_waf_config_exclusions = {
        exclusion_user_task_list = {
          target_rule_set = "sqli-v33-stable"
          target_rule_ids = [
            "owasp-crs-v030301-id942100-sqli",
          ]
          request_uri = [
            {
              operator = "CONTAINS"
              value    = "/api/v1/user_tasks/user_task_list"
            },
          ]
        }
        exclusion_questionnaire_template = {
          target_rule_set = "sqli-v33-stable"
          target_rule_ids = [
            "owasp-crs-v030301-id942190-sqli",
          ]
          request_uri = [
            {
              operator = "CONTAINS"
              value    = "/api/v2/questionnaire/template"
            },
          ]
        }
        exclusion_questionnaire_section = {
          target_rule_set = "sqli-v33-stable"
          target_rule_ids = [
            "owasp-crs-v030301-id942190-sqli",
          ]
          request_uri = [
            {
              operator = "CONTAINS"
              value    = "/api/v2/questionnaire/section/"
            },
          ]
        }
      }
    }
  }
}

All the paths excluded for specific rule IDs are failing and being blocked by the same rule IDs which are supposed to be excluded. Please let me know if I am doing something wrong here.
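As an added example (my own code, not the module's or the reporter's), here is a small Python checker that takes a Cloud Armor policy in the JSON shape that `gcloud compute security-policies describe NAME --format=json` returns, plus a single HTTP(S) load-balancer log entry, and says whether a WAF block should have been silenced by the rule's exclusions. It encodes two things worth checking before reading a config like the one above as broken: a rule with `preview = true` never denies anything (its matches are logged under `previewSecurityPolicy`, not `enforcedSecurityPolicy`), and a `request_uri` exclusion only removes the URI itself from inspection, so the same signature can still fire on a query parameter, header or cookie of a request to that path. Assumptions: the policy dict is my transcription of the issue's rule into Compute API field names (`preconfiguredWafConfig.exclusions`, `requestUrisToExclude`, `op`/`val`); the log-entry field names (`enforcedSecurityPolicy`, `previewSecurityPolicy`, `preconfiguredExprIds`, `matchedFieldType`, `matchedFieldName`) are the ones Cloud Armor writes with verbose logging enabled; the `matchedFieldType` values are assumed; and every log entry is constructed.

```python
"""Added example, not code from the terraform-google-cloud-armor module: given a Cloud Armor
policy in `gcloud compute security-policies describe NAME --format=json` shape and one
load-balancer log entry, decide whether a WAF block should have been silenced by the rule's
preconfigured WAF exclusions. POLICY transcribes the issue's rule 1; log entries are constructed."""
import copy
import re
from urllib.parse import urlparse

def uri_exclusion(sig, path):
    """One exclusion entry: signature `sig` skips inspecting request URIs containing `path`."""
    return {"targetRuleSet": "sqli-v33-stable", "targetRuleIds": [sig],
            "requestUrisToExclude": [{"op": "CONTAINS", "val": path}]}

POLICY = {"name": "security-policy", "rules": [
    {"priority": 1, "action": "deny(403)", "preview": True,  # preview = true, as in the issue
     "match": {"expr": {"expression": "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"}},
     "preconfiguredWafConfig": {"exclusions": [
         uri_exclusion("owasp-crs-v030301-id942100-sqli", "/api/v1/user_tasks/user_task_list"),
         uri_exclusion("owasp-crs-v030301-id942190-sqli", "/api/v2/questionnaire/template"),
         uri_exclusion("owasp-crs-v030301-id942190-sqli", "/api/v2/questionnaire/section/")]}},
    {"priority": 2147483647, "action": "allow", "preview": False,
     "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}]}
ENFORCED_POLICY = copy.deepcopy(POLICY)  # the same policy once preview is switched off
ENFORCED_POLICY["rules"][0]["preview"] = False

# Exclusion list that can silence a match reported in verbose logging's matchedFieldType
# (field type names are assumed). A request-URI exclusion only stops the URI itself being
# inspected; a signature firing on a query parameter, header or cookie needs its own entry.
FIELD_TO_EXCLUSION = {"REQUEST_URI": "requestUrisToExclude",
                      "ARG_NAMES": "requestQueryParamsToExclude",
                      "ARG_VALUES": "requestQueryParamsToExclude",
                      "REQUEST_HEADERS": "requestHeadersToExclude",
                      "REQUEST_COOKIES": "requestCookiesToExclude"}

def op_matches(op, val, subject):
    """Evaluate one exclusion field parameter {op, val} against a request field value."""
    return {"EQUALS": subject == val, "STARTS_WITH": subject.startswith(val),
            "ENDS_WITH": subject.endswith(val), "CONTAINS": val in subject,
            "EQUALS_ANY": True}[op]

def rule_set_of(rule):
    """Rule set named in the rule's evaluatePreconfiguredWaf() expression, or None."""
    m = re.search(r"evaluatePreconfiguredWaf\('([^']+)'", rule["match"].get("expr", {}).get("expression", ""))
    return m.group(1) if m else None

def exclusion_covers(exc, rule_set, sig, field_type, field_name, uri):
    """True if this exclusion entry stops `sig` from inspecting the field that fired."""
    if exc["targetRuleSet"] != rule_set or (exc.get("targetRuleIds") and sig not in exc["targetRuleIds"]):
        return False  # an empty targetRuleIds list means every signature in the rule set
    key = FIELD_TO_EXCLUSION.get(field_type)
    subject = uri if key == "requestUrisToExclude" else (field_name or "")
    return any(op_matches(p["op"], p["val"], subject) for p in exc.get(key, []))

def explain(policy, entry):
    """Return {'enforced', 'excluded', 'reason'} for one HTTP(S) load-balancer log entry."""
    jp = entry["jsonPayload"]
    enforced, preview = jp["enforcedSecurityPolicy"], jp.get("previewSecurityPolicy")
    if enforced["outcome"] != "DENY":
        why = (f"rule {preview['priority']} is in preview and only logged a would-be DENY"
               if preview and preview["outcome"] == "DENY" else "request was not denied")
        return {"enforced": False, "excluded": False, "reason": why}
    rule = next(r for r in policy["rules"] if r["priority"] == enforced["priority"])
    url = urlparse(entry["httpRequest"]["requestUrl"])
    uri = url.path + (f"?{url.query}" if url.query else "")
    ftype, fname = enforced.get("matchedFieldType"), enforced.get("matchedFieldName")
    if ftype is None:  # only the VERBOSE log level records which field the signature matched
        return {"enforced": True, "excluded": False,
                "reason": "no matchedFieldType in the entry: set the policy log level to VERBOSE"}
    exclusions = rule.get("preconfiguredWafConfig", {}).get("exclusions", [])
    sigs = enforced["preconfiguredExprIds"]
    covered = all(any(exclusion_covers(e, rule_set_of(rule), s, ftype, fname, uri) for e in exclusions)
                  for s in sigs)
    why = (f"{sigs} on {ftype} is covered by an exclusion: diff the deployed policy against the plan"
           if covered else
           f"{sigs} fired on {ftype} {fname!r} for {uri}; no exclusion on rule {rule['priority']} covers that field")
    return {"enforced": True, "excluded": covered, "reason": why}

def lb_entry(url, enforced, preview=None):
    """Constructed log entry carrying only the fields explain() reads."""
    jp = {"enforcedSecurityPolicy": enforced, **({"previewSecurityPolicy": preview} if preview else {})}
    return {"httpRequest": {"requestUrl": url}, "jsonPayload": jp}

def hit(sig, ftype, fname=""):
    """Rule-1 match as it appears under enforced/previewSecurityPolicy with verbose logging."""
    return {"name": "security-policy", "priority": 1, "configuredAction": "DENY", "outcome": "DENY",
            "preconfiguredExprIds": [sig], "matchedFieldType": ftype, "matchedFieldName": fname}

DEFAULT_ALLOW = {"name": "security-policy", "priority": 2147483647, "configuredAction": "ALLOW", "outcome": "ACCEPT"}
PATH1, PATH2 = "https://app.example/api/v1/user_tasks/user_task_list?q=x", "https://app.example/api/v2/questionnaire/section/12"
SAMPLE_LOGS = {  # all constructed
    # preview = true as in the issue: rule 1 shows up only under previewSecurityPolicy
    "preview_hit": lb_entry(PATH1, DEFAULT_ALLOW, hit("owasp-crs-v030301-id942100-sqli", "ARG_VALUES", "q")),
    # enforced block: the signature fired on query parameter q, and only the URI is excluded
    "query_param_hit": lb_entry(PATH1, hit("owasp-crs-v030301-id942100-sqli", "ARG_VALUES", "q")),
    # enforced block on the URI itself, for the signature and path the exclusion names
    "uri_hit_excluded": lb_entry(PATH2, hit("owasp-crs-v030301-id942190-sqli", "REQUEST_URI")),
    # enforced block on the URI, but id942100 is not in that path's exclusion
    "uri_hit_other_sig": lb_entry(PATH2, hit("owasp-crs-v030301-id942100-sqli", "REQUEST_URI")),
}
```

`explain(ENFORCED_POLICY, SAMPLE_LOGS["query_param_hit"])` reports the block as legitimate because no `requestQueryParamsToExclude` entry exists for that signature, and `uri_hit_other_sig` is legitimate because id942100 is only excluded on the `/api/v1/...` path; `uri_hit_excluded` is the one case where the deployed policy should be compared against what Terraform planned, since the exclusion ought to have applied. With real data, the policy comes from `gcloud compute security-policies describe` and the entries from the load balancer's request logs.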

imrannayer commented 4 months ago

@siva273 can you please contact support for this issue?

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.