pulumi / pulumi-gcp

A Google Cloud Platform (GCP) Pulumi resource package, providing multi-language access to GCP
Apache License 2.0

Error 400: Invalid value for field 'resource.rateLimitOptions' #1432

Open ringods opened 8 months ago

ringods commented 8 months ago

What happened?

Customer updated Cloud Armor rules but bumped into this error:

Error 400: Invalid value for field 'resource.rateLimitOptions': ''. Rate limit options must be specified if the action is 'fairshare', 'rate_based_ban' or 'throttle'. It cannot be specified for any other actions, invalid

Example

Example of a rule being updated:

```javascript
{
    action: "deny(403)",
    description: `Block requests if their reCAPTCHA Enterprise score is <= ${minimumScore} for ${path}`,
    priority: getPriority(),
    match: {
      expr: {
        expression: `request.path == '${path}' && token.recaptcha_action.score <= ${minimumScore}`,
      },
    },
}
```

Output of pulumi about

Customer tried with latest @pulumi/gcp v7.2.2.

Additional context

This maps to this upstream TF issue:

https://github.com/hashicorp/terraform-provider-google/issues/12739

The upstream issue was closed due to inactivity, not because a fix was made.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

VenelinMartinov commented 8 months ago

Hi @ringods, thanks for raising the issue. I just tested the following program and it ran successfully:

"""A Google Cloud Python Pulumi program"""

import pulumi
import pulumi_gcp as gcp

path = "my-path"
minimumScore = 0.5

policy = gcp.compute.SecurityPolicy(
    "policy",
    rules=[
        gcp.compute.SecurityPolicyRuleArgs(
            action="deny(403)",
            description=f"Block requests if their reCAPTCHA Enterprise score is <= {minimumScore} for {path}",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
                    expression=f"request.path == '{path}' && token.recaptcha_action.score <= {minimumScore}"
                )
            ),
            priority=1000,
        ),
        gcp.compute.SecurityPolicyRuleArgs(
            action="allow",
            description="default rule",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=2147483647,
        ),
    ],
)

I am using pulumi-gcp version 7.2.2.

Can you help me reproduce this issue the customer is having?

VenelinMartinov commented 8 months ago

I also ran the following example from the upstream issue successfully. Perhaps this was fixed upstream? Note that for both the examples I also tried to update them and faced no issues. Edit: just noticed the version you reported is the same as the one I tested. I must have missed something here...

"""A Google Cloud Python Pulumi program"""

import pulumi
import pulumi_gcp as gcp

path = "my-path"
minimumScore = 0.5

policy = gcp.compute.SecurityPolicy(
    "policy",
    rules=[
        gcp.compute.SecurityPolicyRuleArgs(
            action="redirect",
            description=f"Redirect to reCAPTCHA on malice",
            preview=True,
            priority=500,
            redirect_options=gcp.compute.SecurityPolicyRuleRedirectOptionsArgs(
                type="GOOGLE_RECAPTCHA"
            ),
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
                    expression="evaluatePreconfiguredExpr('scannerdetection-v33-canary',['owasp-crs-v030301-id913102-scannerdetection','owasp-crs-v030301-id913101-scannerdetection']) || evaluatePreconfiguredExpr('rfi-v33-canary', ['owasp-crs-v030301-id931130-rfi']) || evaluatePreconfiguredExpr('sqli-v33-stable', ['owasp-crs-v030301-id942251-sqli','owasp-crs-v030301-id942420-sqli','owasp-crs-v030301-id942431-sqli','owasp-crs-v030301-id942200-sqli','owasp-crs-v030301-id942460-sqli','owasp-crs-v030301-id942101-sqli','owasp-crs-v030301-id942421-sqli','owasp-crs-v030301-id942260-sqli','owasp-crs-v030301-id942330-sqli','owasp-crs-v030301-id942190-sqli','owasp-crs-v030301-id942180-sqli','owasp-crs-v030301-id942340-sqli','owasp-crs-v030301-id942432-sqli']) || evaluatePreconfiguredExpr('rce-v33-canary') || evaluatePreconfiguredExpr('cve-canary')"
                ),
            ),
        ),
        gcp.compute.SecurityPolicyRuleArgs(
            action="deny(403)",
            description=f"Block requests if their reCAPTCHA Enterprise score is <= {minimumScore} for {path}",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
                    expression=f"request.path == '{path}' && token.recaptcha_action.score <= {minimumScore}"
                )
            ),
            priority=1000,
        ),
        gcp.compute.SecurityPolicyRuleArgs(
            action="allow",
            description="default rule",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=2147483647,
        ),
    ],
)
ringods commented 7 months ago

@VenelinMartinov I can't reproduce this either. I'll check with the customer whether they bumped into this again in the meantime.

VenelinMartinov commented 7 months ago

Looks like the TF issue might be unrelated.

There was another bit from the user which helped me repro this:

alright just deleting all the rules manually in the UI and then running pulumi up again fixed it, I think it had to do with changing a rule that already existed to a different type

Here is the program:

```python
import pulumi
import pulumi_gcp as gcp

path = "my-path"
minimumScore = 0.5

throttle_enabled = pulumi.Config().get_bool("throttle_enabled", True)

policy = gcp.compute.SecurityPolicy(
    "policy",
    rules=[
        gcp.compute.SecurityPolicyRuleArgs(
            action="throttle" if throttle_enabled else "deny(403)",
            description=f"Block requests if their reCAPTCHA Enterprise score is <= {minimumScore} for {path}",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
                    expression=f"request.path == '{path}' && token.recaptcha_action.score <= {minimumScore}"
                )
            ),
            # Rate limit options are only valid for throttle-type actions,
            # so they are dropped entirely when the rule becomes deny(403).
            rate_limit_options=gcp.compute.SecurityPolicyRuleRateLimitOptionsArgs(
                conform_action="allow",
                exceed_action="deny(403)",
                rate_limit_threshold=gcp.compute.SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs(
                    count=10, interval_sec=10
                ),
            )
            if throttle_enabled
            else None,
            priority=1000,
        ),
        gcp.compute.SecurityPolicyRuleArgs(
            action="allow",
            description="default rule",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=2147483647,
        ),
    ],
)
```

Steps:

1. `pulumi up`
2. `pulumi config set throttle_enabled false`
3. `pulumi up`
4. Observe the error

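
A pre-flight check for the constraint quoted in the 400 error, as an added example that is not part of this issue thread or the pulumi-gcp provider: it validates that `rate_limit_options` is present exactly when the action is `throttle`, `rate_based_ban` or `fairshare` (an empty value counts as present, which is what the failing update sends), and flags the in-place action-class flip that the repro above triggers. Rules are plain dicts shaped like the `SecurityPolicyRuleArgs` fields, so it runs without the SDK; the transition check is a heuristic drawn from this thread's repro, not an API rule.

```python
RATE_LIMITED_ACTIONS = {"throttle", "rate_based_ban", "fairshare"}


def check_rule(rule: dict) -> list[str]:
    """Problems with one rule against the constraint in the 400 message."""
    action = rule.get("action", "")
    opts = rule.get("rate_limit_options")
    prio = rule.get("priority")
    problems = []
    if action in RATE_LIMITED_ACTIONS and not opts:
        problems.append(f"priority {prio}: action {action!r} requires rate_limit_options")
    elif action not in RATE_LIMITED_ACTIONS and opts is not None:
        # An empty value ('' or {}) is rejected too, not only a populated one.
        problems.append(f"priority {prio}: action {action!r} must not carry rate_limit_options")
    return problems


def check_policy(rules: list[dict]) -> list[str]:
    """All problems across a policy's rules; empty list means the API constraint holds."""
    return [p for r in rules for p in check_rule(r)]


def risky_transitions(old_rules: list[dict], new_rules: list[dict]) -> list[int]:
    """Priorities whose existing rule flips between the rate-limited and plain
    action classes in place (throttle -> deny(403) in the repro). Heuristic
    based on this thread, not an API rule."""
    old_by_prio = {r["priority"]: r["action"] for r in old_rules}
    flips = []
    for r in new_rules:
        before = old_by_prio.get(r["priority"])
        if before is None:
            continue  # new rule, no in-place update
        if (before in RATE_LIMITED_ACTIONS) != (r["action"] in RATE_LIMITED_ACTIONS):
            flips.append(r["priority"])
    return flips


# Constructed samples mirroring the repro program: state after step 1 vs step 3.
THROTTLE_RULE = {"action": "throttle", "priority": 1000,
                 "rate_limit_options": {"conform_action": "allow", "exceed_action": "deny(403)",
                                        "rate_limit_threshold": {"count": 10, "interval_sec": 10}}}
DENY_RULE = {"action": "deny(403)", "priority": 1000, "rate_limit_options": None}
DEFAULT_RULE = {"action": "allow", "priority": 2147483647}
# What the provider effectively sends in step 3: the field present but empty.
DENY_RULE_EMPTY_OPTS = {"action": "deny(403)", "priority": 1000, "rate_limit_options": ""}

if __name__ == "__main__":
    print(check_policy([DENY_RULE_EMPTY_OPTS, DEFAULT_RULE]))
    print(risky_transitions([THROTTLE_RULE, DEFAULT_RULE], [DENY_RULE, DEFAULT_RULE]))
```
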
ringods commented 6 months ago

Filed as https://github.com/hashicorp/terraform-provider-google/issues/17275 in upstream GCP TF provider.