Open ringods opened 8 months ago
Hi @ringods, thanks for raising the issue. I just tested the following program and it ran successfully:
"""A Google Cloud Python Pulumi program"""
import pulumi
import pulumi_gcp as gcp
path = "my-path"
minimumScore = 0.5
policy = gcp.compute.SecurityPolicy(
"policy",
rules=[
gcp.compute.SecurityPolicyRuleArgs(
action="deny(403)",
description=f"Block requests if their reCAPTCHA Enterprise score is <= {minimumScore} for {path}",
match=gcp.compute.SecurityPolicyRuleMatchArgs(
expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
expression=f"request.path == '{path}' && token.recaptcha_action.score <= {minimumScore}"
)
),
priority=1000,
),
gcp.compute.SecurityPolicyRuleArgs(
action="allow",
description="default rule",
match=gcp.compute.SecurityPolicyRuleMatchArgs(
config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
src_ip_ranges=["*"],
),
versioned_expr="SRC_IPS_V1",
),
priority=2147483647,
),
],
)
I am using pulumi-gcp
version 7.2.2
.
Can you help me reproduce this issue the customer is having?
I also ran the following example from the upstream issue successfully. Perhaps this was fixed upstream? Note that for both the examples I also tried to update them and faced no issues. Edit: just noticed the version you reported is the same as the one I tested. I must have missed something here...
"""A Google Cloud Python Pulumi program"""
import pulumi
import pulumi_gcp as gcp
path = "my-path"
minimumScore = 0.5
policy = gcp.compute.SecurityPolicy(
"policy",
rules=[
gcp.compute.SecurityPolicyRuleArgs(
action="redirect",
description=f"Redirect to reCAPTCHA on malice",
preview=True,
priority=500,
redirect_options=gcp.compute.SecurityPolicyRuleRedirectOptionsArgs(
type="GOOGLE_RECAPTCHA"
),
match=gcp.compute.SecurityPolicyRuleMatchArgs(
expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
expression="evaluatePreconfiguredExpr('scannerdetection-v33-canary',['owasp-crs-v030301-id913102-scannerdetection','owasp-crs-v030301-id913101-scannerdetection']) || evaluatePreconfiguredExpr('rfi-v33-canary', ['owasp-crs-v030301-id931130-rfi']) || evaluatePreconfiguredExpr('sqli-v33-stable', ['owasp-crs-v030301-id942251-sqli','owasp-crs-v030301-id942420-sqli','owasp-crs-v030301-id942431-sqli','owasp-crs-v030301-id942200-sqli','owasp-crs-v030301-id942460-sqli','owasp-crs-v030301-id942101-sqli','owasp-crs-v030301-id942421-sqli','owasp-crs-v030301-id942260-sqli','owasp-crs-v030301-id942330-sqli','owasp-crs-v030301-id942190-sqli','owasp-crs-v030301-id942180-sqli','owasp-crs-v030301-id942340-sqli','owasp-crs-v030301-id942432-sqli']) || evaluatePreconfiguredExpr('rce-v33-canary') || evaluatePreconfiguredExpr('cve-canary')"
),
),
),
gcp.compute.SecurityPolicyRuleArgs(
action="deny(403)",
description=f"Block requests if their reCAPTCHA Enterprise score is <= {minimumScore} for {path}",
match=gcp.compute.SecurityPolicyRuleMatchArgs(
expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
expression=f"request.path == '{path}' && token.recaptcha_action.score <= {minimumScore}"
)
),
priority=1000,
),
gcp.compute.SecurityPolicyRuleArgs(
action="allow",
description="default rule",
match=gcp.compute.SecurityPolicyRuleMatchArgs(
config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
src_ip_ranges=["*"],
),
versioned_expr="SRC_IPS_V1",
),
priority=2147483647,
),
],
)
@VenelinMartinov I can't reproduce this too. I'll check with the customer if they bumped into this again in the meantime.
Looks like the TF issue might be unrelated.
There was another bit from the user which helped me repro this:
> alright just deleting all the rules manually in the UI and then running pulumi up again fixed it, I think it had to do with changing a rule that already existed to a different type

Here is the program:

```python
import pulumi
import pulumi_gcp as gcp

path = "my-path"
minimumScore = 0.5
throttle_enabled = pulumi.Config().get_bool("throttle_enabled", True)

policy = gcp.compute.SecurityPolicy(
    "policy",
    rules=[
        gcp.compute.SecurityPolicyRuleArgs(
            action="throttle" if throttle_enabled else "deny(403)",
            description=f"Block requests if their reCAPTCHA Enterprise score is <= {minimumScore} for {path}",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
                    expression=f"request.path == '{path}' && token.recaptcha_action.score <= {minimumScore}"
                )
            ),
            rate_limit_options=gcp.compute.SecurityPolicyRuleRateLimitOptionsArgs(
                conform_action="allow",
                exceed_action="deny(403)",
                rate_limit_threshold=gcp.compute.SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs(
                    count=10, interval_sec=10
                ),
            )
            if throttle_enabled
            else None,
            priority=1000,
        ),
        gcp.compute.SecurityPolicyRuleArgs(
            action="allow",
            description="default rule",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=2147483647,
        ),
    ],
)
```

Steps:

```shell
pulumi up
pulumi config set throttle_enabled false
pulumi up
```
Filed as https://github.com/hashicorp/terraform-provider-google/issues/17275 in upstream GCP TF provider.
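As an added example (not code from the issue or from pulumi-gcp), a small pre-deployment check that mirrors the repro above: it builds the rule set for both values of `throttle_enabled` and flags any rule that keeps its priority but switches action, which is the in-place type change the customer hit. It uses plain dicts shaped like the `SecurityPolicyRuleArgs` in the repro instead of the provider's classes, so it runs without pulumi-gcp installed.

```python
"""Added example (not from the issue or pulumi-gcp): flag Cloud Armor rules
that change action in place, using plain dicts shaped like the repro's
SecurityPolicyRuleArgs so it runs without the provider installed."""
from typing import Optional

PATH = "my-path"
MINIMUM_SCORE = 0.5


def build_rules(throttle_enabled: bool) -> list:
    """Same rule set as the repro: one reCAPTCHA rule plus the default allow."""
    rate_limit: Optional[dict] = None
    if throttle_enabled:
        rate_limit = {
            "conform_action": "allow",
            "exceed_action": "deny(403)",
            "rate_limit_threshold": {"count": 10, "interval_sec": 10},
        }
    return [
        {
            "priority": 1000,
            "action": "throttle" if throttle_enabled else "deny(403)",
            "expression": f"request.path == '{PATH}' && token.recaptcha_action.score <= {MINIMUM_SCORE}",
            "rate_limit_options": rate_limit,
        },
        {"priority": 2147483647, "action": "allow", "src_ip_ranges": ["*"]},
    ]


def in_place_type_changes(before: list, after: list) -> list:
    """Rules that keep their priority but switch action: the update path that
    failed in the issue (throttle -> deny(403) with rate_limit_options dropped)."""
    old = {r["priority"]: r for r in before}
    changes = []
    for rule in after:
        prev = old.get(rule["priority"])
        if prev is None or prev["action"] == rule["action"]:
            continue
        changes.append({
            "priority": rule["priority"],
            "action": (prev["action"], rule["action"]),
            "rate_limit_options_dropped": prev.get("rate_limit_options") is not None
            and rule.get("rate_limit_options") is None,
        })
    return changes


# Constructed run of the steps above: pulumi up, set throttle_enabled=false, pulumi up.
for change in in_place_type_changes(build_rules(True), build_rules(False)):
    print(f"rule {change['priority']}: {change['action'][0]} -> {change['action'][1]}, "
          "delete and recreate it rather than updating in place")
```

Running the check before the second `pulumi up` reports the priority-1000 rule, which is the one the customer ended up deleting by hand.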
What happened?
Customer updated Cloud Armor rules but bumped into this error:
Example
Example of a rule being updated:
Output of `pulumi about`
Customer tried with latest @pulumi/gcp v7.2.2.
Additional context
This maps to this upstream TF issue: https://github.com/hashicorp/terraform-provider-google/issues/12739
The upstream issue was closed due to inactivity, not because a fix was made.