From bd7dc11e3f5b7356bf3d1de5d4db1b2f1aa2fff5 Mon Sep 17 00:00:00 2001
From: Modular Magician 
Date: Mon, 31 Jan 2022 20:49:15 +0000
Subject: [PATCH] Add rate limit options for compute resource security policy rules (#5413)

Co-authored-by: Riley Karson 
Signed-off-by: Modular Magician 
---
 .../google/provider/.changelog/5413.txt | 3 ++
 .../resource_compute_security_policy.go | 2 +-
 .../r/compute_security_policy.html.markdown | 32 +++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 converters/google/provider/.changelog/5413.txt

diff --git a/converters/google/provider/.changelog/5413.txt b/converters/google/provider/.changelog/5413.txt
new file mode 100644
index 000000000..f193c5237
--- /dev/null
+++ b/converters/google/provider/.changelog/5413.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: Added field `rate_limit_options` to `google_compute_security_policy` rules (beta)
+```
diff --git a/converters/google/provider/google/resource_compute_security_policy.go b/converters/google/provider/google/resource_compute_security_policy.go
index 978f00162..0c390d882 100644
--- a/converters/google/provider/google/resource_compute_security_policy.go
+++ b/converters/google/provider/google/resource_compute_security_policy.go
@@ -62,7 +62,7 @@ func resourceComputeSecurityPolicy() *schema.Resource {
 "action": {
 Type: schema.TypeString,
 Required: true,
- ValidateFunc: validation.StringInSlice([]string{"allow", "deny(403)", "deny(404)", "deny(502)"}, false),
+ ValidateFunc: validation.StringInSlice([]string{"allow", "deny(403)", "deny(404)", "deny(502)", "rate_based_ban", "throttle"}, false),
 Description: `Action to take when match matches the request. Valid values: "allow" : allow access to target, "deny(status)" : deny access to target, returns the HTTP response code specified (valid values are 403, 404 and 502)`,
 },
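Review bot: The `Description` string on the line after the changed `ValidateFunc` still tells users the valid values are only "allow" and "deny(status)", while the validator now also accepts "rate_based_ban" and "throttle"; extend the string to list both values with a one-phrase meaning each and state that both require `rate_limit_options` to be set. The diffstat shows this one-line change is the only edit to the Go file, so unless `rate_limit_options` already exists in the schema outside this hunk, a rule using either new action passes plan-time validation and is only rejected by the API at apply time — worth confirming, since the changelog says the field was added. The markdown hunk in this commit names the actions "rate_based_bad" and "threshold", which do not match the validator's "rate_based_ban" and "throttle"; this Go list should be the source of truth when the docs are corrected. `resourceComputeSecurityPolicy` starts and ends outside the hunk.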
diff --git a/converters/google/provider/website/docs/r/compute_security_policy.html.markdown b/converters/google/provider/website/docs/r/compute_security_policy.html.markdown
index ce6a1d262..6f039d16f 100644
--- a/converters/google/provider/website/docs/r/compute_security_policy.html.markdown
+++ b/converters/google/provider/website/docs/r/compute_security_policy.html.markdown
@@ -71,6 +71,8 @@ The following arguments are supported:
 * `action` - (Required) Action to take when `match` matches the request. Valid values:
 * "allow" : allow access to target
 * "deny(status)" : deny access to target, returns the HTTP response code specified (valid values are 403, 404 and 502)
+ * "rate_based_ban" : limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set.
+ * "threshold" : limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this.
 * `priority` - (Required) An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.
@@ -83,6 +85,9 @@ The following arguments are supported:
 * `preview` - (Optional) When set to true, the `action` specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.
+* `rate_limit_options` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+ Must be specified if the `action` is "rate_based_bad" or "throttle". Cannot be specified for other actions. Structure is [documented below](#nested_rate_limit_options).
+
 The `match` block supports:
 * `config` - (Optional) The configuration options available when specifying `versioned_expr`.
@@ -108,6 +113,33 @@ The following arguments are supported:
 * `expression` - (Required) Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
+The `rate_limit_options` block supports:
+
+* `ban_duration_sec` - (Optional) Can only be specified if the `action` for the rule is "rate_based_ban".
+ If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
+
+* `ban_threshold` - (Optional) Can only be specified if the `action` for the rule is "rate_based_ban".
+ If specified, the key will be banned for the configured 'ban_duration_sec' when the number of requests that exceed the 'rate_limit_threshold' also
+ exceed this 'ban_threshold'. Structure is [documented below](#nested_threshold).
+
+* `conform_action` - (Optional) Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.
+
+* `enforce_on_key` - (Optional) Determines the key to enforce the rate_limit_threshold on.
+ Possible values incude "ALL", "ALL_IPS", "HTTP_HEADER", "IP", "XFF_IP". If not specified, defaults to "ALL".
+
+* `enforce_on_key_name` - (Optional) Rate limit key name applicable only for HTTP_HEADER key types. Name of the HTTP header whose value is taken as the key value.
+
+* `exceed_action` - (Optional) When a request is denied, returns the HTTP response code specified.
+ Valid options are "deny()" where valid values for status are 403, 404, 429, and 502.
+
+* `rate_limit_threshold` - (Optional) Threshold at which to begin ratelimiting. Structure is [documented below](#nested_threshold).
+
+The `{ban/rate_limit}_threshold` block supports:
+
+* `count` - (Optional) Number of HTTP(S) requests for calculating the threshold.
+
+* `interval_sec` - (Optional) Interval over which the threshold is computed. 
+
 The `adaptive_protection_config` block supports:
 * `layer_7_ddos_defense_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Configuration for [Google Cloud Armor Adaptive Protection Layer 7 DDoS Defense](https://cloud.google.com/armor/docs/adaptive-protection-overview?hl=en). Structure is [documented below](#nested_layer_7_ddos_defense_config).