
Unable to activate adaptive protection on Security Policy #717

Closed
hjorth opened this issue Jan 4, 2022 · 4 comments
Assignees
Labels
kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed

Comments

@hjorth

hjorth commented Jan 4, 2022

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := compute.NewSecurityPolicy(ctx, "my-policy", &compute.SecurityPolicyArgs{
			Name: pulumi.String("my-policy"),
			AdaptiveProtectionConfig: &compute.SecurityPolicyAdaptiveProtectionConfigArgs{
				Layer7DdosDefenseConfig: &compute.SecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfigArgs{
					Enable: pulumi.Bool(true),
				},
			},
			Rules: compute.SecurityPolicyRuleArray{
				&compute.SecurityPolicyRuleArgs{
					Action:      pulumi.String("deny(403)"),
					Description: pulumi.String("Deny access to IPs in 9.9.9.0/24"),
					Match: &compute.SecurityPolicyRuleMatchArgs{
						Config: &compute.SecurityPolicyRuleMatchConfigArgs{
							SrcIpRanges: pulumi.StringArray{
								pulumi.String("9.9.9.0/24"),
							},
						},
						VersionedExpr: pulumi.String("SRC_IPS_V1"),
					},
					Priority: pulumi.Int(1000),
				},
				&compute.SecurityPolicyRuleArgs{
					Action:      pulumi.String("allow"),
					Description: pulumi.String("default rule"),
					Match: &compute.SecurityPolicyRuleMatchArgs{
						Config: &compute.SecurityPolicyRuleMatchConfigArgs{
							SrcIpRanges: pulumi.StringArray{
								pulumi.String("*"),
							},
						},
						VersionedExpr: pulumi.String("SRC_IPS_V1"),
					},
					Priority: pulumi.Int(2147483647),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

This code does not work

Fails with:

    error: gcp:compute/securityPolicy:SecurityPolicy resource 'my-policy' has a problem: Invalid or unknown key. Examine values at 'SecurityPolicy.AdaptiveProtectionConfig.Layer7DdosDefenseConfig'.

Similar code in python also fails.

It works in google-native - but Rules cannot be updated in that - so that is useless for my case.

@hjorth hjorth added the kind/bug Some behavior is incorrect or out of spec label Jan 4, 2022
@leezen
Contributor

leezen commented Jan 8, 2022

I commented on the google-native side with a potential workaround using replaceOnChanges

@hjorth
Author

hjorth commented Jan 8, 2022

Doesn't really make pulumi-gcp work :-)

@geekflyer

Running into the exact same error message with the TypeScript SDK/API. Is there any workaround to enable adaptive protection?

@mikhailshilkov mikhailshilkov added the resolution/fixed This issue was fixed label Oct 27, 2023
@mikhailshilkov mikhailshilkov self-assigned this Oct 27, 2023
@mikhailshilkov
Member

Tried reproducing today with

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

new gcp.compute.SecurityPolicy("my-policy", {
    adaptiveProtectionConfig: {
        layer7DdosDefenseConfig: {
            enable: true,
        },
    },
    rules: [
        {
            action: "deny(403)",
            description: "Deny access to IPs in 9.9.9.0/24",
            match: {
                config: {
                    srcIpRanges: ["9.9.9.0/24"],
                },
                versionedExpr: "SRC_IPS_V1",
            },
            priority: 1000,
        },
        {
            action: "allow",
            description: "default rule",
            match: {
                config: {
                    srcIpRanges: ["*"],
                },
                versionedExpr: "SRC_IPS_V1",
            },
            priority: 2147483647,
        },
    ],
});
```

and it worked fine. I think this has been fixed upstream in hashicorp/terraform-provider-google#12554.
