Support Preconfigured ModSecuirty rules with evaluatePreconfiguredExpr in Terraform

[phydroxide]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

GCP Provides a powerful and easy way to define pre-configured WAF rules into compute security policy.
This is available with gcloud cli, https://cloud.google.com/armor/docs/rule-tuning
But Terraform currently only supports versioned expressions and source ip ranges
https://registry.terraform.io/providers/hashicorp/google/3.0.0/docs/resources/compute_security_policy#versioned_expr

Incorporating this into terraform will promote security configuration as code. It makes robust boundary security defense a first class citizen in our continuous deployment pipeline. It prevents security configuration from being a feature detached from the environment state or an afterthought bolted on.

Defining this with Terraform has the added benefit of toggling rules from preview to enforced, deny to allow, adjusting the priority, or amending exceptions as iterative and small changes, maintaining prior state to avoid errors from removing and re-applying former rules. Errors are less likely to be be introduced, might be sanity-checked by the provider (such as priority collisions), and rollback becomes simple Config as Code tweaks.

New or Affected Resource(s)

• google_compute_security_policy

Potential Terraform Configuration

  rule {
    action      = "deny"
    description = "SQLi sensitivity level 1"
    match  {
      config  {
          expression = "evaluatePreconfiguredExpr('sqli-stable',
                           ['owasp-crs-v030001-id942120-sqli',
                           'owasp-crs-v030001-id942150-sqli',
                           'owasp-crs-v030001-id942180-sqli',
                           'owasp-crs-v030001-id942200-sqli',
                           'owasp-crs-v030001-id942210-sqli',
                           'owasp-crs-v030001-id942260-sqli',
                           'owasp-crs-v030001-id942300-sqli',
                           'owasp-crs-v030001-id942310-sqli',
                           'owasp-crs-v030001-id942330-sqli',
                           'owasp-crs-v030001-id942340-sqli',
                           'owasp-crs-v030001-id942380-sqli',
                           'owasp-crs-v030001-id942390-sqli',
                           'owasp-crs-v030001-id942400-sqli',
                           'owasp-crs-v030001-id942410-sqli',
                           'owasp-crs-v030001-id942430-sqli',
                           'owasp-crs-v030001-id942440-sqli',
                           'owasp-crs-v030001-id942450-sqli',
                           'owasp-crs-v030001-id942251-sqli',
                           'owasp-crs-v030001-id942420-sqli',
                           'owasp-crs-v030001-id942431-sqli',
                           'owasp-crs-v030001-id942460-sqli',
                           'owasp-crs-v030001-id942421-sqli',
                           'owasp-crs-v030001-id942432-sqli']]"
          }
    }
    preview = "true"
    priority = "1400440800"
  }
    rule {
    action      = "deny"
    description = "PHP Injection Attack sensitivity level 2"
    match  {
      config  {
          expression = "evaluatePreconfiguredExpr('php-stable')"
          }
    }
    preview = "true"
    priority = "1400440900"
  }

References

#8984
#10020

[rileykarson]

I noticed you linked the 3.0.0 documentation. Newer versions of the provider support an expr field alongside version_expr, is that what you're looking for?

[phydroxide]

I will look at this. I have not been able to determine how to use the user defined CEVAL expression to achieve the desired result.
https://registry.terraform.io/providers/hashicorp/google/4.0.0/docs/resources/compute_security_policy#versioned_expr

[phydroxide]

Newbie PEBKAC

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "~> 4.0.0"
    } ...
    

terraform init --upgrade

rule {
    action      = "deny(404)"
    priority = "1400440800"
    description = "SQLi sensitivity level 1"
    preview = "true"
    match  {
          expr {
                expression = <<-EOT
                     evaluatePreconfiguredExpr('sqli-stable',
                           ['owasp-crs-v030001-id942120-sqli',
                           'owasp-crs-v030001-id942150-sqli',
                           'owasp-crs-v030001-id942180-sqli',
                           'owasp-crs-v030001-id942200-sqli',
                           'owasp-crs-v030001-id942210-sqli',
                           'owasp-crs-v030001-id942260-sqli',
                           'owasp-crs-v030001-id942300-sqli',
                           'owasp-crs-v030001-id942310-sqli',
                           'owasp-crs-v030001-id942330-sqli',
                           'owasp-crs-v030001-id942340-sqli',
                           'owasp-crs-v030001-id942380-sqli',
                           'owasp-crs-v030001-id942390-sqli',
                           'owasp-crs-v030001-id942400-sqli',
                           'owasp-crs-v030001-id942410-sqli',
                           'owasp-crs-v030001-id942430-sqli',
                           'owasp-crs-v030001-id942440-sqli',
                           'owasp-crs-v030001-id942450-sqli',
                           'owasp-crs-v030001-id942251-sqli',
                           'owasp-crs-v030001-id942420-sqli',
                           'owasp-crs-v030001-id942431-sqli',
                           'owasp-crs-v030001-id942460-sqli',
                           'owasp-crs-v030001-id942421-sqli',
                           'owasp-crs-v030001-id942432-sqli'])
EOT
rule {
    action      = "deny(404)"
    priority = "1400440800"
    description = "Preconfigured Rules SQLI Least Aggressive"
    preview = "true"
    match  {
          expr {
                expression = "evaluatePreconfiguredExpr('sqli-stable',['owasp-crs-v030001-id942120-sqli'])"
               }
    }
  }

terraform plan
I will still want to verify that the policy resolves as I expect, but the terraform applied correcty. You are correct. This appears to be supported in 4.0.0. Thank you.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.