Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support Preconfigured ModSecuirty rules with evaluatePreconfiguredExpr in Terraform #10953

Closed
phydroxide opened this issue Jan 21, 2022 · 4 comments

Comments

@phydroxide
Copy link

phydroxide commented Jan 21, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

GCP Provides a powerful and easy way to define pre-configured WAF rules into compute security policy.
This is available with gcloud cli, https://cloud.google.com/armor/docs/rule-tuning
But Terraform currently only supports versioned expressions and source ip ranges
https://registry.terraform.io/providers/hashicorp/google/3.0.0/docs/resources/compute_security_policy#versioned_expr

Incorporating this into terraform will promote security configuration as code. It makes robust boundary security defense a first class citizen in our continuous deployment pipeline. It prevents security configuration from being a feature detached from the environment state or an afterthought bolted on.

Defining this with Terraform has the added benefit of toggling rules from preview to enforced, deny to allow, adjusting the priority, or amending exceptions as iterative and small changes, maintaining prior state to avoid errors from removing and re-applying former rules. Errors are less likely to be be introduced, might be sanity-checked by the provider (such as priority collisions), and rollback becomes simple Config as Code tweaks.

New or Affected Resource(s)

  • google_compute_security_policy

Potential Terraform Configuration

  rule {
    action      = "deny"
    description = "SQLi sensitivity level 1"
    match  {
      config  {
          expression = "evaluatePreconfiguredExpr('sqli-stable',
                           ['owasp-crs-v030001-id942120-sqli',
                           'owasp-crs-v030001-id942150-sqli',
                           'owasp-crs-v030001-id942180-sqli',
                           'owasp-crs-v030001-id942200-sqli',
                           'owasp-crs-v030001-id942210-sqli',
                           'owasp-crs-v030001-id942260-sqli',
                           'owasp-crs-v030001-id942300-sqli',
                           'owasp-crs-v030001-id942310-sqli',
                           'owasp-crs-v030001-id942330-sqli',
                           'owasp-crs-v030001-id942340-sqli',
                           'owasp-crs-v030001-id942380-sqli',
                           'owasp-crs-v030001-id942390-sqli',
                           'owasp-crs-v030001-id942400-sqli',
                           'owasp-crs-v030001-id942410-sqli',
                           'owasp-crs-v030001-id942430-sqli',
                           'owasp-crs-v030001-id942440-sqli',
                           'owasp-crs-v030001-id942450-sqli',
                           'owasp-crs-v030001-id942251-sqli',
                           'owasp-crs-v030001-id942420-sqli',
                           'owasp-crs-v030001-id942431-sqli',
                           'owasp-crs-v030001-id942460-sqli',
                           'owasp-crs-v030001-id942421-sqli',
                           'owasp-crs-v030001-id942432-sqli']]"
          }
    }
    preview = "true"
    priority = "1400440800"
  }
    rule {
    action      = "deny"
    description = "PHP Injection Attack sensitivity level 2"
    match  {
      config  {
          expression = "evaluatePreconfiguredExpr('php-stable')"
          }
    }
    preview = "true"
    priority = "1400440900"
  }

References

#8984
#10020

@rileykarson
Copy link
Collaborator

I noticed you linked the 3.0.0 documentation. Newer versions of the provider support an expr field alongside version_expr, is that what you're looking for?

@phydroxide
Copy link
Author

I will look at this. I have not been able to determine how to use the user defined CEVAL expression to achieve the desired result.
https://registry.terraform.io/providers/hashicorp/google/4.0.0/docs/resources/compute_security_policy#versioned_expr

@phydroxide
Copy link
Author

phydroxide commented Jan 25, 2022

Newbie PEBKAC

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "~> 4.0.0"
    } ...
    

terraform init --upgrade

rule {
    action      = "deny(404)"
    priority = "1400440800"
    description = "SQLi sensitivity level 1"
    preview = "true"
    match  {
          expr {
                expression = <<-EOT
                     evaluatePreconfiguredExpr('sqli-stable',
                           ['owasp-crs-v030001-id942120-sqli',
                           'owasp-crs-v030001-id942150-sqli',
                           'owasp-crs-v030001-id942180-sqli',
                           'owasp-crs-v030001-id942200-sqli',
                           'owasp-crs-v030001-id942210-sqli',
                           'owasp-crs-v030001-id942260-sqli',
                           'owasp-crs-v030001-id942300-sqli',
                           'owasp-crs-v030001-id942310-sqli',
                           'owasp-crs-v030001-id942330-sqli',
                           'owasp-crs-v030001-id942340-sqli',
                           'owasp-crs-v030001-id942380-sqli',
                           'owasp-crs-v030001-id942390-sqli',
                           'owasp-crs-v030001-id942400-sqli',
                           'owasp-crs-v030001-id942410-sqli',
                           'owasp-crs-v030001-id942430-sqli',
                           'owasp-crs-v030001-id942440-sqli',
                           'owasp-crs-v030001-id942450-sqli',
                           'owasp-crs-v030001-id942251-sqli',
                           'owasp-crs-v030001-id942420-sqli',
                           'owasp-crs-v030001-id942431-sqli',
                           'owasp-crs-v030001-id942460-sqli',
                           'owasp-crs-v030001-id942421-sqli',
                           'owasp-crs-v030001-id942432-sqli'])
EOT
rule {
    action      = "deny(404)"
    priority = "1400440800"
    description = "Preconfigured Rules SQLI Least Aggressive"
    preview = "true"
    match  {
          expr {
                expression = "evaluatePreconfiguredExpr('sqli-stable',['owasp-crs-v030001-id942120-sqli'])"
               }
    }
  }

terraform plan
I will still want to verify that the policy resolves as I expect, but the terraform applied correcty. You are correct. This appears to be supported in 4.0.0. Thank you.

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 25, 2022
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-security-policy labels Jan 14, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

2 participants