Reputation: 19
I am writing Terraform scripts for the security policy (GCP Cloud Armor) for an already existing policy "cloudarmor". I did the import using terraform import, but when I try to run terraform plan, I encounter the error "An argument named "enforce_on_key_configs" is not expected here".
First question: when I imported the already existing policy, the Terraform state doesn't have any information related to "enforce_on_key_configs". In GCP Cloud Armor, I can see that the policy has some enforced key configurations set to "IP".
It doesn't make any sense. I thought of adding them as an extra in the Terraform script and trying to run terraform plan.
    │   29:       enforce_on_key_configs = {
    │
    │ An argument named "enforce_on_key_configs" is not expected here.
    ╵
Here is the Terraform script:
    resource "google_compute_security_policy" "throttle_api" {
      name = "throttle-api"
      type = "CLOUD_ARMOR"
      adaptive_protection_config {
        layer_7_ddos_defense_config {
          enable = true
        }
      }
      rule {
        action   = "rate_based_ban"
        preview  = true
        priority = 100
        match {
          versioned_expr = "SRC_IPS_V1"
          config {
            src_ip_ranges = [
              "0.0.0.0/0",
            ]
          }
        }
        rate_limit_options {
          conform_action = "allow"
          enforce_on_key_configs = {
            enforce_on_key_type="IP",
          }
          exceed_action = "deny(479)"
          rate_limit_threshold {
            count        = 80
            interval_sec = 60
          }
          ban_duration_sec = 60
        }
      }
      rule {
        action      = "allow"
        description = "Default rule, higher priority overrides it"
        preview     = false
        priority    = 2147483647
        match {
          versioned_expr = "SRC_IPS_V1"
          config {
            src_ip_ranges = [
              "*",
            ]
          }
        }
      }
      timeouts {}
    }
Upvotes: 1
Views: 711
Reputation: 157
What's weird is that it's supposed to be in version 4.70.0 https://registry.terraform.io/providers/hashicorp/google/4.70.0/docs/resources/compute_security_policy.html but it's not. Anyway, I have to use the google-beta provider to make it work.
Upvotes: 0
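The fix the answer describes, as an added example that is not part of the original posts: the resource is bound to the google-beta provider, and enforce_on_key_configs is written as a nested block (the form the provider documentation gives for it) rather than as an argument with `=`. Assumptions made for this example: the provider version is left unpinned, and the exceed action uses deny(429) instead of the question's deny(479).

```hcl
terraform {
  required_providers {
    google-beta = {
      source = "hashicorp/google-beta" # pin a version you have tested
    }
  }
}

resource "google_compute_security_policy" "throttle_api" {
  provider = google-beta # per the answer: the GA provider rejected the field
  name     = "throttle-api"
  type     = "CLOUD_ARMOR"

  rule {
    action   = "rate_based_ban"
    preview  = true # preview mode only logs matches; set false to enforce the ban
    priority = 100
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)" # documented statuses: 403, 404, 429, 502
      enforce_on_key = ""          # must be empty when enforce_on_key_configs is set
      enforce_on_key_configs {     # nested block, no "=" (up to 3 allowed)
        enforce_on_key_type = "IP"
      }
      rate_limit_threshold {
        count        = 80
        interval_sec = 60
      }
      ban_duration_sec = 60
    }
  }

  rule {
    action      = "allow"
    description = "Default rule, higher priority overrides it"
    priority    = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
```

After switching providers, run terraform plan against the imported state and confirm it reports no changes to the rate-limit key before applying, so the import does not silently alter the live policy.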