
SECURITY RISK: Google Compute Regional Security Policy doesn't implement default deny #18427

Closed
cyber-francis opened this issue Jun 13, 2024 · 14 comments

@cyber-francis

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform vX.X.X
on

  • provider registry.terraform.io/hashicorp/google vX.X.X
  • provider registry.terraform.io/hashicorp/google-beta vX.X.X

Affected Resource(s)

GOOGLE COMPUTE REGIONAL SECURITY POLICY POLICY

Terraform Configuration

Debug Output

No response

Expected Behavior

GOOGLE COMPUTE REGIONAL SECURITY POLICY POLICY doesn't implement default deny; instead it implements default allow, which is a security risk.

Actual Behavior

No response

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

No response

@ggtisc ggtisc added the forward/review In review; remove label to forward label Jun 13, 2024
@ggtisc ggtisc self-assigned this Jun 13, 2024
@ggtisc
Collaborator

ggtisc commented Jun 13, 2024

Hi @cyber-francis!

To replicate this issue it is necessary to have the next:

  • Your Terraform version
  • Your Google provider version
  • The affected resource name (GOOGLE COMPUTE REGIONAL SECURITY POLICY POLICY doesn't appear in terraform registry. Are you talking about google_compute_region_security_policy?)
  • Your terraform configuration (code, environment variables, locals, etc)
  • Debug output (message returned by your terminal)

@cyber-francis
Author

Yes, the resource is: google_compute_region_security_policy
terraform v1.7.5
google provider beta 5.30.0

@ggtisc
Collaborator

ggtisc commented Jun 13, 2024

You missed sharing the Terraform code.

After executing a terraform apply with this code example the result was successful without errors with a deny value on the action argument. And the deny value was implemented successfully. If you have a different code please share it.

provider "google" {
  project = "my-project"
}

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google-beta"
      version = "5.30.0"
    }
  }
}

resource "google_compute_region_security_policy" "security_policy_18427" {
  region      = "us-central1"
  name        = "security-policy-18427"
  description = "basic region security policy"
  type        = "CLOUD_ARMOR"
}

resource "google_compute_region_security_policy_rule" "policy_rule" {
  region          = "us-central1"
  security_policy = google_compute_region_security_policy.security_policy_18427.name
  description     = "new rule"
  priority        = 100
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["10.10.0.0/16"]
    }
  }
  action          = "deny"
  preview         = true
}

@cyber-francis
Author

cyber-francis commented Jun 13, 2024

This is not the issue I am referring to. I am referring to the "default" rule created when a security policy is created. When you checked your cloud armor policy via gcp console did you see a default deny or default allow?

@ggtisc
Collaborator

ggtisc commented Jun 14, 2024

@cyber-francis yes, the policy rule was created successfully according to the terraform code. Did you try to run it with the provided guide, or the shared example?

@cyber-francis
Author

When I created mine, DEFAULT ALLOW was created, so I had to explicitly add a RULE FOR DENY ALL.
So, if DEFAULT DENY was created for you, then why is the behavior NOT DETERMINISTIC?

@ggtisc
Collaborator

ggtisc commented Jun 14, 2024

@cyber-francis in the steps to reproduce you specified just a terraform apply, as if this were a resource created from scratch. Then just to confirm:

  1. The google_compute_region_security_policy and google_compute_region_security_policy_rule already exist and were created as an allow rule
  2. Then you are attempting to change the existing resources rule from allow to deny?

Please be more specific because from the beginning unfortunately you aren't sharing all the necessary information to reproduce the issue.

@cyber-francis
Author

This is the issue I have in my org, so I can't copy and paste (because I am reporting it via my pc). This is the scenario:

  1. You are creating a new security policy for a new backend (cloudfunctionv2, MIG or GKE)
  2. The security policy does not exist, because you are about to create it.
  3. The security policy is created and attached to the backend (When we do this, a DEFAULT ALLOW is CREATED BY TERRAFORM, I DID NOT CREATE THIS)
  4. Because DEFAULT ALLOW is automatically added, I had to add a NEW RULE to DENY ALL TRAFFIC.

@ggtisc
Collaborator

ggtisc commented Jun 17, 2024

You can share just the code of the affected resource without sensitive information like:

project = "my-project"

Due to the lack of code and information, so far with the code that we have shared with you, after some attempts the result is the same, successful and without errors.

Also you could create a separate project with just the involved resource to test it.

@cyber-francis
Author

cyber-francis commented Jul 5, 2024

@ggtisc When I use

resource "google_compute_security_policy" "policy" {
  name = "my-policy"
}

DEFAULT DENY is automatically created even though there is no rule.

When I use this

resource "google_compute_region_security_policy" "region-sec-policy" {
  provider = google-beta

  name = "my-sec-policy"
  type = "CLOUD_ARMOR_NETWORK"
}

DEFAULT ALLOW is created even though there is no rule

The REGIONAL SECURITY POLICY IS PROBLEMATIC

@cyber-francis
Author

cyber-francis commented Jul 5, 2024

@ggtisc Please, can you confirm this statement below. I think it has something to do with it:

A list of rules that belong to this policy. There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "*" for srcIpRanges and for the networkMatch condition every field must be either match "*" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
https://cloud.google.com/compute/docs/reference/rest/beta/securityPolicies
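The documented behaviour quoted above (a mandatory default rule at priority 2147483647 that is created with action "allow" when no rules are given) is what a defender would want to audit for. The following script is an added example, not code from this thread or from the Terraform provider; it inspects the JSON shape of a securityPolicies.get response and flags a policy whose default rule is an allow. The two sample policies are constructed for illustration.

```python
"""Audit a Cloud Armor security policy (API JSON) for an open default rule."""
import json

DEFAULT_PRIORITY = 2147483647  # lowest priority; the API always keeps a rule here


def find_default_rule(policy: dict):
    """Return the rule at the default priority, or None if the policy has none."""
    for rule in policy.get("rules", []):
        if int(rule.get("priority", -1)) == DEFAULT_PRIORITY:
            return rule
    return None


def is_match_all(rule: dict) -> bool:
    """True if the rule matches every source, per the documented default-rule shape:
    srcIpRanges == ["*"], or for networkMatch every field either "*" or unset."""
    if "networkMatch" in rule:
        return all(v in ("*", ["*"]) for v in rule["networkMatch"].values())
    src = rule.get("match", {}).get("config", {}).get("srcIpRanges")
    return src == ["*"]


def audit_default_rule(policy: dict) -> list:
    """Return a list of findings; an empty list means the default rule is a deny."""
    findings = []
    rule = find_default_rule(policy)
    if rule is None:
        findings.append("no default rule at priority 2147483647")
        return findings
    if not is_match_all(rule):
        findings.append("default rule does not match all traffic")
    if rule.get("action") == "allow":
        findings.append("default rule action is allow (default-allow policy)")
    return findings


# Constructed sample: what a policy created with no rules looks like (auto-added allow).
OPEN_POLICY = json.loads("""{"name": "region-sec-policy", "rules": [
  {"priority": 2147483647, "action": "allow", "description": "Default rule",
   "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}]}""")

# Constructed sample: one scoped allow plus an explicit deny on the default rule.
CLOSED_POLICY = json.loads("""{"name": "region-sec-policy", "rules": [
  {"priority": 1000, "action": "allow",
   "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["10.10.0.0/16"]}}},
  {"priority": 2147483647, "action": "deny(403)",
   "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}]}""")

if __name__ == "__main__":
    for p in (OPEN_POLICY, CLOSED_POLICY):
        print(p["name"], audit_default_rule(p) or ["ok"])
```

The same check applies to the output of `gcloud compute security-policies describe --format=json`, which returns this structure.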

@ggtisc
Collaborator

ggtisc commented Jul 5, 2024

@cyber-francis after creating both resources "google_compute_security_policy" "policy" and "google_compute_region_security_policy" "region-sec-policy" the result was the same, successful and without errors one more time. Both resources created a default ALLOW rule as expected after their creation; according to your shared link this is the normal behavior, so there is no bug. You could find the same information here.

The only thing that doesn't match is the type = "CLOUD_ARMOR_NETWORK", since this is not valid, but you could find more information here about all the available types.

@cyber-francis
Author

@ggtisc does creating DEFAULT ALLOW not go against the SECURITY BY DESIGN principles? So, for someone who doesn't know what they are doing, once they create this construct, they open the app to the whole internet. This is such an anti-security pattern. Please, what is the process to get this fixed or addressed?

@ggtisc
Collaborator

ggtisc commented Jul 6, 2024

@cyber-francis for this reason the documentation exists, both in the Terraform registry and the Google Cloud documentation. I suggest you read the documentation; it is a good practice before starting to use any technology.

Remember that you can report any bug you find; for now this topic will be closed, since it is normal behavior in accordance with everything that has been demonstrated based on the documentation.

@ggtisc ggtisc closed this as completed Jul 6, 2024