4

https://www.terraform.io/docs/providers/google/r/compute_security_policy.html

rules are embedded in the google_compute_security_policy resource

And Cloud Armor has a dumb limitation that only allows for up to 5 IPs in a rule. I have about 15 IPs I want to whitelist.

I want this to be dynamic and not have to manually break those up into 3 rules that are statically defined in the google_compute_security_policy.

I want to have a terraform var that is a list of all 15 IPs. Then loop over that var and just create 15 rules and apply to the google_compute_security_policy resource.

Is something like this possible?

red888

2 Answers

9

You can use the built-in chunklist function:

chunklist splits a single list into fixed-size chunks, returning a list of lists.

So in your case we'd have something along these lines:

resource "google_compute_security_policy" "default" {
  # name is required by the resource (value is an example)
  name = "my-policy"

  # One rule block is generated per chunk of at most 5 IPs
  dynamic "rule" {
    for_each = chunklist(var.my_ip_array, 5)

    content {
      action   = "allow"
      # rule.key is the 0-based chunk index, so priorities start at 1
      priority = rule.key + 1

      match {
        versioned_expr = "SRC_IPS_V1"

        config {
          # rule.value is the list of IPs in this chunk
          src_ip_ranges = rule.value
        }
      }
    }
  }
}
Dani
Aleksi
  • That is very cool. I was hoping there was a 0.12 feature that could make this easy. What if I have them defined in two lists? Is there a way to merge lists inline (without creating another variable) and chunk that? – red888 Aug 07 '19 at 13:45
  • Yup, use [`concat`](https://www.terraform.io/docs/configuration/functions/concat.html). – Aleksi Aug 07 '19 at 13:47
  • Since you're clearly a wizard, do you know if it's possible to do something similar with Terraform 0.11? I've not been able to upgrade all the modules we're using, but have the same problem with the 5 IP limit in Cloud Armor. – aodj Mar 20 '20 at 10:55
  • I had to add 256 IP addresses and ranges whitelist in Cloud Armor for a specific environment, so the current 10 IP addresses or IP address ranges limitation was really an issue for us. Thanks for that solution, exactly what we needed to bypass this limitation. – Jean-Frederic Mainville Jul 05 '23 at 13:05
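Putting the answer and the concat comment together: an added configuration (not from the answer or the provider docs) that merges two allow-lists inline, chunks them to the per-rule limit, generates one rule per chunk, and keeps the mandatory default rule. The variable names, sample addresses and policy name are assumptions.

```hcl
# Constructed example: variable names, sample IPs and policy name are assumed.
variable "office_ips" {
  type    = list(string)
  default = ["203.0.113.10/32", "203.0.113.11/32"] # constructed sample values
}
variable "vpn_ips" {
  type    = list(string)
  default = ["198.51.100.0/24"] # constructed sample value
}
variable "ips_per_rule" {
  type    = number
  default = 5 # raise to 10 if your project has the newer per-rule limit
}

locals {
  # concat() merges the lists without an extra variable; chunklist() splits
  # the result into groups no larger than the per-rule limit.
  allow_chunks = chunklist(concat(var.office_ips, var.vpn_ips), var.ips_per_rule)
}

resource "google_compute_security_policy" "allowlist" {
  name = "allowlist-policy" # assumed name

  dynamic "rule" {
    for_each = local.allow_chunks
    content {
      action   = "allow"
      # rule.key is the 0-based chunk index; priorities must be unique
      priority = 1000 + rule.key
      match {
        versioned_expr = "SRC_IPS_V1"
        config {
          src_ip_ranges = rule.value
        }
      }
    }
  }

  # Default rule (lowest priority): anything not allowed above is denied.
  rule {
    action   = "deny(403)"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
```

Adding an address to either list re-chunks the whole set, so a change can move IPs between rules; that is harmless for the policy's effect but shows up as rule updates in the plan.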
0

According to the official GCP documentation (https://cloud.google.com/armor/docs/security-policy-concepts#limits), Cloud Armor has a hard limit of 5 IP addresses or IP address ranges per rule and there is no way to change it.

You could try to split those 15 IPs into 3 different rules inside the same compute security policy to bypass this limitation.

Arcosphere
  • Like I said, I want to avoid breaking up those rules statically and want to use a list variable to create them. – red888 Jul 12 '19 at 16:45
  • Is this still a valid limitation? I can't find it there. – Reza Jun 16 '22 at 14:36
  • The limitation is 10 IPs now: `You can put up to 10 IP addresses or ranges per rule. Use comma to separate IP address/ranges.` – Reza Jun 16 '22 at 14:42