resource "google_compute_security_policy" "my_security_policy" {
  name    = "my-security-policy"
  project = var.project_id

  # Whitelist rule for your specific IP address
  rule {
    action      = "allow"
    priority    = 1000
    description = "Whitelist Your IP"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["x.x.x.x"]
      }
    }
  }

  # Blacklist rule for all other traffic
  # (as posted, this rule matches the same placeholder range as the allow rule above)
  rule {
    action      = "deny(403)"
    priority    = 2000
    description = "Block All Other Traffic"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["x.x.x.x"]
      }
    }
  }

  # Default rule to allow other traffic
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default allow-all rule"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
I created a GKE cluster and deployed a couple of workloads along with their services (node ports). I created an Ingress (which created a load balancer) before the node ports. Now I created a Cloud Armor policy and want to associate it with GKE. Above is my Cloud Armor configuration. I could add targets (GKE nodes) to Cloud Armor manually with a couple of clicks, but I don't find any option to add them through Terraform.
It's the same request as https://github.com/hashicorp/terraform-provider-google/issues/4973, but I don't find any solution.
You need to link the security policy resource `my_security_policy` to a backend resource (which then redirects to some GKE nodes) by adding the line `security_policy`. For example:
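An added example (not from the answer above) of what that linkage looks like: a Terraform-managed backend service that fronts the GKE node instance groups and attaches the policy through its `security_policy` argument. The health check, the backend service name and the node pool reference `google_container_node_pool.primary` (with its `instance_group_urls` attribute) are assumptions; the NodePort value is a constructed sample.

```hcl
# Health check for the NodePort exposed by the GKE service (assumed name and port)
resource "google_compute_health_check" "gke_nodeport" {
  name    = "gke-nodeport-hc"
  project = var.project_id

  tcp_health_check {
    port = 30080 # constructed sample NodePort
  }
}

# Backend service whose backends are the GKE node instance groups.
# The security_policy line is the only thing needed to attach Cloud Armor;
# the policy's rules are then evaluated for every request hitting this backend.
resource "google_compute_backend_service" "gke_backend" {
  name          = "gke-backend" # assumed name
  project       = var.project_id
  protocol      = "HTTP"
  health_checks = [google_compute_health_check.gke_nodeport.self_link]

  # Link the Cloud Armor policy defined in the question to this backend.
  security_policy = google_compute_security_policy.my_security_policy.self_link

  # One backend block per instance group of the (assumed) node pool.
  dynamic "backend" {
    for_each = google_container_node_pool.primary.instance_group_urls
    content {
      group = backend.value
    }
  }
}
```

For backend services that the GKE Ingress controller creates on its own (rather than ones you manage in Terraform), the same attachment is expressed on the Kubernetes side with a BackendConfig whose `securityPolicy.name` names the policy.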