Cloud Armor Security Policy (WAF)
A global Cloud Armor WAF policy with preconfigured OWASP SQLi and XSS rules enforcing by default, an optional per-client rate limit, and custom IP allow/deny rules — attachable to many backends.
Verification
Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-30 · how we verify
Documentation
gcp-cloud-armor
A standalone Cloud Armor security policy — a global WAF for HTTP(S) backend
services — with a mandatory default rule and the preconfigured OWASP Core Rule
Set WAF rules (SQL injection and cross-site scripting) wired in, plus an
optional per-client rate-limit rule. The policy is not attached to any
backend; reference its name from a backend service's security_policy field so
one policy can guard many backends. Works with Terraform and OpenTofu
(>= 1.6), Google provider >= 7.0, < 8.0.
Secure defaults:
- SQLi and XSS preconfigured WAF rules enabled and enforcing (`deny(403)`), not in preview; flip `waf_preview = true` to log matches without blocking while you tune sensitivity.
- Default rule allows traffic so attaching the policy never black-holes a backend; switch `default_rule_action` to a deny for a default-deny allowlist.
- Adaptive Protection (L7 DDoS) is opt-in; it requires Cloud Armor Enterprise.
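The following is an added, hand-written Terraform configuration that reproduces the layout of secure defaults described above against the raw `google_compute_security_policy` and `google_compute_backend_service` resources. It is not the module's source (which ships only with a licence); the resource names, the 203.0.113.0/24 denylist prefix (an RFC 5737 documentation range), the rate-limit threshold and the sensitivity level are placeholders, and `waf_preview` / `default_rule_action` are local variables named after the module inputs mentioned on this page. It assumes the Compute Engine API is already enabled in the target project.

```hcl
# Added example, not the gcp-cloud-armor module's own code.
# Placeholders: resource names, the 203.0.113.0/24 prefix, count=100/60s, sensitivity 1.

variable "waf_preview" {
  description = "true = log WAF matches and the would-be action without blocking (tuning mode)"
  type        = bool
  default     = false
}

variable "default_rule_action" {
  description = "Lowest-priority rule action: allow, or deny(403) for a default-deny allowlist"
  type        = string
  default     = "allow"
}

resource "google_compute_security_policy" "waf" {
  name = "example-waf-policy" # placeholder

  # Custom IP deny rule evaluated first (lowest priority number wins).
  rule {
    action      = "deny(403)"
    priority    = 100
    description = "Custom IP denylist (placeholder range)"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["203.0.113.0/24"]
      }
    }
  }

  # Preconfigured OWASP CRS rules. preview = true keeps them visible in logs
  # but non-blocking, which is how sensitivity is tuned before enforcement.
  rule {
    action      = "deny(403)"
    priority    = 1000
    preview     = var.waf_preview
    description = "OWASP CRS SQL injection"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  rule {
    action      = "deny(403)"
    priority    = 1001
    preview     = var.waf_preview
    description = "OWASP CRS cross-site scripting"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  # Per-client throttle keyed on source IP: conforming clients pass, the rest get 429.
  rule {
    action      = "throttle"
    priority    = 2000
    description = "Per-IP rate limit"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100 # placeholder threshold
        interval_sec = 60
      }
    }
  }

  # Mandatory default rule at the lowest possible priority. "allow" means
  # attaching the policy can never black-hole a backend; "deny(403)" turns the
  # policy into an allowlist where only earlier allow rules let traffic through.
  rule {
    action      = var.default_rule_action
    priority    = 2147483647
    description = "Default rule"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

# The policy enforces nothing until a backend service references it.
resource "google_compute_backend_service" "app" {
  name            = "example-backend" # placeholder
  protocol        = "HTTP"
  security_policy = google_compute_security_policy.waf.self_link
  # backend {} blocks and health_checks omitted; supply them for a real service.
}
```

When running in preview, check the load balancer request logs for the rule's `previewSecurityPolicy` fields before flipping `waf_preview` back to `false`; a sensitivity of 1 is the least false-positive prone CRS paranoia level, and raising it should be done one step at a time with a preview pass in between.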
Requirements
| Requirement | Version |
|---|---|
| Terraform / OpenTofu | >= 1.6 |
| hashicorp/google | >= 7.0, < 8.0 |
The Compute Engine API (compute.googleapis.com) must be enabled in the
project.
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).
Usage code & full reference unlock after purchase
The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
- Usage
- Inputs
- Outputs