IaC Bazaar
Google Cloud · Live-tested

Cloud Armor Security Policy (WAF)

A global Cloud Armor WAF policy with preconfigured OWASP SQLi and XSS rules enforcing by default, an optional per-client rate limit, and custom IP allow/deny rules — attachable to many backends.

terraform · Google Cloud · #gcp
gcp-cloud-armor · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

gcp-cloud-armor

A standalone Cloud Armor security policy — a global WAF for HTTP(S) backend services — with a mandatory default rule and the preconfigured OWASP Core Rule Set WAF rules (SQL injection and cross-site scripting) wired in, plus an optional per-client rate-limit rule. The policy is not attached to any backend; reference its name from a backend service's security_policy field so one policy can guard many backends. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Secure defaults:

  • SQLi and XSS preconfigured WAF rules on and enforcing (deny(403)), not in preview — flip waf_preview = true to tune sensitivity first.
  • Default rule allows traffic so attaching the policy never black-holes a backend; switch default_rule_action to a deny for a default-deny allowlist.
  • Adaptive Protection (L7 DDoS) is opt-in — it needs Cloud Armor Enterprise.
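The layout described above, written out as plain provider resources rather than the module itself (added example, not the module's own source): the two preconfigured OWASP WAF rules with a preview toggle, an optional per-client rate limit, the mandatory catch-all default rule, and a backend service pointing at the policy through its security_policy field. The resource names, priorities, sensitivity level and rate-limit threshold are assumed values.

```hcl
# Added example, not the module's source; names, priorities and thresholds are assumed.
locals { waf_rules = { "sqli-v33-stable" = 1000, "xss-v33-stable" = 1001 } } # OWASP CRS sets
resource "google_compute_security_policy" "waf" {
  name = "example-waf"
  # OWASP SQLi/XSS rules; in preview a match is only logged and the request still passes.
  dynamic "rule" {
    for_each = local.waf_rules
    content {
      priority = rule.value
      action   = "deny(403)"
      preview  = false # set true to log-only while tuning sensitivity, then flip back
      match {
        expr { expression = "evaluatePreconfiguredWaf('${rule.key}', {'sensitivity': 1})" }
      }
    }
  }
  # Optional per-client rate limit keyed on source IP (100 requests per 60 s assumed).
  rule {
    priority = 2000
    action   = "throttle"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100
        interval_sec = 60
      }
    }
  }
  # Mandatory catch-all at the lowest priority: "allow" keeps a freshly attached backend
  # reachable; "deny(403)" turns the policy into a default-deny allowlist.
  rule {
    priority = 2147483647
    action   = "allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
resource "google_compute_backend_service" "app" {
  name            = "example-app-backend"
  security_policy = google_compute_security_policy.waf.id
}
```

Because Cloud Armor evaluates rules in ascending priority order, the WAF rules fire before the rate limit and the default rule is reached only by requests nothing else matched.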

Requirements

Requirement              Version
Terraform / OpenTofu     >= 1.6
hashicorp/google         >= 7.0, < 8.0

The Compute Engine API (compute.googleapis.com) must be enabled in the project.

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
