From 70b27cfbb1fef52472d77c32a8c7d835b89da3c5 Mon Sep 17 00:00:00 2001
From: sunny2895
Date: Wed, 11 Mar 2026 12:43:39 -0600
Subject: [PATCH 1/3] feat(google_fastly_waf): add baseline protection variable and adjust immediate block logic

---
 google_fastly_waf/main.tf | 14 +++++++++++++-
 google_fastly_waf/variables.tf | 6 ++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/google_fastly_waf/main.tf b/google_fastly_waf/main.tf
index ff2f26e5..c142a83c 100644
--- a/google_fastly_waf/main.tf
+++ b/google_fastly_waf/main.tf
@@ -310,7 +310,19 @@ resource "sigsci_site" "ngwaf_edge_site" {
 block_duration_seconds = 86400
 agent_anon_mode = ""
 agent_level = var.ngwaf_agent_level # this setting dictates blocking mode
- immediate_block = var.ngwaf_immediate_block
+ immediate_block = var.ngwaf_baseline_protection ? false : var.ngwaf_immediate_block
+
+ dynamic "attack_threshold" {
+ for_each = var.ngwaf_baseline_protection ? [
+ { interval = 1, threshold = 3 },
+ { interval = 10, threshold = 10 },
+ { interval = 60, threshold = 60 },
+ ] : []
+ content {
+ interval = attack_threshold.value.interval
+ threshold = attack_threshold.value.threshold
+ }
+ }
 }
 
 resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
diff --git a/google_fastly_waf/variables.tf b/google_fastly_waf/variables.tf
index e2af3459..aa8be6dc 100644
--- a/google_fastly_waf/variables.tf
+++ b/google_fastly_waf/variables.tf
@@ -133,3 +133,9 @@ variable "ngwaf_percent_enabled" {
 type = number
 default = 100
 }
+
+variable "ngwaf_baseline_protection" {
+ type = bool
+ default = false
+ description = "When true, disables immediate blocking and enables baseline attack threshold alerts."
+}

From d6d07c4b38c2bf60f6e26967e8ee83ff4d9e8051 Mon Sep 17 00:00:00 2001
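Review bot: The new `immediate_block` ternary silently discards an explicit `ngwaf_immediate_block = true` whenever `ngwaf_baseline_protection` is also true, so a caller who asked for immediate blocking gets a site that does not block on the first attack signal, with no signal at plan time. Given the context line `agent_level = var.ngwaf_agent_level # this setting dictates blocking mode`, the two flags set together are a misconfiguration rather than a harmless override, and it is cheap to refuse the combination with a resource precondition (below) or at least to document the precedence with `# baseline protection takes precedence over var.ngwaf_immediate_block`. The `resource "sigsci_site"` block opens above the hunk; the precondition belongs inside it, before the closing `}` visible here.
```terraform
  # … unchanged: site settings, immediate_block ternary, dynamic "attack_threshold" …

  lifecycle {
    precondition {
      condition     = !(var.ngwaf_baseline_protection && var.ngwaf_immediate_block)
      error_message = "ngwaf_baseline_protection forces immediate_block = false; unset ngwaf_immediate_block or disable baseline protection."
    }
  }
}
```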
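Review bot: The description of `ngwaf_baseline_protection` promises "baseline attack threshold alerts", but nothing in this patch moves the agent to a log-only mode: the main.tf hunk leaves `agent_level = var.ngwaf_agent_level # this setting dictates blocking mode` untouched, so if the agent is in blocking mode, IPs that exceed a threshold are presumably still blocked (for the `block_duration_seconds = 86400` set above it) rather than merely reported. The description also omits that the flag overrides `ngwaf_immediate_block`. Suggested wording: `description = "When true, forces immediate_block to false (overriding ngwaf_immediate_block) and configures per-IP attack thresholds on the site; whether IPs that exceed a threshold are blocked or only logged still follows ngwaf_agent_level."`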
From: DimitriKirchner
Date: Thu, 12 Mar 2026 10:44:28 -0400
Subject: [PATCH 2/3] Add possibility of customizing thresholds if necessary

---
 google_fastly_waf/main.tf | 6 +-----
 google_fastly_waf/variables.tf | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/google_fastly_waf/main.tf b/google_fastly_waf/main.tf
index c142a83c..99185f1c 100644
--- a/google_fastly_waf/main.tf
+++ b/google_fastly_waf/main.tf
@@ -313,11 +313,7 @@ resource "sigsci_site" "ngwaf_edge_site" {
 immediate_block = var.ngwaf_baseline_protection ? false : var.ngwaf_immediate_block
 
 dynamic "attack_threshold" {
- for_each = var.ngwaf_baseline_protection ? [
- { interval = 1, threshold = 3 },
- { interval = 10, threshold = 10 },
- { interval = 60, threshold = 60 },
- ] : []
+ for_each = var.ngwaf_baseline_protection ? var.ngwaf_attack_thresholds : []
 content {
 interval = attack_threshold.value.interval
 threshold = attack_threshold.value.threshold
diff --git a/google_fastly_waf/variables.tf b/google_fastly_waf/variables.tf
index aa8be6dc..ad58af90 100644
--- a/google_fastly_waf/variables.tf
+++ b/google_fastly_waf/variables.tf
@@ -139,3 +139,22 @@ variable "ngwaf_baseline_protection" {
 default = false
 description = "When true, disables immediate blocking and enables baseline attack threshold alerts."
 }
+
+variable "ngwaf_attack_thresholds" {
+ type = list(object({
+ interval = number
+ threshold = number
+ }))
+ # To override the default thresholds, pass a custom list. Example:
+ # ngwaf_attack_thresholds = [
+ # { interval = 1, threshold = 50 },
+ # { interval = 10, threshold = 200 },
+ # { interval = 60, threshold = 1000 },
+ # ]
+ default = [
+ { interval = 1, threshold = 10 },
+ { interval = 10, threshold = 100 },
+ { interval = 60, threshold = 600 },
+ ]
+ description = "Attack threshold configurations applied when ngwaf_baseline_protection is enabled."
+}

From 955a836ed65918c33d40b88b466247272d2b0327 Mon Sep 17 00:00:00 2001
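Review bot: With `for_each = var.ngwaf_baseline_protection ? var.ngwaf_attack_thresholds : []`, turning `ngwaf_baseline_protection` back off removes every `attack_threshold` block from the configuration, and nothing in the hunk says whether the provider then resets the site to its default thresholds or leaves the previously applied custom values in place; for a WAF those two outcomes differ materially, since the custom values are only meant for the baseline period. Confirm the behaviour with a plan against a site that had the flag enabled and record the answer next to the `dynamic` block, e.g. `# when baseline protection is off no attack_threshold block is sent; confirmed the provider then restores <default|previous> thresholds`. The `resource "sigsci_site"` block opens above the hunk and its closing brace is outside it.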
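Review bot: The defaults for `ngwaf_attack_thresholds` (10/100/600) are looser than the values the previous commit hard-coded (3/10/60), and neither the variable nor the commit message says why, so a reader cannot tell whether this is deliberate tuning for the baseline period or a transcription slip; the unit of `interval` is not stated either. Add a why-comment above `default`, such as `# Deliberately permissive onboarding values (looser than the 3/10/60 first used); tighten once flagged traffic has been reviewed.`, and say what the fields mean in the description, e.g. `description = "Attack thresholds applied when ngwaf_baseline_protection is enabled: threshold is the number of attack-tagged requests from a single IP within interval (minutes)."`, adjusting the wording if the provider defines the fields differently.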
From: DimitriKirchner
Date: Thu, 12 Mar 2026 11:40:19 -0400
Subject: [PATCH 3/3] Add validation rule

---
 google_fastly_waf/variables.tf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/google_fastly_waf/variables.tf b/google_fastly_waf/variables.tf
index ad58af90..d2952032 100644
--- a/google_fastly_waf/variables.tf
+++ b/google_fastly_waf/variables.tf
@@ -157,4 +157,8 @@ variable "ngwaf_attack_thresholds" {
 { interval = 60, threshold = 600 },
 ]
 description = "Attack threshold configurations applied when ngwaf_baseline_protection is enabled."
+ validation {
+ condition = length(var.ngwaf_attack_thresholds) == 3
+ error_message = "ngwaf_attack_thresholds must contain exactly 3 entries (one each for the 1, 10, and 60 minute intervals)."
+ }
 }
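Review bot: The validation only pins the list length, so three entries that all use `interval = 1`, a zero or negative threshold, or an `interval = 5` entry all pass `terraform validate` and are only rejected (or, worse, silently accepted) at apply time, even though the error message itself names 1, 10 and 60 minutes as the expected interval set. Check the interval set and the threshold sign in the same rule so a misconfiguration fails at plan time, keeping `length(...) == 3` so a duplicated interval is still caught; the rewritten block is below.
```terraform
  validation {
    condition = (
      length(var.ngwaf_attack_thresholds) == 3
      && toset([for t in var.ngwaf_attack_thresholds : t.interval]) == toset([1, 10, 60])
      && alltrue([for t in var.ngwaf_attack_thresholds : t.threshold > 0])
    )
    error_message = "ngwaf_attack_thresholds must contain exactly 3 entries with intervals 1, 10 and 60 (minutes), each with a positive threshold."
  }
```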