How to create GCP Armor with Terraform (Blocks of type "expr" are not expected here.)

To create Cloud Armor on Google Cloud Platform,
I referred to https://runble1.com/gcp-terraform-cloud-armor/
and wrote the following Terraform file (*.tf), then ran the terraform plan command:

terraform {
  required_version = "~> 1.3.6"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 3.5.0"   # provider pin in effect when the error below was produced
    }
  }
}

provider "google" {
  credentials = file("../xxxx-xxxx.json")   # service-account key file (path redacted)
  project     = "xxxxx-999999"
  region      = "asia-northeast1"
}

# Armor
resource "google_compute_security_policy" "test_policy" {
  name = "xxxx-devxxxx-armor-01"

  # Advanced-mode rule: match on a CEL expression instead of versioned_expr/config
  rule {
    action = "deny(403)"
    match {
      expr {
        expression = "request.path.matches('/auth/realms/master/*')"
      }
    }
    preview  = false   # enforce, do not just log
    priority = 0       # lowest number = evaluated first
  }
}

Then an error occurred saying that expr cannot be written in the match block, as shown below.
How can I resolve this error?
(Where can I look for clues?)

(venv) sasaki@kXXXXXXXXX:~/workspace/terraform-dp/terraform_test$ terraform plan
╷
│ Error: Unsupported block type
│
│   on main.tf line 25, in resource "google_compute_security_policy" "test_policy":
│   25:       expr {
│
│ Blocks of type "expr" are not expected here.

OS is WSL2 Ubuntu 20.04.5 LTS (Focal Fossa)
Terraform version is v1.3.6
GCP provider version is v3.5.0 (hashicorp/google from the Terraform Registry)

I'm using GCP provider v4.42.1 and, at a glance, the resource definition/structure doesn't seem to have changed. But I guess the error message isn't that clear about what it might be missing.

With Cloud Armor, you need to specify a default (allow) rule with the lowest priority, which I don't see you having, so try adding the following rule as well:

  rule {
    action   = "allow"
    priority = 2147483647   # highest number = lowest precedence = the default rule
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }

Thank you for your reply.
After adding the default rule above, I ran the terraform plan command and got the same error:
Blocks of type "expr" are not expected here.

If there’s anything else I should try, please let me know.

Hello there,
I don't know how to change this in TF, but using the UI I noticed that "Blocks of type "expr" are not expected here." is thrown when you try to create a basic mode rule instead of an Advanced Mode rule.

I changed Terraform’s GCP plugin version to v4.5 and it worked fine.
Thank you very much.

xxxx/terraform_test$ terraform --version
Terraform v1.3.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.5.0
resource "google_compute_security_policy" "armor_01" {
  name = "test-terraform-armor-01"

  # Basic-mode rule (versioned_expr + config): the mandatory default rule at
  # the lowest precedence, 2147483647.
  rule {
    action      = "allow"
    description = "Default rule, higher priority overrides it"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    priority = 2147483647
  }

  # Advanced-mode rule (expr only); accepted once the provider is on v4.5.0.
  # matches() takes an RE2 regex string. The expression as originally posted,
  # request.path.matches('xxxxxxxx'.contains(origin.ip)), passes a bool to
  # matches() and would not type-check in Cloud Armor, so the source-IP part is
  # written with inIpRange() instead. Both 'xxxxxxxx' placeholders are as posted.
  rule {
    action = "deny(403)"
    match {
      expr {
        expression = "request.path.matches('xxxxxxxx') && inIpRange(origin.ip, 'xxxxxxxx')"
      }
    }
    priority = 100
  }
}
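As an added example, not code from the thread or from the linked article: the complete configuration that this thread's fix amounts to, in one file. It moves the provider to a 4.x release (the `~> 4.5` constraint is assumed; the thread only reports that v4.5.0 works), keeps the default basic-mode rule from the first reply, and rewrites the question's `expr` rule with a regex that means what the question intended. The project ID, policy name and the 203.0.113.0/24 range are placeholders, and the `credentials` line is left out so the provider falls back to Application Default Credentials.

```hcl
terraform {
  required_version = "~> 1.3"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.5"   # assumed; the 3.5.0 pin in the question rejects the expr block
    }
  }
}

provider "google" {
  # credentials omitted: Application Default Credentials are used instead of a key file
  project = "example-project"   # placeholder
  region  = "asia-northeast1"
}

resource "google_compute_security_policy" "armor_example" {
  name = "example-armor"   # placeholder

  # Basic-mode rule: versioned_expr + config. Every policy needs a rule at
  # priority 2147483647 (the lowest precedence); it applies when nothing else matches.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "default rule"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }

  # Advanced-mode rule: expr only, with no versioned_expr/config in the same match.
  # matches() takes an RE2 regular expression. In the question's
  # '/auth/realms/master/*' the '*' quantifies the preceding '/', so it means
  # "master" followed by zero or more slashes; '.*' matches the rest of the path.
  rule {
    action      = "deny(403)"
    priority    = 100
    description = "deny the /auth/realms/master path from the question"
    match {
      expr {
        expression = "request.path.matches('^/auth/realms/master/.*')"
      }
    }
  }

  # Same rule shape in preview mode: matches are logged but not enforced, which
  # is how to check an expression against live traffic before turning it on.
  # The CIDR is a constructed placeholder.
  rule {
    action      = "deny(403)"
    priority    = 200
    preview     = true
    description = "preview only: requests from a test range"
    match {
      expr {
        expression = "inIpRange(origin.ip, '203.0.113.0/24')"
      }
    }
  }
}
```

After changing the provider constraint, `terraform init -upgrade` is needed so the lock file picks up the 4.x release; `terraform plan` alone keeps the previously locked 3.5.0 and reports the same error.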