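# Cloud Armor security policy: Adaptive Protection (L7 DDoS), six preconfigured
# CRS v3.3 WAF rule sets, a per-client-IP throttle, and a default allow rule.
#
# Every rule except the default is `preview = true`. Preview rules only log the
# action they would have taken, so this policy currently enforces nothing
# beyond the default allow. Review the preview log entries, then set
# `preview = false` rule by rule to start enforcing.
#
# NOTE(review): no LFI / RFI / RCE rule sets are referenced here; confirm that
# is intentional for this backend.
resource "google_compute_security_policy" "cloud_armor_policy" {
  name = "supay-website-perca"

  # Adaptive Protection raises alerts and suggested rules for L7 floods.
  # No auto-deploy block is configured here, so it is presumably detection-only.
  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }

  # --- Preconfigured WAF rules (evaluated first) ---------------------------
  # Sensitivity 1 enables only the highest-confidence signatures of each set.

  rule {
    priority    = 1100
    description = "CRS v3.3 — SQLi (preview, sensitivity=1)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
      }
    }
    action  = "deny(403)"
    preview = true
  }

  rule {
    priority    = 1110
    description = "CRS v3.3 — XSS (preview, sensitivity=1)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
      }
    }
    action  = "deny(403)"
    preview = true
  }

  rule {
    priority    = 1120
    description = "CRS v3.3 — Method Enforcement (preview, sensitivity=1)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1})"
      }
    }
    action  = "deny(403)"
    preview = true
  }

  rule {
    priority    = 1130
    description = "CRS v3.3 — Protocol Attack (preview, sensitivity=1)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1})"
      }
    }
    action  = "deny(403)"
    preview = true
  }

  rule {
    priority    = 1140
    description = "CRS v3.3 — Session Fixation (preview, sensitivity=1)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1})"
      }
    }
    action  = "deny(403)"
    preview = true
  }

  # The PHP set runs at sensitivity 2, one level broader than the others.
  rule {
    priority    = 1150
    description = "CRS v3.3 — PHP signatures (preview, sensitivity=2)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 2})"
      }
    }
    action  = "deny(403)"
    preview = true
  }

  # --- Rate limiting (after the WAF rules) ---------------------------------
  # Priority moved from 1000 to 1200. Cloud Armor applies the first matching
  # rule and stops. This rule matches every request ("true") and its conform
  # action is "allow", so at priority 1000 it would have let conforming
  # requests through without the WAF rules ever being evaluated once preview
  # is switched off.
  #
  # enforce_on_key = "IP" counts per source IP, so clients behind a shared NAT
  # or proxy share one 100 req / 60 s budget.
  rule {
    priority    = 1200
    description = "Throttle per-client IP: 100 req / 60s"
    match {
      expr {
        expression = "true"
      }
    }
    action = "throttle"
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100
        interval_sec = 60
      }
    }
    preview = true
  }

  # --- Default rule --------------------------------------------------------
  # Lowest possible priority: allow anything no earlier rule acted on.
  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}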