remove unsupported ttl config and reset cloud armor

Signed-off-by: Max Ostapenko <1611259+max-ostapenko@users.noreply.github.com>

Author: max-ostapenko

terraform/modules/cdn-glb/cloud_armor.tf

@@ -6,59 +6,6 @@ resource "google_compute_security_policy" "security_policy" {
   type        = "CLOUD_ARMOR"
 }
 
-# Deny non-GET methods - priority 2147483625
-resource "google_compute_security_policy_rule" "deny_non_get" {
-  security_policy = google_compute_security_policy.security_policy.name
-  project         = var.project
-  action          = "deny(403)"
-  priority        = 2147483625
-  preview         = false
-  description     = "Deny non-GET methods"
-
-  match {
-    expr {
-      expression = "request.method.upper() != 'GET'"
-    }
-  }
-}
-
-# Block requests except whitelisted hosts - priority 2147483635
-resource "google_compute_security_policy_rule" "block_non_whitelisted_hosts" {
-  security_policy = google_compute_security_policy.security_policy.name
-  project         = var.project
-  action          = "deny(403)"
-  priority        = 2147483635
-  preview         = false
-  description     = "Block requests except whitelisted hosts"
-
-  match {
-    expr {
-      expression = "request.headers['host'].lower() != '${var.domain}'"
-    }
-  }
-}
-
-# Blacklisted user-agents - priority 2147483640
-resource "google_compute_security_policy_rule" "block_user_agents" {
-  security_policy = google_compute_security_policy.security_policy.name
-  project         = var.project
-  action          = "deny(403)"
-  priority        = 2147483640
-  preview         = false
-  description     = "Black-listed user-agents"
-
-  match {
-    expr {
-      expression = <<-EOT
-        has(request.headers['user-agent']) && (
-            request.headers['user-agent'].contains('GenomeCrawler') ||
-            request.headers['user-agent'].contains('AhrefsBot')
-        )
-      EOT
-    }
-  }
-}
-
 # Default rate limiting rule - priority 2147483646
 resource "google_compute_security_policy_rule" "rate_limit" {
   security_policy = google_compute_security_policy.security_policy.name

terraform/modules/cdn-glb/main.tf

@@ -28,9 +28,6 @@ resource "google_compute_backend_service" "backend" {
     for_each = var.enable_cdn ? [1] : []
     content {
       cache_mode                   = var.cdn_cache_mode
-      default_ttl                  = var.cdn_default_ttl
-      max_ttl                      = var.cdn_max_ttl
-      client_ttl                   = var.cdn_client_ttl
       serve_while_stale            = var.cdn_serve_while_stale
       negative_caching             = var.cdn_negative_caching
       signed_url_cache_max_age_sec = 0
@@ -84,6 +81,10 @@ resource "google_compute_managed_ssl_certificate" "ssl_cert" {
   managed {
     domains = [var.domain]
   }
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 # HTTPS Target Proxy
@@ -93,6 +94,10 @@ resource "google_compute_target_https_proxy" "https_proxy" {
   url_map          = google_compute_url_map.url_map.id
   ssl_certificates = [google_compute_managed_ssl_certificate.ssl_cert.id]
   quic_override    = "ENABLE"
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 

terraform/modules/cdn-glb/variables.tf

@@ -40,21 +40,6 @@ variable "cdn_cache_mode" {
   type        = string
   default     = "USE_ORIGIN_HEADERS"
 }
-variable "cdn_default_ttl" {
-  description = "Default TTL for cached content in seconds"
-  type        = number
-  default     = 2592000 # 30 days
-}
-variable "cdn_max_ttl" {
-  description = "Maximum TTL for cached content in seconds"
-  type        = number
-  default     = 2592000 # 30 days
-}
-variable "cdn_client_ttl" {
-  description = "Client TTL for cached content in seconds (browser cache)"
-  type        = number
-  default     = 3600 # 1 hour
-}
 variable "cdn_serve_while_stale" {
   description = "Time to serve stale content while revalidating in seconds"
   type        = number