google_compute_organization_security_policy_rule is missing support for several features

[jay617904]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

Cloud Armor's Hierarchical security policies were GA on October 15th.

We can see that Google's API used to modify a Cloud Armor policy supports the use of expressions but the Terraform resource (google_compute_organization_security_policy_rule) does not.

The idea behind Hierarchical security policies is that this can be a centralized location where we can enforce security policies across the entire organization, folders, or multiple projects. Currently, without support for expressions, this Terraform resource can only be used to manage basic allow/deny rules and cannot leverage advanced features such as Threat Intelligence, Address Groups, Adaptive Protection, etc.

Currently this functionality does exist in gcloud:

gcloud beta compute org-security-policies rules add-preconfig-waf-exclusion 1000 
--security-policy=1234567890 
--target-rule-set=sqli-stable 
--target-rule-ids=owasp-crs-v030001-id942110-sqli,owasp-crs-v030001-id942120-sqli 
--request-header-to-exclude='op=EQUALS,val=abc' 
--request-header-to-exclude='op=STARTS_WITH,val=xyz' 
--request-uri-to-exclude='op=EQUALS_ANY'

New or Affected Resource(s)

google_compute_organization_security_policy_rule

Potential Terraform Configuration

I believe it should be configured similarly to google_compute_security_policy_rule which is used to create Cloud Armor policies at the project level.

An example of a simple expression for geo-blocking:

match {
     expr {
          expression = "origin.region_code != 'US' && origin.region_code != 'CA' 
     }
}

Example of an expression with evaluatePreconfiguredWaf

match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 2})"
      }
    }

       preconfigured_waf_config {
      exclusion {
        request_header {
          operator = "STARTS_WITH"
          value    = "User-Agent:"
        }

        request_cookie {
          operator = "EQUALS_ANY"
        }

        request_uri {
          operator = "CONTAINS"
          value    = "/admin/"
        }

        request_query_param {
          operator = "EQUALS"
          value    = "api_key"
        }

        target_rule_set = "sqli-stable"
      }

      exclusion {
        request_query_param {
          operator = "EQUALS"
          value    = "user_input"
        }

        target_rule_set = "sqli-stable"
        target_rule_ids = [
          "owasp-crs-v030001-id942100-sqli",
          "owasp-crs-v030001-id942110-sqli"
        ]
      }

References

GA Announcement - https://docs.cloud.google.com/armor/docs/release-notes#October_15_2025
API Reference - https://docs.cloud.google.com/compute/docs/reference/rest/beta/organizationSecurityPolicies/addRule
gcloud Reference - https://docs.cloud.google.com/sdk/gcloud/reference/beta/compute/org-security-policies/rules/add-preconfig-waf-exclusion