feat(google_fastly_waf): add baseline protection variable and adjust immediate block logic (#447)

sseehra · Tibap · web-flow · commit f7cfb265e932 · 2026-03-12T13:48:05.000-04:00
* add baseline protection variable and adjust immediate block logic
* Add possibility of customizing thresholds if necessary
* Add validation rule

---------

Co-authored-by: DimitriKirchner &lt;dimitri.kirchner@gmail.com&gt;
diff --git a/google_fastly_waf/main.tf b/google_fastly_waf/main.tf
@@ -310,7 +310,15 @@ resource "sigsci_site" "ngwaf_edge_site" {
   block_duration_seconds = 86400
   agent_anon_mode        = ""
   agent_level            = var.ngwaf_agent_level # this setting dictates blocking mode
-  immediate_block        = var.ngwaf_immediate_block
+  immediate_block        = var.ngwaf_baseline_protection ? false : var.ngwaf_immediate_block
+
+  dynamic "attack_threshold" {
+    for_each = var.ngwaf_baseline_protection ? var.ngwaf_attack_thresholds : []
+    content {
+      interval  = attack_threshold.value.interval
+      threshold = attack_threshold.value.threshold
+    }
+  }
 }
 
 resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
diff --git a/google_fastly_waf/variables.tf b/google_fastly_waf/variables.tf
@@ -133,3 +133,32 @@ variable "ngwaf_percent_enabled" {
   type    = number
   default = 100
 }
+
+variable "ngwaf_baseline_protection" {
+  type        = bool
+  default     = false
+  description = "When true, disables immediate blocking and enables baseline attack threshold alerts."
+}
+
+variable "ngwaf_attack_thresholds" {
+  type = list(object({
+    interval  = number
+    threshold = number
+  }))
+  # To override the default thresholds, pass a custom list. Example:
+  # ngwaf_attack_thresholds = [
+  #   { interval = 1,  threshold = 50  },
+  #   { interval = 10, threshold = 200 },
+  #   { interval = 60, threshold = 1000 },
+  # ]
+  default = [
+    { interval = 1, threshold = 10 },
+    { interval = 10, threshold = 100 },
+    { interval = 60, threshold = 600 },
+  ]
+  description = "Attack threshold configurations applied when ngwaf_baseline_protection is enabled."
+  validation {
+    condition     = length(var.ngwaf_attack_thresholds) == 3
+    error_message = "ngwaf_attack_thresholds must contain exactly 3 entries (one each for the 1, 10, and 60 minute intervals)."
+  }
+}
