How to Import an Google Cloud Armor Security Policy into Terraform
terraback gcp import --method bulk. Terraback writes the matching google_compute_security_policy resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the full path projects/{project}/global/securityPolicies/{name} (for example, projects/my-project/global/securityPolicies/edge-armor).Import Google Cloud Armor Security Policy with Terraback (recommended)
Terraback reverse-engineers your live infrastructure: it reads the Cloud Armor resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live Google Cloud Armor Security Policy to managed Terraform.
Scan your Google Cloud account
terraback scan all gcp --project my-gcp-projectGenerate import blocks and import into state
terraback gcp import --method bulkThe Terraform import block
Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.
import {
to = google_compute_security_policy.edge
id = "projects/my-project/global/securityPolicies/edge-armor"
}Example google_compute_security_policy configuration
Here is a realistic Google Cloud Armor Security Policy block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.
resource "google_compute_security_policy" "edge" {
name = "edge-armor"
rule {
action = "deny(403)"
priority = 1000
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["192.0.2.0/24"]
}
}
}
rule {
action = "allow"
priority = 2147483647
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["*"]
}
}
}
}Gotchas when importing a Google Cloud Armor Security Policy
- Cloud Armor policies are global resources; the import path uses global/securityPolicies.
- The default rule at priority 2147483647 always exists and must be present in your config, or Terraform plans to remove it.
- All rules import inline as rule blocks; copy every priority and match expression exactly to avoid reordering churn.
- adaptive_protection_config and rate-limit options are nested settings that may need re-specifying after import.
Doing it manually with terraform import
The native approach is to write the google_compute_security_policy block by hand, then run terraform import google_compute_security_policy.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.
Import other Google Cloud resources
Import your whole Google Cloud account in minutes
Terraback scans 80+ Google Cloud resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.