Google Cloud Native is in preview. Google Cloud Classic is fully supported.
Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi
google-native.compute/alpha.getRegionSecurityPolicy
Explore with Pulumi AI
Google Cloud Native is in preview. Google Cloud Classic is fully supported.
Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi
List all of the ordered rules present in a single specified policy.
Using getRegionSecurityPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getRegionSecurityPolicy(args: GetRegionSecurityPolicyArgs, opts?: InvokeOptions): Promise<GetRegionSecurityPolicyResult>
function getRegionSecurityPolicyOutput(args: GetRegionSecurityPolicyOutputArgs, opts?: InvokeOptions): Output<GetRegionSecurityPolicyResult>
def get_region_security_policy(project: Optional[str] = None,
region: Optional[str] = None,
security_policy: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetRegionSecurityPolicyResult
def get_region_security_policy_output(project: Optional[pulumi.Input[str]] = None,
region: Optional[pulumi.Input[str]] = None,
security_policy: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetRegionSecurityPolicyResult]
func LookupRegionSecurityPolicy(ctx *Context, args *LookupRegionSecurityPolicyArgs, opts ...InvokeOption) (*LookupRegionSecurityPolicyResult, error)
func LookupRegionSecurityPolicyOutput(ctx *Context, args *LookupRegionSecurityPolicyOutputArgs, opts ...InvokeOption) LookupRegionSecurityPolicyResultOutput
> Note: This function is named LookupRegionSecurityPolicy
in the Go SDK.
public static class GetRegionSecurityPolicy
{
public static Task<GetRegionSecurityPolicyResult> InvokeAsync(GetRegionSecurityPolicyArgs args, InvokeOptions? opts = null)
public static Output<GetRegionSecurityPolicyResult> Invoke(GetRegionSecurityPolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetRegionSecurityPolicyResult> getRegionSecurityPolicy(GetRegionSecurityPolicyArgs args, InvokeOptions options)
public static Output<GetRegionSecurityPolicyResult> getRegionSecurityPolicy(GetRegionSecurityPolicyArgs args, InvokeOptions options)
fn::invoke:
function: google-native:compute/alpha:getRegionSecurityPolicy
arguments:
# arguments dictionary
The following arguments are supported:
- Region
This property is required. string - Security
Policy This property is required. string - Project string
- Region
This property is required. string - Security
Policy This property is required. string - Project string
- region
This property is required. String - security
Policy This property is required. String - project String
- region
This property is required. string - security
Policy This property is required. string - project string
- region
This property is required. str - security_
policy This property is required. str - project str
- region
This property is required. String - security
Policy This property is required. String - project String
getRegionSecurityPolicy Result
The following output properties are available:
- Adaptive
Protection Pulumi.Config Google Native. Compute. Alpha. Outputs. Security Policy Adaptive Protection Config Response - Advanced
Options Pulumi.Config Google Native. Compute. Alpha. Outputs. Security Policy Advanced Options Config Response - Associations
List<Pulumi.
Google Native. Compute. Alpha. Outputs. Security Policy Association Response> - A list of associations that belong to this policy.
- Cloud
Armor Pulumi.Config Google Native. Compute. Alpha. Outputs. Security Policy Cloud Armor Config Response - Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Ddos
Protection Pulumi.Config Google Native. Compute. Alpha. Outputs. Security Policy Ddos Protection Config Response - Description string
- An optional description of this resource. Provide this property when you create the resource.
- Display
Name string - User-provided name of the Organization security plicy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is FIREWALL. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - Fingerprint string
- Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
- Kind string
- [Output only] Type of the resource. Always compute#securityPolicyfor security policies
- Label
Fingerprint string - A fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
- Labels Dictionary<string, string>
- Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty.
- Name string
- Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - Parent string
- The parent of the security policy.
- Recaptcha
Options Pulumi.Config Google Native. Compute. Alpha. Outputs. Security Policy Recaptcha Options Config Response - Region string
- URL of the region where the regional security policy resides. This field is not applicable to global security policies.
- Rule
Tuple intCount - Total count of all security policy rule tuples. A security policy can not exceed a set number of tuples.
- Rules
List<Pulumi.
Google Native. Compute. Alpha. Outputs. Security Policy Rule Response> - A list of rules that belong to this policy. There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "" for srcIpRanges and for the networkMatch condition every field must be either match "" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
- Self
Link string - Server-defined URL for the resource.
- Self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- Type string
- The type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE: Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
- User
Defined List<Pulumi.Fields Google Native. Compute. Alpha. Outputs. Security Policy User Defined Field Response> - Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. Rules may then specify matching values for these fields. Example: userDefinedFields: - name: "ipv4_fragment_offset" base: IPV4 offset: 6 size: 2 mask: "0x1fff"
- Adaptive
Protection SecurityConfig Policy Adaptive Protection Config Response - Advanced
Options SecurityConfig Policy Advanced Options Config Response - Associations
[]Security
Policy Association Response - A list of associations that belong to this policy.
- Cloud
Armor SecurityConfig Policy Cloud Armor Config Response - Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Ddos
Protection SecurityConfig Policy Ddos Protection Config Response - Description string
- An optional description of this resource. Provide this property when you create the resource.
- Display
Name string - User-provided name of the Organization security plicy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is FIREWALL. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - Fingerprint string
- Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
- Kind string
- [Output only] Type of the resource. Always compute#securityPolicyfor security policies
- Label
Fingerprint string - A fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
- Labels map[string]string
- Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty.
- Name string
- Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - Parent string
- The parent of the security policy.
- Recaptcha
Options SecurityConfig Policy Recaptcha Options Config Response - Region string
- URL of the region where the regional security policy resides. This field is not applicable to global security policies.
- Rule
Tuple intCount - Total count of all security policy rule tuples. A security policy can not exceed a set number of tuples.
- Rules
[]Security
Policy Rule Response - A list of rules that belong to this policy. There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "" for srcIpRanges and for the networkMatch condition every field must be either match "" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
- Self
Link string - Server-defined URL for the resource.
- Self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- Type string
- The type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE: Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
- User
Defined []SecurityFields Policy User Defined Field Response - Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. Rules may then specify matching values for these fields. Example: userDefinedFields: - name: "ipv4_fragment_offset" base: IPV4 offset: 6 size: 2 mask: "0x1fff"
- adaptive
Protection SecurityConfig Policy Adaptive Protection Config Response - advanced
Options SecurityConfig Policy Advanced Options Config Response - associations
List<Security
Policy Association Response> - A list of associations that belong to this policy.
- cloud
Armor SecurityConfig Policy Cloud Armor Config Response - creation
Timestamp String - Creation timestamp in RFC3339 text format.
- ddos
Protection SecurityConfig Policy Ddos Protection Config Response - description String
- An optional description of this resource. Provide this property when you create the resource.
- display
Name String - User-provided name of the Organization security plicy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is FIREWALL. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - fingerprint String
- Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
- kind String
- [Output only] Type of the resource. Always compute#securityPolicyfor security policies
- label
Fingerprint String - A fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
- labels Map<String,String>
- Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty.
- name String
- Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - parent String
- The parent of the security policy.
- recaptcha
Options SecurityConfig Policy Recaptcha Options Config Response - region String
- URL of the region where the regional security policy resides. This field is not applicable to global security policies.
- rule
Tuple IntegerCount - Total count of all security policy rule tuples. A security policy can not exceed a set number of tuples.
- rules
List<Security
Policy Rule Response> - A list of rules that belong to this policy. There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "" for srcIpRanges and for the networkMatch condition every field must be either match "" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
- self
Link String - Server-defined URL for the resource.
- self
Link StringWith Id - Server-defined URL for this resource with the resource id.
- type String
- The type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE: Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
- user
Defined List<SecurityFields Policy User Defined Field Response> - Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. Rules may then specify matching values for these fields. Example: userDefinedFields: - name: "ipv4_fragment_offset" base: IPV4 offset: 6 size: 2 mask: "0x1fff"
- adaptive
Protection SecurityConfig Policy Adaptive Protection Config Response - advanced
Options SecurityConfig Policy Advanced Options Config Response - associations
Security
Policy Association Response[] - A list of associations that belong to this policy.
- cloud
Armor SecurityConfig Policy Cloud Armor Config Response - creation
Timestamp string - Creation timestamp in RFC3339 text format.
- ddos
Protection SecurityConfig Policy Ddos Protection Config Response - description string
- An optional description of this resource. Provide this property when you create the resource.
- display
Name string - User-provided name of the Organization security plicy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is FIREWALL. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - fingerprint string
- Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
- kind string
- [Output only] Type of the resource. Always compute#securityPolicyfor security policies
- label
Fingerprint string - A fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
- labels {[key: string]: string}
- Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty.
- name string
- Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - parent string
- The parent of the security policy.
- recaptcha
Options SecurityConfig Policy Recaptcha Options Config Response - region string
- URL of the region where the regional security policy resides. This field is not applicable to global security policies.
- rule
Tuple numberCount - Total count of all security policy rule tuples. A security policy can not exceed a set number of tuples.
- rules
Security
Policy Rule Response[] - A list of rules that belong to this policy. There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "" for srcIpRanges and for the networkMatch condition every field must be either match "" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
- self
Link string - Server-defined URL for the resource.
- self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- type string
- The type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE: Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
- user
Defined SecurityFields Policy User Defined Field Response[] - Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. Rules may then specify matching values for these fields. Example: userDefinedFields: - name: "ipv4_fragment_offset" base: IPV4 offset: 6 size: 2 mask: "0x1fff"
- adaptive_
protection_ Securityconfig Policy Adaptive Protection Config Response - advanced_
options_ Securityconfig Policy Advanced Options Config Response - associations
Sequence[Security
Policy Association Response] - A list of associations that belong to this policy.
- cloud_
armor_ Securityconfig Policy Cloud Armor Config Response - creation_
timestamp str - Creation timestamp in RFC3339 text format.
- ddos_
protection_ Securityconfig Policy Ddos Protection Config Response - description str
- An optional description of this resource. Provide this property when you create the resource.
- display_
name str - User-provided name of the Organization security plicy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is FIREWALL. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - fingerprint str
- Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
- kind str
- [Output only] Type of the resource. Always compute#securityPolicyfor security policies
- label_
fingerprint str - A fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
- labels Mapping[str, str]
- Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty.
- name str
- Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - parent str
- The parent of the security policy.
- recaptcha_
options_ Securityconfig Policy Recaptcha Options Config Response - region str
- URL of the region where the regional security policy resides. This field is not applicable to global security policies.
- rule_
tuple_ intcount - Total count of all security policy rule tuples. A security policy can not exceed a set number of tuples.
- rules
Sequence[Security
Policy Rule Response] - A list of rules that belong to this policy. There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "" for srcIpRanges and for the networkMatch condition every field must be either match "" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
- self_
link str - Server-defined URL for the resource.
- self_
link_ strwith_ id - Server-defined URL for this resource with the resource id.
- type str
- The type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE: Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
- user_
defined_ Sequence[Securityfields Policy User Defined Field Response] - Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. Rules may then specify matching values for these fields. Example: userDefinedFields: - name: "ipv4_fragment_offset" base: IPV4 offset: 6 size: 2 mask: "0x1fff"
- adaptive
Protection Property MapConfig - advanced
Options Property MapConfig - associations List<Property Map>
- A list of associations that belong to this policy.
- cloud
Armor Property MapConfig - creation
Timestamp String - Creation timestamp in RFC3339 text format.
- ddos
Protection Property MapConfig - description String
- An optional description of this resource. Provide this property when you create the resource.
- display
Name String - User-provided name of the Organization security plicy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is FIREWALL. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - fingerprint String
- Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
- kind String
- [Output only] Type of the resource. Always compute#securityPolicyfor security policies
- label
Fingerprint String - A fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
- labels Map<String>
- Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty.
- name String
- Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression
[a-z]([-a-z0-9]*[a-z0-9])?
which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. - parent String
- The parent of the security policy.
- recaptcha
Options Property MapConfig - region String
- URL of the region where the regional security policy resides. This field is not applicable to global security policies.
- rule
Tuple NumberCount - Total count of all security policy rule tuples. A security policy can not exceed a set number of tuples.
- rules List<Property Map>
- A list of rules that belong to this policy. There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "" for srcIpRanges and for the networkMatch condition every field must be either match "" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
- self
Link String - Server-defined URL for the resource.
- self
Link StringWith Id - Server-defined URL for this resource with the resource id.
- type String
- The type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE: Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
- user
Defined List<Property Map>Fields - Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. Rules may then specify matching values for these fields. Example: userDefinedFields: - name: "ipv4_fragment_offset" base: IPV4 offset: 6 size: 2 mask: "0x1fff"
Supporting Types
ExprResponse
- Description
This property is required. string - Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Expression
This property is required. string - Textual representation of an expression in Common Expression Language syntax.
- Location
This property is required. string - Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- Title
This property is required. string - Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- Description
This property is required. string - Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Expression
This property is required. string - Textual representation of an expression in Common Expression Language syntax.
- Location
This property is required. string - Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- Title
This property is required. string - Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- description
This property is required. String - Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- expression
This property is required. String - Textual representation of an expression in Common Expression Language syntax.
- location
This property is required. String - Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title
This property is required. String - Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- description
This property is required. string - Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- expression
This property is required. string - Textual representation of an expression in Common Expression Language syntax.
- location
This property is required. string - Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title
This property is required. string - Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- description
This property is required. str - Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- expression
This property is required. str - Textual representation of an expression in Common Expression Language syntax.
- location
This property is required. str - Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title
This property is required. str - Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- description
This property is required. String - Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- expression
This property is required. String - Textual representation of an expression in Common Expression Language syntax.
- location
This property is required. String - Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title
This property is required. String - Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
SecurityPolicyAdaptiveProtectionConfigAutoDeployConfigResponse
- Confidence
Threshold This property is required. double - Expiration
Sec This property is required. int - Impacted
Baseline Threshold This property is required. double - Load
Threshold This property is required. double
- Confidence
Threshold This property is required. float64 - Expiration
Sec This property is required. int - Impacted
Baseline Threshold This property is required. float64 - Load
Threshold This property is required. float64
- confidence
Threshold This property is required. Double - expiration
Sec This property is required. Integer - impacted
Baseline Threshold This property is required. Double - load
Threshold This property is required. Double
- confidence
Threshold This property is required. number - expiration
Sec This property is required. number - impacted
Baseline Threshold This property is required. number - load
Threshold This property is required. number
- confidence_
threshold This property is required. float - expiration_
sec This property is required. int - impacted_
baseline_ threshold This property is required. float - load_
threshold This property is required. float
- confidence
Threshold This property is required. Number - expiration
Sec This property is required. Number - impacted
Baseline Threshold This property is required. Number - load
Threshold This property is required. Number
SecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfigResponse
- Enable
This property is required. bool - If set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Rule
Visibility This property is required. string - Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Threshold
Configs This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Adaptive Protection Config Layer7Ddos Defense Config Threshold Config Response> - Configuration options for layer7 adaptive protection for various customizable thresholds.
- Enable
This property is required. bool - If set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Rule
Visibility This property is required. string - Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Threshold
Configs This property is required. []SecurityPolicy Adaptive Protection Config Layer7Ddos Defense Config Threshold Config Response - Configuration options for layer7 adaptive protection for various customizable thresholds.
- enable
This property is required. Boolean - If set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- rule
Visibility This property is required. String - Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- threshold
Configs This property is required. List<SecurityPolicy Adaptive Protection Config Layer7Ddos Defense Config Threshold Config Response> - Configuration options for layer7 adaptive protection for various customizable thresholds.
- enable
This property is required. boolean - If set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- rule
Visibility This property is required. string - Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- threshold
Configs This property is required. SecurityPolicy Adaptive Protection Config Layer7Ddos Defense Config Threshold Config Response[] - Configuration options for layer7 adaptive protection for various customizable thresholds.
- enable
This property is required. bool - If set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- rule_
visibility This property is required. str - Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- threshold_
configs This property is required. Sequence[SecurityPolicy Adaptive Protection Config Layer7Ddos Defense Config Threshold Config Response] - Configuration options for layer7 adaptive protection for various customizable thresholds.
- enable
This property is required. Boolean - If set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- rule
Visibility This property is required. String - Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- threshold
Configs This property is required. List<Property Map> - Configuration options for layer7 adaptive protection for various customizable thresholds.
SecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfigThresholdConfigResponse
- Auto
Deploy Confidence Threshold This property is required. double - Auto
Deploy Expiration Sec This property is required. int - Auto
Deploy Impacted Baseline Threshold This property is required. double - Auto
Deploy Load Threshold This property is required. double - Name
This property is required. string - The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the security policy.
- Auto
Deploy Confidence Threshold This property is required. float64 - Auto
Deploy Expiration Sec This property is required. int - Auto
Deploy Impacted Baseline Threshold This property is required. float64 - Auto
Deploy Load Threshold This property is required. float64 - Name
This property is required. string - The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the security policy.
- auto
Deploy Confidence Threshold This property is required. Double - auto
Deploy Expiration Sec This property is required. Integer - auto
Deploy Impacted Baseline Threshold This property is required. Double - auto
Deploy Load Threshold This property is required. Double - name
This property is required. String - The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the security policy.
- auto
Deploy Confidence Threshold This property is required. number - auto
Deploy Expiration Sec This property is required. number - auto
Deploy Impacted Baseline Threshold This property is required. number - auto
Deploy Load Threshold This property is required. number - name
This property is required. string - The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the security policy.
- auto_
deploy_ confidence_ threshold This property is required. float - auto_
deploy_ expiration_ sec This property is required. int - auto_
deploy_ impacted_ baseline_ threshold This property is required. float - auto_
deploy_ load_ threshold This property is required. float - name
This property is required. str - The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the security policy.
- auto
Deploy Confidence Threshold This property is required. Number - auto
Deploy Expiration Sec This property is required. Number - auto
Deploy Impacted Baseline Threshold This property is required. Number - auto
Deploy Load Threshold This property is required. Number - name
This property is required. String - The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the security policy.
SecurityPolicyAdaptiveProtectionConfigResponse
- Auto
Deploy Config This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Adaptive Protection Config Auto Deploy Config Response - Layer7Ddos
Defense Config This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Adaptive Protection Config Layer7Ddos Defense Config Response - If set to true, enables Cloud Armor Machine Learning.
- Auto
Deploy Config This property is required. SecurityPolicy Adaptive Protection Config Auto Deploy Config Response - Layer7Ddos
Defense Config This property is required. SecurityPolicy Adaptive Protection Config Layer7Ddos Defense Config Response - If set to true, enables Cloud Armor Machine Learning.
- auto
Deploy Config This property is required. SecurityPolicy Adaptive Protection Config Auto Deploy Config Response - layer7Ddos
Defense Config This property is required. SecurityPolicy Adaptive Protection Config Layer7Ddos Defense Config Response - If set to true, enables Cloud Armor Machine Learning.
- auto
Deploy Config This property is required. SecurityPolicy Adaptive Protection Config Auto Deploy Config Response - layer7Ddos
Defense Config This property is required. SecurityPolicy Adaptive Protection Config Layer7Ddos Defense Config Response - If set to true, enables Cloud Armor Machine Learning.
- auto_
deploy_ config This property is required. SecurityPolicy Adaptive Protection Config Auto Deploy Config Response - layer7_
ddos_ defense_ config This property is required. SecurityPolicy Adaptive Protection Config Layer7Ddos Defense Config Response - If set to true, enables Cloud Armor Machine Learning.
- auto
Deploy Config This property is required. Property Map - layer7Ddos
Defense Config This property is required. Property Map - If set to true, enables Cloud Armor Machine Learning.
SecurityPolicyAdvancedOptionsConfigJsonCustomConfigResponse
- Content
Types This property is required. List<string> - A list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type := type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
- Content
Types This property is required. []string - A list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type := type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
- content
Types This property is required. List<String> - A list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type := type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
- content
Types This property is required. string[] - A list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type := type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
- content_
types This property is required. Sequence[str] - A list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type := type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
- content
Types This property is required. List<String> - A list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type := type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
SecurityPolicyAdvancedOptionsConfigResponse
- Json
Custom Config This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Advanced Options Config Json Custom Config Response - Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD.
- Json
Parsing This property is required. string - Log
Level This property is required. string - User
Ip Request Headers This property is required. List<string> - An optional list of case-insensitive request header names to use for resolving the callers client IP address.
- Json
Custom Config This property is required. SecurityPolicy Advanced Options Config Json Custom Config Response - Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD.
- Json
Parsing This property is required. string - Log
Level This property is required. string - User
Ip Request Headers This property is required. []string - An optional list of case-insensitive request header names to use for resolving the callers client IP address.
- json
Custom Config This property is required. SecurityPolicy Advanced Options Config Json Custom Config Response - Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD.
- json
Parsing This property is required. String - log
Level This property is required. String - user
Ip Request Headers This property is required. List<String> - An optional list of case-insensitive request header names to use for resolving the callers client IP address.
- json
Custom Config This property is required. SecurityPolicy Advanced Options Config Json Custom Config Response - Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD.
- json
Parsing This property is required. string - log
Level This property is required. string - user
Ip Request Headers This property is required. string[] - An optional list of case-insensitive request header names to use for resolving the callers client IP address.
- json_
custom_ config This property is required. SecurityPolicy Advanced Options Config Json Custom Config Response - Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD.
- json_
parsing This property is required. str - log_
level This property is required. str - user_
ip_ request_ headers This property is required. Sequence[str] - An optional list of case-insensitive request header names to use for resolving the callers client IP address.
- json
Custom Config This property is required. Property Map - Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD.
- json
Parsing This property is required. String - log
Level This property is required. String - user
Ip Request Headers This property is required. List<String> - An optional list of case-insensitive request header names to use for resolving the callers client IP address.
SecurityPolicyAssociationResponse
- Attachment
Id This property is required. string - The resource that the security policy is attached to.
- Display
Name This property is required. string - The display name of the security policy of the association.
- Name
This property is required. string - The name for an association.
- Security
Policy Id This property is required. string - The security policy ID of the association.
- Attachment
Id This property is required. string - The resource that the security policy is attached to.
- Display
Name This property is required. string - The display name of the security policy of the association.
- Name
This property is required. string - The name for an association.
- Security
Policy Id This property is required. string - The security policy ID of the association.
- attachment
Id This property is required. String - The resource that the security policy is attached to.
- display
Name This property is required. String - The display name of the security policy of the association.
- name
This property is required. String - The name for an association.
- security
Policy Id This property is required. String - The security policy ID of the association.
- attachment
Id This property is required. string - The resource that the security policy is attached to.
- display
Name This property is required. string - The display name of the security policy of the association.
- name
This property is required. string - The name for an association.
- security
Policy Id This property is required. string - The security policy ID of the association.
- attachment_
id This property is required. str - The resource that the security policy is attached to.
- display_
name This property is required. str - The display name of the security policy of the association.
- name
This property is required. str - The name for an association.
- security_
policy_ id This property is required. str - The security policy ID of the association.
- attachment
Id This property is required. String - The resource that the security policy is attached to.
- display
Name This property is required. String - The display name of the security policy of the association.
- name
This property is required. String - The name for an association.
- security
Policy Id This property is required. String - The security policy ID of the association.
SecurityPolicyCloudArmorConfigResponse
- Enable
Ml This property is required. bool - If set to true, enables Cloud Armor Machine Learning.
- Enable
Ml This property is required. bool - If set to true, enables Cloud Armor Machine Learning.
- enable
Ml This property is required. Boolean - If set to true, enables Cloud Armor Machine Learning.
- enable
Ml This property is required. boolean - If set to true, enables Cloud Armor Machine Learning.
- enable_
ml This property is required. bool - If set to true, enables Cloud Armor Machine Learning.
- enable
Ml This property is required. Boolean - If set to true, enables Cloud Armor Machine Learning.
SecurityPolicyDdosProtectionConfigResponse
- Ddos
Protection This property is required. string
- Ddos
Protection This property is required. string
- ddos
Protection This property is required. String
- ddos
Protection This property is required. string
- ddos_
protection This property is required. str
- ddos
Protection This property is required. String
SecurityPolicyRecaptchaOptionsConfigResponse
- Redirect
Site Key This property is required. string - An optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Redirect
Site Key This property is required. string - An optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- redirect
Site Key This property is required. String - An optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- redirect
Site Key This property is required. string - An optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- redirect_
site_ key This property is required. str - An optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- redirect
Site Key This property is required. String - An optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
SecurityPolicyRuleHttpHeaderActionHttpHeaderOptionResponse
- Header
Name This property is required. string - The name of the header to set.
- Header
Value This property is required. string - The value to set the named header to.
- Header
Name This property is required. string - The name of the header to set.
- Header
Value This property is required. string - The value to set the named header to.
- header
Name This property is required. String - The name of the header to set.
- header
Value This property is required. String - The value to set the named header to.
- header
Name This property is required. string - The name of the header to set.
- header
Value This property is required. string - The value to set the named header to.
- header_
name This property is required. str - The name of the header to set.
- header_
value This property is required. str - The value to set the named header to.
- header
Name This property is required. String - The name of the header to set.
- header
Value This property is required. String - The value to set the named header to.
SecurityPolicyRuleHttpHeaderActionResponse
- Request
Headers To Adds This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Http Header Action Http Header Option Response> - The list of request headers to add or overwrite if they're already present.
- Request
Headers To Adds This property is required. []SecurityPolicy Rule Http Header Action Http Header Option Response - The list of request headers to add or overwrite if they're already present.
- request
Headers To Adds This property is required. List<SecurityPolicy Rule Http Header Action Http Header Option Response> - The list of request headers to add or overwrite if they're already present.
- request
Headers To Adds This property is required. SecurityPolicy Rule Http Header Action Http Header Option Response[] - The list of request headers to add or overwrite if they're already present.
- request_
headers_ to_ adds This property is required. Sequence[SecurityPolicy Rule Http Header Action Http Header Option Response] - The list of request headers to add or overwrite if they're already present.
- request
Headers To Adds This property is required. List<Property Map> - The list of request headers to add or overwrite if they're already present.
SecurityPolicyRuleMatcherConfigDestinationPortResponse
- Ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports
This property is required. List<string> - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- Ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports
This property is required. []string - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- ip
Protocol This property is required. String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports
This property is required. List<String> - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports
This property is required. string[] - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- ip_
protocol This property is required. str - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports
This property is required. Sequence[str] - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- ip
Protocol This property is required. String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports
This property is required. List<String> - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
SecurityPolicyRuleMatcherConfigLayer4ConfigResponse
- Ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports
This property is required. List<string> - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- Ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports
This property is required. []string - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- ip
Protocol This property is required. String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports
This property is required. List<String> - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports
This property is required. string[] - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- ip_
protocol This property is required. str - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports
This property is required. Sequence[str] - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
- ip
Protocol This property is required. String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports
This property is required. List<String> - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL.
SecurityPolicyRuleMatcherConfigResponse
- Dest
Ip Ranges This property is required. List<string> - CIDR IP address range. This field may only be specified when versioned_expr is set to FIREWALL.
- Dest
Ports This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Matcher Config Destination Port Response> - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- Layer4Configs
This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Matcher Config Layer4Config Response> - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- Src
Ip Ranges This property is required. List<string> - CIDR IP address range. Maximum number of src_ip_ranges allowed is 10.
- Dest
Ip Ranges This property is required. []string - CIDR IP address range. This field may only be specified when versioned_expr is set to FIREWALL.
- Dest
Ports This property is required. []SecurityPolicy Rule Matcher Config Destination Port Response - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- Layer4Configs
This property is required. []SecurityPolicy Rule Matcher Config Layer4Config Response - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- Src
Ip Ranges This property is required. []string - CIDR IP address range. Maximum number of src_ip_ranges allowed is 10.
- dest
Ip Ranges This property is required. List<String> - CIDR IP address range. This field may only be specified when versioned_expr is set to FIREWALL.
- dest
Ports This property is required. List<SecurityPolicy Rule Matcher Config Destination Port Response> - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- layer4Configs
This property is required. List<SecurityPolicy Rule Matcher Config Layer4Config Response> - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- src
Ip Ranges This property is required. List<String> - CIDR IP address range. Maximum number of src_ip_ranges allowed is 10.
- dest
Ip Ranges This property is required. string[] - CIDR IP address range. This field may only be specified when versioned_expr is set to FIREWALL.
- dest
Ports This property is required. SecurityPolicy Rule Matcher Config Destination Port Response[] - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- layer4Configs
This property is required. SecurityPolicy Rule Matcher Config Layer4Config Response[] - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- src
Ip Ranges This property is required. string[] - CIDR IP address range. Maximum number of src_ip_ranges allowed is 10.
- dest_
ip_ ranges This property is required. Sequence[str] - CIDR IP address range. This field may only be specified when versioned_expr is set to FIREWALL.
- dest_
ports This property is required. Sequence[SecurityPolicy Rule Matcher Config Destination Port Response] - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- layer4_
configs This property is required. Sequence[SecurityPolicy Rule Matcher Config Layer4Config Response] - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- src_
ip_ ranges This property is required. Sequence[str] - CIDR IP address range. Maximum number of src_ip_ranges allowed is 10.
- dest
Ip Ranges This property is required. List<String> - CIDR IP address range. This field may only be specified when versioned_expr is set to FIREWALL.
- dest
Ports This property is required. List<Property Map> - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- layer4Configs
This property is required. List<Property Map> - Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL.
- src
Ip Ranges This property is required. List<String> - CIDR IP address range. Maximum number of src_ip_ranges allowed is 10.
SecurityPolicyRuleMatcherExprOptionsRecaptchaOptionsResponse
- Action
Token Site Keys This property is required. List<string> - A list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- Session
Token Site Keys This property is required. List<string> - A list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- Action
Token Site Keys This property is required. []string - A list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- Session
Token Site Keys This property is required. []string - A list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- action
Token Site Keys This property is required. List<String> - A list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- session
Token Site Keys This property is required. List<String> - A list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- action
Token Site Keys This property is required. string[] - A list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- session
Token Site Keys This property is required. string[] - A list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- action_
token_ site_ keys This property is required. Sequence[str] - A list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- session_
token_ site_ keys This property is required. Sequence[str] - A list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- action
Token Site Keys This property is required. List<String> - A list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- session
Token Site Keys This property is required. List<String> - A list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
SecurityPolicyRuleMatcherExprOptionsResponse
- Recaptcha
Options This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Matcher Expr Options Recaptcha Options Response - reCAPTCHA configuration options to be applied for the rule. If the rule does not evaluate reCAPTCHA tokens, this field will have no effect.
- Recaptcha
Options This property is required. SecurityPolicy Rule Matcher Expr Options Recaptcha Options Response - reCAPTCHA configuration options to be applied for the rule. If the rule does not evaluate reCAPTCHA tokens, this field will have no effect.
- recaptcha
Options This property is required. SecurityPolicy Rule Matcher Expr Options Recaptcha Options Response - reCAPTCHA configuration options to be applied for the rule. If the rule does not evaluate reCAPTCHA tokens, this field will have no effect.
- recaptcha
Options This property is required. SecurityPolicy Rule Matcher Expr Options Recaptcha Options Response - reCAPTCHA configuration options to be applied for the rule. If the rule does not evaluate reCAPTCHA tokens, this field will have no effect.
- recaptcha_
options This property is required. SecurityPolicy Rule Matcher Expr Options Recaptcha Options Response - reCAPTCHA configuration options to be applied for the rule. If the rule does not evaluate reCAPTCHA tokens, this field will have no effect.
- recaptcha
Options This property is required. Property Map - reCAPTCHA configuration options to be applied for the rule. If the rule does not evaluate reCAPTCHA tokens, this field will have no effect.
SecurityPolicyRuleMatcherResponse
- Config
This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Matcher Config Response - The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified.
- Expr
This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Expr Response - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Expressions containing
evaluateThreatIntelligence
require Cloud Armor Managed Protection Plus tier and are not supported in Edge Policies nor in Regional Policies. Expressions containingevaluatePreconfiguredExpr('sourceiplist-*')
require Cloud Armor Managed Protection Plus tier and are only supported in Global Security Policies. - Expr
Options This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Matcher Expr Options Response - The configuration options available when specifying a user defined CEVAL expression (i.e., 'expr').
- Versioned
Expr This property is required. string - Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding src_ip_range field in config.
- Config
This property is required. SecurityPolicy Rule Matcher Config Response - The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified.
- Expr
This property is required. ExprResponse - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Expressions containing
evaluateThreatIntelligence
require Cloud Armor Managed Protection Plus tier and are not supported in Edge Policies nor in Regional Policies. Expressions containingevaluatePreconfiguredExpr('sourceiplist-*')
require Cloud Armor Managed Protection Plus tier and are only supported in Global Security Policies. - Expr
Options This property is required. SecurityPolicy Rule Matcher Expr Options Response - The configuration options available when specifying a user defined CEVAL expression (i.e., 'expr').
- Versioned
Expr This property is required. string - Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding src_ip_range field in config.
- config
This property is required. SecurityPolicy Rule Matcher Config Response - The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified.
- expr
This property is required. ExprResponse - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Expressions containing
evaluateThreatIntelligence
require Cloud Armor Managed Protection Plus tier and are not supported in Edge Policies nor in Regional Policies. Expressions containingevaluatePreconfiguredExpr('sourceiplist-*')
require Cloud Armor Managed Protection Plus tier and are only supported in Global Security Policies. - expr
Options This property is required. SecurityPolicy Rule Matcher Expr Options Response - The configuration options available when specifying a user defined CEVAL expression (i.e., 'expr').
- versioned
Expr This property is required. String - Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding src_ip_range field in config.
- config
This property is required. SecurityPolicy Rule Matcher Config Response - The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified.
- expr
This property is required. ExprResponse - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Expressions containing
evaluateThreatIntelligence
require Cloud Armor Managed Protection Plus tier and are not supported in Edge Policies nor in Regional Policies. Expressions containingevaluatePreconfiguredExpr('sourceiplist-*')
require Cloud Armor Managed Protection Plus tier and are only supported in Global Security Policies. - expr
Options This property is required. SecurityPolicy Rule Matcher Expr Options Response - The configuration options available when specifying a user defined CEVAL expression (i.e., 'expr').
- versioned
Expr This property is required. string - Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding src_ip_range field in config.
- config
This property is required. SecurityPolicy Rule Matcher Config Response - The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified.
- expr
This property is required. ExprResponse - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Expressions containing
evaluateThreatIntelligence
require Cloud Armor Managed Protection Plus tier and are not supported in Edge Policies nor in Regional Policies. Expressions containingevaluatePreconfiguredExpr('sourceiplist-*')
require Cloud Armor Managed Protection Plus tier and are only supported in Global Security Policies. - expr_
options This property is required. SecurityPolicy Rule Matcher Expr Options Response - The configuration options available when specifying a user defined CEVAL expression (i.e., 'expr').
- versioned_
expr This property is required. str - Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding src_ip_range field in config.
- config
This property is required. Property Map - The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified.
- expr
This property is required. Property Map - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Expressions containing
evaluateThreatIntelligence
require Cloud Armor Managed Protection Plus tier and are not supported in Edge Policies nor in Regional Policies. Expressions containingevaluatePreconfiguredExpr('sourceiplist-*')
require Cloud Armor Managed Protection Plus tier and are only supported in Global Security Policies. - expr
Options This property is required. Property Map - The configuration options available when specifying a user defined CEVAL expression (i.e., 'expr').
- versioned
Expr This property is required. String - Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding src_ip_range field in config.
SecurityPolicyRuleNetworkMatcherResponse
- Dest
Ip Ranges This property is required. List<string> - Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- Dest
Ports This property is required. List<string> - Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- Ip
Protocols This property is required. List<string> - IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
- Src
Asns This property is required. List<int> - BGP Autonomous System Number associated with the source IP address.
- Src
Ip Ranges This property is required. List<string> - Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- Src
Ports This property is required. List<string> - Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- Src
Region Codes This property is required. List<string> - Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
- User
Defined Fields This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Network Matcher User Defined Field Match Response> - User-defined fields. Each element names a defined field and lists the matching values for that field.
- Dest
Ip Ranges This property is required. []string - Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- Dest
Ports This property is required. []string - Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- Ip
Protocols This property is required. []string - IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
- Src
Asns This property is required. []int - BGP Autonomous System Number associated with the source IP address.
- Src
Ip Ranges This property is required. []string - Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- Src
Ports This property is required. []string - Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- Src
Region Codes This property is required. []string - Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
- User
Defined Fields This property is required. []SecurityPolicy Rule Network Matcher User Defined Field Match Response - User-defined fields. Each element names a defined field and lists the matching values for that field.
- dest
Ip Ranges This property is required. List<String> - Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- dest
Ports This property is required. List<String> - Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- ip
Protocols This property is required. List<String> - IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
- src
Asns This property is required. List<Integer> - BGP Autonomous System Number associated with the source IP address.
- src
Ip Ranges This property is required. List<String> - Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- src
Ports This property is required. List<String> - Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- src
Region Codes This property is required. List<String> - Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
- user
Defined Fields This property is required. List<SecurityPolicy Rule Network Matcher User Defined Field Match Response> - User-defined fields. Each element names a defined field and lists the matching values for that field.
- dest
Ip Ranges This property is required. string[] - Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- dest
Ports This property is required. string[] - Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- ip
Protocols This property is required. string[] - IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
- src
Asns This property is required. number[] - BGP Autonomous System Number associated with the source IP address.
- src
Ip Ranges This property is required. string[] - Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- src
Ports This property is required. string[] - Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- src
Region Codes This property is required. string[] - Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
- user
Defined Fields This property is required. SecurityPolicy Rule Network Matcher User Defined Field Match Response[] - User-defined fields. Each element names a defined field and lists the matching values for that field.
- dest_
ip_ ranges This property is required. Sequence[str] - Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- dest_
ports This property is required. Sequence[str] - Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- ip_
protocols This property is required. Sequence[str] - IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
- src_
asns This property is required. Sequence[int] - BGP Autonomous System Number associated with the source IP address.
- src_
ip_ ranges This property is required. Sequence[str] - Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- src_
ports This property is required. Sequence[str] - Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- src_
region_ codes This property is required. Sequence[str] - Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
- user_
defined_ fields This property is required. Sequence[SecurityPolicy Rule Network Matcher User Defined Field Match Response] - User-defined fields. Each element names a defined field and lists the matching values for that field.
- dest
Ip Ranges This property is required. List<String> - Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- dest
Ports This property is required. List<String> - Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- ip
Protocols This property is required. List<String> - IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
- src
Asns This property is required. List<Number> - BGP Autonomous System Number associated with the source IP address.
- src
Ip Ranges This property is required. List<String> - Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- src
Ports This property is required. List<String> - Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- src
Region Codes This property is required. List<String> - Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
- user
Defined Fields This property is required. List<Property Map> - User-defined fields. Each element names a defined field and lists the matching values for that field.
SecurityPolicyRuleNetworkMatcherUserDefinedFieldMatchResponse
- Name
This property is required. string - Name of the user-defined field, as given in the definition.
- Values
This property is required. List<string> - Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").
- Name
This property is required. string - Name of the user-defined field, as given in the definition.
- Values
This property is required. []string - Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").
- name
This property is required. String - Name of the user-defined field, as given in the definition.
- values
This property is required. List<String> - Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").
- name
This property is required. string - Name of the user-defined field, as given in the definition.
- values
This property is required. string[] - Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").
- name
This property is required. str - Name of the user-defined field, as given in the definition.
- values
This property is required. Sequence[str] - Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").
- name
This property is required. String - Name of the user-defined field, as given in the definition.
- values
This property is required. List<String> - Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").
SecurityPolicyRulePreconfiguredWafConfigExclusionFieldParamsResponse
SecurityPolicyRulePreconfiguredWafConfigExclusionResponse
This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Preconfigured Waf Config Exclusion Field Params Response> - A list of request cookie names whose value will be excluded from inspection during preconfigured WAF evaluation.
- Request
Headers To Exclude This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Preconfigured Waf Config Exclusion Field Params Response> - A list of request header names whose value will be excluded from inspection during preconfigured WAF evaluation.
- Request
Query Params To Exclude This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Preconfigured Waf Config Exclusion Field Params Response> - A list of request query parameter names whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
- Request
Uris To Exclude This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Preconfigured Waf Config Exclusion Field Params Response> - A list of request URIs from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
- Target
Rule Ids This property is required. List<string> - A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
- Target
Rule Set This property is required. string - Target WAF rule set to apply the preconfigured WAF exclusion.
This property is required. []SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response - A list of request cookie names whose value will be excluded from inspection during preconfigured WAF evaluation.
- Request
Headers To Exclude This property is required. []SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response - A list of request header names whose value will be excluded from inspection during preconfigured WAF evaluation.
- Request
Query Params To Exclude This property is required. []SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response - A list of request query parameter names whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
- Request
Uris To Exclude This property is required. []SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response - A list of request URIs from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
- Target
Rule Ids This property is required. []string - A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
- Target
Rule Set This property is required. string - Target WAF rule set to apply the preconfigured WAF exclusion.
This property is required. List<SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response> - A list of request cookie names whose value will be excluded from inspection during preconfigured WAF evaluation.
- request
Headers To Exclude This property is required. List<SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response> - A list of request header names whose value will be excluded from inspection during preconfigured WAF evaluation.
- request
Query Params To Exclude This property is required. List<SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response> - A list of request query parameter names whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
- request
Uris To Exclude This property is required. List<SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response> - A list of request URIs from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
- target
Rule Ids This property is required. List<String> - A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
- target
Rule Set This property is required. String - Target WAF rule set to apply the preconfigured WAF exclusion.
This property is required. SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response[] - A list of request cookie names whose value will be excluded from inspection during preconfigured WAF evaluation.
- request
Headers To Exclude This property is required. SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response[] - A list of request header names whose value will be excluded from inspection during preconfigured WAF evaluation.
- request
Query Params To Exclude This property is required. SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response[] - A list of request query parameter names whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
- request
Uris To Exclude This property is required. SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response[] - A list of request URIs from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
- target
Rule Ids This property is required. string[] - A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
- target
Rule Set This property is required. string - Target WAF rule set to apply the preconfigured WAF exclusion.
This property is required. Sequence[SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response] - A list of request cookie names whose value will be excluded from inspection during preconfigured WAF evaluation.
- request_
headers_ to_ exclude This property is required. Sequence[SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response] - A list of request header names whose value will be excluded from inspection during preconfigured WAF evaluation.
- request_
query_ params_ to_ exclude This property is required. Sequence[SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response] - A list of request query parameter names whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
- request_
uris_ to_ exclude This property is required. Sequence[SecurityPolicy Rule Preconfigured Waf Config Exclusion Field Params Response] - A list of request URIs from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
- target_
rule_ ids This property is required. Sequence[str] - A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
- target_
rule_ set This property is required. str - Target WAF rule set to apply the preconfigured WAF exclusion.
This property is required. List<Property Map>- A list of request cookie names whose value will be excluded from inspection during preconfigured WAF evaluation.
- request
Headers To Exclude This property is required. List<Property Map> - A list of request header names whose value will be excluded from inspection during preconfigured WAF evaluation.
- request
Query Params To Exclude This property is required. List<Property Map> - A list of request query parameter names whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
- request
Uris To Exclude This property is required. List<Property Map> - A list of request URIs from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
- target
Rule Ids This property is required. List<String> - A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
- target
Rule Set This property is required. String - Target WAF rule set to apply the preconfigured WAF exclusion.
SecurityPolicyRulePreconfiguredWafConfigResponse
- Exclusions
This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Preconfigured Waf Config Exclusion Response> - A list of exclusions to apply during preconfigured WAF evaluation.
- Exclusions
This property is required. []SecurityPolicy Rule Preconfigured Waf Config Exclusion Response - A list of exclusions to apply during preconfigured WAF evaluation.
- exclusions
This property is required. List<SecurityPolicy Rule Preconfigured Waf Config Exclusion Response> - A list of exclusions to apply during preconfigured WAF evaluation.
- exclusions
This property is required. SecurityPolicy Rule Preconfigured Waf Config Exclusion Response[] - A list of exclusions to apply during preconfigured WAF evaluation.
- exclusions
This property is required. Sequence[SecurityPolicy Rule Preconfigured Waf Config Exclusion Response] - A list of exclusions to apply during preconfigured WAF evaluation.
- exclusions
This property is required. List<Property Map> - A list of exclusions to apply during preconfigured WAF evaluation.
SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigResponse
- Enforce
On Key Name This property is required. string - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- Enforce
On Key Type This property is required. string - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- Enforce
On Key Name This property is required. string - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- Enforce
On Key Type This property is required. string - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- enforce
On Key Name This property is required. String - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- enforce
On Key Type This property is required. String - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- enforce
On Key Name This property is required. string - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- enforce
On Key Type This property is required. string - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- enforce_
on_ key_ name This property is required. str - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- enforce_
on_ key_ type This property is required. str - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- enforce
On Key Name This property is required. String - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- enforce
On Key Type This property is required. String - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
SecurityPolicyRuleRateLimitOptionsResponse
- Ban
Duration Sec This property is required. int - Can only be specified if the action for the rule is "rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
- Ban
Threshold This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Rate Limit Options Threshold Response - Can only be specified if the action for the rule is "rate_based_ban". If specified, the key will be banned for the configured 'ban_duration_sec' when the number of requests that exceed the 'rate_limit_threshold' also exceed this 'ban_threshold'.
- Conform
Action This property is required. string - Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.
- Enforce
On Key This property is required. string - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- Enforce
On Key Configs This property is required. List<Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Rate Limit Options Enforce On Key Config Response> - If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which ratelimit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must not be specified.
- Enforce
On Key Name This property is required. string - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- Exceed
Action This property is required. string - Action to take for requests that are above the configured rate limit threshold, to either deny with a specified HTTP response code, or redirect to a different endpoint. Valid options are
deny(STATUS)
, where valid values forSTATUS
are 403, 404, 429, and 502, andredirect
, where the redirect parameters come fromexceedRedirectOptions
below. Theredirect
action is only supported in Global Security Policies of type CLOUD_ARMOR. - Exceed
Action Rpc Status This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Rate Limit Options Rpc Status Response - Specified gRPC response status for proxyless gRPC requests that are above the configured rate limit threshold
- Exceed
Redirect Options This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Redirect Options Response - Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Rate
Limit Threshold This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Rate Limit Options Threshold Response - Threshold at which to begin ratelimiting.
- Ban
Duration Sec This property is required. int - Can only be specified if the action for the rule is "rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
- Ban
Threshold This property is required. SecurityPolicy Rule Rate Limit Options Threshold Response - Can only be specified if the action for the rule is "rate_based_ban". If specified, the key will be banned for the configured 'ban_duration_sec' when the number of requests that exceed the 'rate_limit_threshold' also exceed this 'ban_threshold'.
- Conform
Action This property is required. string - Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.
- Enforce
On Key This property is required. string - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- Enforce
On Key Configs This property is required. []SecurityPolicy Rule Rate Limit Options Enforce On Key Config Response - If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which ratelimit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must not be specified.
- Enforce
On Key Name This property is required. string - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- Exceed
Action This property is required. string - Action to take for requests that are above the configured rate limit threshold, to either deny with a specified HTTP response code, or redirect to a different endpoint. Valid options are
deny(STATUS)
, where valid values forSTATUS
are 403, 404, 429, and 502, andredirect
, where the redirect parameters come fromexceedRedirectOptions
below. Theredirect
action is only supported in Global Security Policies of type CLOUD_ARMOR. - Exceed
Action Rpc Status This property is required. SecurityPolicy Rule Rate Limit Options Rpc Status Response - Specified gRPC response status for proxyless gRPC requests that are above the configured rate limit threshold
- Exceed
Redirect Options This property is required. SecurityPolicy Rule Redirect Options Response - Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Rate
Limit Threshold This property is required. SecurityPolicy Rule Rate Limit Options Threshold Response - Threshold at which to begin ratelimiting.
- ban
Duration Sec This property is required. Integer - Can only be specified if the action for the rule is "rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
- ban
Threshold This property is required. SecurityPolicy Rule Rate Limit Options Threshold Response - Can only be specified if the action for the rule is "rate_based_ban". If specified, the key will be banned for the configured 'ban_duration_sec' when the number of requests that exceed the 'rate_limit_threshold' also exceed this 'ban_threshold'.
- conform
Action This property is required. String - Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.
- enforce
On Key This property is required. String - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- enforce
On Key Configs This property is required. List<SecurityPolicy Rule Rate Limit Options Enforce On Key Config Response> - If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which ratelimit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must not be specified.
- enforce
On Key Name This property is required. String - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- exceed
Action This property is required. String - Action to take for requests that are above the configured rate limit threshold, to either deny with a specified HTTP response code, or redirect to a different endpoint. Valid options are
deny(STATUS)
, where valid values forSTATUS
are 403, 404, 429, and 502, andredirect
, where the redirect parameters come fromexceedRedirectOptions
below. Theredirect
action is only supported in Global Security Policies of type CLOUD_ARMOR. - exceed
Action Rpc Status This property is required. SecurityPolicy Rule Rate Limit Options Rpc Status Response - Specified gRPC response status for proxyless gRPC requests that are above the configured rate limit threshold
- exceed
Redirect Options This property is required. SecurityPolicy Rule Redirect Options Response - Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- rate
Limit Threshold This property is required. SecurityPolicy Rule Rate Limit Options Threshold Response - Threshold at which to begin ratelimiting.
- ban
Duration Sec This property is required. number - Can only be specified if the action for the rule is "rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
- ban
Threshold This property is required. SecurityPolicy Rule Rate Limit Options Threshold Response - Can only be specified if the action for the rule is "rate_based_ban". If specified, the key will be banned for the configured 'ban_duration_sec' when the number of requests that exceed the 'rate_limit_threshold' also exceed this 'ban_threshold'.
- conform
Action This property is required. string - Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.
- enforce
On Key This property is required. string - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- enforce
On Key Configs This property is required. SecurityPolicy Rule Rate Limit Options Enforce On Key Config Response[] - If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which ratelimit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must not be specified.
- enforce
On Key Name This property is required. string - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- exceed
Action This property is required. string - Action to take for requests that are above the configured rate limit threshold, to either deny with a specified HTTP response code, or redirect to a different endpoint. Valid options are
deny(STATUS)
, where valid values forSTATUS
are 403, 404, 429, and 502, andredirect
, where the redirect parameters come fromexceedRedirectOptions
below. Theredirect
action is only supported in Global Security Policies of type CLOUD_ARMOR. - exceed
Action Rpc Status This property is required. SecurityPolicy Rule Rate Limit Options Rpc Status Response - Specified gRPC response status for proxyless gRPC requests that are above the configured rate limit threshold
- exceed
Redirect Options This property is required. SecurityPolicy Rule Redirect Options Response - Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- rate
Limit Threshold This property is required. SecurityPolicy Rule Rate Limit Options Threshold Response - Threshold at which to begin ratelimiting.
- ban_
duration_ sec This property is required. int - Can only be specified if the action for the rule is "rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
- ban_
threshold This property is required. SecurityPolicy Rule Rate Limit Options Threshold Response - Can only be specified if the action for the rule is "rate_based_ban". If specified, the key will be banned for the configured 'ban_duration_sec' when the number of requests that exceed the 'rate_limit_threshold' also exceed this 'ban_threshold'.
- conform_
action This property is required. str - Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.
- enforce_
on_ key This property is required. str - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- enforce_
on_ key_ configs This property is required. Sequence[SecurityPolicy Rule Rate Limit Options Enforce On Key Config Response] - If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which ratelimit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must not be specified.
- enforce_
on_ key_ name This property is required. str - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- exceed_
action This property is required. str - Action to take for requests that are above the configured rate limit threshold, to either deny with a specified HTTP response code, or redirect to a different endpoint. Valid options are
deny(STATUS)
, where valid values forSTATUS
are 403, 404, 429, and 502, andredirect
, where the redirect parameters come fromexceedRedirectOptions
below. Theredirect
action is only supported in Global Security Policies of type CLOUD_ARMOR. - exceed_
action_ rpc_ status This property is required. SecurityPolicy Rule Rate Limit Options Rpc Status Response - Specified gRPC response status for proxyless gRPC requests that are above the configured rate limit threshold
- exceed_
redirect_ options This property is required. SecurityPolicy Rule Redirect Options Response - Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- rate_
limit_ threshold This property is required. SecurityPolicy Rule Rate Limit Options Threshold Response - Threshold at which to begin ratelimiting.
- ban
Duration Sec This property is required. Number - Can only be specified if the action for the rule is "rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
- ban
Threshold This property is required. Property Map - Can only be specified if the action for the rule is "rate_based_ban". If specified, the key will be banned for the configured 'ban_duration_sec' when the number of requests that exceed the 'rate_limit_threshold' also exceed this 'ban_threshold'.
- conform
Action This property is required. String - Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.
- enforce
On Key This property is required. String - Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates.
- enforce
On Key Configs This property is required. List<Property Map> - If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which ratelimit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must not be specified.
- enforce
On Key Name This property is required. String - Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
- exceed
Action This property is required. String - Action to take for requests that are above the configured rate limit threshold, to either deny with a specified HTTP response code, or redirect to a different endpoint. Valid options are
deny(STATUS)
, where valid values forSTATUS
are 403, 404, 429, and 502, andredirect
, where the redirect parameters come fromexceedRedirectOptions
below. Theredirect
action is only supported in Global Security Policies of type CLOUD_ARMOR. - exceed
Action Rpc Status This property is required. Property Map - Specified gRPC response status for proxyless gRPC requests that are above the configured rate limit threshold
- exceed
Redirect Options This property is required. Property Map - Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- rate
Limit Threshold This property is required. Property Map - Threshold at which to begin ratelimiting.
SecurityPolicyRuleRateLimitOptionsRpcStatusResponse
SecurityPolicyRuleRateLimitOptionsThresholdResponse
- Count
This property is required. int - Number of HTTP(S) requests for calculating the threshold.
- Interval
Sec This property is required. int - Interval over which the threshold is computed.
- Count
This property is required. int - Number of HTTP(S) requests for calculating the threshold.
- Interval
Sec This property is required. int - Interval over which the threshold is computed.
- count
This property is required. Integer - Number of HTTP(S) requests for calculating the threshold.
- interval
Sec This property is required. Integer - Interval over which the threshold is computed.
- count
This property is required. number - Number of HTTP(S) requests for calculating the threshold.
- interval
Sec This property is required. number - Interval over which the threshold is computed.
- count
This property is required. int - Number of HTTP(S) requests for calculating the threshold.
- interval_
sec This property is required. int - Interval over which the threshold is computed.
- count
This property is required. Number - Number of HTTP(S) requests for calculating the threshold.
- interval
Sec This property is required. Number - Interval over which the threshold is computed.
SecurityPolicyRuleRedirectOptionsResponse
SecurityPolicyRuleResponse
- Action
This property is required. string - The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for
STATUS
are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - Description
This property is required. string - An optional description of this resource. Provide this property when you create the resource.
- Direction
This property is required. string - The direction in which this rule applies. This field may only be specified when versioned_expr is set to FIREWALL.
- Enable
Logging This property is required. bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. This field may only be specified when the versioned_expr is set to FIREWALL.
- Header
Action This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Http Header Action Response - Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Kind
This property is required. string - [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
- Match
This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Matcher Response - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Network
Match This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Network Matcher Response - A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.
- Preconfigured
Waf Config This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Preconfigured Waf Config Response - Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
- Preview
This property is required. bool - If set to true, the specified action is not enforced.
- Priority
This property is required. int - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Rate
Limit Options This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Rate Limit Options Response - Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.
- Redirect
Options This property is required. Pulumi.Google Native. Compute. Alpha. Inputs. Security Policy Rule Redirect Options Response - Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Redirect
Target This property is required. string - This must be specified for redirect actions. Cannot be specified for any other actions.
- Rule
Managed Protection Tier This property is required. string - The minimum managed protection tier required for this rule. [Deprecated] Use requiredManagedProtectionTiers instead.
- Rule
Number This property is required. string - Identifier for the rule. This is only unique within the given security policy. This can only be set during rule creation, if rule number is not specified it will be generated by the server.
- Rule
Tuple Count This property is required. int - Calculation of the complexity of a single firewall security policy rule.
- Target
Resources This property is required. List<string> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. This field may only be specified when versioned_expr is set to FIREWALL.
- Target
Service Accounts This property is required. List<string> - A list of service accounts indicating the sets of instances that are applied with this rule.
- Action
This property is required. string - The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for
STATUS
are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - Description
This property is required. string - An optional description of this resource. Provide this property when you create the resource.
- Direction
This property is required. string - The direction in which this rule applies. This field may only be specified when versioned_expr is set to FIREWALL.
- Enable
Logging This property is required. bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. This field may only be specified when the versioned_expr is set to FIREWALL.
- Header
Action This property is required. SecurityPolicy Rule Http Header Action Response - Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Kind
This property is required. string - [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
- Match
This property is required. SecurityPolicy Rule Matcher Response - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Network
Match This property is required. SecurityPolicy Rule Network Matcher Response - A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.
- Preconfigured
Waf Config This property is required. SecurityPolicy Rule Preconfigured Waf Config Response - Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
- Preview
This property is required. bool - If set to true, the specified action is not enforced.
- Priority
This property is required. int - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Rate
Limit Options This property is required. SecurityPolicy Rule Rate Limit Options Response - Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.
- Redirect
Options This property is required. SecurityPolicy Rule Redirect Options Response - Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- Redirect
Target This property is required. string - This must be specified for redirect actions. Cannot be specified for any other actions.
- Rule
Managed Protection Tier This property is required. string - The minimum managed protection tier required for this rule. [Deprecated] Use requiredManagedProtectionTiers instead.
- Rule
Number This property is required. string - Identifier for the rule. This is only unique within the given security policy. This can only be set during rule creation, if rule number is not specified it will be generated by the server.
- Rule
Tuple Count This property is required. int - Calculation of the complexity of a single firewall security policy rule.
- Target
Resources This property is required. []string - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. This field may only be specified when versioned_expr is set to FIREWALL.
- Target
Service Accounts This property is required. []string - A list of service accounts indicating the sets of instances that are applied with this rule.
- action
This property is required. String - The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for
STATUS
are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - description
This property is required. String - An optional description of this resource. Provide this property when you create the resource.
- direction
This property is required. String - The direction in which this rule applies. This field may only be specified when versioned_expr is set to FIREWALL.
- enable
Logging This property is required. Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. This field may only be specified when the versioned_expr is set to FIREWALL.
- header
Action This property is required. SecurityPolicy Rule Http Header Action Response - Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- kind
This property is required. String - [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
- match
This property is required. SecurityPolicy Rule Matcher Response - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- network
Match This property is required. SecurityPolicy Rule Network Matcher Response - A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.
- preconfigured
Waf Config This property is required. SecurityPolicy Rule Preconfigured Waf Config Response - Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
- preview
This property is required. Boolean - If set to true, the specified action is not enforced.
- priority
This property is required. Integer - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- rate
Limit Options This property is required. SecurityPolicy Rule Rate Limit Options Response - Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.
- redirect
Options This property is required. SecurityPolicy Rule Redirect Options Response - Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- redirect
Target This property is required. String - This must be specified for redirect actions. Cannot be specified for any other actions.
- rule
Managed Protection Tier This property is required. String - The minimum managed protection tier required for this rule. [Deprecated] Use requiredManagedProtectionTiers instead.
- rule
Number This property is required. String - Identifier for the rule. This is only unique within the given security policy. This can only be set during rule creation, if rule number is not specified it will be generated by the server.
- rule
Tuple Count This property is required. Integer - Calculation of the complexity of a single firewall security policy rule.
- target
Resources This property is required. List<String> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. This field may only be specified when versioned_expr is set to FIREWALL.
- target
Service Accounts This property is required. List<String> - A list of service accounts indicating the sets of instances that are applied with this rule.
- action
This property is required. string - The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for
STATUS
are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - description
This property is required. string - An optional description of this resource. Provide this property when you create the resource.
- direction
This property is required. string - The direction in which this rule applies. This field may only be specified when versioned_expr is set to FIREWALL.
- enable
Logging This property is required. boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. This field may only be specified when the versioned_expr is set to FIREWALL.
- header
Action This property is required. SecurityPolicy Rule Http Header Action Response - Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- kind
This property is required. string - [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
- match
This property is required. SecurityPolicy Rule Matcher Response - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- network
Match This property is required. SecurityPolicy Rule Network Matcher Response - A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.
- preconfigured
Waf Config This property is required. SecurityPolicy Rule Preconfigured Waf Config Response - Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
- preview
This property is required. boolean - If set to true, the specified action is not enforced.
- priority
This property is required. number - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- rate
Limit Options This property is required. SecurityPolicy Rule Rate Limit Options Response - Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.
- redirect
Options This property is required. SecurityPolicy Rule Redirect Options Response - Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- redirect
Target This property is required. string - This must be specified for redirect actions. Cannot be specified for any other actions.
- rule
Managed Protection Tier This property is required. string - The minimum managed protection tier required for this rule. [Deprecated] Use requiredManagedProtectionTiers instead.
- rule
Number This property is required. string - Identifier for the rule. This is only unique within the given security policy. This can only be set during rule creation, if rule number is not specified it will be generated by the server.
- rule
Tuple Count This property is required. number - Calculation of the complexity of a single firewall security policy rule.
- target
Resources This property is required. string[] - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. This field may only be specified when versioned_expr is set to FIREWALL.
- target
Service Accounts This property is required. string[] - A list of service accounts indicating the sets of instances that are applied with this rule.
- action
This property is required. str - The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for
STATUS
are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - description
This property is required. str - An optional description of this resource. Provide this property when you create the resource.
- direction
This property is required. str - The direction in which this rule applies. This field may only be specified when versioned_expr is set to FIREWALL.
- enable_
logging This property is required. bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. This field may only be specified when the versioned_expr is set to FIREWALL.
- header_
action This property is required. SecurityPolicy Rule Http Header Action Response - Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- kind
This property is required. str - [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
- match
This property is required. SecurityPolicy Rule Matcher Response - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- network_
match This property is required. SecurityPolicy Rule Network Matcher Response - A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.
- preconfigured_
waf_ config This property is required. SecurityPolicy Rule Preconfigured Waf Config Response - Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
- preview
This property is required. bool - If set to true, the specified action is not enforced.
- priority
This property is required. int - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- rate_
limit_ options This property is required. SecurityPolicy Rule Rate Limit Options Response - Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.
- redirect_
options This property is required. SecurityPolicy Rule Redirect Options Response - Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- redirect_
target This property is required. str - This must be specified for redirect actions. Cannot be specified for any other actions.
- rule_
managed_ protection_ tier This property is required. str - The minimum managed protection tier required for this rule. [Deprecated] Use requiredManagedProtectionTiers instead.
- rule_
number This property is required. str - Identifier for the rule. This is only unique within the given security policy. This can only be set during rule creation, if rule number is not specified it will be generated by the server.
- rule_
tuple_ count This property is required. int - Calculation of the complexity of a single firewall security policy rule.
- target_
resources This property is required. Sequence[str] - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. This field may only be specified when versioned_expr is set to FIREWALL.
- target_
service_ accounts This property is required. Sequence[str] - A list of service accounts indicating the sets of instances that are applied with this rule.
- action
This property is required. String - The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for
STATUS
are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - description
This property is required. String - An optional description of this resource. Provide this property when you create the resource.
- direction
This property is required. String - The direction in which this rule applies. This field may only be specified when versioned_expr is set to FIREWALL.
- enable
Logging This property is required. Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. This field may only be specified when the versioned_expr is set to FIREWALL.
- header
Action This property is required. Property Map - Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- kind
This property is required. String - [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
- match
This property is required. Property Map - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- network
Match This property is required. Property Map - A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.
- preconfigured
Waf Config This property is required. Property Map - Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
- preview
This property is required. Boolean - If set to true, the specified action is not enforced.
- priority
This property is required. Number - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- rate
Limit Options This property is required. Property Map - Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.
- redirect
Options This property is required. Property Map - Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- redirect
Target This property is required. String - This must be specified for redirect actions. Cannot be specified for any other actions.
- rule
Managed Protection Tier This property is required. String - The minimum managed protection tier required for this rule. [Deprecated] Use requiredManagedProtectionTiers instead.
- rule
Number This property is required. String - Identifier for the rule. This is only unique within the given security policy. This can only be set during rule creation, if rule number is not specified it will be generated by the server.
- rule
Tuple Count This property is required. Number - Calculation of the complexity of a single firewall security policy rule.
- target
Resources This property is required. List<String> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. This field may only be specified when versioned_expr is set to FIREWALL.
- target
Service Accounts This property is required. List<String> - A list of service accounts indicating the sets of instances that are applied with this rule.
SecurityPolicyUserDefinedFieldResponse
- Base
This property is required. string - The base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
- Mask
This property is required. string - If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
- Name
This property is required. string - The name of this field. Must be unique within the policy.
- Offset
This property is required. int - Offset of the first byte of the field (in network byte order) relative to 'base'.
- Size
This property is required. int - Size of the field in bytes. Valid values: 1-4.
- Base
This property is required. string - The base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
- Mask
This property is required. string - If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
- Name
This property is required. string - The name of this field. Must be unique within the policy.
- Offset
This property is required. int - Offset of the first byte of the field (in network byte order) relative to 'base'.
- Size
This property is required. int - Size of the field in bytes. Valid values: 1-4.
- base
This property is required. String - The base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
- mask
This property is required. String - If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
- name
This property is required. String - The name of this field. Must be unique within the policy.
- offset
This property is required. Integer - Offset of the first byte of the field (in network byte order) relative to 'base'.
- size
This property is required. Integer - Size of the field in bytes. Valid values: 1-4.
- base
This property is required. string - The base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
- mask
This property is required. string - If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
- name
This property is required. string - The name of this field. Must be unique within the policy.
- offset
This property is required. number - Offset of the first byte of the field (in network byte order) relative to 'base'.
- size
This property is required. number - Size of the field in bytes. Valid values: 1-4.
- base
This property is required. str - The base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
- mask
This property is required. str - If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
- name
This property is required. str - The name of this field. Must be unique within the policy.
- offset
This property is required. int - Offset of the first byte of the field (in network byte order) relative to 'base'.
- size
This property is required. int - Size of the field in bytes. Valid values: 1-4.
- base
This property is required. String - The base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
- mask
This property is required. String - If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
- name
This property is required. String - The name of this field. Must be unique within the policy.
- offset
This property is required. Number - Offset of the first byte of the field (in network byte order) relative to 'base'.
- size
This property is required. Number - Size of the field in bytes. Valid values: 1-4.
Package Details
- Repository
- Google Cloud Native pulumi/pulumi-google-native
- License
- Apache-2.0
Google Cloud Native is in preview. Google Cloud Classic is fully supported.
Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi