import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* AuthzPolicy is a resource that allows traffic to be forwarded to a callout backend designed to scan the traffic for security purposes.
*
* To get more information about AuthzPolicy, see:
*
* * [API documentation](https://cloud.google.com/load-balancing/docs/reference/network-security/rest/v1beta1/projects.locations.authzPolicies)
*
* ## Example Usage
*
* ## Import
*
* AuthzPolicy can be imported using any of these accepted formats:
*
* * `projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}`
*
* * `{{project}}/{{location}}/{{name}}`
*
* * `{{location}}/{{name}}`
*
* * `{{name}}`
*
* When using the `pulumi import` command, AuthzPolicy can be imported using one of the formats above. For example:
*
* ```sh
* $ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}
* ```
*
* ```sh
* $ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{project}}/{{location}}/{{name}}
* ```
*
* ```sh
* $ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{location}}/{{name}}
* ```
*
* ```sh
* $ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{name}}
* ```
*/
export declare class AuthzPolicy extends pulumi.CustomResource {
    /**
     * Get an existing AuthzPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The AuthzPolicy resource for the given name and ID.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthzPolicyState, opts?: pulumi.CustomResourceOptions): AuthzPolicy;
    /**
     * Returns true if the given object is an instance of AuthzPolicy. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * NOTE(review): `obj` is typed `any`, so call sites get no compile-time checking of the argument;
     * the result only narrows the static type. How the runtime check is performed is not visible in
     * this declaration.
     */
    static isInstance(obj: any): obj is AuthzPolicy;
    /**
     * The action this policy takes on requests that match it.
     * Possible values are: `ALLOW`, `DENY`, `CUSTOM`.
     *
     * - `CUSTOM`: `customProvider` must be specified.
     * - `ALLOW`: only requests matching the policy will be allowed.
     * - `DENY`: only requests matching the policy will be denied.
     *
     * When a request arrives, the policies are evaluated in the following order:
     * 1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using
     *    the custom authorization providers and the request is denied if the provider rejects the request.
     * 2. If there are any DENY policies that match the request, the request is denied.
     * 3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the
     *    request, the request is allowed.
     * 4. Otherwise the request is denied by default, because none of the configured AuthzPolicies
     *    with ALLOW action match the request.
     *
     * Security note: by step 3, a resource that has no ALLOW policy allows every request that was not
     * rejected in steps 1 and 2, so a DENY-only or CUSTOM-only configuration is default-allow. The
     * default-deny of step 4 applies only once at least one ALLOW policy exists for the resource.
     */
    readonly action: pulumi.Output<string>;
    /**
     * The timestamp when the resource was created.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to
     * Service Extensions. One of cloudIap or authzExtension must be specified.
     *
     * Under a CUSTOM policy a matching request is denied if the provider rejects it (see the
     * evaluation order documented on `action`).
     */
    readonly customProvider: pulumi.Output<outputs.networksecurity.AuthzPolicyCustomProvider | undefined>;
    /**
     * A human-readable description of the resource.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * All labels (key/value pairs) present on the resource in GCP, including the labels configured
     * through Pulumi, other clients and services.
     */
    readonly effectiveLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * A list of authorization HTTP rules to match against the incoming request. A policy match occurs
     * when at least one HTTP rule matches the request or when no HTTP rules are specified in the
     * policy. At least one HTTP rule is required for the ALLOW or DENY action. Limited to 5 rules.
     *
     * Security note: leaving this unset does not disable the policy. By the matching rule above, a
     * policy with no HTTP rules matches every request; since ALLOW and DENY require at least one
     * rule, this case is expected to arise only for CUSTOM policies.
     */
    readonly httpRules: pulumi.Output<outputs.networksecurity.AuthzPolicyHttpRule[] | undefined>;
    /**
     * Set of labels associated with this AuthzPolicy resource. **Note**: This field is
     * non-authoritative, and will only manage the labels present in your configuration. Labels added
     * by other clients or services are therefore not reflected here; refer to `effectiveLabels` for
     * all of the labels present on the resource.
     */
    readonly labels: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The location of the resource (the `{{location}}` segment of the
     * `projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}` resource path).
     */
    readonly location: pulumi.Output<string>;
    /**
     * Identifier. Name of the AuthzPolicy resource.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The project that owns the resource (the `{{project}}` segment of the
     * `projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}` resource path).
     */
    readonly project: pulumi.Output<string>;
    /**
     * The combination of labels configured directly on the resource
     * and default labels configured on the provider.
     */
    readonly pulumiLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Specifies the set of resources to which this policy should be applied.
     * The structure is described by `outputs.networksecurity.AuthzPolicyTarget`.
     */
    readonly target: pulumi.Output<outputs.networksecurity.AuthzPolicyTarget>;
    /**
     * The timestamp when the resource was updated.
     */
    readonly updateTime: pulumi.Output<string>;
    /**
     * Create an AuthzPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: AuthzPolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering AuthzPolicy resources.
*/
export interface AuthzPolicyState {
    /**
     * The action this policy takes on requests that match it.
     * Possible values are: `ALLOW`, `DENY`, `CUSTOM`.
     *
     * - `CUSTOM`: `customProvider` must be specified.
     * - `ALLOW`: only requests matching the policy will be allowed.
     * - `DENY`: only requests matching the policy will be denied.
     *
     * When a request arrives, the policies are evaluated in the following order:
     * 1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using
     *    the custom authorization providers and the request is denied if the provider rejects the request.
     * 2. If there are any DENY policies that match the request, the request is denied.
     * 3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the
     *    request, the request is allowed.
     * 4. Otherwise the request is denied by default, because none of the configured AuthzPolicies
     *    with ALLOW action match the request.
     *
     * Security note: by step 3, a resource that has no ALLOW policy allows every request that was not
     * rejected in steps 1 and 2, so a DENY-only or CUSTOM-only configuration is default-allow. The
     * default-deny of step 4 applies only once at least one ALLOW policy exists for the resource.
     */
    action?: pulumi.Input<string>;
    /**
     * The timestamp when the resource was created.
     *
     * NOTE(review): not part of `AuthzPolicyArgs`, so presumably set by the service rather than by
     * the user — confirm.
     */
    createTime?: pulumi.Input<string>;
    /**
     * Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to
     * Service Extensions. One of cloudIap or authzExtension must be specified.
     *
     * Under a CUSTOM policy a matching request is denied if the provider rejects it (see the
     * evaluation order documented on `action`).
     */
    customProvider?: pulumi.Input<inputs.networksecurity.AuthzPolicyCustomProvider>;
    /**
     * A human-readable description of the resource.
     */
    description?: pulumi.Input<string>;
    /**
     * All labels (key/value pairs) present on the resource in GCP, including the labels configured
     * through Pulumi, other clients and services.
     */
    effectiveLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * A list of authorization HTTP rules to match against the incoming request. A policy match occurs
     * when at least one HTTP rule matches the request or when no HTTP rules are specified in the
     * policy. At least one HTTP rule is required for the ALLOW or DENY action. Limited to 5 rules.
     *
     * Security note: leaving this unset does not disable the policy. By the matching rule above, a
     * policy with no HTTP rules matches every request; since ALLOW and DENY require at least one
     * rule, this case is expected to arise only for CUSTOM policies.
     */
    httpRules?: pulumi.Input<pulumi.Input<inputs.networksecurity.AuthzPolicyHttpRule>[]>;
    /**
     * Set of labels associated with this AuthzPolicy resource. **Note**: This field is
     * non-authoritative, and will only manage the labels present in your configuration. Labels added
     * by other clients or services are therefore not reflected here; refer to `effectiveLabels` for
     * all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location of the resource (the `{{location}}` segment of the
     * `projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}` resource path).
     */
    location?: pulumi.Input<string>;
    /**
     * Identifier. Name of the AuthzPolicy resource.
     */
    name?: pulumi.Input<string>;
    /**
     * The project that owns the resource (the `{{project}}` segment of the
     * `projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}` resource path).
     */
    project?: pulumi.Input<string>;
    /**
     * The combination of labels configured directly on the resource
     * and default labels configured on the provider.
     */
    pulumiLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Specifies the set of resources to which this policy should be applied.
     * The structure is described by `inputs.networksecurity.AuthzPolicyTarget`.
     */
    target?: pulumi.Input<inputs.networksecurity.AuthzPolicyTarget>;
    /**
     * The timestamp when the resource was updated.
     *
     * NOTE(review): not part of `AuthzPolicyArgs`, so presumably set by the service rather than by
     * the user — confirm.
     */
    updateTime?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing an AuthzPolicy resource.
*/
export interface AuthzPolicyArgs {
    /**
     * The action this policy takes on requests that match it. Required.
     * Possible values are: `ALLOW`, `DENY`, `CUSTOM`.
     *
     * - `CUSTOM`: `customProvider` must be specified.
     * - `ALLOW`: only requests matching the policy will be allowed.
     * - `DENY`: only requests matching the policy will be denied.
     *
     * When a request arrives, the policies are evaluated in the following order:
     * 1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using
     *    the custom authorization providers and the request is denied if the provider rejects the request.
     * 2. If there are any DENY policies that match the request, the request is denied.
     * 3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the
     *    request, the request is allowed.
     * 4. Otherwise the request is denied by default, because none of the configured AuthzPolicies
     *    with ALLOW action match the request.
     *
     * Security note: by step 3, a resource that has no ALLOW policy allows every request that was not
     * rejected in steps 1 and 2, so a DENY-only or CUSTOM-only configuration is default-allow. The
     * default-deny of step 4 applies only once at least one ALLOW policy exists for the resource.
     */
    action: pulumi.Input<string>;
    /**
     * Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to
     * Service Extensions. One of cloudIap or authzExtension must be specified.
     *
     * Under a CUSTOM policy a matching request is denied if the provider rejects it (see the
     * evaluation order documented on `action`). The field is optional in this type, so the
     * "required for CUSTOM" rule is not enforced by the compiler.
     */
    customProvider?: pulumi.Input<inputs.networksecurity.AuthzPolicyCustomProvider>;
    /**
     * A human-readable description of the resource.
     */
    description?: pulumi.Input<string>;
    /**
     * A list of authorization HTTP rules to match against the incoming request. A policy match occurs
     * when at least one HTTP rule matches the request or when no HTTP rules are specified in the
     * policy. At least one HTTP rule is required for the ALLOW or DENY action. Limited to 5 rules.
     *
     * Security note: leaving this unset does not disable the policy. By the matching rule above, a
     * policy with no HTTP rules matches every request; since ALLOW and DENY require at least one
     * rule, this case is expected to arise only for CUSTOM policies. The field is optional in this
     * type, so the "at least one rule" requirement is not enforced by the compiler.
     */
    httpRules?: pulumi.Input<pulumi.Input<inputs.networksecurity.AuthzPolicyHttpRule>[]>;
    /**
     * Set of labels associated with this AuthzPolicy resource. **Note**: This field is
     * non-authoritative, and will only manage the labels present in your configuration. Labels added
     * by other clients or services are therefore not reflected here; refer to the resource's
     * `effectiveLabels` output for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location of the resource (the `{{location}}` segment of the
     * `projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}` resource path). Required.
     */
    location: pulumi.Input<string>;
    /**
     * Identifier. Name of the AuthzPolicy resource.
     */
    name?: pulumi.Input<string>;
    /**
     * The project that owns the resource (the `{{project}}` segment of the
     * `projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}` resource path).
     *
     * NOTE(review): optional here, so a default is presumably taken from the provider
     * configuration — confirm which project a policy lands in when this is omitted.
     */
    project?: pulumi.Input<string>;
    /**
     * Specifies the set of resources to which this policy should be applied. Required.
     * The structure is described by `inputs.networksecurity.AuthzPolicyTarget`.
     */
    target: pulumi.Input<inputs.networksecurity.AuthzPolicyTarget>;
}