@pulumi/gcp

import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A rule for the RegionSecurityPolicy. * * To get more information about RegionSecurityPolicyRule, see: * * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/beta/regionSecurityPolicies/addRule) * * How-to Guides * * [Creating region security policy rules](https://cloud.google.com/armor/docs/configure-security-policies) * * ## Example Usage * * ### Region Security Policy Rule Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.RegionSecurityPolicy("default", { * region: "us-west2", * name: "policyruletest", * description: "basic region security policy", * type: "CLOUD_ARMOR", * }); * const policyRule = new gcp.compute.RegionSecurityPolicyRule("policy_rule", { * region: "us-west2", * securityPolicy: _default.name, * description: "new rule", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * ``` * ### Region Security Policy Rule Multiple Rules * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.RegionSecurityPolicy("default", { * region: "us-west2", * name: "policywithmultiplerules", * description: "basic region security policy", * type: "CLOUD_ARMOR", * }); * const policyRuleOne = new gcp.compute.RegionSecurityPolicyRule("policy_rule_one", { * region: "us-west2", * securityPolicy: _default.name, * description: "new rule one", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * const policyRuleTwo = new gcp.compute.RegionSecurityPolicyRule("policy_rule_two", { * region: "us-west2", * securityPolicy: _default.name, * description: "new rule two", * priority: 101, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: [ * "192.168.0.0/16", * "10.0.0.0/8", * ], * }, * }, * action: "allow", * preview: true, * }); * ``` * ### Region Security Policy Rule Default Rule * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.RegionSecurityPolicy("default", { * region: "us-west2", * name: "policywithdefaultrule", * description: "basic region security policy", * type: "CLOUD_ARMOR", * }); * const defaultRule = new gcp.compute.RegionSecurityPolicyRule("default_rule", { * region: "us-west2", * securityPolicy: _default.name, * description: "new rule", * action: "deny", * priority: 2147483647, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["*"], * }, * }, * }); * const policyRule = new gcp.compute.RegionSecurityPolicyRule("policy_rule", { * region: "us-west2", * securityPolicy: _default.name, * description: "new rule", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * ``` * ### Region Security Policy Rule With Preconfigured Waf Config * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.RegionSecurityPolicy("default", { * region: "asia-southeast1", * name: "policyruletest", * description: "basic region security policy", * type: "CLOUD_ARMOR", * }); * const policyRule = new gcp.compute.RegionSecurityPolicyRule("policy_rule", { * region: "asia-southeast1", * securityPolicy: _default.name, * description: "new rule", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * preconfiguredWafConfig: { * exclusions: [ * { * requestUris: [{ * operator: "STARTS_WITH", * value: "/admin", * }], * targetRuleSet: "rce-stable", * }, * { * requestQueryParams: [ * { * operator: "CONTAINS", * value: "password", * }, * { * operator: "STARTS_WITH", * value: "freeform", * }, * { * operator: "EQUALS", * value: "description", * }, * ], * targetRuleSet: "xss-stable", * targetRuleIds: [ * "owasp-crs-v030001-id941330-xss", * "owasp-crs-v030001-id941340-xss", * ], * }, * ], * }, * action: "allow", * preview: true, * }); * ``` * ### Region Security Policy Rule With Network Match * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * // First activate advanced network DDoS protection for the desired region * const policyddosprotection = new gcp.compute.RegionSecurityPolicy("policyddosprotection", { * region: "us-west2", * name: "policyddosprotection", * description: "policy for activating network DDoS protection for the desired region", * type: "CLOUD_ARMOR_NETWORK", * ddosProtectionConfig: { * ddosProtection: "ADVANCED_PREVIEW", * }, * }); * const edgeSecService = new gcp.compute.NetworkEdgeSecurityService("edge_sec_service", { * region: "us-west2", * name: "edgesecservice", * description: "linking policy to edge security service", * securityPolicy: policyddosprotection.selfLink, * }); * // Add the desired policy and custom rule. * const policynetworkmatch = new gcp.compute.RegionSecurityPolicy("policynetworkmatch", { * region: "us-west2", * name: "policyfornetworkmatch", * description: "region security policy for network match", * type: "CLOUD_ARMOR_NETWORK", * userDefinedFields: [{ * name: "SIG1_AT_0", * base: "TCP", * offset: 8, * size: 2, * mask: "0x8F00", * }], * }, { * dependsOn: [edgeSecService], * }); * const policyRuleNetworkMatch = new gcp.compute.RegionSecurityPolicyRule("policy_rule_network_match", { * region: "us-west2", * securityPolicy: policynetworkmatch.name, * description: "custom rule for network match", * priority: 100, * networkMatch: { * srcIpRanges: ["10.10.0.0/16"], * userDefinedFields: [{ * name: "SIG1_AT_0", * values: ["0x8F00"], * }], * }, * action: "allow", * preview: true, * }); * ``` * * ## Import * * RegionSecurityPolicyRule can be imported using any of these accepted formats: * * * `projects/{{project}}/regions/{{region}}/securityPolicies/{{security_policy}}/priority/{{priority}}` * * * `{{project}}/{{region}}/{{security_policy}}/{{priority}}` * * * `{{region}}/{{security_policy}}/{{priority}}` * * * `{{security_policy}}/{{priority}}` * * When using the `pulumi import` command, RegionSecurityPolicyRule can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/regionSecurityPolicyRule:RegionSecurityPolicyRule default projects/{{project}}/regions/{{region}}/securityPolicies/{{security_policy}}/priority/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionSecurityPolicyRule:RegionSecurityPolicyRule default {{project}}/{{region}}/{{security_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionSecurityPolicyRule:RegionSecurityPolicyRule default {{region}}/{{security_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionSecurityPolicyRule:RegionSecurityPolicyRule default {{security_policy}}/{{priority}} * ``` */ export declare class RegionSecurityPolicyRule extends pulumi.CustomResource { /** * Get an existing RegionSecurityPolicyRule resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RegionSecurityPolicyRuleState, opts?: pulumi.CustomResourceOptions): RegionSecurityPolicyRule; /** * Returns true if the given object is an instance of RegionSecurityPolicyRule. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is RegionSecurityPolicyRule; /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ readonly action: pulumi.Output<string>; /** * An optional description of this resource. Provide this property when you create the resource. */ readonly description: pulumi.Output<string | undefined>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ readonly match: pulumi.Output<outputs.compute.RegionSecurityPolicyRuleMatch | undefined>; /** * A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. * The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). * Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. * Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. * For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. * Example: * networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4FragmentOffset" values: - "1-0x1fff" * The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4FragmentOffset" with a value between 1 and 0x1fff inclusive * Structure is documented below. */ readonly networkMatch: pulumi.Output<outputs.compute.RegionSecurityPolicyRuleNetworkMatch | undefined>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ readonly preconfiguredWafConfig: pulumi.Output<outputs.compute.RegionSecurityPolicyRulePreconfiguredWafConfig | undefined>; /** * If set to true, the specified action is not enforced. */ readonly preview: pulumi.Output<boolean | undefined>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ readonly priority: pulumi.Output<number>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output<string>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ readonly rateLimitOptions: pulumi.Output<outputs.compute.RegionSecurityPolicyRuleRateLimitOptions | undefined>; /** * The Region in which the created Region Security Policy rule should reside. */ readonly region: pulumi.Output<string>; /** * The name of the security policy this rule belongs to. */ readonly securityPolicy: pulumi.Output<string>; /** * Create a RegionSecurityPolicyRule resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: RegionSecurityPolicyRuleArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering RegionSecurityPolicyRule resources. */ export interface RegionSecurityPolicyRuleState { /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ action?: pulumi.Input<string>; /** * An optional description of this resource. Provide this property when you create the resource. */ description?: pulumi.Input<string>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input<inputs.compute.RegionSecurityPolicyRuleMatch>; /** * A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. * The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). * Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. * Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. * For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. * Example: * networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4FragmentOffset" values: - "1-0x1fff" * The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4FragmentOffset" with a value between 1 and 0x1fff inclusive * Structure is documented below. */ networkMatch?: pulumi.Input<inputs.compute.RegionSecurityPolicyRuleNetworkMatch>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ preconfiguredWafConfig?: pulumi.Input<inputs.compute.RegionSecurityPolicyRulePreconfiguredWafConfig>; /** * If set to true, the specified action is not enforced. */ preview?: pulumi.Input<boolean>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ priority?: pulumi.Input<number>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input<string>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ rateLimitOptions?: pulumi.Input<inputs.compute.RegionSecurityPolicyRuleRateLimitOptions>; /** * The Region in which the created Region Security Policy rule should reside. */ region?: pulumi.Input<string>; /** * The name of the security policy this rule belongs to. */ securityPolicy?: pulumi.Input<string>; } /** * The set of arguments for constructing a RegionSecurityPolicyRule resource. */ export interface RegionSecurityPolicyRuleArgs { /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ action: pulumi.Input<string>; /** * An optional description of this resource. Provide this property when you create the resource. */ description?: pulumi.Input<string>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input<inputs.compute.RegionSecurityPolicyRuleMatch>; /** * A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. * The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). * Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. * Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. * For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. * Example: * networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4FragmentOffset" values: - "1-0x1fff" * The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4FragmentOffset" with a value between 1 and 0x1fff inclusive * Structure is documented below. */ networkMatch?: pulumi.Input<inputs.compute.RegionSecurityPolicyRuleNetworkMatch>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ preconfiguredWafConfig?: pulumi.Input<inputs.compute.RegionSecurityPolicyRulePreconfiguredWafConfig>; /** * If set to true, the specified action is not enforced. */ preview?: pulumi.Input<boolean>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ priority: pulumi.Input<number>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input<string>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ rateLimitOptions?: pulumi.Input<inputs.compute.RegionSecurityPolicyRuleRateLimitOptions>; /** * The Region in which the created Region Security Policy rule should reside. */ region: pulumi.Input<string>; /** * The name of the security policy this rule belongs to. */ securityPolicy: pulumi.Input<string>; }