@pulumi/gcp

import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A rule for the SecurityPolicy. * * To get more information about SecurityPolicyRule, see: * * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/securityPolicies/addRule) * * How-to Guides * * [Creating global security policy rules](https://cloud.google.com/armor/docs/configure-security-policies) * * ## Example Usage * * ### Security Policy Rule Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.SecurityPolicy("default", { * name: "policyruletest", * description: "basic global security policy", * type: "CLOUD_ARMOR", * }); * const policyRule = new gcp.compute.SecurityPolicyRule("policy_rule", { * securityPolicy: _default.name, * description: "new rule", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * ``` * ### Security Policy Rule Default Rule * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.SecurityPolicy("default", { * name: "policyruletest", * description: "basic global security policy", * type: "CLOUD_ARMOR", * }); * const defaultRule = new gcp.compute.SecurityPolicyRule("default_rule", { * securityPolicy: _default.name, * description: "default rule", * action: "deny", * priority: 2147483647, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["*"], * }, * }, * }); * const policyRule = new gcp.compute.SecurityPolicyRule("policy_rule", { * securityPolicy: _default.name, * description: "new rule", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * ``` * ### Security Policy Rule Multiple Rules * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.SecurityPolicy("default", { * name: "policywithmultiplerules", * description: "basic global security policy", * type: "CLOUD_ARMOR", * }); * const policyRuleOne = new gcp.compute.SecurityPolicyRule("policy_rule_one", { * securityPolicy: _default.name, * description: "new rule one", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * const policyRuleTwo = new gcp.compute.SecurityPolicyRule("policy_rule_two", { * securityPolicy: _default.name, * description: "new rule two", * priority: 101, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: [ * "192.168.0.0/16", * "10.0.0.0/8", * ], * }, * }, * action: "allow", * preview: true, * }); * ``` * * ## Import * * SecurityPolicyRule can be imported using any of these accepted formats: * * * `projects/{{project}}/global/securityPolicies/{{security_policy}}/priority/{{priority}}` * * * `{{project}}/{{security_policy}}/{{priority}}` * * * `{{security_policy}}/{{priority}}` * * When using the `pulumi import` command, SecurityPolicyRule can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/securityPolicyRule:SecurityPolicyRule default projects/{{project}}/global/securityPolicies/{{security_policy}}/priority/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/securityPolicyRule:SecurityPolicyRule default {{project}}/{{security_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/securityPolicyRule:SecurityPolicyRule default {{security_policy}}/{{priority}} * ``` */ export declare class SecurityPolicyRule extends pulumi.CustomResource { /** * Get an existing SecurityPolicyRule resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecurityPolicyRuleState, opts?: pulumi.CustomResourceOptions): SecurityPolicyRule; /** * Returns true if the given object is an instance of SecurityPolicyRule. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is SecurityPolicyRule; /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ readonly action: pulumi.Output<string>; /** * An optional description of this resource. Provide this property when you create the resource. */ readonly description: pulumi.Output<string | undefined>; /** * Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ readonly headerAction: pulumi.Output<outputs.compute.SecurityPolicyRuleHeaderAction | undefined>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ readonly match: pulumi.Output<outputs.compute.SecurityPolicyRuleMatch | undefined>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ readonly preconfiguredWafConfig: pulumi.Output<outputs.compute.SecurityPolicyRulePreconfiguredWafConfig | undefined>; /** * If set to true, the specified action is not enforced. */ readonly preview: pulumi.Output<boolean | undefined>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ readonly priority: pulumi.Output<number>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output<string>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ readonly rateLimitOptions: pulumi.Output<outputs.compute.SecurityPolicyRuleRateLimitOptions | undefined>; /** * Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ readonly redirectOptions: pulumi.Output<outputs.compute.SecurityPolicyRuleRedirectOptions | undefined>; /** * The name of the security policy this rule belongs to. */ readonly securityPolicy: pulumi.Output<string>; /** * Create a SecurityPolicyRule resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: SecurityPolicyRuleArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering SecurityPolicyRule resources. */ export interface SecurityPolicyRuleState { /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ action?: pulumi.Input<string>; /** * An optional description of this resource. Provide this property when you create the resource. */ description?: pulumi.Input<string>; /** * Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ headerAction?: pulumi.Input<inputs.compute.SecurityPolicyRuleHeaderAction>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input<inputs.compute.SecurityPolicyRuleMatch>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ preconfiguredWafConfig?: pulumi.Input<inputs.compute.SecurityPolicyRulePreconfiguredWafConfig>; /** * If set to true, the specified action is not enforced. */ preview?: pulumi.Input<boolean>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ priority?: pulumi.Input<number>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input<string>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ rateLimitOptions?: pulumi.Input<inputs.compute.SecurityPolicyRuleRateLimitOptions>; /** * Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ redirectOptions?: pulumi.Input<inputs.compute.SecurityPolicyRuleRedirectOptions>; /** * The name of the security policy this rule belongs to. */ securityPolicy?: pulumi.Input<string>; } /** * The set of arguments for constructing a SecurityPolicyRule resource. */ export interface SecurityPolicyRuleArgs { /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ action: pulumi.Input<string>; /** * An optional description of this resource. Provide this property when you create the resource. */ description?: pulumi.Input<string>; /** * Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ headerAction?: pulumi.Input<inputs.compute.SecurityPolicyRuleHeaderAction>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input<inputs.compute.SecurityPolicyRuleMatch>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ preconfiguredWafConfig?: pulumi.Input<inputs.compute.SecurityPolicyRulePreconfiguredWafConfig>; /** * If set to true, the specified action is not enforced. */ preview?: pulumi.Input<boolean>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ priority: pulumi.Input<number>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input<string>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ rateLimitOptions?: pulumi.Input<inputs.compute.SecurityPolicyRuleRateLimitOptions>; /** * Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ redirectOptions?: pulumi.Input<inputs.compute.SecurityPolicyRuleRedirectOptions>; /** * The name of the security policy this rule belongs to. */ securityPolicy: pulumi.Input<string>; }