import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * A rule for the OrganizationSecurityPolicy.
 *
 * A rule pairs a match condition (`match`) with an `action` and a `priority`; rules in a policy are
 * evaluated from lowest to highest priority number (0 first). Rules set to `preview: true` are
 * evaluated but not enforced, and `enableLogging` must be requested explicitly for a rule's
 * matches to be exported.
 *
 * To get more information about OrganizationSecurityPolicyRule, see:
 *
 * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/beta/organizationSecurityPolicies/addRule)
 * * How-to Guides
 *     * [Configure hierarchical security policies](https://docs.cloud.google.com/armor/docs/hierarchical-policies-using)
 *
 * ## Example Usage
 *
 * ### Organization Security Policy Rule Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.OrganizationSecurityPolicy("policy", {
 *     shortName: "tf-test_56730",
 *     parent: "organizations/123456789",
 *     type: "CLOUD_ARMOR",
 * });
 * const policyOrganizationSecurityPolicyRule = new gcp.compute.OrganizationSecurityPolicyRule("policy", {
 *     policyId: policy.id,
 *     action: "allow",
 *     match: {
 *         config: {
 *             srcIpRanges: ["192.168.0.0/16"],
 *         },
 *         versionedExpr: "SRC_IPS_V1",
 *     },
 *     priority: 100,
 * });
 * ```
 * ### Organization Security Policy Rule Expression
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.OrganizationSecurityPolicy("policy", {
 *     shortName: "tf-test_95154",
 *     parent: "organizations/123456789",
 *     type: "CLOUD_ARMOR",
 * });
 * const policyOrganizationSecurityPolicyRule = new gcp.compute.OrganizationSecurityPolicyRule("policy", {
 *     policyId: policy.id,
 *     action: "allow",
 *     match: {
 *         expr: {
 *             expression: "request.path.contains('/folder/test/')",
 *         },
 *         versionedExpr: "",
 *     },
 *     priority: 100,
 * });
 * ```
 * ### Organization Security Policy Rule With Preconfigured Waf Config
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.OrganizationSecurityPolicy("policy", {
 *     shortName: "tf-test_64336",
 *     parent: "organizations/123456789",
 *     type: "CLOUD_ARMOR",
 * });
 * const policyOrganizationSecurityPolicyRule = new gcp.compute.OrganizationSecurityPolicyRule("policy", {
 *     policyId: policy.id,
 *     action: "allow",
 *     match: {
 *         expr: {
 *             expression: "evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 2})",
 *         },
 *         versionedExpr: "",
 *     },
 *     preconfiguredWafConfig: {
 *         exclusions: [
 *             {
 *                 requestHeaders: [{
 *                     operator: "STARTS_WITH",
 *                     value: "User-Agent",
 *                 }],
 *                 requestUris: [{
 *                     operator: "CONTAINS",
 *                     value: "/admin/",
 *                 }],
 *                 targetRuleSet: "sqli-stable",
 *             },
 *             {
 *                 requestQueryParams: [{
 *                     operator: "EQUALS",
 *                     value: "user_input",
 *                 }],
 *                 targetRuleSet: "sqli-stable",
 *             },
 *         ],
 *     },
 *     priority: 100,
 * });
 * ```
 * ### Organization Security Policy Rule With Header Action
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.OrganizationSecurityPolicy("policy", {
 *     shortName: "tf-test_34962",
 *     parent: "organizations/123456789",
 *     type: "CLOUD_ARMOR",
 * });
 * const policyOrganizationSecurityPolicyRule = new gcp.compute.OrganizationSecurityPolicyRule("policy", {
 *     policyId: policy.id,
 *     action: "allow",
 *     match: {
 *         expr: {
 *             expression: "request.path.contains('/login/')",
 *         },
 *         versionedExpr: "",
 *     },
 *     headerAction: {
 *         requestHeadersToAdds: [
 *             {
 *                 headerName: "X-Forwarded-For",
 *                 headerValue: "true",
 *             },
 *             {
 *                 headerName: "X-Custom-Header",
 *                 headerValue: "custom-value",
 *             },
 *         ],
 *     },
 *     priority: 100,
 * });
 * ```
 * ### Organization Security Policy Rule With Redirect
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.OrganizationSecurityPolicy("policy", {
 *     shortName: "tf-test_74000",
 *     parent: "organizations/123456789",
 *     type: "CLOUD_ARMOR",
 * });
 * const policyOrganizationSecurityPolicyRule = new gcp.compute.OrganizationSecurityPolicyRule("policy", {
 *     policyId: policy.id,
 *     action: "redirect",
 *     match: {
 *         config: {
 *             srcIpRanges: ["10.0.1.0/24"],
 *         },
 *         versionedExpr: "SRC_IPS_V1",
 *     },
 *     redirectOptions: {
 *         type: "EXTERNAL_302",
 *         target: "https://www.example.com/blocked",
 *     },
 *     priority: 100,
 * });
 * ```
 * ### Organization Security Policy Rule Firewall
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.OrganizationSecurityPolicy("policy", {
 *     displayName: "tf-test",
 *     parent: "organizations/123456789",
 *     type: "FIREWALL",
 * });
 * const policyOrganizationSecurityPolicyRule = new gcp.compute.OrganizationSecurityPolicyRule("policy", {
 *     policyId: policy.id,
 *     action: "allow",
 *     direction: "INGRESS",
 *     enableLogging: true,
 *     match: {
 *         config: {
 *             srcIpRanges: [
 *                 "192.168.0.0/16",
 *                 "10.0.0.0/8",
 *             ],
 *             layer4Configs: [
 *                 {
 *                     ipProtocol: "tcp",
 *                     ports: ["22"],
 *                 },
 *                 {
 *                     ipProtocol: "icmp",
 *                 },
 *             ],
 *         },
 *     },
 *     priority: 100,
 * });
 * ```
 *
 * ## Import
 *
 * OrganizationSecurityPolicyRule can be imported using any of these accepted formats:
 *
 * * `{{policy_id}}/priority/{{priority}}`
 *
 * When using the `pulumi import` command, OrganizationSecurityPolicyRule can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:compute/organizationSecurityPolicyRule:OrganizationSecurityPolicyRule default {{policy_id}}/priority/{{priority}}
 * ```
 */
export declare class OrganizationSecurityPolicyRule extends pulumi.CustomResource {
    /**
     * Get an existing OrganizationSecurityPolicyRule resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OrganizationSecurityPolicyRuleState, opts?: pulumi.CustomResourceOptions): OrganizationSecurityPolicyRule;
    /**
     * Returns true if the given object is an instance of OrganizationSecurityPolicyRule. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * The parameter is `any` in the generated declaration; the type predicate narrows it for callers,
     * so no further `any` handling is needed after this check.
     */
    static isInstance(obj: any): obj is OrganizationSecurityPolicyRule;
    /**
     * The Action to perform when the client connection triggers the rule. Valid actions are:
     * "allow": allow access to target.
     * "deny": deny access to target.
     * "gotoNext": forward the request to the next hierarchical policy for evaluation.
     * "redirect": redirect to a different target. Parameters for this action can be configured via redirectOptions. Only EXTERNAL_302 redirect type is supported for organization security policies.
     *
     * The type is a plain `string`, so a misspelled action is not caught by the TypeScript compiler;
     * validation is left to the provider/API at deployment time.
     */
    readonly action: pulumi.Output<string>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     *
     * Consider "PREVENT" for rules whose removal would weaken enforcement (e.g. a "deny" rule),
     * so that an accidental destroy fails instead of silently dropping the rule.
     * The output is non-optional because a default always applies.
     */
    readonly deletionPolicy: pulumi.Output<string>;
    /**
     * A description of the rule.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * (Optional, Beta)
     * The direction in which this rule applies. If unspecified an INGRESS rule is created.
     * This field may only be specified when the versionedExpr is set to FIREWALL.
     * Possible values are: `INGRESS`, `EGRESS`.
     *
     * NOTE(review): the Firewall example above sets `type: "FIREWALL"` on the policy and no
     * `versionedExpr` in the match; confirm which field actually gates this property.
     */
    readonly direction: pulumi.Output<string | undefined>;
    /**
     * (Optional, Beta)
     * Denotes whether to enable logging for a particular rule.
     * If logging is enabled, logs will be exported to the
     * configured export destination in Stackdriver.
     * This field may only be specified when the versionedExpr is set to FIREWALL.
     *
     * Optional: when left unset this resource does not request logging, so the rule's matches
     * are not exported for monitoring. Set it explicitly where rule hits need to be observable.
     */
    readonly enableLogging: pulumi.Output<boolean | undefined>;
    /**
     * Optional, additional actions that are performed on headers.
     * See `outputs.compute.OrganizationSecurityPolicyRuleHeaderAction` for the structure.
     */
    readonly headerAction: pulumi.Output<outputs.compute.OrganizationSecurityPolicyRuleHeaderAction | undefined>;
    /**
     * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
     * See `outputs.compute.OrganizationSecurityPolicyRuleMatch` for the structure.
     */
    readonly match: pulumi.Output<outputs.compute.OrganizationSecurityPolicyRuleMatch>;
    /**
     * The ID of the OrganizationSecurityPolicy this rule applies to.
     */
    readonly policyId: pulumi.Output<string>;
    /**
     * Preconfigured WAF configuration to be applied for the rule.
     * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
     * See `outputs.compute.OrganizationSecurityPolicyRulePreconfiguredWafConfig` for the structure.
     *
     * Each exclusion narrows what the WAF rule set inspects; review exclusions as carefully as
     * the rule itself, since an over-broad exclusion removes coverage for the matched requests.
     */
    readonly preconfiguredWafConfig: pulumi.Output<outputs.compute.OrganizationSecurityPolicyRulePreconfiguredWafConfig | undefined>;
    /**
     * If set to true, the specified action is not enforced.
     *
     * A rule in preview mode provides no enforcement; use it to validate a match or expression
     * before turning the rule on, and clear it once the rule is meant to take effect.
     */
    readonly preview: pulumi.Output<boolean | undefined>;
    /**
     * An integer indicating the priority of a rule in the list. The priority must be a value
     * between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
     * highest priority and 2147483647 is the lowest priority.
     *
     * The priority is also part of the import ID (`{{policy_id}}/priority/{{priority}}`).
     */
    readonly priority: pulumi.Output<number>;
    /**
     * Parameters defining the redirect action. Cannot be specified for any other actions.
     * Note: For organization security policies, only EXTERNAL_302 redirect type is supported. GOOGLE_RECAPTCHA is not supported.
     * See `outputs.compute.OrganizationSecurityPolicyRuleRedirectOptions` for the structure.
     */
    readonly redirectOptions: pulumi.Output<outputs.compute.OrganizationSecurityPolicyRuleRedirectOptions | undefined>;
    /**
     * (Optional, Beta)
     * A list of network resource URLs to which this rule applies.
     * This field allows you to control which network's VMs get
     * this rule. If this field is left blank, all VMs
     * within the organization will receive the rule.
     *
     * Scope implication: omitting this field makes the rule organization-wide; set it when the
     * rule is intended for specific networks only.
     */
    readonly targetResources: pulumi.Output<string[] | undefined>;
    /**
     * (Optional, Beta)
     * A list of service accounts indicating the sets of
     * instances that are applied with this rule.
     */
    readonly targetServiceAccounts: pulumi.Output<string[] | undefined>;
    /**
     * Create a OrganizationSecurityPolicyRule resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties. `action`, `match`,
     *             `policyId` and `priority` are required; everything else is optional.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: OrganizationSecurityPolicyRuleArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering OrganizationSecurityPolicyRule resources.
 *
 * Every property is optional here because this shape is only used with
 * `OrganizationSecurityPolicyRule.get()` to qualify a lookup of an existing rule; it is not
 * the creation contract (see `OrganizationSecurityPolicyRuleArgs` for that).
 */
export interface OrganizationSecurityPolicyRuleState {
    /**
     * The Action to perform when the client connection triggers the rule. Valid actions are:
     * "allow": allow access to target.
     * "deny": deny access to target.
     * "gotoNext": forward the request to the next hierarchical policy for evaluation.
     * "redirect": redirect to a different target. Parameters for this action can be configured via redirectOptions. Only EXTERNAL_302 redirect type is supported for organization security policies.
     *
     * Plain `string`: a misspelled action is not caught by the compiler.
     */
    action?: pulumi.Input<string | undefined>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * A description of the rule.
     */
    description?: pulumi.Input<string | undefined>;
    /**
     * (Optional, Beta)
     * The direction in which this rule applies. If unspecified an INGRESS rule is created.
     * This field may only be specified when the versionedExpr is set to FIREWALL.
     * Possible values are: `INGRESS`, `EGRESS`.
     */
    direction?: pulumi.Input<string | undefined>;
    /**
     * (Optional, Beta)
     * Denotes whether to enable logging for a particular rule.
     * If logging is enabled, logs will be exported to the
     * configured export destination in Stackdriver.
     * This field may only be specified when the versionedExpr is set to FIREWALL.
     */
    enableLogging?: pulumi.Input<boolean | undefined>;
    /**
     * Optional, additional actions that are performed on headers.
     * See `inputs.compute.OrganizationSecurityPolicyRuleHeaderAction` for the structure.
     */
    headerAction?: pulumi.Input<inputs.compute.OrganizationSecurityPolicyRuleHeaderAction | undefined>;
    /**
     * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
     * See `inputs.compute.OrganizationSecurityPolicyRuleMatch` for the structure.
     */
    match?: pulumi.Input<inputs.compute.OrganizationSecurityPolicyRuleMatch | undefined>;
    /**
     * The ID of the OrganizationSecurityPolicy this rule applies to.
     */
    policyId?: pulumi.Input<string | undefined>;
    /**
     * Preconfigured WAF configuration to be applied for the rule.
     * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
     * See `inputs.compute.OrganizationSecurityPolicyRulePreconfiguredWafConfig` for the structure.
     */
    preconfiguredWafConfig?: pulumi.Input<inputs.compute.OrganizationSecurityPolicyRulePreconfiguredWafConfig | undefined>;
    /**
     * If set to true, the specified action is not enforced.
     * A rule in preview mode provides no enforcement.
     */
    preview?: pulumi.Input<boolean | undefined>;
    /**
     * An integer indicating the priority of a rule in the list. The priority must be a value
     * between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
     * highest priority and 2147483647 is the lowest priority.
     */
    priority?: pulumi.Input<number | undefined>;
    /**
     * Parameters defining the redirect action. Cannot be specified for any other actions.
     * Note: For organization security policies, only EXTERNAL_302 redirect type is supported. GOOGLE_RECAPTCHA is not supported.
     * See `inputs.compute.OrganizationSecurityPolicyRuleRedirectOptions` for the structure.
     */
    redirectOptions?: pulumi.Input<inputs.compute.OrganizationSecurityPolicyRuleRedirectOptions | undefined>;
    /**
     * (Optional, Beta)
     * A list of network resource URLs to which this rule applies.
     * This field allows you to control which network's VMs get
     * this rule. If this field is left blank, all VMs
     * within the organization will receive the rule.
     */
    targetResources?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * (Optional, Beta)
     * A list of service accounts indicating the sets of
     * instances that are applied with this rule.
     */
    targetServiceAccounts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
}
/**
 * The set of arguments for constructing a OrganizationSecurityPolicyRule resource.
 *
 * Required: `action`, `match`, `policyId`, `priority`. All other properties are optional;
 * note in particular that `enableLogging` is off unless requested and that omitting
 * `targetResources` makes the rule organization-wide.
 */
export interface OrganizationSecurityPolicyRuleArgs {
    /**
     * The Action to perform when the client connection triggers the rule. Valid actions are:
     * "allow": allow access to target.
     * "deny": deny access to target.
     * "gotoNext": forward the request to the next hierarchical policy for evaluation.
     * "redirect": redirect to a different target. Parameters for this action can be configured via redirectOptions. Only EXTERNAL_302 redirect type is supported for organization security policies.
     *
     * The type is a plain `string`, so a misspelled action is not caught by the TypeScript compiler;
     * validation is left to the provider/API at deployment time.
     */
    action: pulumi.Input<string>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     *
     * Consider "PREVENT" for rules whose removal would weaken enforcement (e.g. a "deny" rule),
     * so that an accidental destroy fails instead of silently dropping the rule.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * A description of the rule.
     */
    description?: pulumi.Input<string | undefined>;
    /**
     * (Optional, Beta)
     * The direction in which this rule applies. If unspecified an INGRESS rule is created.
     * This field may only be specified when the versionedExpr is set to FIREWALL.
     * Possible values are: `INGRESS`, `EGRESS`.
     */
    direction?: pulumi.Input<string | undefined>;
    /**
     * (Optional, Beta)
     * Denotes whether to enable logging for a particular rule.
     * If logging is enabled, logs will be exported to the
     * configured export destination in Stackdriver.
     * This field may only be specified when the versionedExpr is set to FIREWALL.
     *
     * Optional: when left unset this resource does not request logging, so the rule's matches
     * are not exported for monitoring. Set it explicitly where rule hits need to be observable.
     */
    enableLogging?: pulumi.Input<boolean | undefined>;
    /**
     * Optional, additional actions that are performed on headers.
     * See `inputs.compute.OrganizationSecurityPolicyRuleHeaderAction` for the structure.
     */
    headerAction?: pulumi.Input<inputs.compute.OrganizationSecurityPolicyRuleHeaderAction | undefined>;
    /**
     * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
     * See `inputs.compute.OrganizationSecurityPolicyRuleMatch` for the structure.
     */
    match: pulumi.Input<inputs.compute.OrganizationSecurityPolicyRuleMatch>;
    /**
     * The ID of the OrganizationSecurityPolicy this rule applies to.
     */
    policyId: pulumi.Input<string>;
    /**
     * Preconfigured WAF configuration to be applied for the rule.
     * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
     * See `inputs.compute.OrganizationSecurityPolicyRulePreconfiguredWafConfig` for the structure.
     *
     * Each exclusion narrows what the WAF rule set inspects; review exclusions as carefully as
     * the rule itself, since an over-broad exclusion removes coverage for the matched requests.
     */
    preconfiguredWafConfig?: pulumi.Input<inputs.compute.OrganizationSecurityPolicyRulePreconfiguredWafConfig | undefined>;
    /**
     * If set to true, the specified action is not enforced.
     *
     * A rule in preview mode provides no enforcement; use it to validate a match or expression
     * before turning the rule on, and clear it once the rule is meant to take effect.
     */
    preview?: pulumi.Input<boolean | undefined>;
    /**
     * An integer indicating the priority of a rule in the list. The priority must be a value
     * between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the
     * highest priority and 2147483647 is the lowest priority.
     *
     * The priority is also part of the import ID (`{{policy_id}}/priority/{{priority}}`).
     */
    priority: pulumi.Input<number>;
    /**
     * Parameters defining the redirect action. Cannot be specified for any other actions.
     * Note: For organization security policies, only EXTERNAL_302 redirect type is supported. GOOGLE_RECAPTCHA is not supported.
     * See `inputs.compute.OrganizationSecurityPolicyRuleRedirectOptions` for the structure.
     */
    redirectOptions?: pulumi.Input<inputs.compute.OrganizationSecurityPolicyRuleRedirectOptions | undefined>;
    /**
     * (Optional, Beta)
     * A list of network resource URLs to which this rule applies.
     * This field allows you to control which network's VMs get
     * this rule. If this field is left blank, all VMs
     * within the organization will receive the rule.
     *
     * Scope implication: omitting this field makes the rule organization-wide; set it when the
     * rule is intended for specific networks only.
     */
    targetResources?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * (Optional, Beta)
     * A list of service accounts indicating the sets of
     * instances that are applied with this rule.
     */
    targetServiceAccounts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
}
//# sourceMappingURL=organizationSecurityPolicyRule.d.ts.map