@pulumi/gcp

import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A rule for the SecurityPolicy. * * To get more information about SecurityPolicyRule, see: * * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/securityPolicies/addRule) * * How-to Guides * * [Creating global security policy rules](https://cloud.google.com/armor/docs/configure-security-policies) * * ## Example Usage * * ### Security Policy Rule Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.SecurityPolicy("default", { * name: "policyruletest", * description: "basic global security policy", * type: "CLOUD_ARMOR", * }); * const policyRule = new gcp.compute.SecurityPolicyRule("policy_rule", { * securityPolicy: _default.name, * description: "new rule", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * ``` * ### Security Policy Rule Default Rule * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.SecurityPolicy("default", { * name: "policyruletest", * description: "basic global security policy", * type: "CLOUD_ARMOR", * }); * const defaultRule = new gcp.compute.SecurityPolicyRule("default_rule", { * securityPolicy: _default.name, * description: "default rule", * action: "deny", * priority: 2147483647, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["*"], * }, * }, * }); * const policyRule = new gcp.compute.SecurityPolicyRule("policy_rule", { * securityPolicy: _default.name, * description: "new rule", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * ``` * ### Security Policy Rule Multiple Rules * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.SecurityPolicy("default", { * name: "policywithmultiplerules", * description: "basic global security policy", * type: "CLOUD_ARMOR", * }); * const policyRuleOne = new gcp.compute.SecurityPolicyRule("policy_rule_one", { * securityPolicy: _default.name, * description: "new rule one", * priority: 100, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["10.10.0.0/16"], * }, * }, * action: "allow", * preview: true, * }); * const policyRuleTwo = new gcp.compute.SecurityPolicyRule("policy_rule_two", { * securityPolicy: _default.name, * description: "new rule two", * priority: 101, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: [ * "192.168.0.0/16", * "10.0.0.0/8", * ], * }, * }, * action: "allow", * preview: true, * }); * ``` * ### Security Policy Rule Advanced Features * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const policy = new gcp.compute.SecurityPolicy("policy", { * name: "policyruletest", * description: "Security policy with WAF exclusions, Headers, and Redirect", * }); * const policySecurityPolicyRule = new gcp.compute.SecurityPolicyRule("policy", { * securityPolicy: policy.name, * description: "Complex rule using advanced features: WAF config, header actions, and redirect options", * priority: 100, * action: "allow", * match: { * expr: { * expression: "request.path.matches('/api/v1/.*')", * }, * }, * preconfiguredWafConfig: { * exclusions: [{ * targetRuleSet: "sqli-v33-stable", * targetRuleIds: ["owasp-crs-v030301-id942100-sqli"], * requestHeaders: [{ * operator: "EQUALS", * value: "internal-scan", * }], * }], * }, * headerAction: { * requestHeadersToAdds: [{ * headerName: "X-Added-By-Armor", * headerValue: "Verified-Traffic", * }], * }, * }); * ``` * ### Security Policy Rule With Body Exclude * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.Network("default", { * name: "test-network", * autoCreateSubnetworks: false, * }); * const defaultSubnetwork = new gcp.compute.Subnetwork("default", { * name: "test-subnet", * region: "us-west2", * network: _default.id, * ipCidrRange: "10.10.0.0/24", * }); * const defaultHealthCheck = new gcp.compute.HealthCheck("default", { * name: "test-health-check", * httpHealthCheck: { * port: 80, * }, * }); * const defaultSecurityPolicy = new gcp.compute.SecurityPolicy("default", { * name: "policyruletest", * description: "global security policy with body inspection", * type: "CLOUD_ARMOR", * advancedOptionsConfig: { * jsonParsing: "STANDARD", * logLevel: "VERBOSE", * }, * }); * const defaultInstanceTemplate = new gcp.compute.InstanceTemplate("default", { * networkInterfaces: [{ * accessConfigs: [{}], * subnetwork: defaultSubnetwork.id, * }], * name: "backendpolicy", * machineType: "e2-micro", * disks: [{ * sourceImage: "projects/debian-cloud/global/images/family/debian-11", * autoDelete: true, * boot: true, * }], * }); * const defaultInstanceGroupManager = new gcp.compute.InstanceGroupManager("default", { * name: "backendpolicy", * baseInstanceName: "backend", * zone: "us-west2-a", * versions: [{ * instanceTemplate: defaultInstanceTemplate.id, * }], * targetSize: 1, * }); * const defaultBackendService = new gcp.compute.BackendService("default", { * name: "backendpolicy", * protocol: "HTTP", * loadBalancingScheme: "EXTERNAL_MANAGED", * timeoutSec: 30, * healthChecks: defaultHealthCheck.id, * backends: [{ * group: defaultInstanceGroupManager.instanceGroup, * }], * securityPolicy: defaultSecurityPolicy.id, * }); * const policyRuleOne = new gcp.compute.SecurityPolicyRule("policy_rule_one", { * securityPolicy: defaultSecurityPolicy.name, * description: "waf body rule", * action: "deny(403)", * priority: 100, * preview: true, * match: { * expr: { * expression: "evaluatePreconfiguredWaf('sqli-v33-stable')", * }, * }, * preconfiguredWafConfig: { * exclusions: [{ * targetRuleSet: "sqli-v33-stable", * requestBodies: [{ * operator: "EQUALS", * value: "safe-field", * }], * }], * }, * }, { * dependsOn: [defaultBackendService], * }); * ``` * * ## Import * * SecurityPolicyRule can be imported using any of these accepted formats: * * * `projects/{{project}}/global/securityPolicies/{{security_policy}}/priority/{{priority}}` * * `{{project}}/{{security_policy}}/{{priority}}` * * `{{security_policy}}/{{priority}}` * * When using the `pulumi import` command, SecurityPolicyRule can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/securityPolicyRule:SecurityPolicyRule default projects/{{project}}/global/securityPolicies/{{security_policy}}/priority/{{priority}} * $ pulumi import gcp:compute/securityPolicyRule:SecurityPolicyRule default {{project}}/{{security_policy}}/{{priority}} * $ pulumi import gcp:compute/securityPolicyRule:SecurityPolicyRule default {{security_policy}}/{{priority}} * ``` */ export declare class SecurityPolicyRule extends pulumi.CustomResource { /** * Get an existing SecurityPolicyRule resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecurityPolicyRuleState, opts?: pulumi.CustomResourceOptions): SecurityPolicyRule; /** * Returns true if the given object is an instance of SecurityPolicyRule. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is SecurityPolicyRule; /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ readonly action: pulumi.Output<string>; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ readonly deletionPolicy: pulumi.Output<string>; /** * An optional description of this resource. Provide this property when you create the resource. */ readonly description: pulumi.Output<string | undefined>; /** * Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ readonly headerAction: pulumi.Output<outputs.compute.SecurityPolicyRuleHeaderAction | undefined>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ readonly match: pulumi.Output<outputs.compute.SecurityPolicyRuleMatch | undefined>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ readonly preconfiguredWafConfig: pulumi.Output<outputs.compute.SecurityPolicyRulePreconfiguredWafConfig | undefined>; /** * If set to true, the specified action is not enforced. */ readonly preview: pulumi.Output<boolean | undefined>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ readonly priority: pulumi.Output<number>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output<string>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ readonly rateLimitOptions: pulumi.Output<outputs.compute.SecurityPolicyRuleRateLimitOptions | undefined>; /** * Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ readonly redirectOptions: pulumi.Output<outputs.compute.SecurityPolicyRuleRedirectOptions | undefined>; /** * The name of the security policy this rule belongs to. */ readonly securityPolicy: pulumi.Output<string>; /** * Create a SecurityPolicyRule resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: SecurityPolicyRuleArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering SecurityPolicyRule resources. */ export interface SecurityPolicyRuleState { /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ action?: pulumi.Input<string | undefined>; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ deletionPolicy?: pulumi.Input<string | undefined>; /** * An optional description of this resource. Provide this property when you create the resource. */ description?: pulumi.Input<string | undefined>; /** * Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ headerAction?: pulumi.Input<inputs.compute.SecurityPolicyRuleHeaderAction | undefined>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input<inputs.compute.SecurityPolicyRuleMatch | undefined>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ preconfiguredWafConfig?: pulumi.Input<inputs.compute.SecurityPolicyRulePreconfiguredWafConfig | undefined>; /** * If set to true, the specified action is not enforced. */ preview?: pulumi.Input<boolean | undefined>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ priority?: pulumi.Input<number | undefined>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input<string | undefined>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ rateLimitOptions?: pulumi.Input<inputs.compute.SecurityPolicyRuleRateLimitOptions | undefined>; /** * Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ redirectOptions?: pulumi.Input<inputs.compute.SecurityPolicyRuleRedirectOptions | undefined>; /** * The name of the security policy this rule belongs to. */ securityPolicy?: pulumi.Input<string | undefined>; } /** * The set of arguments for constructing a SecurityPolicyRule resource. */ export interface SecurityPolicyRuleArgs { /** * The Action to perform when the rule is matched. The following are the valid actions: * * allow: allow access to target. * * deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. * * rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set. * * redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. * * throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this. */ action: pulumi.Input<string>; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ deletionPolicy?: pulumi.Input<string | undefined>; /** * An optional description of this resource. Provide this property when you create the resource. */ description?: pulumi.Input<string | undefined>; /** * Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ headerAction?: pulumi.Input<inputs.compute.SecurityPolicyRuleHeaderAction | undefined>; /** * A match condition that incoming traffic is evaluated against. * If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input<inputs.compute.SecurityPolicyRuleMatch | undefined>; /** * Preconfigured WAF configuration to be applied for the rule. * If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. * Structure is documented below. */ preconfiguredWafConfig?: pulumi.Input<inputs.compute.SecurityPolicyRulePreconfiguredWafConfig | undefined>; /** * If set to true, the specified action is not enforced. */ preview?: pulumi.Input<boolean | undefined>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ priority: pulumi.Input<number>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input<string | undefined>; /** * Must be specified if the action is "rateBasedBan" or "throttle". Cannot be specified for any other actions. * Structure is documented below. */ rateLimitOptions?: pulumi.Input<inputs.compute.SecurityPolicyRuleRateLimitOptions | undefined>; /** * Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR. * Structure is documented below. */ redirectOptions?: pulumi.Input<inputs.compute.SecurityPolicyRuleRedirectOptions | undefined>; /** * The name of the security policy this rule belongs to. */ securityPolicy: pulumi.Input<string>; } //# sourceMappingURL=securityPolicyRule.d.ts.map