import * as pulumi from "@pulumi/pulumi";
import * as inputs from "./types/input";
import * as outputs from "./types/output";
/**
 * SecurityRule resource — a security policy rule managed on Strata Cloud Manager.
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as scm from "@pulumi/scm";
*
* // First, create the tag objects that you will reference.
* const outboundTag = new scm.Tag("outbound_tag", {
* folder: "All",
* name: "outbound143",
* color: "Red",
* });
* const webTag = new scm.Tag("web_tag", {
* folder: "All",
* name: "web143",
* color: "Blue",
* });
* // --- Existing Rules (Backward Compatibility) ---
* const standardWebAccess = new scm.SecurityRule("standard_web_access", {
* folder: "All",
* name: "Allow Standard Web Access143",
* description: "Allow outbound web traffic to any destination...",
* position: "pre",
* action: "allow",
* categories: ["any"],
* applications: [
* "web-browsing",
* "ssl",
* ],
* services: [
* "service-http",
* "service-https",
* ],
* froms: [
* "untrust",
* "trust",
* ],
* tos: ["trust"],
* sources: ["any"],
* destinations: ["any"],
* negateSource: false,
* negateDestination: false,
* sourceUsers: ["any"],
* sourceHips: ["any"],
* destinationHips: ["any"],
* logStart: true,
* logEnd: true,
* disabled: false,
* tags: [
* outboundTag.name,
* webTag.name,
* ],
* });
* const blockRiskySaas = new scm.SecurityRule("block_risky_saas", {
* folder: "All",
* name: "Block Risky SaaS Applications143",
* description: "Prevent data exfiltration by blocking risky SaaS apps...",
* action: "deny",
* policyType: "Internet",
* securitySettings: {
* antiSpyware: "yes",
* vulnerability: "yes",
* virusAndWildfireAnalysis: "yes",
* },
* blockWebApplications: ["facebook-posting"],
* logSettings: {
* logSessions: true,
* },
* froms: ["any"],
* tos: ["any"],
* sources: ["any"],
* destinations: ["any"],
* sourceUsers: ["any"],
* disabled: false,
* tags: [
* outboundTag.name,
* webTag.name,
* ],
* });
* // --- NEW Examples Demonstrating Rule Ordering ---
* // Example 1: Place a critical block rule at the absolute top
* const criticalBlockTop = new scm.SecurityRule("critical_block_top", {
* folder: "All",
* name: "CRITICAL Block Malicious IPs Top143",
* description: "Always block known malicious IPs first.",
* relativePosition: "top",
* action: "deny",
* froms: ["any"],
* tos: ["any"],
* sources: ["any"],
* destinations: ["any"],
* sourceUsers: ["any"],
* categories: ["any"],
* applications: ["any"],
* services: ["any"],
* logEnd: true,
* tags: [outboundTag.name],
* });
* // Example 2: Place a cleanup rule at the absolute bottom
* const cleanupDenyBottom = new scm.SecurityRule("cleanup_deny_bottom", {
* folder: "All",
* name: "Cleanup Deny All Bottom143",
* description: "Deny any traffic not explicitly allowed.",
* relativePosition: "bottom",
* action: "deny",
* froms: ["any"],
* tos: ["any"],
* sources: ["any"],
* destinations: ["any"],
* sourceUsers: ["any"],
* categories: ["any"],
* applications: ["any"],
* services: ["any"],
* logEnd: true,
* tags: [outboundTag.name],
* });
* // Example 3: Place a rule *before* the standard web access rule
* const allowUpdatesBeforeWeb = new scm.SecurityRule("allow_updates_before_web", {
* folder: "All",
* name: "Allow OS Updates Before Web143",
* description: "Allow specific OS update traffic before general web access.",
* relativePosition: "before",
* targetRule: standardWebAccess.id,
* action: "allow",
* froms: ["trust"],
* tos: ["untrust"],
* sources: ["any"],
* destinations: ["any"],
* sourceUsers: ["any"],
* categories: ["any"],
* applications: [
* "ms-update",
* "apple-update",
* ],
* services: ["service-https"],
* logEnd: true,
* tags: [outboundTag.name],
* });
* // Example 4: Place a rule *after* the standard web access rule
* const allowCorpAppsAfterWeb = new scm.SecurityRule("allow_corp_apps_after_web", {
* folder: "All",
* name: "Allow Corp Apps After Web143",
* description: "Allow access to specific corporate apps after general web access.",
* relativePosition: "after",
* targetRule: standardWebAccess.id,
* action: "allow",
* froms: ["trust"],
* tos: ["untrust"],
* sources: ["any"],
* destinations: ["any"],
* sourceUsers: ["any"],
* categories: ["any"],
* applications: ["ms-update"],
* services: ["service-https"],
* logEnd: true,
* tags: [webTag.name],
* });
* ```
*
* ## Import
*
 * The following command can be used to import a resource not managed by Terraform. The import ID carries the rule's `id` together with the folder, snippet or device in which it is defined; the three forms below correspond to those three cases:
*
 * ```sh
* $ pulumi import scm:index/securityRule:SecurityRule example folder:::id
* ```
*
* or
*
 * ```sh
* $ pulumi import scm:index/securityRule:SecurityRule example :snippet::id
* ```
*
* or
*
 * ```sh
* $ pulumi import scm:index/securityRule:SecurityRule example ::device:id
* ```
*/
export declare class SecurityRule extends pulumi.CustomResource {
    /**
     * Get an existing SecurityRule resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup (see `SecurityRuleState`).
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns A SecurityRule whose outputs reflect the looked-up state.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecurityRuleState, opts?: pulumi.CustomResourceOptions): SecurityRule;
    /**
     * Returns true if the given object is an instance of SecurityRule. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; `any` is deliberate here, callers may pass arbitrary values.
     */
    static isInstance(obj: any): obj is SecurityRule;
    /**
     * The action to be taken when the rule is matched (the examples use `"allow"` and `"deny"`).
     */
    readonly action: pulumi.Output<string | undefined>;
    /**
     * URL category allow list (counterpart of `blockUrlCategories`).
     */
    readonly allowUrlCategories: pulumi.Output<outputs.SecurityRuleAllowUrlCategory[]>;
    /**
     * Web application allow list (counterpart of `blockWebApplications`).
     */
    readonly allowWebApplications: pulumi.Output<outputs.SecurityRuleAllowWebApplication[]>;
    /**
     * The application(s) being accessed. `"any"` is used in the examples to match every application.
     */
    readonly applications: pulumi.Output<string[]>;
    /**
     * URL category block list (counterpart of `allowUrlCategories`).
     */
    readonly blockUrlCategories: pulumi.Output<string[]>;
    /**
     * Web application block list (counterpart of `allowWebApplications`).
     */
    readonly blockWebApplications: pulumi.Output<string[]>;
    /**
     * The URL categories being accessed
     */
    readonly categories: pulumi.Output<string[]>;
    /**
     * Default profile settings
     */
    readonly defaultProfileSettings: pulumi.Output<outputs.SecurityRuleDefaultProfileSettings>;
    /**
     * The description of the security rule
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * The destination Host Integrity Profile(s)
     */
    readonly destinationHips: pulumi.Output<string[]>;
    /**
     * The destination address(es). `"any"` in the examples matches every destination, so the rule's
     * scope is then set only by zones, applications and services.
     */
    readonly destinations: pulumi.Output<string[] | undefined>;
    /**
     * The device in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    readonly device: pulumi.Output<string | undefined>;
    /**
     * Devices
     */
    readonly devices: pulumi.Output<string[]>;
    /**
     * Is the security rule disabled?
     */
    readonly disabled: pulumi.Output<boolean>;
    /**
     * The folder in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    readonly folder: pulumi.Output<string | undefined>;
    /**
     * The source security zone(s). `"any"` is used in the examples to match every zone.
     */
    readonly froms: pulumi.Output<string[] | undefined>;
    /**
     * Log at session end? Session logging is what makes rule hits visible to downstream monitoring;
     * the examples enable it on most rules.
     */
    readonly logEnd: pulumi.Output<boolean>;
    /**
     * The external log forwarding profile
     */
    readonly logSetting: pulumi.Output<string>;
    /**
     * Log settings (the `block_risky_saas` example sets `logSessions: true` here).
     */
    readonly logSettings: pulumi.Output<outputs.SecurityRuleLogSettings>;
    /**
     * Log at session start?
     */
    readonly logStart: pulumi.Output<boolean>;
    /**
     * The name of the security rule
     */
    readonly name: pulumi.Output<string>;
    /**
     * Negate the destination address(es)? Presumably inverts the `destinations` match — confirm against
     * the provider docs; an unintended negation changes which traffic the rule covers.
     */
    readonly negateDestination: pulumi.Output<boolean>;
    /**
     * Negate the source address(es)? Presumably inverts the `sources` match — confirm against the
     * provider docs; an unintended negation changes which traffic the rule covers.
     */
    readonly negateSource: pulumi.Output<boolean>;
    /**
     * Negate user (presumably inverts the `sourceUsers` match — confirm against the provider docs).
     */
    readonly negateUser: pulumi.Output<boolean>;
    /**
     * Policy type (the examples use `"Internet"`).
     */
    readonly policyType: pulumi.Output<string>;
    /**
     * The position of a security rule (the first example uses `"pre"`). Distinct from `relativePosition`,
     * which orders the rule within the ruleset.
     */
    readonly position: pulumi.Output<string>;
    /**
     * The security profile object
     */
    readonly profileSetting: pulumi.Output<outputs.SecurityRuleProfileSetting>;
    /**
     * Relative positioning rule. String must be one of these: `"before"`, `"after"`, `"top"`, `"bottom"`. If not specified, rule is created at the bottom of the ruleset.
     * `"before"` and `"after"` additionally require `targetRule`. Rule order is what the ruleset is evaluated in, so
     * an allow placed above a deny can shadow it.
     */
    readonly relativePosition: pulumi.Output<string | undefined>;
    /**
     * Schedule in which this rule will be applied
     */
    readonly schedule: pulumi.Output<string | undefined>;
    /**
     * Security settings (the examples enable `antiSpyware`, `vulnerability` and `virusAndWildfireAnalysis`).
     */
    readonly securitySettings: pulumi.Output<outputs.SecurityRuleSecuritySettings>;
    /**
     * The service(s) being accessed
     */
    readonly services: pulumi.Output<string[] | undefined>;
    /**
     * The snippet in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    readonly snippet: pulumi.Output<string | undefined>;
    /**
     * The source Host Integrity Profile(s)
     */
    readonly sourceHips: pulumi.Output<string[]>;
    /**
     * List of source users and/or groups. Reserved words include `any`, `pre-login`, `known-user`, and `unknown`.
     */
    readonly sourceUsers: pulumi.Output<string[] | undefined>;
    /**
     * The source address(es). `"any"` in the examples matches every source.
     */
    readonly sources: pulumi.Output<string[] | undefined>;
    /**
     * The tags associated with the security rule (the examples reference `scm.Tag` names).
     */
    readonly tags: pulumi.Output<string[] | undefined>;
    /**
     * The name or UUID of the rule to position this rule relative to. Required when `relativePosition` is `"before"` or `"after"`.
     * The examples pass another SecurityRule's `id`.
     */
    readonly targetRule: pulumi.Output<string | undefined>;
    /**
     * Tenant restrictions
     */
    readonly tenantRestrictions: pulumi.Output<string[]>;
    /**
     * NOTE(review): undocumented upstream — presumably the provider's internal identifier for this rule;
     * confirm before relying on it.
     */
    readonly tfid: pulumi.Output<string>;
    /**
     * The destination security zone(s). `"any"` is used in the examples to match every zone.
     */
    readonly tos: pulumi.Output<string[] | undefined>;
    /**
     * Create a SecurityRule resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties (see `SecurityRuleArgs`).
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args?: SecurityRuleArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering SecurityRule resources.
 * Mirrors the resource's outputs as optional inputs; every field is optional because a lookup
 * may qualify on any subset of them.
 */
export interface SecurityRuleState {
    /**
     * The action to be taken when the rule is matched (the examples use `"allow"` and `"deny"`).
     */
    action?: pulumi.Input<string>;
    /**
     * URL category allow list (counterpart of `blockUrlCategories`).
     */
    allowUrlCategories?: pulumi.Input<pulumi.Input<inputs.SecurityRuleAllowUrlCategory>[]>;
    /**
     * Web application allow list (counterpart of `blockWebApplications`).
     */
    allowWebApplications?: pulumi.Input<pulumi.Input<inputs.SecurityRuleAllowWebApplication>[]>;
    /**
     * The application(s) being accessed. `"any"` is used in the examples to match every application.
     */
    applications?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * URL category block list (counterpart of `allowUrlCategories`).
     */
    blockUrlCategories?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Web application block list (counterpart of `allowWebApplications`).
     */
    blockWebApplications?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The URL categories being accessed
     */
    categories?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Default profile settings
     */
    defaultProfileSettings?: pulumi.Input<inputs.SecurityRuleDefaultProfileSettings>;
    /**
     * The description of the security rule
     */
    description?: pulumi.Input<string>;
    /**
     * The destination Host Integrity Profile(s)
     */
    destinationHips?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The destination address(es). `"any"` in the examples matches every destination.
     */
    destinations?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The device in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    device?: pulumi.Input<string>;
    /**
     * Devices
     */
    devices?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Is the security rule disabled?
     */
    disabled?: pulumi.Input<boolean>;
    /**
     * The folder in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    folder?: pulumi.Input<string>;
    /**
     * The source security zone(s). `"any"` is used in the examples to match every zone.
     */
    froms?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Log at session end? Session logging is what makes rule hits visible to downstream monitoring.
     */
    logEnd?: pulumi.Input<boolean>;
    /**
     * The external log forwarding profile
     */
    logSetting?: pulumi.Input<string>;
    /**
     * Log settings (the `block_risky_saas` example sets `logSessions: true` here).
     */
    logSettings?: pulumi.Input<inputs.SecurityRuleLogSettings>;
    /**
     * Log at session start?
     */
    logStart?: pulumi.Input<boolean>;
    /**
     * The name of the security rule
     */
    name?: pulumi.Input<string>;
    /**
     * Negate the destination address(es)? Presumably inverts the `destinations` match — confirm against
     * the provider docs.
     */
    negateDestination?: pulumi.Input<boolean>;
    /**
     * Negate the source address(es)? Presumably inverts the `sources` match — confirm against the
     * provider docs.
     */
    negateSource?: pulumi.Input<boolean>;
    /**
     * Negate user (presumably inverts the `sourceUsers` match — confirm against the provider docs).
     */
    negateUser?: pulumi.Input<boolean>;
    /**
     * Policy type (the examples use `"Internet"`).
     */
    policyType?: pulumi.Input<string>;
    /**
     * The position of a security rule (the first example uses `"pre"`). Distinct from `relativePosition`,
     * which orders the rule within the ruleset.
     */
    position?: pulumi.Input<string>;
    /**
     * The security profile object
     */
    profileSetting?: pulumi.Input<inputs.SecurityRuleProfileSetting>;
    /**
     * Relative positioning rule. String must be one of these: `"before"`, `"after"`, `"top"`, `"bottom"`. If not specified, rule is created at the bottom of the ruleset.
     * `"before"` and `"after"` additionally require `targetRule`.
     */
    relativePosition?: pulumi.Input<string>;
    /**
     * Schedule in which this rule will be applied
     */
    schedule?: pulumi.Input<string>;
    /**
     * Security settings (the examples enable `antiSpyware`, `vulnerability` and `virusAndWildfireAnalysis`).
     */
    securitySettings?: pulumi.Input<inputs.SecurityRuleSecuritySettings>;
    /**
     * The service(s) being accessed
     */
    services?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The snippet in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    snippet?: pulumi.Input<string>;
    /**
     * The source Host Integrity Profile(s)
     */
    sourceHips?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of source users and/or groups. Reserved words include `any`, `pre-login`, `known-user`, and `unknown`.
     */
    sourceUsers?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The source address(es). `"any"` in the examples matches every source.
     */
    sources?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The tags associated with the security rule (the examples reference `scm.Tag` names).
     */
    tags?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The name or UUID of the rule to position this rule relative to. Required when `relativePosition` is `"before"` or `"after"`.
     */
    targetRule?: pulumi.Input<string>;
    /**
     * Tenant restrictions
     */
    tenantRestrictions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * NOTE(review): undocumented upstream — presumably the provider's internal identifier for this rule;
     * confirm before relying on it.
     */
    tfid?: pulumi.Input<string>;
    /**
     * The destination security zone(s). `"any"` is used in the examples to match every zone.
     */
    tos?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
 * The set of arguments for constructing a SecurityRule resource.
 * Same fields as `SecurityRuleState` except `tfid`, which is not settable at creation.
 */
export interface SecurityRuleArgs {
    /**
     * The action to be taken when the rule is matched (the examples use `"allow"` and `"deny"`).
     */
    action?: pulumi.Input<string>;
    /**
     * URL category allow list (counterpart of `blockUrlCategories`).
     */
    allowUrlCategories?: pulumi.Input<pulumi.Input<inputs.SecurityRuleAllowUrlCategory>[]>;
    /**
     * Web application allow list (counterpart of `blockWebApplications`).
     */
    allowWebApplications?: pulumi.Input<pulumi.Input<inputs.SecurityRuleAllowWebApplication>[]>;
    /**
     * The application(s) being accessed. `"any"` is used in the examples to match every application.
     */
    applications?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * URL category block list (counterpart of `allowUrlCategories`).
     */
    blockUrlCategories?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Web application block list (counterpart of `allowWebApplications`).
     */
    blockWebApplications?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The URL categories being accessed
     */
    categories?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Default profile settings
     */
    defaultProfileSettings?: pulumi.Input<inputs.SecurityRuleDefaultProfileSettings>;
    /**
     * The description of the security rule
     */
    description?: pulumi.Input<string>;
    /**
     * The destination Host Integrity Profile(s)
     */
    destinationHips?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The destination address(es). `"any"` in the examples matches every destination, so the rule's
     * scope is then set only by zones, applications and services.
     */
    destinations?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The device in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    device?: pulumi.Input<string>;
    /**
     * Devices
     */
    devices?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Is the security rule disabled?
     */
    disabled?: pulumi.Input<boolean>;
    /**
     * The folder in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    folder?: pulumi.Input<string>;
    /**
     * The source security zone(s). `"any"` is used in the examples to match every zone.
     */
    froms?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Log at session end? Session logging is what makes rule hits visible to downstream monitoring;
     * the examples enable it on most rules.
     */
    logEnd?: pulumi.Input<boolean>;
    /**
     * The external log forwarding profile
     */
    logSetting?: pulumi.Input<string>;
    /**
     * Log settings (the `block_risky_saas` example sets `logSessions: true` here).
     */
    logSettings?: pulumi.Input<inputs.SecurityRuleLogSettings>;
    /**
     * Log at session start?
     */
    logStart?: pulumi.Input<boolean>;
    /**
     * The name of the security rule
     */
    name?: pulumi.Input<string>;
    /**
     * Negate the destination address(es)? Presumably inverts the `destinations` match — confirm against
     * the provider docs; an unintended negation changes which traffic the rule covers.
     */
    negateDestination?: pulumi.Input<boolean>;
    /**
     * Negate the source address(es)? Presumably inverts the `sources` match — confirm against the
     * provider docs; an unintended negation changes which traffic the rule covers.
     */
    negateSource?: pulumi.Input<boolean>;
    /**
     * Negate user (presumably inverts the `sourceUsers` match — confirm against the provider docs).
     */
    negateUser?: pulumi.Input<boolean>;
    /**
     * Policy type (the examples use `"Internet"`).
     */
    policyType?: pulumi.Input<string>;
    /**
     * The position of a security rule (the first example uses `"pre"`). Distinct from `relativePosition`,
     * which orders the rule within the ruleset.
     */
    position?: pulumi.Input<string>;
    /**
     * The security profile object
     */
    profileSetting?: pulumi.Input<inputs.SecurityRuleProfileSetting>;
    /**
     * Relative positioning rule. String must be one of these: `"before"`, `"after"`, `"top"`, `"bottom"`. If not specified, rule is created at the bottom of the ruleset.
     * `"before"` and `"after"` additionally require `targetRule`. Rule order is what the ruleset is evaluated in, so
     * an allow placed above a deny can shadow it.
     */
    relativePosition?: pulumi.Input<string>;
    /**
     * Schedule in which this rule will be applied
     */
    schedule?: pulumi.Input<string>;
    /**
     * Security settings (the examples enable `antiSpyware`, `vulnerability` and `virusAndWildfireAnalysis`).
     */
    securitySettings?: pulumi.Input<inputs.SecurityRuleSecuritySettings>;
    /**
     * The service(s) being accessed
     */
    services?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The snippet in which the resource is defined (one of `folder`, `snippet`, `device`; see the import ID forms).
     */
    snippet?: pulumi.Input<string>;
    /**
     * The source Host Integrity Profile(s)
     */
    sourceHips?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of source users and/or groups. Reserved words include `any`, `pre-login`, `known-user`, and `unknown`.
     */
    sourceUsers?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The source address(es). `"any"` in the examples matches every source.
     */
    sources?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The tags associated with the security rule (the examples reference `scm.Tag` names).
     */
    tags?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The name or UUID of the rule to position this rule relative to. Required when `relativePosition` is `"before"` or `"after"`.
     * The examples pass another SecurityRule's `id`.
     */
    targetRule?: pulumi.Input<string>;
    /**
     * Tenant restrictions
     */
    tenantRestrictions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The destination security zone(s). `"any"` is used in the examples to match every zone.
     */
    tos?: pulumi.Input<pulumi.Input<string>[]>;
}