gcp.compute.getRegionSecurityPolicy

Google Cloud v9.10.0, Jan 16 26

Google Cloud v9.10.0 published on Friday, Jan 16, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

Google Cloud v9.10.0 published on Friday, Jan 16, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const _default = gcp.compute.getRegionSecurityPolicy({
    name: "my-region-security-policy",
    region: "us-west2",
});

import pulumi
import pulumi_gcp as gcp

default = gcp.compute.get_region_security_policy(name="my-region-security-policy",
    region="us-west2")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := compute.LookupRegionSecurityPolicy(ctx, &compute.LookupRegionSecurityPolicyArgs{
			Name:   "my-region-security-policy",
			Region: pulumi.StringRef("us-west2"),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var @default = Gcp.Compute.GetRegionSecurityPolicy.Invoke(new()
    {
        Name = "my-region-security-policy",
        Region = "us-west2",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.ComputeFunctions;
import com.pulumi.gcp.compute.inputs.GetRegionSecurityPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var default = ComputeFunctions.getRegionSecurityPolicy(GetRegionSecurityPolicyArgs.builder()
            .name("my-region-security-policy")
            .region("us-west2")
            .build());

    }
}

variables:
  default:
    fn::invoke:
      function: gcp:compute:getRegionSecurityPolicy
      arguments:
        name: my-region-security-policy
        region: us-west2

Using getRegionSecurityPolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getRegionSecurityPolicy(args: GetRegionSecurityPolicyArgs, opts?: InvokeOptions): Promise<GetRegionSecurityPolicyResult>
function getRegionSecurityPolicyOutput(args: GetRegionSecurityPolicyOutputArgs, opts?: InvokeOptions): Output<GetRegionSecurityPolicyResult>

def get_region_security_policy(name: Optional[str] = None,
                               project: Optional[str] = None,
                               region: Optional[str] = None,
                               opts: Optional[InvokeOptions] = None) -> GetRegionSecurityPolicyResult
def get_region_security_policy_output(name: Optional[pulumi.Input[str]] = None,
                               project: Optional[pulumi.Input[str]] = None,
                               region: Optional[pulumi.Input[str]] = None,
                               opts: Optional[InvokeOptions] = None) -> Output[GetRegionSecurityPolicyResult]

func LookupRegionSecurityPolicy(ctx *Context, args *LookupRegionSecurityPolicyArgs, opts ...InvokeOption) (*LookupRegionSecurityPolicyResult, error)
func LookupRegionSecurityPolicyOutput(ctx *Context, args *LookupRegionSecurityPolicyOutputArgs, opts ...InvokeOption) LookupRegionSecurityPolicyResultOutput

> Note: This function is named LookupRegionSecurityPolicy in the Go SDK.

public static class GetRegionSecurityPolicy 
{
    public static Task<GetRegionSecurityPolicyResult> InvokeAsync(GetRegionSecurityPolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetRegionSecurityPolicyResult> Invoke(GetRegionSecurityPolicyInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetRegionSecurityPolicyResult> getRegionSecurityPolicy(GetRegionSecurityPolicyArgs args, InvokeOptions options)
public static Output<GetRegionSecurityPolicyResult> getRegionSecurityPolicy(GetRegionSecurityPolicyArgs args, InvokeOptions options)

fn::invoke:
  function: gcp:compute/getRegionSecurityPolicy:getRegionSecurityPolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

Name string: The name of the Region Security Policy.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Region string: The region in which the Region Security Policy resides. If not specified, the provider region is used.

Name string: The name of the Region Security Policy.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Region string: The region in which the Region Security Policy resides. If not specified, the provider region is used.

name String: The name of the Region Security Policy.
project String: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
region String: The region in which the Region Security Policy resides. If not specified, the provider region is used.

name string: The name of the Region Security Policy.
project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
region string: The region in which the Region Security Policy resides. If not specified, the provider region is used.

name str: The name of the Region Security Policy.
project str: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
region str: The region in which the Region Security Policy resides. If not specified, the provider region is used.

name String: The name of the Region Security Policy.
project String: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
region String: The region in which the Region Security Policy resides. If not specified, the provider region is used.

getRegionSecurityPolicy Result

The following output properties are available:

AdvancedOptionsConfigs List<GetRegionSecurityPolicyAdvancedOptionsConfig>
DdosProtectionConfigs List<GetRegionSecurityPolicyDdosProtectionConfig>
Description string
Fingerprint string
Id string: The provider-assigned unique ID for this managed resource.
Name string
PolicyId string
Rules List<GetRegionSecurityPolicyRule>
SelfLink string
SelfLinkWithPolicyId string
Type string
UserDefinedFields List<GetRegionSecurityPolicyUserDefinedField>
Project string
Region string

AdvancedOptionsConfigs []GetRegionSecurityPolicyAdvancedOptionsConfig
DdosProtectionConfigs []GetRegionSecurityPolicyDdosProtectionConfig
Description string
Fingerprint string
Id string: The provider-assigned unique ID for this managed resource.
Name string
PolicyId string
Rules []GetRegionSecurityPolicyRuleType
SelfLink string
SelfLinkWithPolicyId string
Type string
UserDefinedFields []GetRegionSecurityPolicyUserDefinedField
Project string
Region string

advancedOptionsConfigs List<GetRegionSecurityPolicyAdvancedOptionsConfig>
ddosProtectionConfigs List<GetRegionSecurityPolicyDdosProtectionConfig>
description String
fingerprint String
id String: The provider-assigned unique ID for this managed resource.
name String
policyId String
rules List<GetRegionSecurityPolicyRule>
selfLink String
selfLinkWithPolicyId String
type String
userDefinedFields List<GetRegionSecurityPolicyUserDefinedField>
project String
region String

advancedOptionsConfigs GetRegionSecurityPolicyAdvancedOptionsConfig[]
ddosProtectionConfigs GetRegionSecurityPolicyDdosProtectionConfig[]
description string
fingerprint string
id string: The provider-assigned unique ID for this managed resource.
name string
policyId string
rules GetRegionSecurityPolicyRule[]
selfLink string
selfLinkWithPolicyId string
type string
userDefinedFields GetRegionSecurityPolicyUserDefinedField[]
project string
region string

advanced_options_configs Sequence[GetRegionSecurityPolicyAdvancedOptionsConfig]
ddos_protection_configs Sequence[GetRegionSecurityPolicyDdosProtectionConfig]
description str
fingerprint str
id str: The provider-assigned unique ID for this managed resource.
name str
policy_id str
rules Sequence[GetRegionSecurityPolicyRule]
self_link str
self_link_with_policy_id str
type str
user_defined_fields Sequence[GetRegionSecurityPolicyUserDefinedField]
project str
region str

advancedOptionsConfigs List<Property Map>
ddosProtectionConfigs List<Property Map>
description String
fingerprint String
id String: The provider-assigned unique ID for this managed resource.
name String
policyId String
rules List<Property Map>
selfLink String
selfLinkWithPolicyId String
type String
userDefinedFields List<Property Map>
project String
region String

Supporting Types

GetRegionSecurityPolicyAdvancedOptionsConfig

JsonCustomConfigs List<GetRegionSecurityPolicyAdvancedOptionsConfigJsonCustomConfig>: Custom configuration to apply the JSON parsing. Only applicable when JSON parsing is set to STANDARD.
JsonParsing string: JSON body parsing. Supported values include: "DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL". Possible values: ["DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL"]
LogLevel string: Logging level. Supported values include: "NORMAL", "VERBOSE". Possible values: ["NORMAL", "VERBOSE"]
RequestBodyInspectionSize string: The maximum request size chosen by the customer with Waf enabled. Values supported are "8KB", "16KB, "32KB", "48KB" and "64KB". Values are case insensitive. Possible values: ["8KB", "16KB", "32KB", "48KB", "64KB"]
UserIpRequestHeaders List<string>: An optional list of case-insensitive request header names to use for resolving the callers client IP address.

JsonCustomConfigs []GetRegionSecurityPolicyAdvancedOptionsConfigJsonCustomConfig: Custom configuration to apply the JSON parsing. Only applicable when JSON parsing is set to STANDARD.
JsonParsing string: JSON body parsing. Supported values include: "DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL". Possible values: ["DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL"]
LogLevel string: Logging level. Supported values include: "NORMAL", "VERBOSE". Possible values: ["NORMAL", "VERBOSE"]
RequestBodyInspectionSize string: The maximum request size chosen by the customer with Waf enabled. Values supported are "8KB", "16KB, "32KB", "48KB" and "64KB". Values are case insensitive. Possible values: ["8KB", "16KB", "32KB", "48KB", "64KB"]
UserIpRequestHeaders []string: An optional list of case-insensitive request header names to use for resolving the callers client IP address.

jsonCustomConfigs List<GetRegionSecurityPolicyAdvancedOptionsConfigJsonCustomConfig>: Custom configuration to apply the JSON parsing. Only applicable when JSON parsing is set to STANDARD.
jsonParsing String: JSON body parsing. Supported values include: "DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL". Possible values: ["DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL"]
logLevel String: Logging level. Supported values include: "NORMAL", "VERBOSE". Possible values: ["NORMAL", "VERBOSE"]
requestBodyInspectionSize String: The maximum request size chosen by the customer with Waf enabled. Values supported are "8KB", "16KB, "32KB", "48KB" and "64KB". Values are case insensitive. Possible values: ["8KB", "16KB", "32KB", "48KB", "64KB"]
userIpRequestHeaders List<String>: An optional list of case-insensitive request header names to use for resolving the callers client IP address.

jsonCustomConfigs GetRegionSecurityPolicyAdvancedOptionsConfigJsonCustomConfig[]: Custom configuration to apply the JSON parsing. Only applicable when JSON parsing is set to STANDARD.
jsonParsing string: JSON body parsing. Supported values include: "DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL". Possible values: ["DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL"]
logLevel string: Logging level. Supported values include: "NORMAL", "VERBOSE". Possible values: ["NORMAL", "VERBOSE"]
requestBodyInspectionSize string: The maximum request size chosen by the customer with Waf enabled. Values supported are "8KB", "16KB, "32KB", "48KB" and "64KB". Values are case insensitive. Possible values: ["8KB", "16KB", "32KB", "48KB", "64KB"]
userIpRequestHeaders string[]: An optional list of case-insensitive request header names to use for resolving the callers client IP address.

json_custom_configs Sequence[GetRegionSecurityPolicyAdvancedOptionsConfigJsonCustomConfig]: Custom configuration to apply the JSON parsing. Only applicable when JSON parsing is set to STANDARD.
json_parsing str: JSON body parsing. Supported values include: "DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL". Possible values: ["DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL"]
log_level str: Logging level. Supported values include: "NORMAL", "VERBOSE". Possible values: ["NORMAL", "VERBOSE"]
request_body_inspection_size str: The maximum request size chosen by the customer with Waf enabled. Values supported are "8KB", "16KB, "32KB", "48KB" and "64KB". Values are case insensitive. Possible values: ["8KB", "16KB", "32KB", "48KB", "64KB"]
user_ip_request_headers Sequence[str]: An optional list of case-insensitive request header names to use for resolving the callers client IP address.

jsonCustomConfigs List<Property Map>: Custom configuration to apply the JSON parsing. Only applicable when JSON parsing is set to STANDARD.
jsonParsing String: JSON body parsing. Supported values include: "DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL". Possible values: ["DISABLED", "STANDARD", "STANDARD_WITH_GRAPHQL"]
logLevel String: Logging level. Supported values include: "NORMAL", "VERBOSE". Possible values: ["NORMAL", "VERBOSE"]
requestBodyInspectionSize String: The maximum request size chosen by the customer with Waf enabled. Values supported are "8KB", "16KB, "32KB", "48KB" and "64KB". Values are case insensitive. Possible values: ["8KB", "16KB", "32KB", "48KB", "64KB"]
userIpRequestHeaders List<String>: An optional list of case-insensitive request header names to use for resolving the callers client IP address.

GetRegionSecurityPolicyAdvancedOptionsConfigJsonCustomConfig

ContentTypes List<string>: A list of custom Content-Type header values to apply the JSON parsing.

ContentTypes []string: A list of custom Content-Type header values to apply the JSON parsing.

contentTypes List<String>: A list of custom Content-Type header values to apply the JSON parsing.

contentTypes string[]: A list of custom Content-Type header values to apply the JSON parsing.

content_types Sequence[str]: A list of custom Content-Type header values to apply the JSON parsing.

contentTypes List<String>: A list of custom Content-Type header values to apply the JSON parsing.

GetRegionSecurityPolicyDdosProtectionConfig

DdosProtection string

Google Cloud Armor offers the following options to help protect systems against DDoS attacks:

STANDARD: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED_PREVIEW: flag to enable the security policy in preview mode. Possible values: ["ADVANCED", "ADVANCED_PREVIEW", "STANDARD"]

DdosProtection string

Google Cloud Armor offers the following options to help protect systems against DDoS attacks:

STANDARD: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED_PREVIEW: flag to enable the security policy in preview mode. Possible values: ["ADVANCED", "ADVANCED_PREVIEW", "STANDARD"]

ddosProtection String

Google Cloud Armor offers the following options to help protect systems against DDoS attacks:

STANDARD: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED_PREVIEW: flag to enable the security policy in preview mode. Possible values: ["ADVANCED", "ADVANCED_PREVIEW", "STANDARD"]

ddosProtection string

Google Cloud Armor offers the following options to help protect systems against DDoS attacks:

STANDARD: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED_PREVIEW: flag to enable the security policy in preview mode. Possible values: ["ADVANCED", "ADVANCED_PREVIEW", "STANDARD"]

ddos_protection str

Google Cloud Armor offers the following options to help protect systems against DDoS attacks:

STANDARD: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED_PREVIEW: flag to enable the security policy in preview mode. Possible values: ["ADVANCED", "ADVANCED_PREVIEW", "STANDARD"]

ddosProtection String

Google Cloud Armor offers the following options to help protect systems against DDoS attacks:

STANDARD: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
ADVANCED_PREVIEW: flag to enable the security policy in preview mode. Possible values: ["ADVANCED", "ADVANCED_PREVIEW", "STANDARD"]

GetRegionSecurityPolicyRule

Action string

The Action to perform when the rule is matched. The following are the valid actions:

allow: allow access to target.
deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502.
rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set.
redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR.
throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this.

Description string

An optional description of this resource. Provide this property when you create the resource.

Matches List<GetRegionSecurityPolicyRuleMatch>

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

NetworkMatches List<GetRegionSecurityPolicyRuleNetworkMatch>

A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: <span pulumi-lang-nodejs=""ipv4FragmentOffset"" pulumi-lang-dotnet=""Ipv4FragmentOffset"" pulumi-lang-go=""ipv4FragmentOffset"" pulumi-lang-python=""ipv4_fragment_offset"" pulumi-lang-yaml=""ipv4FragmentOffset"" pulumi-lang-java=""ipv4FragmentOffset"">"ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named <span pulumi-lang-nodejs=""ipv4FragmentOffset"" pulumi-lang-dotnet=""Ipv4FragmentOffset"" pulumi-lang-go=""ipv4FragmentOffset"" pulumi-lang-python=""ipv4_fragment_offset"" pulumi-lang-yaml=""ipv4FragmentOffset"" pulumi-lang-java=""ipv4FragmentOffset"">"ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive

PreconfiguredWafConfigs List<GetRegionSecurityPolicyRulePreconfiguredWafConfig>

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

Preview bool

If set to true, the specified action is not enforced.

Priority int

An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.

RateLimitOptions List<GetRegionSecurityPolicyRuleRateLimitOption>

Must be specified if the action is <span pulumi-lang-nodejs=""rateBasedBan"" pulumi-lang-dotnet=""RateBasedBan"" pulumi-lang-go=""rateBasedBan"" pulumi-lang-python=""rate_based_ban"" pulumi-lang-yaml=""rateBasedBan"" pulumi-lang-java=""rateBasedBan"">"rate_based_ban" or "throttle". Cannot be specified for any other actions.

Action string

The Action to perform when the rule is matched. The following are the valid actions:

allow: allow access to target.
deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502.
rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set.
redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR.
throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this.

Description string

An optional description of this resource. Provide this property when you create the resource.

Matches []GetRegionSecurityPolicyRuleMatch

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

NetworkMatches []GetRegionSecurityPolicyRuleNetworkMatch

PreconfiguredWafConfigs []GetRegionSecurityPolicyRulePreconfiguredWafConfig

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

Preview bool

If set to true, the specified action is not enforced.

Priority int

RateLimitOptions []GetRegionSecurityPolicyRuleRateLimitOption

action String

The Action to perform when the rule is matched. The following are the valid actions:

allow: allow access to target.
deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502.
rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set.
redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR.
throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this.

description String

An optional description of this resource. Provide this property when you create the resource.

matches List<GetRegionSecurityPolicyRuleMatch>

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

networkMatches List<GetRegionSecurityPolicyRuleNetworkMatch>

preconfiguredWafConfigs List<GetRegionSecurityPolicyRulePreconfiguredWafConfig>

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

preview Boolean

If set to true, the specified action is not enforced.

priority Integer

rateLimitOptions List<GetRegionSecurityPolicyRuleRateLimitOption>

action string

The Action to perform when the rule is matched. The following are the valid actions:

allow: allow access to target.
deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502.
rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set.
redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR.
throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this.

description string

An optional description of this resource. Provide this property when you create the resource.

matches GetRegionSecurityPolicyRuleMatch[]

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

networkMatches GetRegionSecurityPolicyRuleNetworkMatch[]

preconfiguredWafConfigs GetRegionSecurityPolicyRulePreconfiguredWafConfig[]

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

preview boolean

If set to true, the specified action is not enforced.

priority number

rateLimitOptions GetRegionSecurityPolicyRuleRateLimitOption[]

action str

The Action to perform when the rule is matched. The following are the valid actions:

allow: allow access to target.
deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502.
rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set.
redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR.
throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this.

description str

An optional description of this resource. Provide this property when you create the resource.

matches Sequence[GetRegionSecurityPolicyRuleMatch]

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

network_matches Sequence[GetRegionSecurityPolicyRuleNetworkMatch]

preconfigured_waf_configs Sequence[GetRegionSecurityPolicyRulePreconfiguredWafConfig]

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

preview bool

If set to true, the specified action is not enforced.

priority int

rate_limit_options Sequence[GetRegionSecurityPolicyRuleRateLimitOption]

action String

The Action to perform when the rule is matched. The following are the valid actions:

allow: allow access to target.
deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502.
rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rateLimitOptions to be set.
redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR.
throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rateLimitOptions to be set for this.

description String

An optional description of this resource. Provide this property when you create the resource.

matches List<Property Map>

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

networkMatches List<Property Map>

preconfiguredWafConfigs List<Property Map>

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

preview Boolean

If set to true, the specified action is not enforced.

priority Number

rateLimitOptions List<Property Map>

GetRegionSecurityPolicyRuleMatch

Configs List<GetRegionSecurityPolicyRuleMatchConfig>: The configuration options available when specifying versionedExpr. This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
Exprs List<GetRegionSecurityPolicyRuleMatchExpr>: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. See Sample expressions for examples.
VersionedExpr string: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding srcIpRange field in config. Possible values: ["SRC_IPS_V1"]

Configs []GetRegionSecurityPolicyRuleMatchConfig: The configuration options available when specifying versionedExpr. This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
Exprs []GetRegionSecurityPolicyRuleMatchExpr: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. See Sample expressions for examples.
VersionedExpr string: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding srcIpRange field in config. Possible values: ["SRC_IPS_V1"]

configs List<GetRegionSecurityPolicyRuleMatchConfig>: The configuration options available when specifying versionedExpr. This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
exprs List<GetRegionSecurityPolicyRuleMatchExpr>: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. See Sample expressions for examples.
versionedExpr String: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding srcIpRange field in config. Possible values: ["SRC_IPS_V1"]

configs GetRegionSecurityPolicyRuleMatchConfig[]: The configuration options available when specifying versionedExpr. This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
exprs GetRegionSecurityPolicyRuleMatchExpr[]: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. See Sample expressions for examples.
versionedExpr string: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding srcIpRange field in config. Possible values: ["SRC_IPS_V1"]

configs Sequence[GetRegionSecurityPolicyRuleMatchConfig]: The configuration options available when specifying versionedExpr. This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
exprs Sequence[GetRegionSecurityPolicyRuleMatchExpr]: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. See Sample expressions for examples.
versioned_expr str: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding srcIpRange field in config. Possible values: ["SRC_IPS_V1"]

configs List<Property Map>: The configuration options available when specifying versionedExpr. This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
exprs List<Property Map>: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. See Sample expressions for examples.
versionedExpr String: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding srcIpRange field in config. Possible values: ["SRC_IPS_V1"]

GetRegionSecurityPolicyRuleMatchConfig

SrcIpRanges List<string>: CIDR IP address range. Maximum number of srcIpRanges allowed is 10.

SrcIpRanges []string: CIDR IP address range. Maximum number of srcIpRanges allowed is 10.

srcIpRanges List<String>: CIDR IP address range. Maximum number of srcIpRanges allowed is 10.

srcIpRanges string[]: CIDR IP address range. Maximum number of srcIpRanges allowed is 10.

src_ip_ranges Sequence[str]: CIDR IP address range. Maximum number of srcIpRanges allowed is 10.

srcIpRanges List<String>: CIDR IP address range. Maximum number of srcIpRanges allowed is 10.

GetRegionSecurityPolicyRuleMatchExpr

Expression string: Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

Expression string: Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

expression String: Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

expression string: Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

expression str: Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

expression String: Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

GetRegionSecurityPolicyRuleNetworkMatch

DestIpRanges List<string>: Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
DestPorts List<string>: Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
IpProtocols List<string>: IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
SrcAsns List<int>: BGP Autonomous System Number associated with the source IP address.
SrcIpRanges List<string>: Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
SrcPorts List<string>: Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
SrcRegionCodes List<string>: Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
UserDefinedFields List<GetRegionSecurityPolicyRuleNetworkMatchUserDefinedField>: User-defined fields. Each element names a defined field and lists the matching values for that field.

DestIpRanges []string: Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
DestPorts []string: Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
IpProtocols []string: IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
SrcAsns []int: BGP Autonomous System Number associated with the source IP address.
SrcIpRanges []string: Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
SrcPorts []string: Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
SrcRegionCodes []string: Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
UserDefinedFields []GetRegionSecurityPolicyRuleNetworkMatchUserDefinedField: User-defined fields. Each element names a defined field and lists the matching values for that field.

destIpRanges List<String>: Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
destPorts List<String>: Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
ipProtocols List<String>: IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
srcAsns List<Integer>: BGP Autonomous System Number associated with the source IP address.
srcIpRanges List<String>: Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
srcPorts List<String>: Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
srcRegionCodes List<String>: Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
userDefinedFields List<GetRegionSecurityPolicyRuleNetworkMatchUserDefinedField>: User-defined fields. Each element names a defined field and lists the matching values for that field.

destIpRanges string[]: Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
destPorts string[]: Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
ipProtocols string[]: IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
srcAsns number[]: BGP Autonomous System Number associated with the source IP address.
srcIpRanges string[]: Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
srcPorts string[]: Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
srcRegionCodes string[]: Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
userDefinedFields GetRegionSecurityPolicyRuleNetworkMatchUserDefinedField[]: User-defined fields. Each element names a defined field and lists the matching values for that field.

dest_ip_ranges Sequence[str]: Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
dest_ports Sequence[str]: Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
ip_protocols Sequence[str]: IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
src_asns Sequence[int]: BGP Autonomous System Number associated with the source IP address.
src_ip_ranges Sequence[str]: Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
src_ports Sequence[str]: Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
src_region_codes Sequence[str]: Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
user_defined_fields Sequence[GetRegionSecurityPolicyRuleNetworkMatchUserDefinedField]: User-defined fields. Each element names a defined field and lists the matching values for that field.

destIpRanges List<String>: Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
destPorts List<String>: Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
ipProtocols List<String>: IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
srcAsns List<Number>: BGP Autonomous System Number associated with the source IP address.
srcIpRanges List<String>: Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
srcPorts List<String>: Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
srcRegionCodes List<String>: Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
userDefinedFields List<Property Map>: User-defined fields. Each element names a defined field and lists the matching values for that field.

GetRegionSecurityPolicyRuleNetworkMatchUserDefinedField

Name string: The name of the Region Security Policy.
Values List<string>: Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").

Name string: The name of the Region Security Policy.
Values []string: Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").

name String: The name of the Region Security Policy.
values List<String>: Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").

name string: The name of the Region Security Policy.
values string[]: Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").

name str: The name of the Region Security Policy.
values Sequence[str]: Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").

name String: The name of the Region Security Policy.
values List<String>: Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. "0x400-0x7ff").

GetRegionSecurityPolicyRulePreconfiguredWafConfig

Exclusions List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusion>: An exclusion to apply during preconfigured WAF evaluation.

Exclusions []GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusion: An exclusion to apply during preconfigured WAF evaluation.

exclusions List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusion>: An exclusion to apply during preconfigured WAF evaluation.

exclusions GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusion[]: An exclusion to apply during preconfigured WAF evaluation.

exclusions Sequence[GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusion]: An exclusion to apply during preconfigured WAF evaluation.

exclusions List<Property Map>: An exclusion to apply during preconfigured WAF evaluation.

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusion

RequestCookies List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky>: Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
RequestHeaders List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader>: Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
RequestQueryParams List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam>: Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
RequestUris List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri>: Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
TargetRuleIds List<string>: A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
TargetRuleSet string: Target WAF rule set to apply the preconfigured WAF exclusion.

RequestCookies []GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky: Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
RequestHeaders []GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader: Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
RequestQueryParams []GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam: Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
RequestUris []GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri: Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
TargetRuleIds []string: A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
TargetRuleSet string: Target WAF rule set to apply the preconfigured WAF exclusion.

requestCookies List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky>: Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
requestHeaders List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader>: Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
requestQueryParams List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam>: Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
requestUris List<GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri>: Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
targetRuleIds List<String>: A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
targetRuleSet String: Target WAF rule set to apply the preconfigured WAF exclusion.

requestCookies GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky[]: Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
requestHeaders GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader[]: Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
requestQueryParams GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam[]: Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
requestUris GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri[]: Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
targetRuleIds string[]: A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
targetRuleSet string: Target WAF rule set to apply the preconfigured WAF exclusion.

request_cookies Sequence[GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky]: Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
request_headers Sequence[GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader]: Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
request_query_params Sequence[GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam]: Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
request_uris Sequence[GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri]: Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
target_rule_ids Sequence[str]: A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
target_rule_set str: Target WAF rule set to apply the preconfigured WAF exclusion.

requestCookies List<Property Map>: Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
requestHeaders List<Property Map>: Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
requestQueryParams List<Property Map>: Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body.
requestUris List<Property Map>: Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded.
targetRuleIds List<String>: A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.
targetRuleSet String: Target WAF rule set to apply the preconfigured WAF exclusion.

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky

Operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
Value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

Operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
Value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator String: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value String: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator str: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value str: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator String: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value String: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader

Operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
Value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

Operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
Value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator String: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value String: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator str: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value str: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator String: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value String: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam

Operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
Value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

Operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
Value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator String: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value String: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator str: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value str: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator String: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value String: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri

Operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
Value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

Operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
Value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator String: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value String: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator string: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value string: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator str: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value str: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

operator String: You can specify an exact match or a partial match by using a field operator and a field value. Available options: EQUALS: The operator matches if the field value equals the specified value. STARTS_WITH: The operator matches if the field value starts with the specified value. ENDS_WITH: The operator matches if the field value ends with the specified value. CONTAINS: The operator matches if the field value contains the specified value. EQUALS_ANY: The operator matches if the field value is any value. Possible values: ["CONTAINS", "ENDS_WITH", "EQUALS", "EQUALS_ANY", "STARTS_WITH"]
value String: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

GetRegionSecurityPolicyRuleRateLimitOption

BanDurationSec int

Can only be specified if the action for the rule is <span pulumi-lang-nodejs=""rateBasedBan"" pulumi-lang-dotnet=""RateBasedBan"" pulumi-lang-go=""rateBasedBan"" pulumi-lang-python=""rate_based_ban"" pulumi-lang-yaml=""rateBasedBan"" pulumi-lang-java=""rateBasedBan"">"rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.

BanThresholds List<GetRegionSecurityPolicyRuleRateLimitOptionBanThreshold>

Can only be specified if the action for the rule is <span pulumi-lang-nodejs=""rateBasedBan"" pulumi-lang-dotnet=""RateBasedBan"" pulumi-lang-go=""rateBasedBan"" pulumi-lang-python=""rate_based_ban"" pulumi-lang-yaml=""rateBasedBan"" pulumi-lang-java=""rateBasedBan"">"rate_based_ban". If specified, the key will be banned for the configured 'banDurationSec' when the number of requests that exceed the 'rateLimitThreshold' also exceed this 'banThreshold'.

ConformAction string

Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.

EnforceOnKey string

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

EnforceOnKeyConfigs List<GetRegionSecurityPolicyRuleRateLimitOptionEnforceOnKeyConfig>

If specified, any combination of values of enforceOnKeyType/enforceOnKeyName is treated as the key on which ratelimit threshold/action is enforced. You can specify up to 3 enforceOnKeyConfigs. If enforceOnKeyConfigs is specified, enforceOnKey must not be specified.

EnforceOnKeyName string

Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.

ExceedAction string

Action to take for requests that are above the configured rate limit threshold, to deny with a specified HTTP response code. Valid options are deny(STATUS), where valid values for STATUS are 403, 404, 429, and 502.

RateLimitThresholds List<GetRegionSecurityPolicyRuleRateLimitOptionRateLimitThreshold>

Threshold at which to begin ratelimiting.

BanDurationSec int

BanThresholds []GetRegionSecurityPolicyRuleRateLimitOptionBanThreshold

Can only be specified if the action for the rule is <span pulumi-lang-nodejs=""rateBasedBan"" pulumi-lang-dotnet=""RateBasedBan"" pulumi-lang-go=""rateBasedBan"" pulumi-lang-python=""rate_based_ban"" pulumi-lang-yaml=""rateBasedBan"" pulumi-lang-java=""rateBasedBan"">"rate_based_ban". If specified, the key will be banned for the configured 'banDurationSec' when the number of requests that exceed the 'rateLimitThreshold' also exceed this 'banThreshold'.

ConformAction string

Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.

EnforceOnKey string

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

EnforceOnKeyConfigs []GetRegionSecurityPolicyRuleRateLimitOptionEnforceOnKeyConfig

EnforceOnKeyName string

ExceedAction string

RateLimitThresholds []GetRegionSecurityPolicyRuleRateLimitOptionRateLimitThreshold

Threshold at which to begin ratelimiting.

banDurationSec Integer

banThresholds List<GetRegionSecurityPolicyRuleRateLimitOptionBanThreshold>

Can only be specified if the action for the rule is <span pulumi-lang-nodejs=""rateBasedBan"" pulumi-lang-dotnet=""RateBasedBan"" pulumi-lang-go=""rateBasedBan"" pulumi-lang-python=""rate_based_ban"" pulumi-lang-yaml=""rateBasedBan"" pulumi-lang-java=""rateBasedBan"">"rate_based_ban". If specified, the key will be banned for the configured 'banDurationSec' when the number of requests that exceed the 'rateLimitThreshold' also exceed this 'banThreshold'.

conformAction String

Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.

enforceOnKey String

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

enforceOnKeyConfigs List<GetRegionSecurityPolicyRuleRateLimitOptionEnforceOnKeyConfig>

enforceOnKeyName String

exceedAction String

rateLimitThresholds List<GetRegionSecurityPolicyRuleRateLimitOptionRateLimitThreshold>

Threshold at which to begin ratelimiting.

banDurationSec number

banThresholds GetRegionSecurityPolicyRuleRateLimitOptionBanThreshold[]

Can only be specified if the action for the rule is <span pulumi-lang-nodejs=""rateBasedBan"" pulumi-lang-dotnet=""RateBasedBan"" pulumi-lang-go=""rateBasedBan"" pulumi-lang-python=""rate_based_ban"" pulumi-lang-yaml=""rateBasedBan"" pulumi-lang-java=""rateBasedBan"">"rate_based_ban". If specified, the key will be banned for the configured 'banDurationSec' when the number of requests that exceed the 'rateLimitThreshold' also exceed this 'banThreshold'.

conformAction string

Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.

enforceOnKey string

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

enforceOnKeyConfigs GetRegionSecurityPolicyRuleRateLimitOptionEnforceOnKeyConfig[]

enforceOnKeyName string

exceedAction string

rateLimitThresholds GetRegionSecurityPolicyRuleRateLimitOptionRateLimitThreshold[]

Threshold at which to begin ratelimiting.

ban_duration_sec int

ban_thresholds Sequence[GetRegionSecurityPolicyRuleRateLimitOptionBanThreshold]

Can only be specified if the action for the rule is <span pulumi-lang-nodejs=""rateBasedBan"" pulumi-lang-dotnet=""RateBasedBan"" pulumi-lang-go=""rateBasedBan"" pulumi-lang-python=""rate_based_ban"" pulumi-lang-yaml=""rateBasedBan"" pulumi-lang-java=""rateBasedBan"">"rate_based_ban". If specified, the key will be banned for the configured 'banDurationSec' when the number of requests that exceed the 'rateLimitThreshold' also exceed this 'banThreshold'.

conform_action str

Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.

enforce_on_key str

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

enforce_on_key_configs Sequence[GetRegionSecurityPolicyRuleRateLimitOptionEnforceOnKeyConfig]

enforce_on_key_name str

exceed_action str

rate_limit_thresholds Sequence[GetRegionSecurityPolicyRuleRateLimitOptionRateLimitThreshold]

Threshold at which to begin ratelimiting.

banDurationSec Number

banThresholds List<Property Map>

Can only be specified if the action for the rule is <span pulumi-lang-nodejs=""rateBasedBan"" pulumi-lang-dotnet=""RateBasedBan"" pulumi-lang-go=""rateBasedBan"" pulumi-lang-python=""rate_based_ban"" pulumi-lang-yaml=""rateBasedBan"" pulumi-lang-java=""rateBasedBan"">"rate_based_ban". If specified, the key will be banned for the configured 'banDurationSec' when the number of requests that exceed the 'rateLimitThreshold' also exceed this 'banThreshold'.

conformAction String

Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.

enforceOnKey String

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

enforceOnKeyConfigs List<Property Map>

enforceOnKeyName String

exceedAction String

rateLimitThresholds List<Property Map>

Threshold at which to begin ratelimiting.

GetRegionSecurityPolicyRuleRateLimitOptionBanThreshold

Count int: Number of HTTP(S) requests for calculating the threshold.
IntervalSec int: Interval over which the threshold is computed.

Count int: Number of HTTP(S) requests for calculating the threshold.
IntervalSec int: Interval over which the threshold is computed.

count Integer: Number of HTTP(S) requests for calculating the threshold.
intervalSec Integer: Interval over which the threshold is computed.

count number: Number of HTTP(S) requests for calculating the threshold.
intervalSec number: Interval over which the threshold is computed.

count int: Number of HTTP(S) requests for calculating the threshold.
interval_sec int: Interval over which the threshold is computed.

count Number: Number of HTTP(S) requests for calculating the threshold.
intervalSec Number: Interval over which the threshold is computed.

GetRegionSecurityPolicyRuleRateLimitOptionEnforceOnKeyConfig

EnforceOnKeyName string

EnforceOnKeyType string

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

EnforceOnKeyName string

EnforceOnKeyType string

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

enforceOnKeyName String

enforceOnKeyType String

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

enforceOnKeyName string

enforceOnKeyType string

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

enforce_on_key_name str

enforce_on_key_type str

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

enforceOnKeyName String

enforceOnKeyType String

Determines the key to enforce the rateLimitThreshold on. Possible values are:

ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured.
IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
REGION_CODE: The country/region from which the request originates.
TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. Possible values: ["ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", "TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT", "USER_IP"]

GetRegionSecurityPolicyRuleRateLimitOptionRateLimitThreshold

Count int: Number of HTTP(S) requests for calculating the threshold.
IntervalSec int: Interval over which the threshold is computed.

Count int: Number of HTTP(S) requests for calculating the threshold.
IntervalSec int: Interval over which the threshold is computed.

count Integer: Number of HTTP(S) requests for calculating the threshold.
intervalSec Integer: Interval over which the threshold is computed.

count number: Number of HTTP(S) requests for calculating the threshold.
intervalSec number: Interval over which the threshold is computed.

count int: Number of HTTP(S) requests for calculating the threshold.
interval_sec int: Interval over which the threshold is computed.

count Number: Number of HTTP(S) requests for calculating the threshold.
intervalSec Number: Interval over which the threshold is computed.

GetRegionSecurityPolicyUserDefinedField

Base string

The base relative to which 'offset' is measured. Possible values are:

IPV4: Points to the beginning of the IPv4 header.
IPV6: Points to the beginning of the IPv6 header.
TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. Possible values: ["IPV4", "IPV6", "TCP", "UDP"]

Mask string

If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.

Name string

The name of the Region Security Policy.

Offset int

Offset of the first byte of the field (in network byte order) relative to 'base'.

Size int

Size of the field in bytes. Valid values: 1-4.

Base string

The base relative to which 'offset' is measured. Possible values are:

IPV4: Points to the beginning of the IPv4 header.
IPV6: Points to the beginning of the IPv6 header.
TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. Possible values: ["IPV4", "IPV6", "TCP", "UDP"]

Mask string

Name string

The name of the Region Security Policy.

Offset int

Offset of the first byte of the field (in network byte order) relative to 'base'.

Size int

Size of the field in bytes. Valid values: 1-4.

base String

The base relative to which 'offset' is measured. Possible values are:

IPV4: Points to the beginning of the IPv4 header.
IPV6: Points to the beginning of the IPv6 header.
TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. Possible values: ["IPV4", "IPV6", "TCP", "UDP"]

mask String

name String

The name of the Region Security Policy.

offset Integer

Offset of the first byte of the field (in network byte order) relative to 'base'.

size Integer

Size of the field in bytes. Valid values: 1-4.

base string

The base relative to which 'offset' is measured. Possible values are:

IPV4: Points to the beginning of the IPv4 header.
IPV6: Points to the beginning of the IPv6 header.
TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. Possible values: ["IPV4", "IPV6", "TCP", "UDP"]

mask string

name string

The name of the Region Security Policy.

offset number

Offset of the first byte of the field (in network byte order) relative to 'base'.

size number

Size of the field in bytes. Valid values: 1-4.

base str

The base relative to which 'offset' is measured. Possible values are:

IPV4: Points to the beginning of the IPv4 header.
IPV6: Points to the beginning of the IPv6 header.
TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. Possible values: ["IPV4", "IPV6", "TCP", "UDP"]

mask str

name str

The name of the Region Security Policy.

offset int

Offset of the first byte of the field (in network byte order) relative to 'base'.

size int

Size of the field in bytes. Valid values: 1-4.

base String

The base relative to which 'offset' is measured. Possible values are:

IPV4: Points to the beginning of the IPv4 header.
IPV6: Points to the beginning of the IPv6 header.
TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. Possible values: ["IPV4", "IPV6", "TCP", "UDP"]

mask String

name String

The name of the Region Security Policy.

offset Number

Offset of the first byte of the field (in network byte order) relative to 'base'.

size Number

Size of the field in bytes. Valid values: 1-4.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud v9.10.0 published on Friday, Jan 16, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

gcp.compute.getRegionSecurityPolicy

On this page

On this page

Example Usage

Using getRegionSecurityPolicy

getRegionSecurityPolicy Result

Supporting Types

GetRegionSecurityPolicyAdvancedOptionsConfig

GetRegionSecurityPolicyAdvancedOptionsConfigJsonCustomConfig

GetRegionSecurityPolicyDdosProtectionConfig

GetRegionSecurityPolicyRule

GetRegionSecurityPolicyRuleMatch

GetRegionSecurityPolicyRuleMatchConfig

GetRegionSecurityPolicyRuleMatchExpr

GetRegionSecurityPolicyRuleNetworkMatch

GetRegionSecurityPolicyRuleNetworkMatchUserDefinedField

GetRegionSecurityPolicyRulePreconfiguredWafConfig

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusion

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam

GetRegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri

GetRegionSecurityPolicyRuleRateLimitOption

GetRegionSecurityPolicyRuleRateLimitOptionBanThreshold

GetRegionSecurityPolicyRuleRateLimitOptionEnforceOnKeyConfig

GetRegionSecurityPolicyRuleRateLimitOptionRateLimitThreshold

GetRegionSecurityPolicyUserDefinedField

Package Details

On this page

On this page