1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. compute
  5. SecurityPolicy
Google Cloud Classic v7.2.2 published on Monday, Jan 1, 0001 by Pulumi

gcp.compute.SecurityPolicy

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.2.2 published on Monday, Jan 1, 0001 by Pulumi

    A Security Policy defines an IP blacklist or whitelist that protects load balanced Google Cloud services by denying or permitting traffic from specified IP ranges. For more information see the official documentation and the API.

    Security Policy is used by google_compute_backend_service.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var policy = new Gcp.Compute.SecurityPolicy("policy", new()
        {
            Rules = new[]
            {
                new Gcp.Compute.Inputs.SecurityPolicyRuleArgs
                {
                    Action = "deny(403)",
                    Description = "Deny access to IPs in 9.9.9.0/24",
                    Match = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchArgs
                    {
                        Config = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchConfigArgs
                        {
                            SrcIpRanges = new[]
                            {
                                "9.9.9.0/24",
                            },
                        },
                        VersionedExpr = "SRC_IPS_V1",
                    },
                    Priority = 1000,
                },
                new Gcp.Compute.Inputs.SecurityPolicyRuleArgs
                {
                    Action = "allow",
                    Description = "default rule",
                    Match = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchArgs
                    {
                        Config = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchConfigArgs
                        {
                            SrcIpRanges = new[]
                            {
                                "*",
                            },
                        },
                        VersionedExpr = "SRC_IPS_V1",
                    },
                    Priority = 2147483647,
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := compute.NewSecurityPolicy(ctx, "policy", &compute.SecurityPolicyArgs{
    			Rules: compute.SecurityPolicyRuleArray{
    				&compute.SecurityPolicyRuleArgs{
    					Action:      pulumi.String("deny(403)"),
    					Description: pulumi.String("Deny access to IPs in 9.9.9.0/24"),
    					Match: &compute.SecurityPolicyRuleMatchArgs{
    						Config: &compute.SecurityPolicyRuleMatchConfigArgs{
    							SrcIpRanges: pulumi.StringArray{
    								pulumi.String("9.9.9.0/24"),
    							},
    						},
    						VersionedExpr: pulumi.String("SRC_IPS_V1"),
    					},
    					Priority: pulumi.Int(1000),
    				},
    				&compute.SecurityPolicyRuleArgs{
    					Action:      pulumi.String("allow"),
    					Description: pulumi.String("default rule"),
    					Match: &compute.SecurityPolicyRuleMatchArgs{
    						Config: &compute.SecurityPolicyRuleMatchConfigArgs{
    							SrcIpRanges: pulumi.StringArray{
    								pulumi.String("*"),
    							},
    						},
    						VersionedExpr: pulumi.String("SRC_IPS_V1"),
    					},
    					Priority: pulumi.Int(2147483647),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.compute.SecurityPolicy;
    import com.pulumi.gcp.compute.SecurityPolicyArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchConfigArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var policy = new SecurityPolicy("policy", SecurityPolicyArgs.builder()        
                .rules(            
                    SecurityPolicyRuleArgs.builder()
                        .action("deny(403)")
                        .description("Deny access to IPs in 9.9.9.0/24")
                        .match(SecurityPolicyRuleMatchArgs.builder()
                            .config(SecurityPolicyRuleMatchConfigArgs.builder()
                                .srcIpRanges("9.9.9.0/24")
                                .build())
                            .versionedExpr("SRC_IPS_V1")
                            .build())
                        .priority("1000")
                        .build(),
                    SecurityPolicyRuleArgs.builder()
                        .action("allow")
                        .description("default rule")
                        .match(SecurityPolicyRuleMatchArgs.builder()
                            .config(SecurityPolicyRuleMatchConfigArgs.builder()
                                .srcIpRanges("*")
                                .build())
                            .versionedExpr("SRC_IPS_V1")
                            .build())
                        .priority("2147483647")
                        .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_gcp as gcp
    
    policy = gcp.compute.SecurityPolicy("policy", rules=[
        gcp.compute.SecurityPolicyRuleArgs(
            action="deny(403)",
            description="Deny access to IPs in 9.9.9.0/24",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["9.9.9.0/24"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=1000,
        ),
        gcp.compute.SecurityPolicyRuleArgs(
            action="allow",
            description="default rule",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=2147483647,
        ),
    ])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const policy = new gcp.compute.SecurityPolicy("policy", {rules: [
        {
            action: "deny(403)",
            description: "Deny access to IPs in 9.9.9.0/24",
            match: {
                config: {
                    srcIpRanges: ["9.9.9.0/24"],
                },
                versionedExpr: "SRC_IPS_V1",
            },
            priority: 1000,
        },
        {
            action: "allow",
            description: "default rule",
            match: {
                config: {
                    srcIpRanges: ["*"],
                },
                versionedExpr: "SRC_IPS_V1",
            },
            priority: 2147483647,
        },
    ]});
    
    resources:
      policy:
        type: gcp:compute:SecurityPolicy
        properties:
          rules:
            - action: deny(403)
              description: Deny access to IPs in 9.9.9.0/24
              match:
                config:
                  srcIpRanges:
                    - 9.9.9.0/24
                versionedExpr: SRC_IPS_V1
              priority: '1000'
            - action: allow
              description: default rule
              match:
                config:
                  srcIpRanges:
                    - '*'
                versionedExpr: SRC_IPS_V1
              priority: '2147483647'
    

    With ReCAPTCHA Configuration Options

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var primary = new Gcp.Recaptcha.EnterpriseKey("primary", new()
        {
            DisplayName = "display-name",
            Labels = 
            {
                { "label-one", "value-one" },
            },
            Project = "my-project-name",
            WebSettings = new Gcp.Recaptcha.Inputs.EnterpriseKeyWebSettingsArgs
            {
                IntegrationType = "INVISIBLE",
                AllowAllDomains = true,
                AllowedDomains = new[]
                {
                    "localhost",
                },
            },
        });
    
        var policy = new Gcp.Compute.SecurityPolicy("policy", new()
        {
            Description = "basic security policy",
            Type = "CLOUD_ARMOR",
            RecaptchaOptionsConfig = new Gcp.Compute.Inputs.SecurityPolicyRecaptchaOptionsConfigArgs
            {
                RedirectSiteKey = primary.Name,
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/recaptcha"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		primary, err := recaptcha.NewEnterpriseKey(ctx, "primary", &recaptcha.EnterpriseKeyArgs{
    			DisplayName: pulumi.String("display-name"),
    			Labels: pulumi.StringMap{
    				"label-one": pulumi.String("value-one"),
    			},
    			Project: pulumi.String("my-project-name"),
    			WebSettings: &recaptcha.EnterpriseKeyWebSettingsArgs{
    				IntegrationType: pulumi.String("INVISIBLE"),
    				AllowAllDomains: pulumi.Bool(true),
    				AllowedDomains: pulumi.StringArray{
    					pulumi.String("localhost"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = compute.NewSecurityPolicy(ctx, "policy", &compute.SecurityPolicyArgs{
    			Description: pulumi.String("basic security policy"),
    			Type:        pulumi.String("CLOUD_ARMOR"),
    			RecaptchaOptionsConfig: &compute.SecurityPolicyRecaptchaOptionsConfigArgs{
    				RedirectSiteKey: primary.Name,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.recaptcha.EnterpriseKey;
    import com.pulumi.gcp.recaptcha.EnterpriseKeyArgs;
    import com.pulumi.gcp.recaptcha.inputs.EnterpriseKeyWebSettingsArgs;
    import com.pulumi.gcp.compute.SecurityPolicy;
    import com.pulumi.gcp.compute.SecurityPolicyArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRecaptchaOptionsConfigArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var primary = new EnterpriseKey("primary", EnterpriseKeyArgs.builder()        
                .displayName("display-name")
                .labels(Map.of("label-one", "value-one"))
                .project("my-project-name")
                .webSettings(EnterpriseKeyWebSettingsArgs.builder()
                    .integrationType("INVISIBLE")
                    .allowAllDomains(true)
                    .allowedDomains("localhost")
                    .build())
                .build());
    
            var policy = new SecurityPolicy("policy", SecurityPolicyArgs.builder()        
                .description("basic security policy")
                .type("CLOUD_ARMOR")
                .recaptchaOptionsConfig(SecurityPolicyRecaptchaOptionsConfigArgs.builder()
                    .redirectSiteKey(primary.name())
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_gcp as gcp
    
    primary = gcp.recaptcha.EnterpriseKey("primary",
        display_name="display-name",
        labels={
            "label-one": "value-one",
        },
        project="my-project-name",
        web_settings=gcp.recaptcha.EnterpriseKeyWebSettingsArgs(
            integration_type="INVISIBLE",
            allow_all_domains=True,
            allowed_domains=["localhost"],
        ))
    policy = gcp.compute.SecurityPolicy("policy",
        description="basic security policy",
        type="CLOUD_ARMOR",
        recaptcha_options_config=gcp.compute.SecurityPolicyRecaptchaOptionsConfigArgs(
            redirect_site_key=primary.name,
        ))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const primary = new gcp.recaptcha.EnterpriseKey("primary", {
        displayName: "display-name",
        labels: {
            "label-one": "value-one",
        },
        project: "my-project-name",
        webSettings: {
            integrationType: "INVISIBLE",
            allowAllDomains: true,
            allowedDomains: ["localhost"],
        },
    });
    const policy = new gcp.compute.SecurityPolicy("policy", {
        description: "basic security policy",
        type: "CLOUD_ARMOR",
        recaptchaOptionsConfig: {
            redirectSiteKey: primary.name,
        },
    });
    
    resources:
      primary:
        type: gcp:recaptcha:EnterpriseKey
        properties:
          displayName: display-name
          labels:
            label-one: value-one
          project: my-project-name
          webSettings:
            integrationType: INVISIBLE
            allowAllDomains: true
            allowedDomains:
              - localhost
      policy:
        type: gcp:compute:SecurityPolicy
        properties:
          description: basic security policy
          type: CLOUD_ARMOR
          recaptchaOptionsConfig:
            redirectSiteKey: ${primary.name}
    

    With Header Actions

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var policy = new Gcp.Compute.SecurityPolicy("policy", new()
        {
            Rules = new[]
            {
                new Gcp.Compute.Inputs.SecurityPolicyRuleArgs
                {
                    Action = "allow",
                    Description = "default rule",
                    Match = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchArgs
                    {
                        Config = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchConfigArgs
                        {
                            SrcIpRanges = new[]
                            {
                                "*",
                            },
                        },
                        VersionedExpr = "SRC_IPS_V1",
                    },
                    Priority = 2147483647,
                },
                new Gcp.Compute.Inputs.SecurityPolicyRuleArgs
                {
                    Action = "allow",
                    HeaderAction = new Gcp.Compute.Inputs.SecurityPolicyRuleHeaderActionArgs
                    {
                        RequestHeadersToAdds = new[]
                        {
                            new Gcp.Compute.Inputs.SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs
                            {
                                HeaderName = "reCAPTCHA-Warning",
                                HeaderValue = "high",
                            },
                            new Gcp.Compute.Inputs.SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs
                            {
                                HeaderName = "X-Resource",
                                HeaderValue = "test",
                            },
                        },
                    },
                    Match = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchArgs
                    {
                        Expr = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchExprArgs
                        {
                            Expression = "request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2",
                        },
                    },
                    Priority = 1000,
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := compute.NewSecurityPolicy(ctx, "policy", &compute.SecurityPolicyArgs{
    			Rules: compute.SecurityPolicyRuleArray{
    				&compute.SecurityPolicyRuleArgs{
    					Action:      pulumi.String("allow"),
    					Description: pulumi.String("default rule"),
    					Match: &compute.SecurityPolicyRuleMatchArgs{
    						Config: &compute.SecurityPolicyRuleMatchConfigArgs{
    							SrcIpRanges: pulumi.StringArray{
    								pulumi.String("*"),
    							},
    						},
    						VersionedExpr: pulumi.String("SRC_IPS_V1"),
    					},
    					Priority: pulumi.Int(2147483647),
    				},
    				&compute.SecurityPolicyRuleArgs{
    					Action: pulumi.String("allow"),
    					HeaderAction: &compute.SecurityPolicyRuleHeaderActionArgs{
    						RequestHeadersToAdds: compute.SecurityPolicyRuleHeaderActionRequestHeadersToAddArray{
    							&compute.SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs{
    								HeaderName:  pulumi.String("reCAPTCHA-Warning"),
    								HeaderValue: pulumi.String("high"),
    							},
    							&compute.SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs{
    								HeaderName:  pulumi.String("X-Resource"),
    								HeaderValue: pulumi.String("test"),
    							},
    						},
    					},
    					Match: &compute.SecurityPolicyRuleMatchArgs{
    						Expr: &compute.SecurityPolicyRuleMatchExprArgs{
    							Expression: pulumi.String("request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2"),
    						},
    					},
    					Priority: pulumi.Int(1000),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.compute.SecurityPolicy;
    import com.pulumi.gcp.compute.SecurityPolicyArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchConfigArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleHeaderActionArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchExprArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var policy = new SecurityPolicy("policy", SecurityPolicyArgs.builder()        
                .rules(            
                    SecurityPolicyRuleArgs.builder()
                        .action("allow")
                        .description("default rule")
                        .match(SecurityPolicyRuleMatchArgs.builder()
                            .config(SecurityPolicyRuleMatchConfigArgs.builder()
                                .srcIpRanges("*")
                                .build())
                            .versionedExpr("SRC_IPS_V1")
                            .build())
                        .priority("2147483647")
                        .build(),
                    SecurityPolicyRuleArgs.builder()
                        .action("allow")
                        .headerAction(SecurityPolicyRuleHeaderActionArgs.builder()
                            .requestHeadersToAdds(                        
                                SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs.builder()
                                    .headerName("reCAPTCHA-Warning")
                                    .headerValue("high")
                                    .build(),
                                SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs.builder()
                                    .headerName("X-Resource")
                                    .headerValue("test")
                                    .build())
                            .build())
                        .match(SecurityPolicyRuleMatchArgs.builder()
                            .expr(SecurityPolicyRuleMatchExprArgs.builder()
                                .expression("request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2")
                                .build())
                            .build())
                        .priority("1000")
                        .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_gcp as gcp
    
    policy = gcp.compute.SecurityPolicy("policy", rules=[
        gcp.compute.SecurityPolicyRuleArgs(
            action="allow",
            description="default rule",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=2147483647,
        ),
        gcp.compute.SecurityPolicyRuleArgs(
            action="allow",
            header_action=gcp.compute.SecurityPolicyRuleHeaderActionArgs(
                request_headers_to_adds=[
                    gcp.compute.SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs(
                        header_name="reCAPTCHA-Warning",
                        header_value="high",
                    ),
                    gcp.compute.SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs(
                        header_name="X-Resource",
                        header_value="test",
                    ),
                ],
            ),
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                expr=gcp.compute.SecurityPolicyRuleMatchExprArgs(
                    expression="request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2",
                ),
            ),
            priority=1000,
        ),
    ])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const policy = new gcp.compute.SecurityPolicy("policy", {rules: [
        {
            action: "allow",
            description: "default rule",
            match: {
                config: {
                    srcIpRanges: ["*"],
                },
                versionedExpr: "SRC_IPS_V1",
            },
            priority: 2147483647,
        },
        {
            action: "allow",
            headerAction: {
                requestHeadersToAdds: [
                    {
                        headerName: "reCAPTCHA-Warning",
                        headerValue: "high",
                    },
                    {
                        headerName: "X-Resource",
                        headerValue: "test",
                    },
                ],
            },
            match: {
                expr: {
                    expression: "request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2",
                },
            },
            priority: 1000,
        },
    ]});
    
    resources:
      policy:
        type: gcp:compute:SecurityPolicy
        properties:
          rules:
            - action: allow
              description: default rule
              match:
                config:
                  srcIpRanges:
                    - '*'
                versionedExpr: SRC_IPS_V1
              priority: '2147483647'
            - action: allow
              headerAction:
                requestHeadersToAdds:
                  - headerName: reCAPTCHA-Warning
                    headerValue: high
                  - headerName: X-Resource
                    headerValue: test
              match:
                expr:
                  expression: request.path.matches("/login.html") && token.recaptcha_session.score < 0.2
              priority: '1000'
    

    With EnforceOnKey Value As Empty String

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var policy = new Gcp.Compute.SecurityPolicy("policy", new()
        {
            Description = "throttle rule with enforce_on_key_configs",
            Rules = new[]
            {
                new Gcp.Compute.Inputs.SecurityPolicyRuleArgs
                {
                    Action = "throttle",
                    Description = "default rule",
                    Match = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchArgs
                    {
                        Config = new Gcp.Compute.Inputs.SecurityPolicyRuleMatchConfigArgs
                        {
                            SrcIpRanges = new[]
                            {
                                "*",
                            },
                        },
                        VersionedExpr = "SRC_IPS_V1",
                    },
                    Priority = 2147483647,
                    RateLimitOptions = new Gcp.Compute.Inputs.SecurityPolicyRuleRateLimitOptionsArgs
                    {
                        ConformAction = "allow",
                        EnforceOnKey = "",
                        EnforceOnKeyConfigs = new[]
                        {
                            new Gcp.Compute.Inputs.SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs
                            {
                                EnforceOnKeyType = "IP",
                            },
                        },
                        ExceedAction = "redirect",
                        ExceedRedirectOptions = new Gcp.Compute.Inputs.SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs
                        {
                            Target = "<https://www.example.com>",
                            Type = "EXTERNAL_302",
                        },
                        RateLimitThreshold = new Gcp.Compute.Inputs.SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs
                        {
                            Count = 10,
                            IntervalSec = 60,
                        },
                    },
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := compute.NewSecurityPolicy(ctx, "policy", &compute.SecurityPolicyArgs{
    			Description: pulumi.String("throttle rule with enforce_on_key_configs"),
    			Rules: compute.SecurityPolicyRuleArray{
    				&compute.SecurityPolicyRuleArgs{
    					Action:      pulumi.String("throttle"),
    					Description: pulumi.String("default rule"),
    					Match: &compute.SecurityPolicyRuleMatchArgs{
    						Config: &compute.SecurityPolicyRuleMatchConfigArgs{
    							SrcIpRanges: pulumi.StringArray{
    								pulumi.String("*"),
    							},
    						},
    						VersionedExpr: pulumi.String("SRC_IPS_V1"),
    					},
    					Priority: pulumi.Int(2147483647),
    					RateLimitOptions: &compute.SecurityPolicyRuleRateLimitOptionsArgs{
    						ConformAction: pulumi.String("allow"),
    						EnforceOnKey:  pulumi.String(""),
    						EnforceOnKeyConfigs: compute.SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArray{
    							&compute.SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs{
    								EnforceOnKeyType: pulumi.String("IP"),
    							},
    						},
    						ExceedAction: pulumi.String("redirect"),
    						ExceedRedirectOptions: &compute.SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs{
    							Target: pulumi.String("<https://www.example.com>"),
    							Type:   pulumi.String("EXTERNAL_302"),
    						},
    						RateLimitThreshold: &compute.SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs{
    							Count:       pulumi.Int(10),
    							IntervalSec: pulumi.Int(60),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.compute.SecurityPolicy;
    import com.pulumi.gcp.compute.SecurityPolicyArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchConfigArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleRateLimitOptionsArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs;
    import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var policy = new SecurityPolicy("policy", SecurityPolicyArgs.builder()        
                .description("throttle rule with enforce_on_key_configs")
                .rules(SecurityPolicyRuleArgs.builder()
                    .action("throttle")
                    .description("default rule")
                    .match(SecurityPolicyRuleMatchArgs.builder()
                        .config(SecurityPolicyRuleMatchConfigArgs.builder()
                            .srcIpRanges("*")
                            .build())
                        .versionedExpr("SRC_IPS_V1")
                        .build())
                    .priority("2147483647")
                    .rateLimitOptions(SecurityPolicyRuleRateLimitOptionsArgs.builder()
                        .conformAction("allow")
                        .enforceOnKey("")
                        .enforceOnKeyConfigs(SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs.builder()
                            .enforceOnKeyType("IP")
                            .build())
                        .exceedAction("redirect")
                        .exceedRedirectOptions(SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs.builder()
                            .target("<https://www.example.com>")
                            .type("EXTERNAL_302")
                            .build())
                        .rateLimitThreshold(SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs.builder()
                            .count(10)
                            .intervalSec(60)
                            .build())
                        .build())
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_gcp as gcp
    
    policy = gcp.compute.SecurityPolicy("policy",
        description="throttle rule with enforce_on_key_configs",
        rules=[gcp.compute.SecurityPolicyRuleArgs(
            action="throttle",
            description="default rule",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=2147483647,
            rate_limit_options=gcp.compute.SecurityPolicyRuleRateLimitOptionsArgs(
                conform_action="allow",
                enforce_on_key="",
                enforce_on_key_configs=[gcp.compute.SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs(
                    enforce_on_key_type="IP",
                )],
                exceed_action="redirect",
                exceed_redirect_options=gcp.compute.SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs(
                    target="<https://www.example.com>",
                    type="EXTERNAL_302",
                ),
                rate_limit_threshold=gcp.compute.SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs(
                    count=10,
                    interval_sec=60,
                ),
            ),
        )])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const policy = new gcp.compute.SecurityPolicy("policy", {
        description: "throttle rule with enforce_on_key_configs",
        rules: [{
            action: "throttle",
            description: "default rule",
            match: {
                config: {
                    srcIpRanges: ["*"],
                },
                versionedExpr: "SRC_IPS_V1",
            },
            priority: 2147483647,
            rateLimitOptions: {
                conformAction: "allow",
                enforceOnKey: "",
                enforceOnKeyConfigs: [{
                    enforceOnKeyType: "IP",
                }],
                exceedAction: "redirect",
                exceedRedirectOptions: {
                    target: "<https://www.example.com>",
                    type: "EXTERNAL_302",
                },
                rateLimitThreshold: {
                    count: 10,
                    intervalSec: 60,
                },
            },
        }],
    });
    
    resources:
      policy:
        type: gcp:compute:SecurityPolicy
        properties:
          description: throttle rule with enforce_on_key_configs
          rules:
            - action: throttle
              description: default rule
              match:
                config:
                  srcIpRanges:
                    - '*'
                versionedExpr: SRC_IPS_V1
              priority: '2147483647'
              rateLimitOptions:
                conformAction: allow
                enforceOnKey:
                enforceOnKeyConfigs:
                  - enforceOnKeyType: IP
                exceedAction: redirect
                exceedRedirectOptions:
                  target: <https://www.example.com>
                  type: EXTERNAL_302
                rateLimitThreshold:
                  count: 10
                  intervalSec: 60
    

    Create SecurityPolicy Resource

    new SecurityPolicy(name: string, args?: SecurityPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def SecurityPolicy(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       adaptive_protection_config: Optional[SecurityPolicyAdaptiveProtectionConfigArgs] = None,
                       advanced_options_config: Optional[SecurityPolicyAdvancedOptionsConfigArgs] = None,
                       description: Optional[str] = None,
                       name: Optional[str] = None,
                       project: Optional[str] = None,
                       recaptcha_options_config: Optional[SecurityPolicyRecaptchaOptionsConfigArgs] = None,
                       rules: Optional[Sequence[SecurityPolicyRuleArgs]] = None,
                       type: Optional[str] = None)
    @overload
    def SecurityPolicy(resource_name: str,
                       args: Optional[SecurityPolicyArgs] = None,
                       opts: Optional[ResourceOptions] = None)
    func NewSecurityPolicy(ctx *Context, name string, args *SecurityPolicyArgs, opts ...ResourceOption) (*SecurityPolicy, error)
    public SecurityPolicy(string name, SecurityPolicyArgs? args = null, CustomResourceOptions? opts = null)
    public SecurityPolicy(String name, SecurityPolicyArgs args)
    public SecurityPolicy(String name, SecurityPolicyArgs args, CustomResourceOptions options)
    
    type: gcp:compute:SecurityPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args SecurityPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecurityPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecurityPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecurityPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecurityPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    SecurityPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecurityPolicy resource accepts the following input properties:

    AdaptiveProtectionConfig SecurityPolicyAdaptiveProtectionConfig

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    AdvancedOptionsConfig SecurityPolicyAdvancedOptionsConfig

    Advanced Configuration Options. Structure is documented below.

    Description string

    An optional description of this security policy. Max size is 2048.

    Name string

    The name of the security policy.


    Project string

    The project in which the resource belongs. If it is not provided, the provider project is used.

    RecaptchaOptionsConfig SecurityPolicyRecaptchaOptionsConfig

    reCAPTCHA Configuration Options. Structure is documented below.

    Rules List<SecurityPolicyRule>

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    Type string

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    AdaptiveProtectionConfig SecurityPolicyAdaptiveProtectionConfigArgs

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    AdvancedOptionsConfig SecurityPolicyAdvancedOptionsConfigArgs

    Advanced Configuration Options. Structure is documented below.

    Description string

    An optional description of this security policy. Max size is 2048.

    Name string

    The name of the security policy.


    Project string

    The project in which the resource belongs. If it is not provided, the provider project is used.

    RecaptchaOptionsConfig SecurityPolicyRecaptchaOptionsConfigArgs

    reCAPTCHA Configuration Options. Structure is documented below.

    Rules []SecurityPolicyRuleArgs

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    Type string

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    adaptiveProtectionConfig SecurityPolicyAdaptiveProtectionConfig

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    advancedOptionsConfig SecurityPolicyAdvancedOptionsConfig

    Advanced Configuration Options. Structure is documented below.

    description String

    An optional description of this security policy. Max size is 2048.

    name String

    The name of the security policy.


    project String

    The project in which the resource belongs. If it is not provided, the provider project is used.

    recaptchaOptionsConfig SecurityPolicyRecaptchaOptionsConfig

    reCAPTCHA Configuration Options. Structure is documented below.

    rules List<SecurityPolicyRule>

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    type String

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    adaptiveProtectionConfig SecurityPolicyAdaptiveProtectionConfig

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    advancedOptionsConfig SecurityPolicyAdvancedOptionsConfig

    Advanced Configuration Options. Structure is documented below.

    description string

    An optional description of this security policy. Max size is 2048.

    name string

    The name of the security policy.


    project string

    The project in which the resource belongs. If it is not provided, the provider project is used.

    recaptchaOptionsConfig SecurityPolicyRecaptchaOptionsConfig

    reCAPTCHA Configuration Options. Structure is documented below.

    rules SecurityPolicyRule[]

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    type string

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    adaptive_protection_config SecurityPolicyAdaptiveProtectionConfigArgs

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    advanced_options_config SecurityPolicyAdvancedOptionsConfigArgs

    Advanced Configuration Options. Structure is documented below.

    description str

    An optional description of this security policy. Max size is 2048.

    name str

    The name of the security policy.


    project str

    The project in which the resource belongs. If it is not provided, the provider project is used.

    recaptcha_options_config SecurityPolicyRecaptchaOptionsConfigArgs

    reCAPTCHA Configuration Options. Structure is documented below.

    rules Sequence[SecurityPolicyRuleArgs]

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    type str

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    adaptiveProtectionConfig Property Map

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    advancedOptionsConfig Property Map

    Advanced Configuration Options. Structure is documented below.

    description String

    An optional description of this security policy. Max size is 2048.

    name String

    The name of the security policy.


    project String

    The project in which the resource belongs. If it is not provided, the provider project is used.

    recaptchaOptionsConfig Property Map

    reCAPTCHA Configuration Options. Structure is documented below.

    rules List<Property Map>

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    type String

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecurityPolicy resource produces the following output properties:

    Fingerprint string

    Fingerprint of this resource.

    Id string

    The provider-assigned unique ID for this managed resource.

    SelfLink string

    The URI of the created resource.

    Fingerprint string

    Fingerprint of this resource.

    Id string

    The provider-assigned unique ID for this managed resource.

    SelfLink string

    The URI of the created resource.

    fingerprint String

    Fingerprint of this resource.

    id String

    The provider-assigned unique ID for this managed resource.

    selfLink String

    The URI of the created resource.

    fingerprint string

    Fingerprint of this resource.

    id string

    The provider-assigned unique ID for this managed resource.

    selfLink string

    The URI of the created resource.

    fingerprint str

    Fingerprint of this resource.

    id str

    The provider-assigned unique ID for this managed resource.

    self_link str

    The URI of the created resource.

    fingerprint String

    Fingerprint of this resource.

    id String

    The provider-assigned unique ID for this managed resource.

    selfLink String

    The URI of the created resource.

    Look up Existing SecurityPolicy Resource

    Get an existing SecurityPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecurityPolicyState, opts?: CustomResourceOptions): SecurityPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            adaptive_protection_config: Optional[SecurityPolicyAdaptiveProtectionConfigArgs] = None,
            advanced_options_config: Optional[SecurityPolicyAdvancedOptionsConfigArgs] = None,
            description: Optional[str] = None,
            fingerprint: Optional[str] = None,
            name: Optional[str] = None,
            project: Optional[str] = None,
            recaptcha_options_config: Optional[SecurityPolicyRecaptchaOptionsConfigArgs] = None,
            rules: Optional[Sequence[SecurityPolicyRuleArgs]] = None,
            self_link: Optional[str] = None,
            type: Optional[str] = None) -> SecurityPolicy
    func GetSecurityPolicy(ctx *Context, name string, id IDInput, state *SecurityPolicyState, opts ...ResourceOption) (*SecurityPolicy, error)
    public static SecurityPolicy Get(string name, Input<string> id, SecurityPolicyState? state, CustomResourceOptions? opts = null)
    public static SecurityPolicy get(String name, Output<String> id, SecurityPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AdaptiveProtectionConfig SecurityPolicyAdaptiveProtectionConfig

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    AdvancedOptionsConfig SecurityPolicyAdvancedOptionsConfig

    Advanced Configuration Options. Structure is documented below.

    Description string

    An optional description of this security policy. Max size is 2048.

    Fingerprint string

    Fingerprint of this resource.

    Name string

    The name of the security policy.


    Project string

    The project in which the resource belongs. If it is not provided, the provider project is used.

    RecaptchaOptionsConfig SecurityPolicyRecaptchaOptionsConfig

    reCAPTCHA Configuration Options. Structure is documented below.

    Rules List<SecurityPolicyRule>

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    SelfLink string

    The URI of the created resource.

    Type string

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    AdaptiveProtectionConfig SecurityPolicyAdaptiveProtectionConfigArgs

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    AdvancedOptionsConfig SecurityPolicyAdvancedOptionsConfigArgs

    Advanced Configuration Options. Structure is documented below.

    Description string

    An optional description of this security policy. Max size is 2048.

    Fingerprint string

    Fingerprint of this resource.

    Name string

    The name of the security policy.


    Project string

    The project in which the resource belongs. If it is not provided, the provider project is used.

    RecaptchaOptionsConfig SecurityPolicyRecaptchaOptionsConfigArgs

    reCAPTCHA Configuration Options. Structure is documented below.

    Rules []SecurityPolicyRuleArgs

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    SelfLink string

    The URI of the created resource.

    Type string

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    adaptiveProtectionConfig SecurityPolicyAdaptiveProtectionConfig

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    advancedOptionsConfig SecurityPolicyAdvancedOptionsConfig

    Advanced Configuration Options. Structure is documented below.

    description String

    An optional description of this security policy. Max size is 2048.

    fingerprint String

    Fingerprint of this resource.

    name String

    The name of the security policy.


    project String

    The project in which the resource belongs. If it is not provided, the provider project is used.

    recaptchaOptionsConfig SecurityPolicyRecaptchaOptionsConfig

    reCAPTCHA Configuration Options. Structure is documented below.

    rules List<SecurityPolicyRule>

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    selfLink String

    The URI of the created resource.

    type String

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    adaptiveProtectionConfig SecurityPolicyAdaptiveProtectionConfig

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    advancedOptionsConfig SecurityPolicyAdvancedOptionsConfig

    Advanced Configuration Options. Structure is documented below.

    description string

    An optional description of this security policy. Max size is 2048.

    fingerprint string

    Fingerprint of this resource.

    name string

    The name of the security policy.


    project string

    The project in which the resource belongs. If it is not provided, the provider project is used.

    recaptchaOptionsConfig SecurityPolicyRecaptchaOptionsConfig

    reCAPTCHA Configuration Options. Structure is documented below.

    rules SecurityPolicyRule[]

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    selfLink string

    The URI of the created resource.

    type string

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    adaptive_protection_config SecurityPolicyAdaptiveProtectionConfigArgs

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    advanced_options_config SecurityPolicyAdvancedOptionsConfigArgs

    Advanced Configuration Options. Structure is documented below.

    description str

    An optional description of this security policy. Max size is 2048.

    fingerprint str

    Fingerprint of this resource.

    name str

    The name of the security policy.


    project str

    The project in which the resource belongs. If it is not provided, the provider project is used.

    recaptcha_options_config SecurityPolicyRecaptchaOptionsConfigArgs

    reCAPTCHA Configuration Options. Structure is documented below.

    rules Sequence[SecurityPolicyRuleArgs]

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    self_link str

    The URI of the created resource.

    type str

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    adaptiveProtectionConfig Property Map

    Configuration for Google Cloud Armor Adaptive Protection. Structure is documented below.

    advancedOptionsConfig Property Map

    Advanced Configuration Options. Structure is documented below.

    description String

    An optional description of this security policy. Max size is 2048.

    fingerprint String

    Fingerprint of this resource.

    name String

    The name of the security policy.


    project String

    The project in which the resource belongs. If it is not provided, the provider project is used.

    recaptchaOptionsConfig Property Map

    reCAPTCHA Configuration Options. Structure is documented below.

    rules List<Property Map>

    The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

    selfLink String

    The URI of the created resource.

    type String

    The type indicates the intended use of the security policy. This field can be set only at resource creation time.

    Supporting Types

    SecurityPolicyAdaptiveProtectionConfig, SecurityPolicyAdaptiveProtectionConfigArgs

    autoDeployConfig Property Map

    ) Configuration for Automatically deploy Adaptive Protection suggested rules. Structure is documented below.

    The layer_7_ddos_defense_config block supports:

    layer7DdosDefenseConfig Property Map

    Configuration for Google Cloud Armor Adaptive Protection Layer 7 DDoS Defense. Structure is documented below.

    SecurityPolicyAdaptiveProtectionConfigAutoDeployConfig, SecurityPolicyAdaptiveProtectionConfigAutoDeployConfigArgs

    ConfidenceThreshold double

    Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.

    ExpirationSec int

    Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration. The rule continues to operate against new requests.

    ImpactedBaselineThreshold double

    Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.

    LoadThreshold double

    Identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.

    ConfidenceThreshold float64

    Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.

    ExpirationSec int

    Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration. The rule continues to operate against new requests.

    ImpactedBaselineThreshold float64

    Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.

    LoadThreshold float64

    Identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.

    confidenceThreshold Double

    Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.

    expirationSec Integer

    Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration. The rule continues to operate against new requests.

    impactedBaselineThreshold Double

    Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.

    loadThreshold Double

    Identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.

    confidenceThreshold number

    Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.

    expirationSec number

    Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration. The rule continues to operate against new requests.

    impactedBaselineThreshold number

    Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.

    loadThreshold number

    Identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.

    confidence_threshold float

    Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.

    expiration_sec int

    Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration. The rule continues to operate against new requests.

    impacted_baseline_threshold float

    Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.

    load_threshold float

    Identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.

    confidenceThreshold Number

    Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.

    expirationSec Number

    Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration. The rule continues to operate against new requests.

    impactedBaselineThreshold Number

    Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.

    loadThreshold Number

    Identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.

    SecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfig, SecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfigArgs

    Enable bool

    If set to true, enables CAAP for L7 DDoS detection.

    RuleVisibility string

    Rule visibility can be one of the following:

    Enable bool

    If set to true, enables CAAP for L7 DDoS detection.

    RuleVisibility string

    Rule visibility can be one of the following:

    enable Boolean

    If set to true, enables CAAP for L7 DDoS detection.

    ruleVisibility String

    Rule visibility can be one of the following:

    enable boolean

    If set to true, enables CAAP for L7 DDoS detection.

    ruleVisibility string

    Rule visibility can be one of the following:

    enable bool

    If set to true, enables CAAP for L7 DDoS detection.

    rule_visibility str

    Rule visibility can be one of the following:

    enable Boolean

    If set to true, enables CAAP for L7 DDoS detection.

    ruleVisibility String

    Rule visibility can be one of the following:

    SecurityPolicyAdvancedOptionsConfig, SecurityPolicyAdvancedOptionsConfigArgs

    JsonCustomConfig SecurityPolicyAdvancedOptionsConfigJsonCustomConfig

    Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD. Structure is documented below.

    JsonParsing string

    Whether or not to JSON parse the payload body. Defaults to DISABLED.

    LogLevel string

    Log level to use. Defaults to NORMAL.

    UserIpRequestHeaders List<string>

    ) An optional list of case-insensitive request header names to use for resolving the callers client IP address.

    JsonCustomConfig SecurityPolicyAdvancedOptionsConfigJsonCustomConfig

    Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD. Structure is documented below.

    JsonParsing string

    Whether or not to JSON parse the payload body. Defaults to DISABLED.

    LogLevel string

    Log level to use. Defaults to NORMAL.

    UserIpRequestHeaders []string

    ) An optional list of case-insensitive request header names to use for resolving the callers client IP address.

    jsonCustomConfig SecurityPolicyAdvancedOptionsConfigJsonCustomConfig

    Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD. Structure is documented below.

    jsonParsing String

    Whether or not to JSON parse the payload body. Defaults to DISABLED.

    logLevel String

    Log level to use. Defaults to NORMAL.

    userIpRequestHeaders List<String>

    ) An optional list of case-insensitive request header names to use for resolving the callers client IP address.

    jsonCustomConfig SecurityPolicyAdvancedOptionsConfigJsonCustomConfig

    Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD. Structure is documented below.

    jsonParsing string

    Whether or not to JSON parse the payload body. Defaults to DISABLED.

    logLevel string

    Log level to use. Defaults to NORMAL.

    userIpRequestHeaders string[]

    ) An optional list of case-insensitive request header names to use for resolving the callers client IP address.

    json_custom_config SecurityPolicyAdvancedOptionsConfigJsonCustomConfig

    Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD. Structure is documented below.

    json_parsing str

    Whether or not to JSON parse the payload body. Defaults to DISABLED.

    log_level str

    Log level to use. Defaults to NORMAL.

    user_ip_request_headers Sequence[str]

    ) An optional list of case-insensitive request header names to use for resolving the callers client IP address.

    jsonCustomConfig Property Map

    Custom configuration to apply the JSON parsing. Only applicable when json_parsing is set to STANDARD. Structure is documented below.

    jsonParsing String

    Whether or not to JSON parse the payload body. Defaults to DISABLED.

    logLevel String

    Log level to use. Defaults to NORMAL.

    userIpRequestHeaders List<String>

    ) An optional list of case-insensitive request header names to use for resolving the callers client IP address.

    SecurityPolicyAdvancedOptionsConfigJsonCustomConfig, SecurityPolicyAdvancedOptionsConfigJsonCustomConfigArgs

    ContentTypes List<string>

    A list of custom Content-Type header values to apply the JSON parsing. The format of the Content-Type header values is defined in RFC 1341. When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.

    ContentTypes []string

    A list of custom Content-Type header values to apply the JSON parsing. The format of the Content-Type header values is defined in RFC 1341. When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.

    contentTypes List<String>

    A list of custom Content-Type header values to apply the JSON parsing. The format of the Content-Type header values is defined in RFC 1341. When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.

    contentTypes string[]

    A list of custom Content-Type header values to apply the JSON parsing. The format of the Content-Type header values is defined in RFC 1341. When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.

    content_types Sequence[str]

    A list of custom Content-Type header values to apply the JSON parsing. The format of the Content-Type header values is defined in RFC 1341. When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.

    contentTypes List<String>

    A list of custom Content-Type header values to apply the JSON parsing. The format of the Content-Type header values is defined in RFC 1341. When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.

    SecurityPolicyRecaptchaOptionsConfig, SecurityPolicyRecaptchaOptionsConfigArgs

    RedirectSiteKey string

    A field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used.

    RedirectSiteKey string

    A field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used.

    redirectSiteKey String

    A field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used.

    redirectSiteKey string

    A field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used.

    redirect_site_key str

    A field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used.

    redirectSiteKey String

    A field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used.

    SecurityPolicyRule, SecurityPolicyRuleArgs

    Action string

    Action to take when match matches the request. Valid values:

    Match SecurityPolicyRuleMatch

    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. Structure is documented below.

    Priority int

    An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.

    Description string

    An optional description of this rule. Max size is 64.

    HeaderAction SecurityPolicyRuleHeaderAction

    Additional actions that are performed on headers. Structure is documented below.

    PreconfiguredWafConfig SecurityPolicyRulePreconfiguredWafConfig

    ) Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. Structure is documented below.

    Preview bool

    When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.

    RateLimitOptions SecurityPolicyRuleRateLimitOptions

    Must be specified if the action is rate_based_ban or throttle. Cannot be specified for other actions. Structure is documented below.

    RedirectOptions SecurityPolicyRuleRedirectOptions

    Can be specified if the action is redirect. Cannot be specified for other actions. Structure is documented below.

    Action string

    Action to take when match matches the request. Valid values:

    Match SecurityPolicyRuleMatch

    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. Structure is documented below.

    Priority int

    An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.

    Description string

    An optional description of this rule. Max size is 64.

    HeaderAction SecurityPolicyRuleHeaderAction

    Additional actions that are performed on headers. Structure is documented below.

    PreconfiguredWafConfig SecurityPolicyRulePreconfiguredWafConfig

    ) Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. Structure is documented below.

    Preview bool

    When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.

    RateLimitOptions SecurityPolicyRuleRateLimitOptions

    Must be specified if the action is rate_based_ban or throttle. Cannot be specified for other actions. Structure is documented below.

    RedirectOptions SecurityPolicyRuleRedirectOptions

    Can be specified if the action is redirect. Cannot be specified for other actions. Structure is documented below.

    action String

    Action to take when match matches the request. Valid values:

    match SecurityPolicyRuleMatch

    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. Structure is documented below.

    priority Integer

    An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.

    description String

    An optional description of this rule. Max size is 64.

    headerAction SecurityPolicyRuleHeaderAction

    Additional actions that are performed on headers. Structure is documented below.

    preconfiguredWafConfig SecurityPolicyRulePreconfiguredWafConfig

    ) Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. Structure is documented below.

    preview Boolean

    When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.

    rateLimitOptions SecurityPolicyRuleRateLimitOptions

    Must be specified if the action is rate_based_ban or throttle. Cannot be specified for other actions. Structure is documented below.

    redirectOptions SecurityPolicyRuleRedirectOptions

    Can be specified if the action is redirect. Cannot be specified for other actions. Structure is documented below.

    action string

    Action to take when match matches the request. Valid values:

    match SecurityPolicyRuleMatch

    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. Structure is documented below.

    priority number

    An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.

    description string

    An optional description of this rule. Max size is 64.

    headerAction SecurityPolicyRuleHeaderAction

    Additional actions that are performed on headers. Structure is documented below.

    preconfiguredWafConfig SecurityPolicyRulePreconfiguredWafConfig

    ) Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. Structure is documented below.

    preview boolean

    When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.

    rateLimitOptions SecurityPolicyRuleRateLimitOptions

    Must be specified if the action is rate_based_ban or throttle. Cannot be specified for other actions. Structure is documented below.

    redirectOptions SecurityPolicyRuleRedirectOptions

    Can be specified if the action is redirect. Cannot be specified for other actions. Structure is documented below.

    action str

    Action to take when match matches the request. Valid values:

    match SecurityPolicyRuleMatch

    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. Structure is documented below.

    priority int

    An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.

    description str

    An optional description of this rule. Max size is 64.

    header_action SecurityPolicyRuleHeaderAction

    Additional actions that are performed on headers. Structure is documented below.

    preconfigured_waf_config SecurityPolicyRulePreconfiguredWafConfig

    ) Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. Structure is documented below.

    preview bool

    When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.

    rate_limit_options SecurityPolicyRuleRateLimitOptions

    Must be specified if the action is rate_based_ban or throttle. Cannot be specified for other actions. Structure is documented below.

    redirect_options SecurityPolicyRuleRedirectOptions

    Can be specified if the action is redirect. Cannot be specified for other actions. Structure is documented below.

    action String

    Action to take when match matches the request. Valid values:

    match Property Map

    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. Structure is documented below.

    priority Number

    An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.

    description String

    An optional description of this rule. Max size is 64.

    headerAction Property Map

    Additional actions that are performed on headers. Structure is documented below.

    preconfiguredWafConfig Property Map

    ) Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. Structure is documented below.

    preview Boolean

    When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.

    rateLimitOptions Property Map

    Must be specified if the action is rate_based_ban or throttle. Cannot be specified for other actions. Structure is documented below.

    redirectOptions Property Map

    Can be specified if the action is redirect. Cannot be specified for other actions. Structure is documented below.

    SecurityPolicyRuleHeaderAction, SecurityPolicyRuleHeaderActionArgs

    RequestHeadersToAdds List<SecurityPolicyRuleHeaderActionRequestHeadersToAdd>

    The list of request headers to add or overwrite if they're already present. Structure is documented below.

    RequestHeadersToAdds []SecurityPolicyRuleHeaderActionRequestHeadersToAdd

    The list of request headers to add or overwrite if they're already present. Structure is documented below.

    requestHeadersToAdds List<SecurityPolicyRuleHeaderActionRequestHeadersToAdd>

    The list of request headers to add or overwrite if they're already present. Structure is documented below.

    requestHeadersToAdds SecurityPolicyRuleHeaderActionRequestHeadersToAdd[]

    The list of request headers to add or overwrite if they're already present. Structure is documented below.

    request_headers_to_adds Sequence[SecurityPolicyRuleHeaderActionRequestHeadersToAdd]

    The list of request headers to add or overwrite if they're already present. Structure is documented below.

    requestHeadersToAdds List<Property Map>

    The list of request headers to add or overwrite if they're already present. Structure is documented below.

    SecurityPolicyRuleHeaderActionRequestHeadersToAdd, SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs

    HeaderName string

    The name of the header to set.

    HeaderValue string

    The value to set the named header to.

    HeaderName string

    The name of the header to set.

    HeaderValue string

    The value to set the named header to.

    headerName String

    The name of the header to set.

    headerValue String

    The value to set the named header to.

    headerName string

    The name of the header to set.

    headerValue string

    The value to set the named header to.

    header_name str

    The name of the header to set.

    header_value str

    The value to set the named header to.

    headerName String

    The name of the header to set.

    headerValue String

    The value to set the named header to.

    SecurityPolicyRuleMatch, SecurityPolicyRuleMatchArgs

    Config SecurityPolicyRuleMatchConfig

    The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified. Structure is documented below.

    Expr SecurityPolicyRuleMatchExpr

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    VersionedExpr string

    Predefined rule expression. If this field is specified, config must also be specified. Available options:

    Config SecurityPolicyRuleMatchConfig

    The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified. Structure is documented below.

    Expr SecurityPolicyRuleMatchExpr

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    VersionedExpr string

    Predefined rule expression. If this field is specified, config must also be specified. Available options:

    config SecurityPolicyRuleMatchConfig

    The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified. Structure is documented below.

    expr SecurityPolicyRuleMatchExpr

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    versionedExpr String

    Predefined rule expression. If this field is specified, config must also be specified. Available options:

    config SecurityPolicyRuleMatchConfig

    The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified. Structure is documented below.

    expr SecurityPolicyRuleMatchExpr

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    versionedExpr string

    Predefined rule expression. If this field is specified, config must also be specified. Available options:

    config SecurityPolicyRuleMatchConfig

    The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified. Structure is documented below.

    expr SecurityPolicyRuleMatchExpr

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    versioned_expr str

    Predefined rule expression. If this field is specified, config must also be specified. Available options:

    config Property Map

    The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified. Structure is documented below.

    expr Property Map

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    versionedExpr String

    Predefined rule expression. If this field is specified, config must also be specified. Available options:

    SecurityPolicyRuleMatchConfig, SecurityPolicyRuleMatchConfigArgs

    SrcIpRanges List<string>

    Set of IP addresses or ranges (IPV4 or IPV6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of * matches all IPs (can be used to override the default behavior).

    SrcIpRanges []string

    Set of IP addresses or ranges (IPV4 or IPV6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of * matches all IPs (can be used to override the default behavior).

    srcIpRanges List<String>

    Set of IP addresses or ranges (IPV4 or IPV6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of * matches all IPs (can be used to override the default behavior).

    srcIpRanges string[]

    Set of IP addresses or ranges (IPV4 or IPV6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of * matches all IPs (can be used to override the default behavior).

    src_ip_ranges Sequence[str]

    Set of IP addresses or ranges (IPV4 or IPV6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of * matches all IPs (can be used to override the default behavior).

    srcIpRanges List<String>

    Set of IP addresses or ranges (IPV4 or IPV6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of * matches all IPs (can be used to override the default behavior).

    SecurityPolicyRuleMatchExpr, SecurityPolicyRuleMatchExprArgs

    Expression string

    Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

    Expression string

    Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

    expression String

    Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

    expression string

    Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

    expression str

    Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

    expression String

    Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

    SecurityPolicyRulePreconfiguredWafConfig, SecurityPolicyRulePreconfiguredWafConfigArgs

    Exclusions List<SecurityPolicyRulePreconfiguredWafConfigExclusion>

    An exclusion to apply during preconfigured WAF evaluation. Structure is documented below.

    Exclusions []SecurityPolicyRulePreconfiguredWafConfigExclusion

    An exclusion to apply during preconfigured WAF evaluation. Structure is documented below.

    exclusions List<SecurityPolicyRulePreconfiguredWafConfigExclusion>

    An exclusion to apply during preconfigured WAF evaluation. Structure is documented below.

    exclusions SecurityPolicyRulePreconfiguredWafConfigExclusion[]

    An exclusion to apply during preconfigured WAF evaluation. Structure is documented below.

    exclusions Sequence[SecurityPolicyRulePreconfiguredWafConfigExclusion]

    An exclusion to apply during preconfigured WAF evaluation. Structure is documented below.

    exclusions List<Property Map>

    An exclusion to apply during preconfigured WAF evaluation. Structure is documented below.

    SecurityPolicyRulePreconfiguredWafConfigExclusion, SecurityPolicyRulePreconfiguredWafConfigExclusionArgs

    TargetRuleSet string

    Target WAF rule set to apply the preconfigured WAF exclusion.

    RequestCookies List<SecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky>

    Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    RequestHeaders List<SecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader>

    Request header whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    RequestQueryParams List<SecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam>

    Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded. Structure is documented below.

    RequestUris List<SecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri>

    Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body. Structure is documented below.

    TargetRuleIds List<string>

    A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.

    The request_header, request_cookie, request_uri and request_query_param blocks support:

    TargetRuleSet string

    Target WAF rule set to apply the preconfigured WAF exclusion.

    RequestCookies []SecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky

    Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    RequestHeaders []SecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader

    Request header whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    RequestQueryParams []SecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam

    Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded. Structure is documented below.

    RequestUris []SecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri

    Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body. Structure is documented below.

    TargetRuleIds []string

    A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.

    The request_header, request_cookie, request_uri and request_query_param blocks support:

    targetRuleSet String

    Target WAF rule set to apply the preconfigured WAF exclusion.

    requestCookies List<SecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky>

    Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    requestHeaders List<SecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader>

    Request header whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    requestQueryParams List<SecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam>

    Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded. Structure is documented below.

    requestUris List<SecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri>

    Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body. Structure is documented below.

    targetRuleIds List<String>

    A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.

    The request_header, request_cookie, request_uri and request_query_param blocks support:

    targetRuleSet string

    Target WAF rule set to apply the preconfigured WAF exclusion.

    requestCookies SecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky[]

    Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    requestHeaders SecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader[]

    Request header whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    requestQueryParams SecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam[]

    Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded. Structure is documented below.

    requestUris SecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri[]

    Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body. Structure is documented below.

    targetRuleIds string[]

    A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.

    The request_header, request_cookie, request_uri and request_query_param blocks support:

    target_rule_set str

    Target WAF rule set to apply the preconfigured WAF exclusion.

    request_cookies Sequence[SecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky]

    Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    request_headers Sequence[SecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader]

    Request header whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    request_query_params Sequence[SecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam]

    Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded. Structure is documented below.

    request_uris Sequence[SecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri]

    Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body. Structure is documented below.

    target_rule_ids Sequence[str]

    A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.

    The request_header, request_cookie, request_uri and request_query_param blocks support:

    targetRuleSet String

    Target WAF rule set to apply the preconfigured WAF exclusion.

    requestCookies List<Property Map>

    Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    requestHeaders List<Property Map>

    Request header whose value will be excluded from inspection during preconfigured WAF evaluation. Structure is documented below.

    requestQueryParams List<Property Map>

    Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded. Structure is documented below.

    requestUris List<Property Map>

    Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body. Structure is documented below.

    targetRuleIds List<String>

    A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set.

    The request_header, request_cookie, request_uri and request_query_param blocks support:

    SecurityPolicyRulePreconfiguredWafConfigExclusionRequestCooky, SecurityPolicyRulePreconfiguredWafConfigExclusionRequestCookyArgs

    Operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    Value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    Operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    Value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator String

    You can specify an exact match or a partial match by using a field operator and a field value.

    value String

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator str

    You can specify an exact match or a partial match by using a field operator and a field value.

    value str

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator String

    You can specify an exact match or a partial match by using a field operator and a field value.

    value String

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    SecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeader, SecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeaderArgs

    Operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    Value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    Operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    Value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator String

    You can specify an exact match or a partial match by using a field operator and a field value.

    value String

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator str

    You can specify an exact match or a partial match by using a field operator and a field value.

    value str

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator String

    You can specify an exact match or a partial match by using a field operator and a field value.

    value String

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    SecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam, SecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParamArgs

    Operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    Value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    Operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    Value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator String

    You can specify an exact match or a partial match by using a field operator and a field value.

    value String

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator str

    You can specify an exact match or a partial match by using a field operator and a field value.

    value str

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator String

    You can specify an exact match or a partial match by using a field operator and a field value.

    value String

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    SecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri, SecurityPolicyRulePreconfiguredWafConfigExclusionRequestUriArgs

    Operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    Value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    Operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    Value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator String

    You can specify an exact match or a partial match by using a field operator and a field value.

    value String

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator string

    You can specify an exact match or a partial match by using a field operator and a field value.

    value string

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator str

    You can specify an exact match or a partial match by using a field operator and a field value.

    value str

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    operator String

    You can specify an exact match or a partial match by using a field operator and a field value.

    value String

    A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation. The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.

    SecurityPolicyRuleRateLimitOptions, SecurityPolicyRuleRateLimitOptionsArgs

    ConformAction string

    Action to take for requests that are under the configured rate limit threshold. Valid option is allow only.

    ExceedAction string

    When a request is denied, returns the HTTP response code specified. Valid options are deny() where valid values for status are 403, 404, 429, and 502.

    RateLimitThreshold SecurityPolicyRuleRateLimitOptionsRateLimitThreshold

    Threshold at which to begin ratelimiting. Structure is documented below.

    BanDurationSec int

    Can only be specified if the action for the rule is rate_based_ban. If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.

    BanThreshold SecurityPolicyRuleRateLimitOptionsBanThreshold

    Can only be specified if the action for the rule is rate_based_ban. If specified, the key will be banned for the configured ban_duration_sec when the number of requests that exceed the rate_limit_threshold also exceed this ban_threshold. Structure is documented below.

    EnforceOnKey string

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    EnforceOnKeyConfigs List<SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig>

    ) If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which rate limit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must be set to an empty string. Structure is documented below.

    Note: To avoid the conflict between enforce_on_key and enforce_on_key_configs, the field enforce_on_key needs to be set to an empty string.

    EnforceOnKeyName string

    Rate limit key name applicable only for the following key types:

    ExceedRedirectOptions SecurityPolicyRuleRateLimitOptionsExceedRedirectOptions

    Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. Structure is documented below.

    The {ban/rate_limit}_threshold block supports:

    ConformAction string

    Action to take for requests that are under the configured rate limit threshold. Valid option is allow only.

    ExceedAction string

    When a request is denied, returns the HTTP response code specified. Valid options are deny() where valid values for status are 403, 404, 429, and 502.

    RateLimitThreshold SecurityPolicyRuleRateLimitOptionsRateLimitThreshold

    Threshold at which to begin ratelimiting. Structure is documented below.

    BanDurationSec int

    Can only be specified if the action for the rule is rate_based_ban. If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.

    BanThreshold SecurityPolicyRuleRateLimitOptionsBanThreshold

    Can only be specified if the action for the rule is rate_based_ban. If specified, the key will be banned for the configured ban_duration_sec when the number of requests that exceed the rate_limit_threshold also exceed this ban_threshold. Structure is documented below.

    EnforceOnKey string

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    EnforceOnKeyConfigs []SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig

    ) If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which rate limit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must be set to an empty string. Structure is documented below.

    Note: To avoid the conflict between enforce_on_key and enforce_on_key_configs, the field enforce_on_key needs to be set to an empty string.

    EnforceOnKeyName string

    Rate limit key name applicable only for the following key types:

    ExceedRedirectOptions SecurityPolicyRuleRateLimitOptionsExceedRedirectOptions

    Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. Structure is documented below.

    The {ban/rate_limit}_threshold block supports:

    conformAction String

    Action to take for requests that are under the configured rate limit threshold. Valid option is allow only.

    exceedAction String

    When a request is denied, returns the HTTP response code specified. Valid options are deny() where valid values for status are 403, 404, 429, and 502.

    rateLimitThreshold SecurityPolicyRuleRateLimitOptionsRateLimitThreshold

    Threshold at which to begin ratelimiting. Structure is documented below.

    banDurationSec Integer

    Can only be specified if the action for the rule is rate_based_ban. If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.

    banThreshold SecurityPolicyRuleRateLimitOptionsBanThreshold

    Can only be specified if the action for the rule is rate_based_ban. If specified, the key will be banned for the configured ban_duration_sec when the number of requests that exceed the rate_limit_threshold also exceed this ban_threshold. Structure is documented below.

    enforceOnKey String

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    enforceOnKeyConfigs List<SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig>

    ) If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which rate limit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must be set to an empty string. Structure is documented below.

    Note: To avoid the conflict between enforce_on_key and enforce_on_key_configs, the field enforce_on_key needs to be set to an empty string.

    enforceOnKeyName String

    Rate limit key name applicable only for the following key types:

    exceedRedirectOptions SecurityPolicyRuleRateLimitOptionsExceedRedirectOptions

    Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. Structure is documented below.

    The {ban/rate_limit}_threshold block supports:

    conformAction string

    Action to take for requests that are under the configured rate limit threshold. Valid option is allow only.

    exceedAction string

    When a request is denied, returns the HTTP response code specified. Valid options are deny() where valid values for status are 403, 404, 429, and 502.

    rateLimitThreshold SecurityPolicyRuleRateLimitOptionsRateLimitThreshold

    Threshold at which to begin ratelimiting. Structure is documented below.

    banDurationSec number

    Can only be specified if the action for the rule is rate_based_ban. If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.

    banThreshold SecurityPolicyRuleRateLimitOptionsBanThreshold

    Can only be specified if the action for the rule is rate_based_ban. If specified, the key will be banned for the configured ban_duration_sec when the number of requests that exceed the rate_limit_threshold also exceed this ban_threshold. Structure is documented below.

    enforceOnKey string

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    enforceOnKeyConfigs SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig[]

    ) If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which rate limit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must be set to an empty string. Structure is documented below.

    Note: To avoid the conflict between enforce_on_key and enforce_on_key_configs, the field enforce_on_key needs to be set to an empty string.

    enforceOnKeyName string

    Rate limit key name applicable only for the following key types:

    exceedRedirectOptions SecurityPolicyRuleRateLimitOptionsExceedRedirectOptions

    Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. Structure is documented below.

    The {ban/rate_limit}_threshold block supports:

    conform_action str

    Action to take for requests that are under the configured rate limit threshold. Valid option is allow only.

    exceed_action str

    When a request is denied, returns the HTTP response code specified. Valid options are deny() where valid values for status are 403, 404, 429, and 502.

    rate_limit_threshold SecurityPolicyRuleRateLimitOptionsRateLimitThreshold

    Threshold at which to begin ratelimiting. Structure is documented below.

    ban_duration_sec int

    Can only be specified if the action for the rule is rate_based_ban. If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.

    ban_threshold SecurityPolicyRuleRateLimitOptionsBanThreshold

    Can only be specified if the action for the rule is rate_based_ban. If specified, the key will be banned for the configured ban_duration_sec when the number of requests that exceed the rate_limit_threshold also exceed this ban_threshold. Structure is documented below.

    enforce_on_key str

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    enforce_on_key_configs Sequence[SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig]

    ) If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which rate limit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must be set to an empty string. Structure is documented below.

    Note: To avoid the conflict between enforce_on_key and enforce_on_key_configs, the field enforce_on_key needs to be set to an empty string.

    enforce_on_key_name str

    Rate limit key name applicable only for the following key types:

    exceed_redirect_options SecurityPolicyRuleRateLimitOptionsExceedRedirectOptions

    Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. Structure is documented below.

    The {ban/rate_limit}_threshold block supports:

    conformAction String

    Action to take for requests that are under the configured rate limit threshold. Valid option is allow only.

    exceedAction String

    When a request is denied, returns the HTTP response code specified. Valid options are deny() where valid values for status are 403, 404, 429, and 502.

    rateLimitThreshold Property Map

    Threshold at which to begin ratelimiting. Structure is documented below.

    banDurationSec Number

    Can only be specified if the action for the rule is rate_based_ban. If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.

    banThreshold Property Map

    Can only be specified if the action for the rule is rate_based_ban. If specified, the key will be banned for the configured ban_duration_sec when the number of requests that exceed the rate_limit_threshold also exceed this ban_threshold. Structure is documented below.

    enforceOnKey String

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    enforceOnKeyConfigs List<Property Map>

    ) If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which rate limit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must be set to an empty string. Structure is documented below.

    Note: To avoid the conflict between enforce_on_key and enforce_on_key_configs, the field enforce_on_key needs to be set to an empty string.

    enforceOnKeyName String

    Rate limit key name applicable only for the following key types:

    exceedRedirectOptions Property Map

    Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect. Structure is documented below.

    The {ban/rate_limit}_threshold block supports:

    SecurityPolicyRuleRateLimitOptionsBanThreshold, SecurityPolicyRuleRateLimitOptionsBanThresholdArgs

    Count int

    Number of HTTP(S) requests for calculating the threshold.

    IntervalSec int

    Interval over which the threshold is computed.

    Count int

    Number of HTTP(S) requests for calculating the threshold.

    IntervalSec int

    Interval over which the threshold is computed.

    count Integer

    Number of HTTP(S) requests for calculating the threshold.

    intervalSec Integer

    Interval over which the threshold is computed.

    count number

    Number of HTTP(S) requests for calculating the threshold.

    intervalSec number

    Interval over which the threshold is computed.

    count int

    Number of HTTP(S) requests for calculating the threshold.

    interval_sec int

    Interval over which the threshold is computed.

    count Number

    Number of HTTP(S) requests for calculating the threshold.

    intervalSec Number

    Interval over which the threshold is computed.

    SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig, SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs

    EnforceOnKeyName string

    Rate limit key name applicable only for the following key types:

    EnforceOnKeyType string

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    EnforceOnKeyName string

    Rate limit key name applicable only for the following key types:

    EnforceOnKeyType string

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    enforceOnKeyName String

    Rate limit key name applicable only for the following key types:

    enforceOnKeyType String

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    enforceOnKeyName string

    Rate limit key name applicable only for the following key types:

    enforceOnKeyType string

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    enforce_on_key_name str

    Rate limit key name applicable only for the following key types:

    enforce_on_key_type str

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    enforceOnKeyName String

    Rate limit key name applicable only for the following key types:

    enforceOnKeyType String

    Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to ALL.

    SecurityPolicyRuleRateLimitOptionsExceedRedirectOptions, SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs

    Type string

    Type of the redirect action.

    Target string

    Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA.

    Type string

    Type of the redirect action.

    Target string

    Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA.

    type String

    Type of the redirect action.

    target String

    Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA.

    type string

    Type of the redirect action.

    target string

    Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA.

    type str

    Type of the redirect action.

    target str

    Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA.

    type String

    Type of the redirect action.

    target String

    Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA.

    SecurityPolicyRuleRateLimitOptionsRateLimitThreshold, SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs

    Count int

    Number of HTTP(S) requests for calculating the threshold.

    IntervalSec int

    Interval over which the threshold is computed.

    Count int

    Number of HTTP(S) requests for calculating the threshold.

    IntervalSec int

    Interval over which the threshold is computed.

    count Integer

    Number of HTTP(S) requests for calculating the threshold.

    intervalSec Integer

    Interval over which the threshold is computed.

    count number

    Number of HTTP(S) requests for calculating the threshold.

    intervalSec number

    Interval over which the threshold is computed.

    count int

    Number of HTTP(S) requests for calculating the threshold.

    interval_sec int

    Interval over which the threshold is computed.

    count Number

    Number of HTTP(S) requests for calculating the threshold.

    intervalSec Number

    Interval over which the threshold is computed.

    SecurityPolicyRuleRedirectOptions, SecurityPolicyRuleRedirectOptionsArgs

    Type string

    Type of redirect action.

    Target string

    External redirection target when EXTERNAL_302 is set in type.

    Type string

    Type of redirect action.

    Target string

    External redirection target when EXTERNAL_302 is set in type.

    type String

    Type of redirect action.

    target String

    External redirection target when EXTERNAL_302 is set in type.

    type string

    Type of redirect action.

    target string

    External redirection target when EXTERNAL_302 is set in type.

    type str

    Type of redirect action.

    target str

    External redirection target when EXTERNAL_302 is set in type.

    type String

    Type of redirect action.

    target String

    External redirection target when EXTERNAL_302 is set in type.

    Import

    Security policies can be imported using any of these accepted formats* projects/{{project}}/global/securityPolicies/{{name}} * {{project}}/{{name}} * {{name}} In Terraform v1.5.0 and later, use an import block to import security policies using one of the formats above. For exampletf import {

    id = “projects/{{project}}/global/securityPolicies/{{name}}”

    to = google_compute_security_policy.default }

     $ pulumi import gcp:compute/securityPolicy:SecurityPolicy When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), security policies can be imported using one of the formats above. For example
    
     $ pulumi import gcp:compute/securityPolicy:SecurityPolicy default projects/{{project}}/global/securityPolicies/{{name}}
    
     $ pulumi import gcp:compute/securityPolicy:SecurityPolicy default {{project}}/{{name}}
    
     $ pulumi import gcp:compute/securityPolicy:SecurityPolicy default {{name}}
    

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the google-beta Terraform Provider.

    gcp logo
    Google Cloud Classic v7.2.2 published on Monday, Jan 1, 0001 by Pulumi