gcp.networksecurity.AuthzPolicy
AuthzPolicy is a resource that allows traffic to be forwarded to a callout backend designed to scan the traffic for security purposes.
To get more information about AuthzPolicy, see:
Example Usage
Network Services Authz Policy Advanced
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Values shared by every resource in this example.
const project = "my-project-name";
const region = "us-west1";
const loadBalancingScheme = "INTERNAL_MANAGED";

// Custom-mode VPC: subnets are declared explicitly instead of auto-created.
const _default = new gcp.compute.Network("default", {
    name: "lb-network",
    project,
    autoCreateSubnetworks: false,
});

// Subnet that holds the load balancer's internal address.
const defaultSubnetwork = new gcp.compute.Subnetwork("default", {
    name: "backend-subnet",
    project,
    region,
    ipCidrRange: "10.1.2.0/24",
    network: _default.id,
});

// Proxy-only subnet (purpose REGIONAL_MANAGED_PROXY); the forwarding rule
// below declares an explicit dependency on it.
const proxyOnly = new gcp.compute.Subnetwork("proxy_only", {
    name: "proxy-only-subnet",
    project,
    region,
    ipCidrRange: "10.129.0.0/23",
    purpose: "REGIONAL_MANAGED_PROXY",
    role: "ACTIVE",
    network: _default.id,
});

// Internal address for the load balancer frontend.
const defaultAddress = new gcp.compute.Address("default", {
    name: "l7-ilb-ip-address",
    project,
    region,
    subnetwork: defaultSubnetwork.id,
    addressType: "INTERNAL",
    purpose: "GCE_ENDPOINT",
});

const defaultRegionHealthCheck = new gcp.compute.RegionHealthCheck("default", {
    name: "l7-ilb-basic-check",
    project,
    region,
    httpHealthCheck: {
        portSpecification: "USE_SERVING_PORT",
    },
});

// Application backend service; despite the variable name this is the
// backend service that the URL map routes to.
const urlMap = new gcp.compute.RegionBackendService("url_map", {
    name: "l7-ilb-backend-service",
    project,
    region,
    loadBalancingScheme,
    healthChecks: defaultRegionHealthCheck.id,
});

const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
    name: "l7-ilb-map",
    project,
    region,
    defaultService: urlMap.id,
});

const defaultRegionTargetHttpProxy = new gcp.compute.RegionTargetHttpProxy("default", {
    name: "l7-ilb-proxy",
    project,
    region,
    urlMap: defaultRegionUrlMap.id,
});

// Frontend of the load balancer, and the resource the AuthzPolicy targets.
// NOTE(review): port 80 with an HTTP target proxy means requests, including
// the Authorization header forwarded to the extension below, arrive at the
// load balancer unencrypted. For anything beyond a demo, consider an HTTPS
// target proxy (RegionTargetHttpsProxy) instead.
const defaultForwardingRule = new gcp.compute.ForwardingRule(
    "default",
    {
        name: "l7-ilb-forwarding-rule",
        project,
        region,
        loadBalancingScheme,
        network: _default.id,
        subnetwork: defaultSubnetwork.id,
        ipProtocol: "TCP",
        portRange: "80",
        target: defaultRegionTargetHttpProxy.id,
        ipAddress: defaultAddress.id,
    },
    { dependsOn: [proxyOnly] },
);

// Backend service for the authorization callout (HTTP2, named port "grpc").
// NOTE(review): the example attaches no backends or health check here; it
// has to be wired to a real callout service before the policy can decide
// anything, and with failOpen=false an unreachable callout means failed
// requests rather than unchecked ones.
const authzExtension = new gcp.compute.RegionBackendService("authz_extension", {
    name: "authz-service",
    project,
    region,
    protocol: "HTTP2",
    loadBalancingScheme,
    portName: "grpc",
});

// The extension that the policy delegates to.
const defaultAuthzExtension = new gcp.networkservices.AuthzExtension("default", {
    name: "my-authz-ext",
    project,
    location: region,
    description: "my description",
    loadBalancingScheme,
    authority: "ext11.com",
    service: authzExtension.selfLink,
    // 100 ms budget per callout; combined with failOpen=false, a slow
    // authorization service turns into rejected requests, so size this
    // against the callout's real latency.
    timeout: "0.1s",
    // Fail closed: if the callout errors or times out the request is not
    // let through. Keep this false for an authorization control.
    failOpen: false,
    // Only this header is listed for forwarding. It carries credentials, so
    // the callout service and its logs must be treated as sensitive.
    forwardHeaders: ["Authorization"],
});

// CUSTOM delegates the allow/deny decision to the customProvider below.
// No httpRules are set; presumably the policy then applies to every request
// reaching the target. Confirm against the httpRules property reference.
const defaultAuthzPolicy = new gcp.networksecurity.AuthzPolicy("default", {
    name: "my-authz-policy",
    project,
    location: region,
    description: "my description",
    target: {
        loadBalancingScheme,
        resources: [defaultForwardingRule.selfLink],
    },
    action: "CUSTOM",
    customProvider: {
        authzExtension: {
            resources: [defaultAuthzExtension.id],
        },
    },
});
import pulumi
import pulumi_gcp as gcp
# Values shared by every resource in this example.
PROJECT = "my-project-name"
REGION = "us-west1"
LB_SCHEME = "INTERNAL_MANAGED"

# Custom-mode VPC: subnets are declared explicitly instead of auto-created.
default = gcp.compute.Network(
    "default",
    name="lb-network",
    project=PROJECT,
    auto_create_subnetworks=False,
)

# Subnet that holds the load balancer's internal address.
default_subnetwork = gcp.compute.Subnetwork(
    "default",
    name="backend-subnet",
    project=PROJECT,
    region=REGION,
    ip_cidr_range="10.1.2.0/24",
    network=default.id,
)

# Proxy-only subnet (purpose REGIONAL_MANAGED_PROXY); the forwarding rule
# below declares an explicit dependency on it.
proxy_only = gcp.compute.Subnetwork(
    "proxy_only",
    name="proxy-only-subnet",
    project=PROJECT,
    region=REGION,
    ip_cidr_range="10.129.0.0/23",
    purpose="REGIONAL_MANAGED_PROXY",
    role="ACTIVE",
    network=default.id,
)

# Internal address for the load balancer frontend.
default_address = gcp.compute.Address(
    "default",
    name="l7-ilb-ip-address",
    project=PROJECT,
    region=REGION,
    subnetwork=default_subnetwork.id,
    address_type="INTERNAL",
    purpose="GCE_ENDPOINT",
)

default_region_health_check = gcp.compute.RegionHealthCheck(
    "default",
    name="l7-ilb-basic-check",
    project=PROJECT,
    region=REGION,
    http_health_check={
        "port_specification": "USE_SERVING_PORT",
    },
)

# Application backend service; despite the variable name this is the backend
# service that the URL map routes to.
url_map = gcp.compute.RegionBackendService(
    "url_map",
    name="l7-ilb-backend-service",
    project=PROJECT,
    region=REGION,
    load_balancing_scheme=LB_SCHEME,
    health_checks=default_region_health_check.id,
)

default_region_url_map = gcp.compute.RegionUrlMap(
    "default",
    name="l7-ilb-map",
    project=PROJECT,
    region=REGION,
    default_service=url_map.id,
)

default_region_target_http_proxy = gcp.compute.RegionTargetHttpProxy(
    "default",
    name="l7-ilb-proxy",
    project=PROJECT,
    region=REGION,
    url_map=default_region_url_map.id,
)

# Frontend of the load balancer, and the resource the AuthzPolicy targets.
# NOTE(review): port 80 with an HTTP target proxy means requests, including
# the Authorization header forwarded to the extension below, arrive at the
# load balancer unencrypted. For anything beyond a demo, consider an HTTPS
# target proxy (RegionTargetHttpsProxy) instead.
default_forwarding_rule = gcp.compute.ForwardingRule(
    "default",
    name="l7-ilb-forwarding-rule",
    project=PROJECT,
    region=REGION,
    load_balancing_scheme=LB_SCHEME,
    network=default.id,
    subnetwork=default_subnetwork.id,
    ip_protocol="TCP",
    port_range="80",
    target=default_region_target_http_proxy.id,
    ip_address=default_address.id,
    opts=pulumi.ResourceOptions(depends_on=[proxy_only]),
)

# Backend service for the authorization callout (HTTP2, named port "grpc").
# NOTE(review): the example attaches no backends or health check here; it has
# to be wired to a real callout service before the policy can decide anything,
# and with fail_open=False an unreachable callout means failed requests rather
# than unchecked ones.
authz_extension = gcp.compute.RegionBackendService(
    "authz_extension",
    name="authz-service",
    project=PROJECT,
    region=REGION,
    protocol="HTTP2",
    load_balancing_scheme=LB_SCHEME,
    port_name="grpc",
)

# The extension that the policy delegates to.
default_authz_extension = gcp.networkservices.AuthzExtension(
    "default",
    name="my-authz-ext",
    project=PROJECT,
    location=REGION,
    description="my description",
    load_balancing_scheme=LB_SCHEME,
    authority="ext11.com",
    service=authz_extension.self_link,
    # 100 ms budget per callout; combined with fail_open=False, a slow
    # authorization service turns into rejected requests, so size this
    # against the callout's real latency.
    timeout="0.1s",
    # Fail closed: if the callout errors or times out the request is not let
    # through. Keep this False for an authorization control.
    fail_open=False,
    # Only this header is listed for forwarding. It carries credentials, so
    # the callout service and its logs must be treated as sensitive.
    forward_headers=["Authorization"],
)

# CUSTOM delegates the allow/deny decision to the custom_provider below.
# No http_rules are set; presumably the policy then applies to every request
# reaching the target. Confirm against the http_rules property reference.
default_authz_policy = gcp.networksecurity.AuthzPolicy(
    "default",
    name="my-authz-policy",
    project=PROJECT,
    location=REGION,
    description="my description",
    target={
        "load_balancing_scheme": LB_SCHEME,
        "resources": [default_forwarding_rule.self_link],
    },
    action="CUSTOM",
    custom_provider={
        "authz_extension": {
            "resources": [default_authz_extension.id],
        },
    },
)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networkservices"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
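// main declares a regional internal Application Load Balancer and attaches an
// AuthzPolicy that delegates authorization to a callout extension.
//
// Resources are created in dependency order; any constructor error aborts the
// deployment by being returned from the pulumi.Run callback.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Custom-mode VPC. The handle is kept in _default because the
		// subnets and the forwarding rule below reference its ID.
		_default, err := compute.NewNetwork(ctx, "default", &compute.NetworkArgs{
			Name:                  pulumi.String("lb-network"),
			Project:               pulumi.String("my-project-name"),
			AutoCreateSubnetworks: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		// Subnet that holds the load balancer's internal address.
		defaultSubnetwork, err := compute.NewSubnetwork(ctx, "default", &compute.SubnetworkArgs{
			Name:        pulumi.String("backend-subnet"),
			Project:     pulumi.String("my-project-name"),
			Region:      pulumi.String("us-west1"),
			IpCidrRange: pulumi.String("10.1.2.0/24"),
			Network:     _default.ID(),
		})
		if err != nil {
			return err
		}
		// Proxy-only subnet (purpose REGIONAL_MANAGED_PROXY); the forwarding
		// rule below declares an explicit dependency on it.
		proxyOnly, err := compute.NewSubnetwork(ctx, "proxy_only", &compute.SubnetworkArgs{
			Name:        pulumi.String("proxy-only-subnet"),
			Project:     pulumi.String("my-project-name"),
			Region:      pulumi.String("us-west1"),
			IpCidrRange: pulumi.String("10.129.0.0/23"),
			Purpose:     pulumi.String("REGIONAL_MANAGED_PROXY"),
			Role:        pulumi.String("ACTIVE"),
			Network:     _default.ID(),
		})
		if err != nil {
			return err
		}
		// Internal address for the load balancer frontend.
		defaultAddress, err := compute.NewAddress(ctx, "default", &compute.AddressArgs{
			Name:        pulumi.String("l7-ilb-ip-address"),
			Project:     pulumi.String("my-project-name"),
			Region:      pulumi.String("us-west1"),
			Subnetwork:  defaultSubnetwork.ID(),
			AddressType: pulumi.String("INTERNAL"),
			Purpose:     pulumi.String("GCE_ENDPOINT"),
		})
		if err != nil {
			return err
		}
		defaultRegionHealthCheck, err := compute.NewRegionHealthCheck(ctx, "default", &compute.RegionHealthCheckArgs{
			Name:    pulumi.String("l7-ilb-basic-check"),
			Project: pulumi.String("my-project-name"),
			Region:  pulumi.String("us-west1"),
			HttpHealthCheck: &compute.RegionHealthCheckHttpHealthCheckArgs{
				PortSpecification: pulumi.String("USE_SERVING_PORT"),
			},
		})
		if err != nil {
			return err
		}
		// Application backend service; despite the variable name this is the
		// backend service that the URL map routes to.
		urlMap, err := compute.NewRegionBackendService(ctx, "url_map", &compute.RegionBackendServiceArgs{
			Name:                pulumi.String("l7-ilb-backend-service"),
			Project:             pulumi.String("my-project-name"),
			Region:              pulumi.String("us-west1"),
			LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
			HealthChecks:        defaultRegionHealthCheck.ID(),
		})
		if err != nil {
			return err
		}
		defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
			Name:           pulumi.String("l7-ilb-map"),
			Project:        pulumi.String("my-project-name"),
			Region:         pulumi.String("us-west1"),
			DefaultService: urlMap.ID(),
		})
		if err != nil {
			return err
		}
		defaultRegionTargetHttpProxy, err := compute.NewRegionTargetHttpProxy(ctx, "default", &compute.RegionTargetHttpProxyArgs{
			Name:    pulumi.String("l7-ilb-proxy"),
			Project: pulumi.String("my-project-name"),
			Region:  pulumi.String("us-west1"),
			UrlMap:  defaultRegionUrlMap.ID(),
		})
		if err != nil {
			return err
		}
		// Frontend of the load balancer, and the resource the AuthzPolicy
		// targets.
		// NOTE(review): port 80 with an HTTP target proxy means requests,
		// including the Authorization header forwarded to the extension
		// below, arrive at the load balancer unencrypted. For anything
		// beyond a demo, consider an HTTPS target proxy instead.
		defaultForwardingRule, err := compute.NewForwardingRule(ctx, "default", &compute.ForwardingRuleArgs{
			Name:                pulumi.String("l7-ilb-forwarding-rule"),
			Project:             pulumi.String("my-project-name"),
			Region:              pulumi.String("us-west1"),
			LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
			Network:             _default.ID(),
			Subnetwork:          defaultSubnetwork.ID(),
			IpProtocol:          pulumi.String("TCP"),
			PortRange:           pulumi.String("80"),
			Target:              defaultRegionTargetHttpProxy.ID(),
			IpAddress:           defaultAddress.ID(),
		}, pulumi.DependsOn([]pulumi.Resource{
			proxyOnly,
		}))
		if err != nil {
			return err
		}
		// Backend service for the authorization callout (HTTP2, named port
		// "grpc").
		// NOTE(review): the example attaches no backends or health check
		// here; it has to be wired to a real callout service before the
		// policy can decide anything, and with FailOpen=false an unreachable
		// callout means failed requests rather than unchecked ones.
		authzExtension, err := compute.NewRegionBackendService(ctx, "authz_extension", &compute.RegionBackendServiceArgs{
			Name:                pulumi.String("authz-service"),
			Project:             pulumi.String("my-project-name"),
			Region:              pulumi.String("us-west1"),
			Protocol:            pulumi.String("HTTP2"),
			LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
			PortName:            pulumi.String("grpc"),
		})
		if err != nil {
			return err
		}
		// The extension that the policy delegates to.
		defaultAuthzExtension, err := networkservices.NewAuthzExtension(ctx, "default", &networkservices.AuthzExtensionArgs{
			Name:                pulumi.String("my-authz-ext"),
			Project:             pulumi.String("my-project-name"),
			Location:            pulumi.String("us-west1"),
			Description:         pulumi.String("my description"),
			LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
			Authority:           pulumi.String("ext11.com"),
			Service:             authzExtension.SelfLink,
			// 100 ms budget per callout; combined with FailOpen=false, a
			// slow authorization service turns into rejected requests.
			Timeout: pulumi.String("0.1s"),
			// Fail closed: if the callout errors or times out the request
			// is not let through. Keep this false for an authorization
			// control.
			FailOpen: pulumi.Bool(false),
			// Only this header is listed for forwarding. It carries
			// credentials, so the callout service and its logs must be
			// treated as sensitive.
			ForwardHeaders: pulumi.StringArray{
				pulumi.String("Authorization"),
			},
		})
		if err != nil {
			return err
		}
		// CUSTOM delegates the allow/deny decision to CustomProvider.
		// No HttpRules are set; presumably the policy then applies to every
		// request reaching the target. Confirm against the HttpRules
		// property reference.
		_, err = networksecurity.NewAuthzPolicy(ctx, "default", &networksecurity.AuthzPolicyArgs{
			Name:        pulumi.String("my-authz-policy"),
			Project:     pulumi.String("my-project-name"),
			Location:    pulumi.String("us-west1"),
			Description: pulumi.String("my description"),
			Target: &networksecurity.AuthzPolicyTargetArgs{
				LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
				Resources: pulumi.StringArray{
					defaultForwardingRule.SelfLink,
				},
			},
			Action: pulumi.String("CUSTOM"),
			CustomProvider: &networksecurity.AuthzPolicyCustomProviderArgs{
				AuthzExtension: &networksecurity.AuthzPolicyCustomProviderAuthzExtensionArgs{
					Resources: pulumi.StringArray{
						defaultAuthzExtension.ID(),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}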
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    // Values shared by every resource in this example.
    const string project = "my-project-name";
    const string region = "us-west1";
    const string lbScheme = "INTERNAL_MANAGED";

    // Custom-mode VPC: subnets are declared explicitly instead of auto-created.
    var @default = new Gcp.Compute.Network("default", new()
    {
        Name = "lb-network",
        Project = project,
        AutoCreateSubnetworks = false,
    });

    // Subnet that holds the load balancer's internal address.
    var defaultSubnetwork = new Gcp.Compute.Subnetwork("default", new()
    {
        Name = "backend-subnet",
        Project = project,
        Region = region,
        IpCidrRange = "10.1.2.0/24",
        Network = @default.Id,
    });

    // Proxy-only subnet (purpose REGIONAL_MANAGED_PROXY); the forwarding rule
    // below declares an explicit dependency on it.
    var proxyOnly = new Gcp.Compute.Subnetwork("proxy_only", new()
    {
        Name = "proxy-only-subnet",
        Project = project,
        Region = region,
        IpCidrRange = "10.129.0.0/23",
        Purpose = "REGIONAL_MANAGED_PROXY",
        Role = "ACTIVE",
        Network = @default.Id,
    });

    // Internal address for the load balancer frontend.
    var defaultAddress = new Gcp.Compute.Address("default", new()
    {
        Name = "l7-ilb-ip-address",
        Project = project,
        Region = region,
        Subnetwork = defaultSubnetwork.Id,
        AddressType = "INTERNAL",
        Purpose = "GCE_ENDPOINT",
    });

    var defaultRegionHealthCheck = new Gcp.Compute.RegionHealthCheck("default", new()
    {
        Name = "l7-ilb-basic-check",
        Project = project,
        Region = region,
        HttpHealthCheck = new Gcp.Compute.Inputs.RegionHealthCheckHttpHealthCheckArgs
        {
            PortSpecification = "USE_SERVING_PORT",
        },
    });

    // Application backend service; despite the variable name this is the
    // backend service that the URL map routes to.
    var urlMap = new Gcp.Compute.RegionBackendService("url_map", new()
    {
        Name = "l7-ilb-backend-service",
        Project = project,
        Region = region,
        LoadBalancingScheme = lbScheme,
        HealthChecks = defaultRegionHealthCheck.Id,
    });

    var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
    {
        Name = "l7-ilb-map",
        Project = project,
        Region = region,
        DefaultService = urlMap.Id,
    });

    var defaultRegionTargetHttpProxy = new Gcp.Compute.RegionTargetHttpProxy("default", new()
    {
        Name = "l7-ilb-proxy",
        Project = project,
        Region = region,
        UrlMap = defaultRegionUrlMap.Id,
    });

    // Frontend of the load balancer, and the resource the AuthzPolicy targets.
    // NOTE(review): port 80 with an HTTP target proxy means requests,
    // including the Authorization header forwarded to the extension below,
    // arrive at the load balancer unencrypted. For anything beyond a demo,
    // consider an HTTPS target proxy (RegionTargetHttpsProxy) instead.
    var defaultForwardingRule = new Gcp.Compute.ForwardingRule("default", new()
    {
        Name = "l7-ilb-forwarding-rule",
        Project = project,
        Region = region,
        LoadBalancingScheme = lbScheme,
        Network = @default.Id,
        Subnetwork = defaultSubnetwork.Id,
        IpProtocol = "TCP",
        PortRange = "80",
        Target = defaultRegionTargetHttpProxy.Id,
        IpAddress = defaultAddress.Id,
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            proxyOnly,
        },
    });

    // Backend service for the authorization callout (HTTP2, named port "grpc").
    // NOTE(review): the example attaches no backends or health check here; it
    // has to be wired to a real callout service before the policy can decide
    // anything, and with FailOpen = false an unreachable callout means failed
    // requests rather than unchecked ones.
    var authzExtension = new Gcp.Compute.RegionBackendService("authz_extension", new()
    {
        Name = "authz-service",
        Project = project,
        Region = region,
        Protocol = "HTTP2",
        LoadBalancingScheme = lbScheme,
        PortName = "grpc",
    });

    // The extension that the policy delegates to.
    var defaultAuthzExtension = new Gcp.NetworkServices.AuthzExtension("default", new()
    {
        Name = "my-authz-ext",
        Project = project,
        Location = region,
        Description = "my description",
        LoadBalancingScheme = lbScheme,
        Authority = "ext11.com",
        Service = authzExtension.SelfLink,
        // 100 ms budget per callout; combined with FailOpen = false, a slow
        // authorization service turns into rejected requests.
        Timeout = "0.1s",
        // Fail closed: if the callout errors or times out the request is not
        // let through. Keep this false for an authorization control.
        FailOpen = false,
        // Only this header is listed for forwarding. It carries credentials,
        // so the callout service and its logs must be treated as sensitive.
        ForwardHeaders = new[]
        {
            "Authorization",
        },
    });

    // CUSTOM delegates the allow/deny decision to CustomProvider.
    // No HttpRules are set; presumably the policy then applies to every
    // request reaching the target. Confirm against the HttpRules reference.
    var defaultAuthzPolicy = new Gcp.NetworkSecurity.AuthzPolicy("default", new()
    {
        Name = "my-authz-policy",
        Project = project,
        Location = region,
        Description = "my description",
        Target = new Gcp.NetworkSecurity.Inputs.AuthzPolicyTargetArgs
        {
            LoadBalancingScheme = lbScheme,
            Resources = new[]
            {
                defaultForwardingRule.SelfLink,
            },
        },
        Action = "CUSTOM",
        CustomProvider = new Gcp.NetworkSecurity.Inputs.AuthzPolicyCustomProviderArgs
        {
            AuthzExtension = new Gcp.NetworkSecurity.Inputs.AuthzPolicyCustomProviderAuthzExtensionArgs
            {
                Resources = new[]
                {
                    defaultAuthzExtension.Id,
                },
            },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.Subnetwork;
import com.pulumi.gcp.compute.SubnetworkArgs;
import com.pulumi.gcp.compute.Address;
import com.pulumi.gcp.compute.AddressArgs;
import com.pulumi.gcp.compute.RegionHealthCheck;
import com.pulumi.gcp.compute.RegionHealthCheckArgs;
import com.pulumi.gcp.compute.inputs.RegionHealthCheckHttpHealthCheckArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.RegionTargetHttpProxy;
import com.pulumi.gcp.compute.RegionTargetHttpProxyArgs;
import com.pulumi.gcp.compute.ForwardingRule;
import com.pulumi.gcp.compute.ForwardingRuleArgs;
import com.pulumi.gcp.networkservices.AuthzExtension;
import com.pulumi.gcp.networkservices.AuthzExtensionArgs;
import com.pulumi.gcp.networksecurity.AuthzPolicy;
import com.pulumi.gcp.networksecurity.AuthzPolicyArgs;
import com.pulumi.gcp.networksecurity.inputs.AuthzPolicyTargetArgs;
import com.pulumi.gcp.networksecurity.inputs.AuthzPolicyCustomProviderArgs;
import com.pulumi.gcp.networksecurity.inputs.AuthzPolicyCustomProviderAuthzExtensionArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Declares a regional internal Application Load Balancer and an AuthzPolicy
 * that delegates authorization decisions to a callout extension.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares every resource of the example stack.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Values shared by every resource in this example.
        final String project = "my-project-name";
        final String region = "us-west1";
        final String lbScheme = "INTERNAL_MANAGED";

        // Custom-mode VPC: subnets are declared explicitly instead of auto-created.
        var default_ = new Network("default", NetworkArgs.builder()
            .name("lb-network")
            .project(project)
            .autoCreateSubnetworks(false)
            .build());

        // Subnet that holds the load balancer's internal address.
        var defaultSubnetwork = new Subnetwork("defaultSubnetwork", SubnetworkArgs.builder()
            .name("backend-subnet")
            .project(project)
            .region(region)
            .ipCidrRange("10.1.2.0/24")
            .network(default_.id())
            .build());

        // Proxy-only subnet (purpose REGIONAL_MANAGED_PROXY); the forwarding
        // rule below declares an explicit dependency on it.
        var proxyOnly = new Subnetwork("proxyOnly", SubnetworkArgs.builder()
            .name("proxy-only-subnet")
            .project(project)
            .region(region)
            .ipCidrRange("10.129.0.0/23")
            .purpose("REGIONAL_MANAGED_PROXY")
            .role("ACTIVE")
            .network(default_.id())
            .build());

        // Internal address for the load balancer frontend.
        var defaultAddress = new Address("defaultAddress", AddressArgs.builder()
            .name("l7-ilb-ip-address")
            .project(project)
            .region(region)
            .subnetwork(defaultSubnetwork.id())
            .addressType("INTERNAL")
            .purpose("GCE_ENDPOINT")
            .build());

        var defaultRegionHealthCheck = new RegionHealthCheck("defaultRegionHealthCheck", RegionHealthCheckArgs.builder()
            .name("l7-ilb-basic-check")
            .project(project)
            .region(region)
            .httpHealthCheck(RegionHealthCheckHttpHealthCheckArgs.builder()
                .portSpecification("USE_SERVING_PORT")
                .build())
            .build());

        // Application backend service; despite the variable name this is the
        // backend service that the URL map routes to.
        var urlMap = new RegionBackendService("urlMap", RegionBackendServiceArgs.builder()
            .name("l7-ilb-backend-service")
            .project(project)
            .region(region)
            .loadBalancingScheme(lbScheme)
            .healthChecks(defaultRegionHealthCheck.id())
            .build());

        var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
            .name("l7-ilb-map")
            .project(project)
            .region(region)
            .defaultService(urlMap.id())
            .build());

        var defaultRegionTargetHttpProxy = new RegionTargetHttpProxy("defaultRegionTargetHttpProxy", RegionTargetHttpProxyArgs.builder()
            .name("l7-ilb-proxy")
            .project(project)
            .region(region)
            .urlMap(defaultRegionUrlMap.id())
            .build());

        // Frontend of the load balancer, and the resource the AuthzPolicy targets.
        // NOTE(review): port 80 with an HTTP target proxy means requests,
        // including the Authorization header forwarded to the extension
        // below, arrive at the load balancer unencrypted. For anything beyond
        // a demo, consider an HTTPS target proxy instead.
        var defaultForwardingRule = new ForwardingRule("defaultForwardingRule", ForwardingRuleArgs.builder()
            .name("l7-ilb-forwarding-rule")
            .project(project)
            .region(region)
            .loadBalancingScheme(lbScheme)
            .network(default_.id())
            .subnetwork(defaultSubnetwork.id())
            .ipProtocol("TCP")
            .portRange("80")
            .target(defaultRegionTargetHttpProxy.id())
            .ipAddress(defaultAddress.id())
            .build(), CustomResourceOptions.builder()
                .dependsOn(proxyOnly)
                .build());

        // Backend service for the authorization callout (HTTP2, named port "grpc").
        // NOTE(review): the example attaches no backends or health check
        // here; it has to be wired to a real callout service before the
        // policy can decide anything, and with failOpen(false) an unreachable
        // callout means failed requests rather than unchecked ones.
        var authzExtension = new RegionBackendService("authzExtension", RegionBackendServiceArgs.builder()
            .name("authz-service")
            .project(project)
            .region(region)
            .protocol("HTTP2")
            .loadBalancingScheme(lbScheme)
            .portName("grpc")
            .build());

        // The extension that the policy delegates to.
        var defaultAuthzExtension = new AuthzExtension("defaultAuthzExtension", AuthzExtensionArgs.builder()
            .name("my-authz-ext")
            .project(project)
            .location(region)
            .description("my description")
            .loadBalancingScheme(lbScheme)
            .authority("ext11.com")
            .service(authzExtension.selfLink())
            // 100 ms budget per callout; combined with failOpen(false), a
            // slow authorization service turns into rejected requests.
            .timeout("0.1s")
            // Fail closed: if the callout errors or times out the request is
            // not let through. Keep this false for an authorization control.
            .failOpen(false)
            // Only this header is listed for forwarding. It carries
            // credentials, so the callout service and its logs must be
            // treated as sensitive.
            .forwardHeaders("Authorization")
            .build());

        // CUSTOM delegates the allow/deny decision to customProvider.
        // No httpRules are set; presumably the policy then applies to every
        // request reaching the target. Confirm against the httpRules reference.
        var defaultAuthzPolicy = new AuthzPolicy("defaultAuthzPolicy", AuthzPolicyArgs.builder()
            .name("my-authz-policy")
            .project(project)
            .location(region)
            .description("my description")
            .target(AuthzPolicyTargetArgs.builder()
                .loadBalancingScheme(lbScheme)
                .resources(defaultForwardingRule.selfLink())
                .build())
            .action("CUSTOM")
            .customProvider(AuthzPolicyCustomProviderArgs.builder()
                .authzExtension(AuthzPolicyCustomProviderAuthzExtensionArgs.builder()
                    .resources(defaultAuthzExtension.id())
                    .build())
                .build())
            .build());
    }
}
# Regional internal Application Load Balancer with an AuthzPolicy that
# delegates authorization decisions to a callout extension.
resources:
  # Custom-mode VPC: subnets are declared explicitly instead of auto-created.
  default:
    type: gcp:compute:Network
    properties:
      name: lb-network
      project: my-project-name
      autoCreateSubnetworks: false
  # Subnet that holds the load balancer's internal address.
  defaultSubnetwork:
    type: gcp:compute:Subnetwork
    name: default
    properties:
      name: backend-subnet
      project: my-project-name
      region: us-west1
      ipCidrRange: 10.1.2.0/24
      network: ${default.id}
  # Proxy-only subnet; the forwarding rule below depends on it explicitly.
  proxyOnly:
    type: gcp:compute:Subnetwork
    name: proxy_only
    properties:
      name: proxy-only-subnet
      project: my-project-name
      region: us-west1
      ipCidrRange: 10.129.0.0/23
      purpose: REGIONAL_MANAGED_PROXY
      role: ACTIVE
      network: ${default.id}
  # Internal address for the load balancer frontend.
  defaultAddress:
    type: gcp:compute:Address
    name: default
    properties:
      name: l7-ilb-ip-address
      project: my-project-name
      region: us-west1
      subnetwork: ${defaultSubnetwork.id}
      addressType: INTERNAL
      purpose: GCE_ENDPOINT
  defaultRegionHealthCheck:
    type: gcp:compute:RegionHealthCheck
    name: default
    properties:
      name: l7-ilb-basic-check
      project: my-project-name
      region: us-west1
      httpHealthCheck:
        portSpecification: USE_SERVING_PORT
  # Application backend service; despite the key name this is the backend
  # service that the URL map routes to.
  urlMap:
    type: gcp:compute:RegionBackendService
    name: url_map
    properties:
      name: l7-ilb-backend-service
      project: my-project-name
      region: us-west1
      loadBalancingScheme: INTERNAL_MANAGED
      healthChecks: ${defaultRegionHealthCheck.id}
  defaultRegionUrlMap:
    type: gcp:compute:RegionUrlMap
    name: default
    properties:
      name: l7-ilb-map
      project: my-project-name
      region: us-west1
      defaultService: ${urlMap.id}
  defaultRegionTargetHttpProxy:
    type: gcp:compute:RegionTargetHttpProxy
    name: default
    properties:
      name: l7-ilb-proxy
      project: my-project-name
      region: us-west1
      urlMap: ${defaultRegionUrlMap.id}
  # Frontend of the load balancer, and the resource the AuthzPolicy targets.
  # NOTE(review): port 80 with an HTTP target proxy means requests, including
  # the Authorization header forwarded to the extension below, arrive at the
  # load balancer unencrypted. For anything beyond a demo, consider an HTTPS
  # target proxy instead.
  defaultForwardingRule:
    type: gcp:compute:ForwardingRule
    name: default
    properties:
      name: l7-ilb-forwarding-rule
      project: my-project-name
      region: us-west1
      loadBalancingScheme: INTERNAL_MANAGED
      network: ${default.id}
      subnetwork: ${defaultSubnetwork.id}
      ipProtocol: TCP
      portRange: '80'
      target: ${defaultRegionTargetHttpProxy.id}
      ipAddress: ${defaultAddress.id}
    options:
      dependsOn:
        - ${proxyOnly}
  # Backend service for the authorization callout (HTTP2, named port "grpc").
  # NOTE(review): the example attaches no backends or health check here; it
  # has to be wired to a real callout service before the policy can decide
  # anything, and with failOpen: false an unreachable callout means failed
  # requests rather than unchecked ones.
  authzExtension:
    type: gcp:compute:RegionBackendService
    name: authz_extension
    properties:
      name: authz-service
      project: my-project-name
      region: us-west1
      protocol: HTTP2
      loadBalancingScheme: INTERNAL_MANAGED
      portName: grpc
  # The extension that the policy delegates to.
  defaultAuthzExtension:
    type: gcp:networkservices:AuthzExtension
    name: default
    properties:
      name: my-authz-ext
      project: my-project-name
      location: us-west1
      description: my description
      loadBalancingScheme: INTERNAL_MANAGED
      authority: ext11.com
      service: ${authzExtension.selfLink}
      # 100 ms budget per callout; combined with failOpen: false, a slow
      # authorization service turns into rejected requests.
      timeout: 0.1s
      # Fail closed: if the callout errors or times out the request is not
      # let through. Keep this false for an authorization control.
      failOpen: false
      # Only this header is listed for forwarding. It carries credentials, so
      # the callout service and its logs must be treated as sensitive.
      forwardHeaders:
        - Authorization
  # CUSTOM delegates the allow/deny decision to customProvider.
  # No httpRules are set; presumably the policy then applies to every request
  # reaching the target. Confirm against the httpRules property reference.
  defaultAuthzPolicy:
    type: gcp:networksecurity:AuthzPolicy
    name: default
    properties:
      name: my-authz-policy
      project: my-project-name
      location: us-west1
      description: my description
      target:
        loadBalancingScheme: INTERNAL_MANAGED
        resources:
          - ${defaultForwardingRule.selfLink}
      action: CUSTOM
      customProvider:
        authzExtension:
          resources:
            - ${defaultAuthzExtension.id}
Create AuthzPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AuthzPolicy(name: string, args: AuthzPolicyArgs, opts?: CustomResourceOptions);
@overload
def AuthzPolicy(resource_name: str,
args: AuthzPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AuthzPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
location: Optional[str] = None,
target: Optional[AuthzPolicyTargetArgs] = None,
custom_provider: Optional[AuthzPolicyCustomProviderArgs] = None,
description: Optional[str] = None,
http_rules: Optional[Sequence[AuthzPolicyHttpRuleArgs]] = None,
labels: Optional[Mapping[str, str]] = None,
name: Optional[str] = None,
project: Optional[str] = None)
func NewAuthzPolicy(ctx *Context, name string, args AuthzPolicyArgs, opts ...ResourceOption) (*AuthzPolicy, error)
public AuthzPolicy(string name, AuthzPolicyArgs args, CustomResourceOptions? opts = null)
public AuthzPolicy(String name, AuthzPolicyArgs args)
public AuthzPolicy(String name, AuthzPolicyArgs args, CustomResourceOptions options)
type: gcp:networksecurity:AuthzPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AuthzPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AuthzPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthzPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthzPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AuthzPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference template: lists every AuthzPolicy input with a placeholder value.
// It shows the shape of the arguments and is not a deployable configuration.
var authzPolicyResource = new Gcp.NetworkSecurity.AuthzPolicy("authzPolicyResource", new()
{
    Action = "string",
    Location = "string",
    Target = new Gcp.NetworkSecurity.Inputs.AuthzPolicyTargetArgs
    {
        LoadBalancingScheme = "string",
        Resources = new[]
        {
            "string",
        },
    },
    // NOTE(review): AuthzExtension and CloudIap appear together only because
    // this is a template; they look like alternative providers, so confirm in
    // the property reference whether a real policy may set both.
    CustomProvider = new Gcp.NetworkSecurity.Inputs.AuthzPolicyCustomProviderArgs
    {
        AuthzExtension = new Gcp.NetworkSecurity.Inputs.AuthzPolicyCustomProviderAuthzExtensionArgs
        {
            Resources = new[]
            {
                "string",
            },
        },
        CloudIap = new Gcp.NetworkSecurity.Inputs.AuthzPolicyCustomProviderCloudIapArgs
        {
            Enabled = false,
        },
    },
    Description = "string",
    HttpRules = new[]
    {
        new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleArgs
        {
            From = new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromArgs
            {
                NotSources = new[]
                {
                    new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromNotSourceArgs
                    {
                        Principals = new[]
                        {
                            // NOTE(review): Contains/Exact/Prefix/Suffix are all
                            // filled in here and in every matcher below because
                            // this is a template; presumably a real matcher sets
                            // one of them. Confirm against the property reference.
                            new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromNotSourcePrincipalArgs
                            {
                                Contains = "string",
                                Exact = "string",
                                IgnoreCase = false,
                                Prefix = "string",
                                Suffix = "string",
                            },
                        },
                        Resources = new[]
                        {
                            new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromNotSourceResourceArgs
                            {
                                IamServiceAccount = new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccountArgs
                                {
                                    Contains = "string",
                                    Exact = "string",
                                    IgnoreCase = false,
                                    Prefix = "string",
                                    Suffix = "string",
                                },
                                TagValueIdSet = new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSetArgs
                                {
                                    Ids = new[]
                                    {
                                        "string",
                                    },
                                },
                            },
                        },
                    },
                },
                Sources = new[]
                {
                    new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromSourceArgs
                    {
                        Principals = new[]
                        {
                            new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromSourcePrincipalArgs
                            {
                                Contains = "string",
                                Exact = "string",
                                IgnoreCase = false,
                                Prefix = "string",
                                Suffix = "string",
                            },
                        },
                        Resources = new[]
                        {
                            new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromSourceResourceArgs
                            {
                                IamServiceAccount = new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromSourceResourceIamServiceAccountArgs
                                {
                                    Contains = "string",
                                    Exact = "string",
                                    IgnoreCase = false,
                                    Prefix = "string",
                                    Suffix = "string",
                                },
                                TagValueIdSet = new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleFromSourceResourceTagValueIdSetArgs
                                {
                                    Ids = new[]
                                    {
                                        "string",
                                    },
                                },
                            },
                        },
                    },
                },
            },
            To = new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleToArgs
            {
                Operations = new[]
                {
                    new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleToOperationArgs
                    {
                        HeaderSet = new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleToOperationHeaderSetArgs
                        {
                            Headers = new[]
                            {
                                new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs
                                {
                                    Name = "string",
                                    Value = new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs
                                    {
                                        Contains = "string",
                                        Exact = "string",
                                        IgnoreCase = false,
                                        Prefix = "string",
                                        Suffix = "string",
                                    },
                                },
                            },
                        },
                        Hosts = new[]
                        {
                            new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleToOperationHostArgs
                            {
                                Contains = "string",
                                Exact = "string",
                                IgnoreCase = false,
                                Prefix = "string",
                                Suffix = "string",
                            },
                        },
                        Methods = new[]
                        {
                            "string",
                        },
                        Paths = new[]
                        {
                            new Gcp.NetworkSecurity.Inputs.AuthzPolicyHttpRuleToOperationPathArgs
                            {
                                Contains = "string",
                                Exact = "string",
                                IgnoreCase = false,
                                Prefix = "string",
                                Suffix = "string",
                            },
                        },
                    },
                },
            },
            When = "string",
        },
    },
    Labels =
    {
        { "string", "string" },
    },
    Name = "string",
    Project = "string",
});
// Reference template: lists every AuthzPolicy input with a placeholder value.
// It shows the shape of the arguments and is not a deployable configuration.
example, err := networksecurity.NewAuthzPolicy(ctx, "authzPolicyResource", &networksecurity.AuthzPolicyArgs{
	Action:   pulumi.String("string"),
	Location: pulumi.String("string"),
	Target: &networksecurity.AuthzPolicyTargetArgs{
		LoadBalancingScheme: pulumi.String("string"),
		Resources: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	// NOTE(review): AuthzExtension and CloudIap appear together only because
	// this is a template; they look like alternative providers, so confirm in
	// the property reference whether a real policy may set both.
	CustomProvider: &networksecurity.AuthzPolicyCustomProviderArgs{
		AuthzExtension: &networksecurity.AuthzPolicyCustomProviderAuthzExtensionArgs{
			Resources: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		CloudIap: &networksecurity.AuthzPolicyCustomProviderCloudIapArgs{
			Enabled: pulumi.Bool(false),
		},
	},
	Description: pulumi.String("string"),
	HttpRules: networksecurity.AuthzPolicyHttpRuleArray{
		&networksecurity.AuthzPolicyHttpRuleArgs{
			From: &networksecurity.AuthzPolicyHttpRuleFromArgs{
				NotSources: networksecurity.AuthzPolicyHttpRuleFromNotSourceArray{
					&networksecurity.AuthzPolicyHttpRuleFromNotSourceArgs{
						Principals: networksecurity.AuthzPolicyHttpRuleFromNotSourcePrincipalArray{
							// NOTE(review): Contains/Exact/Prefix/Suffix are all
							// filled in here and in every matcher below because
							// this is a template; presumably a real matcher sets
							// one of them. Confirm against the property reference.
							&networksecurity.AuthzPolicyHttpRuleFromNotSourcePrincipalArgs{
								Contains:   pulumi.String("string"),
								Exact:      pulumi.String("string"),
								IgnoreCase: pulumi.Bool(false),
								Prefix:     pulumi.String("string"),
								Suffix:     pulumi.String("string"),
							},
						},
						Resources: networksecurity.AuthzPolicyHttpRuleFromNotSourceResourceArray{
							&networksecurity.AuthzPolicyHttpRuleFromNotSourceResourceArgs{
								IamServiceAccount: &networksecurity.AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccountArgs{
									Contains:   pulumi.String("string"),
									Exact:      pulumi.String("string"),
									IgnoreCase: pulumi.Bool(false),
									Prefix:     pulumi.String("string"),
									Suffix:     pulumi.String("string"),
								},
								TagValueIdSet: &networksecurity.AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSetArgs{
									Ids: pulumi.StringArray{
										pulumi.String("string"),
									},
								},
							},
						},
					},
				},
				Sources: networksecurity.AuthzPolicyHttpRuleFromSourceArray{
					&networksecurity.AuthzPolicyHttpRuleFromSourceArgs{
						Principals: networksecurity.AuthzPolicyHttpRuleFromSourcePrincipalArray{
							&networksecurity.AuthzPolicyHttpRuleFromSourcePrincipalArgs{
								Contains:   pulumi.String("string"),
								Exact:      pulumi.String("string"),
								IgnoreCase: pulumi.Bool(false),
								Prefix:     pulumi.String("string"),
								Suffix:     pulumi.String("string"),
							},
						},
						Resources: networksecurity.AuthzPolicyHttpRuleFromSourceResourceArray{
							&networksecurity.AuthzPolicyHttpRuleFromSourceResourceArgs{
								IamServiceAccount: &networksecurity.AuthzPolicyHttpRuleFromSourceResourceIamServiceAccountArgs{
									Contains:   pulumi.String("string"),
									Exact:      pulumi.String("string"),
									IgnoreCase: pulumi.Bool(false),
									Prefix:     pulumi.String("string"),
									Suffix:     pulumi.String("string"),
								},
								TagValueIdSet: &networksecurity.AuthzPolicyHttpRuleFromSourceResourceTagValueIdSetArgs{
									Ids: pulumi.StringArray{
										pulumi.String("string"),
									},
								},
							},
						},
					},
				},
			},
			To: &networksecurity.AuthzPolicyHttpRuleToArgs{
				Operations: networksecurity.AuthzPolicyHttpRuleToOperationArray{
					&networksecurity.AuthzPolicyHttpRuleToOperationArgs{
						HeaderSet: &networksecurity.AuthzPolicyHttpRuleToOperationHeaderSetArgs{
							Headers: networksecurity.AuthzPolicyHttpRuleToOperationHeaderSetHeaderArray{
								&networksecurity.AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs{
									Name: pulumi.String("string"),
									Value: &networksecurity.AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs{
										Contains:   pulumi.String("string"),
										Exact:      pulumi.String("string"),
										IgnoreCase: pulumi.Bool(false),
										Prefix:     pulumi.String("string"),
										Suffix:     pulumi.String("string"),
									},
								},
							},
						},
						Hosts: networksecurity.AuthzPolicyHttpRuleToOperationHostArray{
							&networksecurity.AuthzPolicyHttpRuleToOperationHostArgs{
								Contains:   pulumi.String("string"),
								Exact:      pulumi.String("string"),
								IgnoreCase: pulumi.Bool(false),
								Prefix:     pulumi.String("string"),
								Suffix:     pulumi.String("string"),
							},
						},
						Methods: pulumi.StringArray{
							pulumi.String("string"),
						},
						Paths: networksecurity.AuthzPolicyHttpRuleToOperationPathArray{
							&networksecurity.AuthzPolicyHttpRuleToOperationPathArgs{
								Contains:   pulumi.String("string"),
								Exact:      pulumi.String("string"),
								IgnoreCase: pulumi.Bool(false),
								Prefix:     pulumi.String("string"),
								Suffix:     pulumi.String("string"),
							},
						},
					},
				},
			},
			When: pulumi.String("string"),
		},
	},
	Labels: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Name:    pulumi.String("string"),
	Project: pulumi.String("string"),
})
// Builder template that lists every AuthzPolicy input. The "string" and false
// arguments are type placeholders, not usable settings.
var authzPolicyResource = new AuthzPolicy("authzPolicyResource", AuthzPolicyArgs.builder()
    // One of ALLOW, DENY or CUSTOM; CUSTOM requires customProvider below.
    .action("string")
    .location("string")
    // The set of resources this policy is applied to.
    .target(AuthzPolicyTargetArgs.builder()
        .loadBalancingScheme("string")
        .resources("string")
        .build())
    // Required when action is CUSTOM. The property docs say one of cloudIap or
    // authzExtension must be specified; both appear here, presumably because
    // the template enumerates every field.
    .customProvider(AuthzPolicyCustomProviderArgs.builder()
        .authzExtension(AuthzPolicyCustomProviderAuthzExtensionArgs.builder()
            .resources("string")
            .build())
        .cloudIap(AuthzPolicyCustomProviderCloudIapArgs.builder()
            .enabled(false)
            .build())
        .build())
    .description("string")
    // The policy matches when at least one rule matches, or when no rules are
    // given. ALLOW and DENY need at least one rule; at most 5 rules.
    .httpRules(AuthzPolicyHttpRuleArgs.builder()
        .from(AuthzPolicyHttpRuleFromArgs.builder()
            .notSources(AuthzPolicyHttpRuleFromNotSourceArgs.builder()
                .principals(AuthzPolicyHttpRuleFromNotSourcePrincipalArgs.builder()
                    .contains("string")
                    .exact("string")
                    .ignoreCase(false)
                    .prefix("string")
                    .suffix("string")
                    .build())
                .resources(AuthzPolicyHttpRuleFromNotSourceResourceArgs.builder()
                    .iamServiceAccount(AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccountArgs.builder()
                        .contains("string")
                        .exact("string")
                        .ignoreCase(false)
                        .prefix("string")
                        .suffix("string")
                        .build())
                    .tagValueIdSet(AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSetArgs.builder()
                        .ids("string")
                        .build())
                    .build())
                .build())
            .sources(AuthzPolicyHttpRuleFromSourceArgs.builder()
                .principals(AuthzPolicyHttpRuleFromSourcePrincipalArgs.builder()
                    .contains("string")
                    .exact("string")
                    .ignoreCase(false)
                    .prefix("string")
                    .suffix("string")
                    .build())
                .resources(AuthzPolicyHttpRuleFromSourceResourceArgs.builder()
                    .iamServiceAccount(AuthzPolicyHttpRuleFromSourceResourceIamServiceAccountArgs.builder()
                        .contains("string")
                        .exact("string")
                        .ignoreCase(false)
                        .prefix("string")
                        .suffix("string")
                        .build())
                    .tagValueIdSet(AuthzPolicyHttpRuleFromSourceResourceTagValueIdSetArgs.builder()
                        .ids("string")
                        .build())
                    .build())
                .build())
            .build())
        .to(AuthzPolicyHttpRuleToArgs.builder()
            .operations(AuthzPolicyHttpRuleToOperationArgs.builder()
                .headerSet(AuthzPolicyHttpRuleToOperationHeaderSetArgs.builder()
                    .headers(AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs.builder()
                        .name("string")
                        .value(AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs.builder()
                            .contains("string")
                            .exact("string")
                            .ignoreCase(false)
                            .prefix("string")
                            .suffix("string")
                            .build())
                        .build())
                    .build())
                .hosts(AuthzPolicyHttpRuleToOperationHostArgs.builder()
                    .contains("string")
                    .exact("string")
                    .ignoreCase(false)
                    .prefix("string")
                    .suffix("string")
                    .build())
                .methods("string")
                .paths(AuthzPolicyHttpRuleToOperationPathArgs.builder()
                    .contains("string")
                    .exact("string")
                    .ignoreCase(false)
                    .prefix("string")
                    .suffix("string")
                    .build())
                .build())
            .build())
        .when("string")
        .build())
    // Non-authoritative: only the labels in this configuration are managed;
    // effective_labels holds all labels present on the resource.
    .labels(Map.of("string", "string"))
    .name("string")
    .project("string")
    .build());
# Constructor template that lists every AuthzPolicy input. The "string" and
# False values are type placeholders, not usable settings.
authz_policy_resource = gcp.networksecurity.AuthzPolicy("authzPolicyResource",
    # One of ALLOW, DENY or CUSTOM; CUSTOM requires custom_provider below.
    action="string",
    location="string",
    # The set of resources this policy is applied to.
    target={
        "load_balancing_scheme": "string",
        "resources": ["string"],
    },
    # Required when action is CUSTOM. The property docs say one of cloudIap or
    # authzExtension must be specified; both appear here, presumably because
    # the template enumerates every field.
    custom_provider={
        "authz_extension": {
            "resources": ["string"],
        },
        "cloud_iap": {
            "enabled": False,
        },
    },
    description="string",
    # The policy matches when at least one rule matches, or when no rules are
    # given. ALLOW and DENY need at least one rule; at most 5 rules.
    http_rules=[{
        "from_": {
            "not_sources": [{
                "principals": [{
                    "contains": "string",
                    "exact": "string",
                    "ignore_case": False,
                    "prefix": "string",
                    "suffix": "string",
                }],
                "resources": [{
                    "iam_service_account": {
                        "contains": "string",
                        "exact": "string",
                        "ignore_case": False,
                        "prefix": "string",
                        "suffix": "string",
                    },
                    "tag_value_id_set": {
                        "ids": ["string"],
                    },
                }],
            }],
            "sources": [{
                "principals": [{
                    "contains": "string",
                    "exact": "string",
                    "ignore_case": False,
                    "prefix": "string",
                    "suffix": "string",
                }],
                "resources": [{
                    "iam_service_account": {
                        "contains": "string",
                        "exact": "string",
                        "ignore_case": False,
                        "prefix": "string",
                        "suffix": "string",
                    },
                    "tag_value_id_set": {
                        "ids": ["string"],
                    },
                }],
            }],
        },
        "to": {
            "operations": [{
                "header_set": {
                    "headers": [{
                        "name": "string",
                        "value": {
                            "contains": "string",
                            "exact": "string",
                            "ignore_case": False,
                            "prefix": "string",
                            "suffix": "string",
                        },
                    }],
                },
                "hosts": [{
                    "contains": "string",
                    "exact": "string",
                    "ignore_case": False,
                    "prefix": "string",
                    "suffix": "string",
                }],
                "methods": ["string"],
                "paths": [{
                    "contains": "string",
                    "exact": "string",
                    "ignore_case": False,
                    "prefix": "string",
                    "suffix": "string",
                }],
            }],
        },
        "when": "string",
    }],
    # Non-authoritative: only the labels in this configuration are managed;
    # effective_labels holds all labels present on the resource.
    labels={
        "string": "string",
    },
    name="string",
    project="string")
// Constructor template that lists every AuthzPolicy input. The "string" and
// false values are type placeholders, not usable settings.
const authzPolicyResource = new gcp.networksecurity.AuthzPolicy("authzPolicyResource", {
    // One of ALLOW, DENY or CUSTOM; CUSTOM requires customProvider below.
    action: "string",
    location: "string",
    // The set of resources this policy is applied to.
    target: {
        loadBalancingScheme: "string",
        resources: ["string"],
    },
    // Required when action is CUSTOM. The property docs say one of cloudIap or
    // authzExtension must be specified; both appear here, presumably because
    // the template enumerates every field.
    customProvider: {
        authzExtension: {
            resources: ["string"],
        },
        cloudIap: {
            enabled: false,
        },
    },
    description: "string",
    // The policy matches when at least one rule matches, or when no rules are
    // given. ALLOW and DENY need at least one rule; at most 5 rules.
    httpRules: [{
        from: {
            notSources: [{
                principals: [{
                    contains: "string",
                    exact: "string",
                    ignoreCase: false,
                    prefix: "string",
                    suffix: "string",
                }],
                resources: [{
                    iamServiceAccount: {
                        contains: "string",
                        exact: "string",
                        ignoreCase: false,
                        prefix: "string",
                        suffix: "string",
                    },
                    tagValueIdSet: {
                        ids: ["string"],
                    },
                }],
            }],
            sources: [{
                principals: [{
                    contains: "string",
                    exact: "string",
                    ignoreCase: false,
                    prefix: "string",
                    suffix: "string",
                }],
                resources: [{
                    iamServiceAccount: {
                        contains: "string",
                        exact: "string",
                        ignoreCase: false,
                        prefix: "string",
                        suffix: "string",
                    },
                    tagValueIdSet: {
                        ids: ["string"],
                    },
                }],
            }],
        },
        to: {
            operations: [{
                headerSet: {
                    headers: [{
                        name: "string",
                        value: {
                            contains: "string",
                            exact: "string",
                            ignoreCase: false,
                            prefix: "string",
                            suffix: "string",
                        },
                    }],
                },
                hosts: [{
                    contains: "string",
                    exact: "string",
                    ignoreCase: false,
                    prefix: "string",
                    suffix: "string",
                }],
                methods: ["string"],
                paths: [{
                    contains: "string",
                    exact: "string",
                    ignoreCase: false,
                    prefix: "string",
                    suffix: "string",
                }],
            }],
        },
        when: "string",
    }],
    // Non-authoritative: only the labels in this configuration are managed;
    // effective_labels holds all labels present on the resource.
    labels: {
        string: "string",
    },
    name: "string",
    project: "string",
});
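# Template listing every AuthzPolicy input. "string" and false are type
# placeholders, not usable settings. The nesting below was lost in the flat
# listing and is restored to match the other language templates on this page.
type: gcp:networksecurity:AuthzPolicy
properties:
  # One of ALLOW, DENY or CUSTOM; CUSTOM requires customProvider below.
  action: string
  # Required when action is CUSTOM. The property docs say one of cloudIap or
  # authzExtension must be specified; both appear here, presumably because
  # the template enumerates every field.
  customProvider:
    authzExtension:
      resources:
        - string
    cloudIap:
      enabled: false
  description: string
  # The policy matches when at least one rule matches, or when no rules are
  # given. ALLOW and DENY need at least one rule; at most 5 rules.
  httpRules:
    - from:
        notSources:
          - principals:
              - contains: string
                exact: string
                ignoreCase: false
                prefix: string
                suffix: string
            resources:
              - iamServiceAccount:
                  contains: string
                  exact: string
                  ignoreCase: false
                  prefix: string
                  suffix: string
                tagValueIdSet:
                  ids:
                    - string
        sources:
          - principals:
              - contains: string
                exact: string
                ignoreCase: false
                prefix: string
                suffix: string
            resources:
              - iamServiceAccount:
                  contains: string
                  exact: string
                  ignoreCase: false
                  prefix: string
                  suffix: string
                tagValueIdSet:
                  ids:
                    - string
      to:
        operations:
          - headerSet:
              headers:
                - name: string
                  value:
                    contains: string
                    exact: string
                    ignoreCase: false
                    prefix: string
                    suffix: string
            hosts:
              - contains: string
                exact: string
                ignoreCase: false
                prefix: string
                suffix: string
            methods:
              - string
            paths:
              - contains: string
                exact: string
                ignoreCase: false
                prefix: string
                suffix: string
      when: string
  # Non-authoritative: only the labels in this configuration are managed;
  # effective_labels holds all labels present on the resource.
  labels:
    string: string
  location: string
  name: string
  project: string
  # The set of resources this policy is applied to.
  target:
    loadBalancingScheme: string
    resources:
      - string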
AuthzPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AuthzPolicy resource accepts the following input properties:
- Action string
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers, and the request is denied if the provider rejects it.
- If any DENY policy matches the request, the request is denied.
- If there are no ALLOW policies for the resource, or if any ALLOW policy matches the request, the request is allowed. As a consequence, a resource that has only DENY or CUSTOM policies allows every request those policies do not reject.
- Otherwise, the request is denied by default, because ALLOW policies are configured and none of them matches the request.
Possible values are: ALLOW, DENY, CUSTOM.
- Location string
- The location of the resource.
- Target AuthzPolicyTarget - Specifies the set of resources to which this policy should be applied. Structure is documented below.
- CustomProvider AuthzPolicyCustomProvider - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- Description string
- A human-readable description of the resource.
- HttpRules List<AuthzPolicyHttpRule> - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP rule is required for the ALLOW or DENY action, so only a CUSTOM policy can omit rules, and a CUSTOM policy that omits them matches every request it is evaluated against. Limited to 5 rules.
- Labels Dictionary<string, string>
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- Name string
- Identifier. Name of the AuthzPolicy resource.
- Project string
- Action string
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
- Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
Possible values are: ALLOW, DENY, CUSTOM.
- Location string
- The location of the resource.
- Target
Authz
Policy Target Args - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- Custom
Provider AuthzPolicy Custom Provider Args - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- Description string
- A human-readable description of the resource.
- HttpRules []AuthzPolicyHttpRuleArgs - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
- Labels map[string]string
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- Name string
- Identifier. Name of the AuthzPolicy resource.
- Project string
- action String
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
- Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
Possible values are: ALLOW, DENY, CUSTOM.
- location String
- The location of the resource.
- target
Authz
Policy Target - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- custom
Provider AuthzPolicy Custom Provider - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- description String
- A human-readable description of the resource.
- httpRules List<AuthzPolicyHttpRule> - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
- labels Map<String,String>
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- name String
- Identifier. Name of the AuthzPolicy resource.
- project String
- action string
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
- Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
Possible values are: ALLOW, DENY, CUSTOM.
- location string
- The location of the resource.
- target
Authz
Policy Target - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- custom
Provider AuthzPolicy Custom Provider - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- description string
- A human-readable description of the resource.
- httpRules AuthzPolicyHttpRule[] - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
- labels {[key: string]: string}
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- name string
- Identifier. Name of the AuthzPolicy resource.
- project string
- action str
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
- Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
Possible values are: ALLOW, DENY, CUSTOM.
- location str
- The location of the resource.
- target
Authz
Policy Target Args - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- custom_
provider AuthzPolicy Custom Provider Args - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- description str
- A human-readable description of the resource.
- http_rules Sequence[AuthzPolicyHttpRuleArgs] - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
- labels Mapping[str, str]
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- name str
- Identifier. Name of the AuthzPolicy resource.
- project str
- action String
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
- Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
Possible values are: ALLOW, DENY, CUSTOM.
- location String
- The location of the resource.
- target Property Map
- Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- custom
Provider Property Map - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- description String
- A human-readable description of the resource.
- httpRules List<Property Map> - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
- labels Map<String>
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- name String
- Identifier. Name of the AuthzPolicy resource.
- project String
Outputs
All input properties are implicitly available as output properties. Additionally, the AuthzPolicy resource produces the following output properties:
- Create
Time string - The timestamp when the resource was created.
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Update
Time string - The timestamp when the resource was updated.
- Create
Time string - The timestamp when the resource was created.
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- Update
Time string - The timestamp when the resource was updated.
- create
Time String - The timestamp when the resource was created.
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- update
Time String - The timestamp when the resource was updated.
- create
Time string - The timestamp when the resource was created.
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id string
- The provider-assigned unique ID for this managed resource.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- update
Time string - The timestamp when the resource was updated.
- create_
time str - The timestamp when the resource was created.
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id str
- The provider-assigned unique ID for this managed resource.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- update_
time str - The timestamp when the resource was updated.
- create
Time String - The timestamp when the resource was created.
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- update
Time String - The timestamp when the resource was updated.
Look up Existing AuthzPolicy Resource
Get an existing AuthzPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthzPolicyState, opts?: CustomResourceOptions): AuthzPolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
create_time: Optional[str] = None,
custom_provider: Optional[AuthzPolicyCustomProviderArgs] = None,
description: Optional[str] = None,
effective_labels: Optional[Mapping[str, str]] = None,
http_rules: Optional[Sequence[AuthzPolicyHttpRuleArgs]] = None,
labels: Optional[Mapping[str, str]] = None,
location: Optional[str] = None,
name: Optional[str] = None,
project: Optional[str] = None,
pulumi_labels: Optional[Mapping[str, str]] = None,
target: Optional[AuthzPolicyTargetArgs] = None,
update_time: Optional[str] = None) -> AuthzPolicy
func GetAuthzPolicy(ctx *Context, name string, id IDInput, state *AuthzPolicyState, opts ...ResourceOption) (*AuthzPolicy, error)
public static AuthzPolicy Get(string name, Input<string> id, AuthzPolicyState? state, CustomResourceOptions? opts = null)
public static AuthzPolicy get(String name, Output<String> id, AuthzPolicyState state, CustomResourceOptions options)
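# Looks up an existing AuthzPolicy by provider ID. The mapping was collapsed
# onto one line, which is not valid YAML; the nesting is restored here.
resources:
  _:
    type: gcp:networksecurity:AuthzPolicy
    get:
      id: ${id}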
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
- Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
Possible values are: ALLOW, DENY, CUSTOM.
- Create
Time string - The timestamp when the resource was created.
- Custom
Provider AuthzPolicy Custom Provider - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- Description string
- A human-readable description of the resource.
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- HttpRules List<AuthzPolicyHttpRule> - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
- Labels Dictionary<string, string>
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- Location string
- The location of the resource.
- Name string
- Identifier. Name of the AuthzPolicy resource.
- Project string
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Target
Authz
Policy Target - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- Update
Time string - The timestamp when the resource was updated.
- Action string
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
- Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
Possible values are: ALLOW, DENY, CUSTOM.
- Create
Time string - The timestamp when the resource was created.
- Custom
Provider AuthzPolicy Custom Provider Args - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- Description string
- A human-readable description of the resource.
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- HttpRules []AuthzPolicyHttpRuleArgs - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
- Labels map[string]string
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- Location string
- The location of the resource.
- Name string
- Identifier. Name of the AuthzPolicy resource.
- Project string
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- Target
Authz
Policy Target Args - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- Update
Time string - The timestamp when the resource was updated.
- action String
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
- Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
Possible values are: ALLOW, DENY, CUSTOM.
- create
Time String - The timestamp when the resource was created.
- custom
Provider AuthzPolicy Custom Provider - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- description String
- A human-readable description of the resource.
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- httpRules List<AuthzPolicyHttpRule> - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
- labels Map<String,String>
- Set of labels associated with the AuthzExtension resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- location String
- The location of the resource.
- name String
- Identifier. Name of the AuthzPolicy resource.
- project String
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- target
Authz
Policy Target - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- update
Time String - The timestamp when the resource was updated.
- action string
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed. A resource with no ALLOW policy therefore admits every request that no CUSTOM or DENY policy has rejected.
- Otherwise the request is denied by default, because at least one ALLOW policy is configured and none of them matches the request.
Possible values are: ALLOW, DENY, CUSTOM.
- create
Time string - The timestamp when the resource was created.
- custom
Provider AuthzPolicy Custom Provider - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- description string
- A human-readable description of the resource.
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- http
Rules AuthzPolicy Http Rule[] - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy, so a policy without HTTP rules matches every request. At least one HTTP Rule is required for Allow or Deny Action, which leaves CUSTOM as the only action that can omit them. Limited to 5 rules.
- labels {[key: string]: string}
- Set of labels associated with the AuthzPolicy resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- location string
- The location of the resource.
- name string
- Identifier. Name of the AuthzPolicy resource.
- project string
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- target
Authz
Policy Target - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- update
Time string - The timestamp when the resource was updated.
- action str
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed. A resource with no ALLOW policy therefore admits every request that no CUSTOM or DENY policy has rejected.
- Otherwise the request is denied by default, because at least one ALLOW policy is configured and none of them matches the request.
Possible values are: ALLOW, DENY, CUSTOM.
- create_
time str - The timestamp when the resource was created.
- custom_
provider AuthzPolicy Custom Provider Args - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- description str
- A human-readable description of the resource.
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- http_
rules Sequence[AuthzPolicy Http Rule Args] - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy, so a policy without HTTP rules matches every request. At least one HTTP Rule is required for Allow or Deny Action, which leaves CUSTOM as the only action that can omit them. Limited to 5 rules.
- labels Mapping[str, str]
- Set of labels associated with the AuthzPolicy resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- location str
- The location of the resource.
- name str
- Identifier. Name of the AuthzPolicy resource.
- project str
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- target
Authz
Policy Target Args - Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- update_
time str - The timestamp when the resource was updated.
- action String
- When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will be allowed.
When the action is DENY, only requests matching the policy will be denied.
When a request arrives, the policies are evaluated in the following order:
- If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
- If there are any DENY policies that match the request, the request is denied.
- If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed. A resource with no ALLOW policy therefore admits every request that no CUSTOM or DENY policy has rejected.
- Otherwise the request is denied by default, because at least one ALLOW policy is configured and none of them matches the request.
Possible values are: ALLOW, DENY, CUSTOM.
- create
Time String - The timestamp when the resource was created.
- custom
Provider Property Map - Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.
- description String
- A human-readable description of the resource.
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- http
Rules List<Property Map> - A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy, so a policy without HTTP rules matches every request. At least one HTTP Rule is required for Allow or Deny Action, which leaves CUSTOM as the only action that can omit them. Limited to 5 rules.
- labels Map<String>
- Set of labels associated with the AuthzPolicy resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
- location String
- The location of the resource.
- name String
- Identifier. Name of the AuthzPolicy resource.
- project String
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- target Property Map
- Specifies the set of resources to which this policy should be applied to. Structure is documented below.
- update
Time String - The timestamp when the resource was updated.
Supporting Types
AuthzPolicyCustomProvider, AuthzPolicyCustomProviderArgs
- Authz
Extension AuthzPolicy Custom Provider Authz Extension - Delegate authorization decision to user authored Service Extension. Only one of cloudIap or authzExtension can be specified. Structure is documented below.
- Cloud
Iap AuthzPolicy Custom Provider Cloud Iap - Delegates authorization decisions to Cloud IAP. Applicable only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy level is not compatible with Cloud IAP settings in the BackendService. Enabling IAP in both places will result in request failure. Ensure that IAP is enabled in either the AuthzPolicy or the BackendService but not in both places. Structure is documented below.
- Authz
Extension AuthzPolicy Custom Provider Authz Extension - Delegate authorization decision to user authored Service Extension. Only one of cloudIap or authzExtension can be specified. Structure is documented below.
- Cloud
Iap AuthzPolicy Custom Provider Cloud Iap - Delegates authorization decisions to Cloud IAP. Applicable only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy level is not compatible with Cloud IAP settings in the BackendService. Enabling IAP in both places will result in request failure. Ensure that IAP is enabled in either the AuthzPolicy or the BackendService but not in both places. Structure is documented below.
- authz
Extension AuthzPolicy Custom Provider Authz Extension - Delegate authorization decision to user authored Service Extension. Only one of cloudIap or authzExtension can be specified. Structure is documented below.
- cloud
Iap AuthzPolicy Custom Provider Cloud Iap - Delegates authorization decisions to Cloud IAP. Applicable only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy level is not compatible with Cloud IAP settings in the BackendService. Enabling IAP in both places will result in request failure. Ensure that IAP is enabled in either the AuthzPolicy or the BackendService but not in both places. Structure is documented below.
- authz
Extension AuthzPolicy Custom Provider Authz Extension - Delegate authorization decision to user authored Service Extension. Only one of cloudIap or authzExtension can be specified. Structure is documented below.
- cloud
Iap AuthzPolicy Custom Provider Cloud Iap - Delegates authorization decisions to Cloud IAP. Applicable only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy level is not compatible with Cloud IAP settings in the BackendService. Enabling IAP in both places will result in request failure. Ensure that IAP is enabled in either the AuthzPolicy or the BackendService but not in both places. Structure is documented below.
- authz_
extension AuthzPolicy Custom Provider Authz Extension - Delegate authorization decision to user authored Service Extension. Only one of cloudIap or authzExtension can be specified. Structure is documented below.
- cloud_
iap AuthzPolicy Custom Provider Cloud Iap - Delegates authorization decisions to Cloud IAP. Applicable only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy level is not compatible with Cloud IAP settings in the BackendService. Enabling IAP in both places will result in request failure. Ensure that IAP is enabled in either the AuthzPolicy or the BackendService but not in both places. Structure is documented below.
- authz
Extension Property Map - Delegate authorization decision to user authored Service Extension. Only one of cloudIap or authzExtension can be specified. Structure is documented below.
- cloud
Iap Property Map - Delegates authorization decisions to Cloud IAP. Applicable only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy level is not compatible with Cloud IAP settings in the BackendService. Enabling IAP in both places will result in request failure. Ensure that IAP is enabled in either the AuthzPolicy or the BackendService but not in both places. Structure is documented below.
AuthzPolicyCustomProviderAuthzExtension, AuthzPolicyCustomProviderAuthzExtensionArgs
- Resources List<string>
- A list of references to authorization extensions that will be invoked for requests matching this policy. Limited to 1 custom provider.
- Resources []string
- A list of references to authorization extensions that will be invoked for requests matching this policy. Limited to 1 custom provider.
- resources List<String>
- A list of references to authorization extensions that will be invoked for requests matching this policy. Limited to 1 custom provider.
- resources string[]
- A list of references to authorization extensions that will be invoked for requests matching this policy. Limited to 1 custom provider.
- resources Sequence[str]
- A list of references to authorization extensions that will be invoked for requests matching this policy. Limited to 1 custom provider.
- resources List<String>
- A list of references to authorization extensions that will be invoked for requests matching this policy. Limited to 1 custom provider.
AuthzPolicyCustomProviderCloudIap, AuthzPolicyCustomProviderCloudIapArgs
- Enabled bool
- Enable Cloud IAP at the AuthzPolicy level.
- Enabled bool
- Enable Cloud IAP at the AuthzPolicy level.
- enabled Boolean
- Enable Cloud IAP at the AuthzPolicy level.
- enabled boolean
- Enable Cloud IAP at the AuthzPolicy level.
- enabled bool
- Enable Cloud IAP at the AuthzPolicy level.
- enabled Boolean
- Enable Cloud IAP at the AuthzPolicy level.
AuthzPolicyHttpRule, AuthzPolicyHttpRuleArgs
- From
Authz
Policy Http Rule From - Describes properties of one or more sources of a request. Structure is documented below.
- To
Authz
Policy Http Rule To - Describes properties of one or more targets of a request. Structure is documented below.
- When string
- CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.
- From
Authz
Policy Http Rule From - Describes properties of one or more sources of a request. Structure is documented below.
- To
Authz
Policy Http Rule To - Describes properties of one or more targets of a request. Structure is documented below.
- When string
- CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.
- from
Authz
Policy Http Rule From - Describes properties of one or more sources of a request. Structure is documented below.
- to
Authz
Policy Http Rule To - Describes properties of one or more targets of a request. Structure is documented below.
- when String
- CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.
- from
Authz
Policy Http Rule From - Describes properties of one or more sources of a request. Structure is documented below.
- to
Authz
Policy Http Rule To - Describes properties of one or more targets of a request. Structure is documented below.
- when string
- CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.
- from_
Authz
Policy Http Rule From - Describes properties of one or more sources of a request. Structure is documented below.
- to
Authz
Policy Http Rule To - Describes properties of one or more targets of a request. Structure is documented below.
- when str
- CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.
- from Property Map
- Describes properties of one or more sources of a request. Structure is documented below.
- to Property Map
- Describes properties of one or more targets of a request. Structure is documented below.
- when String
- CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.
AuthzPolicyHttpRuleFrom, AuthzPolicyHttpRuleFromArgs
- Not
Sources List<AuthzPolicy Http Rule From Not Source> - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- Sources
List<Authz
Policy Http Rule From Source> - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- Not
Sources []AuthzPolicy Http Rule From Not Source - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- Sources
[]Authz
Policy Http Rule From Source - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- not
Sources List<AuthzPolicy Http Rule From Not Source> - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- sources
List<Authz
Policy Http Rule From Source> - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- not
Sources AuthzPolicy Http Rule From Not Source[] - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- sources
Authz
Policy Http Rule From Source[] - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- not_
sources Sequence[AuthzPolicy Http Rule From Not Source] - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- sources
Sequence[Authz
Policy Http Rule From Source] - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- not
Sources List<Property Map> - Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
- sources List<Property Map>
- Describes the properties of a request's sources. At least one of sources or notSources must be specified. Limited to 5 sources. A match occurs when ANY source (in sources or notSources) matches the request. Within a single source, the match follows AND semantics across fields and OR semantics within a single field, i.e. a match occurs when ANY principal matches AND ANY ipBlocks match. Structure is documented below.
AuthzPolicyHttpRuleFromNotSource, AuthzPolicyHttpRuleFromNotSourceArgs
- Principals
List<Authz
Policy Http Rule From Not Source Principal> - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, or DNS SAN or the subject field in the client's certificate. The match can be exact, prefix, suffix or a substring match. One of exact, prefix, suffix or contains must be specified. Limited to 5 principals. Structure is documented below.
- Resources
List<Authz
Policy Http Rule From Not Source Resource> - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- Principals
[]Authz
Policy Http Rule From Not Source Principal - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, or DNS SAN or the subject field in the client's certificate. The match can be exact, prefix, suffix or a substring match. One of exact, prefix, suffix or contains must be specified. Limited to 5 principals. Structure is documented below.
- Resources
[]Authz
Policy Http Rule From Not Source Resource - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- principals
List<Authz
Policy Http Rule From Not Source Principal> - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, or DNS SAN or the subject field in the client's certificate. The match can be exact, prefix, suffix or a substring match. One of exact, prefix, suffix or contains must be specified. Limited to 5 principals. Structure is documented below.
- resources
List<Authz
Policy Http Rule From Not Source Resource> - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- principals
Authz
Policy Http Rule From Not Source Principal[] - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, or DNS SAN or the subject field in the client's certificate. The match can be exact, prefix, suffix or a substring match. One of exact, prefix, suffix or contains must be specified. Limited to 5 principals. Structure is documented below.
- resources
Authz
Policy Http Rule From Not Source Resource[] - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- principals
Sequence[Authz
Policy Http Rule From Not Source Principal] - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, or DNS SAN or the subject field in the client's certificate. The match can be exact, prefix, suffix or a substring match. One of exact, prefix, suffix or contains must be specified. Limited to 5 principals. Structure is documented below.
- resources
Sequence[Authz
Policy Http Rule From Not Source Resource] - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- principals List<Property Map>
- A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, or DNS SAN or the subject field in the client's certificate. The match can be exact, prefix, suffix or a substring match. One of exact, prefix, suffix or contains must be specified. Limited to 5 principals. Structure is documented below.
- resources List<Property Map>
- A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
AuthzPolicyHttpRuleFromNotSourcePrincipal, AuthzPolicyHttpRuleFromNotSourcePrincipalArgs
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- Ignore
Case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- Ignore
Case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains str
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact str
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore_
case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix str
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix str
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
AuthzPolicyHttpRuleFromNotSourceResource, AuthzPolicyHttpRuleFromNotSourceResourceArgs
- IamServiceAccount AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- TagValueIdSet AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- IamServiceAccount AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- TagValueIdSet AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- iamServiceAccount AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- tagValueIdSet AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- iamServiceAccount AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- tagValueIdSet AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- iam_service_account AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- tag_value_id_set AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- iamServiceAccount Property Map - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- tagValueIdSet Property Map - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccount, AuthzPolicyHttpRuleFromNotSourceResourceIamServiceAccountArgs
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- IgnoreCase bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- IgnoreCase bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains str
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact str
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore_case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix str
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix str
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSet, AuthzPolicyHttpRuleFromNotSourceResourceTagValueIdSetArgs
- Ids List<string>
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- Ids []string
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- ids List<String>
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- ids string[]
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- ids Sequence[str]
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- ids List<String>
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
AuthzPolicyHttpRuleFromSource, AuthzPolicyHttpRuleFromSourceArgs
- Principals List<AuthzPolicyHttpRuleFromSourcePrincipal> - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, the DNS SAN or the subject field in the client's certificate. The match can be an exact, prefix, suffix or substring (contains) match, and one of exact, prefix, suffix or contains must be specified. Prefix, suffix and contains also match any longer identity that embeds the given string, so use exact when a single identity is intended. Limited to 5 principals. Structure is documented below.
- Resources List<AuthzPolicyHttpRuleFromSourceResource> - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- Principals []AuthzPolicyHttpRuleFromSourcePrincipal - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, the DNS SAN or the subject field in the client's certificate. The match can be an exact, prefix, suffix or substring (contains) match, and one of exact, prefix, suffix or contains must be specified. Prefix, suffix and contains also match any longer identity that embeds the given string, so use exact when a single identity is intended. Limited to 5 principals. Structure is documented below.
- Resources []AuthzPolicyHttpRuleFromSourceResource - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- principals List<AuthzPolicyHttpRuleFromSourcePrincipal> - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, the DNS SAN or the subject field in the client's certificate. The match can be an exact, prefix, suffix or substring (contains) match, and one of exact, prefix, suffix or contains must be specified. Prefix, suffix and contains also match any longer identity that embeds the given string, so use exact when a single identity is intended. Limited to 5 principals. Structure is documented below.
- resources List<AuthzPolicyHttpRuleFromSourceResource> - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- principals AuthzPolicyHttpRuleFromSourcePrincipal[] - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, the DNS SAN or the subject field in the client's certificate. The match can be an exact, prefix, suffix or substring (contains) match, and one of exact, prefix, suffix or contains must be specified. Prefix, suffix and contains also match any longer identity that embeds the given string, so use exact when a single identity is intended. Limited to 5 principals. Structure is documented below.
- resources AuthzPolicyHttpRuleFromSourceResource[] - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- principals Sequence[AuthzPolicyHttpRuleFromSourcePrincipal] - A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, the DNS SAN or the subject field in the client's certificate. The match can be an exact, prefix, suffix or substring (contains) match, and one of exact, prefix, suffix or contains must be specified. Prefix, suffix and contains also match any longer identity that embeds the given string, so use exact when a single identity is intended. Limited to 5 principals. Structure is documented below.
- resources Sequence[AuthzPolicyHttpRuleFromSourceResource] - A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
- principals List<Property Map>
- A list of identities derived from the client's certificate. This field will not match on a request unless mutual TLS is enabled for the Forwarding rule or Gateway. Each identity is a string whose value is matched against the URI SAN, the DNS SAN or the subject field in the client's certificate. The match can be an exact, prefix, suffix or substring (contains) match, and one of exact, prefix, suffix or contains must be specified. Prefix, suffix and contains also match any longer identity that embeds the given string, so use exact when a single identity is intended. Limited to 5 principals. Structure is documented below.
- resources List<Property Map>
- A list of resources to match against the resource of the source VM of a request. Limited to 5 resources. Structure is documented below.
AuthzPolicyHttpRuleFromSourcePrincipal, AuthzPolicyHttpRuleFromSourcePrincipalArgs
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- IgnoreCase bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- IgnoreCase bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains str
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact str
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore_case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix str
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix str
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
AuthzPolicyHttpRuleFromSourceResource, AuthzPolicyHttpRuleFromSourceResourceArgs
- IamServiceAccount AuthzPolicyHttpRuleFromSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- TagValueIdSet AuthzPolicyHttpRuleFromSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- IamServiceAccount AuthzPolicyHttpRuleFromSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- TagValueIdSet AuthzPolicyHttpRuleFromSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- iamServiceAccount AuthzPolicyHttpRuleFromSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- tagValueIdSet AuthzPolicyHttpRuleFromSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- iamServiceAccount AuthzPolicyHttpRuleFromSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- tagValueIdSet AuthzPolicyHttpRuleFromSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- iam_service_account AuthzPolicyHttpRuleFromSourceResourceIamServiceAccount - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- tag_value_id_set AuthzPolicyHttpRuleFromSourceResourceTagValueIdSet - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
- iamServiceAccount Property Map - An IAM service account to match against the source service account of the VM sending the request. Structure is documented below.
- tagValueIdSet Property Map - A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. Structure is documented below.
AuthzPolicyHttpRuleFromSourceResourceIamServiceAccount, AuthzPolicyHttpRuleFromSourceResourceIamServiceAccountArgs
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- IgnoreCase bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- IgnoreCase bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains str
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact str
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore_case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix str
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix str
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignoreCase Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
AuthzPolicyHttpRuleFromSourceResourceTagValueIdSet, AuthzPolicyHttpRuleFromSourceResourceTagValueIdSetArgs
- Ids List<string>
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- Ids []string
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- ids List<String>
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- ids string[]
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- ids Sequence[str]
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
- ids List<String>
- A list of resource tag value permanent IDs to match against the resource manager tags value associated with the source VM of a request. The match follows AND semantics which means all the ids must match. Limited to 5 matches.
AuthzPolicyHttpRuleTo, AuthzPolicyHttpRuleToArgs
- Operations List<AuthzPolicyHttpRuleToOperation> - Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches. Structure is documented below.
- Operations []AuthzPolicyHttpRuleToOperation - Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches. Structure is documented below.
- operations List<AuthzPolicyHttpRuleToOperation> - Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches. Structure is documented below.
- operations AuthzPolicyHttpRuleToOperation[] - Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches. Structure is documented below.
- operations Sequence[AuthzPolicyHttpRuleToOperation] - Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches. Structure is documented below.
- operations List<Property Map>
- Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches. Structure is documented below.
AuthzPolicyHttpRuleToOperation, AuthzPolicyHttpRuleToOperationArgs
- HeaderSet AuthzPolicyHttpRuleToOperationHeaderSet - A list of headers to match against the HTTP headers of the request. Structure is documented below.
- Hosts List<AuthzPolicyHttpRuleToOperationHost> - A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless ignoreCase is set. Limited to 5 matches. Structure is documented below.
- Methods List<string>
- A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
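- Paths List<AuthzPolicyHttpRuleToOperationPath>
- A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Note that this path match includes the query parameters: a request with a query string is compared as path plus query, so an exact or suffix matcher written for the bare path will not match it. Verify rules that are meant to restrict a path against requests that carry query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method. Structure is documented below.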
- Header
Set AuthzPolicy Http Rule To Operation Header Set - A list of headers to match against in http header. Structure is documented below.
- Hosts
[]Authz
Policy Http Rule To Operation Host - A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- Methods []string
- A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
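- Paths []AuthzPolicyHttpRuleToOperationPath
- A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Note that this path match includes the query parameters: a request with a query string is compared as path plus query, so an exact or suffix matcher written for the bare path will not match it. Verify rules that are meant to restrict a path against requests that carry query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method. Structure is documented below.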
- header
Set AuthzPolicy Http Rule To Operation Header Set - A list of headers to match against in http header. Structure is documented below.
- hosts
List<Authz
Policy Http Rule To Operation Host> - A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- methods List<String>
- A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
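- paths List<AuthzPolicyHttpRuleToOperationPath>
- A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Note that this path match includes the query parameters: a request with a query string is compared as path plus query, so an exact or suffix matcher written for the bare path will not match it. Verify rules that are meant to restrict a path against requests that carry query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method. Structure is documented below.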
- header
Set AuthzPolicy Http Rule To Operation Header Set - A list of headers to match against in http header. Structure is documented below.
- hosts
Authz
Policy Http Rule To Operation Host[] - A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- methods string[]
- A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
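- paths AuthzPolicyHttpRuleToOperationPath[]
- A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Note that this path match includes the query parameters: a request with a query string is compared as path plus query, so an exact or suffix matcher written for the bare path will not match it. Verify rules that are meant to restrict a path against requests that carry query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method. Structure is documented below.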
- header_
set AuthzPolicy Http Rule To Operation Header Set - A list of headers to match against in http header. Structure is documented below.
- hosts
Sequence[Authz
Policy Http Rule To Operation Host] - A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- methods Sequence[str]
- A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
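- paths Sequence[AuthzPolicyHttpRuleToOperationPath]
- A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Note that this path match includes the query parameters: a request with a query string is compared as path plus query, so an exact or suffix matcher written for the bare path will not match it. Verify rules that are meant to restrict a path against requests that carry query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method. Structure is documented below.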
- header
Set Property Map - A list of headers to match against in http header. Structure is documented below.
- hosts List<Property Map>
- A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- methods List<String>
- A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
- paths List<Property Map>
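- A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Note that this path match includes the query parameters: a request with a query string is compared as path plus query, so an exact or suffix matcher written for the bare path will not match it. Verify rules that are meant to restrict a path against requests that carry query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method. Structure is documented below.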
AuthzPolicyHttpRuleToOperationHeaderSet, AuthzPolicyHttpRuleToOperationHeaderSetArgs
- Headers
List<Authz
Policy Http Rule To Operation Header Set Header> - A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- Headers
[]Authz
Policy Http Rule To Operation Header Set Header - A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- headers
List<Authz
Policy Http Rule To Operation Header Set Header> - A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- headers
Authz
Policy Http Rule To Operation Header Set Header[] - A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- headers
Sequence[Authz
Policy Http Rule To Operation Header Set Header] - A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
- headers List<Property Map>
- A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches. Structure is documented below.
AuthzPolicyHttpRuleToOperationHeaderSetHeader, AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs
- Name string
- Specifies the name of the header in the request.
- Value
Authz
Policy Http Rule To Operation Header Set Header Value - Specifies how the header match will be performed. Structure is documented below.
- Name string
- Specifies the name of the header in the request.
- Value
Authz
Policy Http Rule To Operation Header Set Header Value - Specifies how the header match will be performed. Structure is documented below.
- name String
- Specifies the name of the header in the request.
- value
Authz
Policy Http Rule To Operation Header Set Header Value - Specifies how the header match will be performed. Structure is documented below.
- name string
- Specifies the name of the header in the request.
- value
Authz
Policy Http Rule To Operation Header Set Header Value - Specifies how the header match will be performed. Structure is documented below.
- name str
- Specifies the name of the header in the request.
- value
Authz
Policy Http Rule To Operation Header Set Header Value - Specifies how the header match will be performed. Structure is documented below.
- name String
- Specifies the name of the header in the request.
- value Property Map
- Specifies how the header match will be performed. Structure is documented below.
AuthzPolicyHttpRuleToOperationHeaderSetHeaderValue, AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- Ignore
Case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- Ignore
Case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains str
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact str
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore_
case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix str
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix str
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
AuthzPolicyHttpRuleToOperationHost, AuthzPolicyHttpRuleToOperationHostArgs
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- Ignore
Case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- Ignore
Case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains str
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact str
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore_
case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix str
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix str
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
AuthzPolicyHttpRuleToOperationPath, AuthzPolicyHttpRuleToOperationPathArgs
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- Ignore
Case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- Contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- Exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- Ignore
Case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- Prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- Suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains string
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact string
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix string
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix string
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains str
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact str
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore_
case bool - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix str
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix str
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
- contains String
- The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc.def
- exact String
- The input string must match exactly the string specified here.
Examples:
- abc only matches the value abc.
- ignore
Case Boolean - If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
- prefix String
- The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
Examples:
- abc matches the value abc.xyz
- suffix String
- The input string must have the suffix specified here. Note: empty suffix is not allowed, please use regex instead.
Examples:
- abc matches the value xyz.abc
AuthzPolicyTarget, AuthzPolicyTargetArgs
- LoadBalancingScheme string
- All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
For more information, refer to Backend services overview.
Possible values are: INTERNAL_MANAGED, EXTERNAL_MANAGED, INTERNAL_SELF_MANAGED.
- Resources List<string>
- A list of references to the Forwarding Rules on which this policy will be applied.
- LoadBalancingScheme string
- All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
For more information, refer to Backend services overview.
Possible values are: INTERNAL_MANAGED, EXTERNAL_MANAGED, INTERNAL_SELF_MANAGED.
- Resources []string
- A list of references to the Forwarding Rules on which this policy will be applied.
- loadBalancingScheme String
- All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
For more information, refer to Backend services overview.
Possible values are: INTERNAL_MANAGED, EXTERNAL_MANAGED, INTERNAL_SELF_MANAGED.
- resources List<String>
- A list of references to the Forwarding Rules on which this policy will be applied.
- loadBalancingScheme string
- All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
For more information, refer to Backend services overview.
Possible values are: INTERNAL_MANAGED, EXTERNAL_MANAGED, INTERNAL_SELF_MANAGED.
- resources string[]
- A list of references to the Forwarding Rules on which this policy will be applied.
- load_balancing_scheme str
- All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
For more information, refer to Backend services overview.
Possible values are: INTERNAL_MANAGED, EXTERNAL_MANAGED, INTERNAL_SELF_MANAGED.
- resources Sequence[str]
- A list of references to the Forwarding Rules on which this policy will be applied.
- loadBalancingScheme String
- All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
For more information, refer to Backend services overview.
Possible values are: INTERNAL_MANAGED, EXTERNAL_MANAGED, INTERNAL_SELF_MANAGED.
- resources List<String>
- A list of references to the Forwarding Rules on which this policy will be applied.
Import
AuthzPolicy can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
{{name}}
When using the pulumi import command, AuthzPolicy can be imported using one of the formats above. For example:
$ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}
$ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{project}}/{{location}}/{{name}}
$ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{location}}/{{name}}
$ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{name}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the google-beta Terraform Provider.