import * as pulumi from "@pulumi/pulumi"; /** * AuthzExtension is a resource that allows traffic forwarding to a callout backend service to make an authorization decision. * * To get more information about AuthzExtension, see: * * * [API documentation](https://cloud.google.com/service-extensions/docs/reference/rest/v1beta1/projects.locations.authzExtensions) * * ## Example Usage * * ### Network Services Authz Extension Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.RegionBackendService("default", { * name: "authz-service", * project: "my-project-name", * region: "us-west1", * protocol: "HTTP2", * loadBalancingScheme: "INTERNAL_MANAGED", * portName: "grpc", * }); * const defaultAuthzExtension = new gcp.networkservices.AuthzExtension("default", { * name: "my-authz-ext", * project: "my-project-name", * location: "us-west1", * description: "my description", * loadBalancingScheme: "INTERNAL_MANAGED", * authority: "ext11.com", * service: _default.selfLink, * timeout: "0.1s", * failOpen: false, * forwardHeaders: ["Authorization"], * }); * ``` * ### Network Services Authz Extension Basic With Auth Grpc * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.compute.RegionBackendService("default", { * name: "authz-service-grpc", * project: "my-project-name", * region: "us-west1", * protocol: "HTTP2", * loadBalancingScheme: "INTERNAL_MANAGED", * portName: "grpc", * }); * const defaultAuthzExtension = new gcp.networkservices.AuthzExtension("default", { * name: "my-authz-ext-with-grpc", * project: "my-project-name", * location: "us-west1", * description: "my description", * loadBalancingScheme: "INTERNAL_MANAGED", * wireFormat: "EXT_AUTHZ_GRPC", * authority: "ext11.com", * service: _default.selfLink, * timeout: "0.1s", * failOpen: false, * forwardHeaders: ["Authorization"], * }); * ``` * ### Network Services Authz Extension Iap * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.networkservices.AuthzExtension("default", { * name: "my-authz-ext", * location: "us-west1", * authority: "ext11.com", * service: "iap.googleapis.com", * timeout: "0.1s", * }); * ``` * * ## Import * * AuthzExtension can be imported using any of these accepted formats: * * * `projects/{{project}}/locations/{{location}}/authzExtensions/{{name}}` * * `{{project}}/{{location}}/{{name}}` * * `{{location}}/{{name}}` * * `{{name}}` * * When using the `pulumi import` command, AuthzExtension can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:networkservices/authzExtension:AuthzExtension default projects/{{project}}/locations/{{location}}/authzExtensions/{{name}} * $ pulumi import gcp:networkservices/authzExtension:AuthzExtension default {{project}}/{{location}}/{{name}} * $ pulumi import gcp:networkservices/authzExtension:AuthzExtension default {{location}}/{{name}} * $ pulumi import gcp:networkservices/authzExtension:AuthzExtension default {{name}} * ``` */ export declare class AuthzExtension extends pulumi.CustomResource { /** * Get an existing AuthzExtension resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: AuthzExtensionState, opts?: pulumi.CustomResourceOptions): AuthzExtension; /** * Returns true if the given object is an instance of AuthzExtension. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is AuthzExtension; /** * The :authority header in the gRPC request sent from Envoy to the extension service. */ readonly authority: pulumi.Output; /** * The timestamp when the resource was created. */ readonly createTime: pulumi.Output; /** * A human-readable description of the resource. */ readonly description: pulumi.Output; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ readonly effectiveLabels: pulumi.Output<{ [key: string]: string; }>; /** * Determines how the proxy behaves if the call to the extension fails or times out. * When set to TRUE, request or response processing continues without error. Any subsequent extensions in the extension chain are also executed. When set to FALSE or the default setting of FALSE is used, one of the following happens: * * If response headers have not been delivered to the downstream client, a generic 500 error is returned to the client. The error response can be tailored by configuring a custom error response in the load balancer. * * If response headers have been delivered, then the HTTP stream to the downstream client is reset. */ readonly failOpen: pulumi.Output; /** * List of the HTTP headers to forward to the extension (from the client). If omitted, all headers are sent. Each element is a string indicating the header name. */ readonly forwardHeaders: pulumi.Output; /** * Set of labels associated with the AuthzExtension resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ readonly labels: pulumi.Output<{ [key: string]: string; } | undefined>; /** * Required when the service points to a backend service. All backend services and forwarding rules referenced by * this extension must share the same load balancing scheme. For more information, refer to * [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service). * Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`. */ readonly loadBalancingScheme: pulumi.Output; /** * The location of the resource. */ readonly location: pulumi.Output; /** * The metadata provided here is included as part of the metadataContext (of type google.protobuf.Struct) in the ProcessingRequest message sent to the extension server. The metadata is available under the namespace com.google.authz_extension.. The following variables are supported in the metadata Struct: * {forwarding_rule_id} - substituted with the forwarding rule's fully qualified resource name. */ readonly metadata: pulumi.Output<{ [key: string]: string; } | undefined>; /** * Identifier. Name of the AuthzExtension resource. */ readonly name: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ readonly pulumiLabels: pulumi.Output<{ [key: string]: string; }>; /** * The service that runs the extension. * The following values and formats are accepted: * * `iap.googleapis.com` when the policyProfile is set to REQUEST_AUTHZ * * `modelarmor.{{region}}.rep.googleapis.com` when the policyProfile is set to CONTENT_AUTHZ * * A fully qualified domain name that can be resolved by the dataplane * * Backend service resource URI of the form `https://www.googleapis.com/compute/v1/projects/{{project}}/regions/{{region}}/backendServices/{{name}}` or `https://www.googleapis.com/compute/v1/projects/{{project}}/global/backendServices/{{name}}}}` */ readonly service: pulumi.Output; /** * Specifies the timeout for each individual message on the stream. The timeout must be between 10-10000 milliseconds. */ readonly timeout: pulumi.Output; /** * The timestamp when the resource was updated. */ readonly updateTime: pulumi.Output; /** * The format of communication supported by the callout extension. Applicable only when the policyProfile is REQUEST_AUTHZ. * This field is supported only for regional AuthzExtension resources. If not specified, the default value * EXT_PROC_GRPC is used. Global AuthzExtension resources use the EXT_PROC_GRPC wire format. * Supported values: * - WIRE_FORMAT_UNSPECIFIED: * No wire format is explicitly specified. The backend automatically * defaults this value to EXT_PROC_GRPC. * - EXT_PROC_GRPC: * Uses Envoy's External Processing (ext_proc) gRPC API over a single * gRPC stream. The backend service must support HTTP/2 or H2C. * All supported events for a client request are sent over the same * gRPC stream. This is the default wire format. * - EXT_AUTHZ_GRPC: * Uses Envoy's external authorization (ext_authz) gRPC API. * The backend service must support HTTP/2 or H2C. * This option is only supported for regional AuthzExtension resources. * Possible values are: `WIRE_FORMAT_UNSPECIFIED`, `EXT_PROC_GRPC`, `EXT_AUTHZ_GRPC`. */ readonly wireFormat: pulumi.Output; /** * Create a AuthzExtension resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: AuthzExtensionArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering AuthzExtension resources. */ export interface AuthzExtensionState { /** * The :authority header in the gRPC request sent from Envoy to the extension service. */ authority?: pulumi.Input; /** * The timestamp when the resource was created. */ createTime?: pulumi.Input; /** * A human-readable description of the resource. */ description?: pulumi.Input; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ effectiveLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Determines how the proxy behaves if the call to the extension fails or times out. * When set to TRUE, request or response processing continues without error. Any subsequent extensions in the extension chain are also executed. When set to FALSE or the default setting of FALSE is used, one of the following happens: * * If response headers have not been delivered to the downstream client, a generic 500 error is returned to the client. The error response can be tailored by configuring a custom error response in the load balancer. * * If response headers have been delivered, then the HTTP stream to the downstream client is reset. */ failOpen?: pulumi.Input; /** * List of the HTTP headers to forward to the extension (from the client). If omitted, all headers are sent. Each element is a string indicating the header name. */ forwardHeaders?: pulumi.Input[]>; /** * Set of labels associated with the AuthzExtension resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Required when the service points to a backend service. All backend services and forwarding rules referenced by * this extension must share the same load balancing scheme. For more information, refer to * [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service). * Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`. */ loadBalancingScheme?: pulumi.Input; /** * The location of the resource. */ location?: pulumi.Input; /** * The metadata provided here is included as part of the metadataContext (of type google.protobuf.Struct) in the ProcessingRequest message sent to the extension server. The metadata is available under the namespace com.google.authz_extension.. The following variables are supported in the metadata Struct: * {forwarding_rule_id} - substituted with the forwarding rule's fully qualified resource name. */ metadata?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Identifier. Name of the AuthzExtension resource. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ pulumiLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The service that runs the extension. * The following values and formats are accepted: * * `iap.googleapis.com` when the policyProfile is set to REQUEST_AUTHZ * * `modelarmor.{{region}}.rep.googleapis.com` when the policyProfile is set to CONTENT_AUTHZ * * A fully qualified domain name that can be resolved by the dataplane * * Backend service resource URI of the form `https://www.googleapis.com/compute/v1/projects/{{project}}/regions/{{region}}/backendServices/{{name}}` or `https://www.googleapis.com/compute/v1/projects/{{project}}/global/backendServices/{{name}}}}` */ service?: pulumi.Input; /** * Specifies the timeout for each individual message on the stream. The timeout must be between 10-10000 milliseconds. */ timeout?: pulumi.Input; /** * The timestamp when the resource was updated. */ updateTime?: pulumi.Input; /** * The format of communication supported by the callout extension. Applicable only when the policyProfile is REQUEST_AUTHZ. * This field is supported only for regional AuthzExtension resources. If not specified, the default value * EXT_PROC_GRPC is used. Global AuthzExtension resources use the EXT_PROC_GRPC wire format. * Supported values: * - WIRE_FORMAT_UNSPECIFIED: * No wire format is explicitly specified. The backend automatically * defaults this value to EXT_PROC_GRPC. * - EXT_PROC_GRPC: * Uses Envoy's External Processing (ext_proc) gRPC API over a single * gRPC stream. The backend service must support HTTP/2 or H2C. * All supported events for a client request are sent over the same * gRPC stream. This is the default wire format. * - EXT_AUTHZ_GRPC: * Uses Envoy's external authorization (ext_authz) gRPC API. * The backend service must support HTTP/2 or H2C. * This option is only supported for regional AuthzExtension resources. * Possible values are: `WIRE_FORMAT_UNSPECIFIED`, `EXT_PROC_GRPC`, `EXT_AUTHZ_GRPC`. */ wireFormat?: pulumi.Input; } /** * The set of arguments for constructing a AuthzExtension resource. */ export interface AuthzExtensionArgs { /** * The :authority header in the gRPC request sent from Envoy to the extension service. */ authority: pulumi.Input; /** * A human-readable description of the resource. */ description?: pulumi.Input; /** * Determines how the proxy behaves if the call to the extension fails or times out. * When set to TRUE, request or response processing continues without error. Any subsequent extensions in the extension chain are also executed. When set to FALSE or the default setting of FALSE is used, one of the following happens: * * If response headers have not been delivered to the downstream client, a generic 500 error is returned to the client. The error response can be tailored by configuring a custom error response in the load balancer. * * If response headers have been delivered, then the HTTP stream to the downstream client is reset. */ failOpen?: pulumi.Input; /** * List of the HTTP headers to forward to the extension (from the client). If omitted, all headers are sent. Each element is a string indicating the header name. */ forwardHeaders?: pulumi.Input[]>; /** * Set of labels associated with the AuthzExtension resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Required when the service points to a backend service. All backend services and forwarding rules referenced by * this extension must share the same load balancing scheme. For more information, refer to * [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service). * Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`. */ loadBalancingScheme?: pulumi.Input; /** * The location of the resource. */ location: pulumi.Input; /** * The metadata provided here is included as part of the metadataContext (of type google.protobuf.Struct) in the ProcessingRequest message sent to the extension server. The metadata is available under the namespace com.google.authz_extension.. The following variables are supported in the metadata Struct: * {forwarding_rule_id} - substituted with the forwarding rule's fully qualified resource name. */ metadata?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Identifier. Name of the AuthzExtension resource. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The service that runs the extension. * The following values and formats are accepted: * * `iap.googleapis.com` when the policyProfile is set to REQUEST_AUTHZ * * `modelarmor.{{region}}.rep.googleapis.com` when the policyProfile is set to CONTENT_AUTHZ * * A fully qualified domain name that can be resolved by the dataplane * * Backend service resource URI of the form `https://www.googleapis.com/compute/v1/projects/{{project}}/regions/{{region}}/backendServices/{{name}}` or `https://www.googleapis.com/compute/v1/projects/{{project}}/global/backendServices/{{name}}}}` */ service: pulumi.Input; /** * Specifies the timeout for each individual message on the stream. The timeout must be between 10-10000 milliseconds. */ timeout: pulumi.Input; /** * The format of communication supported by the callout extension. Applicable only when the policyProfile is REQUEST_AUTHZ. * This field is supported only for regional AuthzExtension resources. If not specified, the default value * EXT_PROC_GRPC is used. Global AuthzExtension resources use the EXT_PROC_GRPC wire format. * Supported values: * - WIRE_FORMAT_UNSPECIFIED: * No wire format is explicitly specified. The backend automatically * defaults this value to EXT_PROC_GRPC. * - EXT_PROC_GRPC: * Uses Envoy's External Processing (ext_proc) gRPC API over a single * gRPC stream. The backend service must support HTTP/2 or H2C. * All supported events for a client request are sent over the same * gRPC stream. This is the default wire format. * - EXT_AUTHZ_GRPC: * Uses Envoy's external authorization (ext_authz) gRPC API. * The backend service must support HTTP/2 or H2C. * This option is only supported for regional AuthzExtension resources. * Possible values are: `WIRE_FORMAT_UNSPECIFIED`, `EXT_PROC_GRPC`, `EXT_AUTHZ_GRPC`. */ wireFormat?: pulumi.Input; }