import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Represents a Region Cloud Armor Security Policy resource. * * To get more information about RegionSecurityPolicy, see: * * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/regionSecurityPolicies) * * How-to Guides * * [Official Documentation](https://cloud.google.com/armor/docs/security-policy-concepts) * * ## Example Usage * * ### Region Security Policy Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const region_sec_policy_basic = new gcp.compute.RegionSecurityPolicy("region-sec-policy-basic", { * name: "my-sec-policy-basic", * description: "basic region security policy", * type: "CLOUD_ARMOR", * }); * ``` * ### Region Security Policy With Ddos Protection Config * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const region_sec_policy_ddos_protection = new gcp.compute.RegionSecurityPolicy("region-sec-policy-ddos-protection", { * name: "my-sec-policy-ddos-protection", * description: "with ddos protection config", * type: "CLOUD_ARMOR_NETWORK", * ddosProtectionConfig: { * ddosProtection: "ADVANCED_PREVIEW", * }, * }); * ``` * ### Region Security Policy With User Defined Fields * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const region_sec_policy_user_defined_fields = new gcp.compute.RegionSecurityPolicy("region-sec-policy-user-defined-fields", { * name: "my-sec-policy-user-defined-fields", * description: "with user defined fields", * type: "CLOUD_ARMOR_NETWORK", * userDefinedFields: [ * { * name: "SIG1_AT_0", * base: "UDP", * offset: 8, * size: 2, * mask: "0x8F00", * }, * { * name: "SIG2_AT_8", * base: "UDP", * offset: 16, * size: 4, * mask: "0xFFFFFFFF", * }, * ], * }); * ``` * ### Region Security Policy With Rules * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const region_sec_policy_with_rules = new gcp.compute.RegionSecurityPolicy("region-sec-policy-with-rules", { * name: "my-sec-policy-with-rules", * description: "basic region security policy with multiple rules", * type: "CLOUD_ARMOR", * rules: [ * { * action: "deny", * priority: 1000, * match: { * expr: { * expression: "request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2", * }, * }, * }, * { * action: "deny", * priority: 2147483647, * match: { * versionedExpr: "SRC_IPS_V1", * config: { * srcIpRanges: ["*"], * }, * }, * description: "default rule", * }, * ], * }); * ``` * * ## Import * * RegionSecurityPolicy can be imported using any of these accepted formats: * * * `projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}` * * * `{{project}}/{{region}}/{{name}}` * * * `{{region}}/{{name}}` * * * `{{name}}` * * When using the `pulumi import` command, RegionSecurityPolicy can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/regionSecurityPolicy:RegionSecurityPolicy default projects/{{project}}/regions/{{region}}/securityPolicies/{{name}} * ``` * * ```sh * $ pulumi import gcp:compute/regionSecurityPolicy:RegionSecurityPolicy default {{project}}/{{region}}/{{name}} * ``` * * ```sh * $ pulumi import gcp:compute/regionSecurityPolicy:RegionSecurityPolicy default {{region}}/{{name}} * ``` * * ```sh * $ pulumi import gcp:compute/regionSecurityPolicy:RegionSecurityPolicy default {{name}} * ``` */ export declare class RegionSecurityPolicy extends pulumi.CustomResource { /** * Get an existing RegionSecurityPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: RegionSecurityPolicyState, opts?: pulumi.CustomResourceOptions): RegionSecurityPolicy; /** * Returns true if the given object is an instance of RegionSecurityPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is RegionSecurityPolicy; /** * Advanced Options Config of this security policy. * Structure is documented below. */ readonly advancedOptionsConfig: pulumi.Output; /** * Configuration for Google Cloud Armor DDOS Proctection Config. * Structure is documented below. */ readonly ddosProtectionConfig: pulumi.Output; /** * An optional description of this resource. Provide this property when you create the resource. */ readonly description: pulumi.Output; /** * Fingerprint of this resource. This field is used internally during * updates of this resource. */ readonly fingerprint: pulumi.Output; /** * Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. * Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. */ readonly name: pulumi.Output; /** * The unique identifier for the resource. This identifier is defined by the server. */ readonly policyId: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * The Region in which the created Region Security Policy should reside. * If it is not provided, the provider region is used. */ readonly region: pulumi.Output; /** * The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. * Structure is documented below. */ readonly rules: pulumi.Output; /** * Server-defined URL for the resource. */ readonly selfLink: pulumi.Output; /** * Server-defined URL for this resource with the resource id. */ readonly selfLinkWithPolicyId: pulumi.Output; /** * The type indicates the intended use of the security policy. * - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. * - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. * - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. * This field can be set only at resource creation time. * Possible values are: `CLOUD_ARMOR`, `CLOUD_ARMOR_EDGE`, `CLOUD_ARMOR_NETWORK`. */ readonly type: pulumi.Output; /** * Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. * A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. * Rules may then specify matching values for these fields. * Structure is documented below. */ readonly userDefinedFields: pulumi.Output; /** * Create a RegionSecurityPolicy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args?: RegionSecurityPolicyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering RegionSecurityPolicy resources. */ export interface RegionSecurityPolicyState { /** * Advanced Options Config of this security policy. * Structure is documented below. */ advancedOptionsConfig?: pulumi.Input; /** * Configuration for Google Cloud Armor DDOS Proctection Config. * Structure is documented below. */ ddosProtectionConfig?: pulumi.Input; /** * An optional description of this resource. Provide this property when you create the resource. */ description?: pulumi.Input; /** * Fingerprint of this resource. This field is used internally during * updates of this resource. */ fingerprint?: pulumi.Input; /** * Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. * Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. */ name?: pulumi.Input; /** * The unique identifier for the resource. This identifier is defined by the server. */ policyId?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The Region in which the created Region Security Policy should reside. * If it is not provided, the provider region is used. */ region?: pulumi.Input; /** * The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. * Structure is documented below. */ rules?: pulumi.Input[]>; /** * Server-defined URL for the resource. */ selfLink?: pulumi.Input; /** * Server-defined URL for this resource with the resource id. */ selfLinkWithPolicyId?: pulumi.Input; /** * The type indicates the intended use of the security policy. * - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. * - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. * - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. * This field can be set only at resource creation time. * Possible values are: `CLOUD_ARMOR`, `CLOUD_ARMOR_EDGE`, `CLOUD_ARMOR_NETWORK`. */ type?: pulumi.Input; /** * Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. * A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. * Rules may then specify matching values for these fields. * Structure is documented below. */ userDefinedFields?: pulumi.Input[]>; } /** * The set of arguments for constructing a RegionSecurityPolicy resource. */ export interface RegionSecurityPolicyArgs { /** * Advanced Options Config of this security policy. * Structure is documented below. */ advancedOptionsConfig?: pulumi.Input; /** * Configuration for Google Cloud Armor DDOS Proctection Config. * Structure is documented below. */ ddosProtectionConfig?: pulumi.Input; /** * An optional description of this resource. Provide this property when you create the resource. */ description?: pulumi.Input; /** * Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. * Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The Region in which the created Region Security Policy should reside. * If it is not provided, the provider region is used. */ region?: pulumi.Input; /** * The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. * Structure is documented below. */ rules?: pulumi.Input[]>; /** * The type indicates the intended use of the security policy. * - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. * - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. * - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. * This field can be set only at resource creation time. * Possible values are: `CLOUD_ARMOR`, `CLOUD_ARMOR_EDGE`, `CLOUD_ARMOR_NETWORK`. */ type?: pulumi.Input; /** * Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. * A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. * Rules may then specify matching values for these fields. * Structure is documented below. */ userDefinedFields?: pulumi.Input[]>; }