import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
// NOTE(review): the generic arguments on `pulumi.Input`/`pulumi.Output` below (and the element type of
// `rules`, which reads `pulumi.Input[]>` here) appear to have been lost when this declaration file was
// extracted; `inputs`/`outputs` are imported but never referenced, which is consistent with that.
// Confirm member types against the published @pulumi/gcp typings before relying on them.
/**
 * A Security Policy defines an IP blacklist or whitelist that protects load balanced Google Cloud services by denying or permitting traffic from specified IP ranges. For more information
 * see the [official documentation](https://cloud.google.com/armor/docs/configure-security-policies)
 * and the [API](https://cloud.google.com/compute/docs/reference/rest/beta/securityPolicies).
 *
 * Security Policy is used by google_compute_backend_service.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.SecurityPolicy("policy", {
 *     name: "my-policy",
 *     rules: [
 *         {
 *             action: "deny(403)",
 *             priority: 1000,
 *             match: {
 *                 versionedExpr: "SRC_IPS_V1",
 *                 config: {
 *                     srcIpRanges: ["9.9.9.0/24"],
 *                 },
 *             },
 *             description: "Deny access to IPs in 9.9.9.0/24",
 *         },
 *         {
 *             action: "allow",
 *             priority: 2147483647,
 *             match: {
 *                 versionedExpr: "SRC_IPS_V1",
 *                 config: {
 *                     srcIpRanges: ["*"],
 *                 },
 *             },
 *             description: "default rule",
 *         },
 *     ],
 * });
 * ```
 *
 * ### With ReCAPTCHA Configuration Options
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const primary = new gcp.recaptcha.EnterpriseKey("primary", {
 *     displayName: "display-name",
 *     labels: {
 *         "label-one": "value-one",
 *     },
 *     project: "my-project-name",
 *     webSettings: {
 *         integrationType: "INVISIBLE",
 *         allowAllDomains: true,
 *         allowedDomains: ["localhost"],
 *     },
 * });
 * const policy = new gcp.compute.SecurityPolicy("policy", {
 *     name: "my-policy",
 *     description: "basic security policy",
 *     type: "CLOUD_ARMOR",
 *     recaptchaOptionsConfig: {
 *         redirectSiteKey: primary.name,
 *     },
 * });
 * ```
 *
 * ### With Header Actions
 *
 * Note that the priority-1000 rule below uses `action: "allow"`: requests to `/login.html` with a low
 * reCAPTCHA session score are still admitted and merely tagged with the `reCAPTCHA-Warning` header, so
 * the backend must inspect that header if it is expected to act on the score.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.SecurityPolicy("policy", {
 *     name: "my-policy",
 *     rules: [
 *         {
 *             action: "allow",
 *             priority: 2147483647,
 *             match: {
 *                 versionedExpr: "SRC_IPS_V1",
 *                 config: {
 *                     srcIpRanges: ["*"],
 *                 },
 *             },
 *             description: "default rule",
 *         },
 *         {
 *             action: "allow",
 *             priority: 1000,
 *             match: {
 *                 expr: {
 *                     expression: "request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2",
 *                 },
 *             },
 *             headerAction: {
 *                 requestHeadersToAdds: [
 *                     {
 *                         headerName: "reCAPTCHA-Warning",
 *                         headerValue: "high",
 *                     },
 *                     {
 *                         headerName: "X-Resource",
 *                         headerValue: "test",
 *                     },
 *                 ],
 *             },
 *         },
 *     ],
 * });
 * ```
 *
 * ### With EnforceOnKey Value As Empty String
 * A scenario example that won't cause any conflict between `enforceOnKey` and `enforceOnKeyConfigs`, because `enforceOnKey` was specified as an empty string:
 * (The `name: "%s"` below looks like a placeholder carried over from a test template; substitute a real policy name.)
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const policy = new gcp.compute.SecurityPolicy("policy", {
 *     name: "%s",
 *     description: "throttle rule with enforce_on_key_configs",
 *     rules: [{
 *         action: "throttle",
 *         priority: 2147483647,
 *         match: {
 *             versionedExpr: "SRC_IPS_V1",
 *             config: {
 *                 srcIpRanges: ["*"],
 *             },
 *         },
 *         description: "default rule",
 *         rateLimitOptions: {
 *             conformAction: "allow",
 *             exceedAction: "redirect",
 *             enforceOnKey: "",
 *             enforceOnKeyConfigs: [{
 *                 enforceOnKeyType: "IP",
 *             }],
 *             exceedRedirectOptions: {
 *                 type: "EXTERNAL_302",
 *                 target: "",
 *             },
 *             rateLimitThreshold: {
 *                 count: 10,
 *                 intervalSec: 60,
 *             },
 *         },
 *     }],
 * });
 * ```
 *
 * ## Import
 *
 * Security policies can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/global/securityPolicies/{{name}}`
 *
 * * `{{project}}/{{name}}`
 *
 * * `{{name}}`
 *
 * When using the `pulumi import` command, security policies can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:compute/securityPolicy:SecurityPolicy default projects/{{project}}/global/securityPolicies/{{name}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:compute/securityPolicy:SecurityPolicy default {{project}}/{{name}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:compute/securityPolicy:SecurityPolicy default {{name}}
 * ```
 */
export declare class SecurityPolicy extends pulumi.CustomResource {
    /**
     * Get an existing SecurityPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input, state?: SecurityPolicyState, opts?: pulumi.CustomResourceOptions): SecurityPolicy;
    /**
     * Returns true if the given object is an instance of SecurityPolicy. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is SecurityPolicy;
    /**
     * Configuration for [Google Cloud Armor Adaptive Protection](https://cloud.google.com/armor/docs/adaptive-protection-overview?hl=en). Structure is documented below.
     */
    readonly adaptiveProtectionConfig: pulumi.Output;
    /**
     * [Advanced Configuration Options](https://cloud.google.com/armor/docs/security-policy-overview#json-parsing).
     * Structure is documented below.
     */
    readonly advancedOptionsConfig: pulumi.Output;
    /**
     * An optional description of this security policy. Max size is 2048.
     */
    readonly description: pulumi.Output;
    /**
     * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    readonly effectiveLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Fingerprint of this resource.
     */
    readonly fingerprint: pulumi.Output;
    /**
     * The unique fingerprint of the labels.
     */
    readonly labelFingerprint: pulumi.Output;
    /**
     * Labels to apply to this security policy. A list of key->value pairs.
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    readonly labels: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The name of the security policy.
     *
     * - - -
     */
    readonly name: pulumi.Output;
    /**
     * The project in which the resource belongs. If it
     * is not provided, the provider project is used.
     */
    readonly project: pulumi.Output;
    /**
     * The combination of labels configured directly on the resource and default labels configured on the provider.
     */
    readonly pulumiLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * [reCAPTCHA Configuration Options](https://cloud.google.com/armor/docs/configure-security-policies?hl=en#use_a_manual_challenge_to_distinguish_between_human_or_automated_clients). Structure is documented below.
     */
    readonly recaptchaOptionsConfig: pulumi.Output;
    /**
     * The set of rules that belong to this policy. There must always be a default
     * rule (rule with priority 2147483647 and match "\*"). If no rules are provided when creating a
     * security policy, a default rule with action "allow" will be added. Structure is documented below.
     *
     * Note that the implicit default rule is permissive: a policy created without any rules admits all
     * traffic. To express a default-deny policy, declare the priority-2147483647 catch-all rule yourself
     * with a deny action and place the allow rules at lower priority values above it.
     */
    readonly rules: pulumi.Output;
    /**
     * The URI of the created resource.
     */
    readonly selfLink: pulumi.Output;
    /**
     * The type indicates the intended use of the security policy. This field can be set only at resource creation time.
     * * `CLOUD_ARMOR` - Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services.
     * They filter requests before they hit the origin servers.
     * * `CLOUD_ARMOR_EDGE` - Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services
     * (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage).
     * They filter requests before the request is served from Google's cache.
     * * `CLOUD_ARMOR_INTERNAL_SERVICE` - Cloud Armor internal service policies can be configured to filter HTTP requests targeting services
     * managed by Traffic Director in a service mesh. They filter requests before the request is served from the application.
     */
    readonly type: pulumi.Output;
    /**
     * Create a SecurityPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args?: SecurityPolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering SecurityPolicy resources.
 */
export interface SecurityPolicyState {
    /**
     * Configuration for [Google Cloud Armor Adaptive Protection](https://cloud.google.com/armor/docs/adaptive-protection-overview?hl=en). Structure is documented below.
     */
    adaptiveProtectionConfig?: pulumi.Input;
    /**
     * [Advanced Configuration Options](https://cloud.google.com/armor/docs/security-policy-overview#json-parsing).
     * Structure is documented below.
     */
    advancedOptionsConfig?: pulumi.Input;
    /**
     * An optional description of this security policy. Max size is 2048.
     */
    description?: pulumi.Input;
    /**
     * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    effectiveLabels?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
    /**
     * Fingerprint of this resource.
     */
    fingerprint?: pulumi.Input;
    /**
     * The unique fingerprint of the labels.
     */
    labelFingerprint?: pulumi.Input;
    /**
     * Labels to apply to this security policy. A list of key->value pairs.
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
    /**
     * The name of the security policy.
     *
     * - - -
     */
    name?: pulumi.Input;
    /**
     * The project in which the resource belongs. If it
     * is not provided, the provider project is used.
     */
    project?: pulumi.Input;
    /**
     * The combination of labels configured directly on the resource and default labels configured on the provider.
     */
    pulumiLabels?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
    /**
     * [reCAPTCHA Configuration Options](https://cloud.google.com/armor/docs/configure-security-policies?hl=en#use_a_manual_challenge_to_distinguish_between_human_or_automated_clients). Structure is documented below.
     */
    recaptchaOptionsConfig?: pulumi.Input;
    /**
     * The set of rules that belong to this policy. There must always be a default
     * rule (rule with priority 2147483647 and match "\*"). If no rules are provided when creating a
     * security policy, a default rule with action "allow" will be added. Structure is documented below.
     */
    rules?: pulumi.Input[]>;
    /**
     * The URI of the created resource.
     */
    selfLink?: pulumi.Input;
    /**
     * The type indicates the intended use of the security policy. This field can be set only at resource creation time.
     * * `CLOUD_ARMOR` - Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services.
     * They filter requests before they hit the origin servers.
     * * `CLOUD_ARMOR_EDGE` - Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services
     * (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage).
     * They filter requests before the request is served from Google's cache.
     * * `CLOUD_ARMOR_INTERNAL_SERVICE` - Cloud Armor internal service policies can be configured to filter HTTP requests targeting services
     * managed by Traffic Director in a service mesh. They filter requests before the request is served from the application.
     */
    type?: pulumi.Input;
}
/**
 * The set of arguments for constructing a SecurityPolicy resource.
 */
export interface SecurityPolicyArgs {
    /**
     * Configuration for [Google Cloud Armor Adaptive Protection](https://cloud.google.com/armor/docs/adaptive-protection-overview?hl=en). Structure is documented below.
     */
    adaptiveProtectionConfig?: pulumi.Input;
    /**
     * [Advanced Configuration Options](https://cloud.google.com/armor/docs/security-policy-overview#json-parsing).
     * Structure is documented below.
     */
    advancedOptionsConfig?: pulumi.Input;
    /**
     * An optional description of this security policy. Max size is 2048.
     */
    description?: pulumi.Input;
    /**
     * Labels to apply to this security policy. A list of key->value pairs.
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
    /**
     * The name of the security policy.
     *
     * - - -
     */
    name?: pulumi.Input;
    /**
     * The project in which the resource belongs. If it
     * is not provided, the provider project is used.
     */
    project?: pulumi.Input;
    /**
     * [reCAPTCHA Configuration Options](https://cloud.google.com/armor/docs/configure-security-policies?hl=en#use_a_manual_challenge_to_distinguish_between_human_or_automated_clients). Structure is documented below.
     */
    recaptchaOptionsConfig?: pulumi.Input;
    /**
     * The set of rules that belong to this policy. There must always be a default
     * rule (rule with priority 2147483647 and match "\*"). If no rules are provided when creating a
     * security policy, a default rule with action "allow" will be added. Structure is documented below.
     *
     * Note that the implicit default rule is permissive: omitting `rules` yields a policy that admits all
     * traffic. To express a default-deny policy, declare the priority-2147483647 catch-all rule yourself
     * with a deny action and place the allow rules at lower priority values above it.
     */
    rules?: pulumi.Input[]>;
    /**
     * The type indicates the intended use of the security policy. This field can be set only at resource creation time.
     * * `CLOUD_ARMOR` - Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services.
     * They filter requests before they hit the origin servers.
     * * `CLOUD_ARMOR_EDGE` - Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services
     * (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage).
     * They filter requests before the request is served from Google's cache.
     * * `CLOUD_ARMOR_INTERNAL_SERVICE` - Cloud Armor internal service policies can be configured to filter HTTP requests targeting services
     * managed by Traffic Director in a service mesh. They filter requests before the request is served from the application.
     */
    type?: pulumi.Input;
}