google::compute-security-policy¶

Creates a security policy.

Example¶

google::compute-security-policy security-policy-example
    name: "security-policy-example"
    description: "security-policy-example-desc"

    rule
        description: "security-policy-example-rule-desc"
        priority: 2
        action: 'allow'
        preview: true

        match
            versioned-expr: 'SRC_IPS_V1'
            config
                src-ip-ranges: ['*']
            end
        end
    end
end

Example full scope¶

google::compute-security-policy security-policy-example
   name: "security-policy-example"
   description: "security-policy-example-desc"

   adaptive-protection-config
       enabled: true
       rule-visibility: 'STANDARD'
   end

   rule
       description: "allow-rule-match-ip-example"
       priority: 2
       action: 'allow'
       preview: true

       match
           versioned-expr: 'SRC_IPS_V1'
           config
               src-ip-ranges: ['1.1.1.0/24']
           end
       end
   end

   rule
       description: "allow-rule-match-expression-example"
       priority: 3
       action: 'allow'

       match
           expression-config
               expression: "origin.asn == 1234"
           end
       end
   end

   rule
       description: "allow-rule-match-expression-with-headers-example"
       priority: 4
       action: 'allow'

       match
           expression-config
               expression: "origin.asn == 1234"
           end
       end

       header-action
           headers: {
               'X-Goog-Test' : 'test',
               'X-Goog-Test2' : 'test2'
           }
       end
   end

   rule
       description: "redirect-rule-google-captcha-example"
       priority: 5
       action: 'redirect'

       match
           expression-config
               expression: "origin.asn == 1234"
           end
       end

       redirect-config
           type: 'GOOGLE_RECAPTCHA'
       end
   end

   rule
       description: "redirect-rule-external-address-example"
       priority: 6
       action: 'redirect'

       match
           expression-config
               expression: "origin.asn == 1234"
           end
       end

       redirect-config
           type: 'EXTERNAL_302'
           target: 'https://www.google.com'
       end
   end

   rule
       description: "throttle-rule-example"
       priority: 7
       action: 'throttle'

       match
           versioned-expr: 'SRC_IPS_V1'
           config
               src-ip-ranges: ['1.1.1.0/24']
           end
       end

       rate-limit-config
           rate-limit-threshold
               count: 10
               interval-sec: 120
           end

           exceed-action: 'deny(403)'
       end
   end

   rule
       description: "rate-based-ban-rule-example"
       priority: 8
       action: 'rate_based_ban'

       match
           versioned-expr: 'SRC_IPS_V1'
           config
               src-ip-ranges: ['1.1.1.0/24']
           end
       end

       rate-limit-config
           rate-limit-threshold
               count: 10
               interval-sec: 60
           end

           ban-threshold
               count: 10
               interval-sec: 60
           end

           ban-duration-sec: 120

           exceed-action: 'deny(429)'
       end
   end

end

Attributes¶

Attribute	Description
name	The name of the security policy. Must be a string 1-63 characters long and the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. Valid values satisfy the regex: `[(?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}\|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))]`. (Required)
description	The description of the security policy.
rule list subresource	The rule of the security policy. description The description of the security policy rule. priority The priority of the security policy rule. (Required) action The action to take for this rule. Valid values are `allow`, `deny(403)`, `deny(404)`, `deny(502)`, `rate_based_ban`, `redirect` or `throttle`. (Required) preview The preview flag indicates that this rule is not enforced. Defaults to `false`. match subresource The match condition that incoming traffic is evaluated against for this rule. (Required) config subresource The configuration for the security policy rule matcher. Can only be set if `versioned-expr` is set. src-ip-ranges list The ip ranges for this security policy rule matcher configuration. (Required) versioned-expr The versioned expression of the security policy rule matcher. Currently only supported value is `SRC_IPS_V1`. Currently the only supported value is `SRC_IPS_V1`. Can only be set if `config` is set. expression-config subresource The configuration for the security policy rule matcher expression. Cannot be set if any of `config` or `versioned-expr` is set. expression The expression that is evaluated to determine if the request should be matched. (Required) location The optional location of the expression for error reporting, e.g. line number or column number. description An optional description of the expression. header-action subresource The header action to take for this rule. headers map The list of header names and values that will be added. (Required) redirect-config subresource The redirect configuration for this rule. target The target of the redirect. Only valid when the redirect type is `EXTERNAL_302`. type The type of the redirect. Valid values are `GOOGLE_RECAPTCHA` or `EXTERNAL_302`. (Required) rate-limit-config subresource The rate limit configuration for this rule. ban-threshold subresource The ban threshold config. Only valid when rule `action` is set to `rate_based_ban`. count The number of requests per interval_sec that triggers a ban. (Required) interval-sec The interval in seconds over which the count applies. (Required) ban-duration-sec The ban duration in seconds. Only valid when rule `action` is set to `rate_based_ban`. rate-limit-threshold subresource The rate limit threshold config. (Required) count The number of requests per interval_sec that triggers a ban. (Required) interval-sec The interval in seconds over which the count applies. (Required) conform-action The action to take when requests are under the threshold. Default is `allow`. Currently the only supported value is `allow`. (Required) exceed-action The action to take when requests are over the threshold. Valid values are `deny(403)`, `deny(404)`, `deny(429)`, `deny(502)` or `redirect`. (Required) enforce-on-key The key to enforce the rate limit on. Valid values are `ALL`, `IP`, `HTTP_HEADER`, `XFF_IP`, `HTTP_COOKIE`, `HTTP_PATH`, `SNI` or `REGION_CODE`. enforce-on-key-name The name of the key to enforce the rate limit on. Can only be set if `enforce-on-key` is set. exceed-redirect-config subresource The redirect config when requests exceed the threshold. Only valid when `exceed-action` is set to `redirect`. target The target of the redirect. Only valid when the redirect type is `EXTERNAL_302`. type The type of the redirect. Valid values are `GOOGLE_RECAPTCHA` or `EXTERNAL_302`. (Required)
fingerprint	The fingerprint for this security policy.
adaptive-protection-config subresource	Adaptive protection config for this security policy. enabled When set to `true`, enable adaptive protection. Defaults to `false`. (Required) rule-visibility The visibility of the rules. Valid values are `STANDARD` or `PREMIUM`.
advanced-options-config subresource	Advanced option config for this security policy. log-level The log level. Valid values are `NORMAL` or `VERBOSE`. (Required) json-parsing The JSON parsing. Defaults to `DISABLED`. Valid values are `STANDARD` or `DISABLED`.
security-policy-type	The type of the security policy. Valid values are `CLOUD_ARMOR`, `CLOUD_ARMOR_EDGE`, `CLOUD_ARMOR_INTERNAL_SERVICE` or `CLOUD_ARMOR_NETWORK`. (Required)

Outputs¶

Attribute	Description
self-link	The fully-qualified URL of the security policy.
default-rule subresource	The default rule for this security policy.