google::compute-security-policy

Creates a security policy.

Example

google::compute-security-policy security-policy-example
    name: "security-policy-example"
    description: "security-policy-example-desc"

    rule
        description: "security-policy-example-rule-desc"
        priority: 2
        action: 'allow'
        preview: true

        match
            versioned-expr: 'SRC_IPS_V1'
            config
                src-ip-ranges: ['*']
            end
        end
    end
end

Example full scope

google::compute-security-policy security-policy-example
    name: "security-policy-example"
    description: "security-policy-example-desc"

    adaptive-protection-config
        enabled: true
        rule-visibility: 'STANDARD'
    end

    rule
        description: "allow-rule-match-ip-example"
        priority: 2
        action: 'allow'
        preview: true

        match
            versioned-expr: 'SRC_IPS_V1'
            config
                src-ip-ranges: ['1.1.1.0/24']
            end
        end
    end

    rule
        description: "allow-rule-match-expression-example"
        priority: 3
        action: 'allow'

        match
            expression-config
                expression: "origin.asn == 1234"
            end
        end
    end

    rule
        description: "allow-rule-match-expression-with-headers-example"
        priority: 4
        action: 'allow'

        match
            expression-config
                expression: "origin.asn == 1234"
            end
        end

        header-action
            headers: {
                'X-Goog-Test' : 'test',
                'X-Goog-Test2' : 'test2'
            }
        end
    end

    rule
        description: "redirect-rule-google-captcha-example"
        priority: 5
        action: 'redirect'

        match
            expression-config
                expression: "origin.asn == 1234"
            end
        end

        redirect-config
            type: 'GOOGLE_RECAPTCHA'
        end
    end

    rule
        description: "redirect-rule-external-address-example"
        priority: 6
        action: 'redirect'

        match
            expression-config
                expression: "origin.asn == 1234"
            end
        end

        redirect-config
            type: 'EXTERNAL_302'
            target: 'https://www.google.com'
        end
    end

    rule
        description: "throttle-rule-example"
        priority: 7
        action: 'throttle'

        match
            versioned-expr: 'SRC_IPS_V1'
            config
                src-ip-ranges: ['1.1.1.0/24']
            end
        end

        rate-limit-config
            rate-limit-threshold
                count: 10
                interval-sec: 120
            end

            exceed-action: 'deny(403)'
        end
    end

    rule
        description: "rate-based-ban-rule-example"
        priority: 8
        action: 'rate_based_ban'

        match
            versioned-expr: 'SRC_IPS_V1'
            config
                src-ip-ranges: ['1.1.1.0/24']
            end
        end

        rate-limit-config
            rate-limit-threshold
                count: 10
                interval-sec: 60
            end

            ban-threshold
                count: 10
                interval-sec: 60
            end

            ban-duration-sec: 120

            exceed-action: 'deny(429)'
        end
    end
end

Attributes

Attribute Description
name The name of the security policy. Must be a string 1-63 characters long; the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. Valid values satisfy the regex: [(?:(?:[-a-z0-9]{1,63}\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))]. (Required)
description The description of the security policy.
rule list subresource

The rule of the security policy.

description
The description of the security policy rule.
priority
The priority of the security policy rule. (Required)
action
The action to take for this rule. Valid values are allow, deny(403), deny(404), deny(502), rate_based_ban, redirect or throttle. (Required)
preview
When set to true, this rule is not enforced. Defaults to false.
match subresource

The match condition that incoming traffic is evaluated against for this rule. (Required)

config subresource

The configuration for the security policy rule matcher. Can only be set if versioned-expr is set.

src-ip-ranges list
The IP ranges for this security policy rule matcher configuration. (Required)
versioned-expr
The versioned expression of the security policy rule matcher. Currently the only supported value is SRC_IPS_V1. Can only be set if config is set.
expression-config subresource

The configuration for the security policy rule matcher expression. Cannot be set if any of config or versioned-expr is set.

expression
The expression that is evaluated to determine if the request should be matched. (Required)
location
The optional location of the expression for error reporting, e.g. line number or column number.
description
An optional description of the expression.
header-action subresource

The header action to take for this rule.

headers map
The list of header names and values that will be added. (Required)
redirect-config subresource

The redirect configuration for this rule.

target
The target of the redirect. Only valid when the redirect type is EXTERNAL_302.
type
The type of the redirect. Valid values are GOOGLE_RECAPTCHA or EXTERNAL_302. (Required)
rate-limit-config subresource

The rate limit configuration for this rule.

ban-threshold subresource

The ban threshold config. Only valid when rule action is set to rate_based_ban.

count
The number of requests per interval-sec that triggers a ban. (Required)
interval-sec
The interval in seconds over which the count applies. (Required)
ban-duration-sec
The ban duration in seconds. Only valid when rule action is set to rate_based_ban.
rate-limit-threshold subresource

The rate limit threshold config. (Required)

count
The number of requests per interval-sec above which requests are over the threshold and the exceed action is taken. (Required)
interval-sec
The interval in seconds over which the count applies. (Required)
conform-action
The action to take when requests are under the threshold. Default is allow. Currently the only supported value is allow. (Required)
exceed-action
The action to take when requests are over the threshold. Valid values are deny(403), deny(404), deny(429), deny(502) or redirect. (Required)
enforce-on-key
The key to enforce the rate limit on. Valid values are ALL, IP, HTTP_HEADER, XFF_IP, HTTP_COOKIE, HTTP_PATH, SNI or REGION_CODE.
enforce-on-key-name
The name of the key to enforce the rate limit on. Can only be set if enforce-on-key is set.
exceed-redirect-config subresource

The redirect config when requests exceed the threshold. Only valid when exceed-action is set to redirect.

target
The target of the redirect. Only valid when the redirect type is EXTERNAL_302.
type
The type of the redirect. Valid values are GOOGLE_RECAPTCHA or EXTERNAL_302. (Required)
fingerprint The fingerprint for this security policy.
adaptive-protection-config subresource

Adaptive protection config for this security policy.

enabled
When set to true, enables adaptive protection. Defaults to false. (Required)
rule-visibility
The visibility of the rules. Valid values are STANDARD or PREMIUM.
advanced-options-config subresource

Advanced option config for this security policy.

log-level
The log level. Valid values are NORMAL or VERBOSE. (Required)
json-parsing
The JSON parsing mode. Defaults to DISABLED. Valid values are STANDARD or DISABLED.
security-policy-type The type of the security policy. Valid values are CLOUD_ARMOR, CLOUD_ARMOR_EDGE, CLOUD_ARMOR_INTERNAL_SERVICE or CLOUD_ARMOR_NETWORK. (Required)

Outputs

Attribute Description
self-link The fully-qualified URL of the security policy.
default-rule subresource The default rule for this security policy.
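As an added example (not code from the Gyro provider or from this page), the following Python linter applies the "only valid when" and "cannot be set if" constraints listed in the attribute descriptions above to a policy's rules, and adds one hygiene check for an enforced allow-all rule; representing rules as dicts keyed by the Gyro attribute names is an assumption made for this example.

```python
# Added example (not the Gyro provider's own code): lint security-policy rules against the
# constraints this page states. Rules are dicts keyed by Gyro attribute names (an assumption).
ACTIONS = {"allow", "deny(403)", "deny(404)", "deny(502)", "rate_based_ban", "redirect", "throttle"}

def lint_rule(rule):
    """Return the list of problems found in one rule (empty means clean)."""
    p, action, m = [], rule.get("action"), rule.get("match", {})
    if action not in ACTIONS:
        p.append(f"invalid action {action!r}")
    ver, cfg, expr = "versioned-expr" in m, "config" in m, "expression-config" in m
    if ver != cfg:
        p.append("versioned-expr and config must be set together")
    if expr and (ver or cfg):
        p.append("expression-config cannot be combined with versioned-expr/config")
    rc = rule.get("redirect-config", {})
    if rc.get("type") == "EXTERNAL_302" and not rc.get("target"):
        p.append("EXTERNAL_302 redirect needs a target")
    rl = rule.get("rate-limit-config", {})
    if action in ("throttle", "rate_based_ban") and not rl:
        p.append(f"{action} needs rate-limit-config")
    if rl.get("exceed-action") == "redirect" and "exceed-redirect-config" not in rl:
        p.append("exceed-action redirect needs exceed-redirect-config")
    if action != "rate_based_ban" and ("ban-threshold" in rl or "ban-duration-sec" in rl):
        p.append("ban-threshold/ban-duration-sec only valid for rate_based_ban")
    # Hygiene beyond the schema: an enforced allow-all rule short-circuits every lower rule.
    if (action == "allow" and not rule.get("preview")
            and "*" in m.get("config", {}).get("src-ip-ranges", [])):
        p.append("enforced allow rule matching src-ip-ranges ['*']")
    return p

def lint_policy(rules):
    """Lint every rule; returns {priority: problems} and flags duplicate priorities."""
    prios, report = [r["priority"] for r in rules], {}
    for r in rules:
        probs = lint_rule(r) + (["duplicate priority"] if prios.count(r["priority"]) > 1 else [])
        if probs:
            report.setdefault(r["priority"], []).extend(probs)
    return report

# Constructed sample input: the page's throttle rule (clean) plus two broken rules.
THROTTLE = {"priority": 7, "action": "throttle",
            "match": {"versioned-expr": "SRC_IPS_V1", "config": {"src-ip-ranges": ["1.1.1.0/24"]}},
            "rate-limit-config": {"rate-limit-threshold": {"count": 10, "interval-sec": 120},
                                  "exceed-action": "deny(403)"}}
BAD_REDIRECT = {"priority": 6, "action": "redirect",  # EXTERNAL_302 without a target
                "match": {"expression-config": {"expression": "origin.asn == 1234"}},
                "redirect-config": {"type": "EXTERNAL_302"}}
BAD_BAN = {**THROTTLE, "rate-limit-config": {**THROTTLE["rate-limit-config"],
           "ban-duration-sec": 120}}  # ban setting on a throttle rule, and priority 7 again
```

Calling `lint_policy([THROTTLE, BAD_REDIRECT, BAD_BAN])` reports the missing redirect target, the ban setting on a non-ban rule, and the duplicate priority 7.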