§Example Usage
§Region Security Policy Rule Basic
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
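/// Creates a regional Cloud Armor security policy (`CLOUD_ARMOR`, `us-west2`)
/// and attaches a single rule at priority 100 that matches source addresses in
/// `10.10.0.0/16` with action `allow`.
///
/// The rule is created with `preview(true)`. In Cloud Armor preview mode a
/// rule's match is logged but its action is not enforced, so this example does
/// not change traffic handling until preview is switched off.
#[pulumi_main]
fn test_main() -> Result<(), Error> {
    let default = region_security_policy::create(
        "default",
        RegionSecurityPolicyArgs::builder()
            .description("basic region security policy")
            .name("policyruletest")
            .region("us-west2")
            .type_("CLOUD_ARMOR")
            .build_struct(),
    );

    // NOTE(review): "${default.name}" is the YAML-style interpolation carried
    // over as a plain Rust string literal; presumably the rule should receive
    // the `name` output of `default` instead. Confirm against the crate's API
    // before copying this example.
    let policy_rule = region_security_policy_rule::create(
        "policyRule",
        RegionSecurityPolicyRuleArgs::builder()
            .action("allow")
            .description("new rule")
            .match_(
                RegionSecurityPolicyRuleMatch::builder()
                    .config(
                        RegionSecurityPolicyRuleMatchConfig::builder()
                            .srcIpRanges(vec!["10.10.0.0/16"])
                            .build_struct(),
                    )
                    .versionedExpr("SRC_IPS_V1")
                    .build_struct(),
            )
            // Preview: evaluate and log only; the allow is not enforced.
            .preview(true)
            .priority(100)
            .region("us-west2")
            .security_policy("${default.name}")
            .build_struct(),
    );

    // The signature promises a `Result`; the original listing fell off the end
    // of the function without producing one.
    Ok(())
}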
§Region Security Policy Rule Multiple Rules
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
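/// Creates a regional Cloud Armor security policy and attaches two `allow`
/// rules to it, at priorities 100 and 101.
///
/// Cloud Armor evaluates rules in ascending priority number, so rule one (100)
/// is considered before rule two (101). Rule two's `10.0.0.0/8` range contains
/// rule one's `10.10.0.0/16`, so for that narrower range rule one is the rule
/// that matches first.
///
/// Both rules are created with `preview(true)`: matches are logged but the
/// action is not enforced until preview is switched off.
#[pulumi_main]
fn test_main() -> Result<(), Error> {
    let default = region_security_policy::create(
        "default",
        RegionSecurityPolicyArgs::builder()
            .description("basic region security policy")
            .name("policywithmultiplerules")
            .region("us-west2")
            .type_("CLOUD_ARMOR")
            .build_struct(),
    );

    // NOTE(review): "${default.name}" below is the YAML-style interpolation
    // carried over as a plain Rust string literal; presumably each rule should
    // receive the `name` output of `default` instead. Confirm against the
    // crate's API before copying this example.
    let policy_rule_one = region_security_policy_rule::create(
        "policyRuleOne",
        RegionSecurityPolicyRuleArgs::builder()
            .action("allow")
            .description("new rule one")
            .match_(
                RegionSecurityPolicyRuleMatch::builder()
                    .config(
                        RegionSecurityPolicyRuleMatchConfig::builder()
                            .srcIpRanges(vec!["10.10.0.0/16"])
                            .build_struct(),
                    )
                    .versionedExpr("SRC_IPS_V1")
                    .build_struct(),
            )
            // Preview: evaluate and log only; the allow is not enforced.
            .preview(true)
            .priority(100)
            .region("us-west2")
            .security_policy("${default.name}")
            .build_struct(),
    );

    let policy_rule_two = region_security_policy_rule::create(
        "policyRuleTwo",
        RegionSecurityPolicyRuleArgs::builder()
            .action("allow")
            .description("new rule two")
            .match_(
                RegionSecurityPolicyRuleMatch::builder()
                    .config(
                        RegionSecurityPolicyRuleMatchConfig::builder()
                            // Broad private ranges; 10.0.0.0/8 overlaps rule one.
                            .srcIpRanges(vec!["192.168.0.0/16", "10.0.0.0/8"])
                            .build_struct(),
                    )
                    .versionedExpr("SRC_IPS_V1")
                    .build_struct(),
            )
            // Preview: evaluate and log only; the allow is not enforced.
            .preview(true)
            .priority(101)
            .region("us-west2")
            .security_policy("${default.name}")
            .build_struct(),
    );

    // The signature promises a `Result`; the original listing fell off the end
    // of the function without producing one.
    Ok(())
}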
§Region Security Policy Rule Default Rule
# Pulumi YAML: a regional Cloud Armor policy with an explicit default-deny rule
# and one allow rule for an internal range.
resources:
  default:
    type: gcp:compute:RegionSecurityPolicy
    properties:
      region: us-west2
      name: policywithdefaultrule
      description: basic region security policy
      type: CLOUD_ARMOR
  # Default rule: priority 2147483647 is the last slot to be evaluated, and
  # '*' matches every source address, so anything not matched by an earlier
  # rule is denied.
  defaultRule:
    type: gcp:compute:RegionSecurityPolicyRule
    name: default_rule
    properties:
      region: us-west2
      securityPolicy: ${default.name}
      description: new rule
      action: deny
      priority: '2147483647'
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
            - '*'
  # Allow rule for 10.10.0.0/16, evaluated before the default rule (100 is a
  # lower priority number than 2147483647).
  policyRule:
    type: gcp:compute:RegionSecurityPolicyRule
    name: policy_rule
    properties:
      region: us-west2
      securityPolicy: ${default.name}
      description: new rule
      priority: 100
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
            - 10.10.0.0/16
      action: allow
      # Preview mode logs the match without enforcing the action, so as written
      # this range should still fall through to the default deny until preview
      # is set to false.
      preview: true
§Region Security Policy Rule With Preconfigured Waf Config
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
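/// Creates a regional Cloud Armor security policy (`asia-southeast1`) and one
/// rule that carries a preconfigured-WAF exclusion list.
///
/// Two exclusions are configured:
/// * request URIs starting with `/admin` are excluded from the `rce-stable`
///   rule set;
/// * three query parameters (`CONTAINS "password"`, `STARTS_WITH "freeform"`,
///   `EQUALS "description"`) are excluded from two named rule IDs of the
///   `xss-stable` rule set.
///
/// Every exclusion narrows what the WAF inspects, so keep each one as tight as
/// the false positive it addresses; a whole-prefix exclusion on an
/// administrative path is broad and deserves a recorded justification.
///
/// The rule is created with `preview(true)`: matches are logged but the action
/// is not enforced until preview is switched off.
#[pulumi_main]
fn test_main() -> Result<(), Error> {
    let default = region_security_policy::create(
        "default",
        RegionSecurityPolicyArgs::builder()
            .description("basic region security policy")
            .name("policyruletest")
            .region("asia-southeast1")
            .type_("CLOUD_ARMOR")
            .build_struct(),
    );

    // NOTE(review): "${default.name}" below is the YAML-style interpolation
    // carried over as a plain Rust string literal; presumably the rule should
    // receive the `name` output of `default` instead. Confirm against the
    // crate's API before copying this example.
    //
    // NOTE(review): this rule matches on SRC_IPS_V1 only. The Cloud Armor API
    // describes the preconfigured WAF configuration as having no effect unless
    // the rule evaluates a preconfigured WAF rule set, so the exclusions here
    // look illustrative rather than active. TODO confirm.
    let policy_rule = region_security_policy_rule::create(
        "policyRule",
        RegionSecurityPolicyRuleArgs::builder()
            .action("allow")
            .description("new rule")
            .match_(
                RegionSecurityPolicyRuleMatch::builder()
                    .config(
                        RegionSecurityPolicyRuleMatchConfig::builder()
                            .srcIpRanges(vec!["10.10.0.0/16"])
                            .build_struct(),
                    )
                    .versionedExpr("SRC_IPS_V1")
                    .build_struct(),
            )
            .preconfigured_waf_config(
                RegionSecurityPolicyRulePreconfiguredWafConfig::builder()
                    .exclusions(vec![
                        // Exclusion 1: URIs under /admin, for the rce-stable rule set.
                        RegionSecurityPolicyRulePreconfiguredWafConfigExclusion::builder()
                            .requestUris(vec![
                                RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUri::builder()
                                    .operator("STARTS_WITH")
                                    .value("/admin")
                                    .build_struct(),
                            ])
                            .targetRuleSet("rce-stable")
                            .build_struct(),
                        // Exclusion 2: selected query parameters, limited to two
                        // rule IDs of the xss-stable rule set.
                        RegionSecurityPolicyRulePreconfiguredWafConfigExclusion::builder()
                            .requestQueryParams(vec![
                                RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam::builder()
                                    .operator("CONTAINS")
                                    .value("password")
                                    .build_struct(),
                                RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam::builder()
                                    .operator("STARTS_WITH")
                                    .value("freeform")
                                    .build_struct(),
                                RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParam::builder()
                                    .operator("EQUALS")
                                    .value("description")
                                    .build_struct(),
                            ])
                            .targetRuleIds(vec![
                                "owasp-crs-v030001-id941330-xss",
                                "owasp-crs-v030001-id941340-xss",
                            ])
                            .targetRuleSet("xss-stable")
                            .build_struct(),
                    ])
                    .build_struct(),
            )
            // Preview: evaluate and log only; the allow is not enforced.
            .preview(true)
            .priority(100)
            .region("asia-southeast1")
            .security_policy("${default.name}")
            .build_struct(),
    );

    // The signature promises a `Result`; the original listing fell off the end
    // of the function without producing one.
    Ok(())
}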
§Region Security Policy Rule With Network Match
# Pulumi YAML: a CLOUD_ARMOR_NETWORK policy whose rule matches on source range
# plus a user-defined packet field. Four resources are declared: a DDoS
# protection policy, the edge security service that links it, the policy that
# holds the custom rule, and the rule itself.
resources:
  # First activate advanced network DDoS protection for the desired region
  policyddosprotection:
    type: gcp:compute:RegionSecurityPolicy
    properties:
      region: us-west2
      name: policyddosprotection
      description: policy for activating network DDoS protection for the desired region
      type: CLOUD_ARMOR_NETWORK
      ddosProtectionConfig:
        ddosProtection: ADVANCED_PREVIEW
  # Links the DDoS protection policy above to the region by its selfLink.
  edgeSecService:
    type: gcp:compute:NetworkEdgeSecurityService
    name: edge_sec_service
    properties:
      region: us-west2
      name: edgesecservice
      description: linking policy to edge security service
      securityPolicy: ${policyddosprotection.selfLink}
  # Add the desired policy and custom rule.
  policynetworkmatch:
    type: gcp:compute:RegionSecurityPolicy
    properties:
      region: us-west2
      name: policyfornetworkmatch
      description: region security policy for network match
      type: CLOUD_ARMOR_NETWORK
      # Declares the field SIG1_AT_0 that the rule below refers to by name.
      # Presumably: 2 bytes at offset 8 from the start of the TCP header,
      # combined with mask 0x8F00 (confirm against the Cloud Armor reference).
      userDefinedFields:
        - name: SIG1_AT_0
          base: TCP
          offset: 8
          size: 2
          mask: 0x8F00
    options:
      # Explicit ordering: create this policy only after the edge security
      # service exists.
      dependsOn:
        - ${edgeSecService}
  policyRuleNetworkMatch:
    type: gcp:compute:RegionSecurityPolicyRule
    name: policy_rule_network_match
    properties:
      region: us-west2
      securityPolicy: ${policynetworkmatch.name}
      description: custom rule for network match
      priority: 100
      # Matches on the source range and on SIG1_AT_0 having the value 0x8F00.
      networkMatch:
        srcIpRanges:
          - 10.10.0.0/16
        userDefinedFields:
          - name: SIG1_AT_0
            values:
              - 0x8F00
      action: allow
      # Preview mode logs the match without enforcing the action; set to false
      # to enforce.
      preview: true
§Import
RegionSecurityPolicyRule can be imported using any of these accepted formats:
- `projects/{{project}}/regions/{{region}}/securityPolicies/{{security_policy}}/priority/{{priority}}`
- `{{project}}/{{region}}/{{security_policy}}/{{priority}}`
- `{{region}}/{{security_policy}}/{{priority}}`
- `{{security_policy}}/{{priority}}`
When using the `pulumi import` command, RegionSecurityPolicyRule can be imported using one of the formats above. For example:
$ pulumi import gcp:compute/regionSecurityPolicyRule:RegionSecurityPolicyRule default projects/{{project}}/regions/{{region}}/securityPolicies/{{security_policy}}/priority/{{priority}}
$ pulumi import gcp:compute/regionSecurityPolicyRule:RegionSecurityPolicyRule default {{project}}/{{region}}/{{security_policy}}/{{priority}}
$ pulumi import gcp:compute/regionSecurityPolicyRule:RegionSecurityPolicyRule default {{region}}/{{security_policy}}/{{priority}}
$ pulumi import gcp:compute/regionSecurityPolicyRule:RegionSecurityPolicyRule default {{security_policy}}/{{priority}}
Structs§
- Use builder syntax to set the inputs and finish with `build_struct()`.
Functions§
- Registers a new resource with the given unique name and arguments