pulumi_wasm_providers_gcp_mini::compute

Module security_policy


A Security Policy (a Cloud Armor policy) defines an IP blacklist or whitelist that protects load-balanced Google Cloud services by denying or permitting traffic from specified IP ranges. Rules are evaluated in ascending order of their priority value (lowest number first) and the first match wins, so a broad allow placed at a low priority number shadows every deny behind it; each policy ends with a default rule at priority 2147483647 that matches any source (`*`). For more information see the official documentation and the API.

Security Policy is used by google_compute_backend_service.

§Example Usage

resources:
  policy:
    type: gcp:compute:SecurityPolicy
    properties:
      name: my-policy
      rules:
        - action: deny(403)
          priority: '1000'
          match:
            versionedExpr: SRC_IPS_V1
            config:
              srcIpRanges:
                - 9.9.9.0/24
          description: Deny access to IPs in 9.9.9.0/24
        - action: allow
          priority: '2147483647'
          match:
            versionedExpr: SRC_IPS_V1
            config:
              srcIpRanges:
                - '*'
          description: default rule
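To make the evaluation order concrete, the following is an added example (not code from the Pulumi provider or from Google) that replays the rule set above offline: rules are evaluated from the lowest priority number upward, the first matching rule decides, and a missing or shadowed default rule is flagged. The first-match semantics, the meaning of `*`, and the requirement for a default rule at priority 2147483647 are assumptions of this simulator, stated in the docstring; the rule data is constructed to mirror the YAML.

```python
"""Offline simulator of Cloud Armor rule ordering for SRC_IPS_V1 rules.

Added example, not code from the Pulumi provider or Google. Assumptions
made here: rules are evaluated in ascending numeric priority and the first
matching rule wins; "*" matches every source address; a policy must end
with a default rule at priority 2147483647 whose srcIpRanges is ["*"].
"""
import ipaddress

DEFAULT_RULE_PRIORITY = 2147483647

# Constructed rule set mirroring the YAML above; priorities are ints here
# because that is how the API compares them.
RULES = [
    {"action": "deny(403)", "priority": 1000, "srcIpRanges": ["9.9.9.0/24"],
     "description": "Deny access to IPs in 9.9.9.0/24"},
    {"action": "allow", "priority": DEFAULT_RULE_PRIORITY, "srcIpRanges": ["*"],
     "description": "default rule"},
]


def validate_rules(rules):
    """Return a list of problems with a rule set (empty means it is sane).

    Checks that priorities are unique, every CIDR parses, and a default
    rule exists at priority 2147483647 matching "*".
    """
    problems = []
    seen = set()
    for rule in rules:
        prio = rule["priority"]
        if prio in seen:
            problems.append(f"duplicate priority {prio}")
        seen.add(prio)
        for cidr in rule["srcIpRanges"]:
            if cidr == "*":
                continue
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"rule {prio}: bad CIDR {cidr!r}")
    default = [r for r in rules if r["priority"] == DEFAULT_RULE_PRIORITY]
    if not default or default[0]["srcIpRanges"] != ["*"]:
        problems.append("missing default rule (priority 2147483647, srcIpRanges ['*'])")
    return problems


def _matches(rule, src_ip):
    """True if src_ip falls in any of the rule's ranges ("*" matches all)."""
    ip = ipaddress.ip_address(src_ip)
    for cidr in rule["srcIpRanges"]:
        # An IPv6 address is never "in" an IPv4 network (and vice versa).
        if cidr == "*" or ip in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def evaluate(rules, src_ip):
    """Return (action, priority) of the first rule that matches src_ip."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, src_ip):
            return rule["action"], rule["priority"]
    raise LookupError(f"no rule matched {src_ip}: the policy has no default rule")


def shadowed_rules(rules):
    """Priorities of rules that can never fire because an earlier rule matches "*"."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    for i, rule in enumerate(ordered):
        if "*" in rule["srcIpRanges"]:
            return [r["priority"] for r in ordered[i + 1:]]
    return []


if __name__ == "__main__":
    assert validate_rules(RULES) == []
    for ip in ("9.9.9.10", "9.9.10.1", "2001:db8::1"):
        print(ip, "->", evaluate(RULES, ip))
```

Run it against the two rules above and `9.9.9.10` hits the `deny(403)` at priority 1000 while everything else falls through to the default allow; prepend an `allow` on `*` at priority 500 and `shadowed_rules` reports that both original rules are now dead, which is the mistake the priority ordering makes easy to commit.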

§With ReCAPTCHA Configuration Options

resources:
  primary:
    type: gcp:recaptcha:EnterpriseKey
    properties:
      displayName: display-name
      labels:
        label-one: value-one
      project: my-project-name
      webSettings:
        integrationType: INVISIBLE
        allowAllDomains: true
        allowedDomains:
          - localhost
  policy:
    type: gcp:compute:SecurityPolicy
    properties:
      name: my-policy
      description: basic security policy
      type: CLOUD_ARMOR
      recaptchaOptionsConfig:
        redirectSiteKey: ${primary.name}

§With Header Actions

resources:
  policy:
    type: gcp:compute:SecurityPolicy
    properties:
      name: my-policy
      rules:
        - action: allow
          priority: '2147483647'
          match:
            versionedExpr: SRC_IPS_V1
            config:
              srcIpRanges:
                - '*'
          description: default rule
        - action: allow
          priority: '1000'
          match:
            expr:
              expression: request.path.matches("/login.html") && token.recaptcha_session.score < 0.2
          headerAction:
            requestHeadersToAdds:
              - headerName: reCAPTCHA-Warning
                headerValue: high
              - headerName: X-Resource
                headerValue: test

§With EnforceOnKey Value As Empty String

An example that does not cause a conflict between enforce_on_key and enforce_on_key_configs: enforce_on_key is set to an empty string, so the key to enforce on comes only from enforce_on_key_configs. Setting a non-empty enforce_on_key alongside enforce_on_key_configs is a conflict.

resources:
  policy:
    type: gcp:compute:SecurityPolicy
    properties:
      name: my-policy
      description: throttle rule with enforce_on_key_configs
      rules:
        - action: throttle
          priority: '2147483647'
          match:
            versionedExpr: SRC_IPS_V1
            config:
              srcIpRanges:
                - '*'
          description: default rule
          rateLimitOptions:
            conformAction: allow
            exceedAction: redirect
            enforceOnKey: ""
            enforceOnKeyConfigs:
              - enforceOnKeyType: IP
            exceedRedirectOptions:
              type: EXTERNAL_302
              target: https://www.example.com
            rateLimitThreshold:
              count: 10
              intervalSec: 60
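The following is an added example (not code from the Pulumi provider or from Google) that turns the conflict described above into a pre-deployment lint over a rule's `rateLimitOptions`. It treats only a non-empty `enforceOnKey` next to `enforceOnKeyConfigs` as a conflict, and adds the related checks a reviewer would apply to the same block. The key-type list, the "HTTP_HEADER and HTTP_COOKIE need a name" rule, the redirect checks and the positive-integer threshold check are assumptions of this example, not verified API validation rules; the input data is constructed to mirror the YAML above.

```python
"""Lint for a Cloud Armor rule's rateLimitOptions.

Added example, not code from the Pulumi provider or Google. It encodes the
conflict described above (enforce_on_key vs. enforce_on_key_configs) plus a
few related checks. Assumptions made here: the two fields conflict only when
enforceOnKey is a non-empty string; HTTP_HEADER and HTTP_COOKIE key types need
an enforceOnKeyName; exceedAction "redirect" needs exceedRedirectOptions, and
an EXTERNAL_302 redirect needs an absolute https target. The set of key types
listed is a commonly used subset, not the full API enumeration.
"""
from urllib.parse import urlparse

KEY_TYPES = {"ALL", "IP", "XFF_IP", "HTTP_HEADER", "HTTP_COOKIE", "HTTP_PATH",
             "SNI", "REGION_CODE"}
NEEDS_NAME = {"HTTP_HEADER", "HTTP_COOKIE"}

# Constructed rateLimitOptions mirroring the YAML above.
GOOD = {
    "conformAction": "allow",
    "exceedAction": "redirect",
    "enforceOnKey": "",
    "enforceOnKeyConfigs": [{"enforceOnKeyType": "IP"}],
    "exceedRedirectOptions": {"type": "EXTERNAL_302", "target": "https://www.example.com"},
    "rateLimitThreshold": {"count": 10, "intervalSec": 60},
}


def lint_rate_limit_options(opts):
    """Return a list of problems; an empty list means the options are consistent."""
    problems = []
    key = opts.get("enforceOnKey") or ""
    configs = opts.get("enforceOnKeyConfigs") or []

    # The conflict the section above is about: a non-empty enforceOnKey next
    # to enforceOnKeyConfigs. An explicit "" (or omitting the field) is fine.
    if key and configs:
        problems.append('enforceOnKey and enforceOnKeyConfigs are both set; '
                        'use enforceOnKey: "" when using enforceOnKeyConfigs')
    if key and key not in KEY_TYPES:
        problems.append(f"unknown enforceOnKey {key!r}")
    if key in NEEDS_NAME and not opts.get("enforceOnKeyName"):
        problems.append(f"enforceOnKey {key} requires enforceOnKeyName")
    for i, cfg in enumerate(configs):
        ctype = cfg.get("enforceOnKeyType")
        if ctype not in KEY_TYPES:
            problems.append(f"enforceOnKeyConfigs[{i}]: unknown type {ctype!r}")
        elif ctype in NEEDS_NAME and not cfg.get("enforceOnKeyName"):
            problems.append(f"enforceOnKeyConfigs[{i}]: {ctype} requires enforceOnKeyName")

    # exceedAction / exceedRedirectOptions consistency.
    if opts.get("exceedAction") == "redirect":
        redirect = opts.get("exceedRedirectOptions") or {}
        if not redirect:
            problems.append("exceedAction redirect requires exceedRedirectOptions")
        elif redirect.get("type") == "EXTERNAL_302":
            target = urlparse(redirect.get("target") or "")
            if target.scheme != "https" or not target.netloc:
                problems.append("EXTERNAL_302 redirect needs an absolute https target")

    # Threshold sanity: both fields must be positive integers (bool excluded).
    thr = opts.get("rateLimitThreshold") or {}
    for field in ("count", "intervalSec"):
        value = thr.get(field)
        if not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            problems.append(f"rateLimitThreshold.{field} must be a positive integer")
    return problems


if __name__ == "__main__":
    print("as written:", lint_rate_limit_options(GOOD))
    conflicting = dict(GOOD, enforceOnKey="IP")
    print("with enforceOnKey IP:", lint_rate_limit_options(conflicting))
```

The options exactly as written above pass; changing `enforceOnKey: ""` to `enforceOnKey: IP` while keeping `enforceOnKeyConfigs` produces the single conflict finding, which is the case the section is warning about.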

§Import

Security policies can be imported using any of these accepted formats:

  • projects/{{project}}/global/securityPolicies/{{name}}

  • {{project}}/{{name}}

  • {{name}}

When using the pulumi import command, security policies can be imported using one of the formats above. For example:

$ pulumi import gcp:compute/securityPolicy:SecurityPolicy default projects/{{project}}/global/securityPolicies/{{name}}
$ pulumi import gcp:compute/securityPolicy:SecurityPolicy default {{project}}/{{name}}
$ pulumi import gcp:compute/securityPolicy:SecurityPolicy default {{name}}

Structs§

Functions§

  • Registers a new resource with the given unique name and arguments