SecurityPolicy

class SecurityPolicy : KotlinCustomResource

A Security Policy defines an IP blacklist or whitelist that protects load balanced Google Cloud services by denying or permitting traffic from specified IP ranges. For more information see the official documentation and the API. Security Policy is used by google_compute_backend_service.

Example Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.SecurityPolicy;
import com.pulumi.gcp.compute.SecurityPolicyArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a security policy with two rules: a deny(403) rule for the
     * 9.9.9.0/24 range at priority 1000, and the mandatory default rule
     * (priority 2147483647, source range "*") that allows everything else.
     *
     * @param ctx the Pulumi program context (not used directly here)
     */
    public static void stack(Context ctx) {
        var denyListedRange = ipRangeRule(
            "deny(403)", "Deny access to IPs in 9.9.9.0/24", "9.9.9.0/24", "1000");
        var defaultAllow = ipRangeRule(
            "allow", "default rule", "*", "2147483647");

        var policy = new SecurityPolicy("policy", SecurityPolicyArgs.builder()
            .rules(denyListedRange, defaultAllow)
            .build());
    }

    /**
     * Builds a single rule that matches requests by source IP range using the
     * SRC_IPS_V1 versioned expression.
     *
     * @param action      the rule action, e.g. "allow" or "deny(403)"
     * @param description human-readable description of the rule
     * @param srcIpRange  CIDR range (or "*") the rule applies to
     * @param priority    rule priority, passed as a string exactly as in the example
     * @return the assembled rule arguments
     */
    private static SecurityPolicyRuleArgs ipRangeRule(
            String action, String description, String srcIpRange, String priority) {
        var matchConfig = SecurityPolicyRuleMatchConfigArgs.builder()
            .srcIpRanges(srcIpRange)
            .build();
        var match = SecurityPolicyRuleMatchArgs.builder()
            .config(matchConfig)
            .versionedExpr("SRC_IPS_V1")
            .build();
        return SecurityPolicyRuleArgs.builder()
            .action(action)
            .description(description)
            .match(match)
            .priority(priority)
            .build();
    }
}

With ReCAPTCHA Configuration Options

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.recaptcha.EnterpriseKey;
import com.pulumi.gcp.recaptcha.EnterpriseKeyArgs;
import com.pulumi.gcp.recaptcha.inputs.EnterpriseKeyWebSettingsArgs;
import com.pulumi.gcp.compute.SecurityPolicy;
import com.pulumi.gcp.compute.SecurityPolicyArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRecaptchaOptionsConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a reCAPTCHA Enterprise key and a CLOUD_ARMOR security policy whose
     * redirect site key is wired to that key's {@code name} output.
     *
     * @param ctx the Pulumi program context (not used directly here)
     */
    public static void stack(Context ctx) {
        // NOTE(review): allowAllDomains(true) is set next to allowedDomains("localhost");
        // confirm the key is really meant to accept any domain.
        var webSettings = EnterpriseKeyWebSettingsArgs.builder()
            .integrationType("INVISIBLE")
            .allowAllDomains(true)
            .allowedDomains("localhost")
            .build();

        // "my-project-name" is the example's placeholder project id.
        var primary = new EnterpriseKey("primary", EnterpriseKeyArgs.builder()
            .displayName("display-name")
            .labels(Map.of("label-one", "value-one"))
            .project("my-project-name")
            .webSettings(webSettings)
            .build());

        var recaptchaOptions = SecurityPolicyRecaptchaOptionsConfigArgs.builder()
            .redirectSiteKey(primary.name())
            .build();

        var policy = new SecurityPolicy("policy", SecurityPolicyArgs.builder()
            .description("basic security policy")
            .type("CLOUD_ARMOR")
            .recaptchaOptionsConfig(recaptchaOptions)
            .build());
    }
}

With Header Actions

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.SecurityPolicy;
import com.pulumi.gcp.compute.SecurityPolicyArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleHeaderActionArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchConfigArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchExprArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
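public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a policy with the default allow rule (priority 2147483647,
     * source range "*") plus a priority-1000 allow rule that, for requests to
     * /login.html whose reCAPTCHA session score is below 0.2, adds two request
     * headers before the request is forwarded.
     *
     * <p>The listing as published referenced
     * {@code SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs} without
     * importing it; the import block now brings it into scope.
     *
     * @param ctx the Pulumi program context (not used directly here)
     */
    public static void stack(Context ctx) {
        var policy = new SecurityPolicy("policy", SecurityPolicyArgs.builder()
            .rules(defaultAllowRule(), lowScoreHeaderRule())
            .build());
    }

    /** The default rule: allow any source IP, at priority 2147483647. */
    private static SecurityPolicyRuleArgs defaultAllowRule() {
        var match = SecurityPolicyRuleMatchArgs.builder()
            .config(SecurityPolicyRuleMatchConfigArgs.builder()
                .srcIpRanges("*")
                .build())
            .versionedExpr("SRC_IPS_V1")
            .build();
        return SecurityPolicyRuleArgs.builder()
            .action("allow")
            .description("default rule")
            .match(match)
            .priority("2147483647")
            .build();
    }

    /**
     * Allow rule that tags low-score login requests with
     * {@code reCAPTCHA-Warning: high} and {@code X-Resource: test}.
     *
     * <p>NOTE(review): a backend that acts on these headers should only trust
     * them when the request can reach it through this load balancer; the
     * header action appears to add values rather than replace any the client
     * already sent — confirm how the backend handles client-supplied copies.
     */
    private static SecurityPolicyRuleArgs lowScoreHeaderRule() {
        var headerAction = SecurityPolicyRuleHeaderActionArgs.builder()
            .requestHeadersToAdds(
                requestHeader("reCAPTCHA-Warning", "high"),
                requestHeader("X-Resource", "test"))
            .build();
        var match = SecurityPolicyRuleMatchArgs.builder()
            .expr(SecurityPolicyRuleMatchExprArgs.builder()
                .expression("request.path.matches(\"/login.html\") && token.recaptcha_session.score < 0.2")
                .build())
            .build();
        return SecurityPolicyRuleArgs.builder()
            .action("allow")
            .headerAction(headerAction)
            .match(match)
            .priority("1000")
            .build();
    }

    /**
     * Builds one request header to add.
     *
     * @param name  header name
     * @param value header value
     * @return the header-to-add arguments
     */
    private static SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs requestHeader(
            String name, String value) {
        return SecurityPolicyRuleHeaderActionRequestHeadersToAddArgs.builder()
            .headerName(name)
            .headerValue(value)
            .build();
    }
}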

With EnforceOnKey Value As Empty String

A scenario example that won't cause any conflict between enforce_on_key and enforce_on_key_configs, because enforce_on_key was specified as an empty string:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.SecurityPolicy;
import com.pulumi.gcp.compute.SecurityPolicyArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleMatchConfigArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleRateLimitOptionsArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs;
import com.pulumi.gcp.compute.inputs.SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
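public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a policy whose single rule (the default rule, priority
     * 2147483647, source range "*") throttles traffic keyed by IP: conforming
     * requests are allowed, requests above 10 per 60 seconds are redirected
     * with an EXTERNAL_302.
     *
     * <p>The listing as published referenced
     * {@code SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs} without
     * importing it; the import block now brings it into scope.
     *
     * @param ctx the Pulumi program context (not used directly here)
     */
    public static void stack(Context ctx) {
        var policy = new SecurityPolicy("policy", SecurityPolicyArgs.builder()
            .description("throttle rule with enforce_on_key_configs")
            .rules(throttleRule())
            .build());
    }

    /** The throttle rule: matches every source IP and applies {@link #rateLimit()}. */
    private static SecurityPolicyRuleArgs throttleRule() {
        var match = SecurityPolicyRuleMatchArgs.builder()
            .config(SecurityPolicyRuleMatchConfigArgs.builder()
                .srcIpRanges("*")
                .build())
            .versionedExpr("SRC_IPS_V1")
            .build();
        return SecurityPolicyRuleArgs.builder()
            .action("throttle")
            .description("default rule")
            .match(match)
            .priority("2147483647")
            .rateLimitOptions(rateLimit())
            .build();
    }

    /**
     * Rate-limit options: 10 requests per 60 seconds per IP, redirect on excess.
     *
     * <p>{@code enforceOnKey} is deliberately the empty string so that it does
     * not conflict with {@code enforceOnKeyConfigs}, which carries the key type.
     */
    private static SecurityPolicyRuleRateLimitOptionsArgs rateLimit() {
        var keyConfig = SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs.builder()
            .enforceOnKeyType("IP")
            .build();
        // NOTE(review): the angle brackets around the target look like a
        // documentation artefact rather than part of the URL — confirm the
        // intended redirect target before deploying.
        var redirect = SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs.builder()
            .target("<https://www.example.com>")
            .type("EXTERNAL_302")
            .build();
        var threshold = SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs.builder()
            .count(10)
            .intervalSec(60)
            .build();
        return SecurityPolicyRuleRateLimitOptionsArgs.builder()
            .conformAction("allow")
            .enforceOnKey("")
            .enforceOnKeyConfigs(keyConfig)
            .exceedAction("redirect")
            .exceedRedirectOptions(redirect)
            .rateLimitThreshold(threshold)
            .build();
    }
}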

Properties

val description: Output<String>?

An optional description of this security policy. Max size is 2048.

val fingerprint: Output<String>

Fingerprint of this resource.

val id: Output<String>
val name: Output<String>

The name of the security policy.

val project: Output<String>

The project in which the resource belongs. If it is not provided, the provider project is used.

val pulumiChildResources: Set<KotlinResource>

The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

val selfLink: Output<String>

The URI of the created resource.

val type: Output<String>

The type indicates the intended use of the security policy. This field can be set only at resource creation time.

val urn: Output<String>