SecurityPolicyRuleArgs

data class SecurityPolicyRuleArgs(val action: Output<String>? = null, val description: Output<String>? = null, val direction: Output<SecurityPolicyRuleDirection>? = null, val enableLogging: Output<Boolean>? = null, val headerAction: Output<SecurityPolicyRuleHttpHeaderActionArgs>? = null, val match: Output<SecurityPolicyRuleMatcherArgs>? = null, val networkMatch: Output<SecurityPolicyRuleNetworkMatcherArgs>? = null, val preconfiguredWafConfig: Output<SecurityPolicyRulePreconfiguredWafConfigArgs>? = null, val preview: Output<Boolean>? = null, val priority: Output<Int>? = null, val rateLimitOptions: Output<SecurityPolicyRuleRateLimitOptionsArgs>? = null, val redirectOptions: Output<SecurityPolicyRuleRedirectOptionsArgs>? = null, val ruleNumber: Output<String>? = null, val targetResources: Output<List<String>>? = null, val targetServiceAccounts: Output<List<String>>? = null) : ConvertibleToJava<SecurityPolicyRuleArgs>

Represents a rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (allow or deny).

Constructors

Link copied to clipboard
fun SecurityPolicyRuleArgs(action: Output<String>? = null, description: Output<String>? = null, direction: Output<SecurityPolicyRuleDirection>? = null, enableLogging: Output<Boolean>? = null, headerAction: Output<SecurityPolicyRuleHttpHeaderActionArgs>? = null, match: Output<SecurityPolicyRuleMatcherArgs>? = null, networkMatch: Output<SecurityPolicyRuleNetworkMatcherArgs>? = null, preconfiguredWafConfig: Output<SecurityPolicyRulePreconfiguredWafConfigArgs>? = null, preview: Output<Boolean>? = null, priority: Output<Int>? = null, rateLimitOptions: Output<SecurityPolicyRuleRateLimitOptionsArgs>? = null, redirectOptions: Output<SecurityPolicyRuleRedirectOptionsArgs>? = null, ruleNumber: Output<String>? = null, targetResources: Output<List<String>>? = null, targetServiceAccounts: Output<List<String>>? = null)

Functions

Link copied to clipboard
open override fun toJava(): SecurityPolicyRuleArgs

Properties

Link copied to clipboard
val action: Output<String>? = null

The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this.

Link copied to clipboard
val description: Output<String>? = null

An optional description of this resource. Provide this property when you create the resource.

Link copied to clipboard

The direction in which this rule applies. This field may only be specified when versioned_expr is set to FIREWALL.

Link copied to clipboard
val enableLogging: Output<Boolean>? = null

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. This field may only be specified when the versioned_expr is set to FIREWALL.

Link copied to clipboard

Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

Link copied to clipboard

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

Link copied to clipboard

A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.

Link copied to clipboard

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

Link copied to clipboard
val preview: Output<Boolean>? = null

If set to true, the specified action is not enforced.

Link copied to clipboard
val priority: Output<Int>? = null

An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.

Link copied to clipboard

Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.

Link copied to clipboard

Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

Link copied to clipboard
val ruleNumber: Output<String>? = null

Identifier for the rule. This is only unique within the given security policy. This can only be set during rule creation, if rule number is not specified it will be generated by the server.

Link copied to clipboard
val targetResources: Output<List<String>>? = null

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. This field may only be specified when versioned_expr is set to FIREWALL.

Link copied to clipboard
val targetServiceAccounts: Output<List<String>>? = null

A list of service accounts indicating the sets of instances that are applied with this rule.