AuthorizationPolicy is a resource that specifies how a server should authorize incoming connections. This resource in itself does not change the configuration unless it's attached to a target https proxy or endpoint config selector resource.
To get more information about AuthorizationPolicy, see:
resource "google_network_security_authorization_policy" "default" {
provider = google-beta
name = "my-authorization-policy"
labels = {
foo = "bar"
}
description = "my description"
action = "ALLOW"
rules {
sources {
principals = ["namespace/*"]
ip_blocks = ["1.2.3.0/24"]
}
}
}
resource "google_network_security_authorization_policy" "default" {
provider = google-beta
name = "my-authorization-policy"
labels = {
foo = "bar"
}
description = "my description"
action = "ALLOW"
rules {
sources {
principals = ["namespace/*"]
ip_blocks = ["1.2.3.0/24"]
}
destinations {
hosts = ["mydomain.*"]
ports = [8080]
methods = ["GET"]
http_header_match {
header_name = ":method"
regex_match = "GET"
}
}
}
}
The following arguments are supported:
action
-
(Required)
The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
Possible values are: ALLOW
, DENY
.
name
-
(Required)
Name of the AuthorizationPolicy resource.
labels
-
(Optional)
Set of label tags associated with the AuthorizationPolicy resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field effective_labels
for all of the labels present on the resource.
description
-
(Optional)
A free-text description of the resource. Max length 1024 characters.
rules
-
(Optional)
List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken.
A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.
Structure is documented below.
location
-
(Optional)
The location of the authorization policy.
The default value is global
.
project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
sources
-
(Optional)
List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ipBlocks match.
If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
Structure is documented below.
destinations
-
(Optional)
List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers.
If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
Structure is documented below.
principals
-
(Optional)
List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*".
Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
ip_blocks
-
(Optional)
List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided.
The IP addresses of any load balancers or proxies should be considered untrusted.
The destinations
block supports:
hosts
-
(Required)
List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
ports
-
(Required)
List of destination ports to match. At least one port should match.
methods
-
(Required)
A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
http_header_match
-
(Optional)
Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match.
Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
Structure is documented below.
The http_header_match
block supports:
header_name
-
(Required)
The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
regex_match
-
(Required)
The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/locations/{{location}}/authorizationPolicies/{{name}}
create_time
-
Time the AuthorizationPolicy was created in UTC.
update_time
-
Time the AuthorizationPolicy was updated in UTC.
terraform_labels
-
The combination of labels configured directly on the resource
and default labels configured on the provider.
effective_labels
-
All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:
create
- Default is 30 minutes.update
- Default is 30 minutes.delete
- Default is 30 minutes.AuthorizationPolicy can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/authorizationPolicies/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
In Terraform v1.5.0 and later, use an import
block to import AuthorizationPolicy using one of the formats above. For example:
import {
id = "projects/{{project}}/locations/{{location}}/authorizationPolicies/{{name}}"
to = google_network_security_authorization_policy.default
}
When using the terraform import
command, AuthorizationPolicy can be imported using one of the formats above. For example:
$ terraform import google_network_security_authorization_policy.default projects/{{project}}/locations/{{location}}/authorizationPolicies/{{name}}
$ terraform import google_network_security_authorization_policy.default {{project}}/{{location}}/{{name}}
$ terraform import google_network_security_authorization_policy.default {{location}}/{{name}}
This resource supports User Project Overrides.