A rule for the SecurityPolicy.
To get more information about SecurityPolicyRule, see:
```hcl
resource "google_compute_security_policy" "default" {
  name        = "policyruletest"
  description = "basic global security policy"
  type        = "CLOUD_ARMOR"
}

resource "google_compute_security_policy_rule" "policy_rule" {
  security_policy = google_compute_security_policy.default.name
  description     = "new rule"
  priority        = 100
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["10.10.0.0/16"]
    }
  }
  action  = "allow"
  preview = true
}
```
```hcl
resource "google_compute_security_policy" "default" {
  name        = "policyruletest"
  description = "basic global security policy"
  type        = "CLOUD_ARMOR"
}

# A default rule is generated when creating the security_policy resource; an import is needed to patch it
# import {
#   id = "projects//global/securityPolicies/policyruletest/priority/2147483647"
#   to = google_compute_security_policy_rule.default_rule
# }
resource "google_compute_security_policy_rule" "default_rule" {
  security_policy = google_compute_security_policy.default.name
  description     = "default rule"
  action          = "allow"
  priority        = 2147483647
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["*"]
    }
  }
}

resource "google_compute_security_policy_rule" "policy_rule" {
  security_policy = google_compute_security_policy.default.name
  description     = "new rule"
  priority        = 100
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["10.10.0.0/16"]
    }
  }
  action  = "allow"
  preview = true
}
```
```hcl
resource "google_compute_security_policy" "default" {
  name        = "policywithmultiplerules"
  description = "basic global security policy"
  type        = "CLOUD_ARMOR"
}

resource "google_compute_security_policy_rule" "policy_rule_one" {
  security_policy = google_compute_security_policy.default.name
  description     = "new rule one"
  priority        = 100
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["10.10.0.0/16"]
    }
  }
  action  = "allow"
  preview = true
}

resource "google_compute_security_policy_rule" "policy_rule_two" {
  security_policy = google_compute_security_policy.default.name
  description     = "new rule two"
  priority        = 101
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["192.168.0.0/16", "10.0.0.0/8"]
    }
  }
  action  = "allow"
  preview = true
}
```
The following arguments are supported:

* `priority` - (Required) An integer indicating the priority of a rule in the list.
  The priority must be a positive value between 0 and 2147483647.
  Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

* `action` - (Required) The action to perform when the rule is matched. The following are the valid actions:

* `security_policy` - (Required) The name of the security policy this rule belongs to.

* `description` - (Optional) An optional description of this resource. Provide this property when you create the resource.

* `match` - (Optional) A match condition that incoming traffic is evaluated against.
  If it evaluates to true, the corresponding `action` is enforced.
  Structure is documented below.

* `preconfigured_waf_config` - (Optional) Preconfigured WAF configuration to be applied for the rule.
  If the rule does not evaluate preconfigured WAF rules, i.e., if `evaluatePreconfiguredWaf()` is not used, this field has no effect.
  Structure is documented below.

* `preview` - (Optional) If set to true, the specified action is not enforced.

* `project` - (Optional) The ID of the project in which the resource belongs.
  If it is not provided, the provider project is used.
The `match` block supports:

* `versioned_expr` - (Optional) Preconfigured versioned expression. If this field is specified, `config` must also be specified.
  Available preconfigured expressions along with their requirements are: `SRC_IPS_V1` - must specify the corresponding `srcIpRange` field in `config`.
  Possible values are: `SRC_IPS_V1`.

* `expr` - (Optional) User-defined CEVAL expression. A CEVAL expression is used to specify match criteria such as `origin.ip`, `source.region_code` and contents in the request header.
  Structure is documented below.

* `config` - (Optional) The configuration options available when specifying `versionedExpr`.
  This field must be specified if `versionedExpr` is specified and cannot be specified if `versionedExpr` is not specified.
  Structure is documented below.
The `expr` block supports:

* `expression` - (Required) Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

The `config` block supports:

* `src_ip_ranges` - (Optional) CIDR IP address range. Maximum number of `srcIpRanges` allowed is 10.

The `preconfigured_waf_config` block supports:

* `exclusion` - (Optional) An exclusion to apply during preconfigured WAF evaluation.
  Structure is documented below.

The `exclusion` block supports:

* `request_header` - (Optional) Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
  Structure is documented below.

* `request_cookie` - (Optional) Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
  Structure is documented below.

* `request_uri` - (Optional) Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation.
  When specifying this field, the query or fragment part should be excluded.
  Structure is documented below.

* `request_query_param` - (Optional) Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation.
  Note that the parameter can be in the query string or in the POST body.
  Structure is documented below.

* `target_rule_set` - (Required) Target WAF rule set to apply the preconfigured WAF exclusion.

* `target_rule_ids` - (Optional) A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion.
  If omitted, it refers to all the rule IDs under the WAF rule set.
The `request_header` block supports:

* `operator` - (Required) You can specify an exact match or a partial match by using a field operator and a field value.
  Available options:
  * `EQUALS`: The operator matches if the field value equals the specified value.
  * `STARTS_WITH`: The operator matches if the field value starts with the specified value.
  * `ENDS_WITH`: The operator matches if the field value ends with the specified value.
  * `CONTAINS`: The operator matches if the field value contains the specified value.
  * `EQUALS_ANY`: The operator matches if the field value is any value.

* `value` - (Optional) A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
  The field value must be given if the field operator is not `EQUALS_ANY`, and cannot be given if the field operator is `EQUALS_ANY`.
The `request_cookie` block supports:

* `operator` - (Required) You can specify an exact match or a partial match by using a field operator and a field value.
  Available options:
  * `EQUALS`: The operator matches if the field value equals the specified value.
  * `STARTS_WITH`: The operator matches if the field value starts with the specified value.
  * `ENDS_WITH`: The operator matches if the field value ends with the specified value.
  * `CONTAINS`: The operator matches if the field value contains the specified value.
  * `EQUALS_ANY`: The operator matches if the field value is any value.

* `value` - (Optional) A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
  The field value must be given if the field operator is not `EQUALS_ANY`, and cannot be given if the field operator is `EQUALS_ANY`.
The `request_uri` block supports:

* `operator` - (Required) You can specify an exact match or a partial match by using a field operator and a field value.
  Available options:
  * `EQUALS`: The operator matches if the field value equals the specified value.
  * `STARTS_WITH`: The operator matches if the field value starts with the specified value.
  * `ENDS_WITH`: The operator matches if the field value ends with the specified value.
  * `CONTAINS`: The operator matches if the field value contains the specified value.
  * `EQUALS_ANY`: The operator matches if the field value is any value.

* `value` - (Optional) A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
  The field value must be given if the field operator is not `EQUALS_ANY`, and cannot be given if the field operator is `EQUALS_ANY`.
The `request_query_param` block supports:

* `operator` - (Required) You can specify an exact match or a partial match by using a field operator and a field value.
  Available options:
  * `EQUALS`: The operator matches if the field value equals the specified value.
  * `STARTS_WITH`: The operator matches if the field value starts with the specified value.
  * `ENDS_WITH`: The operator matches if the field value ends with the specified value.
  * `CONTAINS`: The operator matches if the field value contains the specified value.
  * `EQUALS_ANY`: The operator matches if the field value is any value.

* `value` - (Optional) A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
  The field value must be given if the field operator is not `EQUALS_ANY`, and cannot be given if the field operator is `EQUALS_ANY`.
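The configuration below is an added illustration, not part of the provider's documentation: it ties the WAF arguments above together in one rule whose `expr` calls `evaluatePreconfiguredWaf()` and whose `preconfigured_waf_config` exempts a single cookie from a single rule ID, rather than from the whole rule set. It assumes the `google_compute_security_policy.default` resource from the examples above; the rule set name, rule ID and action value are assumptions to check against the Cloud Armor preconfigured rules reference.

```hcl
# Added example (not from the provider docs): a scoped WAF exclusion.
# Assumes google_compute_security_policy.default from the examples above.
# Rule set and rule ID names are assumed; verify them against the
# Cloud Armor preconfigured rules reference before use.
resource "google_compute_security_policy_rule" "sqli_deny" {
  security_policy = google_compute_security_policy.default.name
  description     = "block SQLi; skip the session cookie for one noisy rule"
  priority        = 1000
  action          = "deny(403)"

  match {
    expr {
      # preconfigured_waf_config below only takes effect because this
      # expression calls evaluatePreconfiguredWaf().
      expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
    }
  }

  preconfigured_waf_config {
    exclusion {
      target_rule_set = "sqli-v33-stable"
      # Limit the exclusion to one rule ID. Omitting target_rule_ids
      # would exempt the cookie from every rule in the set.
      target_rule_ids = ["owasp-crs-v030301-id942110-sqli"]

      request_cookie {
        # value is required here because the operator is not EQUALS_ANY.
        operator = "EQUALS"
        value    = "session"
      }
      # request_header { operator = "EQUALS_ANY" } (no value allowed) would
      # exempt every request header from this rule; keep exclusions narrow.
    }
  }

  # Preview first: matches are logged, but the deny is not enforced
  # until preview is switched to false.
  preview = true
}
```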
In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/global/securityPolicies/{{security_policy}}/priority/{{priority}}`

This resource provides the following Timeouts configuration options:

* `create` - Default is 20 minutes.
* `update` - Default is 20 minutes.
* `delete` - Default is 20 minutes.

SecurityPolicyRule can be imported using any of these accepted formats:

* `projects/{{project}}/global/securityPolicies/{{security_policy}}/priority/{{priority}}`
* `{{project}}/{{security_policy}}/{{priority}}`
* `{{security_policy}}/{{priority}}`

In Terraform v1.5.0 and later, use an `import` block to import SecurityPolicyRule using one of the formats above. For example:

```hcl
import {
  id = "projects/{{project}}/global/securityPolicies/{{security_policy}}/priority/{{priority}}"
  to = google_compute_security_policy_rule.default
}
```

When using the `terraform import` command, SecurityPolicyRule can be imported using one of the formats above. For example:

```console
$ terraform import google_compute_security_policy_rule.default projects/{{project}}/global/securityPolicies/{{security_policy}}/priority/{{priority}}
$ terraform import google_compute_security_policy_rule.default {{project}}/{{security_policy}}/{{priority}}
$ terraform import google_compute_security_policy_rule.default {{security_policy}}/{{priority}}
```

This resource supports User Project Overrides.