Represents a Region Cloud Armor Security Policy resource.
To get more information about RegionSecurityPolicy, see:
```hcl
resource "google_compute_region_security_policy" "region-sec-policy-basic" {
  provider    = google-beta
  name        = "my-sec-policy-basic"
  description = "basic region security policy"
  type        = "CLOUD_ARMOR"
}
```

```hcl
resource "google_compute_region_security_policy" "region-sec-policy-ddos-protection" {
  provider    = google-beta
  name        = "my-sec-policy-ddos-protection"
  description = "with ddos protection config"
  type        = "CLOUD_ARMOR_NETWORK"
  ddos_protection_config {
    ddos_protection = "ADVANCED_PREVIEW"
  }
}
```

```hcl
resource "google_compute_region_security_policy" "region-sec-policy-user-defined-fields" {
  provider    = google-beta
  name        = "my-sec-policy-user-defined-fields"
  description = "with user defined fields"
  type        = "CLOUD_ARMOR_NETWORK"
  user_defined_fields {
    name   = "SIG1_AT_0"
    base   = "UDP"
    offset = 8
    size   = 2
    mask   = "0x8F00"
  }
  user_defined_fields {
    name   = "SIG2_AT_8"
    base   = "UDP"
    offset = 16
    size   = 4
    mask   = "0xFFFFFFFF"
  }
}
```
The following arguments are supported:

* `name` -
  (Required)
  Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035.
  Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

* `description` -
  (Optional)
  An optional description of this resource. Provide this property when you create the resource.

* `type` -
  (Optional)
  The type indicates the intended use of the security policy.
  Possible values are: `CLOUD_ARMOR`, `CLOUD_ARMOR_EDGE`, `CLOUD_ARMOR_NETWORK`.

* `ddos_protection_config` -
  (Optional)
  Configuration for Google Cloud Armor DDoS Protection Config.
  Structure is documented below.

* `user_defined_fields` -
  (Optional)
  Definitions of user-defined fields for `CLOUD_ARMOR_NETWORK` policies.
  A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits.
  Rules may then specify matching values for these fields.
  Structure is documented below.

* `region` -
  (Optional)
  The Region in which the created Region Security Policy should reside.
  If it is not provided, the provider region is used.

* `project` - (Optional) The ID of the project in which the resource belongs.
  If it is not provided, the provider project is used.
The `ddos_protection_config` block supports:

* `ddos_protection` -
  (Required)
  Google Cloud Armor offers the following options to help protect systems against DDoS attacks: `ADVANCED`, `ADVANCED_PREVIEW`, `STANDARD`.

The `user_defined_fields` block supports:

* `name` -
  (Optional)
  The name of this field. Must be unique within the policy.

* `base` -
  (Required)
  The base relative to which `offset` is measured. Possible values are: `IPV4`, `IPV6`, `TCP`, `UDP`.

* `offset` -
  (Optional)
  Offset of the first byte of the field (in network byte order) relative to `base`.

* `size` -
  (Optional)
  Size of the field in bytes. Valid values: 1-4.

* `mask` -
  (Optional)
  If specified, apply this mask (bitwise AND) to the field to ignore bits before matching.
  Encoded as a hexadecimal number (starting with "0x").
  The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
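The field semantics above (base, offset, size and a mask applied in network byte order), as an added example that is not the provider's or Cloud Armor's own code: a small Python model that extracts the `SIG1_AT_0` and `SIG2_AT_8` fields from a constructed IPv4/UDP packet, so a definition can be checked for exactly which bytes and bits it selects before a policy that matches on it is applied. It assumes the packet starts at the IP header and carries no IPv4 options or IPv6 extension headers; `header_offsets`, `extract_field` and `build_udp_packet` are names of this example only.

```python
# Added example, not Cloud Armor or provider code. Assumes packets start at the IP header
# and carry no IPv4 options / IPv6 extension headers.
import struct

def header_offsets(packet: bytes) -> dict:
    """Byte offset of each base (IPV4/IPV6/TCP/UDP) present in the packet."""
    version = packet[0] >> 4
    if version == 4:
        bases, l4, proto = {"IPV4": 0}, (packet[0] & 0x0F) * 4, packet[9]
    elif version == 6:
        bases, l4, proto = {"IPV6": 0}, 40, packet[6]
    else:
        raise ValueError("not an IPv4/IPv6 packet")
    if proto in (6, 17):
        bases["TCP" if proto == 6 else "UDP"] = l4
    return bases

def extract_field(packet: bytes, base: str, offset: int, size: int, mask: "str | None" = None):
    """Masked field value, or None when the base header or the bytes are absent
    (a rule that matches on such a field cannot match that packet)."""
    if not 1 <= size <= 4:
        raise ValueError("size must be 1-4")
    full = (1 << (8 * size)) - 1
    mask_value = int(mask, 16) if mask is not None else full  # mask is "0x..." hex
    if mask_value > full:
        raise ValueError("mask is wider than the field")
    bases = header_offsets(packet)
    if base not in bases:
        return None
    chunk = packet[bases[base] + offset : bases[base] + offset + size]
    if len(chunk) < size:
        return None
    # Network byte order: the field's last byte is its least significant byte, matching the mask's LSB.
    return int.from_bytes(chunk, "big") & mask_value

# The two field definitions from the CLOUD_ARMOR_NETWORK policy example above.
FIELDS = [
    {"name": "SIG1_AT_0", "base": "UDP", "offset": 8, "size": 2, "mask": "0x8F00"},
    {"name": "SIG2_AT_8", "base": "UDP", "offset": 16, "size": 4, "mask": "0xFFFFFFFF"},
]

def build_udp_packet(payload: bytes) -> bytes:
    """Constructed IPv4/UDP packet: 20-byte IP header, 8-byte UDP header, then payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip + udp + payload

# UDP offset 8 is the first payload byte: SIG1_AT_0 reads payload[0:2], SIG2_AT_8 payload[8:12].
SAMPLE = build_udp_packet(bytes.fromhex("abcd0000deadbeef01020304"))
```

With the sample payload, `SIG1_AT_0` yields `0x8B00` (`0xABCD & 0x8F00`) and `SIG2_AT_8` yields `0x01020304`; a field whose base header is absent or whose bytes run past the end of the packet yields `None` rather than a spurious value.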
In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}`

* `policy_id` -
  The unique identifier for the resource. This identifier is defined by the server.

* `fingerprint` -
  Fingerprint of this resource. This field is used internally during updates of this resource.

* `self_link` -
  Server-defined URL for the resource.

* `self_link_with_policy_id` -
  Server-defined URL for this resource with the resource id.
This resource provides the following Timeouts configuration options:

* `create` - Default is 20 minutes.
* `update` - Default is 20 minutes.
* `delete` - Default is 20 minutes.

RegionSecurityPolicy can be imported using any of these accepted formats:

* `projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}`
* `{{project}}/{{region}}/{{name}}`
* `{{region}}/{{name}}`
* `{{name}}`

In Terraform v1.5.0 and later, use an `import` block to import RegionSecurityPolicy using one of the formats above. For example:

```hcl
import {
  id = "projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}"
  to = google_compute_region_security_policy.default
}
```

When using the `terraform import` command, RegionSecurityPolicy can be imported using one of the formats above. For example:

```shell
$ terraform import google_compute_region_security_policy.default projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}
$ terraform import google_compute_region_security_policy.default {{project}}/{{region}}/{{name}}
$ terraform import google_compute_region_security_policy.default {{region}}/{{name}}
$ terraform import google_compute_region_security_policy.default {{name}}
```

This resource supports User Project Overrides.