google_compute_region_security_policy_rule

A rule for the RegionSecurityPolicy.

To get more information about RegionSecurityPolicyRule, see:

Example Usage - Region Security Policy Rule Basic

resource "google_compute_region_security_policy" "default" {
  provider    = google-beta

  region      = "us-west2"
  name        = "policyruletest"
  description = "basic region security policy"
  type        = "CLOUD_ARMOR"
}

resource "google_compute_region_security_policy_rule" "policy_rule" {
  provider = google-beta

  region          = "us-west2"
  security_policy = google_compute_region_security_policy.default.name
  description     = "new rule"
  priority        = 100
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["10.10.0.0/16"]
    }
  }
  action          = "allow"
  preview         = true
}

Example Usage - Region Security Policy Rule Multiple Rules

resource "google_compute_region_security_policy" "default" {
  provider    = google-beta

  region      = "us-west2"
  name        = "policywithmultiplerules"
  description = "basic region security policy"
  type        = "CLOUD_ARMOR"
}

resource "google_compute_region_security_policy_rule" "policy_rule_one" {
  provider = google-beta

  region          = "us-west2"
  security_policy = google_compute_region_security_policy.default.name
  description     = "new rule one"
  priority        = 100
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["10.10.0.0/16"]
    }
  }
  action          = "allow"
  preview         = true
}

resource "google_compute_region_security_policy_rule" "policy_rule_two" {
  provider = google-beta

  region          = "us-west2"
  security_policy = google_compute_region_security_policy.default.name
  description     = "new rule two"
  priority        = 101
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["192.168.0.0/16", "10.0.0.0/8"]
    }
  }
  action          = "allow"
  preview         = true
}
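Both examples above use preview = true, so the rules are evaluated and logged but never enforced. The following is an added example, not taken from the provider documentation, showing an enforced allow-list policy built from the same resources: trusted ranges are allowed at a low priority number, a new deny rule is staged in preview, and an explicit catch-all deny is placed just ahead of the policy's default rule. Rules are evaluated from the lowest priority number upward and the first matching rule wins. The policy name, the IP ranges, and the `deny(403)` action (a standard Cloud Armor action not used in the examples above) are assumptions for illustration.

```hcl
# Added example (not from the provider documentation): an enforced
# allow-list policy. Lower priority numbers are evaluated first; the
# first matching rule decides the action.
resource "google_compute_region_security_policy" "allowlist" {
  provider = google-beta

  region      = "us-west2"
  name        = "policyallowlist" # assumed name
  description = "allow-list policy with explicit catch-all deny"
  type        = "CLOUD_ARMOR"
}

# Priority 100: trusted ranges are allowed. preview = false means this
# rule actually takes effect.
resource "google_compute_region_security_policy_rule" "allow_trusted" {
  provider = google-beta

  region          = "us-west2"
  security_policy = google_compute_region_security_policy.allowlist.name
  description     = "allow trusted ranges"
  priority        = 100
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      # constructed sample ranges
      src_ip_ranges = ["10.10.0.0/16", "192.0.2.0/24"]
    }
  }
  action  = "allow"
  preview = false
}

# Priority 200: a block that is being staged. With preview = true the
# match is only logged; evaluation continues to the next rule, so this
# range is still handled by the catch-all deny below until preview is
# switched off.
resource "google_compute_region_security_policy_rule" "deny_staged" {
  provider = google-beta

  region          = "us-west2"
  security_policy = google_compute_region_security_policy.allowlist.name
  description     = "staged deny, logged only"
  priority        = 200
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["198.51.100.0/24"] # constructed sample range
    }
  }
  action  = "deny(403)"
  preview = true
}

# Priority 2147483646: everything else is denied. This sits immediately
# ahead of the policy's default rule (priority 2147483647, which matches
# "*"), so no traffic falls through to the default action.
resource "google_compute_region_security_policy_rule" "deny_all" {
  provider = google-beta

  region          = "us-west2"
  security_policy = google_compute_region_security_policy.allowlist.name
  description     = "explicit catch-all deny"
  priority        = 2147483646
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["*"]
    }
  }
  action  = "deny(403)"
  preview = false
}
```

Stage a new deny rule with preview = true first, confirm in the policy logs that it matches only the intended traffic, then set preview = false; a rule left in preview provides no protection.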

Example Usage - Region Security Policy Rule With Network Match

# First activate advanced network DDoS protection for the desired region
resource "google_compute_region_security_policy" "policyddosprotection" {
  provider    = google-beta

  region      = "us-west2"
  name        = "policyddosprotection"
  description = "policy for activating network DDoS protection for the desired region"
  type        = "CLOUD_ARMOR_NETWORK"
  ddos_protection_config {
    ddos_protection = "ADVANCED_PREVIEW"
  }
}

resource "google_compute_network_edge_security_service" "edge_sec_service" {
  provider        = google-beta

  region          = "us-west2"
  name            = "edgesecservice"
  description     = "linking policy to edge security service"
  security_policy = google_compute_region_security_policy.policyddosprotection.self_link
}

# Add the desired policy and custom rule.
resource "google_compute_region_security_policy" "policynetworkmatch" {
  provider    = google-beta

  region      = "us-west2"
  name        = "policyfornetworkmatch"
  description = "region security policy for network match"
  type        = "CLOUD_ARMOR_NETWORK"
  # Defines a 2-byte field starting at byte 8 of the TCP header. The mask is
  # ANDed with the field before any rule compares it against its values, so
  # only the bits set in the mask take part in matching.
  user_defined_fields {
    name   = "SIG1_AT_0"
    base   = "TCP"
    offset = 8
    size   = 2
    mask   = "0x8F00"
  }
  depends_on  = [google_compute_network_edge_security_service.edge_sec_service]
}

resource "google_compute_region_security_policy_rule" "policy_rule_network_match" {
  provider        = google-beta

  region          = "us-west2"
  security_policy = google_compute_region_security_policy.policynetworkmatch.name
  description     = "custom rule for network match"
  priority        = 100
  network_match {
    src_ip_ranges = ["10.10.0.0/16"]
    # Matches when the masked field named in the policy equals 0x8F00, i.e.
    # every bit kept by the mask is set.
    user_defined_fields {
      name   = "SIG1_AT_0"
      values = ["0x8F00"]
    }
  }
  action          = "allow"
  preview         = true
}

Argument Reference

The following arguments are supported:


The match block supports:

The config block supports:

The network_match block supports:

The user_defined_fields block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

RegionSecurityPolicyRule can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import RegionSecurityPolicyRule using one of the formats above. For example:

import {
  id = "projects/{{project}}/regions/{{region}}/securityPolicies/{{security_policy}}/priority/{{priority}}"
  to = google_compute_region_security_policy_rule.default
}

When using the terraform import command, RegionSecurityPolicyRule can be imported using one of the formats above. For example:

$ terraform import google_compute_region_security_policy_rule.default projects/{{project}}/regions/{{region}}/securityPolicies/{{security_policy}}/priority/{{priority}}
$ terraform import google_compute_region_security_policy_rule.default {{project}}/{{region}}/{{security_policy}}/{{priority}}
$ terraform import google_compute_region_security_policy_rule.default {{region}}/{{security_policy}}/{{priority}}
$ terraform import google_compute_region_security_policy_rule.default {{security_policy}}/{{priority}}

User Project Overrides

This resource supports User Project Overrides.