1. Packages
  2. Google Cloud Native
  3. API Docs
  4. networksecurity
  5. networksecurity/v1beta1
  6. AuthorizationPolicy

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.networksecurity/v1beta1.AuthorizationPolicy

Explore with Pulumi AI

google-native logo

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

    Creates a new AuthorizationPolicy in a given project and location.

    Create AuthorizationPolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new AuthorizationPolicy(name: string, args: AuthorizationPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def AuthorizationPolicy(resource_name: str,
                            args: AuthorizationPolicyArgs,
                            opts: Optional[ResourceOptions] = None)
    
    @overload
    def AuthorizationPolicy(resource_name: str,
                            opts: Optional[ResourceOptions] = None,
                            action: Optional[AuthorizationPolicyAction] = None,
                            authorization_policy_id: Optional[str] = None,
                            description: Optional[str] = None,
                            labels: Optional[Mapping[str, str]] = None,
                            location: Optional[str] = None,
                            name: Optional[str] = None,
                            project: Optional[str] = None,
                            rules: Optional[Sequence[RuleArgs]] = None)
    func NewAuthorizationPolicy(ctx *Context, name string, args AuthorizationPolicyArgs, opts ...ResourceOption) (*AuthorizationPolicy, error)
    public AuthorizationPolicy(string name, AuthorizationPolicyArgs args, CustomResourceOptions? opts = null)
    public AuthorizationPolicy(String name, AuthorizationPolicyArgs args)
    public AuthorizationPolicy(String name, AuthorizationPolicyArgs args, CustomResourceOptions options)
    
    type: google-native:networksecurity/v1beta1:AuthorizationPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args AuthorizationPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AuthorizationPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AuthorizationPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AuthorizationPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AuthorizationPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var google_nativeAuthorizationPolicyResource = new GoogleNative.NetworkSecurity.V1Beta1.AuthorizationPolicy("google-nativeAuthorizationPolicyResource", new()
    {
        Action = GoogleNative.NetworkSecurity.V1Beta1.AuthorizationPolicyAction.ActionUnspecified,
        AuthorizationPolicyId = "string",
        Description = "string",
        Labels = 
        {
            { "string", "string" },
        },
        Location = "string",
        Name = "string",
        Project = "string",
        Rules = new[]
        {
            new GoogleNative.NetworkSecurity.V1Beta1.Inputs.RuleArgs
            {
                Destinations = new[]
                {
                    new GoogleNative.NetworkSecurity.V1Beta1.Inputs.DestinationArgs
                    {
                        Hosts = new[]
                        {
                            "string",
                        },
                        Ports = new[]
                        {
                            0,
                        },
                        HttpHeaderMatch = new GoogleNative.NetworkSecurity.V1Beta1.Inputs.HttpHeaderMatchArgs
                        {
                            HeaderName = "string",
                            RegexMatch = "string",
                        },
                        Methods = new[]
                        {
                            "string",
                        },
                    },
                },
                Sources = new[]
                {
                    new GoogleNative.NetworkSecurity.V1Beta1.Inputs.SourceArgs
                    {
                        IpBlocks = new[]
                        {
                            "string",
                        },
                        Principals = new[]
                        {
                            "string",
                        },
                    },
                },
            },
        },
    });
    
    example, err := networksecurityv1beta1.NewAuthorizationPolicy(ctx, "google-nativeAuthorizationPolicyResource", &networksecurityv1beta1.AuthorizationPolicyArgs{
    	Action:                networksecurityv1beta1.AuthorizationPolicyActionActionUnspecified,
    	AuthorizationPolicyId: pulumi.String("string"),
    	Description:           pulumi.String("string"),
    	Labels: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	Location: pulumi.String("string"),
    	Name:     pulumi.String("string"),
    	Project:  pulumi.String("string"),
    	Rules: networksecurity.RuleTypeArray{
    		&networksecurity.RuleTypeArgs{
    			Destinations: networksecurity.DestinationArray{
    				&networksecurity.DestinationArgs{
    					Hosts: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					Ports: pulumi.IntArray{
    						pulumi.Int(0),
    					},
    					HttpHeaderMatch: &networksecurity.HttpHeaderMatchArgs{
    						HeaderName: pulumi.String("string"),
    						RegexMatch: pulumi.String("string"),
    					},
    					Methods: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    			},
    			Sources: networksecurity.SourceArray{
    				&networksecurity.SourceArgs{
    					IpBlocks: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					Principals: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    			},
    		},
    	},
    })
    
    var google_nativeAuthorizationPolicyResource = new AuthorizationPolicy("google-nativeAuthorizationPolicyResource", AuthorizationPolicyArgs.builder()
        .action("ACTION_UNSPECIFIED")
        .authorizationPolicyId("string")
        .description("string")
        .labels(Map.of("string", "string"))
        .location("string")
        .name("string")
        .project("string")
        .rules(RuleArgs.builder()
            .destinations(DestinationArgs.builder()
                .hosts("string")
                .ports(0)
                .httpHeaderMatch(HttpHeaderMatchArgs.builder()
                    .headerName("string")
                    .regexMatch("string")
                    .build())
                .methods("string")
                .build())
            .sources(SourceArgs.builder()
                .ipBlocks("string")
                .principals("string")
                .build())
            .build())
        .build());
    
    google_native_authorization_policy_resource = google_native.networksecurity.v1beta1.AuthorizationPolicy("google-nativeAuthorizationPolicyResource",
        action=google_native.networksecurity.v1beta1.AuthorizationPolicyAction.ACTION_UNSPECIFIED,
        authorization_policy_id="string",
        description="string",
        labels={
            "string": "string",
        },
        location="string",
        name="string",
        project="string",
        rules=[{
            "destinations": [{
                "hosts": ["string"],
                "ports": [0],
                "http_header_match": {
                    "header_name": "string",
                    "regex_match": "string",
                },
                "methods": ["string"],
            }],
            "sources": [{
                "ip_blocks": ["string"],
                "principals": ["string"],
            }],
        }])
    
    const google_nativeAuthorizationPolicyResource = new google_native.networksecurity.v1beta1.AuthorizationPolicy("google-nativeAuthorizationPolicyResource", {
        action: google_native.networksecurity.v1beta1.AuthorizationPolicyAction.ActionUnspecified,
        authorizationPolicyId: "string",
        description: "string",
        labels: {
            string: "string",
        },
        location: "string",
        name: "string",
        project: "string",
        rules: [{
            destinations: [{
                hosts: ["string"],
                ports: [0],
                httpHeaderMatch: {
                    headerName: "string",
                    regexMatch: "string",
                },
                methods: ["string"],
            }],
            sources: [{
                ipBlocks: ["string"],
                principals: ["string"],
            }],
        }],
    });
    
    type: google-native:networksecurity/v1beta1:AuthorizationPolicy
    properties:
        action: ACTION_UNSPECIFIED
        authorizationPolicyId: string
        description: string
        labels:
            string: string
        location: string
        name: string
        project: string
        rules:
            - destinations:
                - hosts:
                    - string
                  httpHeaderMatch:
                    headerName: string
                    regexMatch: string
                  methods:
                    - string
                  ports:
                    - 0
              sources:
                - ipBlocks:
                    - string
                  principals:
                    - string
    

    AuthorizationPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The AuthorizationPolicy resource accepts the following input properties:

    Action Pulumi.GoogleNative.NetworkSecurity.V1Beta1.AuthorizationPolicyAction
    The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
    AuthorizationPolicyId string
    Required. Short name of the AuthorizationPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "authz_policy".
    Description string
    Optional. Free-text description of the resource.
    Labels Dictionary<string, string>
    Optional. Set of label tags associated with the AuthorizationPolicy resource.
    Location string
    Name string
    Name of the AuthorizationPolicy resource. It matches pattern projects/{project}/locations/{location}/authorizationPolicies/.
    Project string
    Rules List<Pulumi.GoogleNative.NetworkSecurity.V1Beta1.Inputs.Rule>
    Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.
    Action AuthorizationPolicyAction
    The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
    AuthorizationPolicyId string
    Required. Short name of the AuthorizationPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "authz_policy".
    Description string
    Optional. Free-text description of the resource.
    Labels map[string]string
    Optional. Set of label tags associated with the AuthorizationPolicy resource.
    Location string
    Name string
    Name of the AuthorizationPolicy resource. It matches pattern projects/{project}/locations/{location}/authorizationPolicies/.
    Project string
    Rules []RuleTypeArgs
    Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.
    action AuthorizationPolicyAction
    The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
    authorizationPolicyId String
    Required. Short name of the AuthorizationPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "authz_policy".
    description String
    Optional. Free-text description of the resource.
    labels Map<String,String>
    Optional. Set of label tags associated with the AuthorizationPolicy resource.
    location String
    name String
    Name of the AuthorizationPolicy resource. It matches pattern projects/{project}/locations/{location}/authorizationPolicies/.
    project String
    rules List<Rule>
    Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.
    action AuthorizationPolicyAction
    The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
    authorizationPolicyId string
    Required. Short name of the AuthorizationPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "authz_policy".
    description string
    Optional. Free-text description of the resource.
    labels {[key: string]: string}
    Optional. Set of label tags associated with the AuthorizationPolicy resource.
    location string
    name string
    Name of the AuthorizationPolicy resource. It matches pattern projects/{project}/locations/{location}/authorizationPolicies/.
    project string
    rules Rule[]
    Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.
    action AuthorizationPolicyAction
    The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
    authorization_policy_id str
    Required. Short name of the AuthorizationPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "authz_policy".
    description str
    Optional. Free-text description of the resource.
    labels Mapping[str, str]
    Optional. Set of label tags associated with the AuthorizationPolicy resource.
    location str
    name str
    Name of the AuthorizationPolicy resource. It matches pattern projects/{project}/locations/{location}/authorizationPolicies/.
    project str
    rules Sequence[RuleArgs]
    Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.
    action "ACTION_UNSPECIFIED" | "ALLOW" | "DENY"
    The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
    authorizationPolicyId String
    Required. Short name of the AuthorizationPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "authz_policy".
    description String
    Optional. Free-text description of the resource.
    labels Map<String>
    Optional. Set of label tags associated with the AuthorizationPolicy resource.
    location String
    name String
    Name of the AuthorizationPolicy resource. It matches pattern projects/{project}/locations/{location}/authorizationPolicies/.
    project String
    rules List<Property Map>
    Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AuthorizationPolicy resource produces the following output properties:

    CreateTime string
    The timestamp when the resource was created.
    Id string
    The provider-assigned unique ID for this managed resource.
    UpdateTime string
    The timestamp when the resource was updated.
    CreateTime string
    The timestamp when the resource was created.
    Id string
    The provider-assigned unique ID for this managed resource.
    UpdateTime string
    The timestamp when the resource was updated.
    createTime String
    The timestamp when the resource was created.
    id String
    The provider-assigned unique ID for this managed resource.
    updateTime String
    The timestamp when the resource was updated.
    createTime string
    The timestamp when the resource was created.
    id string
    The provider-assigned unique ID for this managed resource.
    updateTime string
    The timestamp when the resource was updated.
    create_time str
    The timestamp when the resource was created.
    id str
    The provider-assigned unique ID for this managed resource.
    update_time str
    The timestamp when the resource was updated.
    createTime String
    The timestamp when the resource was created.
    id String
    The provider-assigned unique ID for this managed resource.
    updateTime String
    The timestamp when the resource was updated.

    Supporting Types

    AuthorizationPolicyAction, AuthorizationPolicyActionArgs

    ActionUnspecified
    ACTION_UNSPECIFIEDDefault value.
    Allow
    ALLOWGrant access.
    Deny
    DENYDeny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback.
    AuthorizationPolicyActionActionUnspecified
    ACTION_UNSPECIFIEDDefault value.
    AuthorizationPolicyActionAllow
    ALLOWGrant access.
    AuthorizationPolicyActionDeny
    DENYDeny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback.
    ActionUnspecified
    ACTION_UNSPECIFIEDDefault value.
    Allow
    ALLOWGrant access.
    Deny
    DENYDeny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback.
    ActionUnspecified
    ACTION_UNSPECIFIEDDefault value.
    Allow
    ALLOWGrant access.
    Deny
    DENYDeny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback.
    ACTION_UNSPECIFIED
    ACTION_UNSPECIFIEDDefault value.
    ALLOW
    ALLOWGrant access.
    DENY
    DENYDeny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback.
    "ACTION_UNSPECIFIED"
    ACTION_UNSPECIFIEDDefault value.
    "ALLOW"
    ALLOWGrant access.
    "DENY"
    DENYDeny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback.

    Destination, DestinationArgs

    Hosts List<string>
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    Ports List<int>
    List of destination ports to match. At least one port should match.
    HttpHeaderMatch Pulumi.GoogleNative.NetworkSecurity.V1Beta1.Inputs.HttpHeaderMatch
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    Methods List<string>
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    Hosts []string
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    Ports []int
    List of destination ports to match. At least one port should match.
    HttpHeaderMatch HttpHeaderMatch
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    Methods []string
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    hosts List<String>
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    ports List<Integer>
    List of destination ports to match. At least one port should match.
    httpHeaderMatch HttpHeaderMatch
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    methods List<String>
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    hosts string[]
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    ports number[]
    List of destination ports to match. At least one port should match.
    httpHeaderMatch HttpHeaderMatch
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    methods string[]
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    hosts Sequence[str]
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    ports Sequence[int]
    List of destination ports to match. At least one port should match.
    http_header_match HttpHeaderMatch
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    methods Sequence[str]
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    hosts List<String>
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    ports List<Number>
    List of destination ports to match. At least one port should match.
    httpHeaderMatch Property Map
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    methods List<String>
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.

    DestinationResponse, DestinationResponseArgs

    Hosts List<string>
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    HttpHeaderMatch Pulumi.GoogleNative.NetworkSecurity.V1Beta1.Inputs.HttpHeaderMatchResponse
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    Methods List<string>
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    Ports List<int>
    List of destination ports to match. At least one port should match.
    Hosts []string
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    HttpHeaderMatch HttpHeaderMatchResponse
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    Methods []string
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    Ports []int
    List of destination ports to match. At least one port should match.
    hosts List<String>
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    httpHeaderMatch HttpHeaderMatchResponse
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    methods List<String>
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    ports List<Integer>
    List of destination ports to match. At least one port should match.
    hosts string[]
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    httpHeaderMatch HttpHeaderMatchResponse
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    methods string[]
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    ports number[]
    List of destination ports to match. At least one port should match.
    hosts Sequence[str]
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    http_header_match HttpHeaderMatchResponse
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    methods Sequence[str]
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    ports Sequence[int]
    List of destination ports to match. At least one port should match.
    hosts List<String>
    List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
    httpHeaderMatch Property Map
    Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.
    methods List<String>
    Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
    ports List<Number>
    List of destination ports to match. At least one port should match.

    HttpHeaderMatch, HttpHeaderMatchArgs

    HeaderName string
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    RegexMatch string
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    HeaderName string
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    RegexMatch string
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    headerName String
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    regexMatch String
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    headerName string
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    regexMatch string
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    header_name str
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    regex_match str
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    headerName String
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    regexMatch String
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.

    HttpHeaderMatchResponse, HttpHeaderMatchResponseArgs

    HeaderName string
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    RegexMatch string
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    HeaderName string
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    RegexMatch string
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    headerName String
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    regexMatch String
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    headerName string
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    regexMatch string
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    header_name str
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    regex_match str
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
    headerName String
    The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
    regexMatch String
    The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.

    Rule, RuleArgs

    Destinations List<Pulumi.GoogleNative.NetworkSecurity.V1Beta1.Inputs.Destination>
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    Sources List<Pulumi.GoogleNative.NetworkSecurity.V1Beta1.Inputs.Source>
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    Destinations []Destination
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    Sources []Source
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    destinations List<Destination>
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    sources List<Source>
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    destinations Destination[]
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    sources Source[]
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    destinations Sequence[Destination]
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    sources Sequence[Source]
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    destinations List<Property Map>
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    sources List<Property Map>
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.

    RuleResponse, RuleResponseArgs

    Destinations List<Pulumi.GoogleNative.NetworkSecurity.V1Beta1.Inputs.DestinationResponse>
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    Sources List<Pulumi.GoogleNative.NetworkSecurity.V1Beta1.Inputs.SourceResponse>
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    Destinations []DestinationResponse
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    Sources []SourceResponse
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    destinations List<DestinationResponse>
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    sources List<SourceResponse>
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    destinations DestinationResponse[]
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    sources SourceResponse[]
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    destinations Sequence[DestinationResponse]
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    sources Sequence[SourceResponse]
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
    destinations List<Property Map>
    Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.
    sources List<Property Map>
    Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.

    Source, SourceArgs

    IpBlocks List<string>
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    Principals List<string>
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    IpBlocks []string
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    Principals []string
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    ipBlocks List<String>
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    principals List<String>
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    ipBlocks string[]
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    principals string[]
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    ip_blocks Sequence[str]
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    principals Sequence[str]
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    ipBlocks List<String>
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    principals List<String>
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.

    SourceResponse, SourceResponseArgs

    IpBlocks List<string>
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    Principals List<string>
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    IpBlocks []string
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    Principals []string
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    ipBlocks List<String>
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    principals List<String>
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    ipBlocks string[]
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    principals string[]
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    ip_blocks Sequence[str]
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    principals Sequence[str]
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
    ipBlocks List<String>
    Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.
    principals List<String>
    Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.

    Package Details

    Repository
    Google Cloud Native pulumi/pulumi-google-native
    License
    Apache-2.0
    google-native logo

    Google Cloud Native is in preview. Google Cloud Classic is fully supported.

    Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi