security_policies_rule
Creates, updates, deletes, gets or lists a security_policies_rule resource.
Overview
| Name | security_policies_rule |
| Type | Resource |
| Id | google.compute.security_policies_rule |
Fields
The following fields are returned by SELECT queries:
- get_rule
Successful response
| Name | Datatype | Description |
|---|---|---|
action | string | The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - fairshare (preview only): when traffic reaches the threshold limit, requests from the clients matching this rule begin to be rate-limited using the Fair Share algorithm. This action is only allowed in security policies of type CLOUD_ARMOR_INTERNAL_SERVICE. |
description | string | An optional description of this resource. Provide this property when you create the resource. |
headerAction | object | Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR. (id: SecurityPolicyRuleHttpHeaderAction) |
kind | string | [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules (default: compute#securityPolicyRule) |
match | object | A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. (id: SecurityPolicyRuleMatcher) |
networkMatch | object | A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive. (id: SecurityPolicyRuleNetworkMatcher) |
preconfiguredWafConfig | object | Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect. (id: SecurityPolicyRulePreconfiguredWafConfig) |
preview | boolean | If set to true, the specified action is not enforced. |
priority | integer (int32) | An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. |
rateLimitOptions | object | Must be specified if the action is "rate_based_ban" or "throttle" or "fairshare". Cannot be specified for any other actions. (id: SecurityPolicyRuleRateLimitOptions) |
redirectOptions | object | Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR. (id: SecurityPolicyRuleRedirectOptions) |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
get_rule | select | project, region, securityPolicy | priority | Gets a rule at the specified priority. |
add_rule | insert | project, region, securityPolicy | validateOnly | Inserts a rule into a security policy. |
remove_rule | delete | project, region, securityPolicy | priority | Deletes a rule at the specified priority. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
project | string | |
region | string | |
securityPolicy | string | |
priority | integer (int32) | |
validateOnly | boolean |
SELECT examples
- get_rule
Gets a rule at the specified priority.
SELECT
action,
description,
headerAction,
kind,
match,
networkMatch,
preconfiguredWafConfig,
preview,
priority,
rateLimitOptions,
redirectOptions
FROM google.compute.security_policies_rule
WHERE project = '{{ project }}' -- required
AND region = '{{ region }}' -- required
AND securityPolicy = '{{ securityPolicy }}' -- required
AND priority = '{{ priority }}';
INSERT examples
- add_rule
- Manifest
Inserts a rule into a security policy.
INSERT INTO google.compute.security_policies_rule (
data__kind,
data__description,
data__priority,
data__match,
data__networkMatch,
data__action,
data__preview,
data__rateLimitOptions,
data__headerAction,
data__redirectOptions,
data__preconfiguredWafConfig,
project,
region,
securityPolicy,
validateOnly
)
SELECT
'{{ kind }}',
'{{ description }}',
{{ priority }},
'{{ match }}',
'{{ networkMatch }}',
'{{ action }}',
{{ preview }},
'{{ rateLimitOptions }}',
'{{ headerAction }}',
'{{ redirectOptions }}',
'{{ preconfiguredWafConfig }}',
'{{ project }}',
'{{ region }}',
'{{ securityPolicy }}',
'{{ validateOnly }}'
RETURNING
id,
name,
clientOperationId,
creationTimestamp,
description,
endTime,
error,
httpErrorMessage,
httpErrorStatusCode,
insertTime,
instancesBulkInsertOperationMetadata,
kind,
operationGroupId,
operationType,
progress,
region,
selfLink,
setCommonInstanceMetadataOperationMetadata,
startTime,
status,
statusMessage,
targetId,
targetLink,
user,
warnings,
zone
;
# Description fields are for documentation purposes
- name: security_policies_rule
props:
- name: project
value: string
description: Required parameter for the security_policies_rule resource.
- name: region
value: string
description: Required parameter for the security_policies_rule resource.
- name: securityPolicy
value: string
description: Required parameter for the security_policies_rule resource.
- name: kind
value: string
description: >
[Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
default: compute#securityPolicyRule
- name: description
value: string
description: >
An optional description of this resource. Provide this property when you create the resource.
- name: priority
value: integer
description: >
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- name: match
value: object
description: >
A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- name: networkMatch
value: object
description: >
A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.
- name: action
value: string
description: >
The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for `STATUS` are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - fairshare (preview only): when traffic reaches the threshold limit, requests from the clients matching this rule begin to be rate-limited using the Fair Share algorithm. This action is only allowed in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`.
- name: preview
value: boolean
description: >
If set to true, the specified action is not enforced.
- name: rateLimitOptions
value: object
description: >
Must be specified if the action is "rate_based_ban" or "throttle" or "fairshare". Cannot be specified for any other actions.
- name: headerAction
value: object
description: >
Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- name: redirectOptions
value: object
description: >
Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
- name: preconfiguredWafConfig
value: object
description: >
Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.
- name: validateOnly
value: boolean
DELETE examples
- remove_rule
Deletes a rule at the specified priority.
DELETE FROM google.compute.security_policies_rule
WHERE project = '{{ project }}' --required
AND region = '{{ region }}' --required
AND securityPolicy = '{{ securityPolicy }}' --required
AND priority = '{{ priority }}';