» google_compute_security_policy
A Security Policy defines an IP blacklist or whitelist that protects load balanced Google Cloud services by denying or permitting traffic from specified IP ranges. For more information see the official documentation and the API.
» Example Usage
resource "google_compute_security_policy" "policy" {
  name = "my-policy"

  rule {
    action   = "deny(403)"
    priority = "1000"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["9.9.9.0/24"]
      }
    }
    description = "Deny access to IPs in 9.9.9.0/24"
  }

  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }
}
» Argument Reference
The following arguments are supported:
- name - (Required) The name of the security policy.
- description - (Optional) An optional description of this security policy. Max size is 2048.
- project - (Optional) The project in which the resource belongs. If it is not provided, the provider project is used.
- rule - (Optional) The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.
The rule block supports:
- action - (Required) Action to take when match matches the request. Valid values:
  - "allow": allow access to target
  - "deny(status)": deny access to target, returns the HTTP response code specified (valid values are 403, 404 and 502)
- priority - (Required) A unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.
- match - (Required) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. Structure is documented below.
- description - (Optional) An optional description of this rule. Max size is 64.
- preview - (Optional) When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.
The match block supports:
- config - (Required) The configuration options available when specifying versioned_expr. Structure is documented below.
- versioned_expr - (Required) Predefined rule expression. Available options:
  - SRC_IPS_V1: Must specify the corresponding src_ip_ranges field in config.
The config block supports:
- src_ip_ranges - (Required) Set of IP addresses or ranges (IPv4 or IPv6) in CIDR notation to match against inbound traffic. There is a limit of 5 IP ranges per rule. A value of '*' matches all IPs (can be used to override the default behavior).
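The rule, match and config arguments above describe a small evaluation model: rules are walked from the lowest priority number upward, the first matching src_ip_ranges entry decides, a preview rule is logged but not enforced, and a default rule with priority 2147483647 matching "*" must always exist. The following Python is an added example, not code from the Terraform provider or from Google; it checks a policy against the constraints listed on this page (default rule, at most 5 ranges per rule, deny codes 403/404/502, 64-character rule descriptions, unique positive priorities) and then evaluates source addresses against it. The dictionary shapes and the sample policy are constructed for illustration; Cloud Armor's real behaviour for anything not stated on this page is not modelled.

```python
"""Added example: offline model of security-policy rule validation and evaluation.
The rule/match/config layout mirrors the argument reference; everything else,
including the sample policy and the helper names, is a constructed assumption."""
import ipaddress
import re

DEFAULT_PRIORITY = 2147483647       # priority the required default rule must use
VALID_DENY_CODES = {403, 404, 502}  # the deny(status) codes listed on this page
MAX_RANGES_PER_RULE = 5             # documented limit on src_ip_ranges per rule
_DENY_RE = re.compile(r"^deny\((\d{3})\)$")


def validate_policy(rules):
    """Return a list of problems; an empty list means the policy is acceptable."""
    problems = []
    seen = set()
    for r in rules:
        prio = int(r["priority"])
        if prio <= 0:
            problems.append(f"priority {prio} is not a positive integer")
        if prio in seen:
            problems.append(f"priority {prio} is used by more than one rule")
        seen.add(prio)
        action = r["action"]
        m = _DENY_RE.match(action)
        if action != "allow" and not (m and int(m.group(1)) in VALID_DENY_CODES):
            problems.append(f"rule {prio}: unsupported action {action!r}")
        ranges = r["match"]["config"]["src_ip_ranges"]
        if len(ranges) > MAX_RANGES_PER_RULE:
            problems.append(f"rule {prio}: {len(ranges)} ranges exceeds the limit of {MAX_RANGES_PER_RULE}")
        for cidr in ranges:
            if cidr != "*":
                try:
                    ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    problems.append(f"rule {prio}: {cidr!r} is not valid CIDR notation")
        if len(r.get("description", "")) > 64:
            problems.append(f"rule {prio}: description longer than 64 characters")
    default = [r for r in rules if int(r["priority"]) == DEFAULT_PRIORITY]
    if not default or default[0]["match"]["config"]["src_ip_ranges"] != ["*"]:
        problems.append("missing default rule (priority 2147483647 matching '*')")
    return problems


def _matches(rule, ip):
    """True if the address falls in any range of the rule ('*' matches everything)."""
    addr = ipaddress.ip_address(ip)
    for cidr in rule["match"]["config"]["src_ip_ranges"]:
        # An IPv6 address is never contained in an IPv4 network (and vice versa).
        if cidr == "*" or addr in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def evaluate(rules, ip):
    """Walk rules from lowest priority number upward; the first match decides.
    Returns (enforced_action, previewed) where previewed lists (priority, action)
    of preview rules that matched but were skipped, as preview mode does."""
    previewed = []
    for rule in sorted(rules, key=lambda r: int(r["priority"])):
        if not _matches(rule, ip):
            continue
        if rule.get("preview"):
            previewed.append((int(rule["priority"]), rule["action"]))
            continue
        return rule["action"], previewed
    return None, previewed  # only reachable when the default rule is missing


# Constructed sample policy, shaped like the example on this page plus a preview rule.
SAMPLE_RULES = [
    {"action": "deny(403)", "priority": "1000", "preview": False,
     "match": {"versioned_expr": "SRC_IPS_V1",
               "config": {"src_ip_ranges": ["9.9.9.0/24"]}},
     "description": "Deny access to IPs in 9.9.9.0/24"},
    {"action": "deny(404)", "priority": "500", "preview": True,
     "match": {"versioned_expr": "SRC_IPS_V1",
               "config": {"src_ip_ranges": ["2001:db8::/32"]}},
     "description": "preview only: documentation IPv6 prefix"},
    {"action": "allow", "priority": str(DEFAULT_PRIORITY),
     "match": {"versioned_expr": "SRC_IPS_V1",
               "config": {"src_ip_ranges": ["*"]}},
     "description": "default rule"},
]

if __name__ == "__main__":
    print("problems:", validate_policy(SAMPLE_RULES))
    for ip in ("9.9.9.42", "2001:db8::1", "203.0.113.7"):
        print(ip, "->", evaluate(SAMPLE_RULES, ip))
```

Running it shows the 9.9.9.0/24 client receiving deny(403), the IPv6 client falling through to the default allow with the preview deny recorded rather than enforced, and an unrelated client allowed by the default rule. Removing the last entry from SAMPLE_RULES makes validate_policy report the missing default rule, which is the same invariant the provider enforces.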
» Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
- fingerprint - Fingerprint of this resource.
- self_link - The URI of the created resource.
» Import
Security policies can be imported using the name, e.g.

$ terraform import google_compute_security_policy.policy my-policy