Inserts a rule into a security policy.
Scopes
You will need authorization for at least one of the following scopes to make a valid call:
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/compute
If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform.
You can set the scope for this method like this: compute1 --scope <scope> region-security-policies add-rule ...
Required Scalar Arguments
- <project> (string)
- Project ID for this request.
- <region> (string)
- Name of the region scoping this request.
- <security-policy> (string)
- Name of the security policy to update.
Required Request Value
The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.
For example, a structure like this:
SecurityPolicyRule:
  action: string
  description: string
  kind: string
  match:
    config:
      src-ip-ranges: [string]
    expr:
      description: string
      expression: string
      location: string
      title: string
    expr-options:
      recaptcha-options:
        action-token-site-keys: [string]
        session-token-site-keys: [string]
    versioned-expr: string
  network-match:
    dest-ip-ranges: [string]
    dest-ports: [string]
    ip-protocols: [string]
    src-asns: [integer]
    src-ip-ranges: [string]
    src-ports: [string]
    src-region-codes: [string]
  preview: boolean
  priority: integer
  rate-limit-options:
    ban-duration-sec: integer
    ban-threshold:
      count: integer
      interval-sec: integer
    conform-action: string
    enforce-on-key: string
    enforce-on-key-name: string
    exceed-action: string
    exceed-redirect-options:
      target: string
      type: string
    rate-limit-threshold:
      count: integer
      interval-sec: integer
  redirect-options:
    target: string
    type: string
can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.
-r . action=sed
- The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this.
description=sit
- An optional description of this resource. Provide this property when you create the resource.
kind=labore
- [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
match.config src-ip-ranges=et
- CIDR IP address range. Maximum number of src_ip_ranges allowed is 10.
- Each invocation of this argument appends the given value to the array.
..expr description=stet
- Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression=sit
- Textual representation of an expression in Common Expression Language syntax.
location=dolores
- Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title=kasd
- Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
..expr-options.recaptcha-options action-token-site-keys=magna
- A list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- Each invocation of this argument appends the given value to the array.
session-token-site-keys=dolores
- A list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created.
- Each invocation of this argument appends the given value to the array.
... versioned-expr=lorem
- Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding src_ip_range field in config.
..network-match dest-ip-ranges=lorem
- Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- Each invocation of this argument appends the given value to the array.
dest-ports=clita
- Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- Each invocation of this argument appends the given value to the array.
ip-protocols=sadipscing
- IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp".
- Each invocation of this argument appends the given value to the array.
src-asns=34
- BGP Autonomous System Number associated with the source IP address.
- Each invocation of this argument appends the given value to the array.
src-ip-ranges=sit
- Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format.
- Each invocation of this argument appends the given value to the array.
src-ports=no
- Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023").
- Each invocation of this argument appends the given value to the array.
src-region-codes=ea
- Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address.
- Each invocation of this argument appends the given value to the array.
.. preview=false
- If set to true, the specified action is not enforced.
priority=50
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
rate-limit-options ban-duration-sec=1
- Can only be specified if the action for the rule is "rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
ban-threshold count=80
- Number of HTTP(S) requests for calculating the threshold.
interval-sec=73
- Interval over which the threshold is computed.
.. conform-action=elitr
- Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only.
enforce-on-key=elitr
- Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates. - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL. - USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP.
enforce-on-key-name=duo
- Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
exceed-action=voluptua.
- Action to take for requests that are above the configured rate limit threshold, to either deny with a specified HTTP response code, or redirect to a different endpoint. Valid options are deny(STATUS), where valid values for STATUS are 403, 404, 429, and 502, and redirect, where the redirect parameters come from exceedRedirectOptions below. The redirect action is only supported in Global Security Policies of type CLOUD_ARMOR.
exceed-redirect-options target=eos
- Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA.
type=tempor
- Type of the redirect action.
..rate-limit-threshold count=68
- Number of HTTP(S) requests for calculating the threshold.
interval-sec=16
- Interval over which the threshold is computed.
...redirect-options target=invidunt
- Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA.
type=ipsum
- Type of the redirect action.
About Cursors
The cursor position is key to comfortably set complex nested structures. The following rules apply:
- The cursor position is always set relative to the current one, unless the field name starts with the "." character. Fields can be nested, such as in -r f.s.o
- The cursor position is set relative to the top-level structure if it starts with ".", e.g. -r .s.s
- You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify -r struct.sub_struct=bar
- You can move the cursor one level up by using "..". Each additional "." moves it up one additional level. E.g. "..." would go three levels up.
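The following Python script is an added example; it is not part of the compute1 tool or its generated documentation. It interprets the -r cursor notation explained in this section, as it is used in the argument listing above, and builds the nested request body for a rate_based_ban rule so that you can see which SecurityPolicyRule fields a given sequence of cursor moves and key=value tokens ends up setting before the call is made. Assumptions made by the example: kebab-case CLI field names are mapped to the API's camelCase JSON names (src-ip-ranges becomes srcIpRanges); each leading dot beyond ".." moves the cursor one more level up, which is how the argument listing above uses "..." (from match.expr-options.recaptcha-options back to match); and value types are taken from the SecurityPolicyRule structure shown on this page. The token list is constructed for the example.

```python
"""Added example (not compute1's own code): an interpreter for the `-r`
cursor notation that turns cursor moves and key=value tokens into the
nested request body. Field-name mapping, cursor semantics and types are
assumptions stated in the lead-in above.
"""
import json

# Leaf field kinds, taken from the SecurityPolicyRule structure on this page.
# Anything not listed is treated as a plain string.
LIST_STR = {"src-ip-ranges", "action-token-site-keys", "session-token-site-keys",
            "dest-ip-ranges", "dest-ports", "ip-protocols", "src-ports", "src-region-codes"}
LIST_INT = {"src-asns"}
INT = {"priority", "count", "interval-sec", "ban-duration-sec"}
BOOL = {"preview"}

# Constructed token sequence (what would follow `-r` on the command line):
# a rate_based_ban rule on two source ranges, created in preview mode.
CONSTRUCTED_ARGS = [
    ".", "action=rate_based_ban",
    "description=ban-noisy-partner-clients",
    "priority=1000",
    "match.config", "src-ip-ranges=203.0.113.0/24", "src-ip-ranges=198.51.100.0/24",
    "..", "versioned-expr=SRC_IPS_V1",                 # up one level: match
    "..rate-limit-options", "conform-action=allow",     # up to root, then down
    "exceed-action=deny(429)", "enforce-on-key=IP",
    "rate-limit-threshold", "count=100", "interval-sec=60",
    "..ban-threshold", "count=1000", "interval-sec=600",
    "...", "preview=true",                              # two levels up: root
    "rate-limit-options.ban-duration-sec=300",          # nested key, cursor unchanged
]


def camel(name):
    """kebab-case CLI field name -> camelCase JSON field name (assumed mapping)."""
    head, *rest = name.split("-")
    return head + "".join(part.capitalize() for part in rest)


def coerce(field, raw):
    """Convert the textual value to the type the schema gives the leaf field."""
    if field in INT or field in LIST_INT:
        return int(raw)
    if field in BOOL:
        if raw not in ("true", "false"):
            raise ValueError(f"{field}: expected true/false, got {raw!r}")
        return raw == "true"
    return raw


def resolve(cursor, token):
    """Apply the cursor rules to `token` and return the resulting path.

    - no leading dot: relative to the current cursor (f.s.o)
    - one leading dot: absolute from the top-level structure (.s.s, or "." alone)
    - two or more dots: ".." goes up one level, each extra dot one more, then descend
    """
    dots = len(token) - len(token.lstrip("."))
    path = [p for p in token[dots:].split(".") if p]
    if dots == 0:
        return cursor + path
    if dots == 1:
        return path
    up = dots - 1
    if up > len(cursor):
        raise ValueError(f"cannot move {up} levels up from {'.'.join(cursor) or '<root>'}")
    return cursor[:len(cursor) - up] + path


def build_request(tokens):
    """Interpret the tokens that would follow `-r` and return the request body."""
    body, cursor = {}, []
    for token in tokens:
        if "=" not in token:           # a bare token only moves the cursor
            cursor = resolve(cursor, token)
            continue
        key, _, raw = token.partition("=")
        *struct_path, field = resolve(cursor, key)
        node = body
        for part in struct_path:       # walk/create the enclosing structures
            node = node.setdefault(camel(part), {})
        name, value = camel(field), coerce(field, raw)
        if field in LIST_STR or field in LIST_INT:
            node.setdefault(name, []).append(value)   # repeated invocations append
        elif name in node:
            raise ValueError(f"{'.'.join(struct_path + [field])} set twice")
        else:
            node[name] = value
    return body


if __name__ == "__main__":
    print(json.dumps(build_request(CONSTRUCTED_ARGS), indent=2))
```

Running the script prints the body as JSON; the same sequence typed after -r in a real compute1 call would set the same fields. Keeping preview=true on a new rule means the action is logged but not enforced, which is the safe way to check a rate_based_ban threshold against live traffic before turning it on.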
Optional Output Flags
The method's return value is a JSON-encoded structure, which will be written to standard output by default.
- -o out
- out specifies the destination to which to write the server's result. It will be a JSON-encoded structure. The destination may be "-" to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.
Optional Method Properties
You may set the following properties to further configure the call. Please note that -p is followed by one or more key-value-pairs, and is called like this: -p k1=v1 k2=v2, even though the listing below repeats the -p for completeness.
- -p validate-only=boolean
- If true, the request will not be committed.
Optional General Properties
The following properties can configure any call, and are not specific to this method.
- -p $-xgafv=string
- V1 error format.
- -p access-token=string
- OAuth access token.
- -p alt=string
- Data format for response.
- -p callback=string
- JSONP
- -p fields=string
- Selector specifying which fields to include in a partial response.
- -p key=string
- API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
- -p oauth-token=string
- OAuth 2.0 token for the current user.
- -p pretty-print=boolean
- Returns response with indentations and line breaks.
- -p quota-user=string
- Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
- -p upload-type=string
- Legacy upload protocol for media (e.g. "media", "multipart").
- -p upload-protocol=string
- Upload protocol for media (e.g. "raw", "multipart").
- -p user-ip=string
- Legacy name for parameter that has been superseded by quotaUser.