| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans-serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="compute_v1.html">Compute Engine API</a> . <a href="compute_v1.regionNetworkFirewallPolicies.html">regionNetworkFirewallPolicies</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#addAssociation">addAssociation(project, region, firewallPolicy, body=None, replaceExistingAssociation=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Inserts an association for the specified network firewall policy.</p> |
| <p class="toc_element"> |
| <code><a href="#addRule">addRule(project, region, firewallPolicy, body=None, maxPriority=None, minPriority=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Inserts a rule into a network firewall policy.</p> |
| <p class="toc_element"> |
| <code><a href="#cloneRules">cloneRules(project, region, firewallPolicy, requestId=None, sourceFirewallPolicy=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Copies rules to the specified network firewall policy.</p> |
| <p class="toc_element"> |
| <code><a href="#close">close()</a></code></p> |
| <p class="firstline">Close httplib2 connections.</p> |
| <p class="toc_element"> |
| <code><a href="#delete">delete(project, region, firewallPolicy, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Deletes the specified network firewall policy.</p> |
| <p class="toc_element"> |
| <code><a href="#get">get(project, region, firewallPolicy, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns the specified network firewall policy.</p> |
| <p class="toc_element"> |
| <code><a href="#getAssociation">getAssociation(project, region, firewallPolicy, name=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets an association with the specified name.</p> |
| <p class="toc_element"> |
| <code><a href="#getEffectiveFirewalls">getEffectiveFirewalls(project, region, network, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns the effective firewalls on a given network.</p> |
| <p class="toc_element"> |
| <code><a href="#getIamPolicy">getIamPolicy(project, region, resource, optionsRequestedPolicyVersion=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets the access control policy for a resource. May be empty if no such</p> |
| <p class="toc_element"> |
| <code><a href="#getRule">getRule(project, region, firewallPolicy, priority=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets a rule of the specified priority.</p> |
| <p class="toc_element"> |
| <code><a href="#insert">insert(project, region, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Creates a new network firewall policy in the specified project and region.</p> |
| <p class="toc_element"> |
| <code><a href="#list">list(project, region, filter=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists all the network firewall policies that have been configured</p> |
| <p class="toc_element"> |
| <code><a href="#list_next">list_next()</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#patch">patch(project, region, firewallPolicy, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Patches the specified network firewall policy.</p> |
| <p class="toc_element"> |
| <code><a href="#patchRule">patchRule(project, region, firewallPolicy, body=None, priority=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Patches a rule of the specified priority.</p> |
| <p class="toc_element"> |
| <code><a href="#removeAssociation">removeAssociation(project, region, firewallPolicy, name=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Removes an association for the specified network firewall policy.</p> |
| <p class="toc_element"> |
| <code><a href="#removeRule">removeRule(project, region, firewallPolicy, priority=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Deletes a rule of the specified priority.</p> |
| <p class="toc_element"> |
| <code><a href="#setIamPolicy">setIamPolicy(project, region, resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Sets the access control policy on the specified resource.</p> |
| <p class="toc_element"> |
| <code><a href="#testIamPermissions">testIamPermissions(project, region, resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns permissions that a caller has on the specified resource.</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="addAssociation">addAssociation(project, region, firewallPolicy, body=None, replaceExistingAssociation=None, requestId=None, x__xgafv=None)</code> |
| <pre>Inserts an association for the specified network firewall policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to update. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "attachmentTarget": "A String", # The target that the firewall policy is attached to. |
| "displayName": "A String", # [Output Only] Deprecated, please use short name instead. The display name |
| # of the firewall policy of the association. |
| "firewallPolicyId": "A String", # [Output Only] The firewall policy ID of the association. |
| "name": "A String", # The name for an association. |
| "shortName": "A String", # [Output Only] The short name of the firewall policy of the association. |
| } |
| |
| replaceExistingAssociation: boolean, Indicates whether or not to replace it if an association already exists. |
| This is false by default, in which case an error will be returned if an |
| association already exists. |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check whether an operation with the same |
| request ID was already received and, if so, ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be a valid UUID; the zero UUID |
| (00000000-0000-0000-0000-000000000000) is not accepted. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` resource. |
| # - For regional operations, use the `regionOperations` resource. |
| # - For zonal operations, use the `zoneOperations` resource. |
| # |
| # For more information, read Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details.The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `[a-z][a-zA-Z0-9-_]+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `[A-Z][A-Z0-9_]+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `user@example.com` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
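<p>Added example, not part of this generated reference or of google-api-python-client: the addAssociation call above returns an Operation and accepts a requestId, and the two together determine whether a retried call creates one association or two. The block below shows the client-side half of that contract: one requestId reused across retries, a deliberately wrong variant that mints a fresh id per attempt, and a poll loop that waits for status DONE and surfaces the error field. With the real client the calls would be <code>compute.regionNetworkFirewallPolicies().addAssociation(project=..., region=..., firewallPolicy=..., body=..., requestId=...).execute()</code> and <code>compute.regionOperations().get(project=..., region=..., operation=...).execute()</code>; here both are injected as callables and a constructed FakeComputeServer stands in for the API so the flow runs offline. The association body, the network URL and the fake server's behaviour (work done server-side, reply lost, second poll completes) are assumptions of this example.</p>

```python
# Added example (not from the google-api-python-client docs). FakeComputeServer
# is a constructed stand-in for the Compute API; the real calls are
# regionNetworkFirewallPolicies().addAssociation(...) and regionOperations().get(...).
import uuid
from typing import Any, Callable, Dict, List, Optional

ZERO_UUID = "00000000-0000-0000-0000-000000000000"


def is_valid_request_id(rid: str) -> bool:
    """True for a well-formed UUID other than the all-zero UUID, which the API rejects."""
    try:
        return uuid.UUID(rid).int != 0
    except (ValueError, TypeError, AttributeError):
        return False


def new_request_id() -> str:
    """A random UUID4; regenerate in the (practically impossible) zero case."""
    rid = str(uuid.uuid4())
    return rid if is_valid_request_id(rid) else str(uuid.uuid4())


def submit_with_retry(call: Callable[[str], Dict[str, Any]], attempts: int = 3,
                      request_id: Optional[str] = None) -> Dict[str, Any]:
    """Invoke call(request_id) up to `attempts` times, reusing ONE requestId.

    Reusing the id is what lets the server recognise a retry of a request it
    already executed (for example the reply was lost to a client timeout) and
    return the original operation instead of creating a second association.
    """
    request_id = request_id or new_request_id()
    last_exc: Optional[Exception] = None
    for _ in range(attempts):
        try:
            return call(request_id)
        except TimeoutError as exc:  # transient failure: retry with the SAME id
            last_exc = exc
    raise RuntimeError(f"addAssociation failed after {attempts} attempts") from last_exc


def naive_retry(call: Callable[[str], Dict[str, Any]], attempts: int = 3) -> Dict[str, Any]:
    """What NOT to do: a fresh requestId per attempt, so the server cannot de-duplicate."""
    for _ in range(attempts):
        try:
            return call(new_request_id())
        except TimeoutError:
            continue
    raise RuntimeError("gave up")


def wait_for_operation(get_op: Callable[[], Dict[str, Any]], max_polls: int = 50) -> Dict[str, Any]:
    """Poll an Operation until status == DONE; raise if it completed with errors."""
    for _ in range(max_polls):
        op = get_op()
        if op.get("status") == "DONE":
            if "error" in op:  # populated only when processing produced errors
                msgs = [e.get("message") or e.get("code") for e in op["error"].get("errors", [])]
                raise RuntimeError(f"operation {op.get('name')} failed: {msgs}")
            return op
    raise TimeoutError("operation did not reach DONE")


class FakeComputeServer:
    """Constructed stand-in: models requestId de-duplication and asynchronous
    Operation status only. The first `lost_responses` calls do the work
    server-side but raise TimeoutError to the client (reply lost)."""

    def __init__(self, lost_responses: int = 1):
        self.lost_responses = lost_responses
        self.calls = 0
        self.polls = 0
        self.ops_by_request_id: Dict[str, Dict[str, Any]] = {}
        self.associations: List[Dict[str, Any]] = []

    def add_association(self, request_id: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls += 1
        op = self.ops_by_request_id.get(request_id)
        if op is None:  # first time this requestId is seen: do the work
            op = {"kind": "compute#operation", "name": f"operation-{self.calls}",
                  "operationType": "addAssociation", "status": "RUNNING",
                  "clientOperationId": request_id}
            self.ops_by_request_id[request_id] = op
            self.associations.append(body)
        if self.calls <= self.lost_responses:
            raise TimeoutError("read timed out")  # work done, client never saw the reply
        return op  # a duplicate requestId gets the original operation back

    def get_operation(self, name: str) -> Dict[str, Any]:
        self.polls += 1
        op = next(o for o in self.ops_by_request_id.values() if o["name"] == name)
        if self.polls >= 2:  # finish on the second poll
            op["status"] = "DONE"
        return op


def attach_policy(server: FakeComputeServer, network_url: str) -> Dict[str, Any]:
    """Build the association body, submit idempotently, wait for completion."""
    body = {"name": "assoc-prod-vpc", "attachmentTarget": network_url}  # assumed values
    op = submit_with_retry(lambda rid: server.add_association(rid, body))
    return wait_for_operation(lambda: server.get_operation(op["name"]))


if __name__ == "__main__":
    srv = FakeComputeServer()
    done = attach_policy(srv, "projects/my-project/global/networks/prod-vpc")
    print(done["status"], "calls:", srv.calls, "associations:", len(srv.associations))
```

<p>With the reply to the first call lost, attach_policy makes two calls but the server records one association, because the second call carries the same requestId; naive_retry under the same conditions leaves two associations behind. The same pattern applies to every mutating method on this page that takes requestId (addRule, cloneRules, delete, insert, patch, patchRule, removeAssociation, removeRule).</p>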
| |
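<p>Added example, not part of this generated reference or of google-api-python-client, for the addRule method documented next: a small builder for the FirewallPolicyRule body plus a pre-flight validator that encodes the constraints the schema states (priority range, valid actions, securityProfileGroup required only for apply_security_profile_group and mirror, tlsInspect only with apply_security_profile_group, no logging on goto_next, targetSecureTags exclusive with targetServiceAccounts, per-list maxima, ports only for tcp/udp and given as an integer or a range). Rejecting a bad body locally is cheaper than waiting on a failed Operation. Assumptions beyond this page: the direction values INGRESS and EGRESS, the port range 0 to 65535, and the lint_rule() review policy, which is this example's own and is not enforced by the API.</p>

```python
# Added example (not from the google-api-python-client docs). Limits and field
# names come from the FirewallPolicyRule schema; INGRESS/EGRESS, the 0-65535
# port bound and lint_rule() are this example's assumptions.
import re
from typing import Any, Dict, Iterable, List, Optional, Sequence, Tuple

FIREWALL_ACTIONS = {"allow", "deny", "apply_security_profile_group", "goto_next"}
MIRROR_ACTIONS = {"mirror", "do_not_mirror", "goto_next"}
WELL_KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "ipip", "sctp"}
MAX_PRIORITY = 2147483647
MATCH_LIMITS = {"srcIpRanges": 5000, "destIpRanges": 5000,      # per-list maxima from the schema
                "srcAddressGroups": 10, "destAddressGroups": 10,
                "srcFqdns": 100, "destFqdns": 100,
                "srcRegionCodes": 5000, "destRegionCodes": 5000, "srcSecureTags": 256}
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # "22" or "12345-12349"
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def make_rule(priority: Optional[int], action: str, direction: str, description: str,
              src_ip_ranges: Iterable[str], layer4: Sequence[Tuple[str, Sequence[str]]],
              enable_logging: bool = True,
              target_service_accounts: Iterable[str] = ()) -> Dict[str, Any]:
    """Assemble an addRule body. priority=None leaves the slot to the server,
    which then picks one between the minPriority/maxPriority query parameters."""
    rule: Dict[str, Any] = {
        "action": action, "direction": direction, "description": description,
        "enableLogging": enable_logging,
        "match": {"srcIpRanges": list(src_ip_ranges),
                  "layer4Configs": [{"ipProtocol": proto, "ports": list(ports)}
                                    for proto, ports in layer4]},
    }
    if priority is not None:
        rule["priority"] = priority
    if target_service_accounts:
        rule["targetServiceAccounts"] = list(target_service_accounts)
    return rule


def _port_ok(spec: str) -> bool:
    m = PORT_RE.match(spec)
    if not m:
        return False
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return 0 <= lo <= hi <= 65535


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return the schema constraints the rule violates (empty list means acceptable)."""
    errors: List[str] = []
    action = rule.get("action")
    if action not in FIREWALL_ACTIONS | MIRROR_ACTIONS:
        errors.append(f"unknown action {action!r}")
    prio = rule.get("priority")
    if prio is not None and not (isinstance(prio, int) and 0 <= prio <= MAX_PRIORITY):
        errors.append("priority must be an integer in [0, 2147483647]")
    if rule.get("direction") not in ("INGRESS", "EGRESS"):
        errors.append("direction must be INGRESS or EGRESS")
    needs_spg = action in ("apply_security_profile_group", "mirror")
    if needs_spg != bool(rule.get("securityProfileGroup")):
        errors.append("securityProfileGroup is required for apply_security_profile_group/mirror "
                      "and forbidden for other actions")
    if rule.get("tlsInspect") and action != "apply_security_profile_group":
        errors.append("tlsInspect is only allowed with apply_security_profile_group")
    if rule.get("enableLogging") and action == "goto_next":
        errors.append("logging cannot be enabled on goto_next rules")
    if rule.get("targetSecureTags") and rule.get("targetServiceAccounts"):
        errors.append("targetSecureTags and targetServiceAccounts are mutually exclusive")
    if len(rule.get("targetSecureTags", [])) > 256:
        errors.append("more than 256 targetSecureTags")
    match = rule.get("match", {})
    for key, limit in MATCH_LIMITS.items():
        if len(match.get(key, [])) > limit:
            errors.append(f"{key}: more than {limit} entries")
    for cfg in match.get("layer4Configs", []):
        proto = str(cfg.get("ipProtocol", "")).lower()
        if not (proto in WELL_KNOWN_PROTOCOLS or proto.isdigit()):
            errors.append(f"ipProtocol {proto!r} is neither a well-known name nor a number")
        ports = cfg.get("ports", [])
        if ports and proto not in ("tcp", "udp", "6", "17"):
            errors.append(f"ports are only valid for tcp/udp, not {proto!r}")
        errors.extend(f"bad port spec {p!r}" for p in ports if not _port_ok(str(p)))
    return errors


def lint_rule(rule: Dict[str, Any]) -> List[str]:
    """Review-time warnings: this example's own policy, not enforced by the API."""
    warnings: List[str] = []
    match = rule.get("match", {})
    if rule.get("action") == "allow":
        if rule.get("direction") == "INGRESS" and ANY_SOURCE & set(match.get("srcIpRanges", [])):
            warnings.append("ingress allow from any source")
        if any(c.get("ipProtocol") in ("tcp", "udp") and not c.get("ports")
               for c in match.get("layer4Configs", [])):
            warnings.append("allow on all tcp/udp ports")
        if not rule.get("enableLogging"):
            warnings.append("allow rule without logging")
    if rule.get("disabled"):
        warnings.append("rule is disabled and not enforced")
    return warnings


if __name__ == "__main__":
    rule = make_rule(1000, "allow", "INGRESS", "ssh from corp to bastions", ["10.0.0.0/8"],
                     [("tcp", ["22"])],
                     target_service_accounts=["bastion@my-project.iam.gserviceaccount.com"])
    print(validate_rule(rule), lint_rule(rule))
```

<p>A rule that passes validate_rule() is sent as the body argument of addRule; a rule that fails is rejected before any Operation is created. lint_rule() is the place to encode the organisation's own review policy, for example refusing an ingress allow from 0.0.0.0/0 or an allow rule without enableLogging, since the API accepts both.</p>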
| <div class="method"> |
| <code class="details" id="addRule">addRule(project, region, firewallPolicy, body=None, maxPriority=None, minPriority=None, requestId=None, x__xgafv=None)</code> |
| <pre>Inserts a rule into a network firewall policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to update. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For an INGRESS rule, if all the srcSecureTags are INEFFECTIVE |
| # and there is no srcIpRange, the rule is ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be an integer between 0 and 2147483647, inclusive. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTags are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags; if all the targetSecureTags are in the |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTags may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTags are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target secure tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| } |
| |
| maxPriority: integer, When rule.priority is not specified, automatically choose an unused priority between minPriority and maxPriority. |
| This field is mutually exclusive with rule.priority. |
| minPriority: integer, When rule.priority is not specified, automatically choose an unused priority between minPriority and maxPriority. |
| This field is mutually exclusive with rule.priority. |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check whether an operation with the same |
| request ID was already received and, if so, ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be a valid UUID; the zero UUID |
| (00000000-0000-0000-0000-000000000000) is not accepted. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` resource. |
| # - For regional operations, use the `regionOperations` resource. |
| # - For zonal operations, use the `zoneOperations` resource. |
| # |
| # For more information, read Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details.The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # The `Status` type defines a logical error model that is suitable for # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="cloneRules">cloneRules(project, region, firewallPolicy, requestId=None, sourceFirewallPolicy=None, x__xgafv=None)</code> |
| <pre>Copies rules to the specified network firewall policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to update. (required) |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| sourceFirewallPolicy: string, The firewall policy from which to copy rules. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` resource. |
| # - For regional operations, use the `regionOperations` resource. |
| # - For zonal operations, use the `zoneOperations` resource. |
| # |
| # For more information, read Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is inRFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details.The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # The `Status` type defines a logical error model that is suitable for # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
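<p>Added example, not code from the generated reference or from the Compute Engine client library: it shows the requestId contract described above (a non-zero UUID, reused across retries so the server can recognise and ignore a duplicate) and a check of the returned Operation before trusting that the rules were copied. The googleapiclient is not used; FakeRegionFirewallPolicies, TransientTimeout, clone_with_retry and operation_errors are constructed stand-ins that mimic only the behaviour the docs describe, so the example runs offline.</p>

```python
"""Idempotent retry of cloneRules using the documented requestId semantics,
plus a check of the returned Operation. FakeRegionFirewallPolicies is a
constructed in-memory stand-in (assumption, not the real client): it records
operations by requestId so a retry with the same ID is ignored rather than
cloning the rules a second time, which is what the requestId docs describe.
"""
import uuid

ZERO_UUID = "00000000-0000-0000-0000-000000000000"


def validate_request_id(rid: str) -> str:
    """Reject what the server rejects: text that is not a UUID, or the zero UUID."""
    try:
        parsed = uuid.UUID(rid)
    except ValueError as exc:
        raise ValueError(f"requestId is not a valid UUID: {rid!r}") from exc
    if str(parsed) == ZERO_UUID:
        raise ValueError("the zero UUID is not supported as a requestId")
    return str(parsed)


def new_request_id() -> str:
    """A fresh random (version 4) UUID, generated once per logical request."""
    return validate_request_id(str(uuid.uuid4()))


class TransientTimeout(Exception):
    """Constructed stand-in for a request that timed out before a reply arrived."""


class FakeRegionFirewallPolicies:
    """Constructed stand-in for regionNetworkFirewallPolicies.cloneRules().

    The first `fail_first` calls per requestId time out AFTER the work has been
    committed server-side, which is exactly the situation the docs warn about.
    """

    def __init__(self, fail_first: int = 1):
        self.fail_first = fail_first
        self.attempts = {}     # requestId -> number of calls seen
        self.operations = {}   # requestId -> Operation dict
        self.clone_count = 0   # how many times rules were actually cloned

    def cloneRules(self, project, region, firewallPolicy, requestId, sourceFirewallPolicy):
        validate_request_id(requestId)
        self.attempts[requestId] = self.attempts.get(requestId, 0) + 1
        if requestId not in self.operations:
            self.clone_count += 1
            self.operations[requestId] = {   # shape follows the Operation resource above
                "kind": "compute#operation",
                "name": f"operation-{self.clone_count}",
                "clientOperationId": requestId,
                "operationType": "cloneRules",
                "status": "DONE",
                "progress": 100,
                "region": f"projects/{project}/regions/{region}",
                "targetLink": f"projects/{project}/regions/{region}/firewallPolicies/{firewallPolicy}",
                "user": "alice@example.com",   # constructed value
            }
        if self.attempts[requestId] <= self.fail_first:
            raise TransientTimeout()   # committed server-side, reply lost
        return self.operations[requestId]


def clone_with_retry(client, project, region, policy, source, max_attempts=3):
    """Retry on timeout while reusing ONE requestId, so the server deduplicates
    instead of cloning the rules once per attempt."""
    request_id = new_request_id()
    for attempt in range(1, max_attempts + 1):
        try:
            return client.cloneRules(project, region, policy,
                                     requestId=request_id, sourceFirewallPolicy=source)
        except TransientTimeout:
            if attempt == max_attempts:
                raise
    raise AssertionError("unreachable")


def operation_errors(op: dict) -> list:
    """Flatten Operation.error.errors into (code, message, location) tuples.

    Raises if the operation is not DONE: an absent `error` field on a PENDING
    or RUNNING operation says nothing about whether the change will succeed.
    """
    if op.get("status") != "DONE":
        raise RuntimeError(f"operation {op.get('name')} is {op.get('status')}, not DONE")
    errs = op.get("error", {}).get("errors", [])
    return [(e.get("code"), e.get("message"), e.get("location")) for e in errs]
```

<p>The contrast worth noting: a client that generates a new requestId on every retry defeats the deduplication and commits the clone once per attempt, while one that reuses the ID gets the original Operation back. Either way, treat the firewall change as applied only after the Operation reports `DONE` with an empty `error.errors` array.</p>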
| |
| <div class="method"> |
| <code class="details" id="close">close()</code> |
| <pre>Close httplib2 connections.</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="delete">delete(project, region, firewallPolicy, requestId=None, x__xgafv=None)</code> |
| <pre>Deletes the specified network firewall policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to delete. (required) |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` resource. |
| # - For regional operations, use the `regionOperations` resource. |
| # - For zonal operations, use the `zoneOperations` resource. |
| # |
| # For more information, read Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is inRFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details.The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `user@example.com` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="get">get(project, region, firewallPolicy, x__xgafv=None)</code> |
| <pre>Returns the specified network firewall policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to get. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents a Firewall Policy resource. |
| "associations": [ # A list of associations that belong to this firewall policy. |
| { |
| "attachmentTarget": "A String", # The target that the firewall policy is attached to. |
| "displayName": "A String", # [Output Only] Deprecated, please use short name instead. The display name |
| # of the firewall policy of the association. |
| "firewallPolicyId": "A String", # [Output Only] The firewall policy ID of the association. |
| "name": "A String", # The name for an association. |
| "shortName": "A String", # [Output Only] The short name of the firewall policy of the association. |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "displayName": "A String", # Deprecated, please use short name instead. User-provided name of the |
| # Organization firewall policy. The name should be unique in the organization |
| # in which the firewall policy is created. |
| # This field is not applicable to network firewall policies. |
| # This name must be set on creation and cannot be changed. |
| # The name must be 1-63 characters long, and comply |
| # with RFC1035. Specifically, the name must be 1-63 characters |
| # long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which |
| # means the first character must be a lowercase letter, and all following |
| # characters must be a dash, lowercase letter, or digit, except the last |
| # character, which cannot be a dash. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make get() request to the |
| # firewall policy. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#firewallPolicy", # [Output only] Type of the resource. Always compute#firewallPolicy for firewall policies. |
| "name": "A String", # Name of the resource. For Organization Firewall Policies it's a |
| # [Output Only] numeric ID allocated by Google Cloud which uniquely |
| # identifies the Organization Firewall Policy. |
| "packetMirroringRules": [ # A list of packet mirroring rules that belong to this policy. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex. "US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex. "US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "parent": "A String", # [Output Only] The parent of the firewall policy. |
| # This field is not applicable to network firewall policies. |
| "policyType": "A String", # The type of the firewall policy. This field can be either VPC_POLICY or RDMA_ROCE_POLICY. |
| # |
| # Note: if not specified then VPC_POLICY will be used. |
| "region": "A String", # [Output Only] URL of the region where the regional firewall policy resides. |
| # This field is not applicable to global firewall policies. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "ruleTupleCount": 42, # [Output Only] Total count of all firewall policy rule tuples. A firewall |
| # policy can not exceed a set number of tuples. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule (rule with priority 2147483647 and |
| # match "*"). If no rules are provided when creating a firewall policy, a |
| # default rule with action "allow" will be added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex. "US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex. "US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "shortName": "A String", # User-provided name of the Organization firewall policy. The name should be |
| # unique in the organization in which the firewall policy is created. |
| # This field is not applicable to network firewall policies. |
| # This name must be set on creation and cannot be changed. The name must be |
| # 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| }</pre> |
| </div> |
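<p>The rule semantics documented in the get() response above (priority 0 is evaluated first, a disabled rule behaves as if absent, goto_next delegates to the next policy, a default rule must sit at priority 2147483647, and logging cannot be enabled on goto_next rules) can be exercised offline. The following is an added example, not code from the Compute Engine API or its client library: the policy dict is constructed to match the response schema, and its names, addresses and priorities are made up.</p>

```python
"""Evaluate and audit a regionNetworkFirewallPolicies.get() response offline.

Added example, not part of the Compute Engine API or google-api-python-client.
SAMPLE_POLICY is a constructed, abbreviated instance of the documented schema.
"""
import ipaddress

DEFAULT_PRIORITY = 2147483647  # the mandatory default rule sits at the lowest priority

# Constructed sample in the shape of the get() return value (hypothetical values).
SAMPLE_POLICY = {
    "kind": "compute#firewallPolicy",
    "name": "example-policy",               # hypothetical name
    "fingerprint": "constructed-fingerprint",
    "rules": [
        {"priority": 1000, "direction": "INGRESS", "action": "allow",
         "disabled": False, "enableLogging": True,
         "match": {"srcIpRanges": ["10.0.0.0/8"],
                   "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]}},
        {"priority": 2000, "direction": "INGRESS", "action": "allow",
         "disabled": False, "enableLogging": False,
         "match": {"srcIpRanges": ["0.0.0.0/0"],
                   "layer4Configs": [{"ipProtocol": "tcp", "ports": ["80", "443"]}]}},
        {"priority": 3000, "direction": "INGRESS", "action": "goto_next",
         "disabled": False, "enableLogging": False,
         "match": {"srcIpRanges": ["192.168.0.0/16"],
                   "layer4Configs": [{"ipProtocol": "all"}]}},
        # Default rule: matches everything, lowest priority.
        {"priority": DEFAULT_PRIORITY, "direction": "INGRESS", "action": "deny",
         "disabled": False, "enableLogging": True,
         "match": {"srcIpRanges": ["0.0.0.0/0"],
                   "layer4Configs": [{"ipProtocol": "all"}]}},
    ],
}


def _port_matches(port, ports):
    """Each entry is an integer or an inclusive range like "12345-12349"; no list means any port."""
    if not ports:
        return True
    for entry in ports:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _l4_matches(proto, port, configs):
    """True if any layer4Config matches; "all" is treated as a protocol wildcard here."""
    for cfg in configs:
        if cfg["ipProtocol"].lower() not in ("all", proto):
            continue
        # Ports are only meaningful for tcp/udp; other protocols match on protocol alone.
        if proto not in ("tcp", "udp") or _port_matches(port, cfg.get("ports")):
            return True
    return False


def _src_matches(src_ip, ranges):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def evaluate(policy, src_ip, proto, port=None, direction="INGRESS"):
    """Return (action, priority) of the first matching rule, or None if nothing matched.

    Rules are walked from priority 0 upward; disabled rules are skipped as if absent.
    A goto_next match is returned as-is: it ends evaluation of this policy and hands
    the decision to the next policy in the evaluation order.
    """
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
        if rule.get("disabled") or rule.get("direction", "INGRESS") != direction:
            continue
        match = rule["match"]
        if not _src_matches(src_ip, match.get("srcIpRanges", [])):
            continue
        if not _l4_matches(proto.lower(), port, match.get("layer4Configs", [])):
            continue
        return rule["action"], rule["priority"]
    return None  # should be unreachable while the default rule is present


def audit(policy):
    """Findings a reviewer would want from a policy returned by get()."""
    findings = []
    rules = policy.get("rules", [])
    if not any(r["priority"] == DEFAULT_PRIORITY for r in rules):
        findings.append("no default rule at priority 2147483647")
    for r in rules:
        ranges = r["match"].get("srcIpRanges", [])
        any_source = any(ipaddress.ip_network(x, strict=False).prefixlen == 0 for x in ranges)
        tag = f"rule {r['priority']}"
        if r["action"] == "allow" and any_source and r["priority"] != DEFAULT_PRIORITY:
            findings.append(f"{tag}: allow from any source")
        if r["action"] == "allow" and not r.get("enableLogging"):
            findings.append(f"{tag}: allow rule without logging")
        if r["action"] == "goto_next" and r.get("enableLogging"):
            findings.append(f"{tag}: logging cannot be enabled on goto_next rules")
        if r.get("disabled"):
            findings.append(f"{tag}: disabled, traffic behaves as if it did not exist")
    return findings


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, "203.0.113.5", "tcp", 22))   # ('deny', 2147483647)
    print(evaluate(SAMPLE_POLICY, "192.168.1.1", "udp", 53))   # ('goto_next', 3000)
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```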
| |
| <div class="method"> |
| <code class="details" id="getAssociation">getAssociation(project, region, firewallPolicy, name=None, x__xgafv=None)</code> |
| <pre>Gets an association with the specified name. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to which the queried association belongs. (required) |
| name: string, The name of the association to get from the firewall policy. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "attachmentTarget": "A String", # The target that the firewall policy is attached to. |
| "displayName": "A String", # [Output Only] Deprecated, please use short name instead. The display name |
| # of the firewall policy of the association. |
| "firewallPolicyId": "A String", # [Output Only] The firewall policy ID of the association. |
| "name": "A String", # The name for an association. |
| "shortName": "A String", # [Output Only] The short name of the firewall policy of the association. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getEffectiveFirewalls">getEffectiveFirewalls(project, region, network, x__xgafv=None)</code> |
| <pre>Returns the effective firewalls on a given network. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| network: string, Network reference (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "firewallPolicys": [ # [Output only] Effective firewalls from firewall policy. It applies to |
| # Regional Network Firewall Policies in the specified region, Global Network |
| # Firewall Policies and Hierarchical Firewall Policies which are associated |
| # with the network. |
| { |
| "displayName": "A String", # [Output Only] The display name of the firewall policy. |
| "name": "A String", # [Output Only] The name of the firewall policy. |
| "packetMirroringRules": [ # [Output only] The packet mirroring rules that apply to the network. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs are exported to the configured export destination in |
| # Cloud Logging (formerly Stackdriver) and may be routed on to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For an INGRESS rule, if all the srcSecureTags are INEFFECTIVE |
| # and no srcIpRanges are set, this rule is ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a non-negative integer between 0 and 2147483647 inclusive. |
| # Rules are evaluated from highest to lowest priority, where 0 is the |
| # highest priority and 2147483647 is the lowest. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfileGroup resource. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTags are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags; if all the targetSecureTags are in the |
| # INEFFECTIVE state, this rule is ignored. targetSecureTags may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTags are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target secure tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "priority": 42, # [Output only] Priority of firewall policy association. Not applicable for |
| # type=HIERARCHY. |
| "rules": [ # [Output only] The rules that apply to the network. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs are exported to the configured export destination in |
| # Cloud Logging (formerly Stackdriver) and may be routed on to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For an INGRESS rule, if all the srcSecureTags are INEFFECTIVE |
| # and no srcIpRanges are set, this rule is ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a non-negative integer between 0 and 2147483647 inclusive. |
| # Rules are evaluated from highest to lowest priority, where 0 is the |
| # highest priority and 2147483647 is the lowest. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfileGroup resource. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTags are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags; if all the targetSecureTags are in the |
| # INEFFECTIVE state, this rule is ignored. targetSecureTags may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTags are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target secure tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "type": "A String", # [Output Only] The type of the firewall policy. Can be one of HIERARCHY, |
| # NETWORK, NETWORK_REGIONAL, SYSTEM_GLOBAL, SYSTEM_REGIONAL. |
| }, |
| ], |
| "firewalls": [ # Effective firewalls on the network. |
| { # Represents a Firewall Rule resource. |
| # |
| # Firewall rules allow or deny ingress traffic to, and egress traffic from your |
| # instances. For more information, read the Firewall rules documentation. |
| "allowed": [ # The list of ALLOW rules specified by this firewall. Each rule specifies a |
| # protocol and port-range tuple that describes a permitted connection. |
| { |
| "IPProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be one of the |
| # following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. |
| # This field is only applicable for the UDP or TCP protocol. |
| # Each entry must be either an integer or a range. |
| # If not specified, this rule applies to connections through any port. |
| # |
| # Example inputs include: ["22"], ["80","443"], |
| # and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "denied": [ # The list of DENY rules specified by this firewall. Each rule specifies a |
| # protocol and port-range tuple that describes a denied connection. |
| { |
| "IPProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be one of the |
| # following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. |
| # This field is only applicable for the UDP or TCP protocol. |
| # Each entry must be either an integer or a range. |
| # If not specified, this rule applies to connections through any port. |
| # |
| # Example inputs include: ["22"], ["80","443"], |
| # and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "description": "A String", # An optional description of this resource. Provide this field when you |
| # create the resource. |
| "destinationRanges": [ # If destination ranges are specified, the firewall rule applies only to |
| # traffic that has destination IP address in these ranges. These ranges must |
| # be expressed in CIDR format. Both IPv4 and IPv6 are supported. |
| "A String", |
| ], |
| "direction": "A String", # Direction of traffic to which this firewall applies, either `INGRESS` or |
| # `EGRESS`. The default is `INGRESS`. For `EGRESS` traffic, you cannot |
| # specify the sourceTags fields. |
| "disabled": True or False, # Denotes whether the firewall rule is disabled. When set to true, the |
| # firewall rule is not enforced and the network behaves as if it did not |
| # exist. If this is unspecified, the firewall rule will be enabled. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#firewall", # [Output Only] Type of the resource. Always compute#firewall |
| # for firewall rules. |
| "logConfig": { # The available logging options for a firewall rule. # This field denotes the logging options for a particular firewall rule. If |
| # logging is enabled, logs will be exported to Cloud Logging. |
| "enable": True or False, # This field denotes whether to enable logging for a particular firewall |
| # rule. |
| "metadata": "A String", # This field can only be specified for a particular firewall rule if |
| # logging is enabled for that rule. This field denotes whether to include |
| # or exclude metadata for firewall logs. |
| }, |
| "name": "A String", # Name of the resource; provided by the client when the resource is created. |
| # The name must be 1-63 characters long, comply with RFC1035, and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character |
| # must be a lowercase letter, and all following characters (except for the |
| # last character) must be a dash, lowercase letter, or digit. The last |
| # character must be a lowercase letter or digit. |
| "network": "A String", # URL of the network resource for this firewall rule. If not |
| # specified when creating a firewall rule, the default network |
| # is used: |
| # |
| # global/networks/default |
| # |
| # If you choose to specify this field, you can specify the network as a full |
| # or partial URL. For example, the following are all valid URLs: |
| # |
| # - |
| # https://www.googleapis.com/compute/v1/projects/myproject/global/networks/my-network |
| # - projects/myproject/global/networks/my-network |
| # - global/networks/default |
| "params": { # [Input Only] Additional params passed with the request, but not persisted |
| # as part of resource payload. |
| "resourceManagerTags": { # Tag keys/values directly bound to this resource. |
| # Tag keys and values have the same definition as resource |
| # manager tags. The field is allowed for INSERT |
| # only. The keys/values to set on the resource should be specified in |
| # either ID format or namespaced format. |
| # For example the following are valid inputs: |
| # * {"tagKeys/333" : "tagValues/444", "tagKeys/123" : "tagValues/456"} |
| # * {"123/environment" : "production", "345/abc" : "xyz"} |
| # Note: |
| # * Mixing ID and namespaced format within one entry is not supported. For |
| # instance: {"123/environment" : "tagValues/444"} is invalid. |
| "a_key": "A String", |
| }, |
| }, |
| "priority": 42, # Priority for this rule. |
| # This is an integer between `0` and `65535`, both inclusive. |
| # The default value is `1000`. |
| # Relative priorities determine which rule takes effect if multiple rules |
| # apply. Lower values indicate higher priority. For example, a rule with |
| # priority `0` has higher precedence than a rule with priority `1`. |
| # DENY rules take precedence over ALLOW rules if they have equal priority. |
| # Note that VPC networks have implied |
| # rules with a priority of `65535`. To avoid conflicts with the implied |
| # rules, use a priority number less than `65535`. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "sourceRanges": [ # If source ranges are specified, the firewall rule applies only to traffic |
| # that has a source IP address in these ranges. These ranges must be |
| # expressed in CIDR format. One or both of sourceRanges |
| # and sourceTags may be set. |
| # If both fields are set, the rule applies to traffic that has a |
| # source IP address within sourceRanges OR a source IP |
| # from a resource with a matching tag listed in the sourceTags field. The connection does not need to match |
| # both fields for the rule to |
| # apply. Both IPv4 and IPv6 are supported. |
| "A String", |
| ], |
| "sourceServiceAccounts": [ # If source service accounts are specified, the firewall rule applies only to |
| # traffic originating from an instance with a service account in this list. |
| # Source service accounts cannot be used to control traffic to an instance's |
| # external IP address because service accounts are associated with an |
| # instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. |
| # If both are set, the firewall applies to traffic that |
| # has a source IP address within the sourceRanges OR a source |
| # IP that belongs to an instance with a service account listed in sourceServiceAccounts. The connection does not need to match |
| # both fields for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. |
| "A String", |
| ], |
| "sourceTags": [ # If source tags are specified, the firewall rule applies only to traffic |
| # with source IPs that match the primary network interfaces of VM instances |
| # that have the tag and are in the same VPC network. |
| # Source tags cannot be used to control traffic to an instance's external IP |
| # address; because tags are associated with instances, not IP addresses, they |
| # only apply to traffic between instances in the same virtual network. |
| # One or both of sourceRanges and sourceTags may be |
| # set. If both fields are set, the firewall applies to traffic that has a |
| # source IP address within sourceRanges OR a source IP from a |
| # resource with a matching tag listed in the sourceTags |
| # field. The connection does not need to match both fields for the |
| # firewall to apply. |
| "A String", |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating sets of instances located in the |
| # network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. |
| # If neither targetServiceAccounts nor targetTags |
| # are specified, the firewall rule applies to all instances on the specified |
| # network. |
| "A String", |
| ], |
| "targetTags": [ # A list of tags that controls which instances the firewall rule |
| # applies to. If targetTags are specified, then the firewall |
| # rule applies only to instances in the VPC network that have one of those |
| # tags. If no targetTags are specified, the firewall rule |
| # applies to all instances on the specified network. |
| "A String", |
| ], |
| }, |
| ], |
| }</pre> |
| </div> |
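<p>The response above lists every layer that can act on a packet, but it does not say which one wins. The following Python is an added example, not code from the generated client library or its documentation: it flattens a getEffectiveFirewalls response into enforcement order and answers "which rule decides this packet, and is it logged?". It assumes the documented default order (hierarchical policies, then the global network firewall policy, then the regional one, then VPC firewall rules; lower priority value first, with deny beating allow on equal priority among VPC rules), places the SYSTEM_* policy types after the user-managed ones (an assumption), models only IP-sourced traffic (tag and service-account sources are skipped), and runs over a constructed response, <code>SAMPLE</code>, shaped like the schema above rather than real API output. The helper names (<code>flatten</code>, <code>evaluate</code>, <code>unlogged_public_allows</code>) are this example's own.</p>

```python
"""Flatten a getEffectiveFirewalls() response into enforcement order and ask
"what happens to this packet?". Added example, not part of the client docs; it
assumes the documented default order (hierarchical, global, regional, then VPC rules)."""
import ipaddress
from dataclasses import dataclass, field

_TYPE_RANK = {"HIERARCHY": 0, "NETWORK": 1, "NETWORK_REGIONAL": 2}  # SYSTEM_*/unknown sort after these (assumption)

@dataclass
class Rule:
    origin: str          # "TYPE:policy-name", "vpc-firewall:name" or "implied"
    priority: int
    direction: str
    action: str          # allow | deny | goto_next; mirroring actions never filter traffic
    l4: list             # [(protocol, [ports])]; protocol "all" or an empty port list is a wildcard
    src_ranges: list
    disabled: bool = False
    logging: bool = False
    target_tags: list = field(default_factory=list)   # secure tag names (policy) or network tags (VPC)
    target_sas: list = field(default_factory=list)

def _from_policy(pol, r):
    m = r.get("match", {})
    return Rule(f"{pol['type']}:{pol['name']}", r["priority"], r.get("direction", "INGRESS"), r["action"],
                [(c["ipProtocol"].lower(), c.get("ports", [])) for c in m.get("layer4Configs", [])],
                m.get("srcIpRanges", []), r.get("disabled", False), r.get("enableLogging", False),
                [t["name"] for t in r.get("targetSecureTags", [])], r.get("targetServiceAccounts", []))

def _from_vpc(fw):
    action, entries = ("allow", fw["allowed"]) if fw.get("allowed") else ("deny", fw.get("denied", []))
    return Rule(f"vpc-firewall:{fw['name']}", fw.get("priority", 1000), fw.get("direction", "INGRESS"), action,
                [(e["IPProtocol"].lower(), e.get("ports", [])) for e in entries], fw.get("sourceRanges", []),
                fw.get("disabled", False), fw.get("logConfig", {}).get("enable", False),
                fw.get("targetTags", []), fw.get("targetServiceAccounts", []))

def flatten(resp):
    """All rules in the order the data plane consults them."""
    rules = []
    for pol in sorted(resp.get("firewallPolicys", []), key=lambda p: _TYPE_RANK.get(p["type"], 99)):
        rules += [_from_policy(pol, r) for r in sorted(pol.get("rules", []), key=lambda r: r["priority"])]
    rules += [_from_vpc(f) for f in sorted(resp.get("firewalls", []),
                                           key=lambda f: (f.get("priority", 1000), 0 if f.get("denied") else 1))]
    return rules

def _port_ok(ports, port):
    return not ports or any(int(p.partition("-")[0]) <= port <= int(p.partition("-")[2] or p) for p in ports)

def _matches(rule, direction, proto, port, src, tags, sa):
    if rule.disabled or rule.direction != direction or rule.action not in ("allow", "deny", "goto_next"):
        return False
    if (rule.target_tags or rule.target_sas) and not (set(rule.target_tags) & tags or sa in rule.target_sas):
        return False                                    # rule is scoped to other instances
    if not rule.src_ranges:                             # tag/service-account sources name instances,
        return False                                    # not an external IP; this probe does not model them
    if not any(src in ipaddress.ip_network(r, strict=False) for r in rule.src_ranges):
        return False
    return any(p == "all" or (p == proto and _port_ok(ports, port)) for p, ports in rule.l4)

def evaluate(rules, direction="INGRESS", proto="tcp", port=22, src_ip="203.0.113.5", tags=(), sa=None):
    """First decisive rule for the packet, or the implied VPC rule (deny ingress, allow egress)."""
    src, handed_off = ipaddress.ip_address(src_ip), None
    for rule in rules:
        if rule.origin == handed_off:                   # goto_next already skipped the rest of that policy
            continue
        if _matches(rule, direction, proto, port, src, set(tags), sa):
            if rule.action == "goto_next":
                handed_off = rule.origin
                continue
            return rule
    return Rule("implied", 65535, direction, "deny" if direction == "INGRESS" else "allow", [("all", [])], ["0.0.0.0/0"])

def unlogged_public_allows(rules):
    """Enabled allow rules reachable from any address that would leave no log trail."""
    return [f"{r.origin}#{r.priority}" for r in rules if r.action == "allow" and not r.disabled
            and not r.logging and any(x in ("0.0.0.0/0", "::/0") for x in r.src_ranges)]

SAMPLE = {  # constructed in the documented response shape; not real API output
    "firewallPolicys": [
        {"name": "regional-pol", "type": "NETWORK_REGIONAL", "rules": [
            {"priority": 100, "direction": "INGRESS", "action": "allow", "enableLogging": False,
             "match": {"srcIpRanges": ["0.0.0.0/0"], "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]}}]},
        {"name": "org-pol", "type": "HIERARCHY", "rules": [
            {"priority": 10, "direction": "INGRESS", "action": "deny", "enableLogging": True,
             "match": {"srcIpRanges": ["0.0.0.0/0"], "layer4Configs": [{"ipProtocol": "tcp", "ports": ["3389"]}]}},
            {"priority": 20, "direction": "INGRESS", "action": "goto_next",
             "match": {"srcIpRanges": ["0.0.0.0/0"], "layer4Configs": [{"ipProtocol": "all"}]}},
            {"priority": 30, "direction": "INGRESS", "action": "deny",  # never reached: 20 hands off first
             "match": {"srcIpRanges": ["0.0.0.0/0"], "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]}}]}],
    "firewalls": [
        {"name": "allow-ssh-iap", "direction": "INGRESS", "priority": 1000, "targetTags": ["ssh"],
         "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "logConfig": {"enable": True}},
        {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 65000, "sourceRanges": ["0.0.0.0/0"],
         "denied": [{"IPProtocol": "all"}]}]}

if __name__ == "__main__":
    rules = flatten(SAMPLE)
    hit = evaluate(rules)                                # tcp/22 from an arbitrary internet address
    print(f"tcp/22 -> {hit.action} by {hit.origin}#{hit.priority}; unlogged public allows: {unlogged_public_allows(rules)}")
```

<p>The sample shows the failure mode this call exists to catch: the regional policy rule that allows tcp/22 from 0.0.0.0/0 decides the packet before the VPC firewall rule restricting SSH to the IAP range is ever consulted, and because the hierarchical policy hands off with goto_next at priority 20, its own deny at priority 30 is never reached. The same walk answers tcp/3389 (denied at the hierarchy level, logged) and tcp/443 (denied by the VPC catch-all at 65000), and an egress probe falls through to the implied allow.</p>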
| |
| <div class="method"> |
| <code class="details" id="getIamPolicy">getIamPolicy(project, region, resource, optionsRequestedPolicyVersion=None, x__xgafv=None)</code> |
| <pre>Gets the access control policy for a resource. May be empty if no such |
| policy or resource exists. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, The name of the region for this request. (required) |
| resource: string, Name or id of the resource for this request. (required) |
| optionsRequestedPolicyVersion: integer, Requested IAM Policy version. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # An Identity and Access Management (IAM) policy, which specifies access |
| # controls for Google Cloud resources. |
| # |
| # |
| # A `Policy` is a collection of `bindings`. A `binding` binds one or more |
| # `members`, or principals, to a single `role`. Principals can be user |
| # accounts, service accounts, Google groups, and domains (such as Google Workspace, formerly G Suite). A |
| # `role` is a named list of permissions; each `role` can be an IAM predefined |
| # role or a user-created custom role. |
| # |
| # For some types of Google Cloud resources, a `binding` can also specify a |
| # `condition`, which is a logical expression that allows access to a resource |
| # only if the expression evaluates to `true`. A condition can add constraints |
| # based on attributes of the request, the resource, or both. To learn which |
| # resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # **JSON example:** |
| # |
| # ``` |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/resourcemanager.organizationAdmin", |
| # "members": [ |
| # "user:mike@example.com", |
| # "group:admins@example.com", |
| # "domain:google.com", |
| # "serviceAccount:my-project-id@appspot.gserviceaccount.com" |
| # ] |
| # }, |
| # { |
| # "role": "roles/resourcemanager.organizationViewer", |
| # "members": [ |
| # "user:eve@example.com" |
| # ], |
| # "condition": { |
| # "title": "expirable access", |
| # "description": "Does not grant access after Sep 2020", |
| # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", |
| # } |
| # } |
| # ], |
| # "etag": "BwWWja0YfJA=", |
| # "version": 3 |
| # } |
| # ``` |
| # |
| # **YAML example:** |
| # |
| # ``` |
| # bindings: |
| # - members: |
| # - user:mike@example.com |
| # - group:admins@example.com |
| # - domain:google.com |
| # - serviceAccount:my-project-id@appspot.gserviceaccount.com |
| # role: roles/resourcemanager.organizationAdmin |
| # - members: |
| # - user:eve@example.com |
| # role: roles/resourcemanager.organizationViewer |
| # condition: |
| # title: expirable access |
| # description: Does not grant access after Sep 2020 |
| # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') |
| # etag: BwWWja0YfJA= |
| # version: 3 |
| # ``` |
| # |
| # For a description of IAM and its features, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/). |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:jose@example.com" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # }, |
| # { |
| # "log_type": "ADMIN_READ" |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "sampleservice.googleapis.com", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ" |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:aliya@example.com" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts `jose@example.com` from DATA_READ logging, and |
| # `aliya@example.com` from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:jose@example.com" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # jose@example.com from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "bindings": [ # Associates a list of `members`, or principals, with a `role`. Optionally, |
| # may specify a `condition` that determines how and when the `bindings` are |
| # applied. Each of the `bindings` must contain at least one principal. |
| # |
| # The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 |
| # of these principals can be Google groups. Each occurrence of a principal |
| # counts towards these limits. For example, if the `bindings` grant 50 |
| # different roles to `user:[email protected]`, and not to any other |
| # principal, then you can add another 1,450 principals to the `bindings` in |
| # the `Policy`. |
| { # Associates `members`, or principals, with a `role`. |
| "condition": { # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the principals in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # The value is a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Google Cloud resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # Does not include identities that come from external identity providers |
| # (IdPs) through identity federation. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a Google |
| # service account. For example, |
| # `[email protected]`. |
| # |
| # * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An |
| # identifier for a |
| # [Kubernetes service |
| # account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). |
| # For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| # |
| # |
| # |
| # * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workforce identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: |
| # All workforce identities in a group. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All workforce identities with a specific attribute value. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: |
| # All identities in a workforce identity pool. |
| # |
| # * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workload identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: |
| # A workload identity pool group. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All identities in a workload identity pool with a certain attribute. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: |
| # All identities in a workload identity pool. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `[email protected]?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `[email protected]?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `[email protected]?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # Deleted single identity in a workforce identity pool. For example, |
| # `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # |
| # For an overview of the IAM roles and permissions, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For |
| # a list of the available pre-defined roles, see |
| # [here](https://cloud.google.com/iam/docs/understanding-roles). |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| "version": 42, # Specifies the format of the policy. |
| # |
| # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value |
| # are rejected. |
| # |
| # Any operation that affects conditional role bindings must specify version |
| # `3`. This requirement applies to the following operations: |
| # |
| # * Getting a policy that includes a conditional role binding |
| # * Adding a conditional role binding to a policy |
| # * Changing a conditional role binding in a policy |
| # * Removing any role binding, with or without a condition, from a policy |
| # that includes conditions |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| # |
| # If a policy does not include any conditions, operations on that policy may |
| # specify any valid version or leave the field unset. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| }</pre> |
| </div> |
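The `etag` and `version` notes above describe a read-modify-write discipline, and the consequence of skipping it (a stale write clobbering another writer's change, or a version `1` write dropping every condition). The following is an added example, not code from google-api-python-client or Google's API: `PolicyStore` is a stand-in for one resource's `getIamPolicy`/`setIamPolicy` pair so that the example runs offline, and it models only the two behaviours documented above, a stale-etag rejection and the version `3` requirement for conditional bindings. The roles and principals in the sample policy are constructed placeholders.

```python
"""Etag-guarded read-modify-write of an IAM Policy of the shape documented above.

Added example, not part of google-api-python-client. PolicyStore is a stand-in
for the real getIamPolicy/setIamPolicy pair so the code runs offline; the only
behaviour it models is what the `etag` and `version` docs above describe.
"""
import copy
import hashlib
import json


class StaleEtagError(Exception):
    """Simulated setIamPolicy rejection: the policy changed since it was read."""


class PolicyStore:
    """Stand-in for one resource's IAM policy endpoint (assumption, not the API)."""

    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = self._etag_of(self._policy)

    @staticmethod
    def _etag_of(policy):
        # Any digest of the policy body will do here; the real etag is opaque.
        body = {k: v for k, v in policy.items() if k != "etag"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()[:16]

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy):
        if policy.get("etag") != self._policy["etag"]:
            raise StaleEtagError("etag mismatch: re-read the policy and retry")
        if any("condition" in b for b in policy.get("bindings", [])) and policy.get("version") != 3:
            raise ValueError("a policy with conditional bindings must specify version 3")
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = self._etag_of(self._policy)
        return self.get_iam_policy()


def add_binding(policy, role, member, condition=None):
    """Return a copy of `policy` granting `member` the `role`, etag preserved.

    A binding with the same role and an identical condition is reused; otherwise
    a new one is appended. The version is raised to 3 as soon as any binding
    carries a condition, as the `version` field documentation requires.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        binding = {"role": role, "members": [member]}
        if condition is not None:
            binding["condition"] = condition
        bindings.append(binding)
    if any("condition" in b for b in bindings):
        updated["version"] = 3
    return updated


def grant_with_retry(store, role, member, condition=None, attempts=3):
    """Read-modify-write loop: on a stale etag, re-read and reapply the change."""
    for _ in range(attempts):
        current = store.get_iam_policy()
        try:
            return store.set_iam_policy(add_binding(current, role, member, condition))
        except StaleEtagError:
            continue
    raise RuntimeError("policy kept changing underneath us; giving up")


def demonstrate_lost_update_prevention():
    """Two writers start from one snapshot; the second write is refused, not merged over."""
    # Constructed sample policy; the principals are placeholders.
    store = PolicyStore({"version": 1, "bindings": [
        {"role": "roles/compute.viewer", "members": ["group:netops@example.com"]},
    ]})
    snapshot_a = store.get_iam_policy()
    snapshot_b = store.get_iam_policy()
    store.set_iam_policy(add_binding(snapshot_a, "roles/compute.securityAdmin",
                                     "user:alice@example.com"))
    try:
        store.set_iam_policy(add_binding(snapshot_b, "roles/compute.viewer",
                                         "user:bob@example.com"))
        return "lost update"  # would have silently dropped Alice's grant
    except StaleEtagError:
        pass
    # Re-reading picks up Alice's grant before Bob's is layered on top.
    final = grant_with_retry(store, "roles/compute.viewer", "user:bob@example.com")
    return sorted(b["role"] for b in final["bindings"])
```

Against the real API the two store methods correspond to `getIamPolicy(...).execute()` and `setIamPolicy(..., body={"policy": updated}).execute()`; the point that carries over is that `updated` must still contain the etag returned by the read, and must say `version: 3` whenever any binding has a `condition`.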
| |
| <div class="method"> |
| <code class="details" id="getRule">getRule(project, region, firewallPolicy, priority=None, x__xgafv=None)</code> |
| <pre>Gets a rule of the specified priority. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to which the queried rule belongs. (required) |
| priority: integer, The priority of the rule to get from the firewall policy. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be an integer value between 0 and 2147483647, inclusive. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }</pre> |
| </div> |
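The rule object above is evaluated in priority order, with three details that decide whether a packet is actually blocked: `0` is the highest priority, a `disabled` rule behaves as if it did not exist, and a matching `goto_next` rule defers to the next match. The following is an added example, not Google's enforcement engine or any code from the client library: a local first-match evaluator over rule dicts of exactly this shape, modelling only `priority`, `disabled`, `direction`, `action`, `srcIpRanges`/`destIpRanges` and `layer4Configs`. It assumes the catch-all default rule is written as `0.0.0.0/0` with the protocol string `all`, and that an absent range list places no IP constraint. The rule set is constructed sample data; it includes a disabled `deny` that reads like it closes SSH from the internet but is never enforced, which is the case a reviewer most wants such a tool to surface.

```python
"""First-match evaluation of firewallPolicyRule objects of the shape getRule returns.

Added example, not Google's enforcement engine: it models only priority,
disabled, direction, action, srcIpRanges/destIpRanges and layer4Configs.
Assumptions: the catch-all default rule is written as "0.0.0.0/0" with the
protocol string "all", and a missing range list places no IP constraint.
"""
import ipaddress


def _port_matches(ports, port):
    """Empty `ports` means any port; entries look like "22" or "12345-12349"."""
    if not ports:
        return True
    if port is None:
        return False
    for entry in ports:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _layer4_matches(configs, protocol, port):
    for cfg in configs:
        if cfg["ipProtocol"] not in ("all", protocol):
            continue
        # Ports only constrain TCP and UDP; other protocols match on protocol alone.
        if protocol in ("tcp", "udp") and not _port_matches(cfg.get("ports", []), port):
            continue
        return True
    return False


def _ip_in_ranges(ranges, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def evaluate(rules, direction, src_ip, dest_ip, protocol, port=None):
    """Return (action, priority) of the first enforced rule that matches, else None.

    Rules are walked from priority 0 (highest) upward. Disabled rules behave as
    if absent, and a matching "goto_next" rule hands the packet to the next one.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("disabled") or rule["direction"] != direction:
            continue
        match = rule["match"]
        src_ranges, dest_ranges = match.get("srcIpRanges"), match.get("destIpRanges")
        if src_ranges and not _ip_in_ranges(src_ranges, src_ip):
            continue
        if dest_ranges and not _ip_in_ranges(dest_ranges, dest_ip):
            continue
        if not _layer4_matches(match.get("layer4Configs", []), protocol, port):
            continue
        if rule["action"] == "goto_next":
            continue
        return rule["action"], rule["priority"]
    return None


# Constructed sample: the deny at priority 2000 looks like it closes SSH from the
# internet, but it is disabled and therefore never enforced.
SAMPLE_RULES = [
    {"priority": 1000, "direction": "INGRESS", "action": "allow",
     "match": {"srcIpRanges": ["10.0.0.0/8"],
               "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]}},
    {"priority": 2000, "direction": "INGRESS", "action": "deny", "disabled": True,
     "match": {"srcIpRanges": ["0.0.0.0/0"],
               "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]}},
    {"priority": 3000, "direction": "INGRESS", "action": "goto_next",
     "match": {"srcIpRanges": ["0.0.0.0/0"],
               "layer4Configs": [{"ipProtocol": "tcp", "ports": ["8000-8999"]}]}},
    {"priority": 4000, "direction": "INGRESS", "action": "deny",
     "match": {"srcIpRanges": ["0.0.0.0/0"],
               "layer4Configs": [{"ipProtocol": "tcp", "ports": ["8000-8999"]}]}},
    {"priority": 2147483647, "direction": "INGRESS", "action": "allow",
     "match": {"srcIpRanges": ["0.0.0.0/0"], "layer4Configs": [{"ipProtocol": "all"}]}},
]


def unenforced_denies(rules):
    """Priorities of deny rules that are disabled: they read as protection but do nothing."""
    return [r["priority"] for r in rules if r["action"] == "deny" and r.get("disabled")]
```

With these rules, SSH from `203.0.113.5` falls through the disabled deny and the two `8000-8999` rules to the default `allow` at `2147483647`, while TCP `8080` from the same source is handed on by the `goto_next` rule and denied at `4000`. Feeding the `rules` list from a real policy (as returned by `get` or assembled from `getRule` calls) into `unenforced_denies` is a cheap audit for denies that exist on paper only.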
| |
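The field documentation for a rule states a number of limits and mutual exclusions (at most 5000 CIDR ranges, 10 address groups, 100 FQDNs and 256 secure tags per side; no logging on `goto_next`; `securityProfileGroup` required exactly for `apply_security_profile_group` and `mirror`; `tlsInspect` only with `apply_security_profile_group`; `targetSecureTags` and `targetServiceAccounts` never together; ports only for TCP/UDP). Rather than discover each one as a rejected request, a pre-flight lint catches them locally. The following is an added example, not part of the client library, and the API remains the authority for anything it does not check; it accepts `all` as a protocol string, which the list above does not name and is an assumption. The rule objects under `<test>`-style usage are constructed samples.

```python
"""Pre-flight checks on a firewallPolicyRule object before addRule/patchRule/insert.

Added example, not part of the client library. Every limit below is the one stated
in the field documentation above; the API is the authority for anything this misses.
"""
MAX_PRIORITY = 2147483647
LIST_LIMITS = {  # match field -> maximum number of entries, as documented
    "srcIpRanges": 5000, "destIpRanges": 5000,
    "srcRegionCodes": 5000, "destRegionCodes": 5000,
    "srcAddressGroups": 10, "destAddressGroups": 10,
    "srcFqdns": 100, "destFqdns": 100,
    "srcSecureTags": 256,
}
FIREWALL_ACTIONS = {"allow", "deny", "apply_security_profile_group", "goto_next"}
MIRROR_ACTIONS = {"mirror", "do_not_mirror", "goto_next"}
# "all" is not in the documented list of well-known strings; accepting it is an assumption.
WELL_KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "ipip", "sctp", "all"}


def lint_rule(rule, packet_mirroring=False):
    """Return a list of problems; an empty list means the rule passed every check."""
    problems = []
    action = rule.get("action")
    allowed = MIRROR_ACTIONS if packet_mirroring else FIREWALL_ACTIONS
    if action not in allowed:
        problems.append(f"action {action!r} not in {sorted(allowed)}")

    prio = rule.get("priority")
    if not isinstance(prio, int) or not 0 <= prio <= MAX_PRIORITY:
        problems.append("priority must be an integer in 0..2147483647")

    if rule.get("enableLogging") and action == "goto_next":
        problems.append("logging cannot be enabled on goto_next rules")

    needs_profile = action in ("apply_security_profile_group", "mirror")
    if needs_profile != bool(rule.get("securityProfileGroup")):
        problems.append("securityProfileGroup must be set exactly when action is "
                        "apply_security_profile_group or mirror")
    if rule.get("tlsInspect") and action != "apply_security_profile_group":
        problems.append("tlsInspect is only valid with apply_security_profile_group")

    if rule.get("targetSecureTags") and rule.get("targetServiceAccounts"):
        problems.append("targetSecureTags and targetServiceAccounts are mutually exclusive")
    if len(rule.get("targetSecureTags", [])) > 256:
        problems.append("more than 256 targetSecureTags")

    match = rule.get("match", {})
    for field, limit in LIST_LIMITS.items():
        if len(match.get(field, [])) > limit:
            problems.append(f"{field} has more than {limit} entries")
    for cfg in match.get("layer4Configs", []):
        proto = str(cfg.get("ipProtocol", ""))
        if proto not in WELL_KNOWN_PROTOCOLS and not proto.isdigit():
            problems.append(f"ipProtocol {proto!r} is neither a well-known name nor a number")
        if cfg.get("ports") and proto not in ("tcp", "udp"):
            problems.append(f"ports given for non-TCP/UDP protocol {proto!r}")
        for entry in cfg.get("ports", []):
            lo, _, hi = str(entry).partition("-")
            if not lo.isdigit() or (hi and not hi.isdigit()) or int(hi or lo) < int(lo):
                problems.append(f"malformed port entry {entry!r}")
    return problems
```

Run `lint_rule` over each element of a policy's `rules` list (and with `packet_mirroring=True` over `packetMirroringRules`) before calling `insert`, and over the single body passed to `addRule`; a non-empty result is a request the API would reject or, worse, silently interpret differently from what was intended.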
| <div class="method"> |
| <code class="details" id="insert">insert(project, region, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Creates a new network firewall policy in the specified project and region. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a Firewall Policy resource. |
| "associations": [ # A list of associations that belong to this firewall policy. |
| { |
| "attachmentTarget": "A String", # The target that the firewall policy is attached to. |
| "displayName": "A String", # [Output Only] Deprecated, please use short name instead. The display name |
| # of the firewall policy of the association. |
| "firewallPolicyId": "A String", # [Output Only] The firewall policy ID of the association. |
| "name": "A String", # The name for an association. |
| "shortName": "A String", # [Output Only] The short name of the firewall policy of the association. |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "displayName": "A String", # Deprecated, please use short name instead. User-provided name of the |
| # Organization firewall policy. The name should be unique in the organization |
| # in which the firewall policy is created. |
| # This field is not applicable to network firewall policies. |
| # This name must be set on creation and cannot be changed. |
| # The name must be 1-63 characters long, and comply |
| # with RFC1035. Specifically, the name must be 1-63 characters |
| # long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which |
| # means the first character must be a lowercase letter, and all following |
| # characters must be a dash, lowercase letter, or digit, except the last |
| # character, which cannot be a dash. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make get() request to the |
| # firewall policy. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#firewallPolicy", # [Output only] Type of the resource. Always compute#firewallPolicy for firewall policies |
| "name": "A String", # Name of the resource. For Organization Firewall Policies it's a |
| # [Output Only] numeric ID allocated by Google Cloud which uniquely |
| # identifies the Organization Firewall Policy. |
| "packetMirroringRules": [ # A list of packet mirroring rules that belong to this policy. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be an integer value between 0 and 2147483647, inclusive. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "parent": "A String", # [Output Only] The parent of the firewall policy. |
| # This field is not applicable to network firewall policies. |
| "policyType": "A String", # The type of the firewall policy. This field can be either VPC_POLICY or RDMA_ROCE_POLICY. |
| # |
| # Note: if not specified then VPC_POLICY will be used. |
| "region": "A String", # [Output Only] URL of the region where the regional firewall policy resides. |
| # This field is not applicable to global firewall policies. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "ruleTupleCount": 42, # [Output Only] Total count of all firewall policy rule tuples. A firewall |
| # policy can not exceed a set number of tuples. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule (rule with priority 2147483647 and |
| # match "*"). If no rules are provided when creating a firewall policy, a |
| # default rule with action "allow" will be added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "shortName": "A String", # User-provided name of the Organization firewall policy. The name should be |
| # unique in the organization in which the firewall policy is created. |
| # This field is not applicable to network firewall policies. |
| # This name must be set on creation and cannot be changed. The name must be |
| # 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID |
| so that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is inRFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # The `Status` type defines a logical error model that is suitable for # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
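<p>The rule schema above states a number of cross-field constraints (priority range, no logging on goto_next rules, securityProfileGroup required for apply_security_profile_group and mirror and forbidden otherwise, tlsInspect only with apply_security_profile_group, targetSecureTags and targetServiceAccounts mutually exclusive, ports only for tcp/udp, per-list maximums), and the requestId parameter requires a non-nil UUID that is reused across retries so the server can drop duplicates. The following is an added example, not code from google-api-python-client or the Compute API: a pre-flight linter that checks a rule body against those documented constraints before it is submitted, plus a requestId helper. Function names, the SAMPLE_RULE body and the tagValues/PLACEHOLDER tag name are constructed for illustration; the server remains the authority on what it accepts.</p>

```python
"""Pre-flight checks for a FirewallPolicyRule request body, plus a
retry-safe requestId helper. Added example, not part of the Compute API
client; it encodes only constraints stated in the reference text and the
server remains the authority on what it accepts."""
import re
import uuid

FIREWALL_ACTIONS = {"allow", "deny", "apply_security_profile_group", "goto_next"}
MIRROR_ACTIONS = {"mirror", "do_not_mirror", "goto_next"}
PROFILE_ACTIONS = {"apply_security_profile_group", "mirror"}  # need securityProfileGroup
WELL_KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "ipip", "sctp"}
MAX_PRIORITY = 2147483647
LIST_LIMITS = {  # per-list maximums from the match schema
    "srcAddressGroups": 10, "destAddressGroups": 10,
    "srcFqdns": 100, "destFqdns": 100,
    "srcIpRanges": 5000, "destIpRanges": 5000,
    "srcRegionCodes": 5000, "destRegionCodes": 5000,
    "srcSecureTags": 256,
}
PORT_RE = re.compile(r"^\d+(-\d+)?$")      # "22" or "12345-12349"
REGION_RE = re.compile(r"^[A-Z]{2}$")       # ISO 3166 alpha-2, e.g. "US"
NIL_UUID = "00000000-0000-0000-0000-000000000000"


def lint_rule(rule: dict, packet_mirroring: bool = False) -> list:
    """Return human-readable problems; an empty list means the body meets
    every documented constraint this linter knows about."""
    problems = []
    action = rule.get("action")
    valid = MIRROR_ACTIONS if packet_mirroring else FIREWALL_ACTIONS
    if action not in valid:
        problems.append(f"action {action!r} not in {sorted(valid)}")
    prio = rule.get("priority")
    if isinstance(prio, bool) or not isinstance(prio, int) or not 0 <= prio <= MAX_PRIORITY:
        problems.append(f"priority must be an integer in [0, {MAX_PRIORITY}]")
    if rule.get("enableLogging") and action == "goto_next":
        problems.append("enableLogging cannot be set on goto_next rules")
    has_spg = bool(rule.get("securityProfileGroup"))
    if action in PROFILE_ACTIONS and not has_spg:
        problems.append(f"securityProfileGroup is required for action {action!r}")
    if action not in PROFILE_ACTIONS and has_spg:
        problems.append(f"securityProfileGroup cannot be set for action {action!r}")
    if rule.get("tlsInspect") and action != "apply_security_profile_group":
        problems.append("tlsInspect is only allowed with apply_security_profile_group")
    if rule.get("targetSecureTags") and rule.get("targetServiceAccounts"):
        problems.append("targetSecureTags and targetServiceAccounts cannot both be set")
    match = rule.get("match", {})
    for field, limit in LIST_LIMITS.items():
        if len(match.get(field, [])) > limit:
            problems.append(f"match.{field} exceeds {limit} entries")
    for field in ("srcRegionCodes", "destRegionCodes"):
        for code in match.get(field, []):
            if not REGION_RE.match(str(code)):
                problems.append(f"match.{field}: {code!r} is not an ISO 3166 alpha-2 code")
    for i, l4 in enumerate(match.get("layer4Configs", [])):
        proto = str(l4.get("ipProtocol", "")).lower()
        if proto not in WELL_KNOWN_PROTOCOLS and not proto.isdigit():
            problems.append(f"layer4Configs[{i}].ipProtocol {proto!r} is not a known name or number")
        ports = l4.get("ports", [])
        if ports and proto not in ("tcp", "udp"):
            problems.append(f"layer4Configs[{i}]: ports are only valid for tcp or udp")
        for p in ports:
            if not PORT_RE.match(str(p)):
                problems.append(f"layer4Configs[{i}]: port {p!r} must be an integer or a range")
    return problems


def new_request_id() -> str:
    """Random v4 UUID for requestId. Create it once per logical operation and
    reuse it on every retry so the server can drop the duplicate."""
    return str(uuid.uuid4())


def is_valid_request_id(value) -> bool:
    """True if value parses as a UUID and is not the unsupported nil UUID."""
    try:
        parsed = uuid.UUID(str(value))
    except ValueError:
        return False
    return str(parsed) != NIL_UUID


# Constructed sample body (placeholder tag value, not a real resource).
SAMPLE_RULE = {
    "action": "deny",
    "direction": "INGRESS",
    "priority": 1000,
    "enableLogging": True,
    "match": {
        "srcIpRanges": ["0.0.0.0/0"],
        "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22", "3389"]}],
    },
    "targetSecureTags": [{"name": "tagValues/PLACEHOLDER"}],
}

if __name__ == "__main__":
    print(lint_rule(SAMPLE_RULE) or ["rule body is consistent with the documented constraints"])
    print("requestId:", new_request_id())
```

<p>Run the linter on the body you intend to pass as <code>body=</code> to addRule or patchRule and refuse to submit while it returns problems; generate the requestId once before the first attempt and pass the same value on every retry, which is what makes the retry safe rather than a second rule insertion.</p>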
| |
| <div class="method"> |
| <code class="details" id="list">list(project, region, filter=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, x__xgafv=None)</code> |
| <pre>Lists all the network firewall policies that have been configured |
| for the specified project in the given region. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| filter: string, A filter expression that filters resources listed in the response. Most |
| Compute resources support two types of filter expressions: |
| expressions that support regular expressions and expressions that follow |
| API improvement proposal AIP-160. |
| These two types of filter expressions cannot be mixed in one request. |
| |
| If you want to use AIP-160, your expression must specify the field name, an |
| operator, and the value that you want to use for filtering. The value |
| must be a string, a number, or a boolean. The operator |
| must be either `=`, `!=`, `>`, `<`, `<=`, `>=` or `:`. |
| |
| For example, if you are filtering Compute Engine instances, you can |
| exclude instances named `example-instance` by specifying |
| `name != example-instance`. |
| |
| The `:*` comparison can be used to test whether a key has been defined. |
| For example, to find all objects with `owner` label use: |
| ``` |
| labels.owner:* |
| ``` |
| |
| You can also filter nested fields. For example, you could specify |
| `scheduling.automaticRestart = false` to include instances only |
| if they are not scheduled for automatic restarts. You can use filtering |
| on nested fields to filter based on resource labels. |
| |
| To filter on multiple expressions, provide each separate expression within |
| parentheses. For example: |
| ``` |
| (scheduling.automaticRestart = true) |
| (cpuPlatform = "Intel Skylake") |
| ``` |
| By default, each expression is an `AND` expression. However, you |
| can include `AND` and `OR` expressions explicitly. |
| For example: |
| ``` |
| (cpuPlatform = "Intel Skylake") OR |
| (cpuPlatform = "Intel Broadwell") AND |
| (scheduling.automaticRestart = true) |
| ``` |
| |
| If you want to use a regular expression, use the `eq` (equal) or `ne` |
| (not equal) operator against a single un-parenthesized expression with or |
| without quotes or against multiple parenthesized expressions. Examples: |
| |
| `fieldname eq unquoted literal` |
| `fieldname eq 'single quoted literal'` |
| `fieldname eq "double quoted literal"` |
| `(fieldname1 eq literal) (fieldname2 ne "literal")` |
| |
| The literal value is interpreted as a regular expression using Google RE2 library syntax. |
| The literal value must match the entire field. |
| |
| For example, to filter for instances that do not end with name "instance", |
| you would use `name ne .*instance`. |
| |
| You cannot combine constraints on multiple fields using regular |
| expressions. |
| maxResults: integer, The maximum number of results per page that should be returned. |
| If the number of available results is larger than `maxResults`, |
| Compute Engine returns a `nextPageToken` that can be used to get |
| the next page of results in subsequent list requests. Acceptable values are |
| `0` to `500`, inclusive. (Default: `500`) |
| orderBy: string, Sorts list results by a certain order. By default, results |
| are returned in alphanumerical order based on the resource name. |
| |
| You can also sort results in descending order based on the creation |
| timestamp using `orderBy="creationTimestamp desc"`. This sorts |
| results based on the `creationTimestamp` field in |
| reverse chronological order (newest result first). Use this to sort |
| resources like operations so that the newest operation is returned first. |
| |
| Currently, only sorting by `name` or |
| `creationTimestamp desc` is supported. |
| pageToken: string, Specifies a page token to use. Set `pageToken` to the |
| `nextPageToken` returned by a previous list request to get |
| the next page of results. |
| returnPartialSuccess: boolean, Opt-in for partial success behavior which provides partial results in case |
| of failure. The default value is false. |
| |
| For example, when partial success behavior is enabled, aggregatedList for a |
| single zone scope either returns all resources in the zone or no resources, |
| with an error code. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "id": "A String", # [Output Only] Unique identifier for the resource; defined by the server. |
| "items": [ # A list of FirewallPolicy resources. |
| { # Represents a Firewall Policy resource. |
| "associations": [ # A list of associations that belong to this firewall policy. |
| { |
| "attachmentTarget": "A String", # The target that the firewall policy is attached to. |
| "displayName": "A String", # [Output Only] Deprecated, please use short name instead. The display name |
| # of the firewall policy of the association. |
| "firewallPolicyId": "A String", # [Output Only] The firewall policy ID of the association. |
| "name": "A String", # The name for an association. |
| "shortName": "A String", # [Output Only] The short name of the firewall policy of the association. |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp inRFC3339 |
| # text format. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "displayName": "A String", # Deprecated, please use short name instead. User-provided name of the |
| # Organization firewall policy. The name should be unique in the organization |
| # in which the firewall policy is created. |
| # This field is not applicable to network firewall policies. |
| # This name must be set on creation and cannot be changed. |
| # The name must be 1-63 characters long, and comply |
| # with RFC1035. Specifically, the name must be 1-63 characters |
| # long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which |
| # means the first character must be a lowercase letter, and all following |
| # characters must be a dash, lowercase letter, or digit, except the last |
| # character, which cannot be a dash. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make get() request to the |
| # firewall policy. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#firewallPolicy", # [Output only] Type of the resource. Alwayscompute#firewallPolicyfor firewall policies |
| "name": "A String", # Name of the resource. For Organization Firewall Policies it's a |
| # [Output Only] numeric ID allocated by Google Cloud which uniquely |
| # identifies the Organization Firewall Policy. |
| "packetMirroringRules": [ # A list of packet mirroring rules that belong to this policy. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returnscompute#firewallPolicyRule for firewall rules andcompute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a value between 0 and 2147483647, inclusive. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "parent": "A String", # [Output Only] The parent of the firewall policy. |
| # This field is not applicable to network firewall policies. |
| "policyType": "A String", # The type of the firewall policy. This field can be either VPC_POLICY or RDMA_ROCE_POLICY. |
| # |
| # Note: if not specified then VPC_POLICY will be used. |
| "region": "A String", # [Output Only] URL of the region where the regional firewall policy resides. |
| # This field is not applicable to global firewall policies. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "ruleTupleCount": 42, # [Output Only] Total count of all firewall policy rule tuples. A firewall |
| # policy can not exceed a set number of tuples. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule (rule with priority 2147483647 and |
| # match "*"). If no rules are provided when creating a firewall policy, a |
| # default rule with action "allow" will be added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp,udp, icmp, esp,ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a value between 0 and 2147483647, inclusive. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "shortName": "A String", # User-provided name of the Organization firewall policy. The name should be |
| # unique in the organization in which the firewall policy is created. |
| # This field is not applicable to network firewall policies. |
| # This name must be set on creation and cannot be changed. The name must be |
| # 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| }, |
| ], |
| "kind": "compute#firewallPolicyList", # [Output Only] Type of resource. Always compute#firewallPolicyList for lists of FirewallPolicies |
| "nextPageToken": "A String", # [Output Only] This token allows you to get the next page of results for |
| # list requests. If the number of results is larger than maxResults, use the nextPageToken as a value for |
| # the query parameter pageToken in the next list request. |
| # Subsequent list requests will have their own nextPageToken to |
| # continue paging through the results. |
| "warning": { # [Output Only] Informational warning message. |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="list_next">list_next()</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
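<div class="method">
<p>The following is an added example, not code from the Google API client or this page's generator. It pages through <code>list()</code>/<code>list_next()</code> exactly as described above (call <code>list_next()</code> with the previous request and response until it returns <code>None</code>) and, for each policy, flags enabled <code>INGRESS</code> <code>allow</code> rules whose <code>srcIpRanges</code> cover the entire address space, walking rules in priority order (0 first) and honouring <code>disabled</code>. <code>FakeComputeService</code>, <code>_rule</code> and <code>SAMPLE_POLICIES</code> are constructed stand-ins that reproduce only the response shapes documented on this page so the code runs offline; with a real client you would pass the object returned by <code>googleapiclient.discovery.build("compute", "v1")</code> to <code>audit_region()</code> instead.</p>

```python
"""Added example, not from the Compute Engine API client docs: walk every
regional network firewall policy via list()/list_next() and flag enabled
INGRESS "allow" rules reachable from any source. FakeComputeService, _rule
and SAMPLE_POLICIES are constructed so this runs offline; with the real client,
pass the object from googleapiclient.discovery.build("compute", "v1") instead.
"""
import ipaddress
from types import SimpleNamespace


def _open_to_world(src_ranges):
    """True if any srcIpRanges entry is a /0 (0.0.0.0/0 or ::/0)."""
    for cidr in src_ranges:
        try:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return True
        except ValueError:  # malformed entry: not a match, not a crash
            continue
    return False


def find_open_ingress(policy):
    """One finding per layer4Config of each enabled INGRESS allow rule whose
    srcIpRanges cover the whole address space, in evaluation order (0 first).
    Each finding records enableLogging: an unlogged world-open allow is both
    the most exposed and the least visible kind of rule."""
    findings = []
    for rule in sorted(policy.get("rules", []), key=lambda r: r["priority"]):
        if rule.get("disabled") or rule.get("action") != "allow":
            continue  # disabled rules are not enforced; only allows expose anything
        match = rule.get("match", {})
        if rule.get("direction") != "INGRESS" or not _open_to_world(match.get("srcIpRanges", [])):
            continue
        for l4 in match.get("layer4Configs", []):
            findings.append({"policy": policy["name"], "priority": rule["priority"],
                             "protocol": l4["ipProtocol"],
                             "ports": ",".join(l4.get("ports", [])) or "all ports",
                             "logged": bool(rule.get("enableLogging"))})
    return findings


def iter_policies(service, project, region):
    """Yield every policy in the region, following nextPageToken via list_next()."""
    coll = service.regionNetworkFirewallPolicies()
    request = coll.list(project=project, region=region)
    while request is not None:  # list_next() returns None after the last page
        response = request.execute()
        yield from response.get("items", [])
        request = coll.list_next(previous_request=request, previous_response=response)


def audit_region(service, project, region):
    """Findings for every policy in the region, across all result pages."""
    return [f for p in iter_policies(service, project, region) for f in find_open_ingress(p)]


class _Collection:
    """Constructed stand-in for the client's collection; one policy per page."""
    def __init__(self, policies):
        self._policies = policies

    def list(self, project, region, pageToken=None):  # project/region unused here
        i = int(pageToken or 0)
        page = {"kind": "compute#firewallPolicyList", "items": [self._policies[i]]}
        if i + 1 < len(self._policies):
            page["nextPageToken"] = str(i + 1)
        return SimpleNamespace(execute=lambda: page)

    def list_next(self, previous_request, previous_response):
        token = previous_response.get("nextPageToken")
        return self.list(None, None, pageToken=token) if token else None


class FakeComputeService:
    def __init__(self, policies):
        self._coll = _Collection(policies)

    def regionNetworkFirewallPolicies(self):
        return self._coll


def _rule(priority, action, src, ports, logging=True, disabled=False):
    """Rule dict in the shape documented above (constructed sample data)."""
    return {"priority": priority, "action": action, "direction": "INGRESS",
            "enableLogging": logging, "disabled": disabled,
            "match": {"srcIpRanges": src,
                      "layer4Configs": [{"ipProtocol": "tcp", "ports": ports}]}}


SAMPLE_POLICIES = [  # constructed: two policies so pagination is exercised
    {"name": "web-policy", "rules": [
        _rule(1000, "allow", ["0.0.0.0/0"], ["443"]),
        _rule(1100, "allow", ["0.0.0.0/0"], ["22"], logging=False),
        _rule(1200, "allow", ["0.0.0.0/0"], ["3389"], disabled=True),
        _rule(2147483647, "goto_next", [], [])]},
    {"name": "db-policy", "rules": [
        _rule(1000, "allow", ["10.0.0.0/8"], ["5432"]),
        _rule(1001, "allow", ["::/0"], [], logging=False)]},
]

if __name__ == "__main__":
    for finding in audit_region(FakeComputeService(SAMPLE_POLICIES), "my-project", "us-central1"):
        print(finding)
```

<p>Two caveats on scope. The check looks only at <code>srcIpRanges</code>; a rule that admits the same traffic through <code>srcNetworkType: INTERNET</code>, an address group, or a secure tag is not reported, and a higher-priority <code>deny</code> that shadows a flagged <code>allow</code> is not modelled, so treat findings as review candidates rather than confirmed exposure. Note also that a rule with an empty <code>ports</code> list in its <code>layer4Configs</code> matches every port of that protocol, which is why the sample <code>db-policy</code> rule at priority 1001 is reported as <code>all ports</code>.</p>
</div>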
| |
| <div class="method"> |
| <code class="details" id="patch">patch(project, region, firewallPolicy, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Patches the specified network firewall policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to update. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a Firewall Policy resource. |
| "associations": [ # A list of associations that belong to this firewall policy. |
| { |
| "attachmentTarget": "A String", # The target that the firewall policy is attached to. |
| "displayName": "A String", # [Output Only] Deprecated, please use short name instead. The display name |
| # of the firewall policy of the association. |
| "firewallPolicyId": "A String", # [Output Only] The firewall policy ID of the association. |
| "name": "A String", # The name for an association. |
| "shortName": "A String", # [Output Only] The short name of the firewall policy of the association. |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "displayName": "A String", # Deprecated, please use short name instead. User-provided name of the |
| # Organization firewall policy. The name should be unique in the organization |
| # in which the firewall policy is created. |
| # This field is not applicable to network firewall policies. |
| # This name must be set on creation and cannot be changed. |
| # The name must be 1-63 characters long, and comply |
| # with RFC1035. Specifically, the name must be 1-63 characters |
| # long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which |
| # means the first character must be a lowercase letter, and all following |
| # characters must be a dash, lowercase letter, or digit, except the last |
| # character, which cannot be a dash. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make get() request to the |
| # firewall policy. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#firewallPolicy", # [Output only] Type of the resource. Always compute#firewallPolicy for firewall policies |
| "name": "A String", # Name of the resource. For Organization Firewall Policies it's a |
| # [Output Only] numeric ID allocated by Google Cloud which uniquely |
| # identifies the Organization Firewall Policy. |
| "packetMirroringRules": [ # A list of packet mirroring rules that belong to this policy. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp,udp, icmp, esp,ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a value between 0 and 2147483647, inclusive. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "parent": "A String", # [Output Only] The parent of the firewall policy. |
| # This field is not applicable to network firewall policies. |
| "policyType": "A String", # The type of the firewall policy. This field can be either VPC_POLICY or RDMA_ROCE_POLICY. |
| # |
| # Note: if not specified then VPC_POLICY will be used. |
| "region": "A String", # [Output Only] URL of the region where the regional firewall policy resides. |
| # This field is not applicable to global firewall policies. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "ruleTupleCount": 42, # [Output Only] Total count of all firewall policy rule tuples. A firewall |
| # policy can not exceed a set number of tuples. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule (rule with priority 2147483647 and |
| # match "*"). If no rules are provided when creating a firewall policy, a |
| # default rule with action "allow" will be added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp,udp, icmp, esp,ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "shortName": "A String", # User-provided name of the Organization firewall policy. The name should be |
| # unique in the organization in which the firewall policy is created. |
| # This field is not applicable to network firewall policies. |
| # This name must be set on creation and cannot be changed. The name must be |
| # 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
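| <p>The rule objects documented in the request bodies on this page carry a number of cross-field constraints (priority range, port syntax, which actions permit securityProfileGroup and tlsInspect, no logging on goto_next, targetSecureTags and targetServiceAccounts being mutually exclusive, per-field entry limits). The following is an added example, not code from the Compute Engine API or its Python client: a client-side validator that encodes only the constraints stated in this reference, so a misconfigured rule is caught locally before it is sent to addRule or patchRule. The sample rule bodies, the project name and the service account address in it are constructed for illustration.</p> |

```python
"""Client-side sanity checks for a Compute Engine firewall policy rule body.

Added example (not part of the API or the google-api-python-client): it encodes
only the constraints the reference documents for a rule object. Sample values
below are constructed for illustration.
"""
import ipaddress
import re

FIREWALL_ACTIONS = {"allow", "deny", "apply_security_profile_group", "goto_next"}
MIRROR_ACTIONS = {"mirror", "do_not_mirror", "goto_next"}
WELL_KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "ipip", "sctp"}
MAX_PRIORITY = 2147483647
# Documented per-field entry limits for the match block.
MATCH_LIMITS = {
    "srcIpRanges": 5000, "destIpRanges": 5000,
    "srcAddressGroups": 10, "destAddressGroups": 10,
    "srcFqdns": 100, "destFqdns": 100,
    "srcRegionCodes": 5000, "destRegionCodes": 5000,
}
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")


def _check_ports(ports):
    """Each entry must be an integer or a range such as 12345-12349, within 0-65535."""
    errors = []
    for p in ports:
        if not PORT_RE.match(p):
            errors.append(f"bad port entry {p!r}: must be an integer or a range")
            continue
        lo, _, hi = p.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            errors.append(f"port entry {p!r} is out of range")
    return errors


def validate_rule(rule):
    """Return the list of documented constraints the rule violates (empty if none)."""
    errors = []
    action = rule.get("action")
    if action not in FIREWALL_ACTIONS | MIRROR_ACTIONS:
        errors.append(f"unknown action {action!r}")
    pri = rule.get("priority")
    if not isinstance(pri, int) or not 0 <= pri <= MAX_PRIORITY:
        errors.append(f"priority must be an integer between 0 and {MAX_PRIORITY}")
    if action == "goto_next" and rule.get("enableLogging"):
        errors.append("enableLogging cannot be set on goto_next rules")
    needs_spg = action in {"apply_security_profile_group", "mirror"}
    if needs_spg and not rule.get("securityProfileGroup"):
        errors.append(f"securityProfileGroup is required when action is {action!r}")
    if not needs_spg and rule.get("securityProfileGroup"):
        errors.append("securityProfileGroup may only be set for apply_security_profile_group or mirror")
    if rule.get("tlsInspect") and action != "apply_security_profile_group":
        errors.append("tlsInspect may only be set when action is apply_security_profile_group")
    if rule.get("targetSecureTags") and rule.get("targetServiceAccounts"):
        errors.append("targetSecureTags may not be set together with targetServiceAccounts")

    match = rule.get("match") or {}
    for field, limit in MATCH_LIMITS.items():
        if len(match.get(field, [])) > limit:
            errors.append(f"{field} has more than {limit} entries")
    for field in ("srcIpRanges", "destIpRanges"):
        for cidr in match.get(field, []):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                errors.append(f"{field}: {cidr!r} is not a CIDR range")
    for field in ("srcRegionCodes", "destRegionCodes"):
        for code in match.get(field, []):
            if not re.fullmatch(r"[A-Z]{2}", code):
                errors.append(f"{field}: {code!r} is not a 2-letter ISO 3166 alpha-2 code")
    for cfg in match.get("layer4Configs", []):
        proto = cfg.get("ipProtocol")
        if proto is None:
            errors.append("layer4Configs entry is missing ipProtocol")
            continue
        if proto not in WELL_KNOWN_PROTOCOLS and not (proto.isdigit() and int(proto) <= 255):
            errors.append(f"ipProtocol {proto!r} is neither a well-known name nor a protocol number")
        ports = cfg.get("ports", [])
        if ports and proto not in ("tcp", "udp"):
            errors.append(f"ports are only applicable for tcp or udp, not {proto!r}")
        errors.extend(_check_ports(ports))
    return errors


# Constructed sample: an ingress allow rule for SSH from one management range,
# scoped to instances running under a (hypothetical) bastion service account.
SAMPLE_ALLOW_SSH = {
    "action": "allow", "direction": "INGRESS", "priority": 1000, "enableLogging": True,
    "match": {"srcIpRanges": ["203.0.113.0/24"],
              "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]},
    "targetServiceAccounts": ["bastion@example-project.iam.gserviceaccount.com"],
}

# Constructed sample that breaks several documented constraints at once.
SAMPLE_BROKEN = {
    "action": "goto_next", "priority": -1, "enableLogging": True, "tlsInspect": True,
    "securityProfileGroup": "https://networksecurity.googleapis.com/v1/projects/example-project/locations/global/securityProfileGroups/spg",
    "match": {"srcIpRanges": ["10.0.0.0/8", "not-a-cidr"],
              "layer4Configs": [{"ipProtocol": "icmp", "ports": ["22"]}]},
}

if __name__ == "__main__":
    print("allow-ssh:", validate_rule(SAMPLE_ALLOW_SSH) or "ok")
    for e in validate_rule(SAMPLE_BROKEN):
        print("broken:", e)
```

| <p>Run the validator over a rule body immediately before passing it as <code>body</code> to addRule or patchRule; the API performs the same checks server-side, but rejecting the rule locally keeps a failed Operation (and a partially applied policy edit under retry) out of the change history. Checks that depend on server state, such as whether a secure tag is EFFECTIVE or an address group exists, cannot be done here and are left to the API.</p> |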
| |
| <div class="method"> |
| <code class="details" id="patchRule">patchRule(project, region, firewallPolicy, body=None, priority=None, requestId=None, x__xgafv=None)</code> |
| <pre>Patches a rule of the specified priority. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to update. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the client connection triggers the rule. |
| # Valid actions for firewall rules are: "allow", "deny", |
| # "apply_security_profile_group" and "goto_next". |
| # Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" |
| # and "goto_next". |
| "description": "A String", # An optional description for this resource. |
| "direction": "A String", # The direction in which this rule applies. |
| "disabled": True or False, # Denotes whether the firewall policy rule is disabled. When set to true, |
| # the firewall policy rule is not enforced and traffic behaves as if it did |
| # not exist. If this is unspecified, the firewall policy rule will be |
| # enabled. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| "kind": "compute#firewallPolicyRule", # [Output only] Type of the resource. Returns compute#firewallPolicyRule for firewall rules and compute#packetMirroringRule for packet mirroring rules. |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "destAddressGroups": [ # Address groups which should be matched against the traffic destination. |
| # Maximum number of destination address groups is 10. |
| "A String", |
| ], |
| "destFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic destination. |
| # Maximum number of destination fqdn allowed is 100. |
| "A String", |
| ], |
| "destIpRanges": [ # CIDR IP address range. |
| # Maximum number of destination CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "destNetworkType": "A String", # Network type of the traffic destination. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - NON_INTERNET |
| "destRegionCodes": [ # Region codes whose IP addresses will be used to match for destination |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of dest region codes allowed is 5000. |
| "A String", |
| ], |
| "destThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic destination. |
| "A String", |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP |
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"],["80","443"], and ["12345-12349"]. |
| "A String", |
| ], |
| }, |
| ], |
| "srcAddressGroups": [ # Address groups which should be matched against the traffic source. |
| # Maximum number of source address groups is 10. |
| "A String", |
| ], |
| "srcFqdns": [ # Fully Qualified Domain Name (FQDN) which should be matched against |
| # traffic source. |
| # Maximum number of source fqdn allowed is 100. |
| "A String", |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of source CIDR IP ranges allowed is 5000. |
| "A String", |
| ], |
| "srcNetworkType": "A String", # Network type of the traffic source. Allowed values are: |
| # |
| # |
| # - UNSPECIFIED |
| # - INTERNET |
| # - INTRA_VPC |
| # - NON_INTERNET |
| # - VPC_NETWORKS |
| "srcNetworks": [ # Networks of the traffic source. It can be either a full or partial url. |
| "A String", |
| ], |
| "srcRegionCodes": [ # Region codes whose IP addresses will be used to match for source |
| # of traffic. Should be specified as 2 letter country code defined as per |
| # ISO 3166 alpha-2 country codes. ex."US" |
| # Maximum number of source region codes allowed is 5000. |
| "A String", |
| ], |
| "srcSecureTags": [ # List of secure tag values, which should be matched at the source |
| # of the traffic. |
| # For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, |
| # and there is no srcIpRange, this rule will be ignored. |
| # Maximum number of source tag values allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "srcThreatIntelligences": [ # Names of Network Threat Intelligence lists. |
| # The IPs in these lists will be matched against traffic source. |
| "A String", |
| ], |
| }, |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "ruleName": "A String", # An optional name for the rule. This field is not a unique identifier |
| # and can be updated. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall policy |
| # rule. |
| "securityProfileGroup": "A String", # A fully-qualified URL of a SecurityProfile resource instance. |
| # Example: |
| # https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group |
| # Must be specified if action is one of 'apply_security_profile_group' or |
| # 'mirror'. Cannot be specified for other actions. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| "A String", |
| ], |
| "targetSecureTags": [ # A list of secure tags that controls which instances the firewall rule |
| # applies to. If targetSecureTag are specified, then the |
| # firewall rule applies only to instances in the VPC network that have one |
| # of those EFFECTIVE secure tags, if all the target_secure_tag are in |
| # INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. |
| # If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies |
| # to all instances on the specified network. |
| # Maximum number of target label tags allowed is 256. |
| { |
| "name": "A String", # Name of the secure tag, created with TagManager's TagValue API. |
| "state": "A String", # [Output Only] State of the secure tag, either `EFFECTIVE` or |
| # `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted |
| # or its network is deleted. |
| }, |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| "tlsInspect": True or False, # Boolean flag indicating if the traffic should be TLS decrypted. |
| # Can be set only if action = 'apply_security_profile_group' and cannot |
| # be set for other actions. |
| } |
| |
| priority: integer, The priority of the rule to patch. |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `[A-Z][A-Z0-9_]+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="removeAssociation">removeAssociation(project, region, firewallPolicy, name=None, requestId=None, x__xgafv=None)</code> |
| <pre>Removes an association for the specified network firewall policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to update. (required) |
| name: string, Name for the association that will be removed. |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID, with the exception that the zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `[a-z][a-zA-Z0-9-_]+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `[A-Z][A-Z0-9_]+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
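<p>Added example (not code from the generated reference page or the client library): a small Python helper that enforces the <code>requestId</code> rule stated above before a request is sent, and that triages the returned Operation resource by reading the nested <code>errorInfo</code>, <code>quotaInfo</code> and <code>warnings</code> fields rather than only <code>httpErrorStatusCode</code>. The sample Operation, its metric and limit names, and the <code>needs_polling</code>/<code>summarize_operation</code> function names are constructed for this example.</p>

```python
"""Added example (not from the generated reference page): validate the documented
requestId rule and triage the Operation returned by removeAssociation()."""
import uuid

ZERO_UUID = "00000000-0000-0000-0000-000000000000"


def validate_request_id(request_id):
    """True if request_id is absent (it is optional) or a canonical, non-zero UUID."""
    if request_id is None:
        return True
    if not isinstance(request_id, str):
        return False
    try:
        parsed = uuid.UUID(request_id)
    except ValueError:
        return False
    # uuid.UUID() also accepts braces, a urn: prefix and hyphen-less input; insist
    # on the canonical 8-4-4-4-12 form and reject the zero UUID the docs exclude.
    return str(parsed) == request_id.lower() and str(parsed) != ZERO_UUID


def needs_polling(operation):
    """True while status is PENDING or RUNNING; only DONE is terminal."""
    return operation.get("status") != "DONE"


def summarize_operation(operation):
    """Flatten the nested error/warning schema into a small triage dict."""
    http_code = operation.get("httpErrorStatusCode")
    summary = {"name": operation.get("name"), "status": operation.get("status"),
               "http_status": http_code, "errors": [], "warnings": []}
    for err in operation.get("error", {}).get("errors", []):
        entry = {"code": err.get("code"), "location": err.get("location"),
                 "message": err.get("message"), "reasons": [], "quota": None}
        for detail in err.get("errorDetails", []):
            info = detail.get("errorInfo")
            if info:  # (domain, reason, metadatas): the machine-readable cause
                entry["reasons"].append((info.get("domain"), info.get("reason"),
                                         dict(info.get("metadatas", {}))))
            quota = detail.get("quotaInfo")
            if quota and entry["quota"] is None:
                entry["quota"] = {"metric": quota.get("metricName"),
                                  "limit": quota.get("limit"),
                                  "dimensions": dict(quota.get("dimensions", {}))}
        summary["errors"].append(entry)
    for warning in operation.get("warnings", []):
        # "data" is a list of {"key", "value"} pairs; fold it into a map.
        data = {d.get("key"): d.get("value") for d in warning.get("data", [])}
        summary["warnings"].append({"code": warning.get("code"),
                                    "message": warning.get("message"), "data": data})
    summary["failed"] = bool(summary["errors"]) or (http_code is not None and http_code >= 400)
    return summary


# Constructed sample: a DONE removeAssociation Operation that failed on quota.
SAMPLE_FAILED_OPERATION = {
    "kind": "compute#operation",
    "name": "operation-sample-0001",  # constructed
    "operationType": "removeAssociation",
    "status": "DONE",
    "httpErrorStatusCode": 403,
    "httpErrorMessage": "FORBIDDEN",
    "error": {"errors": [{
        "code": "QUOTA_EXCEEDED",
        "location": "firewallPolicy",
        "message": "Quota exceeded (constructed sample).",
        "errorDetails": [
            {"errorInfo": {"domain": "compute.googleapis.com",
                           "reason": "QUOTA_EXCEEDED",
                           "metadatas": {"instanceLimitPerRequest": "100"}}},
            {"quotaInfo": {"metricName": "SAMPLE_METRIC",  # constructed placeholder
                           "limitName": "SAMPLE_LIMIT",    # constructed placeholder
                           "limit": 100.0,
                           "dimensions": {"region": "us-central1"}}},
        ],
    }]},
    "warnings": [{"code": "NO_RESULTS_ON_PAGE",
                  "message": "No results on page (constructed sample).",
                  "data": [{"key": "scope", "value": "zones/us-east1-d"}]}],
}

if __name__ == "__main__":
    print(validate_request_id("123e4567-e89b-12d3-a456-426614174000"))  # True
    print(summarize_operation(SAMPLE_FAILED_OPERATION)["errors"][0]["reasons"])
```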
| |
| <div class="method"> |
| <code class="details" id="removeRule">removeRule(project, region, firewallPolicy, priority=None, requestId=None, x__xgafv=None)</code> |
| <pre>Deletes a rule of the specified priority. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| firewallPolicy: string, Name of the firewall policy to update. (required) |
| priority: integer, The priority of the rule to remove from the firewall policy. |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID, with the exception that the zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `[a-z][a-zA-Z0-9-_]+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `[A-Z][A-Z0-9_]+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="setIamPolicy">setIamPolicy(project, region, resource, body=None, x__xgafv=None)</code> |
| <pre>Sets the access control policy on the specified resource. |
| Replaces any existing policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, The name of the region for this request. (required) |
| resource: string, Name or id of the resource for this request. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "bindings": [ # Flatten Policy to create a backward compatible wire-format. |
| # Deprecated. Use 'policy' to specify bindings. |
| { # Associates `members`, or principals, with a `role`. |
| "condition": { # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the principals in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM |
| # documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used, for example, in UIs that allow the user to |
| # enter the expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Google Cloud resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # Does not include identities that come from external identity providers |
| # (IdPs) through identity federation. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a Google |
| # service account. For example, |
| # `[email protected]`. |
| # |
| # * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An |
| # identifier for a |
| # [Kubernetes service |
| # account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). |
| # For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| # |
| # |
| # |
| # * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workforce identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: |
| # All workforce identities in a group. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All workforce identities with a specific attribute value. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: |
| # All identities in a workforce identity pool. |
| # |
| # * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workload identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: |
| # A workload identity pool group. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All identities in a workload identity pool with a certain attribute. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: |
| # All identities in a workload identity pool. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `[email protected]?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `[email protected]?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `[email protected]?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # Deleted single identity in a workforce identity pool. For example, |
| # `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # |
| # For an overview of the IAM roles and permissions, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For |
| # a list of the available pre-defined roles, see |
| # [here](https://cloud.google.com/iam/docs/understanding-roles). |
| }, |
| ], |
| "etag": "A String", # Flatten Policy to create a backward compatible wire-format. |
| # Deprecated. Use 'policy' to specify the etag. |
| "policy": { # REQUIRED: The complete policy to be applied to the 'resource'. The size of |
| # the policy is limited to a few 10s of KB. An empty policy is in general a |
| # valid policy but certain services (like Projects) might reject them. |
| # |
| # An Identity and Access Management (IAM) policy, which specifies access |
| # controls for Google Cloud resources. |
| # |
| # |
| # A `Policy` is a collection of `bindings`. A `binding` binds one or more |
| # `members`, or principals, to a single `role`. Principals can be user |
| # accounts, service accounts, Google groups, and domains (such as G Suite). A |
| # `role` is a named list of permissions; each `role` can be an IAM predefined |
| # role or a user-created custom role. |
| # |
| # For some types of Google Cloud resources, a `binding` can also specify a |
| # `condition`, which is a logical expression that allows access to a resource |
| # only if the expression evaluates to `true`. A condition can add constraints |
| # based on attributes of the request, the resource, or both. To learn which |
| # resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # **JSON example:** |
| # |
| # ``` |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/resourcemanager.organizationAdmin", |
| # "members": [ |
| # "user:[email protected]", |
| # "group:[email protected]", |
| # "domain:google.com", |
| # "serviceAccount:[email protected]" |
| # ] |
| # }, |
| # { |
| # "role": "roles/resourcemanager.organizationViewer", |
| # "members": [ |
| # "user:[email protected]" |
| # ], |
| # "condition": { |
| # "title": "expirable access", |
| # "description": "Does not grant access after Sep 2020", |
| # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", |
| # } |
| # } |
| # ], |
| # "etag": "BwWWja0YfJA=", |
| # "version": 3 |
| # } |
| # ``` |
| # |
| # **YAML example:** |
| # |
| # ``` |
| # bindings: |
| # - members: |
| # - user:[email protected] |
| # - group:[email protected] |
| # - domain:google.com |
| # - serviceAccount:[email protected] |
| # role: roles/resourcemanager.organizationAdmin |
| # - members: |
| # - user:[email protected] |
| # role: roles/resourcemanager.organizationViewer |
| # condition: |
| # title: expirable access |
| # description: Does not grant access after Sep 2020 |
| # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') |
| # etag: BwWWja0YfJA= |
| # version: 3 |
| # ``` |
| # |
| # For a description of IAM and its features, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/). |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # }, |
| # { |
| # "log_type": "ADMIN_READ" |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "sampleservice.googleapis.com", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ" |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts `[email protected]` from DATA_READ logging, and |
| # `[email protected]` from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permission. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # [email protected] from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format as Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "bindings": [ # Associates a list of `members`, or principals, with a `role`. Optionally, |
| # may specify a `condition` that determines how and when the `bindings` are |
| # applied. Each of the `bindings` must contain at least one principal. |
| # |
| # The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 |
| # of these principals can be Google groups. Each occurrence of a principal |
| # counts towards these limits. For example, if the `bindings` grant 50 |
| # different roles to `user:[email protected]`, and not to any other |
| # principal, then you can add another 1,450 principals to the `bindings` in |
| # the `Policy`. |
| { # Associates `members`, or principals, with a `role`. |
| "condition": { # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the principals in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM |
| # documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used, for example, in UIs that allow the user to |
| # enter the expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Google Cloud resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # Does not include identities that come from external identity providers |
| # (IdPs) through identity federation. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a Google |
| # service account. For example, |
| # `[email protected]`. |
| # |
| # * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An |
| # identifier for a |
| # [Kubernetes service |
| # account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). |
| # For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| # |
| # |
| # |
| # * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workforce identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: |
| # All workforce identities in a group. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All workforce identities with a specific attribute value. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: |
| # All identities in a workforce identity pool. |
| # |
| # * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workload identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: |
| # A workload identity pool group. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All identities in a workload identity pool with a certain attribute. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: |
| # All identities in a workload identity pool. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `[email protected]?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `[email protected]?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `[email protected]?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # Deleted single identity in a workforce identity pool. For example, |
| # `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # |
| # For an overview of the IAM roles and permissions, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For |
| # a list of the available pre-defined roles, see |
| # [here](https://cloud.google.com/iam/docs/understanding-roles). |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| "version": 42, # Specifies the format of the policy. |
| # |
| # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value |
| # are rejected. |
| # |
| # Any operation that affects conditional role bindings must specify version |
| # `3`. This requirement applies to the following operations: |
| # |
| # * Getting a policy that includes a conditional role binding |
| # * Adding a conditional role binding to a policy |
| # * Changing a conditional role binding in a policy |
| # * Removing any role binding, with or without a condition, from a policy |
| # that includes conditions |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| # |
| # If a policy does not include any conditions, operations on that policy may |
| # specify any valid version or leave the field unset. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # An Identity and Access Management (IAM) policy, which specifies access |
| # controls for Google Cloud resources. |
| # |
| # |
| # A `Policy` is a collection of `bindings`. A `binding` binds one or more |
| # `members`, or principals, to a single `role`. Principals can be user |
| # accounts, service accounts, Google groups, and domains (such as G Suite). A |
| # `role` is a named list of permissions; each `role` can be an IAM predefined |
| # role or a user-created custom role. |
| # |
| # For some types of Google Cloud resources, a `binding` can also specify a |
| # `condition`, which is a logical expression that allows access to a resource |
| # only if the expression evaluates to `true`. A condition can add constraints |
| # based on attributes of the request, the resource, or both. To learn which |
| # resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # **JSON example:** |
| # |
| # ``` |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/resourcemanager.organizationAdmin", |
| # "members": [ |
| # "user:[email protected]", |
| # "group:[email protected]", |
| # "domain:google.com", |
| # "serviceAccount:[email protected]" |
| # ] |
| # }, |
| # { |
| # "role": "roles/resourcemanager.organizationViewer", |
| # "members": [ |
| # "user:[email protected]" |
| # ], |
| # "condition": { |
| # "title": "expirable access", |
| # "description": "Does not grant access after Sep 2020", |
| # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", |
| # } |
| # } |
| # ], |
| # "etag": "BwWWja0YfJA=", |
| # "version": 3 |
| # } |
| # ``` |
| # |
| # **YAML example:** |
| # |
| # ``` |
| # bindings: |
| # - members: |
| # - user:[email protected] |
| # - group:[email protected] |
| # - domain:google.com |
| # - serviceAccount:[email protected] |
| # role: roles/resourcemanager.organizationAdmin |
| # - members: |
| # - user:[email protected] |
| # role: roles/resourcemanager.organizationViewer |
| # condition: |
| # title: expirable access |
| # description: Does not grant access after Sep 2020 |
| # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') |
| # etag: BwWWja0YfJA= |
| # version: 3 |
| # ``` |
| # |
| # For a description of IAM and its features, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/). |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # }, |
| # { |
| # "log_type": "ADMIN_READ" |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "sampleservice.googleapis.com", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ" |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts `[email protected]` from DATA_READ logging, and |
| # `[email protected]` from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # [email protected] from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "bindings": [ # Associates a list of `members`, or principals, with a `role`. Optionally, |
| # may specify a `condition` that determines how and when the `bindings` are |
| # applied. Each of the `bindings` must contain at least one principal. |
| # |
| # The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 |
| # of these principals can be Google groups. Each occurrence of a principal |
| # counts towards these limits. For example, if the `bindings` grant 50 |
| # different roles to `user:[email protected]`, and not to any other |
| # principal, then you can add another 1,450 principals to the `bindings` in |
| # the `Policy`. |
| { # Associates `members`, or principals, with a `role`. |
| "condition": { # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the principals in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # The value represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when it is hovered over in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow the expression to be |
| # entered. |
| }, |
| "members": [ # Specifies the principals requesting access for a Google Cloud resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # Does not include identities that come from external identity providers |
| # (IdPs) through identity federation. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]`. |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a Google |
| # service account. For example, |
| # `[email protected]`. |
| # |
| # * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An |
| # identifier for a |
| # [Kubernetes service |
| # account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). |
| # For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| # * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workforce identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: |
| # All workforce identities in a group. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All workforce identities with a specific attribute value. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: |
| # All identities in a workforce identity pool. |
| # |
| # * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workload identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: |
| # A workload identity pool group. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All identities in a workload identity pool with a certain attribute. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: |
| # All identities in a workload identity pool. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `[email protected]?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `[email protected]?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `[email protected]?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # Deleted single identity in a workforce identity pool. For example, |
| # `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # |
| # For an overview of the IAM roles and permissions, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For |
| # a list of the available pre-defined roles, see |
| # [here](https://cloud.google.com/iam/docs/understanding-roles). |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| "version": 42, # Specifies the format of the policy. |
| # |
| # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value |
| # are rejected. |
| # |
| # Any operation that affects conditional role bindings must specify version |
| # `3`. This requirement applies to the following operations: |
| # |
| # * Getting a policy that includes a conditional role binding |
| # * Adding a conditional role binding to a policy |
| # * Changing a conditional role binding in a policy |
| # * Removing any role binding, with or without a condition, from a policy |
| # that includes conditions |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| # |
| # If a policy does not include any conditions, operations on that policy may |
| # specify any valid version or leave the field unset. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| }</pre> |
| </div> |
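<p>The AuditConfig description above states the union rule for <code>allServices</code> and a service-specific config but leaves the reader to work out what a given principal's operation would actually produce in the audit trail. The following is an added example, not part of this API reference or of the client library: it computes the effective audit configuration for one service from a Policy object of the shape returned by <code>setIamPolicy</code> (camelCase keys, as in the response schema, not the snake_case of the prose example), answers whether a specific operation is logged, and lists the gaps a reviewer would flag. The policy and the identities in it are constructed placeholders.</p>

```python
"""Effective audit-logging configuration for one service (added example)."""

# Constructed policy with the same shape as the AuditConfig example in the
# setIamPolicy documentation above. The JSON response uses camelCase keys
# (auditConfigs, auditLogConfigs, logType, exemptedMembers), not the
# snake_case shown in the prose example. Identities are placeholders.
EXAMPLE_POLICY = {
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:reader@example.com"]},
                {"logType": "DATA_WRITE"},
                {"logType": "ADMIN_READ"},
            ],
        },
        {
            "service": "sampleservice.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:writer@example.com"]},
            ],
        },
    ],
}


def effective_audit_config(policy, service):
    """Return {log_type: set_of_exempted_members} in force for `service`.

    Applies the union rule from the docs: the `allServices` AuditConfig and the
    service-specific one are merged, every log type named in either is enabled,
    and the exempted members of both are exempted.
    """
    merged = {}
    for audit_config in policy.get("auditConfigs", []):
        if audit_config.get("service") not in ("allServices", service):
            continue
        for log_config in audit_config.get("auditLogConfigs", []):
            exempt = merged.setdefault(log_config["logType"], set())
            exempt.update(log_config.get("exemptedMembers", []))
    return merged


def is_audit_logged(policy, service, log_type, member):
    """True if an operation of `log_type` on `service` by `member` produces an
    audit log entry under `policy`."""
    config = effective_audit_config(policy, service)
    return log_type in config and member not in config[log_type]


def audit_gaps(policy, service, required=("ADMIN_READ", "DATA_READ", "DATA_WRITE")):
    """Findings a reviewer would raise: required log types that are not enabled,
    and every exemption, since each exempted principal is a blind spot in the
    audit trail for that service."""
    config = effective_audit_config(policy, service)
    findings = []
    for log_type in required:
        if log_type not in config:
            findings.append(f"{service}: {log_type} audit logging is not enabled")
            continue
        for member in sorted(config[log_type]):
            findings.append(f"{service}: {member} is exempt from {log_type} logging")
    return findings


if __name__ == "__main__":
    for finding in audit_gaps(EXAMPLE_POLICY, "sampleservice.googleapis.com"):
        print(finding)
```

<p>For <code>sampleservice.googleapis.com</code> the merge yields all three log types, with the <code>allServices</code> DATA_READ exemption and the service-specific DATA_WRITE exemption both in force, which is exactly the outcome the documentation describes; for any other service only the <code>allServices</code> block applies.</p>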
| |
| <div class="method"> |
| <code class="details" id="testIamPermissions">testIamPermissions(project, region, resource, body=None, x__xgafv=None)</code> |
| <pre>Returns permissions that a caller has on the specified resource. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, The name of the region for this request. (required) |
| resource: string, Name or id of the resource for this request. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "permissions": [ # The set of permissions to check for the 'resource'. Permissions with |
| # wildcards (such as '*' or 'storage.*') are not allowed. |
| "A String", |
| ], |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is |
| # allowed. |
| "A String", |
| ], |
| }</pre> |
| </div> |
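<p>The <code>etag</code> and <code>version</code> descriptions in the Policy object above prescribe a read-modify-write cycle and warn that a write without the etag can silently replace a version 3 policy with a version 1 policy, dropping every conditional binding. The following is an added example, not part of this API reference or of the client library, that shows the cycle in code: <code>grant_role</code> reads the policy, adds a principal to the binding for a role (matching on the condition, since one role may carry several conditional bindings), promotes the version to 3 when any binding is conditional, and writes back with the etag it read, retrying on conflict. <code>FakeIamBackend</code> is a constructed in-memory stand-in for a resource's getIamPolicy/setIamPolicy that enforces the etag rule as documented; it does not model the real request body, and all identities are placeholders.</p>

```python
"""IAM read-modify-write with etag concurrency control (added example)."""
import copy
import itertools


class StaleEtagError(Exception):
    """Raised when a write carries an etag that no longer matches the policy."""


class FakeIamBackend:
    """Constructed in-memory stand-in for getIamPolicy/setIamPolicy.

    Enforces the rule the docs describe: a write that carries an etag must
    match the current one; a write that omits the etag is applied blindly.
    """

    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._etags = (f"etag-{n}" for n in itertools.count(1))
        self._etag = next(self._etags)

    def get_iam_policy(self):
        policy = copy.deepcopy(self._policy)
        policy["etag"] = self._etag
        return policy

    def set_iam_policy(self, policy):
        etag = policy.get("etag")
        if etag is not None and etag != self._etag:
            raise StaleEtagError(f"policy changed since read: have {self._etag}, got {etag}")
        # No etag: the server cannot detect a lost update, so the write wins.
        self._policy = {k: copy.deepcopy(v) for k, v in policy.items() if k != "etag"}
        self._etag = next(self._etags)
        return self.get_iam_policy()


def grant_role(backend, role, member, condition=None, attempts=3):
    """Add `member` to the binding for `role` using the etag read-modify-write
    cycle; retries from a fresh read when another writer got there first."""
    for _ in range(attempts):
        policy = backend.get_iam_policy()
        bindings = policy.setdefault("bindings", [])
        for binding in bindings:
            if binding["role"] == role and binding.get("condition") == condition:
                if member not in binding["members"]:
                    binding["members"].append(member)
                break
        else:
            binding = {"role": role, "members": [member]}
            if condition is not None:
                binding["condition"] = condition
            bindings.append(binding)
        # Any operation touching a policy with conditional bindings must use version 3.
        if any("condition" in b for b in bindings):
            policy["version"] = 3
        try:
            return backend.set_iam_policy(policy)  # carries the etag from the read
        except StaleEtagError:
            continue
    raise StaleEtagError(f"gave up after {attempts} conflicting attempts")


def conditional_bindings(policy):
    """Bindings that would be lost if a version 1 policy overwrote this one."""
    return [b for b in policy.get("bindings", []) if "condition" in b]


if __name__ == "__main__":
    backend = FakeIamBackend({"version": 1, "bindings": [
        {"role": "roles/compute.viewer", "members": ["user:alice@example.com"]}]})
    expiring = {"title": "temporary access",
                "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}
    print(grant_role(backend, "roles/compute.viewer", "user:bob@example.com", expiring))
```

<p>Two writers that both read <code>etag-1</code> and then write cannot both succeed: the second write is rejected and <code>grant_role</code> re-reads before retrying. A caller that builds a policy from scratch and omits the etag bypasses that protection, which is the lost-conditions scenario the documentation calls out.</p>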
| |
| </body></html> |