| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans-serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="compute_v1.html">Compute Engine API</a> . <a href="compute_v1.regionSecurityPolicies.html">regionSecurityPolicies</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#addRule">addRule(project, region, securityPolicy, body=None, validateOnly=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Inserts a rule into a security policy.</p> |
| <p class="toc_element"> |
| <code><a href="#close">close()</a></code></p> |
| <p class="firstline">Close httplib2 connections.</p> |
| <p class="toc_element"> |
| <code><a href="#delete">delete(project, region, securityPolicy, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Deletes the specified policy.</p> |
| <p class="toc_element"> |
| <code><a href="#get">get(project, region, securityPolicy, x__xgafv=None)</a></code></p> |
| <p class="firstline">List all of the ordered rules present in a single specified policy.</p> |
| <p class="toc_element"> |
| <code><a href="#getRule">getRule(project, region, securityPolicy, priority=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets a rule at the specified priority.</p> |
| <p class="toc_element"> |
| <code><a href="#insert">insert(project, region, body=None, requestId=None, validateOnly=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Creates a new policy in the specified project using the data included in</p> |
| <p class="toc_element"> |
| <code><a href="#list">list(project, region, filter=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">List all the policies that have been configured for the specified project</p> |
| <p class="toc_element"> |
| <code><a href="#list_next">list_next()</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#patch">patch(project, region, securityPolicy, body=None, requestId=None, updateMask=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Patches the specified policy with the data included in the request. To</p> |
| <p class="toc_element"> |
| <code><a href="#patchRule">patchRule(project, region, securityPolicy, body=None, priority=None, updateMask=None, validateOnly=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Patches a rule at the specified priority. To clear fields in the rule,</p> |
| <p class="toc_element"> |
| <code><a href="#removeRule">removeRule(project, region, securityPolicy, priority=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Deletes a rule at the specified priority.</p> |
| <p class="toc_element"> |
| <code><a href="#setLabels">setLabels(project, region, resource, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Sets the labels on a security policy. To learn more about labels,</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="addRule">addRule(project, region, securityPolicy, body=None, validateOnly=None, x__xgafv=None)</code> |
| <pre>Inserts a rule into a security policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| securityPolicy: string, Name of the security policy to update. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the rule is matched. |
| # The following are the valid actions: |
| # |
| # - allow: allow access to target. |
| # - deny(STATUS): deny access to target, returns the |
| # HTTP response code specified. Valid values for `STATUS` |
| # are 403, 404, and 502. |
| # - rate_based_ban: limit client traffic to the configured |
| # threshold and ban the client if the traffic exceeds the threshold. |
| # Configure parameters for this action in RateLimitOptions. Requires |
| # rate_limit_options to be set. |
| # - redirect: redirect to a different target. This can |
| # either be an internal reCAPTCHA redirect, or an external URL-based |
| # redirect via a 302 response. Parameters for this action can be configured |
| # via redirectOptions. This action is only supported in Global Security |
| # Policies of type CLOUD_ARMOR. |
| # - throttle: limit |
| # client traffic to the configured threshold. Configure parameters for this |
| # action in rateLimitOptions. Requires rate_limit_options to be set for |
| # this. |
| # - fairshare (preview only): when traffic reaches the |
| # threshold limit, requests from the clients matching this rule begin to be |
| # rate-limited using the Fair Share algorithm. This action is only allowed |
| # in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "headerAction": { # Optional, additional actions that are performed on headers. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "requestHeadersToAdds": [ # The list of request headers to add or overwrite if they're already |
| # present. |
| { |
| "headerName": "A String", # The name of the header to set. |
| "headerValue": "A String", # The value to set the named header to. |
| }, |
| ], |
| }, |
| "kind": "compute#securityPolicyRule", # [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules. |
| "match": { # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "config": { # The configuration options available when specifying versioned_expr. |
| # This field must be specified if versioned_expr is specified and cannot |
| # be specified if versioned_expr is not specified. |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of src_ip_ranges allowed is 10. |
| "A String", |
| ], |
| }, |
| "expr": { # User defined CEVAL expression. |
| # A CEVAL expression is used to specify match criteria such as origin.ip, |
| # source.region_code and contents in the request header. |
| # Expressions containing `evaluateThreatIntelligence` require a Cloud |
| # Armor Enterprise subscription and are not supported in Edge Policies |
| # nor in Regional Policies. Expressions containing |
| # `evaluatePreconfiguredExpr('sourceiplist-*')` require a Cloud Armor |
| # Enterprise subscription and are only supported in Global Security |
| # Policies. |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "exprOptions": { # The configuration options available when specifying a user defined |
| # CEVAL expression (i.e., 'expr'). |
| "recaptchaOptions": { # reCAPTCHA configuration options to be applied for the rule. If the |
| # rule does not evaluate reCAPTCHA tokens, this field has no effect. |
| "actionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # action-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| "sessionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # session-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| }, |
| }, |
| "versionedExpr": "A String", # Preconfigured versioned expression. |
| # If this field is specified, config must also be specified. |
| # Available preconfigured expressions along with their requirements are: |
| # SRC_IPS_V1 - must specify the corresponding src_ip_range field in |
| # config. |
| }, |
| "networkMatch": { # Represents a match condition that incoming network traffic is evaluated against. |
| # A match condition that incoming packets are evaluated against for |
| # CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding |
| # 'action' is enforced. |
| # |
| # The match criteria for a rule consists of built-in match fields (like |
| # 'srcIpRanges') and potentially multiple user-defined match fields |
| # ('userDefinedFields'). |
| # |
| # Field values may be extracted directly from the packet or derived from it |
| # (e.g. 'srcRegionCodes'). Some fields may not be present in every packet |
| # (e.g. 'srcPorts'). A user-defined field is only present if the base |
| # header is found in the packet and the entire field is in bounds. |
| # |
| # Each match field may specify which values can match it, listing one or |
| # more ranges, prefixes, or exact values that are considered a match for |
| # the field. A field value must be present in order to match a specified |
| # match field. If no match values are specified for a match field, then any |
| # field value is considered to match it, and it's not required to be |
| # present. For strings specifying '*' is also equivalent to match all. |
| # |
| # For a packet to match a rule, all specified match fields must match the |
| # corresponding field values derived from the packet. |
| # |
| # Example: |
| # |
| # networkMatch: |
| # srcIpRanges: |
| # - "192.0.2.0/24" |
| # - "198.51.100.0/24" |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # values: |
| # - "1-0x1fff" |
| # |
| # The above match condition matches packets with a source IP in |
| # 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named |
| # "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive. |
| "destIpRanges": [ # Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text |
| # format. |
| "A String", |
| ], |
| "destPorts": [ # Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "ipProtocols": [ # IPv4 protocol / IPv6 next header (after extension headers). Each |
| # element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. |
| # "253-254"), or one of the following protocol names: "tcp", "udp", |
| # "icmp", "esp", "ah", "ipip", or "sctp". |
| "A String", |
| ], |
| "srcAsns": [ # BGP Autonomous System Number associated with the source IP address. |
| 42, |
| ], |
| "srcIpRanges": [ # Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. |
| "A String", |
| ], |
| "srcPorts": [ # Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "srcRegionCodes": [ # Two-letter ISO 3166-1 alpha-2 country code associated with the source |
| # IP address. |
| "A String", |
| ], |
| "userDefinedFields": [ # User-defined fields. Each element names a defined field and lists the |
| # matching values for that field. |
| { |
| "name": "A String", # Name of the user-defined field, as given in the definition. |
| "values": [ # Matching values of the field. Each element can be a 32-bit unsigned |
| # decimal or hexadecimal (starting with "0x") number (e.g. "64") or |
| # range (e.g. "0x400-0x7ff"). |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| "preconfiguredWafConfig": { # Preconfigured WAF configuration to be applied for the rule. If the rule |
| # does not evaluate preconfigured WAF rules, i.e., if |
| # evaluatePreconfiguredWaf() is not used, this field will have no effect. |
| "exclusions": [ # A list of exclusions to apply during preconfigured WAF evaluation. |
| { |
| "requestCookiesToExclude": [ # A list of request cookie names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestHeadersToExclude": [ # A list of request header names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestQueryParamsToExclude": [ # A list of request query parameter names whose value will be excluded |
| # from inspection during preconfigured WAF evaluation. Note that the |
| # parameter can be in the query string or in the POST body. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestUrisToExclude": [ # A list of request URIs from the request line to be excluded from |
| # inspection during preconfigured WAF evaluation. When specifying this |
| # field, the query or fragment part should be excluded. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "targetRuleIds": [ # A list of target rule IDs under the WAF rule set to apply the |
| # preconfigured WAF exclusion. If omitted, it refers to all the rule |
| # IDs under the WAF rule set. |
| "A String", |
| ], |
| "targetRuleSet": "A String", # Target WAF rule set to apply the preconfigured WAF exclusion. |
| }, |
| ], |
| }, |
| "preview": True or False, # If set to true, the specified action is not enforced. |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "rateLimitOptions": { # Must be specified if the action is "rate_based_ban" or "throttle" or |
| # "fairshare". Cannot be specified for any other actions. |
| "banDurationSec": 42, # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, determines the time (in seconds) |
| # the traffic will continue to be banned by the rate limit after the |
| # rate falls below the threshold. |
| "banThreshold": { # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, the key will be banned for the |
| # configured 'ban_duration_sec' when the number of requests that exceed |
| # the 'rate_limit_threshold' also exceed this 'ban_threshold'. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| "conformAction": "A String", # Action to take for requests that are under the configured rate limit |
| # threshold. Valid option is "allow" only. |
| "enforceOnKey": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKey" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the value |
| # is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of the |
| # HTTPS request. The key value is truncated to the first 128 bytes. The |
| # key type defaults to ALL on an HTTP session. |
| # - REGION_CODE: The country/region from which the request |
| # originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration or |
| # an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # For "fairshare" action, this value is limited to ALL i.e. a single rate |
| # limit threshold is enforced for all the requests matching the rule. |
| "enforceOnKeyConfigs": [ # If specified, any combination of values of |
| # enforce_on_key_type/enforce_on_key_name is treated as the key on which |
| # ratelimit threshold/action is enforced. You can specify up to 3 |
| # enforce_on_key_configs. If enforce_on_key_configs is specified, |
| # enforce_on_key must not be specified. |
| { |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the |
| # key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is |
| # taken as the key value. |
| "enforceOnKeyType": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKeyConfigs" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the |
| # value is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of |
| # the HTTPS request. The key value is truncated to the first 128 bytes. |
| # The key type defaults to ALL on an HTTP session. |
| # - REGION_CODE: The country/region from which the |
| # request originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration |
| # or an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| }, |
| ], |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the key |
| # value. |
| # HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key |
| # value. |
| "exceedAction": "A String", # Action to take for requests that are above the configured rate limit |
| # threshold, to either deny with a specified HTTP response code, or |
| # redirect to a different endpoint. |
| # Valid options are `deny(STATUS)`, where valid values for |
| # `STATUS` are 403, 404, 429, and 502, and |
| # `redirect`, where the redirect parameters come from |
| # `exceedRedirectOptions` below. |
| # The `redirect` action is only supported in Global Security Policies of |
| # type CLOUD_ARMOR. |
| "exceedRedirectOptions": { # Parameters defining the redirect action that is used as the exceed |
| # action. Cannot be specified if the exceed action is not redirect. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "rateLimitThreshold": { # Threshold at which to begin ratelimiting. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| }, |
| "redirectOptions": { # Parameters defining the redirect action. Cannot be specified for any |
| # other actions. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| } |
| |
| validateOnly: boolean, If true, the request will not be committed. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
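A pre-flight check for an addRule body, as an added example (not part of the generated reference or of the client library): it collects the field constraints stated above that apply to a regional policy, so a malformed or unenforced rule is caught before the API call. The names lint_regional_rule and SAMPLE_RULE, the constructed sample values, and the treatment of a missing enforceOnKeyName as an error are assumptions of this example.

```python
import re

RATE_ACTIONS = {"rate_based_ban", "throttle", "fairshare"}
DENY_RE = re.compile(r"deny\((\d{3})\)")
MAX_PRIORITY = 2147483647


def _deny_status(action):
    """Return the STATUS of a deny(STATUS) action string, or None."""
    m = DENY_RE.fullmatch(action or "")
    return int(m.group(1)) if m else None


def lint_regional_rule(rule):
    """Return a list of findings for a securityPolicyRule body (dict)."""
    findings = []
    action = rule.get("action", "")
    status = _deny_status(action)

    # action: allow, deny(403|404|502) or a rate-limiting action.
    if action == "redirect":
        findings.append("action: redirect is only supported in global CLOUD_ARMOR policies")
    elif status is not None:
        if status not in (403, 404, 502):
            findings.append(f"action: deny status {status} not in 403/404/502")
    elif action != "allow" and action not in RATE_ACTIONS:
        findings.append(f"action: unknown value {action!r}")
    for field in ("headerAction", "redirectOptions"):
        if field in rule:
            findings.append(f"{field}: only supported in global CLOUD_ARMOR policies")

    prio = rule.get("priority")
    if not isinstance(prio, int) or prio not in range(0, MAX_PRIORITY + 1):
        findings.append("priority: must be an integer from 0 to 2147483647")
    if rule.get("preview"):
        findings.append("preview: true, so the action is not enforced")

    # match: versionedExpr and config go together; expr is the alternative.
    match = rule.get("match", {})
    if ("versionedExpr" in match) != ("config" in match):
        findings.append("match: versionedExpr and config must be specified together")
    if "versionedExpr" in match and "expr" in match:
        findings.append("match: specify exactly one of versionedExpr or expr")
    if len(match.get("config", {}).get("srcIpRanges", [])) > 10:
        findings.append("match.config.srcIpRanges: more than 10 ranges")
    cel = match.get("expr", {}).get("expression", "")
    if "evaluateThreatIntelligence" in cel:
        findings.append("match.expr: evaluateThreatIntelligence is not supported in regional policies")
    if re.search(r"evaluatePreconfiguredExpr\(\s*'sourceiplist-", cel):
        findings.append("match.expr: sourceiplist-* expressions are global-only")

    # rateLimitOptions: required for rate actions, forbidden otherwise.
    rlo = rule.get("rateLimitOptions")
    if (action in RATE_ACTIONS) != (rlo is not None):
        findings.append("rateLimitOptions: required for rate_based_ban/throttle/fairshare, "
                        "not allowed for other actions")
    if rlo is None:
        return findings
    if action != "rate_based_ban":
        for field in ("banDurationSec", "banThreshold"):
            if field in rlo:
                findings.append(f"rateLimitOptions.{field}: only valid with rate_based_ban")
    if rlo.get("conformAction", "allow") != "allow":
        findings.append("rateLimitOptions.conformAction: only 'allow' is valid")
    exceed = rlo.get("exceedAction")
    if exceed == "redirect" or "exceedRedirectOptions" in rlo:
        findings.append("rateLimitOptions.exceedAction: redirect is global-only")
    elif exceed is not None and _deny_status(exceed) not in (403, 404, 429, 502):
        findings.append("rateLimitOptions.exceedAction: expected deny(403|404|429|502)")

    # Rate-limit keys: enforceOnKey or up to 3 enforceOnKeyConfigs, never both.
    keys = rlo.get("enforceOnKeyConfigs", [])
    if keys and "enforceOnKey" in rlo:
        findings.append("rateLimitOptions: enforceOnKey and enforceOnKeyConfigs are mutually exclusive")
    if len(keys) > 3:
        findings.append("rateLimitOptions.enforceOnKeyConfigs: more than 3 entries")
    pairs = [(k.get("enforceOnKeyType", "ALL"), k.get("enforceOnKeyName")) for k in keys]
    if not keys:
        pairs = [(rlo.get("enforceOnKey", "ALL"), rlo.get("enforceOnKeyName"))]
    for ktype, kname in pairs:
        # Assumption of this example: a header/cookie key without a name is an error.
        if ktype in ("HTTP_HEADER", "HTTP_COOKIE") and not kname:
            findings.append(f"rateLimitOptions: {ktype} key needs enforceOnKeyName")
        if action == "fairshare" and ktype != "ALL":
            findings.append("rateLimitOptions: fairshare only allows key ALL")
    return findings


# Constructed sample body with three deliberate mistakes.
SAMPLE_RULE = {
    "action": "throttle",
    "priority": 1000,
    "match": {"versionedExpr": "SRC_IPS_V1",
              "config": {"srcIpRanges": ["198.51.100.0/24"]}},
    "rateLimitOptions": {
        "conformAction": "allow",
        "exceedAction": "redirect",
        "exceedRedirectOptions": {"type": "GOOGLE_RECAPTCHA"},
        "enforceOnKey": "HTTP_HEADER",
        "banDurationSec": 600,
        "rateLimitThreshold": {"count": 100, "intervalSec": 60},
    },
}

if __name__ == "__main__":
    for finding in lint_regional_rule(SAMPLE_RULE):
        print(finding)
```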
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="close">close()</code> |
| <pre>Close httplib2 connections.</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="delete">delete(project, region, securityPolicy, requestId=None, x__xgafv=None)</code> |
| <pre>Deletes the specified policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| securityPolicy: string, Name of the security policy to delete. (required) |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
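<p>The requestId retry behaviour and the Operation resource described for delete() above, as an added Python example that is not part of the generated reference or of Google's client library. The helper names, the set of retryable exceptions, the <code>FakeComputeService</code> stand-in and the sample operation are constructed for illustration; a real <code>service</code> would be the Compute Engine client object this reference documents.</p>

```python
import uuid

ZERO_UUID = uuid.UUID(int=0)
# Assumption: which client-side failures are worth retrying is a local policy choice.
RETRYABLE = (TimeoutError, ConnectionError)


def checked_request_id(value=None):
    """Return a requestId the API accepts: a valid UUID other than the zero UUID."""
    if value is None:
        return str(uuid.uuid4())
    parsed = uuid.UUID(value)  # ValueError on anything that is not a UUID
    if parsed == ZERO_UUID:
        raise ValueError("the zero UUID is not supported as requestId")
    return str(parsed)


def delete_policy(service, project, region, policy, request_id=None, attempts=3):
    """Call delete(), reusing one requestId on every retry so the server can
    recognise a repeat of a request it already received."""
    if attempts < 1:
        raise ValueError("attempts must be at least 1")
    request_id = checked_request_id(request_id)
    last_error = None
    for _ in range(attempts):
        try:
            return service.regionSecurityPolicies().delete(
                project=project, region=region,
                securityPolicy=policy, requestId=request_id,
            ).execute()
        except RETRYABLE as exc:
            last_error = exc
    raise last_error


def summarize_operation(op):
    """Reduce an Operation resource to the fields an operator or audit log needs."""
    errors = []
    for err in op.get("error", {}).get("errors", []):
        reasons = [d["errorInfo"].get("reason")
                   for d in err.get("errorDetails", []) if "errorInfo" in d]
        errors.append({"code": err.get("code"), "message": err.get("message"),
                       "location": err.get("location"), "reasons": reasons})
    return {
        "done": op.get("status") == "DONE",
        "failed": bool(errors) or "httpErrorStatusCode" in op,
        "http_status": op.get("httpErrorStatusCode"),
        "errors": errors,
        "warnings": [w.get("code") for w in op.get("warnings", [])],
        "user": op.get("user"),
        "target": op.get("targetLink"),
        "client_operation_id": op.get("clientOperationId"),
    }


class FakeComputeService:
    """Constructed stand-in for the client object. The first execute() reaches
    the 'server' but times out on the way back; the server remembers request IDs."""

    def __init__(self):
        self.calls, self.seen_ids, self.deletions = [], set(), 0

    def regionSecurityPolicies(self):
        return self

    def delete(self, **kwargs):
        self.calls.append(kwargs)
        return self

    def execute(self):
        request_id = self.calls[-1]["requestId"]
        if request_id not in self.seen_ids:  # repeat IDs are ignored
            self.seen_ids.add(request_id)
            self.deletions += 1
        if len(self.calls) == 1:
            raise TimeoutError("constructed timeout")
        return {"kind": "compute#operation", "operationType": "delete",
                "status": "RUNNING", "clientOperationId": request_id}


# Constructed sample shaped like the Operation resource documented above.
SAMPLE_FAILED_OP = {
    "kind": "compute#operation", "operationType": "delete", "status": "DONE",
    "httpErrorStatusCode": 404, "httpErrorMessage": "NOT FOUND",
    "error": {"errors": [{
        "code": "RESOURCE_NOT_FOUND", "message": "constructed message",
        "errorDetails": [{"errorInfo": {"reason": "CONSTRUCTED_REASON",
                                        "domain": "googleapis.com"}}],
    }]},
}

if __name__ == "__main__":
    fake = FakeComputeService()
    op = delete_policy(fake, "example-project", "us-central1", "example-policy")
    print(summarize_operation(op), "deletions:", fake.deletions)
    print(summarize_operation(SAMPLE_FAILED_OP))
```

<p>A <code>status</code> of <code>DONE</code> does not by itself mean success: check <code>error</code> and <code>httpErrorStatusCode</code> as well, and record <code>user</code> and <code>targetLink</code> when logging security policy deletions.</p>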
| |
| <div class="method"> |
| <code class="details" id="get">get(project, region, securityPolicy, x__xgafv=None)</code> |
| <pre>List all of the ordered rules present in a single specified policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| securityPolicy: string, Name of the security policy to get. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents a Google Cloud Armor security policy resource. |
| # |
| # Only external backend services that use load balancers can |
| # reference a security policy. For more information, see |
| # Google Cloud Armor security policy overview. |
| "adaptiveProtectionConfig": { # Configuration options for Cloud Armor Adaptive Protection (CAAP). |
| "layer7DdosDefenseConfig": { # Configuration options for L7 DDoS detection. # If set to true, enables Cloud Armor Machine Learning. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "enable": True or False, # If set to true, enables CAAP for L7 DDoS detection. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "ruleVisibility": "A String", # Rule visibility can be one of the following: |
| # STANDARD - opaque rules. (default) |
| # PREMIUM - transparent rules. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "thresholdConfigs": [ # Configuration options for layer7 adaptive protection for various |
| # customizable thresholds. |
| { |
| "autoDeployConfidenceThreshold": 3.14, |
| "autoDeployExpirationSec": 42, |
| "autoDeployImpactedBaselineThreshold": 3.14, |
| "autoDeployLoadThreshold": 3.14, |
| "detectionAbsoluteQps": 3.14, |
| "detectionLoadThreshold": 3.14, |
| "detectionRelativeToBaselineQps": 3.14, |
| "name": "A String", # The name must be 1-63 characters long, and comply with RFC1035. |
| # The name must be unique within the security policy. |
| "trafficGranularityConfigs": [ # Configuration options for enabling Adaptive Protection to operate |
| # on specified granular traffic units. |
| { # Configurations to specific granular traffic units processed by |
| # Adaptive Protection. |
| "enableEachUniqueValue": True or False, # If enabled, traffic matching each unique value for the specified |
| # type constitutes a separate traffic unit. |
| # It can only be set to true if `value` is empty. |
| "type": "A String", # Type of this configuration. |
| "value": "A String", # Requests that match this value constitute a granular traffic unit. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "advancedOptionsConfig": { |
| "jsonCustomConfig": { # Custom configuration to apply the JSON parsing. Only applicable when |
| # json_parsing is set to STANDARD. |
| "contentTypes": [ # A list of custom Content-Type header values to apply the JSON parsing. |
| # |
| # As per RFC 1341, a Content-Type header value has the following format: |
| # |
| # Content-Type := type "/" subtype *[";" parameter] |
| # |
| # When configuring a custom Content-Type header value, only the |
| # type/subtype needs to be specified, and the parameters should be |
| # excluded. |
| "A String", |
| ], |
| }, |
| "jsonParsing": "A String", |
| "logLevel": "A String", |
| "userIpRequestHeaders": [ # An optional list of case-insensitive request header names to use for |
| # resolving the caller's client IP address. |
| "A String", |
| ], |
| }, |
| "associations": [ # A list of associations that belong to this policy. |
| { |
| "attachmentId": "A String", # The resource that the security policy is attached to. |
| "displayName": "A String", # [Output Only] The display name of the security policy of the association. |
| "excludedFolders": [ # A list of folders to exclude from the security policy. |
| "A String", |
| ], |
| "excludedProjects": [ # A list of projects to exclude from the security policy. |
| "A String", |
| ], |
| "name": "A String", # The name for an association. |
| "securityPolicyId": "A String", # [Output Only] The security policy ID of the association. |
| "shortName": "A String", # [Output Only] The short name of the security policy of the association. |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "ddosProtectionConfig": { |
| "ddosProtection": "A String", |
| }, |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to the |
| # security policy. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#securityPolicy", # [Output only] Type of the resource. Always compute#securityPolicy for security policies |
| "labelFingerprint": "A String", # A fingerprint for the labels being applied to this security policy, which |
| # is essentially a hash of the labels set used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update labels. You must always provide an |
| # up-to-date fingerprint hash in order to update or change labels. |
| # |
| # To see the latest fingerprint, make a get() request to the |
| # security policy. |
| "labels": { # Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. |
| # Label values may be empty. |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "recaptchaOptionsConfig": { |
| "redirectSiteKey": "A String", # An optional field to supply a reCAPTCHA site key to be used for all the |
| # rules using the redirect action with the type of GOOGLE_RECAPTCHA under |
| # the security policy. The specified site key needs to be created from the |
| # reCAPTCHA API. The user is responsible for the validity of the specified |
| # site key. If not specified, a Google-managed site key is used. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| }, |
| "region": "A String", # [Output Only] URL of the region where the regional security policy |
| # resides. This field is not applicable to global security policies. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule which is a rule with priority |
| # 2147483647 and match all condition (for the match condition this means |
| # match "*" for srcIpRanges and for the networkMatch condition every field |
| # must be either match "*" or not set). If no rules are provided when |
| # creating a security policy, a default rule with action "allow" will be |
| # added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the rule is matched. |
| # The following are the valid actions: |
| # |
| # - allow: allow access to target. |
| # - deny(STATUS): deny access to target, returns the |
| # HTTP response code specified. Valid values for `STATUS` |
| # are 403, 404, and 502. |
| # - rate_based_ban: limit client traffic to the configured |
| # threshold and ban the client if the traffic exceeds the threshold. |
| # Configure parameters for this action in RateLimitOptions. Requires |
| # rate_limit_options to be set. |
| # - redirect: redirect to a different target. This can |
| # either be an internal reCAPTCHA redirect, or an external URL-based |
| # redirect via a 302 response. Parameters for this action can be configured |
| # via redirectOptions. This action is only supported in Global Security |
| # Policies of type CLOUD_ARMOR. |
| # - throttle: limit |
| # client traffic to the configured threshold. Configure parameters for this |
| # action in rateLimitOptions. Requires rate_limit_options to be set for |
| # this. |
| # - fairshare (preview only): when traffic reaches the |
| # threshold limit, requests from the clients matching this rule begin to be |
| # rate-limited using the Fair Share algorithm. This action is only allowed |
| # in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "headerAction": { # Optional, additional actions that are performed on headers. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "requestHeadersToAdds": [ # The list of request headers to add or overwrite if they're already |
| # present. |
| { |
| "headerName": "A String", # The name of the header to set. |
| "headerValue": "A String", # The value to set the named header to. |
| }, |
| ], |
| }, |
| "kind": "compute#securityPolicyRule", # [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules |
| "match": { # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "config": { # The configuration options available when specifying versioned_expr. |
| # This field must be specified if versioned_expr is specified and cannot |
| # be specified if versioned_expr is not specified. |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of src_ip_ranges allowed is 10. |
| "A String", |
| ], |
| }, |
| "expr": { # User defined CEVAL expression. |
| # A CEVAL expression is used to specify match criteria such as origin.ip, |
| # source.region_code and contents in the request header. |
| # Expressions containing `evaluateThreatIntelligence` require a Cloud |
| # Armor Enterprise subscription and are not supported in Edge Policies |
| # nor in Regional Policies. Expressions containing |
| # `evaluatePreconfiguredExpr('sourceiplist-*')` require a Cloud Armor |
| # Enterprise subscription and are only supported in Global Security |
| # Policies. |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used, e.g., in UIs that allow entering the |
| # expression. |
| }, |
| "exprOptions": { # The configuration options available when specifying a user defined |
| # CEVAL expression (i.e., 'expr'). |
| "recaptchaOptions": { # reCAPTCHA configuration options to be applied for the rule. If the |
| # rule does not evaluate reCAPTCHA tokens, this field has no effect. |
| "actionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # action-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| "sessionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # session-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| }, |
| }, |
| "versionedExpr": "A String", # Preconfigured versioned expression. |
| # If this field is specified, config must also be specified. |
| # Available preconfigured expressions along with their requirements are: |
| # SRC_IPS_V1 - must specify the corresponding src_ip_range field in |
| # config. |
| }, |
| "networkMatch": { # A match condition that incoming packets are evaluated against for |
| # CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding |
| # 'action' is enforced. |
| # |
| # The match criteria for a rule consists of built-in match fields (like |
| # 'srcIpRanges') and potentially multiple user-defined match fields |
| # ('userDefinedFields'). |
| # |
| # Field values may be extracted directly from the packet or derived from it |
| # (e.g. 'srcRegionCodes'). Some fields may not be present in every packet |
| # (e.g. 'srcPorts'). A user-defined field is only present if the base |
| # header is found in the packet and the entire field is in bounds. |
| # |
| # Each match field may specify which values can match it, listing one or |
| # more ranges, prefixes, or exact values that are considered a match for |
| # the field. A field value must be present in order to match a specified |
| # match field. If no match values are specified for a match field, then any |
| # field value is considered to match it, and it's not required to be |
| # present. For strings, specifying '*' is also equivalent to matching all. |
| # |
| # For a packet to match a rule, all specified match fields must match the |
| # corresponding field values derived from the packet. |
| # |
| # Example: |
| # |
| # networkMatch: |
| # srcIpRanges: |
| # - "192.0.2.0/24" |
| # - "198.51.100.0/24" |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # values: |
| # - "1-0x1fff" |
| # |
| # The above match condition matches packets with a source IP in |
| # 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named |
| # "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive. |
| "destIpRanges": [ # Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text |
| # format. |
| "A String", |
| ], |
| "destPorts": [ # Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "ipProtocols": [ # IPv4 protocol / IPv6 next header (after extension headers). Each |
| # element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. |
| # "253-254"), or one of the following protocol names: "tcp", "udp", |
| # "icmp", "esp", "ah", "ipip", or "sctp". |
| "A String", |
| ], |
| "srcAsns": [ # BGP Autonomous System Number associated with the source IP address. |
| 42, |
| ], |
| "srcIpRanges": [ # Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. |
| "A String", |
| ], |
| "srcPorts": [ # Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "srcRegionCodes": [ # Two-letter ISO 3166-1 alpha-2 country code associated with the source |
| # IP address. |
| "A String", |
| ], |
| "userDefinedFields": [ # User-defined fields. Each element names a defined field and lists the |
| # matching values for that field. |
| { |
| "name": "A String", # Name of the user-defined field, as given in the definition. |
| "values": [ # Matching values of the field. Each element can be a 32-bit unsigned |
| # decimal or hexadecimal (starting with "0x") number (e.g. "64") or |
| # range (e.g. "0x400-0x7ff"). |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| "preconfiguredWafConfig": { # Preconfigured WAF configuration to be applied for the rule. If the rule |
| # does not evaluate preconfigured WAF rules, i.e., if |
| # evaluatePreconfiguredWaf() is not used, this field will have no effect. |
| "exclusions": [ # A list of exclusions to apply during preconfigured WAF evaluation. |
| { |
| "requestCookiesToExclude": [ # A list of request cookie names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestHeadersToExclude": [ # A list of request header names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestQueryParamsToExclude": [ # A list of request query parameter names whose value will be excluded |
| # from inspection during preconfigured WAF evaluation. Note that the |
| # parameter can be in the query string or in the POST body. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestUrisToExclude": [ # A list of request URIs from the request line to be excluded from |
| # inspection during preconfigured WAF evaluation. When specifying this |
| # field, the query or fragment part should be excluded. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "targetRuleIds": [ # A list of target rule IDs under the WAF rule set to apply the |
| # preconfigured WAF exclusion. If omitted, it refers to all the rule |
| # IDs under the WAF rule set. |
| "A String", |
| ], |
| "targetRuleSet": "A String", # Target WAF rule set to apply the preconfigured WAF exclusion. |
| }, |
| ], |
| }, |
| "preview": True or False, # If set to true, the specified action is not enforced. |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "rateLimitOptions": { # Must be specified if the action is "rate_based_ban" or "throttle" or |
| # "fairshare". Cannot be specified for any other actions. |
| "banDurationSec": 42, # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, determines the time (in seconds) |
| # the traffic will continue to be banned by the rate limit after the |
| # rate falls below the threshold. |
| "banThreshold": { # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, the key will be banned for the |
| # configured 'ban_duration_sec' when the number of requests that exceed |
| # the 'rate_limit_threshold' also exceed this 'ban_threshold'. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| "conformAction": "A String", # Action to take for requests that are under the configured rate limit |
| # threshold. Valid option is "allow" only. |
| "enforceOnKey": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKey" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the value |
| # is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of the |
| # HTTPS request. The key value is truncated to the first 128 bytes. The |
| # key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the request |
| # originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration or |
| # an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # For "fairshare" action, this value is limited to ALL i.e. a single rate |
| # limit threshold is enforced for all the requests matching the rule. |
| "enforceOnKeyConfigs": [ # If specified, any combination of values of |
| # enforce_on_key_type/enforce_on_key_name is treated as the key on which |
| # ratelimit threshold/action is enforced. You can specify up to 3 |
| # enforce_on_key_configs. If enforce_on_key_configs is specified, |
| # enforce_on_key must not be specified. |
| { |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the |
| # key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is |
| # taken as the key value. |
| "enforceOnKeyType": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKeyConfigs" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the |
| # value is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of |
| # the HTTPS request. The key value is truncated to the first 128 bytes. |
| # The key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the |
| # request originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration |
| # or an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| }, |
| ], |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the key |
| # value. |
| # HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key |
| # value. |
| "exceedAction": "A String", # Action to take for requests that are above the configured rate limit |
| # threshold, to either deny with a specified HTTP response code, or |
| # redirect to a different endpoint. |
| # Valid options are `deny(STATUS)`, where valid values for |
| # `STATUS` are 403, 404, 429, and 502, and |
| # `redirect`, where the redirect parameters come from |
| # `exceedRedirectOptions` below. |
| # The `redirect` action is only supported in Global Security Policies of |
| # type CLOUD_ARMOR. |
| "exceedRedirectOptions": { # Parameters defining the redirect action that is used as the exceed |
| # action. Cannot be specified if the exceed action is not redirect. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "rateLimitThreshold": { # Threshold at which to begin ratelimiting. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| }, |
| "redirectOptions": { # Parameters defining the redirect action. Cannot be specified for any |
| # other actions. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "shortName": "A String", # User-provided name of the organization security policy. The name should be |
| # unique in the organization in which the security policy is created. This |
| # should only be used when SecurityPolicyType is CLOUD_ARMOR. |
| # The name must be 1-63 characters long, and comply with |
| # https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 |
| # characters long and match the regular expression |
| # `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a |
| # lowercase letter, and all following characters must be a dash, lowercase |
| # letter, or digit, except the last character, which cannot be a dash. |
| "type": "A String", # The type indicates the intended use of the security policy. |
| # |
| # - CLOUD_ARMOR: Cloud Armor backend security policies can |
| # be configured to filter incoming HTTP requests targeting backend services. |
| # They filter requests before they hit the origin servers. |
| # - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can |
| # be configured to filter incoming HTTP requests targeting backend services |
| # (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). |
| # They filter requests before the request is served from Google's cache. |
| # - CLOUD_ARMOR_INTERNAL_SERVICE (preview only): Cloud Armor |
| # internal service policies can be configured to filter HTTP requests |
| # targeting services managed by Traffic Director in a service mesh. They |
| # filter requests before the request is served from the application. |
| # |
| # - CLOUD_ARMOR_NETWORK: Cloud Armor network policies |
| # can be configured to filter packets targeting network load balancing |
| # resources such as backend services, target pools, target instances, and |
| # instances with external IPs. They filter requests before the request is |
| # served from the application. |
| # |
| # |
| # This field can be set only at resource creation time. |
| "userDefinedFields": [ # Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A |
| # user-defined field consists of up to 4 bytes extracted from a fixed offset |
| # in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an |
| # optional mask to select certain bits. Rules may then specify matching |
| # values for these fields. |
| # |
| # Example: |
| # |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # base: IPV4 |
| # offset: 6 |
| # size: 2 |
| # mask: "0x1fff" |
| { |
| "base": "A String", # The base relative to which 'offset' is measured. Possible values are: |
| # |
| # - IPV4: Points to the beginning of the IPv4 header. |
| # - IPV6: Points to the beginning of the IPv6 header. |
| # - TCP: Points to the beginning of the TCP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # - UDP: Points to the beginning of the UDP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # |
| # |
| # required |
| "mask": "A String", # If specified, apply this mask (bitwise AND) to the field to ignore bits |
| # before matching. Encoded as a hexadecimal number (starting with "0x"). |
| # The last byte of the field (in network byte order) corresponds to the |
| # least significant byte of the mask. |
| "name": "A String", # The name of this field. Must be unique within the policy. |
| "offset": 42, # Offset of the first byte of the field (in network byte order) relative to |
| # 'base'. |
| "size": 42, # Size of the field in bytes. Valid values: 1-4. |
| }, |
| ], |
| }</pre> |
| </div> |
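The networkMatch and userDefinedFields semantics documented above (fixed offset from a base header, optional mask, decimal or hexadecimal value ranges, an absent field never matching a specified value list), as an added local model that is not part of the API client or of Cloud Armor. It assumes the packet bytes start at the IPv4 header, models only base IPV4, and takes "in bounds" to mean inside the captured bytes; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Policy-level field definition and rule-level match, copied from the
# examples in the field documentation above.
USER_DEFINED_FIELDS = [
    {"name": "ipv4_fragment_offset", "base": "IPV4",
     "offset": 6, "size": 2, "mask": "0x1fff"},
]
NETWORK_MATCH = {
    "srcIpRanges": ["192.0.2.0/24", "198.51.100.0/24"],
    "userDefinedFields": [
        {"name": "ipv4_fragment_offset", "values": ["1-0x1fff"]},
    ],
}


def parse_number(text):
    """Parse a decimal or "0x"-prefixed hexadecimal number."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_range(text):
    """Turn "64" into (64, 64) and "0x400-0x7ff" into (1024, 2047)."""
    low_text, dash, high_text = text.partition("-")
    low = parse_number(low_text)
    high = parse_number(high_text) if dash else low
    if not 0 <= low <= high <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit unsigned value or range: {text!r}")
    return low, high


def extract_field(packet, definition):
    """Return the masked field value, or None when the field is absent.

    Assumption: "in bounds" means inside the captured packet bytes. Only
    base IPV4 is modelled, with the packet starting at the IPv4 header.
    """
    if definition["base"] != "IPV4":
        raise NotImplementedError("this sketch only models base IPV4")
    if not 1 <= definition["size"] <= 4:
        raise ValueError("size must be 1-4 bytes")
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # base header not found
    start = definition["offset"]
    end = start + definition["size"]
    if end > len(packet):
        return None  # field is not entirely in bounds
    value = int.from_bytes(packet[start:end], "big")  # network byte order
    if definition.get("mask"):
        value &= parse_number(definition["mask"])  # bitwise AND, as documented
    return value


def packet_matches(packet, network_match, definitions):
    """All specified match fields must match for the packet to match."""
    src_ranges = network_match.get("srcIpRanges", [])
    if src_ranges:
        if len(packet) < 20 or packet[0] >> 4 != 4:
            return False  # a specified field must be present to match
        src = ipaddress.ip_address(packet[12:16])
        if not any(src in ipaddress.ip_network(r) for r in src_ranges):
            return False
    by_name = {d["name"]: d for d in definitions}
    for wanted in network_match.get("userDefinedFields", []):
        ranges = [parse_range(v) for v in wanted.get("values", [])]
        if not ranges:
            continue  # no values listed: any value matches, presence optional
        value = extract_field(packet, by_name[wanted["name"]])
        if value is None:
            return False
        if not any(low <= value <= high for low, high in ranges):
            return False
    return True


def build_ipv4_header(src, dst, flags_and_offset):
    """Constructed 20-byte IPv4 header (checksum left at 0) for the demo."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_and_offset, 64, 17, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


# Constructed sample packets: MF flag (0x2000) plus a 13-bit fragment offset.
FIRST_FRAGMENT = build_ipv4_header("192.0.2.10", "203.0.113.1", 0x2000)
LATER_FRAGMENT = build_ipv4_header("192.0.2.10", "203.0.113.1", 0x2000 | 185)
OTHER_SOURCE = build_ipv4_header("203.0.113.9", "203.0.113.1", 0x2000 | 185)

if __name__ == "__main__":
    for label, pkt in [("first fragment", FIRST_FRAGMENT),
                       ("later fragment", LATER_FRAGMENT),
                       ("other source", OTHER_SOURCE),
                       ("truncated", LATER_FRAGMENT[:7])]:
        print(label, packet_matches(pkt, NETWORK_MATCH, USER_DEFINED_FIELDS))
```

The first fragment carries offset 0 after masking, so the documented "1-0x1fff" range selects only non-first fragments from the listed source ranges.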
| |
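The enforceOnKey fallback rules documented under rateLimitOptions above, as an added local model that is not part of the API client or of Cloud Armor: it shows which bucket a request is counted in when the configured header, cookie, X-Forwarded-For value or SNI is missing. The request dictionaries, function names and the tuple form of the combined key are assumptions made for illustration; REGION_CODE, USER_IP and the TLS fingerprint keys are not modelled.

```python
from collections import Counter
import ipaddress

MAX_KEY_BYTES = 128  # truncation limit stated for header, cookie, path and SNI keys
SHARED = ("ALL", b"")  # the single bucket shared by every matching request


def truncate(value):
    """Keep only the first 128 bytes of a key value."""
    return value.encode("utf-8")[:MAX_KEY_BYTES]


def header(request, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in request.get("headers", {}).items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_key(request, key_type, key_name=None):
    """Return (effective key type, key value) for one request."""
    source_ip = ("IP", request["source_ip"].encode())
    if key_type == "ALL":
        return SHARED
    if key_type == "IP":
        return source_ip
    if key_type == "HTTP_HEADER":
        value = header(request, key_name)
        return SHARED if value is None else ("HTTP_HEADER", truncate(value))
    if key_type == "HTTP_COOKIE":
        value = request.get("cookies", {}).get(key_name)
        return SHARED if value is None else ("HTTP_COOKIE", truncate(value))
    if key_type == "XFF_IP":
        xff = header(request, "X-Forwarded-For")
        first = xff.split(",")[0].strip() if xff is not None else ""
        try:
            return ("XFF_IP", str(ipaddress.ip_address(first)).encode())
        except ValueError:
            return source_ip  # header missing or first entry not a valid IP
    if key_type == "HTTP_PATH":
        return ("HTTP_PATH", truncate(request["path"]))
    if key_type == "SNI":
        sni = request.get("sni")  # None models a plain HTTP session
        return SHARED if sni is None else ("SNI", truncate(sni))
    raise ValueError(f"key type not modelled here: {key_type}")


def composite_key(request, configs):
    """Key for enforceOnKeyConfigs: the combination of up to 3 resolved keys.

    Assumption: the combination is represented as a tuple of resolved keys.
    """
    if not 1 <= len(configs) <= 3:
        raise ValueError("enforceOnKeyConfigs accepts up to 3 entries")
    return tuple(
        resolve_key(request, c["enforceOnKeyType"], c.get("enforceOnKeyName"))
        for c in configs)


def bucket_counts(requests, key_type, key_name=None):
    """Count how many requests land in each rate-limit bucket."""
    return Counter(resolve_key(r, key_type, key_name) for r in requests)


# Constructed sample requests (documentation address ranges).
SAMPLE_REQUESTS = [
    {"source_ip": "198.51.100.10", "path": "/login",
     "headers": {"X-Api-Key": "tenant-a",
                 "X-Forwarded-For": "203.0.113.7, 198.51.100.10"}},
    {"source_ip": "198.51.100.11", "path": "/login",
     "headers": {"x-api-key": "tenant-a"}},
    {"source_ip": "198.51.100.12", "path": "/search", "headers": {}},
    {"source_ip": "198.51.100.13", "path": "/search",
     "headers": {"X-Forwarded-For": "not-an-ip"}},
]

if __name__ == "__main__":
    counts = bucket_counts(SAMPLE_REQUESTS, "HTTP_HEADER", "X-Api-Key")
    for bucket, hits in counts.items():
        print(bucket, hits)
    for req in SAMPLE_REQUESTS:
        print(req["source_ip"], resolve_key(req, "XFF_IP"))
```

With an HTTP_HEADER key, the two sample requests that lack the header are counted together in the shared ALL bucket, so the threshold chosen for a per-header limit also has to be acceptable as a combined limit for all clients that omit the header.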
| <div class="method"> |
| <code class="details" id="getRule">getRule(project, region, securityPolicy, priority=None, x__xgafv=None)</code> |
| <pre>Gets a rule at the specified priority. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| securityPolicy: string, Name of the security policy to which the queried rule belongs. (required) |
| priority: integer, The priority of the rule to get from the security policy. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the rule is matched. |
| # The following are the valid actions: |
| # |
| # - allow: allow access to target. |
| # - deny(STATUS): deny access to target, returns the |
| # HTTP response code specified. Valid values for `STATUS` |
| # are 403, 404, and 502. |
| # - rate_based_ban: limit client traffic to the configured |
| # threshold and ban the client if the traffic exceeds the threshold. |
| # Configure parameters for this action in RateLimitOptions. Requires |
| # rate_limit_options to be set. |
| # - redirect: redirect to a different target. This can |
| # either be an internal reCAPTCHA redirect, or an external URL-based |
| # redirect via a 302 response. Parameters for this action can be configured |
| # via redirectOptions. This action is only supported in Global Security |
| # Policies of type CLOUD_ARMOR. |
| # - throttle: limit |
| # client traffic to the configured threshold. Configure parameters for this |
| # action in rateLimitOptions. Requires rate_limit_options to be set for |
| # this. |
| # - fairshare (preview only): when traffic reaches the |
| # threshold limit, requests from the clients matching this rule begin to be |
| # rate-limited using the Fair Share algorithm. This action is only allowed |
| # in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "headerAction": { # Optional, additional actions that are performed on headers. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "requestHeadersToAdds": [ # The list of request headers to add or overwrite if they're already |
| # present. |
| { |
| "headerName": "A String", # The name of the header to set. |
| "headerValue": "A String", # The value to set the named header to. |
| }, |
| ], |
| }, |
| "kind": "compute#securityPolicyRule", # [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules |
| "match": { # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "config": { # The configuration options available when specifying versioned_expr. |
| # This field must be specified if versioned_expr is specified and cannot |
| # be specified if versioned_expr is not specified. |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of src_ip_ranges allowed is 10. |
| "A String", |
| ], |
| }, |
| "expr": { # User defined CEVAL expression. |
| # A CEVAL expression is used to specify match criteria such as origin.ip, |
| # source.region_code and contents in the request header. |
| # Expressions containing `evaluateThreatIntelligence` require a Cloud |
| # Armor Enterprise subscription and are not supported in Edge Policies |
| # nor in Regional Policies. Expressions containing |
| # `evaluatePreconfiguredExpr('sourceiplist-*')` require a Cloud Armor |
| # Enterprise subscription and are only supported in Global Security |
| # Policies. |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used, e.g., in UIs that allow entering the |
| # expression. |
| }, |
| "exprOptions": { # The configuration options available when specifying a user defined |
| # CEVAL expression (i.e., 'expr'). |
| "recaptchaOptions": { # reCAPTCHA configuration options to be applied for the rule. If the |
| # rule does not evaluate reCAPTCHA tokens, this field has no effect. |
| "actionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # action-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| "sessionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # session-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| }, |
| }, |
| "versionedExpr": "A String", # Preconfigured versioned expression. |
| # If this field is specified, config must also be specified. |
| # Available preconfigured expressions along with their requirements are: |
| # SRC_IPS_V1 - must specify the corresponding src_ip_range field in |
| # config. |
| }, |
| "networkMatch": { # A match condition that incoming packets are evaluated against for |
| # CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding |
| # 'action' is enforced. |
| # |
| # The match criteria for a rule consists of built-in match fields (like |
| # 'srcIpRanges') and potentially multiple user-defined match fields |
| # ('userDefinedFields'). |
| # |
| # Field values may be extracted directly from the packet or derived from it |
| # (e.g. 'srcRegionCodes'). Some fields may not be present in every packet |
| # (e.g. 'srcPorts'). A user-defined field is only present if the base |
| # header is found in the packet and the entire field is in bounds. |
| # |
| # Each match field may specify which values can match it, listing one or |
| # more ranges, prefixes, or exact values that are considered a match for |
| # the field. A field value must be present in order to match a specified |
| # match field. If no match values are specified for a match field, then any |
| # field value is considered to match it, and it's not required to be |
| # present. For strings, specifying '*' is also equivalent to matching all. |
| # |
| # For a packet to match a rule, all specified match fields must match the |
| # corresponding field values derived from the packet. |
| # |
| # Example: |
| # |
| # networkMatch: |
| # srcIpRanges: |
| # - "192.0.2.0/24" |
| # - "198.51.100.0/24" |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # values: |
| # - "1-0x1fff" |
| # |
| # The above match condition matches packets with a source IP in |
| # 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named |
| # "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive. |
| "destIpRanges": [ # Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text |
| # format. |
| "A String", |
| ], |
| "destPorts": [ # Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "ipProtocols": [ # IPv4 protocol / IPv6 next header (after extension headers). Each |
| # element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. |
| # "253-254"), or one of the following protocol names: "tcp", "udp", |
| # "icmp", "esp", "ah", "ipip", or "sctp". |
| "A String", |
| ], |
| "srcAsns": [ # BGP Autonomous System Number associated with the source IP address. |
| 42, |
| ], |
| "srcIpRanges": [ # Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. |
| "A String", |
| ], |
| "srcPorts": [ # Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "srcRegionCodes": [ # Two-letter ISO 3166-1 alpha-2 country code associated with the source |
| # IP address. |
| "A String", |
| ], |
| "userDefinedFields": [ # User-defined fields. Each element names a defined field and lists the |
| # matching values for that field. |
| { |
| "name": "A String", # Name of the user-defined field, as given in the definition. |
| "values": [ # Matching values of the field. Each element can be a 32-bit unsigned |
| # decimal or hexadecimal (starting with "0x") number (e.g. "64") or |
| # range (e.g. "0x400-0x7ff"). |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| "preconfiguredWafConfig": { # Preconfigured WAF configuration to be applied for the rule. If the rule |
| # does not evaluate preconfigured WAF rules, i.e., if |
| # evaluatePreconfiguredWaf() is not used, this field will have no effect. |
| "exclusions": [ # A list of exclusions to apply during preconfigured WAF evaluation. |
| { |
| "requestCookiesToExclude": [ # A list of request cookie names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestHeadersToExclude": [ # A list of request header names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestQueryParamsToExclude": [ # A list of request query parameter names whose value will be excluded |
| # from inspection during preconfigured WAF evaluation. Note that the |
| # parameter can be in the query string or in the POST body. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestUrisToExclude": [ # A list of request URIs from the request line to be excluded from |
| # inspection during preconfigured WAF evaluation. When specifying this |
| # field, the query or fragment part should be excluded. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "targetRuleIds": [ # A list of target rule IDs under the WAF rule set to apply the |
| # preconfigured WAF exclusion. If omitted, it refers to all the rule |
| # IDs under the WAF rule set. |
| "A String", |
| ], |
| "targetRuleSet": "A String", # Target WAF rule set to apply the preconfigured WAF exclusion. |
| }, |
| ], |
| }, |
| "preview": True or False, # If set to true, the specified action is not enforced. |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "rateLimitOptions": { # Must be specified if the action is "rate_based_ban" or "throttle" or |
| # "fairshare". Cannot be specified for any other actions. |
| "banDurationSec": 42, # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, determines the time (in seconds) |
| # the traffic will continue to be banned by the rate limit after the |
| # rate falls below the threshold. |
| "banThreshold": { # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, the key will be banned for the |
| # configured 'ban_duration_sec' when the number of requests that exceed |
| # the 'rate_limit_threshold' also exceed this 'ban_threshold'. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| "conformAction": "A String", # Action to take for requests that are under the configured rate limit |
| # threshold. Valid option is "allow" only. |
| "enforceOnKey": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKey" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the value |
| # is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of the |
| # HTTPS request. The key value is truncated to the first 128 bytes. The |
| # key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the request |
| # originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration or |
| # an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # For "fairshare" action, this value is limited to ALL i.e. a single rate |
| # limit threshold is enforced for all the requests matching the rule. |
| "enforceOnKeyConfigs": [ # If specified, any combination of values of |
| # enforce_on_key_type/enforce_on_key_name is treated as the key on which |
| # ratelimit threshold/action is enforced. You can specify up to 3 |
| # enforce_on_key_configs. If enforce_on_key_configs is specified, |
| # enforce_on_key must not be specified. |
| { |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the |
| # key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is |
| # taken as the key value. |
| "enforceOnKeyType": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKeyConfigs" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the |
| # value is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of |
| # the HTTPS request. The key value is truncated to the first 128 bytes. |
| # The key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the |
| # request originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration |
| # or an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| }, |
| ], |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the key |
| # value. |
| # HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key |
| # value. |
| "exceedAction": "A String", # Action to take for requests that are above the configured rate limit |
| # threshold, to either deny with a specified HTTP response code, or |
| # redirect to a different endpoint. |
| # Valid options are `deny(STATUS)`, where valid values for |
| # `STATUS` are 403, 404, 429, and 502, and |
| # `redirect`, where the redirect parameters come from |
| # `exceedRedirectOptions` below. |
| # The `redirect` action is only supported in Global Security Policies of |
| # type CLOUD_ARMOR. |
| "exceedRedirectOptions": { # Parameters defining the redirect action that is used as the exceed |
| # action. Cannot be specified if the exceed action is not redirect. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "rateLimitThreshold": { # Threshold at which to begin ratelimiting. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| }, |
| "redirectOptions": { # Parameters defining the redirect action. Cannot be specified for any |
| # other actions. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| }</pre> |
| </div> |
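<p>Added example (not part of the generated API reference or the client library): a pre-flight check that applies the <code>priority</code> and <code>rateLimitOptions</code> constraints documented above to a rule body before it is sent to a regional policy. The function names and the sample rules are constructed for illustration.</p>

```python
import re

MAX_PRIORITY = 2147483647
RATE_ACTIONS = {"rate_based_ban", "throttle", "fairshare"}
EXCEED_DENY_STATUSES = {"403", "404", "429", "502"}
NAMED_KEY_TYPES = {"HTTP_HEADER", "HTTP_COOKIE"}
# Documented fallback when the key cannot be derived from a request.
KEY_FALLBACK = {
    "HTTP_HEADER": "ALL", "HTTP_COOKIE": "ALL", "SNI": "ALL",
    "TLS_JA3_FINGERPRINT": "ALL", "TLS_JA4_FINGERPRINT": "ALL",
    "XFF_IP": "IP", "USER_IP": "IP",
}
DENY_RE = re.compile(r"deny\((\d+)\)")


def effective_keys(opts):
    """Return [(key type, key name)]; ALL is the documented default key."""
    configs = opts.get("enforceOnKeyConfigs")
    if configs:
        return [(c.get("enforceOnKeyType", "ALL"), c.get("enforceOnKeyName"))
                for c in configs]
    return [(opts.get("enforceOnKey", "ALL"), opts.get("enforceOnKeyName"))]


def key_fallbacks(rule):
    """Map each configured key type to the key it silently degrades to."""
    opts = rule.get("rateLimitOptions") or {}
    return {t: KEY_FALLBACK[t] for t, _ in effective_keys(opts) if t in KEY_FALLBACK}


def validate_rule(rule):
    """Return a list of violations of the constraints documented for a rule."""
    errors = []
    action = rule.get("action")
    opts = rule.get("rateLimitOptions")
    prio = rule.get("priority")
    if isinstance(prio, bool) or not isinstance(prio, int) or not 0 <= prio <= MAX_PRIORITY:
        errors.append("priority: must be an integer from 0 to 2147483647")
    if (action in RATE_ACTIONS) != (opts is not None):
        errors.append("rateLimitOptions: required for, and only allowed with, "
                      "rate_based_ban, throttle and fairshare")
    if opts is None:
        return errors
    if action != "rate_based_ban":
        for field in ("banDurationSec", "banThreshold"):
            if field in opts:
                errors.append(f"{field}: only valid with action rate_based_ban")
    if opts.get("conformAction", "allow") != "allow":
        errors.append("conformAction: the only valid option is allow")
    exceed = opts.get("exceedAction")
    if exceed == "redirect":
        # This page covers regional policies; redirect is global CLOUD_ARMOR only.
        errors.append("exceedAction: redirect is only supported in global policies")
    elif exceed is not None:
        m = DENY_RE.fullmatch(exceed)
        if not m or m.group(1) not in EXCEED_DENY_STATUSES:
            errors.append("exceedAction: expected deny(403|404|429|502)")
    if exceed != "redirect" and "exceedRedirectOptions" in opts:
        errors.append("exceedRedirectOptions: only valid when exceedAction is redirect")
    configs = opts.get("enforceOnKeyConfigs") or []
    if configs and "enforceOnKey" in opts:
        errors.append("enforceOnKey: must not be set with enforceOnKeyConfigs")
    if len(configs) > 3:
        errors.append("enforceOnKeyConfigs: at most 3 entries")
    for key_type, key_name in effective_keys(opts):
        if action == "fairshare" and key_type != "ALL":
            errors.append("fairshare: the key is limited to ALL")
        # Assumption: a named key type without a name is treated as a mistake.
        if key_type in NAMED_KEY_TYPES and not key_name:
            errors.append(f"{key_type}: needs enforceOnKeyName")
        if key_name and key_type not in NAMED_KEY_TYPES:
            errors.append("enforceOnKeyName: only applies to HTTP_HEADER/HTTP_COOKIE")
    return errors


# Constructed sample rules (not taken from any real policy).
SAMPLE_OK = {
    "action": "rate_based_ban", "priority": 1000,
    "rateLimitOptions": {
        "conformAction": "allow", "exceedAction": "deny(429)",
        "rateLimitThreshold": {"count": 100, "intervalSec": 60},
        "banThreshold": {"count": 500, "intervalSec": 600},
        "banDurationSec": 300,
        "enforceOnKeyConfigs": [
            {"enforceOnKeyType": "IP"},
            {"enforceOnKeyType": "HTTP_HEADER", "enforceOnKeyName": "x-api-key"},
        ],
    },
}
SAMPLE_BAD = {
    "action": "throttle", "priority": -1,
    "rateLimitOptions": {
        "conformAction": "deny(403)", "exceedAction": "deny(500)",
        "banDurationSec": 300, "enforceOnKey": "IP",
        "enforceOnKeyConfigs": [{"enforceOnKeyType": "HTTP_COOKIE"}],
    },
}

if __name__ == "__main__":
    for err in validate_rule(SAMPLE_BAD):
        print(err)
    print(key_fallbacks(SAMPLE_OK))
```

<p><code>key_fallbacks</code> is worth reviewing alongside the errors: a key type that degrades to ALL puts every request lacking that header, cookie or fingerprint into one shared rate-limit bucket.</p>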
| |
| <div class="method"> |
| <code class="details" id="insert">insert(project, region, body=None, requestId=None, validateOnly=None, x__xgafv=None)</code> |
| <pre>Creates a new policy in the specified project using the data included in |
| the request. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a Google Cloud Armor security policy resource. |
| # |
| # Only external backend services that use load balancers can |
| # reference a security policy. For more information, see |
| # Google Cloud Armor security policy overview. |
| "adaptiveProtectionConfig": { # Configuration options for Cloud Armor Adaptive Protection (CAAP). |
| "layer7DdosDefenseConfig": { # Configuration options for L7 DDoS detection. # If set to true, enables Cloud Armor Machine Learning. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "enable": True or False, # If set to true, enables CAAP for L7 DDoS detection. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "ruleVisibility": "A String", # Rule visibility can be one of the following: |
| # STANDARD - opaque rules. (default) |
| # PREMIUM - transparent rules. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "thresholdConfigs": [ # Configuration options for layer7 adaptive protection for various |
| # customizable thresholds. |
| { |
| "autoDeployConfidenceThreshold": 3.14, |
| "autoDeployExpirationSec": 42, |
| "autoDeployImpactedBaselineThreshold": 3.14, |
| "autoDeployLoadThreshold": 3.14, |
| "detectionAbsoluteQps": 3.14, |
| "detectionLoadThreshold": 3.14, |
| "detectionRelativeToBaselineQps": 3.14, |
| "name": "A String", # The name must be 1-63 characters long, and comply with RFC1035. |
| # The name must be unique within the security policy. |
| "trafficGranularityConfigs": [ # Configuration options for enabling Adaptive Protection to operate |
| # on specified granular traffic units. |
| { # Configurations to specify granular traffic units processed by |
| # Adaptive Protection. |
| "enableEachUniqueValue": True or False, # If enabled, traffic matching each unique value for the specified |
| # type constitutes a separate traffic unit. |
| # It can only be set to true if `value` is empty. |
| "type": "A String", # Type of this configuration. |
| "value": "A String", # Requests that match this value constitute a granular traffic unit. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "advancedOptionsConfig": { |
| "jsonCustomConfig": { # Custom configuration to apply the JSON parsing. Only applicable when |
| # json_parsing is set to STANDARD. |
| "contentTypes": [ # A list of custom Content-Type header values to apply the JSON parsing. |
| # |
| # As per RFC 1341, a Content-Type header value has the following format: |
| # |
| # Content-Type := type "/" subtype *[";" parameter] |
| # |
| # When configuring a custom Content-Type header value, only the |
| # type/subtype needs to be specified, and the parameters should be |
| # excluded. |
| "A String", |
| ], |
| }, |
| "jsonParsing": "A String", |
| "logLevel": "A String", |
| "userIpRequestHeaders": [ # An optional list of case-insensitive request header names to use for |
| # resolving the callers client IP address. |
| "A String", |
| ], |
| }, |
| "associations": [ # A list of associations that belong to this policy. |
| { |
| "attachmentId": "A String", # The resource that the security policy is attached to. |
| "displayName": "A String", # [Output Only] The display name of the security policy of the association. |
| "excludedFolders": [ # A list of folders to exclude from the security policy. |
| "A String", |
| ], |
| "excludedProjects": [ # A list of projects to exclude from the security policy. |
| "A String", |
| ], |
| "name": "A String", # The name for an association. |
| "securityPolicyId": "A String", # [Output Only] The security policy ID of the association. |
| "shortName": "A String", # [Output Only] The short name of the security policy of the association. |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "ddosProtectionConfig": { |
| "ddosProtection": "A String", |
| }, |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make get() request to the |
| # security policy. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#securityPolicy", # [Output only] Type of the resource. Always compute#securityPolicy for security policies |
| "labelFingerprint": "A String", # A fingerprint for the labels being applied to this security policy, which |
| # is essentially a hash of the labels set used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update labels. You must always provide an |
| # up-to-date fingerprint hash in order to update or change labels. |
| # |
| # To see the latest fingerprint, make get() request to the |
| # security policy. |
| "labels": { # Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. |
| # Label values may be empty. |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "recaptchaOptionsConfig": { |
| "redirectSiteKey": "A String", # An optional field to supply a reCAPTCHA site key to be used for all the |
| # rules using the redirect action with the type of GOOGLE_RECAPTCHA under |
| # the security policy. The specified site key needs to be created from the |
| # reCAPTCHA API. The user is responsible for the validity of the specified |
| # site key. If not specified, a Google-managed site key is used. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| }, |
| "region": "A String", # [Output Only] URL of the region where the regional security policy |
| # resides. This field is not applicable to global security policies. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule which is a rule with priority |
| # 2147483647 and match all condition (for the match condition this means |
| # match "*" for srcIpRanges and for the networkMatch condition every field |
| # must be either match "*" or not set). If no rules are provided when |
| # creating a security policy, a default rule with action "allow" will be |
| # added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the rule is matched. |
| # The following are the valid actions: |
| # |
| # - allow: allow access to target. |
| # - deny(STATUS): deny access to target, returns the |
| # HTTP response code specified. Valid values for `STATUS` |
| # are 403, 404, and 502. |
| # - rate_based_ban: limit client traffic to the configured |
| # threshold and ban the client if the traffic exceeds the threshold. |
| # Configure parameters for this action in RateLimitOptions. Requires |
| # rate_limit_options to be set. |
| # - redirect: redirect to a different target. This can |
| # either be an internal reCAPTCHA redirect, or an external URL-based |
| # redirect via a 302 response. Parameters for this action can be configured |
| # via redirectOptions. This action is only supported in Global Security |
| # Policies of type CLOUD_ARMOR. |
| # - throttle: limit |
| # client traffic to the configured threshold. Configure parameters for this |
| # action in rateLimitOptions. Requires rate_limit_options to be set for |
| # this. |
| # - fairshare (preview only): when traffic reaches the |
| # threshold limit, requests from the clients matching this rule begin to be |
| # rate-limited using the Fair Share algorithm. This action is only allowed |
| # in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "headerAction": { # Optional, additional actions that are performed on headers. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "requestHeadersToAdds": [ # The list of request headers to add or overwrite if they're already |
| # present. |
| { |
| "headerName": "A String", # The name of the header to set. |
| "headerValue": "A String", # The value to set the named header to. |
| }, |
| ], |
| }, |
| "kind": "compute#securityPolicyRule", # [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "config": { # The configuration options available when specifying versioned_expr. |
| # This field must be specified if versioned_expr is specified and cannot |
| # be specified if versioned_expr is not specified. |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of src_ip_ranges allowed is 10. |
| "A String", |
| ], |
| }, |
| "expr": { # Represents a textual expression in the Common Expression Language (CEL) # User defined CEVAL expression. |
| # A CEVAL expression is used to specify match criteria such as origin.ip, |
| # source.region_code and contents in the request header. |
| # Expressions containing `evaluateThreatIntelligence` require a Cloud |
| # Armor Enterprise subscription and are not supported in Edge Policies |
| # nor in Regional Policies. Expressions containing |
| # `evaluatePreconfiguredExpr('sourceiplist-*')` require a Cloud Armor |
| # Enterprise subscription and are only supported in Global Security |
| # Policies. |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "exprOptions": { # The configuration options available when specifying a user defined |
| # CEVAL expression (i.e., 'expr'). |
| "recaptchaOptions": { # reCAPTCHA configuration options to be applied for the rule. If the |
| # rule does not evaluate reCAPTCHA tokens, this field has no effect. |
| "actionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # action-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| "sessionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # session-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| }, |
| }, |
| "versionedExpr": "A String", # Preconfigured versioned expression. |
| # If this field is specified, config must also be specified. |
| # Available preconfigured expressions along with their requirements are: |
| # SRC_IPS_V1 - must specify the corresponding src_ip_range field in |
| # config. |
| }, |
| "networkMatch": { # Represents a match condition that incoming network traffic is evaluated # A match condition that incoming packets are evaluated against for |
| # CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding |
| # 'action' is enforced. |
| # |
| # The match criteria for a rule consists of built-in match fields (like |
| # 'srcIpRanges') and potentially multiple user-defined match fields |
| # ('userDefinedFields'). |
| # |
| # Field values may be extracted directly from the packet or derived from it |
| # (e.g. 'srcRegionCodes'). Some fields may not be present in every packet |
| # (e.g. 'srcPorts'). A user-defined field is only present if the base |
| # header is found in the packet and the entire field is in bounds. |
| # |
| # Each match field may specify which values can match it, listing one or |
| # more ranges, prefixes, or exact values that are considered a match for |
| # the field. A field value must be present in order to match a specified |
| # match field. If no match values are specified for a match field, then any |
| # field value is considered to match it, and it's not required to be |
| # present. For strings specifying '*' is also equivalent to match all. |
| # |
| # For a packet to match a rule, all specified match fields must match the |
| # corresponding field values derived from the packet. |
| # |
| # Example: |
| # |
| # networkMatch: |
| # srcIpRanges: |
| # - "192.0.2.0/24" |
| # - "198.51.100.0/24" |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # values: |
| # - "1-0x1fff" |
| # |
| # The above match condition matches packets with a source IP in |
| # 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named |
| # "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive. |
| # against. |
| "destIpRanges": [ # Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text |
| # format. |
| "A String", |
| ], |
| "destPorts": [ # Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "ipProtocols": [ # IPv4 protocol / IPv6 next header (after extension headers). Each |
| # element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. |
| # "253-254"), or one of the following protocol names: "tcp", "udp", |
| # "icmp", "esp", "ah", "ipip", or "sctp". |
| "A String", |
| ], |
| "srcAsns": [ # BGP Autonomous System Number associated with the source IP address. |
| 42, |
| ], |
| "srcIpRanges": [ # Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. |
| "A String", |
| ], |
| "srcPorts": [ # Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "srcRegionCodes": [ # Two-letter ISO 3166-1 alpha-2 country code associated with the source |
| # IP address. |
| "A String", |
| ], |
| "userDefinedFields": [ # User-defined fields. Each element names a defined field and lists the |
| # matching values for that field. |
| { |
| "name": "A String", # Name of the user-defined field, as given in the definition. |
| "values": [ # Matching values of the field. Each element can be a 32-bit unsigned |
| # decimal or hexadecimal (starting with "0x") number (e.g. "64") or |
| # range (e.g. "0x400-0x7ff"). |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| "preconfiguredWafConfig": { # Preconfigured WAF configuration to be applied for the rule. If the rule |
| # does not evaluate preconfigured WAF rules, i.e., if |
| # evaluatePreconfiguredWaf() is not used, this field will have no effect. |
| "exclusions": [ # A list of exclusions to apply during preconfigured WAF evaluation. |
| { |
| "requestCookiesToExclude": [ # A list of request cookie names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestHeadersToExclude": [ # A list of request header names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestQueryParamsToExclude": [ # A list of request query parameter names whose value will be excluded |
| # from inspection during preconfigured WAF evaluation. Note that the |
| # parameter can be in the query string or in the POST body. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestUrisToExclude": [ # A list of request URIs from the request line to be excluded from |
| # inspection during preconfigured WAF evaluation. When specifying this |
| # field, the query or fragment part should be excluded. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "targetRuleIds": [ # A list of target rule IDs under the WAF rule set to apply the |
| # preconfigured WAF exclusion. If omitted, it refers to all the rule |
| # IDs under the WAF rule set. |
| "A String", |
| ], |
| "targetRuleSet": "A String", # Target WAF rule set to apply the preconfigured WAF exclusion. |
| }, |
| ], |
| }, |
| "preview": True or False, # If set to true, the specified action is not enforced. |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "rateLimitOptions": { # Must be specified if the action is "rate_based_ban" or "throttle" or |
| # "fairshare". Cannot be specified for any other actions. |
| "banDurationSec": 42, # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, determines the time (in seconds) |
| # the traffic will continue to be banned by the rate limit after the |
| # rate falls below the threshold. |
| "banThreshold": { # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, the key will be banned for the |
| # configured 'ban_duration_sec' when the number of requests that exceed |
| # the 'rate_limit_threshold' also exceed this 'ban_threshold'. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| "conformAction": "A String", # Action to take for requests that are under the configured rate limit |
| # threshold. Valid option is "allow" only. |
| "enforceOnKey": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKey" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the value |
| # is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of the |
| # HTTPS request. The key value is truncated to the first 128 bytes. The |
| # key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the request |
| # originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration or |
| # an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # For "fairshare" action, this value is limited to ALL i.e. a single rate |
| # limit threshold is enforced for all the requests matching the rule. |
| "enforceOnKeyConfigs": [ # If specified, any combination of values of |
| # enforce_on_key_type/enforce_on_key_name is treated as the key on which |
| # ratelimit threshold/action is enforced. You can specify up to 3 |
| # enforce_on_key_configs. If enforce_on_key_configs is specified, |
| # enforce_on_key must not be specified. |
| { |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the |
| # key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is |
| # taken as the key value. |
| "enforceOnKeyType": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKeyConfigs" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the |
| # value is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of |
| # the HTTPS request. The key value is truncated to the first 128 bytes. |
| # The key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the |
| # request originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration |
| # or an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| }, |
| ], |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the key |
| # value. |
| # HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key |
| # value. |
| "exceedAction": "A String", # Action to take for requests that are above the configured rate limit |
| # threshold, to either deny with a specified HTTP response code, or |
| # redirect to a different endpoint. |
| # Valid options are `deny(STATUS)`, where valid values for |
| # `STATUS` are 403, 404, 429, and 502, and |
| # `redirect`, where the redirect parameters come from |
| # `exceedRedirectOptions` below. |
| # The `redirect` action is only supported in Global Security Policies of |
| # type CLOUD_ARMOR. |
| "exceedRedirectOptions": { # Parameters defining the redirect action that is used as the exceed |
| # action. Cannot be specified if the exceed action is not redirect. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "rateLimitThreshold": { # Threshold at which to begin ratelimiting. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| }, |
| "redirectOptions": { # Parameters defining the redirect action. Cannot be specified for any |
| # other actions. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "shortName": "A String", # User-provided name of the organization security policy. The name should be |
| # unique in the organization in which the security policy is created. This |
| # should only be used when SecurityPolicyType is CLOUD_ARMOR. |
| # The name must be 1-63 characters long, and comply with |
| # https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 |
| # characters long and match the regular expression |
| # `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a |
| # lowercase letter, and all following characters must be a dash, lowercase |
| # letter, or digit, except the last character, which cannot be a dash. |
| "type": "A String", # The type indicates the intended use of the security policy. |
| # |
| # - CLOUD_ARMOR: Cloud Armor backend security policies can |
| # be configured to filter incoming HTTP requests targeting backend services. |
| # They filter requests before they hit the origin servers. |
| # - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can |
| # be configured to filter incoming HTTP requests targeting backend services |
| # (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). |
| # They filter requests before the request is served from Google's cache. |
| # - CLOUD_ARMOR_INTERNAL_SERVICE (preview only): Cloud Armor |
| # internal service policies can be configured to filter HTTP requests |
| # targeting services managed by Traffic Director in a service mesh. They |
| # filter requests before the request is served from the application. |
| # |
| # - CLOUD_ARMOR_NETWORK: Cloud Armor network policies |
| # can be configured to filter packets targeting network load balancing |
| # resources such as backend services, target pools, target instances, and |
| # instances with external IPs. They filter requests before the request is |
| # served from the application. |
| # |
| # |
| # This field can be set only at resource creation time. |
| "userDefinedFields": [ # Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A |
| # user-defined field consists of up to 4 bytes extracted from a fixed offset |
| # in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an |
| # optional mask to select certain bits. Rules may then specify matching |
| # values for these fields. |
| # |
| # Example: |
| # |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # base: IPV4 |
| # offset: 6 |
| # size: 2 |
| # mask: "0x1fff" |
| { |
| "base": "A String", # The base relative to which 'offset' is measured. Possible values are: |
| # |
| # - IPV4: Points to the beginning of the IPv4 header. |
| # - IPV6: Points to the beginning of the IPv6 header. |
| # - TCP: Points to the beginning of the TCP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # - UDP: Points to the beginning of the UDP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # |
| # |
| # required |
| "mask": "A String", # If specified, apply this mask (bitwise AND) to the field to ignore bits |
| # before matching. Encoded as a hexadecimal number (starting with "0x"). |
| # The last byte of the field (in network byte order) corresponds to the |
| # least significant byte of the mask. |
| "name": "A String", # The name of this field. Must be unique within the policy. |
| "offset": 42, # Offset of the first byte of the field (in network byte order) relative to |
| # 'base'. |
| "size": 42, # Size of the field in bytes. Valid values: 1-4. |
| }, |
| ], |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| validateOnly: boolean, If true, the request will not be committed. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
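<p>The <code>enforceOnKey</code> fallbacks documented above decide which counter a request is charged to. The following is an added example, not part of the generated reference or of Cloud Armor itself: a local model of the documented key resolution, showing that requests missing the configured header collapse into the single shared <code>ALL</code> bucket. The request dictionaries, the helper names and the single-IP reading of <code>userIpRequestHeaders</code> are assumptions.</p>

```python
import ipaddress

MAX_KEY_BYTES = 128  # documented cap for header, cookie, path and SNI key values


def _cap(value):
    """Keep only the first 128 bytes of a key value."""
    return value.encode("utf-8")[:MAX_KEY_BYTES].decode("utf-8", "ignore")


def resolve_key(key_type, key_name, req, user_ip_headers=()):
    """Return (effective_type, value) for one key setting, applying the
    fallbacks listed in the enforceOnKey field description."""
    # HTTP header names are case-insensitive, so compare them lowercased.
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    shared = ("ALL", "")                 # one counter for every matching request
    per_ip = ("IP", req["source_ip"])    # one counter per source address
    if key_type == "ALL":
        return shared
    if key_type == "IP":
        return per_ip
    if key_type == "HTTP_HEADER":
        value = headers.get((key_name or "").lower())
        return ("HTTP_HEADER", _cap(value)) if value is not None else shared
    if key_type == "HTTP_COOKIE":
        value = req.get("cookies", {}).get(key_name)
        return ("HTTP_COOKIE", _cap(value)) if value is not None else shared
    if key_type == "XFF_IP":
        first = headers.get("x-forwarded-for", "").split(",")[0].strip()
        try:
            return ("XFF_IP", str(ipaddress.ip_address(first)))
        except ValueError:               # header absent or first entry not an IP
            return per_ip
    if key_type == "USER_IP":
        # Assumption: the first configured header holding one valid IP wins.
        for name in user_ip_headers:
            candidate = headers.get(name.lower(), "").strip()
            try:
                return ("USER_IP", str(ipaddress.ip_address(candidate)))
            except ValueError:
                continue
        return per_ip
    if key_type == "HTTP_PATH":
        return ("HTTP_PATH", _cap(req["path"]))
    if key_type == "SNI":
        return ("SNI", _cap(req["sni"])) if req.get("sni") else shared
    if key_type == "REGION_CODE":
        return ("REGION_CODE", req.get("region_code", ""))
    if key_type in ("TLS_JA3_FINGERPRINT", "TLS_JA4_FINGERPRINT"):
        fp = req.get("ja3" if key_type == "TLS_JA3_FINGERPRINT" else "ja4")
        return (key_type, fp) if fp else shared
    raise ValueError(f"unknown key type: {key_type}")


def bucket_for(rate_limit_options, req, user_ip_headers=()):
    """Return the tuple identifying the counter a request is charged to."""
    configs = rate_limit_options.get("enforceOnKeyConfigs")
    if configs:
        if "enforceOnKey" in rate_limit_options:
            raise ValueError("enforceOnKey must not be set with enforceOnKeyConfigs")
        if len(configs) > 3:
            raise ValueError("at most 3 enforceOnKeyConfigs are allowed")
        return tuple(
            resolve_key(c.get("enforceOnKeyType", "ALL"),
                        c.get("enforceOnKeyName"), req, user_ip_headers)
            for c in configs
        )
    return (resolve_key(rate_limit_options.get("enforceOnKey", "ALL"),
                        rate_limit_options.get("enforceOnKeyName"),
                        req, user_ip_headers),)


# Constructed sample requests (documentation address ranges, made-up header).
REQ_A = {"source_ip": "198.51.100.10", "path": "/login",
         "headers": {"X-Api-Key": "key-a",
                     "X-Forwarded-For": "203.0.113.7, 10.0.0.1"}}
REQ_B = {"source_ip": "198.51.100.11", "path": "/login",
         "headers": {"X-Forwarded-For": "not-an-ip"}}
REQ_C = {"source_ip": "198.51.100.12", "path": "/login", "headers": {}}

HEADER_RULE = {"enforceOnKey": "HTTP_HEADER", "enforceOnKeyName": "X-Api-Key"}
COMBINED_RULE = {"enforceOnKeyConfigs": [{"enforceOnKeyType": "IP"},
                                         {"enforceOnKeyType": "HTTP_PATH"}]}

if __name__ == "__main__":
    for label, req in (("A", REQ_A), ("B", REQ_B), ("C", REQ_C)):
        print(label, bucket_for(HEADER_RULE, req), bucket_for(COMBINED_RULE, req))
```

<p>Requests B and C come from different addresses but share one counter under the header rule, so a header-keyed rule is usually paired with a per-IP key in <code>enforceOnKeyConfigs</code>.</p>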
| |
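<p>The <code>userDefinedFields</code> description above (base, offset, size, mask) can be checked against real bytes before a CLOUD_ARMOR_NETWORK rule depends on it. The following is an added example, not part of the generated reference: it evaluates a field definition against constructed IPv4 packets, including the <code>ipv4_fragment_offset</code> field from the documentation. The two TCP field definitions, the helper names and the treatment of a protocol mismatch as "not present" are assumptions, and only IPv4 packets are handled.</p>

```python
import struct

PROTO = {"TCP": 6, "UDP": 17}  # IANA protocol numbers


def extract_udf(packet, field):
    """Return the masked integer value of a user-defined field for an IPv4
    packet, or None when the field is not present in that packet."""
    size = field["size"]
    if not 1 <= size <= 4:
        raise ValueError("size must be 1-4 bytes")
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                      # header length incl. options
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    base = field["base"]
    if base == "IPV4":
        start = 0
    elif base in PROTO:
        # TCP/UDP bases skip IPv4 options and do not exist in non-first
        # fragments. Assumption: a protocol mismatch also means "not present".
        if packet[9] != PROTO[base] or frag_offset != 0:
            return None
        start = ihl
    else:
        raise ValueError(f"unsupported base in this sketch: {base}")
    lo = start + field["offset"]
    raw = packet[lo:lo + size]
    if len(raw) < size:                               # field runs past the packet
        return None
    value = int.from_bytes(raw, "big")                # network byte order
    if field.get("mask"):
        value &= int(field["mask"], 16)               # mask is "0x..." hex text
    return value


def build_ipv4(proto, flags_frag, payload, options=b""):
    """Build a constructed IPv4 packet (checksum left at 0)."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
        20 + len(options) + len(payload), 0x1234, flags_frag, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + options + payload


def build_tcp(dport, flags):
    """Build a constructed 20-byte TCP header (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags,
                       65535, 0, 0)


# Field from the documentation example.
FRAG_OFFSET = {"name": "ipv4_fragment_offset", "base": "IPV4",
               "offset": 6, "size": 2, "mask": "0x1fff"}
# Hypothetical fields, defined here only for illustration.
TCP_SYN_ACK = {"name": "tcp_syn_ack_bits", "base": "TCP",
               "offset": 13, "size": 1, "mask": "0x12"}
TCP_DPORT = {"name": "tcp_dst_port", "base": "TCP", "offset": 2, "size": 2}
UDP_DPORT = {"name": "udp_dst_port", "base": "UDP", "offset": 2, "size": 2}

# Constructed packets: a TCP SYN with DF set and 4 bytes of IPv4 options,
# and a later fragment (MF set, fragment offset 185) of a TCP datagram.
SYN_WITH_OPTIONS = build_ipv4(6, 0x4000, build_tcp(443, 0x02),
                              options=b"\x01\x01\x01\x01")
LATER_FRAGMENT = build_ipv4(6, 0x2000 | 185, b"\x00" * 20)

if __name__ == "__main__":
    for f in (FRAG_OFFSET, TCP_SYN_ACK, TCP_DPORT, UDP_DPORT):
        print(f["name"], extract_udf(SYN_WITH_OPTIONS, f),
              extract_udf(LATER_FRAGMENT, f))
```

<p>The later fragment yields no value for any TCP-based field, so a rule that matches only on TCP or UDP fields never sees non-first fragments; the fragment-offset field is what lets a rule address them.</p>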
| <div class="method"> |
| <code class="details" id="list">list(project, region, filter=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, x__xgafv=None)</code> |
| <pre>List all the policies that have been configured for the specified project |
| and region. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| filter: string, A filter expression that filters resources listed in the response. Most |
| Compute resources support two types of filter expressions: |
| expressions that support regular expressions and expressions that follow |
| API improvement proposal AIP-160. |
| These two types of filter expressions cannot be mixed in one request. |
| |
| If you want to use AIP-160, your expression must specify the field name, an |
| operator, and the value that you want to use for filtering. The value |
| must be a string, a number, or a boolean. The operator |
| must be either `=`, `!=`, `>`, `<`, `<=`, `>=` or `:`. |
| |
| For example, if you are filtering Compute Engine instances, you can |
| exclude instances named `example-instance` by specifying |
| `name != example-instance`. |
| |
| The `:*` comparison can be used to test whether a key has been defined. |
| For example, to find all objects with `owner` label use: |
| ``` |
| labels.owner:* |
| ``` |
| |
| You can also filter nested fields. For example, you could specify |
| `scheduling.automaticRestart = false` to include instances only |
| if they are not scheduled for automatic restarts. You can use filtering |
| on nested fields to filter based on resource labels. |
| |
| To filter on multiple expressions, provide each separate expression within |
| parentheses. For example: |
| ``` |
| (scheduling.automaticRestart = true) |
| (cpuPlatform = "Intel Skylake") |
| ``` |
| By default, each expression is an `AND` expression. However, you |
| can include `AND` and `OR` expressions explicitly. |
| For example: |
| ``` |
| (cpuPlatform = "Intel Skylake") OR |
| (cpuPlatform = "Intel Broadwell") AND |
| (scheduling.automaticRestart = true) |
| ``` |
| |
| If you want to use a regular expression, use the `eq` (equal) or `ne` |
| (not equal) operator against a single un-parenthesized expression with or |
| without quotes or against multiple parenthesized expressions. Examples: |
| |
| `fieldname eq unquoted literal` |
| `fieldname eq 'single quoted literal'` |
| `fieldname eq "double quoted literal"` |
| `(fieldname1 eq literal) (fieldname2 ne "literal")` |
| |
| The literal value is interpreted as a regular expression using Google RE2 library syntax. |
| The literal value must match the entire field. |
| |
| For example, to filter for instances whose names do not end with "instance", |
| you would use `name ne .*instance`. |
| |
| You cannot combine constraints on multiple fields using regular |
| expressions. |
| maxResults: integer, The maximum number of results per page that should be returned. |
| If the number of available results is larger than `maxResults`, |
| Compute Engine returns a `nextPageToken` that can be used to get |
| the next page of results in subsequent list requests. Acceptable values are |
| `0` to `500`, inclusive. (Default: `500`) |
| orderBy: string, Sorts list results by a certain order. By default, results |
| are returned in alphanumerical order based on the resource name. |
| |
| You can also sort results in descending order based on the creation |
| timestamp using `orderBy="creationTimestamp desc"`. This sorts |
| results based on the `creationTimestamp` field in |
| reverse chronological order (newest result first). Use this to sort |
| resources like operations so that the newest operation is returned first. |
| |
| Currently, only sorting by `name` or |
| `creationTimestamp desc` is supported. |
| pageToken: string, Specifies a page token to use. Set `pageToken` to the |
| `nextPageToken` returned by a previous list request to get |
| the next page of results. |
| returnPartialSuccess: boolean, Opt-in for partial success behavior which provides partial results in case |
| of failure. The default value is false. |
| |
| For example, when partial success behavior is enabled, aggregatedList for a |
| single zone scope either returns all resources in the zone or no resources, |
| with an error code. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "id": "A String", # [Output Only] Unique identifier for the resource; defined by the server. |
| "items": [ # A list of SecurityPolicy resources. |
| { # Represents a Google Cloud Armor security policy resource. |
| # |
| # Only external backend services that use load balancers can |
| # reference a security policy. For more information, see |
| # Google Cloud Armor security policy overview. |
| "adaptiveProtectionConfig": { # Configuration options for Cloud Armor Adaptive Protection (CAAP). |
| "layer7DdosDefenseConfig": { # Configuration options for L7 DDoS detection. # If set to true, enables Cloud Armor Machine Learning. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "enable": True or False, # If set to true, enables CAAP for L7 DDoS detection. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "ruleVisibility": "A String", # Rule visibility can be one of the following: |
| # STANDARD - opaque rules. (default) |
| # PREMIUM - transparent rules. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "thresholdConfigs": [ # Configuration options for layer7 adaptive protection for various |
| # customizable thresholds. |
| { |
| "autoDeployConfidenceThreshold": 3.14, |
| "autoDeployExpirationSec": 42, |
| "autoDeployImpactedBaselineThreshold": 3.14, |
| "autoDeployLoadThreshold": 3.14, |
| "detectionAbsoluteQps": 3.14, |
| "detectionLoadThreshold": 3.14, |
| "detectionRelativeToBaselineQps": 3.14, |
| "name": "A String", # The name must be 1-63 characters long, and comply with RFC1035. |
| # The name must be unique within the security policy. |
| "trafficGranularityConfigs": [ # Configuration options for enabling Adaptive Protection to operate |
| # on specified granular traffic units. |
| { # Configurations to specify granular traffic units processed by |
| # Adaptive Protection. |
| "enableEachUniqueValue": True or False, # If enabled, traffic matching each unique value for the specified |
| # type constitutes a separate traffic unit. |
| # It can only be set to true if `value` is empty. |
| "type": "A String", # Type of this configuration. |
| "value": "A String", # Requests that match this value constitute a granular traffic unit. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "advancedOptionsConfig": { |
| "jsonCustomConfig": { # Custom configuration to apply the JSON parsing. Only applicable when |
| # json_parsing is set to STANDARD. |
| "contentTypes": [ # A list of custom Content-Type header values to apply the JSON parsing. |
| # |
| # As per RFC 1341, a Content-Type header value has the following format: |
| # |
| # Content-Type := type "/" subtype *[";" parameter] |
| # |
| # When configuring a custom Content-Type header value, only the |
| # type/subtype needs to be specified, and the parameters should be |
| # excluded. |
| "A String", |
| ], |
| }, |
| "jsonParsing": "A String", |
| "logLevel": "A String", |
| "userIpRequestHeaders": [ # An optional list of case-insensitive request header names to use for |
| # resolving the caller's client IP address. |
| "A String", |
| ], |
| }, |
| "associations": [ # A list of associations that belong to this policy. |
| { |
| "attachmentId": "A String", # The resource that the security policy is attached to. |
| "displayName": "A String", # [Output Only] The display name of the security policy of the association. |
| "excludedFolders": [ # A list of folders to exclude from the security policy. |
| "A String", |
| ], |
| "excludedProjects": [ # A list of projects to exclude from the security policy. |
| "A String", |
| ], |
| "name": "A String", # The name for an association. |
| "securityPolicyId": "A String", # [Output Only] The security policy ID of the association. |
| "shortName": "A String", # [Output Only] The short name of the security policy of the association. |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "ddosProtectionConfig": { |
| "ddosProtection": "A String", |
| }, |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to the |
| # security policy. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#securityPolicy", # [Output only] Type of the resource. Always compute#securityPolicy for security policies |
| "labelFingerprint": "A String", # A fingerprint for the labels being applied to this security policy, which |
| # is essentially a hash of the labels set used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update labels. You must always provide an |
| # up-to-date fingerprint hash in order to update or change labels. |
| # |
| # To see the latest fingerprint, make a get() request to the |
| # security policy. |
| "labels": { # Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. |
| # Label values may be empty. |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "recaptchaOptionsConfig": { |
| "redirectSiteKey": "A String", # An optional field to supply a reCAPTCHA site key to be used for all the |
| # rules using the redirect action with the type of GOOGLE_RECAPTCHA under |
| # the security policy. The specified site key needs to be created from the |
| # reCAPTCHA API. The user is responsible for the validity of the specified |
| # site key. If not specified, a Google-managed site key is used. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| }, |
| "region": "A String", # [Output Only] URL of the region where the regional security policy |
| # resides. This field is not applicable to global security policies. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule which is a rule with priority |
| # 2147483647 and match all condition (for the match condition this means |
| # match "*" for srcIpRanges and for the networkMatch condition every field |
| # must be either match "*" or not set). If no rules are provided when |
| # creating a security policy, a default rule with action "allow" will be |
| # added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the rule is matched. |
| # The following are the valid actions: |
| # |
| # - allow: allow access to target. |
| # - deny(STATUS): deny access to target, returns the |
| # HTTP response code specified. Valid values for `STATUS` |
| # are 403, 404, and 502. |
| # - rate_based_ban: limit client traffic to the configured |
| # threshold and ban the client if the traffic exceeds the threshold. |
| # Configure parameters for this action in RateLimitOptions. Requires |
| # rate_limit_options to be set. |
| # - redirect: redirect to a different target. This can |
| # either be an internal reCAPTCHA redirect, or an external URL-based |
| # redirect via a 302 response. Parameters for this action can be configured |
| # via redirectOptions. This action is only supported in Global Security |
| # Policies of type CLOUD_ARMOR. |
| # - throttle: limit |
| # client traffic to the configured threshold. Configure parameters for this |
| # action in rateLimitOptions. Requires rate_limit_options to be set for |
| # this. |
| # - fairshare (preview only): when traffic reaches the |
| # threshold limit, requests from the clients matching this rule begin to be |
| # rate-limited using the Fair Share algorithm. This action is only allowed |
| # in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "headerAction": { # Optional, additional actions that are performed on headers. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "requestHeadersToAdds": [ # The list of request headers to add or overwrite if they're already |
| # present. |
| { |
| "headerName": "A String", # The name of the header to set. |
| "headerValue": "A String", # The value to set the named header to. |
| }, |
| ], |
| }, |
| "kind": "compute#securityPolicyRule", # [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules |
| "match": { # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "config": { # The configuration options available when specifying versioned_expr. |
| # This field must be specified if versioned_expr is specified and cannot |
| # be specified if versioned_expr is not specified. |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of src_ip_ranges allowed is 10. |
| "A String", |
| ], |
| }, |
| "expr": { # User defined CEVAL expression. |
| # A CEVAL expression is used to specify match criteria such as origin.ip, |
| # source.region_code and contents in the request header. |
| # Expressions containing `evaluateThreatIntelligence` require a Cloud |
| # Armor Enterprise subscription and are not supported in Edge Policies |
| # nor in Regional Policies. Expressions containing |
| # `evaluatePreconfiguredExpr('sourceiplist-*')` require a Cloud Armor |
| # Enterprise subscription and are only supported in Global Security |
| # Policies. |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "exprOptions": { # The configuration options available when specifying a user defined |
| # CEVAL expression (i.e., 'expr'). |
| "recaptchaOptions": { # reCAPTCHA configuration options to be applied for the rule. If the |
| # rule does not evaluate reCAPTCHA tokens, this field has no effect. |
| "actionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # action-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| "sessionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # session-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| }, |
| }, |
| "versionedExpr": "A String", # Preconfigured versioned expression. |
| # If this field is specified, config must also be specified. |
| # Available preconfigured expressions along with their requirements are: |
| # SRC_IPS_V1 - must specify the corresponding src_ip_range field in |
| # config. |
| }, |
| "networkMatch": { # A match condition that incoming packets are evaluated against for |
| # CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding |
| # 'action' is enforced. |
| # |
| # The match criteria for a rule consists of built-in match fields (like |
| # 'srcIpRanges') and potentially multiple user-defined match fields |
| # ('userDefinedFields'). |
| # |
| # Field values may be extracted directly from the packet or derived from it |
| # (e.g. 'srcRegionCodes'). Some fields may not be present in every packet |
| # (e.g. 'srcPorts'). A user-defined field is only present if the base |
| # header is found in the packet and the entire field is in bounds. |
| # |
| # Each match field may specify which values can match it, listing one or |
| # more ranges, prefixes, or exact values that are considered a match for |
| # the field. A field value must be present in order to match a specified |
| # match field. If no match values are specified for a match field, then any |
| # field value is considered to match it, and it's not required to be |
| # present. For strings specifying '*' is also equivalent to match all. |
| # |
| # For a packet to match a rule, all specified match fields must match the |
| # corresponding field values derived from the packet. |
| # |
| # Example: |
| # |
| # networkMatch: |
| # srcIpRanges: |
| # - "192.0.2.0/24" |
| # - "198.51.100.0/24" |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # values: |
| # - "1-0x1fff" |
| # |
| # The above match condition matches packets with a source IP in |
| # 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named |
| # "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive. |
| "destIpRanges": [ # Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text |
| # format. |
| "A String", |
| ], |
| "destPorts": [ # Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "ipProtocols": [ # IPv4 protocol / IPv6 next header (after extension headers). Each |
| # element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. |
| # "253-254"), or one of the following protocol names: "tcp", "udp", |
| # "icmp", "esp", "ah", "ipip", or "sctp". |
| "A String", |
| ], |
| "srcAsns": [ # BGP Autonomous System Number associated with the source IP address. |
| 42, |
| ], |
| "srcIpRanges": [ # Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. |
| "A String", |
| ], |
| "srcPorts": [ # Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "srcRegionCodes": [ # Two-letter ISO 3166-1 alpha-2 country code associated with the source |
| # IP address. |
| "A String", |
| ], |
| "userDefinedFields": [ # User-defined fields. Each element names a defined field and lists the |
| # matching values for that field. |
| { |
| "name": "A String", # Name of the user-defined field, as given in the definition. |
| "values": [ # Matching values of the field. Each element can be a 32-bit unsigned |
| # decimal or hexadecimal (starting with "0x") number (e.g. "64") or |
| # range (e.g. "0x400-0x7ff"). |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| "preconfiguredWafConfig": { # Preconfigured WAF configuration to be applied for the rule. If the rule |
| # does not evaluate preconfigured WAF rules, i.e., if |
| # evaluatePreconfiguredWaf() is not used, this field will have no effect. |
| "exclusions": [ # A list of exclusions to apply during preconfigured WAF evaluation. |
| { |
| "requestCookiesToExclude": [ # A list of request cookie names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestHeadersToExclude": [ # A list of request header names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestQueryParamsToExclude": [ # A list of request query parameter names whose value will be excluded |
| # from inspection during preconfigured WAF evaluation. Note that the |
| # parameter can be in the query string or in the POST body. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestUrisToExclude": [ # A list of request URIs from the request line to be excluded from |
| # inspection during preconfigured WAF evaluation. When specifying this |
| # field, the query or fragment part should be excluded. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "targetRuleIds": [ # A list of target rule IDs under the WAF rule set to apply the |
| # preconfigured WAF exclusion. If omitted, it refers to all the rule |
| # IDs under the WAF rule set. |
| "A String", |
| ], |
| "targetRuleSet": "A String", # Target WAF rule set to apply the preconfigured WAF exclusion. |
| }, |
| ], |
| }, |
| "preview": True or False, # If set to true, the specified action is not enforced. |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "rateLimitOptions": { # Must be specified if the action is "rate_based_ban" or "throttle" or |
| # "fairshare". Cannot be specified for any other actions. |
| "banDurationSec": 42, # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, determines the time (in seconds) |
| # the traffic will continue to be banned by the rate limit after the |
| # rate falls below the threshold. |
| "banThreshold": { # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, the key will be banned for the |
| # configured 'ban_duration_sec' when the number of requests that exceed |
| # the 'rate_limit_threshold' also exceed this 'ban_threshold'. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| "conformAction": "A String", # Action to take for requests that are under the configured rate limit |
| # threshold. Valid option is "allow" only. |
| "enforceOnKey": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKey" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the value |
| # is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of the |
| # HTTPS request. The key value is truncated to the first 128 bytes. The |
| # key type defaults to ALL on an HTTP session. |
| # - REGION_CODE: The country/region from which the request |
| # originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration or |
| # an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # For "fairshare" action, this value is limited to ALL i.e. a single rate |
| # limit threshold is enforced for all the requests matching the rule. |
| "enforceOnKeyConfigs": [ # If specified, any combination of values of |
| # enforce_on_key_type/enforce_on_key_name is treated as the key on which |
| # ratelimit threshold/action is enforced. You can specify up to 3 |
| # enforce_on_key_configs. If enforce_on_key_configs is specified, |
| # enforce_on_key must not be specified. |
| { |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the |
| # key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is |
| # taken as the key value. |
| "enforceOnKeyType": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKeyConfigs" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the |
| # value is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of |
| # the HTTPS request. The key value is truncated to the first 128 bytes. |
| # The key type defaults to ALL on an HTTP session. |
| # - REGION_CODE: The country/region from which the |
| # request originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration |
| # or an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| }, |
| ], |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the key |
| # value. |
| # HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key |
| # value. |
| "exceedAction": "A String", # Action to take for requests that are above the configured rate limit |
| # threshold, to either deny with a specified HTTP response code, or |
| # redirect to a different endpoint. |
| # Valid options are `deny(STATUS)`, where valid values for |
| # `STATUS` are 403, 404, 429, and 502, and |
| # `redirect`, where the redirect parameters come from |
| # `exceedRedirectOptions` below. |
| # The `redirect` action is only supported in Global Security Policies of |
| # type CLOUD_ARMOR. |
| "exceedRedirectOptions": { # Parameters defining the redirect action that is used as the exceed |
| # action. Cannot be specified if the exceed action is not redirect. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "rateLimitThreshold": { # Threshold at which to begin ratelimiting. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| }, |
| "redirectOptions": { # Parameters defining the redirect action. Cannot be specified for any |
| # other actions. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "shortName": "A String", # User-provided name of the organization security policy. The name should be |
| # unique in the organization in which the security policy is created. This |
| # should only be used when SecurityPolicyType is CLOUD_ARMOR. |
| # The name must be 1-63 characters long, and comply with |
| # https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 |
| # characters long and match the regular expression |
| # `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a |
| # lowercase letter, and all following characters must be a dash, lowercase |
| # letter, or digit, except the last character, which cannot be a dash. |
| "type": "A String", # The type indicates the intended use of the security policy. |
| # |
| # - CLOUD_ARMOR: Cloud Armor backend security policies can |
| # be configured to filter incoming HTTP requests targeting backend services. |
| # They filter requests before they hit the origin servers. |
| # - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can |
| # be configured to filter incoming HTTP requests targeting backend services |
| # (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). |
| # They filter requests before the request is served from Google's cache. |
| # - CLOUD_ARMOR_INTERNAL_SERVICE (preview only): Cloud Armor |
| # internal service policies can be configured to filter HTTP requests |
| # targeting services managed by Traffic Director in a service mesh. They |
| # filter requests before the request is served from the application. |
| # |
| # - CLOUD_ARMOR_NETWORK: Cloud Armor network policies |
| # can be configured to filter packets targeting network load balancing |
| # resources such as backend services, target pools, target instances, and |
| # instances with external IPs. They filter requests before the request is |
| # served from the application. |
| # |
| # |
| # This field can be set only at resource creation time. |
| "userDefinedFields": [ # Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A |
| # user-defined field consists of up to 4 bytes extracted from a fixed offset |
| # in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an |
| # optional mask to select certain bits. Rules may then specify matching |
| # values for these fields. |
| # |
| # Example: |
| # |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # base: IPV4 |
| # offset: 6 |
| # size: 2 |
| # mask: "0x1fff" |
| { |
| "base": "A String", # The base relative to which 'offset' is measured. Possible values are: |
| # |
| # - IPV4: Points to the beginning of the IPv4 header. |
| # - IPV6: Points to the beginning of the IPv6 header. |
| # - TCP: Points to the beginning of the TCP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # - UDP: Points to the beginning of the UDP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # |
| # |
| # required |
| "mask": "A String", # If specified, apply this mask (bitwise AND) to the field to ignore bits |
| # before matching. Encoded as a hexadecimal number (starting with "0x"). |
| # The last byte of the field (in network byte order) corresponds to the |
| # least significant byte of the mask. |
| "name": "A String", # The name of this field. Must be unique within the policy. |
| "offset": 42, # Offset of the first byte of the field (in network byte order) relative to |
| # 'base'. |
| "size": 42, # Size of the field in bytes. Valid values: 1-4. |
| }, |
| ], |
| }, |
| ], |
| "kind": "compute#securityPolicyList", # [Output Only] Type of resource. Always compute#securityPolicyList for lists of securityPolicies |
| "nextPageToken": "A String", # [Output Only] This token allows you to get the next page of results for |
| # list requests. If the number of results is larger than maxResults, use the nextPageToken as a value for |
| # the query parameter pageToken in the next list request. |
| # Subsequent list requests will have their own nextPageToken to |
| # continue paging through the results. |
| "warning": { # [Output Only] Informational warning message. |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| }</pre> |
| </div> |
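<p>Added example, not part of the generated API reference and not Cloud Armor's implementation: a Python model of how the documented <code>userDefinedFields</code> definition (base, offset, size, mask) and the <code>networkMatch</code> example above select packets, including the "field not present" cases. It parses IPv4 only; <code>build_ipv4</code>, the helper names and the sample packets are constructed for illustration.</p>

```python
import ipaddress
import struct

# Definition and match condition copied from the documented examples above.
UDF_DEFS = [{"name": "ipv4_fragment_offset", "base": "IPV4",
             "offset": 6, "size": 2, "mask": "0x1fff"}]
NETWORK_MATCH = {
    "srcIpRanges": ["192.0.2.0/24", "198.51.100.0/24"],
    "userDefinedFields": [{"name": "ipv4_fragment_offset", "values": ["1-0x1fff"]}],
}


def build_ipv4(src, dst, frag_offset=0, more_fragments=False, proto=17, payload=b""):
    """Constructed test input: 20-byte IPv4 header (no options, checksum 0) + payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def base_offset(base, packet):
    """Byte index of the base header inside an IPv4 packet, or None if it is absent."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # assumption: this sketch parses IPv4 only, so IPV6 is never found
    if base == "IPV4":
        return 0
    if base in ("TCP", "UDP"):
        frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
        if packet[9] != {"TCP": 6, "UDP": 17}[base] or frag_offset != 0:
            return None  # wrong protocol, or "Not present for non-first fragments"
        return (packet[0] & 0x0F) * 4  # IHL skips over any IPv4 options
    return None


def extract_udf(defn, packet):
    """Value of a user-defined field, or None when the field is not present."""
    start = base_offset(defn["base"], packet)
    if start is None or not 1 <= defn["size"] <= 4:
        return None
    start += defn["offset"]
    end = start + defn["size"]
    if end > len(packet):
        return None  # the entire field must be in bounds
    value = int.from_bytes(packet[start:end], "big")  # network byte order
    mask = defn.get("mask")
    # Last byte of the field lines up with the least significant byte of the mask.
    return value & int(mask, 16) if mask else value


def parse_range(text):
    """'64' -> (64, 64); '0x400-0x7ff' -> (1024, 2047). Decimal or 0x-prefixed hex."""
    low, _, high = text.partition("-")
    low = int(low, 0)
    return low, (int(high, 0) if high else low)


def packet_matches(network_match, udf_defs, packet):
    """True when every specified match field matches (srcIpRanges and UDFs only)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    src = ipaddress.ip_address(packet[12:16])
    ranges = network_match.get("srcIpRanges") or []
    if ranges and "*" not in ranges:
        if not any(src in ipaddress.ip_network(r) for r in ranges):
            return False
    defs = {d["name"]: d for d in udf_defs}
    for wanted in network_match.get("userDefinedFields", []):
        if not wanted.get("values"):
            continue  # no values listed: any value matches, presence not required
        value = extract_udf(defs[wanted["name"]], packet)
        if value is None:
            return False  # a field value must be present to match
        if not any(lo <= value <= hi for lo, hi in map(parse_range, wanted["values"])):
            return False
    return True
```

<p>With the documented values, only non-first fragments (fragment offset 1 to 0x1fff) from the two listed source ranges match; the mask strips the flag bits, so a first fragment with "more fragments" set yields 0 and does not match.</p>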
| |
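<p>Added example, not part of the generated API reference and not Cloud Armor's implementation: a Python model of the <code>enforceOnKey</code> fallbacks documented under <code>rateLimitOptions</code>, useful for checking which rate-limit bucket a request lands in when the configured key is missing. The request dictionary shape, the helper names and the "first configured header with a valid IP wins" rule for <code>USER_IP</code> are assumptions; the sample requests are constructed.</p>

```python
import ipaddress
from collections import Counter

SHARED = ("ALL", "")  # the single bucket shared by every request matching the rule
MAX_KEY_BYTES = 128   # header, cookie, path and SNI keys keep only the first 128 bytes


def _ip_or_none(text):
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def _truncate(value):
    return value.encode("utf-8")[:MAX_KEY_BYTES].decode("utf-8", "ignore")


def resolve_key(key_type, request, key_name=None, user_ip_headers=()):
    """Return (effective_key_type, key_value) for one request.

    `request` is a constructed dict: src_ip, headers, cookies, path, sni, region, ja3, ja4.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source_ip = ("IP", request["src_ip"])
    if key_type == "ALL":
        return SHARED
    if key_type == "IP":
        return source_ip
    if key_type in ("HTTP_HEADER", "HTTP_COOKIE"):
        if key_type == "HTTP_HEADER":
            value = headers.get((key_name or "").lower())
        else:
            value = request.get("cookies", {}).get(key_name)
        # Missing header or cookie: the key type defaults to ALL.
        return (key_type, _truncate(value)) if value is not None else SHARED
    if key_type == "XFF_IP":
        first = headers.get("x-forwarded-for", "").split(",")[0]
        ip = _ip_or_none(first)
        return ("XFF_IP", ip) if ip else source_ip  # absent or invalid: key type IP
    if key_type == "USER_IP":
        # Assumption: the first configured header that holds a valid IP wins.
        for name in user_ip_headers:
            ip = _ip_or_none(headers.get(name.lower(), ""))
            if ip:
                return ("USER_IP", ip)
        return source_ip  # nothing configured or nothing resolvable: key type IP
    if key_type == "HTTP_PATH":
        return (key_type, _truncate(request["path"]))
    if key_type == "REGION_CODE":
        return (key_type, request["region"])
    optional = {"SNI": "sni", "TLS_JA3_FINGERPRINT": "ja3", "TLS_JA4_FINGERPRINT": "ja4"}
    if key_type in optional:
        value = request.get(optional[key_type])
        # Plain HTTP session or fingerprint not available: defaults to ALL.
        return (key_type, _truncate(value)) if value else SHARED
    raise ValueError(f"unknown enforceOnKey type: {key_type}")


def resolve_composite(configs, request, user_ip_headers=()):
    """enforceOnKeyConfigs: the combination of up to 3 resolved keys is the key."""
    if len(configs) > 3:
        raise ValueError("at most 3 enforceOnKeyConfigs are allowed")
    return tuple(
        resolve_key(c["enforceOnKeyType"], request, c.get("enforceOnKeyName"),
                    user_ip_headers)
        for c in configs)


def bucket_sizes(key_type, requests, key_name=None, user_ip_headers=()):
    """Count how many requests land in each rate-limit bucket."""
    return Counter(resolve_key(key_type, r, key_name, user_ip_headers) for r in requests)


# Constructed sample traffic (documentation address ranges only).
SAMPLE_REQUESTS = [
    {"src_ip": "198.51.100.10", "headers": {"X-Api-Key": "tenant-a"}, "path": "/v1/items"},
    {"src_ip": "198.51.100.11", "headers": {"x-api-key": "tenant-a"}, "path": "/v1/items"},
    {"src_ip": "198.51.100.12", "headers": {}, "path": "/v1/items"},
    {"src_ip": "198.51.100.13", "headers": {"X-Forwarded-For": "unknown"},
     "path": "/v1/items"},
    {"src_ip": "198.51.100.14", "headers": {"X-Forwarded-For": "203.0.113.5, 10.0.0.1"},
     "path": "/v1/items", "sni": "api.example.test"},
]
```

<p>Calling <code>bucket_sizes("HTTP_HEADER", SAMPLE_REQUESTS, key_name="X-Api-Key")</code> shows the three requests without the header sharing the single ALL bucket, which is the case to watch for when reviewing a throttle rule keyed on an optional header or cookie.</p>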
| <div class="method"> |
| <code class="details" id="list_next">list_next()</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="patch">patch(project, region, securityPolicy, body=None, requestId=None, updateMask=None, x__xgafv=None)</code> |
| <pre>Patches the specified policy with the data included in the request. To |
| clear fields in the policy, leave the fields empty and specify them in the |
| updateMask. This cannot be used to update the rules in the policy. |
| Please use the per rule methods like addRule, patchRule, and removeRule |
| instead. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| securityPolicy: string, Name of the security policy to update. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a Google Cloud Armor security policy resource. |
| # |
| # Only external backend services that use load balancers can |
| # reference a security policy. For more information, see |
| # Google Cloud Armor security policy overview. |
| "adaptiveProtectionConfig": { # Configuration options for Cloud Armor Adaptive Protection (CAAP). |
| "layer7DdosDefenseConfig": { # Configuration options for L7 DDoS detection. # If set to true, enables Cloud Armor Machine Learning. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "enable": True or False, # If set to true, enables CAAP for L7 DDoS detection. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "ruleVisibility": "A String", # Rule visibility can be one of the following: |
| # STANDARD - opaque rules. (default) |
| # PREMIUM - transparent rules. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "thresholdConfigs": [ # Configuration options for layer7 adaptive protection for various |
| # customizable thresholds. |
| { |
| "autoDeployConfidenceThreshold": 3.14, |
| "autoDeployExpirationSec": 42, |
| "autoDeployImpactedBaselineThreshold": 3.14, |
| "autoDeployLoadThreshold": 3.14, |
| "detectionAbsoluteQps": 3.14, |
| "detectionLoadThreshold": 3.14, |
| "detectionRelativeToBaselineQps": 3.14, |
| "name": "A String", # The name must be 1-63 characters long, and comply with RFC1035. |
| # The name must be unique within the security policy. |
| "trafficGranularityConfigs": [ # Configuration options for enabling Adaptive Protection to operate |
| # on specified granular traffic units. |
| { # Configurations to specific granular traffic units processed by |
| # Adaptive Protection. |
| "enableEachUniqueValue": True or False, # If enabled, traffic matching each unique value for the specified |
| # type constitutes a separate traffic unit. |
| # It can only be set to true if `value` is empty. |
| "type": "A String", # Type of this configuration. |
| "value": "A String", # Requests that match this value constitute a granular traffic unit. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "advancedOptionsConfig": { |
| "jsonCustomConfig": { # Custom configuration to apply the JSON parsing. Only applicable when |
| # json_parsing is set to STANDARD. |
| "contentTypes": [ # A list of custom Content-Type header values to apply the JSON parsing. |
| # |
| # As per RFC 1341, a Content-Type header value has the following format: |
| # |
| # Content-Type := type "/" subtype *[";" parameter] |
| # |
| # When configuring a custom Content-Type header value, only the |
| # type/subtype needs to be specified, and the parameters should be |
| # excluded. |
| "A String", |
| ], |
| }, |
| "jsonParsing": "A String", |
| "logLevel": "A String", |
| "userIpRequestHeaders": [ # An optional list of case-insensitive request header names to use for |
| # resolving the callers client IP address. |
| "A String", |
| ], |
| }, |
| "associations": [ # A list of associations that belong to this policy. |
| { |
| "attachmentId": "A String", # The resource that the security policy is attached to. |
| "displayName": "A String", # [Output Only] The display name of the security policy of the association. |
| "excludedFolders": [ # A list of folders to exclude from the security policy. |
| "A String", |
| ], |
| "excludedProjects": [ # A list of projects to exclude from the security policy. |
| "A String", |
| ], |
| "name": "A String", # The name for an association. |
| "securityPolicyId": "A String", # [Output Only] The security policy ID of the association. |
| "shortName": "A String", # [Output Only] The short name of the security policy of the association. |
| }, |
| ], |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "ddosProtectionConfig": { |
| "ddosProtection": "A String", |
| }, |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to the |
| # security policy. |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#securityPolicy", # [Output only] Type of the resource. Always compute#securityPolicy for security policies |
| "labelFingerprint": "A String", # A fingerprint for the labels being applied to this security policy, which |
| # is essentially a hash of the labels set used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update labels. You must always provide an |
| # up-to-date fingerprint hash in order to update or change labels. |
| # |
| # To see the latest fingerprint, make a get() request to the |
| # security policy. |
| "labels": { # Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. |
| # Label values may be empty. |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "recaptchaOptionsConfig": { |
| "redirectSiteKey": "A String", # An optional field to supply a reCAPTCHA site key to be used for all the |
| # rules using the redirect action with the type of GOOGLE_RECAPTCHA under |
| # the security policy. The specified site key needs to be created from the |
| # reCAPTCHA API. The user is responsible for the validity of the specified |
| # site key. If not specified, a Google-managed site key is used. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| }, |
| "region": "A String", # [Output Only] URL of the region where the regional security policy |
| # resides. This field is not applicable to global security policies. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule which is a rule with priority |
| # 2147483647 and match all condition (for the match condition this means |
| # match "*" for srcIpRanges and for the networkMatch condition every field |
| # must be either match "*" or not set). If no rules are provided when |
| # creating a security policy, a default rule with action "allow" will be |
| # added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the rule is matched. |
| # The following are the valid actions: |
| # |
| # - allow: allow access to target. |
| # - deny(STATUS): deny access to target, returns the |
| # HTTP response code specified. Valid values for `STATUS` |
| # are 403, 404, and 502. |
| # - rate_based_ban: limit client traffic to the configured |
| # threshold and ban the client if the traffic exceeds the threshold. |
| # Configure parameters for this action in RateLimitOptions. Requires |
| # rate_limit_options to be set. |
| # - redirect: redirect to a different target. This can |
| # either be an internal reCAPTCHA redirect, or an external URL-based |
| # redirect via a 302 response. Parameters for this action can be configured |
| # via redirectOptions. This action is only supported in Global Security |
| # Policies of type CLOUD_ARMOR. |
| # - throttle: limit |
| # client traffic to the configured threshold. Configure parameters for this |
| # action in rateLimitOptions. Requires rate_limit_options to be set for |
| # this. |
| # - fairshare (preview only): when traffic reaches the |
| # threshold limit, requests from the clients matching this rule begin to be |
| # rate-limited using the Fair Share algorithm. This action is only allowed |
| # in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "headerAction": { # Optional, additional actions that are performed on headers. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "requestHeadersToAdds": [ # The list of request headers to add or overwrite if they're already |
| # present. |
| { |
| "headerName": "A String", # The name of the header to set. |
| "headerValue": "A String", # The value to set the named header to. |
| }, |
| ], |
| }, |
| "kind": "compute#securityPolicyRule", # [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules |
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "config": { # The configuration options available when specifying versioned_expr. |
| # This field must be specified if versioned_expr is specified and cannot |
| # be specified if versioned_expr is not specified. |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of src_ip_ranges allowed is 10. |
| "A String", |
| ], |
| }, |
| "expr": { # User defined CEVAL expression. |
| # A CEVAL expression is used to specify match criteria such as origin.ip, |
| # source.region_code and contents in the request header. |
| # Expressions containing `evaluateThreatIntelligence` require a Cloud |
| # Armor Enterprise subscription and are not supported in Edge Policies |
| # nor in Regional Policies. Expressions containing |
| # `evaluatePreconfiguredExpr('sourceiplist-*')` require a Cloud Armor |
| # Enterprise subscription and are only supported in Global Security |
| # Policies. |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "exprOptions": { # The configuration options available when specifying a user defined |
| # CEVAL expression (i.e., 'expr'). |
| "recaptchaOptions": { # reCAPTCHA configuration options to be applied for the rule. If the |
| # rule does not evaluate reCAPTCHA tokens, this field has no effect. |
| "actionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # action-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| "sessionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # session-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| }, |
| }, |
| "versionedExpr": "A String", # Preconfigured versioned expression. |
| # If this field is specified, config must also be specified. |
| # Available preconfigured expressions along with their requirements are: |
| # SRC_IPS_V1 - must specify the corresponding src_ip_range field in |
| # config. |
| }, |
| "networkMatch": { # Represents a match condition that incoming network traffic is evaluated against. |
| # A match condition that incoming packets are evaluated against for |
| # CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding |
| # 'action' is enforced. |
| # |
| # The match criteria for a rule consists of built-in match fields (like |
| # 'srcIpRanges') and potentially multiple user-defined match fields |
| # ('userDefinedFields'). |
| # |
| # Field values may be extracted directly from the packet or derived from it |
| # (e.g. 'srcRegionCodes'). Some fields may not be present in every packet |
| # (e.g. 'srcPorts'). A user-defined field is only present if the base |
| # header is found in the packet and the entire field is in bounds. |
| # |
| # Each match field may specify which values can match it, listing one or |
| # more ranges, prefixes, or exact values that are considered a match for |
| # the field. A field value must be present in order to match a specified |
| # match field. If no match values are specified for a match field, then any |
| # field value is considered to match it, and it's not required to be |
| # present. For strings specifying '*' is also equivalent to match all. |
| # |
| # For a packet to match a rule, all specified match fields must match the |
| # corresponding field values derived from the packet. |
| # |
| # Example: |
| # |
| # networkMatch: |
| # srcIpRanges: |
| # - "192.0.2.0/24" |
| # - "198.51.100.0/24" |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # values: |
| # - "1-0x1fff" |
| # |
| # The above match condition matches packets with a source IP in |
| # 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named |
| # "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive. |
| "destIpRanges": [ # Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text |
| # format. |
| "A String", |
| ], |
| "destPorts": [ # Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "ipProtocols": [ # IPv4 protocol / IPv6 next header (after extension headers). Each |
| # element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. |
| # "253-254"), or one of the following protocol names: "tcp", "udp", |
| # "icmp", "esp", "ah", "ipip", or "sctp". |
| "A String", |
| ], |
| "srcAsns": [ # BGP Autonomous System Number associated with the source IP address. |
| 42, |
| ], |
| "srcIpRanges": [ # Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. |
| "A String", |
| ], |
| "srcPorts": [ # Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "srcRegionCodes": [ # Two-letter ISO 3166-1 alpha-2 country code associated with the source |
| # IP address. |
| "A String", |
| ], |
| "userDefinedFields": [ # User-defined fields. Each element names a defined field and lists the |
| # matching values for that field. |
| { |
| "name": "A String", # Name of the user-defined field, as given in the definition. |
| "values": [ # Matching values of the field. Each element can be a 32-bit unsigned |
| # decimal or hexadecimal (starting with "0x") number (e.g. "64") or |
| # range (e.g. "0x400-0x7ff"). |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| "preconfiguredWafConfig": { # Preconfigured WAF configuration to be applied for the rule. If the rule |
| # does not evaluate preconfigured WAF rules, i.e., if |
| # evaluatePreconfiguredWaf() is not used, this field will have no effect. |
| "exclusions": [ # A list of exclusions to apply during preconfigured WAF evaluation. |
| { |
| "requestCookiesToExclude": [ # A list of request cookie names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestHeadersToExclude": [ # A list of request header names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestQueryParamsToExclude": [ # A list of request query parameter names whose value will be excluded |
| # from inspection during preconfigured WAF evaluation. Note that the |
| # parameter can be in the query string or in the POST body. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestUrisToExclude": [ # A list of request URIs from the request line to be excluded from |
| # inspection during preconfigured WAF evaluation. When specifying this |
| # field, the query or fragment part should be excluded. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "targetRuleIds": [ # A list of target rule IDs under the WAF rule set to apply the |
| # preconfigured WAF exclusion. If omitted, it refers to all the rule |
| # IDs under the WAF rule set. |
| "A String", |
| ], |
| "targetRuleSet": "A String", # Target WAF rule set to apply the preconfigured WAF exclusion. |
| }, |
| ], |
| }, |
| "preview": True or False, # If set to true, the specified action is not enforced. |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "rateLimitOptions": { # Must be specified if the action is "rate_based_ban" or "throttle" or |
| # "fairshare". Cannot be specified for any other actions. |
| "banDurationSec": 42, # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, determines the time (in seconds) |
| # the traffic will continue to be banned by the rate limit after the |
| # rate falls below the threshold. |
| "banThreshold": { # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, the key will be banned for the |
| # configured 'ban_duration_sec' when the number of requests that exceed |
| # the 'rate_limit_threshold' also exceed this 'ban_threshold'. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| "conformAction": "A String", # Action to take for requests that are under the configured rate limit |
| # threshold. Valid option is "allow" only. |
| "enforceOnKey": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKey" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the value |
| # is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of the |
| # HTTPS request. The key value is truncated to the first 128 bytes. The |
| # key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the request |
| # originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration or |
| # an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # For "fairshare" action, this value is limited to ALL i.e. a single rate |
| # limit threshold is enforced for all the requests matching the rule. |
| "enforceOnKeyConfigs": [ # If specified, any combination of values of |
| # enforce_on_key_type/enforce_on_key_name is treated as the key on which |
| # ratelimit threshold/action is enforced. You can specify up to 3 |
| # enforce_on_key_configs. If enforce_on_key_configs is specified, |
| # enforce_on_key must not be specified. |
| { |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the |
| # key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is |
| # taken as the key value. |
| "enforceOnKeyType": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKeyConfigs" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the |
| # value is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of |
| # the HTTPS request. The key value is truncated to the first 128 bytes. |
| # The key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the |
| # request originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration |
| # or an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| }, |
| ], |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the key |
| # value. |
| # HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key |
| # value. |
| "exceedAction": "A String", # Action to take for requests that are above the configured rate limit |
| # threshold, to either deny with a specified HTTP response code, or |
| # redirect to a different endpoint. |
| # Valid options are `deny(STATUS)`, where valid values for |
| # `STATUS` are 403, 404, 429, and 502, and |
| # `redirect`, where the redirect parameters come from |
| # `exceedRedirectOptions` below. |
| # The `redirect` action is only supported in Global Security Policies of |
| # type CLOUD_ARMOR. |
| "exceedRedirectOptions": { # Parameters defining the redirect action that is used as the exceed |
| # action. Cannot be specified if the exceed action is not redirect. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "rateLimitThreshold": { # Threshold at which to begin ratelimiting. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| }, |
| "redirectOptions": { # Parameters defining the redirect action. Cannot be specified for any |
| # other actions. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "shortName": "A String", # User-provided name of the organization security policy. The name should be |
| # unique in the organization in which the security policy is created. This |
| # should only be used when SecurityPolicyType is CLOUD_ARMOR. |
| # The name must be 1-63 characters long, and comply with |
| # https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 |
| # characters long and match the regular expression |
| # `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a |
| # lowercase letter, and all following characters must be a dash, lowercase |
| # letter, or digit, except the last character, which cannot be a dash. |
| "type": "A String", # The type indicates the intended use of the security policy. |
| # |
| # - CLOUD_ARMOR: Cloud Armor backend security policies can |
| # be configured to filter incoming HTTP requests targeting backend services. |
| # They filter requests before they hit the origin servers. |
| # - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can |
| # be configured to filter incoming HTTP requests targeting backend services |
| # (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). |
| # They filter requests before the request is served from Google's cache. |
| # - CLOUD_ARMOR_INTERNAL_SERVICE (preview only): Cloud Armor |
| # internal service policies can be configured to filter HTTP requests |
| # targeting services managed by Traffic Director in a service mesh. They |
| # filter requests before the request is served from the application. |
| # |
| # - CLOUD_ARMOR_NETWORK: Cloud Armor network policies |
| # can be configured to filter packets targeting network load balancing |
| # resources such as backend services, target pools, target instances, and |
| # instances with external IPs. They filter requests before the request is |
| # served from the application. |
| # |
| # |
| # This field can be set only at resource creation time. |
| "userDefinedFields": [ # Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A |
| # user-defined field consists of up to 4 bytes extracted from a fixed offset |
| # in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an |
| # optional mask to select certain bits. Rules may then specify matching |
| # values for these fields. |
| # |
| # Example: |
| # |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # base: IPV4 |
| # offset: 6 |
| # size: 2 |
| # mask: "0x1fff" |
| { |
| "base": "A String", # The base relative to which 'offset' is measured. Possible values are: |
| # |
| # - IPV4: Points to the beginning of the IPv4 header. |
| # - IPV6: Points to the beginning of the IPv6 header. |
| # - TCP: Points to the beginning of the TCP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # - UDP: Points to the beginning of the UDP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # |
| # |
| # required |
| "mask": "A String", # If specified, apply this mask (bitwise AND) to the field to ignore bits |
| # before matching. Encoded as a hexadecimal number (starting with "0x"). |
| # The last byte of the field (in network byte order) corresponds to the |
| # least significant byte of the mask. |
| "name": "A String", # The name of this field. Must be unique within the policy. |
| "offset": 42, # Offset of the first byte of the field (in network byte order) relative to |
| # 'base'. |
| "size": 42, # Size of the field in bytes. Valid values: 1-4. |
| }, |
| ], |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| updateMask: string, Indicates fields to be cleared as part of this request. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
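<p>An added example, not part of the generated API reference and not Google's implementation: a local Python model of the <code>userDefinedFields</code> extraction and value matching described above, useful for checking a definition's offset, mask and value ranges against sample packets before deploying a CLOUD_ARMOR_NETWORK rule. It assumes raw IPv4 packets that start at the IP header; the helper names, the <code>udp_dest_port</code> field and the sample packets are constructed for illustration.</p>

```python
import struct


def parse_number(text):
    """Parse a decimal or "0x"-prefixed hexadecimal number (mask and values syntax)."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_values(values):
    """Turn ["64", "0x400-0x7ff"] into inclusive (low, high) ranges of 32-bit numbers."""
    ranges = []
    for item in values:
        low, sep, high = item.partition("-")
        lo = parse_number(low)
        hi = parse_number(high) if sep else lo
        if not 0 <= lo <= hi <= 0xFFFFFFFF:
            raise ValueError("invalid value or range: %r" % item)
        ranges.append((lo, hi))
    return ranges


def base_offset(packet, base):
    """Byte offset of the base header, or None if that header is not in the packet.

    Assumption: this model handles IPv4 packets only, so base IPV6 is never found.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    if base == "IPV4":
        return 0
    ihl = (packet[0] & 0x0F) * 4              # header length, covers IPv4 options
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    wanted = {"TCP": 6, "UDP": 17}.get(base)
    # TCP/UDP bases are not present for non-first fragments or other protocols.
    if wanted is None or packet[9] != wanted or frag_offset != 0 or ihl < 20:
        return None
    return ihl


def extract_field(packet, definition):
    """Return the masked field value, or None when the field is not present."""
    size, offset = definition["size"], definition["offset"]
    if not 1 <= size <= 4 or offset < 0:
        raise ValueError("size must be 1-4 and offset non-negative")
    start = base_offset(packet, definition["base"])
    if start is None or start + offset + size > len(packet):
        return None                            # base missing or field out of bounds
    # Network byte order: the last byte of the field is the least significant.
    value = int.from_bytes(packet[start + offset:start + offset + size], "big")
    mask = definition.get("mask")
    return value & parse_number(mask) if mask else value


def field_matches(packet, definition, values):
    """Apply one networkMatch.userDefinedFields entry to a packet."""
    if not values:
        return True                            # no values listed: presence not required
    value = extract_field(packet, definition)
    if value is None:
        return False                           # a listed field must be present
    return any(lo <= value <= hi for lo, hi in parse_values(values))


def ipv4_packet(frag_offset, more_fragments, proto, payload):
    """Build a constructed IPv4 packet (no options, checksum left as zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return header + payload


# Definition taken from the example in the reference text above.
FRAG_DEF = {"name": "ipv4_fragment_offset", "base": "IPV4",
            "offset": 6, "size": 2, "mask": "0x1fff"}
# Hypothetical second definition: UDP destination port.
PORT_DEF = {"name": "udp_dest_port", "base": "UDP", "offset": 2, "size": 2}

# Constructed sample packets: a first fragment carrying a UDP header, and a
# later fragment of the same datagram (fragment offset 185, no UDP header).
FIRST = ipv4_packet(0, True, 17, struct.pack("!HHHH", 40000, 53, 12, 0) + b"data")
LATER = ipv4_packet(185, False, 17, b"more-payload")

if __name__ == "__main__":
    for label, pkt in (("first fragment", FIRST), ("later fragment", LATER)):
        print(label,
              "frag_offset =", extract_field(pkt, FRAG_DEF),
              "| non-first-fragment rule:", field_matches(pkt, FRAG_DEF, ["1-0x1fff"]),
              "| udp_dest_port =", extract_field(pkt, PORT_DEF))
```

<p>A rule that lists values for a UDP- or TCP-based field never matches non-first fragments, because the field is not present there; a fragment rule such as <code>"1-0x1fff"</code> covers that traffic separately.</p>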
| |
| <div class="method"> |
| <code class="details" id="patchRule">patchRule(project, region, securityPolicy, body=None, priority=None, updateMask=None, validateOnly=None, x__xgafv=None)</code> |
| <pre>Patches a rule at the specified priority. To clear fields in the rule, |
| leave the fields empty and specify them in the updateMask. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| securityPolicy: string, Name of the security policy to update. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the rule is matched. |
| # The following are the valid actions: |
| # |
| # - allow: allow access to target. |
| # - deny(STATUS): deny access to target, returns the |
| # HTTP response code specified. Valid values for `STATUS` |
| # are 403, 404, and 502. |
| # - rate_based_ban: limit client traffic to the configured |
| # threshold and ban the client if the traffic exceeds the threshold. |
| # Configure parameters for this action in RateLimitOptions. Requires |
| # rate_limit_options to be set. |
| # - redirect: redirect to a different target. This can |
| # either be an internal reCAPTCHA redirect, or an external URL-based |
| # redirect via a 302 response. Parameters for this action can be configured |
| # via redirectOptions. This action is only supported in Global Security |
| # Policies of type CLOUD_ARMOR. |
| # - throttle: limit |
| # client traffic to the configured threshold. Configure parameters for this |
| # action in rateLimitOptions. Requires rate_limit_options to be set for |
| # this. |
| # - fairshare (preview only): when traffic reaches the |
| # threshold limit, requests from the clients matching this rule begin to be |
| # rate-limited using the Fair Share algorithm. This action is only allowed |
| # in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "headerAction": { # Optional, additional actions that are performed on headers. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "requestHeadersToAdds": [ # The list of request headers to add or overwrite if they're already |
| # present. |
| { |
| "headerName": "A String", # The name of the header to set. |
| "headerValue": "A String", # The value to set the named header to. |
| }, |
| ], |
| }, |
| "kind": "compute#securityPolicyRule", # [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules |
| "match": { # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "config": { # The configuration options available when specifying versioned_expr. |
| # This field must be specified if versioned_expr is specified and cannot |
| # be specified if versioned_expr is not specified. |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of src_ip_ranges allowed is 10. |
| "A String", |
| ], |
| }, |
| "expr": { # User defined CEVAL expression. |
| # A CEVAL expression is used to specify match criteria such as origin.ip, |
| # source.region_code and contents in the request header. |
| # Expressions containing `evaluateThreatIntelligence` require a Cloud |
| # Armor Enterprise subscription and are not supported in Edge Policies |
| # nor in Regional Policies. Expressions containing |
| # `evaluatePreconfiguredExpr('sourceiplist-*')` require a Cloud Armor |
| # Enterprise subscription and are only supported in Global Security |
| # Policies. |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "exprOptions": { # The configuration options available when specifying a user defined |
| # CEVAL expression (i.e., 'expr'). |
| "recaptchaOptions": { # reCAPTCHA configuration options to be applied for the rule. If the |
| # rule does not evaluate reCAPTCHA tokens, this field has no effect. |
| "actionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # action-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| "sessionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # session-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| }, |
| }, |
| "versionedExpr": "A String", # Preconfigured versioned expression. |
| # If this field is specified, config must also be specified. |
| # Available preconfigured expressions along with their requirements are: |
| # SRC_IPS_V1 - must specify the corresponding src_ip_range field in |
| # config. |
| }, |
| "networkMatch": { # A match condition that incoming packets are evaluated against for |
| # CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding |
| # 'action' is enforced. |
| # |
| # The match criteria for a rule consists of built-in match fields (like |
| # 'srcIpRanges') and potentially multiple user-defined match fields |
| # ('userDefinedFields'). |
| # |
| # Field values may be extracted directly from the packet or derived from it |
| # (e.g. 'srcRegionCodes'). Some fields may not be present in every packet |
| # (e.g. 'srcPorts'). A user-defined field is only present if the base |
| # header is found in the packet and the entire field is in bounds. |
| # |
| # Each match field may specify which values can match it, listing one or |
| # more ranges, prefixes, or exact values that are considered a match for |
| # the field. A field value must be present in order to match a specified |
| # match field. If no match values are specified for a match field, then any |
| # field value is considered to match it, and it's not required to be |
| # present. For strings specifying '*' is also equivalent to match all. |
| # |
| # For a packet to match a rule, all specified match fields must match the |
| # corresponding field values derived from the packet. |
| # |
| # Example: |
| # |
| # networkMatch: |
| # srcIpRanges: |
| # - "192.0.2.0/24" |
| # - "198.51.100.0/24" |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # values: |
| # - "1-0x1fff" |
| # |
| # The above match condition matches packets with a source IP in |
| # 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named |
| # "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive. |
| # |
| # Represents a match condition that incoming network traffic is evaluated |
| # against. |
| "destIpRanges": [ # Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text |
| # format. |
| "A String", |
| ], |
| "destPorts": [ # Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "ipProtocols": [ # IPv4 protocol / IPv6 next header (after extension headers). Each |
| # element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. |
| # "253-254"), or one of the following protocol names: "tcp", "udp", |
| # "icmp", "esp", "ah", "ipip", or "sctp". |
| "A String", |
| ], |
| "srcAsns": [ # BGP Autonomous System Number associated with the source IP address. |
| 42, |
| ], |
| "srcIpRanges": [ # Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. |
| "A String", |
| ], |
| "srcPorts": [ # Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "srcRegionCodes": [ # Two-letter ISO 3166-1 alpha-2 country code associated with the source |
| # IP address. |
| "A String", |
| ], |
| "userDefinedFields": [ # User-defined fields. Each element names a defined field and lists the |
| # matching values for that field. |
| { |
| "name": "A String", # Name of the user-defined field, as given in the definition. |
| "values": [ # Matching values of the field. Each element can be a 32-bit unsigned |
| # decimal or hexadecimal (starting with "0x") number (e.g. "64") or |
| # range (e.g. "0x400-0x7ff"). |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| "preconfiguredWafConfig": { # Preconfigured WAF configuration to be applied for the rule. If the rule |
| # does not evaluate preconfigured WAF rules, i.e., if |
| # evaluatePreconfiguredWaf() is not used, this field will have no effect. |
| "exclusions": [ # A list of exclusions to apply during preconfigured WAF evaluation. |
| { |
| "requestCookiesToExclude": [ # A list of request cookie names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestHeadersToExclude": [ # A list of request header names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestQueryParamsToExclude": [ # A list of request query parameter names whose value will be excluded |
| # from inspection during preconfigured WAF evaluation. Note that the |
| # parameter can be in the query string or in the POST body. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestUrisToExclude": [ # A list of request URIs from the request line to be excluded from |
| # inspection during preconfigured WAF evaluation. When specifying this |
| # field, the query or fragment part should be excluded. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "targetRuleIds": [ # A list of target rule IDs under the WAF rule set to apply the |
| # preconfigured WAF exclusion. If omitted, it refers to all the rule |
| # IDs under the WAF rule set. |
| "A String", |
| ], |
| "targetRuleSet": "A String", # Target WAF rule set to apply the preconfigured WAF exclusion. |
| }, |
| ], |
| }, |
| "preview": True or False, # If set to true, the specified action is not enforced. |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "rateLimitOptions": { # Must be specified if the action is "rate_based_ban" or "throttle" or |
| # "fairshare". Cannot be specified for any other actions. |
| "banDurationSec": 42, # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, determines the time (in seconds) |
| # the traffic will continue to be banned by the rate limit after the |
| # rate falls below the threshold. |
| "banThreshold": { # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, the key will be banned for the |
| # configured 'ban_duration_sec' when the number of requests that exceed |
| # the 'rate_limit_threshold' also exceed this 'ban_threshold'. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| "conformAction": "A String", # Action to take for requests that are under the configured rate limit |
| # threshold. Valid option is "allow" only. |
| "enforceOnKey": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKey" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the value |
| # is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of the |
| # HTTPS request. The key value is truncated to the first 128 bytes. The |
| # key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the request |
| # originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration or |
| # an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # For "fairshare" action, this value is limited to ALL i.e. a single rate |
| # limit threshold is enforced for all the requests matching the rule. |
| "enforceOnKeyConfigs": [ # If specified, any combination of values of |
| # enforce_on_key_type/enforce_on_key_name is treated as the key on which |
| # ratelimit threshold/action is enforced. You can specify up to 3 |
| # enforce_on_key_configs. If enforce_on_key_configs is specified, |
| # enforce_on_key must not be specified. |
| { |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the |
| # key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is |
| # taken as the key value. |
| "enforceOnKeyType": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKeyConfigs" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the |
| # value is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of |
| # the HTTPS request. The key value is truncated to the first 128 bytes. |
| # The key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the |
| # request originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration |
| # or an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| }, |
| ], |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the key |
| # value. |
| # HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key |
| # value. |
| "exceedAction": "A String", # Action to take for requests that are above the configured rate limit |
| # threshold, to either deny with a specified HTTP response code, or |
| # redirect to a different endpoint. |
| # Valid options are `deny(STATUS)`, where valid values for |
| # `STATUS` are 403, 404, 429, and 502, and |
| # `redirect`, where the redirect parameters come from |
| # `exceedRedirectOptions` below. |
| # The `redirect` action is only supported in Global Security Policies of |
| # type CLOUD_ARMOR. |
| "exceedRedirectOptions": { # Parameters defining the redirect action that is used as the exceed |
| # action. Cannot be specified if the exceed action is not redirect. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "rateLimitThreshold": { # Threshold at which to begin ratelimiting. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| }, |
| "redirectOptions": { # Parameters defining the redirect action. Cannot be specified for any |
| # other actions. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| } |
| |
| priority: integer, The priority of the rule to patch. |
| updateMask: string, Indicates fields to be cleared as part of this request. |
| validateOnly: boolean, If true, the request will not be committed. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
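The rate-limit fields documented above carry several constraints and silent fallbacks (for example, a missing header turns an HTTP_HEADER key into the shared ALL bucket). The following Python sketch is an added example, not part of the generated reference or of the client library: it checks a `rateLimitOptions` body against those documented constraints before it is sent, and resolves which key a request would be counted under. The function names, the `global_cloud_armor` flag and the request dictionary layout are assumptions made for illustration; `effective_key` covers only the ALL, IP, HTTP_HEADER, HTTP_COOKIE, XFF_IP, HTTP_PATH and SNI key types.

```python
import ipaddress
import re

# Key types listed under "enforceOnKeyType" in the reference above.
KEY_TYPES = {"ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI",
             "REGION_CODE", "TLS_JA3_FINGERPRINT", "USER_IP", "TLS_JA4_FINGERPRINT"}
NAMED_KEY_TYPES = {"HTTP_HEADER", "HTTP_COOKIE"}  # only these use enforceOnKeyName
DENY_STATUSES = {"403", "404", "429", "502"}      # valid STATUS values for deny(STATUS)
KEY_VALUE_LIMIT = 128                             # bytes kept from header/cookie/path/SNI


def _check_key(key_type, key_name, where):
    """Check one key type / key name pair (hypothetical helper)."""
    if key_type not in KEY_TYPES:
        return [f"{where}: unknown enforceOnKeyType {key_type!r}"]
    if key_type in NAMED_KEY_TYPES and not key_name:
        return [f"{where}: {key_type} needs enforceOnKeyName"]
    if key_name and key_type not in NAMED_KEY_TYPES:
        return [f"{where}: enforceOnKeyName does not apply to {key_type}"]
    return []


def validate_rate_limit_options(opts, global_cloud_armor=False):
    """Return a list of problems found in a rateLimitOptions dict (empty if none).

    global_cloud_armor is an assumed flag: True when the policy is a global
    security policy of type CLOUD_ARMOR, the only kind that supports redirect.
    """
    problems = []
    configs = opts.get("enforceOnKeyConfigs") or []
    if len(configs) > 3:
        problems.append("at most 3 enforceOnKeyConfigs are allowed")
    if configs and "enforceOnKey" in opts:
        problems.append("enforceOnKey must not be set with enforceOnKeyConfigs")
    for i, cfg in enumerate(configs):
        problems += _check_key(cfg.get("enforceOnKeyType"), cfg.get("enforceOnKeyName"),
                               f"enforceOnKeyConfigs[{i}]")
    if not configs:
        problems += _check_key(opts.get("enforceOnKey", "ALL"),
                               opts.get("enforceOnKeyName"), "enforceOnKey")

    action = opts.get("exceedAction", "")
    redirect_opts = opts.get("exceedRedirectOptions")
    deny = re.fullmatch(r"deny\((\d+)\)", action)
    if deny:
        if deny.group(1) not in DENY_STATUSES:
            problems.append(f"deny status {deny.group(1)} is not 403, 404, 429 or 502")
    elif action == "redirect":
        if not global_cloud_armor:
            problems.append("redirect is only supported in global CLOUD_ARMOR policies")
        if not redirect_opts:
            problems.append("redirect needs exceedRedirectOptions")
    else:
        problems.append(f"exceedAction {action!r} is not deny(STATUS) or redirect")

    if redirect_opts:
        if action != "redirect":
            problems.append("exceedRedirectOptions set but exceedAction is not redirect")
        rtype, target = redirect_opts.get("type"), redirect_opts.get("target")
        if rtype not in ("GOOGLE_RECAPTCHA", "EXTERNAL_302"):
            problems.append(f"unknown redirect type {rtype!r}")
        elif rtype == "EXTERNAL_302" and not target:
            problems.append("EXTERNAL_302 requires a target")
        elif rtype == "GOOGLE_RECAPTCHA" and target:
            problems.append("target cannot be specified for GOOGLE_RECAPTCHA")
    return problems


def effective_key(key_type, key_name, request):
    """Return (key type actually used, key bytes) for a request.

    `request` is a constructed dict with "source_ip", "headers", "cookies",
    "path" and "sni" entries; it follows the fallbacks documented above.
    """
    def cut(value):
        return value.encode("utf-8")[:KEY_VALUE_LIMIT]

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if key_type == "ALL":
        return ("ALL", b"")
    if key_type == "IP":
        return ("IP", request["source_ip"].encode())
    if key_type == "HTTP_HEADER":
        value = headers.get(key_name.lower())
        return ("HTTP_HEADER", cut(value)) if value is not None else ("ALL", b"")
    if key_type == "HTTP_COOKIE":
        value = request.get("cookies", {}).get(key_name)
        return ("HTTP_COOKIE", cut(value)) if value is not None else ("ALL", b"")
    if key_type == "XFF_IP":
        first = headers.get("x-forwarded-for", "").split(",")[0].strip()
        try:
            return ("XFF_IP", str(ipaddress.ip_address(first)).encode())
        except ValueError:  # header absent or first entry is not a valid IP
            return effective_key("IP", None, request)
    if key_type == "HTTP_PATH":
        return ("HTTP_PATH", cut(request["path"]))
    if key_type == "SNI":
        sni = request.get("sni")  # None on a plain HTTP session
        return ("SNI", cut(sni)) if sni else ("ALL", b"")
    raise ValueError(f"key type {key_type!r} is not modelled in this example")
```

A rule keyed only on HTTP_HEADER or HTTP_COOKIE counts every request that omits the header or cookie against one shared threshold, so pairing it with an IP-based key in `enforceOnKeyConfigs` keeps those requests separated per client.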
| |
| <div class="method"> |
| <code class="details" id="removeRule">removeRule(project, region, securityPolicy, priority=None, x__xgafv=None)</code> |
| <pre>Deletes a rule at the specified priority. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, Name of the region scoping this request. (required) |
| securityPolicy: string, Name of the security policy to update. (required) |
| priority: integer, The priority of the rule to remove from the security policy. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="setLabels">setLabels(project, region, resource, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Sets the labels on a security policy. To learn more about labels, |
| read the Labeling Resources |
| documentation. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| region: string, The region for this request. (required) |
| resource: string, Name or id of the resource for this request. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "labelFingerprint": "A String", # The fingerprint of the previous set of labels for this resource, |
| # used to detect conflicts. The fingerprint is initially generated by Compute |
| # Engine and changes after every request to modify or update labels. You must |
| # always provide an up-to-date fingerprint hash in order to update or change |
| # labels. Make a get() request to the resource to get the latest |
| # fingerprint. |
| "labels": { # The labels to set for this resource. |
| "a_key": "A String", |
| }, |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/v1/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/v1/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/v1/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, the detail should be returned as |
| # `{"instanceLimitPerRequest": "100"}` if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
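<p>An added example, not part of the generated reference: a read-modify-write wrapper around get() and setLabels() that always sends a fresh labelFingerprint together with the full merged label map, so a concurrent label change on the security policy is detected instead of silently overwritten. The helper names, the retry limit and the assumption that a stale fingerprint surfaces as an HTTP 412 error are illustrative; service is a client object exposing the regionSecurityPolicies() methods documented on this page.</p>

```python
import uuid


def http_status(exc):
    """HTTP status carried by a googleapiclient-style HttpError (exc.resp.status), else None."""
    return getattr(getattr(exc, "resp", None), "status", None)


def set_policy_labels(service, project, region, policy, updates, max_conflicts=3):
    """Merge `updates` into the policy's labels (value None removes a key).

    Returns the Operation dict from setLabels(). Retries only on a stale
    labelFingerprint, which is assumed here to surface as HTTP 412.
    """
    policies = service.regionSecurityPolicies()
    for _ in range(max_conflicts):
        # Always read the latest fingerprint and labels right before writing.
        current = policies.get(
            project=project, region=region, securityPolicy=policy).execute()
        labels = dict(current.get("labels", {}))
        for key, value in updates.items():
            if value is None:
                labels.pop(key, None)
            else:
                labels[key] = value
        body = {"labelFingerprint": current["labelFingerprint"], "labels": labels}
        # Fresh random UUID per distinct body; uuid4 is never the zero UUID.
        request_id = str(uuid.uuid4())
        try:
            return policies.setLabels(
                project=project, region=region, resource=policy,
                body=body, requestId=request_id).execute()
        except Exception as exc:
            if http_status(exc) != 412:
                raise  # permission, quota and other errors are not retried
    raise RuntimeError("labels kept changing; gave up after %d conflicts" % max_conflicts)


def operation_errors(operation):
    """Flatten Operation.error.errors[] into (code, message) pairs."""
    errors = operation.get("error", {}).get("errors", [])
    return [(e.get("code"), e.get("message")) for e in errors]
```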
| |
| </body></html> |