v5.18.0/website/docs/r/compute_region_security_policy.html.markdown - terraform-provider-google-beta - Git at Google

 ---
 # ----------------------------------------------------------------------------
 #
 #     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
 #
 # ----------------------------------------------------------------------------
 #
 #     This file is automatically generated by Magic Modules and manual
 #     changes will be clobbered when the file is regenerated.
 #
 #     Please read more about how to change this file in
 #     .github/CONTRIBUTING.md.
 #
 # ----------------------------------------------------------------------------
 subcategory: "Compute Engine"
 description: |-
   Represents a Region Cloud Armor Security Policy resource.
 ---

 # google\_compute\_region\_security\_policy

 Represents a Region Cloud Armor Security Policy resource.

 ~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
 See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.

 To get more information about RegionSecurityPolicy, see:

 * [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/regionSecurityPolicies)
 * How-to Guides
     * [Official Documentation](https://cloud.google.com/armor/docs/security-policy-concepts)

 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_security_policy_basic&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Region Security Policy Basic


 ```hcl
 resource "google_compute_region_security_policy" "region-sec-policy-basic" {
   provider    = google-beta

   name        = "my-sec-policy-basic"
   description = "basic region security policy"
   type        = "CLOUD_ARMOR"
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_security_policy_with_ddos_protection_config&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Region Security Policy With Ddos Protection Config


 ```hcl
 resource "google_compute_region_security_policy" "region-sec-policy-ddos-protection" {
   provider    = google-beta

   name        = "my-sec-policy-ddos-protection"
   description = "with ddos protection config"
   type        = "CLOUD_ARMOR_NETWORK"

   ddos_protection_config {
     ddos_protection = "ADVANCED_PREVIEW"
   }
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_security_policy_with_user_defined_fields&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Region Security Policy With User Defined Fields


 ```hcl
 resource "google_compute_region_security_policy" "region-sec-policy-user-defined-fields" {
   provider    = google-beta

   name        = "my-sec-policy-user-defined-fields"
   description = "with user defined fields"
   type        = "CLOUD_ARMOR_NETWORK"
   user_defined_fields {
     name = "SIG1_AT_0"
     base = "UDP"
     offset = 8
     size = 2
     mask = "0x8F00"
   }
   user_defined_fields {
     name = "SIG2_AT_8"
     base = "UDP"
     offset = 16
     size = 4
     mask = "0xFFFFFFFF"
   }
 }
 ```

 ## Argument Reference

 The following arguments are supported:


 * `name` -
   (Required)
   Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035.
   Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.


 - - -


 * `description` -
   (Optional)
   An optional description of this resource. Provide this property when you create the resource.

 * `type` -
   (Optional)
   The type indicates the intended use of the security policy.
   - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers.
   - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache.
   - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application.
   This field can be set only at resource creation time.
   Possible values are: `CLOUD_ARMOR`, `CLOUD_ARMOR_EDGE`, `CLOUD_ARMOR_NETWORK`.

 * `ddos_protection_config` -
   (Optional)
   Configuration for Google Cloud Armor DDOS Proctection Config.
   Structure is [documented below](#nested_ddos_protection_config).

 * `user_defined_fields` -
   (Optional)
   Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies.
   A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits.
   Rules may then specify matching values for these fields.
   Structure is [documented below](#nested_user_defined_fields).

 * `region` -
   (Optional)
   The Region in which the created Region Security Policy should reside.
   If it is not provided, the provider region is used.

 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.


 <a name="nested_ddos_protection_config"></a>The `ddos_protection_config` block supports:

 * `ddos_protection` -
   (Required)
   Google Cloud Armor offers the following options to help protect systems against DDoS attacks:
   - STANDARD: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
   - ADVANCED: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
   - ADVANCED_PREVIEW: flag to enable the security policy in preview mode.
   Possible values are: `ADVANCED`, `ADVANCED_PREVIEW`, `STANDARD`.

 <a name="nested_user_defined_fields"></a>The `user_defined_fields` block supports:

 * `name` -
   (Optional)
   The name of this field. Must be unique within the policy.

 * `base` -
   (Required)
   The base relative to which 'offset' is measured. Possible values are:
   - IPV4: Points to the beginning of the IPv4 header.
   - IPV6: Points to the beginning of the IPv6 header.
   - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
   - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
   Possible values are: `IPV4`, `IPV6`, `TCP`, `UDP`.

 * `offset` -
   (Optional)
   Offset of the first byte of the field (in network byte order) relative to 'base'.

 * `size` -
   (Optional)
   Size of the field in bytes. Valid values: 1-4.

 * `mask` -
   (Optional)
   If specified, apply this mask (bitwise AND) to the field to ignore bits before matching.
   Encoded as a hexadecimal number (starting with "0x").
   The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.

 ## Attributes Reference

 In addition to the arguments listed above, the following computed attributes are exported:

 * `id` - an identifier for the resource with format `projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}`

 * `policy_id` -
   The unique identifier for the resource. This identifier is defined by the server.

 * `fingerprint` -
   Fingerprint of this resource. This field is used internally during
   updates of this resource.

 * `self_link` -
   Server-defined URL for the resource.

 * `self_link_with_policy_id` -
   Server-defined URL for this resource with the resource id.


 ## Timeouts

 This resource provides the following
 [Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

 - `create` - Default is 20 minutes.
 - `update` - Default is 20 minutes.
 - `delete` - Default is 20 minutes.

 ## Import


 RegionSecurityPolicy can be imported using any of these accepted formats:

 * `projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}`
 * `{{project}}/{{region}}/{{name}}`
 * `{{region}}/{{name}}`
 * `{{name}}`


 In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import RegionSecurityPolicy using one of the formats above. For example:

 ```tf
 import {
   id = "projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}"
   to = google_compute_region_security_policy.default
 }
 ```

 When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), RegionSecurityPolicy can be imported using one of the formats above. For example:

 ```
 $ terraform import google_compute_region_security_policy.default projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}
 $ terraform import google_compute_region_security_policy.default {{project}}/{{region}}/{{name}}
 $ terraform import google_compute_region_security_policy.default {{region}}/{{name}}
 $ terraform import google_compute_region_security_policy.default {{name}}
 ```

 ## User Project Overrides

 This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).
	---
	# ----------------------------------------------------------------------------
	#
	# * AUTO GENERATED CODE * Type: MMv1 ***
	#
	# ----------------------------------------------------------------------------
	#
	# This file is automatically generated by Magic Modules and manual
	# changes will be clobbered when the file is regenerated.
	#
	# Please read more about how to change this file in
	# .github/CONTRIBUTING.md.
	#
	# ----------------------------------------------------------------------------
	subcategory: "Compute Engine"
	description: \|-
	Represents a Region Cloud Armor Security Policy resource.
	---

	# google\_compute\_region\_security\_policy

	Represents a Region Cloud Armor Security Policy resource.

	~> Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider.
	See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.

	To get more information about RegionSecurityPolicy, see:

	* [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/regionSecurityPolicies)
	* How-to Guides
	* [Official Documentation](https://cloud.google.com/armor/docs/security-policy-concepts)

	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_security_policy_basic&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Region Security Policy Basic


	```hcl
	resource "google_compute_region_security_policy" "region-sec-policy-basic" {
	provider = google-beta

	name = "my-sec-policy-basic"
	description = "basic region security policy"
	type = "CLOUD_ARMOR"
	}
	```
	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_security_policy_with_ddos_protection_config&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Region Security Policy With Ddos Protection Config


	```hcl
	resource "google_compute_region_security_policy" "region-sec-policy-ddos-protection" {
	provider = google-beta

	name = "my-sec-policy-ddos-protection"
	description = "with ddos protection config"
	type = "CLOUD_ARMOR_NETWORK"

	ddos_protection_config {
	ddos_protection = "ADVANCED_PREVIEW"
	}
	}
	```
	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=region_security_policy_with_user_defined_fields&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Region Security Policy With User Defined Fields


	```hcl
	resource "google_compute_region_security_policy" "region-sec-policy-user-defined-fields" {
	provider = google-beta

	name = "my-sec-policy-user-defined-fields"
	description = "with user defined fields"
	type = "CLOUD_ARMOR_NETWORK"
	user_defined_fields {
	name = "SIG1_AT_0"
	base = "UDP"
	offset = 8
	size = 2
	mask = "0x8F00"
	}
	user_defined_fields {
	name = "SIG2_AT_8"
	base = "UDP"
	offset = 16
	size = 4
	mask = "0xFFFFFFFF"
	}
	}
	```

	## Argument Reference

	The following arguments are supported:


	* `name` -
	(Required)
	Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035.
	Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.


	- - -


	* `description` -
	(Optional)
	An optional description of this resource. Provide this property when you create the resource.

	* `type` -
	(Optional)
	The type indicates the intended use of the security policy.
	- CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers.
	- CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache.
	- CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application.
	This field can be set only at resource creation time.
	Possible values are: `CLOUD_ARMOR`, `CLOUD_ARMOR_EDGE`, `CLOUD_ARMOR_NETWORK`.

	* `ddos_protection_config` -
	(Optional)
	Configuration for Google Cloud Armor DDOS Proctection Config.
	Structure is [documented below](#nested_ddos_protection_config).

	* `user_defined_fields` -
	(Optional)
	Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies.
	A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits.
	Rules may then specify matching values for these fields.
	Structure is [documented below](#nested_user_defined_fields).

	* `region` -
	(Optional)
	The Region in which the created Region Security Policy should reside.
	If it is not provided, the provider region is used.

	* `project` - (Optional) The ID of the project in which the resource belongs.
	If it is not provided, the provider project is used.


	<a name="nested_ddos_protection_config"></a>The `ddos_protection_config` block supports:

	* `ddos_protection` -
	(Required)
	Google Cloud Armor offers the following options to help protect systems against DDoS attacks:
	- STANDARD: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
	- ADVANCED: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
	- ADVANCED_PREVIEW: flag to enable the security policy in preview mode.
	Possible values are: `ADVANCED`, `ADVANCED_PREVIEW`, `STANDARD`.

	<a name="nested_user_defined_fields"></a>The `user_defined_fields` block supports:

	* `name` -
	(Optional)
	The name of this field. Must be unique within the policy.

	* `base` -
	(Required)
	The base relative to which 'offset' is measured. Possible values are:
	- IPV4: Points to the beginning of the IPv4 header.
	- IPV6: Points to the beginning of the IPv6 header.
	- TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
	- UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
	Possible values are: `IPV4`, `IPV6`, `TCP`, `UDP`.

	* `offset` -
	(Optional)
	Offset of the first byte of the field (in network byte order) relative to 'base'.

	* `size` -
	(Optional)
	Size of the field in bytes. Valid values: 1-4.

	* `mask` -
	(Optional)
	If specified, apply this mask (bitwise AND) to the field to ignore bits before matching.
	Encoded as a hexadecimal number (starting with "0x").
	The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.

	## Attributes Reference

	In addition to the arguments listed above, the following computed attributes are exported:

	* `id` - an identifier for the resource with format `projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}`

	* `policy_id` -
	The unique identifier for the resource. This identifier is defined by the server.

	* `fingerprint` -
	Fingerprint of this resource. This field is used internally during
	updates of this resource.

	* `self_link` -
	Server-defined URL for the resource.

	* `self_link_with_policy_id` -
	Server-defined URL for this resource with the resource id.


	## Timeouts

	This resource provides the following
	[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

	- `create` - Default is 20 minutes.
	- `update` - Default is 20 minutes.
	- `delete` - Default is 20 minutes.

	## Import


	RegionSecurityPolicy can be imported using any of these accepted formats:

	* `projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}`
	* `{{project}}/{{region}}/{{name}}`
	* `{{region}}/{{name}}`
	* `{{name}}`


	In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import RegionSecurityPolicy using one of the formats above. For example:

	```tf
	import {
	id = "projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}"
	to = google_compute_region_security_policy.default
	}
	```

	When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), RegionSecurityPolicy can be imported using one of the formats above. For example:

	```
	$ terraform import google_compute_region_security_policy.default projects/{{project}}/regions/{{region}}/securityPolicies/{{name}}
	$ terraform import google_compute_region_security_policy.default {{project}}/{{region}}/{{name}}
	$ terraform import google_compute_region_security_policy.default {{region}}/{{name}}
	$ terraform import google_compute_region_security_policy.default {{name}}
	```

	## User Project Overrides

	This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).