ComputeSecurityPolicySecurityPolicyRule class

One entry in rule[]. Rules are evaluated from highest priority (lowest numeric value) to lowest priority. The first match wins and its action is enforced. Cloud Armor REQUIRES a default rule at priority 2147483647 matching all traffic ('*') -- if you omit it the provider injects one with SecurityPolicyRuleAction.allow, which silently disables a deny-list policy. Always author the default rule explicitly.

Annotations
  • @immutable

Properties

action SecurityPolicyRuleAction
What Cloud Armor does when this rule matches. Certain actions require sibling blocks: rateBasedBan / throttle need rateLimitOptions, redirect needs redirectOptions.
final
description → TfArg<String>?
Free-form description. Max 64 chars per the schema.
final
hashCode int
The hash code for this object.
no setter, inherited
headerAction ComputeSecurityPolicySecurityPolicyRuleHeaderAction?
Optional header rewrites applied alongside the match action (e.g. tagging a request with an internal X-Cloud-Armor-Rule header for downstream observability).
final
match ComputeSecurityPolicySecurityPolicyRuleMatch
Match condition. Pick exactly one of ComputeSecurityPolicySecurityPolicyRuleMatch.config (versioned predicate over source IPs) or ComputeSecurityPolicySecurityPolicyRuleMatch.expr (CEL expression).
final
preview → TfArg<bool>?
Staging flag. When true, the rule's action is NOT enforced but matches are logged with a preview: true annotation -- use to validate a new rule against production traffic before flipping it live.
final
priority → TfArg<int>
Unique positive integer indicating evaluation order. Lower = higher priority. Reserve 2147483647 for the default rule.
final
rateLimitOptions ComputeSecurityPolicySecurityPolicyRuleRateLimitOptions?
Required when action is SecurityPolicyRuleAction.rateBasedBan or SecurityPolicyRuleAction.throttle; forbidden otherwise.
final
redirectOptions ComputeSecurityPolicySecurityPolicyRuleRedirectOptions?
Required when action is SecurityPolicyRuleAction.redirect; forbidden otherwise.
final
runtimeType Type
A representation of the runtime type of the object.
no setter, inherited
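
The constraints stated in the class description and in the property notes above (explicit default rule, unique priorities, exactly one match form, sibling blocks tied to the action, 64-character descriptions) can be checked before a policy is applied. The following is an added example, not code from this library: a Python pre-apply lint over plain dicts, assuming snake_case keys as in the Terraform `google_compute_security_policy` rule block. The name `lint_rules` and the sample rules are constructed for illustration.

```python
DEFAULT_PRIORITY = 2147483647  # reserved for the default rule
NEEDS_RATE_LIMIT = {"rate_based_ban", "throttle"}

def lint_rules(rules):
    """Return findings as (priority, message) tuples; an empty list means clean."""
    findings, seen = [], set()
    for rule in rules:
        prio, action = rule["priority"], rule["action"]
        if prio in seen:
            findings.append((prio, "duplicate priority"))
        seen.add(prio)
        # Exactly one of match.config / match.expr may be set.
        match = rule.get("match", {})
        if ("config" in match) == ("expr" in match):
            findings.append((prio, "match needs exactly one of config or expr"))
        # Sibling blocks are required for some actions and forbidden otherwise.
        if (action in NEEDS_RATE_LIMIT) != ("rate_limit_options" in rule):
            findings.append((prio, "rate_limit_options does not fit action " + action))
        if (action == "redirect") != ("redirect_options" in rule):
            findings.append((prio, "redirect_options does not fit action " + action))
        if len(rule.get("description", "")) > 64:
            findings.append((prio, "description longer than 64 chars"))
    # The default rule must be authored explicitly and match all traffic.
    default = next((r for r in rules if r["priority"] == DEFAULT_PRIORITY), None)
    if default is None:
        findings.append((DEFAULT_PRIORITY, "no explicit default rule; provider would inject allow"))
    elif default.get("match", {}).get("config", {}).get("src_ip_ranges") != ["*"]:
        findings.append((DEFAULT_PRIORITY, "default rule must match all traffic ('*')"))
    return findings

# Constructed sample: throttle without rate_limit_options, a reused priority,
# redirect_options on an allow rule, and no default rule.
SAMPLE = [
    {"priority": 1000, "action": "deny(403)",
     "match": {"config": {"src_ip_ranges": ["203.0.113.0/24"]}}},
    {"priority": 2000, "action": "throttle",
     "match": {"expr": {"expression": "request.path.matches('/login')"}}},
    {"priority": 2000, "action": "allow",
     "match": {"config": {"src_ip_ranges": ["198.51.100.0/24"]}},
     "redirect_options": {"type": "GOOGLE_RECAPTCHA"}},
]

if __name__ == "__main__":
    for prio, message in lint_rules(SAMPLE):
        print(f"priority {prio}: {message}")
```
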

Methods

noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
toArgMap() Map<String, Object?>
toString() String
A string representation of this object.
inherited

Operators

operator ==(Object other) bool
The equality operator.
inherited