compute library

Compute Engine resources: instances, addresses, firewalls, networks, subnetworks.

Classes

AccessConfig
One entry inside network_interface.access_config. An access config gives the interface an external IPv4 address (ephemeral when natIp is null, static when it's a reserved IP).
AdvancedMachineFeatures
advanced_machine_features block (max_items=1). Per-CPU tuning knobs.
AliasIpRange
One entry inside network_interface.alias_ip_range. Alias IPs let pods / containers running on the instance use secondary CIDR ranges from the attached subnetwork.
AttachedDisk
One entry inside attached_disk. Attaches an existing persistent disk to the instance.
AutoscalerAutoscalingPolicy
autoscaling_policy block — the heart of the autoscaler. Combines a replica range (minReplicas..maxReplicas) with one or more signal sub-blocks (cpuUtilization, loadBalancingUtilization, metrics) and optional smoothing controls (cooldownPeriod, scaleInControl, scalingSchedules).
AutoscalerCpuUtilization
cpu_utilization block. Drives autoscaling against the average CPU usage of instances in the target MIG.
AutoscalerLoadBalancingUtilization
load_balancing_utilization block. Drives autoscaling against backend-capacity utilization (HTTP(S) load balancer with utilization balancing mode).
AutoscalerMetric
One metric entry — a custom Stackdriver / Cloud Monitoring signal. Exactly one of target / singleInstanceAssignment is typically set; the GCP API enforces the constraint at apply time.
AutoscalerScaleInControl
scale_in_control block. Caps how aggressively the autoscaler may shed replicas inside a timeWindowSec-second sliding window — useful for stateful workloads that need warm capacity to drain gracefully.
AutoscalerScaleInReplicas
max_scaled_in_replicas sub-block. Express the cap as either a fixed count or a percent of the current MIG size; the schema requires at least one of the two.
AutoscalerScalingSchedule
One scaling_schedules entry. The Dart Map<String, _> key becomes the schedule's name on the wire (the schema models this as a set of blocks with name baked in).
BackendBucketCdnBypassCacheOnRequestHeader
Cache-bypass rule keyed on a request header name (one entry in cdn_policy.bypass_cache_on_request_headers, max 5 entries).
BackendBucketCdnCacheKeyPolicy
cdn_policy.cache_key_policy (max_items=1). Buckets only expose the queryStringWhitelist / includeHttpHeaders axes — unlike BackendServiceCdnCacheKeyPolicy, there is no host / protocol / query-string-as-a-whole toggle.
BackendBucketCdnNegativeCachingPolicy
One row in cdn_policy.negative_caching_policy.
BackendBucketCdnPolicy
cdn_policy block — Cloud CDN configuration for this backend bucket. Only honored when GoogleComputeBackendBucket.enableCdn is true. Distinct type from BackendServiceCdnPolicy: the shape is similar but the schema has bucket-specific quirks (no cacheKeyPolicy.includeHost / includeProtocol / includeQueryString — buckets only expose the queryStringWhitelist / includeHttpHeaders axes).
BackendBucketParams
params block — currently only carries resource-manager tags applied at creation time. Immutable: changes force replacement.
BackendServiceAwsV4Authentication
security_settings.aws_v4_authentication (max_items=1). accessKey is sensitive.
BackendServiceBackend
One entry in the backends set. The backend's group is the self-link of an Instance Group, Network Endpoint Group, or backend bucket — all backends in a single service must share the same kind (no mixing IG with NEG).
BackendServiceBackendCustomMetric
One entry under backend.custom_metrics — a signal exported by the backend that the load balancer should consider when balancingMode is BackendServiceBalancingMode.customMetrics.
BackendServiceCdnBypassCacheOnRequestHeader
Cache-bypass rule keyed on a request header name.
BackendServiceCdnCacheKeyPolicy
cdn_policy.cache_key_policy (max_items=1).
BackendServiceCdnNegativeCachingPolicy
One row in cdn_policy.negative_caching_policy.
BackendServiceCdnPolicy
cdn_policy block. Only honored when enableCdn is true.
BackendServiceCircuitBreakers
circuit_breakers block — caps on simultaneous activity per backend before the load balancer trips. Only honored for INTERNAL_SELF_MANAGED / INTERNAL_MANAGED / EXTERNAL_MANAGED schemes.
BackendServiceConsistentHash
consistent_hash block. Only meaningful when LocalityLbPolicy is ringHash or maglev.
BackendServiceConsistentHashHttpCookie
consistent_hash.http_cookie (max_items=1).
BackendServiceCustomMetric
One entry under the top-level custom_metrics. Mirrors BackendServiceBackendCustomMetric but without maxUtilization (schema only models name + dry_run at this scope).
BackendServiceDuration
google.protobuf.Duration-shaped value used by several sub-blocks (consistent_hash.http_cookie.ttl, strong_session_affinity_cookie.ttl, outlier_detection.base_ejection_time, etc.).
BackendServiceIap
iap block. Wraps the backend service in Cloud IAP, which gates requests on an authenticated end-user identity / IAM check before they reach the backend.
BackendServiceLocalityLbBuiltinPolicy
Built-in locality_lb_policies[].policy (max_items=1).
BackendServiceLocalityLbCustomPolicy
Caller-supplied xDS locality_lb_policies[].custom_policy (max_items=1).
BackendServiceLocalityLbPolicyEntry
One entry under locality_lb_policies. Exactly one of policy / customPolicy should be set per entry.
BackendServiceLogConfig
log_config block — Cloud Logging export configuration for the backend service.
BackendServiceMaxStreamDuration
max_stream_duration block. Schema quirk: the seconds attribute is typed as a string (not a number) — pass a decimal string like "30" or "30.500".
BackendServiceOutlierDetection
outlier_detection block — passive health checking. Hosts that exceed the configured failure thresholds are ejected from the load balancing pool for base_ejection_time * consecutive-ejection-count.
BackendServiceParams
params block — currently only carries resource-manager tags.
BackendServiceSecuritySettings
security_settings block — mTLS / TLS policy used when dialing backends.
BackendServiceStrongSessionAffinityCookie
strong_session_affinity_cookie block. Used only when sessionAffinity is SessionAffinity.strongCookieAffinity.
BackendServiceTlsSettings
tls_settings block — newer (TLS 1.3 / authentication-config-based) TLS configuration; preferred over security_settings when both would otherwise apply.
BackendServiceTlsSubjectAltName
One entry under tls_settings.subject_alt_names. Exactly one of dnsName / uniformResourceIdentifier should be set.
BootDisk
boot_disk block (single, required by GCP). At least one of initializeParams (create a new disk) or source (attach an existing disk) is required by Terraform; this helper does not enforce that because both are nullable in the schema.
ConfidentialInstanceConfig
confidential_instance_config block (max_items=1). Enables Confidential VM. Requires scheduling.on_host_maintenance = TERMINATE.
FirewallAllowRule
One allow entry: an IP protocol plus optional list of port specs.
FirewallDenyRule
One deny entry. Same shape as FirewallAllowRule; kept separate so caller intent is obvious at the call site (allow: vs deny: lists are mutually exclusive per GCP API).
FirewallLogConfig
Firewall logging configuration (single block, max_items=1). Setting this enables Cloud Logging export for matched traffic.
ForwardingRuleServiceDirectoryRegistration
One entry in service_directory_registrations. The schema caps the list at one entry; populated only for forwarding rules whose loadBalancingScheme is INTERNAL or INTERNAL_MANAGED so other consumers in the same project can resolve the rule by Service Directory name.
GlobalForwardingRuleMetadataFilter
One entry in metadata_filters. Only consulted by Traffic Director (loadBalancingScheme: INTERNAL_SELF_MANAGED) forwarding rules — silently ignored for every other scheme. xDS clients present node metadata in their config request; this filter gates which routing config gets returned to which client.
GlobalForwardingRuleMetadataFilterLabel
One metadata_filters[*].filter_labels[*] entry. Both name and value are required by the provider schema; lengths are capped at 1024 characters by the API (not enforced here).
GlobalForwardingRuleServiceDirectoryRegistration
One entry in service_directory_registrations. The schema caps the list at one entry; populated only for Private Service Connect forwarding rules that target Google APIs (so other consumers in the same project can resolve the rule by Service Directory name).
GoogleComputeAddress
Factory wrapper for google_compute_address (provider hashicorp/google ~> 7.0).
GoogleComputeAutoscaler
Factory wrapper for google_compute_autoscaler (provider hashicorp/google ~> 7.0).
GoogleComputeBackendBucket
Factory wrapper for google_compute_backend_bucket (provider hashicorp/google ~> 7.0).
GoogleComputeBackendService
Factory wrapper for google_compute_backend_service (provider hashicorp/google ~> 7.0).
GoogleComputeDiskIamMember
Factory wrapper for google_compute_disk_iam_member.
GoogleComputeFirewall
Factory wrapper for google_compute_firewall (provider hashicorp/google ~> 7.0).
GoogleComputeForwardingRule
Factory wrapper for google_compute_forwarding_rule (provider hashicorp/google ~> 7.0).
GoogleComputeGlobalAddress
Factory wrapper for google_compute_global_address (provider hashicorp/google ~> 7.0).
GoogleComputeGlobalForwardingRule
Factory wrapper for google_compute_global_forwarding_rule (provider hashicorp/google ~> 7.0).
GoogleComputeGlobalNetworkEndpointGroup
Factory wrapper for google_compute_global_network_endpoint_group (provider hashicorp/google ~> 7.0).
GoogleComputeHealthCheck
Factory wrapper for google_compute_health_check (provider hashicorp/google ~> 7.0).
GoogleComputeInstance
Factory wrapper for google_compute_instance (provider hashicorp/google ~> 7.0).
GoogleComputeInstanceGroupManager
Factory wrapper for google_compute_instance_group_manager (provider hashicorp/google ~> 7.0).
GoogleComputeInstanceIamMember
Factory wrapper for google_compute_instance_iam_member.
GoogleComputeInstanceTemplate
Factory wrapper for google_compute_instance_template (provider hashicorp/google ~> 7.0).
GoogleComputeManagedSslCertificate
Factory wrapper for google_compute_managed_ssl_certificate (provider hashicorp/google ~> 7.0).
GoogleComputeNetwork
Factory wrapper for google_compute_network (provider hashicorp/google ~> 7.0).
GoogleComputeNetworkEndpointGroup
Factory wrapper for google_compute_network_endpoint_group (provider hashicorp/google ~> 7.0).
GoogleComputeRegionAutoscaler
Factory wrapper for google_compute_region_autoscaler (provider hashicorp/google ~> 7.0).
GoogleComputeRegionBackendService
Factory wrapper for google_compute_region_backend_service (provider hashicorp/google ~> 7.0).
GoogleComputeRegionHealthCheck
Factory wrapper for google_compute_region_health_check (provider hashicorp/google ~> 7.0).
GoogleComputeRegionInstanceGroupManager
Factory wrapper for google_compute_region_instance_group_manager (provider hashicorp/google ~> 7.0).
GoogleComputeRegionNetworkEndpointGroup
Factory wrapper for google_compute_region_network_endpoint_group (provider hashicorp/google ~> 7.0).
GoogleComputeRegionTargetHttpProxy
Factory wrapper for google_compute_region_target_http_proxy (provider hashicorp/google ~> 7.0).
GoogleComputeRegionTargetHttpsProxy
Factory wrapper for google_compute_region_target_https_proxy (provider hashicorp/google ~> 7.0).
GoogleComputeRegionUrlMap
Factory wrapper for google_compute_region_url_map (provider hashicorp/google ~> 7.0).
GoogleComputeSecurityPolicy
Factory wrapper for google_compute_security_policy (provider hashicorp/google ~> 7.0). This is Google Cloud Armor: a layer-7 WAF / DDoS / rate-limiting policy that attaches to one or more google_compute_backend_service (via that resource's securityPolicy field) or to backend buckets for edge variants.
GoogleComputeSslCertificate
Factory wrapper for google_compute_ssl_certificate (provider hashicorp/google ~> 7.0).
GoogleComputeSslPolicy
Factory wrapper for google_compute_ssl_policy (provider hashicorp/google ~> 7.0).
GoogleComputeSubnetwork
Factory wrapper for google_compute_subnetwork (provider hashicorp/google ~> 7.0).
GoogleComputeSubnetworkIamMember
Factory wrapper for google_compute_subnetwork_iam_member.
GoogleComputeTargetHttpProxy
Factory wrapper for google_compute_target_http_proxy (provider hashicorp/google ~> 7.0).
GoogleComputeTargetHttpsProxy
Factory wrapper for google_compute_target_https_proxy (provider hashicorp/google ~> 7.0).
GoogleComputeUrlMap
Factory wrapper for google_compute_url_map (provider hashicorp/google ~> 7.0).
GrpcHealthCheckConfig
grpc_health_check block. Probes via the gRPC Health Checking Protocol (grpc.health.v1.Health/Check).
GuestAccelerator
One entry inside guest_accelerator. Attaches a GPU / TPU to the VM.
HealthCheckLogConfig
log_config block. Toggles Cloud Logging export of probe results.
Http2HealthCheckConfig
http2_health_check block.
HttpHealthCheckConfig
http_health_check block. Set this (and only this) to make the resource an HTTP health check.
HttpsHealthCheckConfig
https_health_check block.
InitializeParams
boot_disk.initialize_params block. Creates a new disk inline at instance-create time. Mutually exclusive with bootDisk.source (which attaches an existing disk).
InstanceGroupManagerAllInstancesConfig
all_instances_config block. Patches labels and metadata onto every VM the MIG manages, overlaying the instance template's values.
InstanceGroupManagerAutoHealingPolicy
auto_healing_policies block. When a VM fails its healthCheck for longer than the initial-delay window, the MIG recreates it. Schema marks both fields as required.
InstanceGroupManagerInstanceLifecyclePolicy
instance_lifecycle_policy block — fine-grained behavior on failures and template updates.
InstanceGroupManagerNamedPort
One entry in namedPorts. Backend services that reference this MIG by port_name look up the matching port number here.
InstanceGroupManagerResourcePolicies
resource_policies block — wires the MIG to a google_compute_resource_policy workload policy.
InstanceGroupManagerStandbyPolicy
standby_policy block — controls how the MIG resumes VMs from a standby pool during scale-out.
InstanceGroupManagerStatefulDisk
One entry in statefulDisks. Marks a disk attached at deviceName as stateful — the MIG preserves the disk across VM recreates per deleteRule.
InstanceGroupManagerStatefulIp
One entry in statefulInternalIps / statefulExternalIps. Both blocks share the same shape.
InstanceGroupManagerTargetSizePolicy
One entry in targetSizePolicies. Configures whether the MIG creates VMs individually or all at once to reach GoogleComputeInstanceGroupManager.targetSize.
InstanceGroupManagerUpdatePolicy
update_policy block. Drives how the MIG rolls a new InstanceGroupManagerVersion across its members.
InstanceGroupManagerVersion
One entry in versions. Each version pins an instanceTemplate (a google_compute_instance_template self-link, typically a within-batch sibling) and optionally caps how many instances run that version via targetSize.
InstanceGroupManagerVersionTargetSize
version.target_size (max_items=1). Exactly one of fixed or percent should be set.
InstanceParams
params block (max_items=1). Carries request-side parameters that are not persisted on the resource (currently only resource manager tags applied at instance-create time).
InstanceTemplateAccessConfig
One entry inside network_interface.access_config. An access config gives the interface an external IPv4 address (ephemeral when natIp is null, static when it's a reserved IP).
InstanceTemplateAdvancedMachineFeatures
advanced_machine_features block (max_items=1). Per-CPU tuning knobs.
InstanceTemplateAliasIpRange
One entry inside network_interface.alias_ip_range. Alias IPs let pods / containers running on instances created from this template use secondary CIDR ranges from the attached subnetwork.
InstanceTemplateConfidentialInstanceConfig
confidential_instance_config block (max_items=1). Enables Confidential VM. Requires scheduling.on_host_maintenance = TERMINATE.
InstanceTemplateDisk
One entry inside disk. Templates require min_items=1. Each disk either initializes a new disk inline (sourceImage / sourceSnapshot) or attaches an existing one (source).
InstanceTemplateDiskEncryptionKey
disk.disk_encryption_key block (max_items=1). Customer-managed KMS CryptoKey used to encrypt the disk at rest.
InstanceTemplateGuestAccelerator
One entry inside guest_accelerator. Attaches a GPU / TPU to instances created from this template. Both fields are required by the schema.
InstanceTemplateIpv6AccessConfig
One entry inside network_interface.ipv6_access_config. GCP currently allows at most one IPv6 access config per interface; only PREMIUM tier is valid for IPv6 today.
InstanceTemplateNetworkInterface
One entry inside network_interface. At least one is required by GCP.
InstanceTemplateNetworkPerformanceConfig
network_performance_config block (max_items=1). Selects the Tier 1 network egress profile.
InstanceTemplateNodeAffinity
One entry inside scheduling.node_affinities. Sole-tenant placement uses this to bind instances to a node group with matching labels.
InstanceTemplateOnInstanceStopAction
scheduling.on_instance_stop_action block (max_items=1). Defines extra behaviour applied when the chosen instance_termination_action runs.
InstanceTemplateReservationAffinity
reservation_affinity block (max_items=1). Controls whether and how instances created from this template consume capacity from a Compute Engine reservation.
InstanceTemplateScheduling
scheduling block (max_items=1). Controls preemptibility, host maintenance, max run duration, and sole-tenant affinities.
InstanceTemplateSchedulingDuration
scheduling.max_run_duration / scheduling.local_ssd_recovery_timeout sub-block (Duration shape). Both fields take this same shape.
InstanceTemplateServiceAccount
service_account block (max_items=1). When set, instances created from this template expose a Google service account credential to the guest via the metadata service.
InstanceTemplateShieldedInstanceConfig
shielded_instance_config block (max_items=1). Enables Shielded VM features (secure boot / vTPM / integrity monitoring).
InstanceTemplateSourceImageEncryptionKey
disk.source_image_encryption_key block (max_items=1). Customer-supplied key that decrypted the source image. Instance templates do not persist customer-supplied keys, so MIGs cannot create disks from images encrypted with your own keys via a template.
InstanceTemplateSourceSnapshotEncryptionKey
disk.source_snapshot_encryption_key block (max_items=1). Customer-supplied key that decrypted the source snapshot.
InstanceTemplateSpecificReservation
reservation_affinity.specific_reservation sub-block (max_items=1). Only meaningful when InstanceTemplateReservationAffinity.type is InstanceTemplateReservationAffinityType.specificReservation.
Ipv6AccessConfig
One entry inside network_interface.ipv6_access_config. GCP currently allows at most one IPv6 access config per interface.
ManagedSslCertificateConfig
managed block payload (single block, max_items=1). Carries the list of domains Google should issue the certificate for.
NetworkInterface
One entry inside network_interface. At least one is required by GCP.
NetworkPerformanceConfig
network_performance_config block (max_items=1). Selects the Tier 1 network egress profile.
NodeAffinity
One entry inside scheduling.node_affinities. Sole-tenant placement uses this to bind the VM to a node group with matching labels.
RegionAutoscalerAutoscalingPolicy
autoscaling_policy block — the heart of the autoscaler. Combines a replica range (minReplicas..maxReplicas) with one or more signal sub-blocks (cpuUtilization, loadBalancingUtilization, metrics) and optional smoothing controls (cooldownPeriod, scaleInControl, scalingSchedules).
RegionAutoscalerCpuUtilization
cpu_utilization block. Drives autoscaling against the average CPU usage of instances in the target regional MIG.
RegionAutoscalerLoadBalancingUtilization
load_balancing_utilization block. Drives autoscaling against backend-capacity utilization (HTTP(S) load balancer with utilization balancing mode).
RegionAutoscalerMetric
One metric entry — a custom Stackdriver / Cloud Monitoring signal. Exactly one of target / singleInstanceAssignment is typically set; the GCP API enforces the constraint at apply time.
RegionAutoscalerScaleInControl
scale_in_control block. Caps how aggressively the autoscaler may shed replicas inside a timeWindowSec-second sliding window — useful for stateful workloads that need warm capacity to drain gracefully.
RegionAutoscalerScaleInReplicas
max_scaled_in_replicas sub-block. Express the cap as either a fixed count or a percent of the current MIG size; the schema requires at least one of the two.
RegionAutoscalerScalingSchedule
One scaling_schedules entry. The Dart Map<String, _> key becomes the schedule's name on the wire (the schema models this as a set of blocks with name baked in).
RegionBackendServiceBackend
One entry in the backends set. The backend's group is the self-link of an Instance Group, regional MIG, or regional Network Endpoint Group — all backends in a single service must share the same kind (no mixing IG with NEG). Note: regional backends carry a failover flag (used by RegionBackendServiceFailoverPolicy) and do not support the global resource's preference field.
RegionBackendServiceBackendCustomMetric
One entry under backend.custom_metrics — a signal exported by the backend that the load balancer should consider when balancingMode is RegionBackendServiceBalancingMode.customMetrics.
RegionBackendServiceCdnCacheKeyPolicy
cdn_policy.cache_key_policy (max_items=1).
RegionBackendServiceCdnNegativeCachingPolicy
One row in cdn_policy.negative_caching_policy. The regional schema does not model the ttl attribute (status-code key only).
RegionBackendServiceCdnPolicy
cdn_policy block. Only honored when enableCdn is true. The regional schema omits the global resource's bypass_cache_on_request_headers and request_coalescing fields.
RegionBackendServiceCircuitBreakers
circuit_breakers block — caps on simultaneous activity per backend before the load balancer trips. Only honored for INTERNAL_SELF_MANAGED / INTERNAL_MANAGED / EXTERNAL_MANAGED schemes.
RegionBackendServiceConsistentHash
consistent_hash block. Only meaningful when RegionBackendServiceLocalityLbPolicy is ringHash or maglev.
RegionBackendServiceConsistentHashHttpCookie
consistent_hash.http_cookie (max_items=1).
RegionBackendServiceCustomMetric
One entry under the top-level custom_metrics. Mirrors RegionBackendServiceBackendCustomMetric but without maxUtilization (schema only models name + dry_run at this scope).
RegionBackendServiceDuration
google.protobuf.Duration-shaped value used by several sub-blocks (consistent_hash.http_cookie.ttl, strong_session_affinity_cookie.ttl, outlier_detection.base_ejection_time, outlier_detection.interval).
RegionBackendServiceFailoverPolicy
failover_policy block — only meaningful for Internal Passthrough NLBs. Backends are split into primary / failover pools (see RegionBackendServiceBackend.failover); when the primary pool's healthy fraction drops below failoverRatio, traffic is shifted to the failover pool.
RegionBackendServiceHaPolicy
ha_policy block — self-managed HA for External / Internal Passthrough NLBs. Conflicts with sessionAffinity, failoverPolicy, and healthChecks — when haPolicy is set, the caller is responsible for tracking endpoint health and electing a leader.
RegionBackendServiceHaPolicyLeader
ha_policy.leader (max_items=1).
RegionBackendServiceHaPolicyLeaderNetworkEndpoint
ha_policy.leader.network_endpoint (max_items=1).
RegionBackendServiceIap
iap block. Wraps the regional backend service in Cloud IAP, which gates requests on an authenticated end-user identity / IAM check before they reach the backend.
RegionBackendServiceLogConfig
log_config block — Cloud Logging export configuration for the regional backend service.
RegionBackendServiceNetworkPassThroughLbTrafficPolicy
network_pass_through_lb_traffic_policy block — traffic steering for Internal Passthrough NLBs (currently only zonal-affinity).
RegionBackendServiceOutlierDetection
outlier_detection block — passive health checking. Hosts that exceed the configured failure thresholds are ejected from the load balancing pool for base_ejection_time * consecutive-ejection-count.
RegionBackendServiceParams
params block — currently only carries resource-manager tags.
RegionBackendServiceStrongSessionAffinityCookie
strong_session_affinity_cookie block. Used only when sessionAffinity is RegionBackendServiceSessionAffinity.strongCookieAffinity.
RegionBackendServiceTlsSettings
tls_settings block — TLS / mTLS configuration used when dialing backends. Only meaningful when protocol is SSL, HTTPS, or HTTP2. The regional resource does not surface security_settings — this is the only TLS-config block available here.
RegionBackendServiceTlsSubjectAltName
One entry under tls_settings.subject_alt_names. Exactly one of dnsName / uniformResourceIdentifier should be set.
RegionBackendServiceZonalAffinity
network_pass_through_lb_traffic_policy.zonal_affinity (max_items=1). New connections are load balanced across healthy backend endpoints in the local zone first; behavior when the in-zone healthy fraction drops below spilloverRatio is governed by spillover.
RegionHealthCheckGrpcConfig
grpc_health_check block. Probes via the gRPC Health Checking Protocol (grpc.health.v1.Health/Check).
RegionHealthCheckHttp2Config
http2_health_check block.
RegionHealthCheckHttpConfig
http_health_check block. Set this (and only this) to make the resource an HTTP health check.
RegionHealthCheckHttpsConfig
https_health_check block.
RegionHealthCheckLogConfig
log_config block. Toggles Cloud Logging export of probe results.
RegionHealthCheckSslConfig
ssl_health_check block. Pure SSL/TLS probe.
RegionHealthCheckTcpConfig
tcp_health_check block. Pure TCP connect-or-payload probe.
RegionInstanceGroupManagerAllInstancesConfig
all_instances_config block. Patches labels and metadata onto every VM the MIG manages, overlaying the instance template's values.
RegionInstanceGroupManagerAutoHealingPolicy
auto_healing_policies block. When a VM fails its healthCheck for longer than the initial-delay window, the MIG recreates it. Schema marks both fields as required.
RegionInstanceGroupManagerInstanceFlexibilityPolicy
instance_flexibility_policy block — regional only. Lets the MIG pick from multiple machine types when creating new VMs, instead of the single machine type set on the instance template.
RegionInstanceGroupManagerInstanceLifecyclePolicy
instance_lifecycle_policy block — fine-grained behavior on failures and template updates.
RegionInstanceGroupManagerInstanceSelection
One entry in RegionInstanceGroupManagerInstanceFlexibilityPolicy.instanceSelections.
RegionInstanceGroupManagerNamedPort
One entry in namedPorts. Backend services that reference this MIG by port_name look up the matching port number here.
RegionInstanceGroupManagerResourcePolicies
resource_policies block — wires the MIG to a google_compute_resource_policy workload policy.
RegionInstanceGroupManagerStandbyPolicy
standby_policy block — controls how the MIG resumes VMs from a standby pool during scale-out.
RegionInstanceGroupManagerStatefulDisk
One entry in statefulDisks. Marks a disk attached at deviceName as stateful — the MIG preserves the disk across VM recreates per deleteRule. Note: cross-zone instance redistribution must be disabled (set RegionInstanceGroupManagerUpdatePolicy.instanceRedistributionType to RegionInstanceGroupManagerInstanceRedistributionType.none) before updating stateful disks on an existing regional MIG.
RegionInstanceGroupManagerStatefulIp
One entry in statefulInternalIps / statefulExternalIps. Both blocks share the same shape.
RegionInstanceGroupManagerTargetSizePolicy
One entry in targetSizePolicies. Configures whether the MIG creates VMs individually or all at once to reach GoogleComputeRegionInstanceGroupManager.targetSize.
RegionInstanceGroupManagerUpdatePolicy
update_policy block. Drives how the regional MIG rolls a new RegionInstanceGroupManagerVersion across its members and how aggressively it rebalances across distributionPolicyZones.
RegionInstanceGroupManagerVersion
One entry in versions. Each version pins an instanceTemplate (a google_compute_instance_template self-link, typically a within-batch sibling) and optionally caps how many instances run that version via targetSize.
RegionInstanceGroupManagerVersionTargetSize
version.target_size (max_items=1). Exactly one of fixed or percent should be set.
RegionNetworkEndpointGroupAppEngine
app_engine slot of google_compute_region_network_endpoint_group. Only valid when networkEndpointType is RegionNetworkEndpointGroupType.serverless and mutually exclusive with cloudRun / cloudFunction.
RegionNetworkEndpointGroupCloudFunction
cloud_function slot of google_compute_region_network_endpoint_group. Only valid when networkEndpointType is RegionNetworkEndpointGroupType.serverless and mutually exclusive with cloudRun / appEngine.
RegionNetworkEndpointGroupCloudRun
cloud_run slot of google_compute_region_network_endpoint_group. Only valid when networkEndpointType is RegionNetworkEndpointGroupType.serverless and mutually exclusive with cloudFunction / appEngine.
RegionUrlMapHeaderAction
header_action block. Adds / removes headers on requests forwarded to the backend and / or responses returned to the client. Used at the top-level URL-map slot and inside RegionUrlMapRouteRule.headerAction.
RegionUrlMapHeaderMatch
One match_rules[].header_matches[] entry. The schema permits one of exactMatch / prefixMatch / suffixMatch / regexMatch / presentMatch / rangeMatch per entry; invertMatch negates the outcome. Validation is left to the GCP API.
RegionUrlMapHeaderMatchRange
header_matches.range_match block. Both bounds required by the schema.
RegionUrlMapHeaderToAdd
One entry in RegionUrlMapHeaderAction.requestHeadersToAdd / RegionUrlMapHeaderAction.responseHeadersToAdd. All three fields are required by the schema at the top-level header_action slot.
RegionUrlMapHostRule
One host_rule entry. Binds a set of Host: header values to a RegionUrlMapPathMatcher by name. Multiple host_rule entries can point at the same pathMatcher.
RegionUrlMapPathMatcher
One path_matcher entry. Each path matcher is named (so RegionUrlMapHostRule can reference it) and carries a fallback defaultService plus the path-based routing rules.
RegionUrlMapPathRule
One path_matcher.path_rule[] entry. Matches request paths against the paths glob list (e.g. ['/login', '/login/*']) and dispatches to either a service OR an inline urlRedirect -- exactly one of the two must be set per the GCP API.
RegionUrlMapQueryParameterMatch
One match_rules[].query_parameter_matches[] entry. Matches a single query parameter by name with a chosen predicate.
RegionUrlMapRouteRule
One path_matcher.route_rules[] entry. Priority-ordered routing with header / query / regex match support; the GCP equivalent of an Envoy route_config.
RegionUrlMapRouteRuleMatch
One route_rules[].match_rules[] entry. Carries the actual matching predicates (one or more of full path / prefix / regex / path template, optionally further refined by header / query / metadata filters).
RegionUrlMapTest
One test[] entry. Each test states "a request to host+path should resolve to service" and is evaluated by GCP at apply time -- if the routing pipeline produces a different service, the apply FAILS. Effectively a contract test for the URL map's routing table.
RegionUrlMapTestHeader
One entry in RegionUrlMapTest.headers. Both fields required by the schema.
RegionUrlMapUrlRedirect
default_url_redirect / path_rule.url_redirect / route_rules.url_redirect block. Returns an HTTP redirect to the client instead of forwarding to a backend.
ReservationAffinity
reservation_affinity block (max_items=1). Controls whether and how the VM consumes capacity from a Compute Engine reservation.
Scheduling
scheduling block (max_items=1). Controls preemptibility, host maintenance, max run duration, and sole-tenant affinities.
SchedulingDuration
scheduling.max_run_duration / scheduling.local_ssd_recovery_timeout sub-block (Duration shape). Both fields take this same shape.
ScratchDisk
One entry inside scratch_disk. Local SSD scratch disks are instance-lifetime only -- contents are lost on stop/start.
SecondaryIpRange
One secondary_ip_range entry. Defines an alias IP range usable by instances in this subnetwork (typically consumed by GKE pods/services).
SecurityPolicyAdaptiveProtectionConfig
adaptive_protection_config -- Google's ML-driven layer-7 DDoS auto-mitigation. When enabled, Cloud Armor watches traffic patterns and proposes / auto-deploys rules during a suspected attack.
SecurityPolicyAdaptiveProtectionThresholdConfig
One entry in threshold_configs. The numeric knobs are passed through verbatim -- consult the Cloud Armor adaptive-protection docs for tuning guidance.
SecurityPolicyAdvancedOptionsConfig
advanced_options_config -- knobs that apply across the whole policy: JSON-body inspection for preconfigured WAF rules, log verbosity, and client-IP resolution headers.
SecurityPolicyJsonCustomConfig
advanced_options_config.json_custom_config -- list of additional Content-Type values Cloud Armor should treat as JSON for WAF body inspection (beyond the default application/json).
SecurityPolicyLayer7DdosDefenseConfig
layer_7_ddos_defense_config block. Pair enable with ruleVisibility (typically 'STANDARD'); per-segment thresholds can be tuned via thresholdConfigs for tenants with predictable traffic shape.
SecurityPolicyRecaptchaOptionsConfig
recaptcha_options_config -- policy-wide reCAPTCHA site key used for redirect-to-reCAPTCHA actions. Only the redirect site key is exposed by Terraform today; if unset, Cloud Armor uses a Google-managed key.
SecurityPolicyRule
One entry in rule[]. Rules are evaluated from highest priority (lowest numeric value) to lowest priority. The first match wins and its action is enforced. Cloud Armor REQUIRES a default rule at priority 2147483647 matching all traffic ('*') -- if you omit it the provider injects one with SecurityPolicyRuleAction.allow, which silently disables a deny-list policy. Always author the default rule explicitly.
SecurityPolicyRuleEnforceOnKeyConfig
One entry in rate_limit_options.enforce_on_key_configs. Lets a rule key on a composite of attributes (e.g. "(client IP, region)").
SecurityPolicyRuleHeaderAction
rule.header_action -- request-header rewrites applied alongside the rule's match action. Useful for tagging matched requests so downstream services (or Cloud Logging) can see which Cloud Armor rule fired.
SecurityPolicyRuleHeaderAdd
One header rewrite in SecurityPolicyRuleHeaderAction.requestHeadersToAdds. headerValue is optional -- omitting it adds the header with an empty string value.
SecurityPolicyRuleMatch
rule.match -- the condition under which a rule fires. Mutually-exclusive variants:
SecurityPolicyRuleMatchConfig
match.config -- payload for the SRC_IPS_V1 predicate. The only field today is srcIpRanges; the schema limits this to 10 entries per rule. Pass ['*'] to match ALL inbound IPs (the canonical default-deny / default-allow shape).
SecurityPolicyRuleMatchExpr
match.expr -- a user-defined Common Expression Language (CEL) predicate evaluated against the request. The expression is passed to Cloud Armor as an opaque string; the Dart wrapper does NOT type-check CEL syntax, so callers are responsible for matching Cloud Armor's CEL dialect (see https://cloud.google.com/armor/docs/rules-language-reference).
SecurityPolicyRuleRateLimitOptions
rule.rate_limit_options -- threshold + action plumbing for SecurityPolicyRuleAction.throttle and SecurityPolicyRuleAction.rateBasedBan. Throttle simply rejects requests over the threshold; rate-based ban additionally locks the offending key out for banDurationSec seconds once it trips banThreshold.
SecurityPolicyRuleRateLimitThreshold
rate_limit_threshold / ban_threshold shape. Count of requests per fixed intervalSec window.
SecurityPolicyRuleRedirectOptions
rule.redirect_options -- redirect target shape, also reused as rate_limit_options.exceed_redirect_options. Two flavors: 'EXTERNAL_302' requires target (an HTTPS URL Cloud Armor 302s to); 'GOOGLE_RECAPTCHA' swaps the request for a Google-hosted reCAPTCHA challenge and MUST NOT set target.
SecurityPolicyTrafficGranularityConfig
One entry in traffic_granularity_configs. enableEachUniqueValue (true) and value (non-empty string) are mutually exclusive: the schema rejects setting both.
ServiceAccount
service_account block (max_items=1). When set, the VM's metadata exposes a Google service account credential to the guest.
ShieldedInstanceConfig
shielded_instance_config block (max_items=1). Enables Shielded VM features (secure boot / vTPM / integrity monitoring).
SpecificReservation
reservation_affinity.specific_reservation sub-block (max_items=1). Only meaningful when ReservationAffinity.type is ReservationAffinityType.specificReservation.
SslHealthCheckConfig
ssl_health_check block. Pure SSL/TLS probe.
SubnetworkLogConfig
log_config block. Enables VPC flow logs for the subnetwork. Flow logging is not supported when the subnetwork purpose is REGIONAL_MANAGED_PROXY or GLOBAL_MANAGED_PROXY.
TcpHealthCheckConfig
tcp_health_check block. Pure TCP connect-or-payload probe.
UrlMapHeaderAction
header_action block. Adds / removes headers on requests forwarded to the backend and / or responses returned to the client. Used at the top-level URL-map slot and inside UrlMapRouteRule.headerAction.
UrlMapHeaderMatch
One match_rules[].header_matches[] entry. The schema permits one of exactMatch / prefixMatch / suffixMatch / regexMatch / presentMatch / rangeMatch per entry; invertMatch negates the outcome. Validation is left to the GCP API.
UrlMapHeaderMatchRange
header_matches.range_match block. Both bounds required by the schema.
UrlMapHeaderToAdd
One entry in UrlMapHeaderAction.requestHeadersToAdd / UrlMapHeaderAction.responseHeadersToAdd. All three fields are required by the schema at the top-level header_action slot.
UrlMapHostRule
One host_rule entry. Binds a set of Host: header values to a UrlMapPathMatcher by name. Multiple host_rule entries can point at the same pathMatcher.
UrlMapPathMatcher
One path_matcher entry. Each path matcher is named (so UrlMapHostRule can reference it) and carries a fallback defaultService plus the path-based routing rules.
UrlMapPathRule
One path_matcher.path_rule[] entry. Matches request paths against the paths glob list (e.g. ['/login', '/login/*']) and dispatches to either a service OR an inline urlRedirect -- exactly one of the two must be set per the GCP API.
UrlMapQueryParameterMatch
One match_rules[].query_parameter_matches[] entry. Matches a single query parameter by name with a chosen predicate.
UrlMapRouteRule
One path_matcher.route_rules[] entry. Priority-ordered routing with header / query / regex match support; the GCP equivalent of an Envoy route_config.
UrlMapRouteRuleMatch
One route_rules[].match_rules[] entry. Carries the actual matching predicates (one or more of full path / prefix / regex / path template, optionally further refined by header / query / metadata filters).
UrlMapTest
One test[] entry. Each test states "a request to host+path should resolve to service" and is evaluated by GCP at apply time -- if the routing pipeline produces a different service, the apply FAILS. Effectively a contract test for the URL map's routing table.
UrlMapTestHeader
One entry in UrlMapTest.headers. Both fields required by the schema.
UrlMapUrlRedirect
default_url_redirect / path_rule.url_redirect / route_rules.url_redirect block. Returns an HTTP redirect to the client instead of forwarding to a backend.

Enums

AccessConfigNetworkTier
network_interface.access_config.network_tier -- service tier for the external IP. STANDARD is regional; PREMIUM is global.
AddressType
Address allocation scope: INTERNAL (VPC-private) or EXTERNAL (public IP).
AutoscalerCpuPredictiveMethod
Predictive autoscaling method for AutoscalerCpuUtilization.
AutoscalerMetricType
Defines how a custom-metric value is interpreted by the autoscaler. Mirrors the API's utilizationTargetType enum.
AutoscalerMode
Operating mode for the autoscaling policy. The schema declares this as a free-form string — the enum below pins the API-accepted set so callers cannot mis-spell it. Default is on when the field is omitted from the request.
BackendBucketCacheMode
cdn_policy.cache_mode. Enabling CDN (enable_cdn = true) without setting this defaults to CACHE_ALL_STATIC. Note: this is a distinct type from BackendServiceCacheMode — bucket-side CDN policies are not interchangeable with service-side policies.
BackendBucketCompressionMode
compression_mode — Brotli / gzip negotiation based on the client's Accept-Encoding header. Note: this is a distinct type from BackendServiceCompressionMode even though the wire values (AUTOMATIC / DISABLED) coincide.
BackendBucketLoadBalancingScheme
load_balancing_scheme. The bucket can be left scheme-less (the usual case — works with classic global external and global application external load balancers) or set to internalManaged for cross-region internal layer-7 load balancing. Important: when internalManaged is set, enable_cdn must be false (Cloud CDN is not available for internal schemes).
BackendServiceBalancingMode
Per-backend balancing mode. See BackendServiceBackend.balancingMode.
BackendServiceCacheMode
cdn_policy.cache_mode. Enabling CDN (enable_cdn = true) without setting this defaults to CACHE_ALL_STATIC.
BackendServiceCompressionMode
compression_mode. Brotli / gzip negotiation based on the client's Accept-Encoding header.
BackendServiceLogOptionalMode
log_config.optional_mode. Controls which optional access-log fields are exported when BackendServiceLogConfig.enable is true.
BackendServicePreference
backend.preference. Cannot be set when load_balancing_scheme is EXTERNAL.
BackendServiceProtocol
Wire protocol the backend service uses to talk to backends. HTTP2 and H2C require an HTTP(S)-class load balancer; TCP, SSL, and UDP are for Network Load Balancing / Traffic Director TCP routing. GRPC is required when the URL map is bound to a target gRPC proxy.
BgpBestPathSelectionMode
BGP best-path selection algorithm for the VPC.
BgpInterRegionCost
BGP inter-region cost calculation behaviour. Used when bgpBestPathSelectionMode == standard.
ConfidentialInstanceType
confidential_instance_config.confidential_instance_type -- confidential computing technology. SEV and SEV_SNP require AMD CPUs (the latter also requires min_cpu_platform = "AMD Milan"). TDX requires Intel.
ExternalManagedMigrationState
external_managed_migration_state. Drives the Classic ALB → Application Load Balancer migration. State must transition PREPARE → optional TEST_BY_PERCENTAGE → TEST_ALL_TRAFFIC before the load balancing scheme can flip from EXTERNAL to EXTERNAL_MANAGED; same order in reverse to roll back.
FirewallDirection
Direction of traffic this firewall rule applies to. For ingress, at least one of sourceRanges / sourceTags / sourceServiceAccounts is required by GCP.
FirewallLogMetadata
Whether to include or exclude metadata for firewall logs. Used as the metadata field of FirewallLogConfig.
ForwardingRuleIpProtocol
IP protocol for google_compute_forwarding_rule.ip_protocol. The set of protocols accepted at apply time depends on the load balancing scheme and target type — Application Load Balancers want tcp; protocol forwarding rules may also pick udp / esp / ah / sctp / icmp.
ForwardingRuleIpVersion
IP version for the regional forwarding rule's VIP. Default IPV4. Selecting ipv6 requires a regional IPv6 GoogleComputeAddress for GoogleComputeForwardingRule.ipAddress, and (for external IPv6 NetLB rules) typically pairs with GoogleComputeForwardingRule.ipCollection pointing at a PublicDelegatedPrefix in EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode.
ForwardingRuleLoadBalancingScheme
load_balancing_scheme. Picks which regional load balancer variant this forwarding rule fronts.
ForwardingRuleNetworkTier
network_tier. Unlike global forwarding rules (which only accept PREMIUM), regional forwarding rules accept both tiers. The tier must match the tier of the referenced GoogleComputeForwardingRule.ipAddress when one is supplied. Leave null to inherit the provider default (PREMIUM).
GlobalAddressIpVersion
IP protocol version for the global address. Default ipv4.
GlobalAddressPurpose
purpose for google_compute_global_address. Selects the role the reserved range plays.
GlobalAddressType
address_type for google_compute_global_address. Default external (public IP). Use internal for in-VPC ranges (private-services peering, internal load balancer VIPs).
GlobalForwardingRuleIpProtocol
IP protocol for google_compute_global_forwarding_rule.ip_protocol. The set of protocols accepted at apply time depends on the load balancing scheme and target type — Application Load Balancers want tcp; protocol forwarding rules may also pick udp / esp / ah / sctp / icmp.
GlobalForwardingRuleIpVersion
IP version for the global forwarding rule's VIP. Default IPV4. Selecting ipv6 requires a global IPv6 GoogleComputeGlobalAddress for GoogleComputeGlobalForwardingRule.ipAddress.
GlobalForwardingRuleLoadBalancingScheme
load_balancing_scheme. Picks which load balancer variant this forwarding rule fronts.
GlobalForwardingRuleMetadataFilterMatchCriteria
metadata_filters[*].filter_match_criteria. Controls how the nested GlobalForwardingRuleMetadataFilterLabel entries combine.
GlobalForwardingRuleMigrationState
external_managed_backend_bucket_migration_state. Drives the canary migration of backend buckets attached to this forwarding rule from EXTERNAL (Classic ALB) to EXTERNAL_MANAGED (modern global external ALB).
GlobalForwardingRuleNetworkTier
network_tier. For global forwarding rules GCP only accepts PREMIUM at apply time — the schema lists STANDARD for symmetry with the regional resource, but supplying it on a global rule errors out. Leave the field null (provider default = PREMIUM) unless overriding is explicitly needed.
GlobalNetworkEndpointGroupType
network_endpoint_type for google_compute_global_network_endpoint_group.
HealthCheckPortSpecification
port_specification value shared by every per-protocol config block.
HealthCheckProxyHeader
proxy_header value used inside every per-protocol HTTP-shaped block (HTTP, HTTPS, HTTP2, TCP, SSL). Defaults to none on the GCP API.
HealthCheckType
Health-check protocol. Computed on the resource (the GCP API derives it from which per-protocol config block was set), so callers don't set this directly — they pick the matching *HealthCheck block. Listed here for use in == comparisons against typeRef reads.
InstanceGroupManagerUpdatePolicyAction
update_policy.minimal_action / update_policy.most_disruptive_allowed_action. Shared enum — both fields accept the same value set.
InstanceGroupManagerUpdatePolicyReplacementMethod
update_policy.replacement_method. SUBSTITUTE (default) replaces VMs with newly-named ones; RECREATE preserves instance names but requires max_unavailable_* > 0.
InstanceGroupManagerUpdatePolicyType
update_policy.type. Controls whether the MIG actively performs the rolling update or waits for an external action (resize, recreate-instances) to apply it.
InstanceTemplateAccessConfigNetworkTier
network_interface.access_config.network_tier -- service tier for the external IP. STANDARD is regional; PREMIUM is global.
InstanceTemplateConfidentialInstanceType
confidential_instance_config.confidential_instance_type -- confidential computing technology. SEV and SEV_SNP require AMD CPUs (the latter also requires min_cpu_platform = "AMD Milan"). TDX requires Intel.
InstanceTemplateDiskMode
disk.mode -- read / write mode for an attached or boot disk. Boot disks must be READ_WRITE.
InstanceTemplateInstanceTerminationAction
scheduling.instance_termination_action -- action when a SPOT VM is preempted or max_run_duration elapses.
InstanceTemplateNicType
network_interface.nic_type -- vNIC family used for the interface.
InstanceTemplateOnHostMaintenance
scheduling.on_host_maintenance -- behaviour during host maintenance. MIGRATE (live migration) is the default for standard VMs; preemptible / SPOT / confidential VMs must use TERMINATE.
InstanceTemplatePerformanceMonitoringUnit
advanced_machine_features.performance_monitoring_unit -- PMU level exposed to the guest. ARCHITECTURAL is the minimum stable subset; ENHANCED exposes the broadest set of counters.
InstanceTemplateProvisioningModel
scheduling.provisioning_model -- VM provisioning model. STANDARD runs at on-demand prices with no termination guarantees from GCP; SPOT runs at preemptible prices and may be reclaimed at any time.
InstanceTemplateReservationAffinityType
reservation_affinity.type -- reservation consumption mode. Pair specificReservation with InstanceTemplateReservationAffinityType.specificReservation to target a named reservation; noReservation opts out.
InstanceTerminationAction
scheduling.instance_termination_action -- action when a SPOT VM is preempted or max_run_duration elapses.
IpAddressSelectionPolicy
ip_address_selection_policy. Controls IPv4-vs-IPv6 preference when the load balancer dials a backend (or when a proxyless gRPC client dials directly).
Ipv6EndpointType
IPv6 endpoint type. Used when GoogleComputeAddress.ipVersion is IpVersion.ipv6.
IpVersion
IP protocol version for the address.
LoadBalancingScheme
load_balancing_scheme. A backend service of one scheme cannot be repurposed for another — the value is effectively immutable except through the ExternalManagedMigrationState dance.
LocalityLbPolicy
locality_lb_policy. See the schema docstring for the matrix of which values are valid for which combination of protocol and load_balancing_scheme — Cloud Load Balancing silently coerces invalid values to the scheme's default at apply time.
ManagedSslCertificateType
Certificate provisioning mode. The schema for this resource accepts only MANAGED, and that value is the default — the enum exists for symmetry with the legacy unified google_compute_ssl_certificate resource (which historically distinguished MANAGED from SELF_MANAGED). For new code, omit type entirely.
NetworkEndpointGroupType
network_endpoint_type for google_compute_network_endpoint_group.
NetworkFirewallPolicyEnforcementOrder
Order in which a network firewall policy is enforced relative to classic firewall rules.
NetworkTier
Network service tier. PREMIUM uses Google's premium global backbone; STANDARD uses ISP-level routing (cheaper, regional).
NicType
network_interface.nic_type -- vNIC family used for the interface.
OnHostMaintenance
scheduling.on_host_maintenance -- behaviour during host maintenance. MIGRATE (live migration) is the default for standard VMs; preemptible / SPOT / confidential VMs must use TERMINATE.
PerformanceMonitoringUnit
advanced_machine_features.performance_monitoring_unit -- PMU level exposed to the guest. ARCHITECTURAL is the minimum stable subset; ENHANCED exposes the broadest set of counters.
ProvisioningModel
scheduling.provisioning_model -- VM provisioning model. STANDARD runs at on-demand prices with no termination guarantees from GCP; SPOT runs at preemptible prices and may be reclaimed at any time.
QuicOverride
QUIC negotiation policy for the HTTPS target proxy. When set to none (the default), Google manages whether QUIC is offered to clients; enable always offers QUIC; disable never offers it.
RegionAutoscalerCpuPredictiveMethod
Predictive autoscaling method for RegionAutoscalerCpuUtilization.
RegionAutoscalerMetricType
Defines how a custom-metric value is interpreted by the autoscaler. Mirrors the API's utilizationTargetType enum.
RegionAutoscalerMode
Operating mode for the autoscaling policy. The schema declares this as a free-form string — the enum below pins the API-accepted set so callers cannot mis-spell it. Default is on when the field is omitted from the request.
RegionBackendServiceBalancingMode
Per-backend balancing mode. See RegionBackendServiceBackend.balancingMode. Note: the regional resource omits the global IN_FLIGHT mode.
RegionBackendServiceCacheMode
cdn_policy.cache_mode. Enabling CDN (enable_cdn = true) without setting this defaults to CACHE_ALL_STATIC.
RegionBackendServiceFastIpMove
ha_policy.fast_ip_move. Controls fast IP-move behavior for self-managed HA on Passthrough NLBs.
RegionBackendServiceIpAddressSelectionPolicy
ip_address_selection_policy. Controls IPv4-vs-IPv6 preference when the load balancer dials a backend (or when a proxyless gRPC client dials directly).
RegionBackendServiceLoadBalancingScheme
load_balancing_scheme. A backend service of one scheme cannot be repurposed for another — the value is effectively immutable.
RegionBackendServiceLocalityLbPolicy
locality_lb_policy. See the schema docstring for the matrix of which values are valid for which combination of protocol and load_balancing_scheme — Cloud Load Balancing silently coerces invalid values to the scheme's default at apply time. For External Passthrough NLBs only maglev and weightedMaglev are honored; for INTERNAL_MANAGED with HTTP-class protocols the full set is available.
RegionBackendServiceLogOptionalMode
log_config.optional_mode. Controls which optional access-log fields are exported when RegionBackendServiceLogConfig.enable is true.
RegionBackendServiceProtocol
Wire protocol the regional backend service uses to talk to backends. HTTP2 and H2C require an HTTP(S)-class load balancer; TCP, SSL, and UDP are for Passthrough Network Load Balancing / regional internal proxy routing. GRPC is required when the URL map is bound to a regional target gRPC proxy.
RegionBackendServiceSessionAffinity
session_affinity. Applicable only when the locality LB policy is one of MAGLEV, WEIGHTED_MAGLEV, or RING_HASH for HTTP-class balancers; for Passthrough NLBs clientIp and the 5-tuple variants apply directly. The regional resource adds clientIpNoDestination (Passthrough NLB variant that ignores the destination tuple component) versus the global resource.
RegionBackendServiceZonalAffinitySpillover
network_pass_through_lb_traffic_policy.zonal_affinity.spillover. Zonal-affinity selector for Internal Passthrough NLBs.
RegionHealthCheckPortSpecification
port_specification value shared by every per-protocol config block.
RegionHealthCheckProxyHeader
proxy_header value used inside the per-protocol HTTP-shaped blocks (HTTP, HTTPS, HTTP2, TCP, SSL). Defaults to none on the GCP API.
RegionHealthCheckType
Health-check protocol on a regional health check. Computed on the resource (the GCP API derives it from which per-protocol config block was set), so callers don't set this directly — they pick the matching *HealthCheck block. Listed here for use in == comparisons against typeRef reads.
RegionInstanceGroupManagerDistributionPolicyTargetShape
distribution_policy_target_shape. Controls how strictly the MIG converges on an even spread across distributionPolicyZones during proactive or resize-triggered rebalancing.
RegionInstanceGroupManagerInstanceRedistributionType
update_policy.instance_redistribution_type (regional only). PROACTIVE (default) keeps zones balanced as VMs come and go; NONE disables proactive rebalancing.
RegionInstanceGroupManagerUpdatePolicyAction
update_policy.minimal_action / update_policy.most_disruptive_allowed_action. Shared enum — both fields accept the same value set.
RegionInstanceGroupManagerUpdatePolicyReplacementMethod
update_policy.replacement_method. SUBSTITUTE (default) replaces VMs with newly-named ones; RECREATE preserves instance names but requires max_unavailable_* > 0.
RegionInstanceGroupManagerUpdatePolicyType
update_policy.type. Controls whether the MIG actively performs the rolling update or waits for an external action (resize, recreate-instances) to apply it.
RegionNetworkEndpointGroupType
network_endpoint_type for google_compute_region_network_endpoint_group. Defaults to serverless on the API side.
RegionUrlMapRedirectResponseCode
HTTP redirect response code emitted by a default_url_redirect / path_rule.url_redirect / route_rules.url_redirect block. The schema declares this as a free-form string -- the enum below pins the API-accepted set so callers cannot mis-spell it.
ReservationAffinityType
reservation_affinity.type -- reservation consumption mode. Pair specificReservation with a ReservationAffinityType.specificReservation value to target a named reservation; noReservation opts out.
RoutingMode
Routing mode for google_compute_network. Controls how routes are advertised between VPC subnets (regional) or all subnets (global).
ScratchDiskInterface
scratch_disk.interface -- attach bus for the local SSD. Defaults to NVME; SCSI is retained for legacy machine families.
SecurityPolicyJsonParsing
advanced_options_config.json_parsing -- whether Cloud Armor parses JSON request bodies during WAF evaluation. standard is required for the JSON-aware preconfigured WAF rules to inspect body content; otherwise default disabled keeps inspection limited to URI / headers / query string.
SecurityPolicyLogLevel
advanced_options_config.log_level -- verbosity of Cloud Armor's Cloud Logging output. verbose includes preconfigured-WAF rule match details and is the recommended setting during policy tuning; switch back to normal for steady-state to control log volume.
SecurityPolicyRuleAction
rule.action -- what Cloud Armor does when the SecurityPolicyRule matches. The deny(NNN) actions return a fixed HTTP status to the client; rateBasedBan and throttle REQUIRE SecurityPolicyRule.rateLimitOptions; redirect REQUIRES SecurityPolicyRule.redirectOptions. The Terraform value preserves the literal provider strings (parentheses and digits included) -- the Dart variants pick identifier-safe names.
SecurityPolicyRuleMatchVersionedExpr
match.versioned_expr -- Cloud Armor's only built-in predicate today. Pair with SecurityPolicyRuleMatchConfig.srcIpRanges to match by source IP / CIDR. For richer matching (geo, path, headers), use SecurityPolicyRuleMatchExpr (CEL) instead.
SecurityPolicyType
type -- intended use of the security policy. Forces replacement when changed. The default (when unset on create) is SecurityPolicyType.cloudArmor.
SessionAffinity
session_affinity. Applicable only when the locality LB policy is one of MAGLEV, WEIGHTED_MAGLEV, or RING_HASH (otherwise the setting is silently ignored).
SslPolicyMinTlsVersion
min_tls_version — the protocol-version floor. TLS 1.3 is always offered by the load balancer and is not selectable as a minimum here; the API only exposes the 1.0 / 1.1 / 1.2 floors. To force TLS 1.3 only, pair tls12 with SslPolicyProfile.restricted, which drops the legacy 1.x suites from the negotiated set.
SslPolicyProfile
profile — the curated cipher-suite preset. See the class-level security guidance for picking between restricted (compliance default), modern (modern browsers only), compatible (permissive legacy default), fips202205 (FIPS 202205-pinned), and custom (caller-supplied via GoogleComputeSslPolicy.customFeatures).
SubnetworkIpv6AccessType
Access type of the IPv6 address range held by the subnetwork. Immutable after creation. Only meaningful when SubnetworkStackType includes IPv6.
SubnetworkLogConfigAggregationInterval
VPC flow log aggregation interval. The default on GCP is interval5Sec (denser sampling, higher cost).
SubnetworkLogConfigMetadata
VPC flow log metadata-inclusion mode. Pair customMetadata with the SubnetworkLogConfig.metadataFields selector.
SubnetworkPurpose
Purpose of the subnetwork. Defaults to private when unspecified.
SubnetworkResolveSubnetMask
ARP resolution mode for the subnetwork. Controls which ranges respond to ARP requests. Used only by reserved-internal-range subnetworks.
SubnetworkRole
Role of a managed-proxy subnetwork. Only meaningful when purpose is REGIONAL_MANAGED_PROXY or GLOBAL_MANAGED_PROXY.
SubnetworkStackType
IP stack type for the subnetwork. Immutable after creation.
TlsEarlyData
TLS 1.3 0-RTT ("Early Data") acceptance policy. Early Data lets a TLS resumption handshake carry the initial application payload alongside the handshake itself, eliminating the extra round trip at the cost of replay risk.
UrlMapRedirectResponseCode
HTTP redirect response code emitted by a default_url_redirect / path_rule.url_redirect / route_rules.url_redirect block. The schema declares this as a free-form string -- the enum below pins the API-accepted set so callers cannot mis-spell it.