compute library

Compute Engine resources: instances, addresses, firewalls, networks, subnetworks.

Classes

ComputeAutoscalerAutoscalerAutoscalingPolicy: autoscaling_policy block — the heart of the autoscaler. Combines a replica range (minReplicas..maxReplicas) with one or more signal sub-blocks (cpuUtilization, loadBalancingUtilization, metrics) and optional smoothing controls (cooldownPeriod, scaleInControl, scalingSchedules).
ComputeAutoscalerAutoscalerCpuUtilization: cpu_utilization block. Drives autoscaling against the average CPU usage of instances in the target MIG.
ComputeAutoscalerAutoscalerLoadBalancingUtilization: load_balancing_utilization block. Drives autoscaling against backend-capacity utilization (HTTP(S) load balancer with utilization balancing mode).
ComputeAutoscalerAutoscalerMetric: One metric entry — a custom Stackdriver / Cloud Monitoring signal. Exactly one of target / singleInstanceAssignment is typically set; the GCP API enforces the constraint at apply time.
ComputeAutoscalerAutoscalerScaleInControl: scale_in_control block. Caps how aggressively the autoscaler may shed replicas inside a timeWindowSec-second sliding window — useful for stateful workloads that need warm capacity to drain gracefully.
ComputeAutoscalerAutoscalerScaleInReplicas: max_scaled_in_replicas sub-block. Express the cap as either a fixed count or a percent of the current MIG size; the schema requires at least one of the two.
ComputeAutoscalerAutoscalerScalingSchedule: One scaling_schedules entry. The Dart Map<String, _> key becomes the schedule's name on the wire (the schema models this as a set of blocks with name baked in).
ComputeBackendBucketBackendBucketCdnBypassCacheOnRequestHeader: Cache-bypass rule keyed on a request header name (one entry in cdn_policy.bypass_cache_on_request_headers, max 5 entries).
ComputeBackendBucketBackendBucketCdnCacheKeyPolicy: cdn_policy.cache_key_policy (max_items=1). Buckets only expose the queryStringWhitelist / includeHttpHeaders axes — unlike BackendServiceCdnCacheKeyPolicy, there is no host / protocol / query-string-as-a-whole toggle.
ComputeBackendBucketBackendBucketCdnNegativeCachingPolicy: One row in cdn_policy.negative_caching_policy.
ComputeBackendBucketBackendBucketCdnPolicy: cdn_policy block — Cloud CDN configuration for this backend bucket. Only honored when GoogleComputeBackendBucket.enableCdn is true. Distinct type from BackendServiceCdnPolicy: the shape is similar but the schema has bucket-specific quirks (no cacheKeyPolicy.includeHost / includeProtocol / includeQueryString — buckets only expose the queryStringWhitelist / includeHttpHeaders axes).
ComputeBackendBucketBackendBucketParams: params block — currently only carries resource-manager tags applied at creation time. Immutable: changes force replacement.
ComputeBackendServiceBackendServiceAwsV4Authentication: security_settings.aws_v4_authentication (max_items=1). accessKey is sensitive.
ComputeBackendServiceBackendServiceBackend: One entry in the backends set. The backend's group is the self-link of an Instance Group, Network Endpoint Group, or backend bucket — all backends in a single service must share the same kind (no mixing IG with NEG).
ComputeBackendServiceBackendServiceBackendCustomMetric: One entry under backend.custom_metrics — a signal exported by the backend that the load balancer should consider when balancingMode is BackendServiceBalancingMode.customMetrics.
ComputeBackendServiceBackendServiceCdnBypassCacheOnRequestHeader: Cache-bypass rule keyed on a request header name.
ComputeBackendServiceBackendServiceCdnCacheKeyPolicy: cdn_policy.cache_key_policy (max_items=1).
ComputeBackendServiceBackendServiceCdnNegativeCachingPolicy: One row in cdn_policy.negative_caching_policy.
ComputeBackendServiceBackendServiceCdnPolicy: cdn_policy block. Only honored when enableCdn is true.
ComputeBackendServiceBackendServiceCircuitBreakers: circuit_breakers block — caps on simultaneous activity per backend before the load balancer trips. Only honored for INTERNAL_SELF_MANAGED / INTERNAL_MANAGED / EXTERNAL_MANAGED schemes.
ComputeBackendServiceBackendServiceConsistentHash: consistent_hash block. Only meaningful when LocalityLbPolicy is ringHash or maglev.
ComputeBackendServiceBackendServiceConsistentHashHttpCookie: consistent_hash.http_cookie (max_items=1).
ComputeBackendServiceBackendServiceCustomMetric: One entry under the top-level custom_metrics. Mirrors ComputeBackendServiceBackendServiceBackendCustomMetric but without maxUtilization (schema only models name + dry_run at this scope).
ComputeBackendServiceBackendServiceDuration: google.protobuf.Duration-shaped value used by several sub-blocks (consistent_hash.http_cookie.ttl, strong_session_affinity_cookie.ttl, outlier_detection.base_ejection_time, etc.).
ComputeBackendServiceBackendServiceIap: iap block. Wraps the backend service in Cloud IAP, which gates requests on an authenticated end-user identity / IAM check before they reach the backend.
ComputeBackendServiceBackendServiceLocalityLbBuiltinPolicy: Built-in locality_lb_policies[].policy (max_items=1).
ComputeBackendServiceBackendServiceLocalityLbCustomPolicy: Caller-supplied xDS locality_lb_policies[].custom_policy (max_items=1).
ComputeBackendServiceBackendServiceLocalityLbPolicyEntry: One entry under locality_lb_policies. Exactly one of policy / customPolicy should be set per entry.
ComputeBackendServiceBackendServiceLogConfig: log_config block — Cloud Logging export configuration for the backend service.
ComputeBackendServiceBackendServiceMaxStreamDuration: max_stream_duration block. Schema quirk: the seconds attribute is typed as a string (not a number) — pass a decimal string like "30" or "30.500".
ComputeBackendServiceBackendServiceOutlierDetection: outlier_detection block — passive health checking. Hosts that exceed the configured failure thresholds are ejected from the load balancing pool for base_ejection_time * consecutive-ejection-count.
ComputeBackendServiceBackendServiceParams: params block — currently only carries resource-manager tags.
ComputeBackendServiceBackendServiceSecuritySettings: security_settings block — mTLS / TLS policy used when dialing backends.
ComputeBackendServiceBackendServiceStrongSessionAffinityCookie: strong_session_affinity_cookie block. Used only when sessionAffinity is SessionAffinity.strongCookieAffinity.
ComputeBackendServiceBackendServiceTlsSettings: tls_settings block — newer (TLS 1.3 / authentication-config-based) TLS configuration; preferred over security_settings when both would otherwise apply.
ComputeBackendServiceBackendServiceTlsSubjectAltName: One entry under tls_settings.subject_alt_names. Exactly one of dnsName / uniformResourceIdentifier should be set.
ComputeFirewallFirewallAllowRule: One allow entry: an IP protocol plus optional list of port specs.
ComputeFirewallFirewallDenyRule: One deny entry. Same shape as ComputeFirewallFirewallAllowRule; kept separate so caller intent is obvious at the call site (allow: vs deny: lists are mutually exclusive per GCP API).
ComputeFirewallFirewallLogConfig: Firewall logging configuration (single block, max_items=1). Setting this enables Cloud Logging export for matched traffic.
ComputeForwardingRuleForwardingRuleServiceDirectoryRegistration: One entry in service_directory_registrations. The schema caps the list at one entry; populated only for forwarding rules whose loadBalancingScheme is INTERNAL or INTERNAL_MANAGED so other consumers in the same project can resolve the rule by Service Directory name.
ComputeGlobalForwardingRuleGlobalForwardingRuleMetadataFilter: One entry in metadata_filters. Only consulted by Traffic Director (loadBalancingScheme: INTERNAL_SELF_MANAGED) forwarding rules — silently ignored for every other scheme. xDS clients present node metadata in their config request; this filter gates which routing config gets returned to which client.
ComputeGlobalForwardingRuleGlobalForwardingRuleMetadataFilterLabel: One metadata_filters[*].filter_labels[*] entry. Both name and value are required by the provider schema; lengths are capped at 1024 characters by the API (not enforced here).
ComputeGlobalForwardingRuleGlobalForwardingRuleServiceDirectoryRegistration: One entry in service_directory_registrations. The schema caps the list at one entry; populated only for Private Service Connect forwarding rules that target Google APIs (so other consumers in the same project can resolve the rule by Service Directory name).
ComputeHealthCheckGrpcHealthCheckConfig: grpc_health_check block. Probes via the gRPC Health Checking Protocol (grpc.health.v1.Health/Check).
ComputeHealthCheckHealthCheckLogConfig: log_config block. Toggles Cloud Logging export of probe results.
ComputeHealthCheckHttp2HealthCheckConfig: http2_health_check block.
ComputeHealthCheckHttpHealthCheckConfig: http_health_check block. Set this (and only this) to make the resource an HTTP health check.
ComputeHealthCheckHttpsHealthCheckConfig: https_health_check block.
ComputeHealthCheckSslHealthCheckConfig: ssl_health_check block. Pure SSL/TLS probe.
ComputeHealthCheckTcpHealthCheckConfig: tcp_health_check block. Pure TCP connect-or-payload probe.
ComputeInstanceAccessConfig: One entry inside network_interface.access_config. An access config gives the interface an external IPv4 address (ephemeral when natIp is null, static when it's a reserved IP).
ComputeInstanceAdvancedMachineFeatures: advanced_machine_features block (max_items=1). Per-CPU tuning knobs.
ComputeInstanceAliasIpRange: One entry inside network_interface.alias_ip_range. Alias IPs let pods / containers running on the instance use secondary CIDR ranges from the attached subnetwork.
ComputeInstanceAttachedDisk: One entry inside attached_disk. Attaches an existing persistent disk to the instance.
ComputeInstanceBootDisk: boot_disk block (single, required by GCP). At least one of initializeParams (create a new disk) or source (attach an existing disk) is required by Terraform; this helper does not enforce that because both are nullable in the schema.
ComputeInstanceConfidentialInstanceConfig: confidential_instance_config block (max_items=1). Enables Confidential VM. Requires scheduling.on_host_maintenance = TERMINATE.
ComputeInstanceGroupManagerInstanceGroupManagerAllInstancesConfig: all_instances_config block. Patches labels and metadata onto every VM the MIG manages, overlaying the instance template's values.
ComputeInstanceGroupManagerInstanceGroupManagerAutoHealingPolicy: auto_healing_policies block. When a VM fails its healthCheck for longer than the initial-delay window, the MIG recreates it. Schema marks both fields as required.
ComputeInstanceGroupManagerInstanceGroupManagerInstanceLifecyclePolicy: instance_lifecycle_policy block — fine-grained behavior on failures and template updates.
ComputeInstanceGroupManagerInstanceGroupManagerNamedPort: One entry in namedPorts. Backend services that reference this MIG by port_name look up the matching port number here.
ComputeInstanceGroupManagerInstanceGroupManagerResourcePolicies: resource_policies block — wires the MIG to a google_compute_resource_policy workload policy.
ComputeInstanceGroupManagerInstanceGroupManagerStandbyPolicy: standby_policy block — controls how the MIG resumes VMs from a standby pool during scale-out.
ComputeInstanceGroupManagerInstanceGroupManagerStatefulDisk: One entry in statefulDisks. Marks a disk attached at deviceName as stateful — the MIG preserves the disk across VM recreates per deleteRule.
ComputeInstanceGroupManagerInstanceGroupManagerStatefulIp: One entry in statefulInternalIps / statefulExternalIps. Both blocks share the same shape.
ComputeInstanceGroupManagerInstanceGroupManagerTargetSizePolicy: One entry in targetSizePolicies. Configures whether the MIG creates VMs individually or all at once to reach GoogleComputeInstanceGroupManager.targetSize.
ComputeInstanceGroupManagerInstanceGroupManagerUpdatePolicy: update_policy block. Drives how the MIG rolls a new ComputeInstanceGroupManagerInstanceGroupManagerVersion across its members.
ComputeInstanceGroupManagerInstanceGroupManagerVersion: One entry in versions. Each version pins an instanceTemplate (a google_compute_instance_template self-link, typically a within-batch sibling) and optionally caps how many instances run that version via targetSize.
ComputeInstanceGroupManagerInstanceGroupManagerVersionTargetSize: version.target_size (max_items=1). Exactly one of fixed or percent should be set.
ComputeInstanceGuestAccelerator: One entry inside guest_accelerator. Attaches a GPU / TPU to the VM.
ComputeInstanceInitializeParams: boot_disk.initialize_params block. Creates a new disk inline at instance-create time. Mutually exclusive with bootDisk.source (which attaches an existing disk).
ComputeInstanceInstanceParams: params block (max_items=1). Carries request-side parameters that are not persisted on the resource (currently only resource manager tags applied at instance-create time).
ComputeInstanceIpv6AccessConfig: One entry inside network_interface.ipv6_access_config. GCP currently allows at most one IPv6 access config per interface.
ComputeInstanceNetworkInterface: One entry inside network_interface. At least one is required by GCP.
ComputeInstanceNetworkPerformanceConfig: network_performance_config block (max_items=1). Selects the Tier 1 network egress profile.
ComputeInstanceNodeAffinity: One entry inside scheduling.node_affinities. Sole-tenant placement uses this to bind the VM to a node group with matching labels.
ComputeInstanceReservationAffinity: reservation_affinity block (max_items=1). Controls whether and how the VM consumes capacity from a Compute Engine reservation.
ComputeInstanceScheduling: scheduling block (max_items=1). Controls preemptibility, host maintenance, max run duration, and sole-tenant affinities.
ComputeInstanceSchedulingDuration: scheduling.max_run_duration / scheduling.local_ssd_recovery_timeout sub-block (Duration shape). Both fields take this same shape.
ComputeInstanceScratchDisk: One entry inside scratch_disk. Local SSD scratch disks are instance-lifetime only -- contents are lost on stop/start.
ComputeInstanceServiceAccount: service_account block (max_items=1). When set, the VM's metadata exposes a Google service account credential to the guest.
ComputeInstanceShieldedInstanceConfig: shielded_instance_config block (max_items=1). Enables Shielded VM features (secure boot / vTPM / integrity monitoring).
ComputeInstanceSpecificReservation: reservation_affinity.specific_reservation sub-block (max_items=1). Only meaningful when ComputeInstanceReservationAffinity.type is ReservationAffinityType.specificReservation.
ComputeInstanceTemplateInstanceTemplateAccessConfig: One entry inside network_interface.access_config. An access config gives the interface an external IPv4 address (ephemeral when natIp is null, static when it's a reserved IP).
ComputeInstanceTemplateInstanceTemplateAdvancedMachineFeatures: advanced_machine_features block (max_items=1). Per-CPU tuning knobs.
ComputeInstanceTemplateInstanceTemplateAliasIpRange: One entry inside network_interface.alias_ip_range. Alias IPs let pods / containers running on instances created from this template use secondary CIDR ranges from the attached subnetwork.
ComputeInstanceTemplateInstanceTemplateConfidentialInstanceConfig: confidential_instance_config block (max_items=1). Enables Confidential VM. Requires scheduling.on_host_maintenance = TERMINATE.
ComputeInstanceTemplateInstanceTemplateDisk: One entry inside disk. Templates require min_items=1. Each disk either initializes a new disk inline (sourceImage / sourceSnapshot) or attaches an existing one (source).
ComputeInstanceTemplateInstanceTemplateDiskEncryptionKey: disk.disk_encryption_key block (max_items=1). Customer-managed KMS CryptoKey used to encrypt the disk at rest.
ComputeInstanceTemplateInstanceTemplateGuestAccelerator: One entry inside guest_accelerator. Attaches a GPU / TPU to instances created from this template. Both fields are required by the schema.
ComputeInstanceTemplateInstanceTemplateIpv6AccessConfig: One entry inside network_interface.ipv6_access_config. GCP currently allows at most one IPv6 access config per interface; only PREMIUM tier is valid for IPv6 today.
ComputeInstanceTemplateInstanceTemplateNetworkInterface: One entry inside network_interface. At least one is required by GCP.
ComputeInstanceTemplateInstanceTemplateNetworkPerformanceConfig: network_performance_config block (max_items=1). Selects the Tier 1 network egress profile.
ComputeInstanceTemplateInstanceTemplateNodeAffinity: One entry inside scheduling.node_affinities. Sole-tenant placement uses this to bind instances to a node group with matching labels.
ComputeInstanceTemplateInstanceTemplateOnInstanceStopAction: scheduling.on_instance_stop_action block (max_items=1). Defines extra behaviour applied when the chosen instance_termination_action runs.
ComputeInstanceTemplateInstanceTemplateReservationAffinity: reservation_affinity block (max_items=1). Controls whether and how instances created from this template consume capacity from a Compute Engine reservation.
ComputeInstanceTemplateInstanceTemplateScheduling: scheduling block (max_items=1). Controls preemptibility, host maintenance, max run duration, and sole-tenant affinities.
ComputeInstanceTemplateInstanceTemplateSchedulingDuration: scheduling.max_run_duration / scheduling.local_ssd_recovery_timeout sub-block (Duration shape). Both fields take this same shape.
ComputeInstanceTemplateInstanceTemplateServiceAccount: service_account block (max_items=1). When set, instances created from this template expose a Google service account credential to the guest via the metadata service.
ComputeInstanceTemplateInstanceTemplateShieldedInstanceConfig: shielded_instance_config block (max_items=1). Enables Shielded VM features (secure boot / vTPM / integrity monitoring).
ComputeInstanceTemplateInstanceTemplateSourceImageEncryptionKey: disk.source_image_encryption_key block (max_items=1). Customer-supplied key that decrypted the source image. Instance templates do not persist customer-supplied keys, so MIGs cannot create disks from images encrypted with your own keys via a template.
ComputeInstanceTemplateInstanceTemplateSourceSnapshotEncryptionKey: disk.source_snapshot_encryption_key block (max_items=1). Customer- supplied key that decrypted the source snapshot.
ComputeInstanceTemplateInstanceTemplateSpecificReservation: reservation_affinity.specific_reservation sub-block (max_items=1). Only meaningful when ComputeInstanceTemplateInstanceTemplateReservationAffinity.type is InstanceTemplateReservationAffinityType.specificReservation.
ComputeManagedSslCertificateManagedSslCertificateConfig: managed block payload (single block, max_items=1). Carries the list of domains Google should issue the certificate for.
ComputeRegionAutoscalerRegionAutoscalerAutoscalingPolicy: autoscaling_policy block — the heart of the autoscaler. Combines a replica range (minReplicas..maxReplicas) with one or more signal sub-blocks (cpuUtilization, loadBalancingUtilization, metrics) and optional smoothing controls (cooldownPeriod, scaleInControl, scalingSchedules).
ComputeRegionAutoscalerRegionAutoscalerCpuUtilization: cpu_utilization block. Drives autoscaling against the average CPU usage of instances in the target regional MIG.
ComputeRegionAutoscalerRegionAutoscalerLoadBalancingUtilization: load_balancing_utilization block. Drives autoscaling against backend-capacity utilization (HTTP(S) load balancer with utilization balancing mode).
ComputeRegionAutoscalerRegionAutoscalerMetric: One metric entry — a custom Stackdriver / Cloud Monitoring signal. Exactly one of target / singleInstanceAssignment is typically set; the GCP API enforces the constraint at apply time.
ComputeRegionAutoscalerRegionAutoscalerScaleInControl: scale_in_control block. Caps how aggressively the autoscaler may shed replicas inside a timeWindowSec-second sliding window — useful for stateful workloads that need warm capacity to drain gracefully.
ComputeRegionAutoscalerRegionAutoscalerScaleInReplicas: max_scaled_in_replicas sub-block. Express the cap as either a fixed count or a percent of the current MIG size; the schema requires at least one of the two.
ComputeRegionAutoscalerRegionAutoscalerScalingSchedule: One scaling_schedules entry. The Dart Map<String, _> key becomes the schedule's name on the wire (the schema models this as a set of blocks with name baked in).
ComputeRegionBackendServiceRegionBackendServiceBackend: One entry in the backends set. The backend's group is the self-link of an Instance Group, regional MIG, or regional Network Endpoint Group — all backends in a single service must share the same kind (no mixing IG with NEG). Note: regional backends carry a failover flag (used by ComputeRegionBackendServiceRegionBackendServiceFailoverPolicy) and do not support the global resource's preference field.
ComputeRegionBackendServiceRegionBackendServiceBackendCustomMetric: One entry under backend.custom_metrics — a signal exported by the backend that the load balancer should consider when balancingMode is RegionBackendServiceBalancingMode.customMetrics.
ComputeRegionBackendServiceRegionBackendServiceCdnCacheKeyPolicy: cdn_policy.cache_key_policy (max_items=1).
ComputeRegionBackendServiceRegionBackendServiceCdnNegativeCachingPolicy: One row in cdn_policy.negative_caching_policy. The regional schema does not model the ttl attribute (status-code key only).
ComputeRegionBackendServiceRegionBackendServiceCdnPolicy: cdn_policy block. Only honored when enableCdn is true. The regional schema omits the global resource's bypass_cache_on_request_headers and request_coalescing fields.
ComputeRegionBackendServiceRegionBackendServiceCircuitBreakers: circuit_breakers block — caps on simultaneous activity per backend before the load balancer trips. Only honored for INTERNAL_SELF_MANAGED / INTERNAL_MANAGED / EXTERNAL_MANAGED schemes.
ComputeRegionBackendServiceRegionBackendServiceConsistentHash: consistent_hash block. Only meaningful when RegionBackendServiceLocalityLbPolicy is ringHash or maglev.
ComputeRegionBackendServiceRegionBackendServiceConsistentHashHttpCookie: consistent_hash.http_cookie (max_items=1).
ComputeRegionBackendServiceRegionBackendServiceCustomMetric: One entry under the top-level custom_metrics. Mirrors ComputeRegionBackendServiceRegionBackendServiceBackendCustomMetric but without maxUtilization (schema only models name + dry_run at this scope).
ComputeRegionBackendServiceRegionBackendServiceDuration: google.protobuf.Duration-shaped value used by several sub-blocks (consistent_hash.http_cookie.ttl, strong_session_affinity_cookie.ttl, outlier_detection.base_ejection_time, outlier_detection.interval).
ComputeRegionBackendServiceRegionBackendServiceFailoverPolicy: failover_policy block — only meaningful for Internal Passthrough NLBs. Backends are split into primary / failover pools (see ComputeRegionBackendServiceRegionBackendServiceBackend.failover); when the primary pool's healthy fraction drops below failoverRatio, traffic is shifted to the failover pool.
ComputeRegionBackendServiceRegionBackendServiceHaPolicy: ha_policy block — self-managed HA for External / Internal Passthrough NLBs. Conflicts with sessionAffinity, failoverPolicy, and healthChecks — when haPolicy is set, the caller is responsible for tracking endpoint health and electing a leader.
ComputeRegionBackendServiceRegionBackendServiceHaPolicyLeader: ha_policy.leader (max_items=1).
ComputeRegionBackendServiceRegionBackendServiceHaPolicyLeaderNetworkEndpoint: ha_policy.leader.network_endpoint (max_items=1).
ComputeRegionBackendServiceRegionBackendServiceIap: iap block. Wraps the regional backend service in Cloud IAP, which gates requests on an authenticated end-user identity / IAM check before they reach the backend.
ComputeRegionBackendServiceRegionBackendServiceLogConfig: log_config block — Cloud Logging export configuration for the regional backend service.
ComputeRegionBackendServiceRegionBackendServiceNetworkPassThroughLbTrafficPolicy: network_pass_through_lb_traffic_policy block — traffic steering for Internal Passthrough NLBs (currently only zonal-affinity).
ComputeRegionBackendServiceRegionBackendServiceOutlierDetection: outlier_detection block — passive health checking. Hosts that exceed the configured failure thresholds are ejected from the load balancing pool for base_ejection_time * consecutive-ejection-count.
ComputeRegionBackendServiceRegionBackendServiceParams: params block — currently only carries resource-manager tags.
ComputeRegionBackendServiceRegionBackendServiceStrongSessionAffinityCookie: strong_session_affinity_cookie block. Used only when sessionAffinity is RegionBackendServiceSessionAffinity.strongCookieAffinity.
ComputeRegionBackendServiceRegionBackendServiceTlsSettings: tls_settings block — TLS / mTLS configuration used when dialing backends. Only meaningful when protocol is SSL, HTTPS, or HTTP2. The regional resource does not surface security_settings — this is the only TLS-config block available here.
ComputeRegionBackendServiceRegionBackendServiceTlsSubjectAltName: One entry under tls_settings.subject_alt_names. Exactly one of dnsName / uniformResourceIdentifier should be set.
ComputeRegionBackendServiceRegionBackendServiceZonalAffinity: network_pass_through_lb_traffic_policy.zonal_affinity (max_items=1). New connections are load balanced across healthy backend endpoints in the local zone first; behavior when the in-zone healthy fraction drops below spilloverRatio is governed by spillover.
ComputeRegionHealthCheckRegionHealthCheckGrpcConfig: grpc_health_check block. Probes via the gRPC Health Checking Protocol (grpc.health.v1.Health/Check).
ComputeRegionHealthCheckRegionHealthCheckHttp2Config: http2_health_check block.
ComputeRegionHealthCheckRegionHealthCheckHttpConfig: http_health_check block. Set this (and only this) to make the resource an HTTP health check.
ComputeRegionHealthCheckRegionHealthCheckHttpsConfig: https_health_check block.
ComputeRegionHealthCheckRegionHealthCheckLogConfig: log_config block. Toggles Cloud Logging export of probe results.
ComputeRegionHealthCheckRegionHealthCheckSslConfig: ssl_health_check block. Pure SSL/TLS probe.
ComputeRegionHealthCheckRegionHealthCheckTcpConfig: tcp_health_check block. Pure TCP connect-or-payload probe.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerAllInstancesConfig: all_instances_config block. Patches labels and metadata onto every VM the MIG manages, overlaying the instance template's values.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerAutoHealingPolicy: auto_healing_policies block. When a VM fails its healthCheck for longer than the initial-delay window, the MIG recreates it. Schema marks both fields as required.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerInstanceFlexibilityPolicy: instance_flexibility_policy block — regional only. Lets the MIG pick from multiple machine types when creating new VMs, instead of the single machine type set on the instance template.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerInstanceLifecyclePolicy: instance_lifecycle_policy block — fine-grained behavior on failures and template updates.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerInstanceSelection: One entry in ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerInstanceFlexibilityPolicy.instanceSelections.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerNamedPort: One entry in namedPorts. Backend services that reference this MIG by port_name look up the matching port number here.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerResourcePolicies: resource_policies block — wires the MIG to a google_compute_resource_policy workload policy.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerStandbyPolicy: standby_policy block — controls how the MIG resumes VMs from a standby pool during scale-out.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerStatefulDisk: One entry in statefulDisks. Marks a disk attached at deviceName as stateful — the MIG preserves the disk across VM recreates per deleteRule. Note: cross-zone instance redistribution must be disabled (set ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerUpdatePolicy.instanceRedistributionType to RegionInstanceGroupManagerInstanceRedistributionType.none) before updating stateful disks on an existing regional MIG.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerStatefulIp: One entry in statefulInternalIps / statefulExternalIps. Both blocks share the same shape.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerTargetSizePolicy: One entry in targetSizePolicies. Configures whether the MIG creates VMs individually or all at once to reach GoogleComputeRegionInstanceGroupManager.targetSize.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerUpdatePolicy: update_policy block. Drives how the regional MIG rolls a new ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerVersion across its members and how aggressively it rebalances across distributionPolicyZones.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerVersion: One entry in versions. Each version pins an instanceTemplate (a google_compute_instance_template self-link, typically a within-batch sibling) and optionally caps how many instances run that version via targetSize.
ComputeRegionInstanceGroupManagerRegionInstanceGroupManagerVersionTargetSize: version.target_size (max_items=1). Exactly one of fixed or percent should be set.
ComputeRegionNetworkEndpointGroupRegionNetworkEndpointGroupAppEngine: app_engine slot of google_compute_region_network_endpoint_group. Only valid when networkEndpointType is RegionNetworkEndpointGroupType.serverless and mutually exclusive with cloudRun / cloudFunction.
ComputeRegionNetworkEndpointGroupRegionNetworkEndpointGroupCloudFunction: cloud_function slot of google_compute_region_network_endpoint_group. Only valid when networkEndpointType is RegionNetworkEndpointGroupType.serverless and mutually exclusive with cloudRun / appEngine.
ComputeRegionNetworkEndpointGroupRegionNetworkEndpointGroupCloudRun: cloud_run slot of google_compute_region_network_endpoint_group. Only valid when networkEndpointType is RegionNetworkEndpointGroupType.serverless and mutually exclusive with cloudFunction / appEngine.
ComputeRegionUrlMapRegionUrlMapHeaderAction: header_action block. Adds / removes headers on requests forwarded to the backend and / or responses returned to the client. Used at the top-level URL-map slot and inside ComputeRegionUrlMapRegionUrlMapRouteRule.headerAction.
ComputeRegionUrlMapRegionUrlMapHeaderMatch: One match_rules[].header_matches[] entry. The schema permits one of exactMatch / prefixMatch / suffixMatch / regexMatch / presentMatch / rangeMatch per entry; invertMatch negates the outcome. Validation is left to the GCP API.
ComputeRegionUrlMapRegionUrlMapHeaderMatchRange: header_matches.range_match block. Both bounds required by the schema.
ComputeRegionUrlMapRegionUrlMapHeaderToAdd: One entry in ComputeRegionUrlMapRegionUrlMapHeaderAction.requestHeadersToAdd / ComputeRegionUrlMapRegionUrlMapHeaderAction.responseHeadersToAdd. All three fields are required by the schema at the top-level header_action slot.
ComputeRegionUrlMapRegionUrlMapHostRule: One host_rule entry. Binds a set of Host: header values to a ComputeRegionUrlMapRegionUrlMapPathMatcher by name. Multiple host_rule entries can point at the same pathMatcher.
ComputeRegionUrlMapRegionUrlMapPathMatcher: One path_matcher entry. Each path matcher is named (so ComputeRegionUrlMapRegionUrlMapHostRule can reference it) and carries a fallback defaultService plus the path-based routing rules.
ComputeRegionUrlMapRegionUrlMapPathRule: One path_matcher.path_rule[] entry. Matches request paths against the paths glob list (e.g. ['/login', '/login/*']) and dispatches to either a service OR an inline urlRedirect -- exactly one of the two must be set per the GCP API.
ComputeRegionUrlMapRegionUrlMapQueryParameterMatch: One match_rules[].query_parameter_matches[] entry. Matches a single query parameter by name with a chosen predicate.
ComputeRegionUrlMapRegionUrlMapRouteRule: One path_matcher.route_rules[] entry. Priority-ordered routing with header / query / regex match support; the GCP equivalent of an Envoy route_config.
ComputeRegionUrlMapRegionUrlMapRouteRuleMatch: One route_rules[].match_rules[] entry. Carries the actual matching predicates (one or more of full path / prefix / regex / path template, optionally further refined by header / query / metadata filters).
ComputeRegionUrlMapRegionUrlMapTest: One test[] entry. Each test states "a request to host+path should resolve to service" and is evaluated by GCP at apply time -- if the routing pipeline produces a different service, the apply FAILS. Effectively a contract test for the URL map's routing table.
ComputeRegionUrlMapRegionUrlMapTestHeader: One entry in ComputeRegionUrlMapRegionUrlMapTest.headers. Both fields required by the schema.
ComputeRegionUrlMapRegionUrlMapUrlRedirect: default_url_redirect / path_rule.url_redirect / route_rules.url_redirect block. Returns an HTTP redirect to the client instead of forwarding to a backend.
ComputeSecurityPolicySecurityPolicyAdaptiveProtectionConfig: adaptive_protection_config -- Google's ML-driven layer-7 DDoS auto-mitigation. When enabled, Cloud Armor watches traffic patterns and proposes / auto-deploys rules during a suspected attack.
ComputeSecurityPolicySecurityPolicyAdaptiveProtectionThresholdConfig: One entry in threshold_configs. The numeric knobs are passed through verbatim -- consult the Cloud Armor adaptive-protection docs for tuning guidance.
ComputeSecurityPolicySecurityPolicyAdvancedOptionsConfig: advanced_options_config -- knobs that apply across the whole policy: JSON-body inspection for preconfigured WAF rules, log verbosity, and client-IP resolution headers.
ComputeSecurityPolicySecurityPolicyJsonCustomConfig: advanced_options_config.json_custom_config -- list of additional Content-Type values Cloud Armor should treat as JSON for WAF body inspection (beyond the default application/json).
ComputeSecurityPolicySecurityPolicyLayer7DdosDefenseConfig: layer_7_ddos_defense_config block. Pair enable with ruleVisibility (typically 'STANDARD'); per-segment thresholds can be tuned via thresholdConfigs for tenants with predictable traffic shape.
ComputeSecurityPolicySecurityPolicyRecaptchaOptionsConfig: recaptcha_options_config -- policy-wide reCAPTCHA site key used for redirect-to-reCAPTCHA actions. Only the redirect site key is exposed by Terraform today; if unset, Cloud Armor uses a Google- managed key.
ComputeSecurityPolicySecurityPolicyRule: One entry in rule[]. Rules are evaluated from highest priority (lowest numeric value) to lowest priority. The first match wins and its action is enforced. Cloud Armor REQUIRES a default rule at priority 2147483647 matching all traffic ('*') -- if you omit it the provider injects one with SecurityPolicyRuleAction.allow, which silently disables a deny-list policy. Always author the default rule explicitly.
ComputeSecurityPolicySecurityPolicyRuleEnforceOnKeyConfig: One entry in rate_limit_options.enforce_on_key_configs. Lets a rule key on a composite of attributes (e.g. "(client IP, region)").
ComputeSecurityPolicySecurityPolicyRuleHeaderAction: rule.header_action -- request-header rewrites applied alongside the rule's match action. Useful for tagging matched requests so downstream services (or Cloud Logging) can see which Cloud Armor rule fired.
ComputeSecurityPolicySecurityPolicyRuleHeaderAdd: One header rewrite in ComputeSecurityPolicySecurityPolicyRuleHeaderAction.requestHeadersToAdds. headerValue is optional -- omitting it adds the header with an empty string value.
ComputeSecurityPolicySecurityPolicyRuleMatch: rule.match -- the condition under which a rule fires. Mutually-exclusive variants:
ComputeSecurityPolicySecurityPolicyRuleMatchConfig: match.config -- payload for the SRC_IPS_V1 predicate. The only field today is srcIpRanges; the schema limits this to 10 entries per rule. Pass ['*'] to match ALL inbound IPs (the canonical default-deny / default-allow shape).
ComputeSecurityPolicySecurityPolicyRuleMatchExpr: match.expr -- a user-defined Common Expression Language (CEL) predicate evaluated against the request. The expression is passed to Cloud Armor as an opaque string; the Dart wrapper does NOT type-check CEL syntax, so callers are responsible for matching Cloud Armor's CEL dialect (see https://cloud.google.com/armor/docs/rules-language-reference).
ComputeSecurityPolicySecurityPolicyRuleRateLimitOptions: rule.rate_limit_options -- threshold + action plumbing for SecurityPolicyRuleAction.throttle and SecurityPolicyRuleAction.rateBasedBan. Throttle simply rejects requests over the threshold; rate-based ban additionally locks the offending key out for banDurationSec seconds once it trips banThreshold.
ComputeSecurityPolicySecurityPolicyRuleRateLimitThreshold: rate_limit_threshold / ban_threshold shape. Count of requests per fixed intervalSec window.
ComputeSecurityPolicySecurityPolicyRuleRedirectOptions: rule.redirect_options -- redirect target shape, also reused as rate_limit_options.exceed_redirect_options. Two flavors: 'EXTERNAL_302' requires target (an HTTPS URL Cloud Armor 302s to); 'GOOGLE_RECAPTCHA' swaps the request for a Google-hosted reCAPTCHA challenge and MUST NOT set target.
ComputeSecurityPolicySecurityPolicyTrafficGranularityConfig: One entry in traffic_granularity_configs. enableEachUniqueValue (true) and value (non-empty string) are mutually exclusive: the schema rejects setting both.
ComputeSubnetworkSecondaryIpRange: One secondary_ip_range entry. Defines an alias IP range usable by instances in this subnetwork (typically consumed by GKE pods/services).
ComputeSubnetworkSubnetworkLogConfig: log_config block. Enables VPC flow logs for the subnetwork. Flow logging is not supported when the subnetwork purpose is REGIONAL_MANAGED_PROXY or GLOBAL_MANAGED_PROXY.
ComputeUrlMapUrlMapHeaderAction: header_action block. Adds / removes headers on requests forwarded to the backend and / or responses returned to the client. Used at the top-level URL-map slot and inside ComputeUrlMapUrlMapRouteRule.headerAction.
ComputeUrlMapUrlMapHeaderMatch: One match_rules[].header_matches[] entry. The schema permits one of exactMatch / prefixMatch / suffixMatch / regexMatch / presentMatch / rangeMatch per entry; invertMatch negates the outcome. Validation is left to the GCP API.
ComputeUrlMapUrlMapHeaderMatchRange: header_matches.range_match block. Both bounds required by the schema.
ComputeUrlMapUrlMapHeaderToAdd: One entry in ComputeUrlMapUrlMapHeaderAction.requestHeadersToAdd / ComputeUrlMapUrlMapHeaderAction.responseHeadersToAdd. All three fields are required by the schema at the top-level header_action slot.
ComputeUrlMapUrlMapHostRule: One host_rule entry. Binds a set of Host: header values to a ComputeUrlMapUrlMapPathMatcher by name. Multiple host_rule entries can point at the same pathMatcher.
ComputeUrlMapUrlMapPathMatcher: One path_matcher entry. Each path matcher is named (so ComputeUrlMapUrlMapHostRule can reference it) and carries a fallback defaultService plus the path-based routing rules.
ComputeUrlMapUrlMapPathRule: One path_matcher.path_rule[] entry. Matches request paths against the paths glob list (e.g. ['/login', '/login/*']) and dispatches to either a service OR an inline urlRedirect -- exactly one of the two must be set per the GCP API.
ComputeUrlMapUrlMapQueryParameterMatch: One match_rules[].query_parameter_matches[] entry. Matches a single query parameter by name with a chosen predicate.
ComputeUrlMapUrlMapRouteRule: One path_matcher.route_rules[] entry. Priority-ordered routing with header / query / regex match support; the GCP equivalent of an Envoy route_config.
ComputeUrlMapUrlMapRouteRuleMatch: One route_rules[].match_rules[] entry. Carries the actual matching predicates (one or more of full path / prefix / regex / path template, optionally further refined by header / query / metadata filters).
ComputeUrlMapUrlMapTest: One test[] entry. Each test states "a request to host+path should resolve to service" and is evaluated by GCP at apply time -- if the routing pipeline produces a different service, the apply FAILS. Effectively a contract test for the URL map's routing table.
ComputeUrlMapUrlMapTestHeader: One entry in ComputeUrlMapUrlMapTest.headers. Both fields required by the schema.
ComputeUrlMapUrlMapUrlRedirect: default_url_redirect / path_rule.url_redirect / route_rules.url_redirect block. Returns an HTTP redirect to the client instead of forwarding to a backend.
GoogleComputeAddress: Factory wrapper for google_compute_address (provider hashicorp/google ~> 7.0).
GoogleComputeAutoscaler: Factory wrapper for google_compute_autoscaler (provider hashicorp/google ~> 7.0).
GoogleComputeBackendBucket: Factory wrapper for google_compute_backend_bucket (provider hashicorp/google ~> 7.0).
GoogleComputeBackendService: Factory wrapper for google_compute_backend_service (provider hashicorp/google ~> 7.0).
GoogleComputeDiskIamMember: Factory wrapper for google_compute_disk_iam_member.
GoogleComputeFirewall: Factory wrapper for google_compute_firewall (provider hashicorp/google ~> 7.0).
GoogleComputeForwardingRule: Factory wrapper for google_compute_forwarding_rule (provider hashicorp/google ~> 7.0).
GoogleComputeGlobalAddress: Factory wrapper for google_compute_global_address (provider hashicorp/google ~> 7.0).
GoogleComputeGlobalForwardingRule: Factory wrapper for google_compute_global_forwarding_rule (provider hashicorp/google ~> 7.0).
GoogleComputeGlobalNetworkEndpointGroup: Factory wrapper for google_compute_global_network_endpoint_group (provider hashicorp/google ~> 7.0).
GoogleComputeHealthCheck: Factory wrapper for google_compute_health_check (provider hashicorp/google ~> 7.0).
GoogleComputeInstance: Factory wrapper for google_compute_instance (provider hashicorp/google ~> 7.0).
GoogleComputeInstanceGroupManager: Factory wrapper for google_compute_instance_group_manager (provider hashicorp/google ~> 7.0).
GoogleComputeInstanceIamMember: Factory wrapper for google_compute_instance_iam_member.
GoogleComputeInstanceTemplate: Factory wrapper for google_compute_instance_template (provider hashicorp/google ~> 7.0).
GoogleComputeManagedSslCertificate: Factory wrapper for google_compute_managed_ssl_certificate (provider hashicorp/google ~> 7.0).
GoogleComputeNetwork: Factory wrapper for google_compute_network (provider hashicorp/google ~> 7.0).
GoogleComputeNetworkEndpointGroup: Factory wrapper for google_compute_network_endpoint_group (provider hashicorp/google ~> 7.0).
GoogleComputeRegionAutoscaler: Factory wrapper for google_compute_region_autoscaler (provider hashicorp/google ~> 7.0).
GoogleComputeRegionBackendService: Factory wrapper for google_compute_region_backend_service (provider hashicorp/google ~> 7.0).
GoogleComputeRegionHealthCheck: Factory wrapper for google_compute_region_health_check (provider hashicorp/google ~> 7.0).
GoogleComputeRegionInstanceGroupManager: Factory wrapper for google_compute_region_instance_group_manager (provider hashicorp/google ~> 7.0).
GoogleComputeRegionNetworkEndpointGroup: Factory wrapper for google_compute_region_network_endpoint_group (provider hashicorp/google ~> 7.0).
GoogleComputeRegionTargetHttpProxy: Factory wrapper for google_compute_region_target_http_proxy (provider hashicorp/google ~> 7.0).
GoogleComputeRegionTargetHttpsProxy: Factory wrapper for google_compute_region_target_https_proxy (provider hashicorp/google ~> 7.0).
GoogleComputeRegionUrlMap: Factory wrapper for google_compute_region_url_map (provider hashicorp/google ~> 7.0).
GoogleComputeSecurityPolicy: Factory wrapper for google_compute_security_policy (provider hashicorp/google ~> 7.0). This is Google Cloud Armor: a layer-7 WAF / DDoS / rate-limiting policy that attaches to one or more google_compute_backend_service (via that resource's securityPolicy field) or to backend buckets for edge variants.
GoogleComputeSslCertificate: Factory wrapper for google_compute_ssl_certificate (provider hashicorp/google ~> 7.0).
GoogleComputeSslPolicy: Factory wrapper for google_compute_ssl_policy (provider hashicorp/google ~> 7.0).
GoogleComputeSubnetwork: Factory wrapper for google_compute_subnetwork (provider hashicorp/google ~> 7.0).
GoogleComputeSubnetworkIamMember: Factory wrapper for google_compute_subnetwork_iam_member.
GoogleComputeTargetHttpProxy: Factory wrapper for google_compute_target_http_proxy (provider hashicorp/google ~> 7.0).
GoogleComputeTargetHttpsProxy: Factory wrapper for google_compute_target_https_proxy (provider hashicorp/google ~> 7.0).
GoogleComputeUrlMap: Factory wrapper for google_compute_url_map (provider hashicorp/google ~> 7.0).

Enums

AccessConfigNetworkTier: network_interface.access_config.network_tier -- service tier for the external IP. STANDARD is regional; PREMIUM is global.
AddressType: Address allocation scope: INTERNAL (VPC-private) or EXTERNAL (public IP).
AutoscalerCpuPredictiveMethod: Predictive autoscaling method for ComputeAutoscalerAutoscalerCpuUtilization.
AutoscalerMetricType: Defines how a custom-metric value is interpreted by the autoscaler. Mirrors the API's utilizationTargetType enum.
AutoscalerMode: Operating mode for the autoscaling policy. The schema declares this as a free-form string — the enum below pins the API-accepted set so callers cannot mis-spell it. Default is on when the field is omitted from the request.
BackendBucketCacheMode: cdn_policy.cache_mode. Enabling CDN (enable_cdn = true) without setting this defaults to CACHE_ALL_STATIC. Note: this is a distinct type from BackendServiceCacheMode — bucket-side CDN policies are not interchangeable with service-side policies.
BackendBucketCompressionMode: compression_mode — Brotli / gzip negotiation based on the client's Accept-Encoding header. Note: this is a distinct type from BackendServiceCompressionMode even though the wire values (AUTOMATIC / DISABLED) coincide.
BackendBucketLoadBalancingScheme: load_balancing_scheme. The bucket can be left scheme-less (the usual case — works with classic global external and global application external load balancers) or set to internalManaged for cross-region internal layer-7 load balancing. Important: when internalManaged is set, enable_cdn must be false (Cloud CDN is not available for internal schemes).
BackendServiceBalancingMode: Per-backend balancing mode. See ComputeBackendServiceBackendServiceBackend.balancingMode.
BackendServiceCacheMode: cdn_policy.cache_mode. Enabling CDN (enable_cdn = true) without setting this defaults to CACHE_ALL_STATIC.
BackendServiceCompressionMode: compression_mode. Brotli / gzip negotiation based on the client's Accept-Encoding header.
BackendServiceLogOptionalMode: log_config.optional_mode. Controls which optional access-log fields are exported when ComputeBackendServiceBackendServiceLogConfig.enable is true.
BackendServicePreference: backend.preference. Cannot be set when load_balancing_scheme is EXTERNAL.
BackendServiceProtocol: Wire protocol the backend service uses to talk to backends. HTTP2 and H2C require an HTTP(S)-class load balancer; TCP, SSL, and UDP are for Network Load Balancing / Traffic Director TCP routing. GRPC is required when the URL map is bound to a target gRPC proxy.
BgpBestPathSelectionMode: BGP best-path selection algorithm for the VPC.
BgpInterRegionCost: BGP inter-region cost calculation behaviour. Used when bgpBestPathSelectionMode == standard.
ConfidentialInstanceType: confidential_instance_config.confidential_instance_type -- confidential computing technology. SEV and SEV_SNP require AMD CPUs (the latter also requires min_cpu_platform = "AMD Milan"). TDX requires Intel.
ExternalManagedMigrationState: external_managed_migration_state. Drives the Classic ALB → Application Load Balancer migration. State must transition PREPARE → optional TEST_BY_PERCENTAGE → TEST_ALL_TRAFFIC before the load balancing scheme can flip from EXTERNAL to EXTERNAL_MANAGED; same order in reverse to roll back.
FirewallDirection: Direction of traffic this firewall rule applies to. For ingress, at least one of sourceRanges / sourceTags / sourceServiceAccounts is required by GCP.
FirewallLogMetadata: Whether to include or exclude metadata for firewall logs. Used as the metadata field of ComputeFirewallFirewallLogConfig.
ForwardingRuleIpProtocol: IP protocol for google_compute_forwarding_rule.ip_protocol. The set of protocols accepted at apply time depends on the load balancing scheme and target type — Application Load Balancers want tcp; protocol forwarding rules may also pick udp / esp / ah / sctp / icmp.
ForwardingRuleIpVersion: IP version for the regional forwarding rule's VIP. Default IPV4. Selecting ipv6 requires a regional IPv6 GoogleComputeAddress for GoogleComputeForwardingRule.ipAddress, and (for external IPv6 NetLB rules) typically pairs with GoogleComputeForwardingRule.ipCollection pointing at a PublicDelegatedPrefix in EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode.
ForwardingRuleLoadBalancingScheme: load_balancing_scheme. Picks which regional load balancer variant this forwarding rule fronts.
ForwardingRuleNetworkTier: network_tier. Unlike global forwarding rules (which only accept PREMIUM), regional forwarding rules accept both tiers. The tier must match the tier of the referenced GoogleComputeForwardingRule.ipAddress when one is supplied. Leave null to inherit the provider default (PREMIUM).
GlobalAddressIpVersion: IP protocol version for the global address. Default ipv4.
GlobalAddressPurpose: purpose for google_compute_global_address. Selects the role the reserved range plays.
GlobalAddressType: address_type for google_compute_global_address. Default external (public IP). Use internal for in-VPC ranges (private-services peering, internal load balancer VIPs).
GlobalForwardingRuleIpProtocol: IP protocol for google_compute_global_forwarding_rule.ip_protocol. The set of protocols accepted at apply time depends on the load balancing scheme and target type — Application Load Balancers want tcp; protocol forwarding rules may also pick udp / esp / ah / sctp / icmp.
GlobalForwardingRuleIpVersion: IP version for the global forwarding rule's VIP. Default IPV4. Selecting ipv6 requires a global IPv6 GoogleComputeGlobalAddress for GoogleComputeGlobalForwardingRule.ipAddress.
GlobalForwardingRuleLoadBalancingScheme: load_balancing_scheme. Picks which load balancer variant this forwarding rule fronts.
GlobalForwardingRuleMetadataFilterMatchCriteria: metadata_filters[*].filter_match_criteria. Controls how the nested ComputeGlobalForwardingRuleGlobalForwardingRuleMetadataFilterLabel entries combine.
GlobalForwardingRuleMigrationState: external_managed_backend_bucket_migration_state. Drives the canary migration of backend buckets attached to this forwarding rule from EXTERNAL (Classic ALB) to EXTERNAL_MANAGED (modern global external ALB).
GlobalForwardingRuleNetworkTier: network_tier. For global forwarding rules GCP only accepts PREMIUM at apply time — the schema lists STANDARD for symmetry with the regional resource, but supplying it on a global rule errors out. Leave the field null (provider default = PREMIUM) unless overriding is explicitly needed.
GlobalNetworkEndpointGroupType: network_endpoint_type for google_compute_global_network_endpoint_group.
HealthCheckPortSpecification: port_specification value shared by every per-protocol config block.
HealthCheckProxyHeader: proxy_header value used inside every per-protocol HTTP-shaped block (HTTP, HTTPS, HTTP2, TCP, SSL). Defaults to none on the GCP API.
HealthCheckType: Health-check protocol. Computed on the resource (the GCP API derives it from which per-protocol config block was set), so callers don't set this directly — they pick the matching *HealthCheck block. Listed here for use in == comparisons against typeRef reads.
InstanceGroupManagerUpdatePolicyAction: update_policy.minimal_action / update_policy.most_disruptive_allowed_action. Shared enum — both fields accept the same value set.
InstanceGroupManagerUpdatePolicyReplacementMethod: update_policy.replacement_method. SUBSTITUTE (default) replaces VMs with newly-named ones; RECREATE preserves instance names but requires max_unavailable_* > 0.
InstanceGroupManagerUpdatePolicyType: update_policy.type. Controls whether the MIG actively performs the rolling update or waits for an external action (resize, recreate-instances) to apply it.
InstanceTemplateAccessConfigNetworkTier: network_interface.access_config.network_tier -- service tier for the external IP. STANDARD is regional; PREMIUM is global.
InstanceTemplateConfidentialInstanceType: confidential_instance_config.confidential_instance_type -- confidential computing technology. SEV and SEV_SNP require AMD CPUs (the latter also requires min_cpu_platform = "AMD Milan"). TDX requires Intel.
InstanceTemplateDiskMode: disk.mode -- read / write mode for an attached or boot disk. Boot disks must be READ_WRITE.
InstanceTemplateInstanceTerminationAction: scheduling.instance_termination_action -- action when a SPOT VM is preempted or max_run_duration elapses.
InstanceTemplateNicType: network_interface.nic_type -- vNIC family used for the interface.
InstanceTemplateOnHostMaintenance: scheduling.on_host_maintenance -- behaviour during host maintenance. MIGRATE (live migration) is the default for standard VMs; preemptible / SPOT / confidential VMs must use TERMINATE.
InstanceTemplatePerformanceMonitoringUnit: advanced_machine_features.performance_monitoring_unit -- PMU level exposed to the guest. ARCHITECTURAL is the minimum stable subset; ENHANCED exposes the broadest set of counters.
InstanceTemplateProvisioningModel: scheduling.provisioning_model -- VM provisioning model. STANDARD runs at on-demand prices with no termination guarantees from GCP; SPOT runs at preemptible prices and may be reclaimed at any time.
InstanceTemplateReservationAffinityType: reservation_affinity.type -- reservation consumption mode. Pair specificReservation with InstanceTemplateReservationAffinityType.specificReservation to target a named reservation; noReservation opts out.
InstanceTerminationAction: scheduling.instance_termination_action -- action when a SPOT VM is preempted or max_run_duration elapses.
IpAddressSelectionPolicy: ip_address_selection_policy. Controls IPv4-vs-IPv6 preference when the load balancer dials a backend (or when a proxyless gRPC client dials directly).
Ipv6EndpointType: IPv6 endpoint type. Used when GoogleComputeAddress.ipVersion is IpVersion.ipv6.
IpVersion: IP protocol version for the address.
LoadBalancingScheme: load_balancing_scheme. A backend service of one scheme cannot be repurposed for another — the value is effectively immutable except through the ExternalManagedMigrationState dance.
LocalityLbPolicy: locality_lb_policy. See the schema docstring for the matrix of which values are valid for which combination of protocol and load_balancing_scheme — Cloud Load Balancing silently coerces invalid values to the scheme's default at apply time.
ManagedSslCertificateType: Certificate provisioning mode. The schema for this resource accepts only MANAGED, and that value is the default — the enum exists for symmetry with the legacy unified google_compute_ssl_certificate resource (which historically distinguished MANAGED from SELF_MANAGED). For new code, omit type entirely.
NetworkEndpointGroupType: network_endpoint_type for google_compute_network_endpoint_group.
NetworkFirewallPolicyEnforcementOrder: Order in which a network firewall policy is enforced relative to classic firewall rules.
NetworkTier: Network service tier. PREMIUM uses Google's premium global backbone; STANDARD uses ISP-level routing (cheaper, regional).
NicType: network_interface.nic_type -- vNIC family used for the interface.
OnHostMaintenance: scheduling.on_host_maintenance -- behaviour during host maintenance. MIGRATE (live migration) is the default for standard VMs; preemptible / SPOT / confidential VMs must use TERMINATE.
PerformanceMonitoringUnit: advanced_machine_features.performance_monitoring_unit -- PMU level exposed to the guest. ARCHITECTURAL is the minimum stable subset; ENHANCED exposes the broadest set of counters.
ProvisioningModel: scheduling.provisioning_model -- VM provisioning model. STANDARD runs at on-demand prices with no termination guarantees from GCP; SPOT runs at preemptible prices and may be reclaimed at any time.
QuicOverride: QUIC negotiation policy for the HTTPS target proxy. When set to none (the default), Google manages whether QUIC is offered to clients; enable always offers QUIC; disable never offers it.
RegionAutoscalerCpuPredictiveMethod: Predictive autoscaling method for ComputeRegionAutoscalerRegionAutoscalerCpuUtilization.
RegionAutoscalerMetricType: Defines how a custom-metric value is interpreted by the autoscaler. Mirrors the API's utilizationTargetType enum.
RegionAutoscalerMode: Operating mode for the autoscaling policy. The schema declares this as a free-form string — the enum below pins the API-accepted set so callers cannot mis-spell it. Default is on when the field is omitted from the request.
RegionBackendServiceBalancingMode: Per-backend balancing mode. See ComputeRegionBackendServiceRegionBackendServiceBackend.balancingMode. Note: the regional resource omits the global IN_FLIGHT mode.
RegionBackendServiceCacheMode: cdn_policy.cache_mode. Enabling CDN (enable_cdn = true) without setting this defaults to CACHE_ALL_STATIC.
RegionBackendServiceFastIpMove: ha_policy.fast_ip_move. Controls fast IP-move behavior for self-managed HA on Passthrough NLBs.
RegionBackendServiceIpAddressSelectionPolicy: ip_address_selection_policy. Controls IPv4-vs-IPv6 preference when the load balancer dials a backend (or when a proxyless gRPC client dials directly).
RegionBackendServiceLoadBalancingScheme: load_balancing_scheme. A backend service of one scheme cannot be repurposed for another — the value is effectively immutable.
RegionBackendServiceLocalityLbPolicy: locality_lb_policy. See the schema docstring for the matrix of which values are valid for which combination of protocol and load_balancing_scheme — Cloud Load Balancing silently coerces invalid values to the scheme's default at apply time. For External Passthrough NLBs only maglev and weightedMaglev are honored; for INTERNAL_MANAGED with HTTP-class protocols the full set is available.
RegionBackendServiceLogOptionalMode: log_config.optional_mode. Controls which optional access-log fields are exported when ComputeRegionBackendServiceRegionBackendServiceLogConfig.enable is true.
RegionBackendServiceProtocol: Wire protocol the regional backend service uses to talk to backends. HTTP2 and H2C require an HTTP(S)-class load balancer; TCP, SSL, and UDP are for Passthrough Network Load Balancing / regional internal proxy routing. GRPC is required when the URL map is bound to a regional target gRPC proxy.
RegionBackendServiceSessionAffinity: session_affinity. Applicable only when the locality LB policy is one of MAGLEV, WEIGHTED_MAGLEV, or RING_HASH for HTTP-class balancers; for Passthrough NLBs clientIp and the 5-tuple variants apply directly. The regional resource adds clientIpNoDestination (Passthrough NLB variant that ignores the destination tuple component) versus the global resource.
RegionBackendServiceZonalAffinitySpillover: network_pass_through_lb_traffic_policy.zonal_affinity.spillover. Zonal-affinity selector for Internal Passthrough NLBs.
RegionHealthCheckPortSpecification: port_specification value shared by every per-protocol config block.
RegionHealthCheckProxyHeader: proxy_header value used inside the per-protocol HTTP-shaped blocks (HTTP, HTTPS, HTTP2, TCP, SSL). Defaults to none on the GCP API.
RegionHealthCheckType: Health-check protocol on a regional health check. Computed on the resource (the GCP API derives it from which per-protocol config block was set), so callers don't set this directly — they pick the matching *HealthCheck block. Listed here for use in == comparisons against typeRef reads.
RegionInstanceGroupManagerDistributionPolicyTargetShape: distribution_policy_target_shape. Controls how strictly the MIG converges on an even spread across distributionPolicyZones during proactive or resize-triggered rebalancing.
RegionInstanceGroupManagerInstanceRedistributionType: update_policy.instance_redistribution_type (regional only). PROACTIVE (default) keeps zones balanced as VMs come and go; NONE disables proactive rebalancing.
RegionInstanceGroupManagerUpdatePolicyAction: update_policy.minimal_action / update_policy.most_disruptive_allowed_action. Shared enum — both fields accept the same value set.
RegionInstanceGroupManagerUpdatePolicyReplacementMethod: update_policy.replacement_method. SUBSTITUTE (default) replaces VMs with newly-named ones; RECREATE preserves instance names but requires max_unavailable_* > 0.
RegionInstanceGroupManagerUpdatePolicyType: update_policy.type. Controls whether the MIG actively performs the rolling update or waits for an external action (resize, recreate-instances) to apply it.
RegionNetworkEndpointGroupType: network_endpoint_type for google_compute_region_network_endpoint_group. Defaults to serverless on the API side.
RegionUrlMapRedirectResponseCode: HTTP redirect response code emitted by a default_url_redirect / path_rule.url_redirect / route_rules.url_redirect block. The schema declares this as a free-form string -- the enum below pins the API-accepted set so callers cannot mis-spell it.
ReservationAffinityType: reservation_affinity.type -- reservation consumption mode. Pair specificReservation with a ReservationAffinityType.specificReservation value to target a named reservation; noReservation opts out.
RoutingMode: Routing mode for google_compute_network. Controls how routes are advertised between VPC subnets (regional) or all subnets (global).
ScratchDiskInterface: scratch_disk.interface -- attach bus for the local SSD. Defaults to NVME; SCSI is retained for legacy machine families.
SecurityPolicyJsonParsing: advanced_options_config.json_parsing -- whether Cloud Armor parses JSON request bodies during WAF evaluation. standard is required for the JSON-aware preconfigured WAF rules to inspect body content; otherwise default disabled keeps inspection limited to URI / headers / query string.
SecurityPolicyLogLevel: advanced_options_config.log_level -- verbosity of Cloud Armor's Cloud Logging output. verbose includes preconfigured-WAF rule match details and is the recommended setting during policy tuning; switch back to normal for steady-state to control log volume.
SecurityPolicyRuleAction: rule.action -- what Cloud Armor does when the ComputeSecurityPolicySecurityPolicyRule matches. The deny(NNN) actions return a fixed HTTP status to the client; rateBasedBan and throttle REQUIRE ComputeSecurityPolicySecurityPolicyRule.rateLimitOptions; redirect REQUIRES ComputeSecurityPolicySecurityPolicyRule.redirectOptions. The Terraform value preserves the literal provider strings (parentheses and digits included) -- the Dart variants pick identifier-safe names.
SecurityPolicyRuleMatchVersionedExpr: match.versioned_expr -- Cloud Armor's only built-in predicate today. Pair with ComputeSecurityPolicySecurityPolicyRuleMatchConfig.srcIpRanges to match by source IP / CIDR. For richer matching (geo, path, headers), use ComputeSecurityPolicySecurityPolicyRuleMatchExpr (CEL) instead.
SecurityPolicyType: type -- intended use of the security policy. Forces replacement when changed. The default (when unset on create) is SecurityPolicyType.cloudArmor.
SessionAffinity: session_affinity. Applicable only when the locality LB policy is one of MAGLEV, WEIGHTED_MAGLEV, or RING_HASH (otherwise the setting is silently ignored).
SslPolicyMinTlsVersion: min_tls_version — the protocol-version floor. TLS 1.3 is always offered by the load balancer and is not selectable as a minimum here; the API only exposes the 1.0 / 1.1 / 1.2 floors. To force TLS 1.3 only, pair tls12 with SslPolicyProfile.restricted, which drops the legacy 1.x suites from the negotiated set.
SslPolicyProfile: profile — the curated cipher-suite preset. See the class-level security guidance for picking between restricted (compliance default), modern (modern browsers only), compatible (permissive legacy default), fips202205 (FIPS 202205-pinned), and custom (caller-supplied via GoogleComputeSslPolicy.customFeatures).
SubnetworkIpv6AccessType: Access type of the IPv6 address range held by the subnetwork. Immutable after creation. Only meaningful when SubnetworkStackType includes IPv6.
SubnetworkLogConfigAggregationInterval: VPC flow log aggregation interval. The default on GCP is interval5Sec (denser sampling, higher cost).
SubnetworkLogConfigMetadata: VPC flow log metadata-inclusion mode. Pair customMetadata with the ComputeSubnetworkSubnetworkLogConfig.metadataFields selector.
SubnetworkPurpose: Purpose of the subnetwork. Defaults to private when unspecified.
SubnetworkResolveSubnetMask: ARP resolution mode for the subnetwork. Controls which ranges respond to ARP requests. Used only by reserved-internal-range subnetworks.
SubnetworkRole: Role of a managed-proxy subnetwork. Only meaningful when purpose is REGIONAL_MANAGED_PROXY or GLOBAL_MANAGED_PROXY.
SubnetworkStackType: IP stack type for the subnetwork. Immutable after creation.
TlsEarlyData: TLS 1.3 0-RTT ("Early Data") acceptance policy. Early Data lets a TLS resumption handshake carry the initial application payload alongside the handshake itself, eliminating the extra round trip at the cost of replay risk.
UrlMapRedirectResponseCode: HTTP redirect response code emitted by a default_url_redirect / path_rule.url_redirect / route_rules.url_redirect block. The schema declares this as a free-form string -- the enum below pins the API-accepted set so callers cannot mis-spell it.

compute library

Classes

Enums

terradart_google package

compute library