SecurityRule resource
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as scm from "@pulumi/scm";
// First, create the tag objects that you will reference.
// Both tags are created in folder "All". The rules below attach them through
// outboundTag.name / webTag.name, so Pulumi creates the tags before any rule
// that uses them.
const outboundTag = new scm.Tag("outbound_tag", {
  folder: "All",
  name: "outbound143",
  color: "Red",
});
const webTag = new scm.Tag("web_tag", {
  folder: "All",
  name: "web143",
  color: "Blue",
});
// --- Existing Rules (Backward Compatibility) ---
// Allows web-browsing/ssl on service-http/service-https in the "pre" rulebase,
// logging at session start and end.
// NOTE(review): the description says "outbound", but the zone match is
// froms [untrust, trust] -> tos [trust]. If "untrust" is the external zone (the
// usual naming), this also admits untrust -> trust sessions, i.e. inbound web
// traffic to any destination in trust. The outbound examples further down use
// froms [trust] -> tos [untrust]; confirm the intended direction before reusing
// this rule.
const standardWebAccess = new scm.SecurityRule("standard_web_access", {
  folder: "All",
  name: "Allow Standard Web Access143",
  description: "Allow outbound web traffic to any destination...",
  position: "pre",
  action: "allow",
  categories: ["any"],
  applications: [
    "web-browsing",
    "ssl",
  ],
  services: [
    "service-http",
    "service-https",
  ],
  froms: [
    "untrust",
    "trust",
  ],
  tos: ["trust"],
  sources: ["any"],
  destinations: ["any"],
  negateSource: false,
  negateDestination: false,
  sourceUsers: ["any"],
  sourceHips: ["any"],
  destinationHips: ["any"],
  logStart: true,
  logEnd: true,
  disabled: false,
  tags: [
    outboundTag.name,
    webTag.name,
  ],
});
// Deny rule built from the web-security fields (policyType "Internet"): it
// blocks the listed web application for any zone, address and user, turns on the
// anti-spyware, vulnerability and virus/WildFire settings, and logs sessions.
// No position or relativePosition is set, so its place in the rulebase is left
// to the provider default; check the resulting order after deployment.
const blockRiskySaas = new scm.SecurityRule("block_risky_saas", {
  folder: "All",
  name: "Block Risky SaaS Applications143",
  description: "Prevent data exfiltration by blocking risky SaaS apps...",
  action: "deny",
  policyType: "Internet",
  securitySettings: {
    antiSpyware: "yes",
    vulnerability: "yes",
    virusAndWildfireAnalysis: "yes",
  },
  blockWebApplications: ["facebook-posting"],
  logSettings: {
    logSessions: true,
  },
  froms: ["any"],
  tos: ["any"],
  sources: ["any"],
  destinations: ["any"],
  sourceUsers: ["any"],
  disabled: false,
  tags: [
    outboundTag.name,
    webTag.name,
  ],
});
// --- NEW Examples Demonstrating Rule Ordering ---
// Example 1: Place a critical block rule at the absolute top
// NOTE(review): as written this denies any zone, address, user, category,
// application and service. Security rules are evaluated top-down and the first
// match wins, so at the top of the rulebase this would drop all traffic and no
// rule below it would ever be reached. To match the rule's name, point
// `sources` and/or `destinations` at the address group or external dynamic list
// that holds the known-bad IPs (e.g. "<MALICIOUS_IP_LIST>", a placeholder)
// instead of "any".
const criticalBlockTop = new scm.SecurityRule("critical_block_top", {
  folder: "All",
  name: "CRITICAL Block Malicious IPs Top143",
  description: "Always block known malicious IPs first.",
  relativePosition: "top",
  action: "deny",
  froms: ["any"],
  tos: ["any"],
  sources: ["any"],
  destinations: ["any"],
  sourceUsers: ["any"],
  categories: ["any"],
  applications: ["any"],
  services: ["any"],
  logEnd: true,
  tags: [outboundTag.name],
});
// Example 2: Place a cleanup rule at the absolute bottom
// Catch-all deny (every match field is "any") with logEnd, so traffic that no
// earlier rule allowed is dropped and logged. `position` is not set here;
// confirm which rulebase (pre or post) "bottom" resolves to, because a
// catch-all deny that lands ahead of other rules cuts those rules off.
const cleanupDenyBottom = new scm.SecurityRule("cleanup_deny_bottom", {
  folder: "All",
  name: "Cleanup Deny All Bottom143",
  description: "Deny any traffic not explicitly allowed.",
  relativePosition: "bottom",
  action: "deny",
  froms: ["any"],
  tos: ["any"],
  sources: ["any"],
  destinations: ["any"],
  sourceUsers: ["any"],
  categories: ["any"],
  applications: ["any"],
  services: ["any"],
  logEnd: true,
  tags: [outboundTag.name],
});
// Example 3: Place a rule *before* the standard web access rule
// targetRule takes the id of the anchor rule; relativePosition says on which
// side of it this rule goes.
// The rule is scoped by zone (trust -> untrust), application and service, but
// sources and destinations stay "any"; narrow them where the update clients or
// update servers are known.
const allowUpdatesBeforeWeb = new scm.SecurityRule("allow_updates_before_web", {
  folder: "All",
  name: "Allow OS Updates Before Web143",
  description: "Allow specific OS update traffic before general web access.",
  relativePosition: "before",
  targetRule: standardWebAccess.id,
  action: "allow",
  froms: ["trust"],
  tos: ["untrust"],
  sources: ["any"],
  destinations: ["any"],
  sourceUsers: ["any"],
  categories: ["any"],
  applications: [
    "ms-update",
    "apple-update",
  ],
  services: ["service-https"],
  logEnd: true,
  tags: [outboundTag.name],
});
// Example 4: Place a rule *after* the standard web access rule
// NOTE(review): the application list is a stand-in. "ms-update" is not a
// corporate app, and Example 3 already allows it for the same zones and service
// earlier in the order, so this rule would never be the first match. Replace it
// with the real application names before use.
const allowCorpAppsAfterWeb = new scm.SecurityRule("allow_corp_apps_after_web", {
  folder: "All",
  name: "Allow Corp Apps After Web143",
  description: "Allow access to specific corporate apps after general web access.",
  relativePosition: "after",
  targetRule: standardWebAccess.id,
  action: "allow",
  froms: ["trust"],
  tos: ["untrust"],
  sources: ["any"],
  destinations: ["any"],
  sourceUsers: ["any"],
  categories: ["any"],
  applications: ["ms-update"],
  services: ["service-https"],
  logEnd: true,
  tags: [webTag.name],
});
import pulumi
import pulumi_scm as scm
# First, create the tag objects that you will reference.
# Both tags are created in folder "All". The rules below attach them through
# outbound_tag.name / web_tag.name, so Pulumi creates the tags before any rule
# that uses them.
outbound_tag = scm.Tag("outbound_tag",
    folder="All",
    name="outbound143",
    color="Red")
web_tag = scm.Tag("web_tag",
    folder="All",
    name="web143",
    color="Blue")
# --- Existing Rules (Backward Compatibility) ---
# Allows web-browsing/ssl on service-http/service-https in the "pre" rulebase,
# logging at session start and end.
# NOTE(review): the description says "outbound", but the zone match is
# froms [untrust, trust] -> tos [trust]. If "untrust" is the external zone (the
# usual naming), this also admits untrust -> trust sessions, i.e. inbound web
# traffic to any destination in trust. The outbound examples further down use
# froms [trust] -> tos [untrust]; confirm the intended direction before reusing
# this rule.
standard_web_access = scm.SecurityRule("standard_web_access",
    folder="All",
    name="Allow Standard Web Access143",
    description="Allow outbound web traffic to any destination...",
    position="pre",
    action="allow",
    categories=["any"],
    applications=[
        "web-browsing",
        "ssl",
    ],
    services=[
        "service-http",
        "service-https",
    ],
    froms=[
        "untrust",
        "trust",
    ],
    tos=["trust"],
    sources=["any"],
    destinations=["any"],
    negate_source=False,
    negate_destination=False,
    source_users=["any"],
    source_hips=["any"],
    destination_hips=["any"],
    log_start=True,
    log_end=True,
    disabled=False,
    tags=[
        outbound_tag.name,
        web_tag.name,
    ])
# Deny rule built from the web-security fields (policy_type "Internet"): it
# blocks the listed web application for any zone, address and user, turns on the
# anti-spyware, vulnerability and virus/WildFire settings, and logs sessions.
# No position or relative_position is set, so its place in the rulebase is left
# to the provider default; check the resulting order after deployment.
block_risky_saas = scm.SecurityRule("block_risky_saas",
    folder="All",
    name="Block Risky SaaS Applications143",
    description="Prevent data exfiltration by blocking risky SaaS apps...",
    action="deny",
    policy_type="Internet",
    security_settings={
        "anti_spyware": "yes",
        "vulnerability": "yes",
        "virus_and_wildfire_analysis": "yes",
    },
    block_web_applications=["facebook-posting"],
    log_settings={
        "log_sessions": True,
    },
    froms=["any"],
    tos=["any"],
    sources=["any"],
    destinations=["any"],
    source_users=["any"],
    disabled=False,
    tags=[
        outbound_tag.name,
        web_tag.name,
    ])
# --- NEW Examples Demonstrating Rule Ordering ---
# Example 1: Place a critical block rule at the absolute top
# NOTE(review): as written this denies any zone, address, user, category,
# application and service. Security rules are evaluated top-down and the first
# match wins, so at the top of the rulebase this would drop all traffic and no
# rule below it would ever be reached. To match the rule's name, point
# `sources` and/or `destinations` at the address group or external dynamic list
# that holds the known-bad IPs (e.g. "<MALICIOUS_IP_LIST>", a placeholder)
# instead of "any".
critical_block_top = scm.SecurityRule("critical_block_top",
    folder="All",
    name="CRITICAL Block Malicious IPs Top143",
    description="Always block known malicious IPs first.",
    relative_position="top",
    action="deny",
    froms=["any"],
    tos=["any"],
    sources=["any"],
    destinations=["any"],
    source_users=["any"],
    categories=["any"],
    applications=["any"],
    services=["any"],
    log_end=True,
    tags=[outbound_tag.name])
# Example 2: Place a cleanup rule at the absolute bottom
# Catch-all deny (every match field is "any") with log_end, so traffic that no
# earlier rule allowed is dropped and logged. `position` is not set here;
# confirm which rulebase (pre or post) "bottom" resolves to, because a
# catch-all deny that lands ahead of other rules cuts those rules off.
cleanup_deny_bottom = scm.SecurityRule("cleanup_deny_bottom",
    folder="All",
    name="Cleanup Deny All Bottom143",
    description="Deny any traffic not explicitly allowed.",
    relative_position="bottom",
    action="deny",
    froms=["any"],
    tos=["any"],
    sources=["any"],
    destinations=["any"],
    source_users=["any"],
    categories=["any"],
    applications=["any"],
    services=["any"],
    log_end=True,
    tags=[outbound_tag.name])
# Example 3: Place a rule *before* the standard web access rule
# target_rule takes the id of the anchor rule; relative_position says on which
# side of it this rule goes.
# The rule is scoped by zone (trust -> untrust), application and service, but
# sources and destinations stay "any"; narrow them where the update clients or
# update servers are known.
allow_updates_before_web = scm.SecurityRule("allow_updates_before_web",
    folder="All",
    name="Allow OS Updates Before Web143",
    description="Allow specific OS update traffic before general web access.",
    relative_position="before",
    target_rule=standard_web_access.id,
    action="allow",
    froms=["trust"],
    tos=["untrust"],
    sources=["any"],
    destinations=["any"],
    source_users=["any"],
    categories=["any"],
    applications=[
        "ms-update",
        "apple-update",
    ],
    services=["service-https"],
    log_end=True,
    tags=[outbound_tag.name])
# Example 4: Place a rule *after* the standard web access rule
# NOTE(review): the application list is a stand-in. "ms-update" is not a
# corporate app, and Example 3 already allows it for the same zones and service
# earlier in the order, so this rule would never be the first match. Replace it
# with the real application names before use.
allow_corp_apps_after_web = scm.SecurityRule("allow_corp_apps_after_web",
    folder="All",
    name="Allow Corp Apps After Web143",
    description="Allow access to specific corporate apps after general web access.",
    relative_position="after",
    target_rule=standard_web_access.id,
    action="allow",
    froms=["trust"],
    tos=["untrust"],
    sources=["any"],
    destinations=["any"],
    source_users=["any"],
    categories=["any"],
    applications=["ms-update"],
    services=["service-https"],
    log_end=True,
    tags=[web_tag.name])
package main
import (
"github.com/pulumi/pulumi-scm/sdk/go/scm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares two tags and six security rules in folder "All". Security rules
// are evaluated top-down with the first match winning, so the placement fields
// (Position, RelativePosition, TargetRule) decide which rule takes effect.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// First, create the tag objects that you will reference.
		outboundTag, err := scm.NewTag(ctx, "outbound_tag", &scm.TagArgs{
			Folder: pulumi.String("All"),
			Name: pulumi.String("outbound143"),
			Color: pulumi.String("Red"),
		})
		if err != nil {
			return err
		}
		webTag, err := scm.NewTag(ctx, "web_tag", &scm.TagArgs{
			Folder: pulumi.String("All"),
			Name: pulumi.String("web143"),
			Color: pulumi.String("Blue"),
		})
		if err != nil {
			return err
		}
		// --- Existing Rules (Backward Compatibility) ---
		// NOTE(review): the description says "outbound", but the zone match is
		// Froms [untrust, trust] -> Tos [trust]. If "untrust" is the external zone
		// (the usual naming), this also admits untrust -> trust sessions, i.e.
		// inbound web traffic to any destination in trust. The outbound examples
		// below use Froms [trust] -> Tos [untrust]; confirm the intended direction.
		standardWebAccess, err := scm.NewSecurityRule(ctx, "standard_web_access", &scm.SecurityRuleArgs{
			Folder: pulumi.String("All"),
			Name: pulumi.String("Allow Standard Web Access143"),
			Description: pulumi.String("Allow outbound web traffic to any destination..."),
			Position: pulumi.String("pre"),
			Action: pulumi.String("allow"),
			Categories: pulumi.StringArray{
				pulumi.String("any"),
			},
			Applications: pulumi.StringArray{
				pulumi.String("web-browsing"),
				pulumi.String("ssl"),
			},
			Services: pulumi.StringArray{
				pulumi.String("service-http"),
				pulumi.String("service-https"),
			},
			Froms: pulumi.StringArray{
				pulumi.String("untrust"),
				pulumi.String("trust"),
			},
			Tos: pulumi.StringArray{
				pulumi.String("trust"),
			},
			Sources: pulumi.StringArray{
				pulumi.String("any"),
			},
			Destinations: pulumi.StringArray{
				pulumi.String("any"),
			},
			NegateSource: pulumi.Bool(false),
			NegateDestination: pulumi.Bool(false),
			SourceUsers: pulumi.StringArray{
				pulumi.String("any"),
			},
			SourceHips: pulumi.StringArray{
				pulumi.String("any"),
			},
			DestinationHips: pulumi.StringArray{
				pulumi.String("any"),
			},
			LogStart: pulumi.Bool(true),
			LogEnd: pulumi.Bool(true),
			Disabled: pulumi.Bool(false),
			Tags: pulumi.StringArray{
				outboundTag.Name,
				webTag.Name,
			},
		})
		if err != nil {
			return err
		}
		// Deny rule built from the web-security fields (PolicyType "Internet").
		// No Position or RelativePosition is set, so its place in the rulebase is
		// left to the provider default; check the resulting order after deployment.
		_, err = scm.NewSecurityRule(ctx, "block_risky_saas", &scm.SecurityRuleArgs{
			Folder: pulumi.String("All"),
			Name: pulumi.String("Block Risky SaaS Applications143"),
			Description: pulumi.String("Prevent data exfiltration by blocking risky SaaS apps..."),
			Action: pulumi.String("deny"),
			PolicyType: pulumi.String("Internet"),
			SecuritySettings: &scm.SecurityRuleSecuritySettingsArgs{
				AntiSpyware: pulumi.String("yes"),
				Vulnerability: pulumi.String("yes"),
				VirusAndWildfireAnalysis: pulumi.String("yes"),
			},
			BlockWebApplications: pulumi.StringArray{
				pulumi.String("facebook-posting"),
			},
			LogSettings: &scm.SecurityRuleLogSettingsArgs{
				LogSessions: pulumi.Bool(true),
			},
			Froms: pulumi.StringArray{
				pulumi.String("any"),
			},
			Tos: pulumi.StringArray{
				pulumi.String("any"),
			},
			Sources: pulumi.StringArray{
				pulumi.String("any"),
			},
			Destinations: pulumi.StringArray{
				pulumi.String("any"),
			},
			SourceUsers: pulumi.StringArray{
				pulumi.String("any"),
			},
			Disabled: pulumi.Bool(false),
			Tags: pulumi.StringArray{
				outboundTag.Name,
				webTag.Name,
			},
		})
		if err != nil {
			return err
		}
		// Example 1: Place a critical block rule at the absolute top
		// NOTE(review): as written this denies any zone, address, user, category,
		// application and service. At the top of the rulebase it would drop all
		// traffic and no rule below it would ever be reached. To match the rule's
		// name, point Sources and/or Destinations at the address group or external
		// dynamic list that holds the known-bad IPs (e.g. "<MALICIOUS_IP_LIST>",
		// a placeholder) instead of "any".
		_, err = scm.NewSecurityRule(ctx, "critical_block_top", &scm.SecurityRuleArgs{
			Folder: pulumi.String("All"),
			Name: pulumi.String("CRITICAL Block Malicious IPs Top143"),
			Description: pulumi.String("Always block known malicious IPs first."),
			RelativePosition: pulumi.String("top"),
			Action: pulumi.String("deny"),
			Froms: pulumi.StringArray{
				pulumi.String("any"),
			},
			Tos: pulumi.StringArray{
				pulumi.String("any"),
			},
			Sources: pulumi.StringArray{
				pulumi.String("any"),
			},
			Destinations: pulumi.StringArray{
				pulumi.String("any"),
			},
			SourceUsers: pulumi.StringArray{
				pulumi.String("any"),
			},
			Categories: pulumi.StringArray{
				pulumi.String("any"),
			},
			Applications: pulumi.StringArray{
				pulumi.String("any"),
			},
			Services: pulumi.StringArray{
				pulumi.String("any"),
			},
			LogEnd: pulumi.Bool(true),
			Tags: pulumi.StringArray{
				outboundTag.Name,
			},
		})
		if err != nil {
			return err
		}
		// Example 2: Place a cleanup rule at the absolute bottom
		// Catch-all deny with LogEnd, so traffic that no earlier rule allowed is
		// dropped and logged. Position is not set here; confirm which rulebase
		// (pre or post) "bottom" resolves to.
		_, err = scm.NewSecurityRule(ctx, "cleanup_deny_bottom", &scm.SecurityRuleArgs{
			Folder: pulumi.String("All"),
			Name: pulumi.String("Cleanup Deny All Bottom143"),
			Description: pulumi.String("Deny any traffic not explicitly allowed."),
			RelativePosition: pulumi.String("bottom"),
			Action: pulumi.String("deny"),
			Froms: pulumi.StringArray{
				pulumi.String("any"),
			},
			Tos: pulumi.StringArray{
				pulumi.String("any"),
			},
			Sources: pulumi.StringArray{
				pulumi.String("any"),
			},
			Destinations: pulumi.StringArray{
				pulumi.String("any"),
			},
			SourceUsers: pulumi.StringArray{
				pulumi.String("any"),
			},
			Categories: pulumi.StringArray{
				pulumi.String("any"),
			},
			Applications: pulumi.StringArray{
				pulumi.String("any"),
			},
			Services: pulumi.StringArray{
				pulumi.String("any"),
			},
			LogEnd: pulumi.Bool(true),
			Tags: pulumi.StringArray{
				outboundTag.Name,
			},
		})
		if err != nil {
			return err
		}
		// Example 3: Place a rule *before* the standard web access rule
		// TargetRule takes the ID of the anchor rule; RelativePosition says on
		// which side of it this rule goes. Sources and Destinations stay "any";
		// narrow them where the update clients or update servers are known.
		_, err = scm.NewSecurityRule(ctx, "allow_updates_before_web", &scm.SecurityRuleArgs{
			Folder: pulumi.String("All"),
			Name: pulumi.String("Allow OS Updates Before Web143"),
			Description: pulumi.String("Allow specific OS update traffic before general web access."),
			RelativePosition: pulumi.String("before"),
			TargetRule: standardWebAccess.ID(),
			Action: pulumi.String("allow"),
			Froms: pulumi.StringArray{
				pulumi.String("trust"),
			},
			Tos: pulumi.StringArray{
				pulumi.String("untrust"),
			},
			Sources: pulumi.StringArray{
				pulumi.String("any"),
			},
			Destinations: pulumi.StringArray{
				pulumi.String("any"),
			},
			SourceUsers: pulumi.StringArray{
				pulumi.String("any"),
			},
			Categories: pulumi.StringArray{
				pulumi.String("any"),
			},
			Applications: pulumi.StringArray{
				pulumi.String("ms-update"),
				pulumi.String("apple-update"),
			},
			Services: pulumi.StringArray{
				pulumi.String("service-https"),
			},
			LogEnd: pulumi.Bool(true),
			Tags: pulumi.StringArray{
				outboundTag.Name,
			},
		})
		if err != nil {
			return err
		}
		// Example 4: Place a rule *after* the standard web access rule
		// NOTE(review): the application list is a stand-in. "ms-update" is not a
		// corporate app, and Example 3 already allows it for the same zones and
		// service earlier in the order, so this rule would never be the first
		// match. Replace it with the real application names before use.
		_, err = scm.NewSecurityRule(ctx, "allow_corp_apps_after_web", &scm.SecurityRuleArgs{
			Folder: pulumi.String("All"),
			Name: pulumi.String("Allow Corp Apps After Web143"),
			Description: pulumi.String("Allow access to specific corporate apps after general web access."),
			RelativePosition: pulumi.String("after"),
			TargetRule: standardWebAccess.ID(),
			Action: pulumi.String("allow"),
			Froms: pulumi.StringArray{
				pulumi.String("trust"),
			},
			Tos: pulumi.StringArray{
				pulumi.String("untrust"),
			},
			Sources: pulumi.StringArray{
				pulumi.String("any"),
			},
			Destinations: pulumi.StringArray{
				pulumi.String("any"),
			},
			SourceUsers: pulumi.StringArray{
				pulumi.String("any"),
			},
			Categories: pulumi.StringArray{
				pulumi.String("any"),
			},
			Applications: pulumi.StringArray{
				pulumi.String("ms-update"),
			},
			Services: pulumi.StringArray{
				pulumi.String("service-https"),
			},
			LogEnd: pulumi.Bool(true),
			Tags: pulumi.StringArray{
				webTag.Name,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Scm = Pulumi.Scm;
// Declares two tags and six security rules in folder "All". Security rules are
// evaluated top-down with the first match winning, so the placement fields
// (Position, RelativePosition, TargetRule) decide which rule takes effect.
return await Deployment.RunAsync(() =>
{
    // First, create the tag objects that you will reference.
    var outboundTag = new Scm.Tag("outbound_tag", new()
    {
        Folder = "All",
        Name = "outbound143",
        Color = "Red",
    });
    var webTag = new Scm.Tag("web_tag", new()
    {
        Folder = "All",
        Name = "web143",
        Color = "Blue",
    });
    // --- Existing Rules (Backward Compatibility) ---
    // NOTE(review): the description says "outbound", but the zone match is
    // Froms [untrust, trust] -> Tos [trust]. If "untrust" is the external zone
    // (the usual naming), this also admits untrust -> trust sessions, i.e.
    // inbound web traffic to any destination in trust. The outbound examples
    // below use Froms [trust] -> Tos [untrust]; confirm the intended direction.
    var standardWebAccess = new Scm.SecurityRule("standard_web_access", new()
    {
        Folder = "All",
        Name = "Allow Standard Web Access143",
        Description = "Allow outbound web traffic to any destination...",
        Position = "pre",
        Action = "allow",
        Categories = new[]
        {
            "any",
        },
        Applications = new[]
        {
            "web-browsing",
            "ssl",
        },
        Services = new[]
        {
            "service-http",
            "service-https",
        },
        Froms = new[]
        {
            "untrust",
            "trust",
        },
        Tos = new[]
        {
            "trust",
        },
        Sources = new[]
        {
            "any",
        },
        Destinations = new[]
        {
            "any",
        },
        NegateSource = false,
        NegateDestination = false,
        SourceUsers = new[]
        {
            "any",
        },
        SourceHips = new[]
        {
            "any",
        },
        DestinationHips = new[]
        {
            "any",
        },
        LogStart = true,
        LogEnd = true,
        Disabled = false,
        Tags = new[]
        {
            outboundTag.Name,
            webTag.Name,
        },
    });
    // Deny rule built from the web-security fields (PolicyType "Internet").
    // No Position or RelativePosition is set, so its place in the rulebase is
    // left to the provider default; check the resulting order after deployment.
    var blockRiskySaas = new Scm.SecurityRule("block_risky_saas", new()
    {
        Folder = "All",
        Name = "Block Risky SaaS Applications143",
        Description = "Prevent data exfiltration by blocking risky SaaS apps...",
        Action = "deny",
        PolicyType = "Internet",
        SecuritySettings = new Scm.Inputs.SecurityRuleSecuritySettingsArgs
        {
            AntiSpyware = "yes",
            Vulnerability = "yes",
            VirusAndWildfireAnalysis = "yes",
        },
        BlockWebApplications = new[]
        {
            "facebook-posting",
        },
        LogSettings = new Scm.Inputs.SecurityRuleLogSettingsArgs
        {
            LogSessions = true,
        },
        Froms = new[]
        {
            "any",
        },
        Tos = new[]
        {
            "any",
        },
        Sources = new[]
        {
            "any",
        },
        Destinations = new[]
        {
            "any",
        },
        SourceUsers = new[]
        {
            "any",
        },
        Disabled = false,
        Tags = new[]
        {
            outboundTag.Name,
            webTag.Name,
        },
    });
    // --- NEW Examples Demonstrating Rule Ordering ---
    // Example 1: Place a critical block rule at the absolute top
    // NOTE(review): as written this denies any zone, address, user, category,
    // application and service. At the top of the rulebase it would drop all
    // traffic and no rule below it would ever be reached. To match the rule's
    // name, point Sources and/or Destinations at the address group or external
    // dynamic list that holds the known-bad IPs (e.g. "<MALICIOUS_IP_LIST>",
    // a placeholder) instead of "any".
    var criticalBlockTop = new Scm.SecurityRule("critical_block_top", new()
    {
        Folder = "All",
        Name = "CRITICAL Block Malicious IPs Top143",
        Description = "Always block known malicious IPs first.",
        RelativePosition = "top",
        Action = "deny",
        Froms = new[]
        {
            "any",
        },
        Tos = new[]
        {
            "any",
        },
        Sources = new[]
        {
            "any",
        },
        Destinations = new[]
        {
            "any",
        },
        SourceUsers = new[]
        {
            "any",
        },
        Categories = new[]
        {
            "any",
        },
        Applications = new[]
        {
            "any",
        },
        Services = new[]
        {
            "any",
        },
        LogEnd = true,
        Tags = new[]
        {
            outboundTag.Name,
        },
    });
    // Example 2: Place a cleanup rule at the absolute bottom
    // Catch-all deny with LogEnd, so traffic that no earlier rule allowed is
    // dropped and logged. Position is not set here; confirm which rulebase
    // (pre or post) "bottom" resolves to.
    var cleanupDenyBottom = new Scm.SecurityRule("cleanup_deny_bottom", new()
    {
        Folder = "All",
        Name = "Cleanup Deny All Bottom143",
        Description = "Deny any traffic not explicitly allowed.",
        RelativePosition = "bottom",
        Action = "deny",
        Froms = new[]
        {
            "any",
        },
        Tos = new[]
        {
            "any",
        },
        Sources = new[]
        {
            "any",
        },
        Destinations = new[]
        {
            "any",
        },
        SourceUsers = new[]
        {
            "any",
        },
        Categories = new[]
        {
            "any",
        },
        Applications = new[]
        {
            "any",
        },
        Services = new[]
        {
            "any",
        },
        LogEnd = true,
        Tags = new[]
        {
            outboundTag.Name,
        },
    });
    // Example 3: Place a rule *before* the standard web access rule
    // TargetRule takes the Id of the anchor rule; RelativePosition says on which
    // side of it this rule goes. Sources and Destinations stay "any"; narrow
    // them where the update clients or update servers are known.
    var allowUpdatesBeforeWeb = new Scm.SecurityRule("allow_updates_before_web", new()
    {
        Folder = "All",
        Name = "Allow OS Updates Before Web143",
        Description = "Allow specific OS update traffic before general web access.",
        RelativePosition = "before",
        TargetRule = standardWebAccess.Id,
        Action = "allow",
        Froms = new[]
        {
            "trust",
        },
        Tos = new[]
        {
            "untrust",
        },
        Sources = new[]
        {
            "any",
        },
        Destinations = new[]
        {
            "any",
        },
        SourceUsers = new[]
        {
            "any",
        },
        Categories = new[]
        {
            "any",
        },
        Applications = new[]
        {
            "ms-update",
            "apple-update",
        },
        Services = new[]
        {
            "service-https",
        },
        LogEnd = true,
        Tags = new[]
        {
            outboundTag.Name,
        },
    });
    // Example 4: Place a rule *after* the standard web access rule
    // NOTE(review): the application list is a stand-in. "ms-update" is not a
    // corporate app, and Example 3 already allows it for the same zones and
    // service earlier in the order, so this rule would never be the first
    // match. Replace it with the real application names before use.
    var allowCorpAppsAfterWeb = new Scm.SecurityRule("allow_corp_apps_after_web", new()
    {
        Folder = "All",
        Name = "Allow Corp Apps After Web143",
        Description = "Allow access to specific corporate apps after general web access.",
        RelativePosition = "after",
        TargetRule = standardWebAccess.Id,
        Action = "allow",
        Froms = new[]
        {
            "trust",
        },
        Tos = new[]
        {
            "untrust",
        },
        Sources = new[]
        {
            "any",
        },
        Destinations = new[]
        {
            "any",
        },
        SourceUsers = new[]
        {
            "any",
        },
        Categories = new[]
        {
            "any",
        },
        Applications = new[]
        {
            "ms-update",
        },
        Services = new[]
        {
            "service-https",
        },
        LogEnd = true,
        Tags = new[]
        {
            webTag.Name,
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scm.Tag;
import com.pulumi.scm.TagArgs;
import com.pulumi.scm.SecurityRule;
import com.pulumi.scm.SecurityRuleArgs;
import com.pulumi.scm.inputs.SecurityRuleSecuritySettingsArgs;
import com.pulumi.scm.inputs.SecurityRuleLogSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Declares two tags and six security rules in folder "All". Security rules are
 * evaluated top-down with the first match winning, so the placement fields
 * (position, relativePosition, targetRule) decide which rule takes effect.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // First, create the tag objects that you will reference.
        var outboundTag = new Tag("outboundTag", TagArgs.builder()
            .folder("All")
            .name("outbound143")
            .color("Red")
            .build());
        var webTag = new Tag("webTag", TagArgs.builder()
            .folder("All")
            .name("web143")
            .color("Blue")
            .build());
        // --- Existing Rules (Backward Compatibility) ---
        // NOTE(review): the description says "outbound", but the zone match is
        // froms [untrust, trust] -> tos [trust]. If "untrust" is the external
        // zone (the usual naming), this also admits untrust -> trust sessions,
        // i.e. inbound web traffic to any destination in trust. The outbound
        // examples below use froms [trust] -> tos [untrust]; confirm the
        // intended direction.
        var standardWebAccess = new SecurityRule("standardWebAccess", SecurityRuleArgs.builder()
            .folder("All")
            .name("Allow Standard Web Access143")
            .description("Allow outbound web traffic to any destination...")
            .position("pre")
            .action("allow")
            .categories("any")
            .applications(
                "web-browsing",
                "ssl")
            .services(
                "service-http",
                "service-https")
            .froms(
                "untrust",
                "trust")
            .tos("trust")
            .sources("any")
            .destinations("any")
            .negateSource(false)
            .negateDestination(false)
            .sourceUsers("any")
            .sourceHips("any")
            .destinationHips("any")
            .logStart(true)
            .logEnd(true)
            .disabled(false)
            .tags(
                outboundTag.name(),
                webTag.name())
            .build());
        // Deny rule built from the web-security fields (policyType "Internet").
        // No position or relativePosition is set, so its place in the rulebase
        // is left to the provider default; check the resulting order after
        // deployment.
        var blockRiskySaas = new SecurityRule("blockRiskySaas", SecurityRuleArgs.builder()
            .folder("All")
            .name("Block Risky SaaS Applications143")
            .description("Prevent data exfiltration by blocking risky SaaS apps...")
            .action("deny")
            .policyType("Internet")
            .securitySettings(SecurityRuleSecuritySettingsArgs.builder()
                .antiSpyware("yes")
                .vulnerability("yes")
                .virusAndWildfireAnalysis("yes")
                .build())
            .blockWebApplications("facebook-posting")
            .logSettings(SecurityRuleLogSettingsArgs.builder()
                .logSessions(true)
                .build())
            .froms("any")
            .tos("any")
            .sources("any")
            .destinations("any")
            .sourceUsers("any")
            .disabled(false)
            .tags(
                outboundTag.name(),
                webTag.name())
            .build());
        // --- NEW Examples Demonstrating Rule Ordering ---
        // Example 1: Place a critical block rule at the absolute top
        // NOTE(review): as written this denies any zone, address, user,
        // category, application and service. At the top of the rulebase it
        // would drop all traffic and no rule below it would ever be reached. To
        // match the rule's name, point sources and/or destinations at the
        // address group or external dynamic list that holds the known-bad IPs
        // (e.g. "<MALICIOUS_IP_LIST>", a placeholder) instead of "any".
        var criticalBlockTop = new SecurityRule("criticalBlockTop", SecurityRuleArgs.builder()
            .folder("All")
            .name("CRITICAL Block Malicious IPs Top143")
            .description("Always block known malicious IPs first.")
            .relativePosition("top")
            .action("deny")
            .froms("any")
            .tos("any")
            .sources("any")
            .destinations("any")
            .sourceUsers("any")
            .categories("any")
            .applications("any")
            .services("any")
            .logEnd(true)
            .tags(outboundTag.name())
            .build());
        // Example 2: Place a cleanup rule at the absolute bottom
        // Catch-all deny with logEnd, so traffic that no earlier rule allowed is
        // dropped and logged. position is not set here; confirm which rulebase
        // (pre or post) "bottom" resolves to.
        var cleanupDenyBottom = new SecurityRule("cleanupDenyBottom", SecurityRuleArgs.builder()
            .folder("All")
            .name("Cleanup Deny All Bottom143")
            .description("Deny any traffic not explicitly allowed.")
            .relativePosition("bottom")
            .action("deny")
            .froms("any")
            .tos("any")
            .sources("any")
            .destinations("any")
            .sourceUsers("any")
            .categories("any")
            .applications("any")
            .services("any")
            .logEnd(true)
            .tags(outboundTag.name())
            .build());
        // Example 3: Place a rule *before* the standard web access rule
        // targetRule takes the id of the anchor rule; relativePosition says on
        // which side of it this rule goes. sources and destinations stay "any";
        // narrow them where the update clients or update servers are known.
        var allowUpdatesBeforeWeb = new SecurityRule("allowUpdatesBeforeWeb", SecurityRuleArgs.builder()
            .folder("All")
            .name("Allow OS Updates Before Web143")
            .description("Allow specific OS update traffic before general web access.")
            .relativePosition("before")
            .targetRule(standardWebAccess.id())
            .action("allow")
            .froms("trust")
            .tos("untrust")
            .sources("any")
            .destinations("any")
            .sourceUsers("any")
            .categories("any")
            .applications(
                "ms-update",
                "apple-update")
            .services("service-https")
            .logEnd(true)
            .tags(outboundTag.name())
            .build());
        // Example 4: Place a rule *after* the standard web access rule
        // NOTE(review): the application list is a stand-in. "ms-update" is not
        // a corporate app, and Example 3 already allows it for the same zones
        // and service earlier in the order, so this rule would never be the
        // first match. Replace it with the real application names before use.
        var allowCorpAppsAfterWeb = new SecurityRule("allowCorpAppsAfterWeb", SecurityRuleArgs.builder()
            .folder("All")
            .name("Allow Corp Apps After Web143")
            .description("Allow access to specific corporate apps after general web access.")
            .relativePosition("after")
            .targetRule(standardWebAccess.id())
            .action("allow")
            .froms("trust")
            .tos("untrust")
            .sources("any")
            .destinations("any")
            .sourceUsers("any")
            .categories("any")
            .applications("ms-update")
            .services("service-https")
            .logEnd(true)
            .tags(webTag.name())
            .build());
    }
}
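# Two tags and six security rules in folder "All". Security rules are evaluated
# top-down with the first match winning, so the placement fields (position,
# relativePosition, targetRule) decide which rule takes effect.
resources:
  # First, create the tag objects that you will reference.
  outboundTag:
    type: scm:Tag
    name: outbound_tag
    properties:
      folder: All
      name: outbound143
      color: Red
  webTag:
    type: scm:Tag
    name: web_tag
    properties:
      folder: All
      name: web143
      color: Blue
  # --- Existing Rules (Backward Compatibility) ---
  # NOTE(review): the description says "outbound", but the zone match is
  # froms [untrust, trust] -> tos [trust]. If "untrust" is the external zone (the
  # usual naming), this also admits untrust -> trust sessions, i.e. inbound web
  # traffic to any destination in trust. The outbound examples below use
  # froms [trust] -> tos [untrust]; confirm the intended direction.
  standardWebAccess:
    type: scm:SecurityRule
    name: standard_web_access
    properties:
      folder: All
      name: Allow Standard Web Access143
      description: Allow outbound web traffic to any destination...
      position: pre
      action: allow
      categories:
        - any
      applications:
        - web-browsing
        - ssl
      services:
        - service-http
        - service-https
      froms:
        - untrust
        - trust
      tos:
        - trust
      sources:
        - any
      destinations:
        - any
      negateSource: false
      negateDestination: false
      # Identity & Content
      sourceUsers:
        - any
      sourceHips: # Security-only
        - any
      destinationHips: # Security-only
        - any
      logStart: true # Security-only
      logEnd: true
      # Optional fields
      disabled: false
      # Use the names of the tags you just created.
      tags:
        - ${outboundTag.name}
        - ${webTag.name}
  # Deny rule built from the web-security fields (policyType Internet).
  # No position or relativePosition is set, so its place in the rulebase is left
  # to the provider default; check the resulting order after deployment.
  blockRiskySaas:
    type: scm:SecurityRule
    name: block_risky_saas
    properties:
      folder: All
      name: Block Risky SaaS Applications143
      description: Prevent data exfiltration by blocking risky SaaS apps...
      action: deny
      policyType: Internet
      # Quoted so the value stays the string "yes"; some YAML parsers read a
      # bare yes as boolean true, which would leave these protections unset or
      # rejected.
      securitySettings:
        antiSpyware: "yes"
        vulnerability: "yes"
        virusAndWildfireAnalysis: "yes"
      blockWebApplications:
        - facebook-posting
      logSettings:
        logSessions: true
      froms:
        - any
      tos:
        - any
      sources:
        - any
      destinations:
        - any
      sourceUsers:
        - any
      disabled: false
      tags:
        - ${outboundTag.name}
        - ${webTag.name}
  # --- NEW Examples Demonstrating Rule Ordering ---
  # Example 1: Place a critical block rule at the absolute top
  # NOTE(review): as written this denies any zone, address, user, category,
  # application and service. At the top of the rulebase it would drop all traffic
  # and no rule below it would ever be reached. To match the rule's name, point
  # sources and/or destinations at the address group or external dynamic list
  # that holds the known-bad IPs (e.g. "<MALICIOUS_IP_LIST>", a placeholder)
  # instead of any.
  criticalBlockTop:
    type: scm:SecurityRule
    name: critical_block_top
    properties:
      folder: All
      name: CRITICAL Block Malicious IPs Top143
      description: Always block known malicious IPs first.
      relativePosition: top
      action: deny
      froms:
        - any
      tos:
        - any
      sources:
        - any
      destinations:
        - any
      sourceUsers:
        - any
      categories:
        - any
      applications:
        - any
      services:
        - any
      logEnd: true
      tags:
        - ${outboundTag.name}
  # Example 2: Place a cleanup rule at the absolute bottom
  # Catch-all deny with logEnd, so traffic that no earlier rule allowed is
  # dropped and logged. position is not set here; confirm which rulebase (pre or
  # post) "bottom" resolves to.
  cleanupDenyBottom:
    type: scm:SecurityRule
    name: cleanup_deny_bottom
    properties:
      folder: All
      name: Cleanup Deny All Bottom143
      description: Deny any traffic not explicitly allowed.
      relativePosition: bottom
      action: deny
      froms:
        - any
      tos:
        - any
      sources:
        - any
      destinations:
        - any
      sourceUsers:
        - any
      categories:
        - any
      applications:
        - any
      services:
        - any
      logEnd: true
      tags:
        - ${outboundTag.name}
  # Example 3: Place a rule *before* the standard web access rule
  # targetRule takes the id of the anchor rule; relativePosition says on which
  # side of it this rule goes.
  allowUpdatesBeforeWeb:
    type: scm:SecurityRule
    name: allow_updates_before_web
    properties:
      folder: All
      name: Allow OS Updates Before Web143
      description: Allow specific OS update traffic before general web access.
      relativePosition: before
      targetRule: ${standardWebAccess.id}
      action: allow
      froms:
        - trust
      tos:
        - untrust
      sources: # any = no source restriction; narrow to an address group where one exists
        - any
      destinations: # any = no destination restriction; narrow to an address group where one exists
        - any
      sourceUsers:
        - any
      categories:
        - any
      applications: # Example apps
        - ms-update
        - apple-update
      services:
        - service-https
      logEnd: true
      tags:
        - ${outboundTag.name}
  # Example 4: Place a rule *after* the standard web access rule
  # NOTE(review): the application list is a stand-in. ms-update is not a
  # corporate app, and Example 3 already allows it for the same zones and service
  # earlier in the order, so this rule would never be the first match. Replace it
  # with the real application names before use.
  allowCorpAppsAfterWeb:
    type: scm:SecurityRule
    name: allow_corp_apps_after_web
    properties:
      folder: All
      name: Allow Corp Apps After Web143
      description: Allow access to specific corporate apps after general web access.
      relativePosition: after
      targetRule: ${standardWebAccess.id}
      action: allow
      froms:
        - trust
      tos:
        - untrust
      sources:
        - any
      destinations: # any = no destination restriction; narrow to an address group where one exists
        - any
      sourceUsers:
        - any
      categories:
        - any
      applications: # Example app
        - ms-update
      services: # Example services
        - service-https
      logEnd: true
      tags:
        - ${webTag.name}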
Create SecurityRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecurityRule(name: string, args?: SecurityRuleArgs, opts?: CustomResourceOptions);
@overload
def SecurityRule(resource_name: str,
args: Optional[SecurityRuleArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def SecurityRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
allow_url_categories: Optional[Sequence[SecurityRuleAllowUrlCategoryArgs]] = None,
allow_web_applications: Optional[Sequence[SecurityRuleAllowWebApplicationArgs]] = None,
applications: Optional[Sequence[str]] = None,
block_url_categories: Optional[Sequence[str]] = None,
block_web_applications: Optional[Sequence[str]] = None,
categories: Optional[Sequence[str]] = None,
default_profile_settings: Optional[SecurityRuleDefaultProfileSettingsArgs] = None,
description: Optional[str] = None,
destination_hips: Optional[Sequence[str]] = None,
destinations: Optional[Sequence[str]] = None,
device: Optional[str] = None,
devices: Optional[Sequence[str]] = None,
disabled: Optional[bool] = None,
folder: Optional[str] = None,
froms: Optional[Sequence[str]] = None,
log_end: Optional[bool] = None,
log_setting: Optional[str] = None,
log_settings: Optional[SecurityRuleLogSettingsArgs] = None,
log_start: Optional[bool] = None,
name: Optional[str] = None,
negate_destination: Optional[bool] = None,
negate_source: Optional[bool] = None,
negate_user: Optional[bool] = None,
policy_type: Optional[str] = None,
position: Optional[str] = None,
profile_setting: Optional[SecurityRuleProfileSettingArgs] = None,
relative_position: Optional[str] = None,
schedule: Optional[str] = None,
security_settings: Optional[SecurityRuleSecuritySettingsArgs] = None,
services: Optional[Sequence[str]] = None,
snippet: Optional[str] = None,
source_hips: Optional[Sequence[str]] = None,
source_users: Optional[Sequence[str]] = None,
sources: Optional[Sequence[str]] = None,
tags: Optional[Sequence[str]] = None,
target_rule: Optional[str] = None,
tenant_restrictions: Optional[Sequence[str]] = None,
tos: Optional[Sequence[str]] = None)
func NewSecurityRule(ctx *Context, name string, args *SecurityRuleArgs, opts ...ResourceOption) (*SecurityRule, error)
public SecurityRule(string name, SecurityRuleArgs? args = null, CustomResourceOptions? opts = null)
public SecurityRule(String name, SecurityRuleArgs args)
public SecurityRule(String name, SecurityRuleArgs args, CustomResourceOptions options)
type: scm:SecurityRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecurityRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecurityRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecurityRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecurityRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecurityRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference template only: every input property is shown with a type placeholder
// ("string" / false), so this is not a working policy. Replace each value with a
// real one. The Python signature on this page lists these inputs as Optional, so
// unused ones can presumably be omitted -- confirm against the provider schema.
var securityRuleResource = new Scm.SecurityRule("securityRuleResource", new()
{
// Action taken when the rule matches; the usage examples on this page use "allow" and "deny".
Action = "string",
AllowUrlCategories = new[]
{
new Scm.Inputs.SecurityRuleAllowUrlCategoryArgs
{
AdditionalAction = "string",
CredentialEnforcement = "string",
Decryption = "string",
Dlp = "string",
FileControl = new Scm.Inputs.SecurityRuleAllowUrlCategoryFileControlArgs
{
Download = "string",
Upload = "string",
},
IsolationProfiles = "string",
Name = "string",
},
},
AllowWebApplications = new[]
{
new Scm.Inputs.SecurityRuleAllowWebApplicationArgs
{
ApplicationFunctions = new[]
{
"string",
},
Dlp = "string",
FileControl = new Scm.Inputs.SecurityRuleAllowWebApplicationFileControlArgs
{
Download = "string",
Upload = "string",
},
Name = "string",
SaasEnterpriseControl = new Scm.Inputs.SecurityRuleAllowWebApplicationSaasEnterpriseControlArgs
{
ConsumerAccess = new Scm.Inputs.SecurityRuleAllowWebApplicationSaasEnterpriseControlConsumerAccessArgs
{
Enable = "string",
},
EnterpriseAccess = new Scm.Inputs.SecurityRuleAllowWebApplicationSaasEnterpriseControlEnterpriseAccessArgs
{
Enable = "string",
TenantRestrictions = new[]
{
"string",
},
},
},
SaasTenantLists = new[]
{
"string",
},
SaasUserLists = new[]
{
"string",
},
TenantControl = new Scm.Inputs.SecurityRuleAllowWebApplicationTenantControlArgs
{
AllowedActivities = new[]
{
"string",
},
BlockedActivities = new[]
{
"string",
},
ParentApplication = "string",
Tenants = new[]
{
"string",
},
},
Type = "string",
},
},
Applications = new[]
{
"string",
},
BlockUrlCategories = new[]
{
"string",
},
BlockWebApplications = new[]
{
"string",
},
Categories = new[]
{
"string",
},
DefaultProfileSettings = new Scm.Inputs.SecurityRuleDefaultProfileSettingsArgs
{
Dlp = "string",
FileControl = new Scm.Inputs.SecurityRuleDefaultProfileSettingsFileControlArgs
{
Download = "string",
Upload = "string",
},
},
Description = "string",
DestinationHips = new[]
{
"string",
},
Destinations = new[]
{
"string",
},
Device = "string",
Devices = new[]
{
"string",
},
// "Is the security rule disabled?" -- false is only the type placeholder here.
Disabled = false,
Folder = "string",
// Source security zone(s).
Froms = new[]
{
"string",
},
// LogStart / LogEnd control logging at session start / end. false is only the
// type placeholder; the usage example on this page sets both to true.
LogEnd = false,
LogSetting = "string",
LogSettings = new Scm.Inputs.SecurityRuleLogSettingsArgs
{
LogSessions = false,
},
LogStart = false,
Name = "string",
// The Negate* flags negate the destination address(es), source address(es) and
// user match respectively; review any rule that sets one of them to true.
NegateDestination = false,
NegateSource = false,
NegateUser = false,
PolicyType = "string",
Position = "string",
ProfileSetting = new Scm.Inputs.SecurityRuleProfileSettingArgs
{
Groups = new[]
{
"string",
},
},
// Must be one of "before", "after", "top", "bottom". When omitted, the rule is
// created at the bottom of the ruleset.
RelativePosition = "string",
Schedule = "string",
SecuritySettings = new Scm.Inputs.SecurityRuleSecuritySettingsArgs
{
AntiSpyware = "string",
VirusAndWildfireAnalysis = "string",
Vulnerability = "string",
},
Services = new[]
{
"string",
},
Snippet = "string",
SourceHips = new[]
{
"string",
},
// Source users and/or groups; reserved words include any, pre-login, known-user and unknown.
SourceUsers = new[]
{
"string",
},
Sources = new[]
{
"string",
},
Tags = new[]
{
"string",
},
// Name or UUID of the rule to position this rule relative to; required when
// RelativePosition is "before" or "after".
TargetRule = "string",
TenantRestrictions = new[]
{
"string",
},
// Destination security zone(s).
Tos = new[]
{
"string",
},
});
// Reference template only: every input property is shown with a type placeholder
// ("string" / false), so this is not a working policy. Replace each value with a
// real one. The Python signature on this page lists these inputs as Optional, so
// unused ones can presumably be omitted -- confirm against the provider schema.
// NOTE(review): err is not checked in this snippet; handle it in real code.
example, err := scm.NewSecurityRule(ctx, "securityRuleResource", &scm.SecurityRuleArgs{
// Action taken when the rule matches; the usage examples on this page use "allow" and "deny".
Action: pulumi.String("string"),
AllowUrlCategories: scm.SecurityRuleAllowUrlCategoryArray{
&scm.SecurityRuleAllowUrlCategoryArgs{
AdditionalAction: pulumi.String("string"),
CredentialEnforcement: pulumi.String("string"),
Decryption: pulumi.String("string"),
Dlp: pulumi.String("string"),
FileControl: &scm.SecurityRuleAllowUrlCategoryFileControlArgs{
Download: pulumi.String("string"),
Upload: pulumi.String("string"),
},
IsolationProfiles: pulumi.String("string"),
Name: pulumi.String("string"),
},
},
AllowWebApplications: scm.SecurityRuleAllowWebApplicationArray{
&scm.SecurityRuleAllowWebApplicationArgs{
ApplicationFunctions: pulumi.StringArray{
pulumi.String("string"),
},
Dlp: pulumi.String("string"),
FileControl: &scm.SecurityRuleAllowWebApplicationFileControlArgs{
Download: pulumi.String("string"),
Upload: pulumi.String("string"),
},
Name: pulumi.String("string"),
SaasEnterpriseControl: &scm.SecurityRuleAllowWebApplicationSaasEnterpriseControlArgs{
ConsumerAccess: &scm.SecurityRuleAllowWebApplicationSaasEnterpriseControlConsumerAccessArgs{
Enable: pulumi.String("string"),
},
EnterpriseAccess: &scm.SecurityRuleAllowWebApplicationSaasEnterpriseControlEnterpriseAccessArgs{
Enable: pulumi.String("string"),
TenantRestrictions: pulumi.StringArray{
pulumi.String("string"),
},
},
},
SaasTenantLists: pulumi.StringArray{
pulumi.String("string"),
},
SaasUserLists: pulumi.StringArray{
pulumi.String("string"),
},
TenantControl: &scm.SecurityRuleAllowWebApplicationTenantControlArgs{
AllowedActivities: pulumi.StringArray{
pulumi.String("string"),
},
BlockedActivities: pulumi.StringArray{
pulumi.String("string"),
},
ParentApplication: pulumi.String("string"),
Tenants: pulumi.StringArray{
pulumi.String("string"),
},
},
Type: pulumi.String("string"),
},
},
Applications: pulumi.StringArray{
pulumi.String("string"),
},
BlockUrlCategories: pulumi.StringArray{
pulumi.String("string"),
},
BlockWebApplications: pulumi.StringArray{
pulumi.String("string"),
},
Categories: pulumi.StringArray{
pulumi.String("string"),
},
DefaultProfileSettings: &scm.SecurityRuleDefaultProfileSettingsArgs{
Dlp: pulumi.String("string"),
FileControl: &scm.SecurityRuleDefaultProfileSettingsFileControlArgs{
Download: pulumi.String("string"),
Upload: pulumi.String("string"),
},
},
Description: pulumi.String("string"),
DestinationHips: pulumi.StringArray{
pulumi.String("string"),
},
Destinations: pulumi.StringArray{
pulumi.String("string"),
},
Device: pulumi.String("string"),
Devices: pulumi.StringArray{
pulumi.String("string"),
},
// "Is the security rule disabled?" -- false is only the type placeholder here.
Disabled: pulumi.Bool(false),
Folder: pulumi.String("string"),
// Source security zone(s).
Froms: pulumi.StringArray{
pulumi.String("string"),
},
// LogStart / LogEnd control logging at session start / end. false is only the
// type placeholder; the usage example on this page sets both to true.
LogEnd: pulumi.Bool(false),
LogSetting: pulumi.String("string"),
LogSettings: &scm.SecurityRuleLogSettingsArgs{
LogSessions: pulumi.Bool(false),
},
LogStart: pulumi.Bool(false),
Name: pulumi.String("string"),
// The Negate* flags negate the destination address(es), source address(es) and
// user match respectively; review any rule that sets one of them to true.
NegateDestination: pulumi.Bool(false),
NegateSource: pulumi.Bool(false),
NegateUser: pulumi.Bool(false),
PolicyType: pulumi.String("string"),
Position: pulumi.String("string"),
ProfileSetting: &scm.SecurityRuleProfileSettingArgs{
Groups: pulumi.StringArray{
pulumi.String("string"),
},
},
// Must be one of "before", "after", "top", "bottom". When omitted, the rule is
// created at the bottom of the ruleset.
RelativePosition: pulumi.String("string"),
Schedule: pulumi.String("string"),
SecuritySettings: &scm.SecurityRuleSecuritySettingsArgs{
AntiSpyware: pulumi.String("string"),
VirusAndWildfireAnalysis: pulumi.String("string"),
Vulnerability: pulumi.String("string"),
},
Services: pulumi.StringArray{
pulumi.String("string"),
},
Snippet: pulumi.String("string"),
SourceHips: pulumi.StringArray{
pulumi.String("string"),
},
// Source users and/or groups; reserved words include any, pre-login, known-user and unknown.
SourceUsers: pulumi.StringArray{
pulumi.String("string"),
},
Sources: pulumi.StringArray{
pulumi.String("string"),
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
// Name or UUID of the rule to position this rule relative to; required when
// RelativePosition is "before" or "after".
TargetRule: pulumi.String("string"),
TenantRestrictions: pulumi.StringArray{
pulumi.String("string"),
},
// Destination security zone(s).
Tos: pulumi.StringArray{
pulumi.String("string"),
},
})
// Reference template only: every input property is shown with a type placeholder
// ("string" / false), so this is not a working policy. Replace each value with a
// real one. The Python signature on this page lists these inputs as Optional, so
// unused ones can presumably be omitted -- confirm against the provider schema.
var securityRuleResource = new SecurityRule("securityRuleResource", SecurityRuleArgs.builder()
// Action taken when the rule matches; the usage examples on this page use "allow" and "deny".
.action("string")
.allowUrlCategories(SecurityRuleAllowUrlCategoryArgs.builder()
.additionalAction("string")
.credentialEnforcement("string")
.decryption("string")
.dlp("string")
.fileControl(SecurityRuleAllowUrlCategoryFileControlArgs.builder()
.download("string")
.upload("string")
.build())
.isolationProfiles("string")
.name("string")
.build())
.allowWebApplications(SecurityRuleAllowWebApplicationArgs.builder()
.applicationFunctions("string")
.dlp("string")
.fileControl(SecurityRuleAllowWebApplicationFileControlArgs.builder()
.download("string")
.upload("string")
.build())
.name("string")
.saasEnterpriseControl(SecurityRuleAllowWebApplicationSaasEnterpriseControlArgs.builder()
.consumerAccess(SecurityRuleAllowWebApplicationSaasEnterpriseControlConsumerAccessArgs.builder()
.enable("string")
.build())
.enterpriseAccess(SecurityRuleAllowWebApplicationSaasEnterpriseControlEnterpriseAccessArgs.builder()
.enable("string")
.tenantRestrictions("string")
.build())
.build())
.saasTenantLists("string")
.saasUserLists("string")
.tenantControl(SecurityRuleAllowWebApplicationTenantControlArgs.builder()
.allowedActivities("string")
.blockedActivities("string")
.parentApplication("string")
.tenants("string")
.build())
.type("string")
.build())
.applications("string")
.blockUrlCategories("string")
.blockWebApplications("string")
.categories("string")
.defaultProfileSettings(SecurityRuleDefaultProfileSettingsArgs.builder()
.dlp("string")
.fileControl(SecurityRuleDefaultProfileSettingsFileControlArgs.builder()
.download("string")
.upload("string")
.build())
.build())
.description("string")
.destinationHips("string")
.destinations("string")
.device("string")
.devices("string")
// "Is the security rule disabled?" -- false is only the type placeholder here.
.disabled(false)
.folder("string")
// Source security zone(s).
.froms("string")
// logStart / logEnd control logging at session start / end. false is only the
// type placeholder; the usage example on this page sets both to true.
.logEnd(false)
.logSetting("string")
.logSettings(SecurityRuleLogSettingsArgs.builder()
.logSessions(false)
.build())
.logStart(false)
.name("string")
// The negate* flags negate the destination address(es), source address(es) and
// user match respectively; review any rule that sets one of them to true.
.negateDestination(false)
.negateSource(false)
.negateUser(false)
.policyType("string")
.position("string")
.profileSetting(SecurityRuleProfileSettingArgs.builder()
.groups("string")
.build())
// Must be one of "before", "after", "top", "bottom". When omitted, the rule is
// created at the bottom of the ruleset.
.relativePosition("string")
.schedule("string")
.securitySettings(SecurityRuleSecuritySettingsArgs.builder()
.antiSpyware("string")
.virusAndWildfireAnalysis("string")
.vulnerability("string")
.build())
.services("string")
.snippet("string")
.sourceHips("string")
// Source users and/or groups; reserved words include any, pre-login, known-user and unknown.
.sourceUsers("string")
.sources("string")
.tags("string")
// Name or UUID of the rule to position this rule relative to; required when
// relativePosition is "before" or "after".
.targetRule("string")
.tenantRestrictions("string")
// Destination security zone(s).
.tos("string")
.build());
# Reference template only: every input property is shown with a type placeholder
# ("string" / False), so this is not a working policy. Replace each value with a
# real one. The constructor signature on this page lists these inputs as Optional,
# so unused ones can presumably be omitted -- confirm against the provider schema.
security_rule_resource = scm.SecurityRule("securityRuleResource",
# Action taken when the rule matches; the usage examples on this page use "allow" and "deny".
action="string",
allow_url_categories=[{
"additional_action": "string",
"credential_enforcement": "string",
"decryption": "string",
"dlp": "string",
"file_control": {
"download": "string",
"upload": "string",
},
"isolation_profiles": "string",
"name": "string",
}],
allow_web_applications=[{
"application_functions": ["string"],
"dlp": "string",
"file_control": {
"download": "string",
"upload": "string",
},
"name": "string",
"saas_enterprise_control": {
"consumer_access": {
"enable": "string",
},
"enterprise_access": {
"enable": "string",
"tenant_restrictions": ["string"],
},
},
"saas_tenant_lists": ["string"],
"saas_user_lists": ["string"],
"tenant_control": {
"allowed_activities": ["string"],
"blocked_activities": ["string"],
"parent_application": "string",
"tenants": ["string"],
},
"type": "string",
}],
applications=["string"],
block_url_categories=["string"],
block_web_applications=["string"],
categories=["string"],
default_profile_settings={
"dlp": "string",
"file_control": {
"download": "string",
"upload": "string",
},
},
description="string",
destination_hips=["string"],
destinations=["string"],
device="string",
devices=["string"],
# "Is the security rule disabled?" -- False is only the type placeholder here.
disabled=False,
folder="string",
# Source security zone(s).
froms=["string"],
# log_start / log_end control logging at session start / end. False is only the
# type placeholder; the usage example on this page sets both to true.
log_end=False,
log_setting="string",
log_settings={
"log_sessions": False,
},
log_start=False,
name="string",
# The negate_* flags negate the destination address(es), source address(es) and
# user match respectively; review any rule that sets one of them to True.
negate_destination=False,
negate_source=False,
negate_user=False,
policy_type="string",
position="string",
profile_setting={
"groups": ["string"],
},
# Must be one of "before", "after", "top", "bottom". When omitted, the rule is
# created at the bottom of the ruleset.
relative_position="string",
schedule="string",
security_settings={
"anti_spyware": "string",
"virus_and_wildfire_analysis": "string",
"vulnerability": "string",
},
services=["string"],
snippet="string",
source_hips=["string"],
# Source users and/or groups; reserved words include any, pre-login, known-user and unknown.
source_users=["string"],
sources=["string"],
tags=["string"],
# Name or UUID of the rule to position this rule relative to; required when
# relative_position is "before" or "after".
target_rule="string",
tenant_restrictions=["string"],
# Destination security zone(s).
tos=["string"])
// Reference template only: every input property is shown with a type placeholder
// ("string" / false), so this is not a working policy. Replace each value with a
// real one. The Python signature on this page lists these inputs as Optional, so
// unused ones can presumably be omitted -- confirm against the provider schema.
const securityRuleResource = new scm.SecurityRule("securityRuleResource", {
// Action taken when the rule matches; the usage examples on this page use "allow" and "deny".
action: "string",
allowUrlCategories: [{
additionalAction: "string",
credentialEnforcement: "string",
decryption: "string",
dlp: "string",
fileControl: {
download: "string",
upload: "string",
},
isolationProfiles: "string",
name: "string",
}],
allowWebApplications: [{
applicationFunctions: ["string"],
dlp: "string",
fileControl: {
download: "string",
upload: "string",
},
name: "string",
saasEnterpriseControl: {
consumerAccess: {
enable: "string",
},
enterpriseAccess: {
enable: "string",
tenantRestrictions: ["string"],
},
},
saasTenantLists: ["string"],
saasUserLists: ["string"],
tenantControl: {
allowedActivities: ["string"],
blockedActivities: ["string"],
parentApplication: "string",
tenants: ["string"],
},
type: "string",
}],
applications: ["string"],
blockUrlCategories: ["string"],
blockWebApplications: ["string"],
categories: ["string"],
defaultProfileSettings: {
dlp: "string",
fileControl: {
download: "string",
upload: "string",
},
},
description: "string",
destinationHips: ["string"],
destinations: ["string"],
device: "string",
devices: ["string"],
// "Is the security rule disabled?" -- false is only the type placeholder here.
disabled: false,
folder: "string",
// Source security zone(s).
froms: ["string"],
// logStart / logEnd control logging at session start / end. false is only the
// type placeholder; the usage example on this page sets both to true.
logEnd: false,
logSetting: "string",
logSettings: {
logSessions: false,
},
logStart: false,
name: "string",
// The negate* flags negate the destination address(es), source address(es) and
// user match respectively; review any rule that sets one of them to true.
negateDestination: false,
negateSource: false,
negateUser: false,
policyType: "string",
position: "string",
profileSetting: {
groups: ["string"],
},
// Must be one of "before", "after", "top", "bottom". When omitted, the rule is
// created at the bottom of the ruleset.
relativePosition: "string",
schedule: "string",
securitySettings: {
antiSpyware: "string",
virusAndWildfireAnalysis: "string",
vulnerability: "string",
},
services: ["string"],
snippet: "string",
sourceHips: ["string"],
// Source users and/or groups; reserved words include any, pre-login, known-user and unknown.
sourceUsers: ["string"],
sources: ["string"],
tags: ["string"],
// Name or UUID of the rule to position this rule relative to; required when
// relativePosition is "before" or "after".
targetRule: "string",
tenantRestrictions: ["string"],
// Destination security zone(s).
tos: ["string"],
});
# Reference template only: every input property is shown with a type placeholder
# (string / false), so this is not a working policy. Replace each value with a
# real one before deploying.
# NOTE(review): the nesting indentation of this listing was lost; restore it
# (the other language examples on this page show the structure) before use.
type: scm:SecurityRule
properties:
# Action taken when the rule matches; the usage examples on this page use "allow" and "deny".
action: string
allowUrlCategories:
- additionalAction: string
credentialEnforcement: string
decryption: string
dlp: string
fileControl:
download: string
upload: string
isolationProfiles: string
name: string
allowWebApplications:
- applicationFunctions:
- string
dlp: string
fileControl:
download: string
upload: string
name: string
saasEnterpriseControl:
consumerAccess:
enable: string
enterpriseAccess:
enable: string
tenantRestrictions:
- string
saasTenantLists:
- string
saasUserLists:
- string
tenantControl:
allowedActivities:
- string
blockedActivities:
- string
parentApplication: string
tenants:
- string
type: string
applications:
- string
blockUrlCategories:
- string
blockWebApplications:
- string
categories:
- string
defaultProfileSettings:
dlp: string
fileControl:
download: string
upload: string
description: string
destinationHips:
- string
destinations:
- string
device: string
devices:
- string
# "Is the security rule disabled?" -- false is only the type placeholder here.
disabled: false
folder: string
# Source security zone(s).
froms:
- string
# logStart / logEnd control logging at session start / end. false is only the
# type placeholder; the usage example on this page sets both to true.
logEnd: false
logSetting: string
logSettings:
logSessions: false
logStart: false
name: string
# The negate* flags negate the destination address(es), source address(es) and
# user match respectively; review any rule that sets one of them to true.
negateDestination: false
negateSource: false
negateUser: false
policyType: string
position: string
profileSetting:
groups:
- string
# Must be one of "before", "after", "top", "bottom". When omitted, the rule is
# created at the bottom of the ruleset.
relativePosition: string
schedule: string
securitySettings:
antiSpyware: string
virusAndWildfireAnalysis: string
vulnerability: string
services:
- string
snippet: string
sourceHips:
- string
# Source users and/or groups; reserved words include any, pre-login, known-user and unknown.
sourceUsers:
- string
sources:
- string
tags:
- string
# Name or UUID of the rule to position this rule relative to; required when
# relativePosition is "before" or "after".
targetRule: string
tenantRestrictions:
- string
# Destination security zone(s).
tos:
- string
SecurityRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecurityRule resource accepts the following input properties:
- Action string
- The action to be taken when the rule is matched
- Allow
Url List<SecurityCategories Rule Allow Url Category> - Allow url category
- Allow
Web List<SecurityApplications Rule Allow Web Application> - Allow web application
- Applications List<string>
- The application(s) being accessed
- Block
Url List<string>Categories - Block url category
- Block
Web List<string>Applications - Block web application
- Categories List<string>
- The URL categories being accessed
- Default
Profile SecuritySettings Rule Default Profile Settings - Default profile settings
- Description string
- The description of the security rule
- Destination
Hips List<string> - The destination Host Integrity Profile(s)
- Destinations List<string>
- The destination address(es)
- Device string
- The device in which the resource is defined
- Devices List<string>
- Devices
- Disabled bool
- Is the security rule disabled?
- Folder string
- The folder in which the resource is defined
- Froms List<string>
- The source security zone(s)
- Log
End bool - Log at session end?
- Log
Setting string - The external log forwarding profile
- Log
Settings SecurityRule Log Settings - Log settings
- Log
Start bool - Log at session start?
- Name string
- The name of the security rule
- Negate
Destination bool - Negate the destination addresses(es)?
- Negate
Source bool - Negate the source address(es)?
- Negate
User bool - Negate user
- Policy
Type string - Policy type
- Position string
- The position of a security rule
- Profile
Setting SecurityRule Profile Setting - The security profile object
- RelativePosition string
- Relative positioning rule. String must be one of these: "before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset.
- Schedule string
- Schedule in which this rule will be applied
- Security
Settings SecurityRule Security Settings - Security settings
- Services List<string>
- The service(s) being accessed
- Snippet string
- The snippet in which the resource is defined
- Source
Hips List<string> - The source Host Integrity Profile(s)
- SourceUsers List<string>
- List of source users and/or groups. Reserved words include any, pre-login, known-user, and unknown.
- Sources List<string>
- The source address(es)
- Tags List<string>
- The tags associated with the security rule
- TargetRule string
- The name or UUID of the rule to position this rule relative to. Required when relative_position is "before" or "after".
- TenantRestrictions List<string>
- Tenant restrictions
- Tos List<string>
- The destination security zone(s)
- Action string
- The action to be taken when the rule is matched
- Allow
Url []SecurityCategories Rule Allow Url Category Args - Allow url category
- Allow
Web []SecurityApplications Rule Allow Web Application Args - Allow web application
- Applications []string
- The application(s) being accessed
- Block
Url []stringCategories - Block url category
- Block
Web []stringApplications - Block web application
- Categories []string
- The URL categories being accessed
- Default
Profile SecuritySettings Rule Default Profile Settings Args - Default profile settings
- Description string
- The description of the security rule
- Destination
Hips []string - The destination Host Integrity Profile(s)
- Destinations []string
- The destination address(es)
- Device string
- The device in which the resource is defined
- Devices []string
- Devices
- Disabled bool
- Is the security rule disabled?
- Folder string
- The folder in which the resource is defined
- Froms []string
- The source security zone(s)
- Log
End bool - Log at session end?
- Log
Setting string - The external log forwarding profile
- Log
Settings SecurityRule Log Settings Args - Log settings
- Log
Start bool - Log at session start?
- Name string
- The name of the security rule
- Negate
Destination bool - Negate the destination addresses(es)?
- Negate
Source bool - Negate the source address(es)?
- Negate
User bool - Negate user
- Policy
Type string - Policy type
- Position string
- The position of a security rule
- Profile
Setting SecurityRule Profile Setting Args - The security profile object
- RelativePosition string
- Relative positioning rule. String must be one of these: "before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset.
- Schedule string
- Schedule in which this rule will be applied
- Security
Settings SecurityRule Security Settings Args - Security settings
- Services []string
- The service(s) being accessed
- Snippet string
- The snippet in which the resource is defined
- Source
Hips []string - The source Host Integrity Profile(s)
- SourceUsers []string
- List of source users and/or groups. Reserved words include any, pre-login, known-user, and unknown.
- Sources []string
- The source address(es)
- Tags []string
- The tags associated with the security rule
- TargetRule string
- The name or UUID of the rule to position this rule relative to. Required when relative_position is "before" or "after".
- TenantRestrictions []string
- Tenant restrictions
- Tos []string
- The destination security zone(s)
- action String
- The action to be taken when the rule is matched
- allow
Url List<SecurityCategories Rule Allow Url Category> - Allow url category
- allow
Web List<SecurityApplications Rule Allow Web Application> - Allow web application
- applications List<String>
- The application(s) being accessed
- block
Url List<String>Categories - Block url category
- block
Web List<String>Applications - Block web application
- categories List<String>
- The URL categories being accessed
- default
Profile SecuritySettings Rule Default Profile Settings - Default profile settings
- description String
- The description of the security rule
- destination
Hips List<String> - The destination Host Integrity Profile(s)
- destinations List<String>
- The destination address(es)
- device String
- The device in which the resource is defined
- devices List<String>
- Devices
- disabled Boolean
- Is the security rule disabled?
- folder String
- The folder in which the resource is defined
- froms List<String>
- The source security zone(s)
- log
End Boolean - Log at session end?
- log
Setting String - The external log forwarding profile
- log
Settings SecurityRule Log Settings - Log settings
- log
Start Boolean - Log at session start?
- name String
- The name of the security rule
- negate
Destination Boolean - Negate the destination addresses(es)?
- negate
Source Boolean - Negate the source address(es)?
- negate
User Boolean - Negate user
- policy
Type String - Policy type
- position String
- The position of a security rule
- profile
Setting SecurityRule Profile Setting - The security profile object
- relativePosition String
- Relative positioning rule. String must be one of these: "before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset.
- schedule String
- Schedule in which this rule will be applied
- security
Settings SecurityRule Security Settings - Security settings
- services List<String>
- The service(s) being accessed
- snippet String
- The snippet in which the resource is defined
- source
Hips List<String> - The source Host Integrity Profile(s)
- sourceUsers List<String>
- List of source users and/or groups. Reserved words include any, pre-login, known-user, and unknown.
- sources List<String>
- The source address(es)
- tags List<String>
- The tags associated with the security rule
- targetRule String
- The name or UUID of the rule to position this rule relative to. Required when relative_position is "before" or "after".
- tenantRestrictions List<String>
- Tenant restrictions
- tos List<String>
- The destination security zone(s)
- action string
- The action to be taken when the rule is matched
- allow
Url SecurityCategories Rule Allow Url Category[] - Allow url category
- allow
Web SecurityApplications Rule Allow Web Application[] - Allow web application
- applications string[]
- The application(s) being accessed
- block
Url string[]Categories - Block url category
- block
Web string[]Applications - Block web application
- categories string[]
- The URL categories being accessed
- default
Profile SecuritySettings Rule Default Profile Settings - Default profile settings
- description string
- The description of the security rule
- destination
Hips string[] - The destination Host Integrity Profile(s)
- destinations string[]
- The destination address(es)
- device string
- The device in which the resource is defined
- devices string[]
- Devices
- disabled boolean
- Is the security rule disabled?
- folder string
- The folder in which the resource is defined
- froms string[]
- The source security zone(s)
- log
End boolean - Log at session end?
- log
Setting string - The external log forwarding profile
- log
Settings SecurityRule Log Settings - Log settings
- log
Start boolean - Log at session start?
- name string
- The name of the security rule
- negate
Destination boolean - Negate the destination addresses(es)?
- negate
Source boolean - Negate the source address(es)?
- negate
User boolean - Negate user
- policy
Type string - Policy type
- position string
- The position of a security rule
- profile
Setting SecurityRule Profile Setting - The security profile object
- relativePosition string
- Relative positioning rule. String must be one of these: "before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset.
- schedule string
- Schedule in which this rule will be applied
- security
Settings SecurityRule Security Settings - Security settings
- services string[]
- The service(s) being accessed
- snippet string
- The snippet in which the resource is defined
- source
Hips string[] - The source Host Integrity Profile(s)
- sourceUsers string[]
- List of source users and/or groups. Reserved words include any, pre-login, known-user, and unknown.
- sources string[]
- The source address(es)
- tags string[]
- The tags associated with the security rule
- targetRule string
- The name or UUID of the rule to position this rule relative to. Required when relative_position is "before" or "after".
- tenantRestrictions string[]
- Tenant restrictions
- tos string[]
- The destination security zone(s)
- action str
- The action to be taken when the rule is matched
- allow_
url_ Sequence[Securitycategories Rule Allow Url Category Args] - Allow url category
- allow_
web_ Sequence[Securityapplications Rule Allow Web Application Args] - Allow web application
- applications Sequence[str]
- The application(s) being accessed
- block_
url_ Sequence[str]categories - Block url category
- block_
web_ Sequence[str]applications - Block web application
- categories Sequence[str]
- The URL categories being accessed
- default_
profile_ Securitysettings Rule Default Profile Settings Args - Default profile settings
- description str
- The description of the security rule
- destination_
hips Sequence[str] - The destination Host Integrity Profile(s)
- destinations Sequence[str]
- The destination address(es)
- device str
- The device in which the resource is defined
- devices Sequence[str]
- Devices
- disabled bool
- Is the security rule disabled?
- folder str
- The folder in which the resource is defined
- froms Sequence[str]
- The source security zone(s)
- log_
end bool - Log at session end?
- log_
setting str - The external log forwarding profile
- log_
settings SecurityRule Log Settings Args - Log settings
- log_
start bool - Log at session start?
- name str
- The name of the security rule
- negate_
destination bool - Negate the destination addresses(es)?
- negate_
source bool - Negate the source address(es)?
- negate_
user bool - Negate user
- policy_
type str - Policy type
- position str
- The position of a security rule
- profile_
setting SecurityRule Profile Setting Args - The security profile object
- relative_position str
- Relative positioning rule. String must be one of these: "before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset.
- schedule str
- Schedule in which this rule will be applied
- security_
settings SecurityRule Security Settings Args - Security settings
- services Sequence[str]
- The service(s) being accessed
- snippet str
- The snippet in which the resource is defined
- source_
hips Sequence[str] - The source Host Integrity Profile(s)
- source_users Sequence[str]
- List of source users and/or groups. Reserved words include any, pre-login, known-user, and unknown.
- sources Sequence[str]
- The source address(es)
- tags Sequence[str]
- The tags associated with the security rule
- target_rule str
- The name or UUID of the rule to position this rule relative to. Required when relative_position is "before" or "after".
- tenant_restrictions Sequence[str]
- Tenant restrictions
- tos Sequence[str]
- The destination security zone(s)
- action String
- The action to be taken when the rule is matched
- allow
Url List<Property Map>Categories - Allow url category
- allow
Web List<Property Map>Applications - Allow web application
- applications List<String>
- The application(s) being accessed
- block
Url List<String>Categories - Block url category
- block
Web List<String>Applications - Block web application
- categories List<String>
- The URL categories being accessed
- default
Profile Property MapSettings - Default profile settings
- description String
- The description of the security rule
- destination
Hips List<String> - The destination Host Integrity Profile(s)
- destinations List<String>
- The destination address(es)
- device String
- The device in which the resource is defined
- devices List<String>
- Devices
- disabled Boolean
- Is the security rule disabled?
- folder String
- The folder in which the resource is defined
- froms List<String>
- The source security zone(s)
- log
End Boolean - Log at session end?
- log
Setting String - The external log forwarding profile
- log
Settings Property Map - Log settings
- log
Start Boolean - Log at session start?
- name String
- The name of the security rule
- negate
Destination Boolean - Negate the destination addresses(es)?
- negate
Source Boolean - Negate the source address(es)?
- negate
User Boolean - Negate user
- policy
Type String - Policy type
- position String
- The position of a security rule
- profile
Setting Property Map - The security profile object
- relativePosition String
- Relative positioning rule. String must be one of these: "before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset.
- schedule String
- Schedule in which this rule will be applied
- security
Settings Property Map - Security settings
- services List<String>
- The service(s) being accessed
- snippet String
- The snippet in which the resource is defined
- source
Hips List<String> - The source Host Integrity Profile(s)
- sourceUsers List<String>
- List of source users and/or groups. Reserved words include any, pre-login, known-user, and unknown.
- sources List<String>
- The source address(es)
- tags List<String>
- The tags associated with the security rule
- targetRule String
- The name or UUID of the rule to position this rule relative to. Required when relative_position is "before" or "after".
- tenantRestrictions List<String>
- Tenant restrictions
- tos List<String>
- The destination security zone(s)
Outputs
All input properties are implicitly available as output properties. Additionally, the SecurityRule resource produces the following output properties:
Look up Existing SecurityRule Resource
Get an existing SecurityRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecurityRuleState, opts?: CustomResourceOptions): SecurityRule
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
allow_url_categories: Optional[Sequence[SecurityRuleAllowUrlCategoryArgs]] = None,
allow_web_applications: Optional[Sequence[SecurityRuleAllowWebApplicationArgs]] = None,
applications: Optional[Sequence[str]] = None,
block_url_categories: Optional[Sequence[str]] = None,
block_web_applications: Optional[Sequence[str]] = None,
categories: Optional[Sequence[str]] = None,
default_profile_settings: Optional[SecurityRuleDefaultProfileSettingsArgs] = None,
description: Optional[str] = None,
destination_hips: Optional[Sequence[str]] = None,
destinations: Optional[Sequence[str]] = None,
device: Optional[str] = None,
devices: Optional[Sequence[str]] = None,
disabled: Optional[bool] = None,
folder: Optional[str] = None,
froms: Optional[Sequence[str]] = None,
log_end: Optional[bool] = None,
log_setting: Optional[str] = None,
log_settings: Optional[SecurityRuleLogSettingsArgs] = None,
log_start: Optional[bool] = None,
name: Optional[str] = None,
negate_destination: Optional[bool] = None,
negate_source: Optional[bool] = None,
negate_user: Optional[bool] = None,
policy_type: Optional[str] = None,
position: Optional[str] = None,
profile_setting: Optional[SecurityRuleProfileSettingArgs] = None,
relative_position: Optional[str] = None,
schedule: Optional[str] = None,
security_settings: Optional[SecurityRuleSecuritySettingsArgs] = None,
services: Optional[Sequence[str]] = None,
snippet: Optional[str] = None,
source_hips: Optional[Sequence[str]] = None,
source_users: Optional[Sequence[str]] = None,
sources: Optional[Sequence[str]] = None,
tags: Optional[Sequence[str]] = None,
target_rule: Optional[str] = None,
tenant_restrictions: Optional[Sequence[str]] = None,
tfid: Optional[str] = None,
tos: Optional[Sequence[str]] = None) -> SecurityRule
func GetSecurityRule(ctx *Context, name string, id IDInput, state *SecurityRuleState, opts ...ResourceOption) (*SecurityRule, error)
public static SecurityRule Get(string name, Input<string> id, SecurityRuleState? state, CustomResourceOptions? opts = null)
public static SecurityRule get(String name, Output<String> id, SecurityRuleState state, CustomResourceOptions options)
resources:
  _:
    type: scm:SecurityRule
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
- The action to be taken when the rule is matched
- Allow
Url List<SecurityCategories Rule Allow Url Category> - Allow url category
- Allow
Web List<SecurityApplications Rule Allow Web Application> - Allow web application
- Applications List<string>
- The application(s) being accessed
- Block
Url List<string>Categories - Block url category
- Block
Web List<string>Applications - Block web application
- Categories List<string>
- The URL categories being accessed
- Default
Profile SecuritySettings Rule Default Profile Settings - Default profile settings
- Description string
- The description of the security rule
- Destination
Hips List<string> - The destination Host Integrity Profile(s)
- Destinations List<string>
- The destination address(es)
- Device string
- The device in which the resource is defined
- Devices List<string>
- Devices
- Disabled bool
- Is the security rule disabled?
- Folder string
- The folder in which the resource is defined
- Froms List<string>
- The source security zone(s)
- Log
End bool - Log at session end?
- Log
Setting string - The external log forwarding profile
- Log
Settings SecurityRule Log Settings - Log settings
- Log
Start bool - Log at session start?
- Name string
- The name of the security rule
- Negate
Destination bool - Negate the destination address(es)?
- Negate
Source bool - Negate the source address(es)?
- Negate
User bool - Negate user
- Policy
Type string - Policy type
- Position string
- The position of a security rule
- Profile
Setting SecurityRule Profile Setting - The security profile object
- Relative
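Position string - Relative positioning rule. String must be one of these:
"before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset. Because rule order determines which rule a session matches first, confirm that a rule left at the bottom is not shadowed by a broader rule above it.
- Schedule string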
- Schedule in which this rule will be applied
- Security
Settings SecurityRule Security Settings - Security settings
- Services List<string>
- The service(s) being accessed
- Snippet string
- The snippet in which the resource is defined
- Source
Hips List<string> - The source Host Integrity Profile(s)
- Source
Users List<string> - List of source users and/or groups. Reserved words include
`any`, `pre-login`, `known-user`, and `unknown`.
- Sources List<string>
- The source address(es)
- List<string>
- The tags associated with the security rule
- Target
Rule string - The name or UUID of the rule to position this rule relative to. Required when
`relative_position` is "before" or "after".
- Tenant
Restrictions List<string> - Tenant restrictions
- Tfid string
- Tos List<string>
- The destination security zone(s)
- Action string
- The action to be taken when the rule is matched
- Allow
Url []SecurityCategories Rule Allow Url Category Args - Allow url category
- Allow
Web []SecurityApplications Rule Allow Web Application Args - Allow web application
- Applications []string
- The application(s) being accessed
- Block
Url []stringCategories - Block url category
- Block
Web []stringApplications - Block web application
- Categories []string
- The URL categories being accessed
- Default
Profile SecuritySettings Rule Default Profile Settings Args - Default profile settings
- Description string
- The description of the security rule
- Destination
Hips []string - The destination Host Integrity Profile(s)
- Destinations []string
- The destination address(es)
- Device string
- The device in which the resource is defined
- Devices []string
- Devices
- Disabled bool
- Is the security rule disabled?
- Folder string
- The folder in which the resource is defined
- Froms []string
- The source security zone(s)
- Log
End bool - Log at session end?
- Log
Setting string - The external log forwarding profile
- Log
Settings SecurityRule Log Settings Args - Log settings
- Log
Start bool - Log at session start?
- Name string
- The name of the security rule
- Negate
Destination bool - Negate the destination address(es)?
- Negate
Source bool - Negate the source address(es)?
- Negate
User bool - Negate user
- Policy
Type string - Policy type
- Position string
- The position of a security rule
- Profile
Setting SecurityRule Profile Setting Args - The security profile object
- Relative
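Position string - Relative positioning rule. String must be one of these:
"before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset. Because rule order determines which rule a session matches first, confirm that a rule left at the bottom is not shadowed by a broader rule above it.
- Schedule string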
- Schedule in which this rule will be applied
- Security
Settings SecurityRule Security Settings Args - Security settings
- Services []string
- The service(s) being accessed
- Snippet string
- The snippet in which the resource is defined
- Source
Hips []string - The source Host Integrity Profile(s)
- Source
Users []string - List of source users and/or groups. Reserved words include
`any`, `pre-login`, `known-user`, and `unknown`.
- Sources []string
- The source address(es)
- []string
- The tags associated with the security rule
- Target
Rule string - The name or UUID of the rule to position this rule relative to. Required when
`relative_position` is "before" or "after".
- Tenant
Restrictions []string - Tenant restrictions
- Tfid string
- Tos []string
- The destination security zone(s)
- action String
- The action to be taken when the rule is matched
- allow
Url List<SecurityCategories Rule Allow Url Category> - Allow url category
- allow
Web List<SecurityApplications Rule Allow Web Application> - Allow web application
- applications List<String>
- The application(s) being accessed
- block
Url List<String>Categories - Block url category
- block
Web List<String>Applications - Block web application
- categories List<String>
- The URL categories being accessed
- default
Profile SecuritySettings Rule Default Profile Settings - Default profile settings
- description String
- The description of the security rule
- destination
Hips List<String> - The destination Host Integrity Profile(s)
- destinations List<String>
- The destination address(es)
- device String
- The device in which the resource is defined
- devices List<String>
- Devices
- disabled Boolean
- Is the security rule disabled?
- folder String
- The folder in which the resource is defined
- froms List<String>
- The source security zone(s)
- log
End Boolean - Log at session end?
- log
Setting String - The external log forwarding profile
- log
Settings SecurityRule Log Settings - Log settings
- log
Start Boolean - Log at session start?
- name String
- The name of the security rule
- negate
Destination Boolean - Negate the destination address(es)?
- negate
Source Boolean - Negate the source address(es)?
- negate
User Boolean - Negate user
- policy
Type String - Policy type
- position String
- The position of a security rule
- profile
Setting SecurityRule Profile Setting - The security profile object
- relative
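Position String - Relative positioning rule. String must be one of these:
"before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset. Because rule order determines which rule a session matches first, confirm that a rule left at the bottom is not shadowed by a broader rule above it.
- schedule String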
- Schedule in which this rule will be applied
- security
Settings SecurityRule Security Settings - Security settings
- services List<String>
- The service(s) being accessed
- snippet String
- The snippet in which the resource is defined
- source
Hips List<String> - The source Host Integrity Profile(s)
- source
Users List<String> - List of source users and/or groups. Reserved words include
`any`, `pre-login`, `known-user`, and `unknown`.
- sources List<String>
- The source address(es)
- List<String>
- The tags associated with the security rule
- target
Rule String - The name or UUID of the rule to position this rule relative to. Required when
`relative_position` is "before" or "after".
- tenant
Restrictions List<String> - Tenant restrictions
- tfid String
- tos List<String>
- The destination security zone(s)
- action string
- The action to be taken when the rule is matched
- allow
Url SecurityCategories Rule Allow Url Category[] - Allow url category
- allow
Web SecurityApplications Rule Allow Web Application[] - Allow web application
- applications string[]
- The application(s) being accessed
- block
Url string[]Categories - Block url category
- block
Web string[]Applications - Block web application
- categories string[]
- The URL categories being accessed
- default
Profile SecuritySettings Rule Default Profile Settings - Default profile settings
- description string
- The description of the security rule
- destination
Hips string[] - The destination Host Integrity Profile(s)
- destinations string[]
- The destination address(es)
- device string
- The device in which the resource is defined
- devices string[]
- Devices
- disabled boolean
- Is the security rule disabled?
- folder string
- The folder in which the resource is defined
- froms string[]
- The source security zone(s)
- log
End boolean - Log at session end?
- log
Setting string - The external log forwarding profile
- log
Settings SecurityRule Log Settings - Log settings
- log
Start boolean - Log at session start?
- name string
- The name of the security rule
- negate
Destination boolean - Negate the destination address(es)?
- negate
Source boolean - Negate the source address(es)?
- negate
User boolean - Negate user
- policy
Type string - Policy type
- position string
- The position of a security rule
- profile
Setting SecurityRule Profile Setting - The security profile object
- relative
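Position string - Relative positioning rule. String must be one of these:
"before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset. Because rule order determines which rule a session matches first, confirm that a rule left at the bottom is not shadowed by a broader rule above it.
- schedule string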
- Schedule in which this rule will be applied
- security
Settings SecurityRule Security Settings - Security settings
- services string[]
- The service(s) being accessed
- snippet string
- The snippet in which the resource is defined
- source
Hips string[] - The source Host Integrity Profile(s)
- source
Users string[] - List of source users and/or groups. Reserved words include
`any`, `pre-login`, `known-user`, and `unknown`.
- sources string[]
- The source address(es)
- string[]
- The tags associated with the security rule
- target
Rule string - The name or UUID of the rule to position this rule relative to. Required when
`relative_position` is "before" or "after".
- tenant
Restrictions string[] - Tenant restrictions
- tfid string
- tos string[]
- The destination security zone(s)
- action str
- The action to be taken when the rule is matched
- allow_
url_ Sequence[Securitycategories Rule Allow Url Category Args] - Allow url category
- allow_
web_ Sequence[Securityapplications Rule Allow Web Application Args] - Allow web application
- applications Sequence[str]
- The application(s) being accessed
- block_
url_ Sequence[str]categories - Block url category
- block_
web_ Sequence[str]applications - Block web application
- categories Sequence[str]
- The URL categories being accessed
- default_
profile_ Securitysettings Rule Default Profile Settings Args - Default profile settings
- description str
- The description of the security rule
- destination_
hips Sequence[str] - The destination Host Integrity Profile(s)
- destinations Sequence[str]
- The destination address(es)
- device str
- The device in which the resource is defined
- devices Sequence[str]
- Devices
- disabled bool
- Is the security rule disabled?
- folder str
- The folder in which the resource is defined
- froms Sequence[str]
- The source security zone(s)
- log_
end bool - Log at session end?
- log_
setting str - The external log forwarding profile
- log_
settings SecurityRule Log Settings Args - Log settings
- log_
start bool - Log at session start?
- name str
- The name of the security rule
- negate_
destination bool - Negate the destination address(es)?
- negate_
source bool - Negate the source address(es)?
- negate_
user bool - Negate user
- policy_
type str - Policy type
- position str
- The position of a security rule
- profile_
setting SecurityRule Profile Setting Args - The security profile object
- relative_
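position str - Relative positioning rule. String must be one of these:
"before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset. Because rule order determines which rule a session matches first, confirm that a rule left at the bottom is not shadowed by a broader rule above it.
- schedule str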
- Schedule in which this rule will be applied
- security_
settings SecurityRule Security Settings Args - Security settings
- services Sequence[str]
- The service(s) being accessed
- snippet str
- The snippet in which the resource is defined
- source_
hips Sequence[str] - The source Host Integrity Profile(s)
- source_
users Sequence[str] - List of source users and/or groups. Reserved words include
`any`, `pre-login`, `known-user`, and `unknown`.
- sources Sequence[str]
- The source address(es)
- Sequence[str]
- The tags associated with the security rule
- target_
rule str - The name or UUID of the rule to position this rule relative to. Required when
`relative_position` is "before" or "after".
- tenant_
restrictions Sequence[str] - Tenant restrictions
- tfid str
- tos Sequence[str]
- The destination security zone(s)
- action String
- The action to be taken when the rule is matched
- allow
Url List<Property Map>Categories - Allow url category
- allow
Web List<Property Map>Applications - Allow web application
- applications List<String>
- The application(s) being accessed
- block
Url List<String>Categories - Block url category
- block
Web List<String>Applications - Block web application
- categories List<String>
- The URL categories being accessed
- default
Profile Property MapSettings - Default profile settings
- description String
- The description of the security rule
- destination
Hips List<String> - The destination Host Integrity Profile(s)
- destinations List<String>
- The destination address(es)
- device String
- The device in which the resource is defined
- devices List<String>
- Devices
- disabled Boolean
- Is the security rule disabled?
- folder String
- The folder in which the resource is defined
- froms List<String>
- The source security zone(s)
- log
End Boolean - Log at session end?
- log
Setting String - The external log forwarding profile
- log
Settings Property Map - Log settings
- log
Start Boolean - Log at session start?
- name String
- The name of the security rule
- negate
Destination Boolean - Negate the destination address(es)?
- negate
Source Boolean - Negate the source address(es)?
- negate
User Boolean - Negate user
- policy
Type String - Policy type
- position String
- The position of a security rule
- profile
Setting Property Map - The security profile object
- relative
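Position String - Relative positioning rule. String must be one of these:
"before", "after", "top", "bottom". If not specified, rule is created at the bottom of the ruleset. Because rule order determines which rule a session matches first, confirm that a rule left at the bottom is not shadowed by a broader rule above it.
- schedule String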
- Schedule in which this rule will be applied
- security
Settings Property Map - Security settings
- services List<String>
- The service(s) being accessed
- snippet String
- The snippet in which the resource is defined
- source
Hips List<String> - The source Host Integrity Profile(s)
- source
Users List<String> - List of source users and/or groups. Reserved words include
`any`, `pre-login`, `known-user`, and `unknown`.
- sources List<String>
- The source address(es)
- List<String>
- The tags associated with the security rule
- target
Rule String - The name or UUID of the rule to position this rule relative to. Required when
`relative_position` is "before" or "after".
- tenant
Restrictions List<String> - Tenant restrictions
- tfid String
- tos List<String>
- The destination security zone(s)
Supporting Types
SecurityRuleAllowUrlCategory, SecurityRuleAllowUrlCategoryArgs
- Additional
Action string - Additional action
- Credential
Enforcement string - Credential enforcement
- Decryption string
- Decryption
- Dlp string
- Dlp
- File
Control SecurityRule Allow Url Category File Control - File control
- Isolation
Profiles string - Isolation profiles
- Name string
- Name
- Additional
Action string - Additional action
- Credential
Enforcement string - Credential enforcement
- Decryption string
- Decryption
- Dlp string
- Dlp
- File
Control SecurityRule Allow Url Category File Control - File control
- Isolation
Profiles string - Isolation profiles
- Name string
- Name
- additional
Action String - Additional action
- credential
Enforcement String - Credential enforcement
- decryption String
- Decryption
- dlp String
- Dlp
- file
Control SecurityRule Allow Url Category File Control - File control
- isolation
Profiles String - Isolation profiles
- name String
- Name
- additional
Action string - Additional action
- credential
Enforcement string - Credential enforcement
- decryption string
- Decryption
- dlp string
- Dlp
- file
Control SecurityRule Allow Url Category File Control - File control
- isolation
Profiles string - Isolation profiles
- name string
- Name
- additional_
action str - Additional action
- credential_
enforcement str - Credential enforcement
- decryption str
- Decryption
- dlp str
- Dlp
- file_
control SecurityRule Allow Url Category File Control - File control
- isolation_
profiles str - Isolation profiles
- name str
- Name
- additional
Action String - Additional action
- credential
Enforcement String - Credential enforcement
- decryption String
- Decryption
- dlp String
- Dlp
- file
Control Property Map - File control
- isolation
Profiles String - Isolation profiles
- name String
- Name
SecurityRuleAllowUrlCategoryFileControl, SecurityRuleAllowUrlCategoryFileControlArgs
SecurityRuleAllowWebApplication, SecurityRuleAllowWebApplicationArgs
- Application
Functions List<string> - Application function
- Dlp string
- Dlp
- File
Control SecurityRule Allow Web Application File Control - File control
- Name string
- Name
- Saas
Enterprise SecurityControl Rule Allow Web Application Saas Enterprise Control - Saas enterprise control
- Saas
Tenant List<string>Lists - Saas tenant list
- Saas
User List<string>Lists - Saas user list
- Tenant
Control SecurityRule Allow Web Application Tenant Control - Tenant control
- Type string
- Type
- Application
Functions []string - Application function
- Dlp string
- Dlp
- File
Control SecurityRule Allow Web Application File Control - File control
- Name string
- Name
- Saas
Enterprise SecurityControl Rule Allow Web Application Saas Enterprise Control - Saas enterprise control
- Saas
Tenant []stringLists - Saas tenant list
- Saas
User []stringLists - Saas user list
- Tenant
Control SecurityRule Allow Web Application Tenant Control - Tenant control
- Type string
- Type
- application
Functions List<String> - Application function
- dlp String
- Dlp
- file
Control SecurityRule Allow Web Application File Control - File control
- name String
- Name
- saas
Enterprise SecurityControl Rule Allow Web Application Saas Enterprise Control - Saas enterprise control
- saas
Tenant List<String>Lists - Saas tenant list
- saas
User List<String>Lists - Saas user list
- tenant
Control SecurityRule Allow Web Application Tenant Control - Tenant control
- type String
- Type
- application
Functions string[] - Application function
- dlp string
- Dlp
- file
Control SecurityRule Allow Web Application File Control - File control
- name string
- Name
- saas
Enterprise SecurityControl Rule Allow Web Application Saas Enterprise Control - Saas enterprise control
- saas
Tenant string[]Lists - Saas tenant list
- saas
User string[]Lists - Saas user list
- tenant
Control SecurityRule Allow Web Application Tenant Control - Tenant control
- type string
- Type
- application_
functions Sequence[str] - Application function
- dlp str
- Dlp
- file_
control SecurityRule Allow Web Application File Control - File control
- name str
- Name
- saas_
enterprise_ Securitycontrol Rule Allow Web Application Saas Enterprise Control - Saas enterprise control
- saas_
tenant_ Sequence[str]lists - Saas tenant list
- saas_
user_ Sequence[str]lists - Saas user list
- tenant_
control SecurityRule Allow Web Application Tenant Control - Tenant control
- type str
- Type
- application
Functions List<String> - Application function
- dlp String
- Dlp
- file
Control Property Map - File control
- name String
- Name
- saas
Enterprise Property MapControl - Saas enterprise control
- saas
Tenant List<String>Lists - Saas tenant list
- saas
User List<String>Lists - Saas user list
- tenant
Control Property Map - Tenant control
- type String
- Type
SecurityRuleAllowWebApplicationFileControl, SecurityRuleAllowWebApplicationFileControlArgs
SecurityRuleAllowWebApplicationSaasEnterpriseControl, SecurityRuleAllowWebApplicationSaasEnterpriseControlArgs
- consumer
Access Property Map - Consumer access
- enterprise
Access Property Map - Enterprise access
SecurityRuleAllowWebApplicationSaasEnterpriseControlConsumerAccess, SecurityRuleAllowWebApplicationSaasEnterpriseControlConsumerAccessArgs
- Enable string
- Enable
- Enable string
- Enable
- enable String
- Enable
- enable string
- Enable
- enable str
- Enable
- enable String
- Enable
SecurityRuleAllowWebApplicationSaasEnterpriseControlEnterpriseAccess, SecurityRuleAllowWebApplicationSaasEnterpriseControlEnterpriseAccessArgs
- Enable string
- Enable
- Tenant
Restrictions List<string> - Tenant restrictions
- Enable string
- Enable
- Tenant
Restrictions []string - Tenant restrictions
- enable String
- Enable
- tenant
Restrictions List<String> - Tenant restrictions
- enable string
- Enable
- tenant
Restrictions string[] - Tenant restrictions
- enable str
- Enable
- tenant_
restrictions Sequence[str] - Tenant restrictions
- enable String
- Enable
- tenant
Restrictions List<String> - Tenant restrictions
SecurityRuleAllowWebApplicationTenantControl, SecurityRuleAllowWebApplicationTenantControlArgs
- Allowed
Activities List<string> - Allowed activities
- Blocked
Activities List<string> - Blocked activities
- Parent
Application string - Parent application
- Tenants List<string>
- Tenants
- Allowed
Activities []string - Allowed activities
- Blocked
Activities []string - Blocked activities
- Parent
Application string - Parent application
- Tenants []string
- Tenants
- allowed
Activities List<String> - Allowed activities
- blocked
Activities List<String> - Blocked activities
- parent
Application String - Parent application
- tenants List<String>
- Tenants
- allowed
Activities string[] - Allowed activities
- blocked
Activities string[] - Blocked activities
- parent
Application string - Parent application
- tenants string[]
- Tenants
- allowed_
activities Sequence[str] - Allowed activities
- blocked_
activities Sequence[str] - Blocked activities
- parent_
application str - Parent application
- tenants Sequence[str]
- Tenants
- allowed
Activities List<String> - Allowed activities
- blocked
Activities List<String> - Blocked activities
- parent
Application String - Parent application
- tenants List<String>
- Tenants
SecurityRuleDefaultProfileSettings, SecurityRuleDefaultProfileSettingsArgs
- Dlp string
- Dlp
- File
Control SecurityRule Default Profile Settings File Control - File control
- Dlp string
- Dlp
- File
Control SecurityRule Default Profile Settings File Control - File control
- dlp String
- Dlp
- file
Control SecurityRule Default Profile Settings File Control - File control
- dlp string
- Dlp
- file
Control SecurityRule Default Profile Settings File Control - File control
- dlp str
- Dlp
- file_
control SecurityRule Default Profile Settings File Control - File control
- dlp String
- Dlp
- file
Control Property Map - File control
SecurityRuleDefaultProfileSettingsFileControl, SecurityRuleDefaultProfileSettingsFileControlArgs
SecurityRuleLogSettings, SecurityRuleLogSettingsArgs
- Log
Sessions bool - Log sessions
- Log
Sessions bool - Log sessions
- log
Sessions Boolean - Log sessions
- log
Sessions boolean - Log sessions
- log_
sessions bool - Log sessions
- log
Sessions Boolean - Log sessions
SecurityRuleProfileSetting, SecurityRuleProfileSettingArgs
- Groups List<string>
- The security profile group
- Groups []string
- The security profile group
- groups List<String>
- The security profile group
- groups string[]
- The security profile group
- groups Sequence[str]
- The security profile group
- groups List<String>
- The security profile group
SecurityRuleSecuritySettings, SecurityRuleSecuritySettingsArgs
- Anti
Spyware string - Anti spyware
- Virus
And stringWildfire Analysis - Virus and wildfire analysis
- Vulnerability string
- Vulnerability
- Anti
Spyware string - Anti spyware
- Virus
And stringWildfire Analysis - Virus and wildfire analysis
- Vulnerability string
- Vulnerability
- anti
Spyware String - Anti spyware
- virus
And StringWildfire Analysis - Virus and wildfire analysis
- vulnerability String
- Vulnerability
- anti
Spyware string - Anti spyware
- virus
And stringWildfire Analysis - Virus and wildfire analysis
- vulnerability string
- Vulnerability
- anti_
spyware str - Anti spyware
- virus_
and_ strwildfire_ analysis - Virus and wildfire analysis
- vulnerability str
- Vulnerability
- anti
Spyware String - Anti spyware
- virus
And StringWildfire Analysis - Virus and wildfire analysis
- vulnerability String
- Vulnerability
Package Details
- Repository
- scm pulumi/pulumi-scm
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
`scm` Terraform Provider.
