A Security Policy defines an IP blacklist or whitelist that protects load balanced Google Cloud services by denying or permitting traffic from specified IP ranges. For more information see the official documentation and the API.

Example Usage

resource "google_compute_security_policy" "policy" {
  name = "my-policy"

  rule {
    action   = "deny(403)"
    priority = "1000"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = [""]
    description = "Deny access to IPs in"

  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
    description = "default rule"

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the security policy.
  • description - (Optional) An optional description of this security policy. Max size is 2048.

  • project - (Optional) The project in which the resource belongs. If it is not provided, the provider project is used.

  • rule - (Optional) The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. Structure is documented below.

The rule block supports:

  • action - (Required) Action to take when match matches the request. Valid values:

    • "allow" : allow access to target
    • "deny(status)" : deny access to target, returns the HTTP response code specified (valid values are 403, 404 and 502)
  • priority - (Required) An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order.

  • match - (Required) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. Structure is documented below.

  • description - (Optional) An optional description of this rule. Max size is 64.

  • preview - (Optional) When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.

The match block supports:

  • config - (Required) The configuration options available when specifying versioned_expr. Structure is documented below.

  • versioned_expr - (Required) Predefined rule expression. Available options:

    • SRC_IPS_V1: Must specify the corresponding src_ip_ranges field in config.

The config block supports:

  • src_ip_ranges - (Required) Set of IP addresses or ranges (IPV4 or IPV6) in CIDR notation to match against inbound traffic. There is a limit of 5 IP ranges per rule. A value of '*' matches all IPs (can be used to override the default behavior).

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:


Security policies can be imported using the name, e.g.

$ terraform import google_compute_security_policy.policy my-policy

© 2018 HashiCorpLicensed under the MPL 2.0 License.