@pulumi/scm 0.4.2-alpha.1760375664 → 0.4.3

package/securityRule.d.ts

@@ -2,7 +2,7 @@ import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "./types/input";
 import * as outputs from "./types/output";
 /**
- * Retrieves a config item.
+ * SecurityRule resource
  *
  * ## Example Usage
  *
@@ -10,7 +10,157 @@ import * as outputs from "./types/output";
  * import * as pulumi from "@pulumi/pulumi";
  * import * as scm from "@pulumi/scm";
  *
- * const example = new scm.SecurityRule("example", {});
+ * // First, create the tag objects that you will reference.
+ * const outboundTag = new scm.Tag("outbound_tag", {
+ *     folder: "All",
+ *     name: "outbound143",
+ *     color: "Red",
+ * });
+ * const webTag = new scm.Tag("web_tag", {
+ *     folder: "All",
+ *     name: "web143",
+ *     color: "Blue",
+ * });
+ * // --- Existing Rules (Backward Compatibility) ---
+ * const standardWebAccess = new scm.SecurityRule("standard_web_access", {
+ *     folder: "All",
+ *     name: "Allow Standard Web Access143",
+ *     description: "Allow outbound web traffic to any destination...",
+ *     position: "pre",
+ *     action: "allow",
+ *     categories: ["any"],
+ *     applications: [
+ *         "web-browsing",
+ *         "ssl",
+ *     ],
+ *     services: [
+ *         "service-http",
+ *         "service-https",
+ *     ],
+ *     froms: [
+ *         "untrust",
+ *         "trust",
+ *     ],
+ *     tos: ["trust"],
+ *     sources: ["any"],
+ *     destinations: ["any"],
+ *     negateSource: false,
+ *     negateDestination: false,
+ *     sourceUsers: ["any"],
+ *     sourceHips: ["any"],
+ *     destinationHips: ["any"],
+ *     logStart: true,
+ *     logEnd: true,
+ *     disabled: false,
+ *     tags: [
+ *         outboundTag.name,
+ *         webTag.name,
+ *     ],
+ * });
+ * const blockRiskySaas = new scm.SecurityRule("block_risky_saas", {
+ *     folder: "All",
+ *     name: "Block Risky SaaS Applications143",
+ *     description: "Prevent data exfiltration by blocking risky SaaS apps...",
+ *     action: "deny",
+ *     policyType: "Internet",
+ *     securitySettings: {
+ *         antiSpyware: "yes",
+ *         vulnerability: "yes",
+ *         virusAndWildfireAnalysis: "yes",
+ *     },
+ *     blockWebApplications: ["facebook-posting"],
+ *     logSettings: {
+ *         logSessions: true,
+ *     },
+ *     froms: ["any"],
+ *     tos: ["any"],
+ *     sources: ["any"],
+ *     destinations: ["any"],
+ *     sourceUsers: ["any"],
+ *     disabled: false,
+ *     tags: [
+ *         outboundTag.name,
+ *         webTag.name,
+ *     ],
+ * });
+ * // --- NEW Examples Demonstrating Rule Ordering ---
+ * // Example 1: Place a critical block rule at the absolute top
+ * const criticalBlockTop = new scm.SecurityRule("critical_block_top", {
+ *     folder: "All",
+ *     name: "CRITICAL Block Malicious IPs Top143",
+ *     description: "Always block known malicious IPs first.",
+ *     relativePosition: "top",
+ *     action: "deny",
+ *     froms: ["any"],
+ *     tos: ["any"],
+ *     sources: ["any"],
+ *     destinations: ["any"],
+ *     sourceUsers: ["any"],
+ *     categories: ["any"],
+ *     applications: ["any"],
+ *     services: ["any"],
+ *     logEnd: true,
+ *     tags: [outboundTag.name],
+ * });
+ * // Example 2: Place a cleanup rule at the absolute bottom
+ * const cleanupDenyBottom = new scm.SecurityRule("cleanup_deny_bottom", {
+ *     folder: "All",
+ *     name: "Cleanup Deny All Bottom143",
+ *     description: "Deny any traffic not explicitly allowed.",
+ *     relativePosition: "bottom",
+ *     action: "deny",
+ *     froms: ["any"],
+ *     tos: ["any"],
+ *     sources: ["any"],
+ *     destinations: ["any"],
+ *     sourceUsers: ["any"],
+ *     categories: ["any"],
+ *     applications: ["any"],
+ *     services: ["any"],
+ *     logEnd: true,
+ *     tags: [outboundTag.name],
+ * });
+ * // Example 3: Place a rule *before* the standard web access rule
+ * const allowUpdatesBeforeWeb = new scm.SecurityRule("allow_updates_before_web", {
+ *     folder: "All",
+ *     name: "Allow OS Updates Before Web143",
+ *     description: "Allow specific OS update traffic before general web access.",
+ *     relativePosition: "before",
+ *     targetRule: standardWebAccess.id,
+ *     action: "allow",
+ *     froms: ["trust"],
+ *     tos: ["untrust"],
+ *     sources: ["any"],
+ *     destinations: ["any"],
+ *     sourceUsers: ["any"],
+ *     categories: ["any"],
+ *     applications: [
+ *         "ms-update",
+ *         "apple-update",
+ *     ],
+ *     services: ["service-https"],
+ *     logEnd: true,
+ *     tags: [outboundTag.name],
+ * });
+ * // Example 4: Place a rule *after* the standard web access rule
+ * const allowCorpAppsAfterWeb = new scm.SecurityRule("allow_corp_apps_after_web", {
+ *     folder: "All",
+ *     name: "Allow Corp Apps After Web143",
+ *     description: "Allow access to specific corporate apps after general web access.",
+ *     relativePosition: "after",
+ *     targetRule: standardWebAccess.id,
+ *     action: "allow",
+ *     froms: ["trust"],
+ *     tos: ["untrust"],
+ *     sources: ["any"],
+ *     destinations: ["any"],
+ *     sourceUsers: ["any"],
+ *     categories: ["any"],
+ *     applications: ["ms-update"],
+ *     services: ["service-https"],
+ *     logEnd: true,
+ *     tags: [webTag.name],
+ * });
  * ```
  */
 export declare class SecurityRule extends pulumi.CustomResource {
@@ -30,98 +180,162 @@ export declare class SecurityRule extends pulumi.CustomResource {
      */
     static isInstance(obj: any): obj is SecurityRule;
     /**
-     * The action to be taken when the rule is matched. String must be one of these: `"allow"`, `"deny"`, `"drop"`, `"reset-client"`, `"reset-server"`, `"reset-both"`.
+     * The action to be taken when the rule is matched
      */
-    readonly action: pulumi.Output<string>;
+    readonly action: pulumi.Output<string | undefined>;
     /**
-     * The application(s) being accessed.
+     * Allow url category
+     */
+    readonly allowUrlCategories: pulumi.Output<outputs.SecurityRuleAllowUrlCategory[]>;
+    /**
+     * Allow web application
+     */
+    readonly allowWebApplications: pulumi.Output<outputs.SecurityRuleAllowWebApplication[]>;
+    /**
+     * The application(s) being accessed
      */
     readonly applications: pulumi.Output<string[]>;
     /**
-     * The URL categories being accessed.
+     * Block url category
+     */
+    readonly blockUrlCategories: pulumi.Output<string[]>;
+    /**
+     * Block web application
+     */
+    readonly blockWebApplications: pulumi.Output<string[]>;
+    /**
+     * The URL categories being accessed
      */
     readonly categories: pulumi.Output<string[]>;
     /**
-     * The description of the security rule.
+     * Default profile settings
+     */
+    readonly defaultProfileSettings: pulumi.Output<outputs.SecurityRuleDefaultProfileSettings>;
+    /**
+     * The description of the security rule
      */
     readonly description: pulumi.Output<string | undefined>;
     /**
-     * The destination Host Integrity Profile(s).
+     * The destination Host Integrity Profile(s)
      */
-    readonly destinationHips: pulumi.Output<string[] | undefined>;
+    readonly destinationHips: pulumi.Output<string[]>;
     /**
-     * The destination address(es).
+     * The destination address(es)
      */
-    readonly destinations: pulumi.Output<string[]>;
+    readonly destinations: pulumi.Output<string[] | undefined>;
     /**
-     * The Device param.
+     * The device in which the resource is defined
      */
     readonly device: pulumi.Output<string | undefined>;
     /**
-     * The state of the security rule. Default: `false`.
+     * Devices
+     */
+    readonly devices: pulumi.Output<string[]>;
+    /**
+     * Is the security rule disabled?
      */
     readonly disabled: pulumi.Output<boolean>;
     /**
-     * The Folder param.
+     * The folder in which the resource is defined
      */
     readonly folder: pulumi.Output<string | undefined>;
     /**
-     * The source security zone(s).
+     * The source security zone(s)
+     */
+    readonly froms: pulumi.Output<string[] | undefined>;
+    /**
+     * Log at session end?
      */
-    readonly froms: pulumi.Output<string[]>;
+    readonly logEnd: pulumi.Output<boolean>;
     /**
-     * The external log forwarding profile.
+     * The external log forwarding profile
      */
-    readonly logSetting: pulumi.Output<string | undefined>;
+    readonly logSetting: pulumi.Output<string>;
     /**
-     * The name of the security rule.
+     * Log settings
+     */
+    readonly logSettings: pulumi.Output<outputs.SecurityRuleLogSettings>;
+    /**
+     * Log at session start?
+     */
+    readonly logStart: pulumi.Output<boolean>;
+    /**
+     * The name of the security rule
      */
     readonly name: pulumi.Output<string>;
     /**
-     * Negate the destination addresses(es). Default: `false`.
+     * Negate the destination addresses(es)?
      */
     readonly negateDestination: pulumi.Output<boolean>;
     /**
-     * Negate the source address(es). Default: `false`.
+     * Negate the source address(es)?
      */
     readonly negateSource: pulumi.Output<boolean>;
     /**
-     * The Position param. String must be one of these: `"pre"`, `"post"`. Default: `"pre"`.
+     * Negate user
+     */
+    readonly negateUser: pulumi.Output<boolean>;
+    /**
+     * Policy type
+     */
+    readonly policyType: pulumi.Output<string>;
+    /**
+     * The position of a security rule
      */
     readonly position: pulumi.Output<string>;
     /**
-     * The security profile object.
+     * The security profile object
+     */
+    readonly profileSetting: pulumi.Output<outputs.SecurityRuleProfileSetting>;
+    /**
+     * Relative positioning rule. String must be one of these: `"before"`, `"after"`, `"top"`, `"bottom"`. If not specified, rule is created at the bottom of the ruleset.
      */
-    readonly profileSetting: pulumi.Output<outputs.SecurityRuleProfileSetting | undefined>;
+    readonly relativePosition: pulumi.Output<string | undefined>;
     /**
-     * The service(s) being accessed.
+     * Schedule in which this rule will be applied
      */
-    readonly services: pulumi.Output<string[]>;
+    readonly schedule: pulumi.Output<string | undefined>;
     /**
-     * The Snippet param.
+     * Security settings
+     */
+    readonly securitySettings: pulumi.Output<outputs.SecurityRuleSecuritySettings>;
+    /**
+     * The service(s) being accessed
+     */
+    readonly services: pulumi.Output<string[] | undefined>;
+    /**
+     * The snippet in which the resource is defined
      */
     readonly snippet: pulumi.Output<string | undefined>;
     /**
-     * The source Host Integrity Profile(s).
+     * The source Host Integrity Profile(s)
      */
-    readonly sourceHips: pulumi.Output<string[] | undefined>;
+    readonly sourceHips: pulumi.Output<string[]>;
     /**
-     * The source user(s) or group(s).
+     * List of source users and/or groups.  Reserved words include `any`, `pre-login`, `known-user`, and `unknown`.
      */
-    readonly sourceUsers: pulumi.Output<string[]>;
+    readonly sourceUsers: pulumi.Output<string[] | undefined>;
     /**
-     * The source address(es).
+     * The source addresses(es)
      */
-    readonly sources: pulumi.Output<string[]>;
+    readonly sources: pulumi.Output<string[] | undefined>;
     /**
-     * The tags associated with the security rule.
+     * The tags associated with the security rule
      */
     readonly tags: pulumi.Output<string[] | undefined>;
+    /**
+     * The name or UUID of the rule to position this rule relative to. Required when `relativePosition` is `"before"` or `"after"`.
+     */
+    readonly targetRule: pulumi.Output<string | undefined>;
+    /**
+     * Tenant restrictions
+     */
+    readonly tenantRestrictions: pulumi.Output<string[]>;
     readonly tfid: pulumi.Output<string>;
     /**
-     * The destination security zone(s).
+     * The destination security zone(s)
      */
-    readonly tos: pulumi.Output<string[]>;
+    readonly tos: pulumi.Output<string[] | undefined>;
     /**
      * Create a SecurityRule resource with the given unique name, arguments, and options.
      *
@@ -129,103 +343,167 @@ export declare class SecurityRule extends pulumi.CustomResource {
      * @param args The arguments to use to populate this resource's properties.
      * @param opts A bag of options that control this resource's behavior.
      */
-    constructor(name: string, args: SecurityRuleArgs, opts?: pulumi.CustomResourceOptions);
+    constructor(name: string, args?: SecurityRuleArgs, opts?: pulumi.CustomResourceOptions);
 }
 /**
  * Input properties used for looking up and filtering SecurityRule resources.
  */
 export interface SecurityRuleState {
     /**
-     * The action to be taken when the rule is matched. String must be one of these: `"allow"`, `"deny"`, `"drop"`, `"reset-client"`, `"reset-server"`, `"reset-both"`.
+     * The action to be taken when the rule is matched
      */
     action?: pulumi.Input<string>;
     /**
-     * The application(s) being accessed.
+     * Allow url category
+     */
+    allowUrlCategories?: pulumi.Input<pulumi.Input<inputs.SecurityRuleAllowUrlCategory>[]>;
+    /**
+     * Allow web application
+     */
+    allowWebApplications?: pulumi.Input<pulumi.Input<inputs.SecurityRuleAllowWebApplication>[]>;
+    /**
+     * The application(s) being accessed
      */
     applications?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The URL categories being accessed.
+     * Block url category
+     */
+    blockUrlCategories?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Block web application
+     */
+    blockWebApplications?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The URL categories being accessed
      */
     categories?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The description of the security rule.
+     * Default profile settings
+     */
+    defaultProfileSettings?: pulumi.Input<inputs.SecurityRuleDefaultProfileSettings>;
+    /**
+     * The description of the security rule
      */
     description?: pulumi.Input<string>;
     /**
-     * The destination Host Integrity Profile(s).
+     * The destination Host Integrity Profile(s)
      */
     destinationHips?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The destination address(es).
+     * The destination address(es)
      */
     destinations?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The Device param.
+     * The device in which the resource is defined
      */
     device?: pulumi.Input<string>;
     /**
-     * The state of the security rule. Default: `false`.
+     * Devices
+     */
+    devices?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Is the security rule disabled?
      */
     disabled?: pulumi.Input<boolean>;
     /**
-     * The Folder param.
+     * The folder in which the resource is defined
      */
     folder?: pulumi.Input<string>;
     /**
-     * The source security zone(s).
+     * The source security zone(s)
      */
     froms?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The external log forwarding profile.
+     * Log at session end?
+     */
+    logEnd?: pulumi.Input<boolean>;
+    /**
+     * The external log forwarding profile
      */
     logSetting?: pulumi.Input<string>;
     /**
-     * The name of the security rule.
+     * Log settings
+     */
+    logSettings?: pulumi.Input<inputs.SecurityRuleLogSettings>;
+    /**
+     * Log at session start?
+     */
+    logStart?: pulumi.Input<boolean>;
+    /**
+     * The name of the security rule
      */
     name?: pulumi.Input<string>;
     /**
-     * Negate the destination addresses(es). Default: `false`.
+     * Negate the destination addresses(es)?
      */
     negateDestination?: pulumi.Input<boolean>;
     /**
-     * Negate the source address(es). Default: `false`.
+     * Negate the source address(es)?
      */
     negateSource?: pulumi.Input<boolean>;
     /**
-     * The Position param. String must be one of these: `"pre"`, `"post"`. Default: `"pre"`.
+     * Negate user
+     */
+    negateUser?: pulumi.Input<boolean>;
+    /**
+     * Policy type
+     */
+    policyType?: pulumi.Input<string>;
+    /**
+     * The position of a security rule
      */
     position?: pulumi.Input<string>;
     /**
-     * The security profile object.
+     * The security profile object
      */
     profileSetting?: pulumi.Input<inputs.SecurityRuleProfileSetting>;
     /**
-     * The service(s) being accessed.
+     * Relative positioning rule. String must be one of these: `"before"`, `"after"`, `"top"`, `"bottom"`. If not specified, rule is created at the bottom of the ruleset.
+     */
+    relativePosition?: pulumi.Input<string>;
+    /**
+     * Schedule in which this rule will be applied
+     */
+    schedule?: pulumi.Input<string>;
+    /**
+     * Security settings
+     */
+    securitySettings?: pulumi.Input<inputs.SecurityRuleSecuritySettings>;
+    /**
+     * The service(s) being accessed
      */
     services?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The Snippet param.
+     * The snippet in which the resource is defined
      */
     snippet?: pulumi.Input<string>;
     /**
-     * The source Host Integrity Profile(s).
+     * The source Host Integrity Profile(s)
      */
     sourceHips?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The source user(s) or group(s).
+     * List of source users and/or groups.  Reserved words include `any`, `pre-login`, `known-user`, and `unknown`.
      */
     sourceUsers?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The source address(es).
+     * The source addresses(es)
      */
     sources?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The tags associated with the security rule.
+     * The tags associated with the security rule
      */
     tags?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The name or UUID of the rule to position this rule relative to. Required when `relativePosition` is `"before"` or `"after"`.
+     */
+    targetRule?: pulumi.Input<string>;
+    /**
+     * Tenant restrictions
+     */
+    tenantRestrictions?: pulumi.Input<pulumi.Input<string>[]>;
     tfid?: pulumi.Input<string>;
     /**
-     * The destination security zone(s).
+     * The destination security zone(s)
      */
     tos?: pulumi.Input<pulumi.Input<string>[]>;
 }
@@ -234,95 +512,159 @@ export interface SecurityRuleState {
  */
 export interface SecurityRuleArgs {
     /**
-     * The action to be taken when the rule is matched. String must be one of these: `"allow"`, `"deny"`, `"drop"`, `"reset-client"`, `"reset-server"`, `"reset-both"`.
+     * The action to be taken when the rule is matched
+     */
+    action?: pulumi.Input<string>;
+    /**
+     * Allow url category
+     */
+    allowUrlCategories?: pulumi.Input<pulumi.Input<inputs.SecurityRuleAllowUrlCategory>[]>;
+    /**
+     * Allow web application
      */
-    action: pulumi.Input<string>;
+    allowWebApplications?: pulumi.Input<pulumi.Input<inputs.SecurityRuleAllowWebApplication>[]>;
     /**
-     * The application(s) being accessed.
+     * The application(s) being accessed
      */
-    applications: pulumi.Input<pulumi.Input<string>[]>;
+    applications?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The URL categories being accessed.
+     * Block url category
      */
-    categories: pulumi.Input<pulumi.Input<string>[]>;
+    blockUrlCategories?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The description of the security rule.
+     * Block web application
+     */
+    blockWebApplications?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The URL categories being accessed
+     */
+    categories?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Default profile settings
+     */
+    defaultProfileSettings?: pulumi.Input<inputs.SecurityRuleDefaultProfileSettings>;
+    /**
+     * The description of the security rule
      */
     description?: pulumi.Input<string>;
     /**
-     * The destination Host Integrity Profile(s).
+     * The destination Host Integrity Profile(s)
      */
     destinationHips?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The destination address(es).
+     * The destination address(es)
      */
-    destinations: pulumi.Input<pulumi.Input<string>[]>;
+    destinations?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The Device param.
+     * The device in which the resource is defined
      */
     device?: pulumi.Input<string>;
     /**
-     * The state of the security rule. Default: `false`.
+     * Devices
+     */
+    devices?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Is the security rule disabled?
      */
     disabled?: pulumi.Input<boolean>;
     /**
-     * The Folder param.
+     * The folder in which the resource is defined
      */
     folder?: pulumi.Input<string>;
     /**
-     * The source security zone(s).
+     * The source security zone(s)
+     */
+    froms?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Log at session end?
      */
-    froms: pulumi.Input<pulumi.Input<string>[]>;
+    logEnd?: pulumi.Input<boolean>;
     /**
-     * The external log forwarding profile.
+     * The external log forwarding profile
      */
     logSetting?: pulumi.Input<string>;
     /**
-     * The name of the security rule.
+     * Log settings
+     */
+    logSettings?: pulumi.Input<inputs.SecurityRuleLogSettings>;
+    /**
+     * Log at session start?
+     */
+    logStart?: pulumi.Input<boolean>;
+    /**
+     * The name of the security rule
      */
     name?: pulumi.Input<string>;
     /**
-     * Negate the destination addresses(es). Default: `false`.
+     * Negate the destination addresses(es)?
      */
     negateDestination?: pulumi.Input<boolean>;
     /**
-     * Negate the source address(es). Default: `false`.
+     * Negate the source address(es)?
      */
     negateSource?: pulumi.Input<boolean>;
     /**
-     * The Position param. String must be one of these: `"pre"`, `"post"`. Default: `"pre"`.
+     * Negate user
+     */
+    negateUser?: pulumi.Input<boolean>;
+    /**
+     * Policy type
+     */
+    policyType?: pulumi.Input<string>;
+    /**
+     * The position of a security rule
      */
     position?: pulumi.Input<string>;
     /**
-     * The security profile object.
+     * The security profile object
      */
     profileSetting?: pulumi.Input<inputs.SecurityRuleProfileSetting>;
     /**
-     * The service(s) being accessed.
+     * Relative positioning rule. String must be one of these: `"before"`, `"after"`, `"top"`, `"bottom"`. If not specified, rule is created at the bottom of the ruleset.
+     */
+    relativePosition?: pulumi.Input<string>;
+    /**
+     * Schedule in which this rule will be applied
+     */
+    schedule?: pulumi.Input<string>;
+    /**
+     * Security settings
      */
-    services: pulumi.Input<pulumi.Input<string>[]>;
+    securitySettings?: pulumi.Input<inputs.SecurityRuleSecuritySettings>;
     /**
-     * The Snippet param.
+     * The service(s) being accessed
+     */
+    services?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The snippet in which the resource is defined
      */
     snippet?: pulumi.Input<string>;
     /**
-     * The source Host Integrity Profile(s).
+     * The source Host Integrity Profile(s)
      */
     sourceHips?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The source user(s) or group(s).
+     * List of source users and/or groups.  Reserved words include `any`, `pre-login`, `known-user`, and `unknown`.
      */
-    sourceUsers: pulumi.Input<pulumi.Input<string>[]>;
+    sourceUsers?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The source address(es).
+     * The source addresses(es)
      */
-    sources: pulumi.Input<pulumi.Input<string>[]>;
+    sources?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The tags associated with the security rule.
+     * The tags associated with the security rule
      */
     tags?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The destination security zone(s).
+     * The name or UUID of the rule to position this rule relative to. Required when `relativePosition` is `"before"` or `"after"`.
+     */
+    targetRule?: pulumi.Input<string>;
+    /**
+     * Tenant restrictions
      */
-    tos: pulumi.Input<pulumi.Input<string>[]>;
+    tenantRestrictions?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The destination security zone(s)
+     */
+    tos?: pulumi.Input<pulumi.Input<string>[]>;
 }