pulumi-gcp 7.23.0a1715695885__py3-none-any.whl → 7.24.0__py3-none-any.whl

pulumi_gcp/compute/_inputs.py

@@ -181,6 +181,10 @@ __all__ = [
     'InstanceTemplateServiceAccountArgs',
     'InstanceTemplateShieldedInstanceConfigArgs',
     'InterconnectAttachmentPrivateInterconnectInfoArgs',
+    'InterconnectCircuitInfoArgs',
+    'InterconnectExpectedOutageArgs',
+    'InterconnectMacsecArgs',
+    'InterconnectMacsecPreSharedKeyArgs',
     'MachineImageIamBindingConditionArgs',
     'MachineImageIamMemberConditionArgs',
     'MachineImageMachineImageEncryptionKeyArgs',
@@ -309,8 +313,19 @@ __all__ = [
     'RegionSecurityPolicyDdosProtectionConfigArgs',
     'RegionSecurityPolicyRuleMatchArgs',
     'RegionSecurityPolicyRuleMatchConfigArgs',
+    'RegionSecurityPolicyRuleMatchExprArgs',
     'RegionSecurityPolicyRuleNetworkMatchArgs',
     'RegionSecurityPolicyRuleNetworkMatchUserDefinedFieldArgs',
+    'RegionSecurityPolicyRulePreconfiguredWafConfigArgs',
+    'RegionSecurityPolicyRulePreconfiguredWafConfigExclusionArgs',
+    'RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCookyArgs',
+    'RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeaderArgs',
+    'RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParamArgs',
+    'RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUriArgs',
+    'RegionSecurityPolicyRuleRateLimitOptionsArgs',
+    'RegionSecurityPolicyRuleRateLimitOptionsBanThresholdArgs',
+    'RegionSecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs',
+    'RegionSecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs',
     'RegionSecurityPolicyUserDefinedFieldArgs',
     'RegionUrlMapDefaultRouteActionArgs',
     'RegionUrlMapDefaultRouteActionCorsPolicyArgs',
@@ -3006,6 +3021,25 @@ class BackendServiceLocalityLbPolicyPolicyArgs:
                Note that specifying the same policy more than once for a backend is
                not a valid configuration and will be rejected.
                The possible values are:
+               * `ROUND_ROBIN`: This is a simple policy in which each healthy backend
+               is selected in round robin order.
+               * `LEAST_REQUEST`: An O(1) algorithm which selects two random healthy
+               hosts and picks the host which has fewer active requests.
+               * `RING_HASH`: The ring/modulo hash load balancer implements consistent
+               hashing to backends. The algorithm has the property that the
+               addition/removal of a host from a set of N hosts only affects
+               1/N of the requests.
+               * `RANDOM`: The load balancer selects a random healthy host.
+               * `ORIGINAL_DESTINATION`: Backend host is selected based on the client
+               connection metadata, i.e., connections are opened
+               to the same address as the destination address of
+               the incoming connection before the connection
+               was redirected to the load balancer.
+               * `MAGLEV`: used as a drop in replacement for the ring hash load balancer.
+               Maglev is not as stable as ring hash but has faster table lookup
+               build times and host selection times. For more information about
+               Maglev, refer to https://ai.google/research/pubs/pub44824
+               Possible values are: `ROUND_ROBIN`, `LEAST_REQUEST`, `RING_HASH`, `RANDOM`, `ORIGINAL_DESTINATION`, `MAGLEV`.
         """
         pulumi.set(__self__, "name", name)
 
@@ -3021,6 +3055,25 @@ class BackendServiceLocalityLbPolicyPolicyArgs:
         Note that specifying the same policy more than once for a backend is
         not a valid configuration and will be rejected.
         The possible values are:
+        * `ROUND_ROBIN`: This is a simple policy in which each healthy backend
+        is selected in round robin order.
+        * `LEAST_REQUEST`: An O(1) algorithm which selects two random healthy
+        hosts and picks the host which has fewer active requests.
+        * `RING_HASH`: The ring/modulo hash load balancer implements consistent
+        hashing to backends. The algorithm has the property that the
+        addition/removal of a host from a set of N hosts only affects
+        1/N of the requests.
+        * `RANDOM`: The load balancer selects a random healthy host.
+        * `ORIGINAL_DESTINATION`: Backend host is selected based on the client
+        connection metadata, i.e., connections are opened
+        to the same address as the destination address of
+        the incoming connection before the connection
+        was redirected to the load balancer.
+        * `MAGLEV`: used as a drop in replacement for the ring hash load balancer.
+        Maglev is not as stable as ring hash but has faster table lookup
+        build times and host selection times. For more information about
+        Maglev, refer to https://ai.google/research/pubs/pub44824
+        Possible values are: `ROUND_ROBIN`, `LEAST_REQUEST`, `RING_HASH`, `RANDOM`, `ORIGINAL_DESTINATION`, `MAGLEV`.
         """
         return pulumi.get(self, "name")
 
@@ -4573,6 +4626,15 @@ class HealthCheckGrpcHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, gRPC health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         if grpc_service_name is not None:
             pulumi.set(__self__, "grpc_service_name", grpc_service_name)
@@ -4632,6 +4694,15 @@ class HealthCheckGrpcHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, gRPC health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -4821,6 +4892,15 @@ class HealthCheckHttpHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, HTTP health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         :param pulumi.Input[str] proxy_header: Specifies the type of proxy header to append before sending data to the
                backend.
                Default value is `NONE`.
@@ -4892,6 +4972,15 @@ class HealthCheckHttpHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, HTTP health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -4962,6 +5051,15 @@ class HealthCheckHttpsHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, HTTPS health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         :param pulumi.Input[str] proxy_header: Specifies the type of proxy header to append before sending data to the
                backend.
                Default value is `NONE`.
@@ -5033,6 +5131,15 @@ class HealthCheckHttpsHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, HTTPS health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -5124,6 +5231,15 @@ class HealthCheckSslHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, HTTP2 health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         :param pulumi.Input[str] proxy_header: Specifies the type of proxy header to append before sending data to the
                backend.
                Default value is `NONE`.
@@ -5181,6 +5297,15 @@ class HealthCheckSslHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, HTTP2 health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -5249,6 +5374,15 @@ class HealthCheckTcpHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, TCP health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         :param pulumi.Input[str] proxy_header: Specifies the type of proxy header to append before sending data to the
                backend.
                Default value is `NONE`.
@@ -5306,6 +5440,15 @@ class HealthCheckTcpHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, TCP health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -13112,6 +13255,362 @@ class InterconnectAttachmentPrivateInterconnectInfoArgs:
         pulumi.set(self, "tag8021q", value)
 
 
+@pulumi.input_type
+class InterconnectCircuitInfoArgs:
+    def __init__(__self__, *,
+                 customer_demarc_id: Optional[pulumi.Input[str]] = None,
+                 google_circuit_id: Optional[pulumi.Input[str]] = None,
+                 google_demarc_id: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] customer_demarc_id: (Output)
+               Customer-side demarc ID for this circuit.
+        :param pulumi.Input[str] google_circuit_id: (Output)
+               Google-assigned unique ID for this circuit. Assigned at circuit turn-up.
+        :param pulumi.Input[str] google_demarc_id: (Output)
+               Google-side demarc ID for this circuit. Assigned at circuit turn-up and provided by
+               Google to the customer in the LOA.
+        """
+        if customer_demarc_id is not None:
+            pulumi.set(__self__, "customer_demarc_id", customer_demarc_id)
+        if google_circuit_id is not None:
+            pulumi.set(__self__, "google_circuit_id", google_circuit_id)
+        if google_demarc_id is not None:
+            pulumi.set(__self__, "google_demarc_id", google_demarc_id)
+
+    @property
+    @pulumi.getter(name="customerDemarcId")
+    def customer_demarc_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        Customer-side demarc ID for this circuit.
+        """
+        return pulumi.get(self, "customer_demarc_id")
+
+    @customer_demarc_id.setter
+    def customer_demarc_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "customer_demarc_id", value)
+
+    @property
+    @pulumi.getter(name="googleCircuitId")
+    def google_circuit_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        Google-assigned unique ID for this circuit. Assigned at circuit turn-up.
+        """
+        return pulumi.get(self, "google_circuit_id")
+
+    @google_circuit_id.setter
+    def google_circuit_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "google_circuit_id", value)
+
+    @property
+    @pulumi.getter(name="googleDemarcId")
+    def google_demarc_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        Google-side demarc ID for this circuit. Assigned at circuit turn-up and provided by
+        Google to the customer in the LOA.
+        """
+        return pulumi.get(self, "google_demarc_id")
+
+    @google_demarc_id.setter
+    def google_demarc_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "google_demarc_id", value)
+
+
+@pulumi.input_type
+class InterconnectExpectedOutageArgs:
+    def __init__(__self__, *,
+                 affected_circuits: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 description: Optional[pulumi.Input[str]] = None,
+                 end_time: Optional[pulumi.Input[str]] = None,
+                 issue_type: Optional[pulumi.Input[str]] = None,
+                 name: Optional[pulumi.Input[str]] = None,
+                 source: Optional[pulumi.Input[str]] = None,
+                 start_time: Optional[pulumi.Input[str]] = None,
+                 state: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] affected_circuits: (Output)
+               If issueType is IT_PARTIAL_OUTAGE, a list of the Google-side circuit IDs that will be
+               affected.
+        :param pulumi.Input[str] description: An optional description of this resource. Provide this property when you create the resource.
+        :param pulumi.Input[str] end_time: (Output)
+               Scheduled end time for the outage (milliseconds since Unix epoch).
+        :param pulumi.Input[str] issue_type: (Output)
+               Form this outage is expected to take. Note that the versions of this enum prefixed with
+               "IT_" have been deprecated in favor of the unprefixed values. Can take one of the
+               following values:
+               - OUTAGE: The Interconnect may be completely out of service for some or all of the
+               specified window.
+               - PARTIAL_OUTAGE: Some circuits comprising the Interconnect as a whole should remain
+               up, but with reduced bandwidth.
+        :param pulumi.Input[str] name: Name of the resource. Provided by the client when the resource is created. The name must be
+               1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters
+               long and match the regular expression `a-z?` which means the first
+               character must be a lowercase letter, and all following characters must be a dash,
+               lowercase letter, or digit, except the last character, which cannot be a dash.
+        :param pulumi.Input[str] source: (Output)
+               The party that generated this notification. Note that the value of NSRC_GOOGLE has been
+               deprecated in favor of GOOGLE. Can take the following value:
+               - GOOGLE: this notification as generated by Google.
+        :param pulumi.Input[str] start_time: (Output)
+               Scheduled start time for the outage (milliseconds since Unix epoch).
+        :param pulumi.Input[str] state: (Output)
+               State of this notification. Note that the versions of this enum prefixed with "NS_" have
+               been deprecated in favor of the unprefixed values. Can take one of the following values:
+               - ACTIVE: This outage notification is active. The event could be in the past, present,
+               or future. See startTime and endTime for scheduling.
+               - CANCELLED: The outage associated with this notification was cancelled before the
+               outage was due to start.
+               - COMPLETED: The outage associated with this notification is complete.
+        """
+        if affected_circuits is not None:
+            pulumi.set(__self__, "affected_circuits", affected_circuits)
+        if description is not None:
+            pulumi.set(__self__, "description", description)
+        if end_time is not None:
+            pulumi.set(__self__, "end_time", end_time)
+        if issue_type is not None:
+            pulumi.set(__self__, "issue_type", issue_type)
+        if name is not None:
+            pulumi.set(__self__, "name", name)
+        if source is not None:
+            pulumi.set(__self__, "source", source)
+        if start_time is not None:
+            pulumi.set(__self__, "start_time", start_time)
+        if state is not None:
+            pulumi.set(__self__, "state", state)
+
+    @property
+    @pulumi.getter(name="affectedCircuits")
+    def affected_circuits(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        (Output)
+        If issueType is IT_PARTIAL_OUTAGE, a list of the Google-side circuit IDs that will be
+        affected.
+        """
+        return pulumi.get(self, "affected_circuits")
+
+    @affected_circuits.setter
+    def affected_circuits(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "affected_circuits", value)
+
+    @property
+    @pulumi.getter
+    def description(self) -> Optional[pulumi.Input[str]]:
+        """
+        An optional description of this resource. Provide this property when you create the resource.
+        """
+        return pulumi.get(self, "description")
+
+    @description.setter
+    def description(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "description", value)
+
+    @property
+    @pulumi.getter(name="endTime")
+    def end_time(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        Scheduled end time for the outage (milliseconds since Unix epoch).
+        """
+        return pulumi.get(self, "end_time")
+
+    @end_time.setter
+    def end_time(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "end_time", value)
+
+    @property
+    @pulumi.getter(name="issueType")
+    def issue_type(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        Form this outage is expected to take. Note that the versions of this enum prefixed with
+        "IT_" have been deprecated in favor of the unprefixed values. Can take one of the
+        following values:
+        - OUTAGE: The Interconnect may be completely out of service for some or all of the
+        specified window.
+        - PARTIAL_OUTAGE: Some circuits comprising the Interconnect as a whole should remain
+        up, but with reduced bandwidth.
+        """
+        return pulumi.get(self, "issue_type")
+
+    @issue_type.setter
+    def issue_type(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "issue_type", value)
+
+    @property
+    @pulumi.getter
+    def name(self) -> Optional[pulumi.Input[str]]:
+        """
+        Name of the resource. Provided by the client when the resource is created. The name must be
+        1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters
+        long and match the regular expression `a-z?` which means the first
+        character must be a lowercase letter, and all following characters must be a dash,
+        lowercase letter, or digit, except the last character, which cannot be a dash.
+        """
+        return pulumi.get(self, "name")
+
+    @name.setter
+    def name(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "name", value)
+
+    @property
+    @pulumi.getter
+    def source(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        The party that generated this notification. Note that the value of NSRC_GOOGLE has been
+        deprecated in favor of GOOGLE. Can take the following value:
+        - GOOGLE: this notification as generated by Google.
+        """
+        return pulumi.get(self, "source")
+
+    @source.setter
+    def source(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "source", value)
+
+    @property
+    @pulumi.getter(name="startTime")
+    def start_time(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        Scheduled start time for the outage (milliseconds since Unix epoch).
+        """
+        return pulumi.get(self, "start_time")
+
+    @start_time.setter
+    def start_time(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "start_time", value)
+
+    @property
+    @pulumi.getter
+    def state(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        State of this notification. Note that the versions of this enum prefixed with "NS_" have
+        been deprecated in favor of the unprefixed values. Can take one of the following values:
+        - ACTIVE: This outage notification is active. The event could be in the past, present,
+        or future. See startTime and endTime for scheduling.
+        - CANCELLED: The outage associated with this notification was cancelled before the
+        outage was due to start.
+        - COMPLETED: The outage associated with this notification is complete.
+        """
+        return pulumi.get(self, "state")
+
+    @state.setter
+    def state(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "state", value)
+
+
+@pulumi.input_type
+class InterconnectMacsecArgs:
+    def __init__(__self__, *,
+                 pre_shared_keys: pulumi.Input[Sequence[pulumi.Input['InterconnectMacsecPreSharedKeyArgs']]]):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input['InterconnectMacsecPreSharedKeyArgs']]] pre_shared_keys: A keychain placeholder describing a set of named key objects along with their
+               start times. A MACsec CKN/CAK is generated for each key in the key chain.
+               Google router automatically picks the key with the most recent startTime when establishing
+               or re-establishing a MACsec secure link.
+               Structure is documented below.
+        """
+        pulumi.set(__self__, "pre_shared_keys", pre_shared_keys)
+
+    @property
+    @pulumi.getter(name="preSharedKeys")
+    def pre_shared_keys(self) -> pulumi.Input[Sequence[pulumi.Input['InterconnectMacsecPreSharedKeyArgs']]]:
+        """
+        A keychain placeholder describing a set of named key objects along with their
+        start times. A MACsec CKN/CAK is generated for each key in the key chain.
+        Google router automatically picks the key with the most recent startTime when establishing
+        or re-establishing a MACsec secure link.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "pre_shared_keys")
+
+    @pre_shared_keys.setter
+    def pre_shared_keys(self, value: pulumi.Input[Sequence[pulumi.Input['InterconnectMacsecPreSharedKeyArgs']]]):
+        pulumi.set(self, "pre_shared_keys", value)
+
+
+@pulumi.input_type
+class InterconnectMacsecPreSharedKeyArgs:
+    def __init__(__self__, *,
+                 name: pulumi.Input[str],
+                 fail_open: Optional[pulumi.Input[bool]] = None,
+                 start_time: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] name: A name for this pre-shared key. The name must be 1-63 characters long, and
+               comply with RFC1035. Specifically, the name must be 1-63 characters long and match
+               the regular expression `a-z?` which means the first character
+               must be a lowercase letter, and all following characters must be a dash, lowercase
+               letter, or digit, except the last character, which cannot be a dash.
+        :param pulumi.Input[bool] fail_open: If set to true, the Interconnect connection is configured with a should-secure
+               MACsec security policy, that allows the Google router to fallback to cleartext
+               traffic if the MKA session cannot be established. By default, the Interconnect
+               connection is configured with a must-secure security policy that drops all traffic
+               if the MKA session cannot be established with your router.
+        :param pulumi.Input[str] start_time: A RFC3339 timestamp on or after which the key is valid. startTime can be in the
+               future. If the keychain has a single key, startTime can be omitted. If the keychain
+               has multiple keys, startTime is mandatory for each key. The start times of keys must
+               be in increasing order. The start times of two consecutive keys must be at least 6
+               hours apart.
+        """
+        pulumi.set(__self__, "name", name)
+        if fail_open is not None:
+            pulumi.set(__self__, "fail_open", fail_open)
+        if start_time is not None:
+            pulumi.set(__self__, "start_time", start_time)
+
+    @property
+    @pulumi.getter
+    def name(self) -> pulumi.Input[str]:
+        """
+        A name for this pre-shared key. The name must be 1-63 characters long, and
+        comply with RFC1035. Specifically, the name must be 1-63 characters long and match
+        the regular expression `a-z?` which means the first character
+        must be a lowercase letter, and all following characters must be a dash, lowercase
+        letter, or digit, except the last character, which cannot be a dash.
+        """
+        return pulumi.get(self, "name")
+
+    @name.setter
+    def name(self, value: pulumi.Input[str]):
+        pulumi.set(self, "name", value)
+
+    @property
+    @pulumi.getter(name="failOpen")
+    def fail_open(self) -> Optional[pulumi.Input[bool]]:
+        """
+        If set to true, the Interconnect connection is configured with a should-secure
+        MACsec security policy, that allows the Google router to fallback to cleartext
+        traffic if the MKA session cannot be established. By default, the Interconnect
+        connection is configured with a must-secure security policy that drops all traffic
+        if the MKA session cannot be established with your router.
+        """
+        return pulumi.get(self, "fail_open")
+
+    @fail_open.setter
+    def fail_open(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "fail_open", value)
+
+    @property
+    @pulumi.getter(name="startTime")
+    def start_time(self) -> Optional[pulumi.Input[str]]:
+        """
+        A RFC3339 timestamp on or after which the key is valid. startTime can be in the
+        future. If the keychain has a single key, startTime can be omitted. If the keychain
+        has multiple keys, startTime is mandatory for each key. The start times of keys must
+        be in increasing order. The start times of two consecutive keys must be at least 6
+        hours apart.
+        """
+        return pulumi.get(self, "start_time")
+
+    @start_time.setter
+    def start_time(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "start_time", value)
+
+
 @pulumi.input_type
 class MachineImageIamBindingConditionArgs:
     def __init__(__self__, *,
@@ -17755,6 +18254,15 @@ class RegionHealthCheckGrpcHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, gRPC health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         if grpc_service_name is not None:
             pulumi.set(__self__, "grpc_service_name", grpc_service_name)
@@ -17814,6 +18322,15 @@ class RegionHealthCheckGrpcHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, gRPC health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -18003,6 +18520,15 @@ class RegionHealthCheckHttpHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, HTTP health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         :param pulumi.Input[str] proxy_header: Specifies the type of proxy header to append before sending data to the
                backend.
                Default value is `NONE`.
@@ -18074,6 +18600,15 @@ class RegionHealthCheckHttpHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, HTTP health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -18144,6 +18679,15 @@ class RegionHealthCheckHttpsHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, HTTPS health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         :param pulumi.Input[str] proxy_header: Specifies the type of proxy header to append before sending data to the
                backend.
                Default value is `NONE`.
@@ -18215,6 +18759,15 @@ class RegionHealthCheckHttpsHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, HTTPS health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -18306,6 +18859,15 @@ class RegionHealthCheckSslHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, HTTP2 health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         :param pulumi.Input[str] proxy_header: Specifies the type of proxy header to append before sending data to the
                backend.
                Default value is `NONE`.
@@ -18363,6 +18925,15 @@ class RegionHealthCheckSslHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, HTTP2 health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -18431,6 +19002,15 @@ class RegionHealthCheckTcpHealthCheckArgs:
                port_name are defined, port takes precedence.
         :param pulumi.Input[str] port_specification: Specifies how port is selected for health checking, can be one of the
                following values:
+               * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+               * `USE_NAMED_PORT`: The `portName` is used for health checking.
+               * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+               network endpoint is used for health checking. For other backends, the
+               port or named port specified in the Backend Service is used for health
+               checking.
+               If not specified, TCP health check follows behavior specified in `port` and
+               `portName` fields.
+               Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         :param pulumi.Input[str] proxy_header: Specifies the type of proxy header to append before sending data to the
                backend.
                Default value is `NONE`.
@@ -18488,6 +19068,15 @@ class RegionHealthCheckTcpHealthCheckArgs:
         """
         Specifies how port is selected for health checking, can be one of the
         following values:
+        * `USE_FIXED_PORT`: The port number in `port` is used for health checking.
+        * `USE_NAMED_PORT`: The `portName` is used for health checking.
+        * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each
+        network endpoint is used for health checking. For other backends, the
+        port or named port specified in the Backend Service is used for health
+        checking.
+        If not specified, TCP health check follows behavior specified in `port` and
+        `portName` fields.
+        Possible values are: `USE_FIXED_PORT`, `USE_NAMED_PORT`, `USE_SERVING_PORT`.
         """
         return pulumi.get(self, "port_specification")
 
@@ -21914,17 +22503,22 @@ class RegionSecurityPolicyDdosProtectionConfigArgs:
 class RegionSecurityPolicyRuleMatchArgs:
     def __init__(__self__, *,
                  config: Optional[pulumi.Input['RegionSecurityPolicyRuleMatchConfigArgs']] = None,
+                 expr: Optional[pulumi.Input['RegionSecurityPolicyRuleMatchExprArgs']] = None,
                  versioned_expr: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input['RegionSecurityPolicyRuleMatchConfigArgs'] config: The configuration options available when specifying versionedExpr.
                This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
                Structure is documented below.
+        :param pulumi.Input['RegionSecurityPolicyRuleMatchExprArgs'] expr: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header.
+               Structure is documented below.
         :param pulumi.Input[str] versioned_expr: Preconfigured versioned expression. If this field is specified, config must also be specified.
                Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding srcIpRange field in config.
                Possible values are: `SRC_IPS_V1`.
         """
         if config is not None:
             pulumi.set(__self__, "config", config)
+        if expr is not None:
+            pulumi.set(__self__, "expr", expr)
         if versioned_expr is not None:
             pulumi.set(__self__, "versioned_expr", versioned_expr)
 
@@ -21942,6 +22536,19 @@ class RegionSecurityPolicyRuleMatchArgs:
     def config(self, value: Optional[pulumi.Input['RegionSecurityPolicyRuleMatchConfigArgs']]):
         pulumi.set(self, "config", value)
 
+    @property
+    @pulumi.getter
+    def expr(self) -> Optional[pulumi.Input['RegionSecurityPolicyRuleMatchExprArgs']]:
+        """
+        User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "expr")
+
+    @expr.setter
+    def expr(self, value: Optional[pulumi.Input['RegionSecurityPolicyRuleMatchExprArgs']]):
+        pulumi.set(self, "expr", value)
+
     @property
     @pulumi.getter(name="versionedExpr")
     def versioned_expr(self) -> Optional[pulumi.Input[str]]:
@@ -21980,6 +22587,28 @@ class RegionSecurityPolicyRuleMatchConfigArgs:
         pulumi.set(self, "src_ip_ranges", value)
 
 
+@pulumi.input_type
+class RegionSecurityPolicyRuleMatchExprArgs:
+    def __init__(__self__, *,
+                 expression: pulumi.Input[str]):
+        """
+        :param pulumi.Input[str] expression: Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
+        """
+        pulumi.set(__self__, "expression", expression)
+
+    @property
+    @pulumi.getter
+    def expression(self) -> pulumi.Input[str]:
+        """
+        Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
+        """
+        return pulumi.get(self, "expression")
+
+    @expression.setter
+    def expression(self, value: pulumi.Input[str]):
+        pulumi.set(self, "expression", value)
+
+
 @pulumi.input_type
 class RegionSecurityPolicyRuleNetworkMatchArgs:
     def __init__(__self__, *,
@@ -22157,58 +22786,737 @@ class RegionSecurityPolicyRuleNetworkMatchUserDefinedFieldArgs:
 
 
 @pulumi.input_type
-class RegionSecurityPolicyUserDefinedFieldArgs:
+class RegionSecurityPolicyRulePreconfiguredWafConfigArgs:
     def __init__(__self__, *,
-                 base: pulumi.Input[str],
-                 mask: Optional[pulumi.Input[str]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 offset: Optional[pulumi.Input[int]] = None,
-                 size: Optional[pulumi.Input[int]] = None):
+                 exclusions: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionArgs']]]] = None):
         """
-        :param pulumi.Input[str] base: The base relative to which 'offset' is measured. Possible values are:
-               - IPV4: Points to the beginning of the IPv4 header.
-               - IPV6: Points to the beginning of the IPv6 header.
-               - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
-               - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
-               Possible values are: `IPV4`, `IPV6`, `TCP`, `UDP`.
-        :param pulumi.Input[str] mask: If specified, apply this mask (bitwise AND) to the field to ignore bits before matching.
-               Encoded as a hexadecimal number (starting with "0x").
-               The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
-        :param pulumi.Input[str] name: The name of this field. Must be unique within the policy.
-        :param pulumi.Input[int] offset: Offset of the first byte of the field (in network byte order) relative to 'base'.
-        :param pulumi.Input[int] size: Size of the field in bytes. Valid values: 1-4.
+        :param pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionArgs']]] exclusions: An exclusion to apply during preconfigured WAF evaluation.
+               Structure is documented below.
         """
-        pulumi.set(__self__, "base", base)
-        if mask is not None:
-            pulumi.set(__self__, "mask", mask)
-        if name is not None:
-            pulumi.set(__self__, "name", name)
-        if offset is not None:
-            pulumi.set(__self__, "offset", offset)
-        if size is not None:
-            pulumi.set(__self__, "size", size)
+        if exclusions is not None:
+            pulumi.set(__self__, "exclusions", exclusions)
 
     @property
     @pulumi.getter
-    def base(self) -> pulumi.Input[str]:
+    def exclusions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionArgs']]]]:
         """
-        The base relative to which 'offset' is measured. Possible values are:
-        - IPV4: Points to the beginning of the IPv4 header.
-        - IPV6: Points to the beginning of the IPv6 header.
-        - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
-        - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
-        Possible values are: `IPV4`, `IPV6`, `TCP`, `UDP`.
+        An exclusion to apply during preconfigured WAF evaluation.
+        Structure is documented below.
         """
-        return pulumi.get(self, "base")
+        return pulumi.get(self, "exclusions")
 
-    @base.setter
-    def base(self, value: pulumi.Input[str]):
-        pulumi.set(self, "base", value)
+    @exclusions.setter
+    def exclusions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionArgs']]]]):
+        pulumi.set(self, "exclusions", value)
 
-    @property
-    @pulumi.getter
-    def mask(self) -> Optional[pulumi.Input[str]]:
-        """
+
+@pulumi.input_type
+class RegionSecurityPolicyRulePreconfiguredWafConfigExclusionArgs:
+    def __init__(__self__, *,
+                 target_rule_set: pulumi.Input[str],
+                 request_cookies: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCookyArgs']]]] = None,
+                 request_headers: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeaderArgs']]]] = None,
+                 request_query_params: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParamArgs']]]] = None,
+                 request_uris: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUriArgs']]]] = None,
+                 target_rule_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+        """
+        :param pulumi.Input[str] target_rule_set: Target WAF rule set to apply the preconfigured WAF exclusion.
+        :param pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCookyArgs']]] request_cookies: Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeaderArgs']]] request_headers: Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParamArgs']]] request_query_params: Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation.
+               Note that the parameter can be in the query string or in the POST body.
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUriArgs']]] request_uris: Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation.
+               When specifying this field, the query or fragment part should be excluded.
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] target_rule_ids: A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion.
+               If omitted, it refers to all the rule IDs under the WAF rule set.
+        """
+        pulumi.set(__self__, "target_rule_set", target_rule_set)
+        if request_cookies is not None:
+            pulumi.set(__self__, "request_cookies", request_cookies)
+        if request_headers is not None:
+            pulumi.set(__self__, "request_headers", request_headers)
+        if request_query_params is not None:
+            pulumi.set(__self__, "request_query_params", request_query_params)
+        if request_uris is not None:
+            pulumi.set(__self__, "request_uris", request_uris)
+        if target_rule_ids is not None:
+            pulumi.set(__self__, "target_rule_ids", target_rule_ids)
+
+    @property
+    @pulumi.getter(name="targetRuleSet")
+    def target_rule_set(self) -> pulumi.Input[str]:
+        """
+        Target WAF rule set to apply the preconfigured WAF exclusion.
+        """
+        return pulumi.get(self, "target_rule_set")
+
+    @target_rule_set.setter
+    def target_rule_set(self, value: pulumi.Input[str]):
+        pulumi.set(self, "target_rule_set", value)
+
+    @property
+    @pulumi.getter(name="requestCookies")
+    def request_cookies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCookyArgs']]]]:
+        """
+        Request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "request_cookies")
+
+    @request_cookies.setter
+    def request_cookies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCookyArgs']]]]):
+        pulumi.set(self, "request_cookies", value)
+
+    @property
+    @pulumi.getter(name="requestHeaders")
+    def request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeaderArgs']]]]:
+        """
+        Request header whose value will be excluded from inspection during preconfigured WAF evaluation.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "request_headers")
+
+    @request_headers.setter
+    def request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeaderArgs']]]]):
+        pulumi.set(self, "request_headers", value)
+
+    @property
+    @pulumi.getter(name="requestQueryParams")
+    def request_query_params(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParamArgs']]]]:
+        """
+        Request query parameter whose value will be excluded from inspection during preconfigured WAF evaluation.
+        Note that the parameter can be in the query string or in the POST body.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "request_query_params")
+
+    @request_query_params.setter
+    def request_query_params(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParamArgs']]]]):
+        pulumi.set(self, "request_query_params", value)
+
+    @property
+    @pulumi.getter(name="requestUris")
+    def request_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUriArgs']]]]:
+        """
+        Request URI from the request line to be excluded from inspection during preconfigured WAF evaluation.
+        When specifying this field, the query or fragment part should be excluded.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "request_uris")
+
+    @request_uris.setter
+    def request_uris(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUriArgs']]]]):
+        pulumi.set(self, "request_uris", value)
+
+    @property
+    @pulumi.getter(name="targetRuleIds")
+    def target_rule_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion.
+        If omitted, it refers to all the rule IDs under the WAF rule set.
+        """
+        return pulumi.get(self, "target_rule_ids")
+
+    @target_rule_ids.setter
+    def target_rule_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "target_rule_ids", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestCookyArgs:
+    def __init__(__self__, *,
+                 operator: pulumi.Input[str],
+                 value: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] operator: You can specify an exact match or a partial match by using a field operator and a field value.
+               Available options:
+               EQUALS: The operator matches if the field value equals the specified value.
+               STARTS_WITH: The operator matches if the field value starts with the specified value.
+               ENDS_WITH: The operator matches if the field value ends with the specified value.
+               CONTAINS: The operator matches if the field value contains the specified value.
+               EQUALS_ANY: The operator matches if the field value is any value.
+               Possible values are: `CONTAINS`, `ENDS_WITH`, `EQUALS`, `EQUALS_ANY`, `STARTS_WITH`.
+        :param pulumi.Input[str] value: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
+               The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.
+        """
+        pulumi.set(__self__, "operator", operator)
+        if value is not None:
+            pulumi.set(__self__, "value", value)
+
+    @property
+    @pulumi.getter
+    def operator(self) -> pulumi.Input[str]:
+        """
+        You can specify an exact match or a partial match by using a field operator and a field value.
+        Available options:
+        EQUALS: The operator matches if the field value equals the specified value.
+        STARTS_WITH: The operator matches if the field value starts with the specified value.
+        ENDS_WITH: The operator matches if the field value ends with the specified value.
+        CONTAINS: The operator matches if the field value contains the specified value.
+        EQUALS_ANY: The operator matches if the field value is any value.
+        Possible values are: `CONTAINS`, `ENDS_WITH`, `EQUALS`, `EQUALS_ANY`, `STARTS_WITH`.
+        """
+        return pulumi.get(self, "operator")
+
+    @operator.setter
+    def operator(self, value: pulumi.Input[str]):
+        pulumi.set(self, "operator", value)
+
+    @property
+    @pulumi.getter
+    def value(self) -> Optional[pulumi.Input[str]]:
+        """
+        A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
+        The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.
+        """
+        return pulumi.get(self, "value")
+
+    @value.setter
+    def value(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "value", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestHeaderArgs:
+    def __init__(__self__, *,
+                 operator: pulumi.Input[str],
+                 value: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] operator: You can specify an exact match or a partial match by using a field operator and a field value.
+               Available options:
+               EQUALS: The operator matches if the field value equals the specified value.
+               STARTS_WITH: The operator matches if the field value starts with the specified value.
+               ENDS_WITH: The operator matches if the field value ends with the specified value.
+               CONTAINS: The operator matches if the field value contains the specified value.
+               EQUALS_ANY: The operator matches if the field value is any value.
+               Possible values are: `CONTAINS`, `ENDS_WITH`, `EQUALS`, `EQUALS_ANY`, `STARTS_WITH`.
+        :param pulumi.Input[str] value: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
+               The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.
+        """
+        pulumi.set(__self__, "operator", operator)
+        if value is not None:
+            pulumi.set(__self__, "value", value)
+
+    @property
+    @pulumi.getter
+    def operator(self) -> pulumi.Input[str]:
+        """
+        You can specify an exact match or a partial match by using a field operator and a field value.
+        Available options:
+        EQUALS: The operator matches if the field value equals the specified value.
+        STARTS_WITH: The operator matches if the field value starts with the specified value.
+        ENDS_WITH: The operator matches if the field value ends with the specified value.
+        CONTAINS: The operator matches if the field value contains the specified value.
+        EQUALS_ANY: The operator matches if the field value is any value.
+        Possible values are: `CONTAINS`, `ENDS_WITH`, `EQUALS`, `EQUALS_ANY`, `STARTS_WITH`.
+        """
+        return pulumi.get(self, "operator")
+
+    @operator.setter
+    def operator(self, value: pulumi.Input[str]):
+        pulumi.set(self, "operator", value)
+
+    @property
+    @pulumi.getter
+    def value(self) -> Optional[pulumi.Input[str]]:
+        """
+        A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
+        The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.
+        """
+        return pulumi.get(self, "value")
+
+    @value.setter
+    def value(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "value", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestQueryParamArgs:
+    def __init__(__self__, *,
+                 operator: pulumi.Input[str],
+                 value: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] operator: You can specify an exact match or a partial match by using a field operator and a field value.
+               Available options:
+               EQUALS: The operator matches if the field value equals the specified value.
+               STARTS_WITH: The operator matches if the field value starts with the specified value.
+               ENDS_WITH: The operator matches if the field value ends with the specified value.
+               CONTAINS: The operator matches if the field value contains the specified value.
+               EQUALS_ANY: The operator matches if the field value is any value.
+               Possible values are: `CONTAINS`, `ENDS_WITH`, `EQUALS`, `EQUALS_ANY`, `STARTS_WITH`.
+        :param pulumi.Input[str] value: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
+               The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.
+        """
+        pulumi.set(__self__, "operator", operator)
+        if value is not None:
+            pulumi.set(__self__, "value", value)
+
+    @property
+    @pulumi.getter
+    def operator(self) -> pulumi.Input[str]:
+        """
+        You can specify an exact match or a partial match by using a field operator and a field value.
+        Available options:
+        EQUALS: The operator matches if the field value equals the specified value.
+        STARTS_WITH: The operator matches if the field value starts with the specified value.
+        ENDS_WITH: The operator matches if the field value ends with the specified value.
+        CONTAINS: The operator matches if the field value contains the specified value.
+        EQUALS_ANY: The operator matches if the field value is any value.
+        Possible values are: `CONTAINS`, `ENDS_WITH`, `EQUALS`, `EQUALS_ANY`, `STARTS_WITH`.
+        """
+        return pulumi.get(self, "operator")
+
+    @operator.setter
+    def operator(self, value: pulumi.Input[str]):
+        pulumi.set(self, "operator", value)
+
+    @property
+    @pulumi.getter
+    def value(self) -> Optional[pulumi.Input[str]]:
+        """
+        A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
+        The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.
+        """
+        return pulumi.get(self, "value")
+
+    @value.setter
+    def value(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "value", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyRulePreconfiguredWafConfigExclusionRequestUriArgs:
+    def __init__(__self__, *,
+                 operator: pulumi.Input[str],
+                 value: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] operator: You can specify an exact match or a partial match by using a field operator and a field value.
+               Available options:
+               EQUALS: The operator matches if the field value equals the specified value.
+               STARTS_WITH: The operator matches if the field value starts with the specified value.
+               ENDS_WITH: The operator matches if the field value ends with the specified value.
+               CONTAINS: The operator matches if the field value contains the specified value.
+               EQUALS_ANY: The operator matches if the field value is any value.
+               Possible values are: `CONTAINS`, `ENDS_WITH`, `EQUALS`, `EQUALS_ANY`, `STARTS_WITH`.
+        :param pulumi.Input[str] value: A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
+               The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.
+        """
+        pulumi.set(__self__, "operator", operator)
+        if value is not None:
+            pulumi.set(__self__, "value", value)
+
+    @property
+    @pulumi.getter
+    def operator(self) -> pulumi.Input[str]:
+        """
+        You can specify an exact match or a partial match by using a field operator and a field value.
+        Available options:
+        EQUALS: The operator matches if the field value equals the specified value.
+        STARTS_WITH: The operator matches if the field value starts with the specified value.
+        ENDS_WITH: The operator matches if the field value ends with the specified value.
+        CONTAINS: The operator matches if the field value contains the specified value.
+        EQUALS_ANY: The operator matches if the field value is any value.
+        Possible values are: `CONTAINS`, `ENDS_WITH`, `EQUALS`, `EQUALS_ANY`, `STARTS_WITH`.
+        """
+        return pulumi.get(self, "operator")
+
+    @operator.setter
+    def operator(self, value: pulumi.Input[str]):
+        pulumi.set(self, "operator", value)
+
+    @property
+    @pulumi.getter
+    def value(self) -> Optional[pulumi.Input[str]]:
+        """
+        A request field matching the specified value will be excluded from inspection during preconfigured WAF evaluation.
+        The field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY.
+        """
+        return pulumi.get(self, "value")
+
+    @value.setter
+    def value(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "value", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyRuleRateLimitOptionsArgs:
+    def __init__(__self__, *,
+                 ban_duration_sec: Optional[pulumi.Input[int]] = None,
+                 ban_threshold: Optional[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsBanThresholdArgs']] = None,
+                 conform_action: Optional[pulumi.Input[str]] = None,
+                 enforce_on_key: Optional[pulumi.Input[str]] = None,
+                 enforce_on_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs']]]] = None,
+                 enforce_on_key_name: Optional[pulumi.Input[str]] = None,
+                 exceed_action: Optional[pulumi.Input[str]] = None,
+                 rate_limit_threshold: Optional[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs']] = None):
+        """
+        :param pulumi.Input[int] ban_duration_sec: Can only be specified if the action for the rule is "rate_based_ban".
+               If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
+        :param pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsBanThresholdArgs'] ban_threshold: Can only be specified if the action for the rule is "rate_based_ban".
+               If specified, the key will be banned for the configured 'banDurationSec' when the number of requests that exceed the 'rateLimitThreshold' also exceed this 'banThreshold'.
+               Structure is documented below.
+        :param pulumi.Input[str] conform_action: Action to take for requests that are under the configured rate limit threshold.
+               Valid option is "allow" only.
+        :param pulumi.Input[str] enforce_on_key: Determines the key to enforce the rateLimitThreshold on. Possible values are:
+               * ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured.
+               * IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
+               * HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
+               * XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
+               * HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
+               * HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
+               * SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
+               * REGION_CODE: The country/region from which the request originates.
+               * TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
+               * USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP.
+               Possible values are: `ALL`, `IP`, `HTTP_HEADER`, `XFF_IP`, `HTTP_COOKIE`, `HTTP_PATH`, `SNI`, `REGION_CODE`, `TLS_JA3_FINGERPRINT`, `USER_IP`.
+        :param pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs']]] enforce_on_key_configs: If specified, any combination of values of enforceOnKeyType/enforceOnKeyName is treated as the key on which ratelimit threshold/action is enforced.
+               You can specify up to 3 enforceOnKeyConfigs.
+               If enforceOnKeyConfigs is specified, enforceOnKey must not be specified.
+               Structure is documented below.
+        :param pulumi.Input[str] enforce_on_key_name: Rate limit key name applicable only for the following key types:
+               HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value.
+               HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
+        :param pulumi.Input[str] exceed_action: Action to take for requests that are above the configured rate limit threshold, to deny with a specified HTTP response code.
+               Valid options are deny(STATUS), where valid values for STATUS are 403, 404, 429, and 502.
+        :param pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs'] rate_limit_threshold: Threshold at which to begin ratelimiting.
+               Structure is documented below.
+        """
+        if ban_duration_sec is not None:
+            pulumi.set(__self__, "ban_duration_sec", ban_duration_sec)
+        if ban_threshold is not None:
+            pulumi.set(__self__, "ban_threshold", ban_threshold)
+        if conform_action is not None:
+            pulumi.set(__self__, "conform_action", conform_action)
+        if enforce_on_key is not None:
+            pulumi.set(__self__, "enforce_on_key", enforce_on_key)
+        if enforce_on_key_configs is not None:
+            pulumi.set(__self__, "enforce_on_key_configs", enforce_on_key_configs)
+        if enforce_on_key_name is not None:
+            pulumi.set(__self__, "enforce_on_key_name", enforce_on_key_name)
+        if exceed_action is not None:
+            pulumi.set(__self__, "exceed_action", exceed_action)
+        if rate_limit_threshold is not None:
+            pulumi.set(__self__, "rate_limit_threshold", rate_limit_threshold)
+
+    @property
+    @pulumi.getter(name="banDurationSec")
+    def ban_duration_sec(self) -> Optional[pulumi.Input[int]]:
+        """
+        Can only be specified if the action for the rule is "rate_based_ban".
+        If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
+        """
+        return pulumi.get(self, "ban_duration_sec")
+
+    @ban_duration_sec.setter
+    def ban_duration_sec(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "ban_duration_sec", value)
+
+    @property
+    @pulumi.getter(name="banThreshold")
+    def ban_threshold(self) -> Optional[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsBanThresholdArgs']]:
+        """
+        Can only be specified if the action for the rule is "rate_based_ban".
+        If specified, the key will be banned for the configured 'banDurationSec' when the number of requests that exceed the 'rateLimitThreshold' also exceed this 'banThreshold'.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "ban_threshold")
+
+    @ban_threshold.setter
+    def ban_threshold(self, value: Optional[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsBanThresholdArgs']]):
+        pulumi.set(self, "ban_threshold", value)
+
+    @property
+    @pulumi.getter(name="conformAction")
+    def conform_action(self) -> Optional[pulumi.Input[str]]:
+        """
+        Action to take for requests that are under the configured rate limit threshold.
+        Valid option is "allow" only.
+        """
+        return pulumi.get(self, "conform_action")
+
+    @conform_action.setter
+    def conform_action(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "conform_action", value)
+
+    @property
+    @pulumi.getter(name="enforceOnKey")
+    def enforce_on_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Determines the key to enforce the rateLimitThreshold on. Possible values are:
+        * ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured.
+        * IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
+        * HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
+        * XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
+        * HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
+        * HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
+        * SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
+        * REGION_CODE: The country/region from which the request originates.
+        * TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
+        * USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP.
+        Possible values are: `ALL`, `IP`, `HTTP_HEADER`, `XFF_IP`, `HTTP_COOKIE`, `HTTP_PATH`, `SNI`, `REGION_CODE`, `TLS_JA3_FINGERPRINT`, `USER_IP`.
+        """
+        return pulumi.get(self, "enforce_on_key")
+
+    @enforce_on_key.setter
+    def enforce_on_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "enforce_on_key", value)
+
+    @property
+    @pulumi.getter(name="enforceOnKeyConfigs")
+    def enforce_on_key_configs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs']]]]:
+        """
+        If specified, any combination of values of enforceOnKeyType/enforceOnKeyName is treated as the key on which ratelimit threshold/action is enforced.
+        You can specify up to 3 enforceOnKeyConfigs.
+        If enforceOnKeyConfigs is specified, enforceOnKey must not be specified.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "enforce_on_key_configs")
+
+    @enforce_on_key_configs.setter
+    def enforce_on_key_configs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs']]]]):
+        pulumi.set(self, "enforce_on_key_configs", value)
+
+    @property
+    @pulumi.getter(name="enforceOnKeyName")
+    def enforce_on_key_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        Rate limit key name applicable only for the following key types:
+        HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value.
+        HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
+        """
+        return pulumi.get(self, "enforce_on_key_name")
+
+    @enforce_on_key_name.setter
+    def enforce_on_key_name(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "enforce_on_key_name", value)
+
+    @property
+    @pulumi.getter(name="exceedAction")
+    def exceed_action(self) -> Optional[pulumi.Input[str]]:
+        """
+        Action to take for requests that are above the configured rate limit threshold, to deny with a specified HTTP response code.
+        Valid options are deny(STATUS), where valid values for STATUS are 403, 404, 429, and 502.
+        """
+        return pulumi.get(self, "exceed_action")
+
+    @exceed_action.setter
+    def exceed_action(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "exceed_action", value)
+
+    @property
+    @pulumi.getter(name="rateLimitThreshold")
+    def rate_limit_threshold(self) -> Optional[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs']]:
+        """
+        Threshold at which to begin ratelimiting.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "rate_limit_threshold")
+
+    @rate_limit_threshold.setter
+    def rate_limit_threshold(self, value: Optional[pulumi.Input['RegionSecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs']]):
+        pulumi.set(self, "rate_limit_threshold", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyRuleRateLimitOptionsBanThresholdArgs:
+    def __init__(__self__, *,
+                 count: Optional[pulumi.Input[int]] = None,
+                 interval_sec: Optional[pulumi.Input[int]] = None):
+        """
+        :param pulumi.Input[int] count: Number of HTTP(S) requests for calculating the threshold.
+        :param pulumi.Input[int] interval_sec: Interval over which the threshold is computed.
+        """
+        if count is not None:
+            pulumi.set(__self__, "count", count)
+        if interval_sec is not None:
+            pulumi.set(__self__, "interval_sec", interval_sec)
+
+    @property
+    @pulumi.getter
+    def count(self) -> Optional[pulumi.Input[int]]:
+        """
+        Number of HTTP(S) requests for calculating the threshold.
+        """
+        return pulumi.get(self, "count")
+
+    @count.setter
+    def count(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "count", value)
+
+    @property
+    @pulumi.getter(name="intervalSec")
+    def interval_sec(self) -> Optional[pulumi.Input[int]]:
+        """
+        Interval over which the threshold is computed.
+        """
+        return pulumi.get(self, "interval_sec")
+
+    @interval_sec.setter
+    def interval_sec(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "interval_sec", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs:
+    def __init__(__self__, *,
+                 enforce_on_key_name: Optional[pulumi.Input[str]] = None,
+                 enforce_on_key_type: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] enforce_on_key_name: Rate limit key name applicable only for the following key types:
+               HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value.
+               HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
+        :param pulumi.Input[str] enforce_on_key_type: Determines the key to enforce the rateLimitThreshold on. Possible values are:
+               * ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured.
+               * IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
+               * HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
+               * XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
+               * HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
+               * HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
+               * SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
+               * REGION_CODE: The country/region from which the request originates.
+               * TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
+               * USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP.
+               Possible values are: `ALL`, `IP`, `HTTP_HEADER`, `XFF_IP`, `HTTP_COOKIE`, `HTTP_PATH`, `SNI`, `REGION_CODE`, `TLS_JA3_FINGERPRINT`, `USER_IP`.
+        """
+        if enforce_on_key_name is not None:
+            pulumi.set(__self__, "enforce_on_key_name", enforce_on_key_name)
+        if enforce_on_key_type is not None:
+            pulumi.set(__self__, "enforce_on_key_type", enforce_on_key_type)
+
+    @property
+    @pulumi.getter(name="enforceOnKeyName")
+    def enforce_on_key_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        Rate limit key name applicable only for the following key types:
+        HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value.
+        HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value.
+        """
+        return pulumi.get(self, "enforce_on_key_name")
+
+    @enforce_on_key_name.setter
+    def enforce_on_key_name(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "enforce_on_key_name", value)
+
+    @property
+    @pulumi.getter(name="enforceOnKeyType")
+    def enforce_on_key_type(self) -> Optional[pulumi.Input[str]]:
+        """
+        Determines the key to enforce the rateLimitThreshold on. Possible values are:
+        * ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured.
+        * IP: The source IP address of the request is the key. Each IP has this limit enforced separately.
+        * HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL.
+        * XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP.
+        * HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL.
+        * HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes.
+        * SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session.
+        * REGION_CODE: The country/region from which the request originates.
+        * TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
+        * USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP.
+        Possible values are: `ALL`, `IP`, `HTTP_HEADER`, `XFF_IP`, `HTTP_COOKIE`, `HTTP_PATH`, `SNI`, `REGION_CODE`, `TLS_JA3_FINGERPRINT`, `USER_IP`.
+        """
+        return pulumi.get(self, "enforce_on_key_type")
+
+    @enforce_on_key_type.setter
+    def enforce_on_key_type(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "enforce_on_key_type", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs:
+    def __init__(__self__, *,
+                 count: Optional[pulumi.Input[int]] = None,
+                 interval_sec: Optional[pulumi.Input[int]] = None):
+        """
+        :param pulumi.Input[int] count: Number of HTTP(S) requests for calculating the threshold.
+        :param pulumi.Input[int] interval_sec: Interval over which the threshold is computed.
+        """
+        if count is not None:
+            pulumi.set(__self__, "count", count)
+        if interval_sec is not None:
+            pulumi.set(__self__, "interval_sec", interval_sec)
+
+    @property
+    @pulumi.getter
+    def count(self) -> Optional[pulumi.Input[int]]:
+        """
+        Number of HTTP(S) requests for calculating the threshold.
+        """
+        return pulumi.get(self, "count")
+
+    @count.setter
+    def count(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "count", value)
+
+    @property
+    @pulumi.getter(name="intervalSec")
+    def interval_sec(self) -> Optional[pulumi.Input[int]]:
+        """
+        Interval over which the threshold is computed.
+        """
+        return pulumi.get(self, "interval_sec")
+
+    @interval_sec.setter
+    def interval_sec(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "interval_sec", value)
+
+
+@pulumi.input_type
+class RegionSecurityPolicyUserDefinedFieldArgs:
+    def __init__(__self__, *,
+                 base: pulumi.Input[str],
+                 mask: Optional[pulumi.Input[str]] = None,
+                 name: Optional[pulumi.Input[str]] = None,
+                 offset: Optional[pulumi.Input[int]] = None,
+                 size: Optional[pulumi.Input[int]] = None):
+        """
+        :param pulumi.Input[str] base: The base relative to which 'offset' is measured. Possible values are:
+               - IPV4: Points to the beginning of the IPv4 header.
+               - IPV6: Points to the beginning of the IPv6 header.
+               - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
+               - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
+               Possible values are: `IPV4`, `IPV6`, `TCP`, `UDP`.
+        :param pulumi.Input[str] mask: If specified, apply this mask (bitwise AND) to the field to ignore bits before matching.
+               Encoded as a hexadecimal number (starting with "0x").
+               The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
+        :param pulumi.Input[str] name: The name of this field. Must be unique within the policy.
+        :param pulumi.Input[int] offset: Offset of the first byte of the field (in network byte order) relative to 'base'.
+        :param pulumi.Input[int] size: Size of the field in bytes. Valid values: 1-4.
+        """
+        pulumi.set(__self__, "base", base)
+        if mask is not None:
+            pulumi.set(__self__, "mask", mask)
+        if name is not None:
+            pulumi.set(__self__, "name", name)
+        if offset is not None:
+            pulumi.set(__self__, "offset", offset)
+        if size is not None:
+            pulumi.set(__self__, "size", size)
+
+    @property
+    @pulumi.getter
+    def base(self) -> pulumi.Input[str]:
+        """
+        The base relative to which 'offset' is measured. Possible values are:
+        - IPV4: Points to the beginning of the IPv4 header.
+        - IPV6: Points to the beginning of the IPv6 header.
+        - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
+        - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.
+        Possible values are: `IPV4`, `IPV6`, `TCP`, `UDP`.
+        """
+        return pulumi.get(self, "base")
+
+    @base.setter
+    def base(self, value: pulumi.Input[str]):
+        pulumi.set(self, "base", value)
+
+    @property
+    @pulumi.getter
+    def mask(self) -> Optional[pulumi.Input[str]]:
+        """
         If specified, apply this mask (bitwise AND) to the field to ignore bits before matching.
         Encoded as a hexadecimal number (starting with "0x").
         The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.
@@ -28894,7 +30202,11 @@ class SecurityPolicyAdvancedOptionsConfigArgs:
         :param pulumi.Input['SecurityPolicyAdvancedOptionsConfigJsonCustomConfigArgs'] json_custom_config: Custom configuration to apply the JSON parsing. Only applicable when
                `json_parsing` is set to `STANDARD`. Structure is documented below.
         :param pulumi.Input[str] json_parsing: Whether or not to JSON parse the payload body. Defaults to `DISABLED`.
+               * `DISABLED` - Don't parse JSON payloads in POST bodies.
+               * `STANDARD` - Parse JSON payloads in POST bodies.
         :param pulumi.Input[str] log_level: Log level to use. Defaults to `NORMAL`.
+               * `NORMAL` - Normal log level.
+               * `VERBOSE` - Verbose log level.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] user_ip_request_headers: An optional list of case-insensitive request header names to use for resolving the callers client IP address.
         """
         if json_custom_config is not None:
@@ -28924,6 +30236,8 @@ class SecurityPolicyAdvancedOptionsConfigArgs:
     def json_parsing(self) -> Optional[pulumi.Input[str]]:
         """
         Whether or not to JSON parse the payload body. Defaults to `DISABLED`.
+        * `DISABLED` - Don't parse JSON payloads in POST bodies.
+        * `STANDARD` - Parse JSON payloads in POST bodies.
         """
         return pulumi.get(self, "json_parsing")
 
@@ -28936,6 +30250,8 @@ class SecurityPolicyAdvancedOptionsConfigArgs:
     def log_level(self) -> Optional[pulumi.Input[str]]:
         """
         Log level to use. Defaults to `NORMAL`.
+        * `NORMAL` - Normal log level.
+        * `VERBOSE` - Verbose log level.
         """
         return pulumi.get(self, "log_level")
 
@@ -29702,10 +31018,22 @@ class SecurityPolicyRuleRateLimitOptionsArgs:
                If specified, the key will be banned for the configured `ban_duration_sec` when the number of requests that exceed the `rate_limit_threshold` also
                exceed this `ban_threshold`. Structure is documented below.
         :param pulumi.Input[str] enforce_on_key: Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to `ALL`.
+               
+               * `ALL`: A single rate limit threshold is applied to all the requests matching this rule.
+               * `IP`: The source IP address of the request is the key. Each IP has this limit enforced separately.
+               * `HTTP_HEADER`: The value of the HTTP header whose name is configured under `enforce_on_key_name`. The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to `ALL`.
+               * `XFF_IP`: The first IP address (i.e. the originating client IP address) specified in the list of IPs under `X-Forwarded-For` HTTP header. If no such header is present or the value is not a valid IP, the key type defaults to `ALL`.
+               * `HTTP_COOKIE`: The value of the HTTP cookie whose name is configured under `enforce_on_key_name`. The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to `ALL`.
+               * `HTTP_PATH`: The URL path of the HTTP request. The key value is truncated to the first 128 bytes
+               * `SNI`: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to `ALL` on a HTTP session.
+               * `REGION_CODE`: The country/region from which the request originates.
         :param pulumi.Input[Sequence[pulumi.Input['SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs']]] enforce_on_key_configs: If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which rate limit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If `enforce_on_key_configs` is specified, `enforce_on_key` must be set to an empty string. Structure is documented below.
                
                **Note:** To avoid the conflict between `enforce_on_key` and `enforce_on_key_configs`, the field `enforce_on_key` needs to be set to an empty string.
         :param pulumi.Input[str] enforce_on_key_name: Rate limit key name applicable only for the following key types:
+               
+               * `HTTP_HEADER` -- Name of the HTTP header whose value is taken as the key value.
+               * `HTTP_COOKIE` -- Name of the HTTP cookie whose value is taken as the key value.
         :param pulumi.Input['SecurityPolicyRuleRateLimitOptionsExceedRedirectOptionsArgs'] exceed_redirect_options: Parameters defining the redirect action that is used as the exceed action. Cannot be specified if the exceed action is not redirect.
         """
         pulumi.set(__self__, "conform_action", conform_action)
@@ -29793,6 +31121,15 @@ class SecurityPolicyRuleRateLimitOptionsArgs:
     def enforce_on_key(self) -> Optional[pulumi.Input[str]]:
         """
         Determines the key to enforce the rate_limit_threshold on. If not specified, defaults to `ALL`.
+
+        * `ALL`: A single rate limit threshold is applied to all the requests matching this rule.
+        * `IP`: The source IP address of the request is the key. Each IP has this limit enforced separately.
+        * `HTTP_HEADER`: The value of the HTTP header whose name is configured under `enforce_on_key_name`. The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to `ALL`.
+        * `XFF_IP`: The first IP address (i.e. the originating client IP address) specified in the list of IPs under `X-Forwarded-For` HTTP header. If no such header is present or the value is not a valid IP, the key type defaults to `ALL`.
+        * `HTTP_COOKIE`: The value of the HTTP cookie whose name is configured under `enforce_on_key_name`. The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to `ALL`.
+        * `HTTP_PATH`: The URL path of the HTTP request. The key value is truncated to the first 128 bytes
+        * `SNI`: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to `ALL` on a HTTP session.
+        * `REGION_CODE`: The country/region from which the request originates.
         """
         return pulumi.get(self, "enforce_on_key")
 
@@ -29819,6 +31156,9 @@ class SecurityPolicyRuleRateLimitOptionsArgs:
     def enforce_on_key_name(self) -> Optional[pulumi.Input[str]]:
         """
         Rate limit key name applicable only for the following key types:
+
+        * `HTTP_HEADER` -- Name of the HTTP header whose value is taken as the key value.
+        * `HTTP_COOKIE` -- Name of the HTTP cookie whose value is taken as the key value.
         """
         return pulumi.get(self, "enforce_on_key_name")
 
@@ -29883,7 +31223,19 @@ class SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs:
                  enforce_on_key_type: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] enforce_on_key_name: Rate limit key name applicable only for the following key types:
+               
+               * `HTTP_HEADER` -- Name of the HTTP header whose value is taken as the key value.
+               * `HTTP_COOKIE` -- Name of the HTTP cookie whose value is taken as the key value.
         :param pulumi.Input[str] enforce_on_key_type: Determines the key to enforce the `rate_limit_threshold` on. If not specified, defaults to `ALL`.
+               
+               * `ALL`: A single rate limit threshold is applied to all the requests matching this rule.
+               * `IP`: The source IP address of the request is the key. Each IP has this limit enforced separately.
+               * `HTTP_HEADER`: The value of the HTTP header whose name is configured on `enforce_on_key_name`. The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to `ALL`.
+               * `XFF_IP`: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key type defaults to `ALL`.
+               * `HTTP_COOKIE`: The value of the HTTP cookie whose name is configured under `enforce_on_key_name`. The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to `ALL`.
+               * `HTTP_PATH`: The URL path of the HTTP request. The key value is truncated to the first 128 bytes
+               * `SNI`: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to `ALL` on a HTTP session.
+               * `REGION_CODE`: The country/region from which the request originates.
         """
         if enforce_on_key_name is not None:
             pulumi.set(__self__, "enforce_on_key_name", enforce_on_key_name)
@@ -29895,6 +31247,9 @@ class SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs:
     def enforce_on_key_name(self) -> Optional[pulumi.Input[str]]:
         """
         Rate limit key name applicable only for the following key types:
+
+        * `HTTP_HEADER` -- Name of the HTTP header whose value is taken as the key value.
+        * `HTTP_COOKIE` -- Name of the HTTP cookie whose value is taken as the key value.
         """
         return pulumi.get(self, "enforce_on_key_name")
 
@@ -29907,6 +31262,15 @@ class SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigArgs:
     def enforce_on_key_type(self) -> Optional[pulumi.Input[str]]:
         """
         Determines the key to enforce the `rate_limit_threshold` on. If not specified, defaults to `ALL`.
+
+        * `ALL`: A single rate limit threshold is applied to all the requests matching this rule.
+        * `IP`: The source IP address of the request is the key. Each IP has this limit enforced separately.
+        * `HTTP_HEADER`: The value of the HTTP header whose name is configured on `enforce_on_key_name`. The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to `ALL`.
+        * `XFF_IP`: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key type defaults to `ALL`.
+        * `HTTP_COOKIE`: The value of the HTTP cookie whose name is configured under `enforce_on_key_name`. The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to `ALL`.
+        * `HTTP_PATH`: The URL path of the HTTP request. The key value is truncated to the first 128 bytes
+        * `SNI`: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to `ALL` on a HTTP session.
+        * `REGION_CODE`: The country/region from which the request originates.
         """
         return pulumi.get(self, "enforce_on_key_type")
 
@@ -29997,6 +31361,9 @@ class SecurityPolicyRuleRedirectOptionsArgs:
                  target: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] type: Type of redirect action.
+               
+               * `EXTERNAL_302`: Redirect to an external address, configured in `target`.
+               * `GOOGLE_RECAPTCHA`: Redirect to Google reCAPTCHA.
         :param pulumi.Input[str] target: External redirection target when `EXTERNAL_302` is set in `type`.
         """
         pulumi.set(__self__, "type", type)
@@ -30008,6 +31375,9 @@ class SecurityPolicyRuleRedirectOptionsArgs:
     def type(self) -> pulumi.Input[str]:
         """
         Type of redirect action.
+
+        * `EXTERNAL_302`: Redirect to an external address, configured in `target`.
+        * `GOOGLE_RECAPTCHA`: Redirect to Google reCAPTCHA.
         """
         return pulumi.get(self, "type")