pulumi-gcp 8.23.0a1742538920__py3-none-any.whl → 8.24.0__py3-none-any.whl

pulumi_gcp/networksecurity/_inputs.py

@@ -59,6 +59,18 @@ __all__ = [
     'AuthzPolicyHttpRuleFromSourceResourceTagValueIdSetArgsDict',
     'AuthzPolicyHttpRuleToArgs',
     'AuthzPolicyHttpRuleToArgsDict',
+    'AuthzPolicyHttpRuleToNotOperationArgs',
+    'AuthzPolicyHttpRuleToNotOperationArgsDict',
+    'AuthzPolicyHttpRuleToNotOperationHeaderSetArgs',
+    'AuthzPolicyHttpRuleToNotOperationHeaderSetArgsDict',
+    'AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgs',
+    'AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgsDict',
+    'AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgs',
+    'AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgsDict',
+    'AuthzPolicyHttpRuleToNotOperationHostArgs',
+    'AuthzPolicyHttpRuleToNotOperationHostArgsDict',
+    'AuthzPolicyHttpRuleToNotOperationPathArgs',
+    'AuthzPolicyHttpRuleToNotOperationPathArgsDict',
     'AuthzPolicyHttpRuleToOperationArgs',
     'AuthzPolicyHttpRuleToOperationArgsDict',
     'AuthzPolicyHttpRuleToOperationHeaderSetArgs',
@@ -87,8 +99,18 @@ __all__ = [
     'ClientTlsPolicyServerValidationCaGrpcEndpointArgsDict',
     'InterceptDeploymentGroupConnectedEndpointGroupArgs',
     'InterceptDeploymentGroupConnectedEndpointGroupArgsDict',
+    'InterceptDeploymentGroupLocationArgs',
+    'InterceptDeploymentGroupLocationArgsDict',
+    'InterceptEndpointGroupAssociationArgs',
+    'InterceptEndpointGroupAssociationArgsDict',
+    'InterceptEndpointGroupAssociationLocationArgs',
+    'InterceptEndpointGroupAssociationLocationArgsDict',
     'InterceptEndpointGroupAssociationLocationsDetailArgs',
     'InterceptEndpointGroupAssociationLocationsDetailArgsDict',
+    'InterceptEndpointGroupConnectedDeploymentGroupArgs',
+    'InterceptEndpointGroupConnectedDeploymentGroupArgsDict',
+    'InterceptEndpointGroupConnectedDeploymentGroupLocationArgs',
+    'InterceptEndpointGroupConnectedDeploymentGroupLocationArgsDict',
     'MirroringDeploymentGroupConnectedEndpointGroupArgs',
     'MirroringDeploymentGroupConnectedEndpointGroupArgsDict',
     'MirroringEndpointGroupAssociationLocationsDetailArgs',
@@ -1598,6 +1620,11 @@ class AuthzPolicyHttpRuleFromSourceResourceTagValueIdSetArgs:
 
 if not MYPY:
     class AuthzPolicyHttpRuleToArgsDict(TypedDict):
+        not_operations: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationArgsDict']]]]
+        """
+        Describes the negated properties of the targets of a request. Matches requests for operations that do not match the criteria specified in this field. At least one of operations or notOperations must be specified.
+        Structure is documented below.
+        """
         operations: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationArgsDict']]]]
         """
         Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches.
@@ -1609,14 +1636,32 @@ elif False:
 @pulumi.input_type
 class AuthzPolicyHttpRuleToArgs:
     def __init__(__self__, *,
+                 not_operations: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationArgs']]]] = None,
                  operations: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationArgs']]]] = None):
         """
+        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationArgs']]] not_operations: Describes the negated properties of the targets of a request. Matches requests for operations that do not match the criteria specified in this field. At least one of operations or notOperations must be specified.
+               Structure is documented below.
         :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationArgs']]] operations: Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 5 operations. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches.
                Structure is documented below.
         """
+        if not_operations is not None:
+            pulumi.set(__self__, "not_operations", not_operations)
         if operations is not None:
             pulumi.set(__self__, "operations", operations)
 
+    @property
+    @pulumi.getter(name="notOperations")
+    def not_operations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationArgs']]]]:
+        """
+        Describes the negated properties of the targets of a request. Matches requests for operations that do not match the criteria specified in this field. At least one of operations or notOperations must be specified.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "not_operations")
+
+    @not_operations.setter
+    def not_operations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationArgs']]]]):
+        pulumi.set(self, "not_operations", value)
+
     @property
     @pulumi.getter
     def operations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationArgs']]]]:
@@ -1632,13 +1677,13 @@ class AuthzPolicyHttpRuleToArgs:
 
 
 if not MYPY:
-    class AuthzPolicyHttpRuleToOperationArgsDict(TypedDict):
-        header_set: NotRequired[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgsDict']]
+    class AuthzPolicyHttpRuleToNotOperationArgsDict(TypedDict):
+        header_set: NotRequired[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetArgsDict']]
         """
         A list of headers to match against in http header.
         Structure is documented below.
         """
-        hosts: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgsDict']]]]
+        hosts: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHostArgsDict']]]]
         """
         A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
         Limited to 5 matches.
@@ -1648,7 +1693,7 @@ if not MYPY:
         """
         A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
         """
-        paths: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgsDict']]]]
+        paths: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationPathArgsDict']]]]
         """
         A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
         Limited to 5 matches.
@@ -1656,23 +1701,23 @@ if not MYPY:
         Structure is documented below.
         """
 elif False:
-    AuthzPolicyHttpRuleToOperationArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToNotOperationArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class AuthzPolicyHttpRuleToOperationArgs:
+class AuthzPolicyHttpRuleToNotOperationArgs:
     def __init__(__self__, *,
-                 header_set: Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgs']] = None,
-                 hosts: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgs']]]] = None,
+                 header_set: Optional[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetArgs']] = None,
+                 hosts: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHostArgs']]]] = None,
                  methods: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 paths: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgs']]]] = None):
+                 paths: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationPathArgs']]]] = None):
         """
-        :param pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgs'] header_set: A list of headers to match against in http header.
+        :param pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetArgs'] header_set: A list of headers to match against in http header.
                Structure is documented below.
-        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgs']]] hosts: A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
+        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHostArgs']]] hosts: A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
                Limited to 5 matches.
                Structure is documented below.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] methods: A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
-        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgs']]] paths: A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
+        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationPathArgs']]] paths: A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
                Limited to 5 matches.
                Note that this path match includes the query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method.
                Structure is documented below.
@@ -1688,7 +1733,7 @@ class AuthzPolicyHttpRuleToOperationArgs:
 
     @property
     @pulumi.getter(name="headerSet")
-    def header_set(self) -> Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgs']]:
+    def header_set(self) -> Optional[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetArgs']]:
         """
         A list of headers to match against in http header.
         Structure is documented below.
@@ -1696,12 +1741,12 @@ class AuthzPolicyHttpRuleToOperationArgs:
         return pulumi.get(self, "header_set")
 
     @header_set.setter
-    def header_set(self, value: Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgs']]):
+    def header_set(self, value: Optional[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetArgs']]):
         pulumi.set(self, "header_set", value)
 
     @property
     @pulumi.getter
-    def hosts(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgs']]]]:
+    def hosts(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHostArgs']]]]:
         """
         A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
         Limited to 5 matches.
@@ -1710,7 +1755,7 @@ class AuthzPolicyHttpRuleToOperationArgs:
         return pulumi.get(self, "hosts")
 
     @hosts.setter
-    def hosts(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgs']]]]):
+    def hosts(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHostArgs']]]]):
         pulumi.set(self, "hosts", value)
 
     @property
@@ -1727,7 +1772,7 @@ class AuthzPolicyHttpRuleToOperationArgs:
 
     @property
     @pulumi.getter
-    def paths(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgs']]]]:
+    def paths(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationPathArgs']]]]:
         """
         A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
         Limited to 5 matches.
@@ -1737,26 +1782,26 @@ class AuthzPolicyHttpRuleToOperationArgs:
         return pulumi.get(self, "paths")
 
     @paths.setter
-    def paths(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgs']]]]):
+    def paths(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationPathArgs']]]]):
         pulumi.set(self, "paths", value)
 
 
 if not MYPY:
-    class AuthzPolicyHttpRuleToOperationHeaderSetArgsDict(TypedDict):
-        headers: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgsDict']]]]
+    class AuthzPolicyHttpRuleToNotOperationHeaderSetArgsDict(TypedDict):
+        headers: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgsDict']]]]
         """
         A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches.
         Structure is documented below.
         """
 elif False:
-    AuthzPolicyHttpRuleToOperationHeaderSetArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToNotOperationHeaderSetArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class AuthzPolicyHttpRuleToOperationHeaderSetArgs:
+class AuthzPolicyHttpRuleToNotOperationHeaderSetArgs:
     def __init__(__self__, *,
-                 headers: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs']]]] = None):
+                 headers: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgs']]]] = None):
         """
-        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs']]] headers: A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches.
+        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgs']]] headers: A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches.
                Structure is documented below.
         """
         if headers is not None:
@@ -1764,7 +1809,7 @@ class AuthzPolicyHttpRuleToOperationHeaderSetArgs:
 
     @property
     @pulumi.getter
-    def headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs']]]]:
+    def headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgs']]]]:
         """
         A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches.
         Structure is documented below.
@@ -1772,32 +1817,32 @@ class AuthzPolicyHttpRuleToOperationHeaderSetArgs:
         return pulumi.get(self, "headers")
 
     @headers.setter
-    def headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs']]]]):
+    def headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgs']]]]):
         pulumi.set(self, "headers", value)
 
 
 if not MYPY:
-    class AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgsDict(TypedDict):
+    class AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgsDict(TypedDict):
         name: NotRequired[pulumi.Input[str]]
         """
         Specifies the name of the header in the request.
         """
-        value: NotRequired[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgsDict']]
+        value: NotRequired[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgsDict']]
         """
         Specifies how the header match will be performed.
         Structure is documented below.
         """
 elif False:
-    AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs:
+class AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderArgs:
     def __init__(__self__, *,
                  name: Optional[pulumi.Input[str]] = None,
-                 value: Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs']] = None):
+                 value: Optional[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgs']] = None):
         """
         :param pulumi.Input[str] name: Specifies the name of the header in the request.
-        :param pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs'] value: Specifies how the header match will be performed.
+        :param pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgs'] value: Specifies how the header match will be performed.
                Structure is documented below.
         """
         if name is not None:
@@ -1819,7 +1864,7 @@ class AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs:
 
     @property
     @pulumi.getter
-    def value(self) -> Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs']]:
+    def value(self) -> Optional[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgs']]:
         """
         Specifies how the header match will be performed.
         Structure is documented below.
@@ -1827,12 +1872,12 @@ class AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs:
         return pulumi.get(self, "value")
 
     @value.setter
-    def value(self, value: Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs']]):
+    def value(self, value: Optional[pulumi.Input['AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgs']]):
         pulumi.set(self, "value", value)
 
 
 if not MYPY:
-    class AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgsDict(TypedDict):
+    class AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgsDict(TypedDict):
         contains: NotRequired[pulumi.Input[str]]
         """
         The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
@@ -1862,10 +1907,10 @@ if not MYPY:
         * abc matches the value xyz.abc
         """
 elif False:
-    AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs:
+class AuthzPolicyHttpRuleToNotOperationHeaderSetHeaderValueArgs:
     def __init__(__self__, *,
                  contains: Optional[pulumi.Input[str]] = None,
                  exact: Optional[pulumi.Input[str]] = None,
@@ -1968,7 +2013,7 @@ class AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs:
 
 
 if not MYPY:
-    class AuthzPolicyHttpRuleToOperationHostArgsDict(TypedDict):
+    class AuthzPolicyHttpRuleToNotOperationHostArgsDict(TypedDict):
         contains: NotRequired[pulumi.Input[str]]
         """
         The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
@@ -1998,10 +2043,10 @@ if not MYPY:
         * abc matches the value xyz.abc
         """
 elif False:
-    AuthzPolicyHttpRuleToOperationHostArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToNotOperationHostArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class AuthzPolicyHttpRuleToOperationHostArgs:
+class AuthzPolicyHttpRuleToNotOperationHostArgs:
     def __init__(__self__, *,
                  contains: Optional[pulumi.Input[str]] = None,
                  exact: Optional[pulumi.Input[str]] = None,
@@ -2104,7 +2149,7 @@ class AuthzPolicyHttpRuleToOperationHostArgs:
 
 
 if not MYPY:
-    class AuthzPolicyHttpRuleToOperationPathArgsDict(TypedDict):
+    class AuthzPolicyHttpRuleToNotOperationPathArgsDict(TypedDict):
         contains: NotRequired[pulumi.Input[str]]
         """
         The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
@@ -2134,10 +2179,10 @@ if not MYPY:
         * abc matches the value xyz.abc
         """
 elif False:
-    AuthzPolicyHttpRuleToOperationPathArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToNotOperationPathArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class AuthzPolicyHttpRuleToOperationPathArgs:
+class AuthzPolicyHttpRuleToNotOperationPathArgs:
     def __init__(__self__, *,
                  contains: Optional[pulumi.Input[str]] = None,
                  exact: Optional[pulumi.Input[str]] = None,
@@ -2240,143 +2285,871 @@ class AuthzPolicyHttpRuleToOperationPathArgs:
 
 
 if not MYPY:
-    class AuthzPolicyTargetArgsDict(TypedDict):
-        load_balancing_scheme: pulumi.Input[str]
+    class AuthzPolicyHttpRuleToOperationArgsDict(TypedDict):
+        header_set: NotRequired[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgsDict']]
         """
-        All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
-        For more information, refer to [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service).
-        Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`, `INTERNAL_SELF_MANAGED`.
+        A list of headers to match against in http header.
+        Structure is documented below.
         """
-        resources: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        hosts: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgsDict']]]]
         """
-        A list of references to the Forwarding Rules on which this policy will be applied.
-
-        - - -
+        A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
+        Limited to 5 matches.
+        Structure is documented below.
+        """
+        methods: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
+        """
+        paths: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgsDict']]]]
+        """
+        A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
+        Limited to 5 matches.
+        Note that this path match includes the query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method.
+        Structure is documented below.
         """
 elif False:
-    AuthzPolicyTargetArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToOperationArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class AuthzPolicyTargetArgs:
+class AuthzPolicyHttpRuleToOperationArgs:
     def __init__(__self__, *,
-                 load_balancing_scheme: pulumi.Input[str],
-                 resources: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+                 header_set: Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgs']] = None,
+                 hosts: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgs']]]] = None,
+                 methods: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 paths: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgs']]]] = None):
         """
-        :param pulumi.Input[str] load_balancing_scheme: All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
-               For more information, refer to [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service).
-               Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`, `INTERNAL_SELF_MANAGED`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] resources: A list of references to the Forwarding Rules on which this policy will be applied.
-               
-               - - -
+        :param pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgs'] header_set: A list of headers to match against in http header.
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgs']]] hosts: A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
+               Limited to 5 matches.
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] methods: A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
+        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgs']]] paths: A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
+               Limited to 5 matches.
+               Note that this path match includes the query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method.
+               Structure is documented below.
         """
-        pulumi.set(__self__, "load_balancing_scheme", load_balancing_scheme)
-        if resources is not None:
-            pulumi.set(__self__, "resources", resources)
+        if header_set is not None:
+            pulumi.set(__self__, "header_set", header_set)
+        if hosts is not None:
+            pulumi.set(__self__, "hosts", hosts)
+        if methods is not None:
+            pulumi.set(__self__, "methods", methods)
+        if paths is not None:
+            pulumi.set(__self__, "paths", paths)
 
     @property
-    @pulumi.getter(name="loadBalancingScheme")
-    def load_balancing_scheme(self) -> pulumi.Input[str]:
+    @pulumi.getter(name="headerSet")
+    def header_set(self) -> Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgs']]:
         """
-        All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
-        For more information, refer to [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service).
-        Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`, `INTERNAL_SELF_MANAGED`.
+        A list of headers to match against in http header.
+        Structure is documented below.
         """
-        return pulumi.get(self, "load_balancing_scheme")
+        return pulumi.get(self, "header_set")
 
-    @load_balancing_scheme.setter
-    def load_balancing_scheme(self, value: pulumi.Input[str]):
-        pulumi.set(self, "load_balancing_scheme", value)
+    @header_set.setter
+    def header_set(self, value: Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetArgs']]):
+        pulumi.set(self, "header_set", value)
 
     @property
     @pulumi.getter
-    def resources(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def hosts(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgs']]]]:
         """
-        A list of references to the Forwarding Rules on which this policy will be applied.
-
-        - - -
+        A list of HTTP Hosts to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
+        Limited to 5 matches.
+        Structure is documented below.
         """
-        return pulumi.get(self, "resources")
+        return pulumi.get(self, "hosts")
 
-    @resources.setter
-    def resources(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
-        pulumi.set(self, "resources", value)
+    @hosts.setter
+    def hosts(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHostArgs']]]]):
+        pulumi.set(self, "hosts", value)
 
+    @property
+    @pulumi.getter
+    def methods(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        A list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS). It only allows exact match and is always case sensitive.
+        """
+        return pulumi.get(self, "methods")
 
-if not MYPY:
-    class ClientTlsPolicyClientCertificateArgsDict(TypedDict):
-        certificate_provider_instance: NotRequired[pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgsDict']]
+    @methods.setter
+    def methods(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "methods", value)
+
+    @property
+    @pulumi.getter
+    def paths(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgs']]]]:
         """
-        The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
+        A list of paths to match against. The match can be one of exact, prefix, suffix, or contains (substring match). Matches are always case sensitive unless the ignoreCase is set.
+        Limited to 5 matches.
+        Note that this path match includes the query parameters. For gRPC services, this should be a fully-qualified name of the form /package.service/method.
         Structure is documented below.
         """
-        grpc_endpoint: NotRequired[pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgsDict']]
+        return pulumi.get(self, "paths")
+
+    @paths.setter
+    def paths(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationPathArgs']]]]):
+        pulumi.set(self, "paths", value)
+
+
+if not MYPY:
+    class AuthzPolicyHttpRuleToOperationHeaderSetArgsDict(TypedDict):
+        headers: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgsDict']]]]
         """
-        gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+        A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches.
         Structure is documented below.
         """
 elif False:
-    ClientTlsPolicyClientCertificateArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToOperationHeaderSetArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class ClientTlsPolicyClientCertificateArgs:
+class AuthzPolicyHttpRuleToOperationHeaderSetArgs:
     def __init__(__self__, *,
-                 certificate_provider_instance: Optional[pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs']] = None,
-                 grpc_endpoint: Optional[pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgs']] = None):
+                 headers: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs']]]] = None):
         """
-        :param pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs'] certificate_provider_instance: The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
-               Structure is documented below.
-        :param pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgs'] grpc_endpoint: gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+        :param pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs']]] headers: A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches.
                Structure is documented below.
         """
-        if certificate_provider_instance is not None:
-            pulumi.set(__self__, "certificate_provider_instance", certificate_provider_instance)
-        if grpc_endpoint is not None:
-            pulumi.set(__self__, "grpc_endpoint", grpc_endpoint)
-
-    @property
-    @pulumi.getter(name="certificateProviderInstance")
-    def certificate_provider_instance(self) -> Optional[pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs']]:
-        """
-        The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
-        Structure is documented below.
-        """
-        return pulumi.get(self, "certificate_provider_instance")
-
-    @certificate_provider_instance.setter
-    def certificate_provider_instance(self, value: Optional[pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs']]):
-        pulumi.set(self, "certificate_provider_instance", value)
+        if headers is not None:
+            pulumi.set(__self__, "headers", headers)
 
     @property
-    @pulumi.getter(name="grpcEndpoint")
-    def grpc_endpoint(self) -> Optional[pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgs']]:
+    @pulumi.getter
+    def headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs']]]]:
         """
-        gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+        A list of headers to match against in http header. The match can be one of exact, prefix, suffix, or contains (substring match). The match follows AND semantics which means all the headers must match. Matches are always case sensitive unless the ignoreCase is set. Limited to 5 matches.
         Structure is documented below.
         """
-        return pulumi.get(self, "grpc_endpoint")
+        return pulumi.get(self, "headers")
 
-    @grpc_endpoint.setter
-    def grpc_endpoint(self, value: Optional[pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgs']]):
-        pulumi.set(self, "grpc_endpoint", value)
+    @headers.setter
+    def headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs']]]]):
+        pulumi.set(self, "headers", value)
 
 
 if not MYPY:
-    class ClientTlsPolicyClientCertificateCertificateProviderInstanceArgsDict(TypedDict):
-        plugin_instance: pulumi.Input[str]
+    class AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgsDict(TypedDict):
+        name: NotRequired[pulumi.Input[str]]
         """
-        Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        Specifies the name of the header in the request.
+        """
+        value: NotRequired[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgsDict']]
+        """
+        Specifies how the header match will be performed.
+        Structure is documented below.
         """
 elif False:
-    ClientTlsPolicyClientCertificateCertificateProviderInstanceArgsDict: TypeAlias = Mapping[str, Any]
+    AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs:
+class AuthzPolicyHttpRuleToOperationHeaderSetHeaderArgs:
     def __init__(__self__, *,
-                 plugin_instance: pulumi.Input[str]):
+                 name: Optional[pulumi.Input[str]] = None,
+                 value: Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs']] = None):
         """
-        :param pulumi.Input[str] plugin_instance: Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        :param pulumi.Input[str] name: Specifies the name of the header in the request.
+        :param pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs'] value: Specifies how the header match will be performed.
+               Structure is documented below.
         """
-        pulumi.set(__self__, "plugin_instance", plugin_instance)
+        if name is not None:
+            pulumi.set(__self__, "name", name)
+        if value is not None:
+            pulumi.set(__self__, "value", value)
+
+    @property
+    @pulumi.getter
+    def name(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies the name of the header in the request.
+        """
+        return pulumi.get(self, "name")
+
+    @name.setter
+    def name(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "name", value)
+
+    @property
+    @pulumi.getter
+    def value(self) -> Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs']]:
+        """
+        Specifies how the header match will be performed.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "value")
+
+    @value.setter
+    def value(self, value: Optional[pulumi.Input['AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs']]):
+        pulumi.set(self, "value", value)
+
+
+if not MYPY:
+    class AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgsDict(TypedDict):
+        contains: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc.def
+        """
+        exact: NotRequired[pulumi.Input[str]]
+        """
+        The input string must match exactly the string specified here.
+        Examples:
+        * abc only matches the value abc.
+        """
+        ignore_case: NotRequired[pulumi.Input[bool]]
+        """
+        If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        """
+        prefix: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value abc.xyz
+        """
+        suffix: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc
+        """
+elif False:
+    AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class AuthzPolicyHttpRuleToOperationHeaderSetHeaderValueArgs:
+    def __init__(__self__, *,
+                 contains: Optional[pulumi.Input[str]] = None,
+                 exact: Optional[pulumi.Input[str]] = None,
+                 ignore_case: Optional[pulumi.Input[bool]] = None,
+                 prefix: Optional[pulumi.Input[str]] = None,
+                 suffix: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] contains: The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value xyz.abc.def
+        :param pulumi.Input[str] exact: The input string must match exactly the string specified here.
+               Examples:
+               * abc only matches the value abc.
+        :param pulumi.Input[bool] ignore_case: If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        :param pulumi.Input[str] prefix: The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value abc.xyz
+        :param pulumi.Input[str] suffix: The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value xyz.abc
+        """
+        if contains is not None:
+            pulumi.set(__self__, "contains", contains)
+        if exact is not None:
+            pulumi.set(__self__, "exact", exact)
+        if ignore_case is not None:
+            pulumi.set(__self__, "ignore_case", ignore_case)
+        if prefix is not None:
+            pulumi.set(__self__, "prefix", prefix)
+        if suffix is not None:
+            pulumi.set(__self__, "suffix", suffix)
+
+    @property
+    @pulumi.getter
+    def contains(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc.def
+        """
+        return pulumi.get(self, "contains")
+
+    @contains.setter
+    def contains(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "contains", value)
+
+    @property
+    @pulumi.getter
+    def exact(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must match exactly the string specified here.
+        Examples:
+        * abc only matches the value abc.
+        """
+        return pulumi.get(self, "exact")
+
+    @exact.setter
+    def exact(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "exact", value)
+
+    @property
+    @pulumi.getter(name="ignoreCase")
+    def ignore_case(self) -> Optional[pulumi.Input[bool]]:
+        """
+        If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        """
+        return pulumi.get(self, "ignore_case")
+
+    @ignore_case.setter
+    def ignore_case(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "ignore_case", value)
+
+    @property
+    @pulumi.getter
+    def prefix(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value abc.xyz
+        """
+        return pulumi.get(self, "prefix")
+
+    @prefix.setter
+    def prefix(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "prefix", value)
+
+    @property
+    @pulumi.getter
+    def suffix(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc
+        """
+        return pulumi.get(self, "suffix")
+
+    @suffix.setter
+    def suffix(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "suffix", value)
+
+
+if not MYPY:
+    class AuthzPolicyHttpRuleToOperationHostArgsDict(TypedDict):
+        contains: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc.def
+        """
+        exact: NotRequired[pulumi.Input[str]]
+        """
+        The input string must match exactly the string specified here.
+        Examples:
+        * abc only matches the value abc.
+        """
+        ignore_case: NotRequired[pulumi.Input[bool]]
+        """
+        If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        """
+        prefix: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value abc.xyz
+        """
+        suffix: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc
+        """
+elif False:
+    AuthzPolicyHttpRuleToOperationHostArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class AuthzPolicyHttpRuleToOperationHostArgs:
+    def __init__(__self__, *,
+                 contains: Optional[pulumi.Input[str]] = None,
+                 exact: Optional[pulumi.Input[str]] = None,
+                 ignore_case: Optional[pulumi.Input[bool]] = None,
+                 prefix: Optional[pulumi.Input[str]] = None,
+                 suffix: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] contains: The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value xyz.abc.def
+        :param pulumi.Input[str] exact: The input string must match exactly the string specified here.
+               Examples:
+               * abc only matches the value abc.
+        :param pulumi.Input[bool] ignore_case: If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        :param pulumi.Input[str] prefix: The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value abc.xyz
+        :param pulumi.Input[str] suffix: The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value xyz.abc
+        """
+        if contains is not None:
+            pulumi.set(__self__, "contains", contains)
+        if exact is not None:
+            pulumi.set(__self__, "exact", exact)
+        if ignore_case is not None:
+            pulumi.set(__self__, "ignore_case", ignore_case)
+        if prefix is not None:
+            pulumi.set(__self__, "prefix", prefix)
+        if suffix is not None:
+            pulumi.set(__self__, "suffix", suffix)
+
+    @property
+    @pulumi.getter
+    def contains(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc.def
+        """
+        return pulumi.get(self, "contains")
+
+    @contains.setter
+    def contains(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "contains", value)
+
+    @property
+    @pulumi.getter
+    def exact(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must match exactly the string specified here.
+        Examples:
+        * abc only matches the value abc.
+        """
+        return pulumi.get(self, "exact")
+
+    @exact.setter
+    def exact(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "exact", value)
+
+    @property
+    @pulumi.getter(name="ignoreCase")
+    def ignore_case(self) -> Optional[pulumi.Input[bool]]:
+        """
+        If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        """
+        return pulumi.get(self, "ignore_case")
+
+    @ignore_case.setter
+    def ignore_case(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "ignore_case", value)
+
+    @property
+    @pulumi.getter
+    def prefix(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value abc.xyz
+        """
+        return pulumi.get(self, "prefix")
+
+    @prefix.setter
+    def prefix(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "prefix", value)
+
+    @property
+    @pulumi.getter
+    def suffix(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc
+        """
+        return pulumi.get(self, "suffix")
+
+    @suffix.setter
+    def suffix(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "suffix", value)
+
+
+if not MYPY:
+    class AuthzPolicyHttpRuleToOperationPathArgsDict(TypedDict):
+        contains: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc.def
+        """
+        exact: NotRequired[pulumi.Input[str]]
+        """
+        The input string must match exactly the string specified here.
+        Examples:
+        * abc only matches the value abc.
+        """
+        ignore_case: NotRequired[pulumi.Input[bool]]
+        """
+        If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        """
+        prefix: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value abc.xyz
+        """
+        suffix: NotRequired[pulumi.Input[str]]
+        """
+        The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc
+        """
+elif False:
+    AuthzPolicyHttpRuleToOperationPathArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class AuthzPolicyHttpRuleToOperationPathArgs:
+    def __init__(__self__, *,
+                 contains: Optional[pulumi.Input[str]] = None,
+                 exact: Optional[pulumi.Input[str]] = None,
+                 ignore_case: Optional[pulumi.Input[bool]] = None,
+                 prefix: Optional[pulumi.Input[str]] = None,
+                 suffix: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] contains: The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value xyz.abc.def
+        :param pulumi.Input[str] exact: The input string must match exactly the string specified here.
+               Examples:
+               * abc only matches the value abc.
+        :param pulumi.Input[bool] ignore_case: If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        :param pulumi.Input[str] prefix: The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value abc.xyz
+        :param pulumi.Input[str] suffix: The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+               Examples:
+               * abc matches the value xyz.abc
+        """
+        if contains is not None:
+            pulumi.set(__self__, "contains", contains)
+        if exact is not None:
+            pulumi.set(__self__, "exact", exact)
+        if ignore_case is not None:
+            pulumi.set(__self__, "ignore_case", ignore_case)
+        if prefix is not None:
+            pulumi.set(__self__, "prefix", prefix)
+        if suffix is not None:
+            pulumi.set(__self__, "suffix", suffix)
+
+    @property
+    @pulumi.getter
+    def contains(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the substring specified here. Note: empty contains match is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc.def
+        """
+        return pulumi.get(self, "contains")
+
+    @contains.setter
+    def contains(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "contains", value)
+
+    @property
+    @pulumi.getter
+    def exact(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must match exactly the string specified here.
+        Examples:
+        * abc only matches the value abc.
+        """
+        return pulumi.get(self, "exact")
+
+    @exact.setter
+    def exact(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "exact", value)
+
+    @property
+    @pulumi.getter(name="ignoreCase")
+    def ignore_case(self) -> Optional[pulumi.Input[bool]]:
+        """
+        If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. For example, the matcher data will match both input string Data and data if set to true.
+        """
+        return pulumi.get(self, "ignore_case")
+
+    @ignore_case.setter
+    def ignore_case(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "ignore_case", value)
+
+    @property
+    @pulumi.getter
+    def prefix(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value abc.xyz
+        """
+        return pulumi.get(self, "prefix")
+
+    @prefix.setter
+    def prefix(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "prefix", value)
+
+    @property
+    @pulumi.getter
+    def suffix(self) -> Optional[pulumi.Input[str]]:
+        """
+        The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead.
+        Examples:
+        * abc matches the value xyz.abc
+        """
+        return pulumi.get(self, "suffix")
+
+    @suffix.setter
+    def suffix(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "suffix", value)
+
+
+if not MYPY:
+    class AuthzPolicyTargetArgsDict(TypedDict):
+        load_balancing_scheme: pulumi.Input[str]
+        """
+        All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
+        For more information, refer to [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service).
+        Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`, `INTERNAL_SELF_MANAGED`.
+        """
+        resources: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        A list of references to the Forwarding Rules on which this policy will be applied.
+
+        - - -
+        """
+elif False:
+    AuthzPolicyTargetArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class AuthzPolicyTargetArgs:
+    def __init__(__self__, *,
+                 load_balancing_scheme: pulumi.Input[str],
+                 resources: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+        """
+        :param pulumi.Input[str] load_balancing_scheme: All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
+               For more information, refer to [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service).
+               Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`, `INTERNAL_SELF_MANAGED`.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] resources: A list of references to the Forwarding Rules on which this policy will be applied.
+               
+               - - -
+        """
+        pulumi.set(__self__, "load_balancing_scheme", load_balancing_scheme)
+        if resources is not None:
+            pulumi.set(__self__, "resources", resources)
+
+    @property
+    @pulumi.getter(name="loadBalancingScheme")
+    def load_balancing_scheme(self) -> pulumi.Input[str]:
+        """
+        All gateways and forwarding rules referenced by this policy and extensions must share the same load balancing scheme.
+        For more information, refer to [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service).
+        Possible values are: `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`, `INTERNAL_SELF_MANAGED`.
+        """
+        return pulumi.get(self, "load_balancing_scheme")
+
+    @load_balancing_scheme.setter
+    def load_balancing_scheme(self, value: pulumi.Input[str]):
+        pulumi.set(self, "load_balancing_scheme", value)
+
+    @property
+    @pulumi.getter
+    def resources(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        A list of references to the Forwarding Rules on which this policy will be applied.
+
+        - - -
+        """
+        return pulumi.get(self, "resources")
+
+    @resources.setter
+    def resources(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "resources", value)
+
+
+if not MYPY:
+    class ClientTlsPolicyClientCertificateArgsDict(TypedDict):
+        certificate_provider_instance: NotRequired[pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgsDict']]
+        """
+        The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
+        Structure is documented below.
+        """
+        grpc_endpoint: NotRequired[pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgsDict']]
+        """
+        gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+        Structure is documented below.
+        """
+elif False:
+    ClientTlsPolicyClientCertificateArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ClientTlsPolicyClientCertificateArgs:
+    def __init__(__self__, *,
+                 certificate_provider_instance: Optional[pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs']] = None,
+                 grpc_endpoint: Optional[pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgs']] = None):
+        """
+        :param pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs'] certificate_provider_instance: The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
+               Structure is documented below.
+        :param pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgs'] grpc_endpoint: gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+               Structure is documented below.
+        """
+        if certificate_provider_instance is not None:
+            pulumi.set(__self__, "certificate_provider_instance", certificate_provider_instance)
+        if grpc_endpoint is not None:
+            pulumi.set(__self__, "grpc_endpoint", grpc_endpoint)
+
+    @property
+    @pulumi.getter(name="certificateProviderInstance")
+    def certificate_provider_instance(self) -> Optional[pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs']]:
+        """
+        The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "certificate_provider_instance")
+
+    @certificate_provider_instance.setter
+    def certificate_provider_instance(self, value: Optional[pulumi.Input['ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs']]):
+        pulumi.set(self, "certificate_provider_instance", value)
+
+    @property
+    @pulumi.getter(name="grpcEndpoint")
+    def grpc_endpoint(self) -> Optional[pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgs']]:
+        """
+        gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "grpc_endpoint")
+
+    @grpc_endpoint.setter
+    def grpc_endpoint(self, value: Optional[pulumi.Input['ClientTlsPolicyClientCertificateGrpcEndpointArgs']]):
+        pulumi.set(self, "grpc_endpoint", value)
+
+
+if not MYPY:
+    class ClientTlsPolicyClientCertificateCertificateProviderInstanceArgsDict(TypedDict):
+        plugin_instance: pulumi.Input[str]
+        """
+        Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        """
+elif False:
+    ClientTlsPolicyClientCertificateCertificateProviderInstanceArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs:
+    def __init__(__self__, *,
+                 plugin_instance: pulumi.Input[str]):
+        """
+        :param pulumi.Input[str] plugin_instance: Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        """
+        pulumi.set(__self__, "plugin_instance", plugin_instance)
+
+    @property
+    @pulumi.getter(name="pluginInstance")
+    def plugin_instance(self) -> pulumi.Input[str]:
+        """
+        Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        """
+        return pulumi.get(self, "plugin_instance")
+
+    @plugin_instance.setter
+    def plugin_instance(self, value: pulumi.Input[str]):
+        pulumi.set(self, "plugin_instance", value)
+
+
+if not MYPY:
+    class ClientTlsPolicyClientCertificateGrpcEndpointArgsDict(TypedDict):
+        target_uri: pulumi.Input[str]
+        """
+        The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        """
+elif False:
+    ClientTlsPolicyClientCertificateGrpcEndpointArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ClientTlsPolicyClientCertificateGrpcEndpointArgs:
+    def __init__(__self__, *,
+                 target_uri: pulumi.Input[str]):
+        """
+        :param pulumi.Input[str] target_uri: The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        """
+        pulumi.set(__self__, "target_uri", target_uri)
+
+    @property
+    @pulumi.getter(name="targetUri")
+    def target_uri(self) -> pulumi.Input[str]:
+        """
+        The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        """
+        return pulumi.get(self, "target_uri")
+
+    @target_uri.setter
+    def target_uri(self, value: pulumi.Input[str]):
+        pulumi.set(self, "target_uri", value)
+
+
+if not MYPY:
+    class ClientTlsPolicyServerValidationCaArgsDict(TypedDict):
+        certificate_provider_instance: NotRequired[pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgsDict']]
+        """
+        The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
+        Structure is documented below.
+        """
+        grpc_endpoint: NotRequired[pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgsDict']]
+        """
+        gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+        Structure is documented below.
+        """
+elif False:
+    ClientTlsPolicyServerValidationCaArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ClientTlsPolicyServerValidationCaArgs:
+    def __init__(__self__, *,
+                 certificate_provider_instance: Optional[pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs']] = None,
+                 grpc_endpoint: Optional[pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgs']] = None):
+        """
+        :param pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs'] certificate_provider_instance: The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
+               Structure is documented below.
+        :param pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgs'] grpc_endpoint: gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+               Structure is documented below.
+        """
+        if certificate_provider_instance is not None:
+            pulumi.set(__self__, "certificate_provider_instance", certificate_provider_instance)
+        if grpc_endpoint is not None:
+            pulumi.set(__self__, "grpc_endpoint", grpc_endpoint)
+
+    @property
+    @pulumi.getter(name="certificateProviderInstance")
+    def certificate_provider_instance(self) -> Optional[pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs']]:
+        """
+        The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "certificate_provider_instance")
+
+    @certificate_provider_instance.setter
+    def certificate_provider_instance(self, value: Optional[pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs']]):
+        pulumi.set(self, "certificate_provider_instance", value)
+
+    @property
+    @pulumi.getter(name="grpcEndpoint")
+    def grpc_endpoint(self) -> Optional[pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgs']]:
+        """
+        gRPC specific configuration to access the gRPC server to obtain the cert and private key.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "grpc_endpoint")
+
+    @grpc_endpoint.setter
+    def grpc_endpoint(self, value: Optional[pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgs']]):
+        pulumi.set(self, "grpc_endpoint", value)
+
+
+if not MYPY:
+    class ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgsDict(TypedDict):
+        plugin_instance: pulumi.Input[str]
+        """
+        Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        """
+elif False:
+    ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs:
+    def __init__(__self__, *,
+                 plugin_instance: pulumi.Input[str]):
+        """
+        :param pulumi.Input[str] plugin_instance: Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        """
+        pulumi.set(__self__, "plugin_instance", plugin_instance)
 
     @property
     @pulumi.getter(name="pluginInstance")
@@ -2392,188 +3165,459 @@ class ClientTlsPolicyClientCertificateCertificateProviderInstanceArgs:
 
 
 if not MYPY:
-    class ClientTlsPolicyClientCertificateGrpcEndpointArgsDict(TypedDict):
+    class ClientTlsPolicyServerValidationCaGrpcEndpointArgsDict(TypedDict):
         target_uri: pulumi.Input[str]
         """
-        The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        """
+elif False:
+    ClientTlsPolicyServerValidationCaGrpcEndpointArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ClientTlsPolicyServerValidationCaGrpcEndpointArgs:
+    def __init__(__self__, *,
+                 target_uri: pulumi.Input[str]):
+        """
+        :param pulumi.Input[str] target_uri: The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        """
+        pulumi.set(__self__, "target_uri", target_uri)
+
+    @property
+    @pulumi.getter(name="targetUri")
+    def target_uri(self) -> pulumi.Input[str]:
+        """
+        The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        """
+        return pulumi.get(self, "target_uri")
+
+    @target_uri.setter
+    def target_uri(self, value: pulumi.Input[str]):
+        pulumi.set(self, "target_uri", value)
+
+
+if not MYPY:
+    class InterceptDeploymentGroupConnectedEndpointGroupArgsDict(TypedDict):
+        name: NotRequired[pulumi.Input[str]]
+        """
+        (Output)
+        The connected endpoint group's resource name, for example:
+        `projects/123456789/locations/global/interceptEndpointGroups/my-eg`.
+        See https://google.aip.dev/124.
+        """
+elif False:
+    InterceptDeploymentGroupConnectedEndpointGroupArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InterceptDeploymentGroupConnectedEndpointGroupArgs:
+    def __init__(__self__, *,
+                 name: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] name: (Output)
+               The connected endpoint group's resource name, for example:
+               `projects/123456789/locations/global/interceptEndpointGroups/my-eg`.
+               See https://google.aip.dev/124.
+        """
+        if name is not None:
+            pulumi.set(__self__, "name", name)
+
+    @property
+    @pulumi.getter
+    def name(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        The connected endpoint group's resource name, for example:
+        `projects/123456789/locations/global/interceptEndpointGroups/my-eg`.
+        See https://google.aip.dev/124.
+        """
+        return pulumi.get(self, "name")
+
+    @name.setter
+    def name(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "name", value)
+
+
+if not MYPY:
+    class InterceptDeploymentGroupLocationArgsDict(TypedDict):
+        location: NotRequired[pulumi.Input[str]]
+        """
+        The cloud location of the deployment group, currently restricted to `global`.
+        """
+        state: NotRequired[pulumi.Input[str]]
+        """
+        (Output)
+        The current state of the association in this location.
+        Possible values:
+        STATE_UNSPECIFIED
+        ACTIVE
+        OUT_OF_SYNC
+        """
+elif False:
+    InterceptDeploymentGroupLocationArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InterceptDeploymentGroupLocationArgs:
+    def __init__(__self__, *,
+                 location: Optional[pulumi.Input[str]] = None,
+                 state: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] location: The cloud location of the deployment group, currently restricted to `global`.
+        :param pulumi.Input[str] state: (Output)
+               The current state of the association in this location.
+               Possible values:
+               STATE_UNSPECIFIED
+               ACTIVE
+               OUT_OF_SYNC
+        """
+        if location is not None:
+            pulumi.set(__self__, "location", location)
+        if state is not None:
+            pulumi.set(__self__, "state", state)
+
+    @property
+    @pulumi.getter
+    def location(self) -> Optional[pulumi.Input[str]]:
+        """
+        The cloud location of the deployment group, currently restricted to `global`.
+        """
+        return pulumi.get(self, "location")
+
+    @location.setter
+    def location(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "location", value)
+
+    @property
+    @pulumi.getter
+    def state(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        The current state of the association in this location.
+        Possible values:
+        STATE_UNSPECIFIED
+        ACTIVE
+        OUT_OF_SYNC
+        """
+        return pulumi.get(self, "state")
+
+    @state.setter
+    def state(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "state", value)
+
+
+if not MYPY:
+    class InterceptEndpointGroupAssociationArgsDict(TypedDict):
+        name: NotRequired[pulumi.Input[str]]
+        """
+        (Output)
+        The connected deployment group's resource name, for example:
+        `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`.
+        See https://google.aip.dev/124.
+        """
+        network: NotRequired[pulumi.Input[str]]
+        """
+        (Output)
+        The associated network, for example:
+        projects/123456789/global/networks/my-network.
+        See https://google.aip.dev/124.
+        """
+        state: NotRequired[pulumi.Input[str]]
+        """
+        (Output)
+        The current state of the association in this location.
+        Possible values:
+        STATE_UNSPECIFIED
+        ACTIVE
+        OUT_OF_SYNC
+        """
+elif False:
+    InterceptEndpointGroupAssociationArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InterceptEndpointGroupAssociationArgs:
+    def __init__(__self__, *,
+                 name: Optional[pulumi.Input[str]] = None,
+                 network: Optional[pulumi.Input[str]] = None,
+                 state: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] name: (Output)
+               The connected deployment group's resource name, for example:
+               `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`.
+               See https://google.aip.dev/124.
+        :param pulumi.Input[str] network: (Output)
+               The associated network, for example:
+               projects/123456789/global/networks/my-network.
+               See https://google.aip.dev/124.
+        :param pulumi.Input[str] state: (Output)
+               The current state of the association in this location.
+               Possible values:
+               STATE_UNSPECIFIED
+               ACTIVE
+               OUT_OF_SYNC
+        """
+        if name is not None:
+            pulumi.set(__self__, "name", name)
+        if network is not None:
+            pulumi.set(__self__, "network", network)
+        if state is not None:
+            pulumi.set(__self__, "state", state)
+
+    @property
+    @pulumi.getter
+    def name(self) -> Optional[pulumi.Input[str]]:
+        """
+        (Output)
+        The connected deployment group's resource name, for example:
+        `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`.
+        See https://google.aip.dev/124.
         """
-elif False:
-    ClientTlsPolicyClientCertificateGrpcEndpointArgsDict: TypeAlias = Mapping[str, Any]
+        return pulumi.get(self, "name")
 
-@pulumi.input_type
-class ClientTlsPolicyClientCertificateGrpcEndpointArgs:
-    def __init__(__self__, *,
-                 target_uri: pulumi.Input[str]):
+    @name.setter
+    def name(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "name", value)
+
+    @property
+    @pulumi.getter
+    def network(self) -> Optional[pulumi.Input[str]]:
         """
-        :param pulumi.Input[str] target_uri: The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        (Output)
+        The associated network, for example:
+        projects/123456789/global/networks/my-network.
+        See https://google.aip.dev/124.
         """
-        pulumi.set(__self__, "target_uri", target_uri)
+        return pulumi.get(self, "network")
+
+    @network.setter
+    def network(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "network", value)
 
     @property
-    @pulumi.getter(name="targetUri")
-    def target_uri(self) -> pulumi.Input[str]:
+    @pulumi.getter
+    def state(self) -> Optional[pulumi.Input[str]]:
         """
-        The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        (Output)
+        The current state of the association in this location.
+        Possible values:
+        STATE_UNSPECIFIED
+        ACTIVE
+        OUT_OF_SYNC
         """
-        return pulumi.get(self, "target_uri")
+        return pulumi.get(self, "state")
 
-    @target_uri.setter
-    def target_uri(self, value: pulumi.Input[str]):
-        pulumi.set(self, "target_uri", value)
+    @state.setter
+    def state(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "state", value)
 
 
 if not MYPY:
-    class ClientTlsPolicyServerValidationCaArgsDict(TypedDict):
-        certificate_provider_instance: NotRequired[pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgsDict']]
+    class InterceptEndpointGroupAssociationLocationArgsDict(TypedDict):
+        location: NotRequired[pulumi.Input[str]]
         """
-        The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
-        Structure is documented below.
+        The cloud location of the association, currently restricted to `global`.
+
+
+        - - -
         """
-        grpc_endpoint: NotRequired[pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgsDict']]
+        state: NotRequired[pulumi.Input[str]]
         """
-        gRPC specific configuration to access the gRPC server to obtain the cert and private key.
-        Structure is documented below.
+        (Output)
+        The current state of the association in this location.
+        Possible values:
+        STATE_UNSPECIFIED
+        ACTIVE
+        OUT_OF_SYNC
         """
 elif False:
-    ClientTlsPolicyServerValidationCaArgsDict: TypeAlias = Mapping[str, Any]
+    InterceptEndpointGroupAssociationLocationArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class ClientTlsPolicyServerValidationCaArgs:
+class InterceptEndpointGroupAssociationLocationArgs:
     def __init__(__self__, *,
-                 certificate_provider_instance: Optional[pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs']] = None,
-                 grpc_endpoint: Optional[pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgs']] = None):
+                 location: Optional[pulumi.Input[str]] = None,
+                 state: Optional[pulumi.Input[str]] = None):
         """
-        :param pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs'] certificate_provider_instance: The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
-               Structure is documented below.
-        :param pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgs'] grpc_endpoint: gRPC specific configuration to access the gRPC server to obtain the cert and private key.
-               Structure is documented below.
+        :param pulumi.Input[str] location: The cloud location of the association, currently restricted to `global`.
+               
+               
+               - - -
+        :param pulumi.Input[str] state: (Output)
+               The current state of the association in this location.
+               Possible values:
+               STATE_UNSPECIFIED
+               ACTIVE
+               OUT_OF_SYNC
         """
-        if certificate_provider_instance is not None:
-            pulumi.set(__self__, "certificate_provider_instance", certificate_provider_instance)
-        if grpc_endpoint is not None:
-            pulumi.set(__self__, "grpc_endpoint", grpc_endpoint)
+        if location is not None:
+            pulumi.set(__self__, "location", location)
+        if state is not None:
+            pulumi.set(__self__, "state", state)
 
     @property
-    @pulumi.getter(name="certificateProviderInstance")
-    def certificate_provider_instance(self) -> Optional[pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs']]:
+    @pulumi.getter
+    def location(self) -> Optional[pulumi.Input[str]]:
         """
-        The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
-        Structure is documented below.
+        The cloud location of the association, currently restricted to `global`.
+
+
+        - - -
         """
-        return pulumi.get(self, "certificate_provider_instance")
+        return pulumi.get(self, "location")
 
-    @certificate_provider_instance.setter
-    def certificate_provider_instance(self, value: Optional[pulumi.Input['ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs']]):
-        pulumi.set(self, "certificate_provider_instance", value)
+    @location.setter
+    def location(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "location", value)
 
     @property
-    @pulumi.getter(name="grpcEndpoint")
-    def grpc_endpoint(self) -> Optional[pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgs']]:
+    @pulumi.getter
+    def state(self) -> Optional[pulumi.Input[str]]:
         """
-        gRPC specific configuration to access the gRPC server to obtain the cert and private key.
-        Structure is documented below.
+        (Output)
+        The current state of the association in this location.
+        Possible values:
+        STATE_UNSPECIFIED
+        ACTIVE
+        OUT_OF_SYNC
         """
-        return pulumi.get(self, "grpc_endpoint")
+        return pulumi.get(self, "state")
 
-    @grpc_endpoint.setter
-    def grpc_endpoint(self, value: Optional[pulumi.Input['ClientTlsPolicyServerValidationCaGrpcEndpointArgs']]):
-        pulumi.set(self, "grpc_endpoint", value)
+    @state.setter
+    def state(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "state", value)
 
 
 if not MYPY:
-    class ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgsDict(TypedDict):
-        plugin_instance: pulumi.Input[str]
+    class InterceptEndpointGroupAssociationLocationsDetailArgsDict(TypedDict):
+        location: NotRequired[pulumi.Input[str]]
         """
-        Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        The cloud location of the association, currently restricted to `global`.
+
+
+        - - -
+        """
+        state: NotRequired[pulumi.Input[str]]
+        """
+        (Output)
+        The current state of the association in this location.
+        Possible values:
+        STATE_UNSPECIFIED
+        ACTIVE
+        OUT_OF_SYNC
         """
 elif False:
-    ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgsDict: TypeAlias = Mapping[str, Any]
+    InterceptEndpointGroupAssociationLocationsDetailArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class ClientTlsPolicyServerValidationCaCertificateProviderInstanceArgs:
+class InterceptEndpointGroupAssociationLocationsDetailArgs:
     def __init__(__self__, *,
-                 plugin_instance: pulumi.Input[str]):
+                 location: Optional[pulumi.Input[str]] = None,
+                 state: Optional[pulumi.Input[str]] = None):
         """
-        :param pulumi.Input[str] plugin_instance: Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+        :param pulumi.Input[str] location: The cloud location of the association, currently restricted to `global`.
+               
+               
+               - - -
+        :param pulumi.Input[str] state: (Output)
+               The current state of the association in this location.
+               Possible values:
+               STATE_UNSPECIFIED
+               ACTIVE
+               OUT_OF_SYNC
         """
-        pulumi.set(__self__, "plugin_instance", plugin_instance)
+        if location is not None:
+            pulumi.set(__self__, "location", location)
+        if state is not None:
+            pulumi.set(__self__, "state", state)
 
     @property
-    @pulumi.getter(name="pluginInstance")
-    def plugin_instance(self) -> pulumi.Input[str]:
-        """
-        Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
+    @pulumi.getter
+    def location(self) -> Optional[pulumi.Input[str]]:
         """
-        return pulumi.get(self, "plugin_instance")
-
-    @plugin_instance.setter
-    def plugin_instance(self, value: pulumi.Input[str]):
-        pulumi.set(self, "plugin_instance", value)
+        The cloud location of the association, currently restricted to `global`.
 
 
-if not MYPY:
-    class ClientTlsPolicyServerValidationCaGrpcEndpointArgsDict(TypedDict):
-        target_uri: pulumi.Input[str]
-        """
-        The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        - - -
         """
-elif False:
-    ClientTlsPolicyServerValidationCaGrpcEndpointArgsDict: TypeAlias = Mapping[str, Any]
+        return pulumi.get(self, "location")
 
-@pulumi.input_type
-class ClientTlsPolicyServerValidationCaGrpcEndpointArgs:
-    def __init__(__self__, *,
-                 target_uri: pulumi.Input[str]):
-        """
-        :param pulumi.Input[str] target_uri: The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
-        """
-        pulumi.set(__self__, "target_uri", target_uri)
+    @location.setter
+    def location(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "location", value)
 
     @property
-    @pulumi.getter(name="targetUri")
-    def target_uri(self) -> pulumi.Input[str]:
+    @pulumi.getter
+    def state(self) -> Optional[pulumi.Input[str]]:
         """
-        The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
+        (Output)
+        The current state of the association in this location.
+        Possible values:
+        STATE_UNSPECIFIED
+        ACTIVE
+        OUT_OF_SYNC
         """
-        return pulumi.get(self, "target_uri")
+        return pulumi.get(self, "state")
 
-    @target_uri.setter
-    def target_uri(self, value: pulumi.Input[str]):
-        pulumi.set(self, "target_uri", value)
+    @state.setter
+    def state(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "state", value)
 
 
 if not MYPY:
-    class InterceptDeploymentGroupConnectedEndpointGroupArgsDict(TypedDict):
+    class InterceptEndpointGroupConnectedDeploymentGroupArgsDict(TypedDict):
+        locations: NotRequired[pulumi.Input[Sequence[pulumi.Input['InterceptEndpointGroupConnectedDeploymentGroupLocationArgsDict']]]]
+        """
+        (Output)
+        The list of locations where the deployment group is present.
+        Structure is documented below.
+        """
         name: NotRequired[pulumi.Input[str]]
         """
         (Output)
-        The connected endpoint group's resource name, for example:
-        `projects/123456789/locations/global/interceptEndpointGroups/my-eg`.
+        The connected deployment group's resource name, for example:
+        `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`.
         See https://google.aip.dev/124.
         """
 elif False:
-    InterceptDeploymentGroupConnectedEndpointGroupArgsDict: TypeAlias = Mapping[str, Any]
+    InterceptEndpointGroupConnectedDeploymentGroupArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class InterceptDeploymentGroupConnectedEndpointGroupArgs:
+class InterceptEndpointGroupConnectedDeploymentGroupArgs:
     def __init__(__self__, *,
+                 locations: Optional[pulumi.Input[Sequence[pulumi.Input['InterceptEndpointGroupConnectedDeploymentGroupLocationArgs']]]] = None,
                  name: Optional[pulumi.Input[str]] = None):
         """
+        :param pulumi.Input[Sequence[pulumi.Input['InterceptEndpointGroupConnectedDeploymentGroupLocationArgs']]] locations: (Output)
+               The list of locations where the deployment group is present.
+               Structure is documented below.
         :param pulumi.Input[str] name: (Output)
-               The connected endpoint group's resource name, for example:
-               `projects/123456789/locations/global/interceptEndpointGroups/my-eg`.
+               The connected deployment group's resource name, for example:
+               `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`.
                See https://google.aip.dev/124.
         """
+        if locations is not None:
+            pulumi.set(__self__, "locations", locations)
         if name is not None:
             pulumi.set(__self__, "name", name)
 
+    @property
+    @pulumi.getter
+    def locations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['InterceptEndpointGroupConnectedDeploymentGroupLocationArgs']]]]:
+        """
+        (Output)
+        The list of locations where the deployment group is present.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "locations")
+
+    @locations.setter
+    def locations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['InterceptEndpointGroupConnectedDeploymentGroupLocationArgs']]]]):
+        pulumi.set(self, "locations", value)
+
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
         """
         (Output)
-        The connected endpoint group's resource name, for example:
-        `projects/123456789/locations/global/interceptEndpointGroups/my-eg`.
+        The connected deployment group's resource name, for example:
+        `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`.
         See https://google.aip.dev/124.
         """
         return pulumi.get(self, "name")
@@ -2584,13 +3628,10 @@ class InterceptDeploymentGroupConnectedEndpointGroupArgs:
 
 
 if not MYPY:
-    class InterceptEndpointGroupAssociationLocationsDetailArgsDict(TypedDict):
+    class InterceptEndpointGroupConnectedDeploymentGroupLocationArgsDict(TypedDict):
         location: NotRequired[pulumi.Input[str]]
         """
-        The cloud location of the association, currently restricted to `global`.
-
-
-        - - -
+        The cloud location of the endpoint group, currently restricted to `global`.
         """
         state: NotRequired[pulumi.Input[str]]
         """
@@ -2602,18 +3643,15 @@ if not MYPY:
         OUT_OF_SYNC
         """
 elif False:
-    InterceptEndpointGroupAssociationLocationsDetailArgsDict: TypeAlias = Mapping[str, Any]
+    InterceptEndpointGroupConnectedDeploymentGroupLocationArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
-class InterceptEndpointGroupAssociationLocationsDetailArgs:
+class InterceptEndpointGroupConnectedDeploymentGroupLocationArgs:
     def __init__(__self__, *,
                  location: Optional[pulumi.Input[str]] = None,
                  state: Optional[pulumi.Input[str]] = None):
         """
-        :param pulumi.Input[str] location: The cloud location of the association, currently restricted to `global`.
-               
-               
-               - - -
+        :param pulumi.Input[str] location: The cloud location of the endpoint group, currently restricted to `global`.
         :param pulumi.Input[str] state: (Output)
                The current state of the association in this location.
                Possible values:
@@ -2630,10 +3668,7 @@ class InterceptEndpointGroupAssociationLocationsDetailArgs:
     @pulumi.getter
     def location(self) -> Optional[pulumi.Input[str]]:
         """
-        The cloud location of the association, currently restricted to `global`.
-
-
-        - - -
+        The cloud location of the endpoint group, currently restricted to `global`.
         """
         return pulumi.get(self, "location")