Skip to main content
← back to extensions

@swamp/gcp/networksecurity

v2026.04.23.1

Google Cloud networksecurity infrastructure models

Repository

https://github.com/systeminit/swamp-extensions

Platforms

linux-x86_64linux-aarch64darwin-x86_64darwin-aarch64

Labels

gcpgoogle-cloudnetworksecuritycloudinfrastructure

Contents

models

Quality score

Verified by Swamp

How well-documented and verifiable this extension is.

100%

Grade A

  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types1/1earned
  • Has description1/1earned
  • At least one platform tag (or universal)1/1earned
  • Two or more platform tags (or universal)1/1earned
  • License declared1/1earned
  • Verified public repository2/2earned

Install

$ swamp extension pull @swamp/gcp/networksecurity

@swamp/gcp/networksecurity/addressgroupsv2026.04.23.1addressgroups.ts

Global Arguments

ArgumentTypeDescription
capacity?numberRequired. Capacity of the Address Group
description?stringOptional. Free-text description of the resource.
items?arrayOptional. List of items.
labels?recordOptional. Set of label tags associated with the AddressGroup resource.
name?stringRequired. Name of the AddressGroup resource. It matches pattern `projects/*/locations/{location}/addressGroups/`.
purpose?arrayOptional. List of supported purposes of the Address Group.
type?enumRequired. The type of the Address Group. Possible values are "IPv4" or "IPV6".
addressGroupId?stringRequired. Short name of the AddressGroup resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "authz_policy".
requestId?stringOptional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID w
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
createCreate a addressGroups
getGet a addressGroups
ArgumentTypeDescription
identifierstringThe name of the addressGroups
updateUpdate addressGroups attributes
deleteDelete the addressGroups
ArgumentTypeDescription
identifierstringThe name of the addressGroups
syncSync addressGroups state from GCP
add_itemsadd items
ArgumentTypeDescription
items?any
requestId?any
clone_itemsclone items
ArgumentTypeDescription
requestId?any
sourceAddressGroup?any
list_referenceslist references

Resources

state(infinite)— AddressGroup is a resource that specifies how a collection of IP/DNS used in ...
@swamp/gcp/networksecurity/authorizationpoliciesv2026.04.23.1authorizationpolicies.ts

Global Arguments

ArgumentTypeDescription
action?enumRequired. The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
description?stringOptional. Free-text description of the resource.
labels?recordOptional. Set of label tags associated with the AuthorizationPolicy resource.
name?stringRequired. Name of the AuthorizationPolicy resource. It matches pattern `projects/{project}/locations/{location}/authorizationPolicies/`.
rules?arrayOptional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the `action` field will be applied on every request.
authorizationPolicyId?stringRequired. Short name of the AuthorizationPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "authz_policy".
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a authorizationPolicies
getGet a authorizationPolicies
ArgumentTypeDescription
identifierstringThe name of the authorizationPolicies
updateUpdate authorizationPolicies attributes
deleteDelete the authorizationPolicies
ArgumentTypeDescription
identifierstringThe name of the authorizationPolicies
syncSync authorizationPolicies state from GCP

Resources

state(infinite)— AuthorizationPolicy is a resource that specifies how a server should authoriz...
@swamp/gcp/networksecurity/authzpoliciesv2026.04.23.1authzpolicies.ts

Global Arguments

ArgumentTypeDescription
action?enumRequired. Can be one of `ALLOW`, `DENY`, `CUSTOM`. When the action is `CUSTOM`, `customProvider` must be specified. When the action is `ALLOW`, only requests matching the policy will be allowed. When the action is `DENY`, only requests matching the policy will be denied. When a request arrives, the policies are evaluated in the following order: 1. If there is a `CUSTOM` policy that matches the request, the `CUSTOM` policy is evaluated using the custom authorization providers and the request is d
customProvider?objectAllows delegating authorization decisions to Cloud IAP or to Service Extensions.
description?stringOptional. A human-readable description of the resource.
httpRules?arrayOptional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
labels?recordOptional. Set of labels associated with the `AuthzPolicy` resource. The format must comply with [the following requirements](/compute/docs/labeling-resources#requirements).
name?stringRequired. Identifier. Name of the `AuthzPolicy` resource in the following format: `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`.
policyProfile?enumOptional. Immutable. Defines the type of authorization being performed. If not specified, `REQUEST_AUTHZ` is applied. This field cannot be changed once AuthzPolicy is created.
target?objectSpecifies the set of targets to which this policy should be applied to.
authzPolicyId?stringRequired. User-provided ID of the `AuthzPolicy` resource to be created.
requestId?stringOptional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server can ignore the request if it has already been completed. The server guarantees that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received,
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a authzPolicies
getGet a authzPolicies
ArgumentTypeDescription
identifierstringThe name of the authzPolicies
updateUpdate authzPolicies attributes
deleteDelete the authzPolicies
ArgumentTypeDescription
identifierstringThe name of the authzPolicies
syncSync authzPolicies state from GCP

Resources

state(infinite)— `AuthzPolicy` is a resource that allows to forward traffic to a callout backe...
@swamp/gcp/networksecurity/backendauthenticationconfigsv2026.04.23.1backendauthenticationconfigs.ts

Global Arguments

ArgumentTypeDescription
clientCertificate?stringOptional. A reference to a certificatemanager.googleapis.com.Certificate resource. This is a relative resource path following the form "projects/{project}/locations/{location}/certificates/{certificate}". Used by a BackendService to negotiate mTLS when the backend connection uses TLS and the backend requests a client certificate. Must have a CLIENT_AUTH scope.
description?stringOptional. Free-text description of the resource.
labels?recordSet of label tags associated with the resource.
name?stringRequired. Name of the BackendAuthenticationConfig resource. It matches the pattern `projects/*/locations/{location}/backendAuthenticationConfigs/{backend_authentication_config}`
trustConfig?stringOptional. A reference to a TrustConfig resource from the certificatemanager.googleapis.com namespace. This is a relative resource path following the form "projects/{project}/locations/{location}/trustConfigs/{trust_config}". A BackendService uses the chain of trust represented by this TrustConfig, if specified, to validate the server certificates presented by the backend. Required unless wellKnownRoots is set to PUBLIC_ROOTS.
wellKnownRoots?enumWell known roots to use for server certificate validation.
backendAuthenticationConfigId?stringRequired. Short name of the BackendAuthenticationConfig resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "backend-auth-config".
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a backendAuthenticationConfigs
getGet a backendAuthenticationConfigs
ArgumentTypeDescription
identifierstringThe name of the backendAuthenticationConfigs
updateUpdate backendAuthenticationConfigs attributes
deleteDelete the backendAuthenticationConfigs
ArgumentTypeDescription
identifierstringThe name of the backendAuthenticationConfigs
syncSync backendAuthenticationConfigs state from GCP

Resources

state(infinite)— BackendAuthenticationConfig message groups the TrustConfig together with othe...
@swamp/gcp/networksecurity/clienttlspoliciesv2026.04.23.1clienttlspolicies.ts

Global Arguments

ArgumentTypeDescription
clientCertificate?objectSpecification of certificate provider. Defines the mechanism to obtain the certificate and private key for peer to peer authentication.
description?stringOptional. Free-text description of the resource.
labels?recordOptional. Set of label tags associated with the resource.
name?stringRequired. Name of the ClientTlsPolicy resource. It matches the pattern `projects/{project}/locations/{location}/clientTlsPolicies/{client_tls_policy}`
serverValidationCa?arrayOptional. Defines the mechanism to obtain the Certificate Authority certificate to validate the server certificate. If empty, client does not validate the server certificate.
sni?stringOptional. Server Name Indication string to present to the server during TLS handshake. E.g: "secure.example.com".
clientTlsPolicyId?stringRequired. Short name of the ClientTlsPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "client_mtls_policy".
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a clientTlsPolicies
getGet a clientTlsPolicies
ArgumentTypeDescription
identifierstringThe name of the clientTlsPolicies
updateUpdate clientTlsPolicies attributes
deleteDelete the clientTlsPolicies
ArgumentTypeDescription
identifierstringThe name of the clientTlsPolicies
syncSync clientTlsPolicies state from GCP

Resources

state(infinite)— ClientTlsPolicy is a resource that specifies how a client should authenticate...
@swamp/gcp/networksecurity/dnsthreatdetectorsv2026.04.23.1dnsthreatdetectors.ts

Global Arguments

ArgumentTypeDescription
excludedNetworks?arrayOptional. A list of network resource names which aren't monitored by this DnsThreatDetector. Example: `projects/PROJECT_ID/global/networks/NETWORK_NAME`.
labels?recordOptional. Any labels associated with the DnsThreatDetector, listed as key value pairs.
name?stringImmutable. Identifier. Name of the DnsThreatDetector resource.
provider?enumRequired. The provider used for DNS threat analysis.
dnsThreatDetectorId?stringOptional. The ID of the requesting DnsThreatDetector object. If this field is not supplied, the service generates an identifier.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a dnsThreatDetectors
getGet a dnsThreatDetectors
ArgumentTypeDescription
identifierstringThe name of the dnsThreatDetectors
updateUpdate dnsThreatDetectors attributes
deleteDelete the dnsThreatDetectors
ArgumentTypeDescription
identifierstringThe name of the dnsThreatDetectors
syncSync dnsThreatDetectors state from GCP

Resources

state(infinite)— A DNS threat detector sends DNS query logs to a _provider_ that then analyzes...
@swamp/gcp/networksecurity/firewallendpointassociationsv2026.04.23.1firewallendpointassociations.ts

Global Arguments

ArgumentTypeDescription
disabled?booleanOptional. Whether the association is disabled. True indicates that traffic won't be intercepted
firewallEndpoint?stringRequired. The URL of the FirewallEndpoint that is being associated.
labels?recordOptional. Labels as key value pairs
name?stringImmutable. Identifier. name of resource
network?stringRequired. The URL of the network that is being associated.
tlsInspectionPolicy?stringOptional. The URL of the TlsInspectionPolicy that is being associated.
firewallEndpointAssociationId?stringOptional. Id of the requesting object. If auto-generating Id server-side, remove this field and firewall_endpoint_association_id from the method_signature of Create RPC.
requestId?stringOptional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID w
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a firewallEndpointAssociations
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a firewallEndpointAssociations
ArgumentTypeDescription
identifierstringThe name of the firewallEndpointAssociations
updateUpdate firewallEndpointAssociations attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the firewallEndpointAssociations
ArgumentTypeDescription
identifierstringThe name of the firewallEndpointAssociations
syncSync firewallEndpointAssociations state from GCP

Resources

state(infinite)— Message describing Association object
@swamp/gcp/networksecurity/firewallendpointsv2026.04.23.1firewallendpoints.ts

Global Arguments

ArgumentTypeDescription
billingProjectId?stringOptional. Project to charge for the deployed firewall endpoint. This field must be specified when creating the endpoint in the organization scope, and should be omitted otherwise.
description?stringOptional. Description of the firewall endpoint. Max length 2048 characters.
endpointSettings?objectSettings for the endpoint.
labels?recordOptional. Labels as key value pairs
name?stringImmutable. Identifier. Name of resource.
firewallEndpointId?stringRequired. Id of the requesting object. If auto-generating Id server-side, remove this field and firewall_endpoint_id from the method_signature of Create RPC.
requestId?stringOptional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID w
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
createCreate a firewallEndpoints
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a firewallEndpoints
ArgumentTypeDescription
identifierstringThe name of the firewallEndpoints
updateUpdate firewallEndpoints attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the firewallEndpoints
ArgumentTypeDescription
identifierstringThe name of the firewallEndpoints
syncSync firewallEndpoints state from GCP

Resources

state(infinite)— Message describing Endpoint object.
@swamp/gcp/networksecurity/gatewaysecuritypoliciesv2026.04.23.1gatewaysecuritypolicies.ts

Global Arguments

ArgumentTypeDescription
description?stringOptional. Free-text description of the resource.
name?stringRequired. Name of the resource. Name is of the form projects/{project}/locations/{location}/gatewaySecurityPolicies/{gateway_security_policy} gateway_security_policy should match the pattern:(^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$).
tlsInspectionPolicy?stringOptional. Name of a TLS Inspection Policy resource that defines how TLS inspection will be performed for any rule(s) which enables it.
gatewaySecurityPolicyId?stringRequired. Short name of the GatewaySecurityPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "gateway_security_policy1".
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a gatewaySecurityPolicies
getGet a gatewaySecurityPolicies
ArgumentTypeDescription
identifierstringThe name of the gatewaySecurityPolicies
updateUpdate gatewaySecurityPolicies attributes
deleteDelete the gatewaySecurityPolicies
ArgumentTypeDescription
identifierstringThe name of the gatewaySecurityPolicies
syncSync gatewaySecurityPolicies state from GCP

Resources

state(infinite)— The GatewaySecurityPolicy resource contains a collection of GatewaySecurityPo...
@swamp/gcp/networksecurity/gatewaysecuritypolicies-rulesv2026.04.23.1gatewaysecuritypolicies_rules.ts

Global Arguments

ArgumentTypeDescription
applicationMatcher?stringOptional. CEL expression for matching on L7/application level criteria.
basicProfile?enumRequired. Profile which tells what the primitive action should be.
description?stringOptional. Free-text description of the resource.
enabled?booleanRequired. Whether the rule is enforced.
name?stringRequired. Immutable. Name of the resource. ame is the full resource name so projects/{project}/locations/{location}/gatewaySecurityPolicies/{gateway_security_policy}/rules/{rule} rule should match the pattern: (^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$).
priority?numberRequired. Priority of the rule. Lower number corresponds to higher precedence.
sessionMatcher?stringRequired. CEL expression for matching on session criteria.
tlsInspectionEnabled?booleanOptional. Flag to enable TLS inspection of traffic matching on, can only be true if the parent GatewaySecurityPolicy references a TLSInspectionConfig.
gatewaySecurityPolicyRuleId?stringThe ID to use for the rule, which will become the final component of the rule's resource name. This value should be 4-63 characters, and valid characters are /a-z-/.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a rules
getGet a rules
ArgumentTypeDescription
identifierstringThe name of the rules
updateUpdate rules attributes
deleteDelete the rules
ArgumentTypeDescription
identifierstringThe name of the rules
syncSync rules state from GCP

Resources

state(infinite)— The GatewaySecurityPolicyRule resource is in a nested collection within a Gat...
@swamp/gcp/networksecurity/interceptdeploymentgroupsv2026.04.23.1interceptdeploymentgroups.ts

Global Arguments

ArgumentTypeDescription
description?stringOptional. User-provided description of the deployment group. Used as additional context for the deployment group.
labels?recordOptional. Labels are key/value pairs that help to organize and filter resources.
name?stringImmutable. Identifier. The resource name of this deployment group, for example: `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`. See https://google.aip.dev/122 for more details.
network?stringRequired. Immutable. The network that will be used for all child deployments, for example: `projects/{project}/global/networks/{network}`. See https://google.aip.dev/124.
interceptDeploymentGroupId?stringRequired. The ID to use for the new deployment group, which will become the final component of the deployment group's resource name.
requestId?stringOptional. A unique identifier for this request. Must be a UUID4. This request is only idempotent if a `request_id` is provided. See https://google.aip.dev/155 for more details.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a interceptDeploymentGroups
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a interceptDeploymentGroups
ArgumentTypeDescription
identifierstringThe name of the interceptDeploymentGroups
updateUpdate interceptDeploymentGroups attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the interceptDeploymentGroups
ArgumentTypeDescription
identifierstringThe name of the interceptDeploymentGroups
syncSync interceptDeploymentGroups state from GCP

Resources

state(infinite)— A deployment group aggregates many zonal intercept backends (deployments) int...
@swamp/gcp/networksecurity/interceptdeploymentsv2026.04.23.1interceptdeployments.ts

Global Arguments

ArgumentTypeDescription
description?stringOptional. User-provided description of the deployment. Used as additional context for the deployment.
forwardingRule?stringRequired. Immutable. The regional forwarding rule that fronts the interceptors, for example: `projects/123456789/regions/us-central1/forwardingRules/my-rule`. See https://google.aip.dev/124.
interceptDeploymentGroup?stringRequired. Immutable. The deployment group that this deployment is a part of, for example: `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`. See https://google.aip.dev/124.
labels?recordOptional. Labels are key/value pairs that help to organize and filter resources.
name?stringImmutable. Identifier. The resource name of this deployment, for example: `projects/123456789/locations/us-central1-a/interceptDeployments/my-dep`. See https://google.aip.dev/122 for more details.
interceptDeploymentId?stringRequired. The ID to use for the new deployment, which will become the final component of the deployment's resource name.
requestId?stringOptional. A unique identifier for this request. Must be a UUID4. This request is only idempotent if a `request_id` is provided. See https://google.aip.dev/155 for more details.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a interceptDeployments
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a interceptDeployments
ArgumentTypeDescription
identifierstringThe name of the interceptDeployments
updateUpdate interceptDeployments attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the interceptDeployments
ArgumentTypeDescription
identifierstringThe name of the interceptDeployments
syncSync interceptDeployments state from GCP

Resources

state(infinite)— A deployment represents a zonal intercept backend ready to accept GENEVE-enca...
@swamp/gcp/networksecurity/interceptendpointgroupassociationsv2026.04.23.1interceptendpointgroupassociations.ts

Global Arguments

ArgumentTypeDescription
interceptEndpointGroup?stringRequired. Immutable. The endpoint group that this association is connected to, for example: `projects/123456789/locations/global/interceptEndpointGroups/my-eg`. See https://google.aip.dev/124.
labels?recordOptional. Labels are key/value pairs that help to organize and filter resources.
name?stringImmutable. Identifier. The resource name of this endpoint group association, for example: `projects/123456789/locations/global/interceptEndpointGroupAssociations/my-eg-association`. See https://google.aip.dev/122 for more details.
network?stringRequired. Immutable. The VPC network that is associated. for example: `projects/123456789/global/networks/my-network`. See https://google.aip.dev/124.
interceptEndpointGroupAssociationId?stringOptional. The ID to use for the new association, which will become the final component of the endpoint group's resource name. If not provided, the server will generate a unique ID.
requestId?stringOptional. A unique identifier for this request. Must be a UUID4. This request is only idempotent if a `request_id` is provided. See https://google.aip.dev/155 for more details.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a interceptEndpointGroupAssociations
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a interceptEndpointGroupAssociations
ArgumentTypeDescription
identifierstringThe name of the interceptEndpointGroupAssociations
updateUpdate interceptEndpointGroupAssociations attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the interceptEndpointGroupAssociations
ArgumentTypeDescription
identifierstringThe name of the interceptEndpointGroupAssociations
syncSync interceptEndpointGroupAssociations state from GCP

Resources

state(infinite)— An endpoint group association represents a link between a network and an endp...
@swamp/gcp/networksecurity/interceptendpointgroupsv2026.04.23.1interceptendpointgroups.ts

Global Arguments

ArgumentTypeDescription
connectedDeploymentGroup?objectThe endpoint group's view of a connected deployment group.
description?stringOptional. User-provided description of the endpoint group. Used as additional context for the endpoint group.
interceptDeploymentGroup?stringRequired. Immutable. The deployment group that this endpoint group is connected to, for example: `projects/123456789/locations/global/interceptDeploymentGroups/my-dg`. See https://google.aip.dev/124.
labels?recordOptional. Labels are key/value pairs that help to organize and filter resources.
name?stringImmutable. Identifier. The resource name of this endpoint group, for example: `projects/123456789/locations/global/interceptEndpointGroups/my-eg`. See https://google.aip.dev/122 for more details.
interceptEndpointGroupId?stringRequired. The ID to use for the endpoint group, which will become the final component of the endpoint group's resource name.
requestId?stringOptional. A unique identifier for this request. Must be a UUID4. This request is only idempotent if a `request_id` is provided. See https://google.aip.dev/155 for more details.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a interceptEndpointGroups
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a interceptEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the interceptEndpointGroups
updateUpdate interceptEndpointGroups attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the interceptEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the interceptEndpointGroups
syncSync interceptEndpointGroups state from GCP

Resources

state(infinite)— An endpoint group is a consumer frontend for a deployment group (backend). In...
@swamp/gcp/networksecurity/locationsv2026.04.23.1locations.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a locations
ArgumentTypeDescription
identifierstringThe name of the locations
syncSync locations state from GCP

Resources

state(infinite)— A resource that represents a Google Cloud location.
@swamp/gcp/networksecurity/mirroringdeploymentgroupsv2026.04.23.1mirroringdeploymentgroups.ts

Global Arguments

ArgumentTypeDescription
description?stringOptional. User-provided description of the deployment group. Used as additional context for the deployment group.
labels?recordOptional. Labels are key/value pairs that help to organize and filter resources.
name?stringImmutable. Identifier. The resource name of this deployment group, for example: `projects/123456789/locations/global/mirroringDeploymentGroups/my-dg`. See https://google.aip.dev/122 for more details.
network?stringRequired. Immutable. The network that will be used for all child deployments, for example: `projects/{project}/global/networks/{network}`. See https://google.aip.dev/124.
mirroringDeploymentGroupId?stringRequired. The ID to use for the new deployment group, which will become the final component of the deployment group's resource name.
requestId?stringOptional. A unique identifier for this request. Must be a UUID4. This request is only idempotent if a `request_id` is provided. See https://google.aip.dev/155 for more details.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a mirroringDeploymentGroups
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a mirroringDeploymentGroups
ArgumentTypeDescription
identifierstringThe name of the mirroringDeploymentGroups
updateUpdate mirroringDeploymentGroups attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the mirroringDeploymentGroups
ArgumentTypeDescription
identifierstringThe name of the mirroringDeploymentGroups
syncSync mirroringDeploymentGroups state from GCP

Resources

state(infinite)— A deployment group aggregates many zonal mirroring backends (deployments) int...
@swamp/gcp/networksecurity/mirroringdeploymentsv2026.04.23.1mirroringdeployments.ts

Global Arguments

ArgumentTypeDescription
description?stringOptional. User-provided description of the deployment. Used as additional context for the deployment.
forwardingRule?stringRequired. Immutable. The regional forwarding rule that fronts the mirroring collectors, for example: `projects/123456789/regions/us-central1/forwardingRules/my-rule`. See https://google.aip.dev/124.
labels?recordOptional. Labels are key/value pairs that help to organize and filter resources.
mirroringDeploymentGroup?stringRequired. Immutable. The deployment group that this deployment is a part of, for example: `projects/123456789/locations/global/mirroringDeploymentGroups/my-dg`. See https://google.aip.dev/124.
name?stringImmutable. Identifier. The resource name of this deployment, for example: `projects/123456789/locations/us-central1-a/mirroringDeployments/my-dep`. See https://google.aip.dev/122 for more details.
mirroringDeploymentId?stringRequired. The ID to use for the new deployment, which will become the final component of the deployment's resource name.
requestId?stringOptional. A unique identifier for this request. Must be a UUID4. This request is only idempotent if a `request_id` is provided. See https://google.aip.dev/155 for more details.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a mirroringDeployments
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a mirroringDeployments
ArgumentTypeDescription
identifierstringThe name of the mirroringDeployments
updateUpdate mirroringDeployments attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the mirroringDeployments
ArgumentTypeDescription
identifierstringThe name of the mirroringDeployments
syncSync mirroringDeployments state from GCP

Resources

state(infinite)— A deployment represents a zonal mirroring backend ready to accept GENEVE-enca...
@swamp/gcp/networksecurity/mirroringendpointgroupassociationsv2026.04.23.1mirroringendpointgroupassociations.ts

Global Arguments

ArgumentTypeDescription
labels?recordOptional. Labels are key/value pairs that help to organize and filter resources.
mirroringEndpointGroup?stringImmutable. The endpoint group that this association is connected to, for example: `projects/123456789/locations/global/mirroringEndpointGroups/my-eg`. See https://google.aip.dev/124.
name?stringImmutable. Identifier. The resource name of this endpoint group association, for example: `projects/123456789/locations/global/mirroringEndpointGroupAssociations/my-eg-association`. See https://google.aip.dev/122 for more details.
network?stringImmutable. The VPC network that is associated. for example: `projects/123456789/global/networks/my-network`. See https://google.aip.dev/124.
mirroringEndpointGroupAssociationId?stringOptional. The ID to use for the new association, which will become the final component of the endpoint group's resource name. If not provided, the server will generate a unique ID.
requestId?stringOptional. A unique identifier for this request. Must be a UUID4. This request is only idempotent if a `request_id` is provided. See https://google.aip.dev/155 for more details.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a mirroringEndpointGroupAssociations
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a mirroringEndpointGroupAssociations
ArgumentTypeDescription
identifierstringThe name of the mirroringEndpointGroupAssociations
updateUpdate mirroringEndpointGroupAssociations attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the mirroringEndpointGroupAssociations
ArgumentTypeDescription
identifierstringThe name of the mirroringEndpointGroupAssociations
syncSync mirroringEndpointGroupAssociations state from GCP

Resources

state(infinite)— An endpoint group association represents a link between a network and an endp...
@swamp/gcp/networksecurity/mirroringendpointgroupsv2026.04.23.1mirroringendpointgroups.ts

Global Arguments

ArgumentTypeDescription
description?stringOptional. User-provided description of the endpoint group. Used as additional context for the endpoint group.
labels?recordOptional. Labels are key/value pairs that help to organize and filter resources.
mirroringDeploymentGroup?stringImmutable. The deployment group that this DIRECT endpoint group is connected to, for example: `projects/123456789/locations/global/mirroringDeploymentGroups/my-dg`. See https://google.aip.dev/124.
name?stringImmutable. Identifier. The resource name of this endpoint group, for example: `projects/123456789/locations/global/mirroringEndpointGroups/my-eg`. See https://google.aip.dev/122 for more details.
type?enumImmutable. The type of the endpoint group. If left unspecified, defaults to DIRECT.
mirroringEndpointGroupId?stringRequired. The ID to use for the endpoint group, which will become the final component of the endpoint group's resource name.
requestId?stringOptional. A unique identifier for this request. Must be a UUID4. This request is only idempotent if a `request_id` is provided. See https://google.aip.dev/155 for more details.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a mirroringEndpointGroups
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a mirroringEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the mirroringEndpointGroups
updateUpdate mirroringEndpointGroups attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the mirroringEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the mirroringEndpointGroups
syncSync mirroringEndpointGroups state from GCP

Resources

state(infinite)— An endpoint group is a consumer frontend for a deployment group (backend). In...
@swamp/gcp/networksecurity/securityprofilegroupsv2026.04.23.1securityprofilegroups.ts

Global Arguments

ArgumentTypeDescription
customInterceptProfile?stringOptional. Reference to a SecurityProfile with the CustomIntercept configuration.
customMirroringProfile?stringOptional. Reference to a SecurityProfile with the CustomMirroring configuration.
description?stringOptional. An optional description of the profile group. Max length 2048 characters.
labels?recordOptional. Labels as key value pairs.
name?stringImmutable. Identifier. Name of the SecurityProfileGroup resource. It matches pattern `projects|organizations/*/locations/{location}/securityProfileGroups/{security_profile_group}`.
threatPreventionProfile?stringOptional. Reference to a SecurityProfile with the ThreatPrevention configuration.
urlFilteringProfile?stringOptional. Reference to a SecurityProfile with the UrlFiltering configuration.
securityProfileGroupId?stringRequired. Short name of the SecurityProfileGroup resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "security_profile_group1".
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
createCreate a securityProfileGroups
getGet a securityProfileGroups
ArgumentTypeDescription
identifierstringThe name of the securityProfileGroups
updateUpdate securityProfileGroups attributes
deleteDelete the securityProfileGroups
ArgumentTypeDescription
identifierstringThe name of the securityProfileGroups
syncSync securityProfileGroups state from GCP

Resources

state(infinite)— SecurityProfileGroup is a resource that defines the behavior for various Prof...
@swamp/gcp/networksecurity/securityprofilesv2026.04.23.1securityprofiles.ts

Global Arguments

ArgumentTypeDescription
customInterceptProfile?objectCustomInterceptProfile defines in-band integration behavior (intercept). It is used by firewall rules with an APPLY_SECURITY_PROFILE_GROUP action.
customMirroringProfile?objectCustomMirroringProfile defines out-of-band integration behavior (mirroring). It is used by mirroring rules with a MIRROR action.
description?stringOptional. An optional description of the profile. Max length 512 characters.
labels?recordOptional. Labels as key value pairs.
name?stringImmutable. Identifier. Name of the SecurityProfile resource. It matches pattern `projects|organizations/*/locations/{location}/securityProfiles/{security_profile}`.
threatPreventionProfile?objectThreatPreventionProfile defines an action for specific threat signatures or severity levels.
type?enumImmutable. The single ProfileType that the SecurityProfile resource configures.
urlFilteringProfile?objectUrlFilteringProfile defines filters based on URL.
securityProfileId?stringRequired. Short name of the SecurityProfile resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "security_profile1".
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
createCreate a securityProfiles
getGet a securityProfiles
ArgumentTypeDescription
identifierstringThe name of the securityProfiles
updateUpdate securityProfiles attributes
deleteDelete the securityProfiles
ArgumentTypeDescription
identifierstringThe name of the securityProfiles
syncSync securityProfiles state from GCP

Resources

state(infinite)— SecurityProfile is a resource that defines the behavior for one of many Profi...
@swamp/gcp/networksecurity/servertlspoliciesv2026.04.23.1servertlspolicies.ts

Global Arguments

ArgumentTypeDescription
allowOpen?booleanThis field applies only for Traffic Director policies. It is must be set to false for Application Load Balancer policies. Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if `allow_open` and `mtls_policy` are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. Consid
description?stringFree-text description of the resource.
labels?recordSet of label tags associated with the resource.
mtlsPolicy?objectSpecification of the MTLSPolicy.
name?stringRequired. Name of the ServerTlsPolicy resource. It matches the pattern `projects/*/locations/{location}/serverTlsPolicies/{server_tls_policy}`
serverCertificate?objectSpecification of certificate provider. Defines the mechanism to obtain the certificate and private key for peer to peer authentication.
serverTlsPolicyId?stringRequired. Short name of the ServerTlsPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "server_mtls_policy".
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a serverTlsPolicies
getGet a serverTlsPolicies
ArgumentTypeDescription
identifierstringThe name of the serverTlsPolicies
updateUpdate serverTlsPolicies attributes
deleteDelete the serverTlsPolicies
ArgumentTypeDescription
identifierstringThe name of the serverTlsPolicies
syncSync serverTlsPolicies state from GCP

Resources

state(infinite)— ServerTlsPolicy is a resource that specifies how a server should authenticate...
@swamp/gcp/networksecurity/tlsinspectionpoliciesv2026.04.23.1tlsinspectionpolicies.ts

Global Arguments

ArgumentTypeDescription
caPool?stringRequired. A CA pool resource used to issue interception certificates. The CA pool string has a relative resource path following the form "projects/{project}/locations/{location}/caPools/{ca_pool}".
customTlsFeatures?arrayOptional. List of custom TLS cipher suites selected. This field is valid only if the selected tls_feature_profile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.
description?stringOptional. Free-text description of the resource.
excludePublicCaSet?booleanOptional. If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trust_config. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trust_config will be accepted. This defaults to FALSE (use public CAs in addition to trust_config) for backwards compatibility, but trusting public root CAs is *not recommended* unless the traffic in ques
minTlsVersion?enumOptional. Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
name?stringRequired. Name of the resource. Name is of the form projects/{project}/locations/{location}/tlsInspectionPolicies/{tls_inspection_policy} tls_inspection_policy should match the pattern:(^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$).
tlsFeatureProfile?enumOptional. The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers ("PROFILE_COMPATIBLE"). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
trustConfig?stringOptional. A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form "projects/{project}/locations/{location}/trustConfigs/{trust_config}". This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Note that Secure Web Proxy does not yet honor this field.
tlsInspectionPolicyId?stringRequired. Short name of the TlsInspectionPolicy resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "tls_inspection_policy1".
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a tlsInspectionPolicies
getGet a tlsInspectionPolicies
ArgumentTypeDescription
identifierstringThe name of the tlsInspectionPolicies
updateUpdate tlsInspectionPolicies attributes
deleteDelete the tlsInspectionPolicies
ArgumentTypeDescription
identifierstringThe name of the tlsInspectionPolicies
syncSync tlsInspectionPolicies state from GCP

Resources

state(infinite)— The TlsInspectionPolicy resource contains references to CA pools in Certifica...
@swamp/gcp/networksecurity/urllistsv2026.04.23.1urllists.ts

Global Arguments

ArgumentTypeDescription
description?stringOptional. Free-text description of the resource.
name?stringRequired. Name of the resource provided by the user. Name is of the form projects/{project}/locations/{location}/urlLists/{url_list} url_list should match the pattern:(^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$).
values?arrayRequired. FQDNs and URLs.
urlListId?stringRequired. Short name of the UrlList resource to be created. This value should be 1-63 characters long, containing only letters, numbers, hyphens, and underscores, and should not start with a number. E.g. "url_list".
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
createCreate a urlLists
getGet a urlLists
ArgumentTypeDescription
identifierstringThe name of the urlLists
updateUpdate urlLists attributes
deleteDelete the urlLists
ArgumentTypeDescription
identifierstringThe name of the urlLists
syncSync urlLists state from GCP

Resources

state(infinite)— UrlList proto helps users to set reusable, independently manageable lists of ...