import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * AuthzPolicy is a resource that allows to forward traffic to a callout backend designed to scan the traffic for security purposes.
 *
 * To get more information about AuthzPolicy, see:
 *
 * * [API documentation](https://cloud.google.com/load-balancing/docs/reference/network-security/rest/v1beta1/projects.locations.authzPolicies)
 *
 * ## Example Usage
 *
 * ## Import
 *
 * AuthzPolicy can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}`
 *
 * * `{{project}}/{{location}}/{{name}}`
 *
 * * `{{location}}/{{name}}`
 *
 * * `{{name}}`
 *
 * When using the `pulumi import` command, AuthzPolicy can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default projects/{{project}}/locations/{{location}}/authzPolicies/{{name}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{project}}/{{location}}/{{name}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{location}}/{{name}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:networksecurity/authzPolicy:AuthzPolicy default {{name}}
 * ```
 */
export declare class AuthzPolicy extends pulumi.CustomResource {
    /**
     * Get an existing AuthzPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthzPolicyState, opts?: pulumi.CustomResourceOptions): AuthzPolicy;
    /**
     * Returns true if the given object is an instance of AuthzPolicy.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is AuthzPolicy;
    /**
     * When the action is CUSTOM, customProvider must be specified.
     * When the action is ALLOW, only requests matching the policy will be allowed.
     * When the action is DENY, only requests matching the policy will be denied.
     * When a request arrives, the policies are evaluated in the following order:
     * 1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
     * 2. If there are any DENY policies that match the request, the request is denied.
     * 3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
     * 4. Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
     * Possible values are: `ALLOW`, `DENY`, `CUSTOM`.
     */
    readonly action: pulumi.Output<string>;
    /**
     * The timestamp when the resource was created.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One
     * of cloudIap or authzExtension must be specified.
     */
    readonly customProvider: pulumi.Output<outputs.networksecurity.AuthzPolicyCustomProvider | undefined>;
    /**
     * A human-readable description of the resource.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    readonly effectiveLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * A list of authorization HTTP rules to match against the incoming request.A policy match occurs when at least one HTTP
     * rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow
     * or Deny Action. Limited to 5 rules.
     */
    readonly httpRules: pulumi.Output<outputs.networksecurity.AuthzPolicyHttpRule[] | undefined>;
    /**
     * Set of labels associated with the AuthzExtension resource. **Note**: This field is non-authoritative, and will only
     * manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels
     * present on the resource.
     */
    readonly labels: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The location of the resource.
     */
    readonly location: pulumi.Output<string>;
    /**
     * Identifier. Name of the AuthzPolicy resource.
     */
    readonly name: pulumi.Output<string>;
    readonly project: pulumi.Output<string>;
    /**
     * The combination of labels configured directly on the resource
     * and default labels configured on the provider.
     */
    readonly pulumiLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Specifies the set of resources to which this policy should be applied to.
     * Structure is documented below.
     */
    readonly target: pulumi.Output<outputs.networksecurity.AuthzPolicyTarget>;
    /**
     * The timestamp when the resource was updated.
     */
    readonly updateTime: pulumi.Output<string>;
    /**
     * Create a AuthzPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: AuthzPolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering AuthzPolicy resources.
 */
export interface AuthzPolicyState {
    /**
     * When the action is CUSTOM, customProvider must be specified.
     * When the action is ALLOW, only requests matching the policy will be allowed.
     * When the action is DENY, only requests matching the policy will be denied.
     * When a request arrives, the policies are evaluated in the following order:
     * 1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
     * 2. If there are any DENY policies that match the request, the request is denied.
     * 3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
     * 4. Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
     * Possible values are: `ALLOW`, `DENY`, `CUSTOM`.
     */
    action?: pulumi.Input<string>;
    /**
     * The timestamp when the resource was created.
     */
    createTime?: pulumi.Input<string>;
    /**
     * Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One
     * of cloudIap or authzExtension must be specified.
     */
    customProvider?: pulumi.Input<inputs.networksecurity.AuthzPolicyCustomProvider>;
    /**
     * A human-readable description of the resource.
     */
    description?: pulumi.Input<string>;
    /**
     * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    effectiveLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * A list of authorization HTTP rules to match against the incoming request.A policy match occurs when at least one HTTP
     * rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow
     * or Deny Action. Limited to 5 rules.
     */
    httpRules?: pulumi.Input<pulumi.Input<inputs.networksecurity.AuthzPolicyHttpRule>[]>;
    /**
     * Set of labels associated with the AuthzExtension resource. **Note**: This field is non-authoritative, and will only
     * manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels
     * present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location of the resource.
     */
    location?: pulumi.Input<string>;
    /**
     * Identifier. Name of the AuthzPolicy resource.
     */
    name?: pulumi.Input<string>;
    project?: pulumi.Input<string>;
    /**
     * The combination of labels configured directly on the resource
     * and default labels configured on the provider.
     */
    pulumiLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Specifies the set of resources to which this policy should be applied to.
     * Structure is documented below.
     */
    target?: pulumi.Input<inputs.networksecurity.AuthzPolicyTarget>;
    /**
     * The timestamp when the resource was updated.
     */
    updateTime?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a AuthzPolicy resource.
 */
export interface AuthzPolicyArgs {
    /**
     * When the action is CUSTOM, customProvider must be specified.
     * When the action is ALLOW, only requests matching the policy will be allowed.
     * When the action is DENY, only requests matching the policy will be denied.
     * When a request arrives, the policies are evaluated in the following order:
     * 1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.
     * 2. If there are any DENY policies that match the request, the request is denied.
     * 3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.
     * 4. Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.
     * Possible values are: `ALLOW`, `DENY`, `CUSTOM`.
     */
    action: pulumi.Input<string>;
    /**
     * Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One
     * of cloudIap or authzExtension must be specified.
     */
    customProvider?: pulumi.Input<inputs.networksecurity.AuthzPolicyCustomProvider>;
    /**
     * A human-readable description of the resource.
     */
    description?: pulumi.Input<string>;
    /**
     * A list of authorization HTTP rules to match against the incoming request.A policy match occurs when at least one HTTP
     * rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow
     * or Deny Action. Limited to 5 rules.
     */
    httpRules?: pulumi.Input<pulumi.Input<inputs.networksecurity.AuthzPolicyHttpRule>[]>;
    /**
     * Set of labels associated with the AuthzExtension resource. **Note**: This field is non-authoritative, and will only
     * manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels
     * present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location of the resource.
     */
    location: pulumi.Input<string>;
    /**
     * Identifier. Name of the AuthzPolicy resource.
     */
    name?: pulumi.Input<string>;
    project?: pulumi.Input<string>;
    /**
     * Specifies the set of resources to which this policy should be applied to.
     * Structure is documented below.
     */
    target: pulumi.Input<inputs.networksecurity.AuthzPolicyTarget>;
}