Skip to main content
← back to extensions

@swamp/gcp/compute

v2026.04.04.2

Google Cloud compute infrastructure models

Platforms

linux-x86_64linux-aarch64darwin-x86_64darwin-aarch64

Labels

gcpgoogle-cloudcomputecloudinfrastructure

Contents

models

Install

$ swamp extension pull @swamp/gcp/compute

Release Notes

  • Updated: backendbuckets, backendservices, disks, futurereservations, images, instancegroupmanagerresizerequests, instancegroupmanagers, instancetemplates, instances, instantsnapshots, machineimages, networkattachments, regionbackendservices, regioncommitments, regioncompositehealthchecks, regiondisks, regionhealthsources, regioninstancegroupmanagers, regioninstancetemplates, regioninstantsnapshots, reservations, snapshotsettings, snapshots

instancegroupmanagers.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
allInstancesConfig?objectThe label key-value pairs that you want to patch onto the instance.
autoHealingPolicies?arrayThe URL for the health check that signals autohealing.
baseInstanceName?stringThe base instance name is a prefix that you want to attach to the names of all VMs in a MIG. The maximum character length is 58 and the name must comply with RFC1035 format. When a VM is created in the group, the MIG appends a hyphen and a random four-character string to the base instance name. If you want the MIG to assign sequential numbers instead of a random string, then end the base instance name with a hyphen followed by one or more hash symbols. The hash symbols indicate the number of digits. For example, a base instance name of "vm-###" results in "vm-001" as a VM name. @pattern [a-z](([-a-z0-9]{0,57})|([-a-z0-9]{0,51}-#{1,10}(\\\\[[0-9]{1,10}\\\\])?))
currentActions?objectOutput only. [Output Only] The total number of instances in the managed instance group that are scheduled to be abandoned. Abandoning an instance removes it from the managed instance group without deleting it.
description?stringAn optional description of this resource.
distributionPolicy?objectThe distribution shape to which the group converges either proactively or on resize events (depending on the value set inupdatePolicy.instanceRedistributionType).
fingerprint?stringFingerprint of this resource. This field may be used in optimistic locking. It will be ignored when inserting an InstanceGroupManager. An up-to-date fingerprint must be provided in order to update the InstanceGroupManager, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an InstanceGroupManager.
instanceFlexibilityPolicy?objectFull machine-type names, e.g. "n1-standard-16".
instanceLifecyclePolicy?objectThe action that a MIG performs on a failed or an unhealthy VM. A VM is marked as unhealthy when the application running on that VM fails a health check. Valid values are - REPAIR (default): MIG automatically repairs a failed or an unhealthy VM by recreating it. For more information, see About repairing VMs in a MIG. - DO_NOTHING: MIG does not repair a failed or an unhealthy VM.
instanceTemplate?stringThe URL of the instance template that is specified for this managed instance group. The group uses this template to create all new instances in the managed instance group. The templates for existing instances in the group do not change unless you run recreateInstances, runapplyUpdatesToInstances, or set the group'supdatePolicy.type to PROACTIVE.
listManagedInstancesResults?enumPagination behavior of the listManagedInstances API method for this managed instance group.
namestringThe name of the managed instance group. The name must be 1-63 characters long, and comply withRFC1035.
resourcePolicies?objectThe URL of the workload policy that is specified for this managed instance group. It can be a full or partial URL. For example, the following are all valid URLs to a workload policy: - https://www.googleapis.com/compute/v1/projects/project/regions/region/resourcePolicies/resourcePolicy - projects/project/regions/region/resourcePolicies/resourcePolicy - regions/region/resourcePolicies/resourcePolicy
standbyPolicy?objectSpecifies the number of seconds that the MIG should wait to suspend or stop a VM after that VM was created. The initial delay gives the initialization script the time to prepare your VM for a quick scale out. The value of initial delay must be between 0 and 3600 seconds. The default value is 0.
statefulPolicy?objectThese stateful disks will never be deleted during autohealing, update or VM instance recreate operations. This flag is used to configure if the disk should be deleted after it is no longer used by the group, e.g. when the given instance or the whole group is deleted. Note: disks attached inREAD_ONLY mode cannot be auto-deleted.
status?objectOutput only. [Output Only] Current all-instances configuration revision. This value is in RFC3339 text format.
targetPools?arrayThe URLs for all TargetPool resources to which instances in theinstanceGroup field are added. The target pools automatically apply to all of the instances in the managed instance group.
targetSizenumberThe target number of running instances for this managed instance group. You can reduce this number by using the instanceGroupManager deleteInstances or abandonInstances methods. Resizing the group also changes this number.
targetSizePolicy?objectThe mode of target size policy based on which the MIG creates its VMs individually or all at once.
targetStoppedSize?numberThe target number of stopped instances for this managed instance group. This number changes when you: - Stop instance using the stopInstances method or start instances using the startInstances method. - Manually change the targetStoppedSize using the update method.
targetSuspendedSize?numberThe target number of suspended instances for this managed instance group. This number changes when you: - Suspend instance using the suspendInstances method or resume instances using the resumeInstances method. - Manually change the targetSuspendedSize using the update method.
updatePolicy?objectThe instance redistribution policy for regional managed instance groups. Valid values are: - PROACTIVE (default): The group attempts to maintain an even distribution of VM instances across zones in the region. - NONE: For non-autoscaled groups, proactive redistribution is disabled.
versions?arrayThe URL of the instance template that is specified for this managed instance group. The group uses this template to create new instances in the managed instance group until the `targetSize` for this version is reached. The templates for existing instances in the group do not change unless you run recreateInstances, runapplyUpdatesToInstances, or set the group'supdatePolicy.type to PROACTIVE; in those cases, existing instances are updated until the `targetSize` for this version is reached.
zone?stringOutput only. [Output Only] The URL of azone where the managed instance group is located (for zonal resources).
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a instanceGroupManagers
getGet a instanceGroupManagers
ArgumentTypeDescription
identifierstringThe name of the instanceGroupManagers
updateUpdate instanceGroupManagers attributes
deleteDelete the instanceGroupManagers
ArgumentTypeDescription
identifierstringThe name of the instanceGroupManagers
syncSync instanceGroupManagers state from GCP
abandon_instancesabandon instances
ArgumentTypeDescription
instances?any
apply_updates_to_instancesapply updates to instances
ArgumentTypeDescription
allInstances?any
instances?any
minimalAction?any
mostDisruptiveAllowedAction?any
create_instancescreate instances
ArgumentTypeDescription
instances?any
list_errorslist errors
list_managed_instanceslist managed instances
list_per_instance_configslist per instance configs
patch_per_instance_configspatch per instance configs
ArgumentTypeDescription
perInstanceConfigs?any
recreate_instancesrecreate instances
ArgumentTypeDescription
instances?any
resizeresize
resume_instancesresume instances
ArgumentTypeDescription
instances?any
set_instance_templateset instance template
ArgumentTypeDescription
instanceTemplate?any
set_target_poolsset target pools
ArgumentTypeDescription
fingerprint?any
targetPools?any
start_instancesstart instances
ArgumentTypeDescription
instances?any
stop_instancesstop instances
ArgumentTypeDescription
forceStop?any
instances?any
suspend_instancessuspend instances
ArgumentTypeDescription
forceSuspend?any
instances?any
update_per_instance_configsupdate per instance configs
ArgumentTypeDescription
perInstanceConfigs?any
autoscalers.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
autoscalingPolicy?objectThe number of seconds that your application takes to initialize on a VM instance. This is referred to as the [initialization period](/compute/docs/autoscaler#cool_down_period). Specifying an accurate initialization period improves autoscaler decisions. For example, when scaling out, the autoscaler ignores data from VMs that are still initializing because those VMs might not yet represent normal usage of your application. The default initialization period is 60 seconds. Initialization periods might vary because of numerous factors. We recommend that you test how long your application takes to initialize. To do this, create a VM and time your application's startup process.
description?stringAn optional description of this resource. Provide this property when you create the resource.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
target?stringURL of the managed instance group that this autoscaler will scale. This field is required when creating an autoscaler.
zone?stringOutput only. [Output Only] URL of thezone where the instance group resides (for autoscalers living in zonal scope).
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a autoscalers
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a autoscalers
ArgumentTypeDescription
identifierstringThe name of the autoscalers
updateUpdate autoscalers attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the autoscalers
ArgumentTypeDescription
identifierstringThe name of the autoscalers
syncSync autoscalers state from GCP
regionsslcertificates.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
certificate?stringA value read into memory from a certificate file. The certificate file must be in PEM format. The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert.
description?stringAn optional description of this resource. Provide this property when you create the resource.
managed?objectOutput only. [Output only] Detailed statuses of the domains specified for managed certificate resource.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
privateKey?stringA value read into memory from a write-only private key file. The private key file must be in PEM format. For security, only insert requests include this field.
region?stringOutput only. [Output Only] URL of the region where the regional SSL Certificate resides. This field is not applicable to global SSL Certificate.
selfManaged?objectA local certificate file. The certificate must be in PEM format. The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert.
type?enum(Optional) Specifies the type of SSL certificate, either "SELF_MANAGED" or "MANAGED". If not specified, the certificate is self-managed and the fieldscertificate and private_key are used.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionSslCertificates
getGet a regionSslCertificates
ArgumentTypeDescription
identifierstringThe name of the regionSslCertificates
deleteDelete the regionSslCertificates
ArgumentTypeDescription
identifierstringThe name of the regionSslCertificates
syncSync regionSslCertificates state from GCP
regioninstantsnapshots.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
labelFingerprint?stringA fingerprint for the labels being applied to this InstantSnapshot, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a InstantSnapshot.
labels?recordLabels to apply to this InstantSnapshot. These can be later modified by the setLabels method. Label values may be empty.
name?stringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectInput only. Resource manager tags to be bound to the instant snapshot. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/{tag_value_id}` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
region?stringOutput only. [Output Only] URL of the region where the instant snapshot resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
resourceStatus?object[Output Only] The storage size of this instant snapshot.
sourceDisk?stringURL of the source disk used to create this instant snapshot. Note that the source disk must be in the same zone/region as the instant snapshot to be created. This can be a full or valid partial URL. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/disks/disk - https://www.googleapis.com/compute/v1/projects/project/regions/region/disks/disk - projects/project/zones/zone/disks/disk - projects/project/regions/region/disks/disk - zones/zone/disks/disk - regions/region/disks/disk
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionInstantSnapshots
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a regionInstantSnapshots
ArgumentTypeDescription
identifierstringThe name of the regionInstantSnapshots
deleteDelete the regionInstantSnapshots
ArgumentTypeDescription
identifierstringThe name of the regionInstantSnapshots
syncSync regionInstantSnapshots state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
zones.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a zones
ArgumentTypeDescription
identifierstringThe name of the zones
syncSync zones state from GCP
networkfirewallpolicies.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
associations?arrayThe target that the firewall policy is attached to.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringSpecifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
packetMirroringRules?arrayThe Action to perform when the client connection triggers the rule. Valid actions for firewall rules are: "allow", "deny", "apply_security_profile_group" and "goto_next". Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" and "goto_next".
policyType?enumThe type of the firewall policy. This field can be eitherVPC_POLICY or RDMA_ROCE_POLICY. Note: if not specified then VPC_POLICY will be used.
rules?arrayThe Action to perform when the client connection triggers the rule. Valid actions for firewall rules are: "allow", "deny", "apply_security_profile_group" and "goto_next". Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" and "goto_next".
shortName?stringUser-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a networkFirewallPolicies
getGet a networkFirewallPolicies
ArgumentTypeDescription
identifierstringThe name of the networkFirewallPolicies
updateUpdate networkFirewallPolicies attributes
deleteDelete the networkFirewallPolicies
ArgumentTypeDescription
identifierstringThe name of the networkFirewallPolicies
syncSync networkFirewallPolicies state from GCP
add_associationadd association
ArgumentTypeDescription
attachmentTarget?any
displayName?any
firewallPolicyId?any
name?any
shortName?any
add_packet_mirroring_ruleadd packet mirroring rule
ArgumentTypeDescription
action?any
description?any
direction?any
disabled?any
enableLogging?any
kind?any
match?any
priority?any
ruleName?any
ruleTupleCount?any
securityProfileGroup?any
targetResources?any
targetSecureTags?any
targetServiceAccounts?any
tlsInspect?any
add_ruleadd rule
ArgumentTypeDescription
action?any
description?any
direction?any
disabled?any
enableLogging?any
kind?any
match?any
priority?any
ruleName?any
ruleTupleCount?any
securityProfileGroup?any
targetResources?any
targetSecureTags?any
targetServiceAccounts?any
tlsInspect?any
clone_rulesclone rules
get_associationget association
get_packet_mirroring_ruleget packet mirroring rule
get_ruleget rule
patch_packet_mirroring_rulepatch packet mirroring rule
ArgumentTypeDescription
action?any
description?any
direction?any
disabled?any
enableLogging?any
kind?any
match?any
priority?any
ruleName?any
ruleTupleCount?any
securityProfileGroup?any
targetResources?any
targetSecureTags?any
targetServiceAccounts?any
tlsInspect?any
patch_rulepatch rule
ArgumentTypeDescription
action?any
description?any
direction?any
disabled?any
enableLogging?any
kind?any
match?any
priority?any
ruleName?any
ruleTupleCount?any
securityProfileGroup?any
targetResources?any
targetSecureTags?any
targetServiceAccounts?any
tlsInspect?any
reservationblocks.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a reservationBlocks
ArgumentTypeDescription
identifierstringThe name of the reservationBlocks
syncSync reservationBlocks state from GCP
perform_maintenanceperform maintenance
ArgumentTypeDescription
maintenanceScope?any
projects.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a projects
ArgumentTypeDescription
identifierstringThe name of the projects
syncSync projects state from GCP
disable_xpn_hostdisable xpn host
disable_xpn_resourcedisable xpn resource
ArgumentTypeDescription
xpnResource?any
enable_xpn_hostenable xpn host
enable_xpn_resourceenable xpn resource
ArgumentTypeDescription
xpnResource?any
get_xpn_hostget xpn host
get_xpn_resourcesget xpn resources
list_xpn_hostslist xpn hosts
ArgumentTypeDescription
organization?any
move_diskmove disk
ArgumentTypeDescription
destinationZone?any
targetDisk?any
move_instancemove instance
ArgumentTypeDescription
destinationZone?any
targetInstance?any
set_cloud_armor_tierset cloud armor tier
ArgumentTypeDescription
cloudArmorTier?any
set_common_instance_metadataset common instance metadata
ArgumentTypeDescription
fingerprint?any
items?any
kind?any
set_default_network_tierset default network tier
ArgumentTypeDescription
networkTier?any
set_usage_export_bucketset usage export bucket
ArgumentTypeDescription
bucketName?any
reportNamePrefix?any
nodetemplates.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
accelerators?arrayThe number of the guest accelerator cards exposed to this instance.
cpuOvercommitType?enumCPU overcommit.
description?stringAn optional description of this resource. Provide this property when you create the resource.
disks?arraySpecifies the number of such disks.
name?stringThe name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
nodeAffinityLabels?recordLabels to use for node affinity, which will be used in instance scheduling.
nodeType?stringThe node type to use for nodes group that are created from this template.
nodeTypeFlexibility?object
region?stringOutput only. [Output Only] The name of the region where the node template resides, such as us-central1.
serverBinding?object
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a nodeTemplates
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a nodeTemplates
ArgumentTypeDescription
identifierstringThe name of the nodeTemplates
deleteDelete the nodeTemplates
ArgumentTypeDescription
identifierstringThe name of the nodeTemplates
syncSync nodeTemplates state from GCP
disktypes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a diskTypes
ArgumentTypeDescription
identifierstringThe name of the diskTypes
syncSync diskTypes state from GCP
targettcpproxies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
proxyBind?booleanThis field only applies when the forwarding rule that references this target proxy has a loadBalancingScheme set toINTERNAL_SELF_MANAGED. When this field is set to true, Envoy proxies set up inbound traffic interception and bind to the IP address and port specified in the forwarding rule. This is generally useful when using Traffic Director to configure Envoy as a gateway or middle proxy (in other words, not a sidecar proxy). The Envoy proxy listens for inbound requests and handles requests when it receives them. The default is false.
proxyHeader?enumSpecifies the type of proxy header to append before sending data to the backend, either NONE or PROXY_V1. The default is NONE.
service?stringURL to the BackendService resource.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a targetTcpProxies
getGet a targetTcpProxies
ArgumentTypeDescription
identifierstringThe name of the targetTcpProxies
deleteDelete the targetTcpProxies
ArgumentTypeDescription
identifierstringThe name of the targetTcpProxies
syncSync targetTcpProxies state from GCP
set_backend_serviceset backend service
ArgumentTypeDescription
service?any
set_proxy_headerset proxy header
ArgumentTypeDescription
proxyHeader?any
forwardingrules.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
IPAddress?stringIP address for which this forwarding rule accepts traffic. When a client sends traffic to this IP address, the forwarding rule directs the traffic to the referenced target or backendService. While creating a forwarding rule, specifying an IPAddress is required under the following circumstances: - When the target is set to targetGrpcProxy andvalidateForProxyless is set to true, theIPAddress should be set to 0.0.0.0. - When the target is a Private Service Connect Google APIs bundle, you must specify an IPAddress. Otherwise, you can optionally specify an IP address that references an existing static (reserved) IP address resource. When omitted, Google Cloud assigns an ephemeral IP address. Use one of the following formats to specify an IP address while creating a forwarding rule: * IP address number, as in `100.1.2.3` * IPv6 address range, as in `2600:1234::/96` * Full resource URL, as inhttps://www.googleapis.com/compute/v1/projects/project_id/regions/region/addresses/address-name * Partial URL or by name, as in: - projects/project_id/regions/region/addresses/address-name - regions/region/addresses/address-name - global/addresses/address-name - address-name The forwarding rule's target or backendService, and in most cases, also the loadBalancingScheme, determine the type of IP address that you can use. For detailed information, see [IP address specifications](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications). When reading an IPAddress, the API always returns the IP address number.
IPProtocol?enumThe IP protocol to which this rule applies. For protocol forwarding, valid options are TCP, UDP, ESP,AH, SCTP, ICMP andL3_DEFAULT. The valid IP protocols are different for different load balancing products as described in [Load balancing features](https://cloud.google.com/load-balancing/docs/features#protocols_from_the_load_balancer_to_the_backends).
allPorts?booleanThe ports, portRange, and allPorts fields are mutually exclusive. Only packets addressed to ports in the specified range will be forwarded to the backends configured with this forwarding rule. The allPorts field has the following limitations: - It requires that the forwarding rule IPProtocol be TCP, UDP, SCTP, or L3_DEFAULT. - It's applicable only to the following products: internal passthrough Network Load Balancers, backend service-based external passthrough Network Load Balancers, and internal and external protocol forwarding. - Set this field to true to allow packets addressed to any port or packets lacking destination port information (for example, UDP fragments after the first fragment) to be forwarded to the backends configured with this forwarding rule. The L3_DEFAULT protocol requiresallPorts be set to true.
allowGlobalAccess?booleanIf set to true, clients can access the internal passthrough Network Load Balancers, the regional internal Application Load Balancer, and the regional internal proxy Network Load Balancer from all regions. If false, only allows access from the local region the load balancer is located at. Note that for INTERNAL_MANAGED forwarding rules, this field cannot be changed after the forwarding rule is created.
allowPscGlobalAccess?booleanThis is used in PSC consumer ForwardingRule to control whether the PSC endpoint can be accessed from another region.
backendService?stringIdentifies the backend service to which the forwarding rule sends traffic. Required for internal and external passthrough Network Load Balancers; must be omitted for all other load balancer types.
description?stringAn optional description of this resource. Provide this property when you create the resource.
externalManagedBackendBucketMigrationState?enumSpecifies the canary migration state for the backend buckets attached to this forwarding rule. Possible values are PREPARE, TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the TEST_BY_PERCENTAGE state can be used to migrate traffic to backend buckets attached to this forwarding rule by percentage using externalManagedBackendBucketMigrationTestingPercentage. Rolling back a migration requires the states to be set in reverse order. So changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to be set to TEST_ALL_TRAFFIC at the same time. Optionally, the TEST_BY_PERCENTAGE state can be used to migrate some traffic back to EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL.
externalManagedBackendBucketMigrationTestingPercentage?numberDetermines the fraction of requests to backend buckets that should be processed by the global external Application Load Balancer. The value of this field must be in the range [0, 100]. This value can only be set if the loadBalancingScheme in the BackendService is set to EXTERNAL (when using the classic Application Load Balancer) and the migration state is TEST_BY_PERCENTAGE.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a ForwardingRule. Include the fingerprint in patch request to ensure that you do not overwrite changes that were applied from another concurrent request. To see the latest fingerprint, make a get() request to retrieve a ForwardingRule.
ipCollection?stringResource reference of a PublicDelegatedPrefix. The PDP must be a sub-PDP in EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode. Use one of the following formats to specify a sub-PDP when creating an IPv6 NetLB forwarding rule using BYOIP: Full resource URL, as inhttps://www.googleapis.com/compute/v1/projects/project_id/regions/region/publicDelegatedPrefixes/sub-pdp-name Partial URL, as in: - projects/project_id/regions/region/publicDelegatedPrefixes/sub-pdp-name - regions/region/publicDelegatedPrefixes/sub-pdp-name
ipVersion?enumThe IP Version that will be used by this forwarding rule. Valid options are IPV4 or IPV6.
isMirroringCollector?booleanIndicates whether or not this load balancer can be used as a collector for packet mirroring. To prevent mirroring loops, instances behind this load balancer will not have their traffic mirrored even if aPacketMirroring rule applies to them. This can only be set to true for load balancers that have theirloadBalancingScheme set to INTERNAL.
labelFingerprint?stringA fingerprint for the labels being applied to this resource, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a ForwardingRule.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
loadBalancingScheme?enumSpecifies the forwarding rule type. For more information about forwarding rules, refer to Forwarding rule concepts.
metadataFilters?arrayName of metadata label. The name can have a maximum length of 1024 characters and must be at least 1 character long.
name?stringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. For Private Service Connect forwarding rules that forward traffic to Google APIs, the forwarding rule name must be a 1-20 characters string with lowercase letters and numbers and must start with a letter.
network?stringThis field is not used for global external load balancing. For internal passthrough Network Load Balancers, this field identifies the network that the load balanced IP should belong to for this forwarding rule. If the subnetwork is specified, the network of the subnetwork will be used. If neither subnetwork nor this field is specified, the default network will be used. For Private Service Connect forwarding rules that forward traffic to Google APIs, a network must be provided.
networkTier?enumThis signifies the networking tier used for configuring this load balancer and can only take the following values:PREMIUM, STANDARD. For regional ForwardingRule, the valid values are PREMIUM andSTANDARD. For GlobalForwardingRule, the valid value isPREMIUM. If this field is not specified, it is assumed to be PREMIUM. If IPAddress is specified, this value must be equal to the networkTier of the Address.
noAutomateDnsZone?booleanThis is used in PSC consumer ForwardingRule to control whether it should try to auto-generate a DNS zone or not. Non-PSC forwarding rules do not use this field. Once set, this field is not mutable.
portRange?stringThe ports, portRange, and allPorts fields are mutually exclusive. Only packets addressed to ports in the specified range will be forwarded to the backends configured with this forwarding rule. The portRange field has the following limitations: - It requires that the forwarding rule IPProtocol be TCP, UDP, or SCTP, and - It's applicable only to the following products: external passthrough Network Load Balancers, internal and external proxy Network Load Balancers, internal and external Application Load Balancers, external protocol forwarding, and Classic VPN. - Some products have restrictions on what ports can be used. See port specifications for details. For external forwarding rules, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair, and cannot have overlappingportRanges. For internal forwarding rules within the same VPC network, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair, and cannot have overlapping portRanges. @pattern: \\\\d+(?:-\\\\d+)?
ports?arrayThe ports, portRange, and allPorts fields are mutually exclusive. Only packets addressed to ports in the specified range will be forwarded to the backends configured with this forwarding rule. The ports field has the following limitations: - It requires that the forwarding rule IPProtocol be TCP, UDP, or SCTP, and - It's applicable only to the following products: internal passthrough Network Load Balancers, backend service-based external passthrough Network Load Balancers, and internal protocol forwarding. - You can specify a list of up to five ports by number, separated by commas. The ports can be contiguous or discontiguous. For external forwarding rules, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair if they share at least one port number. For internal forwarding rules within the same VPC network, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair if they share at least one port number. @pattern: \\\\d+(?:-\\\\d+)?
pscConnectionStatus?enum
region?stringOutput only. [Output Only] URL of the region where the regional forwarding rule resides. This field is not applicable to global forwarding rules. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
serviceDirectoryRegistrations?arrayService Directory namespace to register the forwarding rule under.
serviceLabel?stringAn optional prefix to the service name for this forwarding rule. If specified, the prefix is the first label of the fully qualified service name. The label must be 1-63 characters long, and comply withRFC1035. Specifically, the label must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. This field is only used for internal load balancing.
sourceIpRanges?arrayIf not empty, this forwarding rule will only forward the traffic when the source IP address matches one of the IP addresses or CIDR ranges set here. Note that a forwarding rule can only have up to 64 source IP ranges, and this field can only be used with a regional forwarding rule whose scheme isEXTERNAL. Each source_ip_range entry should be either an IP address (for example, 1.2.3.4) or a CIDR range (for example, 1.2.3.0/24).
subnetwork?stringThis field identifies the subnetwork that the load balanced IP should belong to for this forwarding rule, used with internal load balancers and external passthrough Network Load Balancers with IPv6. If the network specified is in auto subnet mode, this field is optional. However, a subnetwork must be specified if the network is in custom subnet mode or when creating external forwarding rule with IPv6.
target?stringThe URL of the target resource to receive the matched traffic. For regional forwarding rules, this target must be in the same region as the forwarding rule. For global forwarding rules, this target must be a global load balancing resource. The forwarded traffic must be of a type appropriate to the target object. - For load balancers, see the "Target" column in [Port specifications](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications). - For Private Service Connect forwarding rules that forward traffic to Google APIs, provide the name of a supported Google API bundle: - vpc-sc - APIs that support VPC Service Controls. - all-apis - All supported Google APIs. - For Private Service Connect forwarding rules that forward traffic to managed services, the target must be a service attachment. The target is not mutable once set as a service attachment.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a forwardingRules
getGet a forwardingRules
ArgumentTypeDescription
identifierstringThe name of the forwardingRules
updateUpdate forwardingRules attributes
deleteDelete the forwardingRules
ArgumentTypeDescription
identifierstringThe name of the forwardingRules
syncSync forwardingRules state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
set_targetset target
ArgumentTypeDescription
target?any
regiontargethttpsproxies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
authorizationPolicy?stringOptional. A URL referring to a networksecurity.AuthorizationPolicy resource that describes how the proxy should authorize inbound traffic. If left blank, access will not be restricted by an authorization policy. Refer to the AuthorizationPolicy resource for additional details. authorizationPolicy only applies to a globalTargetHttpsProxy attached toglobalForwardingRules with theloadBalancingScheme set to INTERNAL_SELF_MANAGED. Note: This field currently has no impact.
certificateMap?stringURL of a certificate map that identifies a certificate map associated with the given target proxy. This field can only be set for Global external Application Load Balancer or Classic Application Load Balancer. For other products use Certificate Manager Certificates instead. If set, sslCertificates will be ignored. Accepted format is//certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificateMaps/{resourceName}.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a TargetHttpsProxy. An up-to-date fingerprint must be provided in order to patch the TargetHttpsProxy; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the TargetHttpsProxy.
httpKeepAliveTimeoutSec?numberSpecifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). If an HTTP keep-alive is not specified, a default value (610 seconds) will be used. For global external Application Load Balancers, the minimum allowed value is 5 seconds and the maximum allowed value is 1200 seconds. For classic Application Load Balancers, this option is not supported.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
proxyBind?booleanThis field only applies when the forwarding rule that references this target proxy has a loadBalancingScheme set toINTERNAL_SELF_MANAGED. When this field is set to true, Envoy proxies set up inbound traffic interception and bind to the IP address and port specified in the forwarding rule. This is generally useful when using Traffic Director to configure Envoy as a gateway or middle proxy (in other words, not a sidecar proxy). The Envoy proxy listens for inbound requests and handles requests when it receives them. The default is false.
quicOverride?enumSpecifies the QUIC override policy for this TargetHttpsProxy resource. This setting determines whether the load balancer attempts to negotiate QUIC with clients. You can specify NONE, ENABLE, orDISABLE. - When quic-override is set to NONE, Google manages whether QUIC is used. - When quic-override is set to ENABLE, the load balancer uses QUIC when possible. - When quic-override is set to DISABLE, the load balancer doesn't use QUIC. - If the quic-override flag is not specified,NONE is implied.
region?stringOutput only. [Output Only] URL of the region where the regional TargetHttpsProxy resides. This field is not applicable to global TargetHttpsProxies.
serverTlsPolicy?stringOptional. A URL referring to a networksecurity.ServerTlsPolicy resource that describes how the proxy should authenticate inbound traffic. serverTlsPolicy only applies to a globalTargetHttpsProxy attached toglobalForwardingRules with theloadBalancingScheme set to INTERNAL_SELF_MANAGED or EXTERNAL orEXTERNAL_MANAGED or INTERNAL_MANAGED. It also applies to a regional TargetHttpsProxy attached to regional forwardingRules with theloadBalancingScheme set to EXTERNAL_MANAGED orINTERNAL_MANAGED. For details whichServerTlsPolicy resources are accepted withINTERNAL_SELF_MANAGED and which with EXTERNAL,INTERNAL_MANAGED, EXTERNAL_MANAGEDloadBalancingScheme consult ServerTlsPolicy documentation. If left blank, communications are not encrypted.
sslCertificates?arrayURLs to SslCertificate resources that are used to authenticate connections between users and the load balancer. At least one SSL certificate must be specified. SslCertificates do not apply when the load balancing scheme is set to INTERNAL_SELF_MANAGED. The URLs should refer to a SSL Certificate resource or Certificate Manager Certificate resource. Mixing Classic Certificates and Certificate Manager Certificates is not allowed. Certificate Manager Certificates must include the certificatemanager API namespace. Using Certificate Manager Certificates in this field is not supported by Global external Application Load Balancer or Classic Application Load Balancer, use certificate_map instead. Currently, you may specify up to 15 Classic SSL Certificates or up to 100 Certificate Manager Certificates. Certificate Manager Certificates accepted formats are: - //certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificates/{resourceName}. - https://certificatemanager.googleapis.com/v1alpha1/projects/{project}/locations/{location}/certificates/{resourceName}.
sslPolicy?stringURL of SslPolicy resource that will be associated with the TargetHttpsProxy resource. If not set, the TargetHttpsProxy resource has no SSL policy configured.
tlsEarlyData?enumSpecifies whether TLS 1.3 0-RTT Data ("Early Data") should be accepted for this service. Early Data allows a TLS resumption handshake to include the initial application payload (a HTTP request) alongside the handshake, reducing the effective round trips to "zero". This applies to TLS 1.3 connections over TCP (HTTP/2) as well as over UDP (QUIC/h3). This can improve application performance, especially on networks where interruptions may be common, such as on mobile. Requests with Early Data will have the "Early-Data" HTTP header set on the request, with a value of "1", to allow the backend to determine whether Early Data was included. Note: TLS Early Data may allow requests to be replayed, as the data is sent to the backend before the handshake has fully completed. Applications that allow idempotent HTTP methods to make non-idempotent changes, such as a GET request updating a database, should not accept Early Data on those requests, and reject requests with the "Early-Data: 1" HTTP header by returning a HTTP 425 (Too Early) status code, in order to remain RFC compliant. The default value is DISABLED.
urlMap?stringA fully-qualified or valid partial URL to the UrlMap resource that defines the mapping from URL to the BackendService. For example, the following are all valid URLs for specifying a URL map: - https://www.googleapis.compute/v1/projects/project/global/urlMaps/url-map - projects/project/global/urlMaps/url-map - global/urlMaps/url-map
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionTargetHttpsProxies
getGet a regionTargetHttpsProxies
ArgumentTypeDescription
identifierstringThe name of the regionTargetHttpsProxies
updateUpdate regionTargetHttpsProxies attributes
deleteDelete the regionTargetHttpsProxies
ArgumentTypeDescription
identifierstringThe name of the regionTargetHttpsProxies
syncSync regionTargetHttpsProxies state from GCP
set_ssl_certificatesset ssl certificates
ArgumentTypeDescription
sslCertificates?any
set_url_mapset url map
ArgumentTypeDescription
urlMap?any
instancegroupmanagerresizerequests.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource.
namestringThe name of this resize request. The name must be 1-63 characters long, and comply withRFC1035.
requestedRunDuration?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
resizeBy?numberThe number of instances to be created by this resize request. The group's target size will be increased by this number. This field cannot be used together with 'instances'.
status?object[Output Only] The error type identifier for this error.
zone?stringOutput only. [Output Only] The URL of azone where the resize request is located. Populated only for zonal resize requests.
instanceGroupManagerstringThe name of the managed instance group to which the resize request will be added. Name should conform to RFC1035 or be a resource ID.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a instanceGroupManagerResizeRequests
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a instanceGroupManagerResizeRequests
ArgumentTypeDescription
identifierstringThe name of the instanceGroupManagerResizeRequests
deleteDelete the instanceGroupManagerResizeRequests
ArgumentTypeDescription
identifierstringThe name of the instanceGroupManagerResizeRequests
syncSync instanceGroupManagerResizeRequests state from GCP
cancelcancel
instancesettings.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
fingerprint?stringSpecifies a fingerprint for instance settings, which is essentially a hash of the instance settings resource's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update the instance settings resource. You must always provide an up-to-date fingerprint hash in order to update or change the resource, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the resource.
kind?stringOutput only. [Output Only] Type of the resource. Alwayscompute#instance_settings for instance settings.
metadata?objectA metadata key/value items map. The total size of all keys and values must be less than 512KB.
zone?stringOutput only. [Output Only] URL of the zone where the resource resides You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
getGet a instanceSettings
ArgumentTypeDescription
identifierstringThe name of the instanceSettings
updateUpdate instanceSettings attributes
syncSync instanceSettings state from GCP
instances.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
advancedMachineFeatures?objectWhether to enable nested virtualization or not (default is false).
canIpForward?booleanAllows this instance to send and receive packets with non-matching destination or source IPs. This is required if you plan to use this instance to forward routes. For more information, seeEnabling IP Forwarding.
confidentialInstanceConfig?objectDefines the type of technology used by the confidential instance.
deletionProtection?booleanWhether the resource should be protected against deletion.
description?stringAn optional description of this resource. Provide this property when you create the resource.
disks?arrayOutput only. [Output Only] The architecture of the attached disk. Valid values are ARM64 or X86_64.
displayDevice?objectDefines whether the instance has Display enabled.
fingerprint?stringSpecifies a fingerprint for this resource, which is essentially a hash of the instance's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update the instance. You must always provide an up-to-date fingerprint hash in order to update the instance. To see the latest fingerprint, make get() request to the instance.
guestAccelerators?arrayThe number of the guest accelerator cards exposed to this instance.
hostname?stringSpecifies the hostname of the instance. The specified hostname must be RFC1035 compliant. If hostname is not specified, the default hostname is [INSTANCE_NAME].c.[PROJECT_ID].internal when using the global DNS, and [INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal when using zonal DNS.
instanceEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
keyRevocationActionType?enumKeyRevocationActionType of the instance. Supported options are "STOP" and "NONE". The default value is "NONE" if it is not specified.
labelFingerprint?stringA fingerprint for this request, which is essentially a hash of the label's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the instance.
labels?recordLabels to apply to this instance. These can be later modified by the setLabels method.
machineType?stringFull or partial URL of the machine type resource to use for this instance, in the format:zones/zone/machineTypes/machine-type. This is provided by the client when the instance is created. For example, the following is a valid partial url to a predefined machine type: zones/us-central1-f/machineTypes/n1-standard-1 To create acustom machine type, provide a URL to a machine type in the following format, where CPUS is 1 or an even number up to 32 (2, 4, 6,... 24, etc), and MEMORY is the total memory for this instance. Memory must be a multiple of 256 MB and must be supplied in MB (e.g. 5 GB of memory is 5120 MB): zones/zone/machineTypes/custom-CPUS-MEMORY For example: zones/us-central1-f/machineTypes/custom-4-5120 For a full list of restrictions, read theSpecifications for custom machine types.
metadata?objectSpecifies a fingerprint for this request, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the resource.
minCpuPlatform?stringSpecifies aminimum CPU platform for the VM instance. Applicable values are the friendly names of CPU platforms, such as minCpuPlatform: "Intel Haswell" or minCpuPlatform: "Intel Sandy Bridge".
namestringThe name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
networkInterfaces?arrayApplies to ipv6AccessConfigs only. The first IPv6 address of the external IPv6 range associated with this instance, prefix length is stored inexternalIpv6PrefixLength in ipv6AccessConfig. To use a static external IP address, it must be unused and in the same region as the instance's zone. If not specified, Google Cloud will automatically assign an external IPv6 address from the instance's subnetwork.
networkPerformanceConfig?object
params?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
privateIpv6GoogleAccess?enumThe private IPv6 google access type for the VM. If not specified, use INHERIT_FROM_SUBNETWORK as default.
reservationAffinity?objectSpecifies the type of reservation from which this instance can consume resources: ANY_RESERVATION (default),SPECIFIC_RESERVATION, or NO_RESERVATION. See Consuming reserved instances for examples.
resourcePolicies?arrayResource policies applied to this instance.
scheduling?objectSpecifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). You can only set the automatic restart option for standard instances.Preemptible instances cannot be automatically restarted. By default, this is set to true so an instance is automatically restarted if it is terminated by Compute Engine.
serviceAccounts?arrayEmail address of the service account.
shieldedInstanceConfig?objectDefines whether the instance has integrity monitoring enabled.Enabled by default.
shieldedInstanceIntegrityPolicy?objectUpdates the integrity policy baseline using the measurements from the VM instance's most recent boot.
sourceMachineImage?stringSource machine image
sourceMachineImageEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
tags?objectSpecifies a fingerprint for this request, which is essentially a hash of the tags' contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update tags. You must always provide an up-to-date fingerprint hash in order to update or change tags. To see the latest fingerprint, make get() request to the instance.
workloadIdentityConfig?object
zone?stringOutput only. [Output Only] URL of the zone where the instance resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
sourceInstanceTemplate?stringSpecifies instance template to create the instance. This field is optional. It can be a full or partial URL. For example, the following are all valid URLs to an instance template: - https://www.googleapis.com/compute/v1/projects/project/global/instanceTemplates/instanceTemplate - projects/project/global/instanceTemplates/instanceTemplate - global/instanceTemplates/instanceTemplate
createCreate a instances
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a instances
ArgumentTypeDescription
identifierstringThe name of the instances
updateUpdate instances attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the instances
ArgumentTypeDescription
identifierstringThe name of the instances
syncSync instances state from GCP
add_access_configadd access config
ArgumentTypeDescription
externalIpv6?any
externalIpv6PrefixLength?any
kind?any
name?any
natIP?any
networkTier?any
publicPtrDomainName?any
securityPolicy?any
setPublicPtr?any
type?any
add_network_interfaceadd network interface
ArgumentTypeDescription
accessConfigs?any
aliasIpRanges?any
enableVpcScopedDns?any
fingerprint?any
igmpQuery?any
internalIpv6PrefixLength?any
ipv6AccessConfigs?any
ipv6AccessType?any
ipv6Address?any
kind?any
name?any
network?any
networkAttachment?any
networkIP?any
nicType?any
parentNicName?any
queueCount?any
stackType?any
subnetwork?any
vlan?any
add_resource_policiesadd resource policies
ArgumentTypeDescription
resourcePolicies?any
attach_diskattach disk
ArgumentTypeDescription
architecture?any
autoDelete?any
boot?any
deviceName?any
diskEncryptionKey?any
diskSizeGb?any
forceAttach?any
guestOsFeatures?any
index?any
initializeParams?any
interface?any
kind?any
licenses?any
mode?any
savedState?any
shieldedInstanceInitialState?any
source?any
type?any
bulk_insertbulk insert
ArgumentTypeDescription
count?any
instanceFlexibilityPolicy?any
instanceProperties?any
locationPolicy?any
minCount?any
namePattern?any
perInstanceProperties?any
sourceInstanceTemplate?any
detach_diskdetach disk
get_effective_firewallsget effective firewalls
get_guest_attributesget guest attributes
get_screenshotget screenshot
get_serial_port_outputget serial port output
get_shielded_instance_identityget shielded instance identity
list_referrerslist referrers
perform_maintenanceperform maintenance
report_host_as_faultyreport host as faulty
ArgumentTypeDescription
disruptionSchedule?any
faultReasons?any
resetreset
resumeresume
send_diagnostic_interruptsend diagnostic interrupt
set_deletion_protectionset deletion protection
set_disk_auto_deleteset disk auto delete
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
set_machine_resourcesset machine resources
ArgumentTypeDescription
guestAccelerators?any
set_machine_typeset machine type
ArgumentTypeDescription
machineType?any
set_metadataset metadata
ArgumentTypeDescription
fingerprint?any
items?any
kind?any
set_min_cpu_platformset min cpu platform
ArgumentTypeDescription
minCpuPlatform?any
set_nameset name
ArgumentTypeDescription
currentName?any
name?any
set_schedulingset scheduling
ArgumentTypeDescription
automaticRestart?any
availabilityDomain?any
hostErrorTimeoutSeconds?any
instanceTerminationAction?any
localSsdRecoveryTimeout?any
locationHint?any
maxRunDuration?any
minNodeCpus?any
nodeAffinities?any
onHostMaintenance?any
onInstanceStopAction?any
preemptible?any
provisioningModel?any
skipGuestOsShutdown?any
terminationTime?any
set_security_policyset security policy
ArgumentTypeDescription
networkInterfaces?any
securityPolicy?any
set_service_accountset service account
ArgumentTypeDescription
email?any
scopes?any
set_shielded_instance_integrity_policyset shielded instance integrity policy
ArgumentTypeDescription
updateAutoLearnPolicy?any
set_tagsset tags
ArgumentTypeDescription
fingerprint?any
items?any
simulate_maintenance_eventsimulate maintenance event
startstart
ArgumentTypeDescription
networkInterfaces?any
securityPolicy?any
start_with_encryption_keystart with encryption key
ArgumentTypeDescription
disks?any
stopstop
suspendsuspend
update_access_configupdate access config
ArgumentTypeDescription
externalIpv6?any
externalIpv6PrefixLength?any
kind?any
name?any
natIP?any
networkTier?any
publicPtrDomainName?any
securityPolicy?any
setPublicPtr?any
type?any
update_display_deviceupdate display device
ArgumentTypeDescription
enableDisplay?any
update_network_interfaceupdate network interface
ArgumentTypeDescription
accessConfigs?any
aliasIpRanges?any
enableVpcScopedDns?any
fingerprint?any
igmpQuery?any
internalIpv6PrefixLength?any
ipv6AccessConfigs?any
ipv6AccessType?any
ipv6Address?any
kind?any
name?any
network?any
networkAttachment?any
networkIP?any
nicType?any
parentNicName?any
queueCount?any
stackType?any
subnetwork?any
vlan?any
update_shielded_instance_configupdate shielded instance config
ArgumentTypeDescription
enableIntegrityMonitoring?any
enableSecureBoot?any
enableVtpm?any
nodegroups.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
autoscalingPolicy?objectThe maximum number of nodes that the group should have. Must be set if autoscaling is enabled. Maximum value allowed is 100.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?string
locationHint?stringAn opaque location hint used to place the Node close to other resources. This field is for use by internal tools that use the public API. The location hint here on the NodeGroup overrides any location_hint present in the NodeTemplate.
maintenanceInterval?enumSpecifies the frequency of planned maintenance events. The accepted values are: `AS_NEEDED` and `RECURRENT`.
maintenancePolicy?enumSpecifies how to handle instances when a node in the group undergoes maintenance. Set to one of: DEFAULT,RESTART_IN_PLACE, or MIGRATE_WITHIN_NODE_GROUP. The default value is DEFAULT. For more information, see Maintenance policies.
maintenanceWindow?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
name?stringThe name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
nodeTemplate?stringURL of the node template to create the node group from.
shareSettings?objectThe project ID, should be same as the key of this project config in the parent map.
status?enum
zone?stringOutput only. [Output Only] The name of the zone where the node group resides, such as us-central1-a.
initialNodeCountstringInitial count of nodes in the node group.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a nodeGroups
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a nodeGroups
ArgumentTypeDescription
identifierstringThe name of the nodeGroups
updateUpdate nodeGroups attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the nodeGroups
ArgumentTypeDescription
identifierstringThe name of the nodeGroups
syncSync nodeGroups state from GCP
add_nodesadd nodes
ArgumentTypeDescription
additionalNodeCount?any
list_nodeslist nodes
perform_maintenanceperform maintenance
ArgumentTypeDescription
nodes?any
startTime?any
set_node_templateset node template
ArgumentTypeDescription
nodeTemplate?any
simulate_maintenance_eventsimulate maintenance event
ArgumentTypeDescription
nodes?any
regionurlmaps.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
defaultCustomErrorResponsePolicy?objectValid values include: - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value. - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599. - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499. Values must be unique within matchResponseCodes and across allerrorResponseRules ofCustomErrorResponsePolicy.
defaultRouteAction?objectIn response to a preflight request, setting this to true indicates that the actual request can include user credentials. This field translates to the Access-Control-Allow-Credentials header. Default is false.
defaultService?stringThe full or partial URL of the defaultService resource to which traffic is directed if none of the hostRules match. If defaultRouteAction is also specified, advanced routing actions, such as URL rewrites, take effect before sending the request to the backend. Only one of defaultUrlRedirect, defaultService or defaultRouteAction.weightedBackendService can be set. defaultService has no effect when the URL map is bound to a target gRPC proxy that has the validateForProxyless field set to true.
defaultUrlRedirect?objectThe host that is used in the redirect response instead of the one that was supplied in the request. The value must be from 1 to 255 characters.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field is ignored when inserting a UrlMap. An up-to-date fingerprint must be provided in order to update the UrlMap, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a UrlMap.
headerAction?objectThe name of the header.
hostRules?arrayAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
pathMatchers?arrayValid values include: - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value. - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599. - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499. Values must be unique within matchResponseCodes and across allerrorResponseRules ofCustomErrorResponsePolicy.
region?stringOutput only. [Output Only] URL of the region where the regional URL map resides. This field is not applicable to global URL maps. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
tests?arrayDescription of this test case.
requestId?stringbegin_interface: MixerMutationRequestBuilder Request ID to support idempotency.
createCreate a regionUrlMaps
getGet a regionUrlMaps
ArgumentTypeDescription
identifierstringThe name of the regionUrlMaps
updateUpdate regionUrlMaps attributes
deleteDelete the regionUrlMaps
ArgumentTypeDescription
identifierstringThe name of the regionUrlMaps
syncSync regionUrlMaps state from GCP
validatevalidate
ArgumentTypeDescription
resource?any
firewalls.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
allowed?arrayThe IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp,icmp, esp, ah, ipip,sctp) or the IP protocol number.
denied?arrayThe IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp,icmp, esp, ah, ipip,sctp) or the IP protocol number.
description?stringAn optional description of this resource. Provide this field when you create the resource.
destinationRanges?arrayIf destination ranges are specified, the firewall rule applies only to traffic that has destination IP address in these ranges. These ranges must be expressed inCIDR format. Both IPv4 and IPv6 are supported.
direction?enumDirection of traffic to which this firewall applies, either `INGRESS` or `EGRESS`. The default is `INGRESS`. For `EGRESS` traffic, you cannot specify the sourceTags fields.
disabled?booleanDenotes whether the firewall rule is disabled. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
logConfig?objectThis field denotes whether to enable logging for a particular firewall rule.
namestringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
network?stringURL of the network resource for this firewall rule. If not specified when creating a firewall rule, the default network is used: global/networks/default If you choose to specify this field, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/myproject/global/networks/my-network - projects/myproject/global/networks/my-network - global/networks/default
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid.
priority?numberPriority for this rule. This is an integer between `0` and `65535`, both inclusive. The default value is `1000`. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority. For example, a rule with priority `0` has higher precedence than a rule with priority `1`. DENY rules take precedence over ALLOW rules if they have equal priority. Note that VPC networks have implied rules with a priority of `65535`. To avoid conflicts with the implied rules, use a priority number less than `65535`.
sourceRanges?arrayIf source ranges are specified, the firewall rule applies only to traffic that has a source IP address in these ranges. These ranges must be expressed inCIDR format. One or both of sourceRanges and sourceTags may be set. If both fields are set, the rule applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in thesourceTags field. The connection does not need to match both fields for the rule to apply. Both IPv4 and IPv6 are supported.
sourceServiceAccounts?arrayIf source service accounts are specified, the firewall rules apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address.sourceRanges can be set at the same time assourceServiceAccounts. If both are set, the firewall applies to traffic that has a source IP address within the sourceRanges OR a source IP that belongs to an instance with service account listed insourceServiceAccount. The connection does not need to match both fields for the firewall to apply.sourceServiceAccounts cannot be used at the same time assourceTags or targetTags.
sourceTags?arrayIf source tags are specified, the firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network. Source tags cannot be used to control traffic to an instance's external IP address, it only applies to traffic between instances in the same virtual network. Because tags are associated with instances, not IP addresses. One or both of sourceRanges and sourceTags may be set. If both fields are set, the firewall applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the firewall to apply.
targetServiceAccounts?arrayA list of service accounts indicating sets of instances located in the network that may make network connections as specified inallowed[].targetServiceAccounts cannot be used at the same time astargetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
targetTags?arrayA list of tags that controls which instances the firewall rule applies to. If targetTags are specified, then the firewall rule applies only to instances in the VPC network that have one of those tags. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a firewalls
getGet a firewalls
ArgumentTypeDescription
identifierstringThe name of the firewalls
updateUpdate firewalls attributes
deleteDelete the firewalls
ArgumentTypeDescription
identifierstringThe name of the firewalls
syncSync firewalls state from GCP
reservationslots.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
creationTimestamp?stringOutput only. [Output Only] The creation timestamp, formatted asRFC3339 text.
id?stringOutput only. [Output Only] The unique identifier for this resource. This identifier is defined by the server.
kind?stringOutput only. [Output Only] The type of resource. Alwayscompute#reservationSlot for reservation slots.
name?stringOutput only. [Output Only] The name of the reservation slot.
physicalTopology?objectThe unique identifier of the capacity block within the cluster.
selfLink?stringOutput only. [Output Only] A server-defined fully-qualified URL for this resource.
selfLinkWithId?stringOutput only. [Output Only] A server-defined URL for this resource with the resource ID.
shareSettings?objectThe project ID, should be same as the key of this project config in the parent map.
state?enumOutput only. [Output Only] The state of the reservation slot.
status?objectThe unique identifier of the capacity block within the cluster.
zone?stringOutput only. [Output Only] The zone in which the reservation slot resides.
getGet a reservationSlots
ArgumentTypeDescription
identifierstringThe name of the reservationSlots
updateUpdate reservationSlots attributes
syncSync reservationSlots state from GCP
get_versionget version
ArgumentTypeDescription
sbomSelections?any
globalpublicdelegatedprefixes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
allocatablePrefixLength?numberThe allocatable prefix length supported by this public delegated prefix. This field is optional and cannot be set for prefixes in DELEGATION mode. It cannot be set for IPv4 prefixes either, and it always defaults to 32.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a new PublicDelegatedPrefix. An up-to-date fingerprint must be provided in order to update thePublicDelegatedPrefix, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a PublicDelegatedPrefix.
ipCidrRange?stringThe IP address range, in CIDR format, represented by this public delegated prefix.
isLiveMigration?booleanIf true, the prefix will be live migrated.
mode?enumThe public delegated prefix mode for IPv6 only.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
parentPrefix?stringThe URL of parent prefix. Either PublicAdvertisedPrefix or PublicDelegatedPrefix.
publicDelegatedSubPrefixs?arrayThe allocatable prefix length supported by this PublicDelegatedSubPrefix.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a globalPublicDelegatedPrefixes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a globalPublicDelegatedPrefixes
ArgumentTypeDescription
identifierstringThe name of the globalPublicDelegatedPrefixes
updateUpdate globalPublicDelegatedPrefixes attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the globalPublicDelegatedPrefixes
ArgumentTypeDescription
identifierstringThe name of the globalPublicDelegatedPrefixes
syncSync globalPublicDelegatedPrefixes state from GCP
regiondisks.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
accessMode?enumThe access mode of the disk. - READ_WRITE_SINGLE: The default AccessMode, means the disk can be attached to single instance in RW mode. - READ_WRITE_MANY: The AccessMode means the disk can be attached to multiple instances in RW mode. - READ_ONLY_MANY: The AccessMode means the disk can be attached to multiple instances in RO mode. The AccessMode is only valid for Hyperdisk disk types.
architecture?enumThe architecture of the disk. Valid values are ARM64 or X86_64.
asyncPrimaryDisk?objectOutput only. [Output Only] URL of the DiskConsistencyGroupPolicy if replication was started on the disk as a member of a group.
description?stringAn optional description of this resource. Provide this property when you create the resource.
diskEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
enableConfidentialCompute?booleanWhether this disk is using confidential compute mode.
guestOsFeatures?arrayThe ID of a supported feature. To add multiple values, use commas to separate values. Set to one or more of the following values: - VIRTIO_SCSI_MULTIQUEUE - WINDOWS - MULTI_IP_SUBNET - UEFI_COMPATIBLE - GVNIC - SEV_CAPABLE - SUSPEND_RESUME_COMPATIBLE - SEV_LIVE_MIGRATABLE_V2 - SEV_SNP_CAPABLE - TDX_CAPABLE - IDPF - SNP_SVSM_CAPABLE For more information, see Enabling guest operating system features.
labelFingerprint?stringA fingerprint for the labels being applied to this disk, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a disk.
labels?recordLabels to apply to this disk. These can be later modified by the setLabels method.
licenseCodes?arrayInteger license codes indicating which licenses are attached to this disk.
licenses?arrayA list of publicly visible licenses. Reserved for Google's use.
locationHint?stringAn opaque location hint used to place the disk close to other resources. This field is for use by internal tools that use the public API.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
options?stringInternal use only.
params?objectInput only. Resource manager tags to be bound to the disk. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/456` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
physicalBlockSizeBytes?stringPhysical block size of the persistent disk, in bytes. If not present in a request, a default value is used. The currently supported size is 4096, other sizes may be added in the future. If an unsupported value is requested, the error message will list the supported values for the caller's project.
provisionedIops?stringIndicates how many IOPS to provision for the disk. This sets the number of I/O operations per second that the disk can handle. Values must be between 10,000 and 120,000. For more details, see theExtreme persistent disk documentation.
provisionedThroughput?stringIndicates how much throughput to provision for the disk. This sets the number of throughput mb per second that the disk can handle. Values must be greater than or equal to 1.
region?stringOutput only. [Output Only] URL of the region where the disk resides. Only applicable for regional resources. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
replicaZones?arrayURLs of the zones where the disk should be replicated to. Only applicable for regional resources.
resourcePolicies?arrayResource policies applied to this disk for automatic snapshot creations.
resourceStatus?objectKey: disk, value: AsyncReplicationStatus message
sizeGb?stringSize, in GB, of the persistent disk. You can specify this field when creating a persistent disk using thesourceImage, sourceSnapshot, orsourceDisk parameter, or specify it alone to create an empty persistent disk. If you specify this field along with a source, the value ofsizeGb must not be less than the size of the source. Acceptable values are greater than 0.
sourceDisk?stringThe source disk used to create this disk. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/disks/disk - https://www.googleapis.com/compute/v1/projects/project/regions/region/disks/disk - projects/project/zones/zone/disks/disk - projects/project/regions/region/disks/disk - zones/zone/disks/disk - regions/region/disks/disk
sourceImage?stringThe source image used to create this disk. If the source image is deleted, this field will not be set. To create a disk with one of the public operating system images, specify the image by its family name. For example, specifyfamily/debian-9 to use the latest Debian 9 image: projects/debian-cloud/global/images/family/debian-9 Alternatively, use a specific version of a public operating system image: projects/debian-cloud/global/images/debian-9-stretch-vYYYYMMDD To create a disk with a custom image that you created, specify the image name in the following format: global/images/my-custom-image You can also specify a custom image by its image family, which returns the latest version of the image in that family. Replace the image name with family/family-name: global/images/family/my-image-family
sourceImageEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceInstantSnapshot?stringThe source instant snapshot used to create this disk. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/instantSnapshots/instantSnapshot - projects/project/zones/zone/instantSnapshots/instantSnapshot - zones/zone/instantSnapshots/instantSnapshot
sourceSnapshot?stringThe source snapshot used to create this disk. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/global/snapshots/snapshot - projects/project/global/snapshots/snapshot - global/snapshots/snapshot
sourceSnapshotEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceStorageObject?stringThe full Google Cloud Storage URI where the disk image is stored. This file must be a gzip-compressed tarball whose name ends in.tar.gz or virtual machine disk whose name ends in vmdk. Valid URIs may start with gs:// or https://storage.googleapis.com/. This flag is not optimized for creating multiple disks from a source storage object. To create many disks from a source storage object, use gcloud compute images import instead.
storagePool?stringThe storage pool in which the new disk is created. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/storagePools/storagePool - projects/project/zones/zone/storagePools/storagePool - zones/zone/storagePools/storagePool
type?stringURL of the disk type resource describing which disk type to use to create the disk. Provide this when creating the disk. For example:projects/project/zones/zone/diskTypes/pd-ssd. See Persistent disk types.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionDisks
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a regionDisks
ArgumentTypeDescription
identifierstringThe name of the regionDisks
updateUpdate regionDisks attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the regionDisks
ArgumentTypeDescription
identifierstringThe name of the regionDisks
syncSync regionDisks state from GCP
add_resource_policiesadd resource policies
ArgumentTypeDescription
resourcePolicies?any
bulk_insertbulk insert
ArgumentTypeDescription
sourceConsistencyGroupPolicy?any
create_snapshotcreate snapshot
ArgumentTypeDescription
architecture?any
autoCreated?any
chainName?any
creationSizeBytes?any
creationTimestamp?any
description?any
diskSizeGb?any
downloadBytes?any
enableConfidentialCompute?any
guestFlush?any
guestOsFeatures?any
id?any
kind?any
labelFingerprint?any
labels?any
licenseCodes?any
licenses?any
locationHint?any
name?any
params?any
satisfiesPzi?any
satisfiesPzs?any
selfLink?any
snapshotEncryptionKey?any
snapshotType?any
sourceDisk?any
sourceDiskEncryptionKey?any
sourceDiskForRecoveryCheckpoint?any
sourceDiskId?any
sourceInstantSnapshot?any
sourceInstantSnapshotEncryptionKey?any
sourceInstantSnapshotId?any
sourceSnapshotSchedulePolicy?any
sourceSnapshotSchedulePolicyId?any
status?any
storageBytes?any
storageBytesStatus?any
storageLocations?any
resizeresize
ArgumentTypeDescription
sizeGb?any
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
start_async_replicationstart async replication
ArgumentTypeDescription
asyncSecondaryDisk?any
stop_async_replicationstop async replication
stop_group_async_replicationstop group async replication
ArgumentTypeDescription
resourcePolicy?any
images.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
architecture?enumThe architecture of the image. Valid values are ARM64 or X86_64.
archiveSizeBytes?stringSize of the image tar.gz archive stored in Google Cloud Storage (in bytes).
deprecated?objectAn optional RFC3339 timestamp on or after which the state of this resource is intended to change to DELETED. This is only informational and the status will not change unless the client explicitly changes it.
description?stringAn optional description of this resource. Provide this property when you create the resource.
diskSizeGb?stringSize of the image when restored onto a persistent disk (in GB).
family?stringThe name of the image family to which this image belongs. The image family name can be from a publicly managed image family provided by Compute Engine, or from a custom image family you create. For example,centos-stream-9 is a publicly available image family. For more information, see Image family best practices. When creating disks, you can specify an image family instead of a specific image name. The image family always returns its latest image that is not deprecated. The name of the image family must comply with RFC1035.
guestOsFeatures?arrayThe ID of a supported feature. To add multiple values, use commas to separate values. Set to one or more of the following values: - VIRTIO_SCSI_MULTIQUEUE - WINDOWS - MULTI_IP_SUBNET - UEFI_COMPATIBLE - GVNIC - SEV_CAPABLE - SUSPEND_RESUME_COMPATIBLE - SEV_LIVE_MIGRATABLE_V2 - SEV_SNP_CAPABLE - TDX_CAPABLE - IDPF - SNP_SVSM_CAPABLE For more information, see Enabling guest operating system features.
imageEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
labelFingerprint?stringA fingerprint for the labels being applied to this image, which is essentially a hash of the labels used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an image.
labels?recordLabels to apply to this image. These can be later modified by the setLabels method.
licenseCodes?arrayInteger license codes indicating which licenses are attached to this image.
licenses?arrayAny applicable license URI.
namestringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectInput only. Resource manager tags to be bound to the image. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/456` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
rawDisk?objectThe format used to encode and transmit the block device, which should beTAR. This is just a container and transmission format and not a runtime format. Provided by the client when the disk image is created.
shieldedInstanceInitialState?objectThe raw content in the secure keys file.
sourceDisk?stringURL of the source disk used to create this image. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/disks/disk - projects/project/zones/zone/disks/disk - zones/zone/disks/disk In order to create an image, you must provide the full or partial URL of one of the following: - The rawDisk.source URL - The sourceDisk URL - The sourceImage URL - The sourceSnapshot URL
sourceDiskEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceImage?stringURL of the source image used to create this image. The following are valid formats for the URL: - https://www.googleapis.com/compute/v1/projects/project_id/global/ images/image_name - projects/project_id/global/images/image_name In order to create an image, you must provide the full or partial URL of one of the following: - The rawDisk.source URL - The sourceDisk URL - The sourceImage URL - The sourceSnapshot URL
sourceImageEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceSnapshot?stringURL of the source snapshot used to create this image. The following are valid formats for the URL: - https://www.googleapis.com/compute/v1/projects/project_id/global/ snapshots/snapshot_name - projects/project_id/global/snapshots/snapshot_name In order to create an image, you must provide the full or partial URL of one of the following: - The rawDisk.source URL - The sourceDisk URL - The sourceImage URL - The sourceSnapshot URL
sourceSnapshotEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceType?enumThe type of the image used to create this disk. The default and only valid value is RAW.
storageLocations?arrayCloud Storage bucket storage location of the image (regional or multi-regional).
forceCreate?stringForce image creation if true.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a images
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a images
ArgumentTypeDescription
identifierstringThe name of the images
updateUpdate images attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the images
ArgumentTypeDescription
identifierstringThe name of the images
syncSync images state from GCP
deprecatedeprecate
ArgumentTypeDescription
deleted?any
deprecated?any
obsolete?any
replacement?any
state?any
get_from_familyget from family
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
storagepools.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
capacityProvisioningType?enumProvisioning type of the byte capacity of the pool.
description?stringAn optional description of this resource. Provide this property when you create the resource.
exapoolProvisionedCapacityGb?objectSize, in GiB, of provisioned capacity-optimized capacity for this Exapool
labelFingerprint?stringA fingerprint for the labels being applied to this storage pool, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a storage pool.
labels?recordLabels to apply to this storage pool. These can be later modified by the setLabels method.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectInput only. Resource manager tags to be bound to the storage pool. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/456` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
performanceProvisioningType?enumProvisioning type of the performance-related parameters of the pool, such as throughput and IOPS.
poolProvisionedCapacityGbstringSize of the storage pool in GiB. For more information about the size limits, see https://cloud.google.com/compute/docs/disks/storage-pools.
poolProvisionedIops?stringProvisioned IOPS of the storage pool. Only relevant if the storage pool type is hyperdisk-balanced.
poolProvisionedThroughput?stringProvisioned throughput of the storage pool in MiB/s. Only relevant if the storage pool type is hyperdisk-balanced or hyperdisk-throughput.
storagePoolType?stringType of the storage pool.
zone?stringOutput only. [Output Only] URL of the zone where the storage pool resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a storagePools
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a storagePools
ArgumentTypeDescription
identifierstringThe name of the storagePools
updateUpdate storagePools attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the storagePools
ArgumentTypeDescription
identifierstringThe name of the storagePools
syncSync storagePools state from GCP
list_diskslist disks
regionsslpolicies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
customFeatures?arrayA list of features enabled when the selected profile is CUSTOM. The method returns the set of features that can be specified in this list. This field must be empty if the profile is notCUSTOM.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a SslPolicy. An up-to-date fingerprint must be provided in order to update the SslPolicy, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an SslPolicy.
minTlsVersion?enumThe minimum version of SSL protocol that can be used by the clients to establish a connection with the load balancer. This can be one ofTLS_1_0, TLS_1_1, TLS_1_2,TLS_1_3. When set to TLS_1_3, the profile field must be set to RESTRICTED.
name?stringName of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
profile?enumProfile specifies the set of SSL features that can be used by the load balancer when negotiating SSL with clients. This can be one ofCOMPATIBLE, MODERN, RESTRICTED,FIPS_202205, or CUSTOM. If usingCUSTOM, the set of SSL features to enable must be specified in the customFeatures field. If using FIPS_202205, the min_tls_version field must be set to TLS_1_2.
region?stringOutput only. [Output Only] URL of the region where the regional SSL policy resides. This field is not applicable to global SSL policies.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionSslPolicies
getGet a regionSslPolicies
ArgumentTypeDescription
identifierstringThe name of the regionSslPolicies
updateUpdate regionSslPolicies attributes
deleteDelete the regionSslPolicies
ArgumentTypeDescription
identifierstringThe name of the regionSslPolicies
syncSync regionSslPolicies state from GCP
list_available_featureslist available features
globaladdresses.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
address?stringThe static IP address represented by this resource.
addressType?enumThe type of address to reserve, either INTERNAL orEXTERNAL. If unspecified, defaults to EXTERNAL.
description?stringAn optional description of this resource. Provide this field when you create the resource.
ipCollection?stringReference to the source of external IPv4 addresses, like a PublicDelegatedPrefix (PDP) for BYOIP. The PDP must support enhanced IPv4 allocations. Use one of the following formats to specify a PDP when reserving an external IPv4 address using BYOIP. - Full resource URL, as inhttps://www.googleapis.com/compute/v1/projects/projectId/regions/region/publicDelegatedPrefixes/pdp-name - Partial URL, as in - projects/projectId/regions/region/publicDelegatedPrefixes/pdp-name - regions/region/publicDelegatedPrefixes/pdp-name
ipVersion?enumThe IP version that will be used by this address. Valid options areIPV4 or IPV6.
ipv6EndpointType?enumThe endpoint type of this address, which should be VM or NETLB. This is used for deciding which type of endpoint this address can be used after the external IPv6 address reservation.
labelFingerprint?stringA fingerprint for the labels being applied to this Address, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an Address.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
network?stringThe URL of the network in which to reserve the address. This field can only be used with INTERNAL type with theVPC_PEERING purpose.
networkTier?enumThis signifies the networking tier used for configuring this address and can only take the following values: PREMIUM orSTANDARD. Internal IP addresses are always Premium Tier; global external IP addresses are always Premium Tier; regional external IP addresses can be either Standard or Premium Tier. If this field is not specified, it is assumed to be PREMIUM.
prefixLength?numberThe prefix length if the resource represents an IP range.
purpose?enumThe purpose of this resource, which can be one of the following values: - GCE_ENDPOINT for addresses that are used by VM instances, alias IP ranges, load balancers, and similar resources. - DNS_RESOLVER for a DNS resolver address in a subnetwork for a Cloud DNS inbound forwarder IP addresses (regional internal IP address in a subnet of a VPC network) - VPC_PEERING for global internal IP addresses used for private services access allocated ranges. - NAT_AUTO for the regional external IP addresses used by Cloud NAT when allocating addresses using automatic NAT IP address allocation. - IPSEC_INTERCONNECT for addresses created from a private IP range that are reserved for a VLAN attachment in an *HA VPN over Cloud Interconnect* configuration. These addresses are regional resources. - `SHARED_LOADBALANCER_VIP` for an internal IP address that is assigned to multiple internal forwarding rules. - `PRIVATE_SERVICE_CONNECT` for a private network address that is used to configure Private Service Connect. Only global internal addresses can use this purpose.
subnetwork?stringThe URL of the subnetwork in which to reserve the address. If an IP address is specified, it must be within the subnetwork's IP range. This field can only be used with INTERNAL type with aGCE_ENDPOINT or DNS_RESOLVER purpose.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a globalAddresses
getGet a globalAddresses
ArgumentTypeDescription
identifierstringThe name of the globalAddresses
deleteDelete the globalAddresses
ArgumentTypeDescription
identifierstringThe name of the globalAddresses
syncSync globalAddresses state from GCP
movemove
ArgumentTypeDescription
description?any
destinationAddress?any
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
snapshots.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
chainName?stringCreates the new snapshot in the snapshot chain labeled with the specified name. The chain name must be 1-63 characters long and comply with RFC1035. This is an uncommon option only for advanced service owners who needs to create separate snapshot chains, for example, for chargeback tracking. When you describe your snapshot resource, this field is visible only if it has a non-empty value.
description?stringAn optional description of this resource. Provide this property when you create the resource.
guestFlush?boolean[Input Only] Whether to attempt an application consistent snapshot by informing the OS to prepare for the snapshot process.
labelFingerprint?stringA fingerprint for the labels being applied to this snapshot, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a snapshot.
labels?recordLabels to apply to this snapshot. These can be later modified by the setLabels method. Label values may be empty.
locationHint?stringAn opaque location hint used to place the snapshot close to other resources. This field is for use by internal tools that use the public API.
namestringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectInput only. Resource manager tags to be bound to the snapshot. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/456` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
snapshotEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
snapshotType?enumIndicates the type of the snapshot.
sourceDisk?stringThe source disk used to create this snapshot.
sourceDiskEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceDiskForRecoveryCheckpoint?stringThe source disk whose recovery checkpoint will be used to create this snapshot.
sourceInstantSnapshot?stringThe source instant snapshot used to create this snapshot. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/instantSnapshots/instantSnapshot - projects/project/zones/zone/instantSnapshots/instantSnapshot - zones/zone/instantSnapshots/instantSnapshot
sourceInstantSnapshotEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
storageLocations?arrayCloud Storage bucket storage location of the snapshot (regional or multi-regional).
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a snapshots
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a snapshots
ArgumentTypeDescription
identifierstringThe name of the snapshots
deleteDelete the snapshots
ArgumentTypeDescription
identifierstringThe name of the snapshots
syncSync snapshots state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
targetinstances.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
instance?stringA URL to the virtual machine instance that handles traffic for this target instance. When creating a target instance, you can provide the fully-qualified URL or a valid partial URL to the desired virtual machine. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/instances/instance - projects/project/zones/zone/instances/instance - zones/zone/instances/instance
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
natPolicy?enumMust have a value of NO_NAT. Protocol forwarding delivers packets while preserving the destination IP address of the forwarding rule referencing the target instance.
network?stringThe URL of the network this target instance uses to forward traffic. If not specified, the traffic will be forwarded to the network that the default network interface belongs to.
zone?stringOutput only. [Output Only] URL of the zone where the target instance resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a targetInstances
getGet a targetInstances
ArgumentTypeDescription
identifierstringThe name of the targetInstances
deleteDelete the targetInstances
ArgumentTypeDescription
identifierstringThe name of the targetInstances
syncSync targetInstances state from GCP
set_security_policyset security policy
ArgumentTypeDescription
securityPolicy?any
interconnectgroups.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
intent?objectThe user's intent for this group. This is the only required field besides the name that must be specified on group creation.
interconnects?recordThe URL of an Interconnect in this group. All Interconnects in the group are unique.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). end_interface: MixerMutationRequestBuilder
createCreate a interconnectGroups
getGet a interconnectGroups
ArgumentTypeDescription
identifierstringThe name of the interconnectGroups
updateUpdate interconnectGroups attributes
deleteDelete the interconnectGroups
ArgumentTypeDescription
identifierstringThe name of the interconnectGroups
syncSync interconnectGroups state from GCP
create_memberscreate members
ArgumentTypeDescription
request?any
get_operational_statusget operational status
healthchecks.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
checkIntervalSec?numberHow often (in seconds) to send a health check. The default value is 5 seconds.
description?stringAn optional description of this resource. Provide this property when you create the resource.
grpcHealthCheck?objectThe gRPC service name for the health check. This field is optional. The value of grpc_service_name has the following meanings by convention: - Empty service_name means the overall status of all services at the backend. - Non-empty service_name means the health of that gRPC service, as defined by the owner of the service. The grpc_service_name can only be ASCII.
grpcTlsHealthCheck?objectThe gRPC service name for the health check. This field is optional. The value of grpc_service_name has the following meanings by convention: - Empty service_name means the overall status of all services at the backend. - Non-empty service_name means the health of that gRPC service, as defined by the owner of the service. The grpc_service_name can only be ASCII.
healthyThreshold?numberA so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2.
http2HealthCheck?objectThe value of the host header in the HTTP/2 health check request. If left empty (default value), the host header is set to the destination IP address to which health check packets are sent. The destination IP address depends on the type of load balancer. For details, see: https://cloud.google.com/load-balancing/docs/health-check-concepts#hc-packet-dest
httpHealthCheck?objectThe value of the host header in the HTTP health check request. If left empty (default value), the host header is set to the destination IP address to which health check packets are sent. The destination IP address depends on the type of load balancer. For details, see: https://cloud.google.com/load-balancing/docs/health-check-concepts#hc-packet-dest
httpsHealthCheck?objectThe value of the host header in the HTTPS health check request. If left empty (default value), the host header is set to the destination IP address to which health check packets are sent. The destination IP address depends on the type of load balancer. For details, see: https://cloud.google.com/load-balancing/docs/health-check-concepts#hc-packet-dest
logConfig?objectIndicates whether or not to export logs. This is false by default, which means no health check logging will be done.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. For example, a name that is 1-63 characters long, matches the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, and otherwise complies with RFC1035. This regular expression describes a name where the first character is a lowercase letter, and all following characters are a dash, lowercase letter, or digit, except the last character, which isn't a dash.
sourceRegions?arrayThe list of cloud regions from which health checks are performed. If any regions are specified, then exactly 3 regions should be specified. The region names must be valid names of Google Cloud regions. This can only be set for global health check. If this list is non-empty, then there are restrictions on what other health check fields are supported and what other resources can use this health check: - SSL, HTTP2, and GRPC protocols are not supported. - The TCP request field is not supported. - The proxyHeader field for HTTP, HTTPS, and TCP is not supported. - The checkIntervalSec field must be at least 30. - The health check cannot be used with BackendService nor with managed instance group auto-healing.
sslHealthCheck?objectThe TCP port number to which the health check prober sends packets. The default value is 443. Valid values are 1 through65535.
tcpHealthCheck?objectThe TCP port number to which the health check prober sends packets. The default value is 80. Valid values are 1 through65535.
timeoutSec?numberHow long (in seconds) to wait before claiming failure. The default value is 5 seconds. It is invalid for timeoutSec to have greater value than checkIntervalSec.
type?enumSpecifies the type of the healthCheck, either TCP,SSL, HTTP, HTTPS,HTTP2 or GRPC. Exactly one of the protocol-specific health check fields must be specified, which must matchtype field.
unhealthyThreshold?numberA so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a healthChecks
getGet a healthChecks
ArgumentTypeDescription
identifierstringThe name of the healthChecks
updateUpdate healthChecks attributes
deleteDelete the healthChecks
ArgumentTypeDescription
identifierstringThe name of the healthChecks
syncSync healthChecks state from GCP
machinetypes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a machineTypes
ArgumentTypeDescription
identifierstringThe name of the machineTypes
syncSync machineTypes state from GCP
interconnectattachments.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
adminEnabled?booleanDetermines whether this Attachment will carry packets. Not present for PARTNER_PROVIDER.
candidateCloudRouterIpAddress?stringSingle IPv4 address + prefix length to be configured on the cloud router interface for this interconnect attachment. - Both candidate_cloud_router_ip_address and candidate_customer_router_ip_address fields must be set or both must be unset. - Prefix length of both candidate_cloud_router_ip_address and candidate_customer_router_ip_address must be the same. - Max prefix length is 31.
candidateCloudRouterIpv6Address?stringSingle IPv6 address + prefix length to be configured on the cloud router interface for this interconnect attachment. - Both candidate_cloud_router_ipv6_address and candidate_customer_router_ipv6_address fields must be set or both must be unset. - Prefix length of both candidate_cloud_router_ipv6_address and candidate_customer_router_ipv6_address must be the same. - Max prefix length is 126.
candidateCustomerRouterIpAddress?stringSingle IPv4 address + prefix length to be configured on the customer router interface for this interconnect attachment.
candidateCustomerRouterIpv6Address?stringSingle IPv6 address + prefix length to be configured on the customer router interface for this interconnect attachment.
candidateIpv6Subnets?arrayThis field is not available.
candidateSubnets?arrayInput only. Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). Google will attempt to select an unused /29 from the supplied candidate prefix(es). The request will fail if all possible /29s are in use on Google's edge. If not supplied, Google will randomly select an unused /29 from all of link-local space.
cloudRouterIpv6InterfaceId?stringThis field is not available.
configurationConstraints?objectOutput only. [Output Only] Whether the attachment's BGP session requires/allows/disallows BGP MD5 authentication. This can take one of the following values: MD5_OPTIONAL, MD5_REQUIRED, MD5_UNSUPPORTED. For example, a Cross-Cloud Interconnect connection to a remote cloud provider that requires BGP MD5 authentication has the interconnectRemoteLocation attachment_configuration_constraints.bgp_md5 field set to MD5_REQUIRED, and that property is propagated to the attachment. Similarly, if BGP MD5 is MD5_UNSUPPORTED, an error is returned if MD5 is requested.
customerRouterIpv6InterfaceId?stringThis field is not available.
description?stringAn optional description of this resource.
edgeAvailabilityDomain?enumInput only. Desired availability domain for the attachment. Only available for type PARTNER, at creation time, and can take one of the following values: - AVAILABILITY_DOMAIN_ANY - AVAILABILITY_DOMAIN_1 - AVAILABILITY_DOMAIN_2 For improved reliability, customers should configure a pair of attachments, one per availability domain. The selected availability domain will be provided to the Partner via the pairing key, so that the provisioned circuit will lie in the specified domain. If not specified, the value will default to AVAILABILITY_DOMAIN_ANY.
encryption?enumIndicates the user-supplied encryption option of this VLAN attachment (interconnectAttachment). Can only be specified at attachment creation for PARTNER or DEDICATED attachments. Possible values are: - NONE - This is the default value, which means that the VLAN attachment carries unencrypted traffic. VMs are able to send traffic to, or receive traffic from, such a VLAN attachment. - IPSEC - The VLAN attachment carries only encrypted traffic that is encrypted by an IPsec device, such as an HA VPN gateway or third-party IPsec VPN. VMs cannot directly send traffic to, or receive traffic from, such a VLAN attachment. To use *HA VPN over Cloud Interconnect*, the VLAN attachment must be created with this option.
interconnect?stringURL of the underlying Interconnect object that this attachment's traffic will traverse through.
ipsecInternalAddresses?arrayA list of URLs of addresses that have been reserved for the VLAN attachment. Used only for the VLAN attachment that has the encryption option as IPSEC. The addresses must be regional internal IP address ranges. When creating an HA VPN gateway over the VLAN attachment, if the attachment is configured to use a regional internal IP address, then the VPN gateway's IP address is allocated from the IP address range specified here. For example, if the HA VPN gateway's interface 0 is paired to this VLAN attachment, then a regional internal IP address for the VPN gateway interface 0 will be allocated from the IP address specified for this VLAN attachment. If this field is not specified when creating the VLAN attachment, then later on when creating an HA VPN gateway on this VLAN attachment, the HA VPN gateway's IP address is allocated from the regional external IP address pool.
l2Forwarding?objectOptional. A single IPv4 or IPv6 address used as the destination IP address for ingress packets that match on a VLAN tag, but do not match a more specific inner VLAN tag. Unset field (null-value) indicates both VLAN tags are required to be mapped. Otherwise, defaultApplianceIpAddress is used.
labelFingerprint?stringA fingerprint for the labels being applied to this InterconnectAttachment, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an InterconnectAttachment.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
mtu?numberMaximum Transmission Unit (MTU), in bytes, of packets passing through this interconnect attachment. Valid values are 1440, 1460, 1500, and 8896. If not specified, the value will default to 1440.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid. * Inconsistent format is not supported. For instance: {"tagKeys/333": "tagValues/444", "123/env": "prod"} is invalid.
partnerMetadata?objectPlain text name of the Interconnect this attachment is connected to, as displayed in the Partner\'s portal. For instance "Chicago 1". This value may be validated to match approved Partner values.
privateInterconnectInfo?object[Output Only] 802.1q encapsulation tag to be used for traffic between Google and the customer, going to and from this network and region.
region?stringOutput only. [Output Only] URL of the region where the regional interconnect attachment resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
router?stringURL of the Cloud Router to be used for dynamic routing. This router must be in the same region as this InterconnectAttachment. The InterconnectAttachment will automatically connect the Interconnect to the network & region within which the Cloud Router is configured.
stackType?enumThe stack type for this interconnect attachment to identify whether the IPv6 feature is enabled or not. If not specified, IPV4_ONLY will be used. This field can be both set at interconnect attachments creation and update interconnect attachment operations.
subnetLength?numberInput only. Length of the IPv4 subnet mask. Allowed values: - 29 (default) - 30 The default value is 29, except for Cross-Cloud Interconnect connections that use an InterconnectRemoteLocation with a constraints.subnetLengthRange.min equal to 30. For example, connections that use an Azure remote location fall into this category. In these cases, the default value is 30, and requesting 29 returns an error. Where both 29 and 30 are allowed, 29 is preferred, because it gives Google Cloud Support more debugging visibility.
type?enumThe type of interconnect attachment this is, which can take one of the following values: - DEDICATED: an attachment to a Dedicated Interconnect. - PARTNER: an attachment to a Partner Interconnect, created by the customer. - PARTNER_PROVIDER: an attachment to a Partner Interconnect, created by the partner. - L2_DEDICATED: a L2 attachment to a Dedicated Interconnect.
vlanTag8021q?numberThe IEEE 802.1Q VLAN tag for this attachment, in the range 2-4093. Only specified at creation time.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a interconnectAttachments
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a interconnectAttachments
ArgumentTypeDescription
identifierstringThe name of the interconnectAttachments
updateUpdate interconnectAttachments attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the interconnectAttachments
ArgumentTypeDescription
identifierstringThe name of the interconnectAttachments
syncSync interconnectAttachments state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
licensecodes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a licenseCodes
ArgumentTypeDescription
identifierstringThe name of the licenseCodes
syncSync licenseCodes state from GCP
subnetworks.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
allowSubnetCidrRoutesOverlap?booleanWhether this subnetwork's ranges can conflict with existing custom routes. Setting this to true allows this subnetwork's primary and secondary ranges to overlap with (and contain) custom routes that have already been configured on the corresponding network. For example if a static route has range 10.1.0.0/16, a subnet range 10.0.0.0/8 could only be created if allow_conflicting_routes=true. Overlapping is only allowed on subnetwork operations; routes whose ranges conflict with this subnetwork's ranges won't be allowed unless route.allow_conflicting_subnetworks is set to true. Typically packets destined to IPs within the subnetwork (which may contain private/sensitive data) are prevented from leaving the virtual network. Setting this field to true will disable this feature. The default value is false and applies to all existing subnetworks and automatically created subnetworks.
description?stringAn optional description of this resource. Provide this property when you create the resource. This field can be set only at resource creation time.
enableFlowLogs?booleanWhether to enable flow logging for this subnetwork. If this field is not explicitly set, it will not appear in get listings. If not set the default behavior is determined by the org policy, if there is no org policy specified, then it will default to disabled. This field isn't supported if the subnet purpose field is set toREGIONAL_MANAGED_PROXY. It is recommended to uselogConfig.enable field instead.
externalIpv6Prefix?stringThe external IPv6 address range that is owned by this subnetwork.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a Subnetwork. An up-to-date fingerprint must be provided in order to update the Subnetwork, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a Subnetwork.
internalIpv6Prefix?stringThe internal IPv6 address range that is owned by this subnetwork.
ipCidrRange?stringThe range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example,10.0.0.0/8 or 100.64.0.0/10. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. This field is set at resource creation time. The range can be any range listed in theValid ranges list. The range can be expanded after creation usingexpandIpCidrRange.
ipCollection?stringReference to the source of IP, like a PublicDelegatedPrefix (PDP) for BYOIP. The PDP must be a sub-PDP in EXTERNAL_IPV6_SUBNETWORK_CREATION or INTERNAL_IPV6_SUBNETWORK_CREATION mode. Use one of the following formats to specify a sub-PDP when creating a dual stack or IPv6-only subnetwork with external access using BYOIP: - Full resource URL, as inhttps://www.googleapis.com/compute/v1/projects/projectId/regions/region/publicDelegatedPrefixes/sub-pdp-name - Partial URL, as in - projects/projectId/regions/region/publicDelegatedPrefixes/sub-pdp-name - regions/region/publicDelegatedPrefixes/sub-pdp-name
ipv6AccessType?enumThe access type of IPv6 address this subnet holds. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4_IPV6 dual stack.
logConfig?objectCan only be specified if VPC flow logging for this subnetwork is enabled. Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Default is an interval of 5 seconds per connection.
name?stringThe name of the resource, provided by the client when initially creating the resource. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
network?stringThe URL of the network to which this subnetwork belongs, provided by the client when initially creating the subnetwork. This field can be set only at resource creation time.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid.
privateIpGoogleAccess?booleanWhether the VMs in this subnet can access Google services without assigned external IP addresses. This field can be both set at resource creation time and updated using setPrivateIpGoogleAccess.
privateIpv6GoogleAccess?enumThis field is for internal use. This field can be both set at resource creation time and updated usingpatch.
purpose?enum
region?stringURL of the region where the Subnetwork resides. This field can be set only at resource creation time.
reservedInternalRange?stringThe URL of the reserved internal range.
resolveSubnetMask?enumConfigures subnet mask resolution for this subnetwork.
role?enumThe role of subnetwork. Currently, this field is only used when purpose is set to GLOBAL_MANAGED_PROXY orREGIONAL_MANAGED_PROXY. The value can be set toACTIVE or BACKUP. An ACTIVE subnetwork is one that is currently being used for Envoy-based load balancers in a region. A BACKUP subnetwork is one that is ready to be promoted to ACTIVE or is currently draining. This field can be updated with a patch request.
secondaryIpRanges?arrayThe range of IP addresses belonging to this subnetwork secondary range. Provide this property when you create the subnetwork. Ranges must be unique and non-overlapping with all primary and secondary IP ranges within a network. Both IPv4 and IPv6 ranges are supported. For IPv4, the range can be any range listed in theValid ranges list. For IPv6: The range must have a /64 prefix length. The range must be omitted, for auto-allocation from Google-defined ULA IPv6 range. For BYOGUA internal IPv6 secondary range, the range may be specified along with the `ipCollection` field. If an `ipCollection` is specified, the requested ip_cidr_range must lie within the range of the PDP referenced by the `ipCollection` field for allocation. If `ipCollection` field is specified, but ip_cidr_range is not, the range is auto-allocated from the PDP referenced by the `ipCollection` field.
stackType?enumThe stack type for the subnet. If set to IPV4_ONLY, new VMs in the subnet are assigned IPv4 addresses only. If set toIPV4_IPV6, new VMs in the subnet can be assigned both IPv4 and IPv6 addresses. If not specified, IPV4_ONLY is used. This field can be both set at resource creation time and updated usingpatch.
utilizationDetails?objectThe IPV6 utilization of a single IP range.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a subnetworks
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a subnetworks
ArgumentTypeDescription
identifierstringThe name of the subnetworks
updateUpdate subnetworks attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the subnetworks
ArgumentTypeDescription
identifierstringThe name of the subnetworks
syncSync subnetworks state from GCP
expand_ip_cidr_rangeexpand ip cidr range
ArgumentTypeDescription
ipCidrRange?any
list_usablelist usable
set_private_ip_google_accessset private ip google access
ArgumentTypeDescription
privateIpGoogleAccess?any
vpngateways.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
gatewayIpVersion?enumThe IP family of the gateway IPs for the HA-VPN gateway interfaces. If not specified, IPV4 will be used.
labelFingerprint?stringA fingerprint for the labels being applied to this VpnGateway, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a VpnGateway.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
networkstringURL of the network to which this VPN gateway is attached. Provided by the client when the VPN gateway is created.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid. * Inconsistent format is not supported. For instance: {"tagKeys/333": "tagValues/444", "123/env": "prod"} is invalid.
region?stringOutput only. [Output Only] URL of the region where the VPN gateway resides.
stackType?enumThe stack type for this VPN gateway to identify the IP protocols that are enabled. Possible values are: IPV4_ONLY,IPV4_IPV6, IPV6_ONLY. If not specified,IPV4_ONLY is used if the gateway IP version isIPV4, or IPV4_IPV6 if the gateway IP version isIPV6.
vpnInterfaces?arrayOutput only. [Output Only] Numeric identifier for this VPN interface associated with the VPN gateway.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a vpnGateways
getGet a vpnGateways
ArgumentTypeDescription
identifierstringThe name of the vpnGateways
deleteDelete the vpnGateways
ArgumentTypeDescription
identifierstringThe name of the vpnGateways
syncSync vpnGateways state from GCP
get_statusget status
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
targethttpsproxies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
authorizationPolicy?stringOptional. A URL referring to a networksecurity.AuthorizationPolicy resource that describes how the proxy should authorize inbound traffic. If left blank, access will not be restricted by an authorization policy. Refer to the AuthorizationPolicy resource for additional details. authorizationPolicy only applies to a globalTargetHttpsProxy attached toglobalForwardingRules with theloadBalancingScheme set to INTERNAL_SELF_MANAGED. Note: This field currently has no impact.
certificateMap?stringURL of a certificate map that identifies a certificate map associated with the given target proxy. This field can only be set for Global external Application Load Balancer or Classic Application Load Balancer. For other products use Certificate Manager Certificates instead. If set, sslCertificates will be ignored. Accepted format is//certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificateMaps/{resourceName}.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a TargetHttpsProxy. An up-to-date fingerprint must be provided in order to patch the TargetHttpsProxy; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the TargetHttpsProxy.
httpKeepAliveTimeoutSec?numberSpecifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). If an HTTP keep-alive is not specified, a default value (610 seconds) will be used. For global external Application Load Balancers, the minimum allowed value is 5 seconds and the maximum allowed value is 1200 seconds. For classic Application Load Balancers, this option is not supported.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
proxyBind?booleanThis field only applies when the forwarding rule that references this target proxy has a loadBalancingScheme set toINTERNAL_SELF_MANAGED. When this field is set to true, Envoy proxies set up inbound traffic interception and bind to the IP address and port specified in the forwarding rule. This is generally useful when using Traffic Director to configure Envoy as a gateway or middle proxy (in other words, not a sidecar proxy). The Envoy proxy listens for inbound requests and handles requests when it receives them. The default is false.
quicOverride?enumSpecifies the QUIC override policy for this TargetHttpsProxy resource. This setting determines whether the load balancer attempts to negotiate QUIC with clients. You can specify NONE, ENABLE, orDISABLE. - When quic-override is set to NONE, Google manages whether QUIC is used. - When quic-override is set to ENABLE, the load balancer uses QUIC when possible. - When quic-override is set to DISABLE, the load balancer doesn't use QUIC. - If the quic-override flag is not specified,NONE is implied.
serverTlsPolicy?stringOptional. A URL referring to a networksecurity.ServerTlsPolicy resource that describes how the proxy should authenticate inbound traffic. serverTlsPolicy only applies to a globalTargetHttpsProxy attached toglobalForwardingRules with theloadBalancingScheme set to INTERNAL_SELF_MANAGED or EXTERNAL orEXTERNAL_MANAGED or INTERNAL_MANAGED. It also applies to a regional TargetHttpsProxy attached to regional forwardingRules with theloadBalancingScheme set to EXTERNAL_MANAGED orINTERNAL_MANAGED. For details whichServerTlsPolicy resources are accepted withINTERNAL_SELF_MANAGED and which with EXTERNAL,INTERNAL_MANAGED, EXTERNAL_MANAGEDloadBalancingScheme consult ServerTlsPolicy documentation. If left blank, communications are not encrypted.
sslCertificates?arrayURLs to SslCertificate resources that are used to authenticate connections between users and the load balancer. At least one SSL certificate must be specified. SslCertificates do not apply when the load balancing scheme is set to INTERNAL_SELF_MANAGED. The URLs should refer to a SSL Certificate resource or Certificate Manager Certificate resource. Mixing Classic Certificates and Certificate Manager Certificates is not allowed. Certificate Manager Certificates must include the certificatemanager API namespace. Using Certificate Manager Certificates in this field is not supported by Global external Application Load Balancer or Classic Application Load Balancer, use certificate_map instead. Currently, you may specify up to 15 Classic SSL Certificates or up to 100 Certificate Manager Certificates. Certificate Manager Certificates accepted formats are: - //certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificates/{resourceName}. - https://certificatemanager.googleapis.com/v1alpha1/projects/{project}/locations/{location}/certificates/{resourceName}.
sslPolicy?stringURL of SslPolicy resource that will be associated with the TargetHttpsProxy resource. If not set, the TargetHttpsProxy resource has no SSL policy configured.
tlsEarlyData?enumSpecifies whether TLS 1.3 0-RTT Data ("Early Data") should be accepted for this service. Early Data allows a TLS resumption handshake to include the initial application payload (a HTTP request) alongside the handshake, reducing the effective round trips to "zero". This applies to TLS 1.3 connections over TCP (HTTP/2) as well as over UDP (QUIC/h3). This can improve application performance, especially on networks where interruptions may be common, such as on mobile. Requests with Early Data will have the "Early-Data" HTTP header set on the request, with a value of "1", to allow the backend to determine whether Early Data was included. Note: TLS Early Data may allow requests to be replayed, as the data is sent to the backend before the handshake has fully completed. Applications that allow idempotent HTTP methods to make non-idempotent changes, such as a GET request updating a database, should not accept Early Data on those requests, and reject requests with the "Early-Data: 1" HTTP header by returning a HTTP 425 (Too Early) status code, in order to remain RFC compliant. The default value is DISABLED.
urlMap?stringA fully-qualified or valid partial URL to the UrlMap resource that defines the mapping from URL to the BackendService. For example, the following are all valid URLs for specifying a URL map: - https://www.googleapis.compute/v1/projects/project/global/urlMaps/url-map - projects/project/global/urlMaps/url-map - global/urlMaps/url-map
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a targetHttpsProxies
getGet a targetHttpsProxies
ArgumentTypeDescription
identifierstringThe name of the targetHttpsProxies
updateUpdate targetHttpsProxies attributes
deleteDelete the targetHttpsProxies
ArgumentTypeDescription
identifierstringThe name of the targetHttpsProxies
syncSync targetHttpsProxies state from GCP
set_certificate_mapset certificate map
ArgumentTypeDescription
certificateMap?any
set_quic_overrideset quic override
ArgumentTypeDescription
quicOverride?any
set_ssl_certificatesset ssl certificates
ArgumentTypeDescription
sslCertificates?any
set_ssl_policyset ssl policy
ArgumentTypeDescription
sslPolicy?any
set_url_mapset url map
ArgumentTypeDescription
urlMap?any
regiontargettcpproxies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
proxyBind?booleanThis field only applies when the forwarding rule that references this target proxy has a loadBalancingScheme set toINTERNAL_SELF_MANAGED. When this field is set to true, Envoy proxies set up inbound traffic interception and bind to the IP address and port specified in the forwarding rule. This is generally useful when using Traffic Director to configure Envoy as a gateway or middle proxy (in other words, not a sidecar proxy). The Envoy proxy listens for inbound requests and handles requests when it receives them. The default is false.
proxyHeader?enumSpecifies the type of proxy header to append before sending data to the backend, either NONE or PROXY_V1. The default is NONE.
region?stringOutput only. [Output Only] URL of the region where the regional TCP proxy resides. This field is not applicable to global TCP proxy.
service?stringURL to the BackendService resource.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionTargetTcpProxies
getGet a regionTargetTcpProxies
ArgumentTypeDescription
identifierstringThe name of the regionTargetTcpProxies
deleteDelete the regionTargetTcpProxies
ArgumentTypeDescription
identifierstringThe name of the regionTargetTcpProxies
syncSync regionTargetTcpProxies state from GCP
wiregroups.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
adminEnabled?booleanIndicates whether the wires in the wire group are enabled. When false, the wires in the wire group are disabled. When true and when there is simultaneously no wire-specific override of `adminEnabled` to false, a given wire is enabled. Defaults to true.
description?stringAn optional description of the wire group.
endpoints?recordRequired. An Interconnect connection. You can specify the connection as a partial or full URL. If the connection is in a different project from the cross-site network, use a format that specifies the project. See the following examples of partial and full URLs: global/interconnects/NAME projects/PROJECT_ID/global/interconnects/NAME - https://compute.googleapis.com/compute/projects/PROJECT_ID/global/interconnects/NAME
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
topology?objectOutput only. The InterconnectLocation.city (metropolitan area designator) that all interconnects are located in.
wireProperties?objectThe configuration of the bandwidth allocation, one of the following: - ALLOCATE_PER_WIRE: configures a separate unmetered bandwidth allocation (and associated charges) for each wire in the group. - SHARED_WITH_WIRE_GROUP: this is the default behavior, which configures one unmetered bandwidth allocation for the wire group. The unmetered bandwidth is divided equally across each wire in the group, but dynamic throttling reallocates unused unmetered bandwidth from unused or underused wires to other wires in the group.
crossSiteNetworkstringThe crossSiteNetwork for this resource
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). end_interface: MixerMutationRequestBuilder
createCreate a wireGroups
getGet a wireGroups
ArgumentTypeDescription
identifierstringThe name of the wireGroups
updateUpdate wireGroups attributes
deleteDelete the wireGroups
ArgumentTypeDescription
identifierstringThe name of the wireGroups
syncSync wireGroups state from GCP
regionhealthsources.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a HealthSource. An up-to-date fingerprint must be provided in order to patch the HealthSource; Otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the HealthSource.
healthAggregationPolicy?stringURL to the HealthAggregationPolicy resource. Must be set. Must be regional and in the same region as the HealthSource. Can be mutated.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
region?stringOutput only. [Output Only] URL of the region where the health source resides. This field applies only to the regional resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
sourceType?enumSpecifies the type of the HealthSource. The only allowed value is BACKEND_SERVICE. Must be specified when theHealthSource is created, and cannot be mutated.
sources?arrayURLs to the source resources. Must be size 1. Must be aBackendService if the sourceType is BACKEND_SERVICE. TheBackendService must have load balancing schemeINTERNAL or INTERNAL_MANAGED and must be regional and in the same region as the HealthSource (cross-region deployment for INTERNAL_MANAGED is not supported). TheBackendService may use only IGs, MIGs, or NEGs of typeGCE_VM_IP or GCE_VM_IP_PORT. TheBackendService may not use haPolicy. Can be mutated.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionHealthSources
getGet a regionHealthSources
ArgumentTypeDescription
identifierstringThe name of the regionHealthSources
updateUpdate regionHealthSources attributes
deleteDelete the regionHealthSources
ArgumentTypeDescription
identifierstringThe name of the regionHealthSources
syncSync regionHealthSources state from GCP
regiontargethttpproxies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a TargetHttpProxy. An up-to-date fingerprint must be provided in order to patch/update the TargetHttpProxy; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the TargetHttpProxy.
httpKeepAliveTimeoutSec?numberSpecifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). If an HTTP keep-alive is not specified, a default value (610 seconds) will be used. For global external Application Load Balancers, the minimum allowed value is 5 seconds and the maximum allowed value is 1200 seconds. For classic Application Load Balancers, this option is not supported.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
proxyBind?booleanThis field only applies when the forwarding rule that references this target proxy has a loadBalancingScheme set toINTERNAL_SELF_MANAGED. When this field is set to true, Envoy proxies set up inbound traffic interception and bind to the IP address and port specified in the forwarding rule. This is generally useful when using Traffic Director to configure Envoy as a gateway or middle proxy (in other words, not a sidecar proxy). The Envoy proxy listens for inbound requests and handles requests when it receives them. The default is false.
region?stringOutput only. [Output Only] URL of the region where the regional Target HTTP Proxy resides. This field is not applicable to global Target HTTP Proxies.
urlMap?stringURL to the UrlMap resource that defines the mapping from URL to the BackendService.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionTargetHttpProxies
getGet a regionTargetHttpProxies
ArgumentTypeDescription
identifierstringThe name of the regionTargetHttpProxies
deleteDelete the regionTargetHttpProxies
ArgumentTypeDescription
identifierstringThe name of the regionTargetHttpProxies
syncSync regionTargetHttpProxies state from GCP
set_url_mapset url map
ArgumentTypeDescription
urlMap?any
targetpools.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
backupPool?stringThe server-defined URL for the resource. This field is applicable only when the containing target pool is serving a forwarding rule as the primary pool, and its failoverRatio field is properly set to a value between [0, 1].backupPool and failoverRatio together define the fallback behavior of the primary target pool: if the ratio of the healthy instances in the primary pool is at or belowfailoverRatio, traffic arriving at the load-balanced IP will be directed to the backup pool. In case where failoverRatio and backupPool are not set, or all the instances in the backup pool are unhealthy, the traffic will be directed back to the primary pool in the "force" mode, where traffic will be spread to the healthy instances with the best effort, or to all instances when no instance is healthy.
description?stringAn optional description of this resource. Provide this property when you create the resource.
failoverRatio?numberThis field is applicable only when the containing target pool is serving a forwarding rule as the primary pool (i.e., not as a backup pool to some other target pool). The value of the field must be in [0, 1]. If set, backupPool must also be set. They together define the fallback behavior of the primary target pool: if the ratio of the healthy instances in the primary pool is at or below this number, traffic arriving at the load-balanced IP will be directed to the backup pool. In case where failoverRatio is not set or all the instances in the backup pool are unhealthy, the traffic will be directed back to the primary pool in the "force" mode, where traffic will be spread to the healthy instances with the best effort, or to all instances when no instance is healthy.
healthChecks?arrayThe URL of the HttpHealthCheck resource. A member instance in this pool is considered healthy if and only if the health checks pass. Only legacy HttpHealthChecks are supported. Only one health check may be specified.
instances?arrayA list of resource URLs to the virtual machine instances serving this pool. They must live in zones contained in the same region as this pool.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
region?stringOutput only. [Output Only] URL of the region where the target pool resides.
sessionAffinity?enumSession affinity option, must be one of the following values: NONE: Connections from the same client IP may go to any instance in the pool. CLIENT_IP: Connections from the same client IP will go to the same instance in the pool while that instance remains healthy. CLIENT_IP_PROTO: Connections from the same client IP with the same IP protocol will go to the same instance in the pool while that instance remains healthy.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a targetPools
getGet a targetPools
ArgumentTypeDescription
identifierstringThe name of the targetPools
deleteDelete the targetPools
ArgumentTypeDescription
identifierstringThe name of the targetPools
syncSync targetPools state from GCP
add_health_checkadd health check
ArgumentTypeDescription
healthChecks?any
add_instanceadd instance
ArgumentTypeDescription
instances?any
get_healthget health
ArgumentTypeDescription
instance?any
set_backupset backup
ArgumentTypeDescription
target?any
set_security_policyset security policy
ArgumentTypeDescription
securityPolicy?any
reservationsubblocks.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a reservationSubBlocks
ArgumentTypeDescription
identifierstringThe name of the reservationSubBlocks
syncSync reservationSubBlocks state from GCP
get_versionget version
ArgumentTypeDescription
sbomSelections?any
perform_maintenanceperform maintenance
report_faultyreport faulty
ArgumentTypeDescription
disruptionSchedule?any
failureComponent?any
faultReasons?any
regioninstancegroups.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a regionInstanceGroups
ArgumentTypeDescription
identifierstringThe name of the regionInstanceGroups
syncSync regionInstanceGroups state from GCP
list_instanceslist instances
ArgumentTypeDescription
instanceState?any
portName?any
set_named_portsset named ports
ArgumentTypeDescription
fingerprint?any
namedPorts?any
networkattachments.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
connectionPreference?enum
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. An up-to-date fingerprint must be provided in order to patch.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
producerAcceptLists?arrayProjects that are allowed to connect to this network attachment. The project can be specified using its id or number.
producerRejectLists?arrayProjects that are not allowed to connect to this network attachment. The project can be specified using its id or number.
region?stringOutput only. [Output Only] URL of the region where the network attachment resides. This field applies only to the region resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
subnetworks?arrayAn array of URLs where each entry is the URL of a subnet provided by the service consumer to use for endpoints in the producers that connect to this network attachment.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). end_interface: MixerMutationRequestBuilder
createCreate a networkAttachments
getGet a networkAttachments
ArgumentTypeDescription
identifierstringThe name of the networkAttachments
updateUpdate networkAttachments attributes
deleteDelete the networkAttachments
ArgumentTypeDescription
identifierstringThe name of the networkAttachments
syncSync networkAttachments state from GCP
routes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this field when you create the resource.
destRangestringThe destination range of outgoing packets that this route applies to. Both IPv4 and IPv6 are supported. Must specify an IPv4 range (e.g. 192.0.2.0/24) or an IPv6 range in RFC 4291 format (e.g. 2001:db8::/32). IPv6 range will be displayed using RFC 5952 compressed format.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
networkstringFully-qualified URL of the network that this route applies to.
nextHopGateway?stringThe URL to a gateway that should handle matching packets. You can only specify the internet gateway using a full or partial valid URL: projects/project/global/gateways/default-internet-gateway
nextHopIlb?stringThe URL to a forwarding rule of typeloadBalancingScheme=INTERNAL that should handle matching packets or the IP address of the forwarding Rule. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/project/regions/region/forwardingRules/forwardingRule - regions/region/forwardingRules/forwardingRule If an IP address is provided, must specify an IPv4 address in dot-decimal notation or an IPv6 address in RFC 4291 format. For example, the following are all valid IP addresses: - 10.128.0.56 - 2001:db8::2d9:51:0:0 - 2001:db8:0:0:2d9:51:0:0 IPv6 addresses will be displayed using RFC 5952 compressed format (e.g. 2001:db8::2d9:51:0:0). Should never be an IPv4-mapped IPv6 address.
nextHopInstance?stringThe URL to an instance that should handle matching packets. You can specify this as a full or partial URL. For example: https://www.googleapis.com/compute/v1/projects/project/zones/zone/instances/
nextHopIp?stringThe network IP address of an instance that should handle matching packets. Both IPv6 address and IPv4 addresses are supported. Must specify an IPv4 address in dot-decimal notation (e.g. 192.0.2.99) or an IPv6 address in RFC 4291 format (e.g. 2001:db8::2d9:51:0:0 or 2001:db8:0:0:2d9:51:0:0). IPv6 addresses will be displayed using RFC 5952 compressed format (e.g. 2001:db8::2d9:51:0:0). Should never be an IPv4-mapped IPv6 address.
nextHopNetwork?stringThe URL of the local network if it should handle matching packets.
nextHopVpnTunnel?stringThe URL to a VpnTunnel that should handle matching packets.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid.
prioritynumberThe priority of this route. Priority is used to break ties in cases where there is more than one matching route of equal prefix length. In cases where multiple routes have equal prefix length, the one with the lowest-numbered priority value wins. The default value is `1000`. The priority value must be from `0` to `65535`, inclusive.
tags?arrayA list of instance tags to which this route applies.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a routes
getGet a routes
ArgumentTypeDescription
identifierstringThe name of the routes
deleteDelete the routes
ArgumentTypeDescription
identifierstringThe name of the routes
syncSync routes state from GCP
regionnetworkfirewallpolicies.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
associations?arrayThe target that the firewall policy is attached to.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringSpecifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
packetMirroringRules?arrayThe Action to perform when the client connection triggers the rule. Valid actions for firewall rules are: "allow", "deny", "apply_security_profile_group" and "goto_next". Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" and "goto_next".
policyType?enumThe type of the firewall policy. This field can be eitherVPC_POLICY or RDMA_ROCE_POLICY. Note: if not specified then VPC_POLICY will be used.
region?stringOutput only. [Output Only] URL of the region where the regional firewall policy resides. This field is not applicable to global firewall policies. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
rules?arrayThe Action to perform when the client connection triggers the rule. Valid actions for firewall rules are: "allow", "deny", "apply_security_profile_group" and "goto_next". Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" and "goto_next".
shortName?stringUser-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionNetworkFirewallPolicies
getGet a regionNetworkFirewallPolicies
ArgumentTypeDescription
identifierstringThe name of the regionNetworkFirewallPolicies
updateUpdate regionNetworkFirewallPolicies attributes
deleteDelete the regionNetworkFirewallPolicies
ArgumentTypeDescription
identifierstringThe name of the regionNetworkFirewallPolicies
syncSync regionNetworkFirewallPolicies state from GCP
add_associationadd association
ArgumentTypeDescription
attachmentTarget?any
displayName?any
firewallPolicyId?any
name?any
shortName?any
add_ruleadd rule
ArgumentTypeDescription
action?any
description?any
direction?any
disabled?any
enableLogging?any
kind?any
match?any
priority?any
ruleName?any
ruleTupleCount?any
securityProfileGroup?any
targetResources?any
targetSecureTags?any
targetServiceAccounts?any
tlsInspect?any
clone_rulesclone rules
get_associationget association
get_effective_firewallsget effective firewalls
get_ruleget rule
patch_rulepatch rule
ArgumentTypeDescription
action?any
description?any
direction?any
disabled?any
enableLogging?any
kind?any
match?any
priority?any
ruleName?any
ruleTupleCount?any
securityProfileGroup?any
targetResources?any
targetSecureTags?any
targetServiceAccounts?any
tlsInspect?any
licenses.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
allowedReplacementLicenses?arraySpecifies licenseCodes of licenses that can replace this license. Note: such replacements are allowed even if removable_from_disk is false.
appendableToDisk?booleanIf true, this license can be appended to an existing disk's set of licenses.
description?stringAn optional textual description of the resource; provided by the client when the resource is created.
incompatibleLicenses?arraySpecifies licenseCodes of licenses that are incompatible with this license. If a license is incompatible with this license, it cannot be attached to the same disk or image.
minimumRetention?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
multiTenantOnly?booleanIf true, this license can only be used on VMs on multi tenant nodes.
name?stringName of the resource. The name must be 1-63 characters long and comply withRFC1035.
osLicense?booleanIf true, indicates this is an OS license. Only one OS license can be attached to a disk or image at a time.
params?objectInput only. Resource manager tags to be bound to the license. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/456` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
removableFromDisk?booleanIf true, this license can be removed from a disk's set of licenses, with no replacement license needed.
requiredCoattachedLicenses?arraySpecifies the set of permissible coattached licenseCodes of licenses that satisfy the coattachment requirement of this license. At least one license from the set must be attached to the same disk or image as this license.
resourceRequirements?object[Input Only] Deprecated. This field no longer reflects the minimum number of guest cpus required to use the Instance.
soleTenantOnly?booleanIf true, this license can only be used on VMs on sole tenant nodes.
transferable?booleanIf false, licenses will not be copied from the source resource when creating an image from a disk, disk from snapshot, or snapshot from disk.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a licenses
getGet a licenses
ArgumentTypeDescription
identifierstringThe name of the licenses
updateUpdate licenses attributes
deleteDelete the licenses
ArgumentTypeDescription
identifierstringThe name of the licenses
syncSync licenses state from GCP
regionhealthcheckservices.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a HealthCheckService. An up-to-date fingerprint must be provided in order to patch/update the HealthCheckService; Otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the HealthCheckService.
healthChecks?arrayA list of URLs to the HealthCheck resources. Must have at least one HealthCheck, and not more than 10 for regionalHealthCheckService, and not more than 1 for globalHealthCheckService.HealthCheck resources must haveportSpecification=USE_SERVING_PORT orportSpecification=USE_FIXED_PORT. For regional HealthCheckService, theHealthCheck must be regional and in the same region. For global HealthCheckService,HealthCheck must be global. Mix of regional and globalHealthChecks is not supported. Multiple regionalHealthChecks must belong to the same region. RegionalHealthChecks must belong to the same region as zones ofNetworkEndpointGroups. For globalHealthCheckService using globalINTERNET_IP_PORT NetworkEndpointGroups, the global HealthChecks must specify sourceRegions, and HealthChecks that specify sourceRegions can only be used with global INTERNET_IP_PORTNetworkEndpointGroups.
healthStatusAggregationPolicy?enumOptional. Policy for how the results from multiple health checks for the same endpoint are aggregated. Defaults to NO_AGGREGATION if unspecified. - NO_AGGREGATION. An EndpointHealth message is returned for each pair in the health check service. - AND. If any health check of an endpoint reportsUNHEALTHY, then UNHEALTHY is theHealthState of the endpoint. If all health checks reportHEALTHY, the HealthState of the endpoint isHEALTHY.. This is only allowed with regional HealthCheckService.
name?stringName of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
networkEndpointGroups?arrayA list of URLs to the NetworkEndpointGroup resources. Must not have more than 100. For regionalHealthCheckService, NEGs must be in zones in the region of the HealthCheckService. For globalHealthCheckServices, the NetworkEndpointGroups must be global INTERNET_IP_PORT.
notificationEndpoints?arrayA list of URLs to the NotificationEndpoint resources. Must not have more than 10. A list of endpoints for receiving notifications of change in health status. For regionalHealthCheckService,NotificationEndpoint must be regional and in the same region. For global HealthCheckService,NotificationEndpoint must be global.
region?stringOutput only. [Output Only] URL of the region where the health check service resides. This field is not applicable to global health check services. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionHealthCheckServices
getGet a regionHealthCheckServices
ArgumentTypeDescription
identifierstringThe name of the regionHealthCheckServices
updateUpdate regionHealthCheckServices attributes
deleteDelete the regionHealthCheckServices
ArgumentTypeDescription
identifierstringThe name of the regionHealthCheckServices
syncSync regionHealthCheckServices state from GCP
backendservices.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
affinityCookieTtlSec?numberLifetime of cookies in seconds. This setting is applicable to Application Load Balancers and Traffic Director and requires GENERATED_COOKIE or HTTP_COOKIE session affinity. If set to 0, the cookie is non-persistent and lasts only until the end of the browser session (or equivalent). The maximum allowed value is two weeks (1,209,600). Not supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true.
backends?arraySpecifies how to determine whether the backend of a load balancer can handle additional traffic or is fully loaded. For usage guidelines, see Connection balancing mode. Backends must use compatible balancing modes. For more information, see Supported balancing modes and target capacity settings and Restrictions and guidance for instance groups. Note: Currently, if you use the API to configure incompatible balancing modes, the configuration might be accepted even though it has no impact and is ignored. Specifically, Backend.maxUtilization is ignored when Backend.balancingMode is RATE. In the future, this incompatible combination will be rejected.
cdnPolicy?objectThe header field name to match on when bypassing cache. Values are case-insensitive.
circuitBreakers?objectThe maximum number of connections to the backend service. If not specified, there is no limit. Not supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true.
compressionMode?enumCompress text responses using Brotli or gzip compression, based on the client's Accept-Encoding header.
connectionDraining?objectConfigures a duration timeout for existing requests on a removed backend instance. For supported load balancers and protocols, as described inEnabling connection draining.
connectionTrackingPolicy?objectSpecifies connection persistence when backends are unhealthy. The default value is DEFAULT_FOR_PROTOCOL. If set to DEFAULT_FOR_PROTOCOL, the existing connections persist on unhealthy backends only for connection-oriented protocols (TCP and SCTP) and only if the Tracking Mode isPER_CONNECTION (default tracking mode) or the Session Affinity is configured for 5-tuple. They do not persist forUDP. If set to NEVER_PERSIST, after a backend becomes unhealthy, the existing connections on the unhealthy backend are never persisted on the unhealthy backend. They are always diverted to newly selected healthy backends (unless all backends are unhealthy). If set to ALWAYS_PERSIST, existing connections always persist on unhealthy backends regardless of protocol and session affinity. It is generally not recommended to use this mode overriding the default. For more details, see [Connection Persistence for Network Load Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) and [Connection Persistence for Internal TCP/UDP Load Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence).
consistentHash?objectName of the cookie.
customMetrics?arrayIf true, the metric data is not used for load balancing.
customRequestHeaders?arrayHeaders that the load balancer adds to proxied requests. See [Creating custom headers](https://cloud.google.com/load-balancing/docs/custom-headers).
customResponseHeaders?arrayHeaders that the load balancer adds to proxied responses. See [Creating custom headers](https://cloud.google.com/load-balancing/docs/custom-headers).
description?stringAn optional description of this resource. Provide this property when you create the resource.
enableCDN?booleanIf true, enables Cloud CDN for the backend service of a global external Application Load Balancer.
externalManagedMigrationState?enumSpecifies the canary migration state. Possible values are PREPARE, TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using externalManagedMigrationTestingPercentage. Rolling back a migration requires the states to be set in reverse order. So changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to be set to TEST_ALL_TRAFFIC at the same time. Optionally, the TEST_BY_PERCENTAGE state can be used to migrate some traffic back to EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL.
externalManagedMigrationTestingPercentage?numberDetermines the fraction of requests that should be processed by the Global external Application Load Balancer. The value of this field must be in the range [0, 100]. Session affinity options will slightly affect this routing behavior, for more details, see:Session Affinity. This value can only be set if the loadBalancingScheme in the BackendService is set to EXTERNAL (when using the classic Application Load Balancer) and the migration state is TEST_BY_PERCENTAGE.
failoverPolicy?objectThis can be set to true if the protocol isTCP, UDP, or UNSPECIFIED. The default is false.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a BackendService. An up-to-date fingerprint must be provided in order to update the BackendService, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a BackendService.
haPolicy?objectSpecifies whether fast IP move is enabled, and if so, the mechanism to achieve it. Supported values are: - DISABLED: Fast IP Move is disabled. You can only use the haPolicy.leader API to update the leader. - >GARP_RA: Provides a method to very quickly define a new network endpoint as the leader. This method is faster than updating the leader using the haPolicy.leader API. Fast IP move works as follows: The VM hosting the network endpoint that should become the new leader sends either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router Advertisement(RA) packet (IPv6). Google Cloud immediately but temporarily associates the forwarding rule IP address with that VM, and both new and in-flight packets are quickly delivered to that VM. Note the important properties of the Fast IP Move functionality: - The GARP/RA-initiated re-routing stays active for approximately 20 minutes. After triggering fast failover, you must also appropriately set the haPolicy.leader. - The new leader instance should continue to send GARP/RA packets periodically every 10 seconds until at least 10 minutes after updating the haPolicy.leader (but stop immediately if it is no longer the leader). - After triggering a fast failover, we recommend that you wait at least 3 seconds before sending another GARP/RA packet from a different VM instance to avoid race conditions. - Don't send GARP/RA packets from different VM instances at the same time. If multiple instances continue to send GARP/RA packets, traffic might be routed to different destinations in an alternating order. This condition ceases when a single instance issues a GARP/RA packet. - The GARP/RA request always takes priority over the leader API. Using the haPolicy.leader API to change the leader to a different instance will have no effect until the GARP/RA request becomes inactive. - The GARP/RA packets should follow the GARP/RA Packet Specifications.. - When multiple forwarding rules refer to a regional backend service, you need only send a GARP or RA packet for a single forwarding rule virtual IP. The virtual IPs for all forwarding rules targeting the same backend service will also be moved to the sender of the GARP or RA packet. The following are the Fast IP Move limitations (that is, when fastIPMove is not DISABLED): - Multiple forwarding rules cannot use the same IP address if one of them refers to a regional backend service with fastIPMove. - The regional backend service must set the network field, and all NEGs must belong to that network. However, individual NEGs can belong to different subnetworks of that network. - The maximum number of network endpoints across all backends of a backend service with fastIPMove is 32. - The maximum number of backend services with fastIPMove that can have the same network endpoint attached to one of its backends is 64. - The maximum number of backend services with fastIPMove in a VPC in a region is 64. - The network endpoints that are attached to a backend of a backend service with fastIPMove cannot resolve to Gen3+ machines for IPv6. - Traffic directed to the leader by a static route next hop will not be redirected to a new leader by fast failover. Such traffic will only be redirected once an haPolicy.leader update has taken effect. Only traffic to the forwarding rule's virtual IP will be redirected to a new leader by fast failover. haPolicy.fastIPMove can be set only at backend service creation time. Once set, it cannot be updated. By default, fastIpMove is set to DISABLED.
healthChecks?arrayThe list of URLs to the healthChecks, httpHealthChecks (legacy), or httpsHealthChecks (legacy) resource for health checking this backend service. Not all backend services support legacy health checks. See Load balancer guide. Currently, at most one health check can be specified for each backend service. Backend services with instance group or zonal NEG backends must have a health check unless haPolicy is specified. Backend services with internet or serverless NEG backends must not have a health check. healthChecks[] cannot be specified with haPolicy.
iap?objectWhether the serving infrastructure will authenticate and authorize all incoming requests.
ipAddressSelectionPolicy?enumSpecifies a preference for traffic sent from the proxy to the backend (or from the client to the backend for proxyless gRPC). The possible values are: - IPV4_ONLY: Only send IPv4 traffic to the backends of the backend service (Instance Group, Managed Instance Group, Network Endpoint Group), regardless of traffic from the client to the proxy. Only IPv4 health checks are used to check the health of the backends. This is the default setting. - PREFER_IPV6: Prioritize the connection to the endpoint's IPv6 address over its IPv4 address (provided there is a healthy IPv6 address). - IPV6_ONLY: Only send IPv6 traffic to the backends of the backend service (Instance Group, Managed Instance Group, Network Endpoint Group), regardless of traffic from the client to the proxy. Only IPv6 health checks are used to check the health of the backends. This field is applicable to either: - Advanced global external Application Load Balancer (load balancing scheme EXTERNAL_MANAGED), - Regional external Application Load Balancer, - Internal proxy Network Load Balancer (load balancing scheme INTERNAL_MANAGED), - Regional internal Application Load Balancer (load balancing scheme INTERNAL_MANAGED), - Traffic Director with Envoy proxies and proxyless gRPC (load balancing scheme INTERNAL_SELF_MANAGED).
loadBalancingScheme?enumSpecifies the load balancer type. A backend service created for one type of load balancer cannot be used with another. For more information, refer toChoosing a load balancer.
localityLbPolicies?arrayAn optional, arbitrary JSON object with configuration data, understood by a locally installed custom policy implementation.
localityLbPolicy?enumThe load balancing algorithm used within the scope of the locality. The possible values are: - ROUND_ROBIN: This is a simple policy in which each healthy backend is selected in round robin order. This is the default. - LEAST_REQUEST: An O(1) algorithm which selects two random healthy hosts and picks the host which has fewer active requests. - RING_HASH: The ring/modulo hash load balancer implements consistent hashing to backends. The algorithm has the property that the addition/removal of a host from a set of N hosts only affects 1/N of the requests. - RANDOM: The load balancer selects a random healthy host. - ORIGINAL_DESTINATION: Backend host is selected based on the client connection metadata, i.e., connections are opened to the same address as the destination address of the incoming connection before the connection was redirected to the load balancer. - MAGLEV: used as a drop in replacement for the ring hash load balancer. Maglev is not as stable as ring hash but has faster table lookup build times and host selection times. For more information about Maglev, see Maglev: A Fast and Reliable Software Network Load Balancer. - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin Load Balancing using weights computed from Backend reported Custom Metrics. If set, the Backend Service responses are expected to contain non-standard HTTP response header field Endpoint-Load-Metrics. The reported metrics to use for computing the weights are specified via thecustomMetrics field. This field is applicable to either: - A regional backend service with the service_protocol set to HTTP, HTTPS, HTTP2 or H2C, and load_balancing_scheme set to INTERNAL_MANAGED. - A global backend service with the load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or EXTERNAL_MANAGED. If sessionAffinity is not configured—that is, if session affinity remains at the default value of NONE—then the default value for localityLbPolicy is ROUND_ROBIN. If session affinity is set to a value other than NONE, then the default value for localityLbPolicy isMAGLEV. Only ROUND_ROBIN and RING_HASH are supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true. localityLbPolicy cannot be specified with haPolicy.
logConfig?objectDenotes whether to enable logging for the load balancer traffic served by this backend service. The default value is false.
maxStreamDuration?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
metadatas?recordDeployment metadata associated with the resource to be set by a GKE hub controller and read by the backend RCTH
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
network?stringThe URL of the network to which this backend service belongs. This field must be set for Internal Passthrough Network Load Balancers when the haPolicy is enabled, and for External Passthrough Network Load Balancers when the haPolicy fastIpMove is enabled. This field can only be specified when the load balancing scheme is set toINTERNAL, or when the load balancing scheme is set toEXTERNAL and haPolicy fastIpMove is enabled.
networkPassThroughLbTrafficPolicy?objectThis field indicates whether zonal affinity is enabled or not. The possible values are: - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity is disabled. The load balancer distributes new connections to all healthy backend endpoints across all zones. - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is enabled. The load balancer distributes new connections to all healthy backend endpoints in the local zone only. If there are no healthy backend endpoints in the local zone, the load balancer distributes new connections to all backend endpoints in the local zone. - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is enabled. The load balancer distributes new connections to all healthy backend endpoints in the local zone only. If there aren't enough healthy backend endpoints in the local zone, the load balancer distributes new connections to all healthy backend endpoints across all zones.
orchestrationInfo?objectThe resource URI of the resource or system that manages the backend service.
outlierDetection?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid.
portName?stringA named port on a backend instance group representing the port for communication to the backend VMs in that group. The named port must be [defined on each backend instance group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). This parameter has no meaning if the backends are NEGs. For internal passthrough Network Load Balancers and external passthrough Network Load Balancers, omit port_name.
protocol?enumThe protocol this BackendService uses to communicate with backends. Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC. depending on the chosen load balancer or Traffic Director configuration. Refer to the documentation for the load balancers or for Traffic Director for more information. Must be set to GRPC when the backend service is referenced by a URL map that is bound to target gRPC proxy.
securitySettings?objectThe access key used for s3 bucket authentication. Required for updating or creating a backend that uses AWS v4 signature authentication, but will not be returned as part of the configuration when queried with a REST API GET request. @InputOnly
serviceBindings?arrayURLs of networkservices.ServiceBinding resources. Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. If set, lists of backends and health checks must be both empty.
serviceLbPolicy?stringURL to networkservices.ServiceLbPolicy resource. Can only be set if load balancing scheme is EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global.
sessionAffinity?enumType of session affinity to use. The default is NONE. Only NONE and HEADER_FIELD are supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true. For more details, see: [Session Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). sessionAffinity cannot be specified with haPolicy.
strongSessionAffinityCookie?objectName of the cookie.
subsetting?objectSubsetting configuration for this BackendService. Currently this is applicable only for Internal TCP/UDP load balancing, Internal HTTP(S) load balancing and Traffic Director.
timeoutSec?numberThe backend service timeout has a different meaning depending on the type of load balancer. For more information see, Backend service settings. The default is 30 seconds. The full range of timeout values allowed goes from 1 through 2,147,483,647 seconds. This value can be overridden in the PathMatcher configuration of the UrlMap that references this backend service. Not supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true. Instead, use maxStreamDuration.
tlsSettings?objectReference to the BackendAuthenticationConfig resource from the networksecurity.googleapis.com namespace. Can be used in authenticating TLS connections to the backend, as specified by the authenticationMode field. Can only be specified if authenticationMode is not NONE.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a backendServices
getGet a backendServices
ArgumentTypeDescription
identifierstringThe name of the backendServices
updateUpdate backendServices attributes
deleteDelete the backendServices
ArgumentTypeDescription
identifierstringThe name of the backendServices
syncSync backendServices state from GCP
add_signed_url_keyadd signed url key
ArgumentTypeDescription
keyName?any
keyValue?any
get_effective_security_policiesget effective security policies
get_healthget health
ArgumentTypeDescription
group?any
list_usablelist usable
set_edge_security_policyset edge security policy
ArgumentTypeDescription
securityPolicy?any
set_security_policyset security policy
ArgumentTypeDescription
securityPolicy?any
instantsnapshots.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
labelFingerprint?stringA fingerprint for the labels being applied to this InstantSnapshot, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a InstantSnapshot.
labels?recordLabels to apply to this InstantSnapshot. These can be later modified by the setLabels method. Label values may be empty.
name?stringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectInput only. Resource manager tags to be bound to the instant snapshot. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/{tag_value_id}` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
resourceStatus?object[Output Only] The storage size of this instant snapshot.
sourceDisk?stringURL of the source disk used to create this instant snapshot. Note that the source disk must be in the same zone/region as the instant snapshot to be created. This can be a full or valid partial URL. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/disks/disk - https://www.googleapis.com/compute/v1/projects/project/regions/region/disks/disk - projects/project/zones/zone/disks/disk - projects/project/regions/region/disks/disk - zones/zone/disks/disk - regions/region/disks/disk
zone?stringOutput only. [Output Only] URL of the zone where the instant snapshot resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a instantSnapshots
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a instantSnapshots
ArgumentTypeDescription
identifierstringThe name of the instantSnapshots
deleteDelete the instantSnapshots
ArgumentTypeDescription
identifierstringThe name of the instantSnapshots
syncSync instantSnapshots state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
machineimages.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
guestFlush?boolean[Input Only] Whether to attempt an application consistent machine image by informing the OS to prepare for the snapshot process.
instanceProperties?objectWhether to enable nested virtualization or not (default is false).
labelFingerprint?stringA fingerprint for the labels being applied to this machine image, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the machine image.
labels?recordLabels to apply to this machine image. These can be later modified by the setLabels method.
machineImageEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
namestringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectInput only. Resource manager tags to be bound to the machine image. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/{tag_value_id}` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
sourceDiskEncryptionKeys?arrayThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceInstance?stringThe source instance used to create the machine image. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/instances/instance - projects/project/zones/zone/instances/instance
sourceInstanceProperties?objectEnables instances created based on this machine image to send packets with source IP addresses other than their own and receive packets with destination IP addresses other than their own. If these instances will be used as an IP gateway or it will be set as the next-hop in a Route resource, specify true. If unsure, leave this set tofalse. See theEnable IP forwarding documentation for more information.
storageLocations?arrayThe regional or multi-regional Cloud Storage bucket location where themachine image is stored.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a machineImages
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a machineImages
ArgumentTypeDescription
identifierstringThe name of the machineImages
deleteDelete the machineImages
ArgumentTypeDescription
identifierstringThe name of the machineImages
syncSync machineImages state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
urlmaps.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
defaultCustomErrorResponsePolicy?objectValid values include: - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value. - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599. - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499. Values must be unique within matchResponseCodes and across allerrorResponseRules ofCustomErrorResponsePolicy.
defaultRouteAction?objectIn response to a preflight request, setting this to true indicates that the actual request can include user credentials. This field translates to the Access-Control-Allow-Credentials header. Default is false.
defaultService?stringThe full or partial URL of the defaultService resource to which traffic is directed if none of the hostRules match. If defaultRouteAction is also specified, advanced routing actions, such as URL rewrites, take effect before sending the request to the backend. Only one of defaultUrlRedirect, defaultService or defaultRouteAction.weightedBackendService can be set. defaultService has no effect when the URL map is bound to a target gRPC proxy that has the validateForProxyless field set to true.
defaultUrlRedirect?objectThe host that is used in the redirect response instead of the one that was supplied in the request. The value must be from 1 to 255 characters.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field is ignored when inserting a UrlMap. An up-to-date fingerprint must be provided in order to update the UrlMap, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a UrlMap.
headerAction?objectThe name of the header.
hostRules?arrayAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
pathMatchers?arrayValid values include: - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value. - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599. - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499. Values must be unique within matchResponseCodes and across allerrorResponseRules ofCustomErrorResponsePolicy.
tests?arrayDescription of this test case.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a urlMaps
getGet a urlMaps
ArgumentTypeDescription
identifierstringThe name of the urlMaps
updateUpdate urlMaps attributes
deleteDelete the urlMaps
ArgumentTypeDescription
identifierstringThe name of the urlMaps
syncSync urlMaps state from GCP
invalidate_cacheinvalidate cache
ArgumentTypeDescription
cacheTags?any
host?any
path?any
validatevalidate
ArgumentTypeDescription
loadBalancingSchemes?any
resource?any
regioninstancegroupmanagers.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
allInstancesConfig?objectThe label key-value pairs that you want to patch onto the instance.
autoHealingPolicies?arrayThe URL for the health check that signals autohealing.
baseInstanceName?stringThe base instance name is a prefix that you want to attach to the names of all VMs in a MIG. The maximum character length is 58 and the name must comply with RFC1035 format. When a VM is created in the group, the MIG appends a hyphen and a random four-character string to the base instance name. If you want the MIG to assign sequential numbers instead of a random string, then end the base instance name with a hyphen followed by one or more hash symbols. The hash symbols indicate the number of digits. For example, a base instance name of "vm-###" results in "vm-001" as a VM name. @pattern [a-z](([-a-z0-9]{0,57})|([-a-z0-9]{0,51}-#{1,10}(\\\\[[0-9]{1,10}\\\\])?))
currentActions?objectOutput only. [Output Only] The total number of instances in the managed instance group that are scheduled to be abandoned. Abandoning an instance removes it from the managed instance group without deleting it.
description?stringAn optional description of this resource.
distributionPolicy?objectThe distribution shape to which the group converges either proactively or on resize events (depending on the value set inupdatePolicy.instanceRedistributionType).
fingerprint?stringFingerprint of this resource. This field may be used in optimistic locking. It will be ignored when inserting an InstanceGroupManager. An up-to-date fingerprint must be provided in order to update the InstanceGroupManager, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an InstanceGroupManager.
instanceFlexibilityPolicy?objectFull machine-type names, e.g. "n1-standard-16".
instanceLifecyclePolicy?objectThe action that a MIG performs on a failed or an unhealthy VM. A VM is marked as unhealthy when the application running on that VM fails a health check. Valid values are - REPAIR (default): MIG automatically repairs a failed or an unhealthy VM by recreating it. For more information, see About repairing VMs in a MIG. - DO_NOTHING: MIG does not repair a failed or an unhealthy VM.
instanceTemplate?stringThe URL of the instance template that is specified for this managed instance group. The group uses this template to create all new instances in the managed instance group. The templates for existing instances in the group do not change unless you run recreateInstances, runapplyUpdatesToInstances, or set the group'supdatePolicy.type to PROACTIVE.
listManagedInstancesResults?enumPagination behavior of the listManagedInstances API method for this managed instance group.
namestringThe name of the managed instance group. The name must be 1-63 characters long, and comply withRFC1035.
region?stringOutput only. [Output Only] The URL of theregion where the managed instance group resides (for regional resources).
resourcePolicies?objectThe URL of the workload policy that is specified for this managed instance group. It can be a full or partial URL. For example, the following are all valid URLs to a workload policy: - https://www.googleapis.com/compute/v1/projects/project/regions/region/resourcePolicies/resourcePolicy - projects/project/regions/region/resourcePolicies/resourcePolicy - regions/region/resourcePolicies/resourcePolicy
standbyPolicy?objectSpecifies the number of seconds that the MIG should wait to suspend or stop a VM after that VM was created. The initial delay gives the initialization script the time to prepare your VM for a quick scale out. The value of initial delay must be between 0 and 3600 seconds. The default value is 0.
statefulPolicy?objectThese stateful disks will never be deleted during autohealing, update or VM instance recreate operations. This flag is used to configure if the disk should be deleted after it is no longer used by the group, e.g. when the given instance or the whole group is deleted. Note: disks attached inREAD_ONLY mode cannot be auto-deleted.
status?objectOutput only. [Output Only] Current all-instances configuration revision. This value is in RFC3339 text format.
targetPools?arrayThe URLs for all TargetPool resources to which instances in theinstanceGroup field are added. The target pools automatically apply to all of the instances in the managed instance group.
targetSizenumberThe target number of running instances for this managed instance group. You can reduce this number by using the instanceGroupManager deleteInstances or abandonInstances methods. Resizing the group also changes this number.
targetSizePolicy?objectThe mode of target size policy based on which the MIG creates its VMs individually or all at once.
targetStoppedSize?numberThe target number of stopped instances for this managed instance group. This number changes when you: - Stop instance using the stopInstances method or start instances using the startInstances method. - Manually change the targetStoppedSize using the update method.
targetSuspendedSize?numberThe target number of suspended instances for this managed instance group. This number changes when you: - Suspend instance using the suspendInstances method or resume instances using the resumeInstances method. - Manually change the targetSuspendedSize using the update method.
updatePolicy?objectThe instance redistribution policy for regional managed instance groups. Valid values are: - PROACTIVE (default): The group attempts to maintain an even distribution of VM instances across zones in the region. - NONE: For non-autoscaled groups, proactive redistribution is disabled.
versions?arrayThe URL of the instance template that is specified for this managed instance group. The group uses this template to create new instances in the managed instance group until the `targetSize` for this version is reached. The templates for existing instances in the group do not change unless you run recreateInstances, runapplyUpdatesToInstances, or set the group'supdatePolicy.type to PROACTIVE; in those cases, existing instances are updated until the `targetSize` for this version is reached.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionInstanceGroupManagers
getGet a regionInstanceGroupManagers
ArgumentTypeDescription
identifierstringThe name of the regionInstanceGroupManagers
updateUpdate regionInstanceGroupManagers attributes
deleteDelete the regionInstanceGroupManagers
ArgumentTypeDescription
identifierstringThe name of the regionInstanceGroupManagers
syncSync regionInstanceGroupManagers state from GCP
abandon_instancesabandon instances
ArgumentTypeDescription
instances?any
apply_updates_to_instancesapply updates to instances
ArgumentTypeDescription
allInstances?any
instances?any
minimalAction?any
mostDisruptiveAllowedAction?any
create_instancescreate instances
ArgumentTypeDescription
instances?any
list_errorslist errors
list_managed_instanceslist managed instances
list_per_instance_configslist per instance configs
patch_per_instance_configspatch per instance configs
ArgumentTypeDescription
perInstanceConfigs?any
recreate_instancesrecreate instances
ArgumentTypeDescription
instances?any
resizeresize
resume_instancesresume instances
ArgumentTypeDescription
instances?any
set_instance_templateset instance template
ArgumentTypeDescription
instanceTemplate?any
set_target_poolsset target pools
ArgumentTypeDescription
fingerprint?any
targetPools?any
start_instancesstart instances
ArgumentTypeDescription
instances?any
stop_instancesstop instances
ArgumentTypeDescription
forceStop?any
instances?any
suspend_instancessuspend instances
ArgumentTypeDescription
forceSuspend?any
instances?any
update_per_instance_configsupdate per instance configs
ArgumentTypeDescription
perInstanceConfigs?any
organizationsecuritypolicies.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
adaptiveProtectionConfig?objectIf set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
advancedOptionsConfig?objectA list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type:= type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
associations?arrayThe resource that the security policy is attached to.
ddosProtectionConfig?object
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringSpecifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
labelFingerprint?stringA fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
recaptchaOptionsConfig?objectAn optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
rules?arrayThe Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for `STATUS` are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - fairshare (preview only): when traffic reaches the threshold limit, requests from the clients matching this rule begin to be rate-limited using the Fair Share algorithm. This action is only allowed in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`.
shortName?stringUser-provided name of the organization security policy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is CLOUD_ARMOR. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
type?enumThe type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE (preview only): Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
userDefinedFields?arrayThe base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
parentId?stringParent ID for this request. The ID can be either be "folders/[FOLDER_ID]" if the parent is a folder or "organizations/[ORGANIZATION_ID]" if the parent is an organization.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a organizationSecurityPolicies
getGet a organizationSecurityPolicies
ArgumentTypeDescription
identifierstringThe name of the organizationSecurityPolicies
updateUpdate organizationSecurityPolicies attributes
deleteDelete the organizationSecurityPolicies
ArgumentTypeDescription
identifierstringThe name of the organizationSecurityPolicies
syncSync organizationSecurityPolicies state from GCP
add_associationadd association
ArgumentTypeDescription
attachmentId?any
displayName?any
excludedFolders?any
excludedProjects?any
name?any
securityPolicyId?any
shortName?any
add_ruleadd rule
ArgumentTypeDescription
action?any
description?any
headerAction?any
kind?any
match?any
networkMatch?any
preconfiguredWafConfig?any
preview?any
priority?any
rateLimitOptions?any
redirectOptions?any
copy_rulescopy rules
get_associationget association
get_ruleget rule
list_associationslist associations
list_preconfigured_expression_setslist preconfigured expression sets
movemove
patch_rulepatch rule
ArgumentTypeDescription
action?any
description?any
headerAction?any
kind?any
match?any
networkMatch?any
preconfiguredWafConfig?any
preview?any
priority?any
rateLimitOptions?any
redirectOptions?any
regioncommitments.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
autoRenew?booleanSpecifies whether to automatically renew the commitment at the end of its current term. The default value is false. If you set the field to true, each time your commitment reaches the end of its term, Compute Engine automatically renews it for another term. You can update this field anytime before the commitment expires. For example, if the commitment is set to expire at 12 AM UTC-8 on January 3, 2027, you can update this field until 11:59 PM UTC-8 on January 2, 2027.
category?enumThe category of the commitment; specifies whether the commitment is for hardware or software resources. Category MACHINE specifies that you are committing to hardware machine resources such asVCPU or MEMORY, listed in resources. Category LICENSE specifies that you are committing to software licenses, listed in licenseResources. Note that if you specify MACHINE commitments, then you must also specify a type to indicate the machine series of the hardware resource that you are committing to.
customEndTimestamp?string[Input Only] Optional, specifies the requested commitment end time inRFC3339 text format. Use this option when the desired commitment's end date is later than the start date + term duration.
description?stringAn optional description of the commitment. You can provide this property when you create the resource.
existingReservations?array
licenseResource?objectThe number of licenses you plan to purchase.
mergeSourceCommitments?arrayThe list of source commitments that you are merging to create the new merged commitment. For more information, see Merging commitments.
name?stringName of the commitment. You must specify a name when you purchase the commitment. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
plan?enumThe minimum time duration that you commit to purchasing resources. The plan that you choose determines the preset term length of the commitment (which is 1 year or 3 years) and affects the discount rate that you receive for your resources. Committing to a longer time duration typically gives you a higher discount rate. The supported values for this field are TWELVE_MONTH (1 year), andTHIRTY_SIX_MONTH (3 years).
region?stringOutput only. [Output Only] URL of the region where the commitment and committed resources are located.
reservations?arrayIndicates chosen reservation operational mode for the reservation.
resources?arrayName of the accelerator type or GPU resource. Specify this field only when the type of hardware resource is ACCELERATOR.
splitSourceCommitment?stringThe source commitment from which you are transferring resources to create the new split commitment. For more information, see Split commitments.
type?enumThe type of commitment; specifies the machine series for which you want to commit to purchasing resources. The choice of machine series affects the discount rate and the eligible resource types. The type must be one of the following:ACCELERATOR_OPTIMIZED, ACCELERATOR_OPTIMIZED_A3,ACCELERATOR_OPTIMIZED_A3_MEGA,COMPUTE_OPTIMIZED, COMPUTE_OPTIMIZED_C2D, COMPUTE_OPTIMIZED_C3, COMPUTE_OPTIMIZED_C3D,COMPUTE_OPTIMIZED_H3, GENERAL_PURPOSE,GENERAL_PURPOSE_C4, GENERAL_PURPOSE_E2,GENERAL_PURPOSE_N2, GENERAL_PURPOSE_N2D,GENERAL_PURPOSE_N4, GENERAL_PURPOSE_T2D,GRAPHICS_OPTIMIZED, GRAPHICS_OPTIMIZED_G4,MEMORY_OPTIMIZED, MEMORY_OPTIMIZED_M3,MEMORY_OPTIMIZED_X4, STORAGE_OPTIMIZED_Z3. For example, type MEMORY_OPTIMIZED specifies a commitment that applies only to eligible resources of memory optimized M1 and M2 machine series. Type GENERAL_PURPOSE specifies a commitment that applies only to eligible resources of general purpose N1 machine series.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionCommitments
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a regionCommitments
ArgumentTypeDescription
identifierstringThe name of the regionCommitments
updateUpdate regionCommitments attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
syncSync regionCommitments state from GCP
sslpolicies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
customFeatures?arrayA list of features enabled when the selected profile is CUSTOM. The method returns the set of features that can be specified in this list. This field must be empty if the profile is notCUSTOM.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a SslPolicy. An up-to-date fingerprint must be provided in order to update the SslPolicy, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an SslPolicy.
minTlsVersion?enumThe minimum version of SSL protocol that can be used by the clients to establish a connection with the load balancer. This can be one ofTLS_1_0, TLS_1_1, TLS_1_2,TLS_1_3. When set to TLS_1_3, the profile field must be set to RESTRICTED.
name?stringName of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
profile?enumProfile specifies the set of SSL features that can be used by the load balancer when negotiating SSL with clients. This can be one ofCOMPATIBLE, MODERN, RESTRICTED,FIPS_202205, or CUSTOM. If usingCUSTOM, the set of SSL features to enable must be specified in the customFeatures field. If using FIPS_202205, the min_tls_version field must be set to TLS_1_2.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a sslPolicies
getGet a sslPolicies
ArgumentTypeDescription
identifierstringThe name of the sslPolicies
updateUpdate sslPolicies attributes
deleteDelete the sslPolicies
ArgumentTypeDescription
identifierstringThe name of the sslPolicies
syncSync sslPolicies state from GCP
list_available_featureslist available features
instancegroups.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
namestringThe name of the instance group. The name must be 1-63 characters long, and comply withRFC1035.
namedPorts?arrayThe name for this named port. The name must be 1-63 characters long, and comply withRFC1035.
zone?stringOutput only. [Output Only] The URL of thezone where the instance group is located (for zonal resources).
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a instanceGroups
getGet a instanceGroups
ArgumentTypeDescription
identifierstringThe name of the instanceGroups
deleteDelete the instanceGroups
ArgumentTypeDescription
identifierstringThe name of the instanceGroups
syncSync instanceGroups state from GCP
add_instancesadd instances
ArgumentTypeDescription
instances?any
list_instanceslist instances
ArgumentTypeDescription
instanceState?any
set_named_portsset named ports
ArgumentTypeDescription
fingerprint?any
namedPorts?any
regionbackendservices.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
affinityCookieTtlSec?numberLifetime of cookies in seconds. This setting is applicable to Application Load Balancers and Traffic Director and requires GENERATED_COOKIE or HTTP_COOKIE session affinity. If set to 0, the cookie is non-persistent and lasts only until the end of the browser session (or equivalent). The maximum allowed value is two weeks (1,209,600). Not supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true.
backends?arraySpecifies how to determine whether the backend of a load balancer can handle additional traffic or is fully loaded. For usage guidelines, see Connection balancing mode. Backends must use compatible balancing modes. For more information, see Supported balancing modes and target capacity settings and Restrictions and guidance for instance groups. Note: Currently, if you use the API to configure incompatible balancing modes, the configuration might be accepted even though it has no impact and is ignored. Specifically, Backend.maxUtilization is ignored when Backend.balancingMode is RATE. In the future, this incompatible combination will be rejected.
cdnPolicy?objectThe header field name to match on when bypassing cache. Values are case-insensitive.
circuitBreakers?objectThe maximum number of connections to the backend service. If not specified, there is no limit. Not supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true.
compressionMode?enumCompress text responses using Brotli or gzip compression, based on the client's Accept-Encoding header.
connectionDraining?objectConfigures a duration timeout for existing requests on a removed backend instance. For supported load balancers and protocols, as described inEnabling connection draining.
connectionTrackingPolicy?objectSpecifies connection persistence when backends are unhealthy. The default value is DEFAULT_FOR_PROTOCOL. If set to DEFAULT_FOR_PROTOCOL, the existing connections persist on unhealthy backends only for connection-oriented protocols (TCP and SCTP) and only if the Tracking Mode isPER_CONNECTION (default tracking mode) or the Session Affinity is configured for 5-tuple. They do not persist forUDP. If set to NEVER_PERSIST, after a backend becomes unhealthy, the existing connections on the unhealthy backend are never persisted on the unhealthy backend. They are always diverted to newly selected healthy backends (unless all backends are unhealthy). If set to ALWAYS_PERSIST, existing connections always persist on unhealthy backends regardless of protocol and session affinity. It is generally not recommended to use this mode overriding the default. For more details, see [Connection Persistence for Network Load Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) and [Connection Persistence for Internal TCP/UDP Load Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence).
consistentHash?objectName of the cookie.
customMetrics?arrayIf true, the metric data is not used for load balancing.
customRequestHeaders?arrayHeaders that the load balancer adds to proxied requests. See [Creating custom headers](https://cloud.google.com/load-balancing/docs/custom-headers).
customResponseHeaders?arrayHeaders that the load balancer adds to proxied responses. See [Creating custom headers](https://cloud.google.com/load-balancing/docs/custom-headers).
description?stringAn optional description of this resource. Provide this property when you create the resource.
enableCDN?booleanIf true, enables Cloud CDN for the backend service of a global external Application Load Balancer.
externalManagedMigrationState?enumSpecifies the canary migration state. Possible values are PREPARE, TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using externalManagedMigrationTestingPercentage. Rolling back a migration requires the states to be set in reverse order. So changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to be set to TEST_ALL_TRAFFIC at the same time. Optionally, the TEST_BY_PERCENTAGE state can be used to migrate some traffic back to EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL.
externalManagedMigrationTestingPercentage?numberDetermines the fraction of requests that should be processed by the Global external Application Load Balancer. The value of this field must be in the range [0, 100]. Session affinity options will slightly affect this routing behavior, for more details, see:Session Affinity. This value can only be set if the loadBalancingScheme in the BackendService is set to EXTERNAL (when using the classic Application Load Balancer) and the migration state is TEST_BY_PERCENTAGE.
failoverPolicy?objectThis can be set to true if the protocol isTCP, UDP, or UNSPECIFIED. The default is false.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a BackendService. An up-to-date fingerprint must be provided in order to update the BackendService, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a BackendService.
haPolicy?objectSpecifies whether fast IP move is enabled, and if so, the mechanism to achieve it. Supported values are: - DISABLED: Fast IP Move is disabled. You can only use the haPolicy.leader API to update the leader. - >GARP_RA: Provides a method to very quickly define a new network endpoint as the leader. This method is faster than updating the leader using the haPolicy.leader API. Fast IP move works as follows: The VM hosting the network endpoint that should become the new leader sends either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router Advertisement(RA) packet (IPv6). Google Cloud immediately but temporarily associates the forwarding rule IP address with that VM, and both new and in-flight packets are quickly delivered to that VM. Note the important properties of the Fast IP Move functionality: - The GARP/RA-initiated re-routing stays active for approximately 20 minutes. After triggering fast failover, you must also appropriately set the haPolicy.leader. - The new leader instance should continue to send GARP/RA packets periodically every 10 seconds until at least 10 minutes after updating the haPolicy.leader (but stop immediately if it is no longer the leader). - After triggering a fast failover, we recommend that you wait at least 3 seconds before sending another GARP/RA packet from a different VM instance to avoid race conditions. - Don't send GARP/RA packets from different VM instances at the same time. If multiple instances continue to send GARP/RA packets, traffic might be routed to different destinations in an alternating order. This condition ceases when a single instance issues a GARP/RA packet. - The GARP/RA request always takes priority over the leader API. Using the haPolicy.leader API to change the leader to a different instance will have no effect until the GARP/RA request becomes inactive. - The GARP/RA packets should follow the GARP/RA Packet Specifications.. - When multiple forwarding rules refer to a regional backend service, you need only send a GARP or RA packet for a single forwarding rule virtual IP. The virtual IPs for all forwarding rules targeting the same backend service will also be moved to the sender of the GARP or RA packet. The following are the Fast IP Move limitations (that is, when fastIPMove is not DISABLED): - Multiple forwarding rules cannot use the same IP address if one of them refers to a regional backend service with fastIPMove. - The regional backend service must set the network field, and all NEGs must belong to that network. However, individual NEGs can belong to different subnetworks of that network. - The maximum number of network endpoints across all backends of a backend service with fastIPMove is 32. - The maximum number of backend services with fastIPMove that can have the same network endpoint attached to one of its backends is 64. - The maximum number of backend services with fastIPMove in a VPC in a region is 64. - The network endpoints that are attached to a backend of a backend service with fastIPMove cannot resolve to Gen3+ machines for IPv6. - Traffic directed to the leader by a static route next hop will not be redirected to a new leader by fast failover. Such traffic will only be redirected once an haPolicy.leader update has taken effect. Only traffic to the forwarding rule's virtual IP will be redirected to a new leader by fast failover. haPolicy.fastIPMove can be set only at backend service creation time. Once set, it cannot be updated. By default, fastIpMove is set to DISABLED.
healthChecks?arrayThe list of URLs to the healthChecks, httpHealthChecks (legacy), or httpsHealthChecks (legacy) resource for health checking this backend service. Not all backend services support legacy health checks. See Load balancer guide. Currently, at most one health check can be specified for each backend service. Backend services with instance group or zonal NEG backends must have a health check unless haPolicy is specified. Backend services with internet or serverless NEG backends must not have a health check. healthChecks[] cannot be specified with haPolicy.
iap?objectWhether the serving infrastructure will authenticate and authorize all incoming requests.
ipAddressSelectionPolicy?enumSpecifies a preference for traffic sent from the proxy to the backend (or from the client to the backend for proxyless gRPC). The possible values are: - IPV4_ONLY: Only send IPv4 traffic to the backends of the backend service (Instance Group, Managed Instance Group, Network Endpoint Group), regardless of traffic from the client to the proxy. Only IPv4 health checks are used to check the health of the backends. This is the default setting. - PREFER_IPV6: Prioritize the connection to the endpoint's IPv6 address over its IPv4 address (provided there is a healthy IPv6 address). - IPV6_ONLY: Only send IPv6 traffic to the backends of the backend service (Instance Group, Managed Instance Group, Network Endpoint Group), regardless of traffic from the client to the proxy. Only IPv6 health checks are used to check the health of the backends. This field is applicable to either: - Advanced global external Application Load Balancer (load balancing scheme EXTERNAL_MANAGED), - Regional external Application Load Balancer, - Internal proxy Network Load Balancer (load balancing scheme INTERNAL_MANAGED), - Regional internal Application Load Balancer (load balancing scheme INTERNAL_MANAGED), - Traffic Director with Envoy proxies and proxyless gRPC (load balancing scheme INTERNAL_SELF_MANAGED).
loadBalancingScheme?enumSpecifies the load balancer type. A backend service created for one type of load balancer cannot be used with another. For more information, refer toChoosing a load balancer.
localityLbPolicies?arrayAn optional, arbitrary JSON object with configuration data, understood by a locally installed custom policy implementation.
localityLbPolicy?enumThe load balancing algorithm used within the scope of the locality. The possible values are: - ROUND_ROBIN: This is a simple policy in which each healthy backend is selected in round robin order. This is the default. - LEAST_REQUEST: An O(1) algorithm which selects two random healthy hosts and picks the host which has fewer active requests. - RING_HASH: The ring/modulo hash load balancer implements consistent hashing to backends. The algorithm has the property that the addition/removal of a host from a set of N hosts only affects 1/N of the requests. - RANDOM: The load balancer selects a random healthy host. - ORIGINAL_DESTINATION: Backend host is selected based on the client connection metadata, i.e., connections are opened to the same address as the destination address of the incoming connection before the connection was redirected to the load balancer. - MAGLEV: used as a drop in replacement for the ring hash load balancer. Maglev is not as stable as ring hash but has faster table lookup build times and host selection times. For more information about Maglev, see Maglev: A Fast and Reliable Software Network Load Balancer. - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin Load Balancing using weights computed from Backend reported Custom Metrics. If set, the Backend Service responses are expected to contain non-standard HTTP response header field Endpoint-Load-Metrics. The reported metrics to use for computing the weights are specified via thecustomMetrics field. This field is applicable to either: - A regional backend service with the service_protocol set to HTTP, HTTPS, HTTP2 or H2C, and load_balancing_scheme set to INTERNAL_MANAGED. - A global backend service with the load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or EXTERNAL_MANAGED. If sessionAffinity is not configured—that is, if session affinity remains at the default value of NONE—then the default value for localityLbPolicy is ROUND_ROBIN. If session affinity is set to a value other than NONE, then the default value for localityLbPolicy isMAGLEV. Only ROUND_ROBIN and RING_HASH are supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true. localityLbPolicy cannot be specified with haPolicy.
logConfig?objectDenotes whether to enable logging for the load balancer traffic served by this backend service. The default value is false.
maxStreamDuration?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
metadatas?recordDeployment metadata associated with the resource to be set by a GKE hub controller and read by the backend RCTH
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
network?stringThe URL of the network to which this backend service belongs. This field must be set for Internal Passthrough Network Load Balancers when the haPolicy is enabled, and for External Passthrough Network Load Balancers when the haPolicy fastIpMove is enabled. This field can only be specified when the load balancing scheme is set toINTERNAL, or when the load balancing scheme is set toEXTERNAL and haPolicy fastIpMove is enabled.
networkPassThroughLbTrafficPolicy?objectThis field indicates whether zonal affinity is enabled or not. The possible values are: - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity is disabled. The load balancer distributes new connections to all healthy backend endpoints across all zones. - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is enabled. The load balancer distributes new connections to all healthy backend endpoints in the local zone only. If there are no healthy backend endpoints in the local zone, the load balancer distributes new connections to all backend endpoints in the local zone. - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is enabled. The load balancer distributes new connections to all healthy backend endpoints in the local zone only. If there aren't enough healthy backend endpoints in the local zone, the load balancer distributes new connections to all healthy backend endpoints across all zones.
orchestrationInfo?objectThe resource URI of the resource or system that manages the backend service.
outlierDetection?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid.
portName?stringA named port on a backend instance group representing the port for communication to the backend VMs in that group. The named port must be [defined on each backend instance group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). This parameter has no meaning if the backends are NEGs. For internal passthrough Network Load Balancers and external passthrough Network Load Balancers, omit port_name.
protocol?enumThe protocol this BackendService uses to communicate with backends. Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC. depending on the chosen load balancer or Traffic Director configuration. Refer to the documentation for the load balancers or for Traffic Director for more information. Must be set to GRPC when the backend service is referenced by a URL map that is bound to target gRPC proxy.
region?stringOutput only. [Output Only] URL of the region where the regional backend service resides. This field is not applicable to global backend services. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
securitySettings?objectThe access key used for s3 bucket authentication. Required for updating or creating a backend that uses AWS v4 signature authentication, but will not be returned as part of the configuration when queried with a REST API GET request. @InputOnly
serviceBindings?arrayURLs of networkservices.ServiceBinding resources. Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. If set, lists of backends and health checks must be both empty.
serviceLbPolicy?stringURL to networkservices.ServiceLbPolicy resource. Can only be set if load balancing scheme is EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global.
sessionAffinity?enumType of session affinity to use. The default is NONE. Only NONE and HEADER_FIELD are supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true. For more details, see: [Session Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). sessionAffinity cannot be specified with haPolicy.
strongSessionAffinityCookie?objectName of the cookie.
subsetting?objectSubsetting configuration for this BackendService. Currently this is applicable only for Internal TCP/UDP load balancing, Internal HTTP(S) load balancing and Traffic Director.
timeoutSec?numberThe backend service timeout has a different meaning depending on the type of load balancer. For more information see, Backend service settings. The default is 30 seconds. The full range of timeout values allowed goes from 1 through 2,147,483,647 seconds. This value can be overridden in the PathMatcher configuration of the UrlMap that references this backend service. Not supported when the backend service is referenced by a URL map that is bound to target gRPC proxy that has validateForProxyless field set to true. Instead, use maxStreamDuration.
tlsSettings?objectReference to the BackendAuthenticationConfig resource from the networksecurity.googleapis.com namespace. Can be used in authenticating TLS connections to the backend, as specified by the authenticationMode field. Can only be specified if authenticationMode is not NONE.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionBackendServices
getGet a regionBackendServices
ArgumentTypeDescription
identifierstringThe name of the regionBackendServices
updateUpdate regionBackendServices attributes
deleteDelete the regionBackendServices
ArgumentTypeDescription
identifierstringThe name of the regionBackendServices
syncSync regionBackendServices state from GCP
get_healthget health
ArgumentTypeDescription
group?any
list_usablelist usable
set_security_policyset security policy
ArgumentTypeDescription
securityPolicy?any
regionhealthaggregationpolicies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a HealthAggregationPolicy. An up-to-date fingerprint must be provided in order to patch the HealthAggregationPolicy; Otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the HealthAggregationPolicy.
healthyPercentThreshold?numberCan only be set if the policyType field isBACKEND_SERVICE_POLICY. Specifies the threshold (as a percentage) of healthy endpoints required in order to consider the aggregated health result HEALTHY. Defaults to 60. Must be in range [0, 100]. Not applicable if the policyType field isDNB_PUBLIC_IP_POLICY. Can be mutated. This field is optional, and will be set to the default if unspecified. Note that both this threshold and minHealthyThreshold must be satisfied in order for HEALTHY to be the aggregated result. "Endpoints" refers to network endpoints within a Network Endpoint Group or instances within an Instance Group.
minHealthyThreshold?numberCan only be set if the policyType field isBACKEND_SERVICE_POLICY. Specifies the minimum number of healthy endpoints required in order to consider the aggregated health result HEALTHY. Defaults to 1. Must be positive. Not applicable if the policyType field isDNB_PUBLIC_IP_POLICY. Can be mutated. This field is optional, and will be set to the default if unspecified. Note that both this threshold and healthyPercentThreshold must be satisfied in order for HEALTHY to be the aggregated result. "Endpoints" refers to network endpoints within a Network Endpoint Group or instances within an Instance Group.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
policyType?enumSpecifies the type of the healthAggregationPolicy. The only allowed value for global resources is DNS_PUBLIC_IP_POLICY. The only allowed value for regional resources is BACKEND_SERVICE_POLICY. Must be specified when the healthAggregationPolicy is created, and cannot be mutated.
region?stringOutput only. [Output Only] URL of the region where the health aggregation policy resides. This field applies only to the regional resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionHealthAggregationPolicies
getGet a regionHealthAggregationPolicies
ArgumentTypeDescription
identifierstringThe name of the regionHealthAggregationPolicies
updateUpdate regionHealthAggregationPolicies attributes
deleteDelete the regionHealthAggregationPolicies
ArgumentTypeDescription
identifierstringThe name of the regionHealthAggregationPolicies
syncSync regionHealthAggregationPolicies state from GCP
acceleratortypes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a acceleratorTypes
ArgumentTypeDescription
identifierstringThe name of the acceleratorTypes
syncSync acceleratorTypes state from GCP
instancetemplates.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
namestringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
properties?objectWhether to enable nested virtualization or not (default is false).
sourceInstance?stringThe source instance used to create the template. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/instances/instance - projects/project/zones/zone/instances/instance
sourceInstanceParams?objectSpecifies whether the disk will be auto-deleted when the instance is deleted (but not when the disk is detached from the instance).
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a instanceTemplates
getGet a instanceTemplates
ArgumentTypeDescription
identifierstringThe name of the instanceTemplates
deleteDelete the instanceTemplates
ArgumentTypeDescription
identifierstringThe name of the instanceTemplates
syncSync instanceTemplates state from GCP
regions.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a regions
ArgumentTypeDescription
identifierstringThe name of the regions
syncSync regions state from GCP
globalforwardingrules.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
IPAddress?stringIP address for which this forwarding rule accepts traffic. When a client sends traffic to this IP address, the forwarding rule directs the traffic to the referenced target or backendService. While creating a forwarding rule, specifying an IPAddress is required under the following circumstances: - When the target is set to targetGrpcProxy andvalidateForProxyless is set to true, theIPAddress should be set to 0.0.0.0. - When the target is a Private Service Connect Google APIs bundle, you must specify an IPAddress. Otherwise, you can optionally specify an IP address that references an existing static (reserved) IP address resource. When omitted, Google Cloud assigns an ephemeral IP address. Use one of the following formats to specify an IP address while creating a forwarding rule: * IP address number, as in `100.1.2.3` * IPv6 address range, as in `2600:1234::/96` * Full resource URL, as inhttps://www.googleapis.com/compute/v1/projects/project_id/regions/region/addresses/address-name * Partial URL or by name, as in: - projects/project_id/regions/region/addresses/address-name - regions/region/addresses/address-name - global/addresses/address-name - address-name The forwarding rule's target or backendService, and in most cases, also the loadBalancingScheme, determine the type of IP address that you can use. For detailed information, see [IP address specifications](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications). When reading an IPAddress, the API always returns the IP address number.
IPProtocol?enumThe IP protocol to which this rule applies. For protocol forwarding, valid options are TCP, UDP, ESP,AH, SCTP, ICMP andL3_DEFAULT. The valid IP protocols are different for different load balancing products as described in [Load balancing features](https://cloud.google.com/load-balancing/docs/features#protocols_from_the_load_balancer_to_the_backends).
allPorts?booleanThe ports, portRange, and allPorts fields are mutually exclusive. Only packets addressed to ports in the specified range will be forwarded to the backends configured with this forwarding rule. The allPorts field has the following limitations: - It requires that the forwarding rule IPProtocol be TCP, UDP, SCTP, or L3_DEFAULT. - It's applicable only to the following products: internal passthrough Network Load Balancers, backend service-based external passthrough Network Load Balancers, and internal and external protocol forwarding. - Set this field to true to allow packets addressed to any port or packets lacking destination port information (for example, UDP fragments after the first fragment) to be forwarded to the backends configured with this forwarding rule. The L3_DEFAULT protocol requiresallPorts be set to true.
allowGlobalAccess?booleanIf set to true, clients can access the internal passthrough Network Load Balancers, the regional internal Application Load Balancer, and the regional internal proxy Network Load Balancer from all regions. If false, only allows access from the local region the load balancer is located at. Note that for INTERNAL_MANAGED forwarding rules, this field cannot be changed after the forwarding rule is created.
allowPscGlobalAccess?booleanThis is used in PSC consumer ForwardingRule to control whether the PSC endpoint can be accessed from another region.
backendService?stringIdentifies the backend service to which the forwarding rule sends traffic. Required for internal and external passthrough Network Load Balancers; must be omitted for all other load balancer types.
description?stringAn optional description of this resource. Provide this property when you create the resource.
externalManagedBackendBucketMigrationState?enumSpecifies the canary migration state for the backend buckets attached to this forwarding rule. Possible values are PREPARE, TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the TEST_BY_PERCENTAGE state can be used to migrate traffic to backend buckets attached to this forwarding rule by percentage using externalManagedBackendBucketMigrationTestingPercentage. Rolling back a migration requires the states to be set in reverse order. So changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to be set to TEST_ALL_TRAFFIC at the same time. Optionally, the TEST_BY_PERCENTAGE state can be used to migrate some traffic back to EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL.
externalManagedBackendBucketMigrationTestingPercentage?numberDetermines the fraction of requests to backend buckets that should be processed by the global external Application Load Balancer. The value of this field must be in the range [0, 100]. This value can only be set if the loadBalancingScheme in the BackendService is set to EXTERNAL (when using the classic Application Load Balancer) and the migration state is TEST_BY_PERCENTAGE.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a ForwardingRule. Include the fingerprint in patch request to ensure that you do not overwrite changes that were applied from another concurrent request. To see the latest fingerprint, make a get() request to retrieve a ForwardingRule.
ipCollection?stringResource reference of a PublicDelegatedPrefix. The PDP must be a sub-PDP in EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode. Use one of the following formats to specify a sub-PDP when creating an IPv6 NetLB forwarding rule using BYOIP: Full resource URL, as inhttps://www.googleapis.com/compute/v1/projects/project_id/regions/region/publicDelegatedPrefixes/sub-pdp-name Partial URL, as in: - projects/project_id/regions/region/publicDelegatedPrefixes/sub-pdp-name - regions/region/publicDelegatedPrefixes/sub-pdp-name
ipVersion?enumThe IP Version that will be used by this forwarding rule. Valid options are IPV4 or IPV6.
isMirroringCollector?booleanIndicates whether or not this load balancer can be used as a collector for packet mirroring. To prevent mirroring loops, instances behind this load balancer will not have their traffic mirrored even if aPacketMirroring rule applies to them. This can only be set to true for load balancers that have theirloadBalancingScheme set to INTERNAL.
labelFingerprint?stringA fingerprint for the labels being applied to this resource, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a ForwardingRule.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
loadBalancingScheme?enumSpecifies the forwarding rule type. For more information about forwarding rules, refer to Forwarding rule concepts.
metadataFilters?arrayName of metadata label. The name can have a maximum length of 1024 characters and must be at least 1 character long.
name?stringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. For Private Service Connect forwarding rules that forward traffic to Google APIs, the forwarding rule name must be a 1-20 characters string with lowercase letters and numbers and must start with a letter.
network?stringThis field is not used for global external load balancing. For internal passthrough Network Load Balancers, this field identifies the network that the load balanced IP should belong to for this forwarding rule. If the subnetwork is specified, the network of the subnetwork will be used. If neither subnetwork nor this field is specified, the default network will be used. For Private Service Connect forwarding rules that forward traffic to Google APIs, a network must be provided.
networkTier?enumThis signifies the networking tier used for configuring this load balancer and can only take the following values:PREMIUM, STANDARD. For regional ForwardingRule, the valid values are PREMIUM andSTANDARD. For GlobalForwardingRule, the valid value isPREMIUM. If this field is not specified, it is assumed to be PREMIUM. If IPAddress is specified, this value must be equal to the networkTier of the Address.
noAutomateDnsZone?booleanThis is used in PSC consumer ForwardingRule to control whether it should try to auto-generate a DNS zone or not. Non-PSC forwarding rules do not use this field. Once set, this field is not mutable.
portRange?stringThe ports, portRange, and allPorts fields are mutually exclusive. Only packets addressed to ports in the specified range will be forwarded to the backends configured with this forwarding rule. The portRange field has the following limitations: - It requires that the forwarding rule IPProtocol be TCP, UDP, or SCTP, and - It's applicable only to the following products: external passthrough Network Load Balancers, internal and external proxy Network Load Balancers, internal and external Application Load Balancers, external protocol forwarding, and Classic VPN. - Some products have restrictions on what ports can be used. See port specifications for details. For external forwarding rules, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair, and cannot have overlappingportRanges. For internal forwarding rules within the same VPC network, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair, and cannot have overlapping portRanges. @pattern: \\\\d+(?:-\\\\d+)?
ports?arrayThe ports, portRange, and allPorts fields are mutually exclusive. Only packets addressed to ports in the specified range will be forwarded to the backends configured with this forwarding rule. The ports field has the following limitations: - It requires that the forwarding rule IPProtocol be TCP, UDP, or SCTP, and - It's applicable only to the following products: internal passthrough Network Load Balancers, backend service-based external passthrough Network Load Balancers, and internal protocol forwarding. - You can specify a list of up to five ports by number, separated by commas. The ports can be contiguous or discontiguous. For external forwarding rules, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair if they share at least one port number. For internal forwarding rules within the same VPC network, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair if they share at least one port number. @pattern: \\\\d+(?:-\\\\d+)?
pscConnectionStatus?enum
serviceDirectoryRegistrations?arrayService Directory namespace to register the forwarding rule under.
serviceLabel?stringAn optional prefix to the service name for this forwarding rule. If specified, the prefix is the first label of the fully qualified service name. The label must be 1-63 characters long, and comply withRFC1035. Specifically, the label must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. This field is only used for internal load balancing.
sourceIpRanges?arrayIf not empty, this forwarding rule will only forward the traffic when the source IP address matches one of the IP addresses or CIDR ranges set here. Note that a forwarding rule can only have up to 64 source IP ranges, and this field can only be used with a regional forwarding rule whose scheme isEXTERNAL. Each source_ip_range entry should be either an IP address (for example, 1.2.3.4) or a CIDR range (for example, 1.2.3.0/24).
subnetwork?stringThis field identifies the subnetwork that the load balanced IP should belong to for this forwarding rule, used with internal load balancers and external passthrough Network Load Balancers with IPv6. If the network specified is in auto subnet mode, this field is optional. However, a subnetwork must be specified if the network is in custom subnet mode or when creating external forwarding rule with IPv6.
target?stringThe URL of the target resource to receive the matched traffic. For regional forwarding rules, this target must be in the same region as the forwarding rule. For global forwarding rules, this target must be a global load balancing resource. The forwarded traffic must be of a type appropriate to the target object. - For load balancers, see the "Target" column in [Port specifications](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications). - For Private Service Connect forwarding rules that forward traffic to Google APIs, provide the name of a supported Google API bundle: - vpc-sc - APIs that support VPC Service Controls. - all-apis - All supported Google APIs. - For Private Service Connect forwarding rules that forward traffic to managed services, the target must be a service attachment. The target is not mutable once set as a service attachment.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a globalForwardingRules
getGet a globalForwardingRules
ArgumentTypeDescription
identifierstringThe name of the globalForwardingRules
updateUpdate globalForwardingRules attributes
deleteDelete the globalForwardingRules
ArgumentTypeDescription
identifierstringThe name of the globalForwardingRules
syncSync globalForwardingRules state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
set_targetset target
ArgumentTypeDescription
target?any
backendbuckets.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
bucketName?stringCloud Storage bucket name.
cdnPolicy?objectThe header field name to match on when bypassing cache. Values are case-insensitive.
compressionMode?enumCompress text responses using Brotli or gzip compression, based on the client's Accept-Encoding header.
customResponseHeaders?arrayHeaders that the Application Load Balancer should add to proxied responses.
description?stringAn optional textual description of the resource; provided by the client when the resource is created.
enableCdn?booleanIf true, enable Cloud CDN for this BackendBucket.
loadBalancingScheme?enumThe value can only be INTERNAL_MANAGED for cross-region internal layer 7 load balancer. If loadBalancingScheme is not specified, the backend bucket can be used by classic global external load balancers, or global application external load balancers, or both.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a backendBuckets
getGet a backendBuckets
ArgumentTypeDescription
identifierstringThe name of the backendBuckets
updateUpdate backendBuckets attributes
deleteDelete the backendBuckets
ArgumentTypeDescription
identifierstringThe name of the backendBuckets
syncSync backendBuckets state from GCP
add_signed_url_keyadd signed url key
ArgumentTypeDescription
keyName?any
keyValue?any
set_edge_security_policyset edge security policy
ArgumentTypeDescription
securityPolicy?any
interconnectremotelocations.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a interconnectRemoteLocations
ArgumentTypeDescription
identifierstringThe name of the interconnectRemoteLocations
syncSync interconnectRemoteLocations state from GCP
interconnects.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
aaiEnabled?booleanEnable or disable the application awareness feature on this Cloud Interconnect.
adminEnabled?booleanAdministrative status of the interconnect. When this is set to true, the Interconnect is functional and can carry traffic. When set to false, no packets can be carried over the interconnect and no BGP routes are exchanged over it. By default, the status is set to true.
applicationAwareInterconnect?objectBandwidth percentage for a specific traffic class.
customerName?stringCustomer name, to put in the Letter of Authorization as the party authorized to request a crossconnect.
description?stringAn optional description of this resource. Provide this property when you create the resource.
interconnectType?enumType of interconnect, which can take one of the following values: - PARTNER: A partner-managed interconnection shared between customers though a partner. - DEDICATED: A dedicated physical interconnection with the customer. Note that a value IT_PRIVATE has been deprecated in favor of DEDICATED.
labelFingerprint?stringA fingerprint for the labels being applied to this Interconnect, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an Interconnect.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
linkType?enumType of link requested, which can take one of the following values: - LINK_TYPE_ETHERNET_10G_LR: A 10G Ethernet with LR optics - LINK_TYPE_ETHERNET_100G_LR: A 100G Ethernet with LR optics. - LINK_TYPE_ETHERNET_400G_LR4: A 400G Ethernet with LR4 optics. Note that this field indicates the speed of each of the links in the bundle, not the speed of the entire bundle.
location?stringURL of the InterconnectLocation object that represents where this connection is to be provisioned.
macsec?objectIf set to true, the Interconnect connection is configured with ashould-secure MACsec security policy, that allows the Google router to fallback to cleartext traffic if the MKA session cannot be established. By default, the Interconnect connection is configured with amust-secure security policy that drops all traffic if the MKA session cannot be established with your router.
macsecEnabled?booleanEnable or disable MACsec on this Interconnect connection. MACsec enablement fails if the MACsec object is not specified.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
nocContactEmail?stringEmail address to contact the customer NOC for operations and maintenance notifications regarding this Interconnect. If specified, this will be used for notifications in addition to all other forms described, such as Cloud Monitoring logs alerting and Cloud Notifications. This field is required for users who sign up for Cloud Interconnect using workforce identity federation.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid. * Inconsistent format is not supported. For instance: {"tagKeys/333": "tagValues/444", "123/env": "prod"} is invalid.
remoteLocation?stringIndicates that this is a Cross-Cloud Interconnect. This field specifies the location outside of Google's network that the interconnect is connected to.
requestedFeatures?arrayOptional. This parameter can be provided only with Interconnect INSERT. It isn't valid for Interconnect PATCH. List of features requested for this Interconnect connection, which can take one of the following values: - IF_MACSEC: If specified, then the connection is created on MACsec capable hardware ports. If not specified, non-MACsec capable ports will also be considered. - IF_CROSS_SITE_NETWORK: If specified, then the connection is created exclusively for Cross-Site Networking. The connection can not be used for Cross-Site Networking unless this feature is specified.
requestedLinkCount?numberTarget number of physical links in the link bundle, as requested by the customer.
subzone?enumTo be deprecated.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a interconnects
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a interconnects
ArgumentTypeDescription
identifierstringThe name of the interconnects
updateUpdate interconnects attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the interconnects
ArgumentTypeDescription
identifierstringThe name of the interconnects
syncSync interconnects state from GCP
get_diagnosticsget diagnostics
get_macsec_configget macsec config
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
serviceattachments.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
connectionPreference?enumThe connection preference of service attachment. The value can be set to ACCEPT_AUTOMATIC. An ACCEPT_AUTOMATIC service attachment is one that always accepts the connection from consumer forwarding rules.
consumerAcceptLists?arrayThe value of the limit to set. For endpoint_url, the limit should be no more than 1.
consumerRejectLists?arraySpecifies a list of projects or networks that are not allowed to connect to this service attachment. The project can be specified using its project ID or project number and the network can be specified using its URL. A given service attachment can manage connections at either the project or network level. Therefore, both the reject and accept lists for a given service attachment must contain either only projects or only networks.
description?stringAn optional description of this resource. Provide this property when you create the resource.
domainNames?arrayIf specified, the domain name will be used during the integration between the PSC connected endpoints and the Cloud DNS. For example, this is a valid domain name: "p.mycompany.com.". Current max number of domain names supported is 1.
enableProxyProtocol?booleanIf true, enable the proxy protocol which is for supplying client TCP/IP address data in TCP connections that traverse proxies on their way to destination servers.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a ServiceAttachment. An up-to-date fingerprint must be provided in order to patch/update the ServiceAttachment; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the ServiceAttachment.
metadata?recordMetadata of the service attachment.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
natSubnets?arrayAn array of URLs where each entry is the URL of a subnet provided by the service producer to use for NAT in this service attachment.
propagatedConnectionLimit?numberThe number of consumer spokes that connected Private Service Connect endpoints can be propagated to through Network Connectivity Center. This limit lets the service producer limit how many propagated Private Service Connect connections can be established to this service attachment from a single consumer. If the connection preference of the service attachment is ACCEPT_MANUAL, the limit applies to each project or network that is listed in the consumer accept list. If the connection preference of the service attachment is ACCEPT_AUTOMATIC, the limit applies to each project that contains a connected endpoint. If unspecified, the default propagated connection limit is 250.
pscServiceAttachmentId?object
reconcileConnections?booleanThis flag determines whether a consumer accept/reject list change can reconcile the statuses of existing ACCEPTED or REJECTED PSC endpoints. - If false, connection policy update will only affect existing PENDING PSC endpoints. Existing ACCEPTED/REJECTED endpoints will remain untouched regardless how the connection policy is modified. - If true, update will affect both PENDING and ACCEPTED/REJECTED PSC endpoints. For example, an ACCEPTED PSC endpoint will be moved to REJECTED if its project is added to the reject list. For newly created service attachment, this boolean defaults to false.
region?stringOutput only. [Output Only] URL of the region where the service attachment resides. This field applies only to the region resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
targetService?stringThe URL of a service serving the endpoint identified by this service attachment.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a serviceAttachments
getGet a serviceAttachments
ArgumentTypeDescription
identifierstringThe name of the serviceAttachments
updateUpdate serviceAttachments attributes
deleteDelete the serviceAttachments
ArgumentTypeDescription
identifierstringThe name of the serviceAttachments
syncSync serviceAttachments state from GCP
nodetypes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a nodeTypes
ArgumentTypeDescription
identifierstringThe name of the nodeTypes
syncSync nodeTypes state from GCP
regionnotificationendpoints.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
grpcSettings?objectOptional. If specified, this field is used to set the authority header by the sender of notifications. See https://tools.ietf.org/html/rfc7540#section-8.1.2.3
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
region?stringOutput only. [Output Only] URL of the region where the notification endpoint resides. This field applies only to the regional resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionNotificationEndpoints
getGet a regionNotificationEndpoints
ArgumentTypeDescription
identifierstringThe name of the regionNotificationEndpoints
deleteDelete the regionNotificationEndpoints
ArgumentTypeDescription
identifierstringThe name of the regionNotificationEndpoints
syncSync regionNotificationEndpoints state from GCP
sslcertificates.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
certificate?stringA value read into memory from a certificate file. The certificate file must be in PEM format. The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert.
description?stringAn optional description of this resource. Provide this property when you create the resource.
managed?objectOutput only. [Output only] Detailed statuses of the domains specified for managed certificate resource.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
privateKey?stringA value read into memory from a write-only private key file. The private key file must be in PEM format. For security, only insert requests include this field.
selfManaged?objectA local certificate file. The certificate must be in PEM format. The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert.
type?enum(Optional) Specifies the type of SSL certificate, either "SELF_MANAGED" or "MANAGED". If not specified, the certificate is self-managed and the fieldscertificate and private_key are used.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a sslCertificates
getGet a sslCertificates
ArgumentTypeDescription
identifierstringThe name of the sslCertificates
deleteDelete the sslCertificates
ArgumentTypeDescription
identifierstringThe name of the sslCertificates
syncSync sslCertificates state from GCP
interconnectlocations.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a interconnectLocations
ArgumentTypeDescription
identifierstringThe name of the interconnectLocations
syncSync interconnectLocations state from GCP
storagepooltypes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a storagePoolTypes
ArgumentTypeDescription
identifierstringThe name of the storagePoolTypes
syncSync storagePoolTypes state from GCP
previewfeatures.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
activationStatus?enumSpecifies whether the feature is enabled or disabled.
creationTimestamp?stringOutput only. [Output Only] Creation timestamp inRFC3339 text format.
description?stringOutput only. [Output Only] Description of the feature.
id?stringOutput only. [Output Only] The unique identifier for the resource. This identifier is defined by the server.
kind?stringOutput only. [Output only] The type of the feature. Always "compute#previewFeature" for preview features.
name?stringName of the feature.
rolloutOperation?objectThe name of the rollout plan Ex. organizations//locations/global/rolloutPlans/ Ex. folders//locations/global/rolloutPlans/ Ex. projects//locations/global/rolloutPlans/.
selfLink?stringOutput only. [Output Only] Server-defined URL for the resource.
status?objectOutput only. [Output Only] The description of the feature.
getGet a previewFeatures
ArgumentTypeDescription
identifierstringThe name of the previewFeatures
updateUpdate previewFeatures attributes
syncSync previewFeatures state from GCP
publicadvertisedprefixes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
dnsVerificationIp?stringThe address to be used for reverse DNS verification.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a new PublicAdvertisedPrefix. An up-to-date fingerprint must be provided in order to update thePublicAdvertisedPrefix, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a PublicAdvertisedPrefix.
ipCidrRange?stringThe address range, in CIDR format, represented by this public advertised prefix.
ipv6AccessType?enumThe internet access type for IPv6 Public Advertised Prefixes.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
status?enumThe status of the public advertised prefix. Possible values include: - `INITIAL`: RPKI validation is complete. - `PTR_CONFIGURED`: User has configured the PTR. - `VALIDATED`: Reverse DNS lookup is successful. - `REVERSE_DNS_LOOKUP_FAILED`: Reverse DNS lookup failed. - `PREFIX_CONFIGURATION_IN_PROGRESS`: The prefix is being configured. - `PREFIX_CONFIGURATION_COMPLETE`: The prefix is fully configured. - `PREFIX_REMOVAL_IN_PROGRESS`: The prefix is being removed.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a publicAdvertisedPrefixes
getGet a publicAdvertisedPrefixes
ArgumentTypeDescription
identifierstringThe name of the publicAdvertisedPrefixes
updateUpdate publicAdvertisedPrefixes attributes
deleteDelete the publicAdvertisedPrefixes
ArgumentTypeDescription
identifierstringThe name of the publicAdvertisedPrefixes
syncSync publicAdvertisedPrefixes state from GCP
announceannounce
withdrawwithdraw
routers.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
bgp?objectUser-specified flag to indicate which mode to use for advertisement. The options are DEFAULT or CUSTOM.
bgpPeers?arrayUser-specified flag to indicate which mode to use for advertisement.
description?stringAn optional description of this resource. Provide this property when you create the resource.
encryptedInterconnectRouter?booleanIndicates if a router is dedicated for use with encrypted VLAN attachments (interconnectAttachments).
interfaces?arrayIP address and range of the interface. - For Internet Protocol version 4 (IPv4), the IP range must be in theRFC3927 link-local IP address space. The value must be a CIDR-formatted string, for example, 169.254.0.1/30. Note: Do not truncate the IP address, as it represents the IP address of the interface. - For Internet Protocol version 6 (IPv6), the value must be a unique local address (ULA) range from fdff:1::/64 with a mask length of 126 or less. This value should be a CIDR-formatted string, for example, fdff:1::1/112. Within the router's VPC, this IPv6 prefix will be reserved exclusively for this connection and cannot be used for any other purpose.
md5AuthenticationKeys?array[Input only] Value of the key. For patch and update calls, it can be skipped to copy the value from the previous configuration. This is allowed if the key with the same name existed before the operation. Maximum length is 80 characters. Can only contain printable ASCII characters.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
nats?arrayThe network tier to use when automatically reserving NAT IP addresses. Must be one of: PREMIUM, STANDARD. If not specified, then the current project-level default tier is used.
networkstringURI of the network to which this router belongs.
params?objectTag keys/values directly bound to this resource. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid. * Inconsistent format is not supported. For instance: {"tagKeys/333": "tagValues/444", "123/env": "prod"} is invalid.
region?string[Output Only] URI of the region where the router resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a routers
getGet a routers
ArgumentTypeDescription
identifierstringThe name of the routers
updateUpdate routers attributes
deleteDelete the routers
ArgumentTypeDescription
identifierstringThe name of the routers
syncSync routers state from GCP
get_nat_ip_infoget nat ip info
get_nat_mapping_infoget nat mapping info
get_route_policyget route policy
get_router_statusget router status
list_bgp_routeslist bgp routes
list_route_policieslist route policies
patch_route_policypatch route policy
ArgumentTypeDescription
description?any
fingerprint?any
name?any
terms?any
type?any
previewpreview
ArgumentTypeDescription
bgp?any
bgpPeers?any
creationTimestamp?any
description?any
encryptedInterconnectRouter?any
id?any
interfaces?any
kind?any
md5AuthenticationKeys?any
name?any
nats?any
network?any
params?any
region?any
selfLink?any
update_route_policyupdate route policy
ArgumentTypeDescription
description?any
fingerprint?any
name?any
terms?any
type?any
reservations.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
advancedDeploymentControl?objectIndicates chosen reservation operational mode for the reservation.
aggregateReservation?objectNumber of accelerators of specified type.
deleteAfterDuration?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
deleteAtTime?stringAbsolute time in future when the reservation will be auto-deleted by Compute Engine. Timestamp is represented inRFC3339 text format.
deploymentType?enumSpecifies the deployment strategy for this reservation.
description?stringAn optional description of this resource. Provide this property when you create the resource.
earlyAccessMaintenance?enumIndicates the early access maintenance for the reservation. If this field is absent or set to NO_EARLY_ACCESS, the reservation is not enrolled in early access maintenance and the standard notice applies.
enableEmergentMaintenance?booleanIndicates whether Compute Engine allows unplanned maintenance for your VMs; for example, to fix hardware errors.
name?stringThe name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectInput only. Resource manager tags to be bound to the reservation. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/{tag_value_id}` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
protectionTier?enumProtection tier for the workload which specifies the workload expectations in the event of infrastructure failures at data center (e.g. power and/or cooling failures).
reservationSharingPolicy?objectSharing config for all Google Cloud services.
resourcePolicies?recordResource policies to be added to this reservation. The key is defined by user, and the value is resource policy url. This is to define placement policy with reservation.
schedulingType?enumThe type of maintenance for the reservation.
shareSettings?objectThe project ID, should be same as the key of this project config in the parent map.
specificReservation?objectOutput only. [Output Only] Indicates how many instances are actually usable currently.
specificReservationRequired?booleanIndicates whether the reservation can be consumed by VMs with affinity for "any" reservation. If the field is set, then only VMs that target the reservation by name can consume from this reservation.
zone?stringZone in which the reservation resides. A zone must be provided if the reservation is created within a commitment.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a reservations
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a reservations
ArgumentTypeDescription
identifierstringThe name of the reservations
updateUpdate reservations attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the reservations
ArgumentTypeDescription
identifierstringThe name of the reservations
syncSync reservations state from GCP
perform_maintenanceperform maintenance
ArgumentTypeDescription
maintenanceScope?any
resizeresize
ArgumentTypeDescription
specificSkuCount?any
publicdelegatedprefixes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
allocatablePrefixLength?numberThe allocatable prefix length supported by this public delegated prefix. This field is optional and cannot be set for prefixes in DELEGATION mode. It cannot be set for IPv4 prefixes either, and it always defaults to 32.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a new PublicDelegatedPrefix. An up-to-date fingerprint must be provided in order to update thePublicDelegatedPrefix, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a PublicDelegatedPrefix.
ipCidrRange?stringThe IP address range, in CIDR format, represented by this public delegated prefix.
isLiveMigration?booleanIf true, the prefix will be live migrated.
mode?enumThe public delegated prefix mode for IPv6 only.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
parentPrefix?stringThe URL of parent prefix. Either PublicAdvertisedPrefix or PublicDelegatedPrefix.
publicDelegatedSubPrefixs?arrayThe allocatable prefix length supported by this PublicDelegatedSubPrefix.
region?stringOutput only. [Output Only] URL of the region where the public delegated prefix resides. This field applies only to the region resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a publicDelegatedPrefixes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a publicDelegatedPrefixes
ArgumentTypeDescription
identifierstringThe name of the publicDelegatedPrefixes
updateUpdate publicDelegatedPrefixes attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the publicDelegatedPrefixes
ArgumentTypeDescription
identifierstringThe name of the publicDelegatedPrefixes
syncSync publicDelegatedPrefixes state from GCP
announceannounce
withdrawwithdraw
securitypolicies.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
adaptiveProtectionConfig?objectIf set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
advancedOptionsConfig?objectA list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type:= type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
associations?arrayThe resource that the security policy is attached to.
ddosProtectionConfig?object
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringSpecifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
labelFingerprint?stringA fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
recaptchaOptionsConfig?objectAn optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
rules?arrayThe Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for `STATUS` are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - fairshare (preview only): when traffic reaches the threshold limit, requests from the clients matching this rule begin to be rate-limited using the Fair Share algorithm. This action is only allowed in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`.
shortName?stringUser-provided name of the organization security policy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is CLOUD_ARMOR. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
type?enumThe type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE (preview only): Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
userDefinedFields?arrayThe base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a securityPolicies
getGet a securityPolicies
ArgumentTypeDescription
identifierstringThe name of the securityPolicies
updateUpdate securityPolicies attributes
deleteDelete the securityPolicies
ArgumentTypeDescription
identifierstringThe name of the securityPolicies
syncSync securityPolicies state from GCP
add_ruleadd rule
ArgumentTypeDescription
action?any
description?any
headerAction?any
kind?any
match?any
networkMatch?any
preconfiguredWafConfig?any
preview?any
priority?any
rateLimitOptions?any
redirectOptions?any
get_ruleget rule
list_preconfigured_expression_setslist preconfigured expression sets
patch_rulepatch rule
ArgumentTypeDescription
action?any
description?any
headerAction?any
kind?any
match?any
networkMatch?any
preconfiguredWafConfig?any
preview?any
priority?any
rateLimitOptions?any
redirectOptions?any
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
regionautoscalers.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
autoscalingPolicy?objectThe number of seconds that your application takes to initialize on a VM instance. This is referred to as the [initialization period](/compute/docs/autoscaler#cool_down_period). Specifying an accurate initialization period improves autoscaler decisions. For example, when scaling out, the autoscaler ignores data from VMs that are still initializing because those VMs might not yet represent normal usage of your application. The default initialization period is 60 seconds. Initialization periods might vary because of numerous factors. We recommend that you test how long your application takes to initialize. To do this, create a VM and time your application's startup process.
description?stringAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
region?stringOutput only. [Output Only] URL of theregion where the instance group resides (for autoscalers living in regional scope).
target?stringURL of the managed instance group that this autoscaler will scale. This field is required when creating an autoscaler.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionAutoscalers
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a regionAutoscalers
ArgumentTypeDescription
identifierstringThe name of the regionAutoscalers
updateUpdate regionAutoscalers attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the regionAutoscalers
ArgumentTypeDescription
identifierstringThe name of the regionAutoscalers
syncSync regionAutoscalers state from GCP
regionnetworkendpointgroups.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
annotations?recordOptional. Metadata defined as annotations on the network endpoint group.
appEngine?objectOptional serving service. The service name is case-sensitive and must be 1-63 characters long. Example value: default, my-service.
cloudFunction?objectA user-defined name of the Cloud Function. The function name is case-sensitive and must be 1-63 characters long. Example value: func1.
cloudRun?objectCloud Run service is the main resource of Cloud Run. The service must be 1-63 characters long, and comply withRFC1035. Example value: "run-service".
defaultPort?numberThe default port used if the port number is not specified in the network endpoint. Optional. If the network endpoint type is either GCE_VM_IP,SERVERLESS or PRIVATE_SERVICE_CONNECT, this field must not be specified.
description?stringAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
network?stringThe URL of the network to which all network endpoints in the NEG belong. Uses default project network if unspecified.
networkEndpointType?enumType of network endpoints in this network endpoint group. Can be one ofGCE_VM_IP, GCE_VM_IP_PORT,NON_GCP_PRIVATE_IP_PORT, INTERNET_FQDN_PORT,INTERNET_IP_PORT, SERVERLESS,PRIVATE_SERVICE_CONNECT, GCE_VM_IP_PORTMAP.
pscData?objectOutput only. [Output Only] Address allocated from given subnetwork for PSC. This IP address acts as a VIP for a PSC NEG, allowing it to act as an endpoint in L7 PSC-XLB.
pscTargetService?stringThe target service url used to set up private service connection to a Google API or a PSC Producer Service Attachment. An example value is: asia-northeast3-cloudkms.googleapis.com. Optional. Only valid when networkEndpointType isPRIVATE_SERVICE_CONNECT.
region?stringOutput only. [Output Only] The URL of theregion where the network endpoint group is located.
subnetwork?stringOptional URL of the subnetwork to which all network endpoints in the NEG belong.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionNetworkEndpointGroups
getGet a regionNetworkEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the regionNetworkEndpointGroups
deleteDelete the regionNetworkEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the regionNetworkEndpointGroups
syncSync regionNetworkEndpointGroups state from GCP
attach_network_endpointsattach network endpoints
ArgumentTypeDescription
networkEndpoints?any
detach_network_endpointsdetach network endpoints
ArgumentTypeDescription
networkEndpoints?any
list_network_endpointslist network endpoints
firewallpolicies.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
associations?arrayThe target that the firewall policy is attached to.
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringSpecifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
packetMirroringRules?arrayThe Action to perform when the client connection triggers the rule. Valid actions for firewall rules are: "allow", "deny", "apply_security_profile_group" and "goto_next". Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" and "goto_next".
policyType?enumThe type of the firewall policy. This field can be eitherVPC_POLICY or RDMA_ROCE_POLICY. Note: if not specified then VPC_POLICY will be used.
rules?arrayThe Action to perform when the client connection triggers the rule. Valid actions for firewall rules are: "allow", "deny", "apply_security_profile_group" and "goto_next". Valid actions for packet mirroring rules are: "mirror", "do_not_mirror" and "goto_next".
shortName?stringUser-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
parentId?stringParent ID for this request. The ID can be either be "folders/[FOLDER_ID]" if the parent is a folder or "organizations/[ORGANIZATION_ID]" if the parent is an organization.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a firewallPolicies
getGet a firewallPolicies
ArgumentTypeDescription
identifierstringThe name of the firewallPolicies
updateUpdate firewallPolicies attributes
deleteDelete the firewallPolicies
ArgumentTypeDescription
identifierstringThe name of the firewallPolicies
syncSync firewallPolicies state from GCP
add_associationadd association
ArgumentTypeDescription
attachmentTarget?any
displayName?any
firewallPolicyId?any
name?any
shortName?any
add_ruleadd rule
ArgumentTypeDescription
action?any
description?any
direction?any
disabled?any
enableLogging?any
kind?any
match?any
priority?any
ruleName?any
ruleTupleCount?any
securityProfileGroup?any
targetResources?any
targetSecureTags?any
targetServiceAccounts?any
tlsInspect?any
clone_rulesclone rules
get_associationget association
get_ruleget rule
list_associationslist associations
movemove
patch_rulepatch rule
ArgumentTypeDescription
action?any
description?any
direction?any
disabled?any
enableLogging?any
kind?any
match?any
priority?any
ruleName?any
ruleTupleCount?any
securityProfileGroup?any
targetResources?any
targetSecureTags?any
targetServiceAccounts?any
tlsInspect?any
targethttpproxies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a TargetHttpProxy. An up-to-date fingerprint must be provided in order to patch/update the TargetHttpProxy; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the TargetHttpProxy.
httpKeepAliveTimeoutSec?numberSpecifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). If an HTTP keep-alive is not specified, a default value (610 seconds) will be used. For global external Application Load Balancers, the minimum allowed value is 5 seconds and the maximum allowed value is 1200 seconds. For classic Application Load Balancers, this option is not supported.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
proxyBind?booleanThis field only applies when the forwarding rule that references this target proxy has a loadBalancingScheme set toINTERNAL_SELF_MANAGED. When this field is set to true, Envoy proxies set up inbound traffic interception and bind to the IP address and port specified in the forwarding rule. This is generally useful when using Traffic Director to configure Envoy as a gateway or middle proxy (in other words, not a sidecar proxy). The Envoy proxy listens for inbound requests and handles requests when it receives them. The default is false.
urlMap?stringURL to the UrlMap resource that defines the mapping from URL to the BackendService.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a targetHttpProxies
getGet a targetHttpProxies
ArgumentTypeDescription
identifierstringThe name of the targetHttpProxies
updateUpdate targetHttpProxies attributes
deleteDelete the targetHttpProxies
ArgumentTypeDescription
identifierstringThe name of the targetHttpProxies
syncSync targetHttpProxies state from GCP
set_url_mapset url map
ArgumentTypeDescription
urlMap?any
httphealthchecks.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
checkIntervalSec?numberHow often (in seconds) to send a health check. The default value is5 seconds.
description?stringAn optional description of this resource. Provide this property when you create the resource.
healthyThreshold?numberA so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2.
host?stringThe value of the host header in the HTTP health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
port?numberThe TCP port number for the HTTP health check request. The default value is80.
requestPath?stringThe request path of the HTTP health check request. The default value is/. This field does not support query parameters. Must comply withRFC3986.
timeoutSec?numberHow long (in seconds) to wait before claiming failure. The default value is5 seconds. It is invalid for timeoutSec to have greater value than checkIntervalSec.
unhealthyThreshold?numberA so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a httpHealthChecks
getGet a httpHealthChecks
ArgumentTypeDescription
identifierstringThe name of the httpHealthChecks
updateUpdate httpHealthChecks attributes
deleteDelete the httpHealthChecks
ArgumentTypeDescription
identifierstringThe name of the httpHealthChecks
syncSync httpHealthChecks state from GCP
httpshealthchecks.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
checkIntervalSec?numberHow often (in seconds) to send a health check. The default value is 5 seconds.
description?stringAn optional description of this resource. Provide this property when you create the resource.
healthyThreshold?numberA so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2.
host?stringThe value of the host header in the HTTPS health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
port?numberThe TCP port number for the HTTPS health check request. The default value is 443.
requestPath?stringThe request path of the HTTPS health check request. The default value is "/". Must comply withRFC3986.
timeoutSec?numberHow long (in seconds) to wait before claiming failure. The default value is 5 seconds. It is invalid for timeoutSec to have a greater value than checkIntervalSec.
unhealthyThreshold?numberA so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a httpsHealthChecks
getGet a httpsHealthChecks
ArgumentTypeDescription
identifierstringThe name of the httpsHealthChecks
updateUpdate httpsHealthChecks attributes
deleteDelete the httpsHealthChecks
ArgumentTypeDescription
identifierstringThe name of the httpsHealthChecks
syncSync httpsHealthChecks state from GCP
crosssitenetworks.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of the cross-site network.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). end_interface: MixerMutationRequestBuilder
createCreate a crossSiteNetworks
getGet a crossSiteNetworks
ArgumentTypeDescription
identifierstringThe name of the crossSiteNetworks
updateUpdate crossSiteNetworks attributes
deleteDelete the crossSiteNetworks
ArgumentTypeDescription
identifierstringThe name of the crossSiteNetworks
syncSync crossSiteNetworks state from GCP
networks.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
autoCreateSubnetworks?booleanMust be set to create a VPC network. If not set, a legacy network is created. When set to true, the VPC network is created in auto mode. When set to false, the VPC network is created in custom mode. An auto mode VPC network starts with one subnet per region. Each subnet has a predetermined range as described inAuto mode VPC network IP ranges. For custom mode VPC networks, you can add subnets using the subnetworksinsert method.
description?stringAn optional description of this resource. Provide this field when you create the resource.
enableUlaInternalIpv6?booleanEnable ULA internal ipv6 on this network. Enabling this feature will assign a /48 from google defined ULA prefix fd20::/20..
internalIpv6Range?stringWhen enabling ula internal ipv6, caller optionally can specify the /48 range they want from the google defined ULA prefix fd20::/20. The input must be a valid /48 ULA IPv6 address and must be within the fd20::/20. Operation will fail if the speficied /48 is already in used by another resource. If the field is not speficied, then a /48 range will be randomly allocated from fd20::/20 and returned via this field..
mtu?numberMaximum Transmission Unit in bytes. The minimum value for this field is 1300 and the maximum value is 8896. The suggested value is 1500, which is the default MTU used on the Internet, or 8896 if you want to use Jumbo frames. If unspecified, the value defaults to 1460.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
networkFirewallPolicyEnforcementOrder?enumThe network firewall policy enforcement order. Can be either AFTER_CLASSIC_FIREWALL or BEFORE_CLASSIC_FIREWALL. Defaults to AFTER_CLASSIC_FIREWALL if the field is not specified.
networkProfile?stringA full or partial URL of the network profile to apply to this network. This field can be set only at resource creation time. For example, the following are valid URLs: - https://www.googleapis.com/compute/{api_version}/projects/{project_id}/global/networkProfiles/{network_profile_name} - projects/{project_id}/global/networkProfiles/{network_profile_name}
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid.
routingConfig?objectEnable comparison of Multi-Exit Discriminators (MED) across routes with different neighbor ASNs when using the STANDARD BGP best path selection algorithm.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a networks
getGet a networks
ArgumentTypeDescription
identifierstringThe name of the networks
updateUpdate networks attributes
deleteDelete the networks
ArgumentTypeDescription
identifierstringThe name of the networks
syncSync networks state from GCP
add_peeringadd peering
ArgumentTypeDescription
autoCreateRoutes?any
name?any
networkPeering?any
peerNetwork?any
get_effective_firewallsget effective firewalls
list_peering_routeslist peering routes
request_remove_peeringrequest remove peering
ArgumentTypeDescription
name?any
switch_to_custom_modeswitch to custom mode
update_peeringupdate peering
ArgumentTypeDescription
networkPeering?any
regionhealthchecks.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
checkIntervalSec?numberHow often (in seconds) to send a health check. The default value is 5 seconds.
description?stringAn optional description of this resource. Provide this property when you create the resource.
grpcHealthCheck?objectThe gRPC service name for the health check. This field is optional. The value of grpc_service_name has the following meanings by convention: - Empty service_name means the overall status of all services at the backend. - Non-empty service_name means the health of that gRPC service, as defined by the owner of the service. The grpc_service_name can only be ASCII.
grpcTlsHealthCheck?objectThe gRPC service name for the health check. This field is optional. The value of grpc_service_name has the following meanings by convention: - Empty service_name means the overall status of all services at the backend. - Non-empty service_name means the health of that gRPC service, as defined by the owner of the service. The grpc_service_name can only be ASCII.
healthyThreshold?numberA so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2.
http2HealthCheck?objectThe value of the host header in the HTTP/2 health check request. If left empty (default value), the host header is set to the destination IP address to which health check packets are sent. The destination IP address depends on the type of load balancer. For details, see: https://cloud.google.com/load-balancing/docs/health-check-concepts#hc-packet-dest
httpHealthCheck?objectThe value of the host header in the HTTP health check request. If left empty (default value), the host header is set to the destination IP address to which health check packets are sent. The destination IP address depends on the type of load balancer. For details, see: https://cloud.google.com/load-balancing/docs/health-check-concepts#hc-packet-dest
httpsHealthCheck?objectThe value of the host header in the HTTPS health check request. If left empty (default value), the host header is set to the destination IP address to which health check packets are sent. The destination IP address depends on the type of load balancer. For details, see: https://cloud.google.com/load-balancing/docs/health-check-concepts#hc-packet-dest
logConfig?objectIndicates whether or not to export logs. This is false by default, which means no health check logging will be done.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. For example, a name that is 1-63 characters long, matches the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, and otherwise complies with RFC1035. This regular expression describes a name where the first character is a lowercase letter, and all following characters are a dash, lowercase letter, or digit, except the last character, which isn't a dash.
region?stringOutput only. [Output Only] Region where the health check resides. Not applicable to global health checks.
sourceRegions?arrayThe list of cloud regions from which health checks are performed. If any regions are specified, then exactly 3 regions should be specified. The region names must be valid names of Google Cloud regions. This can only be set for global health check. If this list is non-empty, then there are restrictions on what other health check fields are supported and what other resources can use this health check: - SSL, HTTP2, and GRPC protocols are not supported. - The TCP request field is not supported. - The proxyHeader field for HTTP, HTTPS, and TCP is not supported. - The checkIntervalSec field must be at least 30. - The health check cannot be used with BackendService nor with managed instance group auto-healing.
sslHealthCheck?objectThe TCP port number to which the health check prober sends packets. The default value is 443. Valid values are 1 through65535.
tcpHealthCheck?objectThe TCP port number to which the health check prober sends packets. The default value is 80. Valid values are 1 through65535.
timeoutSec?numberHow long (in seconds) to wait before claiming failure. The default value is 5 seconds. It is invalid for timeoutSec to have greater value than checkIntervalSec.
type?enumSpecifies the type of the healthCheck, either TCP,SSL, HTTP, HTTPS,HTTP2 or GRPC. Exactly one of the protocol-specific health check fields must be specified, which must matchtype field.
unhealthyThreshold?numberA so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionHealthChecks
getGet a regionHealthChecks
ArgumentTypeDescription
identifierstringThe name of the regionHealthChecks
updateUpdate regionHealthChecks attributes
deleteDelete the regionHealthChecks
ArgumentTypeDescription
identifierstringThe name of the regionHealthChecks
syncSync regionHealthChecks state from GCP
regionsecuritypolicies.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
adaptiveProtectionConfig?objectIf set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
advancedOptionsConfig?objectA list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type:= type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.
associations?arrayThe resource that the security policy is attached to.
ddosProtectionConfig?object
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringSpecifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy.
labelFingerprint?stringA fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
recaptchaOptionsConfig?objectAn optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
region?stringOutput only. [Output Only] URL of the region where the regional security policy resides. This field is not applicable to global security policies.
rules?arrayThe Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for `STATUS` are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. - fairshare (preview only): when traffic reaches the threshold limit, requests from the clients matching this rule begin to be rate-limited using the Fair Share algorithm. This action is only allowed in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`.
shortName?stringUser-provided name of the organization security policy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is CLOUD_ARMOR. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
type?enumThe type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE (preview only): Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. - CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time.
userDefinedFields?arrayThe base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionSecurityPolicies
getGet a regionSecurityPolicies
ArgumentTypeDescription
identifierstringThe name of the regionSecurityPolicies
updateUpdate regionSecurityPolicies attributes
deleteDelete the regionSecurityPolicies
ArgumentTypeDescription
identifierstringThe name of the regionSecurityPolicies
syncSync regionSecurityPolicies state from GCP
add_ruleadd rule
ArgumentTypeDescription
action?any
description?any
headerAction?any
kind?any
match?any
networkMatch?any
preconfiguredWafConfig?any
preview?any
priority?any
rateLimitOptions?any
redirectOptions?any
get_ruleget rule
patch_rulepatch rule
ArgumentTypeDescription
action?any
description?any
headerAction?any
kind?any
match?any
networkMatch?any
preconfiguredWafConfig?any
preview?any
priority?any
rateLimitOptions?any
redirectOptions?any
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
targetvpngateways.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
labelFingerprint?stringA fingerprint for the labels being applied to this TargetVpnGateway, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a TargetVpnGateway.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
networkstringURL of the network to which this VPN gateway is attached. Provided by the client when the VPN gateway is created.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid. * Inconsistent format is not supported. For instance: {"tagKeys/333": "tagValues/444", "123/env": "prod"} is invalid.
region?string[Output Only] URL of the region where the target VPN gateway resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a targetVpnGateways
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a targetVpnGateways
ArgumentTypeDescription
identifierstringThe name of the targetVpnGateways
deleteDelete the targetVpnGateways
ArgumentTypeDescription
identifierstringThe name of the targetVpnGateways
syncSync targetVpnGateways state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
futurereservations.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
aggregateReservation?objectNumber of accelerators of specified type.
autoCreatedReservationsDeleteTime?stringFuture timestamp when the FR auto-created reservations will be deleted by Compute Engine. Format of this field must be a valid href="https://www.ietf.org/rfc/rfc3339.txt">RFC3339 value.
autoCreatedReservationsDuration?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
autoDeleteAutoCreatedReservations?booleanSetting for enabling or disabling automatic deletion for auto-created reservation. If set to true, auto-created reservations will be deleted at Future Reservation's end time (default) or at user's defined timestamp if any of the [auto_created_reservations_delete_time, auto_created_reservations_duration] values is specified. For keeping auto-created reservation indefinitely, this value should be set to false.
commitmentInfo?objectname of the commitment where capacity is being delivered to.
deploymentType?enumType of the deployment requested as part of future reservation.
description?stringAn optional description of this resource. Provide this property when you create the future reservation.
enableEmergentMaintenance?booleanIndicates if this group of VMs have emergent maintenance enabled.
name?stringThe name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
namePrefix?stringName prefix for the reservations to be created at the time of delivery. The name prefix must comply with RFC1035. Maximum allowed length for name prefix is 20. Automatically created reservations name format will be -date-####.
planningStatus?enumPlanning state before being submitted for evaluation
reservationMode?enumThe reservation mode which determines reservation-termination behavior and expected pricing.
reservationName?stringName of reservations where the capacity is provisioned at the time of delivery of future reservations. If the reservation with the given name does not exist already, it is created automatically at the time of Approval with INACTIVE state till specified start-time. Either provide the reservation_name or a name_prefix.
schedulingType?enumMaintenance information for this reservation
shareSettings?objectThe project ID, should be same as the key of this project config in the parent map.
specificReservationRequired?booleanIndicates whether the auto-created reservation can be consumed by VMs with affinity for "any" reservation. If the field is set, then only VMs that target the reservation by name can consume from the delivered reservation.
specificSkuProperties?objectThe number of the guest accelerator cards exposed to this instance.
timeWindow?objectSpan of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
zone?stringOutput only. [Output Only] URL of the Zone where this future reservation resides.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a futureReservations
getGet a futureReservations
ArgumentTypeDescription
identifierstringThe name of the futureReservations
updateUpdate futureReservations attributes
deleteDelete the futureReservations
ArgumentTypeDescription
identifierstringThe name of the futureReservations
syncSync futureReservations state from GCP
cancelcancel
globalnetworkendpointgroups.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
annotations?recordOptional. Metadata defined as annotations on the network endpoint group.
appEngine?objectOptional serving service. The service name is case-sensitive and must be 1-63 characters long. Example value: default, my-service.
cloudFunction?objectA user-defined name of the Cloud Function. The function name is case-sensitive and must be 1-63 characters long. Example value: func1.
cloudRun?objectCloud Run service is the main resource of Cloud Run. The service must be 1-63 characters long, and comply withRFC1035. Example value: "run-service".
defaultPort?numberThe default port used if the port number is not specified in the network endpoint. Optional. If the network endpoint type is either GCE_VM_IP,SERVERLESS or PRIVATE_SERVICE_CONNECT, this field must not be specified.
description?stringAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
network?stringThe URL of the network to which all network endpoints in the NEG belong. Uses default project network if unspecified.
networkEndpointType?enumType of network endpoints in this network endpoint group. Can be one ofGCE_VM_IP, GCE_VM_IP_PORT,NON_GCP_PRIVATE_IP_PORT, INTERNET_FQDN_PORT,INTERNET_IP_PORT, SERVERLESS,PRIVATE_SERVICE_CONNECT, GCE_VM_IP_PORTMAP.
pscData?objectOutput only. [Output Only] Address allocated from given subnetwork for PSC. This IP address acts as a VIP for a PSC NEG, allowing it to act as an endpoint in L7 PSC-XLB.
pscTargetService?stringThe target service url used to set up private service connection to a Google API or a PSC Producer Service Attachment. An example value is: asia-northeast3-cloudkms.googleapis.com. Optional. Only valid when networkEndpointType isPRIVATE_SERVICE_CONNECT.
subnetwork?stringOptional URL of the subnetwork to which all network endpoints in the NEG belong.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a globalNetworkEndpointGroups
getGet a globalNetworkEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the globalNetworkEndpointGroups
deleteDelete the globalNetworkEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the globalNetworkEndpointGroups
syncSync globalNetworkEndpointGroups state from GCP
attach_network_endpointsattach network endpoints
ArgumentTypeDescription
networkEndpoints?any
detach_network_endpointsdetach network endpoints
ArgumentTypeDescription
networkEndpoints?any
list_network_endpointslist network endpoints
regiondisktypes.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a regionDiskTypes
ArgumentTypeDescription
identifierstringThe name of the regionDiskTypes
syncSync regionDiskTypes state from GCP
targetgrpcproxies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a TargetGrpcProxy. An up-to-date fingerprint must be provided in order to patch/update the TargetGrpcProxy; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the TargetGrpcProxy.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
urlMap?stringURL to the UrlMap resource that defines the mapping from URL to the BackendService. The protocol field in the BackendService must be set to GRPC.
validateForProxyless?booleanIf true, indicates that the BackendServices referenced by the urlMap may be accessed by gRPC applications without using a sidecar proxy. This will enable configuration checks on urlMap and its referenced BackendServices to not allow unsupported features. A gRPC application must use "xds:///" scheme in the target URI of the service it is connecting to. If false, indicates that the BackendServices referenced by the urlMap will be accessed by gRPC applications via a sidecar proxy. In this case, a gRPC application must not use "xds:///" scheme in the target URI of the service it is connecting to
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a targetGrpcProxies
getGet a targetGrpcProxies
ArgumentTypeDescription
identifierstringThe name of the targetGrpcProxies
updateUpdate targetGrpcProxies attributes
deleteDelete the targetGrpcProxies
ArgumentTypeDescription
identifierstringThe name of the targetGrpcProxies
syncSync targetGrpcProxies state from GCP
interconnectattachmentgroups.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
attachments?recordAttachments in the AttachmentGroup. Keys are arbitrary user-specified strings. Users are encouraged, but not required, to use their preferred format for resource links as keys. Note that there are add-members and remove-members methods in gcloud. The size of this map is limited by an "Attachments per group" quota.
description?stringAn optional description of this resource. Provide this property when you create the resource.
intent?objectThe user's intent for this AttachmentGroup. This is the only required field besides the name that must be specified on group creation.
interconnectGroup?stringThe URL of an InterconnectGroup that groups these Attachments' Interconnects. Customers do not need to set this unless directed by Google Support.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). end_interface: MixerMutationRequestBuilder
createCreate a interconnectAttachmentGroups
getGet a interconnectAttachmentGroups
ArgumentTypeDescription
identifierstringThe name of the interconnectAttachmentGroups
updateUpdate interconnectAttachmentGroups attributes
deleteDelete the interconnectAttachmentGroups
ArgumentTypeDescription
identifierstringThe name of the interconnectAttachmentGroups
syncSync interconnectAttachmentGroups state from GCP
get_operational_statusget operational status
imagefamilyviews.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a imageFamilyViews
ArgumentTypeDescription
identifierstringThe name of the imageFamilyViews
syncSync imageFamilyViews state from GCP
regioninstancetemplates.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
properties?objectWhether to enable nested virtualization or not (default is false).
region?stringOutput only. [Output Only] URL of the region where the instance template resides. Only applicable for regional resources.
sourceInstance?stringThe source instance used to create the template. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/instances/instance - projects/project/zones/zone/instances/instance
sourceInstanceParams?objectSpecifies whether the disk will be auto-deleted when the instance is deleted (but not when the disk is detached from the instance).
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionInstanceTemplates
getGet a regionInstanceTemplates
ArgumentTypeDescription
identifierstringThe name of the regionInstanceTemplates
deleteDelete the regionInstanceTemplates
ArgumentTypeDescription
identifierstringThe name of the regionInstanceTemplates
syncSync regionInstanceTemplates state from GCP
resourcepolicies.tsv2026.04.04.1

Global Arguments

ArgumentTypeDescription
description?string
diskConsistencyGroupPolicy?objectResource policy for disk consistency groups.
groupPlacementPolicy?objectSpecifies the connection mode for the accelerator topology. If not specified, the default is AUTO_CONNECT.
instanceSchedulePolicy?objectThe expiration time of the schedule. The timestamp is an RFC3339 string.
name?stringThe name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
region?string
snapshotSchedulePolicy?objectMaximum age of the snapshot that is allowed to be kept.
workloadPolicy?objectSpecifies the topology required to create a partition for VMs that have interconnected GPUs.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a resourcePolicies
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a resourcePolicies
ArgumentTypeDescription
identifierstringThe name of the resourcePolicies
updateUpdate resourcePolicies attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the resourcePolicies
ArgumentTypeDescription
identifierstringThe name of the resourcePolicies
syncSync resourcePolicies state from GCP
addresses.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
address?stringThe static IP address represented by this resource.
addressType?enumThe type of address to reserve, either INTERNAL orEXTERNAL. If unspecified, defaults to EXTERNAL.
description?stringAn optional description of this resource. Provide this field when you create the resource.
ipCollection?stringReference to the source of external IPv4 addresses, like a PublicDelegatedPrefix (PDP) for BYOIP. The PDP must support enhanced IPv4 allocations. Use one of the following formats to specify a PDP when reserving an external IPv4 address using BYOIP. - Full resource URL, as inhttps://www.googleapis.com/compute/v1/projects/projectId/regions/region/publicDelegatedPrefixes/pdp-name - Partial URL, as in - projects/projectId/regions/region/publicDelegatedPrefixes/pdp-name - regions/region/publicDelegatedPrefixes/pdp-name
ipVersion?enumThe IP version that will be used by this address. Valid options areIPV4 or IPV6.
ipv6EndpointType?enumThe endpoint type of this address, which should be VM or NETLB. This is used for deciding which type of endpoint this address can be used after the external IPv6 address reservation.
labelFingerprint?stringA fingerprint for the labels being applied to this Address, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an Address.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
network?stringThe URL of the network in which to reserve the address. This field can only be used with INTERNAL type with theVPC_PEERING purpose.
networkTier?enumThis signifies the networking tier used for configuring this address and can only take the following values: PREMIUM orSTANDARD. Internal IP addresses are always Premium Tier; global external IP addresses are always Premium Tier; regional external IP addresses can be either Standard or Premium Tier. If this field is not specified, it is assumed to be PREMIUM.
prefixLength?numberThe prefix length if the resource represents an IP range.
purpose?enumThe purpose of this resource, which can be one of the following values: - GCE_ENDPOINT for addresses that are used by VM instances, alias IP ranges, load balancers, and similar resources. - DNS_RESOLVER for a DNS resolver address in a subnetwork for a Cloud DNS inbound forwarder IP addresses (regional internal IP address in a subnet of a VPC network) - VPC_PEERING for global internal IP addresses used for private services access allocated ranges. - NAT_AUTO for the regional external IP addresses used by Cloud NAT when allocating addresses using automatic NAT IP address allocation. - IPSEC_INTERCONNECT for addresses created from a private IP range that are reserved for a VLAN attachment in an *HA VPN over Cloud Interconnect* configuration. These addresses are regional resources. - `SHARED_LOADBALANCER_VIP` for an internal IP address that is assigned to multiple internal forwarding rules. - `PRIVATE_SERVICE_CONNECT` for a private network address that is used to configure Private Service Connect. Only global internal addresses can use this purpose.
region?stringOutput only. [Output Only] The URL of the region where a regional address resides. For regional addresses, you must specify the region as a path parameter in the HTTP request URL. *This field is not applicable to global addresses.*
subnetwork?stringThe URL of the subnetwork in which to reserve the address. If an IP address is specified, it must be within the subnetwork's IP range. This field can only be used with INTERNAL type with aGCE_ENDPOINT or DNS_RESOLVER purpose.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a addresses
getGet a addresses
ArgumentTypeDescription
identifierstringThe name of the addresses
deleteDelete the addresses
ArgumentTypeDescription
identifierstringThe name of the addresses
syncSync addresses state from GCP
movemove
ArgumentTypeDescription
description?any
destinationAddress?any
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
networkedgesecurityservices.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a NetworkEdgeSecurityService. An up-to-date fingerprint must be provided in order to update the NetworkEdgeSecurityService, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a NetworkEdgeSecurityService.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
region?stringOutput only. [Output Only] URL of the region where the resource resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
securityPolicy?stringThe resource URL for the network edge security service associated with this network edge security service.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a networkEdgeSecurityServices
getGet a networkEdgeSecurityServices
ArgumentTypeDescription
identifierstringThe name of the networkEdgeSecurityServices
updateUpdate networkEdgeSecurityServices attributes
deleteDelete the networkEdgeSecurityServices
ArgumentTypeDescription
identifierstringThe name of the networkEdgeSecurityServices
syncSync networkEdgeSecurityServices state from GCP
regioncompositehealthchecks.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
fingerprint?stringFingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a CompositeHealthCheck. An up-to-date fingerprint must be provided in order to patch the CompositeHealthCheck; Otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the CompositeHealthCheck.
healthDestination?stringURL to the destination resource. Must be set. Must be aForwardingRule. The ForwardingRule must have load balancing scheme INTERNAL orINTERNAL_MANAGED and must be regional and in the same region as the CompositeHealthCheck (cross-region deployment forINTERNAL_MANAGED is not supported). Can be mutated.
healthSources?arrayURLs to the HealthSource resources whose results are AND'ed. I.e. he aggregated result is is HEALTHY only if all sources are HEALTHY. Must have at least 1. Must not have more than 10. Must be regional and in the same region as theCompositeHealthCheck. Can be mutated.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
region?stringOutput only. [Output Only] URL of the region where the composite health check resides. This field applies only to the regional resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a regionCompositeHealthChecks
getGet a regionCompositeHealthChecks
ArgumentTypeDescription
identifierstringThe name of the regionCompositeHealthChecks
updateUpdate regionCompositeHealthChecks attributes
deleteDelete the regionCompositeHealthChecks
ArgumentTypeDescription
identifierstringThe name of the regionCompositeHealthChecks
syncSync regionCompositeHealthChecks state from GCP
targetsslproxies.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
certificateMap?stringURL of a certificate map that identifies a certificate map associated with the given target proxy. This field can only be set for global target proxies. If set, sslCertificates will be ignored. Accepted format is//certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificateMaps/{resourceName}.
description?stringAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
proxyHeader?enumSpecifies the type of proxy header to append before sending data to the backend, either NONE or PROXY_V1. The default is NONE.
service?stringURL to the BackendService resource.
sslCertificates?arrayURLs to SslCertificate resources that are used to authenticate connections to Backends. At least one SSL certificate must be specified. Currently, you may specify up to 15 SSL certificates. sslCertificates do not apply when the load balancing scheme is set to INTERNAL_SELF_MANAGED.
sslPolicy?stringURL of SslPolicy resource that will be associated with the TargetSslProxy resource. If not set, the TargetSslProxy resource will not have any SSL policy configured.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a targetSslProxies
getGet a targetSslProxies
ArgumentTypeDescription
identifierstringThe name of the targetSslProxies
deleteDelete the targetSslProxies
ArgumentTypeDescription
identifierstringThe name of the targetSslProxies
syncSync targetSslProxies state from GCP
set_backend_serviceset backend service
ArgumentTypeDescription
service?any
set_certificate_mapset certificate map
ArgumentTypeDescription
certificateMap?any
set_proxy_headerset proxy header
ArgumentTypeDescription
proxyHeader?any
set_ssl_certificatesset ssl certificates
ArgumentTypeDescription
sslCertificates?any
set_ssl_policyset ssl policy
ArgumentTypeDescription
sslPolicy?any
vpntunnels.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
cipherSuite?object
description?stringAn optional description of this resource. Provide this property when you create the resource.
ikeVersion?numberIKE protocol version to use when establishing the VPN tunnel with the peer VPN gateway. Acceptable IKE versions are 1 or 2. The default version is 2.
labelFingerprint?stringA fingerprint for the labels being applied to this VpnTunnel, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a VpnTunnel.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid. * Inconsistent format is not supported. For instance: {"tagKeys/333": "tagValues/444", "123/env": "prod"} is invalid.
peerExternalGateway?stringURL of the peer side external VPN gateway to which this VPN tunnel is connected. Provided by the client when the VPN tunnel is created. This field is exclusive with the field peerGcpGateway.
peerExternalGatewayInterface?numberThe interface ID of the external VPN gateway to which this VPN tunnel is connected. Provided by the client when the VPN tunnel is created. Possible values are: `0`, `1`, `2`, `3`. The number of IDs in use depends on the external VPN gateway redundancy type.
peerGcpGateway?stringURL of the peer side HA VPN gateway to which this VPN tunnel is connected. Provided by the client when the VPN tunnel is created. This field can be used when creating highly available VPN from VPC network to VPC network, the field is exclusive with the field peerExternalGateway. If provided, the VPN tunnel will automatically use the same vpnGatewayInterface ID in the peer Google Cloud VPN gateway.
peerIp?stringIP address of the peer VPN gateway. Only IPv4 is supported. This field can be set only for Classic VPN tunnels.
region?string[Output Only] URL of the region where the VPN tunnel resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
router?stringURL of the router resource to be used for dynamic routing.
sharedSecret?stringShared secret used to set the secure session between the Cloud VPN gateway and the peer VPN gateway.
sharedSecretHash?stringHash of the shared secret.
targetVpnGateway?stringURL of the Target VPN gateway with which this VPN tunnel is associated. Provided by the client when the VPN tunnel is created. This field can be set only for Classic VPN tunnels.
vpnGateway?stringURL of the VPN gateway with which this VPN tunnel is associated. Provided by the client when the VPN tunnel is created. This must be used (instead of target_vpn_gateway) if a High Availability VPN gateway resource is created.
vpnGatewayInterface?numberThe interface ID of the VPN gateway with which this VPN tunnel is associated. Possible values are: `0`, `1`.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a vpnTunnels
getGet a vpnTunnels
ArgumentTypeDescription
identifierstringThe name of the vpnTunnels
deleteDelete the vpnTunnels
ArgumentTypeDescription
identifierstringThe name of the vpnTunnels
syncSync vpnTunnels state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
disks.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
accessMode?enumThe access mode of the disk. - READ_WRITE_SINGLE: The default AccessMode, means the disk can be attached to single instance in RW mode. - READ_WRITE_MANY: The AccessMode means the disk can be attached to multiple instances in RW mode. - READ_ONLY_MANY: The AccessMode means the disk can be attached to multiple instances in RO mode. The AccessMode is only valid for Hyperdisk disk types.
architecture?enumThe architecture of the disk. Valid values are ARM64 or X86_64.
asyncPrimaryDisk?objectOutput only. [Output Only] URL of the DiskConsistencyGroupPolicy if replication was started on the disk as a member of a group.
description?stringAn optional description of this resource. Provide this property when you create the resource.
diskEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
enableConfidentialCompute?booleanWhether this disk is using confidential compute mode.
guestOsFeatures?arrayThe ID of a supported feature. To add multiple values, use commas to separate values. Set to one or more of the following values: - VIRTIO_SCSI_MULTIQUEUE - WINDOWS - MULTI_IP_SUBNET - UEFI_COMPATIBLE - GVNIC - SEV_CAPABLE - SUSPEND_RESUME_COMPATIBLE - SEV_LIVE_MIGRATABLE_V2 - SEV_SNP_CAPABLE - TDX_CAPABLE - IDPF - SNP_SVSM_CAPABLE For more information, see Enabling guest operating system features.
labelFingerprint?stringA fingerprint for the labels being applied to this disk, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a disk.
labels?recordLabels to apply to this disk. These can be later modified by the setLabels method.
licenseCodes?arrayInteger license codes indicating which licenses are attached to this disk.
licenses?arrayA list of publicly visible licenses. Reserved for Google's use.
locationHint?stringAn opaque location hint used to place the disk close to other resources. This field is for use by internal tools that use the public API.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
options?stringInternal use only.
params?objectInput only. Resource manager tags to be bound to the disk. Tag keys and values have the same definition as resource manager tags. Keys and values can be either in numeric format, such as `tagKeys/{tag_key_id}` and `tagValues/456` or in namespaced format such as `{org_id|project_id}/{tag_key_short_name}` and `{tag_value_short_name}`. The field is ignored (both PUT & PATCH) when empty.
physicalBlockSizeBytes?stringPhysical block size of the persistent disk, in bytes. If not present in a request, a default value is used. The currently supported size is 4096, other sizes may be added in the future. If an unsupported value is requested, the error message will list the supported values for the caller's project.
provisionedIops?stringIndicates how many IOPS to provision for the disk. This sets the number of I/O operations per second that the disk can handle. Values must be between 10,000 and 120,000. For more details, see theExtreme persistent disk documentation.
provisionedThroughput?stringIndicates how much throughput to provision for the disk. This sets the number of throughput mb per second that the disk can handle. Values must be greater than or equal to 1.
replicaZones?arrayURLs of the zones where the disk should be replicated to. Only applicable for regional resources.
resourcePolicies?arrayResource policies applied to this disk for automatic snapshot creations.
resourceStatus?objectKey: disk, value: AsyncReplicationStatus message
sizeGb?stringSize, in GB, of the persistent disk. You can specify this field when creating a persistent disk using thesourceImage, sourceSnapshot, orsourceDisk parameter, or specify it alone to create an empty persistent disk. If you specify this field along with a source, the value ofsizeGb must not be less than the size of the source. Acceptable values are greater than 0.
sourceDisk?stringThe source disk used to create this disk. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/disks/disk - https://www.googleapis.com/compute/v1/projects/project/regions/region/disks/disk - projects/project/zones/zone/disks/disk - projects/project/regions/region/disks/disk - zones/zone/disks/disk - regions/region/disks/disk
sourceImage?stringThe source image used to create this disk. If the source image is deleted, this field will not be set. To create a disk with one of the public operating system images, specify the image by its family name. For example, specifyfamily/debian-9 to use the latest Debian 9 image: projects/debian-cloud/global/images/family/debian-9 Alternatively, use a specific version of a public operating system image: projects/debian-cloud/global/images/debian-9-stretch-vYYYYMMDD To create a disk with a custom image that you created, specify the image name in the following format: global/images/my-custom-image You can also specify a custom image by its image family, which returns the latest version of the image in that family. Replace the image name with family/family-name: global/images/family/my-image-family
sourceImageEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceInstantSnapshot?stringThe source instant snapshot used to create this disk. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/instantSnapshots/instantSnapshot - projects/project/zones/zone/instantSnapshots/instantSnapshot - zones/zone/instantSnapshots/instantSnapshot
sourceSnapshot?stringThe source snapshot used to create this disk. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/global/snapshots/snapshot - projects/project/global/snapshots/snapshot - global/snapshots/snapshot
sourceSnapshotEncryptionKey?objectThe name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1
sourceStorageObject?stringThe full Google Cloud Storage URI where the disk image is stored. This file must be a gzip-compressed tarball whose name ends in.tar.gz or virtual machine disk whose name ends in vmdk. Valid URIs may start with gs:// or https://storage.googleapis.com/. This flag is not optimized for creating multiple disks from a source storage object. To create many disks from a source storage object, use gcloud compute images import instead.
storagePool?stringThe storage pool in which the new disk is created. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone/storagePools/storagePool - projects/project/zones/zone/storagePools/storagePool - zones/zone/storagePools/storagePool
type?stringURL of the disk type resource describing which disk type to use to create the disk. Provide this when creating the disk. For example:projects/project/zones/zone/diskTypes/pd-ssd. See Persistent disk types.
zone?stringOutput only. [Output Only] URL of the zone where the disk resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a disks
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
getGet a disks
ArgumentTypeDescription
identifierstringThe name of the disks
updateUpdate disks attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the disks
ArgumentTypeDescription
identifierstringThe name of the disks
syncSync disks state from GCP
add_resource_policiesadd resource policies
ArgumentTypeDescription
resourcePolicies?any
bulk_insertbulk insert
ArgumentTypeDescription
sourceConsistencyGroupPolicy?any
bulk_set_labelsbulk set labels
ArgumentTypeDescription
requests?any
create_snapshotcreate snapshot
ArgumentTypeDescription
architecture?any
autoCreated?any
chainName?any
creationSizeBytes?any
creationTimestamp?any
description?any
diskSizeGb?any
downloadBytes?any
enableConfidentialCompute?any
guestFlush?any
guestOsFeatures?any
id?any
kind?any
labelFingerprint?any
labels?any
licenseCodes?any
licenses?any
locationHint?any
name?any
params?any
satisfiesPzi?any
satisfiesPzs?any
selfLink?any
snapshotEncryptionKey?any
snapshotType?any
sourceDisk?any
sourceDiskEncryptionKey?any
sourceDiskForRecoveryCheckpoint?any
sourceDiskId?any
sourceInstantSnapshot?any
sourceInstantSnapshotEncryptionKey?any
sourceInstantSnapshotId?any
sourceSnapshotSchedulePolicy?any
sourceSnapshotSchedulePolicyId?any
status?any
storageBytes?any
storageBytesStatus?any
storageLocations?any
resizeresize
ArgumentTypeDescription
sizeGb?any
set_labelsset labels
ArgumentTypeDescription
requests?any
start_async_replicationstart async replication
ArgumentTypeDescription
asyncSecondaryDisk?any
stop_async_replicationstop async replication
stop_group_async_replicationstop group async replication
ArgumentTypeDescription
resourcePolicy?any
networkendpointgroups.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
annotations?recordOptional. Metadata defined as annotations on the network endpoint group.
appEngine?objectOptional serving service. The service name is case-sensitive and must be 1-63 characters long. Example value: default, my-service.
cloudFunction?objectA user-defined name of the Cloud Function. The function name is case-sensitive and must be 1-63 characters long. Example value: func1.
cloudRun?objectCloud Run service is the main resource of Cloud Run. The service must be 1-63 characters long, and comply withRFC1035. Example value: "run-service".
defaultPort?numberThe default port used if the port number is not specified in the network endpoint. Optional. If the network endpoint type is either GCE_VM_IP,SERVERLESS or PRIVATE_SERVICE_CONNECT, this field must not be specified.
description?stringAn optional description of this resource. Provide this property when you create the resource.
name?stringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
network?stringThe URL of the network to which all network endpoints in the NEG belong. Uses default project network if unspecified.
networkEndpointType?enumType of network endpoints in this network endpoint group. Can be one ofGCE_VM_IP, GCE_VM_IP_PORT,NON_GCP_PRIVATE_IP_PORT, INTERNET_FQDN_PORT,INTERNET_IP_PORT, SERVERLESS,PRIVATE_SERVICE_CONNECT, GCE_VM_IP_PORTMAP.
pscData?objectOutput only. [Output Only] Address allocated from given subnetwork for PSC. This IP address acts as a VIP for a PSC NEG, allowing it to act as an endpoint in L7 PSC-XLB.
pscTargetService?stringThe target service url used to set up private service connection to a Google API or a PSC Producer Service Attachment. An example value is: asia-northeast3-cloudkms.googleapis.com. Optional. Only valid when networkEndpointType isPRIVATE_SERVICE_CONNECT.
subnetwork?stringOptional URL of the subnetwork to which all network endpoints in the NEG belong.
zone?stringOutput only. [Output Only] The URL of thezone where the network endpoint group is located.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a networkEndpointGroups
getGet a networkEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the networkEndpointGroups
deleteDelete the networkEndpointGroups
ArgumentTypeDescription
identifierstringThe name of the networkEndpointGroups
syncSync networkEndpointGroups state from GCP
attach_network_endpointsattach network endpoints
ArgumentTypeDescription
networkEndpoints?any
detach_network_endpointsdetach network endpoints
ArgumentTypeDescription
networkEndpoints?any
list_network_endpointslist network endpoints
ArgumentTypeDescription
healthStatus?any
externalvpngateways.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
description?stringAn optional description of this resource. Provide this property when you create the resource.
interfaces?arrayThe numeric ID of this interface. The allowed input values for this id for different redundancy types of external VPN gateway: - SINGLE_IP_INTERNALLY_REDUNDANT - 0 - TWO_IPS_REDUNDANCY - 0, 1 - FOUR_IPS_REDUNDANCY - 0, 1, 2, 3
labelFingerprint?stringA fingerprint for the labels being applied to this ExternalVpnGateway, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an ExternalVpnGateway.
labels?recordLabels for this resource. These can only be added or modified by thesetLabels method. Each label key/value pair must comply withRFC1035. Label values may be empty.
namestringName of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
params?objectTag keys/values directly bound to this resource. Tag keys and values have the same definition as resource manager tags. The field is allowed for INSERT only. The keys/values to set on the resource should be specified in either ID {: } or Namespaced format {: }. For example the following are valid inputs: * {"tagKeys/333": "tagValues/444", "tagKeys/123": "tagValues/456"} * {"123/environment": "production", "345/abc": "xyz"} Note: * Invalid combinations of ID & namespaced format is not supported. For instance: {"123/environment": "tagValues/444"} is invalid. * Inconsistent format is not supported. For instance: {"tagKeys/333": "tagValues/444", "123/env": "prod"} is invalid.
redundancyType?enumIndicates the user-supplied redundancy type of this external VPN gateway.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a externalVpnGateways
getGet a externalVpnGateways
ArgumentTypeDescription
identifierstringThe name of the externalVpnGateways
deleteDelete the externalVpnGateways
ArgumentTypeDescription
identifierstringThe name of the externalVpnGateways
syncSync externalVpnGateways state from GCP
set_labelsset labels
ArgumentTypeDescription
labelFingerprint?any
labels?any
snapshotsettings.tsv2026.04.04.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
storageLocation?objectName of the location. It should be one of the Cloud Storage buckets. Only one location can be specified.
getGet a snapshotSettings
ArgumentTypeDescription
identifierstringThe name of the snapshotSettings
updateUpdate snapshotSettings attributes
syncSync snapshotSettings state from GCP
networkprofiles.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a networkProfiles
ArgumentTypeDescription
identifierstringThe name of the networkProfiles
syncSync networkProfiles state from GCP
packetmirrorings.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
collectorIlb?objectOutput only. [Output Only] Unique identifier for the forwarding rule; defined by the server.
description?stringAn optional description of this resource. Provide this property when you create the resource.
enable?enumIndicates whether or not this packet mirroring takes effect. If set to FALSE, this packet mirroring policy will not be enforced on the network. The default is TRUE.
filter?objectProtocols that apply as filter on mirrored traffic. If no protocols are specified, all traffic that matches the specified CIDR ranges is mirrored. If neither cidrRanges nor IPProtocols is specified, all IPv4 traffic is mirrored.
mirroredResources?objectOutput only. [Output Only] Unique identifier for the instance; defined by the server.
namestringName of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply withRFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
network?objectOutput only. [Output Only] Unique identifier for the network; defined by the server.
priority?numberThe priority of applying this configuration. Priority is used to break ties in cases where there is more than one matching rule. In the case of two rules that apply for a given Instance, the one with the lowest-numbered priority value wins. Default value is 1000. Valid range is 0 through 65535.
region?string[Output Only] URI of the region where the packetMirroring resides.
requestId?stringAn optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
createCreate a packetMirrorings
getGet a packetMirrorings
ArgumentTypeDescription
identifierstringThe name of the packetMirrorings
updateUpdate packetMirrorings attributes
deleteDelete the packetMirrorings
ArgumentTypeDescription
identifierstringThe name of the packetMirrorings
syncSync packetMirrorings state from GCP
regionzones.tsv2026.04.03.3

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a regionZones
ArgumentTypeDescription
identifierstringThe name of the regionZones
syncSync regionZones state from GCP