GS2-Guard Deploy/CDK Reference
The template format used when creating stacks with GS2-Deploy, and implementation examples of template output in various languages using CDK
Entities
Resources managed by the Deploy operation
Namespace
Namespace
A Namespace allows multiple independent instances of the same service within a single project by separating data spaces and usage contexts.
Each GS2 service is managed on a per-namespace basis. Even when using the same service, if the namespace differs, the data is treated as a completely independent data space.
Therefore, you must create a namespace before you can start using each service.
Request
Resource creation and update requests
| Type | Condition | Required | Default | Value Limits | Description | |
|---|---|---|---|---|---|---|
| name | string | ✓ |
~ 128 chars | Namespace name Namespace-specific name. Specified using alphanumeric characters, hyphens (-), underscores (_), and periods (.). |
||
| description | string | ~ 1024 chars | Description | |||
| blockingPolicy | BlockingPolicyModel | ✓ |
Blocking Policy The security policy configuration for this namespace that controls access to GS2 services. Defines which services are accessible, geo-restriction rules, anonymous IP detection, hosting provider IP detection, reputation-based IP filtering, and custom IP address allow/deny lists. |
GetAttr
Resource creation results that can be retrieved using the !GetAttr tag
| Type | Description | |
|---|---|---|
| Item | Namespace | Namespace created |
Implementation Example
Type: GS2::Guard::Namespace
Properties:
Name: namespace-0001
Description: null
BlockingPolicy:
PassServices:
- account
DefaultRestriction: Deny
LocationDetection: Disable
AnonymousIpDetection: Disable
HostingProviderIpDetection: Disable
ReputationIpDetection: Disable
IpAddressesDetection: Enable
IpAddresses:
- 192.168.0.0/24
IpAddressRestriction: Allowimport (
"github.com/gs2io/gs2-golang-cdk/core"
"github.com/gs2io/gs2-golang-cdk/guard"
)
SampleStack := core.NewStack()
guard.NewNamespace(
&SampleStack,
"namespace-0001",
guard.BlockingPolicyModel{
PassServices: []string{
"account",
},
DefaultRestriction: guard.BlockingPolicyModelDefaultRestrictionDeny,
LocationDetection: guard.BlockingPolicyModelLocationDetectionDisable,
AnonymousIpDetection: guard.BlockingPolicyModelAnonymousIpDetectionDisable,
HostingProviderIpDetection: guard.BlockingPolicyModelHostingProviderIpDetectionDisable,
ReputationIpDetection: guard.BlockingPolicyModelReputationIpDetectionDisable,
IpAddressesDetection: guard.BlockingPolicyModelIpAddressesDetectionEnable,
IpAddresses: []string{
"192.168.0.0/24",
},
IpAddressRestriction: guard.BlockingPolicyModelIpAddressRestrictionAllow.Pointer(),
},
guard.NamespaceOptions{},
)
println(SampleStack.Yaml()) // Generate Templateclass SampleStack extends \Gs2Cdk\Core\Model\Stack
{
function __construct() {
parent::__construct();
new \Gs2Cdk\Guard\Model\Namespace_(
stack: $this,
name: "namespace-0001",
blockingPolicy: new \Gs2Cdk\Guard\Model\BlockingPolicyModel(
passServices: [
"account",
],
defaultRestriction: \Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelDefaultRestriction::DENY,
locationDetection: \Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelLocationDetection::DISABLE,
anonymousIpDetection: \Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelAnonymousIpDetection::DISABLE,
hostingProviderIpDetection: \Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelHostingProviderIpDetection::DISABLE,
reputationIpDetection: \Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelReputationIpDetection::DISABLE,
ipAddressesDetection: \Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressesDetection::ENABLE,
options: new \Gs2Cdk\Guard\Model\Options\BlockingPolicyModelOptions(
ipAddresses: [
"192.168.0.0/24",
],
ipAddressRestriction: \Gs2Cdk\Guard\Model\Enums\BlockingPolicyModelIpAddressRestriction::ALLOW
)
)
);
}
}
print((new SampleStack())->yaml()); // Generate Templateclass SampleStack extends io.gs2.cdk.core.model.Stack
{
public SampleStack() {
super();
new io.gs2.cdk.guard.model.Namespace(
this,
"namespace-0001",
new io.gs2.cdk.guard.model.BlockingPolicyModel(
Arrays.asList(
"account"
),
io.gs2.cdk.guard.model.enums.BlockingPolicyModelDefaultRestriction.DENY,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelLocationDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelAnonymousIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelReputationIpDetection.DISABLE,
io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressesDetection.ENABLE,
new io.gs2.cdk.guard.model.options.BlockingPolicyModelOptions()
.withIpAddresses(
Arrays.asList(
"192.168.0.0/24"
)
)
.withIpAddressRestriction(
io.gs2.cdk.guard.model.enums.BlockingPolicyModelIpAddressRestriction.ALLOW
)
)
);
}
}
System.out.println(new SampleStack().yaml()); // Generate Templatepublic class SampleStack : Gs2Cdk.Core.Model.Stack
{
public SampleStack() {
new Gs2Cdk.Gs2Guard.Model.Namespace(
stack: this,
name: "namespace-0001",
blockingPolicy: new Gs2Cdk.Gs2Guard.Model.BlockingPolicyModel(
passServices: new string[]
{
"account"
},
defaultRestriction: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelDefaultRestriction.Deny,
locationDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelLocationDetection.Disable,
anonymousIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelAnonymousIpDetection.Disable,
hostingProviderIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelHostingProviderIpDetection.Disable,
reputationIpDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelReputationIpDetection.Disable,
ipAddressesDetection: Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressesDetection.Enable,
options: new Gs2Cdk.Gs2Guard.Model.Options.BlockingPolicyModelOptions
{
ipAddresses = new string[]
{
"192.168.0.0/24"
},
ipAddressRestriction = Gs2Cdk.Gs2Guard.Model.Enums.BlockingPolicyModelIpAddressRestriction.Allow
}
)
);
}
}
Debug.Log(new SampleStack().Yaml()); // Generate Templateimport core from "@/gs2cdk/core";
import guard from "@/gs2cdk/guard";
class SampleStack extends core.Stack
{
public constructor() {
super();
new guard.model.Namespace(
this,
"namespace-0001",
new guard.model.BlockingPolicyModel(
[
"account",
],
guard.model.BlockingPolicyModelDefaultRestriction.DENY,
guard.model.BlockingPolicyModelLocationDetection.DISABLE,
guard.model.BlockingPolicyModelAnonymousIpDetection.DISABLE,
guard.model.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
guard.model.BlockingPolicyModelReputationIpDetection.DISABLE,
guard.model.BlockingPolicyModelIpAddressesDetection.ENABLE,
{
ipAddresses:
[
"192.168.0.0/24",
],
ipAddressRestriction:
guard.model.BlockingPolicyModelIpAddressRestriction.ALLOW
}
)
);
}
}
console.log(new SampleStack().yaml()); // Generate Templatefrom gs2_cdk import Stack, core, guard
class SampleStack(Stack):
def __init__(self):
super().__init__()
guard.Namespace(
stack=self,
name='namespace-0001',
blocking_policy=guard.BlockingPolicyModel(
pass_services=[
'account',
],
default_restriction=guard.BlockingPolicyModelDefaultRestriction.DENY,
location_detection=guard.BlockingPolicyModelLocationDetection.DISABLE,
anonymous_ip_detection=guard.BlockingPolicyModelAnonymousIpDetection.DISABLE,
hosting_provider_ip_detection=guard.BlockingPolicyModelHostingProviderIpDetection.DISABLE,
reputation_ip_detection=guard.BlockingPolicyModelReputationIpDetection.DISABLE,
ip_addresses_detection=guard.BlockingPolicyModelIpAddressesDetection.ENABLE,
options=guard.BlockingPolicyModelOptions(
ip_addresses=[
'192.168.0.0/24',
],
ip_address_restriction=guard.BlockingPolicyModelIpAddressRestriction.ALLOW,
)
),
)
print(SampleStack().yaml()) # Generate TemplateBlockingPolicyModel
Blocking Policy
Defines the comprehensive access control rules for a GS2-Guard namespace. Combines multiple security layers including service-level access control, geo-restriction by country, anonymous IP detection (Tor/proxy), hosting provider IP detection (VPN/rental servers), IP reputation filtering, and custom IP address allow/deny lists.
| Type | Condition | Required | Default | Value Limits | Description | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| passServices | List<string> | ✓ |
1 ~ 100 items | List of Accessible GS2 Services The list of GS2 services that clients are allowed to access through this guard namespace. Only services included in this list will be protected by the blocking policy. At least one service must be specified. |
||||||||
| defaultRestriction | string (enum) enum { “Allow”, “Deny” } |
“Allow” | Default Restriction The default action applied to requests that do not match any of the configured detection rules. “Allow” permits all unmatched traffic (blocklist approach), while “Deny” blocks all unmatched traffic (allowlist approach).
|
|||||||||
| locationDetection | string (enum) enum { “Enable”, “Disable” } |
“Disable” | Location Detection Enables or disables geo-restriction based on the client’s country of origin. When enabled, access is filtered by country. The specific countries and the allow/deny behavior are configured via the locations and locationRestriction fields.
|
|||||||||
| locations | List<string> | {locationDetection} == “Enable” | [] | 1 ~ 100 items | List of Countries to Detect Access The list of countries used for geo-restriction filtering. Each country is specified using ISO 3166-1 alpha-2 country codes. Whether these countries are allowed or denied is determined by the locationRestriction setting. Only effective when locationDetection is enabled. * Enabled only if locationDetection is “Enable” |
|||||||
| locationRestriction | string (enum) enum { “Allow”, “Deny” } |
{locationDetection} == “Enable” | ✓* |
Location Restriction Action The action to take when a request originates from a country in the locations list. “Allow” permits access only from listed countries (allowlist), while “Deny” blocks access from listed countries (blocklist). Works in conjunction with locationDetection and the locations list.
* Required if locationDetection is “Enable” |
||||||||
| anonymousIpDetection | string (enum) enum { “Enable”, “Disable” } |
“Disable” | Anonymous IP Service Detection Enables or disables detection of access from anonymous IP services such as Tor exit nodes and public proxies. When enabled, requests from these sources are identified and evaluated.
|
|||||||||
| anonymousIpRestriction | string (enum) enum { “Deny” } |
{anonymousIpDetection} == “Enable” | “Deny” | Anonymous IP Restriction Action The action to take when access from an anonymous IP service (Tor/public proxy) is detected. Currently only supports “Deny” to block such access. Only effective when anonymousIpDetection is enabled.
* Enabled only if anonymousIpDetection is “Enable” |
||||||||
| hostingProviderIpDetection | string (enum) enum { “Enable”, “Disable” } |
“Disable” | Hosting Provider IP Detection Enables or disables detection of access from hosting provider IP addresses such as public VPN services and rental servers. When enabled, traffic originating from cloud infrastructure or hosting services rather than end-user devices is identified and evaluated.
|
|||||||||
| hostingProviderIpRestriction | string (enum) enum { “Deny” } |
{hostingProviderIpDetection} == “Enable” | “Deny” | Hosting Provider IP Restriction Action The action to take when access from a hosting provider IP (public VPN/rental server) is detected. Currently only supports “Deny” to block such access. Only effective when hostingProviderIpDetection is enabled.
* Enabled only if hostingProviderIpDetection is “Enable” |
||||||||
| reputationIpDetection | string (enum) enum { “Enable”, “Disable” } |
“Disable” | Reputation IP Detection Enables or disables detection of access from IP addresses with a known bad reputation. When enabled, IPs associated with bots, DDoS attacks, and other malicious activities are identified and evaluated.
|
|||||||||
| reputationIpRestriction | string (enum) enum { “Deny” } |
{reputationIpDetection} == “Enable” | “Deny” | Reputation IP Restriction Action The action to take when access from an IP with a bad reputation is detected. Currently only supports “Deny” to block such access. Only effective when reputationIpDetection is enabled.
* Enabled only if reputationIpDetection is “Enable” |
||||||||
| ipAddressesDetection | string (enum) enum { “Enable”, “Disable” } |
“Disable” | IP Address Detection Enables or disables custom IP address-based access filtering. When enabled, requests are evaluated against the custom IP address list specified in the ipAddresses field. The allow/deny behavior is controlled by ipAddressRestriction.
|
|||||||||
| ipAddresses | List<string> | {ipAddressesDetection} == “Enable” | 0 ~ 100 items | List of IP Address Ranges A list of IP address ranges in CIDR notation used for custom IP-based access filtering. Each incoming request’s source IP is evaluated against these ranges. Whether matching IPs are allowed or denied is controlled by ipAddressRestriction. Only effective when ipAddressesDetection is enabled. * Enabled only if ipAddressesDetection is “Enable” |
||||||||
| ipAddressRestriction | string (enum) enum { “Allow”, “Deny” } |
{ipAddressesDetection} == “Enable” | ✓* |
IP Address Restriction Action The action to take when a request’s source IP matches the custom IP address list. “Allow” permits access only from listed IPs (allowlist), while “Deny” blocks access from listed IPs (blocklist). Only effective when ipAddressesDetection is enabled.
* Required if ipAddressesDetection is “Enable” |