Docs Home
Packages
Google Cloud Classic v8.3.1 published on Wednesday, Sep 25, 2024 by Pulumi
gcp.compute.FirewallPolicyRule
Explore with Pulumi AI
The Compute FirewallPolicyRule resource
Example Usage
Basic_fir_sec_rule
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicGlobalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group", {
name: "policy",
parent: "organizations/123456789",
description: "Sample global networksecurity_address_group",
location: "global",
items: ["208.80.154.224/32"],
type: "IPV4",
capacity: 100,
});
const folder = new gcp.organizations.Folder("folder", {
displayName: "policy",
parent: "organizations/123456789",
deletionProtection: false,
});
const _default = new gcp.compute.FirewallPolicy("default", {
parent: folder.id,
shortName: "policy",
description: "Resource created for Terraform acceptance testing",
});
const primary = new gcp.compute.FirewallPolicyRule("primary", {
firewallPolicy: _default.name,
description: "Resource created for Terraform acceptance testing",
priority: 9000,
enableLogging: true,
action: "allow",
direction: "EGRESS",
disabled: false,
match: {
layer4Configs: [
{
ipProtocol: "tcp",
ports: ["8080"],
},
{
ipProtocol: "udp",
ports: ["22"],
},
],
destIpRanges: ["11.100.0.1/32"],
destFqdns: [],
destRegionCodes: ["US"],
destThreatIntelligences: ["iplist-known-malicious-ips"],
srcAddressGroups: [],
destAddressGroups: [basicGlobalNetworksecurityAddressGroup.id],
},
targetServiceAccounts: ["my@service-account.com"],
});
import pulumi
import pulumi_gcp as gcp
basic_global_networksecurity_address_group = gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group",
name="policy",
parent="organizations/123456789",
description="Sample global networksecurity_address_group",
location="global",
items=["208.80.154.224/32"],
type="IPV4",
capacity=100)
folder = gcp.organizations.Folder("folder",
display_name="policy",
parent="organizations/123456789",
deletion_protection=False)
default = gcp.compute.FirewallPolicy("default",
parent=folder.id,
short_name="policy",
description="Resource created for Terraform acceptance testing")
primary = gcp.compute.FirewallPolicyRule("primary",
firewall_policy=default.name,
description="Resource created for Terraform acceptance testing",
priority=9000,
enable_logging=True,
action="allow",
direction="EGRESS",
disabled=False,
match={
"layer4_configs": [
{
"ip_protocol": "tcp",
"ports": ["8080"],
},
{
"ip_protocol": "udp",
"ports": ["22"],
},
],
"dest_ip_ranges": ["11.100.0.1/32"],
"dest_fqdns": [],
"dest_region_codes": ["US"],
"dest_threat_intelligences": ["iplist-known-malicious-ips"],
"src_address_groups": [],
"dest_address_groups": [basic_global_networksecurity_address_group.id],
},
target_service_accounts=["my@service-account.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicGlobalNetworksecurityAddressGroup, err := networksecurity.NewAddressGroup(ctx, "basic_global_networksecurity_address_group", &networksecurity.AddressGroupArgs{
Name: pulumi.String("policy"),
Parent: pulumi.String("organizations/123456789"),
Description: pulumi.String("Sample global networksecurity_address_group"),
Location: pulumi.String("global"),
Items: pulumi.StringArray{
pulumi.String("208.80.154.224/32"),
},
Type: pulumi.String("IPV4"),
Capacity: pulumi.Int(100),
})
if err != nil {
return err
}
folder, err := organizations.NewFolder(ctx, "folder", &organizations.FolderArgs{
DisplayName: pulumi.String("policy"),
Parent: pulumi.String("organizations/123456789"),
DeletionProtection: pulumi.Bool(false),
})
if err != nil {
return err
}
_, err = compute.NewFirewallPolicy(ctx, "default", &compute.FirewallPolicyArgs{
Parent: folder.ID(),
ShortName: pulumi.String("policy"),
Description: pulumi.String("Resource created for Terraform acceptance testing"),
})
if err != nil {
return err
}
_, err = compute.NewFirewallPolicyRule(ctx, "primary", &compute.FirewallPolicyRuleArgs{
FirewallPolicy: _default.Name,
Description: pulumi.String("Resource created for Terraform acceptance testing"),
Priority: pulumi.Int(9000),
EnableLogging: pulumi.Bool(true),
Action: pulumi.String("allow"),
Direction: pulumi.String("EGRESS"),
Disabled: pulumi.Bool(false),
Match: &compute.FirewallPolicyRuleMatchArgs{
Layer4Configs: compute.FirewallPolicyRuleMatchLayer4ConfigArray{
&compute.FirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
Ports: pulumi.StringArray{
pulumi.String("8080"),
},
},
&compute.FirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("udp"),
Ports: pulumi.StringArray{
pulumi.String("22"),
},
},
},
DestIpRanges: pulumi.StringArray{
pulumi.String("11.100.0.1/32"),
},
DestFqdns: pulumi.StringArray{},
DestRegionCodes: pulumi.StringArray{
pulumi.String("US"),
},
DestThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-known-malicious-ips"),
},
SrcAddressGroups: pulumi.StringArray{},
DestAddressGroups: pulumi.StringArray{
basicGlobalNetworksecurityAddressGroup.ID(),
},
},
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("my@service-account.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicGlobalNetworksecurityAddressGroup = new Gcp.NetworkSecurity.AddressGroup("basic_global_networksecurity_address_group", new()
{
Name = "policy",
Parent = "organizations/123456789",
Description = "Sample global networksecurity_address_group",
Location = "global",
Items = new[]
{
"208.80.154.224/32",
},
Type = "IPV4",
Capacity = 100,
});
var folder = new Gcp.Organizations.Folder("folder", new()
{
DisplayName = "policy",
Parent = "organizations/123456789",
DeletionProtection = false,
});
var @default = new Gcp.Compute.FirewallPolicy("default", new()
{
Parent = folder.Id,
ShortName = "policy",
Description = "Resource created for Terraform acceptance testing",
});
var primary = new Gcp.Compute.FirewallPolicyRule("primary", new()
{
FirewallPolicy = @default.Name,
Description = "Resource created for Terraform acceptance testing",
Priority = 9000,
EnableLogging = true,
Action = "allow",
Direction = "EGRESS",
Disabled = false,
Match = new Gcp.Compute.Inputs.FirewallPolicyRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
Ports = new[]
{
"8080",
},
},
new Gcp.Compute.Inputs.FirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "udp",
Ports = new[]
{
"22",
},
},
},
DestIpRanges = new[]
{
"11.100.0.1/32",
},
DestFqdns = new() { },
DestRegionCodes = new[]
{
"US",
},
DestThreatIntelligences = new[]
{
"iplist-known-malicious-ips",
},
SrcAddressGroups = new() { },
DestAddressGroups = new[]
{
basicGlobalNetworksecurityAddressGroup.Id,
},
},
TargetServiceAccounts = new[]
{
"my@service-account.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.organizations.Folder;
import com.pulumi.gcp.organizations.FolderArgs;
import com.pulumi.gcp.compute.FirewallPolicy;
import com.pulumi.gcp.compute.FirewallPolicyArgs;
import com.pulumi.gcp.compute.FirewallPolicyRule;
import com.pulumi.gcp.compute.FirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.FirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicGlobalNetworksecurityAddressGroup = new AddressGroup("basicGlobalNetworksecurityAddressGroup", AddressGroupArgs.builder()
.name("policy")
.parent("organizations/123456789")
.description("Sample global networksecurity_address_group")
.location("global")
.items("208.80.154.224/32")
.type("IPV4")
.capacity(100)
.build());
var folder = new Folder("folder", FolderArgs.builder()
.displayName("policy")
.parent("organizations/123456789")
.deletionProtection(false)
.build());
var default_ = new FirewallPolicy("default", FirewallPolicyArgs.builder()
.parent(folder.id())
.shortName("policy")
.description("Resource created for Terraform acceptance testing")
.build());
var primary = new FirewallPolicyRule("primary", FirewallPolicyRuleArgs.builder()
.firewallPolicy(default_.name())
.description("Resource created for Terraform acceptance testing")
.priority(9000)
.enableLogging(true)
.action("allow")
.direction("EGRESS")
.disabled(false)
.match(FirewallPolicyRuleMatchArgs.builder()
.layer4Configs(
FirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.ports(8080)
.build(),
FirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("udp")
.ports(22)
.build())
.destIpRanges("11.100.0.1/32")
.destFqdns()
.destRegionCodes("US")
.destThreatIntelligences("iplist-known-malicious-ips")
.srcAddressGroups()
.destAddressGroups(basicGlobalNetworksecurityAddressGroup.id())
.build())
.targetServiceAccounts("my@service-account.com")
.build());
}
}
resources:
basicGlobalNetworksecurityAddressGroup:
type: gcp:networksecurity:AddressGroup
name: basic_global_networksecurity_address_group
properties:
name: policy
parent: organizations/123456789
description: Sample global networksecurity_address_group
location: global
items:
- 208.80.154.224/32
type: IPV4
capacity: 100
folder:
type: gcp:organizations:Folder
properties:
displayName: policy
parent: organizations/123456789
deletionProtection: false
default:
type: gcp:compute:FirewallPolicy
properties:
parent: ${folder.id}
shortName: policy
description: Resource created for Terraform acceptance testing
primary:
type: gcp:compute:FirewallPolicyRule
properties:
firewallPolicy: ${default.name}
description: Resource created for Terraform acceptance testing
priority: 9000
enableLogging: true
action: allow
direction: EGRESS
disabled: false
match:
layer4Configs:
- ipProtocol: tcp
ports:
- 8080
- ipProtocol: udp
ports:
- 22
destIpRanges:
- 11.100.0.1/32
destFqdns: []
destRegionCodes:
- US
destThreatIntelligences:
- iplist-known-malicious-ips
srcAddressGroups: []
destAddressGroups:
- ${basicGlobalNetworksecurityAddressGroup.id}
targetServiceAccounts:
- my@service-account.com
Create FirewallPolicyRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new FirewallPolicyRule(name: string, args: FirewallPolicyRuleArgs, opts?: CustomResourceOptions);@overload
def FirewallPolicyRule(resource_name: str,
args: FirewallPolicyRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def FirewallPolicyRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
direction: Optional[str] = None,
firewall_policy: Optional[str] = None,
match: Optional[FirewallPolicyRuleMatchArgs] = None,
priority: Optional[int] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
enable_logging: Optional[bool] = None,
security_profile_group: Optional[str] = None,
target_resources: Optional[Sequence[str]] = None,
target_service_accounts: Optional[Sequence[str]] = None,
tls_inspect: Optional[bool] = None)func NewFirewallPolicyRule(ctx *Context, name string, args FirewallPolicyRuleArgs, opts ...ResourceOption) (*FirewallPolicyRule, error)public FirewallPolicyRule(string name, FirewallPolicyRuleArgs args, CustomResourceOptions? opts = null)
public FirewallPolicyRule(String name, FirewallPolicyRuleArgs args)
public FirewallPolicyRule(String name, FirewallPolicyRuleArgs args, CustomResourceOptions options)
type: gcp:compute:FirewallPolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var firewallPolicyRuleResource = new Gcp.Compute.FirewallPolicyRule("firewallPolicyRuleResource", new()
{
Action = "string",
Direction = "string",
FirewallPolicy = "string",
Match = new Gcp.Compute.Inputs.FirewallPolicyRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "string",
Ports = new[]
{
"string",
},
},
},
DestAddressGroups = new[]
{
"string",
},
DestFqdns = new[]
{
"string",
},
DestIpRanges = new[]
{
"string",
},
DestRegionCodes = new[]
{
"string",
},
DestThreatIntelligences = new[]
{
"string",
},
SrcAddressGroups = new[]
{
"string",
},
SrcFqdns = new[]
{
"string",
},
SrcIpRanges = new[]
{
"string",
},
SrcRegionCodes = new[]
{
"string",
},
SrcThreatIntelligences = new[]
{
"string",
},
},
Priority = 0,
Description = "string",
Disabled = false,
EnableLogging = false,
SecurityProfileGroup = "string",
TargetResources = new[]
{
"string",
},
TargetServiceAccounts = new[]
{
"string",
},
TlsInspect = false,
});
example, err := compute.NewFirewallPolicyRule(ctx, "firewallPolicyRuleResource", &compute.FirewallPolicyRuleArgs{
Action: pulumi.String("string"),
Direction: pulumi.String("string"),
FirewallPolicy: pulumi.String("string"),
Match: &compute.FirewallPolicyRuleMatchArgs{
Layer4Configs: compute.FirewallPolicyRuleMatchLayer4ConfigArray{
&compute.FirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("string"),
Ports: pulumi.StringArray{
pulumi.String("string"),
},
},
},
DestAddressGroups: pulumi.StringArray{
pulumi.String("string"),
},
DestFqdns: pulumi.StringArray{
pulumi.String("string"),
},
DestIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
DestRegionCodes: pulumi.StringArray{
pulumi.String("string"),
},
DestThreatIntelligences: pulumi.StringArray{
pulumi.String("string"),
},
SrcAddressGroups: pulumi.StringArray{
pulumi.String("string"),
},
SrcFqdns: pulumi.StringArray{
pulumi.String("string"),
},
SrcIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("string"),
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("string"),
},
},
Priority: pulumi.Int(0),
Description: pulumi.String("string"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(false),
SecurityProfileGroup: pulumi.String("string"),
TargetResources: pulumi.StringArray{
pulumi.String("string"),
},
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("string"),
},
TlsInspect: pulumi.Bool(false),
})
var firewallPolicyRuleResource = new FirewallPolicyRule("firewallPolicyRuleResource", FirewallPolicyRuleArgs.builder()
.action("string")
.direction("string")
.firewallPolicy("string")
.match(FirewallPolicyRuleMatchArgs.builder()
.layer4Configs(FirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("string")
.ports("string")
.build())
.destAddressGroups("string")
.destFqdns("string")
.destIpRanges("string")
.destRegionCodes("string")
.destThreatIntelligences("string")
.srcAddressGroups("string")
.srcFqdns("string")
.srcIpRanges("string")
.srcRegionCodes("string")
.srcThreatIntelligences("string")
.build())
.priority(0)
.description("string")
.disabled(false)
.enableLogging(false)
.securityProfileGroup("string")
.targetResources("string")
.targetServiceAccounts("string")
.tlsInspect(false)
.build());
firewall_policy_rule_resource = gcp.compute.FirewallPolicyRule("firewallPolicyRuleResource",
action="string",
direction="string",
firewall_policy="string",
match={
"layer4Configs": [{
"ipProtocol": "string",
"ports": ["string"],
}],
"destAddressGroups": ["string"],
"destFqdns": ["string"],
"destIpRanges": ["string"],
"destRegionCodes": ["string"],
"destThreatIntelligences": ["string"],
"srcAddressGroups": ["string"],
"srcFqdns": ["string"],
"srcIpRanges": ["string"],
"srcRegionCodes": ["string"],
"srcThreatIntelligences": ["string"],
},
priority=0,
description="string",
disabled=False,
enable_logging=False,
security_profile_group="string",
target_resources=["string"],
target_service_accounts=["string"],
tls_inspect=False)
const firewallPolicyRuleResource = new gcp.compute.FirewallPolicyRule("firewallPolicyRuleResource", {
action: "string",
direction: "string",
firewallPolicy: "string",
match: {
layer4Configs: [{
ipProtocol: "string",
ports: ["string"],
}],
destAddressGroups: ["string"],
destFqdns: ["string"],
destIpRanges: ["string"],
destRegionCodes: ["string"],
destThreatIntelligences: ["string"],
srcAddressGroups: ["string"],
srcFqdns: ["string"],
srcIpRanges: ["string"],
srcRegionCodes: ["string"],
srcThreatIntelligences: ["string"],
},
priority: 0,
description: "string",
disabled: false,
enableLogging: false,
securityProfileGroup: "string",
targetResources: ["string"],
targetServiceAccounts: ["string"],
tlsInspect: false,
});
type: gcp:compute:FirewallPolicyRule
properties:
action: string
description: string
direction: string
disabled: false
enableLogging: false
firewallPolicy: string
match:
destAddressGroups:
- string
destFqdns:
- string
destIpRanges:
- string
destRegionCodes:
- string
destThreatIntelligences:
- string
layer4Configs:
- ipProtocol: string
ports:
- string
srcAddressGroups:
- string
srcFqdns:
- string
srcIpRanges:
- string
srcRegionCodes:
- string
srcThreatIntelligences:
- string
priority: 0
securityProfileGroup: string
targetResources:
- string
targetServiceAccounts:
- string
tlsInspect: false
FirewallPolicyRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The FirewallPolicyRule resource accepts the following input properties:
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- Direction string
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Firewall
Policy string - The firewall policy of the resource.
- Match
Firewall
Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Description string
- An optional description for this resource.
- Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- Target
Resources List<string> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- Target
Service List<string>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- Direction string
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Firewall
Policy string - The firewall policy of the resource.
- Match
Firewall
Policy Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Description string
- An optional description for this resource.
- Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- Target
Resources []string - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- Target
Service []stringAccounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- direction String
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy String - The firewall policy of the resource.
- match
Firewall
Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority Integer
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description String
- An optional description for this resource.
- disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- target
Resources List<String> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- direction string
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy string - The firewall policy of the resource.
- match
Firewall
Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority number
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description string
- An optional description for this resource.
- disabled boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- security
Profile stringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- target
Resources string[] - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service string[]Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action str
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- direction str
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall_
policy str - The firewall policy of the resource.
- match
Firewall
Policy Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description str
- An optional description for this resource.
- disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- security_
profile_ strgroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- target_
resources Sequence[str] - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target_
service_ Sequence[str]accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls_
inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- direction String
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy String - The firewall policy of the resource.
- match Property Map
- A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority Number
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description String
- An optional description for this resource.
- disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- target
Resources List<String> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
Outputs
All input properties are implicitly available as output properties. Additionally, the FirewallPolicyRule resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Id string
- The provider-assigned unique ID for this managed resource.
- Kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- id String
- The provider-assigned unique ID for this managed resource.
- kind String
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - rule
Tuple IntegerCount - Calculation of the complexity of a single firewall policy rule.
- id string
- The provider-assigned unique ID for this managed resource.
- kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - rule
Tuple numberCount - Calculation of the complexity of a single firewall policy rule.
- id str
- The provider-assigned unique ID for this managed resource.
- kind str
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - rule_
tuple_ intcount - Calculation of the complexity of a single firewall policy rule.
- id String
- The provider-assigned unique ID for this managed resource.
- kind String
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - rule
Tuple NumberCount - Calculation of the complexity of a single firewall policy rule.
Look up Existing FirewallPolicyRule Resource
Get an existing FirewallPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: FirewallPolicyRuleState, opts?: CustomResourceOptions): FirewallPolicyRule@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
description: Optional[str] = None,
direction: Optional[str] = None,
disabled: Optional[bool] = None,
enable_logging: Optional[bool] = None,
firewall_policy: Optional[str] = None,
kind: Optional[str] = None,
match: Optional[FirewallPolicyRuleMatchArgs] = None,
priority: Optional[int] = None,
rule_tuple_count: Optional[int] = None,
security_profile_group: Optional[str] = None,
target_resources: Optional[Sequence[str]] = None,
target_service_accounts: Optional[Sequence[str]] = None,
tls_inspect: Optional[bool] = None) -> FirewallPolicyRulefunc GetFirewallPolicyRule(ctx *Context, name string, id IDInput, state *FirewallPolicyRuleState, opts ...ResourceOption) (*FirewallPolicyRule, error)public static FirewallPolicyRule Get(string name, Input<string> id, FirewallPolicyRuleState? state, CustomResourceOptions? opts = null)public static FirewallPolicyRule get(String name, Output<String> id, FirewallPolicyRuleState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- Description string
- An optional description for this resource.
- Direction string
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Firewall
Policy string - The firewall policy of the resource.
- Kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - Match
Firewall
Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- Target
Resources List<string> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- Target
Service List<string>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- Description string
- An optional description for this resource.
- Direction string
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Firewall
Policy string - The firewall policy of the resource.
- Kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - Match
Firewall
Policy Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- Target
Resources []string - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- Target
Service []stringAccounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- description String
- An optional description for this resource.
- direction String
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy String - The firewall policy of the resource.
- kind String
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - match
Firewall
Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority Integer
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- rule
Tuple IntegerCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- target
Resources List<String> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- description string
- An optional description for this resource.
- direction string
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy string - The firewall policy of the resource.
- kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - match
Firewall
Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority number
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- rule
Tuple numberCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile stringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- target
Resources string[] - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service string[]Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action str
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- description str
- An optional description for this resource.
- direction str
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall_
policy str - The firewall policy of the resource.
- kind str
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - match
Firewall
Policy Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- rule_
tuple_ intcount - Calculation of the complexity of a single firewall policy rule.
- security_
profile_ strgroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- target_
resources Sequence[str] - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target_
service_ Sequence[str]accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls_
inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- description String
- An optional description for this resource.
- direction String
- The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy String - The firewall policy of the resource.
- kind String
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - match Property Map
- A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority Number
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- rule
Tuple NumberCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- target
Resources List<String> - A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
Supporting Types
FirewallPolicyRuleMatch, FirewallPolicyRuleMatchArgs
- Layer4Configs
List<Firewall
Policy Rule Match Layer4Config> - Pairs of IP protocols and ports that the rule should match.
- Dest
Address List<string>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- Dest
Fqdns List<string> - Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- Dest
Ip List<string>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- Dest
Region List<string>Codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- Dest
Threat List<string>Intelligences - Name of the Google Cloud Threat Intelligence list.
- Src
Address List<string>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- Src
Fqdns List<string> - Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- Src
Ip List<string>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
- Src
Region List<string>Codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
- Src
Threat List<string>Intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- Layer4Configs
[]Firewall
Policy Rule Match Layer4Config - Pairs of IP protocols and ports that the rule should match.
- Dest
Address []stringGroups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- Dest
Fqdns []string - Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- Dest
Ip []stringRanges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- Dest
Region []stringCodes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- Dest
Threat []stringIntelligences - Name of the Google Cloud Threat Intelligence list.
- Src
Address []stringGroups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- Src
Fqdns []string - Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- Src
Ip []stringRanges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
- Src
Region []stringCodes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
- Src
Threat []stringIntelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- layer4Configs
List<Firewall
Policy Rule Match Layer4Config> - Pairs of IP protocols and ports that the rule should match.
- dest
Address List<String>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- dest
Fqdns List<String> - Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- dest
Ip List<String>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- dest
Region List<String>Codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- dest
Threat List<String>Intelligences - Name of the Google Cloud Threat Intelligence list.
- src
Address List<String>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- src
Fqdns List<String> - Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- src
Ip List<String>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
- src
Region List<String>Codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
- src
Threat List<String>Intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- layer4Configs
Firewall
Policy Rule Match Layer4Config[] - Pairs of IP protocols and ports that the rule should match.
- dest
Address string[]Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- dest
Fqdns string[] - Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- dest
Ip string[]Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- dest
Region string[]Codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- dest
Threat string[]Intelligences - Name of the Google Cloud Threat Intelligence list.
- src
Address string[]Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- src
Fqdns string[] - Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- src
Ip string[]Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
- src
Region string[]Codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
- src
Threat string[]Intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- layer4_
configs Sequence[FirewallPolicy Rule Match Layer4Config] - Pairs of IP protocols and ports that the rule should match.
- dest_
address_ Sequence[str]groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- dest_
fqdns Sequence[str] - Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- dest_
ip_ Sequence[str]ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- dest_
region_ Sequence[str]codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- dest_
threat_ Sequence[str]intelligences - Name of the Google Cloud Threat Intelligence list.
- src_
address_ Sequence[str]groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- src_
fqdns Sequence[str] - Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- src_
ip_ Sequence[str]ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
- src_
region_ Sequence[str]codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
- src_
threat_ Sequence[str]intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- layer4Configs List<Property Map>
- Pairs of IP protocols and ports that the rule should match.
- dest
Address List<String>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- dest
Fqdns List<String> - Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- dest
Ip List<String>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- dest
Region List<String>Codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- dest
Threat List<String>Intelligences - Name of the Google Cloud Threat Intelligence list.
- src
Address List<String>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- src
Fqdns List<String> - Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- src
Ip List<String>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
- src
Region List<String>Codes - The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
- src
Threat List<String>Intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
FirewallPolicyRuleMatchLayer4Config, FirewallPolicyRuleMatchLayer4ConfigArgs
- Ip
Protocol string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number. - Ports List<string>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- Ip
Protocol string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number. - Ports []string
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number. - ports List<String>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number. - ports string[]
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip_
protocol str - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number. - ports Sequence[str]
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number. - ports List<String>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
Import
FirewallPolicyRule can be imported using any of these accepted formats:
locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}{{firewall_policy}}/{{priority}}
When using the pulumi import command, FirewallPolicyRule can be imported using one of the formats above. For example:
$ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}
$ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default {{firewall_policy}}/{{priority}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.