Docs Home
Packages
Google Cloud Classic v8.3.1 published on Wednesday, Sep 25, 2024 by Pulumi
gcp.compute.NetworkFirewallPolicyWithRules
Explore with Pulumi AI
Example Usage
Compute Network Firewall Policy With Rules Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const project = gcp.organizations.getProject({});
const addressGroup1 = new gcp.networksecurity.AddressGroup("address_group_1", {
name: "tf-address-group",
parent: project.then(project => `projects/${project.name}`),
description: "Global address group",
location: "global",
items: ["208.80.154.224/32"],
type: "IPV4",
capacity: 100,
});
const secureTagKey1 = new gcp.tags.TagKey("secure_tag_key_1", {
description: "Tag key",
parent: project.then(project => `projects/${project.name}`),
purpose: "GCE_FIREWALL",
shortName: "tf-tag-key",
purposeData: {
network: project.then(project => `${project.name}/default`),
},
});
const secureTagValue1 = new gcp.tags.TagValue("secure_tag_value_1", {
description: "Tag value",
parent: pulumi.interpolate`tagKeys/${secureTagKey1.name}`,
shortName: "tf-tag-value",
});
const securityProfile1 = new gcp.networksecurity.SecurityProfile("security_profile_1", {
name: "tf-security-profile",
type: "THREAT_PREVENTION",
parent: "organizations/123456789",
location: "global",
});
const securityProfileGroup1 = new gcp.networksecurity.SecurityProfileGroup("security_profile_group_1", {
name: "tf-security-profile-group",
parent: "organizations/123456789",
description: "my description",
threatPreventionProfile: securityProfile1.id,
});
const network_firewall_policy_with_rules = new gcp.compute.NetworkFirewallPolicyWithRules("network-firewall-policy-with-rules", {
name: "tf-fw-policy-with-rules",
description: "Terraform test",
rules: [
{
description: "tcp rule",
priority: 1000,
enableLogging: true,
action: "allow",
direction: "EGRESS",
match: {
layer4Configs: [{
ipProtocol: "tcp",
ports: [
"8080",
"7070",
],
}],
destIpRanges: ["11.100.0.1/32"],
destFqdns: [
"www.yyy.com",
"www.zzz.com",
],
destRegionCodes: [
"HK",
"IN",
],
destThreatIntelligences: [
"iplist-search-engines-crawlers",
"iplist-tor-exit-nodes",
],
destAddressGroups: [addressGroup1.id],
},
targetSecureTags: [{
name: pulumi.interpolate`tagValues/${secureTagValue1.name}`,
}],
},
{
description: "udp rule",
priority: 2000,
enableLogging: false,
action: "deny",
direction: "INGRESS",
match: {
layer4Configs: [{
ipProtocol: "udp",
}],
srcIpRanges: ["0.0.0.0/0"],
srcFqdns: [
"www.abc.com",
"www.def.com",
],
srcRegionCodes: [
"US",
"CA",
],
srcThreatIntelligences: [
"iplist-known-malicious-ips",
"iplist-public-clouds",
],
srcAddressGroups: [addressGroup1.id],
srcSecureTags: [{
name: pulumi.interpolate`tagValues/${secureTagValue1.name}`,
}],
},
disabled: true,
},
{
description: "security profile group rule",
ruleName: "tcp rule",
priority: 3000,
enableLogging: false,
action: "apply_security_profile_group",
direction: "INGRESS",
match: {
layer4Configs: [{
ipProtocol: "tcp",
}],
srcIpRanges: ["0.0.0.0/0"],
},
targetServiceAccounts: ["test@google.com"],
securityProfileGroup: pulumi.interpolate`//networksecurity.googleapis.com/${securityProfileGroup1.id}`,
tlsInspect: true,
},
],
});
import pulumi
import pulumi_gcp as gcp
project = gcp.organizations.get_project()
address_group1 = gcp.networksecurity.AddressGroup("address_group_1",
name="tf-address-group",
parent=f"projects/{project.name}",
description="Global address group",
location="global",
items=["208.80.154.224/32"],
type="IPV4",
capacity=100)
secure_tag_key1 = gcp.tags.TagKey("secure_tag_key_1",
description="Tag key",
parent=f"projects/{project.name}",
purpose="GCE_FIREWALL",
short_name="tf-tag-key",
purpose_data={
"network": f"{project.name}/default",
})
secure_tag_value1 = gcp.tags.TagValue("secure_tag_value_1",
description="Tag value",
parent=secure_tag_key1.name.apply(lambda name: f"tagKeys/{name}"),
short_name="tf-tag-value")
security_profile1 = gcp.networksecurity.SecurityProfile("security_profile_1",
name="tf-security-profile",
type="THREAT_PREVENTION",
parent="organizations/123456789",
location="global")
security_profile_group1 = gcp.networksecurity.SecurityProfileGroup("security_profile_group_1",
name="tf-security-profile-group",
parent="organizations/123456789",
description="my description",
threat_prevention_profile=security_profile1.id)
network_firewall_policy_with_rules = gcp.compute.NetworkFirewallPolicyWithRules("network-firewall-policy-with-rules",
name="tf-fw-policy-with-rules",
description="Terraform test",
rules=[
{
"description": "tcp rule",
"priority": 1000,
"enable_logging": True,
"action": "allow",
"direction": "EGRESS",
"match": {
"layer4_configs": [{
"ip_protocol": "tcp",
"ports": [
"8080",
"7070",
],
}],
"dest_ip_ranges": ["11.100.0.1/32"],
"dest_fqdns": [
"www.yyy.com",
"www.zzz.com",
],
"dest_region_codes": [
"HK",
"IN",
],
"dest_threat_intelligences": [
"iplist-search-engines-crawlers",
"iplist-tor-exit-nodes",
],
"dest_address_groups": [address_group1.id],
},
"target_secure_tags": [{
"name": secure_tag_value1.name.apply(lambda name: f"tagValues/{name}"),
}],
},
{
"description": "udp rule",
"priority": 2000,
"enable_logging": False,
"action": "deny",
"direction": "INGRESS",
"match": {
"layer4_configs": [{
"ip_protocol": "udp",
}],
"src_ip_ranges": ["0.0.0.0/0"],
"src_fqdns": [
"www.abc.com",
"www.def.com",
],
"src_region_codes": [
"US",
"CA",
],
"src_threat_intelligences": [
"iplist-known-malicious-ips",
"iplist-public-clouds",
],
"src_address_groups": [address_group1.id],
"src_secure_tags": [{
"name": secure_tag_value1.name.apply(lambda name: f"tagValues/{name}"),
}],
},
"disabled": True,
},
{
"description": "security profile group rule",
"rule_name": "tcp rule",
"priority": 3000,
"enable_logging": False,
"action": "apply_security_profile_group",
"direction": "INGRESS",
"match": {
"layer4_configs": [{
"ip_protocol": "tcp",
}],
"src_ip_ranges": ["0.0.0.0/0"],
},
"target_service_accounts": ["test@google.com"],
"security_profile_group": security_profile_group1.id.apply(lambda id: f"//networksecurity.googleapis.com/{id}"),
"tls_inspect": True,
},
])
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
project, err := organizations.LookupProject(ctx, nil, nil)
if err != nil {
return err
}
addressGroup1, err := networksecurity.NewAddressGroup(ctx, "address_group_1", &networksecurity.AddressGroupArgs{
Name: pulumi.String("tf-address-group"),
Parent: pulumi.Sprintf("projects/%v", project.Name),
Description: pulumi.String("Global address group"),
Location: pulumi.String("global"),
Items: pulumi.StringArray{
pulumi.String("208.80.154.224/32"),
},
Type: pulumi.String("IPV4"),
Capacity: pulumi.Int(100),
})
if err != nil {
return err
}
secureTagKey1, err := tags.NewTagKey(ctx, "secure_tag_key_1", &tags.TagKeyArgs{
Description: pulumi.String("Tag key"),
Parent: pulumi.Sprintf("projects/%v", project.Name),
Purpose: pulumi.String("GCE_FIREWALL"),
ShortName: pulumi.String("tf-tag-key"),
PurposeData: pulumi.StringMap{
"network": pulumi.Sprintf("%v/default", project.Name),
},
})
if err != nil {
return err
}
secureTagValue1, err := tags.NewTagValue(ctx, "secure_tag_value_1", &tags.TagValueArgs{
Description: pulumi.String("Tag value"),
Parent: secureTagKey1.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("tagKeys/%v", name), nil
}).(pulumi.StringOutput),
ShortName: pulumi.String("tf-tag-value"),
})
if err != nil {
return err
}
securityProfile1, err := networksecurity.NewSecurityProfile(ctx, "security_profile_1", &networksecurity.SecurityProfileArgs{
Name: pulumi.String("tf-security-profile"),
Type: pulumi.String("THREAT_PREVENTION"),
Parent: pulumi.String("organizations/123456789"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
securityProfileGroup1, err := networksecurity.NewSecurityProfileGroup(ctx, "security_profile_group_1", &networksecurity.SecurityProfileGroupArgs{
Name: pulumi.String("tf-security-profile-group"),
Parent: pulumi.String("organizations/123456789"),
Description: pulumi.String("my description"),
ThreatPreventionProfile: securityProfile1.ID(),
})
if err != nil {
return err
}
_, err = compute.NewNetworkFirewallPolicyWithRules(ctx, "network-firewall-policy-with-rules", &compute.NetworkFirewallPolicyWithRulesArgs{
Name: pulumi.String("tf-fw-policy-with-rules"),
Description: pulumi.String("Terraform test"),
Rules: compute.NetworkFirewallPolicyWithRulesRuleArray{
&compute.NetworkFirewallPolicyWithRulesRuleArgs{
Description: pulumi.String("tcp rule"),
Priority: pulumi.Int(1000),
EnableLogging: pulumi.Bool(true),
Action: pulumi.String("allow"),
Direction: pulumi.String("EGRESS"),
Match: &compute.NetworkFirewallPolicyWithRulesRuleMatchArgs{
Layer4Configs: compute.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
Ports: pulumi.StringArray{
pulumi.String("8080"),
pulumi.String("7070"),
},
},
},
DestIpRanges: pulumi.StringArray{
pulumi.String("11.100.0.1/32"),
},
DestFqdns: pulumi.StringArray{
pulumi.String("www.yyy.com"),
pulumi.String("www.zzz.com"),
},
DestRegionCodes: pulumi.StringArray{
pulumi.String("HK"),
pulumi.String("IN"),
},
DestThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-search-engines-crawlers"),
pulumi.String("iplist-tor-exit-nodes"),
},
DestAddressGroups: pulumi.StringArray{
addressGroup1.ID(),
},
},
TargetSecureTags: compute.NetworkFirewallPolicyWithRulesRuleTargetSecureTagArray{
&compute.NetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs{
Name: secureTagValue1.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("tagValues/%v", name), nil
}).(pulumi.StringOutput),
},
},
},
&compute.NetworkFirewallPolicyWithRulesRuleArgs{
Description: pulumi.String("udp rule"),
Priority: pulumi.Int(2000),
EnableLogging: pulumi.Bool(false),
Action: pulumi.String("deny"),
Direction: pulumi.String("INGRESS"),
Match: &compute.NetworkFirewallPolicyWithRulesRuleMatchArgs{
Layer4Configs: compute.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("udp"),
},
},
SrcIpRanges: pulumi.StringArray{
pulumi.String("0.0.0.0/0"),
},
SrcFqdns: pulumi.StringArray{
pulumi.String("www.abc.com"),
pulumi.String("www.def.com"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("US"),
pulumi.String("CA"),
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-known-malicious-ips"),
pulumi.String("iplist-public-clouds"),
},
SrcAddressGroups: pulumi.StringArray{
addressGroup1.ID(),
},
SrcSecureTags: compute.NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArray{
&compute.NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs{
Name: secureTagValue1.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("tagValues/%v", name), nil
}).(pulumi.StringOutput),
},
},
},
Disabled: pulumi.Bool(true),
},
&compute.NetworkFirewallPolicyWithRulesRuleArgs{
Description: pulumi.String("security profile group rule"),
RuleName: pulumi.String("tcp rule"),
Priority: pulumi.Int(3000),
EnableLogging: pulumi.Bool(false),
Action: pulumi.String("apply_security_profile_group"),
Direction: pulumi.String("INGRESS"),
Match: &compute.NetworkFirewallPolicyWithRulesRuleMatchArgs{
Layer4Configs: compute.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
},
},
SrcIpRanges: pulumi.StringArray{
pulumi.String("0.0.0.0/0"),
},
},
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("test@google.com"),
},
SecurityProfileGroup: securityProfileGroup1.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("//networksecurity.googleapis.com/%v", id), nil
}).(pulumi.StringOutput),
TlsInspect: pulumi.Bool(true),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var project = Gcp.Organizations.GetProject.Invoke();
var addressGroup1 = new Gcp.NetworkSecurity.AddressGroup("address_group_1", new()
{
Name = "tf-address-group",
Parent = $"projects/{project.Apply(getProjectResult => getProjectResult.Name)}",
Description = "Global address group",
Location = "global",
Items = new[]
{
"208.80.154.224/32",
},
Type = "IPV4",
Capacity = 100,
});
var secureTagKey1 = new Gcp.Tags.TagKey("secure_tag_key_1", new()
{
Description = "Tag key",
Parent = $"projects/{project.Apply(getProjectResult => getProjectResult.Name)}",
Purpose = "GCE_FIREWALL",
ShortName = "tf-tag-key",
PurposeData =
{
{ "network", $"{project.Apply(getProjectResult => getProjectResult.Name)}/default" },
},
});
var secureTagValue1 = new Gcp.Tags.TagValue("secure_tag_value_1", new()
{
Description = "Tag value",
Parent = secureTagKey1.Name.Apply(name => $"tagKeys/{name}"),
ShortName = "tf-tag-value",
});
var securityProfile1 = new Gcp.NetworkSecurity.SecurityProfile("security_profile_1", new()
{
Name = "tf-security-profile",
Type = "THREAT_PREVENTION",
Parent = "organizations/123456789",
Location = "global",
});
var securityProfileGroup1 = new Gcp.NetworkSecurity.SecurityProfileGroup("security_profile_group_1", new()
{
Name = "tf-security-profile-group",
Parent = "organizations/123456789",
Description = "my description",
ThreatPreventionProfile = securityProfile1.Id,
});
var network_firewall_policy_with_rules = new Gcp.Compute.NetworkFirewallPolicyWithRules("network-firewall-policy-with-rules", new()
{
Name = "tf-fw-policy-with-rules",
Description = "Terraform test",
Rules = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleArgs
{
Description = "tcp rule",
Priority = 1000,
EnableLogging = true,
Action = "allow",
Direction = "EGRESS",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
Ports = new[]
{
"8080",
"7070",
},
},
},
DestIpRanges = new[]
{
"11.100.0.1/32",
},
DestFqdns = new[]
{
"www.yyy.com",
"www.zzz.com",
},
DestRegionCodes = new[]
{
"HK",
"IN",
},
DestThreatIntelligences = new[]
{
"iplist-search-engines-crawlers",
"iplist-tor-exit-nodes",
},
DestAddressGroups = new[]
{
addressGroup1.Id,
},
},
TargetSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs
{
Name = secureTagValue1.Name.Apply(name => $"tagValues/{name}"),
},
},
},
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleArgs
{
Description = "udp rule",
Priority = 2000,
EnableLogging = false,
Action = "deny",
Direction = "INGRESS",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "udp",
},
},
SrcIpRanges = new[]
{
"0.0.0.0/0",
},
SrcFqdns = new[]
{
"www.abc.com",
"www.def.com",
},
SrcRegionCodes = new[]
{
"US",
"CA",
},
SrcThreatIntelligences = new[]
{
"iplist-known-malicious-ips",
"iplist-public-clouds",
},
SrcAddressGroups = new[]
{
addressGroup1.Id,
},
SrcSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs
{
Name = secureTagValue1.Name.Apply(name => $"tagValues/{name}"),
},
},
},
Disabled = true,
},
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleArgs
{
Description = "security profile group rule",
RuleName = "tcp rule",
Priority = 3000,
EnableLogging = false,
Action = "apply_security_profile_group",
Direction = "INGRESS",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
},
},
SrcIpRanges = new[]
{
"0.0.0.0/0",
},
},
TargetServiceAccounts = new[]
{
"test@google.com",
},
SecurityProfileGroup = securityProfileGroup1.Id.Apply(id => $"//networksecurity.googleapis.com/{id}"),
TlsInspect = true,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.tags.TagKey;
import com.pulumi.gcp.tags.TagKeyArgs;
import com.pulumi.gcp.tags.TagValue;
import com.pulumi.gcp.tags.TagValueArgs;
import com.pulumi.gcp.networksecurity.SecurityProfile;
import com.pulumi.gcp.networksecurity.SecurityProfileArgs;
import com.pulumi.gcp.networksecurity.SecurityProfileGroup;
import com.pulumi.gcp.networksecurity.SecurityProfileGroupArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicyWithRules;
import com.pulumi.gcp.compute.NetworkFirewallPolicyWithRulesArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyWithRulesRuleArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyWithRulesRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var project = OrganizationsFunctions.getProject();
var addressGroup1 = new AddressGroup("addressGroup1", AddressGroupArgs.builder()
.name("tf-address-group")
.parent(String.format("projects/%s", project.applyValue(getProjectResult -> getProjectResult.name())))
.description("Global address group")
.location("global")
.items("208.80.154.224/32")
.type("IPV4")
.capacity(100)
.build());
var secureTagKey1 = new TagKey("secureTagKey1", TagKeyArgs.builder()
.description("Tag key")
.parent(String.format("projects/%s", project.applyValue(getProjectResult -> getProjectResult.name())))
.purpose("GCE_FIREWALL")
.shortName("tf-tag-key")
.purposeData(Map.of("network", String.format("%s/default", project.applyValue(getProjectResult -> getProjectResult.name()))))
.build());
var secureTagValue1 = new TagValue("secureTagValue1", TagValueArgs.builder()
.description("Tag value")
.parent(secureTagKey1.name().applyValue(name -> String.format("tagKeys/%s", name)))
.shortName("tf-tag-value")
.build());
var securityProfile1 = new SecurityProfile("securityProfile1", SecurityProfileArgs.builder()
.name("tf-security-profile")
.type("THREAT_PREVENTION")
.parent("organizations/123456789")
.location("global")
.build());
var securityProfileGroup1 = new SecurityProfileGroup("securityProfileGroup1", SecurityProfileGroupArgs.builder()
.name("tf-security-profile-group")
.parent("organizations/123456789")
.description("my description")
.threatPreventionProfile(securityProfile1.id())
.build());
var network_firewall_policy_with_rules = new NetworkFirewallPolicyWithRules("network-firewall-policy-with-rules", NetworkFirewallPolicyWithRulesArgs.builder()
.name("tf-fw-policy-with-rules")
.description("Terraform test")
.rules(
NetworkFirewallPolicyWithRulesRuleArgs.builder()
.description("tcp rule")
.priority(1000)
.enableLogging(true)
.action("allow")
.direction("EGRESS")
.match(NetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
.layer4Configs(NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.ports(
8080,
7070)
.build())
.destIpRanges("11.100.0.1/32")
.destFqdns(
"www.yyy.com",
"www.zzz.com")
.destRegionCodes(
"HK",
"IN")
.destThreatIntelligences(
"iplist-search-engines-crawlers",
"iplist-tor-exit-nodes")
.destAddressGroups(addressGroup1.id())
.build())
.targetSecureTags(NetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs.builder()
.name(secureTagValue1.name().applyValue(name -> String.format("tagValues/%s", name)))
.build())
.build(),
NetworkFirewallPolicyWithRulesRuleArgs.builder()
.description("udp rule")
.priority(2000)
.enableLogging(false)
.action("deny")
.direction("INGRESS")
.match(NetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
.layer4Configs(NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("udp")
.build())
.srcIpRanges("0.0.0.0/0")
.srcFqdns(
"www.abc.com",
"www.def.com")
.srcRegionCodes(
"US",
"CA")
.srcThreatIntelligences(
"iplist-known-malicious-ips",
"iplist-public-clouds")
.srcAddressGroups(addressGroup1.id())
.srcSecureTags(NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs.builder()
.name(secureTagValue1.name().applyValue(name -> String.format("tagValues/%s", name)))
.build())
.build())
.disabled(true)
.build(),
NetworkFirewallPolicyWithRulesRuleArgs.builder()
.description("security profile group rule")
.ruleName("tcp rule")
.priority(3000)
.enableLogging(false)
.action("apply_security_profile_group")
.direction("INGRESS")
.match(NetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
.layer4Configs(NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.build())
.srcIpRanges("0.0.0.0/0")
.build())
.targetServiceAccounts("test@google.com")
.securityProfileGroup(securityProfileGroup1.id().applyValue(id -> String.format("//networksecurity.googleapis.com/%s", id)))
.tlsInspect(true)
.build())
.build());
}
}
resources:
network-firewall-policy-with-rules:
type: gcp:compute:NetworkFirewallPolicyWithRules
properties:
name: tf-fw-policy-with-rules
description: Terraform test
rules:
- description: tcp rule
priority: 1000
enableLogging: true
action: allow
direction: EGRESS
match:
layer4Configs:
- ipProtocol: tcp
ports:
- 8080
- 7070
destIpRanges:
- 11.100.0.1/32
destFqdns:
- www.yyy.com
- www.zzz.com
destRegionCodes:
- HK
- IN
destThreatIntelligences:
- iplist-search-engines-crawlers
- iplist-tor-exit-nodes
destAddressGroups:
- ${addressGroup1.id}
targetSecureTags:
- name: tagValues/${secureTagValue1.name}
- description: udp rule
priority: 2000
enableLogging: false
action: deny
direction: INGRESS
match:
layer4Configs:
- ipProtocol: udp
srcIpRanges:
- 0.0.0.0/0
srcFqdns:
- www.abc.com
- www.def.com
srcRegionCodes:
- US
- CA
srcThreatIntelligences:
- iplist-known-malicious-ips
- iplist-public-clouds
srcAddressGroups:
- ${addressGroup1.id}
srcSecureTags:
- name: tagValues/${secureTagValue1.name}
disabled: true
- description: security profile group rule
ruleName: tcp rule
priority: 3000
enableLogging: false
action: apply_security_profile_group
direction: INGRESS
match:
layer4Configs:
- ipProtocol: tcp
srcIpRanges:
- 0.0.0.0/0
targetServiceAccounts:
- test@google.com
securityProfileGroup: //networksecurity.googleapis.com/${securityProfileGroup1.id}
tlsInspect: true
addressGroup1:
type: gcp:networksecurity:AddressGroup
name: address_group_1
properties:
name: tf-address-group
parent: projects/${project.name}
description: Global address group
location: global
items:
- 208.80.154.224/32
type: IPV4
capacity: 100
secureTagKey1:
type: gcp:tags:TagKey
name: secure_tag_key_1
properties:
description: Tag key
parent: projects/${project.name}
purpose: GCE_FIREWALL
shortName: tf-tag-key
purposeData:
network: ${project.name}/default
secureTagValue1:
type: gcp:tags:TagValue
name: secure_tag_value_1
properties:
description: Tag value
parent: tagKeys/${secureTagKey1.name}
shortName: tf-tag-value
securityProfileGroup1:
type: gcp:networksecurity:SecurityProfileGroup
name: security_profile_group_1
properties:
name: tf-security-profile-group
parent: organizations/123456789
description: my description
threatPreventionProfile: ${securityProfile1.id}
securityProfile1:
type: gcp:networksecurity:SecurityProfile
name: security_profile_1
properties:
name: tf-security-profile
type: THREAT_PREVENTION
parent: organizations/123456789
location: global
variables:
project:
fn::invoke:
Function: gcp:organizations:getProject
Arguments: {}
Create NetworkFirewallPolicyWithRules Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new NetworkFirewallPolicyWithRules(name: string, args: NetworkFirewallPolicyWithRulesArgs, opts?: CustomResourceOptions);@overload
def NetworkFirewallPolicyWithRules(resource_name: str,
args: NetworkFirewallPolicyWithRulesArgs,
opts: Optional[ResourceOptions] = None)
@overload
def NetworkFirewallPolicyWithRules(resource_name: str,
opts: Optional[ResourceOptions] = None,
rules: Optional[Sequence[NetworkFirewallPolicyWithRulesRuleArgs]] = None,
description: Optional[str] = None,
name: Optional[str] = None,
project: Optional[str] = None)func NewNetworkFirewallPolicyWithRules(ctx *Context, name string, args NetworkFirewallPolicyWithRulesArgs, opts ...ResourceOption) (*NetworkFirewallPolicyWithRules, error)public NetworkFirewallPolicyWithRules(string name, NetworkFirewallPolicyWithRulesArgs args, CustomResourceOptions? opts = null)
public NetworkFirewallPolicyWithRules(String name, NetworkFirewallPolicyWithRulesArgs args)
public NetworkFirewallPolicyWithRules(String name, NetworkFirewallPolicyWithRulesArgs args, CustomResourceOptions options)
type: gcp:compute:NetworkFirewallPolicyWithRules
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args NetworkFirewallPolicyWithRulesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args NetworkFirewallPolicyWithRulesArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args NetworkFirewallPolicyWithRulesArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args NetworkFirewallPolicyWithRulesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args NetworkFirewallPolicyWithRulesArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var networkFirewallPolicyWithRulesResource = new Gcp.Compute.NetworkFirewallPolicyWithRules("networkFirewallPolicyWithRulesResource", new()
{
Rules = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleArgs
{
Action = "string",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "string",
Ports = new[]
{
"string",
},
},
},
DestAddressGroups = new[]
{
"string",
},
DestFqdns = new[]
{
"string",
},
DestIpRanges = new[]
{
"string",
},
DestRegionCodes = new[]
{
"string",
},
DestThreatIntelligences = new[]
{
"string",
},
SrcAddressGroups = new[]
{
"string",
},
SrcFqdns = new[]
{
"string",
},
SrcIpRanges = new[]
{
"string",
},
SrcRegionCodes = new[]
{
"string",
},
SrcSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs
{
Name = "string",
State = "string",
},
},
SrcThreatIntelligences = new[]
{
"string",
},
},
Priority = 0,
Description = "string",
Direction = "string",
Disabled = false,
EnableLogging = false,
RuleName = "string",
SecurityProfileGroup = "string",
TargetSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs
{
Name = "string",
State = "string",
},
},
TargetServiceAccounts = new[]
{
"string",
},
TlsInspect = false,
},
},
Description = "string",
Name = "string",
Project = "string",
});
example, err := compute.NewNetworkFirewallPolicyWithRules(ctx, "networkFirewallPolicyWithRulesResource", &compute.NetworkFirewallPolicyWithRulesArgs{
Rules: compute.NetworkFirewallPolicyWithRulesRuleArray{
&compute.NetworkFirewallPolicyWithRulesRuleArgs{
Action: pulumi.String("string"),
Match: &compute.NetworkFirewallPolicyWithRulesRuleMatchArgs{
Layer4Configs: compute.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("string"),
Ports: pulumi.StringArray{
pulumi.String("string"),
},
},
},
DestAddressGroups: pulumi.StringArray{
pulumi.String("string"),
},
DestFqdns: pulumi.StringArray{
pulumi.String("string"),
},
DestIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
DestRegionCodes: pulumi.StringArray{
pulumi.String("string"),
},
DestThreatIntelligences: pulumi.StringArray{
pulumi.String("string"),
},
SrcAddressGroups: pulumi.StringArray{
pulumi.String("string"),
},
SrcFqdns: pulumi.StringArray{
pulumi.String("string"),
},
SrcIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("string"),
},
SrcSecureTags: compute.NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArray{
&compute.NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs{
Name: pulumi.String("string"),
State: pulumi.String("string"),
},
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("string"),
},
},
Priority: pulumi.Int(0),
Description: pulumi.String("string"),
Direction: pulumi.String("string"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(false),
RuleName: pulumi.String("string"),
SecurityProfileGroup: pulumi.String("string"),
TargetSecureTags: compute.NetworkFirewallPolicyWithRulesRuleTargetSecureTagArray{
&compute.NetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs{
Name: pulumi.String("string"),
State: pulumi.String("string"),
},
},
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("string"),
},
TlsInspect: pulumi.Bool(false),
},
},
Description: pulumi.String("string"),
Name: pulumi.String("string"),
Project: pulumi.String("string"),
})
var networkFirewallPolicyWithRulesResource = new NetworkFirewallPolicyWithRules("networkFirewallPolicyWithRulesResource", NetworkFirewallPolicyWithRulesArgs.builder()
.rules(NetworkFirewallPolicyWithRulesRuleArgs.builder()
.action("string")
.match(NetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
.layer4Configs(NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("string")
.ports("string")
.build())
.destAddressGroups("string")
.destFqdns("string")
.destIpRanges("string")
.destRegionCodes("string")
.destThreatIntelligences("string")
.srcAddressGroups("string")
.srcFqdns("string")
.srcIpRanges("string")
.srcRegionCodes("string")
.srcSecureTags(NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs.builder()
.name("string")
.state("string")
.build())
.srcThreatIntelligences("string")
.build())
.priority(0)
.description("string")
.direction("string")
.disabled(false)
.enableLogging(false)
.ruleName("string")
.securityProfileGroup("string")
.targetSecureTags(NetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs.builder()
.name("string")
.state("string")
.build())
.targetServiceAccounts("string")
.tlsInspect(false)
.build())
.description("string")
.name("string")
.project("string")
.build());
network_firewall_policy_with_rules_resource = gcp.compute.NetworkFirewallPolicyWithRules("networkFirewallPolicyWithRulesResource",
rules=[{
"action": "string",
"match": {
"layer4Configs": [{
"ipProtocol": "string",
"ports": ["string"],
}],
"destAddressGroups": ["string"],
"destFqdns": ["string"],
"destIpRanges": ["string"],
"destRegionCodes": ["string"],
"destThreatIntelligences": ["string"],
"srcAddressGroups": ["string"],
"srcFqdns": ["string"],
"srcIpRanges": ["string"],
"srcRegionCodes": ["string"],
"srcSecureTags": [{
"name": "string",
"state": "string",
}],
"srcThreatIntelligences": ["string"],
},
"priority": 0,
"description": "string",
"direction": "string",
"disabled": False,
"enableLogging": False,
"ruleName": "string",
"securityProfileGroup": "string",
"targetSecureTags": [{
"name": "string",
"state": "string",
}],
"targetServiceAccounts": ["string"],
"tlsInspect": False,
}],
description="string",
name="string",
project="string")
const networkFirewallPolicyWithRulesResource = new gcp.compute.NetworkFirewallPolicyWithRules("networkFirewallPolicyWithRulesResource", {
rules: [{
action: "string",
match: {
layer4Configs: [{
ipProtocol: "string",
ports: ["string"],
}],
destAddressGroups: ["string"],
destFqdns: ["string"],
destIpRanges: ["string"],
destRegionCodes: ["string"],
destThreatIntelligences: ["string"],
srcAddressGroups: ["string"],
srcFqdns: ["string"],
srcIpRanges: ["string"],
srcRegionCodes: ["string"],
srcSecureTags: [{
name: "string",
state: "string",
}],
srcThreatIntelligences: ["string"],
},
priority: 0,
description: "string",
direction: "string",
disabled: false,
enableLogging: false,
ruleName: "string",
securityProfileGroup: "string",
targetSecureTags: [{
name: "string",
state: "string",
}],
targetServiceAccounts: ["string"],
tlsInspect: false,
}],
description: "string",
name: "string",
project: "string",
});
type: gcp:compute:NetworkFirewallPolicyWithRules
properties:
description: string
name: string
project: string
rules:
- action: string
description: string
direction: string
disabled: false
enableLogging: false
match:
destAddressGroups:
- string
destFqdns:
- string
destIpRanges:
- string
destRegionCodes:
- string
destThreatIntelligences:
- string
layer4Configs:
- ipProtocol: string
ports:
- string
srcAddressGroups:
- string
srcFqdns:
- string
srcIpRanges:
- string
srcRegionCodes:
- string
srcSecureTags:
- name: string
state: string
srcThreatIntelligences:
- string
priority: 0
ruleName: string
securityProfileGroup: string
targetSecureTags:
- name: string
state: string
targetServiceAccounts:
- string
tlsInspect: false
NetworkFirewallPolicyWithRules Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The NetworkFirewallPolicyWithRules resource accepts the following input properties:
- Rules
List<Network
Firewall Policy With Rules Rule> - A list of firewall policy rules. Structure is documented below.
- Description string
- (Output) A description of the rule.
- Name string
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- Project string
- Rules
[]Network
Firewall Policy With Rules Rule Args - A list of firewall policy rules. Structure is documented below.
- Description string
- (Output) A description of the rule.
- Name string
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- Project string
- rules
List<Network
Firewall Policy With Rules Rule> - A list of firewall policy rules. Structure is documented below.
- description String
- (Output) A description of the rule.
- name String
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- project String
- rules
Network
Firewall Policy With Rules Rule[] - A list of firewall policy rules. Structure is documented below.
- description string
- (Output) A description of the rule.
- name string
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- project string
- rules
Sequence[Network
Firewall Policy With Rules Rule Args] - A list of firewall policy rules. Structure is documented below.
- description str
- (Output) A description of the rule.
- name str
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- project str
- rules List<Property Map>
- A list of firewall policy rules. Structure is documented below.
- description String
- (Output) A description of the rule.
- name String
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- project String
Outputs
All input properties are implicitly available as output properties. Additionally, the NetworkFirewallPolicyWithRules resource produces the following output properties:
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Fingerprint string
- Fingerprint of the resource. This field is used internally during updates of this resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- Network
Firewall stringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- Predefined
Rules List<NetworkFirewall Policy With Rules Predefined Rule> - A list of firewall policy pre-defined rules. Structure is documented below.
- Rule
Tuple intCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- Self
Link string - Server-defined URL for the resource.
- Self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Fingerprint string
- Fingerprint of the resource. This field is used internally during updates of this resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- Network
Firewall stringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- Predefined
Rules []NetworkFirewall Policy With Rules Predefined Rule - A list of firewall policy pre-defined rules. Structure is documented below.
- Rule
Tuple intCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- Self
Link string - Server-defined URL for the resource.
- Self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- fingerprint String
- Fingerprint of the resource. This field is used internally during updates of this resource.
- id String
- The provider-assigned unique ID for this managed resource.
- network
Firewall StringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- predefined
Rules List<NetworkFirewall Policy With Rules Predefined Rule> - A list of firewall policy pre-defined rules. Structure is documented below.
- rule
Tuple IntegerCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- self
Link String - Server-defined URL for the resource.
- self
Link StringWith Id - Server-defined URL for this resource with the resource id.
- creation
Timestamp string - Creation timestamp in RFC3339 text format.
- fingerprint string
- Fingerprint of the resource. This field is used internally during updates of this resource.
- id string
- The provider-assigned unique ID for this managed resource.
- network
Firewall stringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- predefined
Rules NetworkFirewall Policy With Rules Predefined Rule[] - A list of firewall policy pre-defined rules. Structure is documented below.
- rule
Tuple numberCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- self
Link string - Server-defined URL for the resource.
- self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- creation_
timestamp str - Creation timestamp in RFC3339 text format.
- fingerprint str
- Fingerprint of the resource. This field is used internally during updates of this resource.
- id str
- The provider-assigned unique ID for this managed resource.
- network_
firewall_ strpolicy_ id - The unique identifier for the resource. This identifier is defined by the server.
- predefined_
rules Sequence[NetworkFirewall Policy With Rules Predefined Rule] - A list of firewall policy pre-defined rules. Structure is documented below.
- rule_
tuple_ intcount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- self_
link str - Server-defined URL for the resource.
- self_
link_ strwith_ id - Server-defined URL for this resource with the resource id.
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- fingerprint String
- Fingerprint of the resource. This field is used internally during updates of this resource.
- id String
- The provider-assigned unique ID for this managed resource.
- network
Firewall StringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- predefined
Rules List<Property Map> - A list of firewall policy pre-defined rules. Structure is documented below.
- rule
Tuple NumberCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- self
Link String - Server-defined URL for the resource.
- self
Link StringWith Id - Server-defined URL for this resource with the resource id.
Look up Existing NetworkFirewallPolicyWithRules Resource
Get an existing NetworkFirewallPolicyWithRules resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: NetworkFirewallPolicyWithRulesState, opts?: CustomResourceOptions): NetworkFirewallPolicyWithRules@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
creation_timestamp: Optional[str] = None,
description: Optional[str] = None,
fingerprint: Optional[str] = None,
name: Optional[str] = None,
network_firewall_policy_id: Optional[str] = None,
predefined_rules: Optional[Sequence[NetworkFirewallPolicyWithRulesPredefinedRuleArgs]] = None,
project: Optional[str] = None,
rule_tuple_count: Optional[int] = None,
rules: Optional[Sequence[NetworkFirewallPolicyWithRulesRuleArgs]] = None,
self_link: Optional[str] = None,
self_link_with_id: Optional[str] = None) -> NetworkFirewallPolicyWithRulesfunc GetNetworkFirewallPolicyWithRules(ctx *Context, name string, id IDInput, state *NetworkFirewallPolicyWithRulesState, opts ...ResourceOption) (*NetworkFirewallPolicyWithRules, error)public static NetworkFirewallPolicyWithRules Get(string name, Input<string> id, NetworkFirewallPolicyWithRulesState? state, CustomResourceOptions? opts = null)public static NetworkFirewallPolicyWithRules get(String name, Output<String> id, NetworkFirewallPolicyWithRulesState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Description string
- (Output) A description of the rule.
- Fingerprint string
- Fingerprint of the resource. This field is used internally during updates of this resource.
- Name string
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- Network
Firewall stringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- Predefined
Rules List<NetworkFirewall Policy With Rules Predefined Rule> - A list of firewall policy pre-defined rules. Structure is documented below.
- Project string
- Rule
Tuple intCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- Rules
List<Network
Firewall Policy With Rules Rule> - A list of firewall policy rules. Structure is documented below.
- Self
Link string - Server-defined URL for the resource.
- Self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Description string
- (Output) A description of the rule.
- Fingerprint string
- Fingerprint of the resource. This field is used internally during updates of this resource.
- Name string
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- Network
Firewall stringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- Predefined
Rules []NetworkFirewall Policy With Rules Predefined Rule Args - A list of firewall policy pre-defined rules. Structure is documented below.
- Project string
- Rule
Tuple intCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- Rules
[]Network
Firewall Policy With Rules Rule Args - A list of firewall policy rules. Structure is documented below.
- Self
Link string - Server-defined URL for the resource.
- Self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- description String
- (Output) A description of the rule.
- fingerprint String
- Fingerprint of the resource. This field is used internally during updates of this resource.
- name String
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- network
Firewall StringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- predefined
Rules List<NetworkFirewall Policy With Rules Predefined Rule> - A list of firewall policy pre-defined rules. Structure is documented below.
- project String
- rule
Tuple IntegerCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- rules
List<Network
Firewall Policy With Rules Rule> - A list of firewall policy rules. Structure is documented below.
- self
Link String - Server-defined URL for the resource.
- self
Link StringWith Id - Server-defined URL for this resource with the resource id.
- creation
Timestamp string - Creation timestamp in RFC3339 text format.
- description string
- (Output) A description of the rule.
- fingerprint string
- Fingerprint of the resource. This field is used internally during updates of this resource.
- name string
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- network
Firewall stringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- predefined
Rules NetworkFirewall Policy With Rules Predefined Rule[] - A list of firewall policy pre-defined rules. Structure is documented below.
- project string
- rule
Tuple numberCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- rules
Network
Firewall Policy With Rules Rule[] - A list of firewall policy rules. Structure is documented below.
- self
Link string - Server-defined URL for the resource.
- self
Link stringWith Id - Server-defined URL for this resource with the resource id.
- creation_
timestamp str - Creation timestamp in RFC3339 text format.
- description str
- (Output) A description of the rule.
- fingerprint str
- Fingerprint of the resource. This field is used internally during updates of this resource.
- name str
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- network_
firewall_ strpolicy_ id - The unique identifier for the resource. This identifier is defined by the server.
- predefined_
rules Sequence[NetworkFirewall Policy With Rules Predefined Rule Args] - A list of firewall policy pre-defined rules. Structure is documented below.
- project str
- rule_
tuple_ intcount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- rules
Sequence[Network
Firewall Policy With Rules Rule Args] - A list of firewall policy rules. Structure is documented below.
- self_
link str - Server-defined URL for the resource.
- self_
link_ strwith_ id - Server-defined URL for this resource with the resource id.
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- description String
- (Output) A description of the rule.
- fingerprint String
- Fingerprint of the resource. This field is used internally during updates of this resource.
- name String
- User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
- network
Firewall StringPolicy Id - The unique identifier for the resource. This identifier is defined by the server.
- predefined
Rules List<Property Map> - A list of firewall policy pre-defined rules. Structure is documented below.
- project String
- rule
Tuple NumberCount - Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
- rules List<Property Map>
- A list of firewall policy rules. Structure is documented below.
- self
Link String - Server-defined URL for the resource.
- self
Link StringWith Id - Server-defined URL for this resource with the resource id.
Supporting Types
NetworkFirewallPolicyWithRulesPredefinedRule, NetworkFirewallPolicyWithRulesPredefinedRuleArgs
- Action string
- (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- Description string
- (Output) A description of the rule.
- Direction string
- (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
- Disabled bool
- (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- Matches
List<Network
Firewall Policy With Rules Predefined Rule Match> - (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
- (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Rule
Name string - (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
- Security
Profile stringGroup - (Output) A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
List<Network
Firewall Policy With Rules Predefined Rule Target Secure Tag> - (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- Target
Service List<string>Accounts - (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- Action string
- (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- Description string
- (Output) A description of the rule.
- Direction string
- (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
- Disabled bool
- (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- Matches
[]Network
Firewall Policy With Rules Predefined Rule Match - (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
- (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Rule
Name string - (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
- Security
Profile stringGroup - (Output) A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
[]Network
Firewall Policy With Rules Predefined Rule Target Secure Tag - (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- Target
Service []stringAccounts - (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- description String
- (Output) A description of the rule.
- direction String
- (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
- disabled Boolean
- (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- matches
List<Network
Firewall Policy With Rules Predefined Rule Match> - (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Integer
- (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- rule
Name String - (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile StringGroup - (Output) A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
List<Network
Firewall Policy With Rules Predefined Rule Target Secure Tag> - (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- target
Service List<String>Accounts - (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action string
- (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- description string
- (Output) A description of the rule.
- direction string
- (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
- disabled boolean
- (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean - (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- matches
Network
Firewall Policy With Rules Predefined Rule Match[] - (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority number
- (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- rule
Name string - (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile stringGroup - (Output) A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
Network
Firewall Policy With Rules Predefined Rule Target Secure Tag[] - (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- target
Service string[]Accounts - (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect boolean - (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action str
- (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- description str
- (Output) A description of the rule.
- direction str
- (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
- disabled bool
- (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool - (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- matches
Sequence[Network
Firewall Policy With Rules Predefined Rule Match] - (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority int
- (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- rule_
name str - (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
- security_
profile_ strgroup - (Output) A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
Sequence[Network
Firewall Policy With Rules Predefined Rule Target Secure Tag] - (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- target_
service_ Sequence[str]accounts - (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
- tls_
inspect bool - (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- description String
- (Output) A description of the rule.
- direction String
- (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
- disabled Boolean
- (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- matches List<Property Map>
- (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Number
- (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- rule
Name String - (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile StringGroup - (Output) A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
- List<Property Map>
- (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- target
Service List<String>Accounts - (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
NetworkFirewallPolicyWithRulesPredefinedRuleMatch, NetworkFirewallPolicyWithRulesPredefinedRuleMatchArgs
- Dest
Address List<string>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- Dest
Fqdns List<string> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- Dest
Ip List<string>Ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- Dest
Region List<string>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- Dest
Threat List<string>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- Layer4Configs
List<Network
Firewall Policy With Rules Predefined Rule Match Layer4Config> - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- Src
Address List<string>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- Src
Fqdns List<string> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- Src
Ip List<string>Ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- Src
Region List<string>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
List<Network
Firewall Policy With Rules Predefined Rule Match Src Secure Tag> List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- Src
Threat List<string>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- Dest
Address []stringGroups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- Dest
Fqdns []string - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- Dest
Ip []stringRanges - Destination IP address range in CIDR format. Required for EGRESS rules.
- Dest
Region []stringCodes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- Dest
Threat []stringIntelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- Layer4Configs
[]Network
Firewall Policy With Rules Predefined Rule Match Layer4Config - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- Src
Address []stringGroups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- Src
Fqdns []string - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- Src
Ip []stringRanges - Source IP address range in CIDR format. Required for INGRESS rules.
- Src
Region []stringCodes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
[]Network
Firewall Policy With Rules Predefined Rule Match Src Secure Tag List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- Src
Threat []stringIntelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- dest
Address List<String>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip List<String>Ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- dest
Region List<String>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- dest
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- layer4Configs
List<Network
Firewall Policy With Rules Predefined Rule Match Layer4Config> - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- src
Address List<String>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip List<String>Ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- src
Region List<String>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
List<Network
Firewall Policy With Rules Predefined Rule Match Src Secure Tag> List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- src
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- dest
Address string[]Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns string[] - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip string[]Ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- dest
Region string[]Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- dest
Threat string[]Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- layer4Configs
Network
Firewall Policy With Rules Predefined Rule Match Layer4Config[] - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- src
Address string[]Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns string[] - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip string[]Ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- src
Region string[]Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
Network
Firewall Policy With Rules Predefined Rule Match Src Secure Tag[] List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- src
Threat string[]Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- dest_
address_ Sequence[str]groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest_
fqdns Sequence[str] - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest_
ip_ Sequence[str]ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- dest_
region_ Sequence[str]codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- dest_
threat_ Sequence[str]intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- layer4_
configs Sequence[NetworkFirewall Policy With Rules Predefined Rule Match Layer4Config] - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- src_
address_ Sequence[str]groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src_
fqdns Sequence[str] - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src_
ip_ Sequence[str]ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- src_
region_ Sequence[str]codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
Sequence[Network
Firewall Policy With Rules Predefined Rule Match Src Secure Tag] List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- src_
threat_ Sequence[str]intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- dest
Address List<String>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip List<String>Ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- dest
Region List<String>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- dest
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- layer4Configs List<Property Map>
- Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- src
Address List<String>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip List<String>Ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- src
Region List<String>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
- List<Property Map>
List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- src
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
NetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4Config, NetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4ConfigArgs
- Ip
Protocol string - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports List<string>
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- Ip
Protocol string - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports []string
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol String - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports List<String>
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol string - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports string[]
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip_
protocol str - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports Sequence[str]
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol String - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports List<String>
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
NetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTag, NetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTagArgs
NetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTag, NetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTagArgs
NetworkFirewallPolicyWithRulesRule, NetworkFirewallPolicyWithRulesRuleArgs
- Action string
- The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- Match
Network
Firewall Policy With Rules Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Description string
- A description of the rule.
- Direction string
- The direction in which this rule applies. If unspecified an INGRESS rule is created.
Possible values are:
INGRESS,EGRESS. - Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
List<Network
Firewall Policy With Rules Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- Target
Service List<string>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- Action string
- The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- Match
Network
Firewall Policy With Rules Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Description string
- A description of the rule.
- Direction string
- The direction in which this rule applies. If unspecified an INGRESS rule is created.
Possible values are:
INGRESS,EGRESS. - Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
[]Network
Firewall Policy With Rules Rule Target Secure Tag - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- Target
Service []stringAccounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- match
Network
Firewall Policy With Rules Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Integer
- An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- description String
- A description of the rule.
- direction String
- The direction in which this rule applies. If unspecified an INGRESS rule is created.
Possible values are:
INGRESS,EGRESS. - disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
List<Network
Firewall Policy With Rules Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action string
- The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- match
Network
Firewall Policy With Rules Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority number
- An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- description string
- A description of the rule.
- direction string
- The direction in which this rule applies. If unspecified an INGRESS rule is created.
Possible values are:
INGRESS,EGRESS. - disabled boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
Network
Firewall Policy With Rules Rule Target Secure Tag[] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- target
Service string[]Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action str
- The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- match
Network
Firewall Policy With Rules Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority int
- An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- description str
- A description of the rule.
- direction str
- The direction in which this rule applies. If unspecified an INGRESS rule is created.
Possible values are:
INGRESS,EGRESS. - disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- rule_
name str - An optional name for the rule. This field is not a unique identifier and can be updated.
- security_
profile_ strgroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
-
Sequence[Network
Firewall Policy With Rules Rule Target Secure Tag] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- target_
service_ Sequence[str]accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls_
inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
- match Property Map
- A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Number
- An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- description String
- A description of the rule.
- direction String
- The direction in which this rule applies. If unspecified an INGRESS rule is created.
Possible values are:
INGRESS,EGRESS. - disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
- List<Property Map>
- A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
NetworkFirewallPolicyWithRulesRuleMatch, NetworkFirewallPolicyWithRulesRuleMatchArgs
- Layer4Configs
List<Network
Firewall Policy With Rules Rule Match Layer4Config> - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- Dest
Address List<string>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- Dest
Fqdns List<string> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- Dest
Ip List<string>Ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- Dest
Region List<string>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- Dest
Threat List<string>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- Src
Address List<string>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- Src
Fqdns List<string> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- Src
Ip List<string>Ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- Src
Region List<string>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
List<Network
Firewall Policy With Rules Rule Match Src Secure Tag> List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- Src
Threat List<string>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- Layer4Configs
[]Network
Firewall Policy With Rules Rule Match Layer4Config - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- Dest
Address []stringGroups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- Dest
Fqdns []string - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- Dest
Ip []stringRanges - Destination IP address range in CIDR format. Required for EGRESS rules.
- Dest
Region []stringCodes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- Dest
Threat []stringIntelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- Src
Address []stringGroups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- Src
Fqdns []string - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- Src
Ip []stringRanges - Source IP address range in CIDR format. Required for INGRESS rules.
- Src
Region []stringCodes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
[]Network
Firewall Policy With Rules Rule Match Src Secure Tag List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- Src
Threat []stringIntelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- layer4Configs
List<Network
Firewall Policy With Rules Rule Match Layer4Config> - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address List<String>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip List<String>Ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- dest
Region List<String>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- dest
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- src
Address List<String>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip List<String>Ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- src
Region List<String>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
List<Network
Firewall Policy With Rules Rule Match Src Secure Tag> List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- src
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- layer4Configs
Network
Firewall Policy With Rules Rule Match Layer4Config[] - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address string[]Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns string[] - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip string[]Ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- dest
Region string[]Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- dest
Threat string[]Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- src
Address string[]Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns string[] - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip string[]Ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- src
Region string[]Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
Network
Firewall Policy With Rules Rule Match Src Secure Tag[] List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- src
Threat string[]Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- layer4_
configs Sequence[NetworkFirewall Policy With Rules Rule Match Layer4Config] - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest_
address_ Sequence[str]groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest_
fqdns Sequence[str] - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest_
ip_ Sequence[str]ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- dest_
region_ Sequence[str]codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- dest_
threat_ Sequence[str]intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- src_
address_ Sequence[str]groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src_
fqdns Sequence[str] - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src_
ip_ Sequence[str]ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- src_
region_ Sequence[str]codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
Sequence[Network
Firewall Policy With Rules Rule Match Src Secure Tag] List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- src_
threat_ Sequence[str]intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
- layer4Configs List<Property Map>
- Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address List<String>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip List<String>Ranges - Destination IP address range in CIDR format. Required for EGRESS rules.
- dest
Region List<String>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
- dest
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- src
Address List<String>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip List<String>Ranges - Source IP address range in CIDR format. Required for INGRESS rules.
- src
Region List<String>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
- List<Property Map>
List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
The
layer4_configblock supports:- src
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
NetworkFirewallPolicyWithRulesRuleMatchLayer4Config, NetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
- Ip
Protocol string - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports List<string>
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- Ip
Protocol string - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports []string
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol String - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports List<String>
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol string - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports string[]
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip_
protocol str - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports Sequence[str]
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol String - (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports List<String>
- (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag, NetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs
NetworkFirewallPolicyWithRulesRuleTargetSecureTag, NetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs
Import
NetworkFirewallPolicyWithRules can be imported using any of these accepted formats:
projects/{{project}}/global/firewallPolicies/{{name}}{{project}}/{{name}}{{name}}
When using the pulumi import command, NetworkFirewallPolicyWithRules can be imported using one of the formats above. For example:
$ pulumi import gcp:compute/networkFirewallPolicyWithRules:NetworkFirewallPolicyWithRules default projects/{{project}}/global/firewallPolicies/{{name}}
$ pulumi import gcp:compute/networkFirewallPolicyWithRules:NetworkFirewallPolicyWithRules default {{project}}/{{name}}
$ pulumi import gcp:compute/networkFirewallPolicyWithRules:NetworkFirewallPolicyWithRules default {{name}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.