Docs Home
Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi
gcp.compute.NetworkFirewallPolicyPacketMirroringRule
Explore with Pulumi AI
Example Usage
Compute Network Firewall Policy Packet Mirroring Rule
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const project = gcp.organizations.getProject({});
const _default = new gcp.compute.Network("default", {
name: "fw-network",
autoCreateSubnetworks: false,
});
const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", {
name: "fw-policy",
description: "Sample global network firewall policy",
project: "my-project-name",
});
const defaultMirroringDeploymentGroup = new gcp.networksecurity.MirroringDeploymentGroup("default", {
mirroringDeploymentGroupId: "deployment-group",
location: "global",
network: _default.id,
});
const defaultMirroringEndpointGroup = new gcp.networksecurity.MirroringEndpointGroup("default", {
mirroringEndpointGroupId: "endpoint-group",
location: "global",
mirroringDeploymentGroup: defaultMirroringDeploymentGroup.id,
});
const defaultSecurityProfile = new gcp.networksecurity.SecurityProfile("default", {
name: "sec-profile",
parent: "organizations/123456789",
description: "my description",
type: "CUSTOM_MIRRORING",
customMirroringProfile: {
mirroringEndpointGroup: defaultMirroringEndpointGroup.id,
},
});
const securityProfileGroup1 = new gcp.networksecurity.SecurityProfileGroup("security_profile_group_1", {
name: "sec-profile-group",
parent: "organizations/123456789",
description: "my description",
customMirroringProfile: defaultSecurityProfile.id,
});
const secureTagKey1 = new gcp.tags.TagKey("secure_tag_key_1", {
description: "Test tag key description",
parent: "organizations/123456789",
purpose: "GCE_FIREWALL",
shortName: "tag-key",
purposeData: {
network: pulumi.interpolate`my-project-name/${_default.name}`,
},
});
const secureTagValue1 = new gcp.tags.TagValue("secure_tag_value_1", {
description: "Test tag value description.",
parent: secureTagKey1.id,
shortName: "tag-value",
});
const primary = new gcp.compute.NetworkFirewallPolicyPacketMirroringRule("primary", {
action: "mirror",
description: "This is a simple packet mirroring rule description",
direction: "INGRESS",
disabled: false,
firewallPolicy: basicNetworkFirewallPolicy.name,
priority: 1000,
ruleName: "test-rule",
match: {
srcIpRanges: ["10.100.0.1/32"],
layer4Configs: [{
ipProtocol: "all",
}],
},
securityProfileGroup: pulumi.interpolate`//networksecurity.googleapis.com/${securityProfileGroup1.id}`,
targetSecureTags: [{
name: pulumi.interpolate`tagValues/${secureTagValue1.name}`,
}],
});
import pulumi
import pulumi_gcp as gcp
project = gcp.organizations.get_project()
default = gcp.compute.Network("default",
name="fw-network",
auto_create_subnetworks=False)
basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
name="fw-policy",
description="Sample global network firewall policy",
project="my-project-name")
default_mirroring_deployment_group = gcp.networksecurity.MirroringDeploymentGroup("default",
mirroring_deployment_group_id="deployment-group",
location="global",
network=default.id)
default_mirroring_endpoint_group = gcp.networksecurity.MirroringEndpointGroup("default",
mirroring_endpoint_group_id="endpoint-group",
location="global",
mirroring_deployment_group=default_mirroring_deployment_group.id)
default_security_profile = gcp.networksecurity.SecurityProfile("default",
name="sec-profile",
parent="organizations/123456789",
description="my description",
type="CUSTOM_MIRRORING",
custom_mirroring_profile={
"mirroring_endpoint_group": default_mirroring_endpoint_group.id,
})
security_profile_group1 = gcp.networksecurity.SecurityProfileGroup("security_profile_group_1",
name="sec-profile-group",
parent="organizations/123456789",
description="my description",
custom_mirroring_profile=default_security_profile.id)
secure_tag_key1 = gcp.tags.TagKey("secure_tag_key_1",
description="Test tag key description",
parent="organizations/123456789",
purpose="GCE_FIREWALL",
short_name="tag-key",
purpose_data={
"network": default.name.apply(lambda name: f"my-project-name/{name}"),
})
secure_tag_value1 = gcp.tags.TagValue("secure_tag_value_1",
description="Test tag value description.",
parent=secure_tag_key1.id,
short_name="tag-value")
primary = gcp.compute.NetworkFirewallPolicyPacketMirroringRule("primary",
action="mirror",
description="This is a simple packet mirroring rule description",
direction="INGRESS",
disabled=False,
firewall_policy=basic_network_firewall_policy.name,
priority=1000,
rule_name="test-rule",
match={
"src_ip_ranges": ["10.100.0.1/32"],
"layer4_configs": [{
"ip_protocol": "all",
}],
},
security_profile_group=security_profile_group1.id.apply(lambda id: f"//networksecurity.googleapis.com/{id}"),
target_secure_tags=[{
"name": secure_tag_value1.name.apply(lambda name: f"tagValues/{name}"),
}])
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
_default, err := compute.NewNetwork(ctx, "default", &compute.NetworkArgs{
Name: pulumi.String("fw-network"),
AutoCreateSubnetworks: pulumi.Bool(false),
})
if err != nil {
return err
}
basicNetworkFirewallPolicy, err := compute.NewNetworkFirewallPolicy(ctx, "basic_network_firewall_policy", &compute.NetworkFirewallPolicyArgs{
Name: pulumi.String("fw-policy"),
Description: pulumi.String("Sample global network firewall policy"),
Project: pulumi.String("my-project-name"),
})
if err != nil {
return err
}
defaultMirroringDeploymentGroup, err := networksecurity.NewMirroringDeploymentGroup(ctx, "default", &networksecurity.MirroringDeploymentGroupArgs{
MirroringDeploymentGroupId: pulumi.String("deployment-group"),
Location: pulumi.String("global"),
Network: _default.ID(),
})
if err != nil {
return err
}
defaultMirroringEndpointGroup, err := networksecurity.NewMirroringEndpointGroup(ctx, "default", &networksecurity.MirroringEndpointGroupArgs{
MirroringEndpointGroupId: pulumi.String("endpoint-group"),
Location: pulumi.String("global"),
MirroringDeploymentGroup: defaultMirroringDeploymentGroup.ID(),
})
if err != nil {
return err
}
defaultSecurityProfile, err := networksecurity.NewSecurityProfile(ctx, "default", &networksecurity.SecurityProfileArgs{
Name: pulumi.String("sec-profile"),
Parent: pulumi.String("organizations/123456789"),
Description: pulumi.String("my description"),
Type: pulumi.String("CUSTOM_MIRRORING"),
CustomMirroringProfile: &networksecurity.SecurityProfileCustomMirroringProfileArgs{
MirroringEndpointGroup: defaultMirroringEndpointGroup.ID(),
},
})
if err != nil {
return err
}
securityProfileGroup1, err := networksecurity.NewSecurityProfileGroup(ctx, "security_profile_group_1", &networksecurity.SecurityProfileGroupArgs{
Name: pulumi.String("sec-profile-group"),
Parent: pulumi.String("organizations/123456789"),
Description: pulumi.String("my description"),
CustomMirroringProfile: defaultSecurityProfile.ID(),
})
if err != nil {
return err
}
secureTagKey1, err := tags.NewTagKey(ctx, "secure_tag_key_1", &tags.TagKeyArgs{
Description: pulumi.String("Test tag key description"),
Parent: pulumi.String("organizations/123456789"),
Purpose: pulumi.String("GCE_FIREWALL"),
ShortName: pulumi.String("tag-key"),
PurposeData: pulumi.StringMap{
"network": _default.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("my-project-name/%v", name), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
secureTagValue1, err := tags.NewTagValue(ctx, "secure_tag_value_1", &tags.TagValueArgs{
Description: pulumi.String("Test tag value description."),
Parent: secureTagKey1.ID(),
ShortName: pulumi.String("tag-value"),
})
if err != nil {
return err
}
_, err = compute.NewNetworkFirewallPolicyPacketMirroringRule(ctx, "primary", &compute.NetworkFirewallPolicyPacketMirroringRuleArgs{
Action: pulumi.String("mirror"),
Description: pulumi.String("This is a simple packet mirroring rule description"),
Direction: pulumi.String("INGRESS"),
Disabled: pulumi.Bool(false),
FirewallPolicy: basicNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
RuleName: pulumi.String("test-rule"),
Match: &compute.NetworkFirewallPolicyPacketMirroringRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("10.100.0.1/32"),
},
Layer4Configs: compute.NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
},
SecurityProfileGroup: securityProfileGroup1.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("//networksecurity.googleapis.com/%v", id), nil
}).(pulumi.StringOutput),
TargetSecureTags: compute.NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArray{
&compute.NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs{
Name: secureTagValue1.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("tagValues/%v", name), nil
}).(pulumi.StringOutput),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var project = Gcp.Organizations.GetProject.Invoke();
var @default = new Gcp.Compute.Network("default", new()
{
Name = "fw-network",
AutoCreateSubnetworks = false,
});
var basicNetworkFirewallPolicy = new Gcp.Compute.NetworkFirewallPolicy("basic_network_firewall_policy", new()
{
Name = "fw-policy",
Description = "Sample global network firewall policy",
Project = "my-project-name",
});
var defaultMirroringDeploymentGroup = new Gcp.NetworkSecurity.MirroringDeploymentGroup("default", new()
{
MirroringDeploymentGroupId = "deployment-group",
Location = "global",
Network = @default.Id,
});
var defaultMirroringEndpointGroup = new Gcp.NetworkSecurity.MirroringEndpointGroup("default", new()
{
MirroringEndpointGroupId = "endpoint-group",
Location = "global",
MirroringDeploymentGroup = defaultMirroringDeploymentGroup.Id,
});
var defaultSecurityProfile = new Gcp.NetworkSecurity.SecurityProfile("default", new()
{
Name = "sec-profile",
Parent = "organizations/123456789",
Description = "my description",
Type = "CUSTOM_MIRRORING",
CustomMirroringProfile = new Gcp.NetworkSecurity.Inputs.SecurityProfileCustomMirroringProfileArgs
{
MirroringEndpointGroup = defaultMirroringEndpointGroup.Id,
},
});
var securityProfileGroup1 = new Gcp.NetworkSecurity.SecurityProfileGroup("security_profile_group_1", new()
{
Name = "sec-profile-group",
Parent = "organizations/123456789",
Description = "my description",
CustomMirroringProfile = defaultSecurityProfile.Id,
});
var secureTagKey1 = new Gcp.Tags.TagKey("secure_tag_key_1", new()
{
Description = "Test tag key description",
Parent = "organizations/123456789",
Purpose = "GCE_FIREWALL",
ShortName = "tag-key",
PurposeData =
{
{ "network", @default.Name.Apply(name => $"my-project-name/{name}") },
},
});
var secureTagValue1 = new Gcp.Tags.TagValue("secure_tag_value_1", new()
{
Description = "Test tag value description.",
Parent = secureTagKey1.Id,
ShortName = "tag-value",
});
var primary = new Gcp.Compute.NetworkFirewallPolicyPacketMirroringRule("primary", new()
{
Action = "mirror",
Description = "This is a simple packet mirroring rule description",
Direction = "INGRESS",
Disabled = false,
FirewallPolicy = basicNetworkFirewallPolicy.Name,
Priority = 1000,
RuleName = "test-rule",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyPacketMirroringRuleMatchArgs
{
SrcIpRanges = new[]
{
"10.100.0.1/32",
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
},
SecurityProfileGroup = securityProfileGroup1.Id.Apply(id => $"//networksecurity.googleapis.com/{id}"),
TargetSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs
{
Name = secureTagValue1.Name.Apply(name => $"tagValues/{name}"),
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicy;
import com.pulumi.gcp.compute.NetworkFirewallPolicyArgs;
import com.pulumi.gcp.networksecurity.MirroringDeploymentGroup;
import com.pulumi.gcp.networksecurity.MirroringDeploymentGroupArgs;
import com.pulumi.gcp.networksecurity.MirroringEndpointGroup;
import com.pulumi.gcp.networksecurity.MirroringEndpointGroupArgs;
import com.pulumi.gcp.networksecurity.SecurityProfile;
import com.pulumi.gcp.networksecurity.SecurityProfileArgs;
import com.pulumi.gcp.networksecurity.inputs.SecurityProfileCustomMirroringProfileArgs;
import com.pulumi.gcp.networksecurity.SecurityProfileGroup;
import com.pulumi.gcp.networksecurity.SecurityProfileGroupArgs;
import com.pulumi.gcp.tags.TagKey;
import com.pulumi.gcp.tags.TagKeyArgs;
import com.pulumi.gcp.tags.TagValue;
import com.pulumi.gcp.tags.TagValueArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicyPacketMirroringRule;
import com.pulumi.gcp.compute.NetworkFirewallPolicyPacketMirroringRuleArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyPacketMirroringRuleMatchArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var project = OrganizationsFunctions.getProject();
var default_ = new Network("default", NetworkArgs.builder()
.name("fw-network")
.autoCreateSubnetworks(false)
.build());
var basicNetworkFirewallPolicy = new NetworkFirewallPolicy("basicNetworkFirewallPolicy", NetworkFirewallPolicyArgs.builder()
.name("fw-policy")
.description("Sample global network firewall policy")
.project("my-project-name")
.build());
var defaultMirroringDeploymentGroup = new MirroringDeploymentGroup("defaultMirroringDeploymentGroup", MirroringDeploymentGroupArgs.builder()
.mirroringDeploymentGroupId("deployment-group")
.location("global")
.network(default_.id())
.build());
var defaultMirroringEndpointGroup = new MirroringEndpointGroup("defaultMirroringEndpointGroup", MirroringEndpointGroupArgs.builder()
.mirroringEndpointGroupId("endpoint-group")
.location("global")
.mirroringDeploymentGroup(defaultMirroringDeploymentGroup.id())
.build());
var defaultSecurityProfile = new SecurityProfile("defaultSecurityProfile", SecurityProfileArgs.builder()
.name("sec-profile")
.parent("organizations/123456789")
.description("my description")
.type("CUSTOM_MIRRORING")
.customMirroringProfile(SecurityProfileCustomMirroringProfileArgs.builder()
.mirroringEndpointGroup(defaultMirroringEndpointGroup.id())
.build())
.build());
var securityProfileGroup1 = new SecurityProfileGroup("securityProfileGroup1", SecurityProfileGroupArgs.builder()
.name("sec-profile-group")
.parent("organizations/123456789")
.description("my description")
.customMirroringProfile(defaultSecurityProfile.id())
.build());
var secureTagKey1 = new TagKey("secureTagKey1", TagKeyArgs.builder()
.description("Test tag key description")
.parent("organizations/123456789")
.purpose("GCE_FIREWALL")
.shortName("tag-key")
.purposeData(Map.of("network", default_.name().applyValue(name -> String.format("my-project-name/%s", name))))
.build());
var secureTagValue1 = new TagValue("secureTagValue1", TagValueArgs.builder()
.description("Test tag value description.")
.parent(secureTagKey1.id())
.shortName("tag-value")
.build());
var primary = new NetworkFirewallPolicyPacketMirroringRule("primary", NetworkFirewallPolicyPacketMirroringRuleArgs.builder()
.action("mirror")
.description("This is a simple packet mirroring rule description")
.direction("INGRESS")
.disabled(false)
.firewallPolicy(basicNetworkFirewallPolicy.name())
.priority(1000)
.ruleName("test-rule")
.match(NetworkFirewallPolicyPacketMirroringRuleMatchArgs.builder()
.srcIpRanges("10.100.0.1/32")
.layer4Configs(NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.build())
.securityProfileGroup(securityProfileGroup1.id().applyValue(id -> String.format("//networksecurity.googleapis.com/%s", id)))
.targetSecureTags(NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs.builder()
.name(secureTagValue1.name().applyValue(name -> String.format("tagValues/%s", name)))
.build())
.build());
}
}
resources:
default:
type: gcp:compute:Network
properties:
name: fw-network
autoCreateSubnetworks: false
basicNetworkFirewallPolicy:
type: gcp:compute:NetworkFirewallPolicy
name: basic_network_firewall_policy
properties:
name: fw-policy
description: Sample global network firewall policy
project: my-project-name
primary:
type: gcp:compute:NetworkFirewallPolicyPacketMirroringRule
properties:
action: mirror
description: This is a simple packet mirroring rule description
direction: INGRESS
disabled: false
firewallPolicy: ${basicNetworkFirewallPolicy.name}
priority: 1000
ruleName: test-rule
match:
srcIpRanges:
- 10.100.0.1/32
layer4Configs:
- ipProtocol: all
securityProfileGroup: //networksecurity.googleapis.com/${securityProfileGroup1.id}
targetSecureTags:
- name: tagValues/${secureTagValue1.name}
defaultMirroringDeploymentGroup:
type: gcp:networksecurity:MirroringDeploymentGroup
name: default
properties:
mirroringDeploymentGroupId: deployment-group
location: global
network: ${default.id}
defaultMirroringEndpointGroup:
type: gcp:networksecurity:MirroringEndpointGroup
name: default
properties:
mirroringEndpointGroupId: endpoint-group
location: global
mirroringDeploymentGroup: ${defaultMirroringDeploymentGroup.id}
defaultSecurityProfile:
type: gcp:networksecurity:SecurityProfile
name: default
properties:
name: sec-profile
parent: organizations/123456789
description: my description
type: CUSTOM_MIRRORING
customMirroringProfile:
mirroringEndpointGroup: ${defaultMirroringEndpointGroup.id}
securityProfileGroup1:
type: gcp:networksecurity:SecurityProfileGroup
name: security_profile_group_1
properties:
name: sec-profile-group
parent: organizations/123456789
description: my description
customMirroringProfile: ${defaultSecurityProfile.id}
secureTagKey1:
type: gcp:tags:TagKey
name: secure_tag_key_1
properties:
description: Test tag key description
parent: organizations/123456789
purpose: GCE_FIREWALL
shortName: tag-key
purposeData:
network: my-project-name/${default.name}
secureTagValue1:
type: gcp:tags:TagValue
name: secure_tag_value_1
properties:
description: Test tag value description.
parent: ${secureTagKey1.id}
shortName: tag-value
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
Create NetworkFirewallPolicyPacketMirroringRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new NetworkFirewallPolicyPacketMirroringRule(name: string, args: NetworkFirewallPolicyPacketMirroringRuleArgs, opts?: CustomResourceOptions);@overload
def NetworkFirewallPolicyPacketMirroringRule(resource_name: str,
args: NetworkFirewallPolicyPacketMirroringRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def NetworkFirewallPolicyPacketMirroringRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
direction: Optional[str] = None,
firewall_policy: Optional[str] = None,
match: Optional[NetworkFirewallPolicyPacketMirroringRuleMatchArgs] = None,
priority: Optional[int] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
project: Optional[str] = None,
rule_name: Optional[str] = None,
security_profile_group: Optional[str] = None,
target_secure_tags: Optional[Sequence[NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs]] = None,
tls_inspect: Optional[bool] = None)func NewNetworkFirewallPolicyPacketMirroringRule(ctx *Context, name string, args NetworkFirewallPolicyPacketMirroringRuleArgs, opts ...ResourceOption) (*NetworkFirewallPolicyPacketMirroringRule, error)public NetworkFirewallPolicyPacketMirroringRule(string name, NetworkFirewallPolicyPacketMirroringRuleArgs args, CustomResourceOptions? opts = null)
public NetworkFirewallPolicyPacketMirroringRule(String name, NetworkFirewallPolicyPacketMirroringRuleArgs args)
public NetworkFirewallPolicyPacketMirroringRule(String name, NetworkFirewallPolicyPacketMirroringRuleArgs args, CustomResourceOptions options)
type: gcp:compute:NetworkFirewallPolicyPacketMirroringRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args NetworkFirewallPolicyPacketMirroringRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args NetworkFirewallPolicyPacketMirroringRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args NetworkFirewallPolicyPacketMirroringRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args NetworkFirewallPolicyPacketMirroringRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args NetworkFirewallPolicyPacketMirroringRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var networkFirewallPolicyPacketMirroringRuleResource = new Gcp.Compute.NetworkFirewallPolicyPacketMirroringRule("networkFirewallPolicyPacketMirroringRuleResource", new()
{
Action = "string",
Direction = "string",
FirewallPolicy = "string",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyPacketMirroringRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArgs
{
IpProtocol = "string",
Ports = new[]
{
"string",
},
},
},
DestIpRanges = new[]
{
"string",
},
SrcIpRanges = new[]
{
"string",
},
},
Priority = 0,
Description = "string",
Disabled = false,
Project = "string",
RuleName = "string",
SecurityProfileGroup = "string",
TargetSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs
{
Name = "string",
State = "string",
},
},
TlsInspect = false,
});
example, err := compute.NewNetworkFirewallPolicyPacketMirroringRule(ctx, "networkFirewallPolicyPacketMirroringRuleResource", &compute.NetworkFirewallPolicyPacketMirroringRuleArgs{
Action: pulumi.String("string"),
Direction: pulumi.String("string"),
FirewallPolicy: pulumi.String("string"),
Match: &compute.NetworkFirewallPolicyPacketMirroringRuleMatchArgs{
Layer4Configs: compute.NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("string"),
Ports: pulumi.StringArray{
pulumi.String("string"),
},
},
},
DestIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
SrcIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
},
Priority: pulumi.Int(0),
Description: pulumi.String("string"),
Disabled: pulumi.Bool(false),
Project: pulumi.String("string"),
RuleName: pulumi.String("string"),
SecurityProfileGroup: pulumi.String("string"),
TargetSecureTags: compute.NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArray{
&compute.NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs{
Name: pulumi.String("string"),
State: pulumi.String("string"),
},
},
TlsInspect: pulumi.Bool(false),
})
var networkFirewallPolicyPacketMirroringRuleResource = new NetworkFirewallPolicyPacketMirroringRule("networkFirewallPolicyPacketMirroringRuleResource", NetworkFirewallPolicyPacketMirroringRuleArgs.builder()
.action("string")
.direction("string")
.firewallPolicy("string")
.match(NetworkFirewallPolicyPacketMirroringRuleMatchArgs.builder()
.layer4Configs(NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("string")
.ports("string")
.build())
.destIpRanges("string")
.srcIpRanges("string")
.build())
.priority(0)
.description("string")
.disabled(false)
.project("string")
.ruleName("string")
.securityProfileGroup("string")
.targetSecureTags(NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs.builder()
.name("string")
.state("string")
.build())
.tlsInspect(false)
.build());
network_firewall_policy_packet_mirroring_rule_resource = gcp.compute.NetworkFirewallPolicyPacketMirroringRule("networkFirewallPolicyPacketMirroringRuleResource",
action="string",
direction="string",
firewall_policy="string",
match={
"layer4_configs": [{
"ip_protocol": "string",
"ports": ["string"],
}],
"dest_ip_ranges": ["string"],
"src_ip_ranges": ["string"],
},
priority=0,
description="string",
disabled=False,
project="string",
rule_name="string",
security_profile_group="string",
target_secure_tags=[{
"name": "string",
"state": "string",
}],
tls_inspect=False)
const networkFirewallPolicyPacketMirroringRuleResource = new gcp.compute.NetworkFirewallPolicyPacketMirroringRule("networkFirewallPolicyPacketMirroringRuleResource", {
action: "string",
direction: "string",
firewallPolicy: "string",
match: {
layer4Configs: [{
ipProtocol: "string",
ports: ["string"],
}],
destIpRanges: ["string"],
srcIpRanges: ["string"],
},
priority: 0,
description: "string",
disabled: false,
project: "string",
ruleName: "string",
securityProfileGroup: "string",
targetSecureTags: [{
name: "string",
state: "string",
}],
tlsInspect: false,
});
type: gcp:compute:NetworkFirewallPolicyPacketMirroringRule
properties:
action: string
description: string
direction: string
disabled: false
firewallPolicy: string
match:
destIpRanges:
- string
layer4Configs:
- ipProtocol: string
ports:
- string
srcIpRanges:
- string
priority: 0
project: string
ruleName: string
securityProfileGroup: string
targetSecureTags:
- name: string
state: string
tlsInspect: false
NetworkFirewallPolicyPacketMirroringRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The NetworkFirewallPolicyPacketMirroringRule resource accepts the following input properties:
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- Direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - Firewall
Policy string - The firewall policy of the resource.
- Match
Network
Firewall Policy Packet Mirroring Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Description string
- An optional description for this resource.
- Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Project string
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
List<Network
Firewall Policy Packet Mirroring Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- Direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - Firewall
Policy string - The firewall policy of the resource.
- Match
Network
Firewall Policy Packet Mirroring Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Description string
- An optional description for this resource.
- Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Project string
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
[]Network
Firewall Policy Packet Mirroring Rule Target Secure Tag Args - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- direction String
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - firewall
Policy String - The firewall policy of the resource.
- match
Network
Firewall Policy Packet Mirroring Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Integer
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- description String
- An optional description for this resource.
- disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- project String
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
List<Network
Firewall Policy Packet Mirroring Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- action string
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - firewall
Policy string - The firewall policy of the resource.
- match
Network
Firewall Policy Packet Mirroring Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority number
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- description string
- An optional description for this resource.
- disabled boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- project string
- rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
Network
Firewall Policy Packet Mirroring Rule Target Secure Tag[] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- tls
Inspect boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- action str
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- direction str
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - firewall_
policy str - The firewall policy of the resource.
- match
Network
Firewall Policy Packet Mirroring Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- description str
- An optional description for this resource.
- disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- project str
- rule_
name str - An optional name for the rule. This field is not a unique identifier and can be updated.
- security_
profile_ strgroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
Sequence[Network
Firewall Policy Packet Mirroring Rule Target Secure Tag Args] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- tls_
inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- direction String
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - firewall
Policy String - The firewall policy of the resource.
- match Property Map
- A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Number
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- description String
- An optional description for this resource.
- disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- project String
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
- List<Property Map>
- A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
Outputs
All input properties are implicitly available as output properties. Additionally, the NetworkFirewallPolicyPacketMirroringRule resource produces the following output properties:
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Id string
- The provider-assigned unique ID for this managed resource.
- Kind string
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Id string
- The provider-assigned unique ID for this managed resource.
- Kind string
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- id String
- The provider-assigned unique ID for this managed resource.
- kind String
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - rule
Tuple IntegerCount - Calculation of the complexity of a single firewall policy rule.
- creation
Timestamp string - Creation timestamp in RFC3339 text format.
- id string
- The provider-assigned unique ID for this managed resource.
- kind string
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - rule
Tuple numberCount - Calculation of the complexity of a single firewall policy rule.
- creation_
timestamp str - Creation timestamp in RFC3339 text format.
- id str
- The provider-assigned unique ID for this managed resource.
- kind str
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - rule_
tuple_ intcount - Calculation of the complexity of a single firewall policy rule.
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- id String
- The provider-assigned unique ID for this managed resource.
- kind String
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - rule
Tuple NumberCount - Calculation of the complexity of a single firewall policy rule.
Look up Existing NetworkFirewallPolicyPacketMirroringRule Resource
Get an existing NetworkFirewallPolicyPacketMirroringRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: NetworkFirewallPolicyPacketMirroringRuleState, opts?: CustomResourceOptions): NetworkFirewallPolicyPacketMirroringRule@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
creation_timestamp: Optional[str] = None,
description: Optional[str] = None,
direction: Optional[str] = None,
disabled: Optional[bool] = None,
firewall_policy: Optional[str] = None,
kind: Optional[str] = None,
match: Optional[NetworkFirewallPolicyPacketMirroringRuleMatchArgs] = None,
priority: Optional[int] = None,
project: Optional[str] = None,
rule_name: Optional[str] = None,
rule_tuple_count: Optional[int] = None,
security_profile_group: Optional[str] = None,
target_secure_tags: Optional[Sequence[NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs]] = None,
tls_inspect: Optional[bool] = None) -> NetworkFirewallPolicyPacketMirroringRulefunc GetNetworkFirewallPolicyPacketMirroringRule(ctx *Context, name string, id IDInput, state *NetworkFirewallPolicyPacketMirroringRuleState, opts ...ResourceOption) (*NetworkFirewallPolicyPacketMirroringRule, error)public static NetworkFirewallPolicyPacketMirroringRule Get(string name, Input<string> id, NetworkFirewallPolicyPacketMirroringRuleState? state, CustomResourceOptions? opts = null)public static NetworkFirewallPolicyPacketMirroringRule get(String name, Output<String> id, NetworkFirewallPolicyPacketMirroringRuleState state, CustomResourceOptions options)resources: _: type: gcp:compute:NetworkFirewallPolicyPacketMirroringRule get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Description string
- An optional description for this resource.
- Direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Firewall
Policy string - The firewall policy of the resource.
- Kind string
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - Match
Network
Firewall Policy Packet Mirroring Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Project string
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
List<Network
Firewall Policy Packet Mirroring Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Description string
- An optional description for this resource.
- Direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Firewall
Policy string - The firewall policy of the resource.
- Kind string
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - Match
Network
Firewall Policy Packet Mirroring Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- Project string
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
[]Network
Firewall Policy Packet Mirroring Rule Target Secure Tag Args - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- description String
- An optional description for this resource.
- direction String
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- firewall
Policy String - The firewall policy of the resource.
- kind String
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - match
Network
Firewall Policy Packet Mirroring Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Integer
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- project String
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple IntegerCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
List<Network
Firewall Policy Packet Mirroring Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- action string
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- creation
Timestamp string - Creation timestamp in RFC3339 text format.
- description string
- An optional description for this resource.
- direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - disabled boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- firewall
Policy string - The firewall policy of the resource.
- kind string
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - match
Network
Firewall Policy Packet Mirroring Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority number
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- project string
- rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple numberCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
Network
Firewall Policy Packet Mirroring Rule Target Secure Tag[] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- tls
Inspect boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- action str
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- creation_
timestamp str - Creation timestamp in RFC3339 text format.
- description str
- An optional description for this resource.
- direction str
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- firewall_
policy str - The firewall policy of the resource.
- kind str
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - match
Network
Firewall Policy Packet Mirroring Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority int
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- project str
- rule_
name str - An optional name for the rule. This field is not a unique identifier and can be updated.
- rule_
tuple_ intcount - Calculation of the complexity of a single firewall policy rule.
- security_
profile_ strgroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
-
Sequence[Network
Firewall Policy Packet Mirroring Rule Target Secure Tag Args] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- tls_
inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- description String
- An optional description for this resource.
- direction String
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- firewall
Policy String - The firewall policy of the resource.
- kind String
- Type of the resource. Always
compute#packetMirroringRulefor firewall policy packet mirroring rules - match Property Map
- A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Number
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- project String
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple NumberCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'mirror' and cannot be specified for other actions.
- List<Property Map>
- A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set for other actions.
Supporting Types
NetworkFirewallPolicyPacketMirroringRuleMatch, NetworkFirewallPolicyPacketMirroringRuleMatchArgs
- Layer4Configs
List<Network
Firewall Policy Packet Mirroring Rule Match Layer4Config> Pairs of IP protocols and ports that the rule should match. Structure is documented below.
The
layer4_configsblock supports:- Dest
Ip List<string>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- Src
Ip List<string>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- Layer4Configs
[]Network
Firewall Policy Packet Mirroring Rule Match Layer4Config Pairs of IP protocols and ports that the rule should match. Structure is documented below.
The
layer4_configsblock supports:- Dest
Ip []stringRanges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- Src
Ip []stringRanges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- layer4Configs
List<Network
Firewall Policy Packet Mirroring Rule Match Layer4Config> Pairs of IP protocols and ports that the rule should match. Structure is documented below.
The
layer4_configsblock supports:- dest
Ip List<String>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- src
Ip List<String>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- layer4Configs
Network
Firewall Policy Packet Mirroring Rule Match Layer4Config[] Pairs of IP protocols and ports that the rule should match. Structure is documented below.
The
layer4_configsblock supports:- dest
Ip string[]Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- src
Ip string[]Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- layer4_
configs Sequence[NetworkFirewall Policy Packet Mirroring Rule Match Layer4Config] Pairs of IP protocols and ports that the rule should match. Structure is documented below.
The
layer4_configsblock supports:- dest_
ip_ Sequence[str]ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- src_
ip_ Sequence[str]ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- layer4Configs List<Property Map>
Pairs of IP protocols and ports that the rule should match. Structure is documented below.
The
layer4_configsblock supports:- dest
Ip List<String>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- src
Ip List<String>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
NetworkFirewallPolicyPacketMirroringRuleMatchLayer4Config, NetworkFirewallPolicyPacketMirroringRuleMatchLayer4ConfigArgs
- Ip
Protocol string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports List<string>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- Ip
Protocol string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports []string
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports List<String>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports string[]
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip_
protocol str - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports Sequence[str]
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports List<String>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
NetworkFirewallPolicyPacketMirroringRuleTargetSecureTag, NetworkFirewallPolicyPacketMirroringRuleTargetSecureTagArgs
Import
NetworkFirewallPolicyPacketMirroringRule can be imported using any of these accepted formats:
projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}{{project}}/{{firewall_policy}}/{{priority}}{{firewall_policy}}/{{priority}}
When using the pulumi import command, NetworkFirewallPolicyPacketMirroringRule can be imported using one of the formats above. For example:
$ pulumi import gcp:compute/networkFirewallPolicyPacketMirroringRule:NetworkFirewallPolicyPacketMirroringRule default projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}
$ pulumi import gcp:compute/networkFirewallPolicyPacketMirroringRule:NetworkFirewallPolicyPacketMirroringRule default {{project}}/{{firewall_policy}}/{{priority}}
$ pulumi import gcp:compute/networkFirewallPolicyPacketMirroringRule:NetworkFirewallPolicyPacketMirroringRule default {{firewall_policy}}/{{priority}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.