Docs Home
Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi
gcp.compute.NetworkFirewallPolicyRule
Explore with Pulumi AI
- Example Usage
- Network Firewall Policy Rule
- Network Firewall Policy Rule Network Scope Egress
- Network Firewall Policy Rule Network Scope Ingress
- Create NetworkFirewallPolicyRule Resource
- Constructor syntax
- Constructor example
- NetworkFirewallPolicyRule Resource Properties
- Inputs
- Outputs
- Look up Existing NetworkFirewallPolicyRule Resource
- Supporting Types
- Import
- Package Details
Represents a rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (allow or deny).
To get more information about NetworkFirewallPolicyRule, see:
Example Usage
Network Firewall Policy Rule
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicGlobalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group", {
name: "address-group",
parent: "projects/my-project-name",
description: "Sample global networksecurity_address_group",
location: "global",
items: ["208.80.154.224/32"],
type: "IPV4",
capacity: 100,
});
const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", {
name: "fw-policy",
description: "Sample global network firewall policy",
project: "my-project-name",
});
const basicNetwork = new gcp.compute.Network("basic_network", {name: "network"});
const basicKey = new gcp.tags.TagKey("basic_key", {
description: "For keyname resources.",
parent: "organizations/123456789",
purpose: "GCE_FIREWALL",
shortName: "tag-key",
purposeData: {
network: pulumi.interpolate`my-project-name/${basicNetwork.name}`,
},
});
const basicValue = new gcp.tags.TagValue("basic_value", {
description: "For valuename resources.",
parent: basicKey.id,
shortName: "tag-value",
});
const primary = new gcp.compute.NetworkFirewallPolicyRule("primary", {
action: "allow",
description: "This is a simple rule description",
direction: "INGRESS",
disabled: false,
enableLogging: true,
firewallPolicy: basicNetworkFirewallPolicy.name,
priority: 1000,
ruleName: "test-rule",
targetServiceAccounts: ["my@service-account.com"],
match: {
srcAddressGroups: [basicGlobalNetworksecurityAddressGroup.id],
srcIpRanges: ["10.100.0.1/32"],
srcFqdns: ["google.com"],
srcRegionCodes: ["US"],
srcThreatIntelligences: ["iplist-known-malicious-ips"],
srcSecureTags: [{
name: basicValue.id,
}],
layer4Configs: [{
ipProtocol: "all",
}],
},
});
import pulumi
import pulumi_gcp as gcp
basic_global_networksecurity_address_group = gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group",
name="address-group",
parent="projects/my-project-name",
description="Sample global networksecurity_address_group",
location="global",
items=["208.80.154.224/32"],
type="IPV4",
capacity=100)
basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
name="fw-policy",
description="Sample global network firewall policy",
project="my-project-name")
basic_network = gcp.compute.Network("basic_network", name="network")
basic_key = gcp.tags.TagKey("basic_key",
description="For keyname resources.",
parent="organizations/123456789",
purpose="GCE_FIREWALL",
short_name="tag-key",
purpose_data={
"network": basic_network.name.apply(lambda name: f"my-project-name/{name}"),
})
basic_value = gcp.tags.TagValue("basic_value",
description="For valuename resources.",
parent=basic_key.id,
short_name="tag-value")
primary = gcp.compute.NetworkFirewallPolicyRule("primary",
action="allow",
description="This is a simple rule description",
direction="INGRESS",
disabled=False,
enable_logging=True,
firewall_policy=basic_network_firewall_policy.name,
priority=1000,
rule_name="test-rule",
target_service_accounts=["my@service-account.com"],
match={
"src_address_groups": [basic_global_networksecurity_address_group.id],
"src_ip_ranges": ["10.100.0.1/32"],
"src_fqdns": ["google.com"],
"src_region_codes": ["US"],
"src_threat_intelligences": ["iplist-known-malicious-ips"],
"src_secure_tags": [{
"name": basic_value.id,
}],
"layer4_configs": [{
"ip_protocol": "all",
}],
})
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicGlobalNetworksecurityAddressGroup, err := networksecurity.NewAddressGroup(ctx, "basic_global_networksecurity_address_group", &networksecurity.AddressGroupArgs{
Name: pulumi.String("address-group"),
Parent: pulumi.String("projects/my-project-name"),
Description: pulumi.String("Sample global networksecurity_address_group"),
Location: pulumi.String("global"),
Items: pulumi.StringArray{
pulumi.String("208.80.154.224/32"),
},
Type: pulumi.String("IPV4"),
Capacity: pulumi.Int(100),
})
if err != nil {
return err
}
basicNetworkFirewallPolicy, err := compute.NewNetworkFirewallPolicy(ctx, "basic_network_firewall_policy", &compute.NetworkFirewallPolicyArgs{
Name: pulumi.String("fw-policy"),
Description: pulumi.String("Sample global network firewall policy"),
Project: pulumi.String("my-project-name"),
})
if err != nil {
return err
}
basicNetwork, err := compute.NewNetwork(ctx, "basic_network", &compute.NetworkArgs{
Name: pulumi.String("network"),
})
if err != nil {
return err
}
basicKey, err := tags.NewTagKey(ctx, "basic_key", &tags.TagKeyArgs{
Description: pulumi.String("For keyname resources."),
Parent: pulumi.String("organizations/123456789"),
Purpose: pulumi.String("GCE_FIREWALL"),
ShortName: pulumi.String("tag-key"),
PurposeData: pulumi.StringMap{
"network": basicNetwork.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("my-project-name/%v", name), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
basicValue, err := tags.NewTagValue(ctx, "basic_value", &tags.TagValueArgs{
Description: pulumi.String("For valuename resources."),
Parent: basicKey.ID(),
ShortName: pulumi.String("tag-value"),
})
if err != nil {
return err
}
_, err = compute.NewNetworkFirewallPolicyRule(ctx, "primary", &compute.NetworkFirewallPolicyRuleArgs{
Action: pulumi.String("allow"),
Description: pulumi.String("This is a simple rule description"),
Direction: pulumi.String("INGRESS"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(true),
FirewallPolicy: basicNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
RuleName: pulumi.String("test-rule"),
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("my@service-account.com"),
},
Match: &compute.NetworkFirewallPolicyRuleMatchArgs{
SrcAddressGroups: pulumi.StringArray{
basicGlobalNetworksecurityAddressGroup.ID(),
},
SrcIpRanges: pulumi.StringArray{
pulumi.String("10.100.0.1/32"),
},
SrcFqdns: pulumi.StringArray{
pulumi.String("google.com"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("US"),
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-known-malicious-ips"),
},
SrcSecureTags: compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArray{
&compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs{
Name: basicValue.ID(),
},
},
Layer4Configs: compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicGlobalNetworksecurityAddressGroup = new Gcp.NetworkSecurity.AddressGroup("basic_global_networksecurity_address_group", new()
{
Name = "address-group",
Parent = "projects/my-project-name",
Description = "Sample global networksecurity_address_group",
Location = "global",
Items = new[]
{
"208.80.154.224/32",
},
Type = "IPV4",
Capacity = 100,
});
var basicNetworkFirewallPolicy = new Gcp.Compute.NetworkFirewallPolicy("basic_network_firewall_policy", new()
{
Name = "fw-policy",
Description = "Sample global network firewall policy",
Project = "my-project-name",
});
var basicNetwork = new Gcp.Compute.Network("basic_network", new()
{
Name = "network",
});
var basicKey = new Gcp.Tags.TagKey("basic_key", new()
{
Description = "For keyname resources.",
Parent = "organizations/123456789",
Purpose = "GCE_FIREWALL",
ShortName = "tag-key",
PurposeData =
{
{ "network", basicNetwork.Name.Apply(name => $"my-project-name/{name}") },
},
});
var basicValue = new Gcp.Tags.TagValue("basic_value", new()
{
Description = "For valuename resources.",
Parent = basicKey.Id,
ShortName = "tag-value",
});
var primary = new Gcp.Compute.NetworkFirewallPolicyRule("primary", new()
{
Action = "allow",
Description = "This is a simple rule description",
Direction = "INGRESS",
Disabled = false,
EnableLogging = true,
FirewallPolicy = basicNetworkFirewallPolicy.Name,
Priority = 1000,
RuleName = "test-rule",
TargetServiceAccounts = new[]
{
"my@service-account.com",
},
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchArgs
{
SrcAddressGroups = new[]
{
basicGlobalNetworksecurityAddressGroup.Id,
},
SrcIpRanges = new[]
{
"10.100.0.1/32",
},
SrcFqdns = new[]
{
"google.com",
},
SrcRegionCodes = new[]
{
"US",
},
SrcThreatIntelligences = new[]
{
"iplist-known-malicious-ips",
},
SrcSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs
{
Name = basicValue.Id,
},
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicy;
import com.pulumi.gcp.compute.NetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.tags.TagKey;
import com.pulumi.gcp.tags.TagKeyArgs;
import com.pulumi.gcp.tags.TagValue;
import com.pulumi.gcp.tags.TagValueArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicGlobalNetworksecurityAddressGroup = new AddressGroup("basicGlobalNetworksecurityAddressGroup", AddressGroupArgs.builder()
.name("address-group")
.parent("projects/my-project-name")
.description("Sample global networksecurity_address_group")
.location("global")
.items("208.80.154.224/32")
.type("IPV4")
.capacity(100)
.build());
var basicNetworkFirewallPolicy = new NetworkFirewallPolicy("basicNetworkFirewallPolicy", NetworkFirewallPolicyArgs.builder()
.name("fw-policy")
.description("Sample global network firewall policy")
.project("my-project-name")
.build());
var basicNetwork = new Network("basicNetwork", NetworkArgs.builder()
.name("network")
.build());
var basicKey = new TagKey("basicKey", TagKeyArgs.builder()
.description("For keyname resources.")
.parent("organizations/123456789")
.purpose("GCE_FIREWALL")
.shortName("tag-key")
.purposeData(Map.of("network", basicNetwork.name().applyValue(name -> String.format("my-project-name/%s", name))))
.build());
var basicValue = new TagValue("basicValue", TagValueArgs.builder()
.description("For valuename resources.")
.parent(basicKey.id())
.shortName("tag-value")
.build());
var primary = new NetworkFirewallPolicyRule("primary", NetworkFirewallPolicyRuleArgs.builder()
.action("allow")
.description("This is a simple rule description")
.direction("INGRESS")
.disabled(false)
.enableLogging(true)
.firewallPolicy(basicNetworkFirewallPolicy.name())
.priority(1000)
.ruleName("test-rule")
.targetServiceAccounts("my@service-account.com")
.match(NetworkFirewallPolicyRuleMatchArgs.builder()
.srcAddressGroups(basicGlobalNetworksecurityAddressGroup.id())
.srcIpRanges("10.100.0.1/32")
.srcFqdns("google.com")
.srcRegionCodes("US")
.srcThreatIntelligences("iplist-known-malicious-ips")
.srcSecureTags(NetworkFirewallPolicyRuleMatchSrcSecureTagArgs.builder()
.name(basicValue.id())
.build())
.layer4Configs(NetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.build())
.build());
}
}
resources:
basicGlobalNetworksecurityAddressGroup:
type: gcp:networksecurity:AddressGroup
name: basic_global_networksecurity_address_group
properties:
name: address-group
parent: projects/my-project-name
description: Sample global networksecurity_address_group
location: global
items:
- 208.80.154.224/32
type: IPV4
capacity: 100
basicNetworkFirewallPolicy:
type: gcp:compute:NetworkFirewallPolicy
name: basic_network_firewall_policy
properties:
name: fw-policy
description: Sample global network firewall policy
project: my-project-name
primary:
type: gcp:compute:NetworkFirewallPolicyRule
properties:
action: allow
description: This is a simple rule description
direction: INGRESS
disabled: false
enableLogging: true
firewallPolicy: ${basicNetworkFirewallPolicy.name}
priority: 1000
ruleName: test-rule
targetServiceAccounts:
- my@service-account.com
match:
srcAddressGroups:
- ${basicGlobalNetworksecurityAddressGroup.id}
srcIpRanges:
- 10.100.0.1/32
srcFqdns:
- google.com
srcRegionCodes:
- US
srcThreatIntelligences:
- iplist-known-malicious-ips
srcSecureTags:
- name: ${basicValue.id}
layer4Configs:
- ipProtocol: all
basicNetwork:
type: gcp:compute:Network
name: basic_network
properties:
name: network
basicKey:
type: gcp:tags:TagKey
name: basic_key
properties:
description: For keyname resources.
parent: organizations/123456789
purpose: GCE_FIREWALL
shortName: tag-key
purposeData:
network: my-project-name/${basicNetwork.name}
basicValue:
type: gcp:tags:TagValue
name: basic_value
properties:
description: For valuename resources.
parent: ${basicKey.id}
shortName: tag-value
Network Firewall Policy Rule Network Scope Egress
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", {
name: "fw-policy",
description: "Sample global network firewall policy",
project: "my-project-name",
});
const primary = new gcp.compute.NetworkFirewallPolicyRule("primary", {
action: "allow",
description: "This is a simple rule description",
direction: "EGRESS",
disabled: false,
enableLogging: true,
firewallPolicy: basicNetworkFirewallPolicy.name,
priority: 1000,
ruleName: "test-rule",
match: {
destIpRanges: ["10.100.0.1/32"],
destNetworkScope: "INTERNET",
layer4Configs: [{
ipProtocol: "all",
}],
},
});
import pulumi
import pulumi_gcp as gcp
basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
name="fw-policy",
description="Sample global network firewall policy",
project="my-project-name")
primary = gcp.compute.NetworkFirewallPolicyRule("primary",
action="allow",
description="This is a simple rule description",
direction="EGRESS",
disabled=False,
enable_logging=True,
firewall_policy=basic_network_firewall_policy.name,
priority=1000,
rule_name="test-rule",
match={
"dest_ip_ranges": ["10.100.0.1/32"],
"dest_network_scope": "INTERNET",
"layer4_configs": [{
"ip_protocol": "all",
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicNetworkFirewallPolicy, err := compute.NewNetworkFirewallPolicy(ctx, "basic_network_firewall_policy", &compute.NetworkFirewallPolicyArgs{
Name: pulumi.String("fw-policy"),
Description: pulumi.String("Sample global network firewall policy"),
Project: pulumi.String("my-project-name"),
})
if err != nil {
return err
}
_, err = compute.NewNetworkFirewallPolicyRule(ctx, "primary", &compute.NetworkFirewallPolicyRuleArgs{
Action: pulumi.String("allow"),
Description: pulumi.String("This is a simple rule description"),
Direction: pulumi.String("EGRESS"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(true),
FirewallPolicy: basicNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
RuleName: pulumi.String("test-rule"),
Match: &compute.NetworkFirewallPolicyRuleMatchArgs{
DestIpRanges: pulumi.StringArray{
pulumi.String("10.100.0.1/32"),
},
DestNetworkScope: pulumi.String("INTERNET"),
Layer4Configs: compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicNetworkFirewallPolicy = new Gcp.Compute.NetworkFirewallPolicy("basic_network_firewall_policy", new()
{
Name = "fw-policy",
Description = "Sample global network firewall policy",
Project = "my-project-name",
});
var primary = new Gcp.Compute.NetworkFirewallPolicyRule("primary", new()
{
Action = "allow",
Description = "This is a simple rule description",
Direction = "EGRESS",
Disabled = false,
EnableLogging = true,
FirewallPolicy = basicNetworkFirewallPolicy.Name,
Priority = 1000,
RuleName = "test-rule",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchArgs
{
DestIpRanges = new[]
{
"10.100.0.1/32",
},
DestNetworkScope = "INTERNET",
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.NetworkFirewallPolicy;
import com.pulumi.gcp.compute.NetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicNetworkFirewallPolicy = new NetworkFirewallPolicy("basicNetworkFirewallPolicy", NetworkFirewallPolicyArgs.builder()
.name("fw-policy")
.description("Sample global network firewall policy")
.project("my-project-name")
.build());
var primary = new NetworkFirewallPolicyRule("primary", NetworkFirewallPolicyRuleArgs.builder()
.action("allow")
.description("This is a simple rule description")
.direction("EGRESS")
.disabled(false)
.enableLogging(true)
.firewallPolicy(basicNetworkFirewallPolicy.name())
.priority(1000)
.ruleName("test-rule")
.match(NetworkFirewallPolicyRuleMatchArgs.builder()
.destIpRanges("10.100.0.1/32")
.destNetworkScope("INTERNET")
.layer4Configs(NetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.build())
.build());
}
}
resources:
basicNetworkFirewallPolicy:
type: gcp:compute:NetworkFirewallPolicy
name: basic_network_firewall_policy
properties:
name: fw-policy
description: Sample global network firewall policy
project: my-project-name
primary:
type: gcp:compute:NetworkFirewallPolicyRule
properties:
action: allow
description: This is a simple rule description
direction: EGRESS
disabled: false
enableLogging: true
firewallPolicy: ${basicNetworkFirewallPolicy.name}
priority: 1000
ruleName: test-rule
match:
destIpRanges:
- 10.100.0.1/32
destNetworkScope: INTERNET
layer4Configs:
- ipProtocol: all
Network Firewall Policy Rule Network Scope Ingress
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", {
name: "fw-policy",
description: "Sample global network firewall policy",
project: "my-project-name",
});
const network = new gcp.compute.Network("network", {name: "network"});
const primary = new gcp.compute.NetworkFirewallPolicyRule("primary", {
action: "allow",
description: "This is a simple rule description",
direction: "INGRESS",
disabled: false,
enableLogging: true,
firewallPolicy: basicNetworkFirewallPolicy.name,
priority: 1000,
ruleName: "test-rule",
match: {
srcIpRanges: ["11.100.0.1/32"],
srcNetworkScope: "VPC_NETWORKS",
srcNetworks: [network.id],
layer4Configs: [{
ipProtocol: "all",
}],
},
});
import pulumi
import pulumi_gcp as gcp
basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
name="fw-policy",
description="Sample global network firewall policy",
project="my-project-name")
network = gcp.compute.Network("network", name="network")
primary = gcp.compute.NetworkFirewallPolicyRule("primary",
action="allow",
description="This is a simple rule description",
direction="INGRESS",
disabled=False,
enable_logging=True,
firewall_policy=basic_network_firewall_policy.name,
priority=1000,
rule_name="test-rule",
match={
"src_ip_ranges": ["11.100.0.1/32"],
"src_network_scope": "VPC_NETWORKS",
"src_networks": [network.id],
"layer4_configs": [{
"ip_protocol": "all",
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicNetworkFirewallPolicy, err := compute.NewNetworkFirewallPolicy(ctx, "basic_network_firewall_policy", &compute.NetworkFirewallPolicyArgs{
Name: pulumi.String("fw-policy"),
Description: pulumi.String("Sample global network firewall policy"),
Project: pulumi.String("my-project-name"),
})
if err != nil {
return err
}
network, err := compute.NewNetwork(ctx, "network", &compute.NetworkArgs{
Name: pulumi.String("network"),
})
if err != nil {
return err
}
_, err = compute.NewNetworkFirewallPolicyRule(ctx, "primary", &compute.NetworkFirewallPolicyRuleArgs{
Action: pulumi.String("allow"),
Description: pulumi.String("This is a simple rule description"),
Direction: pulumi.String("INGRESS"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(true),
FirewallPolicy: basicNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
RuleName: pulumi.String("test-rule"),
Match: &compute.NetworkFirewallPolicyRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("11.100.0.1/32"),
},
SrcNetworkScope: pulumi.String("VPC_NETWORKS"),
SrcNetworks: pulumi.StringArray{
network.ID(),
},
Layer4Configs: compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicNetworkFirewallPolicy = new Gcp.Compute.NetworkFirewallPolicy("basic_network_firewall_policy", new()
{
Name = "fw-policy",
Description = "Sample global network firewall policy",
Project = "my-project-name",
});
var network = new Gcp.Compute.Network("network", new()
{
Name = "network",
});
var primary = new Gcp.Compute.NetworkFirewallPolicyRule("primary", new()
{
Action = "allow",
Description = "This is a simple rule description",
Direction = "INGRESS",
Disabled = false,
EnableLogging = true,
FirewallPolicy = basicNetworkFirewallPolicy.Name,
Priority = 1000,
RuleName = "test-rule",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchArgs
{
SrcIpRanges = new[]
{
"11.100.0.1/32",
},
SrcNetworkScope = "VPC_NETWORKS",
SrcNetworks = new[]
{
network.Id,
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.NetworkFirewallPolicy;
import com.pulumi.gcp.compute.NetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicNetworkFirewallPolicy = new NetworkFirewallPolicy("basicNetworkFirewallPolicy", NetworkFirewallPolicyArgs.builder()
.name("fw-policy")
.description("Sample global network firewall policy")
.project("my-project-name")
.build());
var network = new Network("network", NetworkArgs.builder()
.name("network")
.build());
var primary = new NetworkFirewallPolicyRule("primary", NetworkFirewallPolicyRuleArgs.builder()
.action("allow")
.description("This is a simple rule description")
.direction("INGRESS")
.disabled(false)
.enableLogging(true)
.firewallPolicy(basicNetworkFirewallPolicy.name())
.priority(1000)
.ruleName("test-rule")
.match(NetworkFirewallPolicyRuleMatchArgs.builder()
.srcIpRanges("11.100.0.1/32")
.srcNetworkScope("VPC_NETWORKS")
.srcNetworks(network.id())
.layer4Configs(NetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.build())
.build());
}
}
resources:
basicNetworkFirewallPolicy:
type: gcp:compute:NetworkFirewallPolicy
name: basic_network_firewall_policy
properties:
name: fw-policy
description: Sample global network firewall policy
project: my-project-name
primary:
type: gcp:compute:NetworkFirewallPolicyRule
properties:
action: allow
description: This is a simple rule description
direction: INGRESS
disabled: false
enableLogging: true
firewallPolicy: ${basicNetworkFirewallPolicy.name}
priority: 1000
ruleName: test-rule
match:
srcIpRanges:
- 11.100.0.1/32
srcNetworkScope: VPC_NETWORKS
srcNetworks:
- ${network.id}
layer4Configs:
- ipProtocol: all
network:
type: gcp:compute:Network
properties:
name: network
Create NetworkFirewallPolicyRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new NetworkFirewallPolicyRule(name: string, args: NetworkFirewallPolicyRuleArgs, opts?: CustomResourceOptions);@overload
def NetworkFirewallPolicyRule(resource_name: str,
args: NetworkFirewallPolicyRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def NetworkFirewallPolicyRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
firewall_policy: Optional[str] = None,
priority: Optional[int] = None,
direction: Optional[str] = None,
action: Optional[str] = None,
match: Optional[NetworkFirewallPolicyRuleMatchArgs] = None,
disabled: Optional[bool] = None,
enable_logging: Optional[bool] = None,
description: Optional[str] = None,
project: Optional[str] = None,
rule_name: Optional[str] = None,
security_profile_group: Optional[str] = None,
target_secure_tags: Optional[Sequence[NetworkFirewallPolicyRuleTargetSecureTagArgs]] = None,
target_service_accounts: Optional[Sequence[str]] = None,
tls_inspect: Optional[bool] = None)func NewNetworkFirewallPolicyRule(ctx *Context, name string, args NetworkFirewallPolicyRuleArgs, opts ...ResourceOption) (*NetworkFirewallPolicyRule, error)public NetworkFirewallPolicyRule(string name, NetworkFirewallPolicyRuleArgs args, CustomResourceOptions? opts = null)public NetworkFirewallPolicyRule(String name, NetworkFirewallPolicyRuleArgs args)
public NetworkFirewallPolicyRule(String name, NetworkFirewallPolicyRuleArgs args, CustomResourceOptions options)
type: gcp:compute:NetworkFirewallPolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. NetworkFirewallPolicyRuleArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. NetworkFirewallPolicyRuleArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. NetworkFirewallPolicyRuleArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. NetworkFirewallPolicyRuleArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. NetworkFirewallPolicyRuleArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var networkFirewallPolicyRuleResource = new Gcp.Compute.NetworkFirewallPolicyRule("networkFirewallPolicyRuleResource", new()
{
FirewallPolicy = "string",
Priority = 0,
Direction = "string",
Action = "string",
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "string",
Ports = new[]
{
"string",
},
},
},
DestNetworkScope = "string",
SrcFqdns = new[]
{
"string",
},
DestAddressGroups = new[]
{
"string",
},
DestRegionCodes = new[]
{
"string",
},
DestThreatIntelligences = new[]
{
"string",
},
DestFqdns = new[]
{
"string",
},
SrcAddressGroups = new[]
{
"string",
},
DestIpRanges = new[]
{
"string",
},
SrcIpRanges = new[]
{
"string",
},
SrcNetworkScope = "string",
SrcNetworks = new[]
{
"string",
},
SrcRegionCodes = new[]
{
"string",
},
SrcSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs
{
Name = "string",
State = "string",
},
},
SrcThreatIntelligences = new[]
{
"string",
},
},
Disabled = false,
EnableLogging = false,
Description = "string",
Project = "string",
RuleName = "string",
SecurityProfileGroup = "string",
TargetSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleTargetSecureTagArgs
{
Name = "string",
State = "string",
},
},
TargetServiceAccounts = new[]
{
"string",
},
TlsInspect = false,
});
example, err := compute.NewNetworkFirewallPolicyRule(ctx, "networkFirewallPolicyRuleResource", &compute.NetworkFirewallPolicyRuleArgs{
FirewallPolicy: pulumi.String("string"),
Priority: pulumi.Int(0),
Direction: pulumi.String("string"),
Action: pulumi.String("string"),
Match: &compute.NetworkFirewallPolicyRuleMatchArgs{
Layer4Configs: compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("string"),
Ports: pulumi.StringArray{
pulumi.String("string"),
},
},
},
DestNetworkScope: pulumi.String("string"),
SrcFqdns: pulumi.StringArray{
pulumi.String("string"),
},
DestAddressGroups: pulumi.StringArray{
pulumi.String("string"),
},
DestRegionCodes: pulumi.StringArray{
pulumi.String("string"),
},
DestThreatIntelligences: pulumi.StringArray{
pulumi.String("string"),
},
DestFqdns: pulumi.StringArray{
pulumi.String("string"),
},
SrcAddressGroups: pulumi.StringArray{
pulumi.String("string"),
},
DestIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
SrcIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
SrcNetworkScope: pulumi.String("string"),
SrcNetworks: pulumi.StringArray{
pulumi.String("string"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("string"),
},
SrcSecureTags: compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArray{
&compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs{
Name: pulumi.String("string"),
State: pulumi.String("string"),
},
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("string"),
},
},
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(false),
Description: pulumi.String("string"),
Project: pulumi.String("string"),
RuleName: pulumi.String("string"),
SecurityProfileGroup: pulumi.String("string"),
TargetSecureTags: compute.NetworkFirewallPolicyRuleTargetSecureTagArray{
&compute.NetworkFirewallPolicyRuleTargetSecureTagArgs{
Name: pulumi.String("string"),
State: pulumi.String("string"),
},
},
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("string"),
},
TlsInspect: pulumi.Bool(false),
})
var networkFirewallPolicyRuleResource = new NetworkFirewallPolicyRule("networkFirewallPolicyRuleResource", NetworkFirewallPolicyRuleArgs.builder()
.firewallPolicy("string")
.priority(0)
.direction("string")
.action("string")
.match(NetworkFirewallPolicyRuleMatchArgs.builder()
.layer4Configs(NetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("string")
.ports("string")
.build())
.destNetworkScope("string")
.srcFqdns("string")
.destAddressGroups("string")
.destRegionCodes("string")
.destThreatIntelligences("string")
.destFqdns("string")
.srcAddressGroups("string")
.destIpRanges("string")
.srcIpRanges("string")
.srcNetworkScope("string")
.srcNetworks("string")
.srcRegionCodes("string")
.srcSecureTags(NetworkFirewallPolicyRuleMatchSrcSecureTagArgs.builder()
.name("string")
.state("string")
.build())
.srcThreatIntelligences("string")
.build())
.disabled(false)
.enableLogging(false)
.description("string")
.project("string")
.ruleName("string")
.securityProfileGroup("string")
.targetSecureTags(NetworkFirewallPolicyRuleTargetSecureTagArgs.builder()
.name("string")
.state("string")
.build())
.targetServiceAccounts("string")
.tlsInspect(false)
.build());
network_firewall_policy_rule_resource = gcp.compute.NetworkFirewallPolicyRule("networkFirewallPolicyRuleResource",
firewall_policy="string",
priority=0,
direction="string",
action="string",
match={
"layer4_configs": [{
"ip_protocol": "string",
"ports": ["string"],
}],
"dest_network_scope": "string",
"src_fqdns": ["string"],
"dest_address_groups": ["string"],
"dest_region_codes": ["string"],
"dest_threat_intelligences": ["string"],
"dest_fqdns": ["string"],
"src_address_groups": ["string"],
"dest_ip_ranges": ["string"],
"src_ip_ranges": ["string"],
"src_network_scope": "string",
"src_networks": ["string"],
"src_region_codes": ["string"],
"src_secure_tags": [{
"name": "string",
"state": "string",
}],
"src_threat_intelligences": ["string"],
},
disabled=False,
enable_logging=False,
description="string",
project="string",
rule_name="string",
security_profile_group="string",
target_secure_tags=[{
"name": "string",
"state": "string",
}],
target_service_accounts=["string"],
tls_inspect=False)
const networkFirewallPolicyRuleResource = new gcp.compute.NetworkFirewallPolicyRule("networkFirewallPolicyRuleResource", {
firewallPolicy: "string",
priority: 0,
direction: "string",
action: "string",
match: {
layer4Configs: [{
ipProtocol: "string",
ports: ["string"],
}],
destNetworkScope: "string",
srcFqdns: ["string"],
destAddressGroups: ["string"],
destRegionCodes: ["string"],
destThreatIntelligences: ["string"],
destFqdns: ["string"],
srcAddressGroups: ["string"],
destIpRanges: ["string"],
srcIpRanges: ["string"],
srcNetworkScope: "string",
srcNetworks: ["string"],
srcRegionCodes: ["string"],
srcSecureTags: [{
name: "string",
state: "string",
}],
srcThreatIntelligences: ["string"],
},
disabled: false,
enableLogging: false,
description: "string",
project: "string",
ruleName: "string",
securityProfileGroup: "string",
targetSecureTags: [{
name: "string",
state: "string",
}],
targetServiceAccounts: ["string"],
tlsInspect: false,
});
type: gcp:compute:NetworkFirewallPolicyRule
properties:
action: string
description: string
direction: string
disabled: false
enableLogging: false
firewallPolicy: string
match:
destAddressGroups:
- string
destFqdns:
- string
destIpRanges:
- string
destNetworkScope: string
destRegionCodes:
- string
destThreatIntelligences:
- string
layer4Configs:
- ipProtocol: string
ports:
- string
srcAddressGroups:
- string
srcFqdns:
- string
srcIpRanges:
- string
srcNetworkScope: string
srcNetworks:
- string
srcRegionCodes:
- string
srcSecureTags:
- name: string
state: string
srcThreatIntelligences:
- string
priority: 0
project: string
ruleName: string
securityProfileGroup: string
targetSecureTags:
- name: string
state: string
targetServiceAccounts:
- string
tlsInspect: false
NetworkFirewallPolicyRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The NetworkFirewallPolicyRule resource accepts the following input properties:
- Action
This property is required. string - The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- Direction
This property is required. string - The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - Firewall
Policy stringThis property is required. 
Changes to this property will trigger replacement. - The firewall policy of the resource.
- Match
This property is required. NetworkFirewall Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority
int
This property is required. Changes to this property will trigger replacement. - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Description string
- An optional description for this resource.
- Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Project
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
List<Network
Firewall Policy Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Target
Service List<string>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- Action
This property is required. string - The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- Direction
This property is required. string - The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - Firewall
Policy stringThis property is required. Changes to this property will trigger replacement. - The firewall policy of the resource.
- Match
This property is required. NetworkFirewall Policy Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority
int
This property is required. Changes to this property will trigger replacement. - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Description string
- An optional description for this resource.
- Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Project
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
[]Network
Firewall Policy Rule Target Secure Tag Args - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Target
Service []stringAccounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action
This property is required. String - The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- direction
This property is required. String - The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - firewall
Policy StringThis property is required. Changes to this property will trigger replacement. - The firewall policy of the resource.
- match
This property is required. NetworkFirewall Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority
Integer
This property is required. Changes to this property will trigger replacement. - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description String
- An optional description for this resource.
- disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- project
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
List<Network
Firewall Policy Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action
This property is required. string - The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- direction
This property is required. string - The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - firewall
Policy stringThis property is required. Changes to this property will trigger replacement. - The firewall policy of the resource.
- match
This property is required. NetworkFirewall Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority
number
This property is required. Changes to this property will trigger replacement. - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description string
- An optional description for this resource.
- disabled boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- project
- rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
Network
Firewall Policy Rule Target Secure Tag[] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service string[]Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action
This property is required. str - The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- direction
This property is required. str - The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - firewall_
policy strThis property is required. Changes to this property will trigger replacement. - The firewall policy of the resource.
- match
This property is required. NetworkFirewall Policy Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority
int
This property is required. Changes to this property will trigger replacement. - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description str
- An optional description for this resource.
- disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- project
- rule_
name str - An optional name for the rule. This field is not a unique identifier and can be updated.
- security_
profile_ strgroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
Sequence[Network
Firewall Policy Rule Target Secure Tag Args] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target_
service_ Sequence[str]accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls_
inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action
This property is required. String - The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- direction
This property is required. String - The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - firewall
Policy StringThis property is required. Changes to this property will trigger replacement. - The firewall policy of the resource.
- match
This property is required. Property Map - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority
Number
This property is required. Changes to this property will trigger replacement. - An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description String
- An optional description for this resource.
- disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- project
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- List<Property Map>
- A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
Outputs
All input properties are implicitly available as output properties. Additionally, the NetworkFirewallPolicyRule resource produces the following output properties:
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Id string
- The provider-assigned unique ID for this managed resource.
- Kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Id string
- The provider-assigned unique ID for this managed resource.
- Kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- id String
- The provider-assigned unique ID for this managed resource.
- kind String
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - rule
Tuple IntegerCount - Calculation of the complexity of a single firewall policy rule.
- creation
Timestamp string - Creation timestamp in RFC3339 text format.
- id string
- The provider-assigned unique ID for this managed resource.
- kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - rule
Tuple numberCount - Calculation of the complexity of a single firewall policy rule.
- creation_
timestamp str - Creation timestamp in RFC3339 text format.
- id str
- The provider-assigned unique ID for this managed resource.
- kind str
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - rule_
tuple_ intcount - Calculation of the complexity of a single firewall policy rule.
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- id String
- The provider-assigned unique ID for this managed resource.
- kind String
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - rule
Tuple NumberCount - Calculation of the complexity of a single firewall policy rule.
Look up Existing NetworkFirewallPolicyRule Resource
Get an existing NetworkFirewallPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: NetworkFirewallPolicyRuleState, opts?: CustomResourceOptions): NetworkFirewallPolicyRule@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
creation_timestamp: Optional[str] = None,
description: Optional[str] = None,
direction: Optional[str] = None,
disabled: Optional[bool] = None,
enable_logging: Optional[bool] = None,
firewall_policy: Optional[str] = None,
kind: Optional[str] = None,
match: Optional[NetworkFirewallPolicyRuleMatchArgs] = None,
priority: Optional[int] = None,
project: Optional[str] = None,
rule_name: Optional[str] = None,
rule_tuple_count: Optional[int] = None,
security_profile_group: Optional[str] = None,
target_secure_tags: Optional[Sequence[NetworkFirewallPolicyRuleTargetSecureTagArgs]] = None,
target_service_accounts: Optional[Sequence[str]] = None,
tls_inspect: Optional[bool] = None) -> NetworkFirewallPolicyRulefunc GetNetworkFirewallPolicyRule(ctx *Context, name string, id IDInput, state *NetworkFirewallPolicyRuleState, opts ...ResourceOption) (*NetworkFirewallPolicyRule, error)public static NetworkFirewallPolicyRule Get(string name, Input<string> id, NetworkFirewallPolicyRuleState? state, CustomResourceOptions? opts = null)public static NetworkFirewallPolicyRule get(String name, Output<String> id, NetworkFirewallPolicyRuleState state, CustomResourceOptions options)resources: _: type: gcp:compute:NetworkFirewallPolicyRule get: id: ${id}- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Description string
- An optional description for this resource.
- Direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Firewall
Policy - The firewall policy of the resource.
- Kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - Match
Network
Firewall Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Project
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
List<Network
Firewall Policy Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Target
Service List<string>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- Action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- Creation
Timestamp string - Creation timestamp in RFC3339 text format.
- Description string
- An optional description for this resource.
- Direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - Disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Firewall
Policy - The firewall policy of the resource.
- Kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - Match
Network
Firewall Policy Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Project
- Rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- Rule
Tuple intCount - Calculation of the complexity of a single firewall policy rule.
- Security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
[]Network
Firewall Policy Rule Target Secure Tag Args - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Target
Service []stringAccounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- Tls
Inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- description String
- An optional description for this resource.
- direction String
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy - The firewall policy of the resource.
- kind String
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - match
Network
Firewall Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- project
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple IntegerCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
List<Network
Firewall Policy Rule Target Secure Tag> - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action string
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- creation
Timestamp string - Creation timestamp in RFC3339 text format.
- description string
- An optional description for this resource.
- direction string
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - disabled boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy - The firewall policy of the resource.
- kind string
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - match
Network
Firewall Policy Rule Match - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- project
- rule
Name string - An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple numberCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile stringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
Network
Firewall Policy Rule Target Secure Tag[] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service string[]Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action str
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- creation_
timestamp str - Creation timestamp in RFC3339 text format.
- description str
- An optional description for this resource.
- direction str
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - disabled bool
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall_
policy - The firewall policy of the resource.
- kind str
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - match
Network
Firewall Policy Rule Match Args - A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- project
- rule_
name str - An optional name for the rule. This field is not a unique identifier and can be updated.
- rule_
tuple_ intcount - Calculation of the complexity of a single firewall policy rule.
- security_
profile_ strgroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
-
Sequence[Network
Firewall Policy Rule Target Secure Tag Args] - A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target_
service_ Sequence[str]accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls_
inspect bool - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
- action String
- The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
- creation
Timestamp String - Creation timestamp in RFC3339 text format.
- description String
- An optional description for this resource.
- direction String
- The direction in which this rule applies.
Possible values are:
INGRESS,EGRESS. - disabled Boolean
- Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean - Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy - The firewall policy of the resource.
- kind String
- Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules - match Property Map
- A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority
- An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- project
- rule
Name String - An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple NumberCount - Calculation of the complexity of a single firewall policy rule.
- security
Profile StringGroup - A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
- List<Property Map>
- A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service List<String>Accounts - A list of service accounts indicating the sets of instances that are applied with this rule.
- tls
Inspect Boolean - Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
Supporting Types
NetworkFirewallPolicyRuleMatch, NetworkFirewallPolicyRuleMatchArgs
, NetworkFirewallPolicyRuleMatchArgs
- Layer4Configs
This property is required. List<NetworkFirewall Policy Rule Match Layer4Config> - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- Dest
Address List<string>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- Dest
Fqdns List<string> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- Dest
Ip List<string>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- Dest
Network stringScope - Network scope of the traffic destination.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - Dest
Region List<string>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
- Dest
Threat List<string>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- Src
Address List<string>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- Src
Fqdns List<string> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- Src
Ip List<string>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- Src
Network stringScope - Network scope of the traffic source.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - Src
Networks List<string> - Networks of the traffic source. It can be either a full or partial url.
- Src
Region List<string>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
List<Network
Firewall Policy Rule Match Src Secure Tag> - List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
- Src
Threat List<string>Intelligences Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
The
layer4_configsblock supports:
- Layer4Configs
This property is required. []NetworkFirewall Policy Rule Match Layer4Config - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- Dest
Address []stringGroups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- Dest
Fqdns []string - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- Dest
Ip []stringRanges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- Dest
Network stringScope - Network scope of the traffic destination.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - Dest
Region []stringCodes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
- Dest
Threat []stringIntelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- Src
Address []stringGroups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- Src
Fqdns []string - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- Src
Ip []stringRanges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- Src
Network stringScope - Network scope of the traffic source.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - Src
Networks []string - Networks of the traffic source. It can be either a full or partial url.
- Src
Region []stringCodes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
[]Network
Firewall Policy Rule Match Src Secure Tag - List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
- Src
Threat []stringIntelligences Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
The
layer4_configsblock supports:
- layer4Configs
This property is required. List<NetworkFirewall Policy Rule Match Layer4Config> - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address List<String>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip List<String>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- dest
Network StringScope - Network scope of the traffic destination.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - dest
Region List<String>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
- dest
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- src
Address List<String>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip List<String>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- src
Network StringScope - Network scope of the traffic source.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - src
Networks List<String> - Networks of the traffic source. It can be either a full or partial url.
- src
Region List<String>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
List<Network
Firewall Policy Rule Match Src Secure Tag> - List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
- src
Threat List<String>Intelligences Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
The
layer4_configsblock supports:
- layer4Configs
This property is required. NetworkFirewall Policy Rule Match Layer4Config[] - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address string[]Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns string[] - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip string[]Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- dest
Network stringScope - Network scope of the traffic destination.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - dest
Region string[]Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
- dest
Threat string[]Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- src
Address string[]Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns string[] - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip string[]Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- src
Network stringScope - Network scope of the traffic source.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - src
Networks string[] - Networks of the traffic source. It can be either a full or partial url.
- src
Region string[]Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
Network
Firewall Policy Rule Match Src Secure Tag[] - List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
- src
Threat string[]Intelligences Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
The
layer4_configsblock supports:
- layer4_
configs This property is required. Sequence[NetworkFirewall Policy Rule Match Layer4Config] - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest_
address_ Sequence[str]groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest_
fqdns Sequence[str] - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest_
ip_ Sequence[str]ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- dest_
network_ strscope - Network scope of the traffic destination.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - dest_
region_ Sequence[str]codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
- dest_
threat_ Sequence[str]intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- src_
address_ Sequence[str]groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src_
fqdns Sequence[str] - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src_
ip_ Sequence[str]ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- src_
network_ strscope - Network scope of the traffic source.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - src_
networks Sequence[str] - Networks of the traffic source. It can be either a full or partial url.
- src_
region_ Sequence[str]codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
-
Sequence[Network
Firewall Policy Rule Match Src Secure Tag] - List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
- src_
threat_ Sequence[str]intelligences Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
The
layer4_configsblock supports:
- layer4Configs
This property is required. List<Property Map> - Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address List<String>Groups - Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
- dest
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
- dest
Ip List<String>Ranges - CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- dest
Network StringScope - Network scope of the traffic destination.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - dest
Region List<String>Codes - Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
- dest
Threat List<String>Intelligences - Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
- src
Address List<String>Groups - Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
- src
Fqdns List<String> - Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
- src
Ip List<String>Ranges - CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- src
Network StringScope - Network scope of the traffic source.
Possible values are:
INTERNET,INTRA_VPC,NON_INTERNET,VPC_NETWORKS. - src
Networks List<String> - Networks of the traffic source. It can be either a full or partial url.
- src
Region List<String>Codes - Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
- List<Property Map>
- List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.
- src
Threat List<String>Intelligences Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
The
layer4_configsblock supports:
NetworkFirewallPolicyRuleMatchLayer4Config, NetworkFirewallPolicyRuleMatchLayer4ConfigArgs
, NetworkFirewallPolicyRuleMatchLayer4ConfigArgs
- Ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports List<string>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- Ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- Ports []string
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol This property is required. String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports List<String>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol This property is required. string - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports string[]
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip_
protocol This property is required. str - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports Sequence[str]
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
- ip
Protocol This property is required. String - The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
- ports List<String>
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
NetworkFirewallPolicyRuleMatchSrcSecureTag, NetworkFirewallPolicyRuleMatchSrcSecureTagArgs
, NetworkFirewallPolicyRuleMatchSrcSecureTagArgs
NetworkFirewallPolicyRuleTargetSecureTag, NetworkFirewallPolicyRuleTargetSecureTagArgs
, NetworkFirewallPolicyRuleTargetSecureTagArgs
Import
NetworkFirewallPolicyRule can be imported using any of these accepted formats:
projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}{{project}}/{{firewall_policy}}/{{priority}}{{firewall_policy}}/{{priority}}
When using the pulumi import command, NetworkFirewallPolicyRule can be imported using one of the formats above. For example:
$ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}
$ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default {{project}}/{{firewall_policy}}/{{priority}}
$ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default {{firewall_policy}}/{{priority}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.
- Example Usage
- Network Firewall Policy Rule
- Network Firewall Policy Rule Network Scope Egress
- Network Firewall Policy Rule Network Scope Ingress
- Create NetworkFirewallPolicyRule Resource
- Constructor syntax
- Constructor example
- NetworkFirewallPolicyRule Resource Properties
- Inputs
- Outputs
- Look up Existing NetworkFirewallPolicyRule Resource
- Supporting Types
- Import
- Package Details