1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. compute
  5. Firewall
Google Cloud Classic v7.28.0 published on Friday, Jun 21, 2024 by Pulumi

gcp.compute.Firewall

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.28.0 published on Friday, Jun 21, 2024 by Pulumi

    Each network has its own firewall controlling access to and from the instances.

    All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it.

    The default network has automatically created firewall rules that are shown in default firewall rules. No manually created network has automatically created firewall rules except for a default “allow” rule for outgoing traffic and a default “deny” for incoming traffic. For all networks except the default network, you must create any firewall rules you need.

    To get more information about Firewall, see:

    Example Usage

    Firewall Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const defaultNetwork = new gcp.compute.Network("default", {name: "test-network"});
    const _default = new gcp.compute.Firewall("default", {
        name: "test-firewall",
        network: defaultNetwork.name,
        allows: [
            {
                protocol: "icmp",
            },
            {
                protocol: "tcp",
                ports: [
                    "80",
                    "8080",
                    "1000-2000",
                ],
            },
        ],
        sourceTags: ["web"],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    default_network = gcp.compute.Network("default", name="test-network")
    default = gcp.compute.Firewall("default",
        name="test-firewall",
        network=default_network.name,
        allows=[
            gcp.compute.FirewallAllowArgs(
                protocol="icmp",
            ),
            gcp.compute.FirewallAllowArgs(
                protocol="tcp",
                ports=[
                    "80",
                    "8080",
                    "1000-2000",
                ],
            ),
        ],
        source_tags=["web"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		defaultNetwork, err := compute.NewNetwork(ctx, "default", &compute.NetworkArgs{
    			Name: pulumi.String("test-network"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = compute.NewFirewall(ctx, "default", &compute.FirewallArgs{
    			Name:    pulumi.String("test-firewall"),
    			Network: defaultNetwork.Name,
    			Allows: compute.FirewallAllowArray{
    				&compute.FirewallAllowArgs{
    					Protocol: pulumi.String("icmp"),
    				},
    				&compute.FirewallAllowArgs{
    					Protocol: pulumi.String("tcp"),
    					Ports: pulumi.StringArray{
    						pulumi.String("80"),
    						pulumi.String("8080"),
    						pulumi.String("1000-2000"),
    					},
    				},
    			},
    			SourceTags: pulumi.StringArray{
    				pulumi.String("web"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var defaultNetwork = new Gcp.Compute.Network("default", new()
        {
            Name = "test-network",
        });
    
        var @default = new Gcp.Compute.Firewall("default", new()
        {
            Name = "test-firewall",
            Network = defaultNetwork.Name,
            Allows = new[]
            {
                new Gcp.Compute.Inputs.FirewallAllowArgs
                {
                    Protocol = "icmp",
                },
                new Gcp.Compute.Inputs.FirewallAllowArgs
                {
                    Protocol = "tcp",
                    Ports = new[]
                    {
                        "80",
                        "8080",
                        "1000-2000",
                    },
                },
            },
            SourceTags = new[]
            {
                "web",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.compute.Network;
    import com.pulumi.gcp.compute.NetworkArgs;
    import com.pulumi.gcp.compute.Firewall;
    import com.pulumi.gcp.compute.FirewallArgs;
    import com.pulumi.gcp.compute.inputs.FirewallAllowArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var defaultNetwork = new Network("defaultNetwork", NetworkArgs.builder()
                .name("test-network")
                .build());
    
            var default_ = new Firewall("default", FirewallArgs.builder()
                .name("test-firewall")
                .network(defaultNetwork.name())
                .allows(            
                    FirewallAllowArgs.builder()
                        .protocol("icmp")
                        .build(),
                    FirewallAllowArgs.builder()
                        .protocol("tcp")
                        .ports(                    
                            "80",
                            "8080",
                            "1000-2000")
                        .build())
                .sourceTags("web")
                .build());
    
        }
    }
    
    resources:
      default:
        type: gcp:compute:Firewall
        properties:
          name: test-firewall
          network: ${defaultNetwork.name}
          allows:
            - protocol: icmp
            - protocol: tcp
              ports:
                - '80'
                - '8080'
                - 1000-2000
          sourceTags:
            - web
      defaultNetwork:
        type: gcp:compute:Network
        name: default
        properties:
          name: test-network
    

    Firewall With Target Tags

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const rules = new gcp.compute.Firewall("rules", {
        project: "my-project-name",
        name: "my-firewall-rule",
        network: "default",
        description: "Creates firewall rule targeting tagged instances",
        allows: [{
            protocol: "tcp",
            ports: [
                "80",
                "8080",
                "1000-2000",
            ],
        }],
        sourceTags: ["foo"],
        targetTags: ["web"],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    rules = gcp.compute.Firewall("rules",
        project="my-project-name",
        name="my-firewall-rule",
        network="default",
        description="Creates firewall rule targeting tagged instances",
        allows=[gcp.compute.FirewallAllowArgs(
            protocol="tcp",
            ports=[
                "80",
                "8080",
                "1000-2000",
            ],
        )],
        source_tags=["foo"],
        target_tags=["web"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := compute.NewFirewall(ctx, "rules", &compute.FirewallArgs{
    			Project:     pulumi.String("my-project-name"),
    			Name:        pulumi.String("my-firewall-rule"),
    			Network:     pulumi.String("default"),
    			Description: pulumi.String("Creates firewall rule targeting tagged instances"),
    			Allows: compute.FirewallAllowArray{
    				&compute.FirewallAllowArgs{
    					Protocol: pulumi.String("tcp"),
    					Ports: pulumi.StringArray{
    						pulumi.String("80"),
    						pulumi.String("8080"),
    						pulumi.String("1000-2000"),
    					},
    				},
    			},
    			SourceTags: pulumi.StringArray{
    				pulumi.String("foo"),
    			},
    			TargetTags: pulumi.StringArray{
    				pulumi.String("web"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var rules = new Gcp.Compute.Firewall("rules", new()
        {
            Project = "my-project-name",
            Name = "my-firewall-rule",
            Network = "default",
            Description = "Creates firewall rule targeting tagged instances",
            Allows = new[]
            {
                new Gcp.Compute.Inputs.FirewallAllowArgs
                {
                    Protocol = "tcp",
                    Ports = new[]
                    {
                        "80",
                        "8080",
                        "1000-2000",
                    },
                },
            },
            SourceTags = new[]
            {
                "foo",
            },
            TargetTags = new[]
            {
                "web",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.compute.Firewall;
    import com.pulumi.gcp.compute.FirewallArgs;
    import com.pulumi.gcp.compute.inputs.FirewallAllowArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var rules = new Firewall("rules", FirewallArgs.builder()
                .project("my-project-name")
                .name("my-firewall-rule")
                .network("default")
                .description("Creates firewall rule targeting tagged instances")
                .allows(FirewallAllowArgs.builder()
                    .protocol("tcp")
                    .ports(                
                        "80",
                        "8080",
                        "1000-2000")
                    .build())
                .sourceTags("foo")
                .targetTags("web")
                .build());
    
        }
    }
    
    resources:
      rules:
        type: gcp:compute:Firewall
        properties:
          project: my-project-name
          name: my-firewall-rule
          network: default
          description: Creates firewall rule targeting tagged instances
          allows:
            - protocol: tcp
              ports:
                - '80'
                - '8080'
                - 1000-2000
          sourceTags:
            - foo
          targetTags:
            - web
    

    Create Firewall Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Firewall(name: string, args: FirewallArgs, opts?: CustomResourceOptions);
    @overload
    def Firewall(resource_name: str,
                 args: FirewallArgs,
                 opts: Optional[ResourceOptions] = None)
    
    @overload
    def Firewall(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 network: Optional[str] = None,
                 name: Optional[str] = None,
                 log_config: Optional[FirewallLogConfigArgs] = None,
                 destination_ranges: Optional[Sequence[str]] = None,
                 direction: Optional[str] = None,
                 denies: Optional[Sequence[FirewallDenyArgs]] = None,
                 enable_logging: Optional[bool] = None,
                 description: Optional[str] = None,
                 allows: Optional[Sequence[FirewallAllowArgs]] = None,
                 disabled: Optional[bool] = None,
                 priority: Optional[int] = None,
                 project: Optional[str] = None,
                 source_ranges: Optional[Sequence[str]] = None,
                 source_service_accounts: Optional[Sequence[str]] = None,
                 source_tags: Optional[Sequence[str]] = None,
                 target_service_accounts: Optional[Sequence[str]] = None,
                 target_tags: Optional[Sequence[str]] = None)
    func NewFirewall(ctx *Context, name string, args FirewallArgs, opts ...ResourceOption) (*Firewall, error)
    public Firewall(string name, FirewallArgs args, CustomResourceOptions? opts = null)
    public Firewall(String name, FirewallArgs args)
    public Firewall(String name, FirewallArgs args, CustomResourceOptions options)
    
    type: gcp:compute:Firewall
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args FirewallArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args FirewallArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args FirewallArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args FirewallArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args FirewallArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Example

    The following reference example uses placeholder values for all input properties.

    var firewallResource = new Gcp.Compute.Firewall("firewallResource", new()
    {
        Network = "string",
        Name = "string",
        LogConfig = new Gcp.Compute.Inputs.FirewallLogConfigArgs
        {
            Metadata = "string",
        },
        DestinationRanges = new[]
        {
            "string",
        },
        Direction = "string",
        Denies = new[]
        {
            new Gcp.Compute.Inputs.FirewallDenyArgs
            {
                Protocol = "string",
                Ports = new[]
                {
                    "string",
                },
            },
        },
        Description = "string",
        Allows = new[]
        {
            new Gcp.Compute.Inputs.FirewallAllowArgs
            {
                Protocol = "string",
                Ports = new[]
                {
                    "string",
                },
            },
        },
        Disabled = false,
        Priority = 0,
        Project = "string",
        SourceRanges = new[]
        {
            "string",
        },
        SourceServiceAccounts = new[]
        {
            "string",
        },
        SourceTags = new[]
        {
            "string",
        },
        TargetServiceAccounts = new[]
        {
            "string",
        },
        TargetTags = new[]
        {
            "string",
        },
    });
    
    example, err := compute.NewFirewall(ctx, "firewallResource", &compute.FirewallArgs{
    	Network: pulumi.String("string"),
    	Name:    pulumi.String("string"),
    	LogConfig: &compute.FirewallLogConfigArgs{
    		Metadata: pulumi.String("string"),
    	},
    	DestinationRanges: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Direction: pulumi.String("string"),
    	Denies: compute.FirewallDenyArray{
    		&compute.FirewallDenyArgs{
    			Protocol: pulumi.String("string"),
    			Ports: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	Description: pulumi.String("string"),
    	Allows: compute.FirewallAllowArray{
    		&compute.FirewallAllowArgs{
    			Protocol: pulumi.String("string"),
    			Ports: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	Disabled: pulumi.Bool(false),
    	Priority: pulumi.Int(0),
    	Project:  pulumi.String("string"),
    	SourceRanges: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	SourceServiceAccounts: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	SourceTags: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TargetServiceAccounts: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TargetTags: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    })
    
    var firewallResource = new Firewall("firewallResource", FirewallArgs.builder()
        .network("string")
        .name("string")
        .logConfig(FirewallLogConfigArgs.builder()
            .metadata("string")
            .build())
        .destinationRanges("string")
        .direction("string")
        .denies(FirewallDenyArgs.builder()
            .protocol("string")
            .ports("string")
            .build())
        .description("string")
        .allows(FirewallAllowArgs.builder()
            .protocol("string")
            .ports("string")
            .build())
        .disabled(false)
        .priority(0)
        .project("string")
        .sourceRanges("string")
        .sourceServiceAccounts("string")
        .sourceTags("string")
        .targetServiceAccounts("string")
        .targetTags("string")
        .build());
    
    firewall_resource = gcp.compute.Firewall("firewallResource",
        network="string",
        name="string",
        log_config=gcp.compute.FirewallLogConfigArgs(
            metadata="string",
        ),
        destination_ranges=["string"],
        direction="string",
        denies=[gcp.compute.FirewallDenyArgs(
            protocol="string",
            ports=["string"],
        )],
        description="string",
        allows=[gcp.compute.FirewallAllowArgs(
            protocol="string",
            ports=["string"],
        )],
        disabled=False,
        priority=0,
        project="string",
        source_ranges=["string"],
        source_service_accounts=["string"],
        source_tags=["string"],
        target_service_accounts=["string"],
        target_tags=["string"])
    
    const firewallResource = new gcp.compute.Firewall("firewallResource", {
        network: "string",
        name: "string",
        logConfig: {
            metadata: "string",
        },
        destinationRanges: ["string"],
        direction: "string",
        denies: [{
            protocol: "string",
            ports: ["string"],
        }],
        description: "string",
        allows: [{
            protocol: "string",
            ports: ["string"],
        }],
        disabled: false,
        priority: 0,
        project: "string",
        sourceRanges: ["string"],
        sourceServiceAccounts: ["string"],
        sourceTags: ["string"],
        targetServiceAccounts: ["string"],
        targetTags: ["string"],
    });
    
    type: gcp:compute:Firewall
    properties:
        allows:
            - ports:
                - string
              protocol: string
        denies:
            - ports:
                - string
              protocol: string
        description: string
        destinationRanges:
            - string
        direction: string
        disabled: false
        logConfig:
            metadata: string
        name: string
        network: string
        priority: 0
        project: string
        sourceRanges:
            - string
        sourceServiceAccounts:
            - string
        sourceTags:
            - string
        targetServiceAccounts:
            - string
        targetTags:
            - string
    

    Firewall Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Firewall resource accepts the following input properties:

    Network string
    The name or self_link of the network to attach this firewall to.


    Allows List<FirewallAllow>
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    Denies List<FirewallDeny>
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    Description string
    An optional description of this resource. Provide this property when you create the resource.
    DestinationRanges List<string>
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    Direction string
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    Disabled bool
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    EnableLogging bool
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    LogConfig FirewallLogConfig
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    Name string
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    Priority int
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    SourceRanges List<string>
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    SourceServiceAccounts List<string>
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    SourceTags List<string>
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    TargetServiceAccounts List<string>
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    TargetTags List<string>
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    Network string
    The name or self_link of the network to attach this firewall to.


    Allows []FirewallAllowArgs
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    Denies []FirewallDenyArgs
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    Description string
    An optional description of this resource. Provide this property when you create the resource.
    DestinationRanges []string
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    Direction string
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    Disabled bool
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    EnableLogging bool
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    LogConfig FirewallLogConfigArgs
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    Name string
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    Priority int
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    SourceRanges []string
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    SourceServiceAccounts []string
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    SourceTags []string
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    TargetServiceAccounts []string
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    TargetTags []string
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    network String
    The name or self_link of the network to attach this firewall to.


    allows List<FirewallAllow>
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    denies List<FirewallDeny>
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    description String
    An optional description of this resource. Provide this property when you create the resource.
    destinationRanges List<String>
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    direction String
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    disabled Boolean
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    enableLogging Boolean
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    logConfig FirewallLogConfig
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    name String
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    priority Integer
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    sourceRanges List<String>
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceServiceAccounts List<String>
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceTags List<String>
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    targetServiceAccounts List<String>
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    targetTags List<String>
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    network string
    The name or self_link of the network to attach this firewall to.


    allows FirewallAllow[]
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    denies FirewallDeny[]
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    description string
    An optional description of this resource. Provide this property when you create the resource.
    destinationRanges string[]
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    direction string
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    disabled boolean
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    enableLogging boolean
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    logConfig FirewallLogConfig
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    name string
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    priority number
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    sourceRanges string[]
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceServiceAccounts string[]
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceTags string[]
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    targetServiceAccounts string[]
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    targetTags string[]
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    network str
    The name or self_link of the network to attach this firewall to.


    allows Sequence[FirewallAllowArgs]
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    denies Sequence[FirewallDenyArgs]
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    description str
    An optional description of this resource. Provide this property when you create the resource.
    destination_ranges Sequence[str]
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    direction str
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    disabled bool
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    enable_logging bool
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    log_config FirewallLogConfigArgs
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    name str
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    priority int
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    source_ranges Sequence[str]
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    source_service_accounts Sequence[str]
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    source_tags Sequence[str]
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    target_service_accounts Sequence[str]
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    target_tags Sequence[str]
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    network String
    The name or self_link of the network to attach this firewall to.


    allows List<Property Map>
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    denies List<Property Map>
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    description String
    An optional description of this resource. Provide this property when you create the resource.
    destinationRanges List<String>
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    direction String
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    disabled Boolean
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    enableLogging Boolean
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    logConfig Property Map
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    name String
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    priority Number
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    sourceRanges List<String>
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceServiceAccounts List<String>
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceTags List<String>
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    targetServiceAccounts List<String>
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    targetTags List<String>
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Firewall resource produces the following output properties:

    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Id string
    The provider-assigned unique ID for this managed resource.
    SelfLink string
    The URI of the created resource.
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Id string
    The provider-assigned unique ID for this managed resource.
    SelfLink string
    The URI of the created resource.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    id String
    The provider-assigned unique ID for this managed resource.
    selfLink String
    The URI of the created resource.
    creationTimestamp string
    Creation timestamp in RFC3339 text format.
    id string
    The provider-assigned unique ID for this managed resource.
    selfLink string
    The URI of the created resource.
    creation_timestamp str
    Creation timestamp in RFC3339 text format.
    id str
    The provider-assigned unique ID for this managed resource.
    self_link str
    The URI of the created resource.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    id String
    The provider-assigned unique ID for this managed resource.
    selfLink String
    The URI of the created resource.

    Look up Existing Firewall Resource

    Get an existing Firewall resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: FirewallState, opts?: CustomResourceOptions): Firewall
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allows: Optional[Sequence[FirewallAllowArgs]] = None,
            creation_timestamp: Optional[str] = None,
            denies: Optional[Sequence[FirewallDenyArgs]] = None,
            description: Optional[str] = None,
            destination_ranges: Optional[Sequence[str]] = None,
            direction: Optional[str] = None,
            disabled: Optional[bool] = None,
            enable_logging: Optional[bool] = None,
            log_config: Optional[FirewallLogConfigArgs] = None,
            name: Optional[str] = None,
            network: Optional[str] = None,
            priority: Optional[int] = None,
            project: Optional[str] = None,
            self_link: Optional[str] = None,
            source_ranges: Optional[Sequence[str]] = None,
            source_service_accounts: Optional[Sequence[str]] = None,
            source_tags: Optional[Sequence[str]] = None,
            target_service_accounts: Optional[Sequence[str]] = None,
            target_tags: Optional[Sequence[str]] = None) -> Firewall
    func GetFirewall(ctx *Context, name string, id IDInput, state *FirewallState, opts ...ResourceOption) (*Firewall, error)
    public static Firewall Get(string name, Input<string> id, FirewallState? state, CustomResourceOptions? opts = null)
    public static Firewall get(String name, Output<String> id, FirewallState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Allows List<FirewallAllow>
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Denies List<FirewallDeny>
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    Description string
    An optional description of this resource. Provide this property when you create the resource.
    DestinationRanges List<string>
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    Direction string
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    Disabled bool
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    EnableLogging bool
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    LogConfig FirewallLogConfig
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    Name string
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    Network string
    The name or self_link of the network to attach this firewall to.


    Priority int
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    SelfLink string
    The URI of the created resource.
    SourceRanges List<string>
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    SourceServiceAccounts List<string>
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    SourceTags List<string>
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    TargetServiceAccounts List<string>
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    TargetTags List<string>
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    Allows []FirewallAllowArgs
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Denies []FirewallDenyArgs
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    Description string
    An optional description of this resource. Provide this property when you create the resource.
    DestinationRanges []string
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    Direction string
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    Disabled bool
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    EnableLogging bool
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    LogConfig FirewallLogConfigArgs
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    Name string
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    Network string
    The name or self_link of the network to attach this firewall to.


    Priority int
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    SelfLink string
    The URI of the created resource.
    SourceRanges []string
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    SourceServiceAccounts []string
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    SourceTags []string
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    TargetServiceAccounts []string
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    TargetTags []string
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    allows List<FirewallAllow>
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    denies List<FirewallDeny>
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    description String
    An optional description of this resource. Provide this property when you create the resource.
    destinationRanges List<String>
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    direction String
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    disabled Boolean
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    enableLogging Boolean
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    logConfig FirewallLogConfig
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    name String
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    network String
    The name or self_link of the network to attach this firewall to.


    priority Integer
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    selfLink String
    The URI of the created resource.
    sourceRanges List<String>
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceServiceAccounts List<String>
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceTags List<String>
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    targetServiceAccounts List<String>
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    targetTags List<String>
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    allows FirewallAllow[]
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    creationTimestamp string
    Creation timestamp in RFC3339 text format.
    denies FirewallDeny[]
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    description string
    An optional description of this resource. Provide this property when you create the resource.
    destinationRanges string[]
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    direction string
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    disabled boolean
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    enableLogging boolean
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    logConfig FirewallLogConfig
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    name string
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    network string
    The name or self_link of the network to attach this firewall to.


    priority number
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    selfLink string
    The URI of the created resource.
    sourceRanges string[]
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceServiceAccounts string[]
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceTags string[]
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    targetServiceAccounts string[]
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    targetTags string[]
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    allows Sequence[FirewallAllowArgs]
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    creation_timestamp str
    Creation timestamp in RFC3339 text format.
    denies Sequence[FirewallDenyArgs]
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    description str
    An optional description of this resource. Provide this property when you create the resource.
    destination_ranges Sequence[str]
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    direction str
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    disabled bool
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    enable_logging bool
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    log_config FirewallLogConfigArgs
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    name str
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    network str
    The name or self_link of the network to attach this firewall to.


    priority int
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    self_link str
    The URI of the created resource.
    source_ranges Sequence[str]
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    source_service_accounts Sequence[str]
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    source_tags Sequence[str]
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    target_service_accounts Sequence[str]
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    target_tags Sequence[str]
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.
    allows List<Property Map>
    The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. Structure is documented below.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    denies List<Property Map>
    The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. Structure is documented below.
    description String
    An optional description of this resource. Provide this property when you create the resource.
    destinationRanges List<String>
    If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
    direction String
    Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required. Possible values are: INGRESS, EGRESS.
    disabled Boolean
    Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
    enableLogging Boolean
    This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of log_config

    Deprecated: Deprecated in favor of log_config

    logConfig Property Map
    This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging. Structure is documented below.
    name String
    Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    network String
    The name or self_link of the network to attach this firewall to.


    priority Number
    Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    selfLink String
    The URI of the created resource.
    sourceRanges List<String>
    If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceServiceAccounts List<String>
    If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    sourceTags List<String>
    If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. For INGRESS traffic, one of source_ranges, source_tags or source_service_accounts is required.
    targetServiceAccounts List<String>
    A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
    targetTags List<String>
    A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

    Supporting Types

    FirewallAllow, FirewallAllowArgs

    Protocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    Ports List<string>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    Protocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    Ports []string
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    protocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    protocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    ports string[]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    protocol str
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    ports Sequence[str]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    protocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

    FirewallDeny, FirewallDenyArgs

    Protocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    Ports List<string>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    Protocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    Ports []string
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    protocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    protocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    ports string[]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    protocol str
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    ports Sequence[str]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    protocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

    FirewallLogConfig, FirewallLogConfigArgs

    Metadata string
    This field denotes whether to include or exclude metadata for firewall logs. Possible values are: EXCLUDE_ALL_METADATA, INCLUDE_ALL_METADATA.
    Metadata string
    This field denotes whether to include or exclude metadata for firewall logs. Possible values are: EXCLUDE_ALL_METADATA, INCLUDE_ALL_METADATA.
    metadata String
    This field denotes whether to include or exclude metadata for firewall logs. Possible values are: EXCLUDE_ALL_METADATA, INCLUDE_ALL_METADATA.
    metadata string
    This field denotes whether to include or exclude metadata for firewall logs. Possible values are: EXCLUDE_ALL_METADATA, INCLUDE_ALL_METADATA.
    metadata str
    This field denotes whether to include or exclude metadata for firewall logs. Possible values are: EXCLUDE_ALL_METADATA, INCLUDE_ALL_METADATA.
    metadata String
    This field denotes whether to include or exclude metadata for firewall logs. Possible values are: EXCLUDE_ALL_METADATA, INCLUDE_ALL_METADATA.

    Import

    Firewall can be imported using any of these accepted formats:

    • projects/{{project}}/global/firewalls/{{name}}

    • {{project}}/{{name}}

    • {{name}}

    When using the pulumi import command, Firewall can be imported using one of the formats above. For example:

    $ pulumi import gcp:compute/firewall:Firewall default projects/{{project}}/global/firewalls/{{name}}
    
    $ pulumi import gcp:compute/firewall:Firewall default {{project}}/{{name}}
    
    $ pulumi import gcp:compute/firewall:Firewall default {{name}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.28.0 published on Friday, Jun 21, 2024 by Pulumi