gcp.compute.FirewallPolicyRule


Hierarchical firewall policy rules let you create and enforce a consistent firewall policy across your organization. Rules can explicitly allow or deny connections or delegate evaluation to lower level policies.

For more information see the official documentation

Example Usage

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Organization-scoped hierarchical firewall policy that owns the rule below.
    var defaultFirewallPolicy = new Gcp.Compute.FirewallPolicy("defaultFirewallPolicy", new()
    {
        Parent = "organizations/12345",
        ShortName = "my-policy",
        Description = "Example Resource",
    });

    // Layer-4 match: TCP to ports 80 and 8080, destined for a single /32.
    var tcpWebPorts = new Gcp.Compute.Inputs.FirewallPolicyRuleMatchLayer4ConfigArgs
    {
        IpProtocol = "tcp",
        Ports = new[] { "80", "8080" },
    };

    var ruleMatch = new Gcp.Compute.Inputs.FirewallPolicyRuleMatchArgs
    {
        Layer4Configs = new[] { tcpWebPorts },
        DestIpRanges = new[] { "11.100.0.1/32" },
    };

    // Egress "allow" rule at priority 9000 (lower number = evaluated first); per-rule logging on.
    var defaultFirewallPolicyRule = new Gcp.Compute.FirewallPolicyRule("defaultFirewallPolicyRule", new()
    {
        FirewallPolicy = defaultFirewallPolicy.Id,
        Description = "Example Resource",
        Priority = 9000,
        EnableLogging = true,
        Action = "allow",
        Direction = "EGRESS",
        Disabled = false,
        Match = ruleMatch,
    });

});
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Organization-scoped hierarchical firewall policy that owns the rule below.
		policy, err := compute.NewFirewallPolicy(ctx, "defaultFirewallPolicy", &compute.FirewallPolicyArgs{
			Parent:      pulumi.String("organizations/12345"),
			ShortName:   pulumi.String("my-policy"),
			Description: pulumi.String("Example Resource"),
		})
		if err != nil {
			return err
		}

		// Layer-4 match: TCP to ports 80 and 8080, destined for a single /32.
		tcpWebPorts := &compute.FirewallPolicyRuleMatchLayer4ConfigArgs{
			IpProtocol: pulumi.String("tcp"),
			Ports:      pulumi.StringArray{pulumi.String("80"), pulumi.String("8080")},
		}
		ruleMatch := &compute.FirewallPolicyRuleMatchArgs{
			Layer4Configs: compute.FirewallPolicyRuleMatchLayer4ConfigArray{tcpWebPorts},
			DestIpRanges:  pulumi.StringArray{pulumi.String("11.100.0.1/32")},
		}

		// Egress "allow" rule at priority 9000 (lower number = evaluated first); per-rule logging on.
		if _, err := compute.NewFirewallPolicyRule(ctx, "defaultFirewallPolicyRule", &compute.FirewallPolicyRuleArgs{
			FirewallPolicy: policy.ID(),
			Description:    pulumi.String("Example Resource"),
			Priority:       pulumi.Int(9000),
			EnableLogging:  pulumi.Bool(true),
			Action:         pulumi.String("allow"),
			Direction:      pulumi.String("EGRESS"),
			Disabled:       pulumi.Bool(false),
			Match:          ruleMatch,
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.FirewallPolicy;
import com.pulumi.gcp.compute.FirewallPolicyArgs;
import com.pulumi.gcp.compute.FirewallPolicyRule;
import com.pulumi.gcp.compute.FirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.FirewallPolicyRuleMatchArgs;
import com.pulumi.gcp.compute.inputs.FirewallPolicyRuleMatchLayer4ConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

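public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the example stack: an organization-level hierarchical firewall
     * policy and one egress "allow" rule attached to it.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Organization-scoped hierarchical firewall policy that owns the rule below.
        var defaultFirewallPolicy = new FirewallPolicy("defaultFirewallPolicy", FirewallPolicyArgs.builder()
            .parent("organizations/12345")
            .shortName("my-policy")
            .description("Example Resource")
            .build());

        // Egress "allow" rule at priority 9000 (lower number = evaluated first); per-rule logging on.
        // Match: TCP to ports 80 and 8080, destined for a single /32. The ports property is a
        // list of strings in the provider schema, so the values are passed as string literals
        // (consistent with the other language examples).
        var defaultFirewallPolicyRule = new FirewallPolicyRule("defaultFirewallPolicyRule", FirewallPolicyRuleArgs.builder()
            .firewallPolicy(defaultFirewallPolicy.id())
            .description("Example Resource")
            .priority(9000)
            .enableLogging(true)
            .action("allow")
            .direction("EGRESS")
            .disabled(false)
            .match(FirewallPolicyRuleMatchArgs.builder()
                .layer4Configs(FirewallPolicyRuleMatchLayer4ConfigArgs.builder()
                    .ipProtocol("tcp")
                    .ports("80", "8080")
                    .build())
                .destIpRanges("11.100.0.1/32")
                .build())
            .build());

    }
}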
import pulumi
import pulumi_gcp as gcp

# Organization-scoped hierarchical firewall policy that owns the rule below.
default_firewall_policy = gcp.compute.FirewallPolicy(
    "defaultFirewallPolicy",
    parent="organizations/12345",
    short_name="my-policy",
    description="Example Resource",
)

# Layer-4 match: TCP to ports 80 and 8080, destined for a single /32.
_tcp_web_ports = gcp.compute.FirewallPolicyRuleMatchLayer4ConfigArgs(
    ip_protocol="tcp",
    ports=["80", "8080"],
)
_rule_match = gcp.compute.FirewallPolicyRuleMatchArgs(
    layer4_configs=[_tcp_web_ports],
    dest_ip_ranges=["11.100.0.1/32"],
)

# Egress "allow" rule at priority 9000 (lower number = evaluated first); per-rule logging on.
default_firewall_policy_rule = gcp.compute.FirewallPolicyRule(
    "defaultFirewallPolicyRule",
    firewall_policy=default_firewall_policy.id,
    description="Example Resource",
    priority=9000,
    enable_logging=True,
    action="allow",
    direction="EGRESS",
    disabled=False,
    match=_rule_match,
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Organization-scoped hierarchical firewall policy that owns the rule below.
const defaultFirewallPolicy = new gcp.compute.FirewallPolicy("defaultFirewallPolicy", {
    parent: "organizations/12345",
    shortName: "my-policy",
    description: "Example Resource",
});

// Layer-4 match: TCP to ports 80 and 8080, destined for a single /32.
const ruleMatch = {
    layer4Configs: [{ ipProtocol: "tcp", ports: ["80", "8080"] }],
    destIpRanges: ["11.100.0.1/32"],
};

// Egress "allow" rule at priority 9000 (lower number = evaluated first); per-rule logging on.
const defaultFirewallPolicyRule = new gcp.compute.FirewallPolicyRule("defaultFirewallPolicyRule", {
    firewallPolicy: defaultFirewallPolicy.id,
    description: "Example Resource",
    priority: 9000,
    enableLogging: true,
    action: "allow",
    direction: "EGRESS",
    disabled: false,
    match: ruleMatch,
});
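resources:
  # Organization-scoped hierarchical firewall policy that owns the rule below.
  defaultFirewallPolicy:
    type: gcp:compute:FirewallPolicy
    properties:
      parent: organizations/12345
      shortName: my-policy
      description: Example Resource
  # Egress "allow" rule at priority 9000 (lower number = evaluated first); per-rule logging on.
  defaultFirewallPolicyRule:
    type: gcp:compute:FirewallPolicyRule
    properties:
      firewallPolicy: ${defaultFirewallPolicy.id}
      description: Example Resource
      priority: 9000
      enableLogging: true
      action: allow
      direction: EGRESS
      disabled: false
      match:
        layer4Configs:
          - ipProtocol: tcp
            # ports is a list of strings in the provider schema; quote the values so
            # YAML does not parse them as integers (matches the other language examples).
            ports:
              - "80"
              - "8080"
        destIpRanges:
          - 11.100.0.1/32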

Create FirewallPolicyRule Resource

new FirewallPolicyRule(name: string, args: FirewallPolicyRuleArgs, opts?: CustomResourceOptions);
@overload
def FirewallPolicyRule(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       action: Optional[str] = None,
                       description: Optional[str] = None,
                       direction: Optional[str] = None,
                       disabled: Optional[bool] = None,
                       enable_logging: Optional[bool] = None,
                       firewall_policy: Optional[str] = None,
                       match: Optional[FirewallPolicyRuleMatchArgs] = None,
                       priority: Optional[int] = None,
                       target_resources: Optional[Sequence[str]] = None,
                       target_service_accounts: Optional[Sequence[str]] = None)
@overload
def FirewallPolicyRule(resource_name: str,
                       args: FirewallPolicyRuleArgs,
                       opts: Optional[ResourceOptions] = None)
func NewFirewallPolicyRule(ctx *Context, name string, args FirewallPolicyRuleArgs, opts ...ResourceOption) (*FirewallPolicyRule, error)
public FirewallPolicyRule(string name, FirewallPolicyRuleArgs args, CustomResourceOptions? opts = null)
public FirewallPolicyRule(String name, FirewallPolicyRuleArgs args)
public FirewallPolicyRule(String name, FirewallPolicyRuleArgs args, CustomResourceOptions options)
type: gcp:compute:FirewallPolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args FirewallPolicyRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args FirewallPolicyRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args FirewallPolicyRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args FirewallPolicyRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args FirewallPolicyRuleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

FirewallPolicyRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The FirewallPolicyRule resource accepts the following input properties:

Action string

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

Direction string

The direction in which this rule applies. Possible values: INGRESS, EGRESS

FirewallPolicy string

The firewall policy of the resource.

Match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

Priority int

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

Description string

An optional description for this resource.

Disabled bool

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

EnableLogging bool

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

TargetResources List<string>

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

TargetServiceAccounts List<string>

A list of service accounts indicating the sets of instances to which this rule applies.

Action string

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

Direction string

The direction in which this rule applies. Possible values: INGRESS, EGRESS

FirewallPolicy string

The firewall policy of the resource.

Match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

Priority int

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

Description string

An optional description for this resource.

Disabled bool

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

EnableLogging bool

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

TargetResources []string

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

TargetServiceAccounts []string

A list of service accounts indicating the sets of instances to which this rule applies.

action String

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

direction String

The direction in which this rule applies. Possible values: INGRESS, EGRESS

firewallPolicy String

The firewall policy of the resource.

match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

priority Integer

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

description String

An optional description for this resource.

disabled Boolean

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

enableLogging Boolean

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

targetResources List<String>

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

targetServiceAccounts List<String>

A list of service accounts indicating the sets of instances to which this rule applies.

action string

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

direction string

The direction in which this rule applies. Possible values: INGRESS, EGRESS

firewallPolicy string

The firewall policy of the resource.

match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

priority number

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

description string

An optional description for this resource.

disabled boolean

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

enableLogging boolean

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

targetResources string[]

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

targetServiceAccounts string[]

A list of service accounts indicating the sets of instances to which this rule applies.

action str

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

direction str

The direction in which this rule applies. Possible values: INGRESS, EGRESS

firewall_policy str

The firewall policy of the resource.

match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

priority int

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

description str

An optional description for this resource.

disabled bool

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

enable_logging bool

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

target_resources Sequence[str]

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

target_service_accounts Sequence[str]

A list of service accounts indicating the sets of instances to which this rule applies.

action String

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

direction String

The direction in which this rule applies. Possible values: INGRESS, EGRESS

firewallPolicy String

The firewall policy of the resource.

match Property Map

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

priority Number

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

description String

An optional description for this resource.

disabled Boolean

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

enableLogging Boolean

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

targetResources List<String>

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

targetServiceAccounts List<String>

A list of service accounts indicating the sets of instances to which this rule applies.

Outputs

All input properties are implicitly available as output properties. Additionally, the FirewallPolicyRule resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Kind string

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

RuleTupleCount int

Calculation of the complexity of a single firewall policy rule.

Id string

The provider-assigned unique ID for this managed resource.

Kind string

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

RuleTupleCount int

Calculation of the complexity of a single firewall policy rule.

id String

The provider-assigned unique ID for this managed resource.

kind String

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

ruleTupleCount Integer

Calculation of the complexity of a single firewall policy rule.

id string

The provider-assigned unique ID for this managed resource.

kind string

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

ruleTupleCount number

Calculation of the complexity of a single firewall policy rule.

id str

The provider-assigned unique ID for this managed resource.

kind str

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

rule_tuple_count int

Calculation of the complexity of a single firewall policy rule.

id String

The provider-assigned unique ID for this managed resource.

kind String

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

ruleTupleCount Number

Calculation of the complexity of a single firewall policy rule.

Look up Existing FirewallPolicyRule Resource

Get an existing FirewallPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: FirewallPolicyRuleState, opts?: CustomResourceOptions): FirewallPolicyRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        action: Optional[str] = None,
        description: Optional[str] = None,
        direction: Optional[str] = None,
        disabled: Optional[bool] = None,
        enable_logging: Optional[bool] = None,
        firewall_policy: Optional[str] = None,
        kind: Optional[str] = None,
        match: Optional[FirewallPolicyRuleMatchArgs] = None,
        priority: Optional[int] = None,
        rule_tuple_count: Optional[int] = None,
        target_resources: Optional[Sequence[str]] = None,
        target_service_accounts: Optional[Sequence[str]] = None) -> FirewallPolicyRule
func GetFirewallPolicyRule(ctx *Context, name string, id IDInput, state *FirewallPolicyRuleState, opts ...ResourceOption) (*FirewallPolicyRule, error)
public static FirewallPolicyRule Get(string name, Input<string> id, FirewallPolicyRuleState? state, CustomResourceOptions? opts = null)
public static FirewallPolicyRule get(String name, Output<String> id, FirewallPolicyRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Action string

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

Description string

An optional description for this resource.

Direction string

The direction in which this rule applies. Possible values: INGRESS, EGRESS

Disabled bool

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

EnableLogging bool

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

FirewallPolicy string

The firewall policy of the resource.

Kind string

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

Match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

Priority int

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

RuleTupleCount int

Calculation of the complexity of a single firewall policy rule.

TargetResources List<string>

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

TargetServiceAccounts List<string>

A list of service accounts indicating the sets of instances to which this rule applies.

Action string

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

Description string

An optional description for this resource.

Direction string

The direction in which this rule applies. Possible values: INGRESS, EGRESS

Disabled bool

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

EnableLogging bool

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

FirewallPolicy string

The firewall policy of the resource.

Kind string

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

Match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

Priority int

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

RuleTupleCount int

Calculation of the complexity of a single firewall policy rule.

TargetResources []string

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

TargetServiceAccounts []string

A list of service accounts indicating the sets of instances to which this rule applies.

action String

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

description String

An optional description for this resource.

direction String

The direction in which this rule applies. Possible values: INGRESS, EGRESS

disabled Boolean

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

enableLogging Boolean

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

firewallPolicy String

The firewall policy of the resource.

kind String

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

priority Integer

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

ruleTupleCount Integer

Calculation of the complexity of a single firewall policy rule.

targetResources List<String>

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

targetServiceAccounts List<String>

A list of service accounts indicating the sets of instances to which this rule applies.

action string

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

description string

An optional description for this resource.

direction string

The direction in which this rule applies. Possible values: INGRESS, EGRESS

disabled boolean

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

enableLogging boolean

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

firewallPolicy string

The firewall policy of the resource.

kind string

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

priority number

An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

ruleTupleCount number

Calculation of the complexity of a single firewall policy rule.

targetResources string[]

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

targetServiceAccounts string[]

A list of service accounts indicating the sets of instances to which this rule applies.

action str

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

description str

An optional description for this resource.

direction str

The direction in which this rule applies. Possible values: INGRESS, EGRESS

disabled bool

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

enable_logging bool

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

firewall_policy str

The firewall policy of the resource.

kind str

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

match FirewallPolicyRuleMatchArgs

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

priority int

An integer indicating the priority of a rule in the list. The priority must be a non-negative value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

rule_tuple_count int

Calculation of the complexity of a single firewall policy rule.

target_resources Sequence[str]

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

target_service_accounts Sequence[str]

A list of service accounts identifying the sets of instances to which this rule applies.

action String

The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.

description String

An optional description for this resource.

direction String

The direction in which this rule applies. Possible values: INGRESS, EGRESS

disabled Boolean

Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.

enableLogging Boolean

Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.

firewallPolicy String

The firewall policy of the resource.

kind String

Type of the resource. Always compute#firewallPolicyRule for firewall policy rules

match Property Map

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.

priority Number

An integer indicating the priority of a rule in the list. The priority must be a non-negative value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.

ruleTupleCount Number

Calculation of the complexity of a single firewall policy rule.

targetResources List<String>

A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.

targetServiceAccounts List<String>

A list of service accounts identifying the sets of instances to which this rule applies.

Supporting Types

FirewallPolicyRuleMatch

Layer4Configs List<FirewallPolicyRuleMatchLayer4Config>

Pairs of IP protocols and ports that the rule should match. Structure is documented below.

DestAddressGroups List<string>
DestFqdns List<string>
DestIpRanges List<string>

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.

DestRegionCodes List<string>
DestThreatIntelligences List<string>
SrcAddressGroups List<string>
SrcFqdns List<string>
SrcIpRanges List<string>

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.

The layer4_configs block supports:

SrcRegionCodes List<string>
SrcThreatIntelligences List<string>
Layer4Configs []FirewallPolicyRuleMatchLayer4Config

Pairs of IP protocols and ports that the rule should match. Structure is documented below.

DestAddressGroups []string
DestFqdns []string
DestIpRanges []string

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.

DestRegionCodes []string
DestThreatIntelligences []string
SrcAddressGroups []string
SrcFqdns []string
SrcIpRanges []string

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.

The layer4_configs block supports:

SrcRegionCodes []string
SrcThreatIntelligences []string
layer4Configs List<FirewallPolicyRuleMatchLayer4Config>

Pairs of IP protocols and ports that the rule should match. Structure is documented below.

destAddressGroups List<String>
destFqdns List<String>
destIpRanges List<String>

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.

destRegionCodes List<String>
destThreatIntelligences List<String>
srcAddressGroups List<String>
srcFqdns List<String>
srcIpRanges List<String>

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.

The layer4_configs block supports:

srcRegionCodes List<String>
srcThreatIntelligences List<String>
layer4Configs FirewallPolicyRuleMatchLayer4Config[]

Pairs of IP protocols and ports that the rule should match. Structure is documented below.

destAddressGroups string[]
destFqdns string[]
destIpRanges string[]

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.

destRegionCodes string[]
destThreatIntelligences string[]
srcAddressGroups string[]
srcFqdns string[]
srcIpRanges string[]

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.

The layer4_configs block supports:

srcRegionCodes string[]
srcThreatIntelligences string[]
layer4_configs Sequence[FirewallPolicyRuleMatchLayer4Config]

Pairs of IP protocols and ports that the rule should match. Structure is documented below.

dest_address_groups Sequence[str]
dest_fqdns Sequence[str]
dest_ip_ranges Sequence[str]

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.

dest_region_codes Sequence[str]
dest_threat_intelligences Sequence[str]
src_address_groups Sequence[str]
src_fqdns Sequence[str]
src_ip_ranges Sequence[str]

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.

The layer4_configs block supports:

src_region_codes Sequence[str]
src_threat_intelligences Sequence[str]
layer4Configs List<Property Map>

Pairs of IP protocols and ports that the rule should match. Structure is documented below.

destAddressGroups List<String>
destFqdns List<String>
destIpRanges List<String>

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.

destRegionCodes List<String>
destThreatIntelligences List<String>
srcAddressGroups List<String>
srcFqdns List<String>
srcIpRanges List<String>

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.

The layer4_configs block supports:

srcRegionCodes List<String>
srcThreatIntelligences List<String>

FirewallPolicyRuleMatchLayer4Config

IpProtocol string

The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.

Ports List<string>

An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.


IpProtocol string

The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.

Ports []string

An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.


ipProtocol String

The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.

ports List<String>

An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.


ipProtocol string

The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.

ports string[]

An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.


ip_protocol str

The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.

ports Sequence[str]

An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.


ipProtocol String

The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.

ports List<String>

An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.


Import

FirewallPolicyRule can be imported using any of these accepted formats:

 $ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}
 $ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default {{firewall_policy}}/{{priority}}

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.