Google Cloud Classic v6.57.0, May 30 23
Google Cloud Classic v6.57.0, May 30 23
gcp.compute.FirewallPolicyRule
Explore with Pulumi AI
Hierarchical firewall policy rules let you create and enforce a consistent firewall policy across your organization. Rules can explicitly allow or deny connections or delegate evaluation to lower level policies.
For more information see the official documentation
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultFirewallPolicy = new Gcp.Compute.FirewallPolicy("defaultFirewallPolicy", new()
{
Parent = "organizations/12345",
ShortName = "my-policy",
Description = "Example Resource",
});
var defaultFirewallPolicyRule = new Gcp.Compute.FirewallPolicyRule("defaultFirewallPolicyRule", new()
{
FirewallPolicy = defaultFirewallPolicy.Id,
Description = "Example Resource",
Priority = 9000,
EnableLogging = true,
Action = "allow",
Direction = "EGRESS",
Disabled = false,
Match = new Gcp.Compute.Inputs.FirewallPolicyRuleMatchArgs
{
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
Ports = new[]
{
"80",
"8080",
},
},
},
DestIpRanges = new[]
{
"11.100.0.1/32",
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultFirewallPolicy, err := compute.NewFirewallPolicy(ctx, "defaultFirewallPolicy", &compute.FirewallPolicyArgs{
Parent: pulumi.String("organizations/12345"),
ShortName: pulumi.String("my-policy"),
Description: pulumi.String("Example Resource"),
})
if err != nil {
return err
}
_, err = compute.NewFirewallPolicyRule(ctx, "defaultFirewallPolicyRule", &compute.FirewallPolicyRuleArgs{
FirewallPolicy: defaultFirewallPolicy.ID(),
Description: pulumi.String("Example Resource"),
Priority: pulumi.Int(9000),
EnableLogging: pulumi.Bool(true),
Action: pulumi.String("allow"),
Direction: pulumi.String("EGRESS"),
Disabled: pulumi.Bool(false),
Match: &compute.FirewallPolicyRuleMatchArgs{
Layer4Configs: compute.FirewallPolicyRuleMatchLayer4ConfigArray{
&compute.FirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
Ports: pulumi.StringArray{
pulumi.String("80"),
pulumi.String("8080"),
},
},
},
DestIpRanges: pulumi.StringArray{
pulumi.String("11.100.0.1/32"),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.FirewallPolicy;
import com.pulumi.gcp.compute.FirewallPolicyArgs;
import com.pulumi.gcp.compute.FirewallPolicyRule;
import com.pulumi.gcp.compute.FirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.FirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultFirewallPolicy = new FirewallPolicy("defaultFirewallPolicy", FirewallPolicyArgs.builder()
.parent("organizations/12345")
.shortName("my-policy")
.description("Example Resource")
.build());
var defaultFirewallPolicyRule = new FirewallPolicyRule("defaultFirewallPolicyRule", FirewallPolicyRuleArgs.builder()
.firewallPolicy(defaultFirewallPolicy.id())
.description("Example Resource")
.priority(9000)
.enableLogging(true)
.action("allow")
.direction("EGRESS")
.disabled(false)
.match(FirewallPolicyRuleMatchArgs.builder()
.layer4Configs(FirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.ports(
80,
8080)
.build())
.destIpRanges("11.100.0.1/32")
.build())
.build());
}
}
import pulumi
import pulumi_gcp as gcp
default_firewall_policy = gcp.compute.FirewallPolicy("defaultFirewallPolicy",
parent="organizations/12345",
short_name="my-policy",
description="Example Resource")
default_firewall_policy_rule = gcp.compute.FirewallPolicyRule("defaultFirewallPolicyRule",
firewall_policy=default_firewall_policy.id,
description="Example Resource",
priority=9000,
enable_logging=True,
action="allow",
direction="EGRESS",
disabled=False,
match=gcp.compute.FirewallPolicyRuleMatchArgs(
layer4_configs=[gcp.compute.FirewallPolicyRuleMatchLayer4ConfigArgs(
ip_protocol="tcp",
ports=[
"80",
"8080",
],
)],
dest_ip_ranges=["11.100.0.1/32"],
))
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const defaultFirewallPolicy = new gcp.compute.FirewallPolicy("defaultFirewallPolicy", {
parent: "organizations/12345",
shortName: "my-policy",
description: "Example Resource",
});
const defaultFirewallPolicyRule = new gcp.compute.FirewallPolicyRule("defaultFirewallPolicyRule", {
firewallPolicy: defaultFirewallPolicy.id,
description: "Example Resource",
priority: 9000,
enableLogging: true,
action: "allow",
direction: "EGRESS",
disabled: false,
match: {
layer4Configs: [{
ipProtocol: "tcp",
ports: [
"80",
"8080",
],
}],
destIpRanges: ["11.100.0.1/32"],
},
});
resources:
defaultFirewallPolicy:
type: gcp:compute:FirewallPolicy
properties:
parent: organizations/12345
shortName: my-policy
description: Example Resource
defaultFirewallPolicyRule:
type: gcp:compute:FirewallPolicyRule
properties:
firewallPolicy: ${defaultFirewallPolicy.id}
description: Example Resource
priority: 9000
enableLogging: true
action: allow
direction: EGRESS
disabled: false
match:
layer4Configs:
- ipProtocol: tcp
ports:
- 80
- 8080
destIpRanges:
- 11.100.0.1/32
Create FirewallPolicyRule Resource
new FirewallPolicyRule(name: string, args: FirewallPolicyRuleArgs, opts?: CustomResourceOptions);
@overload
def FirewallPolicyRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
description: Optional[str] = None,
direction: Optional[str] = None,
disabled: Optional[bool] = None,
enable_logging: Optional[bool] = None,
firewall_policy: Optional[str] = None,
match: Optional[FirewallPolicyRuleMatchArgs] = None,
priority: Optional[int] = None,
target_resources: Optional[Sequence[str]] = None,
target_service_accounts: Optional[Sequence[str]] = None)
@overload
def FirewallPolicyRule(resource_name: str,
args: FirewallPolicyRuleArgs,
opts: Optional[ResourceOptions] = None)
func NewFirewallPolicyRule(ctx *Context, name string, args FirewallPolicyRuleArgs, opts ...ResourceOption) (*FirewallPolicyRule, error)
public FirewallPolicyRule(string name, FirewallPolicyRuleArgs args, CustomResourceOptions? opts = null)
public FirewallPolicyRule(String name, FirewallPolicyRuleArgs args)
public FirewallPolicyRule(String name, FirewallPolicyRuleArgs args, CustomResourceOptions options)
type: gcp:compute:FirewallPolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args FirewallPolicyRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
FirewallPolicyRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The FirewallPolicyRule resource accepts the following input properties:
- Action string
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- Direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Firewall
Policy string The firewall policy of the resource.
- Match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Description string
An optional description for this resource.
- Disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Target
Resources List<string> A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- Target
Service List<string>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- Action string
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- Direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Firewall
Policy string The firewall policy of the resource.
- Match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Description string
An optional description for this resource.
- Disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Target
Resources []string A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- Target
Service []stringAccounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action String
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- direction String
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy String The firewall policy of the resource.
- match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Integer
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description String
An optional description for this resource.
- disabled Boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- target
Resources List<String> A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service List<String>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action string
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy string The firewall policy of the resource.
- match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority number
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description string
An optional description for this resource.
- disabled boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- target
Resources string[] A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service string[]Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action str
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- direction str
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall_
policy str The firewall policy of the resource.
- match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description str
An optional description for this resource.
- disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- target_
resources Sequence[str] A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target_
service_ Sequence[str]accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action String
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- direction String
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy String The firewall policy of the resource.
- match Property Map
A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Number
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description String
An optional description for this resource.
- disabled Boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- target
Resources List<String> A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service List<String>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
Outputs
All input properties are implicitly available as output properties. Additionally, the FirewallPolicyRule resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Kind string
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- Rule
Tuple intCount Calculation of the complexity of a single firewall policy rule.
- Id string
The provider-assigned unique ID for this managed resource.
- Kind string
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- Rule
Tuple intCount Calculation of the complexity of a single firewall policy rule.
- id String
The provider-assigned unique ID for this managed resource.
- kind String
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- rule
Tuple IntegerCount Calculation of the complexity of a single firewall policy rule.
- id string
The provider-assigned unique ID for this managed resource.
- kind string
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- rule
Tuple numberCount Calculation of the complexity of a single firewall policy rule.
- id str
The provider-assigned unique ID for this managed resource.
- kind str
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- rule_
tuple_ intcount Calculation of the complexity of a single firewall policy rule.
- id String
The provider-assigned unique ID for this managed resource.
- kind String
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- rule
Tuple NumberCount Calculation of the complexity of a single firewall policy rule.
Look up Existing FirewallPolicyRule Resource
Get an existing FirewallPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: FirewallPolicyRuleState, opts?: CustomResourceOptions): FirewallPolicyRule
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
description: Optional[str] = None,
direction: Optional[str] = None,
disabled: Optional[bool] = None,
enable_logging: Optional[bool] = None,
firewall_policy: Optional[str] = None,
kind: Optional[str] = None,
match: Optional[FirewallPolicyRuleMatchArgs] = None,
priority: Optional[int] = None,
rule_tuple_count: Optional[int] = None,
target_resources: Optional[Sequence[str]] = None,
target_service_accounts: Optional[Sequence[str]] = None) -> FirewallPolicyRule
func GetFirewallPolicyRule(ctx *Context, name string, id IDInput, state *FirewallPolicyRuleState, opts ...ResourceOption) (*FirewallPolicyRule, error)
public static FirewallPolicyRule Get(string name, Input<string> id, FirewallPolicyRuleState? state, CustomResourceOptions? opts = null)
public static FirewallPolicyRule get(String name, Output<String> id, FirewallPolicyRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- Description string
An optional description for this resource.
- Direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Firewall
Policy string The firewall policy of the resource.
- Kind string
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- Match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Rule
Tuple intCount Calculation of the complexity of a single firewall policy rule.
- Target
Resources List<string> A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- Target
Service List<string>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- Action string
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- Description string
An optional description for this resource.
- Direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Firewall
Policy string The firewall policy of the resource.
- Kind string
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- Match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- Priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Rule
Tuple intCount Calculation of the complexity of a single firewall policy rule.
- Target
Resources []string A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- Target
Service []stringAccounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action String
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- description String
An optional description for this resource.
- direction String
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled Boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy String The firewall policy of the resource.
- kind String
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Integer
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- rule
Tuple IntegerCount Calculation of the complexity of a single firewall policy rule.
- target
Resources List<String> A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service List<String>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action string
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- description string
An optional description for this resource.
- direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy string The firewall policy of the resource.
- kind string
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority number
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- rule
Tuple numberCount Calculation of the complexity of a single firewall policy rule.
- target
Resources string[] A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service string[]Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action str
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- description str
An optional description for this resource.
- direction str
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall_
policy str The firewall policy of the resource.
- kind str
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- match
Firewall
Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- rule_
tuple_ intcount Calculation of the complexity of a single firewall policy rule.
- target_
resources Sequence[str] A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target_
service_ Sequence[str]accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action String
The Action to perform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
- description String
An optional description for this resource.
- direction String
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled Boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy String The firewall policy of the resource.
- kind String
Type of the resource. Always
compute#firewallPolicyRule
for firewall policy rules- match Property Map
A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
- priority Number
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- rule
Tuple NumberCount Calculation of the complexity of a single firewall policy rule.
- target
Resources List<String> A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
- target
Service List<String>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
Supporting Types
FirewallPolicyRuleMatch
- Layer4Configs
List<Firewall
Policy Rule Match Layer4Config> Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- Dest
Address List<string>Groups - Dest
Fqdns List<string> - Dest
Ip List<string>Ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- Dest
Region List<string>Codes - Dest
Threat List<string>Intelligences - Src
Address List<string>Groups - Src
Fqdns List<string> - Src
Ip List<string>Ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
The
layer4_configs
block supports:- Src
Region List<string>Codes - Src
Threat List<string>Intelligences
- Layer4Configs
[]Firewall
Policy Rule Match Layer4Config Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- Dest
Address []stringGroups - Dest
Fqdns []string - Dest
Ip []stringRanges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- Dest
Region []stringCodes - Dest
Threat []stringIntelligences - Src
Address []stringGroups - Src
Fqdns []string - Src
Ip []stringRanges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
The
layer4_configs
block supports:- Src
Region []stringCodes - Src
Threat []stringIntelligences
- layer4Configs
List<Firewall
Policy Rule Match Layer4Config> Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address List<String>Groups - dest
Fqdns List<String> - dest
Ip List<String>Ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- dest
Region List<String>Codes - dest
Threat List<String>Intelligences - src
Address List<String>Groups - src
Fqdns List<String> - src
Ip List<String>Ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
The
layer4_configs
block supports:- src
Region List<String>Codes - src
Threat List<String>Intelligences
- layer4Configs
Firewall
Policy Rule Match Layer4Config[] Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address string[]Groups - dest
Fqdns string[] - dest
Ip string[]Ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- dest
Region string[]Codes - dest
Threat string[]Intelligences - src
Address string[]Groups - src
Fqdns string[] - src
Ip string[]Ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
The
layer4_configs
block supports:- src
Region string[]Codes - src
Threat string[]Intelligences
- layer4_
configs Sequence[FirewallPolicy Rule Match Layer4Config] Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest_
address_ Sequence[str]groups - dest_
fqdns Sequence[str] - dest_
ip_ Sequence[str]ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- dest_
region_ Sequence[str]codes - dest_
threat_ Sequence[str]intelligences - src_
address_ Sequence[str]groups - src_
fqdns Sequence[str] - src_
ip_ Sequence[str]ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
The
layer4_configs
block supports:- src_
region_ Sequence[str]codes - src_
threat_ Sequence[str]intelligences
- layer4Configs List<Property Map>
Pairs of IP protocols and ports that the rule should match. Structure is documented below.
- dest
Address List<String>Groups - dest
Fqdns List<String> - dest
Ip List<String>Ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 256.
- dest
Region List<String>Codes - dest
Threat List<String>Intelligences - src
Address List<String>Groups - src
Fqdns List<String> - src
Ip List<String>Ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 256.
The
layer4_configs
block supports:- src
Region List<String>Codes - src
Threat List<String>Intelligences
FirewallPolicyRuleMatchLayer4Config
- Ip
Protocol string The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp
,udp
,icmp
,esp
,ah
,ipip
,sctp
), or the IP protocol number.- Ports List<string>
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- Ip
Protocol string The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp
,udp
,icmp
,esp
,ah
,ipip
,sctp
), or the IP protocol number.- Ports []string
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol String The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp
,udp
,icmp
,esp
,ah
,ipip
,sctp
), or the IP protocol number.- ports List<String>
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol string The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp
,udp
,icmp
,esp
,ah
,ipip
,sctp
), or the IP protocol number.- ports string[]
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip_
protocol str The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp
,udp
,icmp
,esp
,ah
,ipip
,sctp
), or the IP protocol number.- ports Sequence[str]
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol String The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp
,udp
,icmp
,esp
,ah
,ipip
,sctp
), or the IP protocol number.- ports List<String>
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
Import
FirewallPolicyRule can be imported using any of these accepted formats
$ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}
$ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default {{firewall_policy}}/{{priority}}
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
google-beta
Terraform Provider.