1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. compute
  5. FirewallPolicyRule
Google Cloud Classic v8.10.0 published on Wednesday, Nov 20, 2024 by Pulumi

gcp.compute.FirewallPolicyRule

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.10.0 published on Wednesday, Nov 20, 2024 by Pulumi

    Example Usage

    Firewall Policy Rule

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const basicGlobalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group", {
        name: "address",
        parent: "organizations/123456789",
        description: "Sample global networksecurity_address_group",
        location: "global",
        items: ["208.80.154.224/32"],
        type: "IPV4",
        capacity: 100,
    });
    const folder = new gcp.organizations.Folder("folder", {
        displayName: "folder",
        parent: "organizations/123456789",
        deletionProtection: false,
    });
    const _default = new gcp.compute.FirewallPolicy("default", {
        parent: folder.id,
        shortName: "policy",
        description: "Resource created for Terraform acceptance testing",
    });
    const policyRule = new gcp.compute.FirewallPolicyRule("policy_rule", {
        firewallPolicy: _default.name,
        description: "Resource created for Terraform acceptance testing",
        priority: 9000,
        enableLogging: true,
        action: "allow",
        direction: "EGRESS",
        disabled: false,
        match: {
            layer4Configs: [
                {
                    ipProtocol: "tcp",
                    ports: ["8080"],
                },
                {
                    ipProtocol: "udp",
                    ports: ["22"],
                },
            ],
            destIpRanges: ["11.100.0.1/32"],
            destFqdns: [],
            destRegionCodes: ["US"],
            destThreatIntelligences: ["iplist-known-malicious-ips"],
            srcAddressGroups: [],
            destAddressGroups: [basicGlobalNetworksecurityAddressGroup.id],
        },
        targetServiceAccounts: ["my@service-account.com"],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    basic_global_networksecurity_address_group = gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group",
        name="address",
        parent="organizations/123456789",
        description="Sample global networksecurity_address_group",
        location="global",
        items=["208.80.154.224/32"],
        type="IPV4",
        capacity=100)
    folder = gcp.organizations.Folder("folder",
        display_name="folder",
        parent="organizations/123456789",
        deletion_protection=False)
    default = gcp.compute.FirewallPolicy("default",
        parent=folder.id,
        short_name="policy",
        description="Resource created for Terraform acceptance testing")
    policy_rule = gcp.compute.FirewallPolicyRule("policy_rule",
        firewall_policy=default.name,
        description="Resource created for Terraform acceptance testing",
        priority=9000,
        enable_logging=True,
        action="allow",
        direction="EGRESS",
        disabled=False,
        match={
            "layer4_configs": [
                {
                    "ip_protocol": "tcp",
                    "ports": ["8080"],
                },
                {
                    "ip_protocol": "udp",
                    "ports": ["22"],
                },
            ],
            "dest_ip_ranges": ["11.100.0.1/32"],
            "dest_fqdns": [],
            "dest_region_codes": ["US"],
            "dest_threat_intelligences": ["iplist-known-malicious-ips"],
            "src_address_groups": [],
            "dest_address_groups": [basic_global_networksecurity_address_group.id],
        },
        target_service_accounts=["my@service-account.com"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		basicGlobalNetworksecurityAddressGroup, err := networksecurity.NewAddressGroup(ctx, "basic_global_networksecurity_address_group", &networksecurity.AddressGroupArgs{
    			Name:        pulumi.String("address"),
    			Parent:      pulumi.String("organizations/123456789"),
    			Description: pulumi.String("Sample global networksecurity_address_group"),
    			Location:    pulumi.String("global"),
    			Items: pulumi.StringArray{
    				pulumi.String("208.80.154.224/32"),
    			},
    			Type:     pulumi.String("IPV4"),
    			Capacity: pulumi.Int(100),
    		})
    		if err != nil {
    			return err
    		}
    		folder, err := organizations.NewFolder(ctx, "folder", &organizations.FolderArgs{
    			DisplayName:        pulumi.String("folder"),
    			Parent:             pulumi.String("organizations/123456789"),
    			DeletionProtection: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = compute.NewFirewallPolicy(ctx, "default", &compute.FirewallPolicyArgs{
    			Parent:      folder.ID(),
    			ShortName:   pulumi.String("policy"),
    			Description: pulumi.String("Resource created for Terraform acceptance testing"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = compute.NewFirewallPolicyRule(ctx, "policy_rule", &compute.FirewallPolicyRuleArgs{
    			FirewallPolicy: _default.Name,
    			Description:    pulumi.String("Resource created for Terraform acceptance testing"),
    			Priority:       pulumi.Int(9000),
    			EnableLogging:  pulumi.Bool(true),
    			Action:         pulumi.String("allow"),
    			Direction:      pulumi.String("EGRESS"),
    			Disabled:       pulumi.Bool(false),
    			Match: &compute.FirewallPolicyRuleMatchArgs{
    				Layer4Configs: compute.FirewallPolicyRuleMatchLayer4ConfigArray{
    					&compute.FirewallPolicyRuleMatchLayer4ConfigArgs{
    						IpProtocol: pulumi.String("tcp"),
    						Ports: pulumi.StringArray{
    							pulumi.String("8080"),
    						},
    					},
    					&compute.FirewallPolicyRuleMatchLayer4ConfigArgs{
    						IpProtocol: pulumi.String("udp"),
    						Ports: pulumi.StringArray{
    							pulumi.String("22"),
    						},
    					},
    				},
    				DestIpRanges: pulumi.StringArray{
    					pulumi.String("11.100.0.1/32"),
    				},
    				DestFqdns: pulumi.StringArray{},
    				DestRegionCodes: pulumi.StringArray{
    					pulumi.String("US"),
    				},
    				DestThreatIntelligences: pulumi.StringArray{
    					pulumi.String("iplist-known-malicious-ips"),
    				},
    				SrcAddressGroups: pulumi.StringArray{},
    				DestAddressGroups: pulumi.StringArray{
    					basicGlobalNetworksecurityAddressGroup.ID(),
    				},
    			},
    			TargetServiceAccounts: pulumi.StringArray{
    				pulumi.String("my@service-account.com"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var basicGlobalNetworksecurityAddressGroup = new Gcp.NetworkSecurity.AddressGroup("basic_global_networksecurity_address_group", new()
        {
            Name = "address",
            Parent = "organizations/123456789",
            Description = "Sample global networksecurity_address_group",
            Location = "global",
            Items = new[]
            {
                "208.80.154.224/32",
            },
            Type = "IPV4",
            Capacity = 100,
        });
    
        var folder = new Gcp.Organizations.Folder("folder", new()
        {
            DisplayName = "folder",
            Parent = "organizations/123456789",
            DeletionProtection = false,
        });
    
        var @default = new Gcp.Compute.FirewallPolicy("default", new()
        {
            Parent = folder.Id,
            ShortName = "policy",
            Description = "Resource created for Terraform acceptance testing",
        });
    
        var policyRule = new Gcp.Compute.FirewallPolicyRule("policy_rule", new()
        {
            FirewallPolicy = @default.Name,
            Description = "Resource created for Terraform acceptance testing",
            Priority = 9000,
            EnableLogging = true,
            Action = "allow",
            Direction = "EGRESS",
            Disabled = false,
            Match = new Gcp.Compute.Inputs.FirewallPolicyRuleMatchArgs
            {
                Layer4Configs = new[]
                {
                    new Gcp.Compute.Inputs.FirewallPolicyRuleMatchLayer4ConfigArgs
                    {
                        IpProtocol = "tcp",
                        Ports = new[]
                        {
                            "8080",
                        },
                    },
                    new Gcp.Compute.Inputs.FirewallPolicyRuleMatchLayer4ConfigArgs
                    {
                        IpProtocol = "udp",
                        Ports = new[]
                        {
                            "22",
                        },
                    },
                },
                DestIpRanges = new[]
                {
                    "11.100.0.1/32",
                },
                DestFqdns = new() { },
                DestRegionCodes = new[]
                {
                    "US",
                },
                DestThreatIntelligences = new[]
                {
                    "iplist-known-malicious-ips",
                },
                SrcAddressGroups = new() { },
                DestAddressGroups = new[]
                {
                    basicGlobalNetworksecurityAddressGroup.Id,
                },
            },
            TargetServiceAccounts = new[]
            {
                "my@service-account.com",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.networksecurity.AddressGroup;
    import com.pulumi.gcp.networksecurity.AddressGroupArgs;
    import com.pulumi.gcp.organizations.Folder;
    import com.pulumi.gcp.organizations.FolderArgs;
    import com.pulumi.gcp.compute.FirewallPolicy;
    import com.pulumi.gcp.compute.FirewallPolicyArgs;
    import com.pulumi.gcp.compute.FirewallPolicyRule;
    import com.pulumi.gcp.compute.FirewallPolicyRuleArgs;
    import com.pulumi.gcp.compute.inputs.FirewallPolicyRuleMatchArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var basicGlobalNetworksecurityAddressGroup = new AddressGroup("basicGlobalNetworksecurityAddressGroup", AddressGroupArgs.builder()
                .name("address")
                .parent("organizations/123456789")
                .description("Sample global networksecurity_address_group")
                .location("global")
                .items("208.80.154.224/32")
                .type("IPV4")
                .capacity(100)
                .build());
    
            var folder = new Folder("folder", FolderArgs.builder()
                .displayName("folder")
                .parent("organizations/123456789")
                .deletionProtection(false)
                .build());
    
            var default_ = new FirewallPolicy("default", FirewallPolicyArgs.builder()
                .parent(folder.id())
                .shortName("policy")
                .description("Resource created for Terraform acceptance testing")
                .build());
    
            var policyRule = new FirewallPolicyRule("policyRule", FirewallPolicyRuleArgs.builder()
                .firewallPolicy(default_.name())
                .description("Resource created for Terraform acceptance testing")
                .priority(9000)
                .enableLogging(true)
                .action("allow")
                .direction("EGRESS")
                .disabled(false)
                .match(FirewallPolicyRuleMatchArgs.builder()
                    .layer4Configs(                
                        FirewallPolicyRuleMatchLayer4ConfigArgs.builder()
                            .ipProtocol("tcp")
                            .ports(8080)
                            .build(),
                        FirewallPolicyRuleMatchLayer4ConfigArgs.builder()
                            .ipProtocol("udp")
                            .ports(22)
                            .build())
                    .destIpRanges("11.100.0.1/32")
                    .destFqdns()
                    .destRegionCodes("US")
                    .destThreatIntelligences("iplist-known-malicious-ips")
                    .srcAddressGroups()
                    .destAddressGroups(basicGlobalNetworksecurityAddressGroup.id())
                    .build())
                .targetServiceAccounts("my@service-account.com")
                .build());
    
        }
    }
    
    resources:
      basicGlobalNetworksecurityAddressGroup:
        type: gcp:networksecurity:AddressGroup
        name: basic_global_networksecurity_address_group
        properties:
          name: address
          parent: organizations/123456789
          description: Sample global networksecurity_address_group
          location: global
          items:
            - 208.80.154.224/32
          type: IPV4
          capacity: 100
      folder:
        type: gcp:organizations:Folder
        properties:
          displayName: folder
          parent: organizations/123456789
          deletionProtection: false
      default:
        type: gcp:compute:FirewallPolicy
        properties:
          parent: ${folder.id}
          shortName: policy
          description: Resource created for Terraform acceptance testing
      policyRule:
        type: gcp:compute:FirewallPolicyRule
        name: policy_rule
        properties:
          firewallPolicy: ${default.name}
          description: Resource created for Terraform acceptance testing
          priority: 9000
          enableLogging: true
          action: allow
          direction: EGRESS
          disabled: false
          match:
            layer4Configs:
              - ipProtocol: tcp
                ports:
                  - 8080
              - ipProtocol: udp
                ports:
                  - 22
            destIpRanges:
              - 11.100.0.1/32
            destFqdns: []
            destRegionCodes:
              - US
            destThreatIntelligences:
              - iplist-known-malicious-ips
            srcAddressGroups: []
            destAddressGroups:
              - ${basicGlobalNetworksecurityAddressGroup.id}
          targetServiceAccounts:
            - my@service-account.com
    

    Create FirewallPolicyRule Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new FirewallPolicyRule(name: string, args: FirewallPolicyRuleArgs, opts?: CustomResourceOptions);
    @overload
    def FirewallPolicyRule(resource_name: str,
                           args: FirewallPolicyRuleArgs,
                           opts: Optional[ResourceOptions] = None)
    
    @overload
    def FirewallPolicyRule(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           action: Optional[str] = None,
                           direction: Optional[str] = None,
                           firewall_policy: Optional[str] = None,
                           match: Optional[FirewallPolicyRuleMatchArgs] = None,
                           priority: Optional[int] = None,
                           description: Optional[str] = None,
                           disabled: Optional[bool] = None,
                           enable_logging: Optional[bool] = None,
                           security_profile_group: Optional[str] = None,
                           target_resources: Optional[Sequence[str]] = None,
                           target_service_accounts: Optional[Sequence[str]] = None,
                           tls_inspect: Optional[bool] = None)
    func NewFirewallPolicyRule(ctx *Context, name string, args FirewallPolicyRuleArgs, opts ...ResourceOption) (*FirewallPolicyRule, error)
    public FirewallPolicyRule(string name, FirewallPolicyRuleArgs args, CustomResourceOptions? opts = null)
    public FirewallPolicyRule(String name, FirewallPolicyRuleArgs args)
    public FirewallPolicyRule(String name, FirewallPolicyRuleArgs args, CustomResourceOptions options)
    
    type: gcp:compute:FirewallPolicyRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args FirewallPolicyRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args FirewallPolicyRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args FirewallPolicyRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args FirewallPolicyRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args FirewallPolicyRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var firewallPolicyRuleResource = new Gcp.Compute.FirewallPolicyRule("firewallPolicyRuleResource", new()
    {
        Action = "string",
        Direction = "string",
        FirewallPolicy = "string",
        Match = new Gcp.Compute.Inputs.FirewallPolicyRuleMatchArgs
        {
            Layer4Configs = new[]
            {
                new Gcp.Compute.Inputs.FirewallPolicyRuleMatchLayer4ConfigArgs
                {
                    IpProtocol = "string",
                    Ports = new[]
                    {
                        "string",
                    },
                },
            },
            DestAddressGroups = new[]
            {
                "string",
            },
            DestFqdns = new[]
            {
                "string",
            },
            DestIpRanges = new[]
            {
                "string",
            },
            DestRegionCodes = new[]
            {
                "string",
            },
            DestThreatIntelligences = new[]
            {
                "string",
            },
            SrcAddressGroups = new[]
            {
                "string",
            },
            SrcFqdns = new[]
            {
                "string",
            },
            SrcIpRanges = new[]
            {
                "string",
            },
            SrcRegionCodes = new[]
            {
                "string",
            },
            SrcThreatIntelligences = new[]
            {
                "string",
            },
        },
        Priority = 0,
        Description = "string",
        Disabled = false,
        EnableLogging = false,
        SecurityProfileGroup = "string",
        TargetResources = new[]
        {
            "string",
        },
        TargetServiceAccounts = new[]
        {
            "string",
        },
        TlsInspect = false,
    });
    
    example, err := compute.NewFirewallPolicyRule(ctx, "firewallPolicyRuleResource", &compute.FirewallPolicyRuleArgs{
    	Action:         pulumi.String("string"),
    	Direction:      pulumi.String("string"),
    	FirewallPolicy: pulumi.String("string"),
    	Match: &compute.FirewallPolicyRuleMatchArgs{
    		Layer4Configs: compute.FirewallPolicyRuleMatchLayer4ConfigArray{
    			&compute.FirewallPolicyRuleMatchLayer4ConfigArgs{
    				IpProtocol: pulumi.String("string"),
    				Ports: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    		DestAddressGroups: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		DestFqdns: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		DestIpRanges: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		DestRegionCodes: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		DestThreatIntelligences: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcAddressGroups: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcFqdns: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcIpRanges: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcRegionCodes: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcThreatIntelligences: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	Priority:             pulumi.Int(0),
    	Description:          pulumi.String("string"),
    	Disabled:             pulumi.Bool(false),
    	EnableLogging:        pulumi.Bool(false),
    	SecurityProfileGroup: pulumi.String("string"),
    	TargetResources: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TargetServiceAccounts: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TlsInspect: pulumi.Bool(false),
    })
    
    var firewallPolicyRuleResource = new FirewallPolicyRule("firewallPolicyRuleResource", FirewallPolicyRuleArgs.builder()
        .action("string")
        .direction("string")
        .firewallPolicy("string")
        .match(FirewallPolicyRuleMatchArgs.builder()
            .layer4Configs(FirewallPolicyRuleMatchLayer4ConfigArgs.builder()
                .ipProtocol("string")
                .ports("string")
                .build())
            .destAddressGroups("string")
            .destFqdns("string")
            .destIpRanges("string")
            .destRegionCodes("string")
            .destThreatIntelligences("string")
            .srcAddressGroups("string")
            .srcFqdns("string")
            .srcIpRanges("string")
            .srcRegionCodes("string")
            .srcThreatIntelligences("string")
            .build())
        .priority(0)
        .description("string")
        .disabled(false)
        .enableLogging(false)
        .securityProfileGroup("string")
        .targetResources("string")
        .targetServiceAccounts("string")
        .tlsInspect(false)
        .build());
    
    firewall_policy_rule_resource = gcp.compute.FirewallPolicyRule("firewallPolicyRuleResource",
        action="string",
        direction="string",
        firewall_policy="string",
        match={
            "layer4_configs": [{
                "ip_protocol": "string",
                "ports": ["string"],
            }],
            "dest_address_groups": ["string"],
            "dest_fqdns": ["string"],
            "dest_ip_ranges": ["string"],
            "dest_region_codes": ["string"],
            "dest_threat_intelligences": ["string"],
            "src_address_groups": ["string"],
            "src_fqdns": ["string"],
            "src_ip_ranges": ["string"],
            "src_region_codes": ["string"],
            "src_threat_intelligences": ["string"],
        },
        priority=0,
        description="string",
        disabled=False,
        enable_logging=False,
        security_profile_group="string",
        target_resources=["string"],
        target_service_accounts=["string"],
        tls_inspect=False)
    
    const firewallPolicyRuleResource = new gcp.compute.FirewallPolicyRule("firewallPolicyRuleResource", {
        action: "string",
        direction: "string",
        firewallPolicy: "string",
        match: {
            layer4Configs: [{
                ipProtocol: "string",
                ports: ["string"],
            }],
            destAddressGroups: ["string"],
            destFqdns: ["string"],
            destIpRanges: ["string"],
            destRegionCodes: ["string"],
            destThreatIntelligences: ["string"],
            srcAddressGroups: ["string"],
            srcFqdns: ["string"],
            srcIpRanges: ["string"],
            srcRegionCodes: ["string"],
            srcThreatIntelligences: ["string"],
        },
        priority: 0,
        description: "string",
        disabled: false,
        enableLogging: false,
        securityProfileGroup: "string",
        targetResources: ["string"],
        targetServiceAccounts: ["string"],
        tlsInspect: false,
    });
    
    type: gcp:compute:FirewallPolicyRule
    properties:
        action: string
        description: string
        direction: string
        disabled: false
        enableLogging: false
        firewallPolicy: string
        match:
            destAddressGroups:
                - string
            destFqdns:
                - string
            destIpRanges:
                - string
            destRegionCodes:
                - string
            destThreatIntelligences:
                - string
            layer4Configs:
                - ipProtocol: string
                  ports:
                    - string
            srcAddressGroups:
                - string
            srcFqdns:
                - string
            srcIpRanges:
                - string
            srcRegionCodes:
                - string
            srcThreatIntelligences:
                - string
        priority: 0
        securityProfileGroup: string
        targetResources:
            - string
        targetServiceAccounts:
            - string
        tlsInspect: false
    

    FirewallPolicyRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The FirewallPolicyRule resource accepts the following input properties:

    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    Direction string
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    FirewallPolicy string
    The firewall policy of the resource.
    Match FirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    Description string
    An optional description for this resource.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    TargetResources List<string>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    TargetServiceAccounts List<string>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    Direction string
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    FirewallPolicy string
    The firewall policy of the resource.
    Match FirewallPolicyRuleMatchArgs
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    Description string
    An optional description for this resource.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    TargetResources []string
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    TargetServiceAccounts []string
    A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    direction String
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    firewallPolicy String
    The firewall policy of the resource.
    match FirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority Integer
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    description String
    An optional description for this resource.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetResources List<String>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    direction string
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    firewallPolicy string
    The firewall policy of the resource.
    match FirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    description string
    An optional description for this resource.
    disabled boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    securityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetResources string[]
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetServiceAccounts string[]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect boolean
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action str
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    direction str
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    firewall_policy str
    The firewall policy of the resource.
    match FirewallPolicyRuleMatchArgs
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    description str
    An optional description for this resource.
    disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enable_logging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    security_profile_group str
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    target_resources Sequence[str]
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    target_service_accounts Sequence[str]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tls_inspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    direction String
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    firewallPolicy String
    The firewall policy of the resource.
    match Property Map
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority Number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    description String
    An optional description for this resource.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetResources List<String>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the FirewallPolicyRule resource produces the following output properties:

    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Id string
    The provider-assigned unique ID for this managed resource.
    Kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Id string
    The provider-assigned unique ID for this managed resource.
    Kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    id String
    The provider-assigned unique ID for this managed resource.
    kind String
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    ruleTupleCount Integer
    Calculation of the complexity of a single firewall policy rule.
    creationTimestamp string
    Creation timestamp in RFC3339 text format.
    id string
    The provider-assigned unique ID for this managed resource.
    kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    ruleTupleCount number
    Calculation of the complexity of a single firewall policy rule.
    creation_timestamp str
    Creation timestamp in RFC3339 text format.
    id str
    The provider-assigned unique ID for this managed resource.
    kind str
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    rule_tuple_count int
    Calculation of the complexity of a single firewall policy rule.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    id String
    The provider-assigned unique ID for this managed resource.
    kind String
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    ruleTupleCount Number
    Calculation of the complexity of a single firewall policy rule.

    Look up Existing FirewallPolicyRule Resource

    Get an existing FirewallPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: FirewallPolicyRuleState, opts?: CustomResourceOptions): FirewallPolicyRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            action: Optional[str] = None,
            creation_timestamp: Optional[str] = None,
            description: Optional[str] = None,
            direction: Optional[str] = None,
            disabled: Optional[bool] = None,
            enable_logging: Optional[bool] = None,
            firewall_policy: Optional[str] = None,
            kind: Optional[str] = None,
            match: Optional[FirewallPolicyRuleMatchArgs] = None,
            priority: Optional[int] = None,
            rule_tuple_count: Optional[int] = None,
            security_profile_group: Optional[str] = None,
            target_resources: Optional[Sequence[str]] = None,
            target_service_accounts: Optional[Sequence[str]] = None,
            tls_inspect: Optional[bool] = None) -> FirewallPolicyRule
    func GetFirewallPolicyRule(ctx *Context, name string, id IDInput, state *FirewallPolicyRuleState, opts ...ResourceOption) (*FirewallPolicyRule, error)
    public static FirewallPolicyRule Get(string name, Input<string> id, FirewallPolicyRuleState? state, CustomResourceOptions? opts = null)
    public static FirewallPolicyRule get(String name, Output<String> id, FirewallPolicyRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Description string
    An optional description for this resource.
    Direction string
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    FirewallPolicy string
    The firewall policy of the resource.
    Kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    Match FirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    TargetResources List<string>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    TargetServiceAccounts List<string>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Description string
    An optional description for this resource.
    Direction string
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    FirewallPolicy string
    The firewall policy of the resource.
    Kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    Match FirewallPolicyRuleMatchArgs
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    TargetResources []string
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    TargetServiceAccounts []string
    A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    description String
    An optional description for this resource.
    direction String
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    firewallPolicy String
    The firewall policy of the resource.
    kind String
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match FirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority Integer
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleTupleCount Integer
    Calculation of the complexity of a single firewall policy rule.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetResources List<String>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    creationTimestamp string
    Creation timestamp in RFC3339 text format.
    description string
    An optional description for this resource.
    direction string
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    disabled boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    firewallPolicy string
    The firewall policy of the resource.
    kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match FirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleTupleCount number
    Calculation of the complexity of a single firewall policy rule.
    securityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetResources string[]
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetServiceAccounts string[]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect boolean
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action str
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    creation_timestamp str
    Creation timestamp in RFC3339 text format.
    description str
    An optional description for this resource.
    direction str
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enable_logging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    firewall_policy str
    The firewall policy of the resource.
    kind str
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match FirewallPolicyRuleMatchArgs
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    rule_tuple_count int
    Calculation of the complexity of a single firewall policy rule.
    security_profile_group str
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    target_resources Sequence[str]
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    target_service_accounts Sequence[str]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tls_inspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    description String
    An optional description for this resource.
    direction String
    The direction in which this rule applies. Possible values are: INGRESS, EGRESS.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    firewallPolicy String
    The firewall policy of the resource.
    kind String
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match Property Map
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority Number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleTupleCount Number
    Calculation of the complexity of a single firewall policy rule.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetResources List<String>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.

    Supporting Types

    FirewallPolicyRuleMatch, FirewallPolicyRuleMatchArgs

    Layer4Configs List<FirewallPolicyRuleMatchLayer4Config>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    DestAddressGroups List<string>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges List<string>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    DestRegionCodes List<string>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    DestThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    SrcAddressGroups List<string>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges List<string>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    SrcRegionCodes List<string>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    SrcThreatIntelligences List<string>

    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    The layer4_configs block supports:

    Layer4Configs []FirewallPolicyRuleMatchLayer4Config
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    DestAddressGroups []string
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges []string
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    DestRegionCodes []string
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    DestThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    SrcAddressGroups []string
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges []string
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    SrcRegionCodes []string
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    SrcThreatIntelligences []string

    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    The layer4_configs block supports:

    layer4Configs List<FirewallPolicyRuleMatchLayer4Config>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcThreatIntelligences List<String>

    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    The layer4_configs block supports:

    layer4Configs FirewallPolicyRuleMatchLayer4Config[]
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    destAddressGroups string[]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges string[]
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes string[]
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    srcAddressGroups string[]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges string[]
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes string[]
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcThreatIntelligences string[]

    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    The layer4_configs block supports:

    layer4_configs Sequence[FirewallPolicyRuleMatchLayer4Config]
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    dest_address_groups Sequence[str]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    dest_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    dest_ip_ranges Sequence[str]
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    dest_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    dest_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    src_address_groups Sequence[str]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    src_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    src_ip_ranges Sequence[str]
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    src_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    src_threat_intelligences Sequence[str]

    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    The layer4_configs block supports:

    layer4Configs List<Property Map>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcThreatIntelligences List<String>

    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    The layer4_configs block supports:

    FirewallPolicyRuleMatchLayer4Config, FirewallPolicyRuleMatchLayer4ConfigArgs

    IpProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports List<string>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    IpProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports []string
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports string[]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ip_protocol str
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports Sequence[str]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

    Import

    FirewallPolicyRule can be imported using any of these accepted formats:

    • locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}

    • {{firewall_policy}}/{{priority}}

    When using the pulumi import command, FirewallPolicyRule can be imported using one of the formats above. For example:

    $ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}
    
    $ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default {{firewall_policy}}/{{priority}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.10.0 published on Wednesday, Nov 20, 2024 by Pulumi