Google Cloud Classic v7.2.2, Jan 1 01

Google Cloud Classic v7.2.2 published on Monday, Jan 1, 0001 by Pulumi

gcp.compute.NetworkFirewallPolicyRule

Explore with Pulumi AI

Google Cloud Classic v7.2.2 published on Monday, Jan 1, 0001 by Pulumi

pulumi/pulumi-gcp

Example Usage

Global

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var basicGlobalNetworksecurityAddressGroup = new Gcp.NetworkSecurity.AddressGroup("basicGlobalNetworksecurityAddressGroup", new()
    {
        Parent = "projects/my-project-name",
        Description = "Sample global networksecurity_address_group",
        Location = "global",
        Items = new[]
        {
            "208.80.154.224/32",
        },
        Type = "IPV4",
        Capacity = 100,
    });

    var basicNetworkFirewallPolicy = new Gcp.Compute.NetworkFirewallPolicy("basicNetworkFirewallPolicy", new()
    {
        Description = "Sample global network firewall policy",
        Project = "my-project-name",
    });

    var basicNetwork = new Gcp.Compute.Network("basicNetwork");

    var basicKey = new Gcp.Tags.TagKey("basicKey", new()
    {
        Description = "For keyname resources.",
        Parent = "organizations/123456789",
        Purpose = "GCE_FIREWALL",
        ShortName = "tagkey",
        PurposeData = 
        {
            { "network", basicNetwork.Name.Apply(name => $"my-project-name/{name}") },
        },
    });

    var basicValue = new Gcp.Tags.TagValue("basicValue", new()
    {
        Description = "For valuename resources.",
        Parent = basicKey.Name.Apply(name => $"tagKeys/{name}"),
        ShortName = "tagvalue",
    });

    var primary = new Gcp.Compute.NetworkFirewallPolicyRule("primary", new()
    {
        Action = "allow",
        Description = "This is a simple rule description",
        Direction = "INGRESS",
        Disabled = false,
        EnableLogging = true,
        FirewallPolicy = basicNetworkFirewallPolicy.Name,
        Priority = 1000,
        RuleName = "test-rule",
        TargetServiceAccounts = new[]
        {
            "my@service-account.com",
        },
        Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchArgs
        {
            SrcIpRanges = new[]
            {
                "10.100.0.1/32",
            },
            SrcFqdns = new[]
            {
                "google.com",
            },
            SrcRegionCodes = new[]
            {
                "US",
            },
            SrcThreatIntelligences = new[]
            {
                "iplist-known-malicious-ips",
            },
            SrcSecureTags = new[]
            {
                new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs
                {
                    Name = basicValue.Name.Apply(name => $"tagValues/{name}"),
                },
            },
            Layer4Configs = new[]
            {
                new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs
                {
                    IpProtocol = "all",
                },
            },
            SrcAddressGroups = new[]
            {
                basicGlobalNetworksecurityAddressGroup.Id,
            },
        },
    });

});

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/networksecurity"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/tags"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		basicGlobalNetworksecurityAddressGroup, err := networksecurity.NewAddressGroup(ctx, "basicGlobalNetworksecurityAddressGroup", &networksecurity.AddressGroupArgs{
			Parent:      pulumi.String("projects/my-project-name"),
			Description: pulumi.String("Sample global networksecurity_address_group"),
			Location:    pulumi.String("global"),
			Items: pulumi.StringArray{
				pulumi.String("208.80.154.224/32"),
			},
			Type:     pulumi.String("IPV4"),
			Capacity: pulumi.Int(100),
		})
		if err != nil {
			return err
		}
		basicNetworkFirewallPolicy, err := compute.NewNetworkFirewallPolicy(ctx, "basicNetworkFirewallPolicy", &compute.NetworkFirewallPolicyArgs{
			Description: pulumi.String("Sample global network firewall policy"),
			Project:     pulumi.String("my-project-name"),
		})
		if err != nil {
			return err
		}
		basicNetwork, err := compute.NewNetwork(ctx, "basicNetwork", nil)
		if err != nil {
			return err
		}
		basicKey, err := tags.NewTagKey(ctx, "basicKey", &tags.TagKeyArgs{
			Description: pulumi.String("For keyname resources."),
			Parent:      pulumi.String("organizations/123456789"),
			Purpose:     pulumi.String("GCE_FIREWALL"),
			ShortName:   pulumi.String("tagkey"),
			PurposeData: pulumi.StringMap{
				"network": basicNetwork.Name.ApplyT(func(name string) (string, error) {
					return fmt.Sprintf("my-project-name/%v", name), nil
				}).(pulumi.StringOutput),
			},
		})
		if err != nil {
			return err
		}
		basicValue, err := tags.NewTagValue(ctx, "basicValue", &tags.TagValueArgs{
			Description: pulumi.String("For valuename resources."),
			Parent: basicKey.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("tagKeys/%v", name), nil
			}).(pulumi.StringOutput),
			ShortName: pulumi.String("tagvalue"),
		})
		if err != nil {
			return err
		}
		_, err = compute.NewNetworkFirewallPolicyRule(ctx, "primary", &compute.NetworkFirewallPolicyRuleArgs{
			Action:         pulumi.String("allow"),
			Description:    pulumi.String("This is a simple rule description"),
			Direction:      pulumi.String("INGRESS"),
			Disabled:       pulumi.Bool(false),
			EnableLogging:  pulumi.Bool(true),
			FirewallPolicy: basicNetworkFirewallPolicy.Name,
			Priority:       pulumi.Int(1000),
			RuleName:       pulumi.String("test-rule"),
			TargetServiceAccounts: pulumi.StringArray{
				pulumi.String("my@service-account.com"),
			},
			Match: &compute.NetworkFirewallPolicyRuleMatchArgs{
				SrcIpRanges: pulumi.StringArray{
					pulumi.String("10.100.0.1/32"),
				},
				SrcFqdns: pulumi.StringArray{
					pulumi.String("google.com"),
				},
				SrcRegionCodes: pulumi.StringArray{
					pulumi.String("US"),
				},
				SrcThreatIntelligences: pulumi.StringArray{
					pulumi.String("iplist-known-malicious-ips"),
				},
				SrcSecureTags: compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArray{
					&compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs{
						Name: basicValue.Name.ApplyT(func(name string) (string, error) {
							return fmt.Sprintf("tagValues/%v", name), nil
						}).(pulumi.StringOutput),
					},
				},
				Layer4Configs: compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArray{
					&compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
						IpProtocol: pulumi.String("all"),
					},
				},
				SrcAddressGroups: pulumi.StringArray{
					basicGlobalNetworksecurityAddressGroup.ID(),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicy;
import com.pulumi.gcp.compute.NetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.tags.TagKey;
import com.pulumi.gcp.tags.TagKeyArgs;
import com.pulumi.gcp.tags.TagValue;
import com.pulumi.gcp.tags.TagValueArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var basicGlobalNetworksecurityAddressGroup = new AddressGroup("basicGlobalNetworksecurityAddressGroup", AddressGroupArgs.builder()        
            .parent("projects/my-project-name")
            .description("Sample global networksecurity_address_group")
            .location("global")
            .items("208.80.154.224/32")
            .type("IPV4")
            .capacity(100)
            .build());

        var basicNetworkFirewallPolicy = new NetworkFirewallPolicy("basicNetworkFirewallPolicy", NetworkFirewallPolicyArgs.builder()        
            .description("Sample global network firewall policy")
            .project("my-project-name")
            .build());

        var basicNetwork = new Network("basicNetwork");

        var basicKey = new TagKey("basicKey", TagKeyArgs.builder()        
            .description("For keyname resources.")
            .parent("organizations/123456789")
            .purpose("GCE_FIREWALL")
            .shortName("tagkey")
            .purposeData(Map.of("network", basicNetwork.name().applyValue(name -> String.format("my-project-name/%s", name))))
            .build());

        var basicValue = new TagValue("basicValue", TagValueArgs.builder()        
            .description("For valuename resources.")
            .parent(basicKey.name().applyValue(name -> String.format("tagKeys/%s", name)))
            .shortName("tagvalue")
            .build());

        var primary = new NetworkFirewallPolicyRule("primary", NetworkFirewallPolicyRuleArgs.builder()        
            .action("allow")
            .description("This is a simple rule description")
            .direction("INGRESS")
            .disabled(false)
            .enableLogging(true)
            .firewallPolicy(basicNetworkFirewallPolicy.name())
            .priority(1000)
            .ruleName("test-rule")
            .targetServiceAccounts("my@service-account.com")
            .match(NetworkFirewallPolicyRuleMatchArgs.builder()
                .srcIpRanges("10.100.0.1/32")
                .srcFqdns("google.com")
                .srcRegionCodes("US")
                .srcThreatIntelligences("iplist-known-malicious-ips")
                .srcSecureTags(NetworkFirewallPolicyRuleMatchSrcSecureTagArgs.builder()
                    .name(basicValue.name().applyValue(name -> String.format("tagValues/%s", name)))
                    .build())
                .layer4Configs(NetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
                    .ipProtocol("all")
                    .build())
                .srcAddressGroups(basicGlobalNetworksecurityAddressGroup.id())
                .build())
            .build());

    }
}

import pulumi
import pulumi_gcp as gcp

basic_global_networksecurity_address_group = gcp.networksecurity.AddressGroup("basicGlobalNetworksecurityAddressGroup",
    parent="projects/my-project-name",
    description="Sample global networksecurity_address_group",
    location="global",
    items=["208.80.154.224/32"],
    type="IPV4",
    capacity=100)
basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basicNetworkFirewallPolicy",
    description="Sample global network firewall policy",
    project="my-project-name")
basic_network = gcp.compute.Network("basicNetwork")
basic_key = gcp.tags.TagKey("basicKey",
    description="For keyname resources.",
    parent="organizations/123456789",
    purpose="GCE_FIREWALL",
    short_name="tagkey",
    purpose_data={
        "network": basic_network.name.apply(lambda name: f"my-project-name/{name}"),
    })
basic_value = gcp.tags.TagValue("basicValue",
    description="For valuename resources.",
    parent=basic_key.name.apply(lambda name: f"tagKeys/{name}"),
    short_name="tagvalue")
primary = gcp.compute.NetworkFirewallPolicyRule("primary",
    action="allow",
    description="This is a simple rule description",
    direction="INGRESS",
    disabled=False,
    enable_logging=True,
    firewall_policy=basic_network_firewall_policy.name,
    priority=1000,
    rule_name="test-rule",
    target_service_accounts=["my@service-account.com"],
    match=gcp.compute.NetworkFirewallPolicyRuleMatchArgs(
        src_ip_ranges=["10.100.0.1/32"],
        src_fqdns=["google.com"],
        src_region_codes=["US"],
        src_threat_intelligences=["iplist-known-malicious-ips"],
        src_secure_tags=[gcp.compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs(
            name=basic_value.name.apply(lambda name: f"tagValues/{name}"),
        )],
        layer4_configs=[gcp.compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs(
            ip_protocol="all",
        )],
        src_address_groups=[basic_global_networksecurity_address_group.id],
    ))

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const basicGlobalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basicGlobalNetworksecurityAddressGroup", {
    parent: "projects/my-project-name",
    description: "Sample global networksecurity_address_group",
    location: "global",
    items: ["208.80.154.224/32"],
    type: "IPV4",
    capacity: 100,
});
const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basicNetworkFirewallPolicy", {
    description: "Sample global network firewall policy",
    project: "my-project-name",
});
const basicNetwork = new gcp.compute.Network("basicNetwork", {});
const basicKey = new gcp.tags.TagKey("basicKey", {
    description: "For keyname resources.",
    parent: "organizations/123456789",
    purpose: "GCE_FIREWALL",
    shortName: "tagkey",
    purposeData: {
        network: pulumi.interpolate`my-project-name/${basicNetwork.name}`,
    },
});
const basicValue = new gcp.tags.TagValue("basicValue", {
    description: "For valuename resources.",
    parent: pulumi.interpolate`tagKeys/${basicKey.name}`,
    shortName: "tagvalue",
});
const primary = new gcp.compute.NetworkFirewallPolicyRule("primary", {
    action: "allow",
    description: "This is a simple rule description",
    direction: "INGRESS",
    disabled: false,
    enableLogging: true,
    firewallPolicy: basicNetworkFirewallPolicy.name,
    priority: 1000,
    ruleName: "test-rule",
    targetServiceAccounts: ["my@service-account.com"],
    match: {
        srcIpRanges: ["10.100.0.1/32"],
        srcFqdns: ["google.com"],
        srcRegionCodes: ["US"],
        srcThreatIntelligences: ["iplist-known-malicious-ips"],
        srcSecureTags: [{
            name: pulumi.interpolate`tagValues/${basicValue.name}`,
        }],
        layer4Configs: [{
            ipProtocol: "all",
        }],
        srcAddressGroups: [basicGlobalNetworksecurityAddressGroup.id],
    },
});

resources:
  basicGlobalNetworksecurityAddressGroup:
    type: gcp:networksecurity:AddressGroup
    properties:
      parent: projects/my-project-name
      description: Sample global networksecurity_address_group
      location: global
      items:
        - 208.80.154.224/32
      type: IPV4
      capacity: 100
  basicNetworkFirewallPolicy:
    type: gcp:compute:NetworkFirewallPolicy
    properties:
      description: Sample global network firewall policy
      project: my-project-name
  primary:
    type: gcp:compute:NetworkFirewallPolicyRule
    properties:
      action: allow
      description: This is a simple rule description
      direction: INGRESS
      disabled: false
      enableLogging: true
      firewallPolicy: ${basicNetworkFirewallPolicy.name}
      priority: 1000
      ruleName: test-rule
      targetServiceAccounts:
        - my@service-account.com
      match:
        srcIpRanges:
          - 10.100.0.1/32
        srcFqdns:
          - google.com
        srcRegionCodes:
          - US
        srcThreatIntelligences:
          - iplist-known-malicious-ips
        srcSecureTags:
          - name: tagValues/${basicValue.name}
        layer4Configs:
          - ipProtocol: all
        srcAddressGroups:
          - ${basicGlobalNetworksecurityAddressGroup.id}
  basicNetwork:
    type: gcp:compute:Network
  basicKey:
    type: gcp:tags:TagKey
    properties:
      description: For keyname resources.
      parent: organizations/123456789
      purpose: GCE_FIREWALL
      shortName: tagkey
      purposeData:
        network: my-project-name/${basicNetwork.name}
  basicValue:
    type: gcp:tags:TagValue
    properties:
      description: For valuename resources.
      parent: tagKeys/${basicKey.name}
      shortName: tagvalue

Create NetworkFirewallPolicyRule Resource

new NetworkFirewallPolicyRule(name: string, args: NetworkFirewallPolicyRuleArgs, opts?: CustomResourceOptions);

@overload
def NetworkFirewallPolicyRule(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              action: Optional[str] = None,
                              description: Optional[str] = None,
                              direction: Optional[str] = None,
                              disabled: Optional[bool] = None,
                              enable_logging: Optional[bool] = None,
                              firewall_policy: Optional[str] = None,
                              match: Optional[NetworkFirewallPolicyRuleMatchArgs] = None,
                              priority: Optional[int] = None,
                              project: Optional[str] = None,
                              rule_name: Optional[str] = None,
                              target_secure_tags: Optional[Sequence[NetworkFirewallPolicyRuleTargetSecureTagArgs]] = None,
                              target_service_accounts: Optional[Sequence[str]] = None)
@overload
def NetworkFirewallPolicyRule(resource_name: str,
                              args: NetworkFirewallPolicyRuleArgs,
                              opts: Optional[ResourceOptions] = None)

func NewNetworkFirewallPolicyRule(ctx *Context, name string, args NetworkFirewallPolicyRuleArgs, opts ...ResourceOption) (*NetworkFirewallPolicyRule, error)

public NetworkFirewallPolicyRule(string name, NetworkFirewallPolicyRuleArgs args, CustomResourceOptions? opts = null)

public NetworkFirewallPolicyRule(String name, NetworkFirewallPolicyRuleArgs args)
public NetworkFirewallPolicyRule(String name, NetworkFirewallPolicyRuleArgs args, CustomResourceOptions options)

type: gcp:compute:NetworkFirewallPolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args NetworkFirewallPolicyRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args NetworkFirewallPolicyRuleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args NetworkFirewallPolicyRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args NetworkFirewallPolicyRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args NetworkFirewallPolicyRuleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

NetworkFirewallPolicyRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The NetworkFirewallPolicyRule resource accepts the following input properties:

Action string: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
Direction string: The direction in which this rule applies. Possible values: INGRESS, EGRESS
FirewallPolicy string: The firewall policy of the resource.
Match NetworkFirewallPolicyRuleMatch: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
Priority int: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
Description string: An optional description for this resource.
Disabled bool: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
EnableLogging bool: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
Project string: The project for the resource
RuleName string: An optional name for the rule. This field is not a unique identifier and can be updated.
TargetSecureTags List<NetworkFirewallPolicyRuleTargetSecureTag>: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
TargetServiceAccounts List<string>: A list of service accounts indicating the sets of instances that are applied with this rule.

Action string: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
Direction string: The direction in which this rule applies. Possible values: INGRESS, EGRESS
FirewallPolicy string: The firewall policy of the resource.
Match NetworkFirewallPolicyRuleMatchArgs: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
Priority int: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
Description string: An optional description for this resource.
Disabled bool: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
EnableLogging bool: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
Project string: The project for the resource
RuleName string: An optional name for the rule. This field is not a unique identifier and can be updated.
TargetSecureTags []NetworkFirewallPolicyRuleTargetSecureTagArgs: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
TargetServiceAccounts []string: A list of service accounts indicating the sets of instances that are applied with this rule.

action String: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
direction String: The direction in which this rule applies. Possible values: INGRESS, EGRESS
firewallPolicy String: The firewall policy of the resource.
match NetworkFirewallPolicyRuleMatch: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
priority Integer: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
description String: An optional description for this resource.
disabled Boolean: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
enableLogging Boolean: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
project String: The project for the resource
ruleName String: An optional name for the rule. This field is not a unique identifier and can be updated.
targetSecureTags List<NetworkFirewallPolicyRuleTargetSecureTag>: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
targetServiceAccounts List<String>: A list of service accounts indicating the sets of instances that are applied with this rule.

action string: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
direction string: The direction in which this rule applies. Possible values: INGRESS, EGRESS
firewallPolicy string: The firewall policy of the resource.
match NetworkFirewallPolicyRuleMatch: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
priority number: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
description string: An optional description for this resource.
disabled boolean: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
enableLogging boolean: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
project string: The project for the resource
ruleName string: An optional name for the rule. This field is not a unique identifier and can be updated.
targetSecureTags NetworkFirewallPolicyRuleTargetSecureTag[]: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
targetServiceAccounts string[]: A list of service accounts indicating the sets of instances that are applied with this rule.

action str: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
direction str: The direction in which this rule applies. Possible values: INGRESS, EGRESS
firewall_policy str: The firewall policy of the resource.
match NetworkFirewallPolicyRuleMatchArgs: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
priority int: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
description str: An optional description for this resource.
disabled bool: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
enable_logging bool: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
project str: The project for the resource
rule_name str: An optional name for the rule. This field is not a unique identifier and can be updated.
target_secure_tags Sequence[NetworkFirewallPolicyRuleTargetSecureTagArgs]: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
target_service_accounts Sequence[str]: A list of service accounts indicating the sets of instances that are applied with this rule.

action String: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
direction String: The direction in which this rule applies. Possible values: INGRESS, EGRESS
firewallPolicy String: The firewall policy of the resource.
match Property Map: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
priority Number: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
description String: An optional description for this resource.
disabled Boolean: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
enableLogging Boolean: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
project String: The project for the resource
ruleName String: An optional name for the rule. This field is not a unique identifier and can be updated.
targetSecureTags List<Property Map>: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
targetServiceAccounts List<String>: A list of service accounts indicating the sets of instances that are applied with this rule.

Outputs

All input properties are implicitly available as output properties. Additionally, the NetworkFirewallPolicyRule resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Kind string: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
RuleTupleCount int: Calculation of the complexity of a single firewall policy rule.

Id string: The provider-assigned unique ID for this managed resource.
Kind string: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
RuleTupleCount int: Calculation of the complexity of a single firewall policy rule.

id String: The provider-assigned unique ID for this managed resource.
kind String: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
ruleTupleCount Integer: Calculation of the complexity of a single firewall policy rule.

id string: The provider-assigned unique ID for this managed resource.
kind string: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
ruleTupleCount number: Calculation of the complexity of a single firewall policy rule.

id str: The provider-assigned unique ID for this managed resource.
kind str: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
rule_tuple_count int: Calculation of the complexity of a single firewall policy rule.

id String: The provider-assigned unique ID for this managed resource.
kind String: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
ruleTupleCount Number: Calculation of the complexity of a single firewall policy rule.

Look up Existing NetworkFirewallPolicyRule Resource

Get an existing NetworkFirewallPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: NetworkFirewallPolicyRuleState, opts?: CustomResourceOptions): NetworkFirewallPolicyRule

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        action: Optional[str] = None,
        description: Optional[str] = None,
        direction: Optional[str] = None,
        disabled: Optional[bool] = None,
        enable_logging: Optional[bool] = None,
        firewall_policy: Optional[str] = None,
        kind: Optional[str] = None,
        match: Optional[NetworkFirewallPolicyRuleMatchArgs] = None,
        priority: Optional[int] = None,
        project: Optional[str] = None,
        rule_name: Optional[str] = None,
        rule_tuple_count: Optional[int] = None,
        target_secure_tags: Optional[Sequence[NetworkFirewallPolicyRuleTargetSecureTagArgs]] = None,
        target_service_accounts: Optional[Sequence[str]] = None) -> NetworkFirewallPolicyRule

func GetNetworkFirewallPolicyRule(ctx *Context, name string, id IDInput, state *NetworkFirewallPolicyRuleState, opts ...ResourceOption) (*NetworkFirewallPolicyRule, error)

public static NetworkFirewallPolicyRule Get(string name, Input<string> id, NetworkFirewallPolicyRuleState? state, CustomResourceOptions? opts = null)

public static NetworkFirewallPolicyRule get(String name, Output<String> id, NetworkFirewallPolicyRuleState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Action string: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
Description string: An optional description for this resource.
Direction string: The direction in which this rule applies. Possible values: INGRESS, EGRESS
Disabled bool: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
EnableLogging bool: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
FirewallPolicy string: The firewall policy of the resource.
Kind string: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
Match NetworkFirewallPolicyRuleMatch: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
Priority int: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
Project string: The project for the resource
RuleName string: An optional name for the rule. This field is not a unique identifier and can be updated.
RuleTupleCount int: Calculation of the complexity of a single firewall policy rule.
TargetSecureTags List<NetworkFirewallPolicyRuleTargetSecureTag>: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
TargetServiceAccounts List<string>: A list of service accounts indicating the sets of instances that are applied with this rule.

Action string: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
Description string: An optional description for this resource.
Direction string: The direction in which this rule applies. Possible values: INGRESS, EGRESS
Disabled bool: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
EnableLogging bool: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
FirewallPolicy string: The firewall policy of the resource.
Kind string: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
Match NetworkFirewallPolicyRuleMatchArgs: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
Priority int: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
Project string: The project for the resource
RuleName string: An optional name for the rule. This field is not a unique identifier and can be updated.
RuleTupleCount int: Calculation of the complexity of a single firewall policy rule.
TargetSecureTags []NetworkFirewallPolicyRuleTargetSecureTagArgs: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
TargetServiceAccounts []string: A list of service accounts indicating the sets of instances that are applied with this rule.

action String: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
description String: An optional description for this resource.
direction String: The direction in which this rule applies. Possible values: INGRESS, EGRESS
disabled Boolean: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
enableLogging Boolean: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
firewallPolicy String: The firewall policy of the resource.
kind String: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
match NetworkFirewallPolicyRuleMatch: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
priority Integer: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
project String: The project for the resource
ruleName String: An optional name for the rule. This field is not a unique identifier and can be updated.
ruleTupleCount Integer: Calculation of the complexity of a single firewall policy rule.
targetSecureTags List<NetworkFirewallPolicyRuleTargetSecureTag>: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
targetServiceAccounts List<String>: A list of service accounts indicating the sets of instances that are applied with this rule.

action string: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
description string: An optional description for this resource.
direction string: The direction in which this rule applies. Possible values: INGRESS, EGRESS
disabled boolean: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
enableLogging boolean: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
firewallPolicy string: The firewall policy of the resource.
kind string: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
match NetworkFirewallPolicyRuleMatch: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
priority number: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
project string: The project for the resource
ruleName string: An optional name for the rule. This field is not a unique identifier and can be updated.
ruleTupleCount number: Calculation of the complexity of a single firewall policy rule.
targetSecureTags NetworkFirewallPolicyRuleTargetSecureTag[]: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
targetServiceAccounts string[]: A list of service accounts indicating the sets of instances that are applied with this rule.

action str: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
description str: An optional description for this resource.
direction str: The direction in which this rule applies. Possible values: INGRESS, EGRESS
disabled bool: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
enable_logging bool: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
firewall_policy str: The firewall policy of the resource.
kind str: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
match NetworkFirewallPolicyRuleMatchArgs: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
priority int: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
project str: The project for the resource
rule_name str: An optional name for the rule. This field is not a unique identifier and can be updated.
rule_tuple_count int: Calculation of the complexity of a single firewall policy rule.
target_secure_tags Sequence[NetworkFirewallPolicyRuleTargetSecureTagArgs]: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
target_service_accounts Sequence[str]: A list of service accounts indicating the sets of instances that are applied with this rule.

action String: The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
description String: An optional description for this resource.
direction String: The direction in which this rule applies. Possible values: INGRESS, EGRESS
disabled Boolean: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
enableLogging Boolean: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
firewallPolicy String: The firewall policy of the resource.
kind String: Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
match Property Map: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
priority Number: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
project String: The project for the resource
ruleName String: An optional name for the rule. This field is not a unique identifier and can be updated.
ruleTupleCount Number: Calculation of the complexity of a single firewall policy rule.
targetSecureTags List<Property Map>: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
targetServiceAccounts List<String>: A list of service accounts indicating the sets of instances that are applied with this rule.

Supporting Types

NetworkFirewallPolicyRuleMatch, NetworkFirewallPolicyRuleMatchArgs

Layer4Configs List<NetworkFirewallPolicyRuleMatchLayer4Config>

Pairs of IP protocols and ports that the rule should match.

DestAddressGroups List<string>

Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.

DestFqdns List<string>

Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.

DestIpRanges List<string>

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.

DestRegionCodes List<string>

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.

DestThreatIntelligences List<string>

Name of the Google Cloud Threat Intelligence list.

SrcAddressGroups List<string>

Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.

SrcFqdns List<string>

Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.

SrcIpRanges List<string>

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.

SrcRegionCodes List<string>

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.

SrcSecureTags List<NetworkFirewallPolicyRuleMatchSrcSecureTag>

List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.

SrcThreatIntelligences List<string>

Name of the Google Cloud Threat Intelligence list.

The layer4_configs block supports:

Layer4Configs []NetworkFirewallPolicyRuleMatchLayer4Config

Pairs of IP protocols and ports that the rule should match.

DestAddressGroups []string

Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.

DestFqdns []string

Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.

DestIpRanges []string

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.

DestRegionCodes []string

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.

DestThreatIntelligences []string

Name of the Google Cloud Threat Intelligence list.

SrcAddressGroups []string

Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.

SrcFqdns []string

Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.

SrcIpRanges []string

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.

SrcRegionCodes []string

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.

SrcSecureTags []NetworkFirewallPolicyRuleMatchSrcSecureTag

SrcThreatIntelligences []string

Name of the Google Cloud Threat Intelligence list.

The layer4_configs block supports:

layer4Configs List<NetworkFirewallPolicyRuleMatchLayer4Config>

Pairs of IP protocols and ports that the rule should match.

destAddressGroups List<String>

Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.

destFqdns List<String>

Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.

destIpRanges List<String>

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.

destRegionCodes List<String>

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.

destThreatIntelligences List<String>

Name of the Google Cloud Threat Intelligence list.

srcAddressGroups List<String>

Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.

srcFqdns List<String>

Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.

srcIpRanges List<String>

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.

srcRegionCodes List<String>

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.

srcSecureTags List<NetworkFirewallPolicyRuleMatchSrcSecureTag>

srcThreatIntelligences List<String>

Name of the Google Cloud Threat Intelligence list.

The layer4_configs block supports:

layer4Configs NetworkFirewallPolicyRuleMatchLayer4Config[]

Pairs of IP protocols and ports that the rule should match.

destAddressGroups string[]

Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.

destFqdns string[]

Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.

destIpRanges string[]

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.

destRegionCodes string[]

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.

destThreatIntelligences string[]

Name of the Google Cloud Threat Intelligence list.

srcAddressGroups string[]

Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.

srcFqdns string[]

Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.

srcIpRanges string[]

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.

srcRegionCodes string[]

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.

srcSecureTags NetworkFirewallPolicyRuleMatchSrcSecureTag[]

srcThreatIntelligences string[]

Name of the Google Cloud Threat Intelligence list.

The layer4_configs block supports:

layer4_configs Sequence[NetworkFirewallPolicyRuleMatchLayer4Config]

Pairs of IP protocols and ports that the rule should match.

dest_address_groups Sequence[str]

Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.

dest_fqdns Sequence[str]

Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.

dest_ip_ranges Sequence[str]

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.

dest_region_codes Sequence[str]

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.

dest_threat_intelligences Sequence[str]

Name of the Google Cloud Threat Intelligence list.

src_address_groups Sequence[str]

Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.

src_fqdns Sequence[str]

Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.

src_ip_ranges Sequence[str]

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.

src_region_codes Sequence[str]

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.

src_secure_tags Sequence[NetworkFirewallPolicyRuleMatchSrcSecureTag]

src_threat_intelligences Sequence[str]

Name of the Google Cloud Threat Intelligence list.

The layer4_configs block supports:

layer4Configs List<Property Map>

Pairs of IP protocols and ports that the rule should match.

destAddressGroups List<String>

Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.

destFqdns List<String>

Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.

destIpRanges List<String>

CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.

destRegionCodes List<String>

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.

destThreatIntelligences List<String>

Name of the Google Cloud Threat Intelligence list.

srcAddressGroups List<String>

Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.

srcFqdns List<String>

Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.

srcIpRanges List<String>

CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.

srcRegionCodes List<String>

The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.

srcSecureTags List<Property Map>

srcThreatIntelligences List<String>

Name of the Google Cloud Threat Intelligence list.

The layer4_configs block supports:

NetworkFirewallPolicyRuleMatchLayer4Config, NetworkFirewallPolicyRuleMatchLayer4ConfigArgs

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
Ports List<string>: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
Ports []string: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.

ipProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
ports string[]: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.

ip_protocol str: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
ports Sequence[str]: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.

NetworkFirewallPolicyRuleMatchSrcSecureTag, NetworkFirewallPolicyRuleMatchSrcSecureTagArgs

Name string: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
State string: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

Name string: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
State string: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

name String: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
state String: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

name string: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
state string: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

name str: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
state str: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

name String: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
state String: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

NetworkFirewallPolicyRuleTargetSecureTag, NetworkFirewallPolicyRuleTargetSecureTagArgs

Name string: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
State string: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

Name string: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
State string: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

name String: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
state String: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

name string: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
state string: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

name str: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
state str: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

name String: Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
state String: [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

Import

NetworkFirewallPolicyRule can be imported using any of these accepted formats* projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}} * {{project}}/{{firewall_policy}}/{{priority}} * {{firewall_policy}}/{{priority}} In Terraform v1.5.0 and later, use an import block to import NetworkFirewallPolicyRule using one of the formats above. For exampletf import {

id = “projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}”

to = google_compute_network_firewall_policy_rule.default }

 $ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), NetworkFirewallPolicyRule can be imported using one of the formats above. For example

 $ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}

 $ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default {{project}}/{{firewall_policy}}/{{priority}}

 $ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default {{firewall_policy}}/{{priority}}

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud Classic v7.2.2 published on Monday, Jan 1, 0001 by Pulumi

pulumi/pulumi-gcp

gcp.compute.NetworkFirewallPolicyRule

On this page

On this page

Example Usage

Global

Create NetworkFirewallPolicyRule Resource

NetworkFirewallPolicyRule Resource Properties

Inputs

Outputs

Look up Existing NetworkFirewallPolicyRule Resource

Supporting Types

NetworkFirewallPolicyRuleMatch, NetworkFirewallPolicyRuleMatchArgs

NetworkFirewallPolicyRuleMatchLayer4Config, NetworkFirewallPolicyRuleMatchLayer4ConfigArgs

NetworkFirewallPolicyRuleMatchSrcSecureTag, NetworkFirewallPolicyRuleMatchSrcSecureTagArgs

NetworkFirewallPolicyRuleTargetSecureTag, NetworkFirewallPolicyRuleTargetSecureTagArgs

Import

Package Details

On this page

On this page