Docs
Packagesgcp.compute.RegionNetworkFirewallPolicyRule
Explore with Pulumi AI
The Compute NetworkFirewallPolicyRule resource
Example Usage
Regional
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicRegionalNetworksecurityAddressGroup = new Gcp.NetworkSecurity.AddressGroup("basicRegionalNetworksecurityAddressGroup", new()
{
Parent = "projects/my-project-name",
Description = "Sample regional networksecurity_address_group",
Location = "us-west1",
Items = new[]
{
"208.80.154.224/32",
},
Type = "IPV4",
Capacity = 100,
});
var basicRegionalNetworkFirewallPolicy = new Gcp.Compute.RegionNetworkFirewallPolicy("basicRegionalNetworkFirewallPolicy", new()
{
Description = "Sample regional network firewall policy",
Project = "my-project-name",
Region = "us-west1",
});
var basicNetwork = new Gcp.Compute.Network("basicNetwork");
var basicKey = new Gcp.Tags.TagKey("basicKey", new()
{
Description = "For keyname resources.",
Parent = "organizations/123456789",
Purpose = "GCE_FIREWALL",
ShortName = "tagkey",
PurposeData =
{
{ "network", basicNetwork.Name.Apply(name => $"my-project-name/{name}") },
},
});
var basicValue = new Gcp.Tags.TagValue("basicValue", new()
{
Description = "For valuename resources.",
Parent = basicKey.Name.Apply(name => $"tagKeys/{name}"),
ShortName = "tagvalue",
});
var primary = new Gcp.Compute.RegionNetworkFirewallPolicyRule("primary", new()
{
Action = "allow",
Description = "This is a simple rule description",
Direction = "INGRESS",
Disabled = false,
EnableLogging = true,
FirewallPolicy = basicRegionalNetworkFirewallPolicy.Name,
Priority = 1000,
Region = "us-west1",
RuleName = "test-rule",
TargetServiceAccounts = new[]
{
"my@service-account.com",
},
Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchArgs
{
SrcIpRanges = new[]
{
"10.100.0.1/32",
},
SrcFqdns = new[]
{
"example.com",
},
SrcRegionCodes = new[]
{
"US",
},
SrcThreatIntelligences = new[]
{
"iplist-known-malicious-ips",
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
SrcSecureTags = new[]
{
new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs
{
Name = basicValue.Name.Apply(name => $"tagValues/{name}"),
},
},
SrcAddressGroups = new[]
{
basicRegionalNetworksecurityAddressGroup.Id,
},
},
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicRegionalNetworksecurityAddressGroup, err := networksecurity.NewAddressGroup(ctx, "basicRegionalNetworksecurityAddressGroup", &networksecurity.AddressGroupArgs{
Parent: pulumi.String("projects/my-project-name"),
Description: pulumi.String("Sample regional networksecurity_address_group"),
Location: pulumi.String("us-west1"),
Items: pulumi.StringArray{
pulumi.String("208.80.154.224/32"),
},
Type: pulumi.String("IPV4"),
Capacity: pulumi.Int(100),
})
if err != nil {
return err
}
basicRegionalNetworkFirewallPolicy, err := compute.NewRegionNetworkFirewallPolicy(ctx, "basicRegionalNetworkFirewallPolicy", &compute.RegionNetworkFirewallPolicyArgs{
Description: pulumi.String("Sample regional network firewall policy"),
Project: pulumi.String("my-project-name"),
Region: pulumi.String("us-west1"),
})
if err != nil {
return err
}
basicNetwork, err := compute.NewNetwork(ctx, "basicNetwork", nil)
if err != nil {
return err
}
basicKey, err := tags.NewTagKey(ctx, "basicKey", &tags.TagKeyArgs{
Description: pulumi.String("For keyname resources."),
Parent: pulumi.String("organizations/123456789"),
Purpose: pulumi.String("GCE_FIREWALL"),
ShortName: pulumi.String("tagkey"),
PurposeData: pulumi.StringMap{
"network": basicNetwork.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("my-project-name/%v", name), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
basicValue, err := tags.NewTagValue(ctx, "basicValue", &tags.TagValueArgs{
Description: pulumi.String("For valuename resources."),
Parent: basicKey.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("tagKeys/%v", name), nil
}).(pulumi.StringOutput),
ShortName: pulumi.String("tagvalue"),
})
if err != nil {
return err
}
_, err = compute.NewRegionNetworkFirewallPolicyRule(ctx, "primary", &compute.RegionNetworkFirewallPolicyRuleArgs{
Action: pulumi.String("allow"),
Description: pulumi.String("This is a simple rule description"),
Direction: pulumi.String("INGRESS"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(true),
FirewallPolicy: basicRegionalNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
Region: pulumi.String("us-west1"),
RuleName: pulumi.String("test-rule"),
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("my@service-account.com"),
},
Match: &compute.RegionNetworkFirewallPolicyRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("10.100.0.1/32"),
},
SrcFqdns: pulumi.StringArray{
pulumi.String("example.com"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("US"),
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-known-malicious-ips"),
},
Layer4Configs: compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
SrcSecureTags: compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArray{
&compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs{
Name: basicValue.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("tagValues/%v", name), nil
}).(pulumi.StringOutput),
},
},
SrcAddressGroups: pulumi.StringArray{
basicRegionalNetworksecurityAddressGroup.ID(),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicy;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.tags.TagKey;
import com.pulumi.gcp.tags.TagKeyArgs;
import com.pulumi.gcp.tags.TagValue;
import com.pulumi.gcp.tags.TagValueArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicRegionalNetworksecurityAddressGroup = new AddressGroup("basicRegionalNetworksecurityAddressGroup", AddressGroupArgs.builder()
.parent("projects/my-project-name")
.description("Sample regional networksecurity_address_group")
.location("us-west1")
.items("208.80.154.224/32")
.type("IPV4")
.capacity(100)
.build());
var basicRegionalNetworkFirewallPolicy = new RegionNetworkFirewallPolicy("basicRegionalNetworkFirewallPolicy", RegionNetworkFirewallPolicyArgs.builder()
.description("Sample regional network firewall policy")
.project("my-project-name")
.region("us-west1")
.build());
var basicNetwork = new Network("basicNetwork");
var basicKey = new TagKey("basicKey", TagKeyArgs.builder()
.description("For keyname resources.")
.parent("organizations/123456789")
.purpose("GCE_FIREWALL")
.shortName("tagkey")
.purposeData(Map.of("network", basicNetwork.name().applyValue(name -> String.format("my-project-name/%s", name))))
.build());
var basicValue = new TagValue("basicValue", TagValueArgs.builder()
.description("For valuename resources.")
.parent(basicKey.name().applyValue(name -> String.format("tagKeys/%s", name)))
.shortName("tagvalue")
.build());
var primary = new RegionNetworkFirewallPolicyRule("primary", RegionNetworkFirewallPolicyRuleArgs.builder()
.action("allow")
.description("This is a simple rule description")
.direction("INGRESS")
.disabled(false)
.enableLogging(true)
.firewallPolicy(basicRegionalNetworkFirewallPolicy.name())
.priority(1000)
.region("us-west1")
.ruleName("test-rule")
.targetServiceAccounts("my@service-account.com")
.match(RegionNetworkFirewallPolicyRuleMatchArgs.builder()
.srcIpRanges("10.100.0.1/32")
.srcFqdns("example.com")
.srcRegionCodes("US")
.srcThreatIntelligences("iplist-known-malicious-ips")
.layer4Configs(RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.srcSecureTags(RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs.builder()
.name(basicValue.name().applyValue(name -> String.format("tagValues/%s", name)))
.build())
.srcAddressGroups(basicRegionalNetworksecurityAddressGroup.id())
.build())
.build());
}
}
import pulumi
import pulumi_gcp as gcp
basic_regional_networksecurity_address_group = gcp.networksecurity.AddressGroup("basicRegionalNetworksecurityAddressGroup",
parent="projects/my-project-name",
description="Sample regional networksecurity_address_group",
location="us-west1",
items=["208.80.154.224/32"],
type="IPV4",
capacity=100)
basic_regional_network_firewall_policy = gcp.compute.RegionNetworkFirewallPolicy("basicRegionalNetworkFirewallPolicy",
description="Sample regional network firewall policy",
project="my-project-name",
region="us-west1")
basic_network = gcp.compute.Network("basicNetwork")
basic_key = gcp.tags.TagKey("basicKey",
description="For keyname resources.",
parent="organizations/123456789",
purpose="GCE_FIREWALL",
short_name="tagkey",
purpose_data={
"network": basic_network.name.apply(lambda name: f"my-project-name/{name}"),
})
basic_value = gcp.tags.TagValue("basicValue",
description="For valuename resources.",
parent=basic_key.name.apply(lambda name: f"tagKeys/{name}"),
short_name="tagvalue")
primary = gcp.compute.RegionNetworkFirewallPolicyRule("primary",
action="allow",
description="This is a simple rule description",
direction="INGRESS",
disabled=False,
enable_logging=True,
firewall_policy=basic_regional_network_firewall_policy.name,
priority=1000,
region="us-west1",
rule_name="test-rule",
target_service_accounts=["my@service-account.com"],
match=gcp.compute.RegionNetworkFirewallPolicyRuleMatchArgs(
src_ip_ranges=["10.100.0.1/32"],
src_fqdns=["example.com"],
src_region_codes=["US"],
src_threat_intelligences=["iplist-known-malicious-ips"],
layer4_configs=[gcp.compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs(
ip_protocol="all",
)],
src_secure_tags=[gcp.compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs(
name=basic_value.name.apply(lambda name: f"tagValues/{name}"),
)],
src_address_groups=[basic_regional_networksecurity_address_group.id],
))
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicRegionalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basicRegionalNetworksecurityAddressGroup", {
parent: "projects/my-project-name",
description: "Sample regional networksecurity_address_group",
location: "us-west1",
items: ["208.80.154.224/32"],
type: "IPV4",
capacity: 100,
});
const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basicRegionalNetworkFirewallPolicy", {
description: "Sample regional network firewall policy",
project: "my-project-name",
region: "us-west1",
});
const basicNetwork = new gcp.compute.Network("basicNetwork", {});
const basicKey = new gcp.tags.TagKey("basicKey", {
description: "For keyname resources.",
parent: "organizations/123456789",
purpose: "GCE_FIREWALL",
shortName: "tagkey",
purposeData: {
network: pulumi.interpolate`my-project-name/${basicNetwork.name}`,
},
});
const basicValue = new gcp.tags.TagValue("basicValue", {
description: "For valuename resources.",
parent: pulumi.interpolate`tagKeys/${basicKey.name}`,
shortName: "tagvalue",
});
const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", {
action: "allow",
description: "This is a simple rule description",
direction: "INGRESS",
disabled: false,
enableLogging: true,
firewallPolicy: basicRegionalNetworkFirewallPolicy.name,
priority: 1000,
region: "us-west1",
ruleName: "test-rule",
targetServiceAccounts: ["my@service-account.com"],
match: {
srcIpRanges: ["10.100.0.1/32"],
srcFqdns: ["example.com"],
srcRegionCodes: ["US"],
srcThreatIntelligences: ["iplist-known-malicious-ips"],
layer4Configs: [{
ipProtocol: "all",
}],
srcSecureTags: [{
name: pulumi.interpolate`tagValues/${basicValue.name}`,
}],
srcAddressGroups: [basicRegionalNetworksecurityAddressGroup.id],
},
});
resources:
basicRegionalNetworksecurityAddressGroup:
type: gcp:networksecurity:AddressGroup
properties:
parent: projects/my-project-name
description: Sample regional networksecurity_address_group
location: us-west1
items:
- 208.80.154.224/32
type: IPV4
capacity: 100
basicRegionalNetworkFirewallPolicy:
type: gcp:compute:RegionNetworkFirewallPolicy
properties:
description: Sample regional network firewall policy
project: my-project-name
region: us-west1
primary:
type: gcp:compute:RegionNetworkFirewallPolicyRule
properties:
action: allow
description: This is a simple rule description
direction: INGRESS
disabled: false
enableLogging: true
firewallPolicy: ${basicRegionalNetworkFirewallPolicy.name}
priority: 1000
region: us-west1
ruleName: test-rule
targetServiceAccounts:
- my@service-account.com
match:
srcIpRanges:
- 10.100.0.1/32
srcFqdns:
- example.com
srcRegionCodes:
- US
srcThreatIntelligences:
- iplist-known-malicious-ips
layer4Configs:
- ipProtocol: all
srcSecureTags:
- name: tagValues/${basicValue.name}
srcAddressGroups:
- ${basicRegionalNetworksecurityAddressGroup.id}
basicNetwork:
type: gcp:compute:Network
basicKey:
type: gcp:tags:TagKey
properties:
description: For keyname resources.
parent: organizations/123456789
purpose: GCE_FIREWALL
shortName: tagkey
purposeData:
network: my-project-name/${basicNetwork.name}
basicValue:
type: gcp:tags:TagValue
properties:
description: For valuename resources.
parent: tagKeys/${basicKey.name}
shortName: tagvalue
Create RegionNetworkFirewallPolicyRule Resource
new RegionNetworkFirewallPolicyRule(name: string, args: RegionNetworkFirewallPolicyRuleArgs, opts?: CustomResourceOptions);@overload
def RegionNetworkFirewallPolicyRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
description: Optional[str] = None,
direction: Optional[str] = None,
disabled: Optional[bool] = None,
enable_logging: Optional[bool] = None,
firewall_policy: Optional[str] = None,
match: Optional[RegionNetworkFirewallPolicyRuleMatchArgs] = None,
priority: Optional[int] = None,
project: Optional[str] = None,
region: Optional[str] = None,
rule_name: Optional[str] = None,
target_secure_tags: Optional[Sequence[RegionNetworkFirewallPolicyRuleTargetSecureTagArgs]] = None,
target_service_accounts: Optional[Sequence[str]] = None)
@overload
def RegionNetworkFirewallPolicyRule(resource_name: str,
args: RegionNetworkFirewallPolicyRuleArgs,
opts: Optional[ResourceOptions] = None)func NewRegionNetworkFirewallPolicyRule(ctx *Context, name string, args RegionNetworkFirewallPolicyRuleArgs, opts ...ResourceOption) (*RegionNetworkFirewallPolicyRule, error)public RegionNetworkFirewallPolicyRule(string name, RegionNetworkFirewallPolicyRuleArgs args, CustomResourceOptions? opts = null)
public RegionNetworkFirewallPolicyRule(String name, RegionNetworkFirewallPolicyRuleArgs args)
public RegionNetworkFirewallPolicyRule(String name, RegionNetworkFirewallPolicyRuleArgs args, CustomResourceOptions options)
type: gcp:compute:RegionNetworkFirewallPolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RegionNetworkFirewallPolicyRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RegionNetworkFirewallPolicyRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RegionNetworkFirewallPolicyRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RegionNetworkFirewallPolicyRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RegionNetworkFirewallPolicyRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
RegionNetworkFirewallPolicyRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The RegionNetworkFirewallPolicyRule resource accepts the following input properties:
- Action string
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- Direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Firewall
Policy string The firewall policy of the resource.
- Match
Region
Network Firewall Policy Rule Match A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Description string
An optional description for this resource.
- Disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Project string
The project for the resource
- Region string
The location of this resource.
- Rule
Name string An optional name for the rule. This field is not a unique identifier and can be updated.
-
List<Region
Network Firewall Policy Rule Target Secure Tag> A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Target
Service List<string>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- Action string
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- Direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Firewall
Policy string The firewall policy of the resource.
- Match
Region
Network Firewall Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Description string
An optional description for this resource.
- Disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Project string
The project for the resource
- Region string
The location of this resource.
- Rule
Name string An optional name for the rule. This field is not a unique identifier and can be updated.
-
[]Region
Network Firewall Policy Rule Target Secure Tag Args A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Target
Service []stringAccounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action String
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- direction String
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy String The firewall policy of the resource.
- match
Region
Network Firewall Policy Rule Match A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority Integer
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description String
An optional description for this resource.
- disabled Boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- project String
The project for the resource
- region String
The location of this resource.
- rule
Name String An optional name for the rule. This field is not a unique identifier and can be updated.
-
List<Region
Network Firewall Policy Rule Target Secure Tag> A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service List<String>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action string
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy string The firewall policy of the resource.
- match
Region
Network Firewall Policy Rule Match A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority number
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description string
An optional description for this resource.
- disabled boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- project string
The project for the resource
- region string
The location of this resource.
- rule
Name string An optional name for the rule. This field is not a unique identifier and can be updated.
-
Region
Network Firewall Policy Rule Target Secure Tag[] A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service string[]Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action str
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- direction str
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall_
policy str The firewall policy of the resource.
- match
Region
Network Firewall Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description str
An optional description for this resource.
- disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- project str
The project for the resource
- region str
The location of this resource.
- rule_
name str An optional name for the rule. This field is not a unique identifier and can be updated.
-
Sequence[Region
Network Firewall Policy Rule Target Secure Tag Args] A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target_
service_ Sequence[str]accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action String
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- direction String
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- firewall
Policy String The firewall policy of the resource.
- match Property Map
A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority Number
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- description String
An optional description for this resource.
- disabled Boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- project String
The project for the resource
- region String
The location of this resource.
- rule
Name String An optional name for the rule. This field is not a unique identifier and can be updated.
- List<Property Map>
A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service List<String>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
Outputs
All input properties are implicitly available as output properties. Additionally, the RegionNetworkFirewallPolicyRule resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Kind string
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- Rule
Tuple intCount Calculation of the complexity of a single firewall policy rule.
- Id string
The provider-assigned unique ID for this managed resource.
- Kind string
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- Rule
Tuple intCount Calculation of the complexity of a single firewall policy rule.
- id String
The provider-assigned unique ID for this managed resource.
- kind String
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- rule
Tuple IntegerCount Calculation of the complexity of a single firewall policy rule.
- id string
The provider-assigned unique ID for this managed resource.
- kind string
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- rule
Tuple numberCount Calculation of the complexity of a single firewall policy rule.
- id str
The provider-assigned unique ID for this managed resource.
- kind str
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- rule_
tuple_ intcount Calculation of the complexity of a single firewall policy rule.
- id String
The provider-assigned unique ID for this managed resource.
- kind String
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- rule
Tuple NumberCount Calculation of the complexity of a single firewall policy rule.
Look up Existing RegionNetworkFirewallPolicyRule Resource
Get an existing RegionNetworkFirewallPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RegionNetworkFirewallPolicyRuleState, opts?: CustomResourceOptions): RegionNetworkFirewallPolicyRule@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
description: Optional[str] = None,
direction: Optional[str] = None,
disabled: Optional[bool] = None,
enable_logging: Optional[bool] = None,
firewall_policy: Optional[str] = None,
kind: Optional[str] = None,
match: Optional[RegionNetworkFirewallPolicyRuleMatchArgs] = None,
priority: Optional[int] = None,
project: Optional[str] = None,
region: Optional[str] = None,
rule_name: Optional[str] = None,
rule_tuple_count: Optional[int] = None,
target_secure_tags: Optional[Sequence[RegionNetworkFirewallPolicyRuleTargetSecureTagArgs]] = None,
target_service_accounts: Optional[Sequence[str]] = None) -> RegionNetworkFirewallPolicyRulefunc GetRegionNetworkFirewallPolicyRule(ctx *Context, name string, id IDInput, state *RegionNetworkFirewallPolicyRuleState, opts ...ResourceOption) (*RegionNetworkFirewallPolicyRule, error)public static RegionNetworkFirewallPolicyRule Get(string name, Input<string> id, RegionNetworkFirewallPolicyRuleState? state, CustomResourceOptions? opts = null)public static RegionNetworkFirewallPolicyRule get(String name, Output<String> id, RegionNetworkFirewallPolicyRuleState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- Description string
An optional description for this resource.
- Direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Firewall
Policy string The firewall policy of the resource.
- Kind string
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- Match
Region
Network Firewall Policy Rule Match A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Project string
The project for the resource
- Region string
The location of this resource.
- Rule
Name string An optional name for the rule. This field is not a unique identifier and can be updated.
- Rule
Tuple intCount Calculation of the complexity of a single firewall policy rule.
-
List<Region
Network Firewall Policy Rule Target Secure Tag> A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Target
Service List<string>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- Action string
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- Description string
An optional description for this resource.
- Direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- Disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- Enable
Logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- Firewall
Policy string The firewall policy of the resource.
- Kind string
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- Match
Region
Network Firewall Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- Priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- Project string
The project for the resource
- Region string
The location of this resource.
- Rule
Name string An optional name for the rule. This field is not a unique identifier and can be updated.
- Rule
Tuple intCount Calculation of the complexity of a single firewall policy rule.
-
[]Region
Network Firewall Policy Rule Target Secure Tag Args A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- Target
Service []stringAccounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action String
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- description String
An optional description for this resource.
- direction String
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled Boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy String The firewall policy of the resource.
- kind String
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- match
Region
Network Firewall Policy Rule Match A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority Integer
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- project String
The project for the resource
- region String
The location of this resource.
- rule
Name String An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple IntegerCount Calculation of the complexity of a single firewall policy rule.
-
List<Region
Network Firewall Policy Rule Target Secure Tag> A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service List<String>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action string
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- description string
An optional description for this resource.
- direction string
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy string The firewall policy of the resource.
- kind string
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- match
Region
Network Firewall Policy Rule Match A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority number
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- project string
The project for the resource
- region string
The location of this resource.
- rule
Name string An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple numberCount Calculation of the complexity of a single firewall policy rule.
-
Region
Network Firewall Policy Rule Target Secure Tag[] A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service string[]Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action str
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- description str
An optional description for this resource.
- direction str
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled bool
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable_
logging bool Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall_
policy str The firewall policy of the resource.
- kind str
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- match
Region
Network Firewall Policy Rule Match Args A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority int
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- project str
The project for the resource
- region str
The location of this resource.
- rule_
name str An optional name for the rule. This field is not a unique identifier and can be updated.
- rule_
tuple_ intcount Calculation of the complexity of a single firewall policy rule.
-
Sequence[Region
Network Firewall Policy Rule Target Secure Tag Args] A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target_
service_ Sequence[str]accounts A list of service accounts indicating the sets of instances that are applied with this rule.
- action String
The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
- description String
An optional description for this resource.
- direction String
The direction in which this rule applies. Possible values: INGRESS, EGRESS
- disabled Boolean
Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
- enable
Logging Boolean Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
- firewall
Policy String The firewall policy of the resource.
- kind String
Type of the resource. Always
compute#firewallPolicyRulefor firewall policy rules- match Property Map
A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
- priority Number
An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
- project String
The project for the resource
- region String
The location of this resource.
- rule
Name String An optional name for the rule. This field is not a unique identifier and can be updated.
- rule
Tuple NumberCount Calculation of the complexity of a single firewall policy rule.
- List<Property Map>
A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
- target
Service List<String>Accounts A list of service accounts indicating the sets of instances that are applied with this rule.
Supporting Types
RegionNetworkFirewallPolicyRuleMatch, RegionNetworkFirewallPolicyRuleMatchArgs
- Layer4Configs
List<Region
Network Firewall Policy Rule Match Layer4Config> Pairs of IP protocols and ports that the rule should match.
- Dest
Address List<string>Groups Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- Dest
Fqdns List<string> Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- Dest
Ip List<string>Ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- Dest
Region List<string>Codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- Dest
Threat List<string>Intelligences Name of the Google Cloud Threat Intelligence list.
- Src
Address List<string>Groups Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- Src
Fqdns List<string> Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- Src
Ip List<string>Ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- Src
Region List<string>Codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
-
List<Region
Network Firewall Policy Rule Match Src Secure Tag> List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
- Src
Threat List<string>Intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- Layer4Configs
[]Region
Network Firewall Policy Rule Match Layer4Config Pairs of IP protocols and ports that the rule should match.
- Dest
Address []stringGroups Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- Dest
Fqdns []string Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- Dest
Ip []stringRanges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- Dest
Region []stringCodes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- Dest
Threat []stringIntelligences Name of the Google Cloud Threat Intelligence list.
- Src
Address []stringGroups Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- Src
Fqdns []string Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- Src
Ip []stringRanges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- Src
Region []stringCodes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
-
[]Region
Network Firewall Policy Rule Match Src Secure Tag List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
- Src
Threat []stringIntelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- layer4Configs
List<Region
Network Firewall Policy Rule Match Layer4Config> Pairs of IP protocols and ports that the rule should match.
- dest
Address List<String>Groups Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- dest
Fqdns List<String> Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- dest
Ip List<String>Ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- dest
Region List<String>Codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- dest
Threat List<String>Intelligences Name of the Google Cloud Threat Intelligence list.
- src
Address List<String>Groups Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- src
Fqdns List<String> Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- src
Ip List<String>Ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- src
Region List<String>Codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
-
List<Region
Network Firewall Policy Rule Match Src Secure Tag> List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
- src
Threat List<String>Intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- layer4Configs
Region
Network Firewall Policy Rule Match Layer4Config[] Pairs of IP protocols and ports that the rule should match.
- dest
Address string[]Groups Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- dest
Fqdns string[] Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- dest
Ip string[]Ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- dest
Region string[]Codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- dest
Threat string[]Intelligences Name of the Google Cloud Threat Intelligence list.
- src
Address string[]Groups Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- src
Fqdns string[] Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- src
Ip string[]Ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- src
Region string[]Codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
-
Region
Network Firewall Policy Rule Match Src Secure Tag[] List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
- src
Threat string[]Intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- layer4_
configs Sequence[RegionNetwork Firewall Policy Rule Match Layer4Config] Pairs of IP protocols and ports that the rule should match.
- dest_
address_ Sequence[str]groups Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- dest_
fqdns Sequence[str] Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- dest_
ip_ Sequence[str]ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- dest_
region_ Sequence[str]codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- dest_
threat_ Sequence[str]intelligences Name of the Google Cloud Threat Intelligence list.
- src_
address_ Sequence[str]groups Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- src_
fqdns Sequence[str] Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- src_
ip_ Sequence[str]ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- src_
region_ Sequence[str]codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
-
Sequence[Region
Network Firewall Policy Rule Match Src Secure Tag] List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
- src_
threat_ Sequence[str]intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
- layer4Configs List<Property Map>
Pairs of IP protocols and ports that the rule should match.
- dest
Address List<String>Groups Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
- dest
Fqdns List<String> Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
- dest
Ip List<String>Ranges CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
- dest
Region List<String>Codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
- dest
Threat List<String>Intelligences Name of the Google Cloud Threat Intelligence list.
- src
Address List<String>Groups Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
- src
Fqdns List<String> Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
- src
Ip List<String>Ranges CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
- src
Region List<String>Codes The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
- List<Property Map>
List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
- src
Threat List<String>Intelligences Name of the Google Cloud Threat Intelligence list.
The
layer4_configsblock supports:
RegionNetworkFirewallPolicyRuleMatchLayer4Config, RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs
- Ip
Protocol string The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number.- Ports List<string>
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- Ip
Protocol string The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number.- Ports []string
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol String The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number.- ports List<String>
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol string The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number.- ports string[]
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip_
protocol str The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number.- ports Sequence[str]
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
- ip
Protocol String The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (
tcp,udp,icmp,esp,ah,ipip,sctp), or the IP protocol number.- ports List<String>
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
RegionNetworkFirewallPolicyRuleMatchSrcSecureTag, RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs
RegionNetworkFirewallPolicyRuleTargetSecureTag, RegionNetworkFirewallPolicyRuleTargetSecureTagArgs
Import
NetworkFirewallPolicyRule can be imported using any of these accepted formats* projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}} * {{project}}/{{region}}/{{firewall_policy}}/{{priority}} * {{region}}/{{firewall_policy}}/{{priority}} * {{firewall_policy}}/{{priority}} In Terraform v1.5.0 and later, use an import block to import NetworkFirewallPolicyRule using one of the formats above. For exampletf import {
id = “projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}}”
to = google_compute_region_network_firewall_policy_rule.default }
$ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), NetworkFirewallPolicyRule can be imported using one of the formats above. For example
$ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}}
$ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{project}}/{{region}}/{{firewall_policy}}/{{priority}}
$ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{region}}/{{firewall_policy}}/{{priority}}
$ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{firewall_policy}}/{{priority}}
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
google-betaTerraform Provider.