1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. compute
  5. RegionNetworkFirewallPolicyRule
Google Cloud Classic v7.28.0 published on Friday, Jun 21, 2024 by Pulumi

gcp.compute.RegionNetworkFirewallPolicyRule

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.28.0 published on Friday, Jun 21, 2024 by Pulumi

    The Compute NetworkFirewallPolicyRule resource

    Example Usage

    Regional

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const basicRegionalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_regional_networksecurity_address_group", {
        name: "policy",
        parent: "projects/my-project-name",
        description: "Sample regional networksecurity_address_group",
        location: "us-west1",
        items: ["208.80.154.224/32"],
        type: "IPV4",
        capacity: 100,
    });
    const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", {
        name: "policy",
        description: "Sample regional network firewall policy",
        project: "my-project-name",
        region: "us-west1",
    });
    const basicNetwork = new gcp.compute.Network("basic_network", {name: "network"});
    const basicKey = new gcp.tags.TagKey("basic_key", {
        description: "For keyname resources.",
        parent: "organizations/123456789",
        purpose: "GCE_FIREWALL",
        shortName: "tagkey",
        purposeData: {
            network: pulumi.interpolate`my-project-name/${basicNetwork.name}`,
        },
    });
    const basicValue = new gcp.tags.TagValue("basic_value", {
        description: "For valuename resources.",
        parent: pulumi.interpolate`tagKeys/${basicKey.name}`,
        shortName: "tagvalue",
    });
    const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", {
        action: "allow",
        description: "This is a simple rule description",
        direction: "INGRESS",
        disabled: false,
        enableLogging: true,
        firewallPolicy: basicRegionalNetworkFirewallPolicy.name,
        priority: 1000,
        region: "us-west1",
        ruleName: "test-rule",
        targetServiceAccounts: ["my@service-account.com"],
        match: {
            srcIpRanges: ["10.100.0.1/32"],
            srcFqdns: ["example.com"],
            srcRegionCodes: ["US"],
            srcThreatIntelligences: ["iplist-known-malicious-ips"],
            layer4Configs: [{
                ipProtocol: "all",
            }],
            srcSecureTags: [{
                name: pulumi.interpolate`tagValues/${basicValue.name}`,
            }],
            srcAddressGroups: [basicRegionalNetworksecurityAddressGroup.id],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    basic_regional_networksecurity_address_group = gcp.networksecurity.AddressGroup("basic_regional_networksecurity_address_group",
        name="policy",
        parent="projects/my-project-name",
        description="Sample regional networksecurity_address_group",
        location="us-west1",
        items=["208.80.154.224/32"],
        type="IPV4",
        capacity=100)
    basic_regional_network_firewall_policy = gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy",
        name="policy",
        description="Sample regional network firewall policy",
        project="my-project-name",
        region="us-west1")
    basic_network = gcp.compute.Network("basic_network", name="network")
    basic_key = gcp.tags.TagKey("basic_key",
        description="For keyname resources.",
        parent="organizations/123456789",
        purpose="GCE_FIREWALL",
        short_name="tagkey",
        purpose_data={
            "network": basic_network.name.apply(lambda name: f"my-project-name/{name}"),
        })
    basic_value = gcp.tags.TagValue("basic_value",
        description="For valuename resources.",
        parent=basic_key.name.apply(lambda name: f"tagKeys/{name}"),
        short_name="tagvalue")
    primary = gcp.compute.RegionNetworkFirewallPolicyRule("primary",
        action="allow",
        description="This is a simple rule description",
        direction="INGRESS",
        disabled=False,
        enable_logging=True,
        firewall_policy=basic_regional_network_firewall_policy.name,
        priority=1000,
        region="us-west1",
        rule_name="test-rule",
        target_service_accounts=["my@service-account.com"],
        match=gcp.compute.RegionNetworkFirewallPolicyRuleMatchArgs(
            src_ip_ranges=["10.100.0.1/32"],
            src_fqdns=["example.com"],
            src_region_codes=["US"],
            src_threat_intelligences=["iplist-known-malicious-ips"],
            layer4_configs=[gcp.compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs(
                ip_protocol="all",
            )],
            src_secure_tags=[gcp.compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs(
                name=basic_value.name.apply(lambda name: f"tagValues/{name}"),
            )],
            src_address_groups=[basic_regional_networksecurity_address_group.id],
        ))
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/networksecurity"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/tags"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		basicRegionalNetworksecurityAddressGroup, err := networksecurity.NewAddressGroup(ctx, "basic_regional_networksecurity_address_group", &networksecurity.AddressGroupArgs{
    			Name:        pulumi.String("policy"),
    			Parent:      pulumi.String("projects/my-project-name"),
    			Description: pulumi.String("Sample regional networksecurity_address_group"),
    			Location:    pulumi.String("us-west1"),
    			Items: pulumi.StringArray{
    				pulumi.String("208.80.154.224/32"),
    			},
    			Type:     pulumi.String("IPV4"),
    			Capacity: pulumi.Int(100),
    		})
    		if err != nil {
    			return err
    		}
    		basicRegionalNetworkFirewallPolicy, err := compute.NewRegionNetworkFirewallPolicy(ctx, "basic_regional_network_firewall_policy", &compute.RegionNetworkFirewallPolicyArgs{
    			Name:        pulumi.String("policy"),
    			Description: pulumi.String("Sample regional network firewall policy"),
    			Project:     pulumi.String("my-project-name"),
    			Region:      pulumi.String("us-west1"),
    		})
    		if err != nil {
    			return err
    		}
    		basicNetwork, err := compute.NewNetwork(ctx, "basic_network", &compute.NetworkArgs{
    			Name: pulumi.String("network"),
    		})
    		if err != nil {
    			return err
    		}
    		basicKey, err := tags.NewTagKey(ctx, "basic_key", &tags.TagKeyArgs{
    			Description: pulumi.String("For keyname resources."),
    			Parent:      pulumi.String("organizations/123456789"),
    			Purpose:     pulumi.String("GCE_FIREWALL"),
    			ShortName:   pulumi.String("tagkey"),
    			PurposeData: pulumi.StringMap{
    				"network": basicNetwork.Name.ApplyT(func(name string) (string, error) {
    					return fmt.Sprintf("my-project-name/%v", name), nil
    				}).(pulumi.StringOutput),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		basicValue, err := tags.NewTagValue(ctx, "basic_value", &tags.TagValueArgs{
    			Description: pulumi.String("For valuename resources."),
    			Parent: basicKey.Name.ApplyT(func(name string) (string, error) {
    				return fmt.Sprintf("tagKeys/%v", name), nil
    			}).(pulumi.StringOutput),
    			ShortName: pulumi.String("tagvalue"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = compute.NewRegionNetworkFirewallPolicyRule(ctx, "primary", &compute.RegionNetworkFirewallPolicyRuleArgs{
    			Action:         pulumi.String("allow"),
    			Description:    pulumi.String("This is a simple rule description"),
    			Direction:      pulumi.String("INGRESS"),
    			Disabled:       pulumi.Bool(false),
    			EnableLogging:  pulumi.Bool(true),
    			FirewallPolicy: basicRegionalNetworkFirewallPolicy.Name,
    			Priority:       pulumi.Int(1000),
    			Region:         pulumi.String("us-west1"),
    			RuleName:       pulumi.String("test-rule"),
    			TargetServiceAccounts: pulumi.StringArray{
    				pulumi.String("my@service-account.com"),
    			},
    			Match: &compute.RegionNetworkFirewallPolicyRuleMatchArgs{
    				SrcIpRanges: pulumi.StringArray{
    					pulumi.String("10.100.0.1/32"),
    				},
    				SrcFqdns: pulumi.StringArray{
    					pulumi.String("example.com"),
    				},
    				SrcRegionCodes: pulumi.StringArray{
    					pulumi.String("US"),
    				},
    				SrcThreatIntelligences: pulumi.StringArray{
    					pulumi.String("iplist-known-malicious-ips"),
    				},
    				Layer4Configs: compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArray{
    					&compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
    						IpProtocol: pulumi.String("all"),
    					},
    				},
    				SrcSecureTags: compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArray{
    					&compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs{
    						Name: basicValue.Name.ApplyT(func(name string) (string, error) {
    							return fmt.Sprintf("tagValues/%v", name), nil
    						}).(pulumi.StringOutput),
    					},
    				},
    				SrcAddressGroups: pulumi.StringArray{
    					basicRegionalNetworksecurityAddressGroup.ID(),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var basicRegionalNetworksecurityAddressGroup = new Gcp.NetworkSecurity.AddressGroup("basic_regional_networksecurity_address_group", new()
        {
            Name = "policy",
            Parent = "projects/my-project-name",
            Description = "Sample regional networksecurity_address_group",
            Location = "us-west1",
            Items = new[]
            {
                "208.80.154.224/32",
            },
            Type = "IPV4",
            Capacity = 100,
        });
    
        var basicRegionalNetworkFirewallPolicy = new Gcp.Compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", new()
        {
            Name = "policy",
            Description = "Sample regional network firewall policy",
            Project = "my-project-name",
            Region = "us-west1",
        });
    
        var basicNetwork = new Gcp.Compute.Network("basic_network", new()
        {
            Name = "network",
        });
    
        var basicKey = new Gcp.Tags.TagKey("basic_key", new()
        {
            Description = "For keyname resources.",
            Parent = "organizations/123456789",
            Purpose = "GCE_FIREWALL",
            ShortName = "tagkey",
            PurposeData = 
            {
                { "network", basicNetwork.Name.Apply(name => $"my-project-name/{name}") },
            },
        });
    
        var basicValue = new Gcp.Tags.TagValue("basic_value", new()
        {
            Description = "For valuename resources.",
            Parent = basicKey.Name.Apply(name => $"tagKeys/{name}"),
            ShortName = "tagvalue",
        });
    
        var primary = new Gcp.Compute.RegionNetworkFirewallPolicyRule("primary", new()
        {
            Action = "allow",
            Description = "This is a simple rule description",
            Direction = "INGRESS",
            Disabled = false,
            EnableLogging = true,
            FirewallPolicy = basicRegionalNetworkFirewallPolicy.Name,
            Priority = 1000,
            Region = "us-west1",
            RuleName = "test-rule",
            TargetServiceAccounts = new[]
            {
                "my@service-account.com",
            },
            Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchArgs
            {
                SrcIpRanges = new[]
                {
                    "10.100.0.1/32",
                },
                SrcFqdns = new[]
                {
                    "example.com",
                },
                SrcRegionCodes = new[]
                {
                    "US",
                },
                SrcThreatIntelligences = new[]
                {
                    "iplist-known-malicious-ips",
                },
                Layer4Configs = new[]
                {
                    new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs
                    {
                        IpProtocol = "all",
                    },
                },
                SrcSecureTags = new[]
                {
                    new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs
                    {
                        Name = basicValue.Name.Apply(name => $"tagValues/{name}"),
                    },
                },
                SrcAddressGroups = new[]
                {
                    basicRegionalNetworksecurityAddressGroup.Id,
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.networksecurity.AddressGroup;
    import com.pulumi.gcp.networksecurity.AddressGroupArgs;
    import com.pulumi.gcp.compute.RegionNetworkFirewallPolicy;
    import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyArgs;
    import com.pulumi.gcp.compute.Network;
    import com.pulumi.gcp.compute.NetworkArgs;
    import com.pulumi.gcp.tags.TagKey;
    import com.pulumi.gcp.tags.TagKeyArgs;
    import com.pulumi.gcp.tags.TagValue;
    import com.pulumi.gcp.tags.TagValueArgs;
    import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRule;
    import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRuleArgs;
    import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyRuleMatchArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var basicRegionalNetworksecurityAddressGroup = new AddressGroup("basicRegionalNetworksecurityAddressGroup", AddressGroupArgs.builder()
                .name("policy")
                .parent("projects/my-project-name")
                .description("Sample regional networksecurity_address_group")
                .location("us-west1")
                .items("208.80.154.224/32")
                .type("IPV4")
                .capacity(100)
                .build());
    
            var basicRegionalNetworkFirewallPolicy = new RegionNetworkFirewallPolicy("basicRegionalNetworkFirewallPolicy", RegionNetworkFirewallPolicyArgs.builder()
                .name("policy")
                .description("Sample regional network firewall policy")
                .project("my-project-name")
                .region("us-west1")
                .build());
    
            var basicNetwork = new Network("basicNetwork", NetworkArgs.builder()
                .name("network")
                .build());
    
            var basicKey = new TagKey("basicKey", TagKeyArgs.builder()
                .description("For keyname resources.")
                .parent("organizations/123456789")
                .purpose("GCE_FIREWALL")
                .shortName("tagkey")
                .purposeData(Map.of("network", basicNetwork.name().applyValue(name -> String.format("my-project-name/%s", name))))
                .build());
    
            var basicValue = new TagValue("basicValue", TagValueArgs.builder()
                .description("For valuename resources.")
                .parent(basicKey.name().applyValue(name -> String.format("tagKeys/%s", name)))
                .shortName("tagvalue")
                .build());
    
            var primary = new RegionNetworkFirewallPolicyRule("primary", RegionNetworkFirewallPolicyRuleArgs.builder()
                .action("allow")
                .description("This is a simple rule description")
                .direction("INGRESS")
                .disabled(false)
                .enableLogging(true)
                .firewallPolicy(basicRegionalNetworkFirewallPolicy.name())
                .priority(1000)
                .region("us-west1")
                .ruleName("test-rule")
                .targetServiceAccounts("my@service-account.com")
                .match(RegionNetworkFirewallPolicyRuleMatchArgs.builder()
                    .srcIpRanges("10.100.0.1/32")
                    .srcFqdns("example.com")
                    .srcRegionCodes("US")
                    .srcThreatIntelligences("iplist-known-malicious-ips")
                    .layer4Configs(RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
                        .ipProtocol("all")
                        .build())
                    .srcSecureTags(RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs.builder()
                        .name(basicValue.name().applyValue(name -> String.format("tagValues/%s", name)))
                        .build())
                    .srcAddressGroups(basicRegionalNetworksecurityAddressGroup.id())
                    .build())
                .build());
    
        }
    }
    
    resources:
      basicRegionalNetworksecurityAddressGroup:
        type: gcp:networksecurity:AddressGroup
        name: basic_regional_networksecurity_address_group
        properties:
          name: policy
          parent: projects/my-project-name
          description: Sample regional networksecurity_address_group
          location: us-west1
          items:
            - 208.80.154.224/32
          type: IPV4
          capacity: 100
      basicRegionalNetworkFirewallPolicy:
        type: gcp:compute:RegionNetworkFirewallPolicy
        name: basic_regional_network_firewall_policy
        properties:
          name: policy
          description: Sample regional network firewall policy
          project: my-project-name
          region: us-west1
      primary:
        type: gcp:compute:RegionNetworkFirewallPolicyRule
        properties:
          action: allow
          description: This is a simple rule description
          direction: INGRESS
          disabled: false
          enableLogging: true
          firewallPolicy: ${basicRegionalNetworkFirewallPolicy.name}
          priority: 1000
          region: us-west1
          ruleName: test-rule
          targetServiceAccounts:
            - my@service-account.com
          match:
            srcIpRanges:
              - 10.100.0.1/32
            srcFqdns:
              - example.com
            srcRegionCodes:
              - US
            srcThreatIntelligences:
              - iplist-known-malicious-ips
            layer4Configs:
              - ipProtocol: all
            srcSecureTags:
              - name: tagValues/${basicValue.name}
            srcAddressGroups:
              - ${basicRegionalNetworksecurityAddressGroup.id}
      basicNetwork:
        type: gcp:compute:Network
        name: basic_network
        properties:
          name: network
      basicKey:
        type: gcp:tags:TagKey
        name: basic_key
        properties:
          description: For keyname resources.
          parent: organizations/123456789
          purpose: GCE_FIREWALL
          shortName: tagkey
          purposeData:
            network: my-project-name/${basicNetwork.name}
      basicValue:
        type: gcp:tags:TagValue
        name: basic_value
        properties:
          description: For valuename resources.
          parent: tagKeys/${basicKey.name}
          shortName: tagvalue
    

    Create RegionNetworkFirewallPolicyRule Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new RegionNetworkFirewallPolicyRule(name: string, args: RegionNetworkFirewallPolicyRuleArgs, opts?: CustomResourceOptions);
    @overload
    def RegionNetworkFirewallPolicyRule(resource_name: str,
                                        args: RegionNetworkFirewallPolicyRuleArgs,
                                        opts: Optional[ResourceOptions] = None)
    
    @overload
    def RegionNetworkFirewallPolicyRule(resource_name: str,
                                        opts: Optional[ResourceOptions] = None,
                                        firewall_policy: Optional[str] = None,
                                        priority: Optional[int] = None,
                                        direction: Optional[str] = None,
                                        action: Optional[str] = None,
                                        match: Optional[RegionNetworkFirewallPolicyRuleMatchArgs] = None,
                                        disabled: Optional[bool] = None,
                                        enable_logging: Optional[bool] = None,
                                        description: Optional[str] = None,
                                        project: Optional[str] = None,
                                        region: Optional[str] = None,
                                        rule_name: Optional[str] = None,
                                        security_profile_group: Optional[str] = None,
                                        target_secure_tags: Optional[Sequence[RegionNetworkFirewallPolicyRuleTargetSecureTagArgs]] = None,
                                        target_service_accounts: Optional[Sequence[str]] = None,
                                        tls_inspect: Optional[bool] = None)
    func NewRegionNetworkFirewallPolicyRule(ctx *Context, name string, args RegionNetworkFirewallPolicyRuleArgs, opts ...ResourceOption) (*RegionNetworkFirewallPolicyRule, error)
    public RegionNetworkFirewallPolicyRule(string name, RegionNetworkFirewallPolicyRuleArgs args, CustomResourceOptions? opts = null)
    public RegionNetworkFirewallPolicyRule(String name, RegionNetworkFirewallPolicyRuleArgs args)
    public RegionNetworkFirewallPolicyRule(String name, RegionNetworkFirewallPolicyRuleArgs args, CustomResourceOptions options)
    
    type: gcp:compute:RegionNetworkFirewallPolicyRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args RegionNetworkFirewallPolicyRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RegionNetworkFirewallPolicyRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RegionNetworkFirewallPolicyRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RegionNetworkFirewallPolicyRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RegionNetworkFirewallPolicyRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Example

    The following reference example uses placeholder values for all input properties.

    var regionNetworkFirewallPolicyRuleResource = new Gcp.Compute.RegionNetworkFirewallPolicyRule("regionNetworkFirewallPolicyRuleResource", new()
    {
        FirewallPolicy = "string",
        Priority = 0,
        Direction = "string",
        Action = "string",
        Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchArgs
        {
            Layer4Configs = new[]
            {
                new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs
                {
                    IpProtocol = "string",
                    Ports = new[]
                    {
                        "string",
                    },
                },
            },
            DestAddressGroups = new[]
            {
                "string",
            },
            DestFqdns = new[]
            {
                "string",
            },
            DestIpRanges = new[]
            {
                "string",
            },
            DestRegionCodes = new[]
            {
                "string",
            },
            DestThreatIntelligences = new[]
            {
                "string",
            },
            SrcAddressGroups = new[]
            {
                "string",
            },
            SrcFqdns = new[]
            {
                "string",
            },
            SrcIpRanges = new[]
            {
                "string",
            },
            SrcRegionCodes = new[]
            {
                "string",
            },
            SrcSecureTags = new[]
            {
                new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs
                {
                    Name = "string",
                    State = "string",
                },
            },
            SrcThreatIntelligences = new[]
            {
                "string",
            },
        },
        Disabled = false,
        EnableLogging = false,
        Description = "string",
        Project = "string",
        Region = "string",
        RuleName = "string",
        SecurityProfileGroup = "string",
        TargetSecureTags = new[]
        {
            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleTargetSecureTagArgs
            {
                Name = "string",
                State = "string",
            },
        },
        TargetServiceAccounts = new[]
        {
            "string",
        },
        TlsInspect = false,
    });
    
    example, err := compute.NewRegionNetworkFirewallPolicyRule(ctx, "regionNetworkFirewallPolicyRuleResource", &compute.RegionNetworkFirewallPolicyRuleArgs{
    	FirewallPolicy: pulumi.String("string"),
    	Priority:       pulumi.Int(0),
    	Direction:      pulumi.String("string"),
    	Action:         pulumi.String("string"),
    	Match: &compute.RegionNetworkFirewallPolicyRuleMatchArgs{
    		Layer4Configs: compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArray{
    			&compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
    				IpProtocol: pulumi.String("string"),
    				Ports: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    		DestAddressGroups: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		DestFqdns: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		DestIpRanges: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		DestRegionCodes: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		DestThreatIntelligences: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcAddressGroups: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcFqdns: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcIpRanges: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcRegionCodes: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SrcSecureTags: compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArray{
    			&compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs{
    				Name:  pulumi.String("string"),
    				State: pulumi.String("string"),
    			},
    		},
    		SrcThreatIntelligences: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	Disabled:             pulumi.Bool(false),
    	EnableLogging:        pulumi.Bool(false),
    	Description:          pulumi.String("string"),
    	Project:              pulumi.String("string"),
    	Region:               pulumi.String("string"),
    	RuleName:             pulumi.String("string"),
    	SecurityProfileGroup: pulumi.String("string"),
    	TargetSecureTags: compute.RegionNetworkFirewallPolicyRuleTargetSecureTagArray{
    		&compute.RegionNetworkFirewallPolicyRuleTargetSecureTagArgs{
    			Name:  pulumi.String("string"),
    			State: pulumi.String("string"),
    		},
    	},
    	TargetServiceAccounts: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TlsInspect: pulumi.Bool(false),
    })
    
    var regionNetworkFirewallPolicyRuleResource = new RegionNetworkFirewallPolicyRule("regionNetworkFirewallPolicyRuleResource", RegionNetworkFirewallPolicyRuleArgs.builder()
        .firewallPolicy("string")
        .priority(0)
        .direction("string")
        .action("string")
        .match(RegionNetworkFirewallPolicyRuleMatchArgs.builder()
            .layer4Configs(RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
                .ipProtocol("string")
                .ports("string")
                .build())
            .destAddressGroups("string")
            .destFqdns("string")
            .destIpRanges("string")
            .destRegionCodes("string")
            .destThreatIntelligences("string")
            .srcAddressGroups("string")
            .srcFqdns("string")
            .srcIpRanges("string")
            .srcRegionCodes("string")
            .srcSecureTags(RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs.builder()
                .name("string")
                .state("string")
                .build())
            .srcThreatIntelligences("string")
            .build())
        .disabled(false)
        .enableLogging(false)
        .description("string")
        .project("string")
        .region("string")
        .ruleName("string")
        .securityProfileGroup("string")
        .targetSecureTags(RegionNetworkFirewallPolicyRuleTargetSecureTagArgs.builder()
            .name("string")
            .state("string")
            .build())
        .targetServiceAccounts("string")
        .tlsInspect(false)
        .build());
    
    region_network_firewall_policy_rule_resource = gcp.compute.RegionNetworkFirewallPolicyRule("regionNetworkFirewallPolicyRuleResource",
        firewall_policy="string",
        priority=0,
        direction="string",
        action="string",
        match=gcp.compute.RegionNetworkFirewallPolicyRuleMatchArgs(
            layer4_configs=[gcp.compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs(
                ip_protocol="string",
                ports=["string"],
            )],
            dest_address_groups=["string"],
            dest_fqdns=["string"],
            dest_ip_ranges=["string"],
            dest_region_codes=["string"],
            dest_threat_intelligences=["string"],
            src_address_groups=["string"],
            src_fqdns=["string"],
            src_ip_ranges=["string"],
            src_region_codes=["string"],
            src_secure_tags=[gcp.compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs(
                name="string",
                state="string",
            )],
            src_threat_intelligences=["string"],
        ),
        disabled=False,
        enable_logging=False,
        description="string",
        project="string",
        region="string",
        rule_name="string",
        security_profile_group="string",
        target_secure_tags=[gcp.compute.RegionNetworkFirewallPolicyRuleTargetSecureTagArgs(
            name="string",
            state="string",
        )],
        target_service_accounts=["string"],
        tls_inspect=False)
    
    const regionNetworkFirewallPolicyRuleResource = new gcp.compute.RegionNetworkFirewallPolicyRule("regionNetworkFirewallPolicyRuleResource", {
        firewallPolicy: "string",
        priority: 0,
        direction: "string",
        action: "string",
        match: {
            layer4Configs: [{
                ipProtocol: "string",
                ports: ["string"],
            }],
            destAddressGroups: ["string"],
            destFqdns: ["string"],
            destIpRanges: ["string"],
            destRegionCodes: ["string"],
            destThreatIntelligences: ["string"],
            srcAddressGroups: ["string"],
            srcFqdns: ["string"],
            srcIpRanges: ["string"],
            srcRegionCodes: ["string"],
            srcSecureTags: [{
                name: "string",
                state: "string",
            }],
            srcThreatIntelligences: ["string"],
        },
        disabled: false,
        enableLogging: false,
        description: "string",
        project: "string",
        region: "string",
        ruleName: "string",
        securityProfileGroup: "string",
        targetSecureTags: [{
            name: "string",
            state: "string",
        }],
        targetServiceAccounts: ["string"],
        tlsInspect: false,
    });
    
    type: gcp:compute:RegionNetworkFirewallPolicyRule
    properties:
        action: string
        description: string
        direction: string
        disabled: false
        enableLogging: false
        firewallPolicy: string
        match:
            destAddressGroups:
                - string
            destFqdns:
                - string
            destIpRanges:
                - string
            destRegionCodes:
                - string
            destThreatIntelligences:
                - string
            layer4Configs:
                - ipProtocol: string
                  ports:
                    - string
            srcAddressGroups:
                - string
            srcFqdns:
                - string
            srcIpRanges:
                - string
            srcRegionCodes:
                - string
            srcSecureTags:
                - name: string
                  state: string
            srcThreatIntelligences:
                - string
        priority: 0
        project: string
        region: string
        ruleName: string
        securityProfileGroup: string
        targetSecureTags:
            - name: string
              state: string
        targetServiceAccounts:
            - string
        tlsInspect: false
    

    RegionNetworkFirewallPolicyRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The RegionNetworkFirewallPolicyRule resource accepts the following input properties:

    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    Direction string
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    FirewallPolicy string
    The firewall policy of the resource.
    Match RegionNetworkFirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    Description string
    An optional description for this resource.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    Project string
    The project for the resource
    Region string
    The location of this resource.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    TargetSecureTags List<RegionNetworkFirewallPolicyRuleTargetSecureTag>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    TargetServiceAccounts List<string>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    Direction string
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    FirewallPolicy string
    The firewall policy of the resource.
    Match RegionNetworkFirewallPolicyRuleMatchArgs
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    Description string
    An optional description for this resource.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    Project string
    The project for the resource
    Region string
    The location of this resource.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    TargetSecureTags []RegionNetworkFirewallPolicyRuleTargetSecureTagArgs
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    TargetServiceAccounts []string
    A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    direction String
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    firewallPolicy String
    The firewall policy of the resource.
    match RegionNetworkFirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority Integer
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    description String
    An optional description for this resource.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    project String
    The project for the resource
    region String
    The location of this resource.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetSecureTags List<RegionNetworkFirewallPolicyRuleTargetSecureTag>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    direction string
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    firewallPolicy string
    The firewall policy of the resource.
    match RegionNetworkFirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    description string
    An optional description for this resource.
    disabled boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    project string
    The project for the resource
    region string
    The location of this resource.
    ruleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup string
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetSecureTags RegionNetworkFirewallPolicyRuleTargetSecureTag[]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts string[]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action str
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    direction str
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    firewall_policy str
    The firewall policy of the resource.
    match RegionNetworkFirewallPolicyRuleMatchArgs
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    description str
    An optional description for this resource.
    disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enable_logging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    project str
    The project for the resource
    region str
    The location of this resource.
    rule_name str
    An optional name for the rule. This field is not a unique identifier and can be updated.
    security_profile_group str
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    target_secure_tags Sequence[RegionNetworkFirewallPolicyRuleTargetSecureTagArgs]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    target_service_accounts Sequence[str]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tls_inspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    direction String
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    firewallPolicy String
    The firewall policy of the resource.
    match Property Map
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority Number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    description String
    An optional description for this resource.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    project String
    The project for the resource
    region String
    The location of this resource.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetSecureTags List<Property Map>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the RegionNetworkFirewallPolicyRule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    Id string
    The provider-assigned unique ID for this managed resource.
    Kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    id String
    The provider-assigned unique ID for this managed resource.
    kind String
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    ruleTupleCount Integer
    Calculation of the complexity of a single firewall policy rule.
    id string
    The provider-assigned unique ID for this managed resource.
    kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    ruleTupleCount number
    Calculation of the complexity of a single firewall policy rule.
    id str
    The provider-assigned unique ID for this managed resource.
    kind str
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    rule_tuple_count int
    Calculation of the complexity of a single firewall policy rule.
    id String
    The provider-assigned unique ID for this managed resource.
    kind String
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    ruleTupleCount Number
    Calculation of the complexity of a single firewall policy rule.

    Look up Existing RegionNetworkFirewallPolicyRule Resource

    Get an existing RegionNetworkFirewallPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RegionNetworkFirewallPolicyRuleState, opts?: CustomResourceOptions): RegionNetworkFirewallPolicyRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            action: Optional[str] = None,
            description: Optional[str] = None,
            direction: Optional[str] = None,
            disabled: Optional[bool] = None,
            enable_logging: Optional[bool] = None,
            firewall_policy: Optional[str] = None,
            kind: Optional[str] = None,
            match: Optional[RegionNetworkFirewallPolicyRuleMatchArgs] = None,
            priority: Optional[int] = None,
            project: Optional[str] = None,
            region: Optional[str] = None,
            rule_name: Optional[str] = None,
            rule_tuple_count: Optional[int] = None,
            security_profile_group: Optional[str] = None,
            target_secure_tags: Optional[Sequence[RegionNetworkFirewallPolicyRuleTargetSecureTagArgs]] = None,
            target_service_accounts: Optional[Sequence[str]] = None,
            tls_inspect: Optional[bool] = None) -> RegionNetworkFirewallPolicyRule
    func GetRegionNetworkFirewallPolicyRule(ctx *Context, name string, id IDInput, state *RegionNetworkFirewallPolicyRuleState, opts ...ResourceOption) (*RegionNetworkFirewallPolicyRule, error)
    public static RegionNetworkFirewallPolicyRule Get(string name, Input<string> id, RegionNetworkFirewallPolicyRuleState? state, CustomResourceOptions? opts = null)
    public static RegionNetworkFirewallPolicyRule get(String name, Output<String> id, RegionNetworkFirewallPolicyRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    Description string
    An optional description for this resource.
    Direction string
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    FirewallPolicy string
    The firewall policy of the resource.
    Kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    Match RegionNetworkFirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    Project string
    The project for the resource
    Region string
    The location of this resource.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    TargetSecureTags List<RegionNetworkFirewallPolicyRuleTargetSecureTag>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    TargetServiceAccounts List<string>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    Description string
    An optional description for this resource.
    Direction string
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    FirewallPolicy string
    The firewall policy of the resource.
    Kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    Match RegionNetworkFirewallPolicyRuleMatchArgs
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    Project string
    The project for the resource
    Region string
    The location of this resource.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    TargetSecureTags []RegionNetworkFirewallPolicyRuleTargetSecureTagArgs
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    TargetServiceAccounts []string
    A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    description String
    An optional description for this resource.
    direction String
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    firewallPolicy String
    The firewall policy of the resource.
    kind String
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match RegionNetworkFirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority Integer
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    project String
    The project for the resource
    region String
    The location of this resource.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    ruleTupleCount Integer
    Calculation of the complexity of a single firewall policy rule.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetSecureTags List<RegionNetworkFirewallPolicyRuleTargetSecureTag>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    description string
    An optional description for this resource.
    direction string
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    disabled boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    firewallPolicy string
    The firewall policy of the resource.
    kind string
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match RegionNetworkFirewallPolicyRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    project string
    The project for the resource
    region string
    The location of this resource.
    ruleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    ruleTupleCount number
    Calculation of the complexity of a single firewall policy rule.
    securityProfileGroup string
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetSecureTags RegionNetworkFirewallPolicyRuleTargetSecureTag[]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts string[]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action str
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    description str
    An optional description for this resource.
    direction str
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enable_logging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    firewall_policy str
    The firewall policy of the resource.
    kind str
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match RegionNetworkFirewallPolicyRuleMatchArgs
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    project str
    The project for the resource
    region str
    The location of this resource.
    rule_name str
    An optional name for the rule. This field is not a unique identifier and can be updated.
    rule_tuple_count int
    Calculation of the complexity of a single firewall policy rule.
    security_profile_group str
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    target_secure_tags Sequence[RegionNetworkFirewallPolicyRuleTargetSecureTagArgs]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    target_service_accounts Sequence[str]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tls_inspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "goto_next" and "apply_security_profile_group".
    description String
    An optional description for this resource.
    direction String
    The direction in which this rule applies. Possible values: INGRESS, EGRESS
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    firewallPolicy String
    The firewall policy of the resource.
    kind String
    Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match Property Map
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority Number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    project String
    The project for the resource
    region String
    The location of this resource.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    ruleTupleCount Number
    Calculation of the complexity of a single firewall policy rule.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
    targetSecureTags List<Property Map>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.

    Supporting Types

    RegionNetworkFirewallPolicyRuleMatch, RegionNetworkFirewallPolicyRuleMatchArgs

    Layer4Configs List<RegionNetworkFirewallPolicyRuleMatchLayer4Config>
    Pairs of IP protocols and ports that the rule should match.
    DestAddressGroups List<string>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
    DestFqdns List<string>
    Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
    DestIpRanges List<string>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    DestRegionCodes List<string>
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
    DestThreatIntelligences List<string>
    Name of the Google Cloud Threat Intelligence list.
    SrcAddressGroups List<string>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
    SrcFqdns List<string>
    Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
    SrcIpRanges List<string>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    SrcRegionCodes List<string>
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
    SrcSecureTags List<RegionNetworkFirewallPolicyRuleMatchSrcSecureTag>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    SrcThreatIntelligences List<string>

    Name of the Google Cloud Threat Intelligence list.

    The layer4_configs block supports:

    Layer4Configs []RegionNetworkFirewallPolicyRuleMatchLayer4Config
    Pairs of IP protocols and ports that the rule should match.
    DestAddressGroups []string
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
    DestFqdns []string
    Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
    DestIpRanges []string
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    DestRegionCodes []string
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
    DestThreatIntelligences []string
    Name of the Google Cloud Threat Intelligence list.
    SrcAddressGroups []string
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
    SrcFqdns []string
    Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
    SrcIpRanges []string
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    SrcRegionCodes []string
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
    SrcSecureTags []RegionNetworkFirewallPolicyRuleMatchSrcSecureTag
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    SrcThreatIntelligences []string

    Name of the Google Cloud Threat Intelligence list.

    The layer4_configs block supports:

    layer4Configs List<RegionNetworkFirewallPolicyRuleMatchLayer4Config>
    Pairs of IP protocols and ports that the rule should match.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
    destFqdns List<String>
    Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
    destIpRanges List<String>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes List<String>
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
    destThreatIntelligences List<String>
    Name of the Google Cloud Threat Intelligence list.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
    srcFqdns List<String>
    Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
    srcIpRanges List<String>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes List<String>
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
    srcSecureTags List<RegionNetworkFirewallPolicyRuleMatchSrcSecureTag>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences List<String>

    Name of the Google Cloud Threat Intelligence list.

    The layer4_configs block supports:

    layer4Configs RegionNetworkFirewallPolicyRuleMatchLayer4Config[]
    Pairs of IP protocols and ports that the rule should match.
    destAddressGroups string[]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
    destFqdns string[]
    Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
    destIpRanges string[]
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes string[]
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
    destThreatIntelligences string[]
    Name of the Google Cloud Threat Intelligence list.
    srcAddressGroups string[]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
    srcFqdns string[]
    Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
    srcIpRanges string[]
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes string[]
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
    srcSecureTags RegionNetworkFirewallPolicyRuleMatchSrcSecureTag[]
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences string[]

    Name of the Google Cloud Threat Intelligence list.

    The layer4_configs block supports:

    layer4_configs Sequence[RegionNetworkFirewallPolicyRuleMatchLayer4Config]
    Pairs of IP protocols and ports that the rule should match.
    dest_address_groups Sequence[str]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
    dest_fqdns Sequence[str]
    Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
    dest_ip_ranges Sequence[str]
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    dest_region_codes Sequence[str]
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
    dest_threat_intelligences Sequence[str]
    Name of the Google Cloud Threat Intelligence list.
    src_address_groups Sequence[str]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
    src_fqdns Sequence[str]
    Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
    src_ip_ranges Sequence[str]
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    src_region_codes Sequence[str]
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
    src_secure_tags Sequence[RegionNetworkFirewallPolicyRuleMatchSrcSecureTag]
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    src_threat_intelligences Sequence[str]

    Name of the Google Cloud Threat Intelligence list.

    The layer4_configs block supports:

    layer4Configs List<Property Map>
    Pairs of IP protocols and ports that the rule should match.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. Destination address groups is only supported in Egress rules.
    destFqdns List<String>
    Domain names that will be used to match against the resolved domain name of destination of traffic. Can only be specified if DIRECTION is egress.
    destIpRanges List<String>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes List<String>
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is egress.
    destThreatIntelligences List<String>
    Name of the Google Cloud Threat Intelligence list.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. Source address groups is only supported in Ingress rules.
    srcFqdns List<String>
    Domain names that will be used to match against the resolved domain name of source of traffic. Can only be specified if DIRECTION is ingress.
    srcIpRanges List<String>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes List<String>
    The Unicode country codes whose IP addresses will be used to match against the source of traffic. Can only be specified if DIRECTION is ingress.
    srcSecureTags List<Property Map>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences List<String>

    Name of the Google Cloud Threat Intelligence list.

    The layer4_configs block supports:

    RegionNetworkFirewallPolicyRuleMatchLayer4Config, RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs

    IpProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports List<string>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
    IpProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports []string
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
    ipProtocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
    ipProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports string[]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
    ip_protocol str
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports Sequence[str]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.
    ipProtocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ``.

    RegionNetworkFirewallPolicyRuleMatchSrcSecureTag, RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs

    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state string
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name str
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state str
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

    RegionNetworkFirewallPolicyRuleTargetSecureTag, RegionNetworkFirewallPolicyRuleTargetSecureTagArgs

    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state string
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name str
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state str
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

    Import

    NetworkFirewallPolicyRule can be imported using any of these accepted formats:

    • projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}}

    • {{project}}/{{region}}/{{firewall_policy}}/{{priority}}

    • {{region}}/{{firewall_policy}}/{{priority}}

    • {{firewall_policy}}/{{priority}}

    When using the pulumi import command, NetworkFirewallPolicyRule can be imported using one of the formats above. For example:

    $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}}
    
    $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{project}}/{{region}}/{{firewall_policy}}/{{priority}}
    
    $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{region}}/{{firewall_policy}}/{{priority}}
    
    $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{firewall_policy}}/{{priority}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.28.0 published on Friday, Jun 21, 2024 by Pulumi