1. Packages
  2. Google Cloud Native
  3. API Docs
  4. compute
  5. compute/v1
  6. FirewallPolicy

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.compute/v1.FirewallPolicy

Explore with Pulumi AI

google-native logo

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

    Creates a new policy in the specified project using the data included in the request.

    Create FirewallPolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new FirewallPolicy(name: string, args?: FirewallPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def FirewallPolicy(resource_name: str,
                       args: Optional[FirewallPolicyArgs] = None,
                       opts: Optional[ResourceOptions] = None)
    
    @overload
    def FirewallPolicy(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       associations: Optional[Sequence[FirewallPolicyAssociationArgs]] = None,
                       description: Optional[str] = None,
                       display_name: Optional[str] = None,
                       name: Optional[str] = None,
                       parent_id: Optional[str] = None,
                       request_id: Optional[str] = None,
                       rules: Optional[Sequence[FirewallPolicyRuleArgs]] = None,
                       short_name: Optional[str] = None)
    func NewFirewallPolicy(ctx *Context, name string, args *FirewallPolicyArgs, opts ...ResourceOption) (*FirewallPolicy, error)
    public FirewallPolicy(string name, FirewallPolicyArgs? args = null, CustomResourceOptions? opts = null)
    public FirewallPolicy(String name, FirewallPolicyArgs args)
    public FirewallPolicy(String name, FirewallPolicyArgs args, CustomResourceOptions options)
    
    type: google-native:compute/v1:FirewallPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Example

    The following reference example uses placeholder values for all input properties.

    var examplefirewallPolicyResourceResourceFromComputev1 = new GoogleNative.Compute.V1.FirewallPolicy("examplefirewallPolicyResourceResourceFromComputev1", new()
    {
        Associations = new[]
        {
            new GoogleNative.Compute.V1.Inputs.FirewallPolicyAssociationArgs
            {
                AttachmentTarget = "string",
                Name = "string",
            },
        },
        Description = "string",
        Name = "string",
        ParentId = "string",
        RequestId = "string",
        Rules = new[]
        {
            new GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleArgs
            {
                Action = "string",
                Description = "string",
                Direction = GoogleNative.Compute.V1.FirewallPolicyRuleDirection.Egress,
                Disabled = false,
                EnableLogging = false,
                Match = new GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleMatcherArgs
                {
                    DestAddressGroups = new[]
                    {
                        "string",
                    },
                    DestFqdns = new[]
                    {
                        "string",
                    },
                    DestIpRanges = new[]
                    {
                        "string",
                    },
                    DestRegionCodes = new[]
                    {
                        "string",
                    },
                    DestThreatIntelligences = new[]
                    {
                        "string",
                    },
                    Layer4Configs = new[]
                    {
                        new GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleMatcherLayer4ConfigArgs
                        {
                            IpProtocol = "string",
                            Ports = new[]
                            {
                                "string",
                            },
                        },
                    },
                    SrcAddressGroups = new[]
                    {
                        "string",
                    },
                    SrcFqdns = new[]
                    {
                        "string",
                    },
                    SrcIpRanges = new[]
                    {
                        "string",
                    },
                    SrcRegionCodes = new[]
                    {
                        "string",
                    },
                    SrcSecureTags = new[]
                    {
                        new GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleSecureTagArgs
                        {
                            Name = "string",
                        },
                    },
                    SrcThreatIntelligences = new[]
                    {
                        "string",
                    },
                },
                Priority = 0,
                RuleName = "string",
                TargetResources = new[]
                {
                    "string",
                },
                TargetSecureTags = new[]
                {
                    new GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleSecureTagArgs
                    {
                        Name = "string",
                    },
                },
                TargetServiceAccounts = new[]
                {
                    "string",
                },
            },
        },
        ShortName = "string",
    });
    
    example, err := computev1.NewFirewallPolicy(ctx, "examplefirewallPolicyResourceResourceFromComputev1", &computev1.FirewallPolicyArgs{
    Associations: compute.FirewallPolicyAssociationArray{
    &compute.FirewallPolicyAssociationArgs{
    AttachmentTarget: pulumi.String("string"),
    Name: pulumi.String("string"),
    },
    },
    Description: pulumi.String("string"),
    Name: pulumi.String("string"),
    ParentId: pulumi.String("string"),
    RequestId: pulumi.String("string"),
    Rules: compute.FirewallPolicyRuleArray{
    &compute.FirewallPolicyRuleArgs{
    Action: pulumi.String("string"),
    Description: pulumi.String("string"),
    Direction: computev1.FirewallPolicyRuleDirectionEgress,
    Disabled: pulumi.Bool(false),
    EnableLogging: pulumi.Bool(false),
    Match: &compute.FirewallPolicyRuleMatcherArgs{
    DestAddressGroups: pulumi.StringArray{
    pulumi.String("string"),
    },
    DestFqdns: pulumi.StringArray{
    pulumi.String("string"),
    },
    DestIpRanges: pulumi.StringArray{
    pulumi.String("string"),
    },
    DestRegionCodes: pulumi.StringArray{
    pulumi.String("string"),
    },
    DestThreatIntelligences: pulumi.StringArray{
    pulumi.String("string"),
    },
    Layer4Configs: compute.FirewallPolicyRuleMatcherLayer4ConfigArray{
    &compute.FirewallPolicyRuleMatcherLayer4ConfigArgs{
    IpProtocol: pulumi.String("string"),
    Ports: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    },
    SrcAddressGroups: pulumi.StringArray{
    pulumi.String("string"),
    },
    SrcFqdns: pulumi.StringArray{
    pulumi.String("string"),
    },
    SrcIpRanges: pulumi.StringArray{
    pulumi.String("string"),
    },
    SrcRegionCodes: pulumi.StringArray{
    pulumi.String("string"),
    },
    SrcSecureTags: compute.FirewallPolicyRuleSecureTagArray{
    &compute.FirewallPolicyRuleSecureTagArgs{
    Name: pulumi.String("string"),
    },
    },
    SrcThreatIntelligences: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    Priority: pulumi.Int(0),
    RuleName: pulumi.String("string"),
    TargetResources: pulumi.StringArray{
    pulumi.String("string"),
    },
    TargetSecureTags: compute.FirewallPolicyRuleSecureTagArray{
    &compute.FirewallPolicyRuleSecureTagArgs{
    Name: pulumi.String("string"),
    },
    },
    TargetServiceAccounts: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    },
    ShortName: pulumi.String("string"),
    })
    
    var examplefirewallPolicyResourceResourceFromComputev1 = new FirewallPolicy("examplefirewallPolicyResourceResourceFromComputev1", FirewallPolicyArgs.builder()
        .associations(FirewallPolicyAssociationArgs.builder()
            .attachmentTarget("string")
            .name("string")
            .build())
        .description("string")
        .name("string")
        .parentId("string")
        .requestId("string")
        .rules(FirewallPolicyRuleArgs.builder()
            .action("string")
            .description("string")
            .direction("EGRESS")
            .disabled(false)
            .enableLogging(false)
            .match(FirewallPolicyRuleMatcherArgs.builder()
                .destAddressGroups("string")
                .destFqdns("string")
                .destIpRanges("string")
                .destRegionCodes("string")
                .destThreatIntelligences("string")
                .layer4Configs(FirewallPolicyRuleMatcherLayer4ConfigArgs.builder()
                    .ipProtocol("string")
                    .ports("string")
                    .build())
                .srcAddressGroups("string")
                .srcFqdns("string")
                .srcIpRanges("string")
                .srcRegionCodes("string")
                .srcSecureTags(FirewallPolicyRuleSecureTagArgs.builder()
                    .name("string")
                    .build())
                .srcThreatIntelligences("string")
                .build())
            .priority(0)
            .ruleName("string")
            .targetResources("string")
            .targetSecureTags(FirewallPolicyRuleSecureTagArgs.builder()
                .name("string")
                .build())
            .targetServiceAccounts("string")
            .build())
        .shortName("string")
        .build());
    
    examplefirewall_policy_resource_resource_from_computev1 = google_native.compute.v1.FirewallPolicy("examplefirewallPolicyResourceResourceFromComputev1",
        associations=[google_native.compute.v1.FirewallPolicyAssociationArgs(
            attachment_target="string",
            name="string",
        )],
        description="string",
        name="string",
        parent_id="string",
        request_id="string",
        rules=[google_native.compute.v1.FirewallPolicyRuleArgs(
            action="string",
            description="string",
            direction=google_native.compute.v1.FirewallPolicyRuleDirection.EGRESS,
            disabled=False,
            enable_logging=False,
            match=google_native.compute.v1.FirewallPolicyRuleMatcherArgs(
                dest_address_groups=["string"],
                dest_fqdns=["string"],
                dest_ip_ranges=["string"],
                dest_region_codes=["string"],
                dest_threat_intelligences=["string"],
                layer4_configs=[google_native.compute.v1.FirewallPolicyRuleMatcherLayer4ConfigArgs(
                    ip_protocol="string",
                    ports=["string"],
                )],
                src_address_groups=["string"],
                src_fqdns=["string"],
                src_ip_ranges=["string"],
                src_region_codes=["string"],
                src_secure_tags=[google_native.compute.v1.FirewallPolicyRuleSecureTagArgs(
                    name="string",
                )],
                src_threat_intelligences=["string"],
            ),
            priority=0,
            rule_name="string",
            target_resources=["string"],
            target_secure_tags=[google_native.compute.v1.FirewallPolicyRuleSecureTagArgs(
                name="string",
            )],
            target_service_accounts=["string"],
        )],
        short_name="string")
    
    const examplefirewallPolicyResourceResourceFromComputev1 = new google_native.compute.v1.FirewallPolicy("examplefirewallPolicyResourceResourceFromComputev1", {
        associations: [{
            attachmentTarget: "string",
            name: "string",
        }],
        description: "string",
        name: "string",
        parentId: "string",
        requestId: "string",
        rules: [{
            action: "string",
            description: "string",
            direction: google_native.compute.v1.FirewallPolicyRuleDirection.Egress,
            disabled: false,
            enableLogging: false,
            match: {
                destAddressGroups: ["string"],
                destFqdns: ["string"],
                destIpRanges: ["string"],
                destRegionCodes: ["string"],
                destThreatIntelligences: ["string"],
                layer4Configs: [{
                    ipProtocol: "string",
                    ports: ["string"],
                }],
                srcAddressGroups: ["string"],
                srcFqdns: ["string"],
                srcIpRanges: ["string"],
                srcRegionCodes: ["string"],
                srcSecureTags: [{
                    name: "string",
                }],
                srcThreatIntelligences: ["string"],
            },
            priority: 0,
            ruleName: "string",
            targetResources: ["string"],
            targetSecureTags: [{
                name: "string",
            }],
            targetServiceAccounts: ["string"],
        }],
        shortName: "string",
    });
    
    type: google-native:compute/v1:FirewallPolicy
    properties:
        associations:
            - attachmentTarget: string
              name: string
        description: string
        name: string
        parentId: string
        requestId: string
        rules:
            - action: string
              description: string
              direction: EGRESS
              disabled: false
              enableLogging: false
              match:
                destAddressGroups:
                    - string
                destFqdns:
                    - string
                destIpRanges:
                    - string
                destRegionCodes:
                    - string
                destThreatIntelligences:
                    - string
                layer4Configs:
                    - ipProtocol: string
                      ports:
                        - string
                srcAddressGroups:
                    - string
                srcFqdns:
                    - string
                srcIpRanges:
                    - string
                srcRegionCodes:
                    - string
                srcSecureTags:
                    - name: string
                srcThreatIntelligences:
                    - string
              priority: 0
              ruleName: string
              targetResources:
                - string
              targetSecureTags:
                - name: string
              targetServiceAccounts:
                - string
        shortName: string
    

    FirewallPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The FirewallPolicy resource accepts the following input properties:

    Associations List<Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyAssociation>
    A list of associations that belong to this firewall policy.
    Description string
    An optional description of this resource. Provide this property when you create the resource.
    DisplayName string
    Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Deprecated: Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Name string
    Name of the resource. For Organization Firewall Policies it's a [Output Only] numeric ID allocated by Google Cloud which uniquely identifies the Organization Firewall Policy.
    ParentId string
    Parent ID for this request. The ID can be either be "folders/[FOLDER_ID]" if the parent is a folder or "organizations/[ORGANIZATION_ID]" if the parent is an organization.
    RequestId string
    An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
    Rules List<Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRule>
    A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a firewall policy, a default rule with action "allow" will be added.
    ShortName string
    User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    Associations []FirewallPolicyAssociationArgs
    A list of associations that belong to this firewall policy.
    Description string
    An optional description of this resource. Provide this property when you create the resource.
    DisplayName string
    Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Deprecated: Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Name string
    Name of the resource. For Organization Firewall Policies it's a [Output Only] numeric ID allocated by Google Cloud which uniquely identifies the Organization Firewall Policy.
    ParentId string
    Parent ID for this request. The ID can be either be "folders/[FOLDER_ID]" if the parent is a folder or "organizations/[ORGANIZATION_ID]" if the parent is an organization.
    RequestId string
    An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
    Rules []FirewallPolicyRuleArgs
    A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a firewall policy, a default rule with action "allow" will be added.
    ShortName string
    User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    associations List<FirewallPolicyAssociation>
    A list of associations that belong to this firewall policy.
    description String
    An optional description of this resource. Provide this property when you create the resource.
    displayName String
    Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Deprecated: Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    name String
    Name of the resource. For Organization Firewall Policies it's a [Output Only] numeric ID allocated by Google Cloud which uniquely identifies the Organization Firewall Policy.
    parentId String
    Parent ID for this request. The ID can be either be "folders/[FOLDER_ID]" if the parent is a folder or "organizations/[ORGANIZATION_ID]" if the parent is an organization.
    requestId String
    An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
    rules List<FirewallPolicyRule>
    A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a firewall policy, a default rule with action "allow" will be added.
    shortName String
    User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    associations FirewallPolicyAssociation[]
    A list of associations that belong to this firewall policy.
    description string
    An optional description of this resource. Provide this property when you create the resource.
    displayName string
    Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Deprecated: Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    name string
    Name of the resource. For Organization Firewall Policies it's a [Output Only] numeric ID allocated by Google Cloud which uniquely identifies the Organization Firewall Policy.
    parentId string
    Parent ID for this request. The ID can be either be "folders/[FOLDER_ID]" if the parent is a folder or "organizations/[ORGANIZATION_ID]" if the parent is an organization.
    requestId string
    An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
    rules FirewallPolicyRule[]
    A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a firewall policy, a default rule with action "allow" will be added.
    shortName string
    User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    associations Sequence[FirewallPolicyAssociationArgs]
    A list of associations that belong to this firewall policy.
    description str
    An optional description of this resource. Provide this property when you create the resource.
    display_name str
    Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Deprecated: Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    name str
    Name of the resource. For Organization Firewall Policies it's a [Output Only] numeric ID allocated by Google Cloud which uniquely identifies the Organization Firewall Policy.
    parent_id str
    Parent ID for this request. The ID can be either be "folders/[FOLDER_ID]" if the parent is a folder or "organizations/[ORGANIZATION_ID]" if the parent is an organization.
    request_id str
    An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
    rules Sequence[FirewallPolicyRuleArgs]
    A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a firewall policy, a default rule with action "allow" will be added.
    short_name str
    User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    associations List<Property Map>
    A list of associations that belong to this firewall policy.
    description String
    An optional description of this resource. Provide this property when you create the resource.
    displayName String
    Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Deprecated: Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    name String
    Name of the resource. For Organization Firewall Policies it's a [Output Only] numeric ID allocated by Google Cloud which uniquely identifies the Organization Firewall Policy.
    parentId String
    Parent ID for this request. The ID can be either be "folders/[FOLDER_ID]" if the parent is a folder or "organizations/[ORGANIZATION_ID]" if the parent is an organization.
    requestId String
    An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
    rules List<Property Map>
    A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a firewall policy, a default rule with action "allow" will be added.
    shortName String
    User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the FirewallPolicy resource produces the following output properties:

    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Fingerprint string
    Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    Kind string
    [Output only] Type of the resource. Always compute#firewallPolicyfor firewall policies
    Parent string
    The parent of the firewall policy. This field is not applicable to network firewall policies.
    Region string
    URL of the region where the regional firewall policy resides. This field is not applicable to global firewall policies. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
    RuleTupleCount int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    SelfLink string
    Server-defined URL for the resource.
    SelfLinkWithId string
    Server-defined URL for this resource with the resource id.
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Fingerprint string
    Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    Kind string
    [Output only] Type of the resource. Always compute#firewallPolicyfor firewall policies
    Parent string
    The parent of the firewall policy. This field is not applicable to network firewall policies.
    Region string
    URL of the region where the regional firewall policy resides. This field is not applicable to global firewall policies. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
    RuleTupleCount int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    SelfLink string
    Server-defined URL for the resource.
    SelfLinkWithId string
    Server-defined URL for this resource with the resource id.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    fingerprint String
    Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
    id String
    The provider-assigned unique ID for this managed resource.
    kind String
    [Output only] Type of the resource. Always compute#firewallPolicyfor firewall policies
    parent String
    The parent of the firewall policy. This field is not applicable to network firewall policies.
    region String
    URL of the region where the regional firewall policy resides. This field is not applicable to global firewall policies. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
    ruleTupleCount Integer
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    selfLink String
    Server-defined URL for the resource.
    selfLinkWithId String
    Server-defined URL for this resource with the resource id.
    creationTimestamp string
    Creation timestamp in RFC3339 text format.
    fingerprint string
    Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
    id string
    The provider-assigned unique ID for this managed resource.
    kind string
    [Output only] Type of the resource. Always compute#firewallPolicyfor firewall policies
    parent string
    The parent of the firewall policy. This field is not applicable to network firewall policies.
    region string
    URL of the region where the regional firewall policy resides. This field is not applicable to global firewall policies. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
    ruleTupleCount number
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    selfLink string
    Server-defined URL for the resource.
    selfLinkWithId string
    Server-defined URL for this resource with the resource id.
    creation_timestamp str
    Creation timestamp in RFC3339 text format.
    fingerprint str
    Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
    id str
    The provider-assigned unique ID for this managed resource.
    kind str
    [Output only] Type of the resource. Always compute#firewallPolicyfor firewall policies
    parent str
    The parent of the firewall policy. This field is not applicable to network firewall policies.
    region str
    URL of the region where the regional firewall policy resides. This field is not applicable to global firewall policies. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
    rule_tuple_count int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    self_link str
    Server-defined URL for the resource.
    self_link_with_id str
    Server-defined URL for this resource with the resource id.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    fingerprint String
    Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy.
    id String
    The provider-assigned unique ID for this managed resource.
    kind String
    [Output only] Type of the resource. Always compute#firewallPolicyfor firewall policies
    parent String
    The parent of the firewall policy. This field is not applicable to network firewall policies.
    region String
    URL of the region where the regional firewall policy resides. This field is not applicable to global firewall policies. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
    ruleTupleCount Number
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    selfLink String
    Server-defined URL for the resource.
    selfLinkWithId String
    Server-defined URL for this resource with the resource id.

    Supporting Types

    FirewallPolicyAssociation, FirewallPolicyAssociationArgs

    AttachmentTarget string
    The target that the firewall policy is attached to.
    Name string
    The name for an association.
    AttachmentTarget string
    The target that the firewall policy is attached to.
    Name string
    The name for an association.
    attachmentTarget String
    The target that the firewall policy is attached to.
    name String
    The name for an association.
    attachmentTarget string
    The target that the firewall policy is attached to.
    name string
    The name for an association.
    attachment_target str
    The target that the firewall policy is attached to.
    name str
    The name for an association.
    attachmentTarget String
    The target that the firewall policy is attached to.
    name String
    The name for an association.

    FirewallPolicyAssociationResponse, FirewallPolicyAssociationResponseArgs

    AttachmentTarget string
    The target that the firewall policy is attached to.
    DisplayName string
    Deprecated, please use short name instead. The display name of the firewall policy of the association.
    FirewallPolicyId string
    The firewall policy ID of the association.
    Name string
    The name for an association.
    ShortName string
    The short name of the firewall policy of the association.
    AttachmentTarget string
    The target that the firewall policy is attached to.
    DisplayName string
    Deprecated, please use short name instead. The display name of the firewall policy of the association.
    FirewallPolicyId string
    The firewall policy ID of the association.
    Name string
    The name for an association.
    ShortName string
    The short name of the firewall policy of the association.
    attachmentTarget String
    The target that the firewall policy is attached to.
    displayName String
    Deprecated, please use short name instead. The display name of the firewall policy of the association.
    firewallPolicyId String
    The firewall policy ID of the association.
    name String
    The name for an association.
    shortName String
    The short name of the firewall policy of the association.
    attachmentTarget string
    The target that the firewall policy is attached to.
    displayName string
    Deprecated, please use short name instead. The display name of the firewall policy of the association.
    firewallPolicyId string
    The firewall policy ID of the association.
    name string
    The name for an association.
    shortName string
    The short name of the firewall policy of the association.
    attachment_target str
    The target that the firewall policy is attached to.
    display_name str
    Deprecated, please use short name instead. The display name of the firewall policy of the association.
    firewall_policy_id str
    The firewall policy ID of the association.
    name str
    The name for an association.
    short_name str
    The short name of the firewall policy of the association.
    attachmentTarget String
    The target that the firewall policy is attached to.
    displayName String
    Deprecated, please use short name instead. The display name of the firewall policy of the association.
    firewallPolicyId String
    The firewall policy ID of the association.
    name String
    The name for an association.
    shortName String
    The short name of the firewall policy of the association.

    FirewallPolicyRule, FirewallPolicyRuleArgs

    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    Description string
    An optional description for this resource.
    Direction Pulumi.GoogleNative.Compute.V1.FirewallPolicyRuleDirection
    The direction in which this rule applies.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    Match Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleMatcher
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    TargetResources List<string>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    TargetSecureTags List<Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleSecureTag>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    TargetServiceAccounts List<string>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    Description string
    An optional description for this resource.
    Direction FirewallPolicyRuleDirection
    The direction in which this rule applies.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    Match FirewallPolicyRuleMatcher
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    TargetResources []string
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    TargetSecureTags []FirewallPolicyRuleSecureTag
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    TargetServiceAccounts []string
    A list of service accounts indicating the sets of instances that are applied with this rule.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    description String
    An optional description for this resource.
    direction FirewallPolicyRuleDirection
    The direction in which this rule applies.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    match FirewallPolicyRuleMatcher
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority Integer
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    targetResources List<String>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetSecureTags List<FirewallPolicyRuleSecureTag>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    description string
    An optional description for this resource.
    direction FirewallPolicyRuleDirection
    The direction in which this rule applies.
    disabled boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    match FirewallPolicyRuleMatcher
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    targetResources string[]
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetSecureTags FirewallPolicyRuleSecureTag[]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts string[]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    action str
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    description str
    An optional description for this resource.
    direction FirewallPolicyRuleDirection
    The direction in which this rule applies.
    disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enable_logging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    match FirewallPolicyRuleMatcher
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    rule_name str
    An optional name for the rule. This field is not a unique identifier and can be updated.
    target_resources Sequence[str]
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    target_secure_tags Sequence[FirewallPolicyRuleSecureTag]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    target_service_accounts Sequence[str]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    description String
    An optional description for this resource.
    direction "EGRESS" | "INGRESS"
    The direction in which this rule applies.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    match Property Map
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority Number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    targetResources List<String>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetSecureTags List<Property Map>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.

    FirewallPolicyRuleDirection, FirewallPolicyRuleDirectionArgs

    Egress
    EGRESS
    Ingress
    INGRESS
    FirewallPolicyRuleDirectionEgress
    EGRESS
    FirewallPolicyRuleDirectionIngress
    INGRESS
    Egress
    EGRESS
    Ingress
    INGRESS
    Egress
    EGRESS
    Ingress
    INGRESS
    EGRESS
    EGRESS
    INGRESS
    INGRESS
    "EGRESS"
    EGRESS
    "INGRESS"
    INGRESS

    FirewallPolicyRuleMatcher, FirewallPolicyRuleMatcherArgs

    DestAddressGroups List<string>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges List<string>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    DestRegionCodes List<string>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    DestThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    Layer4Configs List<Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleMatcherLayer4Config>
    Pairs of IP protocols and ports that the rule should match.
    SrcAddressGroups List<string>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges List<string>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    SrcRegionCodes List<string>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    SrcSecureTags List<Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleSecureTag>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    SrcThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    DestAddressGroups []string
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges []string
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    DestRegionCodes []string
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    DestThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    Layer4Configs []FirewallPolicyRuleMatcherLayer4Config
    Pairs of IP protocols and ports that the rule should match.
    SrcAddressGroups []string
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges []string
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    SrcRegionCodes []string
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    SrcSecureTags []FirewallPolicyRuleSecureTag
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    SrcThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs List<FirewallPolicyRuleMatcherLayer4Config>
    Pairs of IP protocols and ports that the rule should match.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcSecureTags List<FirewallPolicyRuleSecureTag>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups string[]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges string[]
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes string[]
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs FirewallPolicyRuleMatcherLayer4Config[]
    Pairs of IP protocols and ports that the rule should match.
    srcAddressGroups string[]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges string[]
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes string[]
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcSecureTags FirewallPolicyRuleSecureTag[]
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    dest_address_groups Sequence[str]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    dest_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    dest_ip_ranges Sequence[str]
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    dest_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    dest_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4_configs Sequence[FirewallPolicyRuleMatcherLayer4Config]
    Pairs of IP protocols and ports that the rule should match.
    src_address_groups Sequence[str]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    src_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    src_ip_ranges Sequence[str]
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    src_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    src_secure_tags Sequence[FirewallPolicyRuleSecureTag]
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    src_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs List<Property Map>
    Pairs of IP protocols and ports that the rule should match.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcSecureTags List<Property Map>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    FirewallPolicyRuleMatcherLayer4Config, FirewallPolicyRuleMatcherLayer4ConfigArgs

    IpProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports List<string>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    IpProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports []string
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports string[]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ip_protocol str
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports Sequence[str]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

    FirewallPolicyRuleMatcherLayer4ConfigResponse, FirewallPolicyRuleMatcherLayer4ConfigResponseArgs

    IpProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports List<string>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    IpProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports []string
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol string
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports string[]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ip_protocol str
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports Sequence[str]
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

    FirewallPolicyRuleMatcherResponse, FirewallPolicyRuleMatcherResponseArgs

    DestAddressGroups List<string>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges List<string>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    DestRegionCodes List<string>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    DestThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    Layer4Configs List<Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleMatcherLayer4ConfigResponse>
    Pairs of IP protocols and ports that the rule should match.
    SrcAddressGroups List<string>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges List<string>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    SrcRegionCodes List<string>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    SrcSecureTags List<Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleSecureTagResponse>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    SrcThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    DestAddressGroups []string
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges []string
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    DestRegionCodes []string
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    DestThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    Layer4Configs []FirewallPolicyRuleMatcherLayer4ConfigResponse
    Pairs of IP protocols and ports that the rule should match.
    SrcAddressGroups []string
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges []string
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    SrcRegionCodes []string
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    SrcSecureTags []FirewallPolicyRuleSecureTagResponse
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    SrcThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs List<FirewallPolicyRuleMatcherLayer4ConfigResponse>
    Pairs of IP protocols and ports that the rule should match.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcSecureTags List<FirewallPolicyRuleSecureTagResponse>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups string[]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges string[]
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes string[]
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs FirewallPolicyRuleMatcherLayer4ConfigResponse[]
    Pairs of IP protocols and ports that the rule should match.
    srcAddressGroups string[]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges string[]
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes string[]
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcSecureTags FirewallPolicyRuleSecureTagResponse[]
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    dest_address_groups Sequence[str]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    dest_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    dest_ip_ranges Sequence[str]
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    dest_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    dest_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4_configs Sequence[FirewallPolicyRuleMatcherLayer4ConfigResponse]
    Pairs of IP protocols and ports that the rule should match.
    src_address_groups Sequence[str]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    src_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    src_ip_ranges Sequence[str]
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    src_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    src_secure_tags Sequence[FirewallPolicyRuleSecureTagResponse]
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    src_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs List<Property Map>
    Pairs of IP protocols and ports that the rule should match.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcSecureTags List<Property Map>
    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256.
    srcThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    FirewallPolicyRuleResponse, FirewallPolicyRuleResponseArgs

    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    Description string
    An optional description for this resource.
    Direction string
    The direction in which this rule applies.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    Kind string
    [Output only] Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    Match Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleMatcherResponse
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    TargetResources List<string>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    TargetSecureTags List<Pulumi.GoogleNative.Compute.V1.Inputs.FirewallPolicyRuleSecureTagResponse>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    TargetServiceAccounts List<string>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    Action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    Description string
    An optional description for this resource.
    Direction string
    The direction in which this rule applies.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    Kind string
    [Output only] Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    Match FirewallPolicyRuleMatcherResponse
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    RuleTupleCount int
    Calculation of the complexity of a single firewall policy rule.
    TargetResources []string
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    TargetSecureTags []FirewallPolicyRuleSecureTagResponse
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    TargetServiceAccounts []string
    A list of service accounts indicating the sets of instances that are applied with this rule.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    description String
    An optional description for this resource.
    direction String
    The direction in which this rule applies.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    kind String
    [Output only] Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match FirewallPolicyRuleMatcherResponse
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority Integer
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    ruleTupleCount Integer
    Calculation of the complexity of a single firewall policy rule.
    targetResources List<String>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetSecureTags List<FirewallPolicyRuleSecureTagResponse>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.
    action string
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    description string
    An optional description for this resource.
    direction string
    The direction in which this rule applies.
    disabled boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    kind string
    [Output only] Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match FirewallPolicyRuleMatcherResponse
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    ruleTupleCount number
    Calculation of the complexity of a single firewall policy rule.
    targetResources string[]
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetSecureTags FirewallPolicyRuleSecureTagResponse[]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts string[]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    action str
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    description str
    An optional description for this resource.
    direction str
    The direction in which this rule applies.
    disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enable_logging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    kind str
    [Output only] Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match FirewallPolicyRuleMatcherResponse
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority int
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    rule_name str
    An optional name for the rule. This field is not a unique identifier and can be updated.
    rule_tuple_count int
    Calculation of the complexity of a single firewall policy rule.
    target_resources Sequence[str]
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    target_secure_tags Sequence[FirewallPolicyRuleSecureTagResponse]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    target_service_accounts Sequence[str]
    A list of service accounts indicating the sets of instances that are applied with this rule.
    action String
    The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
    description String
    An optional description for this resource.
    direction String
    The direction in which this rule applies.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
    kind String
    [Output only] Type of the resource. Always compute#firewallPolicyRule for firewall policy rules
    match Property Map
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
    priority Number
    An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    ruleTupleCount Number
    Calculation of the complexity of a single firewall policy rule.
    targetResources List<String>
    A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    targetSecureTags List<Property Map>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances that are applied with this rule.

    FirewallPolicyRuleSecureTag, FirewallPolicyRuleSecureTagArgs

    Name string
    Name of the secure tag, created with TagManager's TagValue API.
    Name string
    Name of the secure tag, created with TagManager's TagValue API.
    name String
    Name of the secure tag, created with TagManager's TagValue API.
    name string
    Name of the secure tag, created with TagManager's TagValue API.
    name str
    Name of the secure tag, created with TagManager's TagValue API.
    name String
    Name of the secure tag, created with TagManager's TagValue API.

    FirewallPolicyRuleSecureTagResponse, FirewallPolicyRuleSecureTagResponseArgs

    Name string
    Name of the secure tag, created with TagManager's TagValue API.
    State string
    State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    Name string
    Name of the secure tag, created with TagManager's TagValue API.
    State string
    State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API.
    state String
    State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name string
    Name of the secure tag, created with TagManager's TagValue API.
    state string
    State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name str
    Name of the secure tag, created with TagManager's TagValue API.
    state str
    State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API.
    state String
    State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

    Package Details

    Repository
    Google Cloud Native pulumi/pulumi-google-native
    License
    Apache-2.0
    google-native logo

    Google Cloud Native is in preview. Google Cloud Classic is fully supported.

    Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi