Network
data class NetworkFirewallPolicyRuleArgs(val action: Output<String>? = null, val description: Output<String>? = null, val direction: Output<String>? = null, val disabled: Output<Boolean>? = null, val enableLogging: Output<Boolean>? = null, val firewallPolicy: Output<String>? = null, val match: Output<NetworkFirewallPolicyRuleMatchArgs>? = null, val priority: Output<Int>? = null, val project: Output<String>? = null, val ruleName: Output<String>? = null, val securityProfileGroup: Output<String>? = null, val targetSecureTags: Output<List<NetworkFirewallPolicyRuleTargetSecureTagArgs>>? = null, val targetServiceAccounts: Output<List<String>>? = null, val tlsInspect: Output<Boolean>? = null) : ConvertibleToJava<NetworkFirewallPolicyRuleArgs>
The Compute NetworkFirewallPolicyRule resource
Example Usage
Global
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicGlobalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group", {
name: "policy",
parent: "projects/my-project-name",
description: "Sample global networksecurity_address_group",
location: "global",
items: ["208.80.154.224/32"],
type: "IPV4",
capacity: 100,
});
const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", {
name: "policy",
description: "Sample global network firewall policy",
project: "my-project-name",
});
const basicNetwork = new gcp.compute.Network("basic_network", {name: "network"});
const basicKey = new gcp.tags.TagKey("basic_key", {
description: "For keyname resources.",
parent: "organizations/123456789",
purpose: "GCE_FIREWALL",
shortName: "tagkey",
purposeData: {
network: pulumi.interpolate`my-project-name/${basicNetwork.name}`,
},
});
const basicValue = new gcp.tags.TagValue("basic_value", {
description: "For valuename resources.",
parent: pulumi.interpolate`tagKeys/${basicKey.name}`,
shortName: "tagvalue",
});
const primary = new gcp.compute.NetworkFirewallPolicyRule("primary", {
action: "allow",
description: "This is a simple rule description",
direction: "INGRESS",
disabled: false,
enableLogging: true,
firewallPolicy: basicNetworkFirewallPolicy.name,
priority: 1000,
ruleName: "test-rule",
targetServiceAccounts: ["my@service-account.com"],
match: {
srcIpRanges: ["10.100.0.1/32"],
srcFqdns: ["google.com"],
srcRegionCodes: ["US"],
srcThreatIntelligences: ["iplist-known-malicious-ips"],
srcSecureTags: [{
name: pulumi.interpolate`tagValues/${basicValue.name}`,
}],
layer4Configs: [{
ipProtocol: "all",
}],
srcAddressGroups: [basicGlobalNetworksecurityAddressGroup.id],
},
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
basic_global_networksecurity_address_group = gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group",
name="policy",
parent="projects/my-project-name",
description="Sample global networksecurity_address_group",
location="global",
items=["208.80.154.224/32"],
type="IPV4",
capacity=100)
basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
name="policy",
description="Sample global network firewall policy",
project="my-project-name")
basic_network = gcp.compute.Network("basic_network", name="network")
basic_key = gcp.tags.TagKey("basic_key",
description="For keyname resources.",
parent="organizations/123456789",
purpose="GCE_FIREWALL",
short_name="tagkey",
purpose_data={
"network": basic_network.name.apply(lambda name: f"my-project-name/{name}"),
})
basic_value = gcp.tags.TagValue("basic_value",
description="For valuename resources.",
parent=basic_key.name.apply(lambda name: f"tagKeys/{name}"),
short_name="tagvalue")
primary = gcp.compute.NetworkFirewallPolicyRule("primary",
action="allow",
description="This is a simple rule description",
direction="INGRESS",
disabled=False,
enable_logging=True,
firewall_policy=basic_network_firewall_policy.name,
priority=1000,
rule_name="test-rule",
target_service_accounts=["my@service-account.com"],
match={
"src_ip_ranges": ["10.100.0.1/32"],
"src_fqdns": ["google.com"],
"src_region_codes": ["US"],
"src_threat_intelligences": ["iplist-known-malicious-ips"],
"src_secure_tags": [{
"name": basic_value.name.apply(lambda name: f"tagValues/{name}"),
}],
"layer4_configs": [{
"ip_protocol": "all",
}],
"src_address_groups": [basic_global_networksecurity_address_group.id],
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicGlobalNetworksecurityAddressGroup = new Gcp.NetworkSecurity.AddressGroup("basic_global_networksecurity_address_group", new()
{
Name = "policy",
Parent = "projects/my-project-name",
Description = "Sample global networksecurity_address_group",
Location = "global",
Items = new[]
{
"208.80.154.224/32",
},
Type = "IPV4",
Capacity = 100,
});
var basicNetworkFirewallPolicy = new Gcp.Compute.NetworkFirewallPolicy("basic_network_firewall_policy", new()
{
Name = "policy",
Description = "Sample global network firewall policy",
Project = "my-project-name",
});
var basicNetwork = new Gcp.Compute.Network("basic_network", new()
{
Name = "network",
});
var basicKey = new Gcp.Tags.TagKey("basic_key", new()
{
Description = "For keyname resources.",
Parent = "organizations/123456789",
Purpose = "GCE_FIREWALL",
ShortName = "tagkey",
PurposeData =
{
{ "network", basicNetwork.Name.Apply(name => $"my-project-name/{name}") },
},
});
var basicValue = new Gcp.Tags.TagValue("basic_value", new()
{
Description = "For valuename resources.",
Parent = basicKey.Name.Apply(name => $"tagKeys/{name}"),
ShortName = "tagvalue",
});
var primary = new Gcp.Compute.NetworkFirewallPolicyRule("primary", new()
{
Action = "allow",
Description = "This is a simple rule description",
Direction = "INGRESS",
Disabled = false,
EnableLogging = true,
FirewallPolicy = basicNetworkFirewallPolicy.Name,
Priority = 1000,
RuleName = "test-rule",
TargetServiceAccounts = new[]
{
"my@service-account.com",
},
Match = new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchArgs
{
SrcIpRanges = new[]
{
"10.100.0.1/32",
},
SrcFqdns = new[]
{
"google.com",
},
SrcRegionCodes = new[]
{
"US",
},
SrcThreatIntelligences = new[]
{
"iplist-known-malicious-ips",
},
SrcSecureTags = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs
{
Name = basicValue.Name.Apply(name => $"tagValues/{name}"),
},
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
SrcAddressGroups = new[]
{
basicGlobalNetworksecurityAddressGroup.Id,
},
},
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicGlobalNetworksecurityAddressGroup, err := networksecurity.NewAddressGroup(ctx, "basic_global_networksecurity_address_group", &networksecurity.AddressGroupArgs{
Name: pulumi.String("policy"),
Parent: pulumi.String("projects/my-project-name"),
Description: pulumi.String("Sample global networksecurity_address_group"),
Location: pulumi.String("global"),
Items: pulumi.StringArray{
pulumi.String("208.80.154.224/32"),
},
Type: pulumi.String("IPV4"),
Capacity: pulumi.Int(100),
})
if err != nil {
return err
}
basicNetworkFirewallPolicy, err := compute.NewNetworkFirewallPolicy(ctx, "basic_network_firewall_policy", &compute.NetworkFirewallPolicyArgs{
Name: pulumi.String("policy"),
Description: pulumi.String("Sample global network firewall policy"),
Project: pulumi.String("my-project-name"),
})
if err != nil {
return err
}
basicNetwork, err := compute.NewNetwork(ctx, "basic_network", &compute.NetworkArgs{
Name: pulumi.String("network"),
})
if err != nil {
return err
}
basicKey, err := tags.NewTagKey(ctx, "basic_key", &tags.TagKeyArgs{
Description: pulumi.String("For keyname resources."),
Parent: pulumi.String("organizations/123456789"),
Purpose: pulumi.String("GCE_FIREWALL"),
ShortName: pulumi.String("tagkey"),
PurposeData: pulumi.StringMap{
"network": basicNetwork.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("my-project-name/%v", name), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
basicValue, err := tags.NewTagValue(ctx, "basic_value", &tags.TagValueArgs{
Description: pulumi.String("For valuename resources."),
Parent: basicKey.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("tagKeys/%v", name), nil
}).(pulumi.StringOutput),
ShortName: pulumi.String("tagvalue"),
})
if err != nil {
return err
}
_, err = compute.NewNetworkFirewallPolicyRule(ctx, "primary", &compute.NetworkFirewallPolicyRuleArgs{
Action: pulumi.String("allow"),
Description: pulumi.String("This is a simple rule description"),
Direction: pulumi.String("INGRESS"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(true),
FirewallPolicy: basicNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
RuleName: pulumi.String("test-rule"),
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("my@service-account.com"),
},
Match: &compute.NetworkFirewallPolicyRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("10.100.0.1/32"),
},
SrcFqdns: pulumi.StringArray{
pulumi.String("google.com"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("US"),
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-known-malicious-ips"),
},
SrcSecureTags: compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArray{
&compute.NetworkFirewallPolicyRuleMatchSrcSecureTagArgs{
Name: basicValue.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("tagValues/%v", name), nil
}).(pulumi.StringOutput),
},
},
Layer4Configs: compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.NetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
SrcAddressGroups: pulumi.StringArray{
basicGlobalNetworksecurityAddressGroup.ID(),
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicy;
import com.pulumi.gcp.compute.NetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.tags.TagKey;
import com.pulumi.gcp.tags.TagKeyArgs;
import com.pulumi.gcp.tags.TagValue;
import com.pulumi.gcp.tags.TagValueArgs;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.NetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.NetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicGlobalNetworksecurityAddressGroup = new AddressGroup("basicGlobalNetworksecurityAddressGroup", AddressGroupArgs.builder()
.name("policy")
.parent("projects/my-project-name")
.description("Sample global networksecurity_address_group")
.location("global")
.items("208.80.154.224/32")
.type("IPV4")
.capacity(100)
.build());
var basicNetworkFirewallPolicy = new NetworkFirewallPolicy("basicNetworkFirewallPolicy", NetworkFirewallPolicyArgs.builder()
.name("policy")
.description("Sample global network firewall policy")
.project("my-project-name")
.build());
var basicNetwork = new Network("basicNetwork", NetworkArgs.builder()
.name("network")
.build());
var basicKey = new TagKey("basicKey", TagKeyArgs.builder()
.description("For keyname resources.")
.parent("organizations/123456789")
.purpose("GCE_FIREWALL")
.shortName("tagkey")
.purposeData(Map.of("network", basicNetwork.name().applyValue(name -> String.format("my-project-name/%s", name))))
.build());
var basicValue = new TagValue("basicValue", TagValueArgs.builder()
.description("For valuename resources.")
.parent(basicKey.name().applyValue(name -> String.format("tagKeys/%s", name)))
.shortName("tagvalue")
.build());
var primary = new NetworkFirewallPolicyRule("primary", NetworkFirewallPolicyRuleArgs.builder()
.action("allow")
.description("This is a simple rule description")
.direction("INGRESS")
.disabled(false)
.enableLogging(true)
.firewallPolicy(basicNetworkFirewallPolicy.name())
.priority(1000)
.ruleName("test-rule")
.targetServiceAccounts("my@service-account.com")
.match(NetworkFirewallPolicyRuleMatchArgs.builder()
.srcIpRanges("10.100.0.1/32")
.srcFqdns("google.com")
.srcRegionCodes("US")
.srcThreatIntelligences("iplist-known-malicious-ips")
.srcSecureTags(NetworkFirewallPolicyRuleMatchSrcSecureTagArgs.builder()
.name(basicValue.name().applyValue(name -> String.format("tagValues/%s", name)))
.build())
.layer4Configs(NetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.srcAddressGroups(basicGlobalNetworksecurityAddressGroup.id())
.build())
.build());
}
}Content copied to clipboard
resources:
basicGlobalNetworksecurityAddressGroup:
type: gcp:networksecurity:AddressGroup
name: basic_global_networksecurity_address_group
properties:
name: policy
parent: projects/my-project-name
description: Sample global networksecurity_address_group
location: global
items:
- 208.80.154.224/32
type: IPV4
capacity: 100
basicNetworkFirewallPolicy:
type: gcp:compute:NetworkFirewallPolicy
name: basic_network_firewall_policy
properties:
name: policy
description: Sample global network firewall policy
project: my-project-name
primary:
type: gcp:compute:NetworkFirewallPolicyRule
properties:
action: allow
description: This is a simple rule description
direction: INGRESS
disabled: false
enableLogging: true
firewallPolicy: ${basicNetworkFirewallPolicy.name}
priority: 1000
ruleName: test-rule
targetServiceAccounts:
- my@service-account.com
match:
srcIpRanges:
- 10.100.0.1/32
srcFqdns:
- google.com
srcRegionCodes:
- US
srcThreatIntelligences:
- iplist-known-malicious-ips
srcSecureTags:
- name: tagValues/${basicValue.name}
layer4Configs:
- ipProtocol: all
srcAddressGroups:
- ${basicGlobalNetworksecurityAddressGroup.id}
basicNetwork:
type: gcp:compute:Network
name: basic_network
properties:
name: network
basicKey:
type: gcp:tags:TagKey
name: basic_key
properties:
description: For keyname resources.
parent: organizations/123456789
purpose: GCE_FIREWALL
shortName: tagkey
purposeData:
network: my-project-name/${basicNetwork.name}
basicValue:
type: gcp:tags:TagValue
name: basic_value
properties:
description: For valuename resources.
parent: tagKeys/${basicKey.name}
shortName: tagvalueContent copied to clipboard
Import
NetworkFirewallPolicyRule can be imported using any of these accepted formats:
projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}{{project}}/{{firewall_policy}}/{{priority}}{{firewall_policy}}/{{priority}}When using thepulumi importcommand, NetworkFirewallPolicyRule can be imported using one of the formats above. For example:
$ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}Content copied to clipboard
$ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default {{project}}/{{firewall_policy}}/{{priority}}Content copied to clipboard
$ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default {{firewall_policy}}/{{priority}}Content copied to clipboard
Constructors
Link copied to clipboard
constructor(action: Output<String>? = null, description: Output<String>? = null, direction: Output<String>? = null, disabled: Output<Boolean>? = null, enableLogging: Output<Boolean>? = null, firewallPolicy: Output<String>? = null, match: Output<NetworkFirewallPolicyRuleMatchArgs>? = null, priority: Output<Int>? = null, project: Output<String>? = null, ruleName: Output<String>? = null, securityProfileGroup: Output<String>? = null, targetSecureTags: Output<List<NetworkFirewallPolicyRuleTargetSecureTagArgs>>? = null, targetServiceAccounts: Output<List<String>>? = null, tlsInspect: Output<Boolean>? = null)
Properties
Link copied to clipboard
An optional description for this resource.
Link copied to clipboard
Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
Link copied to clipboard
The firewall policy of the resource.
Link copied to clipboard
A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
Link copied to clipboard
Link copied to clipboard
A fully-qualified URL of a SecurityProfileGroup resource. Example: https://networksecurity.googleapis.com/v1/organizations/{organizationId}/locations/global/securityProfileGroups/my-security-profile-group. It must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
Link copied to clipboard
A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
Link copied to clipboard
A list of service accounts indicating the sets of instances that are applied with this rule.
Link copied to clipboard
Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.