Firewall
data class FirewallPolicyWithRulesArgs(val description: Output<String>? = null, val parent: Output<String>? = null, val rules: Output<List<FirewallPolicyWithRulesRuleArgs>>? = null, val shortName: Output<String>? = null) : ConvertibleToJava<FirewallPolicyWithRulesArgs>
Example Usage
Compute Firewall Policy With Rules Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const project = gcp.organizations.getProject({});
const addressGroup1 = new gcp.networksecurity.AddressGroup("address_group_1", {
name: "address-group",
parent: "organizations/123456789",
description: "Global address group",
location: "global",
items: ["208.80.154.224/32"],
type: "IPV4",
capacity: 100,
});
const securityProfile1 = new gcp.networksecurity.SecurityProfile("security_profile_1", {
name: "sp",
type: "THREAT_PREVENTION",
parent: "organizations/123456789",
location: "global",
});
const securityProfileGroup1 = new gcp.networksecurity.SecurityProfileGroup("security_profile_group_1", {
name: "spg",
parent: "organizations/123456789",
description: "my description",
threatPreventionProfile: securityProfile1.id,
});
const network = new gcp.compute.Network("network", {
name: "network",
autoCreateSubnetworks: false,
});
const primary = new gcp.compute.FirewallPolicyWithRules("primary", {
shortName: "fw-policy",
description: "Terraform test",
parent: "organizations/123456789",
rules: [
{
description: "tcp rule",
priority: 1000,
enableLogging: true,
action: "allow",
direction: "EGRESS",
targetResources: [project.then(project => `https://www.googleapis.com/compute/beta/projects/${project.projectId}/global/networks/default`)],
match: {
destIpRanges: ["11.100.0.1/32"],
destFqdns: [
"www.yyy.com",
"www.zzz.com",
],
destRegionCodes: [
"HK",
"IN",
],
destThreatIntelligences: [
"iplist-search-engines-crawlers",
"iplist-tor-exit-nodes",
],
destAddressGroups: [addressGroup1.id],
layer4Configs: [{
ipProtocol: "tcp",
ports: [
"8080",
"7070",
],
}],
},
},
{
description: "udp rule",
priority: 2000,
enableLogging: false,
action: "deny",
direction: "INGRESS",
disabled: true,
match: {
srcIpRanges: ["0.0.0.0/0"],
srcFqdns: [
"www.abc.com",
"www.def.com",
],
srcRegionCodes: [
"US",
"CA",
],
srcThreatIntelligences: [
"iplist-known-malicious-ips",
"iplist-public-clouds",
],
srcAddressGroups: [addressGroup1.id],
layer4Configs: [{
ipProtocol: "udp",
}],
},
},
{
description: "security profile group rule",
ruleName: "tcp rule",
priority: 3000,
enableLogging: false,
action: "apply_security_profile_group",
direction: "INGRESS",
targetServiceAccounts: ["test@google.com"],
securityProfileGroup: pulumi.interpolate`//networksecurity.googleapis.com/${securityProfileGroup1.id}`,
tlsInspect: true,
match: {
srcIpRanges: ["0.0.0.0/0"],
layer4Configs: [{
ipProtocol: "tcp",
}],
},
},
{
description: "network scope rule 1",
ruleName: "network scope 1",
priority: 4000,
enableLogging: false,
action: "allow",
direction: "INGRESS",
match: {
srcIpRanges: ["11.100.0.1/32"],
srcNetworkScope: "VPC_NETWORKS",
srcNetworks: [network.id],
layer4Configs: [{
ipProtocol: "tcp",
ports: ["8080"],
}],
},
},
{
description: "network scope rule 2",
ruleName: "network scope 2",
priority: 5000,
enableLogging: false,
action: "allow",
direction: "EGRESS",
match: {
destIpRanges: ["0.0.0.0/0"],
destNetworkScope: "INTERNET",
layer4Configs: [{
ipProtocol: "tcp",
ports: ["8080"],
}],
},
},
],
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
project = gcp.organizations.get_project()
address_group1 = gcp.networksecurity.AddressGroup("address_group_1",
name="address-group",
parent="organizations/123456789",
description="Global address group",
location="global",
items=["208.80.154.224/32"],
type="IPV4",
capacity=100)
security_profile1 = gcp.networksecurity.SecurityProfile("security_profile_1",
name="sp",
type="THREAT_PREVENTION",
parent="organizations/123456789",
location="global")
security_profile_group1 = gcp.networksecurity.SecurityProfileGroup("security_profile_group_1",
name="spg",
parent="organizations/123456789",
description="my description",
threat_prevention_profile=security_profile1.id)
network = gcp.compute.Network("network",
name="network",
auto_create_subnetworks=False)
primary = gcp.compute.FirewallPolicyWithRules("primary",
short_name="fw-policy",
description="Terraform test",
parent="organizations/123456789",
rules=[
{
"description": "tcp rule",
"priority": 1000,
"enable_logging": True,
"action": "allow",
"direction": "EGRESS",
"target_resources": [f"https://www.googleapis.com/compute/beta/projects/{project.project_id}/global/networks/default"],
"match": {
"dest_ip_ranges": ["11.100.0.1/32"],
"dest_fqdns": [
"www.yyy.com",
"www.zzz.com",
],
"dest_region_codes": [
"HK",
"IN",
],
"dest_threat_intelligences": [
"iplist-search-engines-crawlers",
"iplist-tor-exit-nodes",
],
"dest_address_groups": [address_group1.id],
"layer4_configs": [{
"ip_protocol": "tcp",
"ports": [
"8080",
"7070",
],
}],
},
},
{
"description": "udp rule",
"priority": 2000,
"enable_logging": False,
"action": "deny",
"direction": "INGRESS",
"disabled": True,
"match": {
"src_ip_ranges": ["0.0.0.0/0"],
"src_fqdns": [
"www.abc.com",
"www.def.com",
],
"src_region_codes": [
"US",
"CA",
],
"src_threat_intelligences": [
"iplist-known-malicious-ips",
"iplist-public-clouds",
],
"src_address_groups": [address_group1.id],
"layer4_configs": [{
"ip_protocol": "udp",
}],
},
},
{
"description": "security profile group rule",
"rule_name": "tcp rule",
"priority": 3000,
"enable_logging": False,
"action": "apply_security_profile_group",
"direction": "INGRESS",
"target_service_accounts": ["test@google.com"],
"security_profile_group": security_profile_group1.id.apply(lambda id: f"//networksecurity.googleapis.com/{id}"),
"tls_inspect": True,
"match": {
"src_ip_ranges": ["0.0.0.0/0"],
"layer4_configs": [{
"ip_protocol": "tcp",
}],
},
},
{
"description": "network scope rule 1",
"rule_name": "network scope 1",
"priority": 4000,
"enable_logging": False,
"action": "allow",
"direction": "INGRESS",
"match": {
"src_ip_ranges": ["11.100.0.1/32"],
"src_network_scope": "VPC_NETWORKS",
"src_networks": [network.id],
"layer4_configs": [{
"ip_protocol": "tcp",
"ports": ["8080"],
}],
},
},
{
"description": "network scope rule 2",
"rule_name": "network scope 2",
"priority": 5000,
"enable_logging": False,
"action": "allow",
"direction": "EGRESS",
"match": {
"dest_ip_ranges": ["0.0.0.0/0"],
"dest_network_scope": "INTERNET",
"layer4_configs": [{
"ip_protocol": "tcp",
"ports": ["8080"],
}],
},
},
])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var project = Gcp.Organizations.GetProject.Invoke();
var addressGroup1 = new Gcp.NetworkSecurity.AddressGroup("address_group_1", new()
{
Name = "address-group",
Parent = "organizations/123456789",
Description = "Global address group",
Location = "global",
Items = new[]
{
"208.80.154.224/32",
},
Type = "IPV4",
Capacity = 100,
});
var securityProfile1 = new Gcp.NetworkSecurity.SecurityProfile("security_profile_1", new()
{
Name = "sp",
Type = "THREAT_PREVENTION",
Parent = "organizations/123456789",
Location = "global",
});
var securityProfileGroup1 = new Gcp.NetworkSecurity.SecurityProfileGroup("security_profile_group_1", new()
{
Name = "spg",
Parent = "organizations/123456789",
Description = "my description",
ThreatPreventionProfile = securityProfile1.Id,
});
var network = new Gcp.Compute.Network("network", new()
{
Name = "network",
AutoCreateSubnetworks = false,
});
var primary = new Gcp.Compute.FirewallPolicyWithRules("primary", new()
{
ShortName = "fw-policy",
Description = "Terraform test",
Parent = "organizations/123456789",
Rules = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleArgs
{
Description = "tcp rule",
Priority = 1000,
EnableLogging = true,
Action = "allow",
Direction = "EGRESS",
TargetResources = new[]
{
$"https://www.googleapis.com/compute/beta/projects/{project.Apply(getProjectResult => getProjectResult.ProjectId)}/global/networks/default",
},
Match = new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchArgs
{
DestIpRanges = new[]
{
"11.100.0.1/32",
},
DestFqdns = new[]
{
"www.yyy.com",
"www.zzz.com",
},
DestRegionCodes = new[]
{
"HK",
"IN",
},
DestThreatIntelligences = new[]
{
"iplist-search-engines-crawlers",
"iplist-tor-exit-nodes",
},
DestAddressGroups = new[]
{
addressGroup1.Id,
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
Ports = new[]
{
"8080",
"7070",
},
},
},
},
},
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleArgs
{
Description = "udp rule",
Priority = 2000,
EnableLogging = false,
Action = "deny",
Direction = "INGRESS",
Disabled = true,
Match = new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchArgs
{
SrcIpRanges = new[]
{
"0.0.0.0/0",
},
SrcFqdns = new[]
{
"www.abc.com",
"www.def.com",
},
SrcRegionCodes = new[]
{
"US",
"CA",
},
SrcThreatIntelligences = new[]
{
"iplist-known-malicious-ips",
"iplist-public-clouds",
},
SrcAddressGroups = new[]
{
addressGroup1.Id,
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "udp",
},
},
},
},
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleArgs
{
Description = "security profile group rule",
RuleName = "tcp rule",
Priority = 3000,
EnableLogging = false,
Action = "apply_security_profile_group",
Direction = "INGRESS",
TargetServiceAccounts = new[]
{
"test@google.com",
},
SecurityProfileGroup = securityProfileGroup1.Id.Apply(id => $"//networksecurity.googleapis.com/{id}"),
TlsInspect = true,
Match = new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchArgs
{
SrcIpRanges = new[]
{
"0.0.0.0/0",
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
},
},
},
},
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleArgs
{
Description = "network scope rule 1",
RuleName = "network scope 1",
Priority = 4000,
EnableLogging = false,
Action = "allow",
Direction = "INGRESS",
Match = new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchArgs
{
SrcIpRanges = new[]
{
"11.100.0.1/32",
},
SrcNetworkScope = "VPC_NETWORKS",
SrcNetworks = new[]
{
network.Id,
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
Ports = new[]
{
"8080",
},
},
},
},
},
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleArgs
{
Description = "network scope rule 2",
RuleName = "network scope 2",
Priority = 5000,
EnableLogging = false,
Action = "allow",
Direction = "EGRESS",
Match = new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchArgs
{
DestIpRanges = new[]
{
"0.0.0.0/0",
},
DestNetworkScope = "INTERNET",
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
Ports = new[]
{
"8080",
},
},
},
},
},
},
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
addressGroup1, err := networksecurity.NewAddressGroup(ctx, "address_group_1", &networksecurity.AddressGroupArgs{
Name: pulumi.String("address-group"),
Parent: pulumi.String("organizations/123456789"),
Description: pulumi.String("Global address group"),
Location: pulumi.String("global"),
Items: pulumi.StringArray{
pulumi.String("208.80.154.224/32"),
},
Type: pulumi.String("IPV4"),
Capacity: pulumi.Int(100),
})
if err != nil {
return err
}
securityProfile1, err := networksecurity.NewSecurityProfile(ctx, "security_profile_1", &networksecurity.SecurityProfileArgs{
Name: pulumi.String("sp"),
Type: pulumi.String("THREAT_PREVENTION"),
Parent: pulumi.String("organizations/123456789"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
securityProfileGroup1, err := networksecurity.NewSecurityProfileGroup(ctx, "security_profile_group_1", &networksecurity.SecurityProfileGroupArgs{
Name: pulumi.String("spg"),
Parent: pulumi.String("organizations/123456789"),
Description: pulumi.String("my description"),
ThreatPreventionProfile: securityProfile1.ID(),
})
if err != nil {
return err
}
network, err := compute.NewNetwork(ctx, "network", &compute.NetworkArgs{
Name: pulumi.String("network"),
AutoCreateSubnetworks: pulumi.Bool(false),
})
if err != nil {
return err
}
_, err = compute.NewFirewallPolicyWithRules(ctx, "primary", &compute.FirewallPolicyWithRulesArgs{
ShortName: pulumi.String("fw-policy"),
Description: pulumi.String("Terraform test"),
Parent: pulumi.String("organizations/123456789"),
Rules: compute.FirewallPolicyWithRulesRuleArray{
&compute.FirewallPolicyWithRulesRuleArgs{
Description: pulumi.String("tcp rule"),
Priority: pulumi.Int(1000),
EnableLogging: pulumi.Bool(true),
Action: pulumi.String("allow"),
Direction: pulumi.String("EGRESS"),
TargetResources: pulumi.StringArray{
pulumi.Sprintf("https://www.googleapis.com/compute/beta/projects/%v/global/networks/default", project.ProjectId),
},
Match: &compute.FirewallPolicyWithRulesRuleMatchArgs{
DestIpRanges: pulumi.StringArray{
pulumi.String("11.100.0.1/32"),
},
DestFqdns: pulumi.StringArray{
pulumi.String("www.yyy.com"),
pulumi.String("www.zzz.com"),
},
DestRegionCodes: pulumi.StringArray{
pulumi.String("HK"),
pulumi.String("IN"),
},
DestThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-search-engines-crawlers"),
pulumi.String("iplist-tor-exit-nodes"),
},
DestAddressGroups: pulumi.StringArray{
addressGroup1.ID(),
},
Layer4Configs: compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
Ports: pulumi.StringArray{
pulumi.String("8080"),
pulumi.String("7070"),
},
},
},
},
},
&compute.FirewallPolicyWithRulesRuleArgs{
Description: pulumi.String("udp rule"),
Priority: pulumi.Int(2000),
EnableLogging: pulumi.Bool(false),
Action: pulumi.String("deny"),
Direction: pulumi.String("INGRESS"),
Disabled: pulumi.Bool(true),
Match: &compute.FirewallPolicyWithRulesRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("0.0.0.0/0"),
},
SrcFqdns: pulumi.StringArray{
pulumi.String("www.abc.com"),
pulumi.String("www.def.com"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("US"),
pulumi.String("CA"),
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-known-malicious-ips"),
pulumi.String("iplist-public-clouds"),
},
SrcAddressGroups: pulumi.StringArray{
addressGroup1.ID(),
},
Layer4Configs: compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("udp"),
},
},
},
},
&compute.FirewallPolicyWithRulesRuleArgs{
Description: pulumi.String("security profile group rule"),
RuleName: pulumi.String("tcp rule"),
Priority: pulumi.Int(3000),
EnableLogging: pulumi.Bool(false),
Action: pulumi.String("apply_security_profile_group"),
Direction: pulumi.String("INGRESS"),
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("test@google.com"),
},
SecurityProfileGroup: securityProfileGroup1.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("//networksecurity.googleapis.com/%v", id), nil
}).(pulumi.StringOutput),
TlsInspect: pulumi.Bool(true),
Match: &compute.FirewallPolicyWithRulesRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("0.0.0.0/0"),
},
Layer4Configs: compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
},
},
},
},
&compute.FirewallPolicyWithRulesRuleArgs{
Description: pulumi.String("network scope rule 1"),
RuleName: pulumi.String("network scope 1"),
Priority: pulumi.Int(4000),
EnableLogging: pulumi.Bool(false),
Action: pulumi.String("allow"),
Direction: pulumi.String("INGRESS"),
Match: &compute.FirewallPolicyWithRulesRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("11.100.0.1/32"),
},
SrcNetworkScope: pulumi.String("VPC_NETWORKS"),
SrcNetworks: pulumi.StringArray{
network.ID(),
},
Layer4Configs: compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
Ports: pulumi.StringArray{
pulumi.String("8080"),
},
},
},
},
},
&compute.FirewallPolicyWithRulesRuleArgs{
Description: pulumi.String("network scope rule 2"),
RuleName: pulumi.String("network scope 2"),
Priority: pulumi.Int(5000),
EnableLogging: pulumi.Bool(false),
Action: pulumi.String("allow"),
Direction: pulumi.String("EGRESS"),
Match: &compute.FirewallPolicyWithRulesRuleMatchArgs{
DestIpRanges: pulumi.StringArray{
pulumi.String("0.0.0.0/0"),
},
DestNetworkScope: pulumi.String("INTERNET"),
Layer4Configs: compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
&compute.FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
Ports: pulumi.StringArray{
pulumi.String("8080"),
},
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.networksecurity.SecurityProfile;
import com.pulumi.gcp.networksecurity.SecurityProfileArgs;
import com.pulumi.gcp.networksecurity.SecurityProfileGroup;
import com.pulumi.gcp.networksecurity.SecurityProfileGroupArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.FirewallPolicyWithRules;
import com.pulumi.gcp.compute.FirewallPolicyWithRulesArgs;
import com.pulumi.gcp.compute.inputs.FirewallPolicyWithRulesRuleArgs;
import com.pulumi.gcp.compute.inputs.FirewallPolicyWithRulesRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var addressGroup1 = new AddressGroup("addressGroup1", AddressGroupArgs.builder()
.name("address-group")
.parent("organizations/123456789")
.description("Global address group")
.location("global")
.items("208.80.154.224/32")
.type("IPV4")
.capacity(100)
.build());
var securityProfile1 = new SecurityProfile("securityProfile1", SecurityProfileArgs.builder()
.name("sp")
.type("THREAT_PREVENTION")
.parent("organizations/123456789")
.location("global")
.build());
var securityProfileGroup1 = new SecurityProfileGroup("securityProfileGroup1", SecurityProfileGroupArgs.builder()
.name("spg")
.parent("organizations/123456789")
.description("my description")
.threatPreventionProfile(securityProfile1.id())
.build());
var network = new Network("network", NetworkArgs.builder()
.name("network")
.autoCreateSubnetworks(false)
.build());
var primary = new FirewallPolicyWithRules("primary", FirewallPolicyWithRulesArgs.builder()
.shortName("fw-policy")
.description("Terraform test")
.parent("organizations/123456789")
.rules(
FirewallPolicyWithRulesRuleArgs.builder()
.description("tcp rule")
.priority(1000)
.enableLogging(true)
.action("allow")
.direction("EGRESS")
.targetResources(String.format("https://www.googleapis.com/compute/beta/projects/%s/global/networks/default", project.projectId()))
.match(FirewallPolicyWithRulesRuleMatchArgs.builder()
.destIpRanges("11.100.0.1/32")
.destFqdns(
"www.yyy.com",
"www.zzz.com")
.destRegionCodes(
"HK",
"IN")
.destThreatIntelligences(
"iplist-search-engines-crawlers",
"iplist-tor-exit-nodes")
.destAddressGroups(addressGroup1.id())
.layer4Configs(FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.ports(
"8080",
"7070")
.build())
.build())
.build(),
FirewallPolicyWithRulesRuleArgs.builder()
.description("udp rule")
.priority(2000)
.enableLogging(false)
.action("deny")
.direction("INGRESS")
.disabled(true)
.match(FirewallPolicyWithRulesRuleMatchArgs.builder()
.srcIpRanges("0.0.0.0/0")
.srcFqdns(
"www.abc.com",
"www.def.com")
.srcRegionCodes(
"US",
"CA")
.srcThreatIntelligences(
"iplist-known-malicious-ips",
"iplist-public-clouds")
.srcAddressGroups(addressGroup1.id())
.layer4Configs(FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("udp")
.build())
.build())
.build(),
FirewallPolicyWithRulesRuleArgs.builder()
.description("security profile group rule")
.ruleName("tcp rule")
.priority(3000)
.enableLogging(false)
.action("apply_security_profile_group")
.direction("INGRESS")
.targetServiceAccounts("test@google.com")
.securityProfileGroup(securityProfileGroup1.id().applyValue(_id -> String.format("//networksecurity.googleapis.com/%s", _id)))
.tlsInspect(true)
.match(FirewallPolicyWithRulesRuleMatchArgs.builder()
.srcIpRanges("0.0.0.0/0")
.layer4Configs(FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.build())
.build())
.build(),
FirewallPolicyWithRulesRuleArgs.builder()
.description("network scope rule 1")
.ruleName("network scope 1")
.priority(4000)
.enableLogging(false)
.action("allow")
.direction("INGRESS")
.match(FirewallPolicyWithRulesRuleMatchArgs.builder()
.srcIpRanges("11.100.0.1/32")
.srcNetworkScope("VPC_NETWORKS")
.srcNetworks(network.id())
.layer4Configs(FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.ports("8080")
.build())
.build())
.build(),
FirewallPolicyWithRulesRuleArgs.builder()
.description("network scope rule 2")
.ruleName("network scope 2")
.priority(5000)
.enableLogging(false)
.action("allow")
.direction("EGRESS")
.match(FirewallPolicyWithRulesRuleMatchArgs.builder()
.destIpRanges("0.0.0.0/0")
.destNetworkScope("INTERNET")
.layer4Configs(FirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.ports("8080")
.build())
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
primary:
type: gcp:compute:FirewallPolicyWithRules
properties:
shortName: fw-policy
description: Terraform test
parent: organizations/123456789
rules:
- description: tcp rule
priority: 1000
enableLogging: true
action: allow
direction: EGRESS
targetResources:
- https://www.googleapis.com/compute/beta/projects/${project.projectId}/global/networks/default
match:
destIpRanges:
- 11.100.0.1/32
destFqdns:
- www.yyy.com
- www.zzz.com
destRegionCodes:
- HK
- IN
destThreatIntelligences:
- iplist-search-engines-crawlers
- iplist-tor-exit-nodes
destAddressGroups:
- ${addressGroup1.id}
layer4Configs:
- ipProtocol: tcp
ports:
- 8080
- 7070
- description: udp rule
priority: 2000
enableLogging: false
action: deny
direction: INGRESS
disabled: true
match:
srcIpRanges:
- 0.0.0.0/0
srcFqdns:
- www.abc.com
- www.def.com
srcRegionCodes:
- US
- CA
srcThreatIntelligences:
- iplist-known-malicious-ips
- iplist-public-clouds
srcAddressGroups:
- ${addressGroup1.id}
layer4Configs:
- ipProtocol: udp
- description: security profile group rule
ruleName: tcp rule
priority: 3000
enableLogging: false
action: apply_security_profile_group
direction: INGRESS
targetServiceAccounts:
- test@google.com
securityProfileGroup: //networksecurity.googleapis.com/${securityProfileGroup1.id}
tlsInspect: true
match:
srcIpRanges:
- 0.0.0.0/0
layer4Configs:
- ipProtocol: tcp
- description: network scope rule 1
ruleName: network scope 1
priority: 4000
enableLogging: false
action: allow
direction: INGRESS
match:
srcIpRanges:
- 11.100.0.1/32
srcNetworkScope: VPC_NETWORKS
srcNetworks:
- ${network.id}
layer4Configs:
- ipProtocol: tcp
ports:
- 8080
- description: network scope rule 2
ruleName: network scope 2
priority: 5000
enableLogging: false
action: allow
direction: EGRESS
match:
destIpRanges:
- 0.0.0.0/0
destNetworkScope: INTERNET
layer4Configs:
- ipProtocol: tcp
ports:
- 8080
addressGroup1:
type: gcp:networksecurity:AddressGroup
name: address_group_1
properties:
name: address-group
parent: organizations/123456789
description: Global address group
location: global
items:
- 208.80.154.224/32
type: IPV4
capacity: 100
securityProfileGroup1:
type: gcp:networksecurity:SecurityProfileGroup
name: security_profile_group_1
properties:
name: spg
parent: organizations/123456789
description: my description
threatPreventionProfile: ${securityProfile1.id}
securityProfile1:
type: gcp:networksecurity:SecurityProfile
name: security_profile_1
properties:
name: sp
type: THREAT_PREVENTION
parent: organizations/123456789
location: global
network:
type: gcp:compute:Network
properties:
name: network
autoCreateSubnetworks: false
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}Content copied to clipboard
Import
FirewallPolicyWithRules can be imported using any of these accepted formats:
locations/global/firewallPolicies/{{policy_id}}{{policy_id}}When using thepulumi importcommand, FirewallPolicyWithRules can be imported using one of the formats above. For example:
$ pulumi import gcp:compute/firewallPolicyWithRules:FirewallPolicyWithRules default locations/global/firewallPolicies/{{policy_id}}Content copied to clipboard
$ pulumi import gcp:compute/firewallPolicyWithRules:FirewallPolicyWithRules default {{policy_id}}Content copied to clipboard
Constructors
Link copied to clipboard
constructor(description: Output<String>? = null, parent: Output<String>? = null, rules: Output<List<FirewallPolicyWithRulesRuleArgs>>? = null, shortName: Output<String>? = null)