Region Network Firewall Policy With Rules
Example Usage
Compute Region Network Firewall Policy With Rules Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Regional network firewall policy example.
//
// Reviewer notes for anyone copying this into a real environment:
//  - Nothing in this program associates the policy with a VPC (there is no
//    RegionNetworkFirewallPolicyAssociation), so as written it enforces
//    nothing until an association is added.
//  - Only rule 1 has enableLogging set; the remaining allow/deny rules leave
//    no log trail for detection or incident response.
//  - Rule 2, the "deny from 0.0.0.0/0" rule, is created with disabled: true.
const project = gcp.organizations.getProject({});

// Resolve the project fields once and share the promises across resources.
const projectId = project.then((p) => p.id);
// NOTE(review): this is the project display name, not the project id; confirm
// it is the "{project}/{network}" form the tag purposeData.network field expects.
const tagNetwork = project.then((p) => `${p.name}/default`);

// Address group with a single /32, referenced as a destination by rule 1 and
// as a source by rule 2.
const addressGroup1 = new gcp.networksecurity.AddressGroup("address_group_1", {
  name: "address-group",
  parent: projectId,
  description: "Regional address group",
  location: "us-west2",
  items: ["208.80.154.224/32"],
  type: "IPV4",
  capacity: 100,
});

// GCE_FIREWALL secure tag. The key is bound to the project's `default`
// network, whereas the VPC created below is a separate `network` resource --
// TODO confirm which VPC the tagged VMs are expected to live in.
const secureTagKey1 = new gcp.tags.TagKey("secure_tag_key_1", {
  description: "Tag key",
  parent: projectId,
  purpose: "GCE_FIREWALL",
  shortName: "tag-key",
  purposeData: { network: tagNetwork },
});
const secureTagValue1 = new gcp.tags.TagValue("secure_tag_value_1", {
  description: "Tag value",
  parent: secureTagKey1.id,
  shortName: "tag-value",
});

// Custom-mode VPC, used by rule 3's VPC_NETWORKS source scope.
const network = new gcp.compute.Network("network", {
  name: "network",
  autoCreateSubnetworks: false,
});

type PolicyRule = gcp.types.input.compute.RegionNetworkFirewallPolicyWithRulesRule;

// Rule 1 (priority 1000; lower numbers are evaluated first): allow egress
// TCP 8080/7070 from VMs carrying the secure tag to the listed destinations.
// This is the only rule that logs.
// NOTE(review): confirm how GCP combines the five destination criteria below
// before treating this as a tight allow-list.
const tcpEgressRule: PolicyRule = {
  description: "tcp rule",
  priority: 1000,
  enableLogging: true,
  action: "allow",
  direction: "EGRESS",
  match: {
    destIpRanges: ["11.100.0.1/32"],
    destFqdns: ["www.yyy.com", "www.zzz.com"],
    destRegionCodes: ["HK", "IN"],
    destThreatIntelligences: [
      "iplist-search-engines-crawlers",
      "iplist-tor-exit-nodes",
    ],
    destAddressGroups: [addressGroup1.id],
    layer4Configs: [{ ipProtocol: "tcp", ports: ["8080", "7070"] }],
  },
  targetSecureTags: [{ name: secureTagValue1.id }],
};

// Rule 2 (priority 2000): deny all UDP ingress from the listed sources
// (including 0.0.0.0/0). It is created with `disabled: true`, so it exists
// but is not enforced, and logging is off. Enable both before relying on it.
const udpIngressRule: PolicyRule = {
  description: "udp rule",
  ruleName: "test-rule",
  priority: 2000,
  enableLogging: false,
  action: "deny",
  direction: "INGRESS",
  disabled: true,
  match: {
    srcIpRanges: ["0.0.0.0/0"],
    srcFqdns: ["www.abc.com", "www.def.com"],
    srcRegionCodes: ["US", "CA"],
    srcThreatIntelligences: [
      "iplist-known-malicious-ips",
      "iplist-public-clouds",
    ],
    srcAddressGroups: [addressGroup1.id],
    srcSecureTags: [{ name: secureTagValue1.id }],
    layer4Configs: [{ ipProtocol: "udp" }],
  },
};

// Rule 3 (priority 4000): allow ingress TCP 8080 from 11.100.0.1/32 when the
// traffic originates inside the listed VPC (VPC_NETWORKS scope). Logging off.
const vpcScopedIngressRule: PolicyRule = {
  description: "network scope rule 1",
  ruleName: "network scope 1",
  priority: 4000,
  enableLogging: false,
  action: "allow",
  direction: "INGRESS",
  match: {
    srcIpRanges: ["11.100.0.1/32"],
    srcNetworkScope: "VPC_NETWORKS",
    srcNetworks: [network.id],
    layer4Configs: [{ ipProtocol: "tcp", ports: ["8080"] }],
  },
};

// Rule 4 (priority 5000): allow egress TCP 8080 to 0.0.0.0/0, narrowed by the
// NON_INTERNET destination scope. Logging off.
const nonInternetEgressRule: PolicyRule = {
  description: "network scope rule 2",
  ruleName: "network scope 2",
  priority: 5000,
  enableLogging: false,
  action: "allow",
  direction: "EGRESS",
  match: {
    destIpRanges: ["0.0.0.0/0"],
    destNetworkScope: "NON_INTERNET",
    layer4Configs: [{ ipProtocol: "tcp", ports: ["8080"] }],
  },
};

// The regional policy carrying the four rules above. Turning on
// enableLogging for rules 2-4 is the cheapest detection win when adapting this.
const primary = new gcp.compute.RegionNetworkFirewallPolicyWithRules("primary", {
  name: "fw-policy",
  region: "us-west2",
  description: "Terraform test",
  rules: [tcpEgressRule, udpIngressRule, vpcScopedIngressRule, nonInternetEgressRule],
});
import pulumi
import pulumi_gcp as gcp
# Regional network firewall policy example.
#
# Reviewer notes for anyone copying this into a real environment:
#   - Nothing here associates the policy with a VPC (there is no
#     RegionNetworkFirewallPolicyAssociation), so as written it enforces
#     nothing until an association is added.
#   - Only rule 1 has enable_logging set; the remaining allow/deny rules leave
#     no log trail for detection or incident response.
#   - Rule 2, the "deny from 0.0.0.0/0" rule, is created with disabled=True.
project = gcp.organizations.get_project()
project_id = project.id
# NOTE(review): this is the project display name, not the project id; confirm
# it is the "{project}/{network}" form the tag purpose_data "network" field expects.
tag_network = f"{project.name}/default"

# Short aliases for the typed input classes used below.
RuleArgs = gcp.compute.RegionNetworkFirewallPolicyWithRulesRuleArgs
MatchArgs = gcp.compute.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs
Layer4Args = gcp.compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
TargetTagArgs = gcp.compute.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs
SrcTagArgs = gcp.compute.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs

# Address group with a single /32, referenced as a destination by rule 1 and
# as a source by rule 2.
address_group1 = gcp.networksecurity.AddressGroup(
    "address_group_1",
    name="address-group",
    parent=project_id,
    description="Regional address group",
    location="us-west2",
    items=["208.80.154.224/32"],
    type="IPV4",
    capacity=100,
)

# GCE_FIREWALL secure tag. The key is bound to the project's `default`
# network, whereas the VPC created below is a separate `network` resource --
# TODO confirm which VPC the tagged VMs are expected to live in.
secure_tag_key1 = gcp.tags.TagKey(
    "secure_tag_key_1",
    description="Tag key",
    parent=project_id,
    purpose="GCE_FIREWALL",
    short_name="tag-key",
    purpose_data={"network": tag_network},
)
secure_tag_value1 = gcp.tags.TagValue(
    "secure_tag_value_1",
    description="Tag value",
    parent=secure_tag_key1.id,
    short_name="tag-value",
)

# Custom-mode VPC, used by rule 3's VPC_NETWORKS source scope.
network = gcp.compute.Network(
    "network",
    name="network",
    auto_create_subnetworks=False,
)

# Rule 1 (priority 1000; lower numbers are evaluated first): allow egress
# TCP 8080/7070 from VMs carrying the secure tag to the listed destinations.
# This is the only rule that logs.
# NOTE(review): confirm how GCP combines the five destination criteria below
# before treating this as a tight allow-list.
tcp_egress_rule = RuleArgs(
    description="tcp rule",
    priority=1000,
    enable_logging=True,
    action="allow",
    direction="EGRESS",
    match=MatchArgs(
        dest_ip_ranges=["11.100.0.1/32"],
        dest_fqdns=["www.yyy.com", "www.zzz.com"],
        dest_region_codes=["HK", "IN"],
        dest_threat_intelligences=[
            "iplist-search-engines-crawlers",
            "iplist-tor-exit-nodes",
        ],
        dest_address_groups=[address_group1.id],
        layer4_configs=[Layer4Args(ip_protocol="tcp", ports=["8080", "7070"])],
    ),
    target_secure_tags=[TargetTagArgs(name=secure_tag_value1.id)],
)

# Rule 2 (priority 2000): deny all UDP ingress from the listed sources
# (including 0.0.0.0/0). It is created with disabled=True, so it exists but is
# not enforced, and logging is off. Enable both before relying on it.
udp_ingress_rule = RuleArgs(
    description="udp rule",
    rule_name="test-rule",
    priority=2000,
    enable_logging=False,
    action="deny",
    direction="INGRESS",
    disabled=True,
    match=MatchArgs(
        src_ip_ranges=["0.0.0.0/0"],
        src_fqdns=["www.abc.com", "www.def.com"],
        src_region_codes=["US", "CA"],
        src_threat_intelligences=[
            "iplist-known-malicious-ips",
            "iplist-public-clouds",
        ],
        src_address_groups=[address_group1.id],
        src_secure_tags=[SrcTagArgs(name=secure_tag_value1.id)],
        layer4_configs=[Layer4Args(ip_protocol="udp")],
    ),
)

# Rule 3 (priority 4000): allow ingress TCP 8080 from 11.100.0.1/32 when the
# traffic originates inside the listed VPC (VPC_NETWORKS scope). Logging off.
vpc_scoped_ingress_rule = RuleArgs(
    description="network scope rule 1",
    rule_name="network scope 1",
    priority=4000,
    enable_logging=False,
    action="allow",
    direction="INGRESS",
    match=MatchArgs(
        src_ip_ranges=["11.100.0.1/32"],
        src_network_scope="VPC_NETWORKS",
        src_networks=[network.id],
        layer4_configs=[Layer4Args(ip_protocol="tcp", ports=["8080"])],
    ),
)

# Rule 4 (priority 5000): allow egress TCP 8080 to 0.0.0.0/0, narrowed by the
# NON_INTERNET destination scope. Logging off.
non_internet_egress_rule = RuleArgs(
    description="network scope rule 2",
    rule_name="network scope 2",
    priority=5000,
    enable_logging=False,
    action="allow",
    direction="EGRESS",
    match=MatchArgs(
        dest_ip_ranges=["0.0.0.0/0"],
        dest_network_scope="NON_INTERNET",
        layer4_configs=[Layer4Args(ip_protocol="tcp", ports=["8080"])],
    ),
)

# The regional policy carrying the four rules above. Turning on
# enable_logging for rules 2-4 is the cheapest detection win when adapting this.
primary = gcp.compute.RegionNetworkFirewallPolicyWithRules(
    "primary",
    name="fw-policy",
    region="us-west2",
    description="Terraform test",
    rules=[
        tcp_egress_rule,
        udp_ingress_rule,
        vpc_scoped_ingress_rule,
        non_internet_egress_rule,
    ],
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
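// Regional network firewall policy example.
//
// Reviewer notes for anyone copying this into a real environment:
//  - Nothing here associates the policy with a VPC (there is no
//    RegionNetworkFirewallPolicyAssociation), so as written it enforces
//    nothing until an association is added.
//  - Only rule 1 has EnableLogging set; the remaining allow/deny rules leave
//    no log trail for detection or incident response.
//  - Rule 2, the "deny from 0.0.0.0/0" rule, is created with Disabled = true.
return await Deployment.RunAsync(() =>
{
    var project = Gcp.Organizations.GetProject.Invoke();
    // Resolved once and shared by the address group and the tag key.
    var projectId = project.Apply(getProjectResult => getProjectResult.Id);
    // Fix: the original interpolated an Output<string> straight into a C#
    // string, which formats the Output object itself rather than its value.
    // Output.Format defers the formatting until the value is resolved.
    // NOTE(review): this is the project display name, not the project id;
    // confirm it is the "{project}/{network}" form PurposeData["network"] expects.
    var tagNetwork = Output.Format($"{project.Apply(getProjectResult => getProjectResult.Name)}/default");

    // Address group with a single /32, referenced as a destination by rule 1
    // and as a source by rule 2.
    var addressGroup1 = new Gcp.NetworkSecurity.AddressGroup("address_group_1", new()
    {
        Name = "address-group",
        Parent = projectId,
        Description = "Regional address group",
        Location = "us-west2",
        Items = new[]
        {
            "208.80.154.224/32",
        },
        Type = "IPV4",
        Capacity = 100,
    });

    // GCE_FIREWALL secure tag. The key is bound to the project's `default`
    // network, whereas the VPC created below is a separate `network` resource
    // -- TODO confirm which VPC the tagged VMs are expected to live in.
    var secureTagKey1 = new Gcp.Tags.TagKey("secure_tag_key_1", new()
    {
        Description = "Tag key",
        Parent = projectId,
        Purpose = "GCE_FIREWALL",
        ShortName = "tag-key",
        PurposeData =
        {
            { "network", tagNetwork },
        },
    });

    var secureTagValue1 = new Gcp.Tags.TagValue("secure_tag_value_1", new()
    {
        Description = "Tag value",
        Parent = secureTagKey1.Id,
        ShortName = "tag-value",
    });

    // Custom-mode VPC, used by rule 3's VPC_NETWORKS source scope.
    var network = new Gcp.Compute.Network("network", new()
    {
        Name = "network",
        AutoCreateSubnetworks = false,
    });

    // The regional policy. Turning on EnableLogging for rules 2-4 is the
    // cheapest detection win when adapting this.
    var primary = new Gcp.Compute.RegionNetworkFirewallPolicyWithRules("primary", new()
    {
        Name = "fw-policy",
        Region = "us-west2",
        Description = "Terraform test",
        Rules = new[]
        {
            // Rule 1 (priority 1000; lower numbers are evaluated first): allow
            // egress TCP 8080/7070 from VMs carrying the secure tag to the
            // listed destinations. This is the only rule that logs.
            // NOTE(review): confirm how GCP combines the five destination
            // criteria below before treating this as a tight allow-list.
            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs
            {
                Description = "tcp rule",
                Priority = 1000,
                EnableLogging = true,
                Action = "allow",
                Direction = "EGRESS",
                Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs
                {
                    DestIpRanges = new[]
                    {
                        "11.100.0.1/32",
                    },
                    DestFqdns = new[]
                    {
                        "www.yyy.com",
                        "www.zzz.com",
                    },
                    DestRegionCodes = new[]
                    {
                        "HK",
                        "IN",
                    },
                    DestThreatIntelligences = new[]
                    {
                        "iplist-search-engines-crawlers",
                        "iplist-tor-exit-nodes",
                    },
                    DestAddressGroups = new[]
                    {
                        addressGroup1.Id,
                    },
                    Layer4Configs = new[]
                    {
                        new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
                        {
                            IpProtocol = "tcp",
                            Ports = new[]
                            {
                                "8080",
                                "7070",
                            },
                        },
                    },
                },
                TargetSecureTags = new[]
                {
                    new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs
                    {
                        Name = secureTagValue1.Id,
                    },
                },
            },
            // Rule 2 (priority 2000): deny all UDP ingress from the listed
            // sources (including 0.0.0.0/0). Created with Disabled = true, so
            // it exists but is not enforced, and logging is off. Enable both
            // before relying on it.
            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs
            {
                Description = "udp rule",
                RuleName = "test-rule",
                Priority = 2000,
                EnableLogging = false,
                Action = "deny",
                Direction = "INGRESS",
                Disabled = true,
                Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs
                {
                    SrcIpRanges = new[]
                    {
                        "0.0.0.0/0",
                    },
                    SrcFqdns = new[]
                    {
                        "www.abc.com",
                        "www.def.com",
                    },
                    SrcRegionCodes = new[]
                    {
                        "US",
                        "CA",
                    },
                    SrcThreatIntelligences = new[]
                    {
                        "iplist-known-malicious-ips",
                        "iplist-public-clouds",
                    },
                    SrcAddressGroups = new[]
                    {
                        addressGroup1.Id,
                    },
                    SrcSecureTags = new[]
                    {
                        new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs
                        {
                            Name = secureTagValue1.Id,
                        },
                    },
                    Layer4Configs = new[]
                    {
                        new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
                        {
                            IpProtocol = "udp",
                        },
                    },
                },
            },
            // Rule 3 (priority 4000): allow ingress TCP 8080 from
            // 11.100.0.1/32 when the traffic originates inside the listed VPC
            // (VPC_NETWORKS scope). Logging off.
            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs
            {
                Description = "network scope rule 1",
                RuleName = "network scope 1",
                Priority = 4000,
                EnableLogging = false,
                Action = "allow",
                Direction = "INGRESS",
                Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs
                {
                    SrcIpRanges = new[]
                    {
                        "11.100.0.1/32",
                    },
                    SrcNetworkScope = "VPC_NETWORKS",
                    SrcNetworks = new[]
                    {
                        network.Id,
                    },
                    Layer4Configs = new[]
                    {
                        new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
                        {
                            IpProtocol = "tcp",
                            Ports = new[]
                            {
                                "8080",
                            },
                        },
                    },
                },
            },
            // Rule 4 (priority 5000): allow egress TCP 8080 to 0.0.0.0/0,
            // narrowed by the NON_INTERNET destination scope. Logging off.
            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs
            {
                Description = "network scope rule 2",
                RuleName = "network scope 2",
                Priority = 5000,
                EnableLogging = false,
                Action = "allow",
                Direction = "EGRESS",
                Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs
                {
                    DestIpRanges = new[]
                    {
                        "0.0.0.0/0",
                    },
                    DestNetworkScope = "NON_INTERNET",
                    Layer4Configs = new[]
                    {
                        new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
                        {
                            IpProtocol = "tcp",
                            Ports = new[]
                            {
                                "8080",
                            },
                        },
                    },
                },
            },
        },
    });
});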
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
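// main declares a regional network firewall policy whose rules reference an
// address group, a GCE_FIREWALL secure tag and a custom VPC.
//
// Reviewer notes for anyone copying this into a real environment:
//   - Nothing here associates the policy with a VPC (there is no
//     RegionNetworkFirewallPolicyAssociation), so as written it enforces
//     nothing until an association is added.
//   - Only rule 1 has EnableLogging set; the remaining allow/deny rules leave
//     no log trail for detection or incident response.
//   - Rule 2, the "deny from 0.0.0.0/0" rule, is created with Disabled: true.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
		if err != nil {
			return err
		}
		// Address group with a single /32, referenced as a destination by
		// rule 1 and as a source by rule 2.
		addressGroup1, err := networksecurity.NewAddressGroup(ctx, "address_group_1", &networksecurity.AddressGroupArgs{
			Name:        pulumi.String("address-group"),
			Parent:      pulumi.String(project.Id),
			Description: pulumi.String("Regional address group"),
			Location:    pulumi.String("us-west2"),
			Items: pulumi.StringArray{
				pulumi.String("208.80.154.224/32"),
			},
			Type:     pulumi.String("IPV4"),
			Capacity: pulumi.Int(100),
		})
		if err != nil {
			return err
		}
		// GCE_FIREWALL secure tag. The key is bound to the project's
		// `default` network, whereas the VPC created below is a separate
		// `network` resource -- TODO confirm which VPC the tagged VMs are
		// expected to live in.
		//
		// Fix: the file imports "fmt" but never used it, which Go rejects at
		// compile time. project.Name is a plain string on the LookupProject
		// result, so fmt.Sprintf wrapped in pulumi.String yields the same
		// value as the previous pulumi.Sprintf call.
		// NOTE(review): this is the project display name, not the project id;
		// confirm it is the "{project}/{network}" form PurposeData["network"] expects.
		secureTagKey1, err := tags.NewTagKey(ctx, "secure_tag_key_1", &tags.TagKeyArgs{
			Description: pulumi.String("Tag key"),
			Parent:      pulumi.String(project.Id),
			Purpose:     pulumi.String("GCE_FIREWALL"),
			ShortName:   pulumi.String("tag-key"),
			PurposeData: pulumi.StringMap{
				"network": pulumi.String(fmt.Sprintf("%s/default", project.Name)),
			},
		})
		if err != nil {
			return err
		}
		secureTagValue1, err := tags.NewTagValue(ctx, "secure_tag_value_1", &tags.TagValueArgs{
			Description: pulumi.String("Tag value"),
			Parent:      secureTagKey1.ID(),
			ShortName:   pulumi.String("tag-value"),
		})
		if err != nil {
			return err
		}
		// Custom-mode VPC, used by rule 3's VPC_NETWORKS source scope.
		network, err := compute.NewNetwork(ctx, "network", &compute.NetworkArgs{
			Name:                  pulumi.String("network"),
			AutoCreateSubnetworks: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		// The regional policy. Turning on EnableLogging for rules 2-4 is the
		// cheapest detection win when adapting this.
		_, err = compute.NewRegionNetworkFirewallPolicyWithRules(ctx, "primary", &compute.RegionNetworkFirewallPolicyWithRulesArgs{
			Name:        pulumi.String("fw-policy"),
			Region:      pulumi.String("us-west2"),
			Description: pulumi.String("Terraform test"),
			Rules: compute.RegionNetworkFirewallPolicyWithRulesRuleArray{
				// Rule 1 (priority 1000; lower numbers are evaluated first):
				// allow egress TCP 8080/7070 from VMs carrying the secure tag
				// to the listed destinations. This is the only rule that logs.
				// NOTE(review): confirm how GCP combines the five destination
				// criteria below before treating this as a tight allow-list.
				&compute.RegionNetworkFirewallPolicyWithRulesRuleArgs{
					Description:   pulumi.String("tcp rule"),
					Priority:      pulumi.Int(1000),
					EnableLogging: pulumi.Bool(true),
					Action:        pulumi.String("allow"),
					Direction:     pulumi.String("EGRESS"),
					Match: &compute.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs{
						DestIpRanges: pulumi.StringArray{
							pulumi.String("11.100.0.1/32"),
						},
						DestFqdns: pulumi.StringArray{
							pulumi.String("www.yyy.com"),
							pulumi.String("www.zzz.com"),
						},
						DestRegionCodes: pulumi.StringArray{
							pulumi.String("HK"),
							pulumi.String("IN"),
						},
						DestThreatIntelligences: pulumi.StringArray{
							pulumi.String("iplist-search-engines-crawlers"),
							pulumi.String("iplist-tor-exit-nodes"),
						},
						DestAddressGroups: pulumi.StringArray{
							addressGroup1.ID(),
						},
						Layer4Configs: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
							&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
								IpProtocol: pulumi.String("tcp"),
								Ports: pulumi.StringArray{
									pulumi.String("8080"),
									pulumi.String("7070"),
								},
							},
						},
					},
					TargetSecureTags: compute.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArray{
						&compute.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs{
							Name: secureTagValue1.ID(),
						},
					},
				},
				// Rule 2 (priority 2000): deny all UDP ingress from the listed
				// sources (including 0.0.0.0/0). Created with Disabled: true,
				// so it exists but is not enforced, and logging is off. Enable
				// both before relying on it.
				&compute.RegionNetworkFirewallPolicyWithRulesRuleArgs{
					Description:   pulumi.String("udp rule"),
					RuleName:      pulumi.String("test-rule"),
					Priority:      pulumi.Int(2000),
					EnableLogging: pulumi.Bool(false),
					Action:        pulumi.String("deny"),
					Direction:     pulumi.String("INGRESS"),
					Disabled:      pulumi.Bool(true),
					Match: &compute.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs{
						SrcIpRanges: pulumi.StringArray{
							pulumi.String("0.0.0.0/0"),
						},
						SrcFqdns: pulumi.StringArray{
							pulumi.String("www.abc.com"),
							pulumi.String("www.def.com"),
						},
						SrcRegionCodes: pulumi.StringArray{
							pulumi.String("US"),
							pulumi.String("CA"),
						},
						SrcThreatIntelligences: pulumi.StringArray{
							pulumi.String("iplist-known-malicious-ips"),
							pulumi.String("iplist-public-clouds"),
						},
						SrcAddressGroups: pulumi.StringArray{
							addressGroup1.ID(),
						},
						SrcSecureTags: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArray{
							&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs{
								Name: secureTagValue1.ID(),
							},
						},
						Layer4Configs: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
							&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
								IpProtocol: pulumi.String("udp"),
							},
						},
					},
				},
				// Rule 3 (priority 4000): allow ingress TCP 8080 from
				// 11.100.0.1/32 when the traffic originates inside the listed
				// VPC (VPC_NETWORKS scope). Logging off.
				&compute.RegionNetworkFirewallPolicyWithRulesRuleArgs{
					Description:   pulumi.String("network scope rule 1"),
					RuleName:      pulumi.String("network scope 1"),
					Priority:      pulumi.Int(4000),
					EnableLogging: pulumi.Bool(false),
					Action:        pulumi.String("allow"),
					Direction:     pulumi.String("INGRESS"),
					Match: &compute.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs{
						SrcIpRanges: pulumi.StringArray{
							pulumi.String("11.100.0.1/32"),
						},
						SrcNetworkScope: pulumi.String("VPC_NETWORKS"),
						SrcNetworks: pulumi.StringArray{
							network.ID(),
						},
						Layer4Configs: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
							&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
								IpProtocol: pulumi.String("tcp"),
								Ports: pulumi.StringArray{
									pulumi.String("8080"),
								},
							},
						},
					},
				},
				// Rule 4 (priority 5000): allow egress TCP 8080 to 0.0.0.0/0,
				// narrowed by the NON_INTERNET destination scope. Logging off.
				&compute.RegionNetworkFirewallPolicyWithRulesRuleArgs{
					Description:   pulumi.String("network scope rule 2"),
					RuleName:      pulumi.String("network scope 2"),
					Priority:      pulumi.Int(5000),
					EnableLogging: pulumi.Bool(false),
					Action:        pulumi.String("allow"),
					Direction:     pulumi.String("EGRESS"),
					Match: &compute.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs{
						DestIpRanges: pulumi.StringArray{
							pulumi.String("0.0.0.0/0"),
						},
						DestNetworkScope: pulumi.String("NON_INTERNET"),
						Layer4Configs: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
							&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
								IpProtocol: pulumi.String("tcp"),
								Ports: pulumi.StringArray{
									pulumi.String("8080"),
								},
							},
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}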
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.tags.TagKey;
import com.pulumi.gcp.tags.TagKeyArgs;
import com.pulumi.gcp.tags.TagValue;
import com.pulumi.gcp.tags.TagValueArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyWithRules;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyWithRulesArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
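/**
 * Regional network firewall policy example.
 *
 * <p>Reviewer notes for anyone copying this into a real environment:
 * <ul>
 *   <li>Nothing here associates the policy with a VPC (there is no
 *       RegionNetworkFirewallPolicyAssociation), so as written it enforces
 *       nothing until an association is added.</li>
 *   <li>Only rule 1 has enableLogging set; the remaining allow/deny rules
 *       leave no log trail for detection or incident response.</li>
 *   <li>Rule 2, the "deny from 0.0.0.0/0" rule, is created with
 *       disabled(true).</li>
 * </ul>
 *
 * <p>Fix: the nested input classes used below
 * (RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs,
 * ...RuleTargetSecureTagArgs, ...RuleMatchSrcSecureTagArgs) live in
 * com.pulumi.gcp.compute.inputs and were not imported, so the listing did not
 * compile; the import block now includes them.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the address group, secure tag, VPC and the firewall policy. */
    public static void stack(Context ctx) {
        // NOTE(review): in the Pulumi Java SDK, getProject(...) returns an
        // Output<GetProjectResult> as far as I recall; if so, project.id() and
        // project.name() would need applyValue(...) and String.format below
        // would stringify the Output rather than its value -- verify this
        // compiles against the SDK version in use.
        final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
            .build());
        // Address group with a single /32, referenced as a destination by
        // rule 1 and as a source by rule 2.
        var addressGroup1 = new AddressGroup("addressGroup1", AddressGroupArgs.builder()
            .name("address-group")
            .parent(project.id())
            .description("Regional address group")
            .location("us-west2")
            .items("208.80.154.224/32")
            .type("IPV4")
            .capacity(100)
            .build());

        // GCE_FIREWALL secure tag. The key is bound to the project's `default`
        // network, whereas the VPC created below is a separate `network`
        // resource -- TODO confirm which VPC the tagged VMs are expected to
        // live in.
        // NOTE(review): purposeData uses the project display name, not the
        // project id; confirm it is the "{project}/{network}" form expected.
        var secureTagKey1 = new TagKey("secureTagKey1", TagKeyArgs.builder()
            .description("Tag key")
            .parent(project.id())
            .purpose("GCE_FIREWALL")
            .shortName("tag-key")
            .purposeData(Map.of("network", String.format("%s/default", project.name())))
            .build());

        var secureTagValue1 = new TagValue("secureTagValue1", TagValueArgs.builder()
            .description("Tag value")
            .parent(secureTagKey1.id())
            .shortName("tag-value")
            .build());

        // Custom-mode VPC, used by rule 3's VPC_NETWORKS source scope.
        var network = new Network("network", NetworkArgs.builder()
            .name("network")
            .autoCreateSubnetworks(false)
            .build());

        // The regional policy. Turning on enableLogging for rules 2-4 is the
        // cheapest detection win when adapting this.
        var primary = new RegionNetworkFirewallPolicyWithRules("primary", RegionNetworkFirewallPolicyWithRulesArgs.builder()
            .name("fw-policy")
            .region("us-west2")
            .description("Terraform test")
            .rules(
                // Rule 1 (priority 1000; lower numbers are evaluated first):
                // allow egress TCP 8080/7070 from VMs carrying the secure tag
                // to the listed destinations. This is the only rule that logs.
                // NOTE(review): confirm how GCP combines the five destination
                // criteria below before treating this as a tight allow-list.
                RegionNetworkFirewallPolicyWithRulesRuleArgs.builder()
                    .description("tcp rule")
                    .priority(1000)
                    .enableLogging(true)
                    .action("allow")
                    .direction("EGRESS")
                    .match(RegionNetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
                        .destIpRanges("11.100.0.1/32")
                        .destFqdns(
                            "www.yyy.com",
                            "www.zzz.com")
                        .destRegionCodes(
                            "HK",
                            "IN")
                        .destThreatIntelligences(
                            "iplist-search-engines-crawlers",
                            "iplist-tor-exit-nodes")
                        .destAddressGroups(addressGroup1.id())
                        .layer4Configs(RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
                            .ipProtocol("tcp")
                            .ports(
                                "8080",
                                "7070")
                            .build())
                        .build())
                    .targetSecureTags(RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs.builder()
                        .name(secureTagValue1.id())
                        .build())
                    .build(),
                // Rule 2 (priority 2000): deny all UDP ingress from the listed
                // sources (including 0.0.0.0/0). Created with disabled(true),
                // so it exists but is not enforced, and logging is off. Enable
                // both before relying on it.
                RegionNetworkFirewallPolicyWithRulesRuleArgs.builder()
                    .description("udp rule")
                    .ruleName("test-rule")
                    .priority(2000)
                    .enableLogging(false)
                    .action("deny")
                    .direction("INGRESS")
                    .disabled(true)
                    .match(RegionNetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
                        .srcIpRanges("0.0.0.0/0")
                        .srcFqdns(
                            "www.abc.com",
                            "www.def.com")
                        .srcRegionCodes(
                            "US",
                            "CA")
                        .srcThreatIntelligences(
                            "iplist-known-malicious-ips",
                            "iplist-public-clouds")
                        .srcAddressGroups(addressGroup1.id())
                        .srcSecureTags(RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs.builder()
                            .name(secureTagValue1.id())
                            .build())
                        .layer4Configs(RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
                            .ipProtocol("udp")
                            .build())
                        .build())
                    .build(),
                // Rule 3 (priority 4000): allow ingress TCP 8080 from
                // 11.100.0.1/32 when the traffic originates inside the listed
                // VPC (VPC_NETWORKS scope). Logging off.
                RegionNetworkFirewallPolicyWithRulesRuleArgs.builder()
                    .description("network scope rule 1")
                    .ruleName("network scope 1")
                    .priority(4000)
                    .enableLogging(false)
                    .action("allow")
                    .direction("INGRESS")
                    .match(RegionNetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
                        .srcIpRanges("11.100.0.1/32")
                        .srcNetworkScope("VPC_NETWORKS")
                        .srcNetworks(network.id())
                        .layer4Configs(RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
                            .ipProtocol("tcp")
                            .ports("8080")
                            .build())
                        .build())
                    .build(),
                // Rule 4 (priority 5000): allow egress TCP 8080 to 0.0.0.0/0,
                // narrowed by the NON_INTERNET destination scope. Logging off.
                RegionNetworkFirewallPolicyWithRulesRuleArgs.builder()
                    .description("network scope rule 2")
                    .ruleName("network scope 2")
                    .priority(5000)
                    .enableLogging(false)
                    .action("allow")
                    .direction("EGRESS")
                    .match(RegionNetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
                        .destIpRanges("0.0.0.0/0")
                        .destNetworkScope("NON_INTERNET")
                        .layer4Configs(RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
                            .ipProtocol("tcp")
                            .ports("8080")
                            .build())
                        .build())
                    .build())
            .build());
    }
}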
# Regional network firewall policy example.
#
# Reviewer notes for anyone copying this into a real environment:
#   - Nothing here associates the policy with a VPC (there is no
#     RegionNetworkFirewallPolicyAssociation), so as written it enforces
#     nothing until an association is added.
#   - Only rule 1 has enableLogging set; the remaining allow/deny rules leave
#     no log trail for detection or incident response.
#   - Rule 2, the "deny from 0.0.0.0/0" rule, is created with disabled: true.
#
# Resources are listed in dependency order; Pulumi YAML orders them by
# reference, not by position.
resources:
  # Address group with a single /32, referenced as a destination by rule 1
  # and as a source by rule 2.
  addressGroup1:
    type: gcp:networksecurity:AddressGroup
    name: address_group_1
    properties:
      name: address-group
      parent: ${project.id}
      description: Regional address group
      location: us-west2
      items:
        - 208.80.154.224/32
      type: IPV4
      capacity: 100
  # GCE_FIREWALL secure tag. The key is bound to the project's `default`
  # network, whereas the VPC declared below is a separate `network` resource
  # -- TODO confirm which VPC the tagged VMs are expected to live in.
  # NOTE(review): purposeData uses the project display name, not the project
  # id; confirm it is the "{project}/{network}" form expected.
  secureTagKey1:
    type: gcp:tags:TagKey
    name: secure_tag_key_1
    properties:
      description: Tag key
      parent: ${project.id}
      purpose: GCE_FIREWALL
      shortName: tag-key
      purposeData:
        network: ${project.name}/default
  secureTagValue1:
    type: gcp:tags:TagValue
    name: secure_tag_value_1
    properties:
      description: Tag value
      parent: ${secureTagKey1.id}
      shortName: tag-value
  # Custom-mode VPC, used by rule 3's VPC_NETWORKS source scope.
  network:
    type: gcp:compute:Network
    properties:
      name: network
      autoCreateSubnetworks: false
  # The regional policy. Turning on enableLogging for rules 2-4 is the
  # cheapest detection win when adapting this.
  primary:
    type: gcp:compute:RegionNetworkFirewallPolicyWithRules
    properties:
      name: fw-policy
      region: us-west2
      description: Terraform test
      rules:
        # Rule 1 (priority 1000; lower numbers are evaluated first): allow
        # egress TCP 8080/7070 from VMs carrying the secure tag to the listed
        # destinations. This is the only rule that logs.
        # NOTE(review): confirm how GCP combines the five destination
        # criteria below before treating this as a tight allow-list.
        - description: tcp rule
          priority: 1000
          enableLogging: true
          action: allow
          direction: EGRESS
          match:
            destIpRanges:
              - 11.100.0.1/32
            destFqdns:
              - www.yyy.com
              - www.zzz.com
            destRegionCodes:
              - HK
              - IN
            destThreatIntelligences:
              - iplist-search-engines-crawlers
              - iplist-tor-exit-nodes
            destAddressGroups:
              - ${addressGroup1.id}
            layer4Configs:
              - ipProtocol: tcp
                ports:
                  - 8080
                  - 7070
          targetSecureTags:
            - name: ${secureTagValue1.id}
        # Rule 2 (priority 2000): deny all UDP ingress from the listed sources
        # (including 0.0.0.0/0). Created with disabled: true, so it exists but
        # is not enforced, and logging is off. Enable both before relying on it.
        - description: udp rule
          ruleName: test-rule
          priority: 2000
          enableLogging: false
          action: deny
          direction: INGRESS
          disabled: true
          match:
            srcIpRanges:
              - 0.0.0.0/0
            srcFqdns:
              - www.abc.com
              - www.def.com
            srcRegionCodes:
              - US
              - CA
            srcThreatIntelligences:
              - iplist-known-malicious-ips
              - iplist-public-clouds
            srcAddressGroups:
              - ${addressGroup1.id}
            srcSecureTags:
              - name: ${secureTagValue1.id}
            layer4Configs:
              - ipProtocol: udp
        # Rule 3 (priority 4000): allow ingress TCP 8080 from 11.100.0.1/32
        # when the traffic originates inside the listed VPC (VPC_NETWORKS
        # scope). Logging off.
        - description: network scope rule 1
          ruleName: network scope 1
          priority: 4000
          enableLogging: false
          action: allow
          direction: INGRESS
          match:
            srcIpRanges:
              - 11.100.0.1/32
            srcNetworkScope: VPC_NETWORKS
            srcNetworks:
              - ${network.id}
            layer4Configs:
              - ipProtocol: tcp
                ports:
                  - 8080
        # Rule 4 (priority 5000): allow egress TCP 8080 to 0.0.0.0/0, narrowed
        # by the NON_INTERNET destination scope. Logging off.
        - description: network scope rule 2
          ruleName: network scope 2
          priority: 5000
          enableLogging: false
          action: allow
          direction: EGRESS
          match:
            destIpRanges:
              - 0.0.0.0/0
            destNetworkScope: NON_INTERNET
            layer4Configs:
              - ipProtocol: tcp
                ports:
                  - 8080
variables:
  # Current project, used for the address group / tag key parent and the tag
  # key's network binding.
  project:
    fn::invoke:
      function: gcp:organizations:getProject
      arguments: {}
Import
RegionNetworkFirewallPolicyWithRules can be imported using any of these accepted formats:
projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}
{{project}}/{{region}}/{{name}}
{{region}}/{{name}}
{{name}}
When using the `pulumi import` command, RegionNetworkFirewallPolicyWithRules can be imported using one of the formats above. For example:
$ pulumi import gcp:compute/regionNetworkFirewallPolicyWithRules:RegionNetworkFirewallPolicyWithRules default projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}
$ pulumi import gcp:compute/regionNetworkFirewallPolicyWithRules:RegionNetworkFirewallPolicyWithRules default {{project}}/{{region}}/{{name}}
$ pulumi import gcp:compute/regionNetworkFirewallPolicyWithRules:RegionNetworkFirewallPolicyWithRules default {{region}}/{{name}}
$ pulumi import gcp:compute/regionNetworkFirewallPolicyWithRules:RegionNetworkFirewallPolicyWithRules default {{name}}
Properties
Creation timestamp in RFC3339 text format.
(Output) A description of the rule.
Fingerprint of the resource. This field is used internally during updates of this resource.
User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
The unique identifier for the resource. This identifier is defined by the server.
A list of firewall policy pre-defined rules. Structure is documented below.
A list of firewall policy rules. Structure is documented below.
Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
Server-defined URL for this resource with the resource id.