@pulumi/gcp

import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Represents a rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (allow or deny). * * To get more information about FirewallPolicyRule, see: * * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies/addRule) * * ## Example Usage * * ### Firewall Policy Rule * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const basicGlobalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group", { * name: "address-group", * parent: "organizations/123456789", * description: "Sample global networksecurity_address_group", * location: "global", * items: ["208.80.154.224/32"], * type: "IPV4", * capacity: 100, * }); * const folder = new gcp.organizations.Folder("folder", { * displayName: "folder", * parent: "organizations/123456789", * deletionProtection: false, * }); * const _default = new gcp.compute.FirewallPolicy("default", { * parent: folder.id, * shortName: "fw-policy", * description: "Resource created for Terraform acceptance testing", * }); * const primary = new gcp.compute.FirewallPolicyRule("primary", { * firewallPolicy: _default.name, * description: "Resource created for Terraform acceptance testing", * priority: 9000, * enableLogging: true, * action: "allow", * direction: "EGRESS", * disabled: false, * targetServiceAccounts: ["my@service-account.com"], * match: { * destIpRanges: ["11.100.0.1/32"], * destFqdns: [], * destRegionCodes: ["US"], * destThreatIntelligences: ["iplist-known-malicious-ips"], * srcAddressGroups: [], * destAddressGroups: [basicGlobalNetworksecurityAddressGroup.id], * layer4Configs: [ * { * ipProtocol: "tcp", * ports: ["8080"], * }, * { * ipProtocol: "udp", * ports: ["22"], * }, * ], * }, * }); * ``` * ### Firewall Policy Rule Network Scope * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const folder = new gcp.organizations.Folder("folder", { * displayName: "folder", * parent: "organizations/123456789", * deletionProtection: false, * }); * const _default = new gcp.compute.FirewallPolicy("default", { * parent: folder.id, * shortName: "fw-policy", * description: "Firewall policy", * }); * const network = new gcp.compute.Network("network", { * name: "network", * autoCreateSubnetworks: false, * }); * const primary = new gcp.compute.FirewallPolicyRule("primary", { * firewallPolicy: _default.name, * description: "Firewall policy rule with network scope", * priority: 9000, * action: "allow", * direction: "INGRESS", * disabled: false, * match: { * srcIpRanges: ["11.100.0.1/32"], * srcNetworkScope: "VPC_NETWORKS", * srcNetworks: [network.id], * layer4Configs: [ * { * ipProtocol: "tcp", * ports: ["8080"], * }, * { * ipProtocol: "udp", * ports: ["22"], * }, * ], * }, * }); * ``` * * ## Import * * FirewallPolicyRule can be imported using any of these accepted formats: * * * `locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}` * * * `{{firewall_policy}}/{{priority}}` * * When using the `pulumi import` command, FirewallPolicyRule can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/firewallPolicyRule:FirewallPolicyRule default {{firewall_policy}}/{{priority}} * ``` */ export declare class FirewallPolicyRule extends pulumi.CustomResource { /** * Get an existing FirewallPolicyRule resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: FirewallPolicyRuleState, opts?: pulumi.CustomResourceOptions): FirewallPolicyRule; /** * Returns true if the given object is an instance of FirewallPolicyRule. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is FirewallPolicyRule; /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ readonly action: pulumi.Output<string>; /** * Creation timestamp in RFC3339 text format. */ readonly creationTimestamp: pulumi.Output<string>; /** * An optional description for this resource. */ readonly description: pulumi.Output<string | undefined>; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ readonly direction: pulumi.Output<string>; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ readonly disabled: pulumi.Output<boolean | undefined>; /** * Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured * export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on * "gotoNext" rules. */ readonly enableLogging: pulumi.Output<boolean | undefined>; /** * The firewall policy of the resource. */ readonly firewallPolicy: pulumi.Output<string>; /** * Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules */ readonly kind: pulumi.Output<string>; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ readonly match: pulumi.Output<outputs.compute.FirewallPolicyRuleMatch>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ readonly priority: pulumi.Output<number>; /** * Calculation of the complexity of a single firewall policy rule. */ readonly ruleTupleCount: pulumi.Output<number>; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. */ readonly securityProfileGroup: pulumi.Output<string | undefined>; /** * A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get * this rule. If this field is left blank, all VMs within the organization will receive the rule. */ readonly targetResources: pulumi.Output<string[] | undefined>; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ readonly targetServiceAccounts: pulumi.Output<string[] | undefined>; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = * 'apply_security_profile_group' and cannot be set for other actions. */ readonly tlsInspect: pulumi.Output<boolean | undefined>; /** * Create a FirewallPolicyRule resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: FirewallPolicyRuleArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering FirewallPolicyRule resources. */ export interface FirewallPolicyRuleState { /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ action?: pulumi.Input<string>; /** * Creation timestamp in RFC3339 text format. */ creationTimestamp?: pulumi.Input<string>; /** * An optional description for this resource. */ description?: pulumi.Input<string>; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ direction?: pulumi.Input<string>; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ disabled?: pulumi.Input<boolean>; /** * Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured * export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on * "gotoNext" rules. */ enableLogging?: pulumi.Input<boolean>; /** * The firewall policy of the resource. */ firewallPolicy?: pulumi.Input<string>; /** * Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules */ kind?: pulumi.Input<string>; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input<inputs.compute.FirewallPolicyRuleMatch>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ priority?: pulumi.Input<number>; /** * Calculation of the complexity of a single firewall policy rule. */ ruleTupleCount?: pulumi.Input<number>; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. */ securityProfileGroup?: pulumi.Input<string>; /** * A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get * this rule. If this field is left blank, all VMs within the organization will receive the rule. */ targetResources?: pulumi.Input<pulumi.Input<string>[]>; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ targetServiceAccounts?: pulumi.Input<pulumi.Input<string>[]>; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = * 'apply_security_profile_group' and cannot be set for other actions. */ tlsInspect?: pulumi.Input<boolean>; } /** * The set of arguments for constructing a FirewallPolicyRule resource. */ export interface FirewallPolicyRuleArgs { /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ action: pulumi.Input<string>; /** * An optional description for this resource. */ description?: pulumi.Input<string>; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ direction: pulumi.Input<string>; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ disabled?: pulumi.Input<boolean>; /** * Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured * export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on * "gotoNext" rules. */ enableLogging?: pulumi.Input<boolean>; /** * The firewall policy of the resource. */ firewallPolicy: pulumi.Input<string>; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match: pulumi.Input<inputs.compute.FirewallPolicyRuleMatch>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ priority: pulumi.Input<number>; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. */ securityProfileGroup?: pulumi.Input<string>; /** * A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get * this rule. If this field is left blank, all VMs within the organization will receive the rule. */ targetResources?: pulumi.Input<pulumi.Input<string>[]>; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ targetServiceAccounts?: pulumi.Input<pulumi.Input<string>[]>; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = * 'apply_security_profile_group' and cannot be set for other actions. */ tlsInspect?: pulumi.Input<boolean>; }