@pulumi/gcp

import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Represents a rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (allow or deny). * * To get more information about RegionNetworkFirewallPolicyRule, see: * * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/regionNetworkFirewallPolicies/addRule) * * ## Example Usage * * ### Region Network Firewall Policy Rule * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const basicRegionalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_regional_networksecurity_address_group", { * name: "address-group", * parent: "projects/my-project-name", * description: "Sample regional networksecurity_address_group", * location: "us-west1", * items: ["208.80.154.224/32"], * type: "IPV4", * capacity: 100, * }); * const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", { * name: "fw-policy", * description: "Sample regional network firewall policy", * project: "my-project-name", * region: "us-west1", * }); * const basicNetwork = new gcp.compute.Network("basic_network", {name: "network"}); * const basicKey = new gcp.tags.TagKey("basic_key", { * description: "For keyname resources.", * parent: "organizations/123456789", * purpose: "GCE_FIREWALL", * shortName: "tag-key", * purposeData: { * network: pulumi.interpolate`my-project-name/${basicNetwork.name}`, * }, * }); * const basicValue = new gcp.tags.TagValue("basic_value", { * description: "For valuename resources.", * parent: basicKey.id, * shortName: "tag-value", * }); * const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", { * action: "allow", * description: "This is a simple rule description", * direction: "INGRESS", * disabled: false, * enableLogging: true, * firewallPolicy: basicRegionalNetworkFirewallPolicy.name, * priority: 1000, * region: "us-west1", * ruleName: "test-rule", * targetServiceAccounts: ["my@service-account.com"], * match: { * srcAddressGroups: [basicRegionalNetworksecurityAddressGroup.id], * srcIpRanges: ["10.100.0.1/32"], * srcFqdns: ["example.com"], * srcRegionCodes: ["US"], * srcThreatIntelligences: ["iplist-known-malicious-ips"], * layer4Configs: [{ * ipProtocol: "all", * }], * srcSecureTags: [{ * name: basicValue.id, * }], * }, * }); * ``` * ### Region Network Firewall Policy Rule Network Scope Egress * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", { * name: "fw-policy", * description: "Sample regional network firewall policy", * project: "my-project-name", * region: "us-west1", * }); * const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", { * action: "allow", * description: "This is a simple rule description", * direction: "EGRESS", * disabled: false, * enableLogging: true, * firewallPolicy: basicRegionalNetworkFirewallPolicy.name, * priority: 1000, * region: "us-west1", * ruleName: "test-rule", * match: { * destIpRanges: ["10.100.0.1/32"], * destNetworkScope: "INTERNET", * layer4Configs: [{ * ipProtocol: "all", * }], * }, * }); * ``` * ### Region Network Firewall Policy Rule Network Scope Ingress * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", { * name: "fw-policy", * description: "Sample regional network firewall policy", * project: "my-project-name", * region: "us-west1", * }); * const network = new gcp.compute.Network("network", {name: "network"}); * const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", { * action: "allow", * description: "This is a simple rule description", * direction: "INGRESS", * disabled: false, * enableLogging: true, * firewallPolicy: basicRegionalNetworkFirewallPolicy.name, * priority: 1000, * region: "us-west1", * ruleName: "test-rule", * match: { * srcIpRanges: ["10.100.0.1/32"], * srcNetworkScope: "VPC_NETWORKS", * srcNetworks: [network.id], * layer4Configs: [{ * ipProtocol: "all", * }], * }, * }); * ``` * * ## Import * * RegionNetworkFirewallPolicyRule can be imported using any of these accepted formats: * * * `projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}}` * * * `{{project}}/{{region}}/{{firewall_policy}}/{{priority}}` * * * `{{region}}/{{firewall_policy}}/{{priority}}` * * * `{{firewall_policy}}/{{priority}}` * * When using the `pulumi import` command, RegionNetworkFirewallPolicyRule can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{project}}/{{region}}/{{firewall_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{region}}/{{firewall_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{firewall_policy}}/{{priority}} * ``` */ export declare class RegionNetworkFirewallPolicyRule extends pulumi.CustomResource { /** * Get an existing RegionNetworkFirewallPolicyRule resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RegionNetworkFirewallPolicyRuleState, opts?: pulumi.CustomResourceOptions): RegionNetworkFirewallPolicyRule; /** * Returns true if the given object is an instance of RegionNetworkFirewallPolicyRule. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is RegionNetworkFirewallPolicyRule; /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ readonly action: pulumi.Output<string>; /** * Creation timestamp in RFC3339 text format. */ readonly creationTimestamp: pulumi.Output<string>; /** * An optional description for this resource. */ readonly description: pulumi.Output<string | undefined>; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ readonly direction: pulumi.Output<string>; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ readonly disabled: pulumi.Output<boolean | undefined>; /** * Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured * export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on * "gotoNext" rules. */ readonly enableLogging: pulumi.Output<boolean | undefined>; /** * The firewall policy of the resource. */ readonly firewallPolicy: pulumi.Output<string>; /** * Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules */ readonly kind: pulumi.Output<string>; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ readonly match: pulumi.Output<outputs.compute.RegionNetworkFirewallPolicyRuleMatch>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ readonly priority: pulumi.Output<number>; readonly project: pulumi.Output<string>; /** * The location of this resource. */ readonly region: pulumi.Output<string>; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ readonly ruleName: pulumi.Output<string | undefined>; /** * Calculation of the complexity of a single firewall policy rule. */ readonly ruleTupleCount: pulumi.Output<number>; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. Security Profile * Group and Firewall Policy Rule must be in the same scope. */ readonly securityProfileGroup: pulumi.Output<string | undefined>; /** * A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then * the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the * targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same * time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule * applies to all instances on the specified network. Maximum number of target label tags allowed is 256. */ readonly targetSecureTags: pulumi.Output<outputs.compute.RegionNetworkFirewallPolicyRuleTargetSecureTag[] | undefined>; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ readonly targetServiceAccounts: pulumi.Output<string[] | undefined>; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = * 'apply_security_profile_group' and cannot be set for other actions. */ readonly tlsInspect: pulumi.Output<boolean | undefined>; /** * Create a RegionNetworkFirewallPolicyRule resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: RegionNetworkFirewallPolicyRuleArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering RegionNetworkFirewallPolicyRule resources. */ export interface RegionNetworkFirewallPolicyRuleState { /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ action?: pulumi.Input<string>; /** * Creation timestamp in RFC3339 text format. */ creationTimestamp?: pulumi.Input<string>; /** * An optional description for this resource. */ description?: pulumi.Input<string>; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ direction?: pulumi.Input<string>; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ disabled?: pulumi.Input<boolean>; /** * Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured * export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on * "gotoNext" rules. */ enableLogging?: pulumi.Input<boolean>; /** * The firewall policy of the resource. */ firewallPolicy?: pulumi.Input<string>; /** * Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules */ kind?: pulumi.Input<string>; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input<inputs.compute.RegionNetworkFirewallPolicyRuleMatch>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ priority?: pulumi.Input<number>; project?: pulumi.Input<string>; /** * The location of this resource. */ region?: pulumi.Input<string>; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ ruleName?: pulumi.Input<string>; /** * Calculation of the complexity of a single firewall policy rule. */ ruleTupleCount?: pulumi.Input<number>; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. Security Profile * Group and Firewall Policy Rule must be in the same scope. */ securityProfileGroup?: pulumi.Input<string>; /** * A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then * the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the * targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same * time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule * applies to all instances on the specified network. Maximum number of target label tags allowed is 256. */ targetSecureTags?: pulumi.Input<pulumi.Input<inputs.compute.RegionNetworkFirewallPolicyRuleTargetSecureTag>[]>; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ targetServiceAccounts?: pulumi.Input<pulumi.Input<string>[]>; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = * 'apply_security_profile_group' and cannot be set for other actions. */ tlsInspect?: pulumi.Input<boolean>; } /** * The set of arguments for constructing a RegionNetworkFirewallPolicyRule resource. */ export interface RegionNetworkFirewallPolicyRuleArgs { /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ action: pulumi.Input<string>; /** * An optional description for this resource. */ description?: pulumi.Input<string>; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ direction: pulumi.Input<string>; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ disabled?: pulumi.Input<boolean>; /** * Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured * export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on * "gotoNext" rules. */ enableLogging?: pulumi.Input<boolean>; /** * The firewall policy of the resource. */ firewallPolicy: pulumi.Input<string>; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match: pulumi.Input<inputs.compute.RegionNetworkFirewallPolicyRuleMatch>; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ priority: pulumi.Input<number>; project?: pulumi.Input<string>; /** * The location of this resource. */ region?: pulumi.Input<string>; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ ruleName?: pulumi.Input<string>; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. Security Profile * Group and Firewall Policy Rule must be in the same scope. */ securityProfileGroup?: pulumi.Input<string>; /** * A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then * the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the * targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same * time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule * applies to all instances on the specified network. Maximum number of target label tags allowed is 256. */ targetSecureTags?: pulumi.Input<pulumi.Input<inputs.compute.RegionNetworkFirewallPolicyRuleTargetSecureTag>[]>; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ targetServiceAccounts?: pulumi.Input<pulumi.Input<string>[]>; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = * 'apply_security_profile_group' and cannot be set for other actions. */ tlsInspect?: pulumi.Input<boolean>; }