import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Represents a rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (allow or deny).
 *
 * A rule belongs to a `NetworkFirewallPolicy` and is identified within that policy by its `priority`
 * (see the import formats below, which address a rule as `rules/{{priority}}`). Rules are evaluated from
 * priority 0 (highest) to 2147483647 (lowest); the first rule whose `match` evaluates to true decides the
 * `action` for that connection.
 *
 * Security notes for authors of rules:
 * - If neither `targetServiceAccounts` nor `targetSecureTags` is set, the rule applies to every instance on the
 *   network (see the `targetSecureTags` docs). Scope `allow` rules to a target set wherever possible.
 * - `disabled: true` makes the rule behave as if it did not exist, so disabling a `deny` rule can expose traffic
 *   that a lower-priority `allow` rule permits.
 * - `enableLogging: true` is what makes hits on the rule visible in logs; keep it on for `allow`/`deny` rules
 *   unless log volume is a concern (it cannot be set on `gotoNext` rules).
 *
 * To get more information about NetworkFirewallPolicyRule, see:
 *
 * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/networkFirewallPolicies/addRule)
 *
 * ## Example Usage
 *
 * ### Network Firewall Policy Rule
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const basicGlobalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group", {
 *     name: "address-group",
 *     parent: "projects/my-project-name",
 *     description: "Sample global networksecurity_address_group",
 *     location: "global",
 *     items: ["208.80.154.224/32"],
 *     type: "IPV4",
 *     capacity: 100,
 * });
 * const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", {
 *     name: "fw-policy",
 *     description: "Sample global network firewall policy",
 *     project: "my-project-name",
 * });
 * const basicNetwork = new gcp.compute.Network("basic_network", {name: "network"});
 * const basicKey = new gcp.tags.TagKey("basic_key", {
 *     description: "For keyname resources.",
 *     parent: "organizations/123456789",
 *     purpose: "GCE_FIREWALL",
 *     shortName: "tag-key",
 *     purposeData: {
 *         network: pulumi.interpolate`my-project-name/${basicNetwork.name}`,
 *     },
 * });
 * const basicValue = new gcp.tags.TagValue("basic_value", {
 *     description: "For valuename resources.",
 *     parent: basicKey.id,
 *     shortName: "tag-value",
 * });
 * // NOTE(review): this example exercises every `src*` match field at once. In particular it pairs
 * // `action: "allow"` with a threat-intelligence list of known-malicious IPs and `ipProtocol: "all"`;
 * // in a real policy a threat-intelligence match belongs on a `deny` rule, and allow rules should list
 * // only the protocols/ports the workload needs.
 * const primary = new gcp.compute.NetworkFirewallPolicyRule("primary", {
 *     action: "allow",
 *     description: "This is a simple rule description",
 *     direction: "INGRESS",
 *     disabled: false,
 *     enableLogging: true,
 *     firewallPolicy: basicNetworkFirewallPolicy.name,
 *     priority: 1000,
 *     ruleName: "test-rule",
 *     targetServiceAccounts: ["my@service-account.com"],
 *     match: {
 *         srcAddressGroups: [basicGlobalNetworksecurityAddressGroup.id],
 *         srcIpRanges: ["10.100.0.1/32"],
 *         srcFqdns: ["google.com"],
 *         srcRegionCodes: ["US"],
 *         srcThreatIntelligences: ["iplist-known-malicious-ips"],
 *         srcSecureTags: [{
 *             name: basicValue.id,
 *         }],
 *         layer4Configs: [{
 *             ipProtocol: "all",
 *         }],
 *     },
 * });
 * ```
 * ### Network Firewall Policy Rule Network Scope Egress
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", {
 *     name: "fw-policy",
 *     description: "Sample global network firewall policy",
 *     project: "my-project-name",
 * });
 * // No target is set here, so this egress allow applies to every instance on the network.
 * const primary = new gcp.compute.NetworkFirewallPolicyRule("primary", {
 *     action: "allow",
 *     description: "This is a simple rule description",
 *     direction: "EGRESS",
 *     disabled: false,
 *     enableLogging: true,
 *     firewallPolicy: basicNetworkFirewallPolicy.name,
 *     priority: 1000,
 *     ruleName: "test-rule",
 *     match: {
 *         destIpRanges: ["10.100.0.1/32"],
 *         destNetworkScope: "INTERNET",
 *         layer4Configs: [{
 *             ipProtocol: "all",
 *         }],
 *     },
 * });
 * ```
 * ### Network Firewall Policy Rule Network Scope Ingress
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", {
 *     name: "fw-policy",
 *     description: "Sample global network firewall policy",
 *     project: "my-project-name",
 * });
 * const network = new gcp.compute.Network("network", {name: "network"});
 * const primary = new gcp.compute.NetworkFirewallPolicyRule("primary", {
 *     action: "allow",
 *     description: "This is a simple rule description",
 *     direction: "INGRESS",
 *     disabled: false,
 *     enableLogging: true,
 *     firewallPolicy: basicNetworkFirewallPolicy.name,
 *     priority: 1000,
 *     ruleName: "test-rule",
 *     match: {
 *         srcIpRanges: ["11.100.0.1/32"],
 *         srcNetworkScope: "VPC_NETWORKS",
 *         srcNetworks: [network.id],
 *         layer4Configs: [{
 *             ipProtocol: "all",
 *         }],
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * NetworkFirewallPolicyRule can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}`
 *
 * * `{{project}}/{{firewall_policy}}/{{priority}}`
 *
 * * `{{firewall_policy}}/{{priority}}`
 *
 * When using the `pulumi import` command, NetworkFirewallPolicyRule can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default {{project}}/{{firewall_policy}}/{{priority}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:compute/networkFirewallPolicyRule:NetworkFirewallPolicyRule default {{firewall_policy}}/{{priority}}
 * ```
 */
export declare class NetworkFirewallPolicyRule extends pulumi.CustomResource {
    /**
     * Get an existing NetworkFirewallPolicyRule resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: NetworkFirewallPolicyRuleState, opts?: pulumi.CustomResourceOptions): NetworkFirewallPolicyRule;
    /**
     * Returns true if the given object is an instance of NetworkFirewallPolicyRule. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is NetworkFirewallPolicyRule;
    /**
     * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup".
     * NOTE(review): the `securityProfileGroup` and `tlsInspect` docs in this file spell the same action
     * `apply_security_profile_group`; confirm against the API which spelling is accepted before relying on either.
     * The type is a plain `string`, so an unknown action is only rejected at deploy time, not by the compiler.
     */
    readonly action: pulumi.Output<string>;
    /**
     * Creation timestamp in RFC3339 text format.
     */
    readonly creationTimestamp: pulumi.Output<string>;
    /**
     * An optional description for this resource.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * The direction in which this rule applies.
     * Possible values are: `INGRESS`, `EGRESS`.
     */
    readonly direction: pulumi.Output<string>;
    /**
     * Denotes whether the firewall policy rule is disabled.
     * When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist.
     * If this is unspecified, the firewall policy rule will be enabled.
     * Because a disabled rule is skipped during evaluation, disabling a `deny` rule can let traffic through to a
     * lower-priority `allow` rule.
     */
    readonly disabled: pulumi.Output<boolean | undefined>;
    /**
     * Denotes whether to enable logging for a particular rule.
     * If logging is enabled, logs will be exported to the configured export destination in Cloud Logging (formerly Stackdriver).
     * Logs may be exported to BigQuery or Pub/Sub.
     * Note: you cannot enable logging on "gotoNext" rules.
     * Leaving this unset (the default) means hits on this rule are not recorded, which makes the rule hard to audit.
     */
    readonly enableLogging: pulumi.Output<boolean | undefined>;
    /**
     * The firewall policy of the resource.
     */
    readonly firewallPolicy: pulumi.Output<string>;
    /**
     * Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules
     */
    readonly kind: pulumi.Output<string>;
    /**
     * A match condition that traffic in the rule's `direction` is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
     * Structure is documented below.
     */
    readonly match: pulumi.Output<outputs.compute.NetworkFirewallPolicyRuleMatch>;
    /**
     * An integer indicating the priority of a rule in the list.
     * The priority must be an integer between 0 and 2147483647 (inclusive).
     * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
     * The priority also identifies the rule within its policy (see the import formats above), so two rules in the
     * same policy presumably cannot share a priority — confirm against the API.
     */
    readonly priority: pulumi.Output<number>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * An optional name for the rule. This field is not a unique identifier and can be updated.
     */
    readonly ruleName: pulumi.Output<string | undefined>;
    /**
     * Calculation of the complexity of a single firewall policy rule.
     */
    readonly ruleTupleCount: pulumi.Output<number>;
    /**
     * A fully-qualified URL of a SecurityProfileGroup resource instance.
     * Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
     * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
     */
    readonly securityProfileGroup: pulumi.Output<string | undefined>;
    /**
     * A list of secure tags that controls which instances the firewall rule applies to.
     * If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored.
     * targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
     * Structure is documented below.
     * Note the "applies to all instances" default: an `allow` rule with no target set is network-wide.
     */
    readonly targetSecureTags: pulumi.Output<outputs.compute.NetworkFirewallPolicyRuleTargetSecureTag[] | undefined>;
    /**
     * A list of service accounts indicating the sets of instances that are applied with this rule.
     * Mutually exclusive with targetSecureTags (see above).
     */
    readonly targetServiceAccounts: pulumi.Output<string[] | undefined>;
    /**
     * Boolean flag indicating if the traffic should be TLS decrypted.
     * Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
     * When true, the inspecting firewall sees the plaintext of matched connections; scope the match narrowly.
     * NOTE(review): this file does not show what else (e.g. a TLS inspection policy) must be configured for
     * decryption to take effect — verify with the API documentation.
     */
    readonly tlsInspect: pulumi.Output<boolean | undefined>;
    /**
     * Create a NetworkFirewallPolicyRule resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: NetworkFirewallPolicyRuleArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering NetworkFirewallPolicyRule resources.
 * Every field is optional here because this shape describes previously-read state, not a new resource.
 */
export interface NetworkFirewallPolicyRuleState {
    /**
     * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup".
     * NOTE(review): see the spelling caveat on the class property of the same name.
     */
    action?: pulumi.Input<string>;
    /**
     * Creation timestamp in RFC3339 text format.
     */
    creationTimestamp?: pulumi.Input<string>;
    /**
     * An optional description for this resource.
     */
    description?: pulumi.Input<string>;
    /**
     * The direction in which this rule applies.
     * Possible values are: `INGRESS`, `EGRESS`.
     */
    direction?: pulumi.Input<string>;
    /**
     * Denotes whether the firewall policy rule is disabled.
     * When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist.
     * If this is unspecified, the firewall policy rule will be enabled.
     */
    disabled?: pulumi.Input<boolean>;
    /**
     * Denotes whether to enable logging for a particular rule.
     * If logging is enabled, logs will be exported to the configured export destination in Cloud Logging (formerly Stackdriver).
     * Logs may be exported to BigQuery or Pub/Sub.
     * Note: you cannot enable logging on "gotoNext" rules.
     */
    enableLogging?: pulumi.Input<boolean>;
    /**
     * The firewall policy of the resource.
     */
    firewallPolicy?: pulumi.Input<string>;
    /**
     * Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules
     */
    kind?: pulumi.Input<string>;
    /**
     * A match condition that traffic in the rule's `direction` is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
     * Structure is documented below.
     */
    match?: pulumi.Input<inputs.compute.NetworkFirewallPolicyRuleMatch>;
    /**
     * An integer indicating the priority of a rule in the list.
     * The priority must be an integer between 0 and 2147483647 (inclusive).
     * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
     */
    priority?: pulumi.Input<number>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * An optional name for the rule. This field is not a unique identifier and can be updated.
     */
    ruleName?: pulumi.Input<string>;
    /**
     * Calculation of the complexity of a single firewall policy rule.
     */
    ruleTupleCount?: pulumi.Input<number>;
    /**
     * A fully-qualified URL of a SecurityProfileGroup resource instance.
     * Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
     * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
     */
    securityProfileGroup?: pulumi.Input<string>;
    /**
     * A list of secure tags that controls which instances the firewall rule applies to.
     * If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored.
     * targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
     * Structure is documented below.
     */
    targetSecureTags?: pulumi.Input<pulumi.Input<inputs.compute.NetworkFirewallPolicyRuleTargetSecureTag>[]>;
    /**
     * A list of service accounts indicating the sets of instances that are applied with this rule.
     * Mutually exclusive with targetSecureTags (see above).
     */
    targetServiceAccounts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Boolean flag indicating if the traffic should be TLS decrypted.
     * Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
     */
    tlsInspect?: pulumi.Input<boolean>;
}
/**
 * The set of arguments for constructing a NetworkFirewallPolicyRule resource.
 * Required: `action`, `direction`, `firewallPolicy`, `match`, `priority`. Everything else is optional, and the
 * optional target fields default to "all instances on the network" (see `targetSecureTags`).
 */
export interface NetworkFirewallPolicyRuleArgs {
    /**
     * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup".
     * NOTE(review): the `securityProfileGroup` and `tlsInspect` docs below spell the same action
     * `apply_security_profile_group`; confirm against the API which spelling is accepted.
     */
    action: pulumi.Input<string>;
    /**
     * An optional description for this resource.
     */
    description?: pulumi.Input<string>;
    /**
     * The direction in which this rule applies.
     * Possible values are: `INGRESS`, `EGRESS`.
     */
    direction: pulumi.Input<string>;
    /**
     * Denotes whether the firewall policy rule is disabled.
     * When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist.
     * If this is unspecified, the firewall policy rule will be enabled.
     * Disabling a `deny` rule can let traffic through to a lower-priority `allow` rule.
     */
    disabled?: pulumi.Input<boolean>;
    /**
     * Denotes whether to enable logging for a particular rule.
     * If logging is enabled, logs will be exported to the configured export destination in Cloud Logging (formerly Stackdriver).
     * Logs may be exported to BigQuery or Pub/Sub.
     * Note: you cannot enable logging on "gotoNext" rules.
     * Unset means hits on this rule are not recorded; prefer `true` for `allow`/`deny` rules you need to audit.
     */
    enableLogging?: pulumi.Input<boolean>;
    /**
     * The firewall policy of the resource.
     */
    firewallPolicy: pulumi.Input<string>;
    /**
     * A match condition that traffic in the rule's `direction` is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
     * Structure is documented below.
     */
    match: pulumi.Input<inputs.compute.NetworkFirewallPolicyRuleMatch>;
    /**
     * An integer indicating the priority of a rule in the list.
     * The priority must be an integer between 0 and 2147483647 (inclusive).
     * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
     * The priority also identifies the rule within its policy (see the import formats above).
     */
    priority: pulumi.Input<number>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * An optional name for the rule. This field is not a unique identifier and can be updated.
     */
    ruleName?: pulumi.Input<string>;
    /**
     * A fully-qualified URL of a SecurityProfileGroup resource instance.
     * Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
     * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
     */
    securityProfileGroup?: pulumi.Input<string>;
    /**
     * A list of secure tags that controls which instances the firewall rule applies to.
     * If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored.
     * targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
     * Structure is documented below.
     * Note the "applies to all instances" default: an `allow` rule with no target set is network-wide.
     */
    targetSecureTags?: pulumi.Input<pulumi.Input<inputs.compute.NetworkFirewallPolicyRuleTargetSecureTag>[]>;
    /**
     * A list of service accounts indicating the sets of instances that are applied with this rule.
     * Mutually exclusive with targetSecureTags (see above).
     */
    targetServiceAccounts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Boolean flag indicating if the traffic should be TLS decrypted.
     * Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
     * When true, the inspecting firewall sees the plaintext of matched connections; scope the match narrowly.
     */
    tlsInspect?: pulumi.Input<boolean>;
}