import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Represents a rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (allow or deny). * * To get more information about RegionNetworkFirewallPolicyRule, see: * * * [API documentation](https://cloud.google.com/compute/docs/reference/rest/v1/regionNetworkFirewallPolicies/addRule) * * ## Example Usage * * ### Region Network Firewall Policy Rule * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const basicRegionalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_regional_networksecurity_address_group", { * name: "address-group", * parent: "projects/my-project-name", * description: "Sample regional networksecurity_address_group", * location: "us-west1", * items: ["208.80.154.224/32"], * type: "IPV4", * capacity: 100, * }); * const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", { * name: "fw-policy", * description: "Sample regional network firewall policy", * project: "my-project-name", * region: "us-west1", * }); * const basicNetwork = new gcp.compute.Network("basic_network", {name: "network"}); * const basicKey = new gcp.tags.TagKey("basic_key", { * description: "For keyname resources.", * parent: "organizations/123456789", * purpose: "GCE_FIREWALL", * shortName: "tag-key", * purposeData: { * network: pulumi.interpolate`my-project-name/${basicNetwork.name}`, * }, * }); * const basicValue = new gcp.tags.TagValue("basic_value", { * description: "For valuename resources.", * parent: basicKey.id, * shortName: "tag-value", * }); * const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", { * action: "allow", * description: "This is a simple rule description", * direction: "INGRESS", * disabled: false, * enableLogging: true, * firewallPolicy: basicRegionalNetworkFirewallPolicy.name, * priority: 1000, * region: "us-west1", * ruleName: "test-rule", * targetServiceAccounts: ["my@service-account.com"], * match: { * srcAddressGroups: [basicRegionalNetworksecurityAddressGroup.id], * srcIpRanges: ["10.100.0.1/32"], * srcFqdns: ["example.com"], * srcRegionCodes: ["US"], * srcThreatIntelligences: ["iplist-known-malicious-ips"], * layer4Configs: [{ * ipProtocol: "all", * }], * srcSecureTags: [{ * name: basicValue.id, * }], * }, * }); * ``` * ### Region Network Firewall Policy Rule Network Scope Egress * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", { * name: "fw-policy", * description: "Sample regional network firewall policy", * project: "my-project-name", * region: "us-west1", * }); * const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", { * action: "allow", * description: "This is a simple rule description", * direction: "EGRESS", * disabled: false, * enableLogging: true, * firewallPolicy: basicRegionalNetworkFirewallPolicy.name, * priority: 1000, * region: "us-west1", * ruleName: "test-rule", * match: { * destIpRanges: ["10.100.0.1/32"], * destNetworkScope: "INTERNET", * layer4Configs: [{ * ipProtocol: "all", * }], * }, * }); * ``` * ### Region Network Firewall Policy Rule Network Scope Ingress * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", { * name: "fw-policy", * description: "Sample regional network firewall policy", * project: "my-project-name", * region: "us-west1", * }); * const network = new gcp.compute.Network("network", {name: "network"}); * const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", { * action: "allow", * description: "This is a simple rule description", * direction: "INGRESS", * disabled: false, * enableLogging: true, * firewallPolicy: basicRegionalNetworkFirewallPolicy.name, * priority: 1000, * region: "us-west1", * ruleName: "test-rule", * match: { * srcIpRanges: ["10.100.0.1/32"], * srcNetworkScope: "VPC_NETWORKS", * srcNetworks: [network.id], * layer4Configs: [{ * ipProtocol: "all", * }], * }, * }); * ``` * * ## Import * * RegionNetworkFirewallPolicyRule can be imported using any of these accepted formats: * * * `projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}}` * * * `{{project}}/{{region}}/{{firewall_policy}}/{{priority}}` * * * `{{region}}/{{firewall_policy}}/{{priority}}` * * * `{{firewall_policy}}/{{priority}}` * * When using the `pulumi import` command, RegionNetworkFirewallPolicyRule can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default projects/{{project}}/regions/{{region}}/firewallPolicies/{{firewall_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{project}}/{{region}}/{{firewall_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{region}}/{{firewall_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule default {{firewall_policy}}/{{priority}} * ``` */ export declare class RegionNetworkFirewallPolicyRule extends pulumi.CustomResource { /** * Get an existing RegionNetworkFirewallPolicyRule resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: RegionNetworkFirewallPolicyRuleState, opts?: pulumi.CustomResourceOptions): RegionNetworkFirewallPolicyRule; /** * Returns true if the given object is an instance of RegionNetworkFirewallPolicyRule. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is RegionNetworkFirewallPolicyRule; /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ readonly action: pulumi.Output; /** * Creation timestamp in RFC3339 text format. */ readonly creationTimestamp: pulumi.Output; /** * An optional description for this resource. */ readonly description: pulumi.Output; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ readonly direction: pulumi.Output; /** * Denotes whether the firewall policy rule is disabled. * When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. * If this is unspecified, the firewall policy rule will be enabled. */ readonly disabled: pulumi.Output; /** * Denotes whether to enable logging for a particular rule. * If logging is enabled, logs will be exported to the configured export destination in Stackdriver. * Logs may be exported to BigQuery or Pub/Sub. * Note: you cannot enable logging on "gotoNext" rules. */ readonly enableLogging: pulumi.Output; /** * The firewall policy of the resource. */ readonly firewallPolicy: pulumi.Output; /** * Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules */ readonly kind: pulumi.Output; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ readonly match: pulumi.Output; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ readonly priority: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * The location of this resource. */ readonly region: pulumi.Output; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ readonly ruleName: pulumi.Output; /** * Calculation of the complexity of a single firewall policy rule. */ readonly ruleTupleCount: pulumi.Output; /** * A fully-qualified URL of a SecurityProfile resource instance. * Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. * Security Profile Group and Firewall Policy Rule must be in the same scope. */ readonly securityProfileGroup: pulumi.Output; /** * A list of secure tags that controls which instances the firewall rule applies to. * If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. * targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. * Structure is documented below. */ readonly targetSecureTags: pulumi.Output; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ readonly targetServiceAccounts: pulumi.Output; /** * Boolean flag indicating if the traffic should be TLS decrypted. * Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions. */ readonly tlsInspect: pulumi.Output; /** * Create a RegionNetworkFirewallPolicyRule resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: RegionNetworkFirewallPolicyRuleArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering RegionNetworkFirewallPolicyRule resources. */ export interface RegionNetworkFirewallPolicyRuleState { /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ action?: pulumi.Input; /** * Creation timestamp in RFC3339 text format. */ creationTimestamp?: pulumi.Input; /** * An optional description for this resource. */ description?: pulumi.Input; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ direction?: pulumi.Input; /** * Denotes whether the firewall policy rule is disabled. * When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. * If this is unspecified, the firewall policy rule will be enabled. */ disabled?: pulumi.Input; /** * Denotes whether to enable logging for a particular rule. * If logging is enabled, logs will be exported to the configured export destination in Stackdriver. * Logs may be exported to BigQuery or Pub/Sub. * Note: you cannot enable logging on "gotoNext" rules. */ enableLogging?: pulumi.Input; /** * The firewall policy of the resource. */ firewallPolicy?: pulumi.Input; /** * Type of the resource. Always `compute#firewallPolicyRule` for firewall policy rules */ kind?: pulumi.Input; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ priority?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The location of this resource. */ region?: pulumi.Input; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ ruleName?: pulumi.Input; /** * Calculation of the complexity of a single firewall policy rule. */ ruleTupleCount?: pulumi.Input; /** * A fully-qualified URL of a SecurityProfile resource instance. * Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. * Security Profile Group and Firewall Policy Rule must be in the same scope. */ securityProfileGroup?: pulumi.Input; /** * A list of secure tags that controls which instances the firewall rule applies to. * If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. * targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. * Structure is documented below. */ targetSecureTags?: pulumi.Input[]>; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ targetServiceAccounts?: pulumi.Input[]>; /** * Boolean flag indicating if the traffic should be TLS decrypted. * Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions. */ tlsInspect?: pulumi.Input; } /** * The set of arguments for constructing a RegionNetworkFirewallPolicyRule resource. */ export interface RegionNetworkFirewallPolicyRuleArgs { /** * The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny", "gotoNext" and "applySecurityProfileGroup". */ action: pulumi.Input; /** * An optional description for this resource. */ description?: pulumi.Input; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ direction: pulumi.Input; /** * Denotes whether the firewall policy rule is disabled. * When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. * If this is unspecified, the firewall policy rule will be enabled. */ disabled?: pulumi.Input; /** * Denotes whether to enable logging for a particular rule. * If logging is enabled, logs will be exported to the configured export destination in Stackdriver. * Logs may be exported to BigQuery or Pub/Sub. * Note: you cannot enable logging on "gotoNext" rules. */ enableLogging?: pulumi.Input; /** * The firewall policy of the resource. */ firewallPolicy: pulumi.Input; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match: pulumi.Input; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */ priority: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The location of this resource. */ region?: pulumi.Input; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ ruleName?: pulumi.Input; /** * A fully-qualified URL of a SecurityProfile resource instance. * Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions. * Security Profile Group and Firewall Policy Rule must be in the same scope. */ securityProfileGroup?: pulumi.Input; /** * A list of secure tags that controls which instances the firewall rule applies to. * If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. * targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. * Structure is documented below. */ targetSecureTags?: pulumi.Input[]>; /** * A list of service accounts indicating the sets of instances that are applied with this rule. */ targetServiceAccounts?: pulumi.Input[]>; /** * Boolean flag indicating if the traffic should be TLS decrypted. * Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions. */ tlsInspect?: pulumi.Input; }