Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.compute.RegionNetworkFirewallPolicyWithRules

Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    Example Usage

    Compute Region Network Firewall Policy With Rules Full

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Resolve the provider's default project once; its id and name are reused below.
    const project = gcp.organizations.getProject({});
    const projectId = project.then(({ id }) => id);
    const defaultNetwork = project.then(({ name }) => `${name}/default`);

    // Regional address group that both rules reference (one sample /32 entry).
    const addressGroup1 = new gcp.networksecurity.AddressGroup("address_group_1", {
        type: "IPV4",
        capacity: 100,
        items: ["208.80.154.224/32"],
        location: "us-west2",
        parent: projectId,
        name: "tf-address-group",
        description: "Regional address group",
    });

    // Secure tag key scoped to firewall use (purpose GCE_FIREWALL) on the project's default network.
    const secureTagKey1 = new gcp.tags.TagKey("secure_tag_key_1", {
        shortName: "tf-tag-key",
        description: "Tag key",
        parent: projectId,
        purpose: "GCE_FIREWALL",
        purposeData: { network: defaultNetwork },
    });

    // Tag value used as the egress rule's target and as an ingress source match.
    const secureTagValue1 = new gcp.tags.TagValue("secure_tag_value_1", {
        shortName: "tf-tag-value",
        description: "Tag value",
        parent: secureTagKey1.id,
    });

    // Rule 1: logged egress ALLOW for tcp/8080 and tcp/7070.
    // NOTE(review): the destination threat-intelligence lists (including Tor exit
    // nodes) sit in an *allow* rule here to exercise the field; production policies
    // typically reference such lists from deny rules.
    const egressTcpRule = {
        description: "tcp rule",
        priority: 1000, // lower number = evaluated first
        direction: "EGRESS",
        action: "allow",
        enableLogging: true,
        match: {
            layer4Configs: [{ ipProtocol: "tcp", ports: ["8080", "7070"] }],
            destIpRanges: ["11.100.0.1/32"],
            destFqdns: ["www.yyy.com", "www.zzz.com"],
            destRegionCodes: ["HK", "IN"],
            destThreatIntelligences: [
                "iplist-search-engines-crawlers",
                "iplist-tor-exit-nodes",
            ],
            destAddressGroups: [addressGroup1.id],
        },
        targetSecureTags: [{ name: secureTagValue1.id }],
    };

    // Rule 2: ingress DENY for all udp from any source.
    // NOTE(review): `disabled: true` means this deny is declared but not enforced,
    // and `enableLogging: false` means matches would not be logged once it is enabled.
    const ingressUdpRule = {
        description: "udp rule",
        ruleName: "test-rule",
        priority: 2000,
        direction: "INGRESS",
        action: "deny",
        enableLogging: false,
        disabled: true,
        match: {
            layer4Configs: [{ ipProtocol: "udp" }],
            srcIpRanges: ["0.0.0.0/0"],
            srcFqdns: ["www.abc.com", "www.def.com"],
            srcRegionCodes: ["US", "CA"],
            srcThreatIntelligences: [
                "iplist-known-malicious-ips",
                "iplist-public-clouds",
            ],
            srcAddressGroups: [addressGroup1.id],
            srcSecureTags: [{ name: secureTagValue1.id }],
        },
    };

    // The policy itself. This listing creates no association with a VPC network, so
    // presumably the rules take effect only once the policy is attached elsewhere.
    const region_network_firewall_policy_with_rules = new gcp.compute.RegionNetworkFirewallPolicyWithRules(
        "region-network-firewall-policy-with-rules",
        {
            name: "tf-region-fw-policy-with-rules",
            description: "Terraform test",
            region: "us-west2",
            rules: [egressTcpRule, ingressUdpRule],
        },
    );
    
    import pulumi
    import pulumi_gcp as gcp
    
    # Resolve the provider's default project; get_project() yields plain values here,
    # which is why project.name can be used directly in an f-string below.
    project = gcp.organizations.get_project()
    project_id = project.id

    # Regional address group that both rules reference (one sample /32 entry).
    address_group1 = gcp.networksecurity.AddressGroup(
        "address_group_1",
        name="tf-address-group",
        description="Regional address group",
        parent=project_id,
        location="us-west2",
        type="IPV4",
        capacity=100,
        items=["208.80.154.224/32"],
    )

    # Secure tag key scoped to firewall use (purpose GCE_FIREWALL) on the default network.
    secure_tag_key1 = gcp.tags.TagKey(
        "secure_tag_key_1",
        short_name="tf-tag-key",
        description="Tag key",
        parent=project_id,
        purpose="GCE_FIREWALL",
        purpose_data={"network": f"{project.name}/default"},
    )

    # Tag value used as the egress rule's target and as an ingress source match.
    secure_tag_value1 = gcp.tags.TagValue(
        "secure_tag_value_1",
        short_name="tf-tag-value",
        description="Tag value",
        parent=secure_tag_key1.id,
    )

    # Rule 1: logged egress ALLOW for tcp/8080 and tcp/7070.
    # NOTE(review): the destination threat-intelligence lists (including Tor exit
    # nodes) sit in an *allow* rule here to exercise the field; production policies
    # typically reference such lists from deny rules.
    egress_tcp_rule = {
        "description": "tcp rule",
        "priority": 1000,  # lower number = evaluated first
        "direction": "EGRESS",
        "action": "allow",
        "enable_logging": True,
        "match": {
            "layer4_configs": [{"ip_protocol": "tcp", "ports": ["8080", "7070"]}],
            "dest_ip_ranges": ["11.100.0.1/32"],
            "dest_fqdns": ["www.yyy.com", "www.zzz.com"],
            "dest_region_codes": ["HK", "IN"],
            "dest_threat_intelligences": [
                "iplist-search-engines-crawlers",
                "iplist-tor-exit-nodes",
            ],
            "dest_address_groups": [address_group1.id],
        },
        "target_secure_tags": [{"name": secure_tag_value1.id}],
    }

    # Rule 2: ingress DENY for all udp from any source.
    # NOTE(review): "disabled": True means this deny is declared but not enforced,
    # and "enable_logging": False means matches would not be logged once enabled.
    ingress_udp_rule = {
        "description": "udp rule",
        "rule_name": "test-rule",
        "priority": 2000,
        "direction": "INGRESS",
        "action": "deny",
        "enable_logging": False,
        "disabled": True,
        "match": {
            "layer4_configs": [{"ip_protocol": "udp"}],
            "src_ip_ranges": ["0.0.0.0/0"],
            "src_fqdns": ["www.abc.com", "www.def.com"],
            "src_region_codes": ["US", "CA"],
            "src_threat_intelligences": [
                "iplist-known-malicious-ips",
                "iplist-public-clouds",
            ],
            "src_address_groups": [address_group1.id],
            "src_secure_tags": [{"name": secure_tag_value1.id}],
        },
    }

    # The policy itself. This listing creates no association with a VPC network, so
    # presumably the rules take effect only once the policy is attached elsewhere.
    region_network_firewall_policy_with_rules = gcp.compute.RegionNetworkFirewallPolicyWithRules(
        "region-network-firewall-policy-with-rules",
        name="tf-region-fw-policy-with-rules",
        description="Terraform test",
        region="us-west2",
        rules=[egress_tcp_rule, ingress_udp_rule],
    )
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/networksecurity"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/tags"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
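    // main declares the sample stack: an address group, a GCE_FIREWALL secure tag
    // key/value pair, and a regional network firewall policy carrying two rules.
    // The listing creates no association between the policy and a VPC network, so
    // presumably the rules take effect only once the policy is attached elsewhere.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// LookupProject returns plain values (project.Id and project.Name are
    		// strings), so they can be wrapped directly with pulumi.String.
    		project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
    		if err != nil {
    			return err
    		}

    		// Regional address group that both rules reference (one sample /32 entry).
    		addressGroup1, err := networksecurity.NewAddressGroup(ctx, "address_group_1", &networksecurity.AddressGroupArgs{
    			Name:        pulumi.String("tf-address-group"),
    			Parent:      pulumi.String(project.Id),
    			Description: pulumi.String("Regional address group"),
    			Location:    pulumi.String("us-west2"),
    			Items: pulumi.StringArray{
    				pulumi.String("208.80.154.224/32"),
    			},
    			Type:     pulumi.String("IPV4"),
    			Capacity: pulumi.Int(100),
    		})
    		if err != nil {
    			return err
    		}

    		// Secure tag key scoped to firewall use on the project's default network.
    		secureTagKey1, err := tags.NewTagKey(ctx, "secure_tag_key_1", &tags.TagKeyArgs{
    			Description: pulumi.String("Tag key"),
    			Parent:      pulumi.String(project.Id),
    			Purpose:     pulumi.String("GCE_FIREWALL"),
    			ShortName:   pulumi.String("tf-tag-key"),
    			PurposeData: pulumi.StringMap{
    				// project.Name is a plain string, so fmt.Sprintf is sufficient.
    				// Using fmt here also means the listing's "fmt" import is no
    				// longer unused, which the Go compiler would otherwise reject.
    				"network": pulumi.String(fmt.Sprintf("%v/default", project.Name)),
    			},
    		})
    		if err != nil {
    			return err
    		}

    		// Tag value used as the egress rule's target and as an ingress source match.
    		secureTagValue1, err := tags.NewTagValue(ctx, "secure_tag_value_1", &tags.TagValueArgs{
    			Description: pulumi.String("Tag value"),
    			Parent:      secureTagKey1.ID(),
    			ShortName:   pulumi.String("tf-tag-value"),
    		})
    		if err != nil {
    			return err
    		}

    		// Rule 1: logged egress ALLOW for tcp/8080 and tcp/7070.
    		// NOTE(review): the destination threat-intelligence lists (including Tor
    		// exit nodes) sit in an *allow* rule here to exercise the field;
    		// production policies typically reference such lists from deny rules.
    		egressTCPRule := &compute.RegionNetworkFirewallPolicyWithRulesRuleArgs{
    			Description:   pulumi.String("tcp rule"),
    			Priority:      pulumi.Int(1000), // lower number = evaluated first
    			EnableLogging: pulumi.Bool(true),
    			Action:        pulumi.String("allow"),
    			Direction:     pulumi.String("EGRESS"),
    			Match: &compute.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs{
    				Layer4Configs: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
    					&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
    						IpProtocol: pulumi.String("tcp"),
    						Ports: pulumi.StringArray{
    							pulumi.String("8080"),
    							pulumi.String("7070"),
    						},
    					},
    				},
    				DestIpRanges: pulumi.StringArray{
    					pulumi.String("11.100.0.1/32"),
    				},
    				DestFqdns: pulumi.StringArray{
    					pulumi.String("www.yyy.com"),
    					pulumi.String("www.zzz.com"),
    				},
    				DestRegionCodes: pulumi.StringArray{
    					pulumi.String("HK"),
    					pulumi.String("IN"),
    				},
    				DestThreatIntelligences: pulumi.StringArray{
    					pulumi.String("iplist-search-engines-crawlers"),
    					pulumi.String("iplist-tor-exit-nodes"),
    				},
    				DestAddressGroups: pulumi.StringArray{
    					addressGroup1.ID(),
    				},
    			},
    			TargetSecureTags: compute.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArray{
    				&compute.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs{
    					Name: secureTagValue1.ID(),
    				},
    			},
    		}

    		// Rule 2: ingress DENY for all udp from any source.
    		// NOTE(review): Disabled is true, so this deny is declared but not
    		// enforced, and EnableLogging is false, so matches would not be logged
    		// once the rule is enabled.
    		ingressUDPRule := &compute.RegionNetworkFirewallPolicyWithRulesRuleArgs{
    			Description:   pulumi.String("udp rule"),
    			RuleName:      pulumi.String("test-rule"),
    			Priority:      pulumi.Int(2000),
    			EnableLogging: pulumi.Bool(false),
    			Action:        pulumi.String("deny"),
    			Direction:     pulumi.String("INGRESS"),
    			Match: &compute.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs{
    				Layer4Configs: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
    					&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
    						IpProtocol: pulumi.String("udp"),
    					},
    				},
    				SrcIpRanges: pulumi.StringArray{
    					pulumi.String("0.0.0.0/0"),
    				},
    				SrcFqdns: pulumi.StringArray{
    					pulumi.String("www.abc.com"),
    					pulumi.String("www.def.com"),
    				},
    				SrcRegionCodes: pulumi.StringArray{
    					pulumi.String("US"),
    					pulumi.String("CA"),
    				},
    				SrcThreatIntelligences: pulumi.StringArray{
    					pulumi.String("iplist-known-malicious-ips"),
    					pulumi.String("iplist-public-clouds"),
    				},
    				SrcAddressGroups: pulumi.StringArray{
    					addressGroup1.ID(),
    				},
    				SrcSecureTags: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArray{
    					&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs{
    						Name: secureTagValue1.ID(),
    					},
    				},
    			},
    			Disabled: pulumi.Bool(true),
    		}

    		// Register the policy with both rules; the returned error (nil on
    		// success) is the result of the whole program.
    		_, err = compute.NewRegionNetworkFirewallPolicyWithRules(ctx, "region-network-firewall-policy-with-rules", &compute.RegionNetworkFirewallPolicyWithRulesArgs{
    			Name:        pulumi.String("tf-region-fw-policy-with-rules"),
    			Region:      pulumi.String("us-west2"),
    			Description: pulumi.String("Terraform test"),
    			Rules: compute.RegionNetworkFirewallPolicyWithRulesRuleArray{
    				egressTCPRule,
    				ingressUDPRule,
    			},
    		})
    		return err
    	})
    }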
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
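    // Declares the sample stack: an address group, a GCE_FIREWALL secure tag key/value
    // pair, and a regional network firewall policy carrying two rules. The listing
    // creates no association between the policy and a VPC network, so presumably the
    // rules take effect only once the policy is attached elsewhere.
    return await Deployment.RunAsync(() => 
    {
        // Invoke() returns an Output; every use below goes through Apply.
        var project = Gcp.Organizations.GetProject.Invoke();

        // Regional address group that both rules reference (one sample /32 entry).
        var addressGroup1 = new Gcp.NetworkSecurity.AddressGroup("address_group_1", new()
        {
            Name = "tf-address-group",
            Parent = project.Apply(getProjectResult => getProjectResult.Id),
            Description = "Regional address group",
            Location = "us-west2",
            Items = new[]
            {
                "208.80.154.224/32",
            },
            Type = "IPV4",
            Capacity = 100,
        });

        // Secure tag key scoped to firewall use on the project's default network.
        var secureTagKey1 = new Gcp.Tags.TagKey("secure_tag_key_1", new()
        {
            Description = "Tag key",
            Parent = project.Apply(getProjectResult => getProjectResult.Id),
            Purpose = "GCE_FIREWALL",
            ShortName = "tf-tag-key",
            PurposeData = 
            {
                // Build the string inside Apply: interpolating an Output directly
                // formats the Output object itself rather than the project name,
                // which would yield an invalid network reference.
                { "network", project.Apply(getProjectResult => $"{getProjectResult.Name}/default") },
            },
        });

        // Tag value used as the egress rule's target and as an ingress source match.
        var secureTagValue1 = new Gcp.Tags.TagValue("secure_tag_value_1", new()
        {
            Description = "Tag value",
            Parent = secureTagKey1.Id,
            ShortName = "tf-tag-value",
        });

        var region_network_firewall_policy_with_rules = new Gcp.Compute.RegionNetworkFirewallPolicyWithRules("region-network-firewall-policy-with-rules", new()
        {
            Name = "tf-region-fw-policy-with-rules",
            Region = "us-west2",
            Description = "Terraform test",
            Rules = new[]
            {
                // Rule 1: logged egress ALLOW for tcp/8080 and tcp/7070.
                // NOTE(review): the destination threat-intelligence lists (including
                // Tor exit nodes) sit in an *allow* rule here to exercise the field;
                // production policies typically reference such lists from deny rules.
                new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs
                {
                    Description = "tcp rule",
                    Priority = 1000, // lower number = evaluated first
                    EnableLogging = true,
                    Action = "allow",
                    Direction = "EGRESS",
                    Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs
                    {
                        Layer4Configs = new[]
                        {
                            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
                            {
                                IpProtocol = "tcp",
                                Ports = new[]
                                {
                                    "8080",
                                    "7070",
                                },
                            },
                        },
                        DestIpRanges = new[]
                        {
                            "11.100.0.1/32",
                        },
                        DestFqdns = new[]
                        {
                            "www.yyy.com",
                            "www.zzz.com",
                        },
                        DestRegionCodes = new[]
                        {
                            "HK",
                            "IN",
                        },
                        DestThreatIntelligences = new[]
                        {
                            "iplist-search-engines-crawlers",
                            "iplist-tor-exit-nodes",
                        },
                        DestAddressGroups = new[]
                        {
                            addressGroup1.Id,
                        },
                    },
                    TargetSecureTags = new[]
                    {
                        new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs
                        {
                            Name = secureTagValue1.Id,
                        },
                    },
                },
                // Rule 2: ingress DENY for all udp from any source.
                // NOTE(review): Disabled = true means this deny is declared but not
                // enforced, and EnableLogging = false means matches would not be
                // logged once the rule is enabled.
                new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs
                {
                    Description = "udp rule",
                    RuleName = "test-rule",
                    Priority = 2000,
                    EnableLogging = false,
                    Action = "deny",
                    Direction = "INGRESS",
                    Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs
                    {
                        Layer4Configs = new[]
                        {
                            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
                            {
                                IpProtocol = "udp",
                            },
                        },
                        SrcIpRanges = new[]
                        {
                            "0.0.0.0/0",
                        },
                        SrcFqdns = new[]
                        {
                            "www.abc.com",
                            "www.def.com",
                        },
                        SrcRegionCodes = new[]
                        {
                            "US",
                            "CA",
                        },
                        SrcThreatIntelligences = new[]
                        {
                            "iplist-known-malicious-ips",
                            "iplist-public-clouds",
                        },
                        SrcAddressGroups = new[]
                        {
                            addressGroup1.Id,
                        },
                        SrcSecureTags = new[]
                        {
                            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs
                            {
                                Name = secureTagValue1.Id,
                            },
                        },
                    },
                    Disabled = true,
                },
            },
        });

    });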
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.OrganizationsFunctions;
    import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
    import com.pulumi.gcp.networksecurity.AddressGroup;
    import com.pulumi.gcp.networksecurity.AddressGroupArgs;
    import com.pulumi.gcp.tags.TagKey;
    import com.pulumi.gcp.tags.TagKeyArgs;
    import com.pulumi.gcp.tags.TagValue;
    import com.pulumi.gcp.tags.TagValueArgs;
    import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyWithRules;
    import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyWithRulesArgs;
    import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs;
    import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
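    /**
     * Sample stack: an address group, a GCE_FIREWALL secure tag key/value pair, and a
     * regional network firewall policy carrying two rules.
     *
     * <p>NOTE(review): the listing's import block does not import
     * {@code RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs},
     * {@code RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs} or
     * {@code RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs}, all of which
     * are used below; they need importing from {@code com.pulumi.gcp.compute.inputs}.
     */
    public class App {
        /** Program entry point: hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares every resource in the stack. The listing creates no association
         * between the policy and a VPC network, so presumably the rules take effect
         * only once the policy is attached elsewhere.
         *
         * @param ctx Pulumi context for the current deployment (not read directly here)
         */
        public static void stack(Context ctx) {
            // getProject() yields an Output; every use below goes through applyValue.
            final var project = OrganizationsFunctions.getProject();

            // Regional address group that both rules reference (one sample /32 entry).
            var addressGroup1 = new AddressGroup("addressGroup1", AddressGroupArgs.builder()
                .name("tf-address-group")
                .parent(project.applyValue(getProjectResult -> getProjectResult.id()))
                .description("Regional address group")
                .location("us-west2")
                .items("208.80.154.224/32")
                .type("IPV4")
                .capacity(100)
                .build());

            // Secure tag key scoped to firewall use on the project's default network.
            var secureTagKey1 = new TagKey("secureTagKey1", TagKeyArgs.builder()
                .description("Tag key")
                .parent(project.applyValue(getProjectResult -> getProjectResult.id()))
                .purpose("GCE_FIREWALL")
                .shortName("tf-tag-key")
                // Format inside applyValue: passing an Output to String.format would
                // format the Output object itself rather than the project name.
                .purposeData(project.applyValue(getProjectResult ->
                    Map.of("network", String.format("%s/default", getProjectResult.name()))))
                .build());

            // Tag value used as the egress rule's target and as an ingress source match.
            var secureTagValue1 = new TagValue("secureTagValue1", TagValueArgs.builder()
                .description("Tag value")
                .parent(secureTagKey1.id())
                .shortName("tf-tag-value")
                .build());

            var region_network_firewall_policy_with_rules = new RegionNetworkFirewallPolicyWithRules("region-network-firewall-policy-with-rules", RegionNetworkFirewallPolicyWithRulesArgs.builder()
                .name("tf-region-fw-policy-with-rules")
                .region("us-west2")
                .description("Terraform test")
                .rules(
                    // Rule 1: logged egress ALLOW for tcp/8080 and tcp/7070.
                    // NOTE(review): the destination threat-intelligence lists
                    // (including Tor exit nodes) sit in an *allow* rule here to
                    // exercise the field; production policies typically reference
                    // such lists from deny rules.
                    RegionNetworkFirewallPolicyWithRulesRuleArgs.builder()
                        .description("tcp rule")
                        .priority(1000) // lower number = evaluated first
                        .enableLogging(true)
                        .action("allow")
                        .direction("EGRESS")
                        .match(RegionNetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
                            .layer4Configs(RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
                                .ipProtocol("tcp")
                                // Ports are strings in this API (the other language
                                // examples pass "8080"/"7070"), not integers.
                                .ports(
                                    "8080",
                                    "7070")
                                .build())
                            .destIpRanges("11.100.0.1/32")
                            .destFqdns(
                                "www.yyy.com",
                                "www.zzz.com")
                            .destRegionCodes(
                                "HK",
                                "IN")
                            .destThreatIntelligences(
                                "iplist-search-engines-crawlers",
                                "iplist-tor-exit-nodes")
                            .destAddressGroups(addressGroup1.id())
                            .build())
                        .targetSecureTags(RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs.builder()
                            .name(secureTagValue1.id())
                            .build())
                        .build(),
                    // Rule 2: ingress DENY for all udp from any source.
                    // NOTE(review): disabled(true) means this deny is declared but
                    // not enforced, and enableLogging(false) means matches would not
                    // be logged once the rule is enabled.
                    RegionNetworkFirewallPolicyWithRulesRuleArgs.builder()
                        .description("udp rule")
                        .ruleName("test-rule")
                        .priority(2000)
                        .enableLogging(false)
                        .action("deny")
                        .direction("INGRESS")
                        .match(RegionNetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
                            .layer4Configs(RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
                                .ipProtocol("udp")
                                .build())
                            .srcIpRanges("0.0.0.0/0")
                            .srcFqdns(
                                "www.abc.com",
                                "www.def.com")
                            .srcRegionCodes(
                                "US",
                                "CA")
                            .srcThreatIntelligences(
                                "iplist-known-malicious-ips",
                                "iplist-public-clouds")
                            .srcAddressGroups(addressGroup1.id())
                            .srcSecureTags(RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs.builder()
                                .name(secureTagValue1.id())
                                .build())
                            .build())
                        .disabled(true)
                        .build())
                .build());

        }
    }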
    
    # Sample stack: a regional network firewall policy with two rules, plus the
    # address group and secure tag key/value the rules reference.
    # NOTE(review): nothing in this listing associates the policy with a VPC network,
    # so presumably the rules take effect only once the policy is attached elsewhere.
    resources:
      region-network-firewall-policy-with-rules:
        type: gcp:compute:RegionNetworkFirewallPolicyWithRules
        properties:
          name: tf-region-fw-policy-with-rules
          region: us-west2
          description: Terraform test
          rules:
            # Rule 1: logged egress ALLOW for tcp/8080 and tcp/7070.
            # NOTE(review): the destination threat-intelligence lists (including Tor
            # exit nodes) sit in an *allow* rule here to exercise the field;
            # production policies typically reference such lists from deny rules.
            - description: tcp rule
              # Lower number = evaluated first.
              priority: 1000
              enableLogging: true
              action: allow
              direction: EGRESS
              match:
                layer4Configs:
                  - ipProtocol: tcp
                    # NOTE(review): unquoted here, so YAML reads these as integers;
                    # the other language examples pass ports as strings.
                    ports:
                      - 8080
                      - 7070
                destIpRanges:
                  - 11.100.0.1/32
                destFqdns:
                  - www.yyy.com
                  - www.zzz.com
                destRegionCodes:
                  - HK
                  - IN
                destThreatIntelligences:
                  - iplist-search-engines-crawlers
                  - iplist-tor-exit-nodes
                destAddressGroups:
                  - ${addressGroup1.id}
              # The rule applies only to targets carrying this secure tag value.
              targetSecureTags:
                - name: ${secureTagValue1.id}
            # Rule 2: ingress DENY for all udp from any source.
            # NOTE(review): disabled: true means this deny is declared but not
            # enforced, and enableLogging: false means matches would not be logged
            # once the rule is enabled.
            - description: udp rule
              ruleName: test-rule
              priority: 2000
              enableLogging: false
              action: deny
              direction: INGRESS
              match:
                layer4Configs:
                  - ipProtocol: udp
                srcIpRanges:
                  - 0.0.0.0/0
                srcFqdns:
                  - www.abc.com
                  - www.def.com
                srcRegionCodes:
                  - US
                  - CA
                srcThreatIntelligences:
                  - iplist-known-malicious-ips
                  - iplist-public-clouds
                srcAddressGroups:
                  - ${addressGroup1.id}
                srcSecureTags:
                  - name: ${secureTagValue1.id}
              disabled: true
      # Regional address group that both rules reference (one sample /32 entry).
      addressGroup1:
        type: gcp:networksecurity:AddressGroup
        name: address_group_1
        properties:
          name: tf-address-group
          parent: ${project.id}
          description: Regional address group
          location: us-west2
          items:
            - 208.80.154.224/32
          type: IPV4
          capacity: 100
      # Secure tag key scoped to firewall use on the project's default network.
      secureTagKey1:
        type: gcp:tags:TagKey
        name: secure_tag_key_1
        properties:
          description: Tag key
          parent: ${project.id}
          purpose: GCE_FIREWALL
          shortName: tf-tag-key
          purposeData:
            network: ${project.name}/default
      # Tag value used as the egress rule's target and as an ingress source match.
      secureTagValue1:
        type: gcp:tags:TagValue
        name: secure_tag_value_1
        properties:
          description: Tag value
          parent: ${secureTagKey1.id}
          shortName: tf-tag-value
    # Looks up the provider's default project; its id and name are interpolated above.
    variables:
      project:
        fn::invoke:
          Function: gcp:organizations:getProject
          Arguments: {}
    

    Create RegionNetworkFirewallPolicyWithRules Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new RegionNetworkFirewallPolicyWithRules(name: string, args: RegionNetworkFirewallPolicyWithRulesArgs, opts?: CustomResourceOptions);
    @overload
    def RegionNetworkFirewallPolicyWithRules(resource_name: str,
                                             args: RegionNetworkFirewallPolicyWithRulesArgs,
                                             opts: Optional[ResourceOptions] = None)
    
    @overload
    def RegionNetworkFirewallPolicyWithRules(resource_name: str,
                                             opts: Optional[ResourceOptions] = None,
                                             rules: Optional[Sequence[RegionNetworkFirewallPolicyWithRulesRuleArgs]] = None,
                                             description: Optional[str] = None,
                                             name: Optional[str] = None,
                                             project: Optional[str] = None,
                                             region: Optional[str] = None)
    func NewRegionNetworkFirewallPolicyWithRules(ctx *Context, name string, args RegionNetworkFirewallPolicyWithRulesArgs, opts ...ResourceOption) (*RegionNetworkFirewallPolicyWithRules, error)
    public RegionNetworkFirewallPolicyWithRules(string name, RegionNetworkFirewallPolicyWithRulesArgs args, CustomResourceOptions? opts = null)
    public RegionNetworkFirewallPolicyWithRules(String name, RegionNetworkFirewallPolicyWithRulesArgs args)
    public RegionNetworkFirewallPolicyWithRules(String name, RegionNetworkFirewallPolicyWithRulesArgs args, CustomResourceOptions options)
    
    type: gcp:compute:RegionNetworkFirewallPolicyWithRules
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args RegionNetworkFirewallPolicyWithRulesArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RegionNetworkFirewallPolicyWithRulesArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RegionNetworkFirewallPolicyWithRulesArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RegionNetworkFirewallPolicyWithRulesArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RegionNetworkFirewallPolicyWithRulesArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference shape only: every input below is a type placeholder ("string", 0, false),
    // so this call shows the argument structure, not a deployable firewall policy.
    var regionNetworkFirewallPolicyWithRulesResource = new Gcp.Compute.RegionNetworkFirewallPolicyWithRules("regionNetworkFirewallPolicyWithRulesResource", new()
    {
        Rules = new[]
        {
            new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleArgs
            {
                // Rule verdict; the full example on this page uses "allow".
                Action = "string",
                // Traffic selectors: protocol/ports plus source and destination criteria.
                // NOTE(review): keep the address ranges as narrow as the workload allows.
                Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs
                {
                    Layer4Configs = new[]
                    {
                        new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs
                        {
                            IpProtocol = "string",
                            Ports = new[]
                            {
                                "string",
                            },
                        },
                    },
                    DestAddressGroups = new[]
                    {
                        "string",
                    },
                    DestFqdns = new[]
                    {
                        "string",
                    },
                    DestIpRanges = new[]
                    {
                        "string",
                    },
                    DestRegionCodes = new[]
                    {
                        "string",
                    },
                    DestThreatIntelligences = new[]
                    {
                        "string",
                    },
                    SrcAddressGroups = new[]
                    {
                        "string",
                    },
                    SrcFqdns = new[]
                    {
                        "string",
                    },
                    SrcIpRanges = new[]
                    {
                        "string",
                    },
                    SrcRegionCodes = new[]
                    {
                        "string",
                    },
                    SrcSecureTags = new[]
                    {
                        new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs
                        {
                            Name = "string",
                            State = "string",
                        },
                    },
                    SrcThreatIntelligences = new[]
                    {
                        "string",
                    },
                },
                // NOTE(review): 0 is a placeholder; priority presumably decides evaluation order
                // (the full example on this page uses 1000) - confirm the ordering before choosing a value.
                Priority = 0,
                Description = "string",
                // The full example on this page uses "EGRESS".
                Direction = "string",
                Disabled = false,
                // NOTE(review): placeholder is false, while the full example on this page sets true;
                // decide explicitly whether matches of this rule must be logged for audit.
                EnableLogging = false,
                RuleName = "string",
                // NOTE(review): SecurityProfileGroup and TlsInspect look tied to inspection-type
                // actions - confirm which Action values accept them.
                SecurityProfileGroup = "string",
                // NOTE(review): the target fields presumably scope the rule to tagged instances or
                // service accounts; omitting them likely widens what the rule applies to - verify.
                TargetSecureTags = new[]
                {
                    new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs
                    {
                        Name = "string",
                        State = "string",
                    },
                },
                TargetServiceAccounts = new[]
                {
                    "string",
                },
                TlsInspect = false,
            },
        },
        // Policy-level settings; Name is subject to the RFC1035 naming rule described under Inputs.
        Description = "string",
        Name = "string",
        Project = "string",
        Region = "string",
    });
    
    // Reference shape only: every input below is a type placeholder ("string", 0, false),
    // so this call shows the argument structure, not a deployable firewall policy.
    // NOTE(review): err is assigned here and not checked within this excerpt.
    example, err := compute.NewRegionNetworkFirewallPolicyWithRules(ctx, "regionNetworkFirewallPolicyWithRulesResource", &compute.RegionNetworkFirewallPolicyWithRulesArgs{
    	Rules: compute.RegionNetworkFirewallPolicyWithRulesRuleArray{
    		&compute.RegionNetworkFirewallPolicyWithRulesRuleArgs{
    			// Rule verdict; the full example on this page uses "allow".
    			Action: pulumi.String("string"),
    			// Traffic selectors: protocol/ports plus source and destination criteria.
    			// NOTE(review): keep the address ranges as narrow as the workload allows.
    			Match: &compute.RegionNetworkFirewallPolicyWithRulesRuleMatchArgs{
    				Layer4Configs: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArray{
    					&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs{
    						IpProtocol: pulumi.String("string"),
    						Ports: pulumi.StringArray{
    							pulumi.String("string"),
    						},
    					},
    				},
    				DestAddressGroups: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				DestFqdns: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				DestIpRanges: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				DestRegionCodes: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				DestThreatIntelligences: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				SrcAddressGroups: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				SrcFqdns: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				SrcIpRanges: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				SrcRegionCodes: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				SrcSecureTags: compute.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArray{
    					&compute.RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs{
    						Name:  pulumi.String("string"),
    						State: pulumi.String("string"),
    					},
    				},
    				SrcThreatIntelligences: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			// NOTE(review): 0 is a placeholder; priority presumably decides evaluation order
    			// (the full example on this page uses 1000) - confirm the ordering before choosing a value.
    			Priority:             pulumi.Int(0),
    			Description:          pulumi.String("string"),
    			// The full example on this page uses "EGRESS".
    			Direction:            pulumi.String("string"),
    			Disabled:             pulumi.Bool(false),
    			// NOTE(review): placeholder is false, while the full example on this page sets true;
    			// decide explicitly whether matches of this rule must be logged for audit.
    			EnableLogging:        pulumi.Bool(false),
    			RuleName:             pulumi.String("string"),
    			// NOTE(review): SecurityProfileGroup and TlsInspect look tied to inspection-type
    			// actions - confirm which Action values accept them.
    			SecurityProfileGroup: pulumi.String("string"),
    			// NOTE(review): the target fields presumably scope the rule to tagged instances or
    			// service accounts; omitting them likely widens what the rule applies to - verify.
    			TargetSecureTags: compute.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArray{
    				&compute.RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs{
    					Name:  pulumi.String("string"),
    					State: pulumi.String("string"),
    				},
    			},
    			TargetServiceAccounts: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			TlsInspect: pulumi.Bool(false),
    		},
    	},
    	// Policy-level settings; Name is subject to the RFC1035 naming rule described under Inputs.
    	Description: pulumi.String("string"),
    	Name:        pulumi.String("string"),
    	Project:     pulumi.String("string"),
    	Region:      pulumi.String("string"),
    })
    
    // Reference shape only: every input below is a type placeholder ("string", 0, false),
    // so this call shows the builder structure, not a deployable firewall policy.
    var regionNetworkFirewallPolicyWithRulesResource = new RegionNetworkFirewallPolicyWithRules("regionNetworkFirewallPolicyWithRulesResource", RegionNetworkFirewallPolicyWithRulesArgs.builder()
        .rules(RegionNetworkFirewallPolicyWithRulesRuleArgs.builder()
            // Rule verdict; the full example on this page uses "allow".
            .action("string")
            // Traffic selectors: protocol/ports plus source and destination criteria.
            // NOTE(review): keep the address ranges as narrow as the workload allows.
            .match(RegionNetworkFirewallPolicyWithRulesRuleMatchArgs.builder()
                .layer4Configs(RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs.builder()
                    .ipProtocol("string")
                    .ports("string")
                    .build())
                .destAddressGroups("string")
                .destFqdns("string")
                .destIpRanges("string")
                .destRegionCodes("string")
                .destThreatIntelligences("string")
                .srcAddressGroups("string")
                .srcFqdns("string")
                .srcIpRanges("string")
                .srcRegionCodes("string")
                .srcSecureTags(RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs.builder()
                    .name("string")
                    .state("string")
                    .build())
                .srcThreatIntelligences("string")
                .build())
            // NOTE(review): 0 is a placeholder; priority presumably decides evaluation order
            // (the full example on this page uses 1000) - confirm the ordering before choosing a value.
            .priority(0)
            .description("string")
            // The full example on this page uses "EGRESS".
            .direction("string")
            .disabled(false)
            // NOTE(review): placeholder is false, while the full example on this page sets true;
            // decide explicitly whether matches of this rule must be logged for audit.
            .enableLogging(false)
            .ruleName("string")
            // NOTE(review): securityProfileGroup and tlsInspect look tied to inspection-type
            // actions - confirm which action values accept them.
            .securityProfileGroup("string")
            // NOTE(review): the target fields presumably scope the rule to tagged instances or
            // service accounts; omitting them likely widens what the rule applies to - verify.
            .targetSecureTags(RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs.builder()
                .name("string")
                .state("string")
                .build())
            .targetServiceAccounts("string")
            .tlsInspect(false)
            .build())
        // Policy-level settings; name is subject to the RFC1035 naming rule described under Inputs.
        .description("string")
        .name("string")
        .project("string")
        .region("string")
        .build());
    
    # Reference shape only: every input below is a type placeholder ("string", 0, False),
    # so this call shows the argument structure, not a deployable firewall policy.
    region_network_firewall_policy_with_rules_resource = gcp.compute.RegionNetworkFirewallPolicyWithRules("regionNetworkFirewallPolicyWithRulesResource",
        rules=[{
            # Rule verdict; the full example on this page uses "allow".
            "action": "string",
            # Traffic selectors: protocol/ports plus source and destination criteria.
            # NOTE(review): keep the address ranges as narrow as the workload allows.
            "match": {
                "layer4_configs": [{
                    "ip_protocol": "string",
                    "ports": ["string"],
                }],
                "dest_address_groups": ["string"],
                "dest_fqdns": ["string"],
                "dest_ip_ranges": ["string"],
                "dest_region_codes": ["string"],
                "dest_threat_intelligences": ["string"],
                "src_address_groups": ["string"],
                "src_fqdns": ["string"],
                "src_ip_ranges": ["string"],
                "src_region_codes": ["string"],
                "src_secure_tags": [{
                    "name": "string",
                    "state": "string",
                }],
                "src_threat_intelligences": ["string"],
            },
            # NOTE(review): 0 is a placeholder; priority presumably decides evaluation order
            # (the full example on this page uses 1000) - confirm the ordering before choosing a value.
            "priority": 0,
            "description": "string",
            # The full example on this page uses "EGRESS".
            "direction": "string",
            "disabled": False,
            # NOTE(review): placeholder is False, while the full example on this page sets true;
            # decide explicitly whether matches of this rule must be logged for audit.
            "enable_logging": False,
            "rule_name": "string",
            # NOTE(review): security_profile_group and tls_inspect look tied to inspection-type
            # actions - confirm which action values accept them.
            "security_profile_group": "string",
            # NOTE(review): the target fields presumably scope the rule to tagged instances or
            # service accounts; omitting them likely widens what the rule applies to - verify.
            "target_secure_tags": [{
                "name": "string",
                "state": "string",
            }],
            "target_service_accounts": ["string"],
            "tls_inspect": False,
        }],
        # Policy-level settings; name is subject to the RFC1035 naming rule described under Inputs.
        description="string",
        name="string",
        project="string",
        region="string")
    
    // Reference shape only: every input below is a type placeholder ("string", 0, false),
    // so this call shows the argument structure, not a deployable firewall policy.
    const regionNetworkFirewallPolicyWithRulesResource = new gcp.compute.RegionNetworkFirewallPolicyWithRules("regionNetworkFirewallPolicyWithRulesResource", {
        rules: [{
            // Rule verdict; the full example on this page uses "allow".
            action: "string",
            // Traffic selectors: protocol/ports plus source and destination criteria.
            // NOTE(review): keep the address ranges as narrow as the workload allows.
            match: {
                layer4Configs: [{
                    ipProtocol: "string",
                    ports: ["string"],
                }],
                destAddressGroups: ["string"],
                destFqdns: ["string"],
                destIpRanges: ["string"],
                destRegionCodes: ["string"],
                destThreatIntelligences: ["string"],
                srcAddressGroups: ["string"],
                srcFqdns: ["string"],
                srcIpRanges: ["string"],
                srcRegionCodes: ["string"],
                srcSecureTags: [{
                    name: "string",
                    state: "string",
                }],
                srcThreatIntelligences: ["string"],
            },
            // NOTE(review): 0 is a placeholder; priority presumably decides evaluation order
            // (the full example on this page uses 1000) - confirm the ordering before choosing a value.
            priority: 0,
            description: "string",
            // The full example on this page uses "EGRESS".
            direction: "string",
            disabled: false,
            // NOTE(review): placeholder is false, while the full example on this page sets true;
            // decide explicitly whether matches of this rule must be logged for audit.
            enableLogging: false,
            ruleName: "string",
            // NOTE(review): securityProfileGroup and tlsInspect look tied to inspection-type
            // actions - confirm which action values accept them.
            securityProfileGroup: "string",
            // NOTE(review): the target fields presumably scope the rule to tagged instances or
            // service accounts; omitting them likely widens what the rule applies to - verify.
            targetSecureTags: [{
                name: "string",
                state: "string",
            }],
            targetServiceAccounts: ["string"],
            tlsInspect: false,
        }],
        // Policy-level settings; name is subject to the RFC1035 naming rule described under Inputs.
        description: "string",
        name: "string",
        project: "string",
        region: "string",
    });
    
    # Reference shape only: every input below is a type placeholder (string, 0, false),
    # so this shows the property structure, not a deployable firewall policy.
    type: gcp:compute:RegionNetworkFirewallPolicyWithRules
    properties:
        # Policy-level settings; name is subject to the RFC1035 naming rule described under Inputs.
        description: string
        name: string
        project: string
        region: string
        rules:
            # Rule verdict; the full example on this page uses "allow".
            - action: string
              description: string
              # The full example on this page uses "EGRESS".
              direction: string
              disabled: false
              # NOTE(review): placeholder is false, while the full example on this page sets true;
              # decide explicitly whether matches of this rule must be logged for audit.
              enableLogging: false
              # Traffic selectors: protocol/ports plus source and destination criteria.
              # NOTE(review): keep the address ranges as narrow as the workload allows.
              match:
                destAddressGroups:
                    - string
                destFqdns:
                    - string
                destIpRanges:
                    - string
                destRegionCodes:
                    - string
                destThreatIntelligences:
                    - string
                layer4Configs:
                    - ipProtocol: string
                      ports:
                        - string
                srcAddressGroups:
                    - string
                srcFqdns:
                    - string
                srcIpRanges:
                    - string
                srcRegionCodes:
                    - string
                srcSecureTags:
                    - name: string
                      state: string
                srcThreatIntelligences:
                    - string
              # NOTE(review): 0 is a placeholder; priority presumably decides evaluation order
              # (the full example on this page uses 1000) - confirm the ordering before choosing a value.
              priority: 0
              ruleName: string
              # NOTE(review): securityProfileGroup and tlsInspect look tied to inspection-type
              # actions - confirm which action values accept them.
              securityProfileGroup: string
              # NOTE(review): the target fields presumably scope the rule to tagged instances or
              # service accounts; omitting them likely widens what the rule applies to - verify.
              targetSecureTags:
                - name: string
                  state: string
              targetServiceAccounts:
                - string
              tlsInspect: false
    

    RegionNetworkFirewallPolicyWithRules Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The RegionNetworkFirewallPolicyWithRules resource accepts the following input properties:

    Rules List<RegionNetworkFirewallPolicyWithRulesRule>
    A list of firewall policy rules. Structure is documented below.
    Description string
    (Output) A description of the rule.
    Name string
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    Project string
    Region string
    The region of this resource.
    Rules []RegionNetworkFirewallPolicyWithRulesRuleArgs
    A list of firewall policy rules. Structure is documented below.
    Description string
    (Output) A description of the rule.
    Name string
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    Project string
    Region string
    The region of this resource.
    rules List<RegionNetworkFirewallPolicyWithRulesRule>
    A list of firewall policy rules. Structure is documented below.
    description String
    (Output) A description of the rule.
    name String
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    project String
    region String
    The region of this resource.
    rules RegionNetworkFirewallPolicyWithRulesRule[]
    A list of firewall policy rules. Structure is documented below.
    description string
    (Output) A description of the rule.
    name string
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    project string
    region string
    The region of this resource.
    rules Sequence[RegionNetworkFirewallPolicyWithRulesRuleArgs]
    A list of firewall policy rules. Structure is documented below.
    description str
    (Output) A description of the rule.
    name str
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    project str
    region str
    The region of this resource.
    rules List<Property Map>
    A list of firewall policy rules. Structure is documented below.
    description String
    (Output) A description of the rule.
    name String
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    project String
    region String
    The region of this resource.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the RegionNetworkFirewallPolicyWithRules resource produces the following output properties:

    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Fingerprint string
    Fingerprint of the resource. This field is used internally during updates of this resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    NetworkFirewallPolicyId string
    The unique identifier for the resource. This identifier is defined by the server.
    PredefinedRules List<RegionNetworkFirewallPolicyWithRulesPredefinedRule>
    A list of firewall policy pre-defined rules. Structure is documented below.
    RuleTupleCount int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    SelfLink string
    Server-defined URL for the resource.
    SelfLinkWithId string
    Server-defined URL for this resource with the resource id.
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Fingerprint string
    Fingerprint of the resource. This field is used internally during updates of this resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    NetworkFirewallPolicyId string
    The unique identifier for the resource. This identifier is defined by the server.
    PredefinedRules []RegionNetworkFirewallPolicyWithRulesPredefinedRule
    A list of firewall policy pre-defined rules. Structure is documented below.
    RuleTupleCount int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    SelfLink string
    Server-defined URL for the resource.
    SelfLinkWithId string
    Server-defined URL for this resource with the resource id.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    fingerprint String
    Fingerprint of the resource. This field is used internally during updates of this resource.
    id String
    The provider-assigned unique ID for this managed resource.
    networkFirewallPolicyId String
    The unique identifier for the resource. This identifier is defined by the server.
    predefinedRules List<RegionNetworkFirewallPolicyWithRulesPredefinedRule>
    A list of firewall policy pre-defined rules. Structure is documented below.
    ruleTupleCount Integer
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    selfLink String
    Server-defined URL for the resource.
    selfLinkWithId String
    Server-defined URL for this resource with the resource id.
    creationTimestamp string
    Creation timestamp in RFC3339 text format.
    fingerprint string
    Fingerprint of the resource. This field is used internally during updates of this resource.
    id string
    The provider-assigned unique ID for this managed resource.
    networkFirewallPolicyId string
    The unique identifier for the resource. This identifier is defined by the server.
    predefinedRules RegionNetworkFirewallPolicyWithRulesPredefinedRule[]
    A list of firewall policy pre-defined rules. Structure is documented below.
    ruleTupleCount number
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    selfLink string
    Server-defined URL for the resource.
    selfLinkWithId string
    Server-defined URL for this resource with the resource id.
    creation_timestamp str
    Creation timestamp in RFC3339 text format.
    fingerprint str
    Fingerprint of the resource. This field is used internally during updates of this resource.
    id str
    The provider-assigned unique ID for this managed resource.
    network_firewall_policy_id str
    The unique identifier for the resource. This identifier is defined by the server.
    predefined_rules Sequence[RegionNetworkFirewallPolicyWithRulesPredefinedRule]
    A list of firewall policy pre-defined rules. Structure is documented below.
    rule_tuple_count int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    self_link str
    Server-defined URL for the resource.
    self_link_with_id str
    Server-defined URL for this resource with the resource id.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    fingerprint String
    Fingerprint of the resource. This field is used internally during updates of this resource.
    id String
    The provider-assigned unique ID for this managed resource.
    networkFirewallPolicyId String
    The unique identifier for the resource. This identifier is defined by the server.
    predefinedRules List<Property Map>
    A list of firewall policy pre-defined rules. Structure is documented below.
    ruleTupleCount Number
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    selfLink String
    Server-defined URL for the resource.
    selfLinkWithId String
    Server-defined URL for this resource with the resource id.

    Look up Existing RegionNetworkFirewallPolicyWithRules Resource

    Get an existing RegionNetworkFirewallPolicyWithRules resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RegionNetworkFirewallPolicyWithRulesState, opts?: CustomResourceOptions): RegionNetworkFirewallPolicyWithRules
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            creation_timestamp: Optional[str] = None,
            description: Optional[str] = None,
            fingerprint: Optional[str] = None,
            name: Optional[str] = None,
            network_firewall_policy_id: Optional[str] = None,
            predefined_rules: Optional[Sequence[RegionNetworkFirewallPolicyWithRulesPredefinedRuleArgs]] = None,
            project: Optional[str] = None,
            region: Optional[str] = None,
            rule_tuple_count: Optional[int] = None,
            rules: Optional[Sequence[RegionNetworkFirewallPolicyWithRulesRuleArgs]] = None,
            self_link: Optional[str] = None,
            self_link_with_id: Optional[str] = None) -> RegionNetworkFirewallPolicyWithRules
    func GetRegionNetworkFirewallPolicyWithRules(ctx *Context, name string, id IDInput, state *RegionNetworkFirewallPolicyWithRulesState, opts ...ResourceOption) (*RegionNetworkFirewallPolicyWithRules, error)
    public static RegionNetworkFirewallPolicyWithRules Get(string name, Input<string> id, RegionNetworkFirewallPolicyWithRulesState? state, CustomResourceOptions? opts = null)
    public static RegionNetworkFirewallPolicyWithRules get(String name, Output<String> id, RegionNetworkFirewallPolicyWithRulesState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Description string
    (Output) A description of the rule.
    Fingerprint string
    Fingerprint of the resource. This field is used internally during updates of this resource.
    Name string
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    NetworkFirewallPolicyId string
    The unique identifier for the resource. This identifier is defined by the server.
    PredefinedRules List<RegionNetworkFirewallPolicyWithRulesPredefinedRule>
    A list of firewall policy pre-defined rules. Structure is documented below.
    Project string
    Region string
    The region of this resource.
    RuleTupleCount int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    Rules List<RegionNetworkFirewallPolicyWithRulesRule>
    A list of firewall policy rules. Structure is documented below.
    SelfLink string
    Server-defined URL for the resource.
    SelfLinkWithId string
    Server-defined URL for this resource with the resource id.
    CreationTimestamp string
    Creation timestamp in RFC3339 text format.
    Description string
    (Output) A description of the rule.
    Fingerprint string
    Fingerprint of the resource. This field is used internally during updates of this resource.
    Name string
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    NetworkFirewallPolicyId string
    The unique identifier for the resource. This identifier is defined by the server.
    PredefinedRules []RegionNetworkFirewallPolicyWithRulesPredefinedRuleArgs
    A list of firewall policy pre-defined rules. Structure is documented below.
    Project string
    Region string
    The region of this resource.
    RuleTupleCount int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    Rules []RegionNetworkFirewallPolicyWithRulesRuleArgs
    A list of firewall policy rules. Structure is documented below.
    SelfLink string
    Server-defined URL for the resource.
    SelfLinkWithId string
    Server-defined URL for this resource with the resource id.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    description String
    (Output) A description of the rule.
    fingerprint String
    Fingerprint of the resource. This field is used internally during updates of this resource.
    name String
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    networkFirewallPolicyId String
    The unique identifier for the resource. This identifier is defined by the server.
    predefinedRules List<RegionNetworkFirewallPolicyWithRulesPredefinedRule>
    A list of firewall policy pre-defined rules. Structure is documented below.
    project String
    region String
    The region of this resource.
    ruleTupleCount Integer
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    rules List<RegionNetworkFirewallPolicyWithRulesRule>
    A list of firewall policy rules. Structure is documented below.
    selfLink String
    Server-defined URL for the resource.
    selfLinkWithId String
    Server-defined URL for this resource with the resource id.
    creationTimestamp string
    Creation timestamp in RFC3339 text format.
    description string
    (Output) A description of the rule.
    fingerprint string
    Fingerprint of the resource. This field is used internally during updates of this resource.
    name string
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    networkFirewallPolicyId string
    The unique identifier for the resource. This identifier is defined by the server.
    predefinedRules RegionNetworkFirewallPolicyWithRulesPredefinedRule[]
    A list of firewall policy pre-defined rules. Structure is documented below.
    project string
    region string
    The region of this resource.
    ruleTupleCount number
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    rules RegionNetworkFirewallPolicyWithRulesRule[]
    A list of firewall policy rules. Structure is documented below.
    selfLink string
    Server-defined URL for the resource.
    selfLinkWithId string
    Server-defined URL for this resource with the resource id.
    creation_timestamp str
    Creation timestamp in RFC3339 text format.
    description str
    (Output) A description of the rule.
    fingerprint str
    Fingerprint of the resource. This field is used internally during updates of this resource.
    name str
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    network_firewall_policy_id str
    The unique identifier for the resource. This identifier is defined by the server.
    predefined_rules Sequence[RegionNetworkFirewallPolicyWithRulesPredefinedRuleArgs]
    A list of firewall policy pre-defined rules. Structure is documented below.
    project str
    region str
    The region of this resource.
    rule_tuple_count int
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    rules Sequence[RegionNetworkFirewallPolicyWithRulesRuleArgs]
    A list of firewall policy rules. Structure is documented below.
    self_link str
    Server-defined URL for the resource.
    self_link_with_id str
    Server-defined URL for this resource with the resource id.
    creationTimestamp String
    Creation timestamp in RFC3339 text format.
    description String
    (Output) A description of the rule.
    fingerprint String
    Fingerprint of the resource. This field is used internally during updates of this resource.
    name String
    User-provided name of the Network firewall policy. The name should be unique in the project in which the firewall policy is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`, which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
    networkFirewallPolicyId String
    The unique identifier for the resource. This identifier is defined by the server.
    predefinedRules List<Property Map>
    A list of firewall policy pre-defined rules. Structure is documented below.
    project String
    region String
    The region of this resource.
    ruleTupleCount Number
    Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples.
    rules List<Property Map>
    A list of firewall policy rules. Structure is documented below.
    selfLink String
    Server-defined URL for the resource.
    selfLinkWithId String
    Server-defined URL for this resource with the resource id.

    Supporting Types

    RegionNetworkFirewallPolicyWithRulesPredefinedRule, RegionNetworkFirewallPolicyWithRulesPredefinedRuleArgs

    Action string
    (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    Description string
    (Output) A description of the rule.
    Direction string
    (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
    Disabled bool
    (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    Matches List<RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatch>
    (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    Priority int
    (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    RuleName string
    (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
    SecurityProfileGroup string
    (Output) A fully-qualified URL of a SecurityProfile resource instance. Must be specified if action is 'apply_security_profile_group'. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
    TargetSecureTags List<RegionNetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTag>
    (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags. If all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored, so its action is not applied to any traffic. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    TargetServiceAccounts List<string>
    (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    Action string
    (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    Description string
    (Output) A description of the rule.
    Direction string
    (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
    Disabled bool
    (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    Matches []RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatch
    (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    Priority int
    (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    RuleName string
    (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
    SecurityProfileGroup string
    (Output) A fully-qualified URL of a SecurityProfile resource instance. Must be specified if action is 'apply_security_profile_group'. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
    TargetSecureTags []RegionNetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTag
    (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags. If all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored, so its action is not applied to any traffic. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    TargetServiceAccounts []string
    (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
    TlsInspect bool
    (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    description String
    (Output) A description of the rule.
    direction String
    (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
    disabled Boolean
    (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    matches List<RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatch>
    (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority Integer
    (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    ruleName String
    (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup String
    (Output) A fully-qualified URL of a SecurityProfile resource instance. Must be specified if action is 'apply_security_profile_group'. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
    targetSecureTags List<RegionNetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTag>
    (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags. If all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored, so its action is not applied to any traffic. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    targetServiceAccounts List<String>
    (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action string
    (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    description string
    (Output) A description of the rule.
    direction string
    (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
    disabled boolean
    (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging boolean
    (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    matches RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatch[]
    (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority number
    (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    ruleName string
    (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup string
    (Output) A fully-qualified URL of a SecurityProfile resource instance. Must be specified if action is 'apply_security_profile_group'. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
    targetSecureTags RegionNetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTag[]
    (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags. If all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored, so its action is not applied to any traffic. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    targetServiceAccounts string[]
    (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect boolean
    (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action str
    (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    description str
    (Output) A description of the rule.
    direction str
    (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
    disabled bool
    (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enable_logging bool
    (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    matches Sequence[RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatch]
    (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority int
    (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    rule_name str
    (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
    security_profile_group str
    (Output) A fully-qualified URL of a SecurityProfile resource instance. Must be specified if action is 'apply_security_profile_group'. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
    target_secure_tags Sequence[RegionNetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTag]
    (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags. If all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored, so its action is not applied to any traffic. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    target_service_accounts Sequence[str]
    (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
    tls_inspect bool
    (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    (Output) The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    description String
    (Output) A description of the rule.
    direction String
    (Output) The direction in which this rule applies. If unspecified an INGRESS rule is created.
    disabled Boolean
    (Output) Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    (Output) Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    matches List<Property Map>
    (Output) A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority Number
    (Output) An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    ruleName String
    (Output) An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup String
    (Output) A fully-qualified URL of a SecurityProfile resource instance. Must be specified if action is 'apply_security_profile_group'. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
    targetSecureTags List<Property Map>
    (Output) A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags. If all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored, so its action is not applied to any traffic. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    targetServiceAccounts List<String>
    (Output) A list of service accounts indicating the sets of instances that are applied with this rule.
    tlsInspect Boolean
    (Output) Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.

    RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatch, RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchArgs

    DestAddressGroups List<string>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges List<string>
    Destination IP address range in CIDR format. Required for EGRESS rules.
    DestRegionCodes List<string>
    Region codes whose IP addresses will be used to match for destination of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of destination region codes allowed is 5000.
    DestThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    Layer4Configs List<RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4Config>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    SrcAddressGroups List<string>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges List<string>
    Source IP address range in CIDR format. Required for INGRESS rules.
    SrcRegionCodes List<string>
    Region codes whose IP addresses will be used to match for source of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of source region codes allowed is 5000.
    SrcSecureTags List<RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTag>

    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    SrcThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    DestAddressGroups []string
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges []string
    Destination IP address range in CIDR format. Required for EGRESS rules.
    DestRegionCodes []string
    Region codes whose IP addresses will be used to match for destination of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of destination region codes allowed is 5000.
    DestThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    Layer4Configs []RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4Config
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    SrcAddressGroups []string
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges []string
    Source IP address range in CIDR format. Required for INGRESS rules.
    SrcRegionCodes []string
    Region codes whose IP addresses will be used to match for source of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of source region codes allowed is 5000.
    SrcSecureTags []RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTag

    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    SrcThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    Destination IP address range in CIDR format. Required for EGRESS rules.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of destination region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs List<RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4Config>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    Source IP address range in CIDR format. Required for INGRESS rules.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of source region codes allowed is 5000.
    srcSecureTags List<RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTag>

    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    srcThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups string[]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges string[]
    Destination IP address range in CIDR format. Required for EGRESS rules.
    destRegionCodes string[]
    Region codes whose IP addresses will be used to match for destination of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of destination region codes allowed is 5000.
    destThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4Config[]
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    srcAddressGroups string[]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges string[]
    Source IP address range in CIDR format. Required for INGRESS rules.
    srcRegionCodes string[]
    Region codes whose IP addresses will be used to match for source of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of source region codes allowed is 5000.
    srcSecureTags RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTag[]

    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    srcThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    dest_address_groups Sequence[str]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    dest_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    dest_ip_ranges Sequence[str]
    Destination IP address range in CIDR format. Required for EGRESS rules.
    dest_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for destination of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of destination region codes allowed is 5000.
    dest_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4_configs Sequence[RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4Config]
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    src_address_groups Sequence[str]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    src_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    src_ip_ranges Sequence[str]
    Source IP address range in CIDR format. Required for INGRESS rules.
    src_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for source of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of source region codes allowed is 5000.
    src_secure_tags Sequence[RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTag]

    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    src_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    Destination IP address range in CIDR format. Required for EGRESS rules.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of destination region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    layer4Configs List<Property Map>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    Source IP address range in CIDR format. Required for INGRESS rules.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Each should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of source region codes allowed is 5000.
    srcSecureTags List<Property Map>

    List of secure tag values, which should be matched at the source of the traffic. For an INGRESS rule, if all of the srcSecureTag values are INEFFECTIVE and there is no srcIpRange, the rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    srcThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4Config, RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchLayer4ConfigArgs

    IpProtocol string
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports List<string>
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    IpProtocol string
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports []string
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol string
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports string[]
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ip_protocol str
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports Sequence[str]
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

    RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTag, RegionNetworkFirewallPolicyWithRulesPredefinedRuleMatchSrcSecureTagArgs

    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name str
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state str
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

    RegionNetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTag, RegionNetworkFirewallPolicyWithRulesPredefinedRuleTargetSecureTagArgs

    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    name str
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state str
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    RegionNetworkFirewallPolicyWithRulesRule, RegionNetworkFirewallPolicyWithRulesRuleArgs

    Action string
    The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    Match RegionNetworkFirewallPolicyWithRulesRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    Description string
    A description of the rule.
    Direction string
    The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values are: INGRESS, EGRESS.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
    TargetSecureTags List<RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag values are specified, the firewall rule applies only to instances in the VPC network that have one of those secure tags in the EFFECTIVE state. If all of the target secure tags are in the INEFFECTIVE state, this rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag is specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    TargetServiceAccounts List<string>
    A list of service accounts indicating the sets of instances to which this rule applies.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    Action string
    The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    Match RegionNetworkFirewallPolicyWithRulesRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    Priority int
    An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    Description string
    A description of the rule.
    Direction string
    The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values are: INGRESS, EGRESS.
    Disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    EnableLogging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    RuleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    SecurityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
    TargetSecureTags []RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag values are specified, the firewall rule applies only to instances in the VPC network that have one of those secure tags in the EFFECTIVE state. If all of the target secure tags are in the INEFFECTIVE state, this rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag is specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    TargetServiceAccounts []string
    A list of service accounts indicating the sets of instances to which this rule applies.
    TlsInspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    match RegionNetworkFirewallPolicyWithRulesRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority Integer
    An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    description String
    A description of the rule.
    direction String
    The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values are: INGRESS, EGRESS.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
    targetSecureTags List<RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag values are specified, the firewall rule applies only to instances in the VPC network that have one of those secure tags in the EFFECTIVE state. If all of the target secure tags are in the INEFFECTIVE state, this rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag is specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances to which this rule applies.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action string
    The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    match RegionNetworkFirewallPolicyWithRulesRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority number
    An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    description string
    A description of the rule.
    direction string
    The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values are: INGRESS, EGRESS.
    disabled boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    ruleName string
    An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup string
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
    targetSecureTags RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag[]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag values are specified, the firewall rule applies only to instances in the VPC network that have one of those secure tags in the EFFECTIVE state. If all of the target secure tags are in the INEFFECTIVE state, this rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag is specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    targetServiceAccounts string[]
    A list of service accounts indicating the sets of instances to which this rule applies.
    tlsInspect boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action str
    The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    match RegionNetworkFirewallPolicyWithRulesRuleMatch
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority int
    An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    description str
    A description of the rule.
    direction str
    The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values are: INGRESS, EGRESS.
    disabled bool
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enable_logging bool
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    rule_name str
    An optional name for the rule. This field is not a unique identifier and can be updated.
    security_profile_group str
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
    target_secure_tags Sequence[RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag]
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag values are specified, the firewall rule applies only to instances in the VPC network that have one of those secure tags in the EFFECTIVE state. If all of the target secure tags are in the INEFFECTIVE state, this rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag is specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    target_service_accounts Sequence[str]
    A list of service accounts indicating the sets of instances to which this rule applies.
    tls_inspect bool
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.
    action String
    The Action to perform when the client connection triggers the rule. Can currently be either "allow", "deny", "apply_security_profile_group" or "goto_next".
    match Property Map
    A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. Structure is documented below.
    priority Number
    An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    description String
    A description of the rule.
    direction String
    The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values are: INGRESS, EGRESS.
    disabled Boolean
    Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
    enableLogging Boolean
    Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver.
    ruleName String
    An optional name for the rule. This field is not a unique identifier and can be updated.
    securityProfileGroup String
    A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group Must be specified if action is 'apply_security_profile_group'.
    targetSecureTags List<Property Map>
    A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag values are specified, the firewall rule applies only to instances in the VPC network that have one of those secure tags in the EFFECTIVE state. If all of the target secure tags are in the INEFFECTIVE state, this rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag is specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. Structure is documented below.
    targetServiceAccounts List<String>
    A list of service accounts indicating the sets of instances to which this rule applies.
    tlsInspect Boolean
    Boolean flag indicating if the traffic should be TLS decrypted. It can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.

    RegionNetworkFirewallPolicyWithRulesRuleMatch, RegionNetworkFirewallPolicyWithRulesRuleMatchArgs

    Layer4Configs List<RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    DestAddressGroups List<string>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges List<string>
    Destination IP address range in CIDR format. Required for EGRESS rules.
    DestRegionCodes List<string>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes, e.g. "US". Maximum number of destination region codes allowed is 5000.
    DestThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    SrcAddressGroups List<string>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns List<string>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges List<string>
    Source IP address range in CIDR format. Required for INGRESS rules.
    SrcRegionCodes List<string>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes, e.g. "US". Maximum number of source region codes allowed is 5000.
    SrcSecureTags List<RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag>

    List of secure tag values, which should be matched at the source of the traffic. For an INGRESS rule, if all of the srcSecureTag values are INEFFECTIVE and there is no srcIpRange, the rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    SrcThreatIntelligences List<string>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    Layer4Configs []RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    DestAddressGroups []string
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    DestFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    DestIpRanges []string
    Destination IP address range in CIDR format. Required for EGRESS rules.
    DestRegionCodes []string
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes, e.g. "US". Maximum number of destination region codes allowed is 5000.
    DestThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    SrcAddressGroups []string
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    SrcFqdns []string
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    SrcIpRanges []string
    Source IP address range in CIDR format. Required for INGRESS rules.
    SrcRegionCodes []string
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes, e.g. "US". Maximum number of source region codes allowed is 5000.
    SrcSecureTags []RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag

    List of secure tag values, which should be matched at the source of the traffic. For an INGRESS rule, if all of the srcSecureTag values are INEFFECTIVE and there is no srcIpRange, the rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    SrcThreatIntelligences []string
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    layer4Configs List<RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    Destination IP address range in CIDR format. Required for EGRESS rules.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes, e.g. "US". Maximum number of destination region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    Source IP address range in CIDR format. Required for INGRESS rules.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes, e.g. "US". Maximum number of source region codes allowed is 5000.
    srcSecureTags List<RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag>

    List of secure tag values, which should be matched at the source of the traffic. For an INGRESS rule, if all of the srcSecureTag values are INEFFECTIVE and there is no srcIpRange, the rule is ignored; an ignored rule is not enforced, so a deny rule in that state no longer blocks the traffic it was written to stop. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    srcThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    layer4Configs RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config[]
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    destAddressGroups string[]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns string[]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges string[]
    Destination IP address range in CIDR format. Required for EGRESS rules.
    destRegionCodes string[]
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes, e.g. "US". Maximum number of destination region codes allowed is 5000.
    destThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    srcAddressGroups string[]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns string[]
    Fully Qualified Domain Names (FQDNs) which should be matched against traffic source. Maximum number of source FQDNs allowed is 100.
    srcIpRanges string[]
    Source IP address range in CIDR format. Required for INGRESS rules.
    srcRegionCodes string[]
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of source region codes allowed is 5000.
    srcSecureTags RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag[]

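    List of secure tag values to match at the source of the traffic. For an INGRESS rule, if every srcSecureTag is INEFFECTIVE and no srcIpRange is set, the rule is ignored. An ignored rule no longer allows or denies anything, so the traffic it was written for is handled by whatever other rules apply; check the state output of each tag after deleting a tag or its network. Maximum number of source tag values allowed is 256. Structure is documented below.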

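    The layer4_config block supports ipProtocol and ports; see RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config below. (srcThreatIntelligences, listed next, is a sibling of layer4Configs, not part of layer4_config.)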

    srcThreatIntelligences string[]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    layer4_configs Sequence[RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config]
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    dest_address_groups Sequence[str]
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    dest_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    dest_ip_ranges Sequence[str]
    Destination IP address range in CIDR format. Required for EGRESS rules.
    dest_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
    dest_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    src_address_groups Sequence[str]
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    src_fqdns Sequence[str]
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    src_ip_ranges Sequence[str]
    Source IP address range in CIDR format. Required for INGRESS rules.
    src_region_codes Sequence[str]
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    src_secure_tags Sequence[RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag]

    List of secure tag values to match at the source of the traffic. For an INGRESS rule, if every entry in src_secure_tags is INEFFECTIVE and src_ip_ranges is not set, the rule is ignored. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    src_threat_intelligences Sequence[str]
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    layer4Configs List<Property Map>
    Pairs of IP protocols and ports that the rule should match. Structure is documented below.
    destAddressGroups List<String>
    Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    destFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    destIpRanges List<String>
    Destination IP address range in CIDR format. Required for EGRESS rules.
    destRegionCodes List<String>
    Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of destination region codes allowed is 5000.
    destThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    srcAddressGroups List<String>
    Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    srcFqdns List<String>
    Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    srcIpRanges List<String>
    Source IP address range in CIDR format. Required for INGRESS rules.
    srcRegionCodes List<String>
    Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000.
    srcSecureTags List<Property Map>

    List of secure tag values, which should be matched at the source of the traffic. For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. Structure is documented below.

    The layer4_config block supports:

    srcThreatIntelligences List<String>
    Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.

    RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4Config, RegionNetworkFirewallPolicyWithRulesRuleMatchLayer4ConfigArgs

    IpProtocol string
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports List<string>
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port, so an allow rule that omits ports permits every port of the given protocol. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    IpProtocol string
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    Ports []string
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol string
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports string[]
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port, so an allow rule that omits ports permits every port of the given protocol. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ip_protocol str
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports Sequence[str]
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
    ipProtocol String
    (Output) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.
    ports List<String>
    (Output) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

    RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTag, RegionNetworkFirewallPolicyWithRulesRuleMatchSrcSecureTagArgs

    Name string
    Name of the secure tag, created with TagManager's TagValue API. Must match the pattern tagValues/[0-9]+.
    State string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name string
    Name of the secure tag, created with TagManager's TagValue API. Must match the pattern tagValues/[0-9]+.
    state string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name str
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state str
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.
    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

    RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTag, RegionNetworkFirewallPolicyWithRulesRuleTargetSecureTagArgs

    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    Name string
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    State string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    name string
    Name of the secure tag, created with TagManager's TagValue API. Must match the pattern tagValues/[0-9]+.
    state string
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    name str
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state str
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    name String
    Name of the secure tag, created with TagManager's TagValue API. @pattern tagValues/[0-9]+
    state String
    (Output) [Output Only] State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.


    Import

    RegionNetworkFirewallPolicyWithRules can be imported using any of these accepted formats:

    • projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}

    • {{project}}/{{region}}/{{name}}

    • {{region}}/{{name}}

    • {{name}}

    When using the pulumi import command, RegionNetworkFirewallPolicyWithRules can be imported using one of the formats above. For example:

    $ pulumi import gcp:compute/regionNetworkFirewallPolicyWithRules:RegionNetworkFirewallPolicyWithRules default projects/{{project}}/regions/{{region}}/firewallPolicies/{{name}}
    
    $ pulumi import gcp:compute/regionNetworkFirewallPolicyWithRules:RegionNetworkFirewallPolicyWithRules default {{project}}/{{region}}/{{name}}
    
    $ pulumi import gcp:compute/regionNetworkFirewallPolicyWithRules:RegionNetworkFirewallPolicyWithRules default {{region}}/{{name}}
    
    $ pulumi import gcp:compute/regionNetworkFirewallPolicyWithRules:RegionNetworkFirewallPolicyWithRules default {{name}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi