import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * ## Example Usage * * ### Compute Network Firewall Policy Packet Mirroring Rule * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const project = gcp.organizations.getProject({}); * const _default = new gcp.compute.Network("default", { * name: "fw-network", * autoCreateSubnetworks: false, * }); * const basicNetworkFirewallPolicy = new gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy", { * name: "fw-policy", * description: "Sample global network firewall policy", * project: "my-project-name", * }); * const defaultMirroringDeploymentGroup = new gcp.networksecurity.MirroringDeploymentGroup("default", { * mirroringDeploymentGroupId: "deployment-group", * location: "global", * network: _default.id, * }); * const defaultMirroringEndpointGroup = new gcp.networksecurity.MirroringEndpointGroup("default", { * mirroringEndpointGroupId: "endpoint-group", * location: "global", * mirroringDeploymentGroup: defaultMirroringDeploymentGroup.id, * }); * const defaultSecurityProfile = new gcp.networksecurity.SecurityProfile("default", { * name: "sec-profile", * parent: "organizations/123456789", * description: "my description", * type: "CUSTOM_MIRRORING", * customMirroringProfile: { * mirroringEndpointGroup: defaultMirroringEndpointGroup.id, * }, * }); * const securityProfileGroup1 = new gcp.networksecurity.SecurityProfileGroup("security_profile_group_1", { * name: "sec-profile-group", * parent: "organizations/123456789", * description: "my description", * customMirroringProfile: defaultSecurityProfile.id, * }); * const secureTagKey1 = new gcp.tags.TagKey("secure_tag_key_1", { * description: "Test tag key description", * parent: "organizations/123456789", * purpose: "GCE_FIREWALL", * shortName: "tag-key", * purposeData: { * network: pulumi.interpolate`my-project-name/${_default.name}`, * }, * }); * const secureTagValue1 = new gcp.tags.TagValue("secure_tag_value_1", { * description: "Test tag value description.", * parent: secureTagKey1.id, * shortName: "tag-value", * }); * const primary = new gcp.compute.NetworkFirewallPolicyPacketMirroringRule("primary", { * action: "mirror", * description: "This is a simple packet mirroring rule description", * direction: "INGRESS", * disabled: false, * firewallPolicy: basicNetworkFirewallPolicy.name, * priority: 1000, * ruleName: "test-rule", * match: { * srcIpRanges: ["10.100.0.1/32"], * layer4Configs: [{ * ipProtocol: "all", * }], * }, * securityProfileGroup: pulumi.interpolate`//networksecurity.googleapis.com/${securityProfileGroup1.id}`, * targetSecureTags: [{ * name: pulumi.interpolate`tagValues/${secureTagValue1.name}`, * }], * }); * ``` * * ## Import * * NetworkFirewallPolicyPacketMirroringRule can be imported using any of these accepted formats: * * * `projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}` * * * `{{project}}/{{firewall_policy}}/{{priority}}` * * * `{{firewall_policy}}/{{priority}}` * * When using the `pulumi import` command, NetworkFirewallPolicyPacketMirroringRule can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/networkFirewallPolicyPacketMirroringRule:NetworkFirewallPolicyPacketMirroringRule default projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/networkFirewallPolicyPacketMirroringRule:NetworkFirewallPolicyPacketMirroringRule default {{project}}/{{firewall_policy}}/{{priority}} * ``` * * ```sh * $ pulumi import gcp:compute/networkFirewallPolicyPacketMirroringRule:NetworkFirewallPolicyPacketMirroringRule default {{firewall_policy}}/{{priority}} * ``` */ export declare class NetworkFirewallPolicyPacketMirroringRule extends pulumi.CustomResource { /** * Get an existing NetworkFirewallPolicyPacketMirroringRule resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: NetworkFirewallPolicyPacketMirroringRuleState, opts?: pulumi.CustomResourceOptions): NetworkFirewallPolicyPacketMirroringRule; /** * Returns true if the given object is an instance of NetworkFirewallPolicyPacketMirroringRule. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is NetworkFirewallPolicyPacketMirroringRule; /** * The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "doNotMirror", "gotoNext". */ readonly action: pulumi.Output; /** * Creation timestamp in RFC3339 text format. */ readonly creationTimestamp: pulumi.Output; /** * An optional description for this resource. */ readonly description: pulumi.Output; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ readonly direction: pulumi.Output; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ readonly disabled: pulumi.Output; /** * The firewall policy of the resource. */ readonly firewallPolicy: pulumi.Output; /** * Type of the resource. Always `compute#packetMirroringRule` for firewall policy packet mirroring rules */ readonly kind: pulumi.Output; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ readonly match: pulumi.Output; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ readonly priority: pulumi.Output; readonly project: pulumi.Output; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ readonly ruleName: pulumi.Output; /** * Calculation of the complexity of a single firewall policy rule. */ readonly ruleTupleCount: pulumi.Output; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'mirror' and cannot be specified for other actions. */ readonly securityProfileGroup: pulumi.Output; /** * A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then * the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the * targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same * time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule * applies to all instances on the specified network. Maximum number of target label tags allowed is 256. */ readonly targetSecureTags: pulumi.Output; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set * for other actions. */ readonly tlsInspect: pulumi.Output; /** * Create a NetworkFirewallPolicyPacketMirroringRule resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: NetworkFirewallPolicyPacketMirroringRuleArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering NetworkFirewallPolicyPacketMirroringRule resources. */ export interface NetworkFirewallPolicyPacketMirroringRuleState { /** * The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "doNotMirror", "gotoNext". */ action?: pulumi.Input; /** * Creation timestamp in RFC3339 text format. */ creationTimestamp?: pulumi.Input; /** * An optional description for this resource. */ description?: pulumi.Input; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ direction?: pulumi.Input; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ disabled?: pulumi.Input; /** * The firewall policy of the resource. */ firewallPolicy?: pulumi.Input; /** * Type of the resource. Always `compute#packetMirroringRule` for firewall policy packet mirroring rules */ kind?: pulumi.Input; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match?: pulumi.Input; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ priority?: pulumi.Input; project?: pulumi.Input; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ ruleName?: pulumi.Input; /** * Calculation of the complexity of a single firewall policy rule. */ ruleTupleCount?: pulumi.Input; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'mirror' and cannot be specified for other actions. */ securityProfileGroup?: pulumi.Input; /** * A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then * the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the * targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same * time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule * applies to all instances on the specified network. Maximum number of target label tags allowed is 256. */ targetSecureTags?: pulumi.Input[]>; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set * for other actions. */ tlsInspect?: pulumi.Input; } /** * The set of arguments for constructing a NetworkFirewallPolicyPacketMirroringRule resource. */ export interface NetworkFirewallPolicyPacketMirroringRuleArgs { /** * The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "doNotMirror", "gotoNext". */ action: pulumi.Input; /** * An optional description for this resource. */ description?: pulumi.Input; /** * The direction in which this rule applies. * Possible values are: `INGRESS`, `EGRESS`. */ direction: pulumi.Input; /** * Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and * traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled. */ disabled?: pulumi.Input; /** * The firewall policy of the resource. */ firewallPolicy: pulumi.Input; /** * A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. * Structure is documented below. */ match: pulumi.Input; /** * An integer indicating the priority of a rule in the list. * The priority must be a positive value between 0 and 2147483647. * Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. */ priority: pulumi.Input; project?: pulumi.Input; /** * An optional name for the rule. This field is not a unique identifier and can be updated. */ ruleName?: pulumi.Input; /** * A fully-qualified URL of a SecurityProfile resource instance. Example: * https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group * Must be specified if action = 'mirror' and cannot be specified for other actions. */ securityProfileGroup?: pulumi.Input; /** * A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then * the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the * targetSecureTag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same * time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule * applies to all instances on the specified network. Maximum number of target label tags allowed is 256. */ targetSecureTags?: pulumi.Input[]>; /** * Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'mirror' and cannot be set * for other actions. */ tlsInspect?: pulumi.Input; }