import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Each network has its own firewall controlling access to and from the * instances. * * All traffic to instances, even from other instances, is blocked by the * firewall unless firewall rules are created to allow it. * * The default network has automatically created firewall rules that are * shown in default firewall rules. No manually created network has * automatically created firewall rules except for a default "allow" rule for * outgoing traffic and a default "deny" for incoming traffic. For all * networks except the default network, you must create any firewall rules * you need. * * To get more information about Firewall, see: * * * [API documentation](https://cloud.google.com/compute/docs/reference/v1/firewalls) * * How-to Guides * * [Official Documentation](https://cloud.google.com/vpc/docs/firewalls) * * ## Example Usage * * ### Firewall Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const defaultNetwork = new gcp.compute.Network("default", {name: "test-network"}); * const _default = new gcp.compute.Firewall("default", { * name: "test-firewall", * network: defaultNetwork.name, * allows: [ * { * protocol: "icmp", * }, * { * protocol: "tcp", * ports: [ * "80", * "8080", * "1000-2000", * ], * }, * ], * sourceTags: ["web"], * }); * ``` * ### Firewall With Target Tags * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const rules = new gcp.compute.Firewall("rules", { * project: "my-project-name", * name: "my-firewall-rule", * network: "default", * description: "Creates firewall rule targeting tagged instances", * allows: [{ * protocol: "tcp", * ports: [ * "80", * "8080", * "1000-2000", * ], * }], * sourceTags: ["foo"], * targetTags: ["web"], * }); * ``` * * ## Import * * Firewall can be imported using any of these accepted formats: * * * `projects/{{project}}/global/firewalls/{{name}}` * * `{{project}}/{{name}}` * * `{{name}}` * * When using the `pulumi import` command, Firewall can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:compute/firewall:Firewall default projects/{{project}}/global/firewalls/{{name}} * $ pulumi import gcp:compute/firewall:Firewall default {{project}}/{{name}} * $ pulumi import gcp:compute/firewall:Firewall default {{name}} * ``` */ export declare class Firewall extends pulumi.CustomResource { /** * Get an existing Firewall resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: FirewallState, opts?: pulumi.CustomResourceOptions): Firewall; /** * Returns true if the given object is an instance of Firewall. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is Firewall; /** * The list of ALLOW rules specified by this firewall. Each rule * specifies a protocol and port-range tuple that describes a permitted * connection. * Structure is documented below. */ readonly allows: pulumi.Output; /** * Creation timestamp in RFC3339 text format. */ readonly creationTimestamp: pulumi.Output; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ readonly deletionPolicy: pulumi.Output; /** * The list of DENY rules specified by this firewall. Each rule specifies * a protocol and port-range tuple that describes a denied connection. * Structure is documented below. */ readonly denies: pulumi.Output; /** * An optional description of this resource. Provide this property when * you create the resource. */ readonly description: pulumi.Output; /** * If destination ranges are specified, the firewall will apply only to * traffic that has destination IP address in these ranges. These ranges * must be expressed in CIDR format. IPv4 or IPv6 ranges are supported. */ readonly destinationRanges: pulumi.Output; /** * Direction of traffic to which this firewall applies; default is * INGRESS. Note: For INGRESS traffic, one of `sourceRanges`, * `sourceTags` or `sourceServiceAccounts` is required. * Possible values are: `INGRESS`, `EGRESS`. */ readonly direction: pulumi.Output; /** * Denotes whether the firewall rule is disabled, i.e not applied to the * network it is associated with. When set to true, the firewall rule is * not enforced and the network behaves as if it did not exist. If this * is unspecified, the firewall rule will be enabled. */ readonly disabled: pulumi.Output; /** * This field denotes whether to enable logging for a particular firewall rule. * If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of `logConfig` * * @deprecated Deprecated in favor of log_config */ readonly enableLogging: pulumi.Output; /** * This field denotes the logging options for a particular firewall rule. * If defined, logging is enabled, and logs will be exported to Cloud Logging. * Structure is documented below. */ readonly logConfig: pulumi.Output; /** * Name of the resource. Provided by the client when the resource is * created. The name must be 1-63 characters long, and comply with * RFC1035. Specifically, the name must be 1-63 characters long and match * the regular expression `a-z?` which means the * first character must be a lowercase letter, and all following * characters must be a dash, lowercase letter, or digit, except the last * character, which cannot be a dash. */ readonly name: pulumi.Output; /** * The name or selfLink of the network to attach this firewall to. */ readonly network: pulumi.Output; /** * Additional params passed with the request, but not persisted as part of resource payload * Structure is documented below. */ readonly params: pulumi.Output; /** * Priority for this rule. This is an integer between 0 and 65535, both * inclusive. When not specified, the value assumed is 1000. Relative * priorities determine precedence of conflicting rules. Lower value of * priority implies higher precedence (eg, a rule with priority 0 has * higher precedence than a rule with priority 1). DENY rules take * precedence over ALLOW rules having equal priority. */ readonly priority: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * The URI of the created resource. */ readonly selfLink: pulumi.Output; /** * If source ranges are specified, the firewall will apply only to * traffic that has source IP address in these ranges. These ranges must * be expressed in CIDR format. One or both of sourceRanges and * sourceTags may be set. If both properties are set, the firewall will * apply to traffic that has source IP address within sourceRanges OR the * source IP that belongs to a tag listed in the sourceTags property. The * connection does not need to match both properties for the firewall to * apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of * `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ readonly sourceRanges: pulumi.Output; /** * If source service accounts are specified, the firewall will apply only * to traffic originating from an instance with a service account in this * list. Source service accounts cannot be used to control traffic to an * instance's external IP address because service accounts are associated * with an instance, not an IP address. sourceRanges can be set at the * same time as sourceServiceAccounts. If both are set, the firewall will * apply to traffic that has source IP address within sourceRanges OR the * source IP belongs to an instance with service account listed in * sourceServiceAccount. The connection does not need to match both * properties for the firewall to apply. sourceServiceAccounts cannot be * used at the same time as sourceTags or targetTags. For INGRESS traffic, * one of `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ readonly sourceServiceAccounts: pulumi.Output; /** * If source tags are specified, the firewall will apply only to traffic * with source IP that belongs to a tag listed in source tags. Source * tags cannot be used to control traffic to an instance's external IP * address. Because tags are associated with an instance, not an IP * address. One or both of sourceRanges and sourceTags may be set. If * both properties are set, the firewall will apply to traffic that has * source IP address within sourceRanges OR the source IP that belongs to * a tag listed in the sourceTags property. The connection does not need * to match both properties for the firewall to apply. For INGRESS traffic, * one of `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ readonly sourceTags: pulumi.Output; /** * A list of service accounts indicating sets of instances located in the * network that may make network connections as specified in allowed[]. * targetServiceAccounts cannot be used at the same time as targetTags or * sourceTags. If neither targetServiceAccounts nor targetTags are * specified, the firewall rule applies to all instances on the specified * network. */ readonly targetServiceAccounts: pulumi.Output; /** * A list of instance tags indicating sets of instances located in the * network that may make network connections as specified in allowed[]. * If no targetTags are specified, the firewall rule applies to all * instances on the specified network. */ readonly targetTags: pulumi.Output; /** * Create a Firewall resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: FirewallArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering Firewall resources. */ export interface FirewallState { /** * The list of ALLOW rules specified by this firewall. Each rule * specifies a protocol and port-range tuple that describes a permitted * connection. * Structure is documented below. */ allows?: pulumi.Input[] | undefined>; /** * Creation timestamp in RFC3339 text format. */ creationTimestamp?: pulumi.Input; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ deletionPolicy?: pulumi.Input; /** * The list of DENY rules specified by this firewall. Each rule specifies * a protocol and port-range tuple that describes a denied connection. * Structure is documented below. */ denies?: pulumi.Input[] | undefined>; /** * An optional description of this resource. Provide this property when * you create the resource. */ description?: pulumi.Input; /** * If destination ranges are specified, the firewall will apply only to * traffic that has destination IP address in these ranges. These ranges * must be expressed in CIDR format. IPv4 or IPv6 ranges are supported. */ destinationRanges?: pulumi.Input[] | undefined>; /** * Direction of traffic to which this firewall applies; default is * INGRESS. Note: For INGRESS traffic, one of `sourceRanges`, * `sourceTags` or `sourceServiceAccounts` is required. * Possible values are: `INGRESS`, `EGRESS`. */ direction?: pulumi.Input; /** * Denotes whether the firewall rule is disabled, i.e not applied to the * network it is associated with. When set to true, the firewall rule is * not enforced and the network behaves as if it did not exist. If this * is unspecified, the firewall rule will be enabled. */ disabled?: pulumi.Input; /** * This field denotes whether to enable logging for a particular firewall rule. * If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of `logConfig` * * @deprecated Deprecated in favor of log_config */ enableLogging?: pulumi.Input; /** * This field denotes the logging options for a particular firewall rule. * If defined, logging is enabled, and logs will be exported to Cloud Logging. * Structure is documented below. */ logConfig?: pulumi.Input; /** * Name of the resource. Provided by the client when the resource is * created. The name must be 1-63 characters long, and comply with * RFC1035. Specifically, the name must be 1-63 characters long and match * the regular expression `a-z?` which means the * first character must be a lowercase letter, and all following * characters must be a dash, lowercase letter, or digit, except the last * character, which cannot be a dash. */ name?: pulumi.Input; /** * The name or selfLink of the network to attach this firewall to. */ network?: pulumi.Input; /** * Additional params passed with the request, but not persisted as part of resource payload * Structure is documented below. */ params?: pulumi.Input; /** * Priority for this rule. This is an integer between 0 and 65535, both * inclusive. When not specified, the value assumed is 1000. Relative * priorities determine precedence of conflicting rules. Lower value of * priority implies higher precedence (eg, a rule with priority 0 has * higher precedence than a rule with priority 1). DENY rules take * precedence over ALLOW rules having equal priority. */ priority?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The URI of the created resource. */ selfLink?: pulumi.Input; /** * If source ranges are specified, the firewall will apply only to * traffic that has source IP address in these ranges. These ranges must * be expressed in CIDR format. One or both of sourceRanges and * sourceTags may be set. If both properties are set, the firewall will * apply to traffic that has source IP address within sourceRanges OR the * source IP that belongs to a tag listed in the sourceTags property. The * connection does not need to match both properties for the firewall to * apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of * `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ sourceRanges?: pulumi.Input[] | undefined>; /** * If source service accounts are specified, the firewall will apply only * to traffic originating from an instance with a service account in this * list. Source service accounts cannot be used to control traffic to an * instance's external IP address because service accounts are associated * with an instance, not an IP address. sourceRanges can be set at the * same time as sourceServiceAccounts. If both are set, the firewall will * apply to traffic that has source IP address within sourceRanges OR the * source IP belongs to an instance with service account listed in * sourceServiceAccount. The connection does not need to match both * properties for the firewall to apply. sourceServiceAccounts cannot be * used at the same time as sourceTags or targetTags. For INGRESS traffic, * one of `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ sourceServiceAccounts?: pulumi.Input[] | undefined>; /** * If source tags are specified, the firewall will apply only to traffic * with source IP that belongs to a tag listed in source tags. Source * tags cannot be used to control traffic to an instance's external IP * address. Because tags are associated with an instance, not an IP * address. One or both of sourceRanges and sourceTags may be set. If * both properties are set, the firewall will apply to traffic that has * source IP address within sourceRanges OR the source IP that belongs to * a tag listed in the sourceTags property. The connection does not need * to match both properties for the firewall to apply. For INGRESS traffic, * one of `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ sourceTags?: pulumi.Input[] | undefined>; /** * A list of service accounts indicating sets of instances located in the * network that may make network connections as specified in allowed[]. * targetServiceAccounts cannot be used at the same time as targetTags or * sourceTags. If neither targetServiceAccounts nor targetTags are * specified, the firewall rule applies to all instances on the specified * network. */ targetServiceAccounts?: pulumi.Input[] | undefined>; /** * A list of instance tags indicating sets of instances located in the * network that may make network connections as specified in allowed[]. * If no targetTags are specified, the firewall rule applies to all * instances on the specified network. */ targetTags?: pulumi.Input[] | undefined>; } /** * The set of arguments for constructing a Firewall resource. */ export interface FirewallArgs { /** * The list of ALLOW rules specified by this firewall. Each rule * specifies a protocol and port-range tuple that describes a permitted * connection. * Structure is documented below. */ allows?: pulumi.Input[] | undefined>; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ deletionPolicy?: pulumi.Input; /** * The list of DENY rules specified by this firewall. Each rule specifies * a protocol and port-range tuple that describes a denied connection. * Structure is documented below. */ denies?: pulumi.Input[] | undefined>; /** * An optional description of this resource. Provide this property when * you create the resource. */ description?: pulumi.Input; /** * If destination ranges are specified, the firewall will apply only to * traffic that has destination IP address in these ranges. These ranges * must be expressed in CIDR format. IPv4 or IPv6 ranges are supported. */ destinationRanges?: pulumi.Input[] | undefined>; /** * Direction of traffic to which this firewall applies; default is * INGRESS. Note: For INGRESS traffic, one of `sourceRanges`, * `sourceTags` or `sourceServiceAccounts` is required. * Possible values are: `INGRESS`, `EGRESS`. */ direction?: pulumi.Input; /** * Denotes whether the firewall rule is disabled, i.e not applied to the * network it is associated with. When set to true, the firewall rule is * not enforced and the network behaves as if it did not exist. If this * is unspecified, the firewall rule will be enabled. */ disabled?: pulumi.Input; /** * This field denotes whether to enable logging for a particular firewall rule. * If logging is enabled, logs will be exported to Stackdriver. Deprecated in favor of `logConfig` * * @deprecated Deprecated in favor of log_config */ enableLogging?: pulumi.Input; /** * This field denotes the logging options for a particular firewall rule. * If defined, logging is enabled, and logs will be exported to Cloud Logging. * Structure is documented below. */ logConfig?: pulumi.Input; /** * Name of the resource. Provided by the client when the resource is * created. The name must be 1-63 characters long, and comply with * RFC1035. Specifically, the name must be 1-63 characters long and match * the regular expression `a-z?` which means the * first character must be a lowercase letter, and all following * characters must be a dash, lowercase letter, or digit, except the last * character, which cannot be a dash. */ name?: pulumi.Input; /** * The name or selfLink of the network to attach this firewall to. */ network: pulumi.Input; /** * Additional params passed with the request, but not persisted as part of resource payload * Structure is documented below. */ params?: pulumi.Input; /** * Priority for this rule. This is an integer between 0 and 65535, both * inclusive. When not specified, the value assumed is 1000. Relative * priorities determine precedence of conflicting rules. Lower value of * priority implies higher precedence (eg, a rule with priority 0 has * higher precedence than a rule with priority 1). DENY rules take * precedence over ALLOW rules having equal priority. */ priority?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * If source ranges are specified, the firewall will apply only to * traffic that has source IP address in these ranges. These ranges must * be expressed in CIDR format. One or both of sourceRanges and * sourceTags may be set. If both properties are set, the firewall will * apply to traffic that has source IP address within sourceRanges OR the * source IP that belongs to a tag listed in the sourceTags property. The * connection does not need to match both properties for the firewall to * apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of * `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ sourceRanges?: pulumi.Input[] | undefined>; /** * If source service accounts are specified, the firewall will apply only * to traffic originating from an instance with a service account in this * list. Source service accounts cannot be used to control traffic to an * instance's external IP address because service accounts are associated * with an instance, not an IP address. sourceRanges can be set at the * same time as sourceServiceAccounts. If both are set, the firewall will * apply to traffic that has source IP address within sourceRanges OR the * source IP belongs to an instance with service account listed in * sourceServiceAccount. The connection does not need to match both * properties for the firewall to apply. sourceServiceAccounts cannot be * used at the same time as sourceTags or targetTags. For INGRESS traffic, * one of `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ sourceServiceAccounts?: pulumi.Input[] | undefined>; /** * If source tags are specified, the firewall will apply only to traffic * with source IP that belongs to a tag listed in source tags. Source * tags cannot be used to control traffic to an instance's external IP * address. Because tags are associated with an instance, not an IP * address. One or both of sourceRanges and sourceTags may be set. If * both properties are set, the firewall will apply to traffic that has * source IP address within sourceRanges OR the source IP that belongs to * a tag listed in the sourceTags property. The connection does not need * to match both properties for the firewall to apply. For INGRESS traffic, * one of `sourceRanges`, `sourceTags` or `sourceServiceAccounts` is required. */ sourceTags?: pulumi.Input[] | undefined>; /** * A list of service accounts indicating sets of instances located in the * network that may make network connections as specified in allowed[]. * targetServiceAccounts cannot be used at the same time as targetTags or * sourceTags. If neither targetServiceAccounts nor targetTags are * specified, the firewall rule applies to all instances on the specified * network. */ targetServiceAccounts?: pulumi.Input[] | undefined>; /** * A list of instance tags indicating sets of instances located in the * network that may make network connections as specified in allowed[]. * If no targetTags are specified, the firewall rule applies to all * instances on the specified network. */ targetTags?: pulumi.Input[] | undefined>; } //# sourceMappingURL=firewall.d.ts.map