google::compute-firewall-rule

Creates a firewall rule.

Example

google::compute-firewall-rule firewall-rule-example
    name: "firewall-rule-example"
    network: $(google::network network-example-firewall-rule)
    description: "firewall-rule-example-desc"
    direction: "ingress"
    priority: 1001

    rule-type: "allow"

    allowed
        protocol: "tcp"
        ports: ["95-96", "80-85"]
    end

    source-tags: [
        "source-tag-example"
    ]
end

Attributes

Attribute Description
name The name of the firewall rule. Needs to follow Google firewall rule naming convention. Must be 1-63 characters long consisting only of dash, lowercase letter, or digit. First character needs to be a letter and the last character can either be a letter or a digit. (Required)
network The network to create this firewall rule in. (Required)
description The description of the firewall rule.
rule-type Allow or Deny requests that matches the rules. Valid values are ALLOW or DENY. (Required)
allowed list subresource

A set of rules that allow requests to pass that get matched. Required if ‘rule-type’ set to ALLOW.

protocol
The protocol that is going to be matched for the incoming/outgoing requests. Valid values are tcp, udp, icmp, esp, ah, ipip, sctp, an IP protocol number, or all. (Required)
ports set
A list of ports associated with the protocol. Can only be set when ‘protocol’ set to tcp or udp. Valid values are valid port number or port number range. Ex. 22 or 22-443.
denied list subresource A set of rules that deny requests to pass that get matched. Required if ‘rule-type’ set to DENY.
destination-ranges set A set of destination IP in cidr form that the firewall rule applies to. Can only be set when ‘direction’ set to ‘EGRESS’.
direction The direction specifies the type of requests this rule applies to. INGRESS for incoming and EGRESS for outgoing requests. Valid values are INGRESS or EGRESS. (Required)
disabled When true, disables the firewall rule. Defaults to false.
priority The priority of the firewall rule, when there are multiple that match a certain requests. Lower the number higher the priority. Defaults to 1000. Valid values are between 0 and 65535.
source-ranges set A set of source IP in cidr form that the firewall rule applies to. Can only be set when ‘direction’ set to ‘INGRESS’.
source-service-accounts set A set of service accounts that the incoming requests are going to be matched with only if it originated from instances of the accounts specified. Can only be set when ‘direction’ set to ‘INGRESS’. Only one of ‘source-service-accounts’ or ‘source-tags’ can be set.
source-tags set A set of tags that the incoming requests are going to be matched with only if it originated from instances whose primary network interface has the same tags. Can only be set when ‘direction’ set to ‘INGRESS’. Only one of ‘source-service-accounts’ or ‘source-tags’ can be set.
log-config When true, enables logs for the firewall rule. Defaults to false.
target-service-accounts set A set of service accounts that the outgoing requests are going to be matched with only if it is targeted from instances of the accounts specified. Only one of ‘target-service-accounts’ or ‘target-tags’ can be set.
target-tags set A set of tags that the outgoing requests are going to be matched with only if it is targeted from instances whose primary network interface has the same tags. Only one of ‘target-service-accounts’ or ‘target-tags’ can be set.

Outputs

Attribute Description
id The ID of the firewall rule.
self-link The fully qualified url of the firewall rule.