google::compute-firewall-rule

Creates a firewall rule.

Example

google::compute-firewall-rule firewall-rule-example
    name: "firewall-rule-example"
    network: $(google::network network-example-firewall-rule)
    description: "firewall-rule-example-desc"
    direction: "ingress"
    priority: 1001

    rule-type: "allow"

    allowed
        protocol: "tcp"
        ports: ["95-96", "80-85"]
    end

    source-tags: [
        "source-tag-example"
    ]
end

Attributes

Attribute Description
name The name of the firewall rule. Must follow the Google firewall rule naming convention: 1-63 characters consisting only of dashes, lowercase letters, or digits; the first character must be a letter and the last character must be a letter or a digit. (Required)
network The network to create this firewall rule in. (Required)
description The description of the firewall rule.
rule-type Whether to allow or deny requests that match the rule. Valid values are ALLOW or DENY. (Required)
allowed (list subresource) A set of rules that let matching requests pass. Required if 'rule-type' is set to ALLOW. Cannot be set if 'denied' is set.
    protocol The protocol to match for incoming/outgoing requests. Valid values are tcp, udp, icmp, esp, ah, ipip, sctp, an IP protocol number, or all. (Required)
    ports (set) A list of ports associated with the protocol. Can only be set when 'protocol' is tcp or udp. Valid values are a port number or a port number range, e.g. 22 or 22-443.
denied (list subresource) A set of rules that block matching requests. Required if 'rule-type' is set to DENY. Cannot be set if 'allowed' is set.
destination-ranges (set) A set of destination IP ranges in CIDR form that the firewall rule applies to. Can only be set when 'direction' is EGRESS.
direction The type of requests this rule applies to: INGRESS for incoming and EGRESS for outgoing requests. Valid values are INGRESS or EGRESS. (Required)
disabled When true, disables the firewall rule. Defaults to false.
priority The priority of the firewall rule, used when multiple rules match a request. The lower the number, the higher the priority. Defaults to 1000. Valid values are 0 to 65535.
source-ranges (set) A set of source IP ranges in CIDR form that the firewall rule applies to. Can only be set when 'direction' is INGRESS.
source-service-accounts (set) A set of service accounts; incoming requests are matched only if they originate from instances running as one of these accounts. Can only be set when 'direction' is INGRESS. Cannot be set if either source-tags or target-tags is set.
source-tags (set) A set of tags; incoming requests are matched only if they originate from instances whose primary network interface carries one of these tags. Can only be set when 'direction' is INGRESS. Only one of 'source-service-accounts' or 'source-tags' can be set.
log-config When true, enables logging for the firewall rule. Defaults to false.
target-service-accounts (set) A set of service accounts; the rule applies only to traffic targeting instances running as one of these accounts. Cannot be set if either target-tags or source-tags is set.
target-tags (set) A set of tags; the rule applies only to traffic targeting instances whose primary network interface carries one of these tags. Only one of 'target-service-accounts' or 'target-tags' can be set.
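The constraints in the attribute table (naming convention, direction-specific ranges, allowed/denied exclusivity, ports only with tcp/udp, tags versus service accounts, priority range) can be checked before a rule is applied. The following lint pass is an added example in Python, not Gyro's own code; it represents a rule as a plain dict keyed by the attribute names above, and both sample rules are constructed here.

```python
import ipaddress, re

# Naming convention from the table: 1-63 lowercase letters, digits or dashes; starts with a letter, ends with a letter or digit.
NAME_RE = re.compile(r"^[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?$")
SOURCE_FILTERS = ("source-ranges", "source-tags", "source-service-accounts")

def port_spec_ok(spec):
    """Accept '22' or '22-443': numeric ends within 0-65535, low end <= high end."""
    parts = str(spec).split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(0 <= n <= 65535 for n in nums) and nums[0] <= nums[-1]

def validate_rule(rule):
    """Return the list of constraint violations for one rule dict (empty means valid)."""
    direction = str(rule.get("direction", "")).upper()
    rule_type = str(rule.get("rule-type", "")).upper()
    priority = rule.get("priority", 1000)
    checks = [
        (not NAME_RE.match(str(rule.get("name", ""))), "name: violates the naming convention"),
        (direction not in ("INGRESS", "EGRESS"), "direction: must be INGRESS or EGRESS"),
        (rule_type not in ("ALLOW", "DENY"), "rule-type: must be ALLOW or DENY"),
        (("allowed" in rule) != (rule_type == "ALLOW"), "allowed: required iff rule-type is ALLOW"),
        (("denied" in rule) != (rule_type == "DENY"), "denied: required iff rule-type is DENY"),
        (not isinstance(priority, int) or not 0 <= priority <= 65535, "priority: must be 0-65535"),
        (direction != "EGRESS" and "destination-ranges" in rule, "destination-ranges: EGRESS only"),
        (direction != "INGRESS" and any(k in rule for k in SOURCE_FILTERS), "source-*: INGRESS only"),
        (any(k in rule for k in ("source-service-accounts", "target-service-accounts"))
         and any(k in rule for k in ("source-tags", "target-tags")), "service accounts and tags cannot be mixed"),
    ]
    errors = [msg for failed, msg in checks if failed]
    for entry in rule.get("allowed", []) + rule.get("denied", []):  # ports only with tcp/udp
        if "ports" in entry and str(entry.get("protocol", "")).lower() not in ("tcp", "udp"):
            errors.append(f"ports: not valid for protocol {entry.get('protocol')!r}")
        errors += [f"ports: bad spec {p!r}" for p in entry.get("ports", []) if not port_spec_ok(p)]
    for key in ("source-ranges", "destination-ranges"):
        for cidr in rule.get(key, []):
            try:
                ipaddress.ip_network(cidr)  # strict: rejects host bits set, e.g. 10.0.0.1/8
            except ValueError:
                errors.append(f"{key}: {cidr!r} is not a valid CIDR block")
    return errors

# Constructed samples: the page's example rule, and a copy with several violations.
EXAMPLE_RULE = {"name": "firewall-rule-example", "direction": "ingress", "priority": 1001,
                "rule-type": "allow", "allowed": [{"protocol": "tcp", "ports": ["95-96", "80-85"]}],
                "source-tags": ["source-tag-example"]}
BAD_RULE = {**EXAMPLE_RULE, "name": "Bad-Name-", "priority": 70000,
            "destination-ranges": ["10.0.0.0/8"], "source-ranges": ["10.0.0.1/8"]}
```

`validate_rule(BAD_RULE)` reports four violations (name, priority, destination-ranges on an ingress rule, and the malformed source CIDR), while the page's example rule passes cleanly.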

Outputs

Attribute Description
id The ID of the firewall rule.
self-link The fully qualified url of the firewall rule.