---
layout: "google"
page_title: "Google: google_compute_firewall"
sidebar_current: "docs-google-compute-firewall"
description: |-
  Manages a firewall resource within GCE.
---

# google\_compute\_firewall

Manages a firewall resource within GCE. For more information see
[the official documentation](https://cloud.google.com/compute/docs/vpc/firewalls)
and
[API](https://cloud.google.com/compute/docs/reference/latest/firewalls).

## Example Usage

```hcl
resource "google_compute_firewall" "default" {
  name    = "test-firewall"
  network = "${google_compute_network.other.name}"

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  # Only traffic from instances tagged "web" matches this rule. No target_tags
  # are set, so the rule applies to every instance in the network.
  source_tags = ["web"]
}
```

## Argument Reference

The following arguments are supported:

* `name` - (Required) A unique name for the resource, required by GCE.
  Changing this forces a new resource to be created.

* `network` - (Required) The name or self_link of the network to attach this firewall to.

- - -

* `allow` - (Optional) Can be specified multiple times for each allow
  rule. Each allow block supports fields documented below. Exactly one of
  `allow` or `deny` must be set on a rule; a single rule cannot contain both.

* `deny` - (Optional) Can be specified multiple times for each deny
  rule. Each deny block supports fields documented below. Can be specified
  instead of `allow`.

* `description` - (Optional) Textual description field.

* `project` - (Optional) The project in which the resource belongs. If it
  is not provided, the provider project is used.

* `priority` - (Optional) The priority for this firewall. Ranges from 0 to 65535, inclusive. Defaults to 1000. Firewall
  resources with lower priority values have higher precedence (e.g. a firewall resource with a priority value of 0
  takes effect over all other firewall rules with a non-zero priority). Every network also carries implied rules at the
  lowest precedence (priority 65535): allow all egress and deny all ingress. A rule you create with a lower priority
  value takes effect over them, which is how an explicit egress `deny` rule overrides the implied allow.

* `source_ranges` - (Optional) A list of source CIDR ranges that this
  firewall applies to. Can't be used for `EGRESS`. If none of `source_ranges`,
  `source_tags` or `source_service_accounts` is set on an `INGRESS` rule, the
  API applies the rule to all sources (`0.0.0.0/0`), so set at least one of
  them explicitly unless that is intended.

* `source_tags` - (Optional) A list of source tags for this firewall. Can't be used for `EGRESS`.

* `target_tags` - (Optional) A list of target tags for this firewall. If neither
  `target_tags` nor `target_service_accounts` is specified, the rule applies to
  all instances on the network.

* `direction` - (Optional) Direction of traffic to which this firewall applies;
  one of `INGRESS` or `EGRESS`. Defaults to `INGRESS`.

* `destination_ranges` - (Optional) A list of destination CIDR ranges that this
  firewall applies to. Can't be used for `INGRESS`.

* `source_service_accounts` - (Optional) A list of service accounts such that
  the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts
  cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not
  an IP address. `source_ranges` can be set at the same time as `source_service_accounts`. If both are set, the firewall will apply to
  traffic that has a source IP address within `source_ranges` OR a source IP that belongs to an instance with a service account listed in
  `source_service_accounts`. The connection does not need to match both properties for the firewall to apply. `source_service_accounts`
  cannot be used at the same time as `source_tags` or `target_tags`.

* `target_service_accounts` - (Optional) A list of service accounts indicating
  sets of instances located in the network that may make network connections as specified in `allow` or `deny`. `target_service_accounts` cannot
  be used at the same time as `source_tags` or `target_tags`. If neither `target_service_accounts` nor `target_tags` are specified, the
  firewall rule applies to all instances on the specified network.

The `allow` block supports:

* `protocol` - (Required) The name of the protocol to allow. This value can either be one of the following well
  known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number, or `all`.

* `ports` - (Optional) List of ports and/or port ranges to allow. This can
  only be specified if the protocol is TCP or UDP.

The `deny` block supports:

* `protocol` - (Required) The name of the protocol to deny. This value can either be one of the following well
  known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number, or `all`.

* `ports` - (Optional) List of ports and/or port ranges to deny. This can
  only be specified if the protocol is TCP or UDP.
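
The following configuration is an added example, not part of the original page or of the provider's own documentation. It combines the arguments above: an `INGRESS` rule with explicit `source_ranges` and `target_tags`, an `EGRESS` `deny` rule at a low precedence (priority 65534), and a higher-precedence `EGRESS` `allow` rule scoped with `target_service_accounts` to instances running as one service account. The network name, service account, tag and address ranges are placeholders chosen for illustration.

```hcl
# Added example. The network, service account, tag and CIDR ranges below are
# placeholders, not values from the original documentation.
resource "google_compute_network" "example" {
  name = "example-network"
}

resource "google_service_account" "app" {
  account_id   = "app-workers"
  display_name = "Application workers"
}

# Ingress: HTTPS only from one corporate range, only to instances tagged "web".
# Both a source and a target are explicit, so the rule neither defaults to all
# sources (0.0.0.0/0) nor applies to every instance in the network.
resource "google_compute_firewall" "allow_https_from_corp" {
  name      = "allow-https-from-corp"
  network   = "${google_compute_network.example.name}"
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  source_ranges = ["203.0.113.0/24"] # placeholder (TEST-NET-3)
  target_tags   = ["web"]
}

# Egress: deny everything from every instance at a very low precedence. Any
# egress allow rule with a priority value below 65534 takes effect over this.
resource "google_compute_firewall" "deny_all_egress" {
  name      = "deny-all-egress"
  network   = "${google_compute_network.example.name}"
  direction = "EGRESS"
  priority  = 65534

  deny {
    protocol = "all"
  }

  destination_ranges = ["0.0.0.0/0"]
}

# Egress: open a hole in the deny above for instances running as the "app"
# service account, to a single destination range on TCP 5432 only.
resource "google_compute_firewall" "allow_db_egress_for_app" {
  name      = "allow-db-egress-for-app"
  network   = "${google_compute_network.example.name}"
  direction = "EGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }

  destination_ranges      = ["10.10.0.0/24"] # placeholder
  target_service_accounts = ["${google_service_account.app.email}"]
}
```

Because the allow rule's priority value (1000) is lower than the deny rule's (65534), instances running as the `app` service account can reach TCP 5432 in `10.10.0.0/24` while all other egress from the network is denied; instances without that service account match only the deny rule. The deny rule has no target, so it applies to every instance in the network, including the ones the allow rule exempts for that one destination.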

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are
exported:

* `self_link` - The URI of the created resource.

## Import

Firewalls can be imported using the `name`, e.g.

```
$ terraform import google_compute_firewall.default test-firewall
```