Generate resource_compute_firewall in magic-modules. I also decided to use PATCH instead of PUT for updates, because a lot of the fields we had marked as ForceNew can be updated with PATCH. (#1907)
<!-- This change is generated by MagicModules. --> /cc @danawillow
This commit is contained in:
parent
41e088dcef
commit
875f1f874e
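--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -21,6 +21,7 @@ var GeneratedComputeResourcesMap = map[string]*schema.Resource{
 "google_compute_autoscaler": resourceComputeAutoscaler(),
 "google_compute_backend_bucket": resourceComputeBackendBucket(),
 "google_compute_disk": resourceComputeDisk(),
+"google_compute_firewall": resourceComputeFirewall(),
 "google_compute_forwarding_rule": resourceComputeForwardingRule(),
 "google_compute_global_address": resourceComputeGlobalAddress(),
 "google_compute_http_health_check": resourceComputeHttpHealthCheck(),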
File diff suppressed because it is too large
@ -1,24 +1,56 @@
|
|||||||
---
|
---
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
|
||||||
|
#
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# This file is automatically generated by Magic Modules and manual
|
||||||
|
# changes will be clobbered when the file is regenerated.
|
||||||
|
#
|
||||||
|
# Please read more about how to change this file in
|
||||||
|
# .github/CONTRIBUTING.md.
|
||||||
|
#
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
layout: "google"
|
layout: "google"
|
||||||
page_title: "Google: google_compute_firewall"
|
page_title: "Google: google_compute_firewall"
|
||||||
sidebar_current: "docs-google-compute-firewall"
|
sidebar_current: "docs-google-compute-firewall"
|
||||||
description: |-
|
description: |-
|
||||||
Manages a firewall resource within GCE.
|
Each network has its own firewall controlling access to and from the
|
||||||
|
instances.
|
||||||
---
|
---
|
||||||
|
|
||||||
# google\_compute\_firewall
|
# google\_compute\_firewall
|
||||||
|
|
||||||
Manages a firewall resource within GCE. For more information see
|
Each network has its own firewall controlling access to and from the
|
||||||
[the official documentation](https://cloud.google.com/compute/docs/vpc/firewalls)
|
instances.
|
||||||
and
|
|
||||||
[API](https://cloud.google.com/compute/docs/reference/latest/firewalls).
|
All traffic to instances, even from other instances, is blocked by the
|
||||||
|
firewall unless firewall rules are created to allow it.
|
||||||
|
|
||||||
|
The default network has automatically created firewall rules that are
|
||||||
|
shown in default firewall rules. No manually created network has
|
||||||
|
automatically created firewall rules except for a default "allow" rule for
|
||||||
|
outgoing traffic and a default "deny" for incoming traffic. For all
|
||||||
|
networks except the default network, you must create any firewall rules
|
||||||
|
you need.
|
||||||
|
|
||||||
|
To get more information about Firewall, see:
|
||||||
|
|
||||||
|
* [API documentation](https://cloud.google.com/compute/docs/reference/latest/firewalls)
|
||||||
|
* How-to Guides
|
||||||
|
* [Official Documentation](https://cloud.google.com/vpc/docs/firewalls)
|
||||||
|
|
||||||
## Example Usage
|
## Example Usage
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
|
resource "google_compute_network" "default" {
|
||||||
|
name = "test-network"
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_compute_firewall" "default" {
|
resource "google_compute_firewall" "default" {
|
||||||
name = "test-firewall"
|
name = "test-firewall"
|
||||||
network = "${google_compute_network.other.name}"
|
network = "${google_compute_network.default.name}"
|
||||||
|
|
||||||
allow {
|
allow {
|
||||||
protocol = "icmp"
|
protocol = "icmp"
|
||||||
@ -37,88 +69,187 @@ resource "google_compute_firewall" "default" {
|
|||||||
|
|
||||||
The following arguments are supported:
|
The following arguments are supported:
|
||||||
|
|
||||||
* `name` - (Required) A unique name for the resource, required by GCE.
|
|
||||||
Changing this forces a new resource to be created.
|
|
||||||
|
|
||||||
* `network` - (Required) The name or self_link of the network to attach this firewall to.
|
* `name` -
|
||||||
|
(Required)
|
||||||
|
Name of the resource. Provided by the client when the resource is
|
||||||
|
created. The name must be 1-63 characters long, and comply with
|
||||||
|
RFC1035. Specifically, the name must be 1-63 characters long and match
|
||||||
|
the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the
|
||||||
|
first character must be a lowercase letter, and all following
|
||||||
|
characters must be a dash, lowercase letter, or digit, except the last
|
||||||
|
character, which cannot be a dash.
|
||||||
|
|
||||||
|
* `network` -
|
||||||
|
(Required)
|
||||||
|
The name or self_link of the network to attach this firewall to.
|
||||||
|
|
||||||
|
|
||||||
- - -
|
- - -
|
||||||
|
|
||||||
* `allow` - (Required) Can be specified multiple times for each allow
|
|
||||||
rule. Each allow block supports fields documented below.
|
|
||||||
|
|
||||||
* `deny` - (Optional) Can be specified multiple times for each deny
|
* `allow` -
|
||||||
rule. Each deny block supports fields documented below. Can be specified
|
(Optional)
|
||||||
instead of allow.
|
The list of ALLOW rules specified by this firewall. Each rule
|
||||||
|
specifies a protocol and port-range tuple that describes a permitted
|
||||||
|
connection. Structure is documented below.
|
||||||
|
|
||||||
* `description` - (Optional) Textual description field.
|
* `deny` -
|
||||||
|
(Optional)
|
||||||
|
The list of DENY rules specified by this firewall. Each rule specifies
|
||||||
|
a protocol and port-range tuple that describes a denied connection. Structure is documented below.
|
||||||
|
|
||||||
* `disabled` - (Optional) Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with.
|
* `description` -
|
||||||
When set to true, the firewall rule is not enforced and the network behaves as if it did not exist.
|
(Optional)
|
||||||
|
An optional description of this resource. Provide this property when
|
||||||
|
you create the resource.
|
||||||
|
|
||||||
* `project` - (Optional) The ID of the project in which the resource belongs. If it
|
* `destination_ranges` -
|
||||||
is not provided, the provider project is used.
|
(Optional)
|
||||||
|
If destination ranges are specified, the firewall will apply only to
|
||||||
|
traffic that has destination IP address in these ranges. These ranges
|
||||||
|
must be expressed in CIDR format. Only IPv4 is supported.
|
||||||
|
|
||||||
* `priority` - (Optional) The priority for this firewall. Ranges from 0-65535, inclusive. Defaults to 1000. Firewall
|
* `direction` -
|
||||||
resources with lower priority values have higher precedence (e.g. a firewall resource with a priority value of 0
|
(Optional)
|
||||||
takes effect over all other firewall rules with a non-zero priority).
|
Direction of traffic to which this firewall applies; default is
|
||||||
|
INGRESS. Note: For INGRESS traffic, it is NOT supported to specify
|
||||||
|
destinationRanges; For EGRESS traffic, it is NOT supported to specify
|
||||||
|
sourceRanges OR sourceTags.
|
||||||
|
|
||||||
* `source_ranges` - (Optional) A list of source CIDR ranges that this
|
* `disabled` -
|
||||||
firewall applies to. Can't be used for `EGRESS`.
|
(Optional)
|
||||||
|
Denotes whether the firewall rule is disabled, i.e not applied to the
|
||||||
|
network it is associated with. When set to true, the firewall rule is
|
||||||
|
not enforced and the network behaves as if it did not exist. If this
|
||||||
|
is unspecified, the firewall rule will be enabled.
|
||||||
|
|
||||||
* `source_tags` - (Optional) A list of source tags for this firewall. Can't be used for `EGRESS`.
|
* `priority` -
|
||||||
|
(Optional)
|
||||||
|
Priority for this rule. This is an integer between 0 and 65535, both
|
||||||
|
inclusive. When not specified, the value assumed is 1000. Relative
|
||||||
|
priorities determine precedence of conflicting rules. Lower value of
|
||||||
|
priority implies higher precedence (eg, a rule with priority 0 has
|
||||||
|
higher precedence than a rule with priority 1). DENY rules take
|
||||||
|
precedence over ALLOW rules having equal priority.
|
||||||
|
|
||||||
* `target_tags` - (Optional) A list of target tags for this firewall.
|
* `source_ranges` -
|
||||||
|
(Optional)
|
||||||
|
If source ranges are specified, the firewall will apply only to
|
||||||
|
traffic that has source IP address in these ranges. These ranges must
|
||||||
|
be expressed in CIDR format. One or both of sourceRanges and
|
||||||
|
sourceTags may be set. If both properties are set, the firewall will
|
||||||
|
apply to traffic that has source IP address within sourceRanges OR the
|
||||||
|
source IP that belongs to a tag listed in the sourceTags property. The
|
||||||
|
connection does not need to match both properties for the firewall to
|
||||||
|
apply. Only IPv4 is supported.
|
||||||
|
|
||||||
* `direction` - (Optional) Direction of traffic to which this firewall applies;
|
* `source_service_accounts` -
|
||||||
One of `INGRESS` or `EGRESS`. Defaults to `INGRESS`.
|
(Optional)
|
||||||
|
If source service accounts are specified, the firewall will apply only
|
||||||
|
to traffic originating from an instance with a service account in this
|
||||||
|
list. Source service accounts cannot be used to control traffic to an
|
||||||
|
instance's external IP address because service accounts are associated
|
||||||
|
with an instance, not an IP address. sourceRanges can be set at the
|
||||||
|
same time as sourceServiceAccounts. If both are set, the firewall will
|
||||||
|
apply to traffic that has source IP address within sourceRanges OR the
|
||||||
|
source IP belongs to an instance with service account listed in
|
||||||
|
sourceServiceAccount. The connection does not need to match both
|
||||||
|
properties for the firewall to apply. sourceServiceAccounts cannot be
|
||||||
|
used at the same time as sourceTags or targetTags.
|
||||||
|
|
||||||
* `destination_ranges` - (Optional) A list of destination CIDR ranges that this
|
* `source_tags` -
|
||||||
firewall applies to. Can't be used for `INGRESS`.
|
(Optional)
|
||||||
|
If source tags are specified, the firewall will apply only to traffic
|
||||||
|
with source IP that belongs to a tag listed in source tags. Source
|
||||||
|
tags cannot be used to control traffic to an instance's external IP
|
||||||
|
address. Because tags are associated with an instance, not an IP
|
||||||
|
address. One or both of sourceRanges and sourceTags may be set. If
|
||||||
|
both properties are set, the firewall will apply to traffic that has
|
||||||
|
source IP address within sourceRanges OR the source IP that belongs to
|
||||||
|
a tag listed in the sourceTags property. The connection does not need
|
||||||
|
to match both properties for the firewall to apply.
|
||||||
|
|
||||||
* `source_service_accounts` - (Optional) A list of service accounts such that
|
* `target_service_accounts` -
|
||||||
the firewall will apply only to traffic originating from an instance with a service account in this list. Note that as of May 2018,
|
(Optional)
|
||||||
this list can contain only one item, due to a change in the way that these firewall rules are handled. Source service accounts
|
A list of service accounts indicating sets of instances located in the
|
||||||
cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not
|
network that may make network connections as specified in allowed[].
|
||||||
an IP address. `source_ranges` can be set at the same time as `source_service_accounts`. If both are set, the firewall will apply to
|
targetServiceAccounts cannot be used at the same time as targetTags or
|
||||||
traffic that has source IP address within `source_ranges` OR the source IP belongs to an instance with service account listed in
|
sourceTags. If neither targetServiceAccounts nor targetTags are
|
||||||
`source_service_accounts`. The connection does not need to match both properties for the firewall to apply. `source_service_accounts`
|
specified, the firewall rule applies to all instances on the specified
|
||||||
cannot be used at the same time as `source_tags` or `target_tags`.
|
network.
|
||||||
|
|
||||||
|
* `target_tags` -
|
||||||
|
(Optional)
|
||||||
|
A list of instance tags indicating sets of instances located in the
|
||||||
|
network that may make network connections as specified in allowed[].
|
||||||
|
If no targetTags are specified, the firewall rule applies to all
|
||||||
|
instances on the specified network.
|
||||||
|
* `project` - (Optional) The ID of the project in which the resource belongs.
|
||||||
|
If it is not provided, the provider project is used.
|
||||||
|
|
||||||
* `target_service_accounts` - (Optional) A list of service accounts indicating
|
|
||||||
sets of instances located in the network that may make network connections as specified in `allow`. `target_service_accounts` cannot
|
|
||||||
be used at the same time as `source_tags` or `target_tags`. If neither `target_service_accounts` nor `target_tags` are specified, the
|
|
||||||
firewall rule applies to all instances on the specified network. Note that as of May 2018, this list can contain only one item, due
|
|
||||||
to a change in the way that these firewall rules are handled.
|
|
||||||
|
|
||||||
The `allow` block supports:
|
The `allow` block supports:
|
||||||
|
|
||||||
* `protocol` - (Required) The name of the protocol to allow. This value can either be one of the following well
|
* `protocol` -
|
||||||
known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number, or `all`.
|
(Required)
|
||||||
|
The IP protocol to which this rule applies. The protocol type is
|
||||||
|
required when creating a firewall rule. This value can either be
|
||||||
|
one of the following well known protocol strings (tcp, udp,
|
||||||
|
icmp, esp, ah, sctp), or the IP protocol number.
|
||||||
|
|
||||||
* `ports` - (Optional) List of ports and/or port ranges to allow. This can
|
* `ports` -
|
||||||
only be specified if the protocol is TCP or UDP.
|
(Optional)
|
||||||
|
An optional list of ports to which this rule applies. This field
|
||||||
|
is only applicable for UDP or TCP protocol. Each entry must be
|
||||||
|
either an integer or a range. If not specified, this rule
|
||||||
|
applies to connections through any port.
|
||||||
|
Example inputs include: ["22"], ["80","443"], and
|
||||||
|
["12345-12349"].
|
||||||
|
|
||||||
The `deny` block supports:
|
The `deny` block supports:
|
||||||
|
|
||||||
* `protocol` - (Required) The name of the protocol to deny. This value can either be one of the following well
|
* `protocol` -
|
||||||
known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number, or `all`.
|
(Required)
|
||||||
|
The IP protocol to which this rule applies. The protocol type is
|
||||||
|
required when creating a firewall rule. This value can either be
|
||||||
|
one of the following well known protocol strings (tcp, udp,
|
||||||
|
icmp, esp, ah, sctp), or the IP protocol number.
|
||||||
|
|
||||||
* `ports` - (Optional) List of ports and/or port ranges to allow. This can
|
* `ports` -
|
||||||
only be specified if the protocol is TCP or UDP.
|
(Optional)
|
||||||
|
An optional list of ports to which this rule applies. This field
|
||||||
|
is only applicable for UDP or TCP protocol. Each entry must be
|
||||||
|
either an integer or a range. If not specified, this rule
|
||||||
|
applies to connections through any port.
|
||||||
|
Example inputs include: ["22"], ["80","443"], and
|
||||||
|
["12345-12349"].
|
||||||
|
|
||||||
## Attributes Reference
|
## Attributes Reference
|
||||||
|
|
||||||
In addition to the arguments listed above, the following computed attributes are
|
In addition to the arguments listed above, the following computed attributes are exported:
|
||||||
exported:
|
|
||||||
|
|
||||||
|
|
||||||
|
* `creation_timestamp` -
|
||||||
|
Creation timestamp in RFC3339 text format.
|
||||||
* `self_link` - The URI of the created resource.
|
* `self_link` - The URI of the created resource.
|
||||||
|
|
||||||
|
|
||||||
|
## Timeouts
|
||||||
|
|
||||||
|
This resource provides the following
|
||||||
|
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
|
||||||
|
|
||||||
|
- `create` - Default is 4 minutes.
|
||||||
|
- `update` - Default is 4 minutes.
|
||||||
|
- `delete` - Default is 4 minutes.
|
||||||
|
|
||||||
## Import
|
## Import
|
||||||
|
|
||||||
Firewalls can be imported using the `name`, e.g.
|
Firewall can be imported using any of these accepted formats:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ terraform import google_compute_firewall.default test-firewall
|
$ terraform import google_compute_firewall.default projects/{{project}}/global/firewalls/{{name}}
|
||||||
|
$ terraform import google_compute_firewall.default {{project}}/{{name}}
|
||||||
|
$ terraform import google_compute_firewall.default {{name}}
|
||||||
```
|
```
|
||||||
|