mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-07-05 17:52:38 +00:00
Generate resource_compute_firewall in magic-modules. I also decided to use PATCH instead of PUT for updates, because a lot of the fields we had marked as ForceNew can be updated with PATCH. (#1907)
<!-- This change is generated by MagicModules. --> /cc @danawillow
This commit is contained in:
parent 41e088dcef
commit 875f1f874e
@ -21,6 +21,7 @@ var GeneratedComputeResourcesMap = map[string]*schema.Resource{
"google_compute_autoscaler": resourceComputeAutoscaler(),
"google_compute_backend_bucket": resourceComputeBackendBucket(),
"google_compute_disk": resourceComputeDisk(),
"google_compute_firewall": resourceComputeFirewall(),
"google_compute_forwarding_rule": resourceComputeForwardingRule(),
"google_compute_global_address": resourceComputeGlobalAddress(),
"google_compute_http_health_check": resourceComputeHttpHealthCheck(),
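Review bot: the new `"google_compute_firewall": resourceComputeFirewall()` entry in `GeneratedComputeResourcesMap` is the only reviewable part of this change, because the diff of the generated resource file itself is suppressed as too large, so the PUT-to-PATCH switch described in the commit message, and the fields that consequently lose `ForceNew`, cannot be checked from this page. Two things to confirm before merge: that the hand-written registration of the same resource name is removed in the same commit, so the provider does not register `google_compute_firewall` twice; and that the PATCH update path explicitly sends list fields that have been removed from config (`source_ranges`, `source_tags`, `target_tags`, `source_service_accounts`), since PATCH leaves omitted fields untouched and a rule that silently keeps a wider source or target set than the config declares is a security regression, not just drift. Listing the fields that move from ForceNew to in-place update in the PR description would make that review possible.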
File diff suppressed because it is too large
@ -1,24 +1,56 @@
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_compute_firewall"
sidebar_current: "docs-google-compute-firewall"
description: |-
Manages a firewall resource within GCE.
Each network has its own firewall controlling access to and from the
instances.
---

# google\_compute\_firewall

Manages a firewall resource within GCE. For more information see
[the official documentation](https://cloud.google.com/compute/docs/vpc/firewalls)
and
[API](https://cloud.google.com/compute/docs/reference/latest/firewalls).
Each network has its own firewall controlling access to and from the
instances.

All traffic to instances, even from other instances, is blocked by the
firewall unless firewall rules are created to allow it.

The default network has automatically created firewall rules that are
shown in default firewall rules. No manually created network has
automatically created firewall rules except for a default "allow" rule for
outgoing traffic and a default "deny" for incoming traffic. For all
networks except the default network, you must create any firewall rules
you need.

To get more information about Firewall, see:

* [API documentation](https://cloud.google.com/compute/docs/reference/latest/firewalls)
* How-to Guides
* [Official Documentation](https://cloud.google.com/vpc/docs/firewalls)

## Example Usage

```hcl
resource "google_compute_network" "default" {
name = "test-network"
}

resource "google_compute_firewall" "default" {
name = "test-firewall"
network = "${google_compute_network.other.name}"
network = "${google_compute_network.default.name}"

allow {
protocol = "icmp"
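Review bot: the two adjacent `network =` lines in the example show the old `"${google_compute_network.other.name}"` reference being replaced by `"${google_compute_network.default.name}"`; since the example declares only `google_compute_network "default"`, the old reference could never have resolved, so that fix is right. Two points on the generated prose: the page now links the same firewall documentation twice (the "For more information see ..." paragraph under the heading and the "To get more information about Firewall" list), so if both survive regeneration keep one; and "shown in default firewall rules" reads as a dangling cross-reference, so either link the default-rules section of the official docs or drop the phrase. The paragraph does get the important security fact right: a manually created network starts with only an implied allow for egress and an implied deny for ingress, so every ingress the example's `allow` block opens should be scoped with the source arguments documented further down the page.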
@ -37,88 +69,187 @@ resource "google_compute_firewall" "default" {

The following arguments are supported:

* `name` - (Required) A unique name for the resource, required by GCE.
Changing this forces a new resource to be created.

* `network` - (Required) The name or self_link of the network to attach this firewall to.
* `name` -
(Required)
Name of the resource. Provided by the client when the resource is
created. The name must be 1-63 characters long, and comply with
RFC1035. Specifically, the name must be 1-63 characters long and match
the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the
first character must be a lowercase letter, and all following
characters must be a dash, lowercase letter, or digit, except the last
character, which cannot be a dash.

* `network` -
(Required)
The name or self_link of the network to attach this firewall to.


- - -

* `allow` - (Required) Can be specified multiple times for each allow
rule. Each allow block supports fields documented below.

* `deny` - (Optional) Can be specified multiple times for each deny
rule. Each deny block supports fields documented below. Can be specified
instead of allow.
* `allow` -
(Optional)
The list of ALLOW rules specified by this firewall. Each rule
specifies a protocol and port-range tuple that describes a permitted
connection. Structure is documented below.

* `description` - (Optional) Textual description field.
* `deny` -
(Optional)
The list of DENY rules specified by this firewall. Each rule specifies
a protocol and port-range tuple that describes a denied connection. Structure is documented below.

* `disabled` - (Optional) Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with.
When set to true, the firewall rule is not enforced and the network behaves as if it did not exist.
* `description` -
(Optional)
An optional description of this resource. Provide this property when
you create the resource.

* `project` - (Optional) The ID of the project in which the resource belongs. If it
is not provided, the provider project is used.
* `destination_ranges` -
(Optional)
If destination ranges are specified, the firewall will apply only to
traffic that has destination IP address in these ranges. These ranges
must be expressed in CIDR format. Only IPv4 is supported.

* `priority` - (Optional) The priority for this firewall. Ranges from 0-65535, inclusive. Defaults to 1000. Firewall
resources with lower priority values have higher precedence (e.g. a firewall resource with a priority value of 0
takes effect over all other firewall rules with a non-zero priority).
* `direction` -
(Optional)
Direction of traffic to which this firewall applies; default is
INGRESS. Note: For INGRESS traffic, it is NOT supported to specify
destinationRanges; For EGRESS traffic, it is NOT supported to specify
sourceRanges OR sourceTags.

* `source_ranges` - (Optional) A list of source CIDR ranges that this
firewall applies to. Can't be used for `EGRESS`.
* `disabled` -
(Optional)
Denotes whether the firewall rule is disabled, i.e not applied to the
network it is associated with. When set to true, the firewall rule is
not enforced and the network behaves as if it did not exist. If this
is unspecified, the firewall rule will be enabled.

* `source_tags` - (Optional) A list of source tags for this firewall. Can't be used for `EGRESS`.
* `priority` -
(Optional)
Priority for this rule. This is an integer between 0 and 65535, both
inclusive. When not specified, the value assumed is 1000. Relative
priorities determine precedence of conflicting rules. Lower value of
priority implies higher precedence (eg, a rule with priority 0 has
higher precedence than a rule with priority 1). DENY rules take
precedence over ALLOW rules having equal priority.

* `target_tags` - (Optional) A list of target tags for this firewall.
* `source_ranges` -
(Optional)
If source ranges are specified, the firewall will apply only to
traffic that has source IP address in these ranges. These ranges must
be expressed in CIDR format. One or both of sourceRanges and
sourceTags may be set. If both properties are set, the firewall will
apply to traffic that has source IP address within sourceRanges OR the
source IP that belongs to a tag listed in the sourceTags property. The
connection does not need to match both properties for the firewall to
apply. Only IPv4 is supported.

* `direction` - (Optional) Direction of traffic to which this firewall applies;
One of `INGRESS` or `EGRESS`. Defaults to `INGRESS`.
* `source_service_accounts` -
(Optional)
If source service accounts are specified, the firewall will apply only
to traffic originating from an instance with a service account in this
list. Source service accounts cannot be used to control traffic to an
instance's external IP address because service accounts are associated
with an instance, not an IP address. sourceRanges can be set at the
same time as sourceServiceAccounts. If both are set, the firewall will
apply to traffic that has source IP address within sourceRanges OR the
source IP belongs to an instance with service account listed in
sourceServiceAccount. The connection does not need to match both
properties for the firewall to apply. sourceServiceAccounts cannot be
used at the same time as sourceTags or targetTags.

* `destination_ranges` - (Optional) A list of destination CIDR ranges that this
firewall applies to. Can't be used for `INGRESS`.
* `source_tags` -
(Optional)
If source tags are specified, the firewall will apply only to traffic
with source IP that belongs to a tag listed in source tags. Source
tags cannot be used to control traffic to an instance's external IP
address. Because tags are associated with an instance, not an IP
address. One or both of sourceRanges and sourceTags may be set. If
both properties are set, the firewall will apply to traffic that has
source IP address within sourceRanges OR the source IP that belongs to
a tag listed in the sourceTags property. The connection does not need
to match both properties for the firewall to apply.

* `source_service_accounts` - (Optional) A list of service accounts such that
the firewall will apply only to traffic originating from an instance with a service account in this list. Note that as of May 2018,
this list can contain only one item, due to a change in the way that these firewall rules are handled. Source service accounts
cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not
an IP address. `source_ranges` can be set at the same time as `source_service_accounts`. If both are set, the firewall will apply to
traffic that has source IP address within `source_ranges` OR the source IP belongs to an instance with service account listed in
`source_service_accounts`. The connection does not need to match both properties for the firewall to apply. `source_service_accounts`
cannot be used at the same time as `source_tags` or `target_tags`.
* `target_service_accounts` -
(Optional)
A list of service accounts indicating sets of instances located in the
network that may make network connections as specified in allowed[].
targetServiceAccounts cannot be used at the same time as targetTags or
sourceTags. If neither targetServiceAccounts nor targetTags are
specified, the firewall rule applies to all instances on the specified
network.

* `target_tags` -
(Optional)
A list of instance tags indicating sets of instances located in the
network that may make network connections as specified in allowed[].
If no targetTags are specified, the firewall rule applies to all
instances on the specified network.
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.

* `target_service_accounts` - (Optional) A list of service accounts indicating
sets of instances located in the network that may make network connections as specified in `allow`. `target_service_accounts` cannot
be used at the same time as `source_tags` or `target_tags`. If neither `target_service_accounts` nor `target_tags` are specified, the
firewall rule applies to all instances on the specified network. Note that as of May 2018, this list can contain only one item, due
to a change in the way that these firewall rules are handled.

The `allow` block supports:

* `protocol` - (Required) The name of the protocol to allow. This value can either be one of the following well
known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number, or `all`.
* `protocol` -
(Required)
The IP protocol to which this rule applies. The protocol type is
required when creating a firewall rule. This value can either be
one of the following well known protocol strings (tcp, udp,
icmp, esp, ah, sctp), or the IP protocol number.

* `ports` - (Optional) List of ports and/or port ranges to allow. This can
only be specified if the protocol is TCP or UDP.
* `ports` -
(Optional)
An optional list of ports to which this rule applies. This field
is only applicable for UDP or TCP protocol. Each entry must be
either an integer or a range. If not specified, this rule
applies to connections through any port.
Example inputs include: ["22"], ["80","443"], and
["12345-12349"].

The `deny` block supports:

* `protocol` - (Required) The name of the protocol to deny. This value can either be one of the following well
known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number, or `all`.
* `protocol` -
(Required)
The IP protocol to which this rule applies. The protocol type is
required when creating a firewall rule. This value can either be
one of the following well known protocol strings (tcp, udp,
icmp, esp, ah, sctp), or the IP protocol number.

* `ports` - (Optional) List of ports and/or port ranges to allow. This can
only be specified if the protocol is TCP or UDP.
* `ports` -
(Optional)
An optional list of ports to which this rule applies. This field
is only applicable for UDP or TCP protocol. Each entry must be
either an integer or a range. If not specified, this rule
applies to connections through any port.
Example inputs include: ["22"], ["80","443"], and
["12345-12349"].

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are
exported:
In addition to the arguments listed above, the following computed attributes are exported:


* `creation_timestamp` -
Creation timestamp in RFC3339 text format.
* `self_link` - The URI of the created resource.


## Timeouts

This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:

- `create` - Default is 4 minutes.
- `update` - Default is 4 minutes.
- `delete` - Default is 4 minutes.

## Import

Firewalls can be imported using the `name`, e.g.
Firewall can be imported using any of these accepted formats:

```
$ terraform import google_compute_firewall.default test-firewall
$ terraform import google_compute_firewall.default projects/{{project}}/global/firewalls/{{name}}
$ terraform import google_compute_firewall.default {{project}}/{{name}}
$ terraform import google_compute_firewall.default {{name}}
```
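Review bot: the regenerated `protocol` text for both the `allow` and the `deny` block drops `all`, which the old text listed as an accepted value next to the named protocols and the IP protocol number; a catch-all deny rule is exactly where `all` is used, so restore the trailing ", or `all`." in both places. Second, `allow` moves from (Required) to (Optional), but nothing now states that at least one of `allow` or `deny` must be set, which the old `deny` text ("Can be specified instead of allow") at least implied; add that sentence to both arguments. Third, the "as of May 2018, this list can contain only one item" caveat on `source_service_accounts` and `target_service_accounts` disappears; if the API still enforces that limit keep the sentence, otherwise say in the commit that it was lifted. Finally, the new `source_ranges` and `source_tags` text explains what is matched when one or both selectors are set but never says what an INGRESS rule matches when none of sourceRanges, sourceTags and sourceServiceAccounts is set; that unrestricted-source case is the one readers most need to be warned about, so state the default explicitly.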