mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-10-14 23:17:15 +00:00
aa0c53245e
<!-- This change is generated by MagicModules. --> /cc @rileykarson
263 lines
9.7 KiB
Markdown
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_compute_firewall"
sidebar_current: "docs-google-compute-firewall"
description: |-
  Each network has its own firewall controlling access to and from the
  instances.
---

# google\_compute\_firewall

Each network has its own firewall controlling access to and from the
instances.

All traffic to instances, even from other instances, is blocked by the
firewall unless firewall rules are created to allow it.

The default network has automatically created firewall rules, which are
described in the default firewall rules documentation. A manually created
network has no automatically created firewall rules except for the implied
default "allow" rule for outgoing traffic and the implied default "deny"
rule for incoming traffic. For all networks except the default network,
you must create any firewall rules you need.

To get more information about Firewall, see:

* [API documentation](https://cloud.google.com/compute/docs/reference/latest/firewalls)
* How-to Guides
    * [Official Documentation](https://cloud.google.com/vpc/docs/firewalls)

<div class = "oics-button" style="float: right; margin: 0 0 -15px">
  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=firewall_basic&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
  </a>
</div>
## Example Usage - Firewall Basic


```hcl
resource "google_compute_firewall" "default" {
  name    = "test-firewall"
  network = "${google_compute_network.default.name}"

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  source_tags = ["web"]
}

resource "google_compute_network" "default" {
  name = "test-network"
}
```
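The basic rule above sets `source_tags` but no `target_tags`, so it admits ICMP and the listed TCP ports from any instance tagged `web` to every instance in the network. The following is an added example, not part of the provider documentation or the docs-examples repository, that shows the common over-broad SSH rule next to a scoped version and then constrains the target side of a tag-to-tag rule. The CIDR `203.0.113.0/24`, the tags `bastion` and `app`, and the network name are placeholders.

```hcl
resource "google_compute_network" "example" {
  name = "example-network"
}

# Weak ("before"): SSH from the whole Internet to every instance in the
# network, because source_ranges is 0.0.0.0/0 and no target_tags are set.
# Kept here disabled so it is not enforced; delete it once the scoped
# rule below is in place.
resource "google_compute_firewall" "ssh_open_everywhere" {
  name     = "ssh-open-everywhere"
  network  = "${google_compute_network.example.name}"
  disabled = true

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
}

# Scoped: SSH only from the admin range (placeholder CIDR) and only to
# instances carrying the bastion tag. Everything else stays at the
# network's implied deny for incoming traffic.
resource "google_compute_firewall" "ssh_from_admin_to_bastion" {
  name        = "ssh-from-admin-to-bastion"
  network     = "${google_compute_network.example.name}"
  description = "SSH from the admin CIDR to bastion hosts only"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["203.0.113.0/24"]
  target_tags   = ["bastion"]
}

# Tag-to-tag: instances tagged web may reach instances tagged app on
# 8080, and nothing else in the network receives this allow.
resource "google_compute_firewall" "web_to_app" {
  name    = "web-to-app"
  network = "${google_compute_network.example.name}"

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }

  source_tags = ["web"]
  target_tags = ["app"]
}
```

Both `source_ranges` and `target_tags` narrow the rule independently: the source side decides which packets the rule considers, the target side decides which instances the rule is installed on. Leaving either unset means "any".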

## Argument Reference

The following arguments are supported:


* `name` -
  (Required)
  Name of the resource. Provided by the client when the resource is
  created. The name must be 1-63 characters long, and comply with
  RFC1035. Specifically, the name must be 1-63 characters long and match
  the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the
  first character must be a lowercase letter, and all following
  characters must be a dash, lowercase letter, or digit, except the last
  character, which cannot be a dash.

* `network` -
  (Required)
  The name or self_link of the network to attach this firewall to.


- - -


* `allow` -
  (Optional)
  The list of ALLOW rules specified by this firewall. Each rule
  specifies a protocol and port-range tuple that describes a permitted
  connection. Structure is documented below.

* `deny` -
  (Optional)
  The list of DENY rules specified by this firewall. Each rule specifies
  a protocol and port-range tuple that describes a denied connection. Structure is documented below.

* `description` -
  (Optional)
  An optional description of this resource. Provide this property when
  you create the resource.

* `destination_ranges` -
  (Optional)
  If destination ranges are specified, the firewall will apply only to
  traffic that has destination IP address in these ranges. These ranges
  must be expressed in CIDR format. Only IPv4 is supported.

* `direction` -
  (Optional)
  Direction of traffic to which this firewall applies; default is
  INGRESS. Note: For INGRESS traffic, it is NOT supported to specify
  destinationRanges; For EGRESS traffic, it is NOT supported to specify
  sourceRanges OR sourceTags.

* `disabled` -
  (Optional)
  Denotes whether the firewall rule is disabled, i.e. not applied to the
  network it is associated with. When set to true, the firewall rule is
  not enforced and the network behaves as if it did not exist. If this
  is unspecified, the firewall rule will be enabled.

* `priority` -
  (Optional)
  Priority for this rule. This is an integer between 0 and 65535, both
  inclusive. When not specified, the value assumed is 1000. Relative
  priorities determine precedence of conflicting rules. Lower value of
  priority implies higher precedence (eg, a rule with priority 0 has
  higher precedence than a rule with priority 1). DENY rules take
  precedence over ALLOW rules having equal priority.

* `source_ranges` -
  (Optional)
  If source ranges are specified, the firewall will apply only to
  traffic that has source IP address in these ranges. These ranges must
  be expressed in CIDR format. One or both of sourceRanges and
  sourceTags may be set. If both properties are set, the firewall will
  apply to traffic that has source IP address within sourceRanges OR the
  source IP that belongs to a tag listed in the sourceTags property. The
  connection does not need to match both properties for the firewall to
  apply. Only IPv4 is supported.

* `source_service_accounts` -
  (Optional)
  If source service accounts are specified, the firewall will apply only
  to traffic originating from an instance with a service account in this
  list. Source service accounts cannot be used to control traffic to an
  instance's external IP address because service accounts are associated
  with an instance, not an IP address. sourceRanges can be set at the
  same time as sourceServiceAccounts. If both are set, the firewall will
  apply to traffic that has source IP address within sourceRanges OR the
  source IP belongs to an instance with a service account listed in
  sourceServiceAccounts. The connection does not need to match both
  properties for the firewall to apply. sourceServiceAccounts cannot be
  used at the same time as sourceTags or targetTags.

* `source_tags` -
  (Optional)
  If source tags are specified, the firewall will apply only to traffic
  with source IP that belongs to a tag listed in source tags. Source
  tags cannot be used to control traffic to an instance's external IP
  address, because tags are associated with an instance, not an IP
  address. One or both of sourceRanges and sourceTags may be set. If
  both properties are set, the firewall will apply to traffic that has
  source IP address within sourceRanges OR the source IP that belongs to
  a tag listed in the sourceTags property. The connection does not need
  to match both properties for the firewall to apply.

* `target_service_accounts` -
  (Optional)
  A list of service accounts indicating sets of instances located in the
  network that may make network connections as specified in allowed[].
  targetServiceAccounts cannot be used at the same time as targetTags or
  sourceTags. If neither targetServiceAccounts nor targetTags are
  specified, the firewall rule applies to all instances on the specified
  network.

* `target_tags` -
  (Optional)
  A list of instance tags indicating sets of instances located in the
  network that may make network connections as specified in allowed[].
  If no targetTags are specified, the firewall rule applies to all
  instances on the specified network.
* `project` - (Optional) The ID of the project in which the resource belongs.
  If it is not provided, the provider project is used.
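`direction`, `priority` and the service-account selectors interact in ways the individual entries above only state in prose. The following is an added example, not from the provider documentation: an EGRESS deny-all at the lowest precedence, an EGRESS allow to a placeholder update-mirror range at a higher precedence, and an INGRESS rule that identifies callers by service account rather than by tag. The network name, the CIDRs and the service-account e-mails are assumptions. Note the constraints from the reference: egress rules carry `destination_ranges` but never `source_ranges` or `source_tags`, and `source_service_accounts`/`target_service_accounts` cannot be mixed with `source_tags`/`target_tags`.

```hcl
resource "google_compute_network" "restricted" {
  name = "restricted-network"
}

# Lowest-precedence catch-all: block every outbound connection from
# instances running as the app service account. 65535 is the largest
# priority value, so any ALLOW with a smaller number wins over it.
# "all" is accepted by the Compute API as the IP protocol in addition
# to the named protocols and protocol numbers listed below.
resource "google_compute_firewall" "egress_deny_all" {
  name      = "egress-deny-all"
  network   = "${google_compute_network.restricted.name}"
  direction = "EGRESS"
  priority  = 65535

  deny {
    protocol = "all"
  }

  destination_ranges      = ["0.0.0.0/0"]
  target_service_accounts = ["app@my-project.iam.gserviceaccount.com"]
}

# Higher precedence (lower number): HTTPS only to the update mirror
# range (placeholder CIDR). DENY beats ALLOW only at equal priority, so
# 1000 < 65535 makes this allow take effect before the deny above.
resource "google_compute_firewall" "egress_allow_updates" {
  name      = "egress-allow-updates"
  network   = "${google_compute_network.restricted.name}"
  direction = "EGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  destination_ranges      = ["198.51.100.0/24"]
  target_service_accounts = ["app@my-project.iam.gserviceaccount.com"]
}

# Ingress keyed on identity: only instances running as the frontend
# service account may reach app-tier instances on 8080. Both selectors
# are service accounts, which the reference allows; mixing either with
# a tag selector is rejected.
resource "google_compute_firewall" "frontend_to_app" {
  name      = "frontend-to-app"
  network   = "${google_compute_network.restricted.name}"
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }

  source_service_accounts = ["frontend@my-project.iam.gserviceaccount.com"]
  target_service_accounts = ["app@my-project.iam.gserviceaccount.com"]
}
```

Preferring service accounts over tags for the source and target selectors is a deliberate hardening choice: attaching a service account to an instance requires permission to act as that account, whereas a network tag is plain instance metadata that anyone who can edit the instance can add. A tag-keyed allow can therefore be widened by an attacker with instance-edit rights alone.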


The `allow` block supports:

* `protocol` -
  (Required)
  The IP protocol to which this rule applies. The protocol type is
  required when creating a firewall rule. This value can either be
  one of the following well known protocol strings (tcp, udp,
  icmp, esp, ah, sctp), or the IP protocol number.

* `ports` -
  (Optional)
  An optional list of ports to which this rule applies. This field
  is only applicable for UDP or TCP protocol. Each entry must be
  either an integer or a range. If not specified, this rule
  applies to connections through any port.
  Example inputs include: ["22"], ["80","443"], and
  ["12345-12349"].

The `deny` block supports:

* `protocol` -
  (Required)
  The IP protocol to which this rule applies. The protocol type is
  required when creating a firewall rule. This value can either be
  one of the following well known protocol strings (tcp, udp,
  icmp, esp, ah, sctp), or the IP protocol number.

* `ports` -
  (Optional)
  An optional list of ports to which this rule applies. This field
  is only applicable for UDP or TCP protocol. Each entry must be
  either an integer or a range. If not specified, this rule
  applies to connections through any port.
  Example inputs include: ["22"], ["80","443"], and
  ["12345-12349"].

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:


* `creation_timestamp` -
  Creation timestamp in RFC3339 text format.
* `self_link` - The URI of the created resource.


## Timeouts

This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:

- `create` - Default is 4 minutes.
- `update` - Default is 4 minutes.
- `delete` - Default is 4 minutes.

## Import

Firewall can be imported using any of these accepted formats:

```
$ terraform import google_compute_firewall.default projects/{{project}}/global/firewalls/{{name}}
$ terraform import google_compute_firewall.default {{project}}/{{name}}
$ terraform import google_compute_firewall.default {{name}}
```