pulumi-gcp 8.17.0a1738274430__py3-none-any.whl → 8.18.0__py3-none-any.whl

pulumi_gcp/compute/network_firewall_policy_rule.py

@@ -609,7 +609,7 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
         import pulumi_gcp as gcp
 
         basic_global_networksecurity_address_group = gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group",
-            name="address",
+            name="address-group",
             parent="projects/my-project-name",
             description="Sample global networksecurity_address_group",
             location="global",
@@ -617,7 +617,7 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
             type="IPV4",
             capacity=100)
         basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
-            name="policy",
+            name="fw-policy",
             description="Sample global network firewall policy",
             project="my-project-name")
         basic_network = gcp.compute.Network("basic_network", name="network")
@@ -625,14 +625,14 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
             description="For keyname resources.",
             parent="organizations/123456789",
             purpose="GCE_FIREWALL",
-            short_name="tagkey",
+            short_name="tag-key",
             purpose_data={
                 "network": basic_network.name.apply(lambda name: f"my-project-name/{name}"),
             })
         basic_value = gcp.tags.TagValue("basic_value",
             description="For valuename resources.",
             parent=basic_key.id,
-            short_name="tagvalue")
+            short_name="tag-value")
         primary = gcp.compute.NetworkFirewallPolicyRule("primary",
             action="allow",
             description="This is a simple rule description",
@@ -644,6 +644,7 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
             rule_name="test-rule",
             target_service_accounts=["my@service-account.com"],
             match={
+                "src_address_groups": [basic_global_networksecurity_address_group.id],
                 "src_ip_ranges": ["10.100.0.1/32"],
                 "src_fqdns": ["google.com"],
                 "src_region_codes": ["US"],
@@ -654,7 +655,62 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
                 "layer4_configs": [{
                     "ip_protocol": "all",
                 }],
-                "src_address_groups": [basic_global_networksecurity_address_group.id],
+            })
+        ```
+        ### Network Firewall Policy Rule Network Scope Egress
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+
+        basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
+            name="fw-policy",
+            description="Sample global network firewall policy",
+            project="my-project-name")
+        primary = gcp.compute.NetworkFirewallPolicyRule("primary",
+            action="allow",
+            description="This is a simple rule description",
+            direction="EGRESS",
+            disabled=False,
+            enable_logging=True,
+            firewall_policy=basic_network_firewall_policy.name,
+            priority=1000,
+            rule_name="test-rule",
+            match={
+                "dest_ip_ranges": ["10.100.0.1/32"],
+                "dest_network_scope": "INTERNET",
+                "layer4_configs": [{
+                    "ip_protocol": "all",
+                }],
+            })
+        ```
+        ### Network Firewall Policy Rule Network Scope Ingress
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+
+        basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
+            name="fw-policy",
+            description="Sample global network firewall policy",
+            project="my-project-name")
+        network = gcp.compute.Network("network", name="network")
+        primary = gcp.compute.NetworkFirewallPolicyRule("primary",
+            action="allow",
+            description="This is a simple rule description",
+            direction="INGRESS",
+            disabled=False,
+            enable_logging=True,
+            firewall_policy=basic_network_firewall_policy.name,
+            priority=1000,
+            rule_name="test-rule",
+            match={
+                "src_ip_ranges": ["11.100.0.1/32"],
+                "src_network_scope": "VPC_NETWORKS",
+                "src_networks": [network.id],
+                "layer4_configs": [{
+                    "ip_protocol": "all",
+                }],
             })
         ```
 
@@ -734,7 +790,7 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
         import pulumi_gcp as gcp
 
         basic_global_networksecurity_address_group = gcp.networksecurity.AddressGroup("basic_global_networksecurity_address_group",
-            name="address",
+            name="address-group",
             parent="projects/my-project-name",
             description="Sample global networksecurity_address_group",
             location="global",
@@ -742,7 +798,7 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
             type="IPV4",
             capacity=100)
         basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
-            name="policy",
+            name="fw-policy",
             description="Sample global network firewall policy",
             project="my-project-name")
         basic_network = gcp.compute.Network("basic_network", name="network")
@@ -750,14 +806,14 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
             description="For keyname resources.",
             parent="organizations/123456789",
             purpose="GCE_FIREWALL",
-            short_name="tagkey",
+            short_name="tag-key",
             purpose_data={
                 "network": basic_network.name.apply(lambda name: f"my-project-name/{name}"),
             })
         basic_value = gcp.tags.TagValue("basic_value",
             description="For valuename resources.",
             parent=basic_key.id,
-            short_name="tagvalue")
+            short_name="tag-value")
         primary = gcp.compute.NetworkFirewallPolicyRule("primary",
             action="allow",
             description="This is a simple rule description",
@@ -769,6 +825,7 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
             rule_name="test-rule",
             target_service_accounts=["my@service-account.com"],
             match={
+                "src_address_groups": [basic_global_networksecurity_address_group.id],
                 "src_ip_ranges": ["10.100.0.1/32"],
                 "src_fqdns": ["google.com"],
                 "src_region_codes": ["US"],
@@ -779,7 +836,62 @@ class NetworkFirewallPolicyRule(pulumi.CustomResource):
                 "layer4_configs": [{
                     "ip_protocol": "all",
                 }],
-                "src_address_groups": [basic_global_networksecurity_address_group.id],
+            })
+        ```
+        ### Network Firewall Policy Rule Network Scope Egress
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+
+        basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
+            name="fw-policy",
+            description="Sample global network firewall policy",
+            project="my-project-name")
+        primary = gcp.compute.NetworkFirewallPolicyRule("primary",
+            action="allow",
+            description="This is a simple rule description",
+            direction="EGRESS",
+            disabled=False,
+            enable_logging=True,
+            firewall_policy=basic_network_firewall_policy.name,
+            priority=1000,
+            rule_name="test-rule",
+            match={
+                "dest_ip_ranges": ["10.100.0.1/32"],
+                "dest_network_scope": "INTERNET",
+                "layer4_configs": [{
+                    "ip_protocol": "all",
+                }],
+            })
+        ```
+        ### Network Firewall Policy Rule Network Scope Ingress
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+
+        basic_network_firewall_policy = gcp.compute.NetworkFirewallPolicy("basic_network_firewall_policy",
+            name="fw-policy",
+            description="Sample global network firewall policy",
+            project="my-project-name")
+        network = gcp.compute.Network("network", name="network")
+        primary = gcp.compute.NetworkFirewallPolicyRule("primary",
+            action="allow",
+            description="This is a simple rule description",
+            direction="INGRESS",
+            disabled=False,
+            enable_logging=True,
+            firewall_policy=basic_network_firewall_policy.name,
+            priority=1000,
+            rule_name="test-rule",
+            match={
+                "src_ip_ranges": ["11.100.0.1/32"],
+                "src_network_scope": "VPC_NETWORKS",
+                "src_networks": [network.id],
+                "layer4_configs": [{
+                    "ip_protocol": "all",
+                }],
             })
         ```
 

pulumi_gcp/compute/network_firewall_policy_with_rules.py

@@ -316,7 +316,7 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
 
         project = gcp.organizations.get_project()
         address_group1 = gcp.networksecurity.AddressGroup("address_group_1",
-            name="tf-address-group",
+            name="address-group",
             parent=project.id,
             description="Global address group",
             location="global",
@@ -327,26 +327,29 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
             description="Tag key",
             parent=project.id,
             purpose="GCE_FIREWALL",
-            short_name="tf-tag-key",
+            short_name="tag-key",
             purpose_data={
                 "network": f"{project.name}/default",
             })
         secure_tag_value1 = gcp.tags.TagValue("secure_tag_value_1",
             description="Tag value",
             parent=secure_tag_key1.id,
-            short_name="tf-tag-value")
+            short_name="tag-value")
         security_profile1 = gcp.networksecurity.SecurityProfile("security_profile_1",
-            name="tf-security-profile",
+            name="sp",
             type="THREAT_PREVENTION",
             parent="organizations/123456789",
             location="global")
         security_profile_group1 = gcp.networksecurity.SecurityProfileGroup("security_profile_group_1",
-            name="tf-security-profile-group",
+            name="spg",
             parent="organizations/123456789",
             description="my description",
             threat_prevention_profile=security_profile1.id)
-        network_firewall_policy_with_rules = gcp.compute.NetworkFirewallPolicyWithRules("network-firewall-policy-with-rules",
-            name="tf-fw-policy-with-rules",
+        network = gcp.compute.Network("network",
+            name="network",
+            auto_create_subnetworks=False)
+        primary = gcp.compute.NetworkFirewallPolicyWithRules("primary",
+            name="fw-policy",
             description="Terraform test",
             rules=[
                 {
@@ -356,13 +359,6 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                     "action": "allow",
                     "direction": "EGRESS",
                     "match": {
-                        "layer4_configs": [{
-                            "ip_protocol": "tcp",
-                            "ports": [
-                                "8080",
-                                "7070",
-                            ],
-                        }],
                         "dest_ip_ranges": ["11.100.0.1/32"],
                         "dest_fqdns": [
                             "www.yyy.com",
@@ -377,6 +373,13 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                             "iplist-tor-exit-nodes",
                         ],
                         "dest_address_groups": [address_group1.id],
+                        "layer4_configs": [{
+                            "ip_protocol": "tcp",
+                            "ports": [
+                                "8080",
+                                "7070",
+                            ],
+                        }],
                     },
                     "target_secure_tags": [{
                         "name": secure_tag_value1.id,
@@ -388,10 +391,8 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                     "enable_logging": False,
                     "action": "deny",
                     "direction": "INGRESS",
+                    "disabled": True,
                     "match": {
-                        "layer4_configs": [{
-                            "ip_protocol": "udp",
-                        }],
                         "src_ip_ranges": ["0.0.0.0/0"],
                         "src_fqdns": [
                             "www.abc.com",
@@ -409,8 +410,10 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                         "src_secure_tags": [{
                             "name": secure_tag_value1.id,
                         }],
+                        "layer4_configs": [{
+                            "ip_protocol": "udp",
+                        }],
                     },
-                    "disabled": True,
                 },
                 {
                     "description": "security profile group rule",
@@ -419,15 +422,48 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                     "enable_logging": False,
                     "action": "apply_security_profile_group",
                     "direction": "INGRESS",
+                    "target_service_accounts": ["test@google.com"],
+                    "security_profile_group": security_profile_group1.id.apply(lambda id: f"//networksecurity.googleapis.com/{id}"),
+                    "tls_inspect": True,
+                    "match": {
+                        "src_ip_ranges": ["0.0.0.0/0"],
+                        "layer4_configs": [{
+                            "ip_protocol": "tcp",
+                        }],
+                    },
+                },
+                {
+                    "description": "network scope rule 1",
+                    "rule_name": "network scope 1",
+                    "priority": 4000,
+                    "enable_logging": False,
+                    "action": "allow",
+                    "direction": "INGRESS",
                     "match": {
+                        "src_ip_ranges": ["11.100.0.1/32"],
+                        "src_network_scope": "VPC_NETWORKS",
+                        "src_networks": [network.id],
                         "layer4_configs": [{
                             "ip_protocol": "tcp",
+                            "ports": ["8080"],
+                        }],
+                    },
+                },
+                {
+                    "description": "network scope rule 2",
+                    "rule_name": "network scope 2",
+                    "priority": 5000,
+                    "enable_logging": False,
+                    "action": "allow",
+                    "direction": "EGRESS",
+                    "match": {
+                        "dest_ip_ranges": ["0.0.0.0/0"],
+                        "dest_network_scope": "INTERNET",
+                        "layer4_configs": [{
+                            "ip_protocol": "tcp",
+                            "ports": ["8080"],
                         }],
-                        "src_ip_ranges": ["0.0.0.0/0"],
                     },
-                    "target_service_accounts": ["test@google.com"],
-                    "security_profile_group": security_profile_group1.id.apply(lambda id: f"//networksecurity.googleapis.com/{id}"),
-                    "tls_inspect": True,
                 },
             ])
         ```
@@ -486,7 +522,7 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
 
         project = gcp.organizations.get_project()
         address_group1 = gcp.networksecurity.AddressGroup("address_group_1",
-            name="tf-address-group",
+            name="address-group",
             parent=project.id,
             description="Global address group",
             location="global",
@@ -497,26 +533,29 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
             description="Tag key",
             parent=project.id,
             purpose="GCE_FIREWALL",
-            short_name="tf-tag-key",
+            short_name="tag-key",
             purpose_data={
                 "network": f"{project.name}/default",
             })
         secure_tag_value1 = gcp.tags.TagValue("secure_tag_value_1",
             description="Tag value",
             parent=secure_tag_key1.id,
-            short_name="tf-tag-value")
+            short_name="tag-value")
         security_profile1 = gcp.networksecurity.SecurityProfile("security_profile_1",
-            name="tf-security-profile",
+            name="sp",
             type="THREAT_PREVENTION",
             parent="organizations/123456789",
             location="global")
         security_profile_group1 = gcp.networksecurity.SecurityProfileGroup("security_profile_group_1",
-            name="tf-security-profile-group",
+            name="spg",
             parent="organizations/123456789",
             description="my description",
             threat_prevention_profile=security_profile1.id)
-        network_firewall_policy_with_rules = gcp.compute.NetworkFirewallPolicyWithRules("network-firewall-policy-with-rules",
-            name="tf-fw-policy-with-rules",
+        network = gcp.compute.Network("network",
+            name="network",
+            auto_create_subnetworks=False)
+        primary = gcp.compute.NetworkFirewallPolicyWithRules("primary",
+            name="fw-policy",
             description="Terraform test",
             rules=[
                 {
@@ -526,13 +565,6 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                     "action": "allow",
                     "direction": "EGRESS",
                     "match": {
-                        "layer4_configs": [{
-                            "ip_protocol": "tcp",
-                            "ports": [
-                                "8080",
-                                "7070",
-                            ],
-                        }],
                         "dest_ip_ranges": ["11.100.0.1/32"],
                         "dest_fqdns": [
                             "www.yyy.com",
@@ -547,6 +579,13 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                             "iplist-tor-exit-nodes",
                         ],
                         "dest_address_groups": [address_group1.id],
+                        "layer4_configs": [{
+                            "ip_protocol": "tcp",
+                            "ports": [
+                                "8080",
+                                "7070",
+                            ],
+                        }],
                     },
                     "target_secure_tags": [{
                         "name": secure_tag_value1.id,
@@ -558,10 +597,8 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                     "enable_logging": False,
                     "action": "deny",
                     "direction": "INGRESS",
+                    "disabled": True,
                     "match": {
-                        "layer4_configs": [{
-                            "ip_protocol": "udp",
-                        }],
                         "src_ip_ranges": ["0.0.0.0/0"],
                         "src_fqdns": [
                             "www.abc.com",
@@ -579,8 +616,10 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                         "src_secure_tags": [{
                             "name": secure_tag_value1.id,
                         }],
+                        "layer4_configs": [{
+                            "ip_protocol": "udp",
+                        }],
                     },
-                    "disabled": True,
                 },
                 {
                     "description": "security profile group rule",
@@ -589,15 +628,48 @@ class NetworkFirewallPolicyWithRules(pulumi.CustomResource):
                     "enable_logging": False,
                     "action": "apply_security_profile_group",
                     "direction": "INGRESS",
+                    "target_service_accounts": ["test@google.com"],
+                    "security_profile_group": security_profile_group1.id.apply(lambda id: f"//networksecurity.googleapis.com/{id}"),
+                    "tls_inspect": True,
+                    "match": {
+                        "src_ip_ranges": ["0.0.0.0/0"],
+                        "layer4_configs": [{
+                            "ip_protocol": "tcp",
+                        }],
+                    },
+                },
+                {
+                    "description": "network scope rule 1",
+                    "rule_name": "network scope 1",
+                    "priority": 4000,
+                    "enable_logging": False,
+                    "action": "allow",
+                    "direction": "INGRESS",
                     "match": {
+                        "src_ip_ranges": ["11.100.0.1/32"],
+                        "src_network_scope": "VPC_NETWORKS",
+                        "src_networks": [network.id],
                         "layer4_configs": [{
                             "ip_protocol": "tcp",
+                            "ports": ["8080"],
+                        }],
+                    },
+                },
+                {
+                    "description": "network scope rule 2",
+                    "rule_name": "network scope 2",
+                    "priority": 5000,
+                    "enable_logging": False,
+                    "action": "allow",
+                    "direction": "EGRESS",
+                    "match": {
+                        "dest_ip_ranges": ["0.0.0.0/0"],
+                        "dest_network_scope": "INTERNET",
+                        "layer4_configs": [{
+                            "ip_protocol": "tcp",
+                            "ports": ["8080"],
                         }],
-                        "src_ip_ranges": ["0.0.0.0/0"],
                     },
-                    "target_service_accounts": ["test@google.com"],
-                    "security_profile_group": security_profile_group1.id.apply(lambda id: f"//networksecurity.googleapis.com/{id}"),
-                    "tls_inspect": True,
                 },
             ])
         ```