Skip to content

Commit

Permalink
Add Network Firewall Policy Policy Packet Mirroring Rule resource (#1…
Browse files Browse the repository at this point in the history 
…2855) (#21196)

[upstream:bc0b2a950500c7b7ac185e34a3706e6c9f393ce9]

Signed-off-by: Modular Magician <[email protected]>
  • Loading branch information
@modular-magician
modular-magician authored Jan 31, 2025
1 parent 6d3489f commit 267eb08
Show file tree
Hide file tree
Showing 3 changed files with 296 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .changelog/12855.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:new-resource
`google_compute_network_firewall_policy_packet_mirroring_rule` (beta)
```
3 changes: 3 additions & 0 deletions ...e/services/compute/resource_compute_network_firewall_policy_packet_mirroring_rule_test.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package compute_test
290 changes: 290 additions & 0 deletions website/docs/r/compute_network_firewall_policy_packet_mirroring_rule.html.markdown
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,290 @@
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Compute Engine"
description: |-
Represents a packet mirroring rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (mirror or do_not_mirror).
---

# google_compute_network_firewall_policy_packet_mirroring_rule

Represents a packet mirroring rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (mirror or do_not_mirror).

~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.

To get more information about NetworkFirewallPolicyPacketMirroringRule, see:

* [API documentation](https://cloud.google.com/compute/docs/reference/rest/beta/networkFirewallPolicies/addPacketMirroringRule)

## Example Usage - Compute Network Firewall Policy Packet Mirroring Rule


```hcl
data "google_project" "project" {
provider = google-beta
}
resource "google_compute_network" "default" {
provider = google-beta
name = "fw-network"
auto_create_subnetworks = false
}
resource "google_compute_network_firewall_policy" "basic_network_firewall_policy" {
provider = google-beta
name = "fw-policy"
description = "Sample global network firewall policy"
project = "my-project-name"
}
resource "google_compute_network_firewall_policy_packet_mirroring_rule" "primary" {
provider = google-beta
action = "mirror"
description = "This is a simple packet mirroring rule description"
direction = "INGRESS"
disabled = false
firewall_policy = google_compute_network_firewall_policy.basic_network_firewall_policy.name
priority = 1000
rule_name = "test-rule"
match {
src_ip_ranges = ["10.100.0.1/32"]
layer4_configs {
ip_protocol = "all"
}
}
security_profile_group = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.security_profile_group_1.id}"
target_secure_tags {
name = "tagValues/${google_tags_tag_value.secure_tag_value_1.name}"
}
}
resource "google_network_security_mirroring_deployment_group" "default" {
provider = google-beta
mirroring_deployment_group_id = "deployment-group"
location = "global"
network = google_compute_network.default.id
}
resource "google_network_security_mirroring_endpoint_group" "default" {
provider = google-beta
mirroring_endpoint_group_id = "endpoint-group"
location = "global"
mirroring_deployment_group = google_network_security_mirroring_deployment_group.default.id
}
resource "google_network_security_security_profile" "default" {
provider = google-beta
name = "sec-profile"
parent = "organizations/123456789"
description = "my description"
type = "CUSTOM_MIRRORING"
custom_mirroring_profile {
mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.default.id
}
}
resource "google_network_security_security_profile_group" "security_profile_group_1" {
provider = google-beta
name = "sec-profile-group"
parent = "organizations/123456789"
description = "my description"
custom_mirroring_profile = google_network_security_security_profile.default.id
}
resource "google_tags_tag_key" "secure_tag_key_1" {
provider = google-beta
description = "Test tag key description"
parent = "organizations/123456789"
purpose = "GCE_FIREWALL"
short_name = "tag-key"
purpose_data = {
network = "my-project-name/${google_compute_network.default.name}"
}
}
resource "google_tags_tag_value" "secure_tag_value_1" {
provider = google-beta
description = "Test tag value description."
parent = google_tags_tag_key.secure_tag_key_1.id
short_name = "tag-value"
}
```

## Argument Reference

The following arguments are supported:


* `priority` -
(Required)
An integer indicating the priority of a rule in the list.
The priority must be a positive value between 0 and 2147483647.
Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.

* `match` -
(Required)
A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
Structure is [documented below](#nested_match).

* `action` -
(Required)
The Action to perform when the client connection triggers the rule. Valid actions are "mirror", "do_not_mirror", "goto_next".

* `direction` -
(Required)
The direction in which this rule applies.
Possible values are: `INGRESS`, `EGRESS`.

* `firewall_policy` -
(Required)
The firewall policy of the resource.


<a name="nested_match"></a>The `match` block supports:

* `src_ip_ranges` -
(Optional)
CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.

* `dest_ip_ranges` -
(Optional)
CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.

* `layer4_configs` -
(Required)
Pairs of IP protocols and ports that the rule should match.
Structure is [documented below](#nested_match_layer4_configs).


<a name="nested_match_layer4_configs"></a>The `layer4_configs` block supports:

* `ip_protocol` -
(Required)
The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule.
This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number.

* `ports` -
(Optional)
An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port.
Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

- - -


* `rule_name` -
(Optional)
An optional name for the rule. This field is not a unique identifier and can be updated.

* `description` -
(Optional)
An optional description for this resource.

* `security_profile_group` -
(Optional)
A fully-qualified URL of a SecurityProfile resource instance.
Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group
Must be specified if action = 'mirror' and cannot be specified for other actions.

* `target_secure_tags` -
(Optional)
A list of secure tags that controls which instances the firewall rule applies to.
If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the targetSecureTag are in INEFFECTIVE state, then this rule will be ignored.
targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256.
Structure is [documented below](#nested_target_secure_tags).

* `tls_inspect` -
(Optional)
Boolean flag indicating if the traffic should be TLS decrypted.
Can be set only if action = 'mirror' and cannot be set for other actions.

* `disabled` -
(Optional)
Denotes whether the firewall policy rule is disabled.
When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist.
If this is unspecified, the firewall policy rule will be enabled.

* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.


<a name="nested_target_secure_tags"></a>The `target_secure_tags` block supports:

* `name` -
(Optional)
Name of the secure tag, created with TagManager's TagValue API.
diff_suppress_func: 'tpgresource.CompareSelfLinkOrResourceName'

* `state` -
(Output)
State of the secure tag, either EFFECTIVE or INEFFECTIVE. A secure tag is INEFFECTIVE when it is deleted or its network is deleted.

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}`

* `creation_timestamp` -
Creation timestamp in RFC3339 text format.

* `kind` -
Type of the resource. Always `compute#packetMirroringRule` for firewall policy packet mirroring rules

* `rule_tuple_count` -
Calculation of the complexity of a single firewall policy rule.


## Timeouts

This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.

## Import


NetworkFirewallPolicyPacketMirroringRule can be imported using any of these accepted formats:

* `projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}`
* `{{project}}/{{firewall_policy}}/{{priority}}`
* `{{firewall_policy}}/{{priority}}`


In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import NetworkFirewallPolicyPacketMirroringRule using one of the formats above. For example:

```tf
import {
id = "projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}"
to = google_compute_network_firewall_policy_packet_mirroring_rule.default
}
```

When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), NetworkFirewallPolicyPacketMirroringRule can be imported using one of the formats above. For example:

```
$ terraform import google_compute_network_firewall_policy_packet_mirroring_rule.default projects/{{project}}/global/firewallPolicies/{{firewall_policy}}/packetMirroringRules/{{priority}}
$ terraform import google_compute_network_firewall_policy_packet_mirroring_rule.default {{project}}/{{firewall_policy}}/{{priority}}
$ terraform import google_compute_network_firewall_policy_packet_mirroring_rule.default {{firewall_policy}}/{{priority}}
```

## User Project Overrides

This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).

0 comments on commit 267eb08

Please sign in to comment.