$schema: "http://json-schema.org/draft-06/schema#"

title: compute v1 FirewallPolicyRule export schema
description: A gcloud export/import command YAML validation schema.
type: object
additionalProperties: false
properties:
  COMMENT:
    type: object
    description: User specified info ignored by gcloud import.
    additionalProperties: false
    properties:
      template-id:
        type: string
      region:
        type: string
      description:
        type: string
      date:
        type: string
      version:
        type: string
  UNKNOWN:
    type: array
    description: Unknown API fields that cannot be imported.
    items:
      type: string
  action:
    description: |-
      The Action to perform when the client connection triggers the rule. Valid
      actions for firewall rules are: "allow", "deny",
      "apply_security_profile_group" and "goto_next". Valid actions for packet
      mirroring rules are: "mirror", "do_not_mirror" and "goto_next".
    type: string
  description:
    description: An optional description for this resource.
    type: string
  direction:
    description: The direction in which this rule applies.
    type: string
    enum:
    - EGRESS
    - INGRESS
  disabled:
    description: |-
      Denotes whether the firewall policy rule is disabled. When set to true,
      the firewall policy rule is not enforced and traffic behaves as if it did
      not exist. If this is unspecified, the firewall policy rule will be
      enabled.
    type: boolean
  enableLogging:
    description: |-
      Denotes whether to enable logging for a particular rule. If logging is
      enabled, logs will be exported to the configured export destination in
      Stackdriver. Logs may be exported to BigQuery or Pub/Sub.
    type: boolean
  match:
    description: |-
      A match condition that incoming traffic is evaluated against. If it
      evaluates to true, the corresponding 'action' is enforced.
    $ref: FirewallPolicyRuleMatcher.yaml
  priority:
    description: |-
      An integer indicating the priority of a rule in the list. The priority
      must be a positive value between 0 and 2147483647. Rules are evaluated
      from highest to lowest priority where 0 is the highest priority and
      2147483647 is the lowest priority.
    type: integer
  ruleName:
    description: |-
      An optional name for the rule. This field is not a unique identifier and
      can be updated.
    type: string
  securityProfileGroup:
    description: |-
      A fully-qualified URL of a SecurityProfile resource instance. Example:
      https://networksecurity.googleapis.com/v1/projects/{p
      roject}/locations/{location}/securityProfileGroups/my-security-profile-
      group Must be specified if action is one of 'apply_security_profile_group'
      or 'mirror'. Cannot be specified for other actions.
    type: string
  targetForwardingRules:
    description: |-
      A list of forwarding rules to which this rule applies. This field allows
      you to control which load balancers get this rule. For example, the
      following are valid values:              - https:
      //www.googleapis.com/compute/v1/projects/project/global/forwardingRules/
      forwardingRule      - https://www.googleapis.com/compute/v1/projects/pro
      ject/regions/region/forwardingRules/forwardingRule      -
      projects/project/global/      forwardingRules/forwardingRule      -
      projects/project/regions/region/forwardingRules/      forwardingRule
    type: array
    items:
      type: string
  targetResources:
    description: |-
      A list of network resource URLs to which this rule applies.  This
      field allows you to control which network's VMs get this rule.  If
      this field is left blank, all VMs within the organization will receive
      the rule.
    type: array
    items:
      type: string
  targetSecureTags:
    description: |-
      A list of secure tags that controls which instances the firewall
      rule applies to. If targetSecureTag are specified, then the
      firewall rule applies only to instances in the VPC network that
      have one of those EFFECTIVE secure tags, if all the
      target_secure_tag are in INEFFECTIVE state, then this rule will be
      ignored.targetSecureTag may not be set at the same time
      astargetServiceAccounts. If neither targetServiceAccounts
      nortargetSecureTag are specified, the firewall rule applies to all
      instances on the specified network. Maximum number of target label
      tags allowed is 256.
    type: array
    items:
      $ref: FirewallPolicyRuleSecureTag.yaml
  targetServiceAccounts:
    description: |-
      A list of service accounts indicating the sets of instances
      that are applied with this rule.
    type: array
    items:
      type: string
  targetType:
    description: |-
      Target types of the firewall policy rule. Default value is
      INSTANCES.
    type: string
    enum:
    - INSTANCES
    - INTERNAL_MANAGED_LB
  tlsInspect:
    description: |-
      Boolean flag indicating if the traffic should be TLS
      decrypted. Can be set only if action =
      'apply_security_profile_group' and cannot be set for other
      actions.
    type: boolean