terraform-provider-unifi/docs/resources/firewall_zone_policy.md
Mateusz Filipowicz b9284f7758 docs: improve documentation for 1.0.0 release (#75)
* docs: add examples and recreate TF documentation

* update readme

* add information about experimental support of firewall zones
2025-03-22 19:13:16 +01:00



unifi_firewall_zone_policy (Resource)

The unifi_firewall_zone_policy resource manages firewall policies between zones in the UniFi controller. This resource allows you to create, update, and delete policies that define allowed or blocked traffic between zones.

!> This is an experimental feature that requires UniFi OS 9.0.0 or later and the Zone Based Firewall feature enabled. See the official documentation (https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi) on how to migrate to Zone-Based firewalls.

Example Usage

resource "unifi_network" "network" {
    name    = "my-network"
    purpose = "corporate"
    subnet  = "10.0.10.0/24"
    vlan_id = "400"
}

resource "unifi_firewall_zone" "src" {
    name = "my-source-zone"
    networks = [unifi_network.network.id]
}

resource "unifi_firewall_zone" "dst" {
    name = "my-destination-zone"
}

# Allow TCP/UDP traffic from any IP and port other than 192.168.1.1 and 443 in the `src` zone to the `dst` zone
resource "unifi_firewall_zone_policy" "policy" {
    name     = "my-zone-policy"
    action   = "ALLOW"
    protocol = "tcp_udp"

    source = {
        zone_id              = unifi_firewall_zone.src.id
        ips                  = ["192.168.1.1"]
        port                 = 443
        match_opposite_ips   = true
        match_opposite_ports = true
    }

    destination = {
        zone_id = unifi_firewall_zone.dst.id
    }

    schedule = {
        mode         = "EVERY_DAY"
        time_all_day = false
        time_from    = "08:00"
        time_to      = "17:00"
    }
}

resource "unifi_firewall_group" "web-ports" {
    name = "web-apps"
    type = "port-group"
    members = ["80", "443"]
}

# Block TCP/UDP traffic from any IP and port in the `src` zone to ports 80 and 443 in the `dst` zone, as defined in the port group
resource "unifi_firewall_zone_policy" "policy2" {
    name     = "my-policy-2"
    action   = "BLOCK"
    protocol = "tcp_udp"

    source = {
        zone_id = unifi_firewall_zone.src.id
    }

    destination = {
        zone_id       = unifi_firewall_zone.dst.id
        port_group_id = unifi_firewall_group.web-ports.id
    }
}

Schema

Required

  • action (String) Determines which action to take on matching traffic. Must be one of BLOCK, ALLOW, or REJECT.
  • destination (Attributes) The zone matching the destination of the traffic. Optionally match on a specific destination inside the zone. (see below for nested schema)
  • name (String) The name of the firewall zone policy.
  • source (Attributes) The zone matching the source of the traffic. Optionally match on a specific source inside the zone. (see below for nested schema)

Optional

  • auto_allow_return_traffic (Boolean) Creates a built-in policy for the opposite Zone Pair to automatically allow the return traffic. If disabled, return traffic must be manually allowed.
  • connection_state_type (String) Optionally match on a firewall connection state such as traffic associated with an already existing connection. Valid values are ALL, RESPOND_ONLY, or CUSTOM.
  • connection_states (List of String) Connection states to match when connection_state_type is CUSTOM. Valid values include ESTABLISHED, NEW, RELATED, and INVALID.
  • description (String) Description of the firewall zone policy.
  • enabled (Boolean) Enable the policy.
  • index (Number) Priority index for the policy.
  • ip_version (String) Optionally match on only IPv4 or IPv6. Valid values are BOTH, IPV4, or IPV6.
  • logging (Boolean) Enable to generate syslog entries when traffic is matched.
  • match_ip_sec_type (String) Optionally match on traffic encrypted by IPsec. This is typically used for IPsec Policy-Based VPNs. Valid values are MATCH_IP_SEC or MATCH_NON_IP_SEC.
  • match_opposite_protocol (Boolean) Whether to match the opposite protocol.
  • protocol (String) Optionally match a specific protocol. Valid values include: all, tcp_udp, tcp, udp, etc.
  • schedule (Attributes) Enforce this policy at specific times. (see below for nested schema)
  • site (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.

Read-Only

  • id (String) The unique identifier of this resource.

Nested Schema for destination

Required:

  • zone_id (String) ID of the firewall zone.

Optional:

  • app_category_ids (List of String) List of application category IDs.
  • app_ids (List of String) List of application IDs.
  • ip_group_id (String) ID of the destination IP group.
  • ips (List of String) List of destination IPs.
  • match_opposite_ips (Boolean) Whether to match opposite IPs.
  • match_opposite_ports (Boolean) Whether to match opposite ports.
  • port (Number) Destination port.
  • port_group_id (String) ID of the destination port group.
  • regions (List of String) List of regions.
  • web_domains (List of String) List of web domains.

Nested Schema for source

Required:

  • zone_id (String) ID of the firewall zone.

Optional:

  • client_macs (List of String) List of client MAC addresses.
  • ip_group_id (String) ID of the source IP group.
  • ips (List of String) List of source IPs.
  • mac (String) Source MAC address.
  • macs (List of String) List of MAC addresses.
  • match_opposite_ips (Boolean) Whether to match opposite IPs.
  • match_opposite_networks (Boolean) Whether to match opposite networks.
  • match_opposite_ports (Boolean) Whether to match opposite ports.
  • network_ids (List of String) List of network IDs.
  • port (Number) Source port.
  • port_group_id (String) ID of the source port group.

Nested Schema for schedule

Optional:

  • date (String) Date for the schedule.
  • date_end (String) End date for the schedule.
  • date_start (String) Start date for the schedule.
  • mode (String) Schedule mode. Valid values are ALWAYS, EVERY_DAY, EVERY_WEEK, ONE_TIME_ONLY, or CUSTOM.
  • repeat_on_days (List of String) Days of the week when schedule repeats. Valid values include mon, tue, wed, thu, fri, sat, and sun.
  • time_all_day (Boolean) Whether the schedule applies all day.
  • time_from (String) Schedule starting time in 24-hour format (HH:MM).
  • time_to (String) Schedule ending time in 24-hour format (HH:MM).
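The optional attributes above (index, connection_state_type, logging) and the schedule block combine into a default-deny zone pair. The following is an added example, not part of the provider's documentation; the zone, group and policy names are constructed, and it assumes policies are evaluated in ascending index order.

```hcl
resource "unifi_firewall_zone" "iot" {
  name = "iot"
}

resource "unifi_firewall_zone" "lan" {
  name = "lan"
}

# Constructed address group: the only LAN hosts IoT devices may initiate connections to.
resource "unifi_firewall_group" "mgmt_hosts" {
  name    = "mgmt-hosts"
  type    = "address-group"
  members = ["10.0.10.10", "10.0.10.11"]
}

# index 0: let IoT devices answer connections that LAN hosts opened, nothing else.
resource "unifi_firewall_zone_policy" "iot_return" {
  name                  = "iot-return-traffic"
  action                = "ALLOW"
  index                 = 0
  connection_state_type = "CUSTOM"
  connection_states     = ["ESTABLISHED", "RELATED"]

  source      = { zone_id = unifi_firewall_zone.iot.id }
  destination = { zone_id = unifi_firewall_zone.lan.id }
}

# index 1: IoT may reach the management hosts on TCP 443, weekdays only.
resource "unifi_firewall_zone_policy" "iot_to_mgmt" {
  name     = "iot-to-mgmt-https"
  action   = "ALLOW"
  index    = 1
  protocol = "tcp"

  source = { zone_id = unifi_firewall_zone.iot.id }
  destination = {
    zone_id     = unifi_firewall_zone.lan.id
    ip_group_id = unifi_firewall_group.mgmt_hosts.id
    port        = 443
  }

  schedule = {
    mode           = "EVERY_WEEK"
    repeat_on_days = ["mon", "tue", "wed", "thu", "fri"]
    time_all_day   = true
  }
}

# index 2: log and drop everything else from IoT to LAN.
resource "unifi_firewall_zone_policy" "iot_default_drop" {
  name    = "iot-to-lan-default-drop"
  action  = "BLOCK"
  index   = 2
  logging = true

  source      = { zone_id = unifi_firewall_zone.iot.id }
  destination = { zone_id = unifi_firewall_zone.lan.id }
}
```

With logging enabled only on the final BLOCK policy, the syslog entries it produces show exactly which IoT traffic fell through the explicit allows.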

Import

Import is supported using the following syntax:

# import from provider configured site
terraform import unifi_firewall_zone_policy.policy 5dc28e5e9106d105bdc87217

# import from another site (prefix the ID with the site name)
terraform import unifi_firewall_zone_policy.policy zone:5dc28e5e9106d105bdc87217