terraform-provider-unifi/docs/resources/firewall_zone_policy.md
Mateusz Filipowicz b9284f7758 docs: improve documentation for 1.0.0 release (#75)
* docs: add examples and recreate TF documentation

* update readme

* add information about experimental support of firewall zones
2025-03-22 19:13:16 +01:00


---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "unifi_firewall_zone_policy Resource - terraform-provider-unifi"
subcategory: ""
description: |-
  The unifi_firewall_zone_policy resource manages firewall policies between zones in the UniFi controller. This resource allows you to create, update, and delete policies that define allowed or blocked traffic between zones.
  !> This is an experimental feature that requires UniFi OS 9.0.0 or later and the Zone Based Firewall feature enabled. Check the official documentation https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi on how to migrate to Zone-Based firewalls.
---
# unifi_firewall_zone_policy (Resource)
The `unifi_firewall_zone_policy` resource manages firewall policies between zones in the UniFi controller. This resource allows you to create, update, and delete policies that define allowed or blocked traffic between zones.
!> This is an experimental feature that requires UniFi OS 9.0.0 or later and the Zone Based Firewall feature enabled. Check the [official documentation](https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi) on how to migrate to Zone-Based firewalls.
## Example Usage
```terraform
resource "unifi_network" "network" {
  name    = "my-network"
  purpose = "corporate"
  subnet  = "10.0.10.0/24"
  vlan_id = "400"
}

resource "unifi_firewall_zone" "src" {
  name     = "my-source-zone"
  networks = [unifi_network.network.id]
}

resource "unifi_firewall_zone" "dst" {
  name = "my-destination-zone"
}

# Allow TCP/UDP traffic from any IP and port other than 192.168.1.1 and 443 in the `src` zone to the `dst` zone
resource "unifi_firewall_zone_policy" "policy" {
  name     = "my-zone-policy"
  action   = "ALLOW"
  protocol = "tcp_udp"

  source = {
    zone_id              = unifi_firewall_zone.src.id
    ips                  = ["192.168.1.1"]
    port                 = "443"
    match_opposite_ips   = true
    match_opposite_ports = true
  }

  destination = {
    zone_id = unifi_firewall_zone.dst.id
  }

  schedule = {
    mode         = "EVERY_DAY"
    time_all_day = false
    time_from    = "08:00"
    time_to      = "17:00"
  }
}

resource "unifi_firewall_group" "web-ports" {
  name    = "web-apps"
  type    = "port-group"
  members = ["80", "443"]
}

# Block TCP/UDP traffic from any IP and port in the `src` zone to `dst` zone ports 80 and 443, as defined in the port group
resource "unifi_firewall_zone_policy" "policy2" {
  name     = "my-policy-2"
  action   = "BLOCK"
  protocol = "tcp_udp"

  source = {
    zone_id = unifi_firewall_zone.src.id
  }

  destination = {
    zone_id       = unifi_firewall_zone.dst.id
    port_group_id = unifi_firewall_group.web-ports.id
  }
}
```
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `action` (String) Determines which action to take on matching traffic. Must be one of `BLOCK`, `ALLOW`, or `REJECT`.
- `destination` (Attributes) The zone matching the destination of the traffic. Optionally match on a specific destination inside the zone. (see [below for nested schema](#nestedatt--destination))
- `name` (String) The name of the firewall zone policy.
- `source` (Attributes) The zone matching the source of the traffic. Optionally match on a specific source inside the zone. (see [below for nested schema](#nestedatt--source))
### Optional
- `auto_allow_return_traffic` (Boolean) Creates a built-in policy for the opposite zone pair to automatically allow the return traffic. If disabled, return traffic must be allowed manually.
- `connection_state_type` (String) Optionally match on a firewall connection state such as traffic associated with an already existing connection. Valid values are `ALL`, `RESPOND_ONLY`, or `CUSTOM`.
- `connection_states` (List of String) Connection states to match when `connection_state_type` is `CUSTOM`. Valid values include `ESTABLISHED`, `NEW`, `RELATED`, and `INVALID`.
- `description` (String) Description of the firewall zone policy.
- `enabled` (Boolean) Enable the policy.
- `index` (Number) Priority index for the policy.
- `ip_version` (String) Optionally match on only IPv4 or IPv6. Valid values are `BOTH`, `IPV4`, or `IPV6`.
- `logging` (Boolean) Enable to generate syslog entries when traffic is matched.
- `match_ip_sec_type` (String) Optionally match on traffic encrypted by IPsec. This is typically used for IPsec policy-based VPNs. Valid values are `MATCH_IP_SEC` or `MATCH_NON_IP_SEC`.
- `match_opposite_protocol` (Boolean) Whether to match the opposite protocol.
- `protocol` (String) Optionally match a specific protocol. Valid values include: `all`, `tcp_udp`, `tcp`, `udp`, etc.
- `schedule` (Attributes) Enforce this policy at specific times. (see [below for nested schema](#nestedatt--schedule))
- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
### Read-Only
- `id` (String) The unique identifier of this resource.
<a id="nestedatt--destination"></a>
### Nested Schema for `destination`
Required:
- `zone_id` (String) ID of the firewall zone.
Optional:
- `app_category_ids` (List of String) List of application category IDs.
- `app_ids` (List of String) List of application IDs.
- `ip_group_id` (String) ID of the destination IP group.
- `ips` (List of String) List of destination IPs.
- `match_opposite_ips` (Boolean) Whether to match opposite IPs.
- `match_opposite_ports` (Boolean) Whether to match opposite ports.
- `port` (Number) Destination port.
- `port_group_id` (String) ID of the destination port group.
- `regions` (List of String) List of regions.
- `web_domains` (List of String) List of web domains.
<a id="nestedatt--source"></a>
### Nested Schema for `source`
Required:
- `zone_id` (String) ID of the firewall zone.
Optional:
- `client_macs` (List of String) List of client MAC addresses.
- `ip_group_id` (String) ID of the source IP group.
- `ips` (List of String) List of source IPs.
- `mac` (String) Source MAC address.
- `macs` (List of String) List of MAC addresses.
- `match_opposite_ips` (Boolean) Whether to match opposite IPs.
- `match_opposite_networks` (Boolean) Whether to match opposite networks.
- `match_opposite_ports` (Boolean) Whether to match opposite ports.
- `network_ids` (List of String) List of network IDs.
- `port` (Number) Source port.
- `port_group_id` (String) ID of the source port group.
<a id="nestedatt--schedule"></a>
### Nested Schema for `schedule`
Optional:
- `date` (String) Date for the schedule.
- `date_end` (String) End date for the schedule.
- `date_start` (String) Start date for the schedule.
- `mode` (String) Schedule mode. Valid values are `ALWAYS`, `EVERY_DAY`, `EVERY_WEEK`, `ONE_TIME_ONLY`, or `CUSTOM`.
- `repeat_on_days` (List of String) Days of the week when schedule repeats. Valid values include `mon`, `tue`, `wed`, `thu`, `fri`, `sat`, and `sun`.
- `time_all_day` (Boolean) Whether the schedule applies all day.
- `time_from` (String) Schedule starting time in 24-hour format (HH:MM).
- `time_to` (String) Schedule ending time in 24-hour format (HH:MM).
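The following configuration is an added example, not taken from the provider's own documentation or the example usage above. It shows how the schema attributes combine into a least-privilege zone pair: explicit connection-state matching instead of the auto-generated return-traffic policy, a logged reject for everything else, and a time-boxed administrative allow. Zone names, the jump-host address `10.0.99.10`, and the `index` values are constructed for this example; the assumption that a lower `index` is evaluated first is mine and is not stated by the schema.

```terraform
# Zones used by the policies below (names are constructed for this example).
resource "unifi_firewall_zone" "iot" {
  name = "iot"
}

resource "unifi_firewall_zone" "mgmt" {
  name = "management"
}

# 1. IoT may only answer connections that were opened from the management
#    zone: match ESTABLISHED/RELATED explicitly rather than relying on the
#    auto-generated return-traffic policy, and log every match.
resource "unifi_firewall_zone_policy" "iot_to_mgmt_return_only" {
  name        = "iot-to-mgmt-return-only"
  description = "Only reply traffic from IoT back to management"
  action      = "ALLOW"
  enabled     = true
  index       = 10 # assumed: lower index is evaluated first
  protocol    = "all"
  ip_version  = "BOTH"
  logging     = true

  connection_state_type     = "CUSTOM"
  connection_states         = ["ESTABLISHED", "RELATED"]
  auto_allow_return_traffic = false

  source = {
    zone_id = unifi_firewall_zone.iot.id
  }

  destination = {
    zone_id = unifi_firewall_zone.mgmt.id
  }
}

# 2. Everything else from IoT to management is rejected and logged, so
#    unexpected connection attempts appear in syslog.
resource "unifi_firewall_zone_policy" "iot_to_mgmt_reject" {
  name     = "iot-to-mgmt-reject"
  action   = "REJECT"
  index    = 20 # assumed: evaluated after the return-only allow above
  protocol = "all"
  logging  = true

  connection_state_type = "ALL"

  source = {
    zone_id = unifi_firewall_zone.iot.id
  }

  destination = {
    zone_id = unifi_firewall_zone.mgmt.id
  }
}

# 3. SSH from a single management jump host to IoT devices is allowed only
#    on weekdays during a maintenance window; outside it the policy does not match.
resource "unifi_firewall_zone_policy" "mgmt_to_iot_ssh_window" {
  name     = "mgmt-to-iot-ssh-window"
  action   = "ALLOW"
  protocol = "tcp"
  logging  = true

  source = {
    zone_id = unifi_firewall_zone.mgmt.id
    ips     = ["10.0.99.10"] # constructed jump-host address
  }

  destination = {
    zone_id = unifi_firewall_zone.iot.id
    port    = 22
  }

  schedule = {
    mode           = "EVERY_WEEK"
    repeat_on_days = ["mon", "tue", "wed", "thu", "fri"]
    time_all_day   = false
    time_from      = "09:00"
    time_to        = "17:00"
  }
}
```

Setting `auto_allow_return_traffic = false` on the first policy keeps the reverse direction under explicit control, and `logging = true` on all three makes both accepted and rejected matches visible to whatever collects the controller's syslog, which is where a detection rule for unexpected IoT-to-management attempts would be written.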
## Import
Import is supported using the following syntax:
```shell
# import from the provider-configured site
terraform import unifi_firewall_zone_policy.policy 5dc28e5e9106d105bdc87217
# import from another site
terraform import unifi_firewall_zone_policy.policy zone:5dc28e5e9106d105bdc87217
```