c"SrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r Sr "S S \ R5rSSjrS?SjrS?SjrS@SjrS?SjrS>SjrS>SjrS>Sjr S>Sjr!S>Sjr"S>S jr#SAS!jr$S>S"jr%S>S#jr&S>S$jr'S%r(S&r)S'r*S(r+S)r,S*r-S+r.S>S,jr/S>S-jr0S>S.jr1S>S/jr2S0r3S1r4S2r5S>S3jr6S>S4jr7S>S5jr8S6r9S>S7jr:S>S8jr;S>S9jrS;jr>g )BzJFlags and helpers for the compute organization firewall policies commands.)absolute_import)division)unicode_literals) arg_parsers) completers)flagszJ table( name:label=ID, displayName, description )c(^\rSrSrU4SjrSrU=r$)FirewallPoliciesCompleter"c 4>[[U] "SSSS.UD6 g)Ncompute.firewallPoliciesz(compute org-firewall-policies list --uri) collection list_command)superr __init__)selfkwargs __class__s Alib/googlecloudsdk/command_lib/compute/firewall_policies/flags.pyr"FirewallPoliciesCompleter.__init__$s( #T3-? r)__name__ __module__ __qualname____firstlineno__r__static_attributes__ __classcell__)rs@rr r "s rr Nc ^[R"SS[UUSSRU5SS9$)NFIREWALL_POLICYfirewall policyfirewall policiesz)Short name of the firewall policy to {0}.r name resource_name completerpluralrequired custom_plural short_helpglobal_collection compute_flagsResourceArgumentr formatr(r' operations rFirewallPolicyRuleListArgumentr2,s:  ' ' %) '<CCIN2  rc ^[R"SS[UUSSRU5SS9$)Nr r!r"z/Short name or ID of the firewall policy to {0}.r r#r,r0s rFirewallPolicyArgumentr4;s=  ' ' %) 'BII 3  rc 4[R"SSUUSSS9$)N--firewall-policyr!z>Short name or ID of the firewall policy ID of the association.r )r$r%r'r(r*r+)r-r.)r(r's r"FirewallPolicyAssociationsArgumentr7Js'  ' ' %  J2  rc \[R"SS[UUSSRU5S9$)Npriorityzfirewall policy ruler z+Priority of the firewall policy rule to {}.)r$r%r&r'r(r+r*r,r0s rFirewallPolicyRuleArgumentr:Ws:  ' ' *) 2>EE   rcURSSSS9 URSSS9nURSSS9 URS S S9 URS S S9 g )z.Adds the argument for firewall policy creaton.z --short-nameTzgA textual name of the firewall policy. The name must be 1-63 characters long, and comply with RFC 1035.r(helpr(mutex--organizationzHOrganization in which the organization firewall policy is to be created.r=--folderzBFolder in which the organization firewall policy is to be created. --descriptionFAn optional, textual description for the organization security policy.N) add_argument add_groupparsergroups rAddArgFirewallPolicyCreationrJis 7    D  5%  O   rcFURSSSS9 URSSS9 g) z2Adds the argument for firewall policy clone rules.z--source-firewall-policyTz=The URL of the source firewall policy to copy the rules from.r<r@zzOrganization in which the organization firewall policy to copy the rules to. Must be set if firewall-policy is short name.rANrErHs rAddArgsCloneRulesrNs<  J   Erc$URSSS9 g)zFAdds the argument for firewall policy force start progressive rollout.r@zOrganization in which the organization firewall policy to start the rollout of resides. Must be set if firewall-policy is short name.rANrLrMs r#AddArgsForceStartProgressiveRolloutrPs OrcdURSSS9nURSSS9 URSSS9 g) z+Adds the argument for firewall policy list.Tr>r@z2Organization in which firewall policies are listedrArBz,Folder in which firewall policies are listedNrFrErGs rAddArgsListFirewallPolicyrSsK   D  5% ? ErcDURSSS9 URSSS9 g)z+Adds the argument for firewall policy move.r@ztOrganization in which the organization firewall policy is to be moved. Must be set if FIREWALL_POLICY is short name.rArBz@Folder to which the organization firewall policy is to be moved.NrLrMs r AddArgsMoverUs9 B  MrcDURSSS9 URSSS9 g)z-Adds the argument for firewall policy update.r@zvOrganization in which the organization firewall policy is to be updated. Must be set if FIREWALL_POLICY is short name.rArCrDNrLrMs rAddArgsUpdateFirewallPolicyrWs; D  rc URSU(aSOS-SU(aSOS[SRU(aSOSU5S9 g) z+Adds the priority argument to the argparse.r$sPRIORITY*NzPriority of the rule{0} to {1}. Rules are evaluated in order from highest priority to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.)metavarnargsr&r=)rEr r/)rHr1 is_plurals r AddPriorityr`sF yb)C$) <AddAction.. QWWYr:Action to take if the request matches the match condition.choicestyper(r=NrLrHr(s r AddActionrvs$L  G rc0URS/SQSUSS9 g)rbrc)mirror do_not_mirrorrfc"UR5$rirjrls rrn*AddPacketMirroringAction..rprrqrrNrLrus rAddPacketMirroringActionr|s$6  G rcDURSUSRU5S9 g)z5Adds the firewall policy ID argument to the argparse.r6zCShort name of the firewall policy into which the rule should be {}.r<NrEr/)rHr(r1s rAddFirewallPolicyIdrs* 6)$ rc&URSUSS9 g)Nr@zmOrganization which the organization firewall policy belongs to. Must be set if FIREWALL_POLICY is short name.r<rLrus rAddOrganizationr s  : rcPURS[R"5USSS9 g)zAdds the source IP ranges.z--src-ip-ranges SRC_IP_RANGEz(Source IP ranges to match for this rule.rtr(r]r=NrErArgListrus rAddSrcIpRangesrs-     5 rcPURS[R"5USSS9 g)zAdds the destination IP ranges.z--dest-ip-ranges DEST_IP_RANGEz-Destination IP ranges to match for this rule.rNrrus rAddDestIpRangesr!s-     : rcPURS[R"5USSS9 g)zAdds the layer4 configs.z--layer4-configs LAYER4_CONFIGzPA list of destination protocols and ports to which the firewall rule will apply.rNrrus rAddLayer4Configsr,s/       rc,URSUSS/SS9 g)z?Adds the direction of the traffic to which the rule is applied.z --directionINGRESSEGRESSzZDirection of the traffic the rule is applied. The default is to apply on incoming traffic.)r(rsr=NrLrus r AddDirectionr:s((# ( rcDURSU[RSS9 g)z"Adds the option to enable logging.z--enable-loggingzSUse this flag to enable logging of connections that allowed or denied by this rule.r(actionr=NrErStoreTrueFalseActionrus rAddEnableLoggingrGs)  - - ! rcDURSU[RSS9 g)z$Adds the option to disable the rule.z --disabledzJUse this flag to disable the rule. Disabled rules will not affect traffic.rNrrus r AddDisabledrTs)  - -  rcBURSSRU5S9 g)z;Adds the new firewall policy rule priority to the argparse.z--new-priorityz6New priority for the rule to {}. Valid in [0, 65535]. rANr~)rHr1s rAddNewPriorityras) B I I rcPURS[R"5SUSS9 g)z1Adds the target resources the rule is applied to.z--target-resourcesTARGET_RESOURCESz>List of URLs of target resources to which the rule is applied.rtr]r(r=Nrrus rAddTargetResourcesrms-      K rcPURS[R"5SUSS9 g)z.Adds the target service accounts for the rule.z--target-service-accountsTARGET_SERVICE_ACCOUNTSz-List of target service accounts for the rule.rNrrus rAddTargetServiceAccountsrxs-!    ' : rc&URSUSS9 g)z"Adds the description of this rule.rCz.An optional, textual description for the rule.r<NrLrus rAddDescriptionrs ;rcURSSSS9 URSSS9 URSS S9 URS S S S S S9 URSSS9 g)z+Adds the arguments of association creation.r6Tz&Security policy ID of the association.r<r@zvID of the organization in which the firewall policy is to be associated. Must be set if FIREWALL_POLICY is short name.rArBz7ID of the folder with which the association is created.z--replace-association-on-target store_trueFaBy default, if you attempt to insert an association to an organization or folder resource that is already associated with a firewall policy the method will fail. If this is set, the existing association will be deleted at the same time that the new association is created.)rdefaultr(r=z--namezName to identify this association. If unspecified, the name will be set to "organization-{ORGANIZATION_ID}" or "folder-{FOLDER_ID}".NrLrMs rAddArgsCreateAssociationrs 3   G P '  $    %rcFURSSSS9 URSSS9 g) z+Adds the arguments of association deletion.r$NAMEz"Name of the association to delete.)r]r=r@ztID of the organization in which the firewall policy is to be detached. Must be set if FIREWALL_POLICY is short name.rANrLrMs rAddArgsDeleteAssociationrs<  /   ErcdURSSS9nURSSS9 URSSS9 g) z'Adds the arguments of association list.Tr>r@z//organizations//locations/global/securityProfileGroups/ b) (//)/organizations//locations/global/securityProfileGroups/ c) . In case "c" `gcloud` CLI will create a reference matching format "a", but to make it work CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set. In order to set this property, please run the command `gcloud config set api_endpoint_overrides/networksecurity https:///`.r]r(r=NrLrMs rAddSecurityProfileGrouprh# & $ rc(URSSSSS9 g)rrrFaNAn org-based security profile group to be used with mirror action. Allowed formats are: a) http(s):////organizations//locations/global/securityProfileGroups/ b) (//)/organizations//locations/global/securityProfileGroups/ c) . In case "c" `gcloud` CLI will create a reference matching format "a", but to make it work CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set. In order to set this property, please run the command `gcloud config set api_endpoint_overrides/networksecurity https:///`.rNrLrMs r AddMirroringSecurityProfileGroupr}rrcDURSS[RSS9 g)z6Adds the option to turn on TLS decryption on the rule.z --tls-inspectFzUse this flag to indicate whether TLS traffic should be inspected using the TLS inspection policy when the security profile group is applied. Default: no TLS inspection.rNrrMs r AddTlsInspectrs)  - - 4  rc(URSUSSS9 g)z'Adds source network scope to this rule.z--src-network-scopeTaEDeprecated. Use --src-network-type instead. Use this flag to indicate that the rule should match internet, non-internet traffic or traffic coming from the network specified by --src-network. It applies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the field.r(hiddenr=NrLrus rAddSrcNetworkScopers#  (  rc&URSUSS9 g)z&Adds source network type to this rule.z--src-network-typeUse this flag to indicate that the rule should match internet, non-internet traffic or traffic coming from the network specified by --src-network. It applies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the field.r<NrLrus rAddSrcNetworkTypers  (  rc&URSUSS9 g)z)Adds source network context to this rule.z--src-network-contextrr<NrLrus rAddSrcNetworkContextrs  (  rcPURS[R"5SSSS9 g)z+Adds source network urls list to this rule.z--src-networks SRC_NETWORKSFzThe source VPC networks to match for this rule. It can only be specified when --src-network-type is VPC_NETWORKS. It applies to ingress rules. It accepts full or partial URLs.rNrrMs rAddSrcNetworksrs/     =  rc(URSUSSS9 g)z,Adds destination network scope to this rule.z--dest-network-scopeTaDeprecated. Use --dest-network-type instead. Use this flag to indicate that the rule should match internet or non-internet traffic. It applies to destination traffic for egress rules. Valid values are INTERNET and NON_INTERNET. Use empty string to clear the field.rNrLrus rAddDestNetworkScopers#  .  rc&URSUSS9 g)z+Adds destination network type to this rule.z--dest-network-typeUse this flag to indicate that the rule should match internet or non-internet traffic. It applies to destination traffic for egress rules. Valid values are INTERNET and NON_INTERNET. Use empty string to clear the field.r<NrLrus rAddDestNetworkTypers  .  rc&URSUSS9 g)z.Adds destination network context to this rule.z--dest-network-contextrr<NrLrus rAddDestNetworkContextrs  .  rclSnU(aUS- nURS[R"5SUUS9 g)z'Adds a source secure tag to this rule.aA list of instance secure tags indicating the set of instances on the network to which the rule applies if all other fields match. Either --src-ip-ranges or --src-secure-tags must be specified for ingress traffic. If both --src-ip-ranges and --src-secure-tags are specified, an inbound connection is allowed if either the range of the source matches --src-ip-ranges or the tag of the source matches --src-secure-tags. Secure Tags can be assigned to instances during instance creation.zD Secure tags cannot be specified if source network type is INTERNET.z--src-secure-tagsSOURCE_SECURE_TAGSrNr)rHr(rrs rAddSrcSecureTagsr sK  NI     "  rcPURS[R"5SUSS9 g)z&Adds a target secure tag to this rule.z--target-secure-tagsTARGET_SECURE_TAGSzdAn optional, list of target secure tags with a name of the format tagValues/ or full namespaced namerNrrus rAddTargetSecureTagsr$s/    " 6  r)FFN)FF)F)T)TNri)?__doc__ __future__rrrgooglecloudsdk.callioper"googlecloudsdk.command_lib.computercompute_completersrr-DEFAULT_LIST_FORMATListCommandCompleterr r2r4r7r:rJrNrPrSrUrWr`rvr|rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrs:Q&'/OE  2 G G-1    $ F"   $"      (V"     (&42** "      4 r