lSrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKJ r SSK J r SSK J r SS KJr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SS KJr SSKJr SSKJ!r! SSK"J#r# SSK"J$r$ SSK%J&r& Sr'Sr(Sr)Sr*Sr+Sr,Sr-Sr.Sr/Sr0Sr1S r2S!r3S"r4S#r5S$r6S%r7S&r8S'r9S(r:S)r;S*rS-r?S.r@S/rAS0rB\R\R"\RR\RR5"S1S2\R555rIS3S4S5S6.\IlJg)7zLCommand for migrate from legacy firewall rules to network firewall policies.)absolute_import)division)unicode_literalsN) list_pager) base_classes)poller)tags)waiter)base) exceptions)flags)convert_terraform)secure_tags_utils)endpoint_utils) operations)log) properties)filesc/nUHPnSnURH!nURUR:XdMSnM# U(dM?URU5 MR U$NFT) associationsattachmentTargetselfLinkappend)networkfirewall_policiesfiltered_policiesfirewall_policy associated associations -lib/surface/compute/firewall_rules/migrate.py)_GetFirewallPoliciesAssociatedWithNetworkr"+s]*oJ&33  % %)9)9 9 4z/ + cv/nUH0nURUR:XdMURU5 M2 U$N)rrr)r firewallsfiltered_firewallsfirewalls r!"_GetFirewallsAssociatedWithNetworkr)7s<h7+++) r#c[5nUH9nURUR5 URUR5 M; U$r%)setupdate sourceTags targetTags)selected_firewallsr r(s r!_GetLegacyTagsr0?s> $$hKK##$KK##$% +r#c[5nUHBnURUR5 U(aM'URUR5 MD U$r%)r+r,sourceServiceAccountstargetServiceAccounts)r/keep_target_service_accountsservice_accountsr(s r!_GetServiceAccountsr6GsJU$hH::; ' 'h<<=% r#c:SURs=::aS::ag gg)NiiTF)priority)rules r!_IsDefaultFirewallPolicyRuler:Ps 4==.J. / r#c(SSRX54$)NFz"Mapping for {} '{}' was not found.)format)fieldtags r!_UnsupportedTagResultr?Xs 5<s r!_IsFirewallSupportedrJ\s"77o$62 " "$<8 &#99!&!8 ! 4$ $&>  : c  "< 55! c  "< 55! r#cdUH*n[R"X R5(dM* g g)NTF)rematchname)r(patternspatterns r!_IsExcludedFirewallrQxs'g xx''  r#cXRRR:Xa URRR$URRR$r%)FirewallDirectionValueValuesEnumINGRESSFirewallPolicyRuleEGRESS)messages directions r!_ConvertRuleDirectionrZsJ##<<DDD  & & ? ? G GG  $ $ = = D DDr#c/nUH6nURURURURS95 M8 U$)N) ipProtocolports)r%FirewallPolicyRuleMatcherLayer4Config IPProtocolr])rX l4_configslayer4_configsconfigs r!_ConvertLayer4ConfigsrcsI.f66((  7  r#cPUVs/sHnURXS9PM sn$s snf)NrNFirewallPolicyRuleSecureTag)rXrGr r>s r! _ConvertTagsrhs: #** 0@*A  s#cXUVs/sHnURUSU-S9PM sn$s snf)NrArerf)rXrGr5rHs r!_ConvertServiceAccountsrjsJ .  ./**5?23+.   s'cURn[XUR5nU(d/nU[XUR5-nUR UR UR UR[XR5URUURRURURUR[XUR 5[XUR"5-[%X5S9UUS9 $)z-Converts VPC Firewall to FirewallPolicy.Rule.) destIpRanges srcIpRanges srcSecureTags layer4Configs) disabledruleName descriptionrYr8action enableLoggingrMr3targetSecureTags)r3rhr.rjrVrprNrrrZrYr8 logConfigenableFirewallPolicyRuleMatcherdestinationRanges sourceRangesr-r2rc)rXr(rsr`rGr4target_service_accountstarget_secure_tagss r!_ConvertRuleInternalr}s%::#H8;N;NO % +.Ex==/  $ $  }}&&%h0B0BC  &&--  . .11++8(2E2EF')G)G .hC / 4)) % r#cUR(a[UUSURUU5$[UUSURUU5$)Ndenyallow)deniedr}allowed)rXr(rGr4s r! _ConvertRulersS __ $    "  r#cZSnUH#nU(a U(a gU=(d U(+nM% gr)statusesfalse_detectedstatuss r! _IsPrefixTruers*.f . #16zN r#c<UnUR5 [U5$r%)reverser)r statuses_copys r! _IsSuffixTruers- } %%r#c[R"U5n[R"U5nSSS5 WR5VVs0sHupEU[R"U5_M nnnU$!,(df  NI=f![a/ [ R RSRUS95 g[a/ [ R RSRUS95 g[a^n[ R RSRUS95 [ R R[U55 SnAgSnAff=fs snnf)z6Imports legacy to secure tag mapping from a JSON file.Nz:File '{file}' was not found. Tag mapping was not imported.filezOOS error occurred when opening the file '{file}'. Tag mapping was not imported.z\Unexpected error occurred when reading the JSON file '{file}'. Tag mapping was not imported.)r FileReaderjsonloadFileNotFoundErrorrrPrintr<OSError ExceptionrepritemsrTranslateSecureTag) file_namefdataekvrGs r!_ReadTagMappingrs)   ) $ YYq\d %0>BZZ\=ITQa  - -a 00\ 7 % $ JJDKK L   JJ VV+  JJ %%+VV%;JJT!W  sFBA2B #E2 B<BB6E;5E2 E;AEEcURRS5nSURUS-nURSUR-SUR-5$)Nz /projects/z//compute.googleapis.comz instances/%s)rfindreplacerNid)instance start_index resource_names r!_GetFullCanonicalResourceNamer sZ!!&&|4+,x/@/@/NN-   x}}$x{{" r#cjURURRS5[S5-S$)Nz/zones/)zonerlen)rs r!_GetInstanceLocationrs, x}})))4s9~EG HHr#cZ^U4SjnURnURRURUSSS95nURR Vs/sHnUR RPM nn[[R"U65n[[X855$s snf)zGets instances in the network.c >[URVs/sH4nURRST-5(dM(URPM6 sn5$s snf)Nz/%s)rnetworkInterfacesrendswith)rnetwork_interface network_names r!_HasInterfaceMatchingNetwork<_GetInstancesInNetwork.._HasInterfaceMatchingNetworksY !)!;!;!;   $ $ - -el.B C "!!!; s 'AAT)projectincludeAllScopes maxResults) MESSAGES_MODULE instancesAggregatedList%ComputeInstancesAggregatedListRequestradditionalPropertiesvaluelist itertoolschainfilter) rrcompute_clientrrXinstance_aggregationsiteminstances_listrs ` r!_GetInstancesInNetworkrs + +((22AA445(--BBB$ jjB 9??N34) f1= >>s B(c H[R"5n[U5nURX0S9nUR US9n[ U5n[ R"U5 [R"5RU5nUR(d1[R"USRX0UR55 SSS5 g![a5n[ R"R%S['U5-5 SnANCSnAff=f!,(df  g=f)zBinds tag to the instance.)parenttagValue) tagBindingzQWaiting for TagBinding for parent [{}] and tag value [{}] to be created with [{}]z"Tag binding could not be created: N)rm_tags TagMessagesr TagBinding,CloudresourcemanagerTagBindingsCreateRequestr endpointsCrmEndpointOverridesTagBindingsServiceCreatedonerWaitForReturnOperationr<rNrrrrr) tag_valuerrXr tag_binding binding_reqlocationoprs r!_BindTagToInstancer6s  "(/9-##=#M+EEF+"( +(%%h/ G  % % ' . .{ ;b WW))  &} I 0/ G jj;d1gEFFG0/s1 D"A&C D+D D DD D!c[U5nU(dg[XU5nUHn[XF5 [XF5 M g)z:Binds secure tags to instances with matching network tags.N)rr_BindTagsToInstance_BindServiceTagsToInstance)rrtag_mapping_file_namerrG vm_instancesvms r!_BindSecureTagsToInstancesrOs; 56+  '~N, b ({/ r#chURRHnX ;dM [XU5 M gr%)r rr)rGrr>s r!rr^s' WW]]c )2.r#cURVs/sHo"RPM nnUHnSU-nX@;dM[XU5 M gs snfNrA)serviceAccountsemailr)rGrsar5 prefixed_tags r!rrdsL)+););<);2hh);< b2:L"2B7 =sA cH[[SU55n[RUR U55n[ R "USS9n[R"XE5 SSS5 g!,(df  g=f![a/ [RRSRUS95 g[a^n[RRSRUS95 [RR[U55 SnAgSnAff=f)z4Exports legacy to secure tag mapping to a JSON file.c SU-$rr)xs r!"_WriteTagMapping..psr#Tpath create_pathNzOOS error occurred when opening the file '{file}'. Tag mapping was not exported.rz\Unexpected error occurred when writing the JSON file '{file}'. Tag mapping was not exported.)r+mapdictfromkeysunionr FileWriterrdumprrrrr<rr)rr r5prefixed_service_accountsmappingrrs r!_WriteTagMappingrms"#&;=M"NO MM$**%>? @'   yd ;q ii < ; ;  JJ VV+ JJ %%+VV%;JJT!W s<BA1(B1 A?;B?B6D!: D!ADD!c[R"USS9nURU5 SSS5 g!,(df  g=f![a/ [R R SRUS95 g[a^n[R R SRUS95 [R R [U55 SnAgSnAff=f)zExports Terraform script.TrNzTOS error occurred when opening the file '{file}'. Terraform script was not exported.rz_Unexpected error occurred when writing to the file '{file}'. Terraform script was not exported. rrwriterrrrr<rr)r tf_scriptrrs r!_WriteTerraformScriptrs   yd ;qggi < ; ;  JJ Y/ JJ $$*F F$:JJT!W s7A2A AAA6C"; C"ACC"c[R"USS9nUHnURUS-5 M SSS5 g!,(df  g=f![a/ [R R SRUS95 g[a^n[R R SRUS95 [R R [U55 SnAgSnAff=f)z-Exports regexes used for excluding firewalls.Tr NzWOS error occurred when opening the file '{file}'. Exclusion patterns were not exported.rzbUnexpected error occurred when writing to the file '{file}'. Exclusion patterns were not exported.r)rrOrrPrs r!_WriteExclusionPatternsrs   yd ;q' $ < ; ;  JJ $f)f4 JJ ''-v9v'=JJT!W s8A>A A A A6C. C.AC))C.c[R"U5nUR5nUVs/sHo3RS5PM nnSSS5 SnWHn[R"U5 M U(d/S4$US4$s snf!,(df  ND=f![a3 [ R RSRUS95 /S4s$[a3 [ R RSRUS95 /S4s$[abn[ R RSRUS95 [ R R[U55 /S4sSnA$SnAff=f![adnSn[ R RS RU55 [ R R[U55 SnAGMSnAff=f) z'Imports exclusion patterns from a file.rNzBFile '{file}' was not found. Exclusion patterns were not imported.rTzWOS error occurred when opening the file '{file}'. Exclusion patterns were not imported.z_Unexpected error occurred when reading the file '{file}'. Exclusion patterns were not imported.Fz&Cannot compile regular expression '{}')rr readlinesrstriprrrrr<rrrrLcompile)rrlineslinerOrsuccessrPs r!_ReadExclusionPatternsr s   ) $kkme056++d#h6 %. 'g jj  t8O 5C7 % $ JJL Y  t8O JJ $f)f4 t8O JJ ''-v9v'=JJT!W t8O   g jj?FFwOP jjtAw sqBBBB BE=B BBB:E:9E: E:AE5/E:5E:= G+AG&&G+c:\rSrSrSrSr/SQr\S5rSr Sr g)Migrateiz@Migrate from legacy firewall rules to network firewall policies.N)zgke-(.+)-ipv6-allzCgke-(.+)-(.+)-((master)|(vms)|(all)|(inkubelet)|(exkubelet)|(mcsd))zk8s-fw-(l7-)?(.+)z'k8s-(.+)-((node)|(http)|(node-http))-hcz(.+)-hczk8s2-(.+)-(.+)-(.+)-(.+)(-fw)?zk8s2-(.+)-l4-shared-hc-fwzgke((gw)|(mcg))1-l7-(.+)-(.+)c URSSS9nURSSS9 URSSSS 9 URS SS S 9 URS SS S 9 [R"SS[R SSSSSS9UlUR RU5 URSSSS9 URSSSSS9 URSSSS9 URSSSS9 URSSSSS9 URS SSS!S9 g)"NT)mutexrequiredz--target-firewall-policyz^ Name of the new Network Firewall Policy used to store the migration result. )helpz--export-tag-mapping store_truez If set, migration tool will inspect all VPC Firewalls attached to SOURCE_NETWORK, collect all source and target tags, and store them in TAG_MAPPING_FILE. )rsrz--export-exclusion-patternszk If set, migration tool will dump list of regexes used to filter VPC Firewall out of migration. z--bind-tags-to-instancesz If set, migration tool will bind secure tags to the instances with the network tags which match secure tags from the tag mapping file. z--source-networkrFzcompute.networksz["R$R'S05 ["R$R'S15 S2n9/n:U7H|un)n/nU8(a[U9U/l,U9S-n9["R$R'S3R)U/RXU)U/RxU/Rb55 U:RMU/U45 M~ U8(a["R$R'S)5 UR5[zRR|:Xa0URS4UUR~RRS59nOURS4US69nU (a[R"UU5S!-n;U:H"un/nU;[R"U/5-S!-n;M$ U(a;[UU;5 ["R$R'S7R)U55 g["R$R'S85 ["R$R'U;5 gUR2RURUUS995n<[R"UR25n=URRU[R"U=U>S5 /n?U:Hun/nU?RMUR2RURUU/US?955 U(dMH["R$R'S(R)URXUR:URb55 M [R"URUR25n=U?VrXrr policy_namer(rr*exclusion_patterns_file_namer,r-!terraform_script_output_file_namer/r4rOerrrfp_list_responserrfetched_firewallsassociated_firewallsrP firewall_idmarked_firewallsr(selectedr/_ legacy_tagsr5rGrrsorted_firewallsconverted_firewallsconversion_failures_countselected_firewalls_countr8rerrorconverted_firewallnon_selected_firewall_countfirewall_policy_rulesr9 joined_rulesrsafe_migration_impossiblesafe_migration_error_messageprsrules_to_migratepriorities_remap_neededcurrent_prioritymigrated_rulesrresponseoperation_poller operation_ref responsesoperation_refssA r!Run Migrate.Runes!  * *4+<+<+> ?F ]] * *F%%H || g!!&&..88:g4!12L$ 8$?K ';UC#D*"JJHOO $ %| JJ9@@ '' (  ** jjw+JJTK((43J3JKKhx;?@!Ok) #3 (Ha 8  # #H -$4##56k, :,k;KL jj - 4 45J K &K#$9:k   GH"2!1 Q" !((Q2q(;!1./ ! .>*!Q(Govu #;a#? . k#?  +*  '@!&C #  Xx);VU K%/?.  jj , 3 34L M jj56,? (!XxAq 8 **  ""##X]]H4H4H -@ jjr  #;; # jj / 6 6)   jj56,? (!XxAqx **  ""##X]]H4H4H -@ jjr! jj 8 ? ?'  /B *!Xq!VUv **  ""8#4#4hmmUK /B  jjr,!''$+D11  & &t ,(-+@*?$*?##89 !6!6 Xt 4tT2. 5L55    P P g g h-./0/0-.7CCl2Aq!QlHC % ! 55    P P g g h8 $ $ 56$(! 8 $ $ 56$(!!   D  =INL&8q!Q1aA Aq LN" 0 1 09Aq!Q 0 12    jjGH jj CN$4 $ ( +a/   # # x8H8H  T8,-%5 jjr d//555 //"11PPcc0o!// 0o  1 1/7 K  $'$ )CCDI ID P $ +?K  8 ? ?1    D  # --44<<O = H }}V%C%CD$$**&@+M NN3::;GJJ=>JJABI(h  ( ( 0 0CC!,%)!D     !!8==(2F2F  )")) v55" "H    *D  "   NN&//?Ur 0D8O 2Zs02|)||%||  | <|)+.|0)rE) __name__ __module__ __qualname____firstlineno____doc__rrE classmethodr#r__static_attributes__rr#r!r r s2I+>ggRLr#r zXCreate a new Network Firewall Policy and move all customer defined firewall rules there.z *{command}* is used to create a new Network Firewall Policy that contain all rules defined in already existing Network Firewall Policy associated with the given VPC Network and all customer defined VPC Firewall Rules attached to that VPC Network. z To execute the migration for VPC Network 'my-network' which stores the result in 'my-policy' Network Firewall Policy, run: $ {command} --source-network=my-network --target-firewall-policy=my-policy )brief DESCRIPTIONEXAMPLES)Kr __future__rrrrrrLapitools.base.pyrgooglecloudsdk.api_lib.computer)googlecloudsdk.api_lib.compute.operationsr'googlecloudsdk.api_lib.resource_managerr rgooglecloudsdk.api_lib.utilr googlecloudsdk.callioper r "googlecloudsdk.command_lib.computer rrsRS&' '7<C.(.EZZNSB#** J8E %P(& BI?:G2 0/ 8.(*&RD%%++T->->-C-CDY d  Y EY |  r#