Skip to content

firewall_rule_group

This resource allows management of CrowdStrike Firewall rule groups. A rule group is a collection of firewall rules that can be assigned to firewall policies.

The following API scopes are required:

  • Firewall management: READ
  • Firewall management: WRITE
terraform {
required_providers {
crowdstrike = {
source = "registry.terraform.io/crowdstrike/crowdstrike"
}
}
}
provider "crowdstrike" {}
# Basic firewall rule group with a single rule
resource "crowdstrike_firewall_rule_group" "web_servers" {
name = "Web Server Rules"
description = "Firewall rules for web servers"
platform = "Windows"
enabled = true
rules = [
{
name = "Allow HTTPS Inbound"
description = "Allow inbound HTTPS traffic"
enabled = true
action = "ALLOW"
direction = "IN"
protocol = "TCP"
remote_port = [
{
start = 443
end = 0
}
]
},
{
name = "Allow HTTP Inbound"
description = "Allow inbound HTTP traffic"
enabled = true
action = "ALLOW"
direction = "IN"
protocol = "TCP"
remote_port = [
{
start = 80
end = 0
}
]
},
{
name = "Block All Other Inbound"
description = "Block all other inbound traffic"
enabled = true
action = "DENY"
direction = "IN"
protocol = "ANY"
}
]
}
# Firewall rule group with IP restrictions
resource "crowdstrike_firewall_rule_group" "database_servers" {
name = "Database Server Rules"
description = "Firewall rules for database servers"
platform = "Linux"
enabled = true
rules = [
{
name = "Allow PostgreSQL from App Servers"
description = "Allow PostgreSQL connections from application server subnet"
enabled = true
action = "ALLOW"
direction = "IN"
protocol = "TCP"
remote_address = [
{
address = "10.0.1.0"
netmask = 24
}
]
local_port = [
{
start = 5432
end = 0
}
]
},
{
name = "Allow MySQL from App Servers"
description = "Allow MySQL connections from application server subnet"
enabled = true
action = "ALLOW"
direction = "IN"
protocol = "TCP"
remote_address = [
{
address = "10.0.1.0"
netmask = 24
}
]
local_port = [
{
start = 3306
end = 0
}
]
}
]
}
# Firewall rule group with FQDN-based rules (outbound only)
resource "crowdstrike_firewall_rule_group" "outbound_rules" {
name = "Outbound Access Rules"
description = "Control outbound access to specific domains"
platform = "Windows"
enabled = true
rules = [
{
name = "Allow Updates"
description = "Allow outbound HTTPS to update servers"
enabled = true
action = "ALLOW"
direction = "OUT"
protocol = "TCP"
fqdn = "update.microsoft.com;download.windowsupdate.com"
remote_port = [
{
start = 443
end = 0
}
]
}
]
}
# Mac platform example (note: executable_path and service_name not supported on Mac)
resource "crowdstrike_firewall_rule_group" "mac_rules" {
name = "Mac Workstation Rules"
description = "Firewall rules for Mac workstations"
platform = "Mac"
enabled = true
rules = [
{
name = "Allow Outbound HTTPS"
description = "Allow outbound HTTPS traffic"
enabled = true
action = "ALLOW"
direction = "OUT"
protocol = "TCP"
remote_port = [
{
start = 443
end = 0
}
]
}
]
}
output "firewall_rule_group" {
value = crowdstrike_firewall_rule_group.web_servers
}
  • enabled (Boolean) Whether the rule group is enabled.
  • name (String) Name of the firewall rule group.
  • platform (String) Platform for the rule group. One of: Windows, Mac, Linux.
  • description (String) Description of the firewall rule group.
  • rules (Attributes List) List of firewall rules in this rule group. Rule precedence is determined by the order in the list. (see below for nested schema)
  • id (String) Identifier for the firewall rule group.

Required:

  • action (String) Action to take when the rule matches. One of: ALLOW, DENY.
  • direction (String) Traffic direction for the rule. One of: IN, OUT, BOTH.
  • name (String) Name of the firewall rule.
  • protocol (String) Protocol for the rule. Named protocols: TCP, UDP, ICMPV4, ICMPV6, IPV6 ENCAPSULATION, ANY. Additional protocols reachable via the console’s Advanced (numeric protocol) option: GRE, ESP, IGMP, IP-IN-IP. Note: Some protocols have platform restrictions (see platform documentation).

Optional:

  • address_family (String) Address family for the rule. One of: IP4, IP6, ANY (ANY matches any address family and clears any configured addresses).
  • description (String) Description of the firewall rule.
  • enabled (Boolean) Whether the rule is enabled.
  • executable_path (String) Path to executable that this rule applies to.
  • fqdn (String) Fully qualified domain name for the rule. Only valid for outbound rules. Multiple FQDNs can be separated by semicolons. Wildcard (*.example.com) and glob syntax are supported.
  • icmp_code (String) ICMP code for ICMP protocol rules. Use * for any.
  • icmp_type (String) ICMP type for ICMP protocol rules. Use * for any.
  • local_address (Attributes List) Local IP addresses for the rule. If empty, matches any local address. (see below for nested schema)
  • local_port (Attributes List) Local ports for the rule. Only applicable for TCP/UDP protocols. If empty, matches any port. (see below for nested schema)
  • network_location (String) Network location restriction. One of the built-in values ANY, DOMAIN, PRIVATE, PUBLIC, or a custom network location ID. Not supported on Linux (only ANY is valid there).
  • remote_address (Attributes List) Remote IP addresses for the rule. If empty, matches any remote address. (see below for nested schema)
  • remote_port (Attributes List) Remote ports for the rule. Only applicable for TCP/UDP protocols. If empty, matches any port. (see below for nested schema)
  • service_name (String) Windows service name that this rule applies to. Only valid for Windows platform.
  • watch_mode (Boolean) Enable watch mode (monitoring) for this rule instead of enforcing.

Read-Only:

  • id (String) Identifier for the firewall rule. Note: Rule IDs may change when the rule group is updated.

Required:

  • address (String) IP address for the rule, or * to match any address.

Optional:

  • netmask (Number) CIDR netmask. Use 0 for a single IP or any.

Required:

  • start (Number) Start port (1-65535).

Optional:

  • end (Number) End port for range (1-65535). Use 0 for single port.

Required:

  • address (String) IP address for the rule, or * to match any address.

Optional:

  • netmask (Number) CIDR netmask. Use 0 for a single IP or any.

Required:

  • start (Number) Start port (1-65535).

Optional:

  • end (Number) End port for range (1-65535). Use 0 for single port.

Import is supported using the following syntax:

#!/bin/bash
# Import an existing firewall rule group by its ID
terraform import crowdstrike_firewall_rule_group.web_servers <rule_group_id>