Jelle van den Bos

Reputation: 1

Delete multiple firewall rules in a network Google Cloud Platform

For school we have to write a script to automatically deploy an application on GCP.

In my script, I need to be able to delete multiple firewall rules in my test environment network. The only option I see to do this is to hardcode the list of names of the firewall rules. I do want it to be dynamic though, so that when I add a rule with a different name, it also deletes that one. Is there any way to do this?

Upvotes: 0

Views: 1281

Answers (3)

Use the following command to delete all firewall rules from a VPC

gcloud compute firewall-rules delete $(gcloud compute firewall-rules list --project=<your-project> --filter="NETWORK:<your-vpc>" --format="value(name)" | tr "\n" " ") --project=<your-project>

Command explained: because there is currently no way to delete multiple firewall rules based on some condition, you have to list all firewall rules with a filter applied, take the output and build a string of all the firewall rule names. Then we can execute the delete firewall rule command.

Upvotes: 0
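The same list-then-delete procedure as a small script, added here as an example rather than code from the answer above. It assumes the gcloud `--format="value(name,network.basename())"` projection (name and the last path component of the rule's network selfLink, tab-separated), compares the network name exactly instead of as a substring, and refuses to call `delete` with an empty argument list. `DRY_RUN=1` prints the delete command instead of running it. The project and network names are placeholders.

```bash
#!/bin/sh
# Added example (not from the original answer): remove every firewall rule
# attached to one VPC network, with an exact network match and a dry-run mode.
set -eu

# list_rules_in_network PROJECT NETWORK
# Prints one firewall rule name per line for rules whose network is exactly NETWORK.
list_rules_in_network() {
  # Capture gcloud output first so a gcloud failure aborts under `set -e`
  # instead of silently yielding an empty list through a pipeline.
  lr_raw=$(gcloud compute firewall-rules list \
             --project="$1" \
             --format="value(name,network.basename())")
  # value() separates fields with a tab; keep only rows whose network matches exactly.
  printf '%s\n' "$lr_raw" | awk -F '\t' -v net="$2" '$2 == net { print $1 }'
}

# build_delete_command PROJECT NAME...
# Prints the delete command that would be run (used for dry runs and review).
build_delete_command() {
  bd_project="$1"
  shift
  printf 'gcloud compute firewall-rules delete %s --project=%s --quiet\n' "$*" "$bd_project"
}

# delete_rules_in_network PROJECT NETWORK
delete_rules_in_network() {
  dr_project="$1"
  dr_network="$2"
  dr_names=$(list_rules_in_network "$dr_project" "$dr_network")
  if [ -z "$dr_names" ]; then
    # Nothing to do; running `delete` with no names would just error out.
    echo "no firewall rules attached to network '$dr_network' in project '$dr_project'" >&2
    return 0
  fi
  # Split on newlines only (and disable globbing) so each name becomes one argument.
  dr_old_ifs=$IFS
  IFS='
'
  set -f
  # shellcheck disable=SC2086
  set -- $dr_names
  set +f
  IFS=$dr_old_ifs
  if [ "${DRY_RUN:-0}" = 1 ]; then
    build_delete_command "$dr_project" "$@"
  else
    gcloud compute firewall-rules delete "$@" --project="$dr_project" --quiet
  fi
}

# Usage: ./delete-network-rules.sh PROJECT NETWORK   (placeholder names)
if [ "$#" -eq 2 ]; then
  delete_rules_in_network "$1" "$2"
fi
```

Run it once with `DRY_RUN=1` and check the printed command against the console before letting it delete anything; in a deploy pipeline, keeping the network name as a parameter rather than a hardcoded rule list is what makes this pick up rules added later.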

user22421937

Reputation: 1

Use

gcloud compute firewall-rules list --project YOUR_PROJECT --regexp SOME_REGEX 

to list all the firewall rules you want to delete. Generally they start with the name of the network they apply to. So for instance yours might start with test-network-....

If you want to delete all of them dynamically do

gcloud compute firewall-rules list --project YOUR_PROJECT --regexp test-network.* 

This will give you an output containing the list with all the complete firewall rule names.

After that, in the script you can loop through them and build a string of their concatenation, but without ",". Something like "rule_name_1 rule_name_2 ... rule_name_n".

After that use

gcloud compute firewall-rules delete rule_name_1 rule_name_2 ... rule_name_n --project YOUR_PROJECT

Upvotes: 0

Serhii

Reputation: 4461

Unfortunately, there's no other way to do it. You should delete unnecessary rules and then create new ones.

Have a look at the documentation Using firewall rules: there are no flags such as --replace or --delete for the create command:

gcloud compute firewall-rules create NAME \
    [--network NETWORK; default="default"] \
    [--priority PRIORITY;default=1000] \
    [--direction (ingress|egress|in|out); default="ingress"] \
    [--action (deny | allow )] \
    [--target-tags TAG,TAG,...] \
    [--target-service-accounts=IAM Service Account,IAM Service Account,...] \
    [--source-ranges CIDR-RANGE,CIDR-RANGE...] \
    [--source-tags TAG,TAG,...] \
    [--source-service-accounts=IAM Service Account,IAM Service Account,...] \
    [--destination-ranges CIDR-RANGE,CIDR-RANGE...] \
    [--rules (PROTOCOL[:PORT[-PORT]],[PROTOCOL[:PORT[-PORT]],...]] | all ) \
    [--disabled | --no-disabled] \
    [--enable-logging | --no-enable-logging]

You can try to update existing rules, but it has some limitations:

You can modify some components of a firewall rule, such as the specified protocols and ports for the match condition. You cannot modify a firewall rule's name, network, the action on match, and the direction of traffic.

If you need to change the name, network, or the action or direction component, you must delete the rule and create a new one instead.

As a possible workaround you can file a feature request at the Google Issue Tracker under this component and ask to introduce some --replace or --delete flags for create command.

Upvotes: 1
