linode · aweingarten · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
@@ -35,10 +35,14 @@ In addition to all arguments above, the following attributes are exported:
 
 * [`inbound`](#inbound-and-outbound) - A firewall rule that specifies what inbound network traffic is allowed.
 
+* `inbound_ruleset` - A list of Firewall Rule Set IDs referenced as inbound rules.
+
 * `inbound_policy` - The default behavior for inbound traffic. (`ACCEPT`, `DROP`)
 
 * [`outbound`](#inbound-and-outbound) - A firewall rule that specifies what outbound network traffic is allowed.
 
+* `outbound_ruleset` - A list of Firewall Rule Set IDs referenced as outbound rules.
+
 * `outbound_policy` - The default behavior for outbound traffic. (`ACCEPT`, `DROP`)
 
 * `linodes` - The IDs of Linodes assigned to this Firewall.
@@ -49,6 +53,8 @@ In addition to all arguments above, the following attributes are exported:
 
 * `status` - The status of the firewall. (`enabled`, `disabled`, `deleted`)
 
+* `version` - The version number of the Firewall's rule configuration. This is incremented each time the Firewall's rules are changed.
+
 * `created` - When this firewall was created.
 
 * `updated` - When this firewall was last updated.
@@ -67,9 +73,9 @@ The following arguments are supported in the inbound and outbound rule blocks:
 
 * `ports` - A string representation of ports and/or port ranges (i.e. "443" or "80-90, 91").
 
-* `ipv4` - A list of IPv4 addresses or networks. Must be in IP/mask format.
+* `ipv4` - A list of IPv4 addresses or networks in CIDR format, or prefix list tokens.
 
-* `ipv6` - A list of IPv6 addresses or networks. Must be in IP/mask format.
+* `ipv6` - A list of IPv6 addresses or networks in CIDR format, or prefix list tokens.
 
 ### devices
 

@@ -0,0 +1,72 @@
+---
+page_title: "Linode: linode_firewall_rules_expansion"
+description: |-
+  Provides the expanded (resolved) firewall rules for a Firewall.
+---
+
+# Data Source: linode\_firewall\_rules\_expansion
+
+Provides the expanded (resolved) firewall rules for a Linode Firewall. This data source resolves all prefix list tokens and rule set references into their concrete IP addresses and individual rules, giving you the effective rule set that the firewall is currently enforcing.
+
+For more information, see the [Linode APIv4 docs](https://techdocs.akamai.com/linode-api/reference/get-firewall-rules-expansion).
+
+## Example Usage
+
+```terraform
+resource "linode_firewall" "my_firewall" {
+  label = "my-firewall"
+
+  inbound_ruleset = [linode_firewall_ruleset.allow_web.id]
+
+  inbound_policy  = "DROP"
+  outbound_policy = "ACCEPT"
+
+  linodes = [linode_instance.my_instance.id]
+}
+
+data "linode_firewall_rules_expansion" "expanded" {
+  firewall_id = linode_firewall.my_firewall.id
+}
+
+output "effective_inbound_rules" {
+  value = data.linode_firewall_rules_expansion.expanded.inbound
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `firewall_id` - (Required) The ID of the Firewall to get the expanded rules for.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* [`inbound`](#rules) - The expanded inbound firewall rules with all prefix list tokens and rule set references resolved.
+
+* `inbound_policy` - The default behavior for inbound traffic. (`ACCEPT`, `DROP`)
+
+* [`outbound`](#rules) - The expanded outbound firewall rules with all prefix list tokens and rule set references resolved.
+
+* `outbound_policy` - The default behavior for outbound traffic. (`ACCEPT`, `DROP`)
+
+* `version` - The version number of the Firewall's rule configuration.
+
+### rules
+
+Each expanded rule exports the following attributes:
+
+* `label` - The label for this rule.
+
+* `action` - Controls whether traffic is accepted or dropped by this rule. (`ACCEPT`, `DROP`)
+
+* `protocol` - The network protocol this rule controls. (`TCP`, `UDP`, `ICMP`, `IPENCAP`)
+
+* `description` - The description for this rule.
+
+* `ports` - A string representation of ports and/or port ranges (i.e. "443" or "80-90, 91").
+
+* `ipv4` - A list of resolved IPv4 addresses or networks in CIDR format.
+
+* `ipv6` - A list of resolved IPv6 addresses or networks in CIDR format.
@@ -0,0 +1,62 @@
+---
+page_title: "Linode: linode_firewall_ruleset"
+description: |-
+  Provides details about a Firewall Rule Set.
+---
+
+# Data Source: linode\_firewall\_ruleset
+
+Provides details about a Linode Firewall Rule Set.
+For more information, see the [Linode APIv4 docs](https://techdocs.akamai.com/linode-api/reference/get-firewall-rule-set).
+
+## Example Usage
+
+```terraform
+data "linode_firewall_ruleset" "example" {
+  id = "12345"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `id` - (Required) The ID of the Firewall Rule Set.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `label` - The label for the Rule Set.
+
+* `description` - The description of the Rule Set.
+
+* `type` - The type of rule set (`inbound` or `outbound`).
+
+* [`rules`](#rules) - The firewall rules defined in this set.
+
+* `is_service_defined` - Whether this Rule Set is service-defined (managed by Linode).
+
+* `version` - The version number of this Rule Set.
+
+* `created` - When this Rule Set was created.
+
+* `updated` - When this Rule Set was last updated.
+
+### rules
+
+Each rule exports the following attributes:
+
+* `label` - The label for this rule.
+
+* `action` - Controls whether traffic is accepted or dropped by this rule. (`ACCEPT`, `DROP`)
+
+* `protocol` - The network protocol this rule controls. (`TCP`, `UDP`, `ICMP`, `IPENCAP`)
+
+* `description` - The description for this rule.
+
+* `ports` - A string representation of ports and/or port ranges (i.e. "443" or "80-90, 91").
+
+* `ipv4` - A list of IPv4 addresses or networks in CIDR format, or prefix list tokens.
+
+* `ipv6` - A list of IPv6 addresses or networks in CIDR format, or prefix list tokens.
@@ -0,0 +1,95 @@
+---
+page_title: "Linode: linode_firewall_rulesets"
+description: |-
+  Provides information about Firewall Rule Sets that match a set of filters.
+---
+
+# Data Source: linode\_firewall\_rulesets
+
+Provides information about Linode Firewall Rule Sets that match a set of filters.
+For more information, see the [Linode APIv4 docs](https://techdocs.akamai.com/linode-api/reference/get-firewall-rule-sets).
+
+## Example Usage
+
+Get information about all inbound rule sets:
+
+```terraform
+data "linode_firewall_rulesets" "inbound" {
+  filter {
+    name   = "type"
+    values = ["inbound"]
+  }
+}
+
+output "ruleset_labels" {
+  value = data.linode_firewall_rulesets.inbound.rulesets.*.label
+}
+```
+
+Get all rule sets:
+
+```terraform
+data "linode_firewall_rulesets" "all" {}
+
+output "ruleset_ids" {
+  value = data.linode_firewall_rulesets.all.rulesets.*.id
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* [`filter`](#filter) - (Optional) A set of filters used to select Firewall Rule Sets that meet certain requirements.
+
+### Filter
+
+* `name` - (Required) The name of the field to filter by. See the [Filterable Fields section](#filterable-fields) for a complete list of filterable fields.
+
+* `values` - (Required) A list of values for the filter to allow. These values should all be in string form.
+
+* `match_by` - (Optional) The method to match the field by. (`exact`, `regex`, `substring`; default `exact`)
+
+## Attributes Reference
+
+Each Firewall Rule Set will be stored in the `rulesets` attribute and will export the following attributes:
+
+* `label` - The label for the Rule Set.
+
+* `description` - The description of the Rule Set.
+
+* `type` - The type of rule set (`inbound` or `outbound`).
+
+* [`rules`](#rules) - The firewall rules defined in this set.
+
+* `is_service_defined` - Whether this Rule Set is service-defined (managed by Linode).
+
+* `version` - The version number of the Rule Set.
+
+* `created` - When this Rule Set was created.
+
+* `updated` - When this Rule Set was last updated.
+
+### rules
+
+Each rule exports the following attributes:
+
+* `label` - The label for this rule.
+
+* `action` - Controls whether traffic is accepted or dropped by this rule. (`ACCEPT`, `DROP`)
+
+* `protocol` - The network protocol this rule controls. (`TCP`, `UDP`, `ICMP`, `IPENCAP`)
+
+* `description` - The description for this rule.
+
+* `ports` - A string representation of ports and/or port ranges (i.e. "443" or "80-90, 91").
+
+* `ipv4` - A list of IPv4 addresses or networks in CIDR format, or prefix list tokens.
+
+* `ipv6` - A list of IPv6 addresses or networks in CIDR format, or prefix list tokens.
+
+## Filterable Fields
+
+* `label`
+
+* `type`
@@ -89,6 +89,8 @@ Each Linode firewall will be stored in the `firewalls` attribute and will export
 
 * `status` - The status of the firewall.
 
+* `version` - The version number of the Firewall's rule configuration.
+
 * `created` - When this firewall was created.
 
 * `updated` - When this firewall was last updated.

@@ -49,6 +49,12 @@ In addition to all arguments above, the following attributes are exported:
 
 * `apl_enabled` - Enables the App Platform Layer
 
+* `ruleset_ids` - The IDs of the service-managed firewall rulesets automatically created for LKE Enterprise clusters.
+
+  * `inbound` - The ID of the inbound service-managed ruleset.
+
+  * `outbound` - The ID of the outbound service-managed ruleset.
+
 * `subnet_id` - The ID of the VPC subnet to use for the Kubernetes cluster. This subnet must be dual stack (IPv4 and IPv6 should both be enabled).
 
 * `vpc_id` - The ID of the VPC to use for the Kubernetes cluster.
@@ -69,6 +75,12 @@ In addition to all arguments above, the following attributes are exported:
 
   * `disk_encryption` - The disk encryption policy for nodes in this pool.
 
+  * `isolation` - Network isolation settings for the node pool.
+
+    * `public_ipv4` - Whether nodes have public IPv4 addresses.
+
+    * `public_ipv6` - Whether nodes have public IPv6 addresses.
+
   * `tags` - An array of tags applied to this object. Tags are case-insensitive and are for organizational purposes only.
 
   * `tier` - The desired Kubernetes tier. **NOTE: This field may not be available to all users and is only populated when api_version is set to `v4beta`.**

@@ -40,6 +40,12 @@ In addition to all arguments above, the following attributes are exported:
 
 * `disk_encryption` - Indicates the local disk encryption setting for this LKE node pool.
 
+* `isolation` - Network isolation settings for this node pool.
+
+  * `public_ipv4` - Whether nodes have public IPv4 addresses.
+
+  * `public_ipv6` - Whether nodes have public IPv6 addresses.
+
 * `disks` - This node pool's custom disk layout.
 
   * `size` - The size of this custom disk partition in MB.

@@ -0,0 +1,46 @@
+---
+page_title: "Linode: linode_prefix_list"
+description: |-
+  Provides details about a Prefix List.
+---
+
+# Data Source: linode\_prefix\_list
+
+Provides details about a Linode Prefix List.
+For more information, see the [Linode APIv4 docs](https://techdocs.akamai.com/linode-api/reference/get-prefix-list).
+
+## Example Usage
+
+```terraform
+data "linode_prefix_list" "example" {
+  id = "12345"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `id` - (Required) The ID of the Prefix List.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `name` - The name of the Prefix List (e.g. `pl:system:object-storage:us-iad`, `pl::customer:my-list`).
+
+* `description` - A description of the Prefix List.
+
+* `visibility` - The visibility of the Prefix List. (`account`, `restricted`)
+
+* `source_prefixlist_id` - The ID of the source prefix list, if this is a derived list.
+
+* `ipv4` - A list of IPv4 addresses or networks in CIDR format contained in this prefix list.
+
+* `ipv6` - A list of IPv6 addresses or networks in CIDR format contained in this prefix list.
+
+* `version` - The version number of this Prefix List.
+
+* `created` - When this Prefix List was created.
+
+* `updated` - When this Prefix List was last updated.