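import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

/**
 * A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users.
 *
 * To get more information about DataAccessScope, see:
 *
 * * [API documentation](https://cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.dataAccessScopes)
 * * How-to Guides
 *     * [Introduction to data RBAC](https://cloud.google.com/chronicle/docs/onboard/onboard-datarbac)
 *
 * A scope is evaluated as: `(allowAll OR any(allowedDataAccessLabels)) AND NOT any(deniedDataAccessLabels)`.
 * Allowed labels are OR-ed, denied labels are AND-ed (see the field docs below), and denied labels win
 * over allowed ones. The type system cannot express the "exactly one of allowAll /
 * allowedDataAccessLabels" rule stated in the field docs — both are optional here — so that constraint
 * is presumably enforced by the API at create/update time; confirm before relying on it.
 *
 * ## Example Usage
 *
 * ### Chronicle Dataaccessscope With Logtype
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.chronicle.DataAccessScope("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessScopeId: "scope-id",
 *     description: "scope-description",
 *     allowedDataAccessLabels: [
 *         {
 *             logType: "GCP_CLOUDAUDIT",
 *         },
 *         {
 *             logType: "GITHUB",
 *         },
 *     ],
 * });
 * ```
 * ### Chronicle Dataaccessscope With Dataaccesslabel
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const customDataAccessLabel = new gcp.chronicle.DataAccessLabel("custom_data_access_label", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessLabelId: "label-id",
 *     udmQuery: "principal.hostname=\"google.com\"",
 * });
 * const example = new gcp.chronicle.DataAccessScope("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessScopeId: "scope-id",
 *     description: "scope-description",
 *     allowedDataAccessLabels: [{
 *         // Reference the label resource declared above (the example previously referred to an
 *         // undeclared `googleChronicleDataAccessLabel` binding).
 *         dataAccessLabel: customDataAccessLabel.dataAccessLabelId,
 *     }],
 * });
 * ```
 * ### Chronicle Dataaccessscope With Asset Namespace
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.chronicle.DataAccessScope("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessScopeId: "scope-id",
 *     description: "scope-description",
 *     allowedDataAccessLabels: [{
 *         assetNamespace: "my-namespace",
 *     }],
 * });
 * ```
 * ### Chronicle Dataaccessscope With Ingestion Label
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.chronicle.DataAccessScope("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessScopeId: "scope-id",
 *     description: "scope-description",
 *     allowedDataAccessLabels: [{
 *         ingestionLabel: {
 *             ingestionLabelKey: "ingestion_key",
 *             ingestionLabelValue: "ingestion_value",
 *         },
 *     }],
 * });
 * ```
 * ### Chronicle Dataaccessscope With Denied Labels
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const customDataAccessLabel = new gcp.chronicle.DataAccessLabel("custom_data_access_label", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessLabelId: "label-id",
 *     udmQuery: "principal.hostname=\"google.com\"",
 * });
 * const example = new gcp.chronicle.DataAccessScope("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessScopeId: "scope-id",
 *     description: "scope-description",
 *     // allowAll grants everything not matched by a denied label below.
 *     allowAll: true,
 *     deniedDataAccessLabels: [
 *         {
 *             logType: "GCP_CLOUDAUDIT",
 *         },
 *         {
 *             dataAccessLabel: customDataAccessLabel.dataAccessLabelId,
 *         },
 *         {
 *             ingestionLabel: {
 *                 ingestionLabelKey: "ingestion_key",
 *                 ingestionLabelValue: "ingestion_value",
 *             },
 *         },
 *         {
 *             assetNamespace: "my-namespace",
 *         },
 *     ],
 * });
 * ```
 *
 * ## Import
 *
 * DataAccessScope can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/locations/{{location}}/instances/{{instance}}/dataAccessScopes/{{data_access_scope_id}}`
 * * `{{project}}/{{location}}/{{instance}}/{{data_access_scope_id}}`
 * * `{{location}}/{{instance}}/{{data_access_scope_id}}`
 *
 * When using the `pulumi import` command, DataAccessScope can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:chronicle/dataAccessScope:DataAccessScope default projects/{{project}}/locations/{{location}}/instances/{{instance}}/dataAccessScopes/{{data_access_scope_id}}
 * $ pulumi import gcp:chronicle/dataAccessScope:DataAccessScope default {{project}}/{{location}}/{{instance}}/{{data_access_scope_id}}
 * $ pulumi import gcp:chronicle/dataAccessScope:DataAccessScope default {{location}}/{{instance}}/{{data_access_scope_id}}
 * ```
 */
export declare class DataAccessScope extends pulumi.CustomResource {
    /**
     * Get an existing DataAccessScope resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DataAccessScopeState, opts?: pulumi.CustomResourceOptions): DataAccessScope;
    /**
     * Returns true if the given object is an instance of DataAccessScope. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * `obj` is `any` rather than `unknown` to match the SDK-wide signature of `isInstance`.
     */
    static isInstance(obj: any): obj is DataAccessScope;
    /**
     * Optional. Whether or not the scope allows all labels, allowAll and
     * allowedDataAccessLabels are mutually exclusive and one of them must be
     * present. deniedDataAccessLabels can still be used along with allow_all.
     * When combined with denied_data_access_labels, access will be granted to all
     * data that doesn't have labels mentioned in denied_data_access_labels. E.g.:
     * A customer with scope with denied labels A and B and allowAll will be able
     * to see all data except data labeled with A and data labeled with B and data
     * with labels A and B.
     *
     * NOTE(review): `allowAll: true` with no deniedDataAccessLabels grants the scope's
     * users visibility of every label in the instance; treat it as a broad grant and
     * prefer an explicit allow list, or pair it with denied labels, where possible.
     */
    readonly allowAll: pulumi.Output<boolean | undefined>;
    /**
     * The allowed labels for the scope. There has to be at
     * least one label allowed for the scope to be valid.
     * The logical operator for evaluation of the allowed labels is OR.
     * Either allowAll or allowedDataAccessLabels needs to be provided.
     * E.g.: A customer with scope with allowed labels A and B will be able
     * to see data with labeled with A or B or (A and B).
     * Structure is documented below.
     */
    readonly allowedDataAccessLabels: pulumi.Output<outputs.chronicle.DataAccessScopeAllowedDataAccessLabel[] | undefined>;
    /**
     * Output only. The user who created the data access scope.
     * Useful, together with `lastEditor`, when auditing who changed a scope's reach.
     */
    readonly author: pulumi.Output<string>;
    /**
     * Output only. The time at which the data access scope was created.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Required. The user provided scope id which will become the last part of the name
     * of the scope resource.
     * Needs to be compliant with https://google.aip.dev/122
     */
    readonly dataAccessScopeId: pulumi.Output<string>;
    /**
     * Optional. The denied labels for the scope.
     * The logical operator for evaluation of the denied labels is AND.
     * E.g.: A customer with scope with denied labels A and B won't be able
     * to see data labeled with A and data labeled with B
     * and data with labels A and B.
     * Structure is documented below.
     */
    readonly deniedDataAccessLabels: pulumi.Output<outputs.chronicle.DataAccessScopeDeniedDataAccessLabel[] | undefined>;
    /**
     * Optional. A description of the data access scope for a human reader.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Output only. The name to be used for display to customers of the data access scope.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     */
    readonly instance: pulumi.Output<string>;
    /**
     * Output only. The user who last updated the data access scope.
     */
    readonly lastEditor: pulumi.Output<string>;
    /**
     * The location of the resource.
     * This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    readonly location: pulumi.Output<string>;
    /**
     * The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters.
     * Format:
     * projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
     */
    readonly name: pulumi.Output<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * Output only. The time at which the data access scope was last updated.
     */
    readonly updateTime: pulumi.Output<string>;
    /**
     * Create a DataAccessScope resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: DataAccessScopeArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering DataAccessScope resources.
 */
export interface DataAccessScopeState {
    /**
     * Optional. Whether or not the scope allows all labels, allowAll and
     * allowedDataAccessLabels are mutually exclusive and one of them must be
     * present. deniedDataAccessLabels can still be used along with allow_all.
     * When combined with denied_data_access_labels, access will be granted to all
     * data that doesn't have labels mentioned in denied_data_access_labels. E.g.:
     * A customer with scope with denied labels A and B and allowAll will be able
     * to see all data except data labeled with A and data labeled with B and data
     * with labels A and B.
     */
    allowAll?: pulumi.Input<boolean>;
    /**
     * The allowed labels for the scope. There has to be at
     * least one label allowed for the scope to be valid.
     * The logical operator for evaluation of the allowed labels is OR.
     * Either allowAll or allowedDataAccessLabels needs to be provided.
     * E.g.: A customer with scope with allowed labels A and B will be able
     * to see data with labeled with A or B or (A and B).
     * Structure is documented below.
     */
    allowedDataAccessLabels?: pulumi.Input<pulumi.Input<inputs.chronicle.DataAccessScopeAllowedDataAccessLabel>[]>;
    /**
     * Output only. The user who created the data access scope.
     */
    author?: pulumi.Input<string>;
    /**
     * Output only. The time at which the data access scope was created.
     */
    createTime?: pulumi.Input<string>;
    /**
     * Required. The user provided scope id which will become the last part of the name
     * of the scope resource.
     * Needs to be compliant with https://google.aip.dev/122
     */
    dataAccessScopeId?: pulumi.Input<string>;
    /**
     * Optional. The denied labels for the scope.
     * The logical operator for evaluation of the denied labels is AND.
     * E.g.: A customer with scope with denied labels A and B won't be able
     * to see data labeled with A and data labeled with B
     * and data with labels A and B.
     * Structure is documented below.
     */
    deniedDataAccessLabels?: pulumi.Input<pulumi.Input<inputs.chronicle.DataAccessScopeDeniedDataAccessLabel>[]>;
    /**
     * Optional. A description of the data access scope for a human reader.
     */
    description?: pulumi.Input<string>;
    /**
     * Output only. The name to be used for display to customers of the data access scope.
     */
    displayName?: pulumi.Input<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     */
    instance?: pulumi.Input<string>;
    /**
     * Output only. The user who last updated the data access scope.
     */
    lastEditor?: pulumi.Input<string>;
    /**
     * The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    location?: pulumi.Input<string>;
    /**
     * The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters.
     * Format:
     * projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
     */
    name?: pulumi.Input<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * Output only. The time at which the data access scope was last updated.
     */
    updateTime?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a DataAccessScope resource.
 *
 * Exactly one of `allowAll` / `allowedDataAccessLabels` is required by the API
 * (see the field docs); the type does not enforce that, so a plan with neither or
 * both is presumably rejected only at apply time.
 */
export interface DataAccessScopeArgs {
    /**
     * Optional. Whether or not the scope allows all labels, allowAll and
     * allowedDataAccessLabels are mutually exclusive and one of them must be
     * present. deniedDataAccessLabels can still be used along with allow_all.
     * When combined with denied_data_access_labels, access will be granted to all
     * data that doesn't have labels mentioned in denied_data_access_labels. E.g.:
     * A customer with scope with denied labels A and B and allowAll will be able
     * to see all data except data labeled with A and data labeled with B and data
     * with labels A and B.
     */
    allowAll?: pulumi.Input<boolean>;
    /**
     * The allowed labels for the scope. There has to be at
     * least one label allowed for the scope to be valid.
     * The logical operator for evaluation of the allowed labels is OR.
     * Either allowAll or allowedDataAccessLabels needs to be provided.
     * E.g.: A customer with scope with allowed labels A and B will be able
     * to see data with labeled with A or B or (A and B).
     * Structure is documented below.
     */
    allowedDataAccessLabels?: pulumi.Input<pulumi.Input<inputs.chronicle.DataAccessScopeAllowedDataAccessLabel>[]>;
    /**
     * Required. The user provided scope id which will become the last part of the name
     * of the scope resource.
     * Needs to be compliant with https://google.aip.dev/122
     */
    dataAccessScopeId: pulumi.Input<string>;
    /**
     * Optional. The denied labels for the scope.
     * The logical operator for evaluation of the denied labels is AND.
     * E.g.: A customer with scope with denied labels A and B won't be able
     * to see data labeled with A and data labeled with B
     * and data with labels A and B.
     * Structure is documented below.
     */
    deniedDataAccessLabels?: pulumi.Input<pulumi.Input<inputs.chronicle.DataAccessScopeDeniedDataAccessLabel>[]>;
    /**
     * Optional. A description of the data access scope for a human reader.
     */
    description?: pulumi.Input<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     */
    instance: pulumi.Input<string>;
    /**
     * The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    location: pulumi.Input<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
}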