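import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

// NOTE(review): this copy of the typings had its generic type arguments stripped
// (e.g. `pulumi.Output;` and `pulumi.Input[]>`), which is not valid TypeScript.
// They are restored below from the field documentation and the generated-SDK
// conventions. The nested type names under `inputs.chronicle` / `outputs.chronicle`
// are presumed; confirm them against the published @pulumi/gcp typings.

/**
 * The Rule resource represents a user-created rule.
 *
 * To get more information about Rule, see:
 *
 * * [API documentation](https://cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.rules)
 * * How-to Guides
 *     * [Google SecOps Guides](https://cloud.google.com/chronicle/docs/secops/secops-overview)
 *
 * The rule text in the examples below is a minimal placeholder that shows the
 * resource shape; it is not meant as production detection logic.
 *
 * ## Example Usage
 *
 * ### Chronicle Rule Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.chronicle.Rule("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     deletionPolicy: "DEFAULT",
 *     text: "rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n",
 * });
 * ```
 * ### Chronicle Rule With Force Deletion
 *
 * With `deletionPolicy: "FORCE"`, deleting the rule also deletes its retrohunts
 * and detections (see `deletionPolicy`).
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.chronicle.Rule("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     deletionPolicy: "FORCE",
 *     text: "rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n",
 * });
 * ```
 * ### Chronicle Rule With Data Access Scope
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const dataAccessScopeTest = new gcp.chronicle.DataAccessScope("data_access_scope_test", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessScopeId: "scope-name",
 *     description: "scope-description",
 *     allowedDataAccessLabels: [{
 *         logType: "GCP_CLOUDAUDIT",
 *     }],
 * });
 * const example = new gcp.chronicle.Rule("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     // Reference the scope declared above by its variable name.
 *     scope: dataAccessScopeTest.name,
 *     text: "rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n",
 * });
 * ```
 *
 * ## Import
 *
 * Rule can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}`
 * * `{{project}}/{{location}}/{{instance}}/{{rule_id}}`
 * * `{{location}}/{{instance}}/{{rule_id}}`
 *
 * When using the `pulumi import` command, Rule can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:chronicle/rule:Rule default projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}
 * $ pulumi import gcp:chronicle/rule:Rule default {{project}}/{{location}}/{{instance}}/{{rule_id}}
 * $ pulumi import gcp:chronicle/rule:Rule default {{location}}/{{instance}}/{{rule_id}}
 * ```
 */
export declare class Rule extends pulumi.CustomResource {
    /**
     * Get an existing Rule resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RuleState, opts?: pulumi.CustomResourceOptions): Rule;
    /**
     * Returns true if the given object is an instance of Rule. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Rule;
    /**
     * Output only. The run frequencies that are allowed for the rule.
     * Populated in BASIC view and FULL view.
     */
    readonly allowedRunFrequencies: pulumi.Output<string[]>;
    /**
     * Output only. The author of the rule. Extracted from the meta section of text.
     * Populated in BASIC view and FULL view.
     */
    readonly author: pulumi.Output<string>;
    /**
     * Output only. A list of a rule's corresponding compilation diagnostic messages
     * such as compilation errors and compilation warnings.
     * Populated in FULL view.
     * Structure is documented below.
     */
    readonly compilationDiagnostics: pulumi.Output<outputs.chronicle.RuleCompilationDiagnostic[]>;
    /**
     * Output only. The current compilation state of the rule.
     * Populated in FULL view.
     * Possible values:
     * COMPILATION_STATE_UNSPECIFIED
     * SUCCEEDED
     * FAILED
     *
     * Together with `compilationDiagnostics`, this reports whether the rule text
     * compiled; it is worth checking after each change to `text`.
     */
    readonly compilationState: pulumi.Output<string>;
    /**
     * Output only. The timestamp of when the rule was created.
     * Populated in FULL view.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Output only. Resource names of the data tables used in this rule.
     */
    readonly dataTables: pulumi.Output<string[]>;
    /**
     * Policy to determine if the rule should be deleted forcefully.
     * If deletionPolicy = "FORCE", any retrohunts and any detections associated with the rule
     * will also be deleted. If deletionPolicy = "DEFAULT", the call will only succeed if the
     * rule has no associated retrohunts, including completed retrohunts, and no
     * associated detections. Regardless of this field's value, the rule
     * deployment associated with this rule will also be deleted.
     * Possible values: DEFAULT, FORCE
     *
     * Security note: detections and retrohunts are investigation records. With
     * "FORCE" they are removed whenever Pulumi deletes this resource (including
     * as part of a replacement), so prefer "DEFAULT" for production detections
     * and consider the `protect` resource option to block accidental deletion.
     * With either value, deleting the rule ends its detection coverage.
     */
    readonly deletionPolicy: pulumi.Output<string | undefined>;
    /**
     * The display name of the severity level. Extracted from the meta section of
     * the rule text.
     *
     * NOTE(review): this wording describes a severity label, but the field sits on
     * the rule itself and cannot be set through RuleArgs; confirm the intended
     * meaning against the API reference.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * The etag for this rule.
     * If this is provided on update, the request will succeed if and only if it
     * matches the server-computed value, and will fail with an ABORTED error
     * otherwise.
     * Populated in BASIC view and FULL view.
     *
     * Supplying it acts as an optimistic-concurrency check: an update based on a
     * stale copy of the rule is rejected instead of overwriting a newer edit.
     */
    readonly etag: pulumi.Output<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     */
    readonly instance: pulumi.Output<string>;
    /**
     * The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    readonly location: pulumi.Output<string>;
    /**
     * Output only. Additional metadata specified in the meta section of text.
     * Populated in FULL view.
     */
    readonly metadata: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters.
     * Format:
     * projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
     */
    readonly name: pulumi.Output<string>;
    /**
     * Output only. Indicate the rule can run in near real time live rule.
     * If this is true, the rule uses the near real time live rule when the run
     * frequency is set to LIVE.
     */
    readonly nearRealTimeLiveRuleEligible: pulumi.Output<boolean>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * Output only. Resource names of the reference lists used in this rule.
     * Populated in FULL view.
     */
    readonly referenceLists: pulumi.Output<string[]>;
    /**
     * Output only. The timestamp of when the rule revision was created.
     * Populated in FULL, REVISION_METADATA_ONLY views.
     */
    readonly revisionCreateTime: pulumi.Output<string>;
    /**
     * Output only. The revision ID of the rule.
     * A new revision is created whenever the rule text is changed in any way.
     * Format: v_{10 digits}_{9 digits}
     * Populated in REVISION_METADATA_ONLY view and FULL view.
     */
    readonly revisionId: pulumi.Output<string>;
    /**
     * Rule Id is the ID of the Rule.
     */
    readonly ruleId: pulumi.Output<string>;
    /**
     * Resource name of the DataAccessScope bound to this rule.
     * Populated in BASIC view and FULL view.
     * If reference lists are used in the rule, validations will be performed
     * against this scope to ensure that the reference lists are compatible with
     * both the user's and the rule's scopes.
     * The scope should be in the format:
     * "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
     *
     * NOTE(review): leaving this unset creates the rule without a bound scope;
     * confirm that is intended under your data-access model.
     */
    readonly scope: pulumi.Output<string | undefined>;
    /**
     * (Output)
     * Output only. The severity of a rule's compilation diagnostic.
     * Possible values:
     * SEVERITY_UNSPECIFIED
     * WARNING
     * ERROR
     */
    readonly severities: pulumi.Output<outputs.chronicle.RuleSeverity[]>;
    /**
     * The YARA-L content of the rule.
     * Populated in FULL view.
     *
     * This text is the detection logic itself, so review changes to it like code.
     * Every change creates a new revision (see `revisionId`).
     */
    readonly text: pulumi.Output<string | undefined>;
    /**
     * Possible values:
     * RULE_TYPE_UNSPECIFIED
     * SINGLE_EVENT
     * MULTI_EVENT
     */
    readonly type: pulumi.Output<string>;
    /**
     * Create a Rule resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: RuleArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering Rule resources.
 */
export interface RuleState {
    /**
     * Output only. The run frequencies that are allowed for the rule.
     * Populated in BASIC view and FULL view.
     */
    allowedRunFrequencies?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Output only. The author of the rule. Extracted from the meta section of text.
     * Populated in BASIC view and FULL view.
     */
    author?: pulumi.Input<string>;
    /**
     * Output only. A list of a rule's corresponding compilation diagnostic messages
     * such as compilation errors and compilation warnings.
     * Populated in FULL view.
     * Structure is documented below.
     */
    compilationDiagnostics?: pulumi.Input<pulumi.Input<inputs.chronicle.RuleCompilationDiagnostic>[]>;
    /**
     * Output only. The current compilation state of the rule.
     * Populated in FULL view.
     * Possible values:
     * COMPILATION_STATE_UNSPECIFIED
     * SUCCEEDED
     * FAILED
     */
    compilationState?: pulumi.Input<string>;
    /**
     * Output only. The timestamp of when the rule was created.
     * Populated in FULL view.
     */
    createTime?: pulumi.Input<string>;
    /**
     * Output only. Resource names of the data tables used in this rule.
     */
    dataTables?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Policy to determine if the rule should be deleted forcefully.
     * If deletionPolicy = "FORCE", any retrohunts and any detections associated with the rule
     * will also be deleted. If deletionPolicy = "DEFAULT", the call will only succeed if the
     * rule has no associated retrohunts, including completed retrohunts, and no
     * associated detections. Regardless of this field's value, the rule
     * deployment associated with this rule will also be deleted.
     * Possible values: DEFAULT, FORCE
     *
     * Security note: "FORCE" removes detections and retrohunts, which are
     * investigation records, whenever the rule is deleted; prefer "DEFAULT" for
     * production detections.
     */
    deletionPolicy?: pulumi.Input<string>;
    /**
     * The display name of the severity level. Extracted from the meta section of
     * the rule text.
     */
    displayName?: pulumi.Input<string>;
    /**
     * The etag for this rule.
     * If this is provided on update, the request will succeed if and only if it
     * matches the server-computed value, and will fail with an ABORTED error
     * otherwise.
     * Populated in BASIC view and FULL view.
     */
    etag?: pulumi.Input<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     */
    instance?: pulumi.Input<string>;
    /**
     * The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    location?: pulumi.Input<string>;
    /**
     * Output only. Additional metadata specified in the meta section of text.
     * Populated in FULL view.
     */
    metadata?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters.
     * Format:
     * projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
     */
    name?: pulumi.Input<string>;
    /**
     * Output only. Indicate the rule can run in near real time live rule.
     * If this is true, the rule uses the near real time live rule when the run
     * frequency is set to LIVE.
     */
    nearRealTimeLiveRuleEligible?: pulumi.Input<boolean>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * Output only. Resource names of the reference lists used in this rule.
     * Populated in FULL view.
     */
    referenceLists?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Output only. The timestamp of when the rule revision was created.
     * Populated in FULL, REVISION_METADATA_ONLY views.
     */
    revisionCreateTime?: pulumi.Input<string>;
    /**
     * Output only. The revision ID of the rule.
     * A new revision is created whenever the rule text is changed in any way.
     * Format: v_{10 digits}_{9 digits}
     * Populated in REVISION_METADATA_ONLY view and FULL view.
     */
    revisionId?: pulumi.Input<string>;
    /**
     * Rule Id is the ID of the Rule.
     */
    ruleId?: pulumi.Input<string>;
    /**
     * Resource name of the DataAccessScope bound to this rule.
     * Populated in BASIC view and FULL view.
     * If reference lists are used in the rule, validations will be performed
     * against this scope to ensure that the reference lists are compatible with
     * both the user's and the rule's scopes.
     * The scope should be in the format:
     * "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
     */
    scope?: pulumi.Input<string>;
    /**
     * (Output)
     * Output only. The severity of a rule's compilation diagnostic.
     * Possible values:
     * SEVERITY_UNSPECIFIED
     * WARNING
     * ERROR
     */
    severities?: pulumi.Input<pulumi.Input<inputs.chronicle.RuleSeverity>[]>;
    /**
     * The YARA-L content of the rule.
     * Populated in FULL view.
     */
    text?: pulumi.Input<string>;
    /**
     * Possible values:
     * RULE_TYPE_UNSPECIFIED
     * SINGLE_EVENT
     * MULTI_EVENT
     */
    type?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a Rule resource.
 */
export interface RuleArgs {
    /**
     * Policy to determine if the rule should be deleted forcefully.
     * If deletionPolicy = "FORCE", any retrohunts and any detections associated with the rule
     * will also be deleted. If deletionPolicy = "DEFAULT", the call will only succeed if the
     * rule has no associated retrohunts, including completed retrohunts, and no
     * associated detections. Regardless of this field's value, the rule
     * deployment associated with this rule will also be deleted.
     * Possible values: DEFAULT, FORCE
     *
     * Security note: detections and retrohunts are investigation records. With
     * "FORCE" they are removed whenever Pulumi deletes this resource (including
     * as part of a replacement), so prefer "DEFAULT" for production detections
     * and consider the `protect` resource option to block accidental deletion.
     */
    deletionPolicy?: pulumi.Input<string>;
    /**
     * The etag for this rule.
     * If this is provided on update, the request will succeed if and only if it
     * matches the server-computed value, and will fail with an ABORTED error
     * otherwise.
     * Populated in BASIC view and FULL view.
     *
     * Supplying it acts as an optimistic-concurrency check: an update based on a
     * stale copy of the rule is rejected instead of overwriting a newer edit.
     */
    etag?: pulumi.Input<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     */
    instance: pulumi.Input<string>;
    /**
     * The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    location: pulumi.Input<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * Rule Id is the ID of the Rule.
     */
    ruleId?: pulumi.Input<string>;
    /**
     * Resource name of the DataAccessScope bound to this rule.
     * Populated in BASIC view and FULL view.
     * If reference lists are used in the rule, validations will be performed
     * against this scope to ensure that the reference lists are compatible with
     * both the user's and the rule's scopes.
     * The scope should be in the format:
     * "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
     *
     * NOTE(review): leaving this unset creates the rule without a bound scope;
     * confirm that is intended under your data-access model.
     */
    scope?: pulumi.Input<string>;
    /**
     * The YARA-L content of the rule.
     * Populated in FULL view.
     *
     * This text is the detection logic itself, so review changes to it like code.
     * Every change creates a new revision (see `revisionId` on the resource).
     */
    text?: pulumi.Input<string>;
}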