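import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

// NOTE(review): this listing was recovered from a rendering that dropped every generic type
// argument (`pulumi.Output<...>`, `pulumi.Input<...>`), which left the declarations invalid
// TypeScript. The arguments below are restored from the documented property semantics and
// Pulumi's generated-SDK conventions (`string`, `string[]`, `pulumi.Input<pulumi.Input<T>[]>`).
// Confirm the `inputs.cloudsecuritycompliance.*` / `outputs.cloudsecuritycompliance.*` element
// types and the `majorRevisionId` element type against the published package before relying on them.

/**
 * Cloud controls are the building blocks that make up frameworks. Each cloud control is a unit
 * encapsulating various platform-specific logic for prevention, detection, and audit.
 *
 * To get more information about CloudControl, see:
 *
 * * [API documentation](https://docs.cloud.google.com/security-command-center/docs/reference/cloudsecuritycompliance/rest/v1/organizations.locations.cloudControls)
 *
 * ## Example Usage
 *
 * ### Cloudsecuritycompliance Cloudcontrol Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.cloudsecuritycompliance.CloudControl("example", {
 *     organization: "123456789",
 *     location: "global",
 *     cloudControlId: "example-cloudcontrol",
 *     displayName: "TF test CloudControl Name",
 *     description: "A test cloud control for security compliance",
 *     categories: ["CC_CATEGORY_INFRASTRUCTURE"],
 *     severity: "HIGH",
 *     findingCategory: "SECURITY_POLICY",
 *     remediationSteps: "Review and update the security configuration according to best practices.",
 *     supportedCloudProviders: ["GCP"],
 *     rules: [{
 *         description: "Ensure compute instances have secure boot enabled",
 *         ruleActionTypes: ["RULE_ACTION_TYPE_DETECTIVE"],
 *         celExpression: {
 *             expression: "resource.data.shieldedInstanceConfig.enableSecureBoot == true",
 *             resourceTypesValues: {
 *                 values: ["compute.googleapis.com/Instance"],
 *             },
 *         },
 *     }],
 *     parameterSpecs: [
 *         {
 *             name: "location",
 *             displayName: "Resource Location",
 *             description: "The location where the resource should be deployed",
 *             valueType: "STRING",
 *             isRequired: true,
 *             defaultValue: {
 *                 stringValue: "us-central1",
 *             },
 *             validation: {
 *                 regexpPattern: {
 *                     pattern: "^[a-z]+-[a-z]+[0-9]$",
 *                 },
 *             },
 *         },
 *         {
 *             name: "enable_secure_boot",
 *             displayName: "Enable Secure Boot",
 *             description: "Whether to enable secure boot for instances",
 *             valueType: "BOOLEAN",
 *             isRequired: true,
 *             defaultValue: {
 *                 boolValue: true,
 *             },
 *             substitutionRules: [{
 *                 attributeSubstitutionRule: {
 *                     attribute: "rules[0].cel_expression.expression",
 *                 },
 *             }],
 *             validation: {
 *                 allowedValues: {
 *                     values: [{
 *                         boolValue: true,
 *                     }],
 *                 },
 *             },
 *         },
 *         {
 *             name: "max_instances",
 *             displayName: "Maximum Instances",
 *             description: "Maximum number of instances allowed",
 *             valueType: "NUMBER",
 *             isRequired: false,
 *             defaultValue: {
 *                 numberValue: 10,
 *             },
 *             substitutionRules: [{
 *                 placeholderSubstitutionRule: {
 *                     attribute: "rules[0].description",
 *                 },
 *             }],
 *             validation: {
 *                 intRange: {
 *                     min: "1",
 *                     max: "100",
 *                 },
 *             },
 *         },
 *         {
 *             name: "allowed_regions",
 *             displayName: "Allowed Regions",
 *             description: "List of regions where resources can be deployed",
 *             valueType: "STRINGLIST",
 *             isRequired: true,
 *             defaultValue: {
 *                 stringListValue: {
 *                     values: [
 *                         "us-central1",
 *                         "us-east1",
 *                         "us-west1",
 *                     ],
 *                 },
 *             },
 *             validation: {
 *                 allowedValues: {
 *                     values: [
 *                         {
 *                             stringListValue: {
 *                                 values: [
 *                                     "us-central1",
 *                                     "us-east1",
 *                                 ],
 *                             },
 *                         },
 *                         {
 *                             stringListValue: {
 *                                 values: [
 *                                     "us-west1",
 *                                     "us-west2",
 *                                 ],
 *                             },
 *                         },
 *                     ],
 *                 },
 *             },
 *         },
 *         {
 *             name: "environment_type",
 *             displayName: "Environment Type",
 *             description: "The type of environment",
 *             valueType: "STRING",
 *             isRequired: true,
 *             defaultValue: {
 *                 stringValue: "production",
 *             },
 *             validation: {
 *                 allowedValues: {
 *                     values: [
 *                         {
 *                             stringValue: "production",
 *                         },
 *                         {
 *                             stringValue: "staging",
 *                         },
 *                         {
 *                             numberValue: 1,
 *                         },
 *                     ],
 *                 },
 *             },
 *         },
 *     ],
 * });
 * ```
 *
 * Note that in the example the `enable_secure_boot` parameter is substituted into the rule's CEL
 * expression and is also pinned by a `validation.allowedValues` block; a parameter that feeds a
 * detection expression without such a constraint would let a framework deployment weaken the
 * control's logic.
 *
 * ## Import
 *
 * CloudControl can be imported using any of these accepted formats:
 *
 * * `organizations/{{organization}}/locations/{{location}}/cloudControls/{{cloud_control_id}}`
 * * `{{organization}}/{{location}}/{{cloud_control_id}}`
 *
 * When using the `pulumi import` command, CloudControl can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:cloudsecuritycompliance/cloudControl:CloudControl default organizations/{{organization}}/locations/{{location}}/cloudControls/{{cloud_control_id}}
 * $ pulumi import gcp:cloudsecuritycompliance/cloudControl:CloudControl default {{organization}}/{{location}}/{{cloud_control_id}}
 * ```
 */
export declare class CloudControl extends pulumi.CustomResource {
    /**
     * Get an existing CloudControl resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CloudControlState, opts?: pulumi.CustomResourceOptions): CloudControl;
    /**
     * Returns true if the given object is an instance of CloudControl. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is CloudControl;
    /**
     * The categories of the cloud control.
     */
    readonly categories: pulumi.Output<string[]>;
    /**
     * ID of the CloudControl.
     * This is the last segment of the CloudControl resource name.
     * Format: `^a-zA-Z{0,61}[a-zA-Z0-9]$`.
     * (The pattern is reproduced as rendered in the upstream documentation.)
     */
    readonly cloudControlId: pulumi.Output<string>;
    /**
     * The last updated time of the cloud control.
     * The createTime is used because a new CC is created whenever we update an
     * existing CC.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * A description of the cloud control. The maximum length is 2000 characters.
     */
    readonly description: pulumi.Output<string>;
    /**
     * The display name of the cloud control. The maximum length is 200
     * characters.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * The findingCategory of the cloud control. The maximum length is 255
     * characters.
     */
    readonly findingCategory: pulumi.Output<string>;
    /**
     * Resource ID segment making up resource `name`. It identifies the resource within its parent
     * collection as described in https://google.aip.dev/122. Currently, only "global" is supported
     * as a location.
     */
    readonly location: pulumi.Output<string>;
    /**
     * Major revision of the cloud control incremented in ascending order.
     */
    // NOTE(review): element type assumed to be `number`; the API exposes this as an int64 — confirm.
    readonly majorRevisionId: pulumi.Output<number>;
    /**
     * Identifier. The resource name of the cloud control.
     * Format:
     * organizations/{organization}/locations/{location}/cloudControls/{cloud_control_id}
     */
    readonly name: pulumi.Output<string>;
    /**
     * Resource ID segment making up resource `name`. It identifies the resource within its parent
     * collection as described in https://google.aip.dev/122.
     */
    readonly organization: pulumi.Output<string>;
    /**
     * The parameter spec of the cloud control.
     * Structure is documented below.
     *
     * A parameter whose `substitutionRules` target a rule's CEL expression should also carry a
     * `validation` constraint, so that the values a deployer may supply cannot weaken the
     * detection logic (see the example above).
     */
    readonly parameterSpecs: pulumi.Output<outputs.cloudsecuritycompliance.CloudControlParameterSpec[]>;
    /**
     * The Frameworks that include this CloudControl
     */
    readonly relatedFrameworks: pulumi.Output<string[]>;
    /**
     * The remediation steps for the findings generated by the cloud control. The
     * maximum length is 400 characters.
     */
    readonly remediationSteps: pulumi.Output<string>;
    /**
     * The Policy to be enforced to prevent/detect resource non-compliance.
     * Structure is documented below.
     */
    readonly rules: pulumi.Output<outputs.cloudsecuritycompliance.CloudControlRule[]>;
    /**
     * Possible values:
     * CRITICAL
     * HIGH
     * MEDIUM
     * LOW
     */
    readonly severity: pulumi.Output<string>;
    /**
     * cloud providers supported
     */
    readonly supportedCloudProviders: pulumi.Output<string[]>;
    /**
     * The supported enforcement mode of the cloud control. Default is DETECTIVE.
     */
    readonly supportedEnforcementModes: pulumi.Output<string[]>;
    /**
     * target resource types supported by the CloudControl.
     */
    readonly supportedTargetResourceTypes: pulumi.Output<string[]>;
    /**
     * Create a CloudControl resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: CloudControlArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering CloudControl resources.
 */
export interface CloudControlState {
    /**
     * The categories of the cloud control.
     */
    categories?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * ID of the CloudControl.
     * This is the last segment of the CloudControl resource name.
     * Format: `^a-zA-Z{0,61}[a-zA-Z0-9]$`.
     * (The pattern is reproduced as rendered in the upstream documentation.)
     */
    cloudControlId?: pulumi.Input<string>;
    /**
     * The last updated time of the cloud control.
     * The createTime is used because a new CC is created whenever we update an
     * existing CC.
     */
    createTime?: pulumi.Input<string>;
    /**
     * A description of the cloud control. The maximum length is 2000 characters.
     */
    description?: pulumi.Input<string>;
    /**
     * The display name of the cloud control. The maximum length is 200
     * characters.
     */
    displayName?: pulumi.Input<string>;
    /**
     * The findingCategory of the cloud control. The maximum length is 255
     * characters.
     */
    findingCategory?: pulumi.Input<string>;
    /**
     * Resource ID segment making up resource `name`. It identifies the resource within its parent
     * collection as described in https://google.aip.dev/122. Currently, only "global" is supported
     * as a location.
     */
    location?: pulumi.Input<string>;
    /**
     * Major revision of the cloud control incremented in ascending order.
     */
    // NOTE(review): element type assumed to be `number`; the API exposes this as an int64 — confirm.
    majorRevisionId?: pulumi.Input<number>;
    /**
     * Identifier. The resource name of the cloud control.
     * Format:
     * organizations/{organization}/locations/{location}/cloudControls/{cloud_control_id}
     */
    name?: pulumi.Input<string>;
    /**
     * Resource ID segment making up resource `name`. It identifies the resource within its parent
     * collection as described in https://google.aip.dev/122.
     */
    organization?: pulumi.Input<string>;
    /**
     * The parameter spec of the cloud control.
     * Structure is documented below.
     */
    parameterSpecs?: pulumi.Input<pulumi.Input<inputs.cloudsecuritycompliance.CloudControlParameterSpec>[]>;
    /**
     * The Frameworks that include this CloudControl
     */
    relatedFrameworks?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The remediation steps for the findings generated by the cloud control. The
     * maximum length is 400 characters.
     */
    remediationSteps?: pulumi.Input<string>;
    /**
     * The Policy to be enforced to prevent/detect resource non-compliance.
     * Structure is documented below.
     */
    rules?: pulumi.Input<pulumi.Input<inputs.cloudsecuritycompliance.CloudControlRule>[]>;
    /**
     * Possible values:
     * CRITICAL
     * HIGH
     * MEDIUM
     * LOW
     */
    severity?: pulumi.Input<string>;
    /**
     * cloud providers supported
     */
    supportedCloudProviders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The supported enforcement mode of the cloud control. Default is DETECTIVE.
     */
    supportedEnforcementModes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * target resource types supported by the CloudControl.
     */
    supportedTargetResourceTypes?: pulumi.Input<pulumi.Input<string>[]>;
}

/**
 * The set of arguments for constructing a CloudControl resource.
 */
export interface CloudControlArgs {
    /**
     * The categories of the cloud control.
     */
    categories?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * ID of the CloudControl.
     * This is the last segment of the CloudControl resource name.
     * Format: `^a-zA-Z{0,61}[a-zA-Z0-9]$`.
     * (The pattern is reproduced as rendered in the upstream documentation.)
     */
    cloudControlId: pulumi.Input<string>;
    /**
     * A description of the cloud control. The maximum length is 2000 characters.
     */
    description?: pulumi.Input<string>;
    /**
     * The display name of the cloud control. The maximum length is 200
     * characters.
     */
    displayName?: pulumi.Input<string>;
    /**
     * The findingCategory of the cloud control. The maximum length is 255
     * characters.
     */
    findingCategory?: pulumi.Input<string>;
    /**
     * Resource ID segment making up resource `name`. It identifies the resource within its parent
     * collection as described in https://google.aip.dev/122. Currently, only "global" is supported
     * as a location.
     */
    location: pulumi.Input<string>;
    /**
     * Resource ID segment making up resource `name`. It identifies the resource within its parent
     * collection as described in https://google.aip.dev/122.
     */
    organization: pulumi.Input<string>;
    /**
     * The parameter spec of the cloud control.
     * Structure is documented below.
     *
     * A parameter whose `substitutionRules` target a rule's CEL expression should also carry a
     * `validation` constraint, so that the values a deployer may supply cannot weaken the
     * detection logic (see the example above).
     */
    parameterSpecs?: pulumi.Input<pulumi.Input<inputs.cloudsecuritycompliance.CloudControlParameterSpec>[]>;
    /**
     * The remediation steps for the findings generated by the cloud control. The
     * maximum length is 400 characters.
     */
    remediationSteps?: pulumi.Input<string>;
    /**
     * The Policy to be enforced to prevent/detect resource non-compliance.
     * Structure is documented below.
     */
    rules?: pulumi.Input<pulumi.Input<inputs.cloudsecuritycompliance.CloudControlRule>[]>;
    /**
     * Possible values:
     * CRITICAL
     * HIGH
     * MEDIUM
     * LOW
     */
    severity?: pulumi.Input<string>;
    /**
     * cloud providers supported
     */
    supportedCloudProviders?: pulumi.Input<pulumi.Input<string>[]>;
}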