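import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * A Posture is a named collection of policy sets, together with its state and description.
 * Each policy set groups a set of policies along with their definitions.
 * A posture is created at the organization level.
 * Every update to a deployed posture creates a new posture revision with an updated revision_id,
 * so anything that pins a specific revision has to be moved to the new one to pick up the change.
 *
 * To get more information about Posture, see:
 *
 * * [API documentation](https://cloud.google.com/security-command-center/docs/reference/securityposture/rest/v1/Posture)
 * * How-to Guides
 *     * [Create and deploy a posture](https://cloud.google.com/security-command-center/docs/how-to-use-security-posture)
 *
 * ## Example Usage
 *
 * ### Securityposture Posture Basic
 *
 * The organization ID, tag names and constraint names below are placeholders.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const posture1 = new gcp.securityposture.Posture("posture1", {
 *     postureId: "posture_example",
 *     parent: "organizations/123456789",
 *     location: "global",
 *     state: "ACTIVE",
 *     description: "a new posture",
 *     policySets: [
 *         {
 *             policySetId: "org_policy_set",
 *             description: "set of org policies",
 *             policies: [
 *                 {
 *                     policyId: "canned_org_policy",
 *                     constraint: {
 *                         orgPolicyConstraint: {
 *                             cannedConstraintId: "storage.uniformBucketLevelAccess",
 *                             policyRules: [{
 *                                 enforce: true,
 *                                 condition: {
 *                                     description: "condition description",
 *                                     expression: "resource.matchTag('org_id/tag_key_short_name','tag_value_short_name')",
 *                                     title: "a CEL condition",
 *                                 },
 *                             }],
 *                         },
 *                     },
 *                 },
 *                 {
 *                     policyId: "custom_org_policy",
 *                     constraint: {
 *                         orgPolicyConstraintCustom: {
 *                             customConstraint: {
 *                                 name: "organizations/123456789/customConstraints/custom.disableGkeAutoUpgrade",
 *                                 displayName: "Disable GKE auto upgrade",
 *                                 description: "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
 *                                 actionType: "ALLOW",
 *                                 condition: "resource.management.autoUpgrade == false",
 *                                 methodTypes: [
 *                                     "CREATE",
 *                                     "UPDATE",
 *                                 ],
 *                                 resourceTypes: ["container.googleapis.com/NodePool"],
 *                             },
 *                             policyRules: [{
 *                                 enforce: true,
 *                                 condition: {
 *                                     description: "condition description",
 *                                     expression: "resource.matchTagId('tagKeys/key_id','tagValues/value_id')",
 *                                     title: "a CEL condition",
 *                                 },
 *                             }],
 *                         },
 *                     },
 *                 },
 *             ],
 *         },
 *         {
 *             policySetId: "sha_policy_set",
 *             description: "set of sha policies",
 *             policies: [
 *                 {
 *                     policyId: "sha_builtin_module",
 *                     constraint: {
 *                         securityHealthAnalyticsModule: {
 *                             moduleName: "BIGQUERY_TABLE_CMEK_DISABLED",
 *                             moduleEnablementState: "ENABLED",
 *                         },
 *                     },
 *                     description: "enable BIGQUERY_TABLE_CMEK_DISABLED",
 *                 },
 *                 {
 *                     policyId: "sha_custom_module",
 *                     constraint: {
 *                         securityHealthAnalyticsCustomModule: {
 *                             displayName: "custom_SHA_policy",
 *                             config: {
 *                                 predicate: {
 *                                     expression: "resource.rotationPeriod > duration('2592000s')",
 *                                 },
 *                                 customOutput: {
 *                                     properties: [{
 *                                         name: "duration",
 *                                         valueExpression: {
 *                                             expression: "resource.rotationPeriod",
 *                                         },
 *                                     }],
 *                                 },
 *                                 resourceSelector: {
 *                                     resourceTypes: ["cloudkms.googleapis.com/CryptoKey"],
 *                                 },
 *                                 severity: "LOW",
 *                                 description: "Custom Module",
 *                                 recommendation: "Testing custom modules",
 *                             },
 *                             moduleEnablementState: "ENABLED",
 *                         },
 *                     },
 *                 },
 *             ],
 *         },
 *     ],
 * });
 * ```
 *
 * ## Import
 *
 * Posture can be imported using any of these accepted formats:
 *
 * * `{{parent}}/locations/{{location}}/postures/{{posture_id}}`
 *
 * When using the `pulumi import` command, Posture can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:securityposture/posture:Posture default {{parent}}/locations/{{location}}/postures/{{posture_id}}
 * ```
 */
export declare class Posture extends pulumi.CustomResource {
    /**
     * Get an existing Posture resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The Posture resource that refers to the existing posture.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PostureState, opts?: pulumi.CustomResourceOptions): Posture;
    /**
     * Returns true if the given object is an instance of Posture. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Posture;
    /**
     * Time the Posture was created in UTC.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Description of the posture.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Used for resource freshness validation (https://google.aip.dev/154).
     */
    readonly etag: pulumi.Output<string>;
    /**
     * Location of the resource, e.g. `global`.
     */
    readonly location: pulumi.Output<string>;
    /**
     * Name of the posture.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
     */
    readonly parent: pulumi.Output<string>;
    /**
     * List of policy sets for the posture.
     * Structure is documented below.
     */
    readonly policySets: pulumi.Output<outputs.securityposture.PosturePolicySet[]>;
    /**
     * Id of the posture. It is an immutable field.
     */
    readonly postureId: pulumi.Output<string>;
    /**
     * If set, there are currently changes in flight to the posture.
     */
    readonly reconciling: pulumi.Output<boolean>;
    /**
     * Revision_id of the posture. A new value is assigned on every update to a deployed posture.
     */
    readonly revisionId: pulumi.Output<string>;
    /**
     * State of the posture. Change `state` in an update of its own; do not combine it
     * with changes to other fields.
     * Possible values are: `DEPRECATED`, `DRAFT`, `ACTIVE`.
     */
    readonly state: pulumi.Output<string>;
    /**
     * Time the Posture was updated in UTC.
     */
    readonly updateTime: pulumi.Output<string>;
    /**
     * Create a Posture resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: PostureArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Posture resources.
 * Every field is optional here because the state only qualifies a lookup.
 */
export interface PostureState {
    /**
     * Time the Posture was created in UTC.
     */
    createTime?: pulumi.Input<string>;
    /**
     * Description of the posture.
     */
    description?: pulumi.Input<string>;
    /**
     * Used for resource freshness validation (https://google.aip.dev/154).
     */
    etag?: pulumi.Input<string>;
    /**
     * Location of the resource, e.g. `global`.
     */
    location?: pulumi.Input<string>;
    /**
     * Name of the posture.
     */
    name?: pulumi.Input<string>;
    /**
     * The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
     */
    parent?: pulumi.Input<string>;
    /**
     * List of policy sets for the posture.
     * Structure is documented below.
     */
    policySets?: pulumi.Input<pulumi.Input<inputs.securityposture.PosturePolicySet>[]>;
    /**
     * Id of the posture. It is an immutable field.
     */
    postureId?: pulumi.Input<string>;
    /**
     * If set, there are currently changes in flight to the posture.
     */
    reconciling?: pulumi.Input<boolean>;
    /**
     * Revision_id of the posture. A new value is assigned on every update to a deployed posture.
     */
    revisionId?: pulumi.Input<string>;
    /**
     * State of the posture. Change `state` in an update of its own; do not combine it
     * with changes to other fields.
     * Possible values are: `DEPRECATED`, `DRAFT`, `ACTIVE`.
     */
    state?: pulumi.Input<string>;
    /**
     * Time the Posture was updated in UTC.
     */
    updateTime?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a Posture resource.
 * Only `description` is optional; all other fields must be supplied.
 */
export interface PostureArgs {
    /**
     * Description of the posture.
     */
    description?: pulumi.Input<string>;
    /**
     * Location of the resource, e.g. `global`.
     */
    location: pulumi.Input<string>;
    /**
     * The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
     */
    parent: pulumi.Input<string>;
    /**
     * List of policy sets for the posture.
     * Structure is documented below.
     */
    policySets: pulumi.Input<pulumi.Input<inputs.securityposture.PosturePolicySet>[]>;
    /**
     * Id of the posture. It is an immutable field.
     */
    postureId: pulumi.Input<string>;
    /**
     * State of the posture. Change `state` in an update of its own; do not combine it
     * with changes to other fields.
     * Possible values are: `DEPRECATED`, `DRAFT`, `ACTIVE`.
     */
    state: pulumi.Input<string>;
}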