import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A **Resource Group** defines the **set of Harness resources** that fall within an RBAC boundary (for example, all pipelines, selected connectors, or specific secrets), along with the **scopes** (account, organization, or project) where the group applies. * * When configuring a resource group, you typically control access using two dimensions: * * * **Scopes** – where the resource group applies (`includedScopes`) * * **Resources** – what resources are included (`resourceFilter`) * * *** * * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as harness from "@pulumi/harness"; * * const example = new harness.platform.ResourceGroup("example", { * identifier: "identifier", * name: "name", * description: "test", * tags: ["foo:bar"], * accountId: "account_id", * allowedScopeLevels: ["account"], * includedScopes: [{ * filter: "EXCLUDING_CHILD_SCOPES", * accountId: "account_id", * }], * resourceFilters: [{ * includeAllResources: false, * resources: [{ * resourceType: "CONNECTOR", * attributeFilters: [{ * attributeName: "category", * attributeValues: ["CLOUD_COST"], * }], * }], * }], * }); * ``` * * *** * * ## Scopes: `includedScopes` * * The `includedScopes` block defines the scope boundaries covered by this resource group. * * You can define scope using: * * * `accountId` → Account-level scope * * `accountId` + `orgId` → Organization-level scope * * `accountId` + `orgId` + `projectId` → Project-level scope * * ### `included_scopes.filter` (Required) * * Controls whether child scopes are included automatically: * * * `EXCLUDING_CHILD_SCOPES` * Includes only the explicitly specified scope. * Example: Account only (does not automatically include its organizations or projects). * * * `INCLUDING_CHILD_SCOPES` * Includes the specified scope and all nested child scopes. * Example: Account plus all organizations and projects under it. * * *** * * ## Resources: `resourceFilter` * * The `resourceFilter` block determines which resources within the included scopes are part of the resource group. * * ### `includeAllResources` * * * `true` – Includes all resources within the defined scopes. * * `false` – Includes only the resources explicitly defined under `resources`. * * ### `resources` * * Each `resources` block selects a set of resources using: * * * `resourceType` (**required**) * * `attributeFilter` (optional rule-based filtering) * * `identifiers` (optional explicit allowlist): * * 1. You can only use `identifiers` when the resource group operates in **static scope**. This happens when: * * `includedScopes` points to that **same scope** * * `filter = EXCLUDING_CHILD_SCOPES` * * In this case, the set of resources is fixed, so you can select specific resources such as: * * `"pipelineA"` * * `"connectorX"` * * 2. You cannot use `identifiers` when the resource group is in **dynamic scope**. This happens when: * * `filter = INCLUDING_CHILD_SCOPES` * * `includedScopes` points to a child scope. * * In dynamic scope, the matching resources can change over time as child scopes are added or removed. Because of this, you can only select resources by `resourceType` (and optionally `attributeFilter`), not by specific identifiers. * * If you attempt to use `identifiers` in this case, you will receive: * ``` * Cannot provide specific identifiers in resource filter for a dynamic scope * ``` * *** * * ## Supported `resourceType` Values * * The following values are supported for `resourceType`: * * | Category | Resource Types | * | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | * | **Core Platform** | `ACCOUNT`, `ORGANIZATION`, `PROJECT`, `USER`, `USERGROUP`, `ROLE`, `RESOURCEGROUP`, `SERVICEACCOUNT`, `LICENSE`, `SETTING`, `AUTHSETTING`, `ACCESS_POLICIES`, `BANNER` | * | **Pipelines & Delivery** | `PIPELINE`, `INPUT_SET`, `SERVICE`, `ENVIRONMENT`, `ENVIRONMENT_GROUP`, `DEPLOYMENTFREEZE`, `TEMPLATE`, `FILE`, `VARIABLE`, `ARTIFACT_REGISTRY`, `PROVIDER` | * | **Connectors & Infrastructure** | `CONNECTOR`, `DELEGATE`, `DELEGATECONFIGURATION`, `CERTIFICATE`, `CODE_REPOSITORY`, `NETWORK_MAP` | * | **Secrets & Security** | `SECRET`, `FEATUREFLAG`, `FF_PROXYAPIKEY`, `SSCA_REMEDIATION_TRACKER`, `SSCA_ENFORCEMENT_EXEMPTION`, `STO_TESTTARGET`, `STO_EXEMPTION`, `STO_ISSUE`, `STO_SCAN` | * | **Governance & Policy** | `GOVERNANCEPOLICY`, `GOVERNANCEPOLICYSETS`, `AUDIT` | * | **Monitoring & Reliability** | `MONITOREDSERVICE`, `SLO`, `DOWNTIME`, `MONITORING_AGENT`, `METRIC_SOURCE`, `NOTIFICATION`, `NOTIFICATION_CHANNEL`, `NOTIFICATION_RULE` | * | **GitOps** | `GITOPS_AGENT`, `GITOPS_APP`, `GITOPS_REPOSITORY`, `GITOPS_CLUSTER`, `GITOPS_GPGKEY`, `GITOPS_CERT` | * | **Chaos Engineering** | `CHAOS_IMAGE_REGISTRY`, `CHAOS_HUB`, `CHAOS_INFRASTRUCTURE`, `CHAOS_EXPERIMENT`, `CHAOS_GAMEDAY`, `CHAOS_PROBE`, `CHAOS_SECURITY_GOVERNANCE` | * | **Cloud Cost Management (CCM)** | `CCM_OVERVIEW`, `CCM_PERSPECTIVE`, `CCM_DATA_SCOPE`, `CCM_FOLDER`, `CCM_BUDGET`, `CCM_COSTCATEGORY`, `CCM_AUTOSTOPPINGRULE`, `CCM_LOADBALANCER`, `CCM_CURRENCYPREFERENCE`, `CCM_CLOUD_ASSET_GOVERNANCE_RULE`, `CCM_CLOUD_ASSET_GOVERNANCE_RULE_SET`, `CCM_CLOUD_ASSET_GOVERNANCE_RULE_ENFORCEMENT`, `CCM_ANOMALIES`, `CCM_RECOMMENDATIONS`, `CCM_COMMITMENT_ORCHESTRATOR` | * | **Internal Developer Portal (IDP)** | `IDP_CATALOG`, `IDP_WORKFLOW`, `IDP_PLUGIN`, `IDP_SCORECARD`, `IDP_LAYOUT`, `IDP_CATALOG_ACCESS_POLICY`, `IDP_INTEGRATION`, `IDP_ADVANCED_CONFIGURATION` | * | **Incident Response (IRO)** | `IRO_MANAGER`, `IRO_ALERT`, `IRO_ALERT_RULE`, `IRO_INCIDENT`, `IRO_CONNECT_WORKSPACE`, `IRO_RUNBOOK` | * | **Continuous Engineering Tools (CET)** | `CET_AGENT`, `CET_TOKEN`, `CET_CRITICAL_EVENT` | * | **Infrastructure as Code (IAC)** | `IAC_WORKSPACE`, `IAC_REGISTRY`, `IAC_VARIABLE_SET` | * | **Software Engineering Insights (SEI)** | `SEI_CONFIGURATION_SETTINGS`, `SEI_COLLECTIONS`, `SEI_INSIGHTS`, `SEI_PANORAMA` | * | **Feature Management & Experimentation (FME)** | `FME_ENVIRONMENT`, `FME_TRAFFIC_TYPE`, `FME_FEATURE_FLAG`, `FME_SEGMENT`, `FME_LARGE_SEGMENT`, `FME_METRIC`, `FME_EXPERIMENT` | * | **Databases** | `DB_SCHEMA`, `DB_INSTANCE` | * | **Targets & Deployment** | `TARGET`, `TARGETGROUP`, `TICKET`, `SMTP`, `STREAMING_DESTINATION` | * | **Dashboards & Reporting** | `DASHBOARDS` | * * *** * * ## Attribute Filtering (`attributeFilter`) * * Use `attributeFilter` to include resources dynamically based on defined rules instead of explicit identifiers. * * ### Valid `attributeName` Values * * * `category` * * `type` * * `labels` * * `tag` or `tags` * * ### `attributeValues` Constraints * * * For `category`, supported values include: * `ARTIFACTORY`, `CLOUD_COST`, `CLOUD_PROVIDER`, `CODE_REPO`, `MONITORING`, `SECRET_MANAGER`, `TICKETING` * * * For `type`, supported values include: * `Production`, `PreProduction` * * * For `labels`, use the format: * `label:value` * * * For `tag` or `tags`, any string value is supported. * * *** * * ## Common Configuration Patterns * * ### Common Configuration Examples * * 1. Add Specific Resources at the Current Scope (Static Scope) * * Use this when you want to allow only certain resources (for example, specific pipelines or connectors) in the same scope where the resource group is created. * * This works because the scope is static (EXCLUDING_CHILD_SCOPES). * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as harness from "@pulumi/harness"; * * const staticExample = new harness.platform.ResourceGroup("static_example", { * identifier: "static_rg", * name: "Static Resource Group", * accountId: "account_id", * allowedScopeLevels: ["account"], * includedScopes: [{ * filter: "EXCLUDING_CHILD_SCOPES", * accountId: "account_id", * }], * resourceFilters: [{ * includeAllResources: false, * resources: [{ * resourceType: "PIPELINE", * identifiers: [ * "pipeline_a", * "pipeline_b", * ], * }], * }], * }); * ``` * * 2. Add All Resources at the Current Scope * * This includes all resources within the defined included_scopes. If you want to include everything at a specific scope: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as harness from "@pulumi/harness"; * * const allResourcesAccount = new harness.platform.ResourceGroup("all_resources_account", { * identifier: "all_resources_account", * name: "All Resources - Account Level", * description: "Includes all resources at the account scope", * accountId: "account_id", * allowedScopeLevels: ["account"], * includedScopes: [{ * filter: "EXCLUDING_CHILD_SCOPES", * accountId: "account_id", * }], * resourceFilters: [{ * includeAllResources: true, * }], * }); * ``` * * 3. Add All Resources Across Child Scopes (Dynamic Scope) * * Use this when you want all resources across an account and its child orgs/projects. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as harness from "@pulumi/harness"; * * const dynamicExample = new harness.platform.ResourceGroup("dynamic_example", { * identifier: "dynamic_rg", * name: "Dynamic Resource Group", * accountId: "account_id", * allowedScopeLevels: ["account"], * includedScopes: [{ * filter: "INCLUDING_CHILD_SCOPES", * accountId: "account_id", * }], * resourceFilters: [{ * includeAllResources: false, * resources: [{ * resourceType: "PIPELINE", * }], * }], * }); * ``` * * *** * * ## Import * * The `pulumi import` command can be used, for example: * * Import account level resource group * * ```sh * $ pulumi import harness:platform/resourceGroup:ResourceGroup example * ``` * * Import org level resource group * * ```sh * $ pulumi import harness:platform/resourceGroup:ResourceGroup example / * ``` * * Import project level resource group * * ```sh * $ pulumi import harness:platform/resourceGroup:ResourceGroup example // * ``` */ export declare class ResourceGroup extends pulumi.CustomResource { /** * Get an existing ResourceGroup resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: ResourceGroupState, opts?: pulumi.CustomResourceOptions): ResourceGroup; /** * Returns true if the given object is an instance of ResourceGroup. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is ResourceGroup; /** * Account Identifier of the account */ readonly accountId: pulumi.Output; /** * The scope levels at which this resource group can be used */ readonly allowedScopeLevels: pulumi.Output; /** * Color of the environment. */ readonly color: pulumi.Output; /** * Description of the resource. */ readonly description: pulumi.Output; /** * Unique identifier of the resource. */ readonly identifier: pulumi.Output; /** * Included scopes; default selected based on resource group scope if not specified. */ readonly includedScopes: pulumi.Output; /** * Name of the resource. */ readonly name: pulumi.Output; /** * Unique identifier of the organization. */ readonly orgId: pulumi.Output; /** * Unique identifier of the project. */ readonly projectId: pulumi.Output; /** * Contains resource filter for a resource group */ readonly resourceFilters: pulumi.Output; /** * Tags to associate with the resource. */ readonly tags: pulumi.Output; /** * Create a ResourceGroup resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: ResourceGroupArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering ResourceGroup resources. */ export interface ResourceGroupState { /** * Account Identifier of the account */ accountId?: pulumi.Input; /** * The scope levels at which this resource group can be used */ allowedScopeLevels?: pulumi.Input[] | undefined>; /** * Color of the environment. */ color?: pulumi.Input; /** * Description of the resource. */ description?: pulumi.Input; /** * Unique identifier of the resource. */ identifier?: pulumi.Input; /** * Included scopes; default selected based on resource group scope if not specified. */ includedScopes?: pulumi.Input[] | undefined>; /** * Name of the resource. */ name?: pulumi.Input; /** * Unique identifier of the organization. */ orgId?: pulumi.Input; /** * Unique identifier of the project. */ projectId?: pulumi.Input; /** * Contains resource filter for a resource group */ resourceFilters?: pulumi.Input[] | undefined>; /** * Tags to associate with the resource. */ tags?: pulumi.Input[] | undefined>; } /** * The set of arguments for constructing a ResourceGroup resource. */ export interface ResourceGroupArgs { /** * Account Identifier of the account */ accountId: pulumi.Input; /** * The scope levels at which this resource group can be used */ allowedScopeLevels?: pulumi.Input[] | undefined>; /** * Color of the environment. */ color?: pulumi.Input; /** * Description of the resource. */ description?: pulumi.Input; /** * Unique identifier of the resource. */ identifier: pulumi.Input; /** * Included scopes; default selected based on resource group scope if not specified. */ includedScopes?: pulumi.Input[] | undefined>; /** * Name of the resource. */ name?: pulumi.Input; /** * Unique identifier of the organization. */ orgId?: pulumi.Input; /** * Unique identifier of the project. */ projectId?: pulumi.Input; /** * Contains resource filter for a resource group */ resourceFilters?: pulumi.Input[] | undefined>; /** * Tags to associate with the resource. */ tags?: pulumi.Input[] | undefined>; } //# sourceMappingURL=resourceGroup.d.ts.map