@pulumi/gcp/chronicle/rule.d.ts

A Pulumi package for creating and managing Google Cloud Platform resources.

import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * The Rule resource represents a user-created rule.
 *
 * To get more information about Rule, see:
 *
 * * [API documentation](https://cloud.google.com/chronicle/docs/reference/rest/v1/projects.locations.instances.rules)
 * * How-to Guides
 *     * [Google SecOps Guides](https://cloud.google.com/chronicle/docs/secops/secops-overview)
 *
 * ## Example Usage
 *
 * ### Chronicle Rule Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.chronicle.Rule("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     deletionPolicy: "DEFAULT",
 *     text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
 * });
 * ```
 * ### Chronicle Rule With Force Deletion
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.chronicle.Rule("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     deletionPolicy: "FORCE",
 *     text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
 * });
 * ```
 * ### Chronicle Rule With Data Access Scope
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const dataAccessScopeTest = new gcp.chronicle.DataAccessScope("data_access_scope_test", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     dataAccessScopeId: "scope-name",
 *     description: "scope-description",
 *     allowedDataAccessLabels: [{
 *         logType: "GCP_CLOUDAUDIT",
 *     }],
 * });
 * const example = new gcp.chronicle.Rule("example", {
 *     location: "us",
 *     instance: "00000000-0000-0000-0000-000000000000",
 *     scope: googleChronicleDataAccessScope.dataAccessScopeTest.name,
 *     text: "rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }\n",
 * });
 * ```
 *
 * ## Import
 *
 * Rule can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}`
 *
 * * `{{project}}/{{location}}/{{instance}}/{{rule_id}}`
 *
 * * `{{location}}/{{instance}}/{{rule_id}}`
 *
 * When using the `pulumi import` command, Rule can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:chronicle/rule:Rule default projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:chronicle/rule:Rule default {{project}}/{{location}}/{{instance}}/{{rule_id}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:chronicle/rule:Rule default {{location}}/{{instance}}/{{rule_id}}
 * ```
 */
export declare class Rule extends pulumi.CustomResource {
    /**
     * Get an existing Rule resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RuleState, opts?: pulumi.CustomResourceOptions): Rule;
    /**
     * Returns true if the given object is an instance of Rule.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Rule;
    /**
     * Output only. The run frequencies that are allowed for the rule.
     * Populated in BASIC view and FULL view.
     */
    readonly allowedRunFrequencies: pulumi.Output<string[]>;
    /**
     * Output only. The author of the rule. Extracted from the meta section of text.
     * Populated in BASIC view and FULL view.
     */
    readonly author: pulumi.Output<string>;
    /**
     * Output only. A list of a rule's corresponding compilation diagnostic messages
     * such as compilation errors and compilation warnings.
     * Populated in FULL view.
     * Structure is documented below.
     */
    readonly compilationDiagnostics: pulumi.Output<outputs.chronicle.RuleCompilationDiagnostic[]>;
    /**
     * Output only. The current compilation state of the rule.
     * Populated in FULL view.
     * Possible values:
     * COMPILATION_STATE_UNSPECIFIED
     * SUCCEEDED
     * FAILED
     */
    readonly compilationState: pulumi.Output<string>;
    /**
     * Output only. The timestamp of when the rule was created.
     * Populated in FULL view.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Output only. Resource names of the data tables used in this rule.
     */
    readonly dataTables: pulumi.Output<string[]>;
    /**
     * Policy to determine if the rule should be deleted forcefully.
     * If deletionPolicy = "FORCE", any retrohunts and any detections associated with the rule
     * will also be deleted. If deletionPolicy = "DEFAULT", the call will only succeed if the
     * rule has no associated retrohunts, including completed retrohunts, and no
     * associated detections. Regardless of this field's value, the rule
     * deployment associated with this rule will also be deleted.
     * Possible values: DEFAULT, FORCE
     */
    readonly deletionPolicy: pulumi.Output<string | undefined>;
    /**
     * The display name of the severity level. Extracted from the meta section of
     * the rule text.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * The etag for this rule.
     * If this is provided on update, the request will succeed if and only if it
     * matches the server-computed value, and will fail with an ABORTED error
     * otherwise.
     * Populated in BASIC view and FULL view.
     */
    readonly etag: pulumi.Output<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     *
     *
     * - - -
     */
    readonly instance: pulumi.Output<string>;
    /**
     * The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    readonly location: pulumi.Output<string>;
    /**
     * Output only. Additional metadata specified in the meta section of text.
     * Populated in FULL view.
     */
    readonly metadata: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters.
     * Format:
     * projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
     */
    readonly name: pulumi.Output<string>;
    /**
     * Output only. Indicate the rule can run in near real time live rule.
     * If this is true, the rule uses the near real time live rule when the run
     * frequency is set to LIVE.
     */
    readonly nearRealTimeLiveRuleEligible: pulumi.Output<boolean>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * Output only. Resource names of the reference lists used in this rule.
     * Populated in FULL view.
     */
    readonly referenceLists: pulumi.Output<string[]>;
    /**
     * Output only. The timestamp of when the rule revision was created.
     * Populated in FULL, REVISION_METADATA_ONLY views.
     */
    readonly revisionCreateTime: pulumi.Output<string>;
    /**
     * Output only. The revision ID of the rule.
     * A new revision is created whenever the rule text is changed in any way.
     * Format: v_{10 digits}_{9 digits}
     * Populated in REVISION_METADATA_ONLY view and FULL view.
     */
    readonly revisionId: pulumi.Output<string>;
    /**
     * Rule Id is the ID of the Rule.
     */
    readonly ruleId: pulumi.Output<string>;
    /**
     * Resource name of the DataAccessScope bound to this rule.
     * Populated in BASIC view and FULL view.
     * If reference lists are used in the rule, validations will be performed
     * against this scope to ensure that the reference lists are compatible with
     * both the user's and the rule's scopes.
     * The scope should be in the format:
     * "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
     */
    readonly scope: pulumi.Output<string | undefined>;
    /**
     * (Output)
     * Output only. The severity of a rule's compilation diagnostic.
     * Possible values:
     * SEVERITY_UNSPECIFIED
     * WARNING
     * ERROR
     */
    readonly severities: pulumi.Output<outputs.chronicle.RuleSeverity[]>;
    /**
     * The YARA-L content of the rule.
     * Populated in FULL view.
     */
    readonly text: pulumi.Output<string | undefined>;
    /**
     * Possible values:
     * RULE_TYPE_UNSPECIFIED
     * SINGLE_EVENT
     * MULTI_EVENT
     */
    readonly type: pulumi.Output<string>;
    /**
     * Create a Rule resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: RuleArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Rule resources.
 */
export interface RuleState {
    /**
     * Output only. The run frequencies that are allowed for the rule.
     * Populated in BASIC view and FULL view.
     */
    allowedRunFrequencies?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Output only. The author of the rule. Extracted from the meta section of text.
     * Populated in BASIC view and FULL view.
     */
    author?: pulumi.Input<string>;
    /**
     * Output only. A list of a rule's corresponding compilation diagnostic messages
     * such as compilation errors and compilation warnings.
     * Populated in FULL view.
     * Structure is documented below.
     */
    compilationDiagnostics?: pulumi.Input<pulumi.Input<inputs.chronicle.RuleCompilationDiagnostic>[]>;
    /**
     * Output only. The current compilation state of the rule.
     * Populated in FULL view.
     * Possible values:
     * COMPILATION_STATE_UNSPECIFIED
     * SUCCEEDED
     * FAILED
     */
    compilationState?: pulumi.Input<string>;
    /**
     * Output only. The timestamp of when the rule was created.
     * Populated in FULL view.
     */
    createTime?: pulumi.Input<string>;
    /**
     * Output only. Resource names of the data tables used in this rule.
     */
    dataTables?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Policy to determine if the rule should be deleted forcefully.
     * If deletionPolicy = "FORCE", any retrohunts and any detections associated with the rule
     * will also be deleted. If deletionPolicy = "DEFAULT", the call will only succeed if the
     * rule has no associated retrohunts, including completed retrohunts, and no
     * associated detections. Regardless of this field's value, the rule
     * deployment associated with this rule will also be deleted.
     * Possible values: DEFAULT, FORCE
     */
    deletionPolicy?: pulumi.Input<string>;
    /**
     * The display name of the severity level. Extracted from the meta section of
     * the rule text.
     */
    displayName?: pulumi.Input<string>;
    /**
     * The etag for this rule.
     * If this is provided on update, the request will succeed if and only if it
     * matches the server-computed value, and will fail with an ABORTED error
     * otherwise.
     * Populated in BASIC view and FULL view.
     */
    etag?: pulumi.Input<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     *
     *
     * - - -
     */
    instance?: pulumi.Input<string>;
    /**
     * The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    location?: pulumi.Input<string>;
    /**
     * Output only. Additional metadata specified in the meta section of text.
     * Populated in FULL view.
     */
    metadata?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Full resource name for the rule. This unique identifier is generated using values provided for the URL parameters.
     * Format:
     * projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
     */
    name?: pulumi.Input<string>;
    /**
     * Output only. Indicate the rule can run in near real time live rule.
     * If this is true, the rule uses the near real time live rule when the run
     * frequency is set to LIVE.
     */
    nearRealTimeLiveRuleEligible?: pulumi.Input<boolean>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * Output only. Resource names of the reference lists used in this rule.
     * Populated in FULL view.
     */
    referenceLists?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Output only. The timestamp of when the rule revision was created.
     * Populated in FULL, REVISION_METADATA_ONLY views.
     */
    revisionCreateTime?: pulumi.Input<string>;
    /**
     * Output only. The revision ID of the rule.
     * A new revision is created whenever the rule text is changed in any way.
     * Format: v_{10 digits}_{9 digits}
     * Populated in REVISION_METADATA_ONLY view and FULL view.
     */
    revisionId?: pulumi.Input<string>;
    /**
     * Rule Id is the ID of the Rule.
     */
    ruleId?: pulumi.Input<string>;
    /**
     * Resource name of the DataAccessScope bound to this rule.
     * Populated in BASIC view and FULL view.
     * If reference lists are used in the rule, validations will be performed
     * against this scope to ensure that the reference lists are compatible with
     * both the user's and the rule's scopes.
     * The scope should be in the format:
     * "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
     */
    scope?: pulumi.Input<string>;
    /**
     * (Output)
     * Output only. The severity of a rule's compilation diagnostic.
     * Possible values:
     * SEVERITY_UNSPECIFIED
     * WARNING
     * ERROR
     */
    severities?: pulumi.Input<pulumi.Input<inputs.chronicle.RuleSeverity>[]>;
    /**
     * The YARA-L content of the rule.
     * Populated in FULL view.
     */
    text?: pulumi.Input<string>;
    /**
     * Possible values:
     * RULE_TYPE_UNSPECIFIED
     * SINGLE_EVENT
     * MULTI_EVENT
     */
    type?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a Rule resource.
 */
export interface RuleArgs {
    /**
     * Policy to determine if the rule should be deleted forcefully.
     * If deletionPolicy = "FORCE", any retrohunts and any detections associated with the rule
     * will also be deleted. If deletionPolicy = "DEFAULT", the call will only succeed if the
     * rule has no associated retrohunts, including completed retrohunts, and no
     * associated detections. Regardless of this field's value, the rule
     * deployment associated with this rule will also be deleted.
     * Possible values: DEFAULT, FORCE
     */
    deletionPolicy?: pulumi.Input<string>;
    /**
     * The etag for this rule.
     * If this is provided on update, the request will succeed if and only if it
     * matches the server-computed value, and will fail with an ABORTED error
     * otherwise.
     * Populated in BASIC view and FULL view.
     */
    etag?: pulumi.Input<string>;
    /**
     * The unique identifier for the Chronicle instance, which is the same as the customer ID.
     *
     *
     * - - -
     */
    instance: pulumi.Input<string>;
    /**
     * The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
     */
    location: pulumi.Input<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * Rule Id is the ID of the Rule.
     */
    ruleId?: pulumi.Input<string>;
    /**
     * Resource name of the DataAccessScope bound to this rule.
     * Populated in BASIC view and FULL view.
     * If reference lists are used in the rule, validations will be performed
     * against this scope to ensure that the reference lists are compatible with
     * both the user's and the rule's scopes.
     * The scope should be in the format:
     * "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
     */
    scope?: pulumi.Input<string>;
    /**
     * The YARA-L content of the rule.
     * Populated in FULL view.
     */
    text?: pulumi.Input<string>;
}