GovernanceRuleArgs

/**
 * Arguments for a Microsoft Defender for Cloud governance rule over a given scope.
 *
 * Uses Azure REST API version 2022-01-01-preview. Every property is an optional
 * [Output] defaulting to `null`; unset values are left to the service.
 *
 * Fields that change the rule's effect: [isDisabled] decides whether the rule is
 * active, [excludedScopes] removes descendants from a management-group scope, and
 * [governanceEmailNotification] decides whether managers and owners are notified.
 */
data class GovernanceRuleArgs(
    /** Description of the governance rule. */
    val description: Output<String>? = null,
    /** Display name of the governance rule. */
    val displayName: Output<String>? = null,
    /** Excluded scopes; filters out the descendants of the scope (on management scopes). */
    val excludedScopes: Output<List<String>>? = null,
    /** Email notification settings: whether to disable notifications for managers and owners. */
    val governanceEmailNotification: Output<GovernanceRuleEmailNotificationArgs>? = null,
    /** Whether the rule is a management scope rule (master connector as a single scope or management scope). */
    val includeMemberScopes: Output<Boolean>? = null,
    /** Whether the rule is active or inactive (`true` disables the rule). */
    val isDisabled: Output<Boolean>? = null,
    /** Whether there is a grace period on the governance rule. */
    val isGracePeriod: Output<Boolean>? = null,
    /** Owner source for the rule, e.g. `Manually` with `user@contoso.com` as the value. */
    val ownerSource: Output<GovernanceRuleOwnerSourceArgs>? = null,
    /** Remediation timeframe; drives the grace-period duration, e.g. `7.00:00:00` means 7 days. */
    val remediationTimeframe: Output<String>? = null,
    /** Unique key (GUID) of the rule; also the identifier used by `pulumi import`. */
    val ruleId: Output<String>? = null,
    /** Rule priority; lower numbers take priority. Two rules on the same scope may not share a priority. */
    val rulePriority: Output<Int>? = null,
    /** Rule type, defining the source of the rule, e.g. `Integrated`. */
    val ruleType: Output<Either<String, GovernanceRuleType>>? = null,
    /**
     * Scope of the rule: a management group
     * (`providers/Microsoft.Management/managementGroups/{managementGroup}`), a subscription
     * (`subscriptions/{subscriptionId}`), or a security connector
     * (`subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}`).
     */
    val scope: Output<String>? = null,
    /** What the rule affects, e.g. `Assessments`. */
    val sourceResourceType: Output<Either<String, GovernanceRuleSourceResourceType>>? = null,
) : ConvertibleToJava<GovernanceRuleArgs>

Governance rule over a given scope. Uses Azure REST API version 2022-01-01-preview. In version 2.x of the Azure Native provider, it used API version 2022-01-01-preview.

Example Usage

Create or update governance rule over management group scope

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Notification policy for this rule: managers are not emailed, owners are.
    var emailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
    {
        DisableManagerEmailNotification = true,
        DisableOwnerEmailNotification = false,
    };

    // Owner is assigned manually to a fixed principal (sample address).
    var ownerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
    {
        Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
        Value = "user@contoso.com",
    };

    // Rule applied at management-group scope; one subscription (sample id) is
    // excluded so its descendants are not covered. IsDisabled=false makes the
    // rule active as soon as it is created; the 7-day timeframe drives the grace period.
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule for a management group",
        DisplayName = "Management group rule",
        ExcludedScopes = new[]
        {
            "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        },
        GovernanceEmailNotification = emailNotification,
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = ownerSource,
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "providers/Microsoft.Management/managementGroups/contoso",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });
});
package main
import (
security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a governance rule at management-group scope. The subscription
// and rule GUIDs below are sample identifiers from the provider documentation.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Descendants of this subscription are filtered out of the rule's scope.
		excluded := pulumi.StringArray{
			pulumi.String("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
		}

		// Managers are not emailed; owners are.
		notification := &security.GovernanceRuleEmailNotificationArgs{
			DisableManagerEmailNotification: pulumi.Bool(true),
			DisableOwnerEmailNotification:   pulumi.Bool(false),
		}

		// Owner assigned manually to a fixed principal.
		owner := &security.GovernanceRuleOwnerSourceArgs{
			Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
			Value: pulumi.String("user@contoso.com"),
		}

		// IsDisabled=false: the rule is active on creation; the 7-day
		// remediation timeframe drives the grace period.
		args := &security.GovernanceRuleArgs{
			Description:                 pulumi.String("A rule for a management group"),
			DisplayName:                 pulumi.String("Management group rule"),
			ExcludedScopes:              excluded,
			GovernanceEmailNotification: notification,
			IsDisabled:                  pulumi.Bool(false),
			IsGracePeriod:               pulumi.Bool(true),
			OwnerSource:                 owner,
			RemediationTimeframe:        pulumi.String("7.00:00:00"),
			RuleId:                      pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:                pulumi.Int(200),
			RuleType:                    pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                       pulumi.String("providers/Microsoft.Management/managementGroups/contoso"),
			SourceResourceType:          pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		}

		if _, err := security.NewGovernanceRule(ctx, "governanceRule", args); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Creates a governance rule at management-group scope.
 * The subscription and rule GUIDs are sample identifiers from the provider documentation.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Managers are not emailed; owners are.
        var notification = GovernanceRuleEmailNotificationArgs.builder()
            .disableManagerEmailNotification(true)
            .disableOwnerEmailNotification(false)
            .build();

        // Owner assigned manually to a fixed principal.
        var owner = GovernanceRuleOwnerSourceArgs.builder()
            .type("Manually")
            .value("user@contoso.com")
            .build();

        // isDisabled(false): active on creation; the excluded subscription's
        // descendants are left out of the rule's scope.
        var ruleArgs = GovernanceRuleArgs.builder()
            .description("A rule for a management group")
            .displayName("Management group rule")
            .excludedScopes("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23")
            .governanceEmailNotification(notification)
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(owner)
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("providers/Microsoft.Management/managementGroups/contoso")
            .sourceResourceType("Assessments")
            .build();

        var governanceRule = new GovernanceRule("governanceRule", ruleArgs);
    }
}

Create or update governance rule over security connector scope

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Managers are not emailed; owners are.
    var emailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
    {
        DisableManagerEmailNotification = true,
        DisableOwnerEmailNotification = false,
    };

    // Owner assigned manually to a fixed principal (sample address).
    var ownerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
    {
        Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
        Value = "user@contoso.com",
    };

    // Rule scoped to a single security connector (a GCP connector in a resource
    // group of the sample subscription). IsDisabled=false: active on creation.
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule on critical GCP recommendations",
        DisplayName = "GCP Admin's rule",
        GovernanceEmailNotification = emailNotification,
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = ownerSource,
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });
});
package main
import (
security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a governance rule scoped to one security connector. The
// subscription and rule GUIDs are sample identifiers from the provider documentation.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Managers are not emailed; owners are.
		notification := &security.GovernanceRuleEmailNotificationArgs{
			DisableManagerEmailNotification: pulumi.Bool(true),
			DisableOwnerEmailNotification:   pulumi.Bool(false),
		}

		// Owner assigned manually to a fixed principal.
		owner := &security.GovernanceRuleOwnerSourceArgs{
			Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
			Value: pulumi.String("user@contoso.com"),
		}

		// Scope is the full resource id of the GCP security connector.
		// IsDisabled=false: the rule is active on creation.
		args := &security.GovernanceRuleArgs{
			Description:                 pulumi.String("A rule on critical GCP recommendations"),
			DisplayName:                 pulumi.String("GCP Admin's rule"),
			GovernanceEmailNotification: notification,
			IsDisabled:                  pulumi.Bool(false),
			IsGracePeriod:               pulumi.Bool(true),
			OwnerSource:                 owner,
			RemediationTimeframe:        pulumi.String("7.00:00:00"),
			RuleId:                      pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:                pulumi.Int(200),
			RuleType:                    pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                       pulumi.String("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector"),
			SourceResourceType:          pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		}

		if _, err := security.NewGovernanceRule(ctx, "governanceRule", args); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Creates a governance rule scoped to a single security connector (a GCP connector).
 * The subscription and rule GUIDs are sample identifiers from the provider documentation.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Managers are not emailed; owners are.
        var notification = GovernanceRuleEmailNotificationArgs.builder()
            .disableManagerEmailNotification(true)
            .disableOwnerEmailNotification(false)
            .build();

        // Owner assigned manually to a fixed principal.
        var owner = GovernanceRuleOwnerSourceArgs.builder()
            .type("Manually")
            .value("user@contoso.com")
            .build();

        // Scope is the full resource id of the connector; isDisabled(false)
        // makes the rule active on creation.
        var ruleArgs = GovernanceRuleArgs.builder()
            .description("A rule on critical GCP recommendations")
            .displayName("GCP Admin's rule")
            .governanceEmailNotification(notification)
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(owner)
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector")
            .sourceResourceType("Assessments")
            .build();

        var governanceRule = new GovernanceRule("governanceRule", ruleArgs);
    }
}

Create or update governance rule over subscription scope

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Both managers and owners are emailed for this rule.
    var emailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
    {
        DisableManagerEmailNotification = false,
        DisableOwnerEmailNotification = false,
    };

    // Owner assigned manually to a fixed principal (sample address).
    var ownerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
    {
        Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
        Value = "user@contoso.com",
    };

    // Rule scoped to a single subscription (sample id). IsDisabled=false makes
    // it active on creation; the 7-day timeframe drives the grace period.
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule for critical recommendations",
        DisplayName = "Admin's rule",
        GovernanceEmailNotification = emailNotification,
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = ownerSource,
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });
});
package main
import (
security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a governance rule scoped to one subscription. The subscription
// and rule GUIDs are sample identifiers from the provider documentation.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Both managers and owners are emailed.
		notification := &security.GovernanceRuleEmailNotificationArgs{
			DisableManagerEmailNotification: pulumi.Bool(false),
			DisableOwnerEmailNotification:   pulumi.Bool(false),
		}

		// Owner assigned manually to a fixed principal.
		owner := &security.GovernanceRuleOwnerSourceArgs{
			Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
			Value: pulumi.String("user@contoso.com"),
		}

		// IsDisabled=false: the rule is active on creation; the 7-day
		// remediation timeframe drives the grace period.
		args := &security.GovernanceRuleArgs{
			Description:                 pulumi.String("A rule for critical recommendations"),
			DisplayName:                 pulumi.String("Admin's rule"),
			GovernanceEmailNotification: notification,
			IsDisabled:                  pulumi.Bool(false),
			IsGracePeriod:               pulumi.Bool(true),
			OwnerSource:                 owner,
			RemediationTimeframe:        pulumi.String("7.00:00:00"),
			RuleId:                      pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:                pulumi.Int(200),
			RuleType:                    pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                       pulumi.String("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
			SourceResourceType:          pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		}

		if _, err := security.NewGovernanceRule(ctx, "governanceRule", args); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Creates a governance rule scoped to a single subscription.
 * The subscription and rule GUIDs are sample identifiers from the provider documentation.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Both managers and owners are emailed.
        var notification = GovernanceRuleEmailNotificationArgs.builder()
            .disableManagerEmailNotification(false)
            .disableOwnerEmailNotification(false)
            .build();

        // Owner assigned manually to a fixed principal.
        var owner = GovernanceRuleOwnerSourceArgs.builder()
            .type("Manually")
            .value("user@contoso.com")
            .build();

        // isDisabled(false): the rule is active on creation.
        var ruleArgs = GovernanceRuleArgs.builder()
            .description("A rule for critical recommendations")
            .displayName("Admin's rule")
            .governanceEmailNotification(notification)
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(owner)
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23")
            .sourceResourceType("Assessments")
            .build();

        var governanceRule = new GovernanceRule("governanceRule", ruleArgs);
    }
}

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:security:GovernanceRule ad9a8e26-29d9-4829-bb30-e597a58cdbb8 /{scope}/providers/Microsoft.Security/governanceRules/{ruleId}

Constructors

constructor(description: Output<String>? = null, displayName: Output<String>? = null, excludedScopes: Output<List<String>>? = null, governanceEmailNotification: Output<GovernanceRuleEmailNotificationArgs>? = null, includeMemberScopes: Output<Boolean>? = null, isDisabled: Output<Boolean>? = null, isGracePeriod: Output<Boolean>? = null, ownerSource: Output<GovernanceRuleOwnerSourceArgs>? = null, remediationTimeframe: Output<String>? = null, ruleId: Output<String>? = null, rulePriority: Output<Int>? = null, ruleType: Output<Either<String, GovernanceRuleType>>? = null, scope: Output<String>? = null, sourceResourceType: Output<Either<String, GovernanceRuleSourceResourceType>>? = null)

Properties

val description: Output<String>? = null

Description of the governance rule

val displayName: Output<String>? = null

Display name of the governance rule

val excludedScopes: Output<List<String>>? = null

Excluded scopes; filters out the descendants of the scope (on management scopes)


The email notification settings for the governance rule; states whether to disable notifications for managers and owners

val includeMemberScopes: Output<Boolean>? = null

Defines whether the rule is a management scope rule (master connector as a single scope or management scope)

val isDisabled: Output<Boolean>? = null

Defines whether the rule is active/inactive

val isGracePeriod: Output<Boolean>? = null

Defines whether there is a grace period on the governance rule


The owner source for the governance rule - e.g. Manually by user@contoso.com - see example

val remediationTimeframe: Output<String>? = null

Governance rule remediation timeframe - this is the time that affects the grace-period duration, e.g. 7.00:00:00 means 7 days

val ruleId: Output<String>? = null

The governance rule key - unique key for the standard governance rule (GUID)

val rulePriority: Output<Int>? = null

The governance rule priority; lower numbers take priority. Rules with the same priority on the same scope will not be allowed

val ruleType: Output<Either<String, GovernanceRuleType>>? = null

The rule type of the governance rule, defines the source of the rule e.g. Integrated

val scope: Output<String>? = null

The scope of the governance rule. Valid scopes are: management group (format: 'providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: 'subscriptions/{subscriptionId}'), or security connector (format: 'subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}')


The governance rule source, what the rule affects, e.g. Assessments

Functions

open override fun toJava(): GovernanceRuleArgs