Rule
data class RuleArgs(val deletionPolicy: Output<String>? = null, val etag: Output<String>? = null, val instance: Output<String>? = null, val location: Output<String>? = null, val project: Output<String>? = null, val ruleId: Output<String>? = null, val scope: Output<String>? = null, val text: Output<String>? = null) : ConvertibleToJava<RuleArgs>
The Rule resource represents a user-created rule. To get more information about Rule, see:
How-to Guides
Example Usage
Chronicle Rule Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const example = new gcp.chronicle.Rule("example", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
deletionPolicy: "DEFAULT",
text: "rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n",
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
example = gcp.chronicle.Rule("example",
location="us",
instance="00000000-0000-0000-0000-000000000000",
deletion_policy="DEFAULT",
text="rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var example = new Gcp.Chronicle.Rule("example", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DeletionPolicy = "DEFAULT",
Text = @"rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }
",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DeletionPolicy: pulumi.String("DEFAULT"),
Text: pulumi.String("rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Rule("example", RuleArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.deletionPolicy("DEFAULT")
.text("""
rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }
""")
.build());
}
}Content copied to clipboard
resources:
example:
type: gcp:chronicle:Rule
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
deletionPolicy: DEFAULT
text: |
rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }Content copied to clipboard
Chronicle Rule With Force Deletion
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const example = new gcp.chronicle.Rule("example", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
deletionPolicy: "FORCE",
text: "rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n",
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
example = gcp.chronicle.Rule("example",
location="us",
instance="00000000-0000-0000-0000-000000000000",
deletion_policy="FORCE",
text="rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var example = new Gcp.Chronicle.Rule("example", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DeletionPolicy = "FORCE",
Text = @"rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }
",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DeletionPolicy: pulumi.String("FORCE"),
Text: pulumi.String("rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Rule("example", RuleArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.deletionPolicy("FORCE")
.text("""
rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }
""")
.build());
}
}Content copied to clipboard
resources:
example:
type: gcp:chronicle:Rule
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
deletionPolicy: FORCE
text: |
rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }Content copied to clipboard
Chronicle Rule With Data Access Scope
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const dataAccessScopeTest = new gcp.chronicle.DataAccessScope("data_access_scope_test", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
dataAccessScopeId: "scope-name",
description: "scope-description",
allowedDataAccessLabels: [{
logType: "GCP_CLOUDAUDIT",
}],
});
const example = new gcp.chronicle.Rule("example", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
scope: googleChronicleDataAccessScope.dataAccessScopeTest.name,
text: "rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n",
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
data_access_scope_test = gcp.chronicle.DataAccessScope("data_access_scope_test",
location="us",
instance="00000000-0000-0000-0000-000000000000",
data_access_scope_id="scope-name",
description="scope-description",
allowed_data_access_labels=[{
"log_type": "GCP_CLOUDAUDIT",
}])
example = gcp.chronicle.Rule("example",
location="us",
instance="00000000-0000-0000-0000-000000000000",
scope=google_chronicle_data_access_scope["dataAccessScopeTest"]["name"],
text="rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var dataAccessScopeTest = new Gcp.Chronicle.DataAccessScope("data_access_scope_test", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DataAccessScopeId = "scope-name",
Description = "scope-description",
AllowedDataAccessLabels = new[]
{
new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
{
LogType = "GCP_CLOUDAUDIT",
},
},
});
var example = new Gcp.Chronicle.Rule("example", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
Scope = googleChronicleDataAccessScope.DataAccessScopeTest.Name,
Text = @"rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }
",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := chronicle.NewDataAccessScope(ctx, "data_access_scope_test", &chronicle.DataAccessScopeArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DataAccessScopeId: pulumi.String("scope-name"),
Description: pulumi.String("scope-description"),
AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
LogType: pulumi.String("GCP_CLOUDAUDIT"),
},
},
})
if err != nil {
return err
}
_, err = chronicle.NewRule(ctx, "example", &chronicle.RuleArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: pulumi.Any(googleChronicleDataAccessScope.DataAccessScopeTest.Name),
Text: pulumi.String("rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }\n"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.Rule;
import com.pulumi.gcp.chronicle.RuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var dataAccessScopeTest = new DataAccessScope("dataAccessScopeTest", DataAccessScopeArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.dataAccessScopeId("scope-name")
.description("scope-description")
.allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
.logType("GCP_CLOUDAUDIT")
.build())
.build());
var example = new Rule("example", RuleArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.scope(googleChronicleDataAccessScope.dataAccessScopeTest().name())
.text("""
rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }
""")
.build());
}
}Content copied to clipboard
resources:
dataAccessScopeTest:
type: gcp:chronicle:DataAccessScope
name: data_access_scope_test
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
dataAccessScopeId: scope-name
description: scope-description
allowedDataAccessLabels:
- logType: GCP_CLOUDAUDIT
example:
type: gcp:chronicle:Rule
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
scope: ${googleChronicleDataAccessScope.dataAccessScopeTest.name}
text: |
rule test_rule { meta: events: $userid = $e.principal.user.userid match: $userid over 10m condition: $e }Content copied to clipboard
Import
Rule can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}{{project}}/{{location}}/{{instance}}/{{rule_id}}{{location}}/{{instance}}/{{rule_id}}When using thepulumi importcommand, Rule can be imported using one of the formats above. For example:
$ pulumi import gcp:chronicle/rule:Rule default projects/{{project}}/locations/{{location}}/instances/{{instance}}/rules/{{rule_id}}Content copied to clipboard
$ pulumi import gcp:chronicle/rule:Rule default {{project}}/{{location}}/{{instance}}/{{rule_id}}Content copied to clipboard
$ pulumi import gcp:chronicle/rule:Rule default {{location}}/{{instance}}/{{rule_id}}Content copied to clipboard
Properties
Link copied to clipboard
Policy to determine if the rule should be deleted forcefully. If deletion_policy = "FORCE", any retrohunts and any detections associated with the rule will also be deleted. If deletion_policy = "DEFAULT", the call will only succeed if the rule has no associated retrohunts, including completed retrohunts, and no associated detections. Regardless of this field's value, the rule deployment associated with this rule will also be deleted. Possible values: DEFAULT, FORCE
Link copied to clipboard
Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".