google_securityposture_posture

A Posture is a named collection of policy sets, carrying a state and a description. Each policy set is a group of policies together with their definitions (organization policy constraints or Security Health Analytics modules). A posture is created at the organization level. Every update to a deployed posture creates a new posture revision with an updated revision_id, so anything that pins a revision must be updated alongside the posture.

To get more information about Posture, see:

Example Usage - Securityposture Posture Basic

resource "google_securityposture_posture" "posture1" {
  posture_id  = "posture_example"
  parent      = "organizations/123456789"
  location    = "global"
  state       = "ACTIVE"
  description = "a new posture"
  policy_sets {
    policy_set_id = "org_policy_set"
    description   = "set of org policies"
    policies {
      policy_id = "canned_org_policy"
      constraint {
        # Predefined (canned) organization policy constraint, enforced only
        # on resources that match the CEL condition below.
        org_policy_constraint {
          canned_constraint_id = "storage.uniformBucketLevelAccess"
          policy_rules {
            enforce = true
            condition {
              description = "condition description"
              expression  = "resource.matchTag('org_id/tag_key_short_name', 'tag_value_short_name')"
              title       = "a CEL condition"
            }
          }
        }
      }
    }
    policies {
      policy_id = "custom_org_policy"
      constraint {
        # Custom organization policy constraint defined inline; the posture
        # creates the constraint and then enforces it through policy_rules.
        org_policy_constraint_custom {
          custom_constraint {
            name           = "organizations/123456789/customConstraints/custom.disableGkeAutoUpgrade"
            display_name   = "Disable GKE auto upgrade"
            description    = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."
            action_type    = "ALLOW"
            condition      = "resource.management.autoUpgrade == false"
            method_types   = ["CREATE", "UPDATE"]
            resource_types = ["container.googleapis.com/NodePool"]
          }
          policy_rules {
            enforce = true
            condition {
              description = "condition description"
              expression  = "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')"
              title       = "a CEL condition"
            }
          }
        }
      }
    }
  }
  policy_sets {
    policy_set_id = "sha_policy_set"
    description   = "set of sha policies"
    policies {
      policy_id = "sha_builtin_module"
      constraint {
        # Built-in Security Health Analytics detector, referenced by name.
        security_health_analytics_module {
          module_name             = "BIGQUERY_TABLE_CMEK_DISABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable BIGQUERY_TABLE_CMEK_DISABLED"
    }
    policies {
      policy_id = "sha_custom_module"
      constraint {
        # Custom Security Health Analytics module: a finding is produced for
        # every selected resource whose predicate evaluates to true.
        security_health_analytics_custom_module {
          display_name = "custom_SHA_policy"
          config {
            predicate {
              expression = "resource.rotationPeriod > duration('2592000s')"
            }
            custom_output {
              properties {
                name = "duration"
                value_expression {
                  expression = "resource.rotationPeriod"
                }
              }
            }
            resource_selector {
              resource_types = ["cloudkms.googleapis.com/CryptoKey"]
            }
            severity       = "LOW"
            description    = "Custom Module"
            recommendation = "Testing custom modules"
          }
          module_enablement_state = "ENABLED"
        }
      }
    }
  }
}
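A posture on its own enforces nothing; it has to be deployed to a target resource, and the revision mechanic described in the introduction matters exactly at that point. The following is an added example, not part of the provider documentation on this page: a minimal posture with one unconditional canned org policy and one Security Health Analytics module, plus a deployment that pins the posture's current revision_id. The resource type google_securityposture_posture_deployment and its arguments (posture_deployment_id, target_resource, posture_id, posture_revision_id), the exported attribute name on the posture, and the rule that only an ACTIVE posture can be deployed are assumptions taken from the deployment resource rather than from this page; the organization and project numbers are placeholders.

```hcl
# Added example (assumptions: the google_securityposture_posture_deployment
# resource and its argument names, the exported `name` attribute, and the
# ACTIVE-before-deploy rule are not documented on this page).

resource "google_securityposture_posture" "cmek_baseline" {
  posture_id  = "cmek_baseline"
  parent      = "organizations/123456789"
  location    = "global"
  state       = "ACTIVE" # assumption: only an ACTIVE posture is deployable
  description = "Require uniform bucket-level access and detect CMEK gaps"

  policy_sets {
    policy_set_id = "preventive"
    description   = "org policies applied at the deployment target"
    policies {
      policy_id = "uniform_bucket_level_access"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "storage.uniformBucketLevelAccess"
          # No condition block: the constraint is enforced unconditionally
          # on every resource under the deployment target.
          policy_rules {
            enforce = true
          }
        }
      }
    }
  }

  policy_sets {
    policy_set_id = "detective"
    description   = "SHA detectors enabled at the deployment target"
    policies {
      policy_id = "bigquery_cmek"
      constraint {
        security_health_analytics_module {
          module_name             = "BIGQUERY_TABLE_CMEK_DISABLED"
          module_enablement_state = "ENABLED"
        }
      }
    }
  }
}

# Pinning posture_revision_id to the exported attribute ties the deployment
# to the posture: any change to the posture above produces a new revision_id,
# which Terraform then propagates to the deployment in the same apply instead
# of leaving the target on a stale revision.
resource "google_securityposture_posture_deployment" "cmek_baseline_prod" {
  posture_deployment_id = "cmek_baseline_prod"
  parent                = "organizations/123456789"
  location              = "global"
  description           = "cmek_baseline applied to the production project"
  target_resource       = "projects/1111111111111" # placeholder project number
  posture_id            = google_securityposture_posture.cmek_baseline.name
  posture_revision_id   = google_securityposture_posture.cmek_baseline.revision_id
}
```

Review the plan after any posture edit: because the deployment references revision_id, `terraform plan` should show the posture update and the deployment update together. If the deployment shows no change, the posture edit did not create a new revision or the deployment is pinned to a literal revision string, and the target keeps running the old policy set.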

Argument Reference

The following arguments are supported:

The policy_sets block supports:

The policies block supports:

The compliance_standards block supports:

The constraint block supports:

The org_policy_constraint block supports:

The policy_rules block supports:

The values block supports:

The condition block supports:

The org_policy_constraint_custom block supports:

The custom_constraint block supports:

The policy_rules block supports:

The values block supports:

The condition block supports:

The security_health_analytics_module block supports:

The security_health_analytics_custom_module block supports:

The config block supports:

The predicate block supports:

The custom_output block supports:

The properties block supports:

The value_expression block supports:

The resource_selector block supports:


Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

Posture can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import Posture using one of the formats above. For example:

import {
  id = "{{parent}}/locations/{{location}}/postures/{{posture_id}}"
  to = google_securityposture_posture.default
}

When using the terraform import command, Posture can be imported using one of the formats above. For example:

$ terraform import google_securityposture_posture.default {{parent}}/locations/{{location}}/postures/{{posture_id}}