Represents the settings related to security issues, such as data redaction and data retention. It may take hours for updates on the settings to propagate to all the related components and take effect. Multiple security settings can be configured in each location. Each agent can specify the security settings to apply, and each setting can be applied to multiple agents in the same project and location.
To get more information about SecuritySettings, see:
resource "google_dialogflow_cx_security_settings" "basic_security_settings" {
display_name = "dialogflowcx-security-settings"
location = "global"
purge_data_types = []
retention_window_days = 7
}
resource "google_data_loss_prevention_inspect_template" "inspect" {
parent = "projects/my-project-name/locations/global"
display_name = "dialogflowcx-inspect-template"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
resource "google_data_loss_prevention_deidentify_template" "deidentify" {
parent = "projects/my-project-name/locations/global"
display_name = "dialogflowcx-deidentify-template"
deidentify_config {
info_type_transformations {
transformations {
primitive_transformation {
replace_config {
new_value {
string_value = "[REDACTED]"
}
}
}
}
}
}
}
resource "google_storage_bucket" "bucket" {
name = "dialogflowcx-bucket"
location = "US"
uniform_bucket_level_access = true
}
resource "google_dialogflow_cx_security_settings" "basic_security_settings" {
display_name = "dialogflowcx-security-settings"
location = "global"
redaction_strategy = "REDACT_WITH_SERVICE"
redaction_scope = "REDACT_DISK_STORAGE"
inspect_template = google_data_loss_prevention_inspect_template.inspect.id
deidentify_template = google_data_loss_prevention_deidentify_template.deidentify.id
purge_data_types = ["DIALOGFLOW_HISTORY"]
audio_export_settings {
gcs_bucket = google_storage_bucket.bucket.id
audio_export_pattern = "export"
enable_audio_redaction = true
audio_format = "OGG"
}
insights_export_settings {
enable_insights_export = true
}
retention_strategy = "REMOVE_AFTER_CONVERSATION"
}
The following arguments are supported:
location
-
(Required)
The location these settings are located in. Settings can only be applied to an agent in the same location.
See Available Regions for a list of supported locations.
display_name
-
(Required)
The human-readable name of the security settings, unique within the location.
redaction_strategy
-
(Optional)
Defines how we redact data. If not set, defaults to not redacting.
REDACT_WITH_SERVICE
.redaction_scope
-
(Optional)
Defines what types of data to redact. If not set, defaults to not redacting any kind of data.
REDACT_DISK_STORAGE
.inspect_template
-
(Optional)
DLP inspect template name. Use this template to define inspect base settings. If empty, we use the default DLP inspect config.
Note: inspectTemplate must be located in the same region as the SecuritySettings.
Format: projects/
deidentify_template
-
(Optional)
DLP deidentify template name. Use this template to define de-identification configuration for the content. If empty, Dialogflow replaces sensitive info with [redacted] text.
Note: deidentifyTemplate must be located in the same region as the SecuritySettings.
Format: projects/
purge_data_types
-
(Optional)
List of types of data to remove when retention settings triggers purge.
Each value may be one of: DIALOGFLOW_HISTORY
.
audio_export_settings
-
(Optional)
Controls audio export settings for post-conversation analytics when ingesting audio to conversations.
If retention_strategy is set to REMOVE_AFTER_CONVERSATION or gcs_bucket is empty, audio export is disabled.
If audio export is enabled, audio is recorded and saved to gcs_bucket, subject to retention policy of gcs_bucket.
This setting won't effect audio input for implicit sessions via Sessions.DetectIntent.
Structure is documented below.
insights_export_settings
-
(Optional)
Controls conversation exporting settings to Insights after conversation is completed.
If retentionStrategy is set to REMOVE_AFTER_CONVERSATION, Insights export is disabled no matter what you configure here.
Structure is documented below.
retention_window_days
-
(Optional)
Retains the data for the specified number of days. User must set a value lower than Dialogflow's default 365d TTL (30 days for Agent Assist traffic), higher value will be ignored and use default. Setting a value higher than that has no effect. A missing value or setting to 0 also means we use default TTL.
Only one of retention_window_days
and retention_strategy
may be set.
retention_strategy
-
(Optional)
Defines how long we retain persisted data that contains sensitive info. Only one of retention_window_days
and retention_strategy
may be set.
REMOVE_AFTER_CONVERSATION
.project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
The audio_export_settings
block supports:
gcs_bucket
-
(Optional)
Cloud Storage bucket to export audio record to. Setting this field would grant the Storage Object Creator role to the Dialogflow Service Agent. API caller that tries to modify this field should have the permission of storage.buckets.setIamPolicy.
audio_export_pattern
-
(Optional)
Filename pattern for exported audio.
enable_audio_redaction
-
(Optional)
Enable audio redaction if it is true.
audio_format
-
(Optional)
File format for exported audio file. Currently only in telephony recordings.
MULAW
, MP3
, OGG
.The insights_export_settings
block supports:
enable_insights_export
-
(Required)
If enabled, we will automatically exports conversations to Insights and Insights runs its analyzers.In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/locations/{{location}}/securitySettings/{{name}}
name
-
The unique identifier of the settings.
Format: projects/
This resource provides the following Timeouts configuration options:
create
- Default is 40 minutes.update
- Default is 40 minutes.delete
- Default is 20 minutes.SecuritySettings can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/securitySettings/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
In Terraform v1.5.0 and later, use an import
block to import SecuritySettings using one of the formats above. For example:
import {
id = "projects/{{project}}/locations/{{location}}/securitySettings/{{name}}"
to = google_dialogflow_cx_security_settings.default
}
When using the terraform import
command, SecuritySettings can be imported using one of the formats above. For example:
$ terraform import google_dialogflow_cx_security_settings.default projects/{{project}}/locations/{{location}}/securitySettings/{{name}}
$ terraform import google_dialogflow_cx_security_settings.default {{project}}/{{location}}/{{name}}
$ terraform import google_dialogflow_cx_security_settings.default {{location}}/{{name}}
This resource supports User Project Overrides.