Provides a Datadog Cloud Configuration Rule resource.
```hcl
resource "datadog_cloud_configuration_rule" "myrule" {
  name    = "My cloud configuration rule"
  message = "Rule has triggered"
  enabled = true
  policy  = <<-EOT
    package datadog

    import data.datadog.output as dd_output
    import future.keywords.contains
    import future.keywords.if
    import future.keywords.in

    eval(resource) = "skip" if {
      # Logic that evaluates to true if the resource should be skipped
      true
    } else = "pass" {
      # Logic that evaluates to true if the resource is compliant
      true
    } else = "fail" {
      # Logic that evaluates to true if the resource is not compliant
      true
    }

    # This part remains unchanged for all rules
    results contains result if {
      some resource in input.resources[input.main_resource_type]
      result := dd_output.format(resource, eval(resource))
    }
  EOT
  resource_type          = "aws_s3_bucket"
  related_resource_types = []
  severity               = "high"
  group_by               = ["@resource"]
  notifications          = ["@channel"]
  tags                   = ["some:tag"]
}
```
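A concrete policy that fills in the three branches of the template above, added here as an example rather than taken from the Datadog provider documentation: it skips buckets carrying an exemption tag, passes buckets that are both encrypted and versioned, and fails everything else. The attribute names `tags`, `server_side_encryption_configuration` and `versioning.status` are assumptions about the collected resource schema, not values from this page.

```rego
package datadog

import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Assumed attribute names (not from the page): resource.tags is a map of
# bucket tags, resource.server_side_encryption_configuration is the set of
# encryption rules collected for the bucket, and resource.versioning.status
# is "Enabled" when bucket versioning is on.

# A bucket explicitly tagged as exempt is not evaluated at all.
exempt(resource) if {
	resource.tags["datadog:exempt"] == "true"
}

# At least one server-side encryption rule must be configured.
# If the attribute is absent, count() is undefined and this rule is false.
encrypted(resource) if {
	count(resource.server_side_encryption_configuration) > 0
}

# Versioning protects against accidental or malicious object deletion.
versioned(resource) if {
	resource.versioning.status == "Enabled"
}

# Branch order matters: "skip" wins over "pass", which wins over "fail".
eval(resource) = "skip" if {
	exempt(resource)
} else = "pass" if {
	encrypted(resource)
	versioned(resource)
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
```

The body goes into the `policy` heredoc of the resource; only `eval` and its helper rules are rule-specific, while the trailing `results` rule is the fixed boilerplate Datadog reads findings from.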
- `enabled` (Boolean) Whether the cloud configuration rule is enabled.
- `message` (String) The message associated with the rule that will be shown in findings and signals.
- `name` (String) The name of the cloud configuration rule.
- `policy` (String) Policy written in Rego format.
- `resource_type` (String) Main resource type to be checked by the rule.
- `severity` (String) Severity of the rule and associated signals. Valid values are `info`, `low`, `medium`, `high`, `critical`.
- `filter` (Block List) Additional queries to filter matched events before they are processed. Defaults to empty list (see below for nested schema).
- `group_by` (List of String) Defaults to empty list. This function will be deprecated soon. Use the notification rules function instead. Fields to group by when generating signals, e.g. `@resource`.
- `notifications` (List of String) This function will be deprecated soon. Use the notification rules function instead. Notification targets for signals. Defaults to empty list.
- `related_resource_types` (List of String) Related resource types to be checked by the rule. Defaults to empty list.
- `tags` (List of String) Tags of the rule, propagated to findings and signals. Defaults to empty list.
- `id` (String) The ID of this resource.

Nested schema for `filter`:

Required:

- `action` (String) The type of filtering action. Valid values are `require`, `suppress`.
- `query` (String) Query for selecting logs to apply the filtering action.

Import is supported using the following syntax:

```shell
# Security monitoring rules can be imported using ID, e.g.
terraform import datadog_cloud_configuration_rule.my_rule m0o-hto-lkb
```