A Posture represents a collection of policy sets, including its name, state, description and the policy sets themselves. A policy set includes a set of policies along with their definitions. A posture can be created at the organization level. Every update to a deployed posture creates a new posture revision with an updated revision_id.
To get more information about Posture, see:
resource "google_securityposture_posture" "posture1" {
  posture_id  = "posture_example"
  parent      = "organizations/123456789"
  location    = "global"
  state       = "ACTIVE"
  description = "a new posture"
  policy_sets {
    policy_set_id = "org_policy_set"
    description   = "set of org policies"
    policies {
      policy_id = "canned_org_policy"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "storage.uniformBucketLevelAccess"
          policy_rules {
            enforce = true
            condition {
              description = "condition description"
              expression  = "resource.matchTag('org_id/tag_key_short_name','tag_value_short_name')"
              title       = "a CEL condition"
            }
          }
        }
      }
    }
    policies {
      policy_id = "custom_org_policy"
      constraint {
        org_policy_constraint_custom {
          custom_constraint {
            name           = "organizations/123456789/customConstraints/custom.disableGkeAutoUpgrade"
            display_name   = "Disable GKE auto upgrade"
            description    = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."
            action_type    = "ALLOW"
            condition      = "resource.management.autoUpgrade == false"
            method_types   = ["CREATE", "UPDATE"]
            resource_types = ["container.googleapis.com/NodePool"]
          }
          policy_rules {
            enforce = true
            condition {
              description = "condition description"
              expression  = "resource.matchTagId('tagKeys/key_id','tagValues/value_id')"
              title       = "a CEL condition"
            }
          }
        }
      }
    }
  }
  policy_sets {
    policy_set_id = "sha_policy_set"
    description   = "set of sha policies"
    policies {
      policy_id = "sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "BIGQUERY_TABLE_CMEK_DISABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable BIGQUERY_TABLE_CMEK_DISABLED"
    }
    policies {
      policy_id = "sha_custom_module"
      constraint {
        security_health_analytics_custom_module {
          display_name = "custom_SHA_policy"
          config {
            predicate {
              expression = "resource.rotationPeriod > duration('2592000s')"
            }
            custom_output {
              properties {
                name = "duration"
                value_expression {
                  expression = "resource.rotationPeriod"
                }
              }
            }
            resource_selector {
              resource_types = ["cloudkms.googleapis.com/CryptoKey"]
            }
            severity       = "LOW"
            description    = "Custom Module"
            recommendation = "Testing custom modules"
          }
          module_enablement_state = "ENABLED"
        }
      }
    }
  }
}
The following arguments are supported:
state - (Required) State of the posture. An update to the state field should not be triggered together with other field updates. Possible values are: DEPRECATED, DRAFT, ACTIVE.
policy_sets - (Required) List of policy sets for the posture. Structure is documented below.
parent - (Required) The parent of the resource, an organization. Format should be organizations/{organization_id}.
location - (Required) Location of the resource, e.g. global.
posture_id - (Required) Id of the posture. It is an immutable field.

The policy_sets block supports:
policy_set_id - (Required) ID of the policy set.
description - (Optional) Description of the policy set.
policies - (Required) List of security policies. Structure is documented below.

The policies block supports:
policy_id - (Required) ID of the policy.
description - (Optional) Description of the policy.
compliance_standards - (Optional) Mapping for policy to security standards and controls. Structure is documented below.
constraint - (Required) Policy constraint definition. It can hold the definition of one of the following constraints: orgPolicyConstraint, orgPolicyConstraintCustom, securityHealthAnalyticsModule, securityHealthAnalyticsCustomModule. Structure is documented below.

The compliance_standards block supports:
standard - (Optional) Mapping of compliance standards for the policy.
control - (Optional) Mapping of security controls for the policy.

The constraint block supports:
org_policy_constraint - (Optional) Organization policy canned constraint definition. Structure is documented below.
org_policy_constraint_custom - (Optional) Organization policy custom constraint policy definition. Structure is documented below.
security_health_analytics_module - (Optional) Security Health Analytics built-in detector definition. Structure is documented below.
security_health_analytics_custom_module - (Optional) Definition of Security Health Analytics Custom Module. Structure is documented below.

The org_policy_constraint block supports:
canned_constraint_id - (Required) Organization policy canned constraint Id.
policy_rules - (Required) Definition of policy rules. Structure is documented below.

The policy_rules block supports:
values - (Optional) List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allow_all - (Optional) Setting this to true means that all values are allowed. This field can be set only in policies for list constraints.
deny_all - (Optional) Setting this to true means that all values are denied. This field can be set only in policies for list constraints.
enforce - (Optional) If true, then the policy is enforced. If false, then any configuration is acceptable. This field can be set only in policies for boolean constraints.
condition - (Optional) Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. This page details the objects and attributes that are used to build the CEL expressions for custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec. Structure is documented below.

The values block supports:
allowed_values - (Optional) List of values allowed at this resource.
denied_values - (Optional) List of values denied at this resource.

The condition block supports:
expression - (Required) Textual representation of an expression in Common Expression Language syntax.
title - (Optional) Title for the expression, i.e. a short string describing its purpose.
description - (Optional) Description of the expression.
location - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
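The page's own example only exercises boolean constraints (enforce) and never uses the values block or a compliance_standards mapping. The following added example (not from the provider documentation) shows both for two canned list constraints, gcp.resourceLocations and compute.vmExternalIpAccess; the organization id, posture id, tag key and value, and the standard/control names are placeholders.

```hcl
resource "google_securityposture_posture" "list_constraints" {
  posture_id = "list_constraints_example" # placeholder posture id
  parent     = "organizations/123456789"  # placeholder organization id
  location   = "global"
  # Created as DRAFT on purpose: the state field should not be changed
  # together with other field updates, so promote to ACTIVE in a later apply.
  state       = "DRAFT"
  description = "list-constraint org policies with a compliance mapping"
  policy_sets {
    policy_set_id = "list_constraint_set"
    description   = "org policies that allow or deny lists of values"
    policies {
      policy_id   = "resource_locations"
      description = "pin new resources to US locations"
      # Placeholder standard/control names; use your own framework's identifiers.
      compliance_standards {
        standard = "EXAMPLE-STANDARD"
        control  = "EXAMPLE-CONTROL-1"
      }
      constraint {
        org_policy_constraint {
          canned_constraint_id = "gcp.resourceLocations"
          policy_rules {
            # A list constraint takes values (or allow_all/deny_all), not enforce.
            values {
              allowed_values = ["in:us-locations"]
            }
          }
        }
      }
    }
    policies {
      policy_id = "no_external_ips"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "compute.vmExternalIpAccess"
          policy_rules {
            # Deny every value, but only where the placeholder tag matches.
            deny_all = true
            condition {
              title      = "internal-only tag"
              expression = "resource.matchTag('org_id/env','internal')"
            }
          }
        }
      }
    }
  }
}
```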

The org_policy_constraint_custom block supports:
custom_constraint - (Optional) Organization policy custom constraint definition. Structure is documented below.
policy_rules - (Required) Definition of policy rules. Structure is documented below.

The custom_constraint block supports:
name - (Required) Immutable. The name of the custom constraint. This is unique within the organization.
display_name - (Optional) A human-friendly name for the constraint.
description - (Optional) A human-friendly description of the constraint to display as an error message when the policy is violated.
condition - (Required) A CEL condition that refers to a supported service resource, for example resource.management.autoUpgrade == false. For details about CEL usage, see Common Expression Language.
action_type - (Required) The action to take if the condition is met. Possible values are: ALLOW, DENY.
method_types - (Required) A list of RESTful methods for which to enforce the constraint. Can be CREATE, UPDATE, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.
resource_types - (Required) Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, container.googleapis.com/NodePool.

The policy_rules block supports:
values - (Optional) List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allow_all - (Optional) Setting this to true means that all values are allowed. This field can be set only in policies for list constraints.
deny_all - (Optional) Setting this to true means that all values are denied. This field can be set only in policies for list constraints.
enforce - (Optional) If true, then the policy is enforced. If false, then any configuration is acceptable. This field can be set only in policies for boolean constraints.
condition - (Optional) Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. This page details the objects and attributes that are used to build the CEL expressions for custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec. Structure is documented below.

The values block supports:
allowed_values - (Optional) List of values allowed at this resource.
denied_values - (Optional) List of values denied at this resource.

The condition block supports:
expression - (Required) Textual representation of an expression in Common Expression Language syntax.
title - (Optional) Title for the expression, i.e. a short string describing its purpose.
description - (Optional) Description of the expression.
location - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

The security_health_analytics_module block supports:
module_name - (Required) The name of the module, e.g. BIGQUERY_TABLE_CMEK_DISABLED.
module_enablement_state - (Optional) The state of enablement for the module at its level of the resource hierarchy. Possible values are: ENABLEMENT_STATE_UNSPECIFIED, ENABLED, DISABLED.

The security_health_analytics_custom_module block supports:
id - (Output) A server-generated id of the custom module.
display_name - (Optional) The display name of the Security Health Analytics custom module. This display name becomes the finding category for all findings that are returned by this custom module.
module_enablement_state - (Optional) The state of enablement for the module at its level of the resource hierarchy. Possible values are: ENABLEMENT_STATE_UNSPECIFIED, ENABLED, DISABLED.
config - (Required) Custom module details. Structure is documented below.

The config block supports:
predicate - (Required) The CEL expression to evaluate to produce findings. When the expression evaluates to true against a resource, a finding is generated. Structure is documented below.
custom_output - (Optional) Custom output properties. A set of optional name-value pairs that define custom source properties to return with each finding that is generated by the custom module. The custom source properties that are defined here are included in the finding JSON under sourceProperties. Structure is documented below.
resource_selector - (Required) The resource types that the custom module operates on. Each custom module can specify up to 5 resource types. Structure is documented below.
severity - (Required) The severity to assign to findings generated by the module. Possible values are: SEVERITY_UNSPECIFIED, CRITICAL, HIGH, MEDIUM, LOW.
description - (Optional) Text that describes the vulnerability or misconfiguration that the custom module detects.
recommendation - (Optional) An explanation of the recommended steps that security teams can take to resolve the detected issue.

The predicate block supports:
expression - (Required) Textual representation of an expression in Common Expression Language syntax.
title - (Optional) Title for the expression, i.e. a short string describing its purpose.
description - (Optional) Description of the expression.
location - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

The custom_output block supports:
properties - (Optional) A list of custom output properties to add to the finding. Structure is documented below.

The properties block supports:
name - (Required) Name of the property for the custom output.
value_expression - (Optional) The CEL expression for the custom output. A resource property can be specified to return the value of the property or a text string enclosed in quotation marks. Structure is documented below.

The value_expression block supports:
expression - (Required) Textual representation of an expression in Common Expression Language syntax.
title - (Optional) Title for the expression, i.e. a short string describing its purpose.
description - (Optional) Description of the expression.
location - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

The resource_selector block supports:
resource_types - (Required) The resource types to run the detector on.

description - (Optional) Description of the posture.

In addition to the arguments listed above, the following computed attributes are exported:
id - An identifier for the resource with format {{parent}}/locations/{{location}}/postures/{{posture_id}}
name - Name of the posture.
revision_id - Revision_id of the posture.
create_time - Time the Posture was created in UTC.
update_time - Time the Posture was updated in UTC.
etag - For Resource freshness validation (https://google.aip.dev/154)
reconciling - If set, there are currently changes in flight to the posture.

This resource provides the following Timeouts configuration options:
create - Default is 20 minutes.
update - Default is 20 minutes.
delete - Default is 20 minutes.

Posture can be imported using any of these accepted formats:
{{parent}}/locations/{{location}}/postures/{{posture_id}}

In Terraform v1.5.0 and later, use an import block to import Posture using one of the formats above. For example:
import {
  id = "{{parent}}/locations/{{location}}/postures/{{posture_id}}"
  to = google_securityposture_posture.default
}

When using the terraform import command, Posture can be imported using one of the formats above. For example:
$ terraform import google_securityposture_posture.default {{parent}}/locations/{{location}}/postures/{{posture_id}}