A BigQuery Data Policy
To get more information about DataPolicy, see:

resource "google_bigquery_datapolicy_data_policy" "data_policy" {
  location         = "us-central1"
  data_policy_id   = "data_policy"
  policy_tag       = google_data_catalog_policy_tag.policy_tag.name
  data_policy_type = "COLUMN_LEVEL_SECURITY_POLICY"
}

resource "google_data_catalog_policy_tag" "policy_tag" {
  taxonomy     = google_data_catalog_taxonomy.taxonomy.id
  display_name = "Low security"
  description  = "A policy tag normally associated with low security items"
}

resource "google_data_catalog_taxonomy" "taxonomy" {
  region                 = "us-central1"
  display_name           = "taxonomy"
  description            = "A collection of policy tags"
  activated_policy_types = ["FINE_GRAINED_ACCESS_CONTROL"]
}

resource "google_bigquery_datapolicy_data_policy" "data_policy" {
  location         = "us-central1"
  data_policy_id   = "data_policy"
  policy_tag       = google_data_catalog_policy_tag.policy_tag.name
  data_policy_type = "DATA_MASKING_POLICY"
  data_masking_policy {
    routine = google_bigquery_routine.custom_masking_routine.id
  }
}

resource "google_data_catalog_policy_tag" "policy_tag" {
  taxonomy     = google_data_catalog_taxonomy.taxonomy.id
  display_name = "Low security"
  description  = "A policy tag normally associated with low security items"
}

resource "google_data_catalog_taxonomy" "taxonomy" {
  region                 = "us-central1"
  display_name           = "taxonomy"
  description            = "A collection of policy tags"
  activated_policy_types = ["FINE_GRAINED_ACCESS_CONTROL"]
}

resource "google_bigquery_dataset" "test" {
  dataset_id = "dataset_id"
  location   = "us-central1"
}

resource "google_bigquery_routine" "custom_masking_routine" {
  dataset_id           = google_bigquery_dataset.test.dataset_id
  routine_id           = "custom_masking_routine"
  routine_type         = "SCALAR_FUNCTION"
  language             = "SQL"
  data_governance_type = "DATA_MASKING"
  definition_body      = "SAFE.REGEXP_REPLACE(ssn, '[0-9]', 'X')"
  return_type          = "{\"typeKind\" : \"STRING\"}"
  arguments {
    name      = "ssn"
    data_type = "{\"typeKind\" : \"STRING\"}"
  }
}

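An added example (not part of the provider documentation) that uses the predefined_expression argument of data_masking_policy instead of a custom routine, and attaches the policy tag to a table column, because a data policy only affects columns that carry its policy tag. The taxonomy, tag, dataset, table and column names are assumptions chosen for illustration.

```hcl
# Added example; every resource, dataset, table and column name here is illustrative.
resource "google_data_catalog_taxonomy" "pii" {
  region                 = "us-central1"
  display_name           = "pii"
  description            = "Policy tags for personal data"
  activated_policy_types = ["FINE_GRAINED_ACCESS_CONTROL"]
}

resource "google_data_catalog_policy_tag" "email" {
  taxonomy     = google_data_catalog_taxonomy.pii.id
  display_name = "Email address"
}

# Masking rule taken from the predefined_expression values this resource accepts.
resource "google_bigquery_datapolicy_data_policy" "email_mask" {
  location         = "us-central1"
  data_policy_id   = "email_mask"
  policy_tag       = google_data_catalog_policy_tag.email.name
  data_policy_type = "DATA_MASKING_POLICY"

  data_masking_policy {
    predefined_expression = "EMAIL_MASK"
  }
}

resource "google_bigquery_dataset" "crm" {
  dataset_id = "crm"
  location   = "us-central1"
}

# The tag is attached per column through policyTags in the table schema.
resource "google_bigquery_table" "customers" {
  dataset_id = google_bigquery_dataset.crm.dataset_id
  table_id   = "customers"

  schema = jsonencode([
    { name = "customer_id", type = "STRING", mode = "REQUIRED" },
    {
      name       = "email"
      type       = "STRING"
      mode       = "NULLABLE"
      policyTags = { names = [google_data_catalog_policy_tag.email.name] }
    },
  ])
}
```

The taxonomy region, data policy location and dataset location are kept identical here, matching the examples above.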
The following arguments are supported:

data_policy_id - (Required) User-assigned (human readable) ID of the data policy that needs to be unique within a project. Used as {dataPolicyId} in part of the resource name.

location - (Required) The name of the location of the data policy.

policy_tag - (Required) Policy tag resource name, in the format of projects/{project_number}/locations/{locationId}/taxonomies/{taxonomyId}/policyTags/{policyTag_id}.

data_policy_type - (Required) The enrollment level of the service. Possible values are: COLUMN_LEVEL_SECURITY_POLICY, DATA_MASKING_POLICY.

data_masking_policy - (Optional) The data masking policy that specifies the data masking rule to use. Structure is documented below.

project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The data_masking_policy block supports:

predefined_expression - (Optional) The available masking rules. Learn more here: https://cloud.google.com/bigquery/docs/column-data-masking-intro#masking_options. Possible values are: SHA256, ALWAYS_NULL, DEFAULT_MASKING_VALUE, LAST_FOUR_CHARACTERS, FIRST_FOUR_CHARACTERS, EMAIL_MASK, DATE_YEAR_MASK.

routine - (Optional) The name of the BigQuery routine that contains the custom masking routine, in the format of projects/{projectNumber}/datasets/{dataset_id}/routines/{routine_id}.

In addition to the arguments listed above, the following computed attributes are exported:

id - an identifier for the resource with format projects/{{project}}/locations/{{location}}/dataPolicies/{{data_policy_id}}

name - Resource name of this data policy, in the format of projects/{project_number}/locations/{locationId}/dataPolicies/{dataPolicyId}.

This resource provides the following Timeouts configuration options:

create - Default is 20 minutes.
update - Default is 20 minutes.
delete - Default is 20 minutes.

DataPolicy can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/dataPolicies/{{data_policy_id}}
{{project}}/{{location}}/{{data_policy_id}}
{{location}}/{{data_policy_id}}

In Terraform v1.5.0 and later, use an import block to import DataPolicy using one of the formats above. For example:

import {
  id = "projects/{{project}}/locations/{{location}}/dataPolicies/{{data_policy_id}}"
  to = google_bigquery_datapolicy_data_policy.default
}

When using the terraform import command, DataPolicy can be imported using one of the formats above. For example:

$ terraform import google_bigquery_datapolicy_data_policy.default projects/{{project}}/locations/{{location}}/dataPolicies/{{data_policy_id}}
$ terraform import google_bigquery_datapolicy_data_policy.default {{project}}/{{location}}/{{data_policy_id}}
$ terraform import google_bigquery_datapolicy_data_policy.default {{location}}/{{data_policy_id}}
This resource supports User Project Overrides.