Docs Home
Google Cloud v8.21.0 published on Wednesday, Mar 5, 2025 by Pulumi
gcp.chronicle.DataAccessScope
Explore with Pulumi AI
Example Usage
Chronicle Dataaccessscope With Logtype
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const example = new gcp.chronicle.DataAccessScope("example", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
dataAccessScopeId: "scope-id",
description: "scope-description",
allowedDataAccessLabels: [
{
logType: "GCP_CLOUDAUDIT",
},
{
logType: "GITHUB",
},
],
});
import pulumi
import pulumi_gcp as gcp
example = gcp.chronicle.DataAccessScope("example",
location="us",
instance="00000000-0000-0000-0000-000000000000",
data_access_scope_id="scope-id",
description="scope-description",
allowed_data_access_labels=[
{
"log_type": "GCP_CLOUDAUDIT",
},
{
"log_type": "GITHUB",
},
])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DataAccessScopeId: pulumi.String("scope-id"),
Description: pulumi.String("scope-description"),
AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
LogType: pulumi.String("GCP_CLOUDAUDIT"),
},
&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
LogType: pulumi.String("GITHUB"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var example = new Gcp.Chronicle.DataAccessScope("example", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DataAccessScopeId = "scope-id",
Description = "scope-description",
AllowedDataAccessLabels = new[]
{
new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
{
LogType = "GCP_CLOUDAUDIT",
},
new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
{
LogType = "GITHUB",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.dataAccessScopeId("scope-id")
.description("scope-description")
.allowedDataAccessLabels(
DataAccessScopeAllowedDataAccessLabelArgs.builder()
.logType("GCP_CLOUDAUDIT")
.build(),
DataAccessScopeAllowedDataAccessLabelArgs.builder()
.logType("GITHUB")
.build())
.build());
}
}
resources:
example:
type: gcp:chronicle:DataAccessScope
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
dataAccessScopeId: scope-id
description: scope-description
allowedDataAccessLabels:
- logType: GCP_CLOUDAUDIT
- logType: GITHUB
Chronicle Dataaccessscope With Dataaccesslabel
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const customDataAccessLabel = new gcp.chronicle.DataAccessLabel("custom_data_access_label", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
dataAccessLabelId: "label-id",
udmQuery: "principal.hostname=\"google.com\"",
});
const example = new gcp.chronicle.DataAccessScope("example", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
dataAccessScopeId: "scope-id",
description: "scope-description",
allowedDataAccessLabels: [{
dataAccessLabel: googleChronicleDataAccessLabel.customDataAccessLabel.dataAccessLabelId,
}],
});
import pulumi
import pulumi_gcp as gcp
custom_data_access_label = gcp.chronicle.DataAccessLabel("custom_data_access_label",
location="us",
instance="00000000-0000-0000-0000-000000000000",
data_access_label_id="label-id",
udm_query="principal.hostname=\"google.com\"")
example = gcp.chronicle.DataAccessScope("example",
location="us",
instance="00000000-0000-0000-0000-000000000000",
data_access_scope_id="scope-id",
description="scope-description",
allowed_data_access_labels=[{
"data_access_label": google_chronicle_data_access_label["customDataAccessLabel"]["dataAccessLabelId"],
}])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := chronicle.NewDataAccessLabel(ctx, "custom_data_access_label", &chronicle.DataAccessLabelArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DataAccessLabelId: pulumi.String("label-id"),
UdmQuery: pulumi.String("principal.hostname=\"google.com\""),
})
if err != nil {
return err
}
_, err = chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DataAccessScopeId: pulumi.String("scope-id"),
Description: pulumi.String("scope-description"),
AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
DataAccessLabel: pulumi.Any(googleChronicleDataAccessLabel.CustomDataAccessLabel.DataAccessLabelId),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var customDataAccessLabel = new Gcp.Chronicle.DataAccessLabel("custom_data_access_label", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DataAccessLabelId = "label-id",
UdmQuery = "principal.hostname=\"google.com\"",
});
var example = new Gcp.Chronicle.DataAccessScope("example", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DataAccessScopeId = "scope-id",
Description = "scope-description",
AllowedDataAccessLabels = new[]
{
new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
{
DataAccessLabel = googleChronicleDataAccessLabel.CustomDataAccessLabel.DataAccessLabelId,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessLabel;
import com.pulumi.gcp.chronicle.DataAccessLabelArgs;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var customDataAccessLabel = new DataAccessLabel("customDataAccessLabel", DataAccessLabelArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.dataAccessLabelId("label-id")
.udmQuery("principal.hostname=\"google.com\"")
.build());
var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.dataAccessScopeId("scope-id")
.description("scope-description")
.allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
.dataAccessLabel(googleChronicleDataAccessLabel.customDataAccessLabel().dataAccessLabelId())
.build())
.build());
}
}
resources:
customDataAccessLabel:
type: gcp:chronicle:DataAccessLabel
name: custom_data_access_label
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
dataAccessLabelId: label-id
udmQuery: principal.hostname="google.com"
example:
type: gcp:chronicle:DataAccessScope
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
dataAccessScopeId: scope-id
description: scope-description
allowedDataAccessLabels:
- dataAccessLabel: ${googleChronicleDataAccessLabel.customDataAccessLabel.dataAccessLabelId}
Chronicle Dataaccessscope With Asset Namespace
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const example = new gcp.chronicle.DataAccessScope("example", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
dataAccessScopeId: "scope-id",
description: "scope-description",
allowedDataAccessLabels: [{
assetNamespace: "my-namespace",
}],
});
import pulumi
import pulumi_gcp as gcp
example = gcp.chronicle.DataAccessScope("example",
location="us",
instance="00000000-0000-0000-0000-000000000000",
data_access_scope_id="scope-id",
description="scope-description",
allowed_data_access_labels=[{
"asset_namespace": "my-namespace",
}])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DataAccessScopeId: pulumi.String("scope-id"),
Description: pulumi.String("scope-description"),
AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
AssetNamespace: pulumi.String("my-namespace"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var example = new Gcp.Chronicle.DataAccessScope("example", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DataAccessScopeId = "scope-id",
Description = "scope-description",
AllowedDataAccessLabels = new[]
{
new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
{
AssetNamespace = "my-namespace",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.dataAccessScopeId("scope-id")
.description("scope-description")
.allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
.assetNamespace("my-namespace")
.build())
.build());
}
}
resources:
example:
type: gcp:chronicle:DataAccessScope
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
dataAccessScopeId: scope-id
description: scope-description
allowedDataAccessLabels:
- assetNamespace: my-namespace
Chronicle Dataaccessscope With Ingestion Label
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const example = new gcp.chronicle.DataAccessScope("example", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
dataAccessScopeId: "scope-id",
description: "scope-description",
allowedDataAccessLabels: [{
ingestionLabel: {
ingestionLabelKey: "ingestion_key",
ingestionLabelValue: "ingestion_value",
},
}],
});
import pulumi
import pulumi_gcp as gcp
example = gcp.chronicle.DataAccessScope("example",
location="us",
instance="00000000-0000-0000-0000-000000000000",
data_access_scope_id="scope-id",
description="scope-description",
allowed_data_access_labels=[{
"ingestion_label": {
"ingestion_label_key": "ingestion_key",
"ingestion_label_value": "ingestion_value",
},
}])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DataAccessScopeId: pulumi.String("scope-id"),
Description: pulumi.String("scope-description"),
AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
IngestionLabel: &chronicle.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs{
IngestionLabelKey: pulumi.String("ingestion_key"),
IngestionLabelValue: pulumi.String("ingestion_value"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var example = new Gcp.Chronicle.DataAccessScope("example", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DataAccessScopeId = "scope-id",
Description = "scope-description",
AllowedDataAccessLabels = new[]
{
new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
{
IngestionLabel = new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs
{
IngestionLabelKey = "ingestion_key",
IngestionLabelValue = "ingestion_value",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.dataAccessScopeId("scope-id")
.description("scope-description")
.allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
.ingestionLabel(DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs.builder()
.ingestionLabelKey("ingestion_key")
.ingestionLabelValue("ingestion_value")
.build())
.build())
.build());
}
}
resources:
example:
type: gcp:chronicle:DataAccessScope
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
dataAccessScopeId: scope-id
description: scope-description
allowedDataAccessLabels:
- ingestionLabel:
ingestionLabelKey: ingestion_key
ingestionLabelValue: ingestion_value
Chronicle Dataaccessscope With Denied Labels
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const customDataAccessLabel = new gcp.chronicle.DataAccessLabel("custom_data_access_label", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
dataAccessLabelId: "label-id",
udmQuery: "principal.hostname=\"google.com\"",
});
const example = new gcp.chronicle.DataAccessScope("example", {
location: "us",
instance: "00000000-0000-0000-0000-000000000000",
dataAccessScopeId: "scope-id",
description: "scope-description",
allowAll: true,
deniedDataAccessLabels: [
{
logType: "GCP_CLOUDAUDIT",
},
{
dataAccessLabel: googleChronicleDataAccessLabel.customDataAccessLabel.dataAccessLabelId,
},
{
ingestionLabel: {
ingestionLabelKey: "ingestion_key",
ingestionLabelValue: "ingestion_value",
},
},
{
assetNamespace: "my-namespace",
},
],
});
import pulumi
import pulumi_gcp as gcp
custom_data_access_label = gcp.chronicle.DataAccessLabel("custom_data_access_label",
location="us",
instance="00000000-0000-0000-0000-000000000000",
data_access_label_id="label-id",
udm_query="principal.hostname=\"google.com\"")
example = gcp.chronicle.DataAccessScope("example",
location="us",
instance="00000000-0000-0000-0000-000000000000",
data_access_scope_id="scope-id",
description="scope-description",
allow_all=True,
denied_data_access_labels=[
{
"log_type": "GCP_CLOUDAUDIT",
},
{
"data_access_label": google_chronicle_data_access_label["customDataAccessLabel"]["dataAccessLabelId"],
},
{
"ingestion_label": {
"ingestion_label_key": "ingestion_key",
"ingestion_label_value": "ingestion_value",
},
},
{
"asset_namespace": "my-namespace",
},
])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/chronicle"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := chronicle.NewDataAccessLabel(ctx, "custom_data_access_label", &chronicle.DataAccessLabelArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DataAccessLabelId: pulumi.String("label-id"),
UdmQuery: pulumi.String("principal.hostname=\"google.com\""),
})
if err != nil {
return err
}
_, err = chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
Location: pulumi.String("us"),
Instance: pulumi.String("00000000-0000-0000-0000-000000000000"),
DataAccessScopeId: pulumi.String("scope-id"),
Description: pulumi.String("scope-description"),
AllowAll: pulumi.Bool(true),
DeniedDataAccessLabels: chronicle.DataAccessScopeDeniedDataAccessLabelArray{
&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
LogType: pulumi.String("GCP_CLOUDAUDIT"),
},
&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
DataAccessLabel: pulumi.Any(googleChronicleDataAccessLabel.CustomDataAccessLabel.DataAccessLabelId),
},
&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
IngestionLabel: &chronicle.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs{
IngestionLabelKey: pulumi.String("ingestion_key"),
IngestionLabelValue: pulumi.String("ingestion_value"),
},
},
&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
AssetNamespace: pulumi.String("my-namespace"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var customDataAccessLabel = new Gcp.Chronicle.DataAccessLabel("custom_data_access_label", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DataAccessLabelId = "label-id",
UdmQuery = "principal.hostname=\"google.com\"",
});
var example = new Gcp.Chronicle.DataAccessScope("example", new()
{
Location = "us",
Instance = "00000000-0000-0000-0000-000000000000",
DataAccessScopeId = "scope-id",
Description = "scope-description",
AllowAll = true,
DeniedDataAccessLabels = new[]
{
new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
{
LogType = "GCP_CLOUDAUDIT",
},
new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
{
DataAccessLabel = googleChronicleDataAccessLabel.CustomDataAccessLabel.DataAccessLabelId,
},
new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
{
IngestionLabel = new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs
{
IngestionLabelKey = "ingestion_key",
IngestionLabelValue = "ingestion_value",
},
},
new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
{
AssetNamespace = "my-namespace",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessLabel;
import com.pulumi.gcp.chronicle.DataAccessLabelArgs;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeDeniedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var customDataAccessLabel = new DataAccessLabel("customDataAccessLabel", DataAccessLabelArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.dataAccessLabelId("label-id")
.udmQuery("principal.hostname=\"google.com\"")
.build());
var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
.location("us")
.instance("00000000-0000-0000-0000-000000000000")
.dataAccessScopeId("scope-id")
.description("scope-description")
.allowAll(true)
.deniedDataAccessLabels(
DataAccessScopeDeniedDataAccessLabelArgs.builder()
.logType("GCP_CLOUDAUDIT")
.build(),
DataAccessScopeDeniedDataAccessLabelArgs.builder()
.dataAccessLabel(googleChronicleDataAccessLabel.customDataAccessLabel().dataAccessLabelId())
.build(),
DataAccessScopeDeniedDataAccessLabelArgs.builder()
.ingestionLabel(DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs.builder()
.ingestionLabelKey("ingestion_key")
.ingestionLabelValue("ingestion_value")
.build())
.build(),
DataAccessScopeDeniedDataAccessLabelArgs.builder()
.assetNamespace("my-namespace")
.build())
.build());
}
}
resources:
customDataAccessLabel:
type: gcp:chronicle:DataAccessLabel
name: custom_data_access_label
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
dataAccessLabelId: label-id
udmQuery: principal.hostname="google.com"
example:
type: gcp:chronicle:DataAccessScope
properties:
location: us
instance: 00000000-0000-0000-0000-000000000000
dataAccessScopeId: scope-id
description: scope-description
allowAll: true
deniedDataAccessLabels:
- logType: GCP_CLOUDAUDIT
- dataAccessLabel: ${googleChronicleDataAccessLabel.customDataAccessLabel.dataAccessLabelId}
- ingestionLabel:
ingestionLabelKey: ingestion_key
ingestionLabelValue: ingestion_value
- assetNamespace: my-namespace
Create DataAccessScope Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new DataAccessScope(name: string, args: DataAccessScopeArgs, opts?: CustomResourceOptions);@overload
def DataAccessScope(resource_name: str,
args: DataAccessScopeArgs,
opts: Optional[ResourceOptions] = None)
@overload
def DataAccessScope(resource_name: str,
opts: Optional[ResourceOptions] = None,
data_access_scope_id: Optional[str] = None,
instance: Optional[str] = None,
location: Optional[str] = None,
allow_all: Optional[bool] = None,
allowed_data_access_labels: Optional[Sequence[DataAccessScopeAllowedDataAccessLabelArgs]] = None,
denied_data_access_labels: Optional[Sequence[DataAccessScopeDeniedDataAccessLabelArgs]] = None,
description: Optional[str] = None,
project: Optional[str] = None)func NewDataAccessScope(ctx *Context, name string, args DataAccessScopeArgs, opts ...ResourceOption) (*DataAccessScope, error)public DataAccessScope(string name, DataAccessScopeArgs args, CustomResourceOptions? opts = null)
public DataAccessScope(String name, DataAccessScopeArgs args)
public DataAccessScope(String name, DataAccessScopeArgs args, CustomResourceOptions options)
type: gcp:chronicle:DataAccessScope
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args DataAccessScopeArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args DataAccessScopeArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args DataAccessScopeArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DataAccessScopeArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args DataAccessScopeArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var dataAccessScopeResource = new Gcp.Chronicle.DataAccessScope("dataAccessScopeResource", new()
{
DataAccessScopeId = "string",
Instance = "string",
Location = "string",
AllowAll = false,
AllowedDataAccessLabels = new[]
{
new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
{
AssetNamespace = "string",
DataAccessLabel = "string",
DisplayName = "string",
IngestionLabel = new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs
{
IngestionLabelKey = "string",
IngestionLabelValue = "string",
},
LogType = "string",
},
},
DeniedDataAccessLabels = new[]
{
new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
{
AssetNamespace = "string",
DataAccessLabel = "string",
DisplayName = "string",
IngestionLabel = new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs
{
IngestionLabelKey = "string",
IngestionLabelValue = "string",
},
LogType = "string",
},
},
Description = "string",
Project = "string",
});
example, err := chronicle.NewDataAccessScope(ctx, "dataAccessScopeResource", &chronicle.DataAccessScopeArgs{
DataAccessScopeId: pulumi.String("string"),
Instance: pulumi.String("string"),
Location: pulumi.String("string"),
AllowAll: pulumi.Bool(false),
AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
AssetNamespace: pulumi.String("string"),
DataAccessLabel: pulumi.String("string"),
DisplayName: pulumi.String("string"),
IngestionLabel: &chronicle.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs{
IngestionLabelKey: pulumi.String("string"),
IngestionLabelValue: pulumi.String("string"),
},
LogType: pulumi.String("string"),
},
},
DeniedDataAccessLabels: chronicle.DataAccessScopeDeniedDataAccessLabelArray{
&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
AssetNamespace: pulumi.String("string"),
DataAccessLabel: pulumi.String("string"),
DisplayName: pulumi.String("string"),
IngestionLabel: &chronicle.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs{
IngestionLabelKey: pulumi.String("string"),
IngestionLabelValue: pulumi.String("string"),
},
LogType: pulumi.String("string"),
},
},
Description: pulumi.String("string"),
Project: pulumi.String("string"),
})
var dataAccessScopeResource = new DataAccessScope("dataAccessScopeResource", DataAccessScopeArgs.builder()
.dataAccessScopeId("string")
.instance("string")
.location("string")
.allowAll(false)
.allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
.assetNamespace("string")
.dataAccessLabel("string")
.displayName("string")
.ingestionLabel(DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs.builder()
.ingestionLabelKey("string")
.ingestionLabelValue("string")
.build())
.logType("string")
.build())
.deniedDataAccessLabels(DataAccessScopeDeniedDataAccessLabelArgs.builder()
.assetNamespace("string")
.dataAccessLabel("string")
.displayName("string")
.ingestionLabel(DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs.builder()
.ingestionLabelKey("string")
.ingestionLabelValue("string")
.build())
.logType("string")
.build())
.description("string")
.project("string")
.build());
data_access_scope_resource = gcp.chronicle.DataAccessScope("dataAccessScopeResource",
data_access_scope_id="string",
instance="string",
location="string",
allow_all=False,
allowed_data_access_labels=[{
"asset_namespace": "string",
"data_access_label": "string",
"display_name": "string",
"ingestion_label": {
"ingestion_label_key": "string",
"ingestion_label_value": "string",
},
"log_type": "string",
}],
denied_data_access_labels=[{
"asset_namespace": "string",
"data_access_label": "string",
"display_name": "string",
"ingestion_label": {
"ingestion_label_key": "string",
"ingestion_label_value": "string",
},
"log_type": "string",
}],
description="string",
project="string")
const dataAccessScopeResource = new gcp.chronicle.DataAccessScope("dataAccessScopeResource", {
dataAccessScopeId: "string",
instance: "string",
location: "string",
allowAll: false,
allowedDataAccessLabels: [{
assetNamespace: "string",
dataAccessLabel: "string",
displayName: "string",
ingestionLabel: {
ingestionLabelKey: "string",
ingestionLabelValue: "string",
},
logType: "string",
}],
deniedDataAccessLabels: [{
assetNamespace: "string",
dataAccessLabel: "string",
displayName: "string",
ingestionLabel: {
ingestionLabelKey: "string",
ingestionLabelValue: "string",
},
logType: "string",
}],
description: "string",
project: "string",
});
type: gcp:chronicle:DataAccessScope
properties:
allowAll: false
allowedDataAccessLabels:
- assetNamespace: string
dataAccessLabel: string
displayName: string
ingestionLabel:
ingestionLabelKey: string
ingestionLabelValue: string
logType: string
dataAccessScopeId: string
deniedDataAccessLabels:
- assetNamespace: string
dataAccessLabel: string
displayName: string
ingestionLabel:
ingestionLabelKey: string
ingestionLabelValue: string
logType: string
description: string
instance: string
location: string
project: string
DataAccessScope Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The DataAccessScope resource accepts the following input properties:
- Data
Access stringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- Instance string
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- Location string
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- Allow
All bool - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- Allowed
Data List<DataAccess Labels Access Scope Allowed Data Access Label> - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- Denied
Data List<DataAccess Labels Access Scope Denied Data Access Label> - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- Description string
- Optional. A description of the data access scope for a human reader.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Data
Access stringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- Instance string
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- Location string
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- Allow
All bool - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- Allowed
Data []DataAccess Labels Access Scope Allowed Data Access Label Args - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- Denied
Data []DataAccess Labels Access Scope Denied Data Access Label Args - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- Description string
- Optional. A description of the data access scope for a human reader.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- data
Access StringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- instance String
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- location String
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- allow
All Boolean - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- allowed
Data List<DataAccess Labels Access Scope Allowed Data Access Label> - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- denied
Data List<DataAccess Labels Access Scope Denied Data Access Label> - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- description String
- Optional. A description of the data access scope for a human reader.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- data
Access stringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- instance string
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- location string
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- allow
All boolean - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- allowed
Data DataAccess Labels Access Scope Allowed Data Access Label[] - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- denied
Data DataAccess Labels Access Scope Denied Data Access Label[] - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- description string
- Optional. A description of the data access scope for a human reader.
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- data_
access_ strscope_ id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- instance str
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- location str
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- allow_
all bool - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- allowed_
data_ Sequence[Dataaccess_ labels Access Scope Allowed Data Access Label Args] - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- denied_
data_ Sequence[Dataaccess_ labels Access Scope Denied Data Access Label Args] - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- description str
- Optional. A description of the data access scope for a human reader.
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- data
Access StringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- instance String
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- location String
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- allow
All Boolean - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- allowed
Data List<Property Map>Access Labels - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- denied
Data List<Property Map>Access Labels - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- description String
- Optional. A description of the data access scope for a human reader.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Outputs
All input properties are implicitly available as output properties. Additionally, the DataAccessScope resource produces the following output properties:
- string
- Output only. The user who created the data access scope.
- Create
Time string - Output only. The time at which the data access scope was created.
- Display
Name string - Output only. The name to be used for display to customers of the data access scope.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Editor string - Output only. The user who last updated the data access scope.
- Name string
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- Update
Time string - Output only. The time at which the data access scope was last updated.
- string
- Output only. The user who created the data access scope.
- Create
Time string - Output only. The time at which the data access scope was created.
- Display
Name string - Output only. The name to be used for display to customers of the data access scope.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Editor string - Output only. The user who last updated the data access scope.
- Name string
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- Update
Time string - Output only. The time at which the data access scope was last updated.
- String
- Output only. The user who created the data access scope.
- create
Time String - Output only. The time at which the data access scope was created.
- display
Name String - Output only. The name to be used for display to customers of the data access scope.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Editor String - Output only. The user who last updated the data access scope.
- name String
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- update
Time String - Output only. The time at which the data access scope was last updated.
- string
- Output only. The user who created the data access scope.
- create
Time string - Output only. The time at which the data access scope was created.
- display
Name string - Output only. The name to be used for display to customers of the data access scope.
- id string
- The provider-assigned unique ID for this managed resource.
- last
Editor string - Output only. The user who last updated the data access scope.
- name string
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- update
Time string - Output only. The time at which the data access scope was last updated.
- str
- Output only. The user who created the data access scope.
- create_
time str - Output only. The time at which the data access scope was created.
- display_
name str - Output only. The name to be used for display to customers of the data access scope.
- id str
- The provider-assigned unique ID for this managed resource.
- last_
editor str - Output only. The user who last updated the data access scope.
- name str
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- update_
time str - Output only. The time at which the data access scope was last updated.
- String
- Output only. The user who created the data access scope.
- create
Time String - Output only. The time at which the data access scope was created.
- display
Name String - Output only. The name to be used for display to customers of the data access scope.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Editor String - Output only. The user who last updated the data access scope.
- name String
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- update
Time String - Output only. The time at which the data access scope was last updated.
Look up Existing DataAccessScope Resource
Get an existing DataAccessScope resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: DataAccessScopeState, opts?: CustomResourceOptions): DataAccessScope@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allow_all: Optional[bool] = None,
allowed_data_access_labels: Optional[Sequence[DataAccessScopeAllowedDataAccessLabelArgs]] = None,
author: Optional[str] = None,
create_time: Optional[str] = None,
data_access_scope_id: Optional[str] = None,
denied_data_access_labels: Optional[Sequence[DataAccessScopeDeniedDataAccessLabelArgs]] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
instance: Optional[str] = None,
last_editor: Optional[str] = None,
location: Optional[str] = None,
name: Optional[str] = None,
project: Optional[str] = None,
update_time: Optional[str] = None) -> DataAccessScopefunc GetDataAccessScope(ctx *Context, name string, id IDInput, state *DataAccessScopeState, opts ...ResourceOption) (*DataAccessScope, error)public static DataAccessScope Get(string name, Input<string> id, DataAccessScopeState? state, CustomResourceOptions? opts = null)public static DataAccessScope get(String name, Output<String> id, DataAccessScopeState state, CustomResourceOptions options)resources: _: type: gcp:chronicle:DataAccessScope get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allow
All bool - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- Allowed
Data List<DataAccess Labels Access Scope Allowed Data Access Label> - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- string
- Output only. The user who created the data access scope.
- Create
Time string - Output only. The time at which the data access scope was created.
- Data
Access stringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- Denied
Data List<DataAccess Labels Access Scope Denied Data Access Label> - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- Description string
- Optional. A description of the data access scope for a human reader.
- Display
Name string - Output only. The name to be used for display to customers of the data access scope.
- Instance string
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- Last
Editor string - Output only. The user who last updated the data access scope.
- Location string
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- Name string
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Update
Time string - Output only. The time at which the data access scope was last updated.
- Allow
All bool - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- Allowed
Data []DataAccess Labels Access Scope Allowed Data Access Label Args - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- string
- Output only. The user who created the data access scope.
- Create
Time string - Output only. The time at which the data access scope was created.
- Data
Access stringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- Denied
Data []DataAccess Labels Access Scope Denied Data Access Label Args - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- Description string
- Optional. A description of the data access scope for a human reader.
- Display
Name string - Output only. The name to be used for display to customers of the data access scope.
- Instance string
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- Last
Editor string - Output only. The user who last updated the data access scope.
- Location string
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- Name string
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Update
Time string - Output only. The time at which the data access scope was last updated.
- allow
All Boolean - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- allowed
Data List<DataAccess Labels Access Scope Allowed Data Access Label> - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- String
- Output only. The user who created the data access scope.
- create
Time String - Output only. The time at which the data access scope was created.
- data
Access StringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- denied
Data List<DataAccess Labels Access Scope Denied Data Access Label> - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- description String
- Optional. A description of the data access scope for a human reader.
- display
Name String - Output only. The name to be used for display to customers of the data access scope.
- instance String
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- last
Editor String - Output only. The user who last updated the data access scope.
- location String
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- name String
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- update
Time String - Output only. The time at which the data access scope was last updated.
- allow
All boolean - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- allowed
Data DataAccess Labels Access Scope Allowed Data Access Label[] - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- string
- Output only. The user who created the data access scope.
- create
Time string - Output only. The time at which the data access scope was created.
- data
Access stringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- denied
Data DataAccess Labels Access Scope Denied Data Access Label[] - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- description string
- Optional. A description of the data access scope for a human reader.
- display
Name string - Output only. The name to be used for display to customers of the data access scope.
- instance string
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- last
Editor string - Output only. The user who last updated the data access scope.
- location string
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- name string
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- update
Time string - Output only. The time at which the data access scope was last updated.
- allow_
all bool - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- allowed_
data_ Sequence[Dataaccess_ labels Access Scope Allowed Data Access Label Args] - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- str
- Output only. The user who created the data access scope.
- create_
time str - Output only. The time at which the data access scope was created.
- data_
access_ strscope_ id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- denied_
data_ Sequence[Dataaccess_ labels Access Scope Denied Data Access Label Args] - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- description str
- Optional. A description of the data access scope for a human reader.
- display_
name str - Output only. The name to be used for display to customers of the data access scope.
- instance str
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- last_
editor str - Output only. The user who last updated the data access scope.
- location str
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- name str
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- update_
time str - Output only. The time at which the data access scope was last updated.
- allow
All Boolean - Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B.
- allowed
Data List<Property Map>Access Labels - The allowed labels for the scope. There has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. Either allow_all or allowed_data_access_labels needs to be provided. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). Structure is documented below.
- String
- Output only. The user who created the data access scope.
- create
Time String - Output only. The time at which the data access scope was created.
- data
Access StringScope Id - Required. The user provided scope id which will become the last part of the name
of the scope resource.
Needs to be compliant with https://google.aip.dev/122
- denied
Data List<Property Map>Access Labels - Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. Structure is documented below.
- description String
- Optional. A description of the data access scope for a human reader.
- display
Name String - Output only. The name to be used for display to customers of the data access scope.
- instance String
- The unique identifier for the Chronicle instance, which is the same as the customer ID.
- last
Editor String - Output only. The user who last updated the data access scope.
- location String
- The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2".
- name String
- The unique full name of the data access scope. This unique identifier is generated using values provided for the URL parameters. Format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{data_access_scope_id}
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- update
Time String - Output only. The time at which the data access scope was last updated.
Supporting Types
DataAccessScopeAllowedDataAccessLabel, DataAccessScopeAllowedDataAccessLabelArgs
- Asset
Namespace string - The asset namespace configured in the forwarder of the customer's events.
- Data
Access stringLabel - The name of the data access label.
- Display
Name string - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- Ingestion
Label DataAccess Scope Allowed Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- Log
Type string - The name of the log type.
- Asset
Namespace string - The asset namespace configured in the forwarder of the customer's events.
- Data
Access stringLabel - The name of the data access label.
- Display
Name string - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- Ingestion
Label DataAccess Scope Allowed Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- Log
Type string - The name of the log type.
- asset
Namespace String - The asset namespace configured in the forwarder of the customer's events.
- data
Access StringLabel - The name of the data access label.
- display
Name String - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- ingestion
Label DataAccess Scope Allowed Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- log
Type String - The name of the log type.
- asset
Namespace string - The asset namespace configured in the forwarder of the customer's events.
- data
Access stringLabel - The name of the data access label.
- display
Name string - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- ingestion
Label DataAccess Scope Allowed Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- log
Type string - The name of the log type.
- asset_
namespace str - The asset namespace configured in the forwarder of the customer's events.
- data_
access_ strlabel - The name of the data access label.
- display_
name str - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- ingestion_
label DataAccess Scope Allowed Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- log_
type str - The name of the log type.
- asset
Namespace String - The asset namespace configured in the forwarder of the customer's events.
- data
Access StringLabel - The name of the data access label.
- display
Name String - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- ingestion
Label Property Map - Representation of an ingestion label type. Structure is documented below.
- log
Type String - The name of the log type.
DataAccessScopeAllowedDataAccessLabelIngestionLabel, DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs
- Ingestion
Label stringKey - Required. The key of the ingestion label. Always required.
- Ingestion
Label stringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- Ingestion
Label stringKey - Required. The key of the ingestion label. Always required.
- Ingestion
Label stringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- ingestion
Label StringKey - Required. The key of the ingestion label. Always required.
- ingestion
Label StringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- ingestion
Label stringKey - Required. The key of the ingestion label. Always required.
- ingestion
Label stringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- ingestion_
label_ strkey - Required. The key of the ingestion label. Always required.
- ingestion_
label_ strvalue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- ingestion
Label StringKey - Required. The key of the ingestion label. Always required.
- ingestion
Label StringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
DataAccessScopeDeniedDataAccessLabel, DataAccessScopeDeniedDataAccessLabelArgs
- Asset
Namespace string - The asset namespace configured in the forwarder of the customer's events.
- Data
Access stringLabel - The name of the data access label.
- Display
Name string - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- Ingestion
Label DataAccess Scope Denied Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- Log
Type string - The name of the log type.
- Asset
Namespace string - The asset namespace configured in the forwarder of the customer's events.
- Data
Access stringLabel - The name of the data access label.
- Display
Name string - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- Ingestion
Label DataAccess Scope Denied Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- Log
Type string - The name of the log type.
- asset
Namespace String - The asset namespace configured in the forwarder of the customer's events.
- data
Access StringLabel - The name of the data access label.
- display
Name String - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- ingestion
Label DataAccess Scope Denied Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- log
Type String - The name of the log type.
- asset
Namespace string - The asset namespace configured in the forwarder of the customer's events.
- data
Access stringLabel - The name of the data access label.
- display
Name string - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- ingestion
Label DataAccess Scope Denied Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- log
Type string - The name of the log type.
- asset_
namespace str - The asset namespace configured in the forwarder of the customer's events.
- data_
access_ strlabel - The name of the data access label.
- display_
name str - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- ingestion_
label DataAccess Scope Denied Data Access Label Ingestion Label - Representation of an ingestion label type. Structure is documented below.
- log_
type str - The name of the log type.
- asset
Namespace String - The asset namespace configured in the forwarder of the customer's events.
- data
Access StringLabel - The name of the data access label.
- display
Name String - (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple.
- ingestion
Label Property Map - Representation of an ingestion label type. Structure is documented below.
- log
Type String - The name of the log type.
DataAccessScopeDeniedDataAccessLabelIngestionLabel, DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs
- Ingestion
Label stringKey - Required. The key of the ingestion label. Always required.
- Ingestion
Label stringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- Ingestion
Label stringKey - Required. The key of the ingestion label. Always required.
- Ingestion
Label stringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- ingestion
Label StringKey - Required. The key of the ingestion label. Always required.
- ingestion
Label StringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- ingestion
Label stringKey - Required. The key of the ingestion label. Always required.
- ingestion
Label stringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- ingestion_
label_ strkey - Required. The key of the ingestion label. Always required.
- ingestion_
label_ strvalue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
- ingestion
Label StringKey - Required. The key of the ingestion label. Always required.
- ingestion
Label StringValue - Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value.
Import
DataAccessScope can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/instances/{{instance}}/dataAccessScopes/{{data_access_scope_id}}{{project}}/{{location}}/{{instance}}/{{data_access_scope_id}}{{location}}/{{instance}}/{{data_access_scope_id}}
When using the pulumi import command, DataAccessScope can be imported using one of the formats above. For example:
$ pulumi import gcp:chronicle/dataAccessScope:DataAccessScope default projects/{{project}}/locations/{{location}}/instances/{{instance}}/dataAccessScopes/{{data_access_scope_id}}
$ pulumi import gcp:chronicle/dataAccessScope:DataAccessScope default {{project}}/{{location}}/{{instance}}/{{data_access_scope_id}}
$ pulumi import gcp:chronicle/dataAccessScope:DataAccessScope default {{location}}/{{instance}}/{{data_access_scope_id}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.