The gcp:dataloss/preventionInspectTemplate:PreventionInspectTemplate resource, part of the Pulumi GCP provider, defines reusable DLP inspection configurations: which sensitive data types to detect, how to filter results, and how to adjust detection confidence. This guide focuses on three capabilities: built-in info type detection with exclusion rules, custom regex-based patterns, and surrogate type tracking.
Inspect templates define detection rules but don’t scan data themselves. They’re referenced by DLP jobs that inspect BigQuery tables, Cloud Storage buckets, or Datastore entities. The examples are intentionally small. Combine them with DLP job resources to scan actual data sources.
Detect built-in sensitive data types with exclusion rules
Most DLP workflows scan for built-in sensitive data types like email addresses, phone numbers, and names, while excluding known safe patterns.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basic = new gcp.dataloss.PreventionInspectTemplate("basic", {
parent: "projects/my-project-name",
description: "My description",
displayName: "display_name",
inspectConfig: {
infoTypes: [
{
name: "EMAIL_ADDRESS",
},
{
name: "PERSON_NAME",
},
{
name: "LAST_NAME",
},
{
name: "DOMAIN_NAME",
},
{
name: "PHONE_NUMBER",
},
{
name: "FIRST_NAME",
},
],
minLikelihood: "UNLIKELY",
ruleSets: [
{
infoTypes: [{
name: "EMAIL_ADDRESS",
}],
rules: [{
exclusionRule: {
regex: {
pattern: ".+@example.com",
},
matchingType: "MATCHING_TYPE_FULL_MATCH",
},
}],
},
{
infoTypes: [
{
name: "EMAIL_ADDRESS",
},
{
name: "DOMAIN_NAME",
},
{
name: "PHONE_NUMBER",
},
{
name: "PERSON_NAME",
},
{
name: "FIRST_NAME",
},
],
rules: [{
exclusionRule: {
dictionary: {
wordList: {
words: ["TEST"],
},
},
matchingType: "MATCHING_TYPE_PARTIAL_MATCH",
},
}],
},
{
infoTypes: [{
name: "PERSON_NAME",
}],
rules: [{
hotwordRule: {
hotwordRegex: {
pattern: "patient",
},
proximity: {
windowBefore: 50,
},
likelihoodAdjustment: {
fixedLikelihood: "VERY_LIKELY",
},
},
}],
},
],
limits: {
maxFindingsPerItem: 10,
maxFindingsPerRequest: 50,
maxFindingsPerInfoTypes: [
{
maxFindings: 75,
infoType: {
name: "PERSON_NAME",
},
},
{
maxFindings: 80,
infoType: {
name: "LAST_NAME",
},
},
],
},
},
});
import pulumi
import pulumi_gcp as gcp
basic = gcp.dataloss.PreventionInspectTemplate("basic",
parent="projects/my-project-name",
description="My description",
display_name="display_name",
inspect_config={
"info_types": [
{
"name": "EMAIL_ADDRESS",
},
{
"name": "PERSON_NAME",
},
{
"name": "LAST_NAME",
},
{
"name": "DOMAIN_NAME",
},
{
"name": "PHONE_NUMBER",
},
{
"name": "FIRST_NAME",
},
],
"min_likelihood": "UNLIKELY",
"rule_sets": [
{
"info_types": [{
"name": "EMAIL_ADDRESS",
}],
"rules": [{
"exclusion_rule": {
"regex": {
"pattern": ".+@example.com",
},
"matching_type": "MATCHING_TYPE_FULL_MATCH",
},
}],
},
{
"info_types": [
{
"name": "EMAIL_ADDRESS",
},
{
"name": "DOMAIN_NAME",
},
{
"name": "PHONE_NUMBER",
},
{
"name": "PERSON_NAME",
},
{
"name": "FIRST_NAME",
},
],
"rules": [{
"exclusion_rule": {
"dictionary": {
"word_list": {
"words": ["TEST"],
},
},
"matching_type": "MATCHING_TYPE_PARTIAL_MATCH",
},
}],
},
{
"info_types": [{
"name": "PERSON_NAME",
}],
"rules": [{
"hotword_rule": {
"hotword_regex": {
"pattern": "patient",
},
"proximity": {
"window_before": 50,
},
"likelihood_adjustment": {
"fixed_likelihood": "VERY_LIKELY",
},
},
}],
},
],
"limits": {
"max_findings_per_item": 10,
"max_findings_per_request": 50,
"max_findings_per_info_types": [
{
"max_findings": 75,
"info_type": {
"name": "PERSON_NAME",
},
},
{
"max_findings": 80,
"info_type": {
"name": "LAST_NAME",
},
},
],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataloss"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataloss.NewPreventionInspectTemplate(ctx, "basic", &dataloss.PreventionInspectTemplateArgs{
Parent: pulumi.String("projects/my-project-name"),
Description: pulumi.String("My description"),
DisplayName: pulumi.String("display_name"),
InspectConfig: &dataloss.PreventionInspectTemplateInspectConfigArgs{
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigInfoTypeArgs{
Name: pulumi.String("EMAIL_ADDRESS"),
},
&dataloss.PreventionInspectTemplateInspectConfigInfoTypeArgs{
Name: pulumi.String("PERSON_NAME"),
},
&dataloss.PreventionInspectTemplateInspectConfigInfoTypeArgs{
Name: pulumi.String("LAST_NAME"),
},
&dataloss.PreventionInspectTemplateInspectConfigInfoTypeArgs{
Name: pulumi.String("DOMAIN_NAME"),
},
&dataloss.PreventionInspectTemplateInspectConfigInfoTypeArgs{
Name: pulumi.String("PHONE_NUMBER"),
},
&dataloss.PreventionInspectTemplateInspectConfigInfoTypeArgs{
Name: pulumi.String("FIRST_NAME"),
},
},
MinLikelihood: pulumi.String("UNLIKELY"),
RuleSets: dataloss.PreventionInspectTemplateInspectConfigRuleSetArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetArgs{
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("EMAIL_ADDRESS"),
},
},
Rules: dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArgs{
ExclusionRule: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs{
Regex: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs{
Pattern: pulumi.String(".+@example.com"),
},
MatchingType: pulumi.String("MATCHING_TYPE_FULL_MATCH"),
},
},
},
},
&dataloss.PreventionInspectTemplateInspectConfigRuleSetArgs{
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("EMAIL_ADDRESS"),
},
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("DOMAIN_NAME"),
},
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("PHONE_NUMBER"),
},
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("PERSON_NAME"),
},
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("FIRST_NAME"),
},
},
Rules: dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArgs{
ExclusionRule: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs{
Dictionary: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleDictionaryArgs{
WordList: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleDictionaryWordListArgs{
Words: pulumi.StringArray{
pulumi.String("TEST"),
},
},
},
MatchingType: pulumi.String("MATCHING_TYPE_PARTIAL_MATCH"),
},
},
},
},
&dataloss.PreventionInspectTemplateInspectConfigRuleSetArgs{
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("PERSON_NAME"),
},
},
Rules: dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArgs{
HotwordRule: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs{
HotwordRegex: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs{
Pattern: pulumi.String("patient"),
},
Proximity: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs{
WindowBefore: pulumi.Int(50),
},
LikelihoodAdjustment: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs{
FixedLikelihood: pulumi.String("VERY_LIKELY"),
},
},
},
},
},
},
Limits: &dataloss.PreventionInspectTemplateInspectConfigLimitsArgs{
MaxFindingsPerItem: pulumi.Int(10),
MaxFindingsPerRequest: pulumi.Int(50),
MaxFindingsPerInfoTypes: dataloss.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeArgs{
MaxFindings: pulumi.Int(75),
InfoType: &dataloss.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeInfoTypeArgs{
Name: pulumi.String("PERSON_NAME"),
},
},
&dataloss.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeArgs{
MaxFindings: pulumi.Int(80),
InfoType: &dataloss.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeInfoTypeArgs{
Name: pulumi.String("LAST_NAME"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basic = new Gcp.DataLoss.PreventionInspectTemplate("basic", new()
{
Parent = "projects/my-project-name",
Description = "My description",
DisplayName = "display_name",
InspectConfig = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigArgs
{
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigInfoTypeArgs
{
Name = "EMAIL_ADDRESS",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigInfoTypeArgs
{
Name = "PERSON_NAME",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigInfoTypeArgs
{
Name = "LAST_NAME",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigInfoTypeArgs
{
Name = "DOMAIN_NAME",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigInfoTypeArgs
{
Name = "PHONE_NUMBER",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigInfoTypeArgs
{
Name = "FIRST_NAME",
},
},
MinLikelihood = "UNLIKELY",
RuleSets = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetArgs
{
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "EMAIL_ADDRESS",
},
},
Rules = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleArgs
{
ExclusionRule = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs
{
Regex = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs
{
Pattern = ".+@example.com",
},
MatchingType = "MATCHING_TYPE_FULL_MATCH",
},
},
},
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetArgs
{
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "EMAIL_ADDRESS",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "DOMAIN_NAME",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "PHONE_NUMBER",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "PERSON_NAME",
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "FIRST_NAME",
},
},
Rules = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleArgs
{
ExclusionRule = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs
{
Dictionary = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleDictionaryArgs
{
WordList = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleDictionaryWordListArgs
{
Words = new[]
{
"TEST",
},
},
},
MatchingType = "MATCHING_TYPE_PARTIAL_MATCH",
},
},
},
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetArgs
{
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "PERSON_NAME",
},
},
Rules = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleArgs
{
HotwordRule = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs
{
HotwordRegex = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs
{
Pattern = "patient",
},
Proximity = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs
{
WindowBefore = 50,
},
LikelihoodAdjustment = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs
{
FixedLikelihood = "VERY_LIKELY",
},
},
},
},
},
},
Limits = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigLimitsArgs
{
MaxFindingsPerItem = 10,
MaxFindingsPerRequest = 50,
MaxFindingsPerInfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeArgs
{
MaxFindings = 75,
InfoType = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeInfoTypeArgs
{
Name = "PERSON_NAME",
},
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeArgs
{
MaxFindings = 80,
InfoType = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeInfoTypeArgs
{
Name = "LAST_NAME",
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataloss.PreventionInspectTemplate;
import com.pulumi.gcp.dataloss.PreventionInspectTemplateArgs;
import com.pulumi.gcp.dataloss.inputs.PreventionInspectTemplateInspectConfigArgs;
import com.pulumi.gcp.dataloss.inputs.PreventionInspectTemplateInspectConfigLimitsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basic = new PreventionInspectTemplate("basic", PreventionInspectTemplateArgs.builder()
.parent("projects/my-project-name")
.description("My description")
.displayName("display_name")
.inspectConfig(PreventionInspectTemplateInspectConfigArgs.builder()
.infoTypes(
PreventionInspectTemplateInspectConfigInfoTypeArgs.builder()
.name("EMAIL_ADDRESS")
.build(),
PreventionInspectTemplateInspectConfigInfoTypeArgs.builder()
.name("PERSON_NAME")
.build(),
PreventionInspectTemplateInspectConfigInfoTypeArgs.builder()
.name("LAST_NAME")
.build(),
PreventionInspectTemplateInspectConfigInfoTypeArgs.builder()
.name("DOMAIN_NAME")
.build(),
PreventionInspectTemplateInspectConfigInfoTypeArgs.builder()
.name("PHONE_NUMBER")
.build(),
PreventionInspectTemplateInspectConfigInfoTypeArgs.builder()
.name("FIRST_NAME")
.build())
.minLikelihood("UNLIKELY")
.ruleSets(
PreventionInspectTemplateInspectConfigRuleSetArgs.builder()
.infoTypes(PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("EMAIL_ADDRESS")
.build())
.rules(PreventionInspectTemplateInspectConfigRuleSetRuleArgs.builder()
.exclusionRule(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs.builder()
.regex(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs.builder()
.pattern(".+@example.com")
.build())
.matchingType("MATCHING_TYPE_FULL_MATCH")
.build())
.build())
.build(),
PreventionInspectTemplateInspectConfigRuleSetArgs.builder()
.infoTypes(
PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("EMAIL_ADDRESS")
.build(),
PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("DOMAIN_NAME")
.build(),
PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("PHONE_NUMBER")
.build(),
PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("PERSON_NAME")
.build(),
PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("FIRST_NAME")
.build())
.rules(PreventionInspectTemplateInspectConfigRuleSetRuleArgs.builder()
.exclusionRule(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs.builder()
.dictionary(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleDictionaryArgs.builder()
.wordList(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleDictionaryWordListArgs.builder()
.words("TEST")
.build())
.build())
.matchingType("MATCHING_TYPE_PARTIAL_MATCH")
.build())
.build())
.build(),
PreventionInspectTemplateInspectConfigRuleSetArgs.builder()
.infoTypes(PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("PERSON_NAME")
.build())
.rules(PreventionInspectTemplateInspectConfigRuleSetRuleArgs.builder()
.hotwordRule(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs.builder()
.hotwordRegex(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs.builder()
.pattern("patient")
.build())
.proximity(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs.builder()
.windowBefore(50)
.build())
.likelihoodAdjustment(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs.builder()
.fixedLikelihood("VERY_LIKELY")
.build())
.build())
.build())
.build())
.limits(PreventionInspectTemplateInspectConfigLimitsArgs.builder()
.maxFindingsPerItem(10)
.maxFindingsPerRequest(50)
.maxFindingsPerInfoTypes(
PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeArgs.builder()
.maxFindings(75)
.infoType(PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeInfoTypeArgs.builder()
.name("PERSON_NAME")
.build())
.build(),
PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeArgs.builder()
.maxFindings(80)
.infoType(PreventionInspectTemplateInspectConfigLimitsMaxFindingsPerInfoTypeInfoTypeArgs.builder()
.name("LAST_NAME")
.build())
.build())
.build())
.build())
.build());
}
}
resources:
basic:
type: gcp:dataloss:PreventionInspectTemplate
properties:
parent: projects/my-project-name
description: My description
displayName: display_name
inspectConfig:
infoTypes:
- name: EMAIL_ADDRESS
- name: PERSON_NAME
- name: LAST_NAME
- name: DOMAIN_NAME
- name: PHONE_NUMBER
- name: FIRST_NAME
minLikelihood: UNLIKELY
ruleSets:
- infoTypes:
- name: EMAIL_ADDRESS
rules:
- exclusionRule:
regex:
pattern: .+@example.com
matchingType: MATCHING_TYPE_FULL_MATCH
- infoTypes:
- name: EMAIL_ADDRESS
- name: DOMAIN_NAME
- name: PHONE_NUMBER
- name: PERSON_NAME
- name: FIRST_NAME
rules:
- exclusionRule:
dictionary:
wordList:
words:
- TEST
matchingType: MATCHING_TYPE_PARTIAL_MATCH
- infoTypes:
- name: PERSON_NAME
rules:
- hotwordRule:
hotwordRegex:
pattern: patient
proximity:
windowBefore: 50
likelihoodAdjustment:
fixedLikelihood: VERY_LIKELY
limits:
maxFindingsPerItem: 10
maxFindingsPerRequest: 50
maxFindingsPerInfoTypes:
- maxFindings: '75'
infoType:
name: PERSON_NAME
- maxFindings: '80'
infoType:
name: LAST_NAME
The infoTypes array specifies which built-in detectors to use (EMAIL_ADDRESS, PERSON_NAME, etc.). The minLikelihood property sets the confidence threshold; only findings above this level are reported. Rule sets let you exclude patterns (like internal email domains via exclusionRule) or boost confidence when keywords appear nearby (via hotwordRule). The limits block caps how many findings are returned per item, request, or info type to control scan costs and output size.
Define custom patterns with regex-based detection
When built-in detectors don’t cover organization-specific formats, you can define custom info types using regular expressions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const custom = new gcp.dataloss.PreventionInspectTemplate("custom", {
parent: "projects/my-project-name",
description: "My description",
displayName: "display_name",
inspectConfig: {
customInfoTypes: [{
infoType: {
name: "MY_CUSTOM_TYPE",
},
likelihood: "UNLIKELY",
regex: {
pattern: "test*",
},
}],
infoTypes: [{
name: "EMAIL_ADDRESS",
}],
minLikelihood: "UNLIKELY",
ruleSets: [
{
infoTypes: [{
name: "EMAIL_ADDRESS",
}],
rules: [{
exclusionRule: {
regex: {
pattern: ".+@example.com",
},
matchingType: "MATCHING_TYPE_FULL_MATCH",
},
}],
},
{
infoTypes: [{
name: "MY_CUSTOM_TYPE",
}],
rules: [{
hotwordRule: {
hotwordRegex: {
pattern: "example*",
},
proximity: {
windowBefore: 50,
},
likelihoodAdjustment: {
fixedLikelihood: "VERY_LIKELY",
},
},
}],
},
],
limits: {
maxFindingsPerItem: 10,
maxFindingsPerRequest: 50,
},
},
});
import pulumi
import pulumi_gcp as gcp
custom = gcp.dataloss.PreventionInspectTemplate("custom",
parent="projects/my-project-name",
description="My description",
display_name="display_name",
inspect_config={
"custom_info_types": [{
"info_type": {
"name": "MY_CUSTOM_TYPE",
},
"likelihood": "UNLIKELY",
"regex": {
"pattern": "test*",
},
}],
"info_types": [{
"name": "EMAIL_ADDRESS",
}],
"min_likelihood": "UNLIKELY",
"rule_sets": [
{
"info_types": [{
"name": "EMAIL_ADDRESS",
}],
"rules": [{
"exclusion_rule": {
"regex": {
"pattern": ".+@example.com",
},
"matching_type": "MATCHING_TYPE_FULL_MATCH",
},
}],
},
{
"info_types": [{
"name": "MY_CUSTOM_TYPE",
}],
"rules": [{
"hotword_rule": {
"hotword_regex": {
"pattern": "example*",
},
"proximity": {
"window_before": 50,
},
"likelihood_adjustment": {
"fixed_likelihood": "VERY_LIKELY",
},
},
}],
},
],
"limits": {
"max_findings_per_item": 10,
"max_findings_per_request": 50,
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataloss"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataloss.NewPreventionInspectTemplate(ctx, "custom", &dataloss.PreventionInspectTemplateArgs{
Parent: pulumi.String("projects/my-project-name"),
Description: pulumi.String("My description"),
DisplayName: pulumi.String("display_name"),
InspectConfig: &dataloss.PreventionInspectTemplateInspectConfigArgs{
CustomInfoTypes: dataloss.PreventionInspectTemplateInspectConfigCustomInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigCustomInfoTypeArgs{
InfoType: &dataloss.PreventionInspectTemplateInspectConfigCustomInfoTypeInfoTypeArgs{
Name: pulumi.String("MY_CUSTOM_TYPE"),
},
Likelihood: pulumi.String("UNLIKELY"),
Regex: &dataloss.PreventionInspectTemplateInspectConfigCustomInfoTypeRegexArgs{
Pattern: pulumi.String("test*"),
},
},
},
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigInfoTypeArgs{
Name: pulumi.String("EMAIL_ADDRESS"),
},
},
MinLikelihood: pulumi.String("UNLIKELY"),
RuleSets: dataloss.PreventionInspectTemplateInspectConfigRuleSetArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetArgs{
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("EMAIL_ADDRESS"),
},
},
Rules: dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArgs{
ExclusionRule: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs{
Regex: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs{
Pattern: pulumi.String(".+@example.com"),
},
MatchingType: pulumi.String("MATCHING_TYPE_FULL_MATCH"),
},
},
},
},
&dataloss.PreventionInspectTemplateInspectConfigRuleSetArgs{
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("MY_CUSTOM_TYPE"),
},
},
Rules: dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArgs{
HotwordRule: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs{
HotwordRegex: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs{
Pattern: pulumi.String("example*"),
},
Proximity: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs{
WindowBefore: pulumi.Int(50),
},
LikelihoodAdjustment: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs{
FixedLikelihood: pulumi.String("VERY_LIKELY"),
},
},
},
},
},
},
Limits: &dataloss.PreventionInspectTemplateInspectConfigLimitsArgs{
MaxFindingsPerItem: pulumi.Int(10),
MaxFindingsPerRequest: pulumi.Int(50),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var custom = new Gcp.DataLoss.PreventionInspectTemplate("custom", new()
{
Parent = "projects/my-project-name",
Description = "My description",
DisplayName = "display_name",
InspectConfig = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigArgs
{
CustomInfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigCustomInfoTypeArgs
{
InfoType = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigCustomInfoTypeInfoTypeArgs
{
Name = "MY_CUSTOM_TYPE",
},
Likelihood = "UNLIKELY",
Regex = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigCustomInfoTypeRegexArgs
{
Pattern = "test*",
},
},
},
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigInfoTypeArgs
{
Name = "EMAIL_ADDRESS",
},
},
MinLikelihood = "UNLIKELY",
RuleSets = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetArgs
{
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "EMAIL_ADDRESS",
},
},
Rules = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleArgs
{
ExclusionRule = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs
{
Regex = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs
{
Pattern = ".+@example.com",
},
MatchingType = "MATCHING_TYPE_FULL_MATCH",
},
},
},
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetArgs
{
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "MY_CUSTOM_TYPE",
},
},
Rules = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleArgs
{
HotwordRule = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs
{
HotwordRegex = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs
{
Pattern = "example*",
},
Proximity = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs
{
WindowBefore = 50,
},
LikelihoodAdjustment = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs
{
FixedLikelihood = "VERY_LIKELY",
},
},
},
},
},
},
Limits = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigLimitsArgs
{
MaxFindingsPerItem = 10,
MaxFindingsPerRequest = 50,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataloss.PreventionInspectTemplate;
import com.pulumi.gcp.dataloss.PreventionInspectTemplateArgs;
import com.pulumi.gcp.dataloss.inputs.PreventionInspectTemplateInspectConfigArgs;
import com.pulumi.gcp.dataloss.inputs.PreventionInspectTemplateInspectConfigLimitsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var custom = new PreventionInspectTemplate("custom", PreventionInspectTemplateArgs.builder()
.parent("projects/my-project-name")
.description("My description")
.displayName("display_name")
.inspectConfig(PreventionInspectTemplateInspectConfigArgs.builder()
.customInfoTypes(PreventionInspectTemplateInspectConfigCustomInfoTypeArgs.builder()
.infoType(PreventionInspectTemplateInspectConfigCustomInfoTypeInfoTypeArgs.builder()
.name("MY_CUSTOM_TYPE")
.build())
.likelihood("UNLIKELY")
.regex(PreventionInspectTemplateInspectConfigCustomInfoTypeRegexArgs.builder()
.pattern("test*")
.build())
.build())
.infoTypes(PreventionInspectTemplateInspectConfigInfoTypeArgs.builder()
.name("EMAIL_ADDRESS")
.build())
.minLikelihood("UNLIKELY")
.ruleSets(
PreventionInspectTemplateInspectConfigRuleSetArgs.builder()
.infoTypes(PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("EMAIL_ADDRESS")
.build())
.rules(PreventionInspectTemplateInspectConfigRuleSetRuleArgs.builder()
.exclusionRule(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs.builder()
.regex(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs.builder()
.pattern(".+@example.com")
.build())
.matchingType("MATCHING_TYPE_FULL_MATCH")
.build())
.build())
.build(),
PreventionInspectTemplateInspectConfigRuleSetArgs.builder()
.infoTypes(PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("MY_CUSTOM_TYPE")
.build())
.rules(PreventionInspectTemplateInspectConfigRuleSetRuleArgs.builder()
.hotwordRule(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs.builder()
.hotwordRegex(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs.builder()
.pattern("example*")
.build())
.proximity(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs.builder()
.windowBefore(50)
.build())
.likelihoodAdjustment(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs.builder()
.fixedLikelihood("VERY_LIKELY")
.build())
.build())
.build())
.build())
.limits(PreventionInspectTemplateInspectConfigLimitsArgs.builder()
.maxFindingsPerItem(10)
.maxFindingsPerRequest(50)
.build())
.build())
.build());
}
}
resources:
custom:
type: gcp:dataloss:PreventionInspectTemplate
properties:
parent: projects/my-project-name
description: My description
displayName: display_name
inspectConfig:
customInfoTypes:
- infoType:
name: MY_CUSTOM_TYPE
likelihood: UNLIKELY
regex:
pattern: test*
infoTypes:
- name: EMAIL_ADDRESS
minLikelihood: UNLIKELY
ruleSets:
- infoTypes:
- name: EMAIL_ADDRESS
rules:
- exclusionRule:
regex:
pattern: .+@example.com
matchingType: MATCHING_TYPE_FULL_MATCH
- infoTypes:
- name: MY_CUSTOM_TYPE
rules:
- hotwordRule:
hotwordRegex:
pattern: example*
proximity:
windowBefore: 50
likelihoodAdjustment:
fixedLikelihood: VERY_LIKELY
limits:
maxFindingsPerItem: 10
maxFindingsPerRequest: 50
The customInfoTypes array defines patterns not covered by built-in detectors. Each custom type specifies a regex pattern and a likelihood level. You can apply the same rule sets (exclusions, hotword adjustments) to custom types as you do to built-in ones. This example combines a custom “MY_CUSTOM_TYPE” detector with standard EMAIL_ADDRESS detection.
Detect previously de-identified surrogate values
After de-identifying data with surrogate markers, you may need to scan for those markers in downstream systems.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const customTypeSurrogate = new gcp.dataloss.PreventionInspectTemplate("custom_type_surrogate", {
parent: "projects/my-project-name",
description: "My description",
displayName: "display_name",
inspectConfig: {
customInfoTypes: [{
infoType: {
name: "MY_CUSTOM_TYPE",
},
likelihood: "UNLIKELY",
surrogateType: {},
}],
infoTypes: [{
name: "EMAIL_ADDRESS",
}],
minLikelihood: "UNLIKELY",
ruleSets: [
{
infoTypes: [{
name: "EMAIL_ADDRESS",
}],
rules: [{
exclusionRule: {
regex: {
pattern: ".+@example.com",
},
matchingType: "MATCHING_TYPE_FULL_MATCH",
},
}],
},
{
infoTypes: [{
name: "MY_CUSTOM_TYPE",
}],
rules: [{
hotwordRule: {
hotwordRegex: {
pattern: "example*",
},
proximity: {
windowBefore: 50,
},
likelihoodAdjustment: {
fixedLikelihood: "VERY_LIKELY",
},
},
}],
},
],
limits: {
maxFindingsPerItem: 10,
maxFindingsPerRequest: 50,
},
},
});
import pulumi
import pulumi_gcp as gcp
custom_type_surrogate = gcp.dataloss.PreventionInspectTemplate("custom_type_surrogate",
parent="projects/my-project-name",
description="My description",
display_name="display_name",
inspect_config={
"custom_info_types": [{
"info_type": {
"name": "MY_CUSTOM_TYPE",
},
"likelihood": "UNLIKELY",
"surrogate_type": {},
}],
"info_types": [{
"name": "EMAIL_ADDRESS",
}],
"min_likelihood": "UNLIKELY",
"rule_sets": [
{
"info_types": [{
"name": "EMAIL_ADDRESS",
}],
"rules": [{
"exclusion_rule": {
"regex": {
"pattern": ".+@example.com",
},
"matching_type": "MATCHING_TYPE_FULL_MATCH",
},
}],
},
{
"info_types": [{
"name": "MY_CUSTOM_TYPE",
}],
"rules": [{
"hotword_rule": {
"hotword_regex": {
"pattern": "example*",
},
"proximity": {
"window_before": 50,
},
"likelihood_adjustment": {
"fixed_likelihood": "VERY_LIKELY",
},
},
}],
},
],
"limits": {
"max_findings_per_item": 10,
"max_findings_per_request": 50,
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataloss"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataloss.NewPreventionInspectTemplate(ctx, "custom_type_surrogate", &dataloss.PreventionInspectTemplateArgs{
Parent: pulumi.String("projects/my-project-name"),
Description: pulumi.String("My description"),
DisplayName: pulumi.String("display_name"),
InspectConfig: &dataloss.PreventionInspectTemplateInspectConfigArgs{
CustomInfoTypes: dataloss.PreventionInspectTemplateInspectConfigCustomInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigCustomInfoTypeArgs{
InfoType: &dataloss.PreventionInspectTemplateInspectConfigCustomInfoTypeInfoTypeArgs{
Name: pulumi.String("MY_CUSTOM_TYPE"),
},
Likelihood: pulumi.String("UNLIKELY"),
SurrogateType: &dataloss.PreventionInspectTemplateInspectConfigCustomInfoTypeSurrogateTypeArgs{},
},
},
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigInfoTypeArgs{
Name: pulumi.String("EMAIL_ADDRESS"),
},
},
MinLikelihood: pulumi.String("UNLIKELY"),
RuleSets: dataloss.PreventionInspectTemplateInspectConfigRuleSetArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetArgs{
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("EMAIL_ADDRESS"),
},
},
Rules: dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArgs{
ExclusionRule: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs{
Regex: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs{
Pattern: pulumi.String(".+@example.com"),
},
MatchingType: pulumi.String("MATCHING_TYPE_FULL_MATCH"),
},
},
},
},
&dataloss.PreventionInspectTemplateInspectConfigRuleSetArgs{
InfoTypes: dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs{
Name: pulumi.String("MY_CUSTOM_TYPE"),
},
},
Rules: dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArray{
&dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleArgs{
HotwordRule: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs{
HotwordRegex: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs{
Pattern: pulumi.String("example*"),
},
Proximity: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs{
WindowBefore: pulumi.Int(50),
},
LikelihoodAdjustment: &dataloss.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs{
FixedLikelihood: pulumi.String("VERY_LIKELY"),
},
},
},
},
},
},
Limits: &dataloss.PreventionInspectTemplateInspectConfigLimitsArgs{
MaxFindingsPerItem: pulumi.Int(10),
MaxFindingsPerRequest: pulumi.Int(50),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var customTypeSurrogate = new Gcp.DataLoss.PreventionInspectTemplate("custom_type_surrogate", new()
{
Parent = "projects/my-project-name",
Description = "My description",
DisplayName = "display_name",
InspectConfig = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigArgs
{
CustomInfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigCustomInfoTypeArgs
{
InfoType = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigCustomInfoTypeInfoTypeArgs
{
Name = "MY_CUSTOM_TYPE",
},
Likelihood = "UNLIKELY",
SurrogateType = null,
},
},
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigInfoTypeArgs
{
Name = "EMAIL_ADDRESS",
},
},
MinLikelihood = "UNLIKELY",
RuleSets = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetArgs
{
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "EMAIL_ADDRESS",
},
},
Rules = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleArgs
{
ExclusionRule = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs
{
Regex = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs
{
Pattern = ".+@example.com",
},
MatchingType = "MATCHING_TYPE_FULL_MATCH",
},
},
},
},
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetArgs
{
InfoTypes = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs
{
Name = "MY_CUSTOM_TYPE",
},
},
Rules = new[]
{
new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleArgs
{
HotwordRule = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs
{
HotwordRegex = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs
{
Pattern = "example*",
},
Proximity = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs
{
WindowBefore = 50,
},
LikelihoodAdjustment = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs
{
FixedLikelihood = "VERY_LIKELY",
},
},
},
},
},
},
Limits = new Gcp.DataLoss.Inputs.PreventionInspectTemplateInspectConfigLimitsArgs
{
MaxFindingsPerItem = 10,
MaxFindingsPerRequest = 50,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataloss.PreventionInspectTemplate;
import com.pulumi.gcp.dataloss.PreventionInspectTemplateArgs;
import com.pulumi.gcp.dataloss.inputs.PreventionInspectTemplateInspectConfigArgs;
import com.pulumi.gcp.dataloss.inputs.PreventionInspectTemplateInspectConfigLimitsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var customTypeSurrogate = new PreventionInspectTemplate("customTypeSurrogate", PreventionInspectTemplateArgs.builder()
.parent("projects/my-project-name")
.description("My description")
.displayName("display_name")
.inspectConfig(PreventionInspectTemplateInspectConfigArgs.builder()
.customInfoTypes(PreventionInspectTemplateInspectConfigCustomInfoTypeArgs.builder()
.infoType(PreventionInspectTemplateInspectConfigCustomInfoTypeInfoTypeArgs.builder()
.name("MY_CUSTOM_TYPE")
.build())
.likelihood("UNLIKELY")
.surrogateType(PreventionInspectTemplateInspectConfigCustomInfoTypeSurrogateTypeArgs.builder()
.build())
.build())
.infoTypes(PreventionInspectTemplateInspectConfigInfoTypeArgs.builder()
.name("EMAIL_ADDRESS")
.build())
.minLikelihood("UNLIKELY")
.ruleSets(
PreventionInspectTemplateInspectConfigRuleSetArgs.builder()
.infoTypes(PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("EMAIL_ADDRESS")
.build())
.rules(PreventionInspectTemplateInspectConfigRuleSetRuleArgs.builder()
.exclusionRule(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleArgs.builder()
.regex(PreventionInspectTemplateInspectConfigRuleSetRuleExclusionRuleRegexArgs.builder()
.pattern(".+@example.com")
.build())
.matchingType("MATCHING_TYPE_FULL_MATCH")
.build())
.build())
.build(),
PreventionInspectTemplateInspectConfigRuleSetArgs.builder()
.infoTypes(PreventionInspectTemplateInspectConfigRuleSetInfoTypeArgs.builder()
.name("MY_CUSTOM_TYPE")
.build())
.rules(PreventionInspectTemplateInspectConfigRuleSetRuleArgs.builder()
.hotwordRule(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleArgs.builder()
.hotwordRegex(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleHotwordRegexArgs.builder()
.pattern("example*")
.build())
.proximity(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleProximityArgs.builder()
.windowBefore(50)
.build())
.likelihoodAdjustment(PreventionInspectTemplateInspectConfigRuleSetRuleHotwordRuleLikelihoodAdjustmentArgs.builder()
.fixedLikelihood("VERY_LIKELY")
.build())
.build())
.build())
.build())
.limits(PreventionInspectTemplateInspectConfigLimitsArgs.builder()
.maxFindingsPerItem(10)
.maxFindingsPerRequest(50)
.build())
.build())
.build());
}
}
resources:
customTypeSurrogate:
type: gcp:dataloss:PreventionInspectTemplate
name: custom_type_surrogate
properties:
parent: projects/my-project-name
description: My description
displayName: display_name
inspectConfig:
customInfoTypes:
- infoType:
name: MY_CUSTOM_TYPE
likelihood: UNLIKELY
surrogateType: {}
infoTypes:
- name: EMAIL_ADDRESS
minLikelihood: UNLIKELY
ruleSets:
- infoTypes:
- name: EMAIL_ADDRESS
rules:
- exclusionRule:
regex:
pattern: .+@example.com
matchingType: MATCHING_TYPE_FULL_MATCH
- infoTypes:
- name: MY_CUSTOM_TYPE
rules:
- hotwordRule:
hotwordRegex:
pattern: example*
proximity:
windowBefore: 50
likelihoodAdjustment:
fixedLikelihood: VERY_LIKELY
limits:
maxFindingsPerItem: 10
maxFindingsPerRequest: 50
The surrogateType property (an empty object) tells DLP to detect surrogate tokens that replaced original sensitive values during de-identification. This is useful for tracking where de-identified data has propagated. Unlike regex-based custom types, surrogate types don’t define a pattern; they recognize the specific format DLP uses for surrogate markers.
Beyond these examples
These snippets focus on specific template-level features: built-in and custom info type detection, exclusion rules and hotword adjustments, and surrogate type tracking. They’re intentionally minimal rather than full DLP scanning solutions.
The examples require pre-existing infrastructure such as a GCP project with DLP API enabled. They focus on template configuration rather than the jobs that use these templates to scan data.
To keep things focused, common DLP patterns are omitted, including:
- Storage inspection (BigQuery, Cloud Storage, Datastore)
- Custom dictionaries and stored info types
- Template versioning and updates
- IAM permissions and service account configuration
These omissions are intentional: the goal is to illustrate how each template feature is wired, not provide drop-in scanning modules. See the DLP Inspect Template resource reference for all available configuration options.
Let's configure GCP Data Loss Prevention Inspect Templates
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Template Configuration & Immutability
What happens if I change the parent or templateId after creating the template?
Both
parent and templateId are immutable, so changing either forces resource replacement. Plan these values carefully during initial creation.What formats can I use for the parent parameter?
You can use four formats:
projects/{{project}}, projects/{{project}}/locations/{{location}}, organizations/{{organization_id}}, or organizations/{{organization_id}}/locations/{{location}}.Can I let GCP auto-generate the templateId?
Yes,
templateId can be empty to allow the system to generate one. Otherwise, it must match the regex [a-zA-Z\d-_]+ with a maximum length of 100 characters.Info Types & Detection
What's the difference between infoTypes and customInfoTypes?
infoTypes uses built-in detectors like EMAIL_ADDRESS or PERSON_NAME, while customInfoTypes lets you define custom detection patterns using regex or surrogateType.How do I create a custom info type?
Define a
customInfoType with an infoType.name and either a regex.pattern (e.g., test*) or an empty surrogateType object for detecting de-identified surrogate values.Rules & Exclusions
How do I exclude specific patterns from detection?
Use an
exclusionRule in ruleSets with either a regex.pattern (e.g., .+@example.com) or a dictionary.wordList containing words to exclude.What's a hotword rule and when should I use it?
A
hotwordRule boosts detection likelihood when specific keywords appear nearby. Configure hotwordRegex.pattern, proximity.windowBefore, and likelihoodAdjustment.fixedLikelihood to adjust confidence based on context.Limits & Thresholds
How do I limit the number of findings returned?
Configure
limits with maxFindingsPerItem, maxFindingsPerRequest, and optionally maxFindingsPerInfoTypes to set per-info-type limits.