Aquasec v0.8.27, Jan 29 24

Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

aquasec.EnforcerGroups

Explore with Pulumi AI

Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

Example Usage

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aquasec = Pulumiverse.Aquasec;

return await Deployment.RunAsync(() => 
{
    var @group = new Aquasec.EnforcerGroups("group", new()
    {
        AntivirusProtection = true,
        ContainerActivityProtection = true,
        ContainerAntivirusProtection = true,
        Enforce = true,
        Forensics = true,
        GroupId = "tf-test-enforcer",
        HostAssurance = true,
        HostForensics = true,
        HostNetworkProtection = true,
        HostProtection = true,
        ImageAssurance = true,
        NetworkProtection = true,
        Orchestrators = new[]
        {
            null,
        },
        RiskExplorerAutoDiscovery = true,
        SyncHostImages = true,
        Type = "agent",
    });

    var group_kubeEnforcer = new Aquasec.EnforcerGroups("group-kubeEnforcer", new()
    {
        AdmissionControl = true,
        AutoCopySecrets = true,
        AutoDiscoverConfigureRegistries = true,
        AutoDiscoveryEnabled = true,
        AutoScanDiscoveredImagesRunningContainers = true,
        BlockAdmissionControl = true,
        Enforce = true,
        GroupId = "tf-test-kube_enforcer",
        KubeBenchImageName = "registry.aquasec.com/kube-bench:v0.6.5",
        MicroEnforcerSecretsName = "aqua-registry",
        Orchestrators = new[]
        {
            new Aquasec.Inputs.EnforcerGroupsOrchestratorArgs
            {
                Namespace = "aqua",
                Type = "kubernetes",
            },
        },
        Type = "kube_enforcer",
    });

});

package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := aquasec.NewEnforcerGroups(ctx, "group", &aquasec.EnforcerGroupsArgs{
			AntivirusProtection:          pulumi.Bool(true),
			ContainerActivityProtection:  pulumi.Bool(true),
			ContainerAntivirusProtection: pulumi.Bool(true),
			Enforce:                      pulumi.Bool(true),
			Forensics:                    pulumi.Bool(true),
			GroupId:                      pulumi.String("tf-test-enforcer"),
			HostAssurance:                pulumi.Bool(true),
			HostForensics:                pulumi.Bool(true),
			HostNetworkProtection:        pulumi.Bool(true),
			HostProtection:               pulumi.Bool(true),
			ImageAssurance:               pulumi.Bool(true),
			NetworkProtection:            pulumi.Bool(true),
			Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
				nil,
			},
			RiskExplorerAutoDiscovery: pulumi.Bool(true),
			SyncHostImages:            pulumi.Bool(true),
			Type:                      pulumi.String("agent"),
		})
		if err != nil {
			return err
		}
		_, err = aquasec.NewEnforcerGroups(ctx, "group-kubeEnforcer", &aquasec.EnforcerGroupsArgs{
			AdmissionControl:                          pulumi.Bool(true),
			AutoCopySecrets:                           pulumi.Bool(true),
			AutoDiscoverConfigureRegistries:           pulumi.Bool(true),
			AutoDiscoveryEnabled:                      pulumi.Bool(true),
			AutoScanDiscoveredImagesRunningContainers: pulumi.Bool(true),
			BlockAdmissionControl:                     pulumi.Bool(true),
			Enforce:                                   pulumi.Bool(true),
			GroupId:                                   pulumi.String("tf-test-kube_enforcer"),
			KubeBenchImageName:                        pulumi.String("registry.aquasec.com/kube-bench:v0.6.5"),
			MicroEnforcerSecretsName:                  pulumi.String("aqua-registry"),
			Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
				&aquasec.EnforcerGroupsOrchestratorArgs{
					Namespace: pulumi.String("aqua"),
					Type:      pulumi.String("kubernetes"),
				},
			},
			Type: pulumi.String("kube_enforcer"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.EnforcerGroups;
import com.pulumi.aquasec.EnforcerGroupsArgs;
import com.pulumi.aquasec.inputs.EnforcerGroupsOrchestratorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var group = new EnforcerGroups("group", EnforcerGroupsArgs.builder()        
            .antivirusProtection(true)
            .containerActivityProtection(true)
            .containerAntivirusProtection(true)
            .enforce(true)
            .forensics(true)
            .groupId("tf-test-enforcer")
            .hostAssurance(true)
            .hostForensics(true)
            .hostNetworkProtection(true)
            .hostProtection(true)
            .imageAssurance(true)
            .networkProtection(true)
            .orchestrators()
            .riskExplorerAutoDiscovery(true)
            .syncHostImages(true)
            .type("agent")
            .build());

        var group_kubeEnforcer = new EnforcerGroups("group-kubeEnforcer", EnforcerGroupsArgs.builder()        
            .admissionControl(true)
            .autoCopySecrets(true)
            .autoDiscoverConfigureRegistries(true)
            .autoDiscoveryEnabled(true)
            .autoScanDiscoveredImagesRunningContainers(true)
            .blockAdmissionControl(true)
            .enforce(true)
            .groupId("tf-test-kube_enforcer")
            .kubeBenchImageName("registry.aquasec.com/kube-bench:v0.6.5")
            .microEnforcerSecretsName("aqua-registry")
            .orchestrators(EnforcerGroupsOrchestratorArgs.builder()
                .namespace("aqua")
                .type("kubernetes")
                .build())
            .type("kube_enforcer")
            .build());

    }
}

import pulumi
import pulumiverse_aquasec as aquasec

group = aquasec.EnforcerGroups("group",
    antivirus_protection=True,
    container_activity_protection=True,
    container_antivirus_protection=True,
    enforce=True,
    forensics=True,
    group_id="tf-test-enforcer",
    host_assurance=True,
    host_forensics=True,
    host_network_protection=True,
    host_protection=True,
    image_assurance=True,
    network_protection=True,
    orchestrators=[aquasec.EnforcerGroupsOrchestratorArgs()],
    risk_explorer_auto_discovery=True,
    sync_host_images=True,
    type="agent")
group_kube_enforcer = aquasec.EnforcerGroups("group-kubeEnforcer",
    admission_control=True,
    auto_copy_secrets=True,
    auto_discover_configure_registries=True,
    auto_discovery_enabled=True,
    auto_scan_discovered_images_running_containers=True,
    block_admission_control=True,
    enforce=True,
    group_id="tf-test-kube_enforcer",
    kube_bench_image_name="registry.aquasec.com/kube-bench:v0.6.5",
    micro_enforcer_secrets_name="aqua-registry",
    orchestrators=[aquasec.EnforcerGroupsOrchestratorArgs(
        namespace="aqua",
        type="kubernetes",
    )],
    type="kube_enforcer")

import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumiverse/aquasec";

const group = new aquasec.EnforcerGroups("group", {
    antivirusProtection: true,
    containerActivityProtection: true,
    containerAntivirusProtection: true,
    enforce: true,
    forensics: true,
    groupId: "tf-test-enforcer",
    hostAssurance: true,
    hostForensics: true,
    hostNetworkProtection: true,
    hostProtection: true,
    imageAssurance: true,
    networkProtection: true,
    orchestrators: [{}],
    riskExplorerAutoDiscovery: true,
    syncHostImages: true,
    type: "agent",
});
const group_kubeEnforcer = new aquasec.EnforcerGroups("group-kubeEnforcer", {
    admissionControl: true,
    autoCopySecrets: true,
    autoDiscoverConfigureRegistries: true,
    autoDiscoveryEnabled: true,
    autoScanDiscoveredImagesRunningContainers: true,
    blockAdmissionControl: true,
    enforce: true,
    groupId: "tf-test-kube_enforcer",
    kubeBenchImageName: "registry.aquasec.com/kube-bench:v0.6.5",
    microEnforcerSecretsName: "aqua-registry",
    orchestrators: [{
        namespace: "aqua",
        type: "kubernetes",
    }],
    type: "kube_enforcer",
});

resources:
  group:
    type: aquasec:EnforcerGroups
    properties:
      # Advanced Malware Protection (Host Protection)
      antivirusProtection: true
      # Runtime Controls
      containerActivityProtection: true
      # Advanced Malware Protection (Container Protection)
      containerAntivirusProtection: true
      enforce: true
      # forensics
      forensics: true
      groupId: tf-test-enforcer
      # Host Assurance
      hostAssurance: true
      # host_forensics
      hostForensics: true
      # Network Firewall (Host Protection)
      hostNetworkProtection: true
      # Runtime Controls
      hostProtection: true
      # Image Assurance
      imageAssurance: true
      # Network Firewall (Container Protection)
      networkProtection: true
      orchestrators:
        - {}
      # Risk Explorer
      riskExplorerAutoDiscovery: true
      # Host Images
      syncHostImages: true
      type: agent
  group-kubeEnforcer:
    type: aquasec:EnforcerGroups
    properties:
      # Enable admission control
      admissionControl: true
      # Auto copy these secrets to the Pod Enforcer namespace and container
      autoCopySecrets: true
      # Add discovered registries
      autoDiscoverConfigureRegistries: true
      # Enable workload discovery
      autoDiscoveryEnabled: true
      # Register discovered pod images
      autoScanDiscoveredImagesRunningContainers: true
      # Perform admission control if not connected to a gateway
      blockAdmissionControl: true
      enforce: true
      groupId: tf-test-kube_enforcer
      # Kube-bench image path
      kubeBenchImageName: registry.aquasec.com/kube-bench:v0.6.5
      # Secret that holds the registry credentials for the Pod Enforcer and kube-bench
      microEnforcerSecretsName: aqua-registry
      orchestrators:
        - namespace: aqua
          type: kubernetes
      type: kube_enforcer

Create EnforcerGroups Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new EnforcerGroups(name: string, args: EnforcerGroupsArgs, opts?: CustomResourceOptions);

@overload
def EnforcerGroups(resource_name: str,
                   args: EnforcerGroupsArgs,
                   opts: Optional[ResourceOptions] = None)

@overload
def EnforcerGroups(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   group_id: Optional[str] = None,
                   type: Optional[str] = None,
                   orchestrators: Optional[Sequence[EnforcerGroupsOrchestratorArgs]] = None,
                   host_assurance: Optional[bool] = None,
                   risk_explorer_auto_discovery: Optional[bool] = None,
                   antivirus_protection: Optional[bool] = None,
                   audit_all: Optional[bool] = None,
                   auto_copy_secrets: Optional[bool] = None,
                   auto_discover_configure_registries: Optional[bool] = None,
                   host_behavioral_engine: Optional[bool] = None,
                   auto_scan_discovered_images_running_containers: Optional[bool] = None,
                   behavioral_engine: Optional[bool] = None,
                   block_admission_control: Optional[bool] = None,
                   container_activity_protection: Optional[bool] = None,
                   container_antivirus_protection: Optional[bool] = None,
                   description: Optional[str] = None,
                   enforce: Optional[bool] = None,
                   forensics: Optional[bool] = None,
                   gateways: Optional[Sequence[str]] = None,
                   allowed_labels: Optional[Sequence[str]] = None,
                   host_network_protection: Optional[bool] = None,
                   auto_discovery_enabled: Optional[bool] = None,
                   allowed_registries: Optional[Sequence[str]] = None,
                   admission_control: Optional[bool] = None,
                   host_os: Optional[str] = None,
                   host_protection: Optional[bool] = None,
                   host_user_protection: Optional[bool] = None,
                   image_assurance: Optional[bool] = None,
                   kube_bench_image_name: Optional[str] = None,
                   logical_name: Optional[str] = None,
                   micro_enforcer_certs_secrets_name: Optional[str] = None,
                   micro_enforcer_image_name: Optional[str] = None,
                   micro_enforcer_injection: Optional[bool] = None,
                   micro_enforcer_secrets_name: Optional[str] = None,
                   network_protection: Optional[bool] = None,
                   allowed_applications: Optional[Sequence[str]] = None,
                   permission: Optional[str] = None,
                   host_forensics: Optional[bool] = None,
                   runtime_type: Optional[str] = None,
                   sync_host_images: Optional[bool] = None,
                   syscall_enabled: Optional[bool] = None,
                   allow_kube_enforcer_audit: Optional[bool] = None,
                   user_access_control: Optional[bool] = None)

func NewEnforcerGroups(ctx *Context, name string, args EnforcerGroupsArgs, opts ...ResourceOption) (*EnforcerGroups, error)

public EnforcerGroups(string name, EnforcerGroupsArgs args, CustomResourceOptions? opts = null)

public EnforcerGroups(String name, EnforcerGroupsArgs args)
public EnforcerGroups(String name, EnforcerGroupsArgs args, CustomResourceOptions options)

type: aquasec:EnforcerGroups
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args EnforcerGroupsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args EnforcerGroupsArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args EnforcerGroupsArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args EnforcerGroupsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args EnforcerGroupsArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Example

The following reference example uses placeholder values for all input properties.

var enforcerGroupsResource = new Aquasec.EnforcerGroups("enforcerGroupsResource", new()
{
    GroupId = "string",
    Type = "string",
    Orchestrators = new[]
    {
        new Aquasec.Inputs.EnforcerGroupsOrchestratorArgs
        {
            Master = false,
            Namespace = "string",
            ServiceAccount = "string",
            Type = "string",
        },
    },
    HostAssurance = false,
    RiskExplorerAutoDiscovery = false,
    AntivirusProtection = false,
    AuditAll = false,
    AutoCopySecrets = false,
    AutoDiscoverConfigureRegistries = false,
    HostBehavioralEngine = false,
    AutoScanDiscoveredImagesRunningContainers = false,
    BehavioralEngine = false,
    BlockAdmissionControl = false,
    ContainerActivityProtection = false,
    ContainerAntivirusProtection = false,
    Description = "string",
    Enforce = false,
    Forensics = false,
    Gateways = new[]
    {
        "string",
    },
    AllowedLabels = new[]
    {
        "string",
    },
    HostNetworkProtection = false,
    AutoDiscoveryEnabled = false,
    AllowedRegistries = new[]
    {
        "string",
    },
    AdmissionControl = false,
    HostOs = "string",
    HostProtection = false,
    HostUserProtection = false,
    ImageAssurance = false,
    KubeBenchImageName = "string",
    LogicalName = "string",
    MicroEnforcerCertsSecretsName = "string",
    MicroEnforcerImageName = "string",
    MicroEnforcerInjection = false,
    MicroEnforcerSecretsName = "string",
    NetworkProtection = false,
    AllowedApplications = new[]
    {
        "string",
    },
    Permission = "string",
    HostForensics = false,
    RuntimeType = "string",
    SyncHostImages = false,
    SyscallEnabled = false,
    AllowKubeEnforcerAudit = false,
    UserAccessControl = false,
});

example, err := aquasec.NewEnforcerGroups(ctx, "enforcerGroupsResource", &aquasec.EnforcerGroupsArgs{
	GroupId: pulumi.String("string"),
	Type:    pulumi.String("string"),
	Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
		&aquasec.EnforcerGroupsOrchestratorArgs{
			Master:         pulumi.Bool(false),
			Namespace:      pulumi.String("string"),
			ServiceAccount: pulumi.String("string"),
			Type:           pulumi.String("string"),
		},
	},
	HostAssurance:                             pulumi.Bool(false),
	RiskExplorerAutoDiscovery:                 pulumi.Bool(false),
	AntivirusProtection:                       pulumi.Bool(false),
	AuditAll:                                  pulumi.Bool(false),
	AutoCopySecrets:                           pulumi.Bool(false),
	AutoDiscoverConfigureRegistries:           pulumi.Bool(false),
	HostBehavioralEngine:                      pulumi.Bool(false),
	AutoScanDiscoveredImagesRunningContainers: pulumi.Bool(false),
	BehavioralEngine:                          pulumi.Bool(false),
	BlockAdmissionControl:                     pulumi.Bool(false),
	ContainerActivityProtection:               pulumi.Bool(false),
	ContainerAntivirusProtection:              pulumi.Bool(false),
	Description:                               pulumi.String("string"),
	Enforce:                                   pulumi.Bool(false),
	Forensics:                                 pulumi.Bool(false),
	Gateways: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedLabels: pulumi.StringArray{
		pulumi.String("string"),
	},
	HostNetworkProtection: pulumi.Bool(false),
	AutoDiscoveryEnabled:  pulumi.Bool(false),
	AllowedRegistries: pulumi.StringArray{
		pulumi.String("string"),
	},
	AdmissionControl:              pulumi.Bool(false),
	HostOs:                        pulumi.String("string"),
	HostProtection:                pulumi.Bool(false),
	HostUserProtection:            pulumi.Bool(false),
	ImageAssurance:                pulumi.Bool(false),
	KubeBenchImageName:            pulumi.String("string"),
	LogicalName:                   pulumi.String("string"),
	MicroEnforcerCertsSecretsName: pulumi.String("string"),
	MicroEnforcerImageName:        pulumi.String("string"),
	MicroEnforcerInjection:        pulumi.Bool(false),
	MicroEnforcerSecretsName:      pulumi.String("string"),
	NetworkProtection:             pulumi.Bool(false),
	AllowedApplications: pulumi.StringArray{
		pulumi.String("string"),
	},
	Permission:             pulumi.String("string"),
	HostForensics:          pulumi.Bool(false),
	RuntimeType:            pulumi.String("string"),
	SyncHostImages:         pulumi.Bool(false),
	SyscallEnabled:         pulumi.Bool(false),
	AllowKubeEnforcerAudit: pulumi.Bool(false),
	UserAccessControl:      pulumi.Bool(false),
})

var enforcerGroupsResource = new EnforcerGroups("enforcerGroupsResource", EnforcerGroupsArgs.builder()        
    .groupId("string")
    .type("string")
    .orchestrators(EnforcerGroupsOrchestratorArgs.builder()
        .master(false)
        .namespace("string")
        .serviceAccount("string")
        .type("string")
        .build())
    .hostAssurance(false)
    .riskExplorerAutoDiscovery(false)
    .antivirusProtection(false)
    .auditAll(false)
    .autoCopySecrets(false)
    .autoDiscoverConfigureRegistries(false)
    .hostBehavioralEngine(false)
    .autoScanDiscoveredImagesRunningContainers(false)
    .behavioralEngine(false)
    .blockAdmissionControl(false)
    .containerActivityProtection(false)
    .containerAntivirusProtection(false)
    .description("string")
    .enforce(false)
    .forensics(false)
    .gateways("string")
    .allowedLabels("string")
    .hostNetworkProtection(false)
    .autoDiscoveryEnabled(false)
    .allowedRegistries("string")
    .admissionControl(false)
    .hostOs("string")
    .hostProtection(false)
    .hostUserProtection(false)
    .imageAssurance(false)
    .kubeBenchImageName("string")
    .logicalName("string")
    .microEnforcerCertsSecretsName("string")
    .microEnforcerImageName("string")
    .microEnforcerInjection(false)
    .microEnforcerSecretsName("string")
    .networkProtection(false)
    .allowedApplications("string")
    .permission("string")
    .hostForensics(false)
    .runtimeType("string")
    .syncHostImages(false)
    .syscallEnabled(false)
    .allowKubeEnforcerAudit(false)
    .userAccessControl(false)
    .build());

enforcer_groups_resource = aquasec.EnforcerGroups("enforcerGroupsResource",
    group_id="string",
    type="string",
    orchestrators=[aquasec.EnforcerGroupsOrchestratorArgs(
        master=False,
        namespace="string",
        service_account="string",
        type="string",
    )],
    host_assurance=False,
    risk_explorer_auto_discovery=False,
    antivirus_protection=False,
    audit_all=False,
    auto_copy_secrets=False,
    auto_discover_configure_registries=False,
    host_behavioral_engine=False,
    auto_scan_discovered_images_running_containers=False,
    behavioral_engine=False,
    block_admission_control=False,
    container_activity_protection=False,
    container_antivirus_protection=False,
    description="string",
    enforce=False,
    forensics=False,
    gateways=["string"],
    allowed_labels=["string"],
    host_network_protection=False,
    auto_discovery_enabled=False,
    allowed_registries=["string"],
    admission_control=False,
    host_os="string",
    host_protection=False,
    host_user_protection=False,
    image_assurance=False,
    kube_bench_image_name="string",
    logical_name="string",
    micro_enforcer_certs_secrets_name="string",
    micro_enforcer_image_name="string",
    micro_enforcer_injection=False,
    micro_enforcer_secrets_name="string",
    network_protection=False,
    allowed_applications=["string"],
    permission="string",
    host_forensics=False,
    runtime_type="string",
    sync_host_images=False,
    syscall_enabled=False,
    allow_kube_enforcer_audit=False,
    user_access_control=False)

const enforcerGroupsResource = new aquasec.EnforcerGroups("enforcerGroupsResource", {
    groupId: "string",
    type: "string",
    orchestrators: [{
        master: false,
        namespace: "string",
        serviceAccount: "string",
        type: "string",
    }],
    hostAssurance: false,
    riskExplorerAutoDiscovery: false,
    antivirusProtection: false,
    auditAll: false,
    autoCopySecrets: false,
    autoDiscoverConfigureRegistries: false,
    hostBehavioralEngine: false,
    autoScanDiscoveredImagesRunningContainers: false,
    behavioralEngine: false,
    blockAdmissionControl: false,
    containerActivityProtection: false,
    containerAntivirusProtection: false,
    description: "string",
    enforce: false,
    forensics: false,
    gateways: ["string"],
    allowedLabels: ["string"],
    hostNetworkProtection: false,
    autoDiscoveryEnabled: false,
    allowedRegistries: ["string"],
    admissionControl: false,
    hostOs: "string",
    hostProtection: false,
    hostUserProtection: false,
    imageAssurance: false,
    kubeBenchImageName: "string",
    logicalName: "string",
    microEnforcerCertsSecretsName: "string",
    microEnforcerImageName: "string",
    microEnforcerInjection: false,
    microEnforcerSecretsName: "string",
    networkProtection: false,
    allowedApplications: ["string"],
    permission: "string",
    hostForensics: false,
    runtimeType: "string",
    syncHostImages: false,
    syscallEnabled: false,
    allowKubeEnforcerAudit: false,
    userAccessControl: false,
});

type: aquasec:EnforcerGroups
properties:
    admissionControl: false
    allowKubeEnforcerAudit: false
    allowedApplications:
        - string
    allowedLabels:
        - string
    allowedRegistries:
        - string
    antivirusProtection: false
    auditAll: false
    autoCopySecrets: false
    autoDiscoverConfigureRegistries: false
    autoDiscoveryEnabled: false
    autoScanDiscoveredImagesRunningContainers: false
    behavioralEngine: false
    blockAdmissionControl: false
    containerActivityProtection: false
    containerAntivirusProtection: false
    description: string
    enforce: false
    forensics: false
    gateways:
        - string
    groupId: string
    hostAssurance: false
    hostBehavioralEngine: false
    hostForensics: false
    hostNetworkProtection: false
    hostOs: string
    hostProtection: false
    hostUserProtection: false
    imageAssurance: false
    kubeBenchImageName: string
    logicalName: string
    microEnforcerCertsSecretsName: string
    microEnforcerImageName: string
    microEnforcerInjection: false
    microEnforcerSecretsName: string
    networkProtection: false
    orchestrators:
        - master: false
          namespace: string
          serviceAccount: string
          type: string
    permission: string
    riskExplorerAutoDiscovery: false
    runtimeType: string
    syncHostImages: false
    syscallEnabled: false
    type: string
    userAccessControl: false

EnforcerGroups Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The EnforcerGroups resource accepts the following input properties:

GroupId string: The ID of the Enforcer group.
Orchestrators List<Pulumiverse.Aquasec.Inputs.EnforcerGroupsOrchestrator>: The orchestrator for which you are creating the Enforcer group.
Type string: Enforcer Type.
AdmissionControl bool: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
AllowKubeEnforcerAudit bool: Allow kube enforcer audit.
AllowedApplications List<string>: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
AllowedLabels List<string>: List of label names to allow on the hosts.
AllowedRegistries List<string>: List of registry names to allow on the hosts.
AntivirusProtection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
AuditAll bool: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
AutoCopySecrets bool: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
AutoDiscoverConfigureRegistries bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
AutoDiscoveryEnabled bool: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
AutoScanDiscoveredImagesRunningContainers bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
BehavioralEngine bool: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
BlockAdmissionControl bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
ContainerActivityProtection bool: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
ContainerAntivirusProtection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
Description string: A description of the Aqua Enforcer group.
Enforce bool: Whether to enable enforce mode on the Enforcers, defaults to False.
Forensics bool: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
Gateways List<string>: List of Aqua gateway IDs for the Enforcers.
HostAssurance bool: Set True to enable host scanning and respective Host Assurance controls.
HostBehavioralEngine bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
HostForensics bool: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
HostNetworkProtection bool: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
HostOs string: The OS type for the host
HostProtection bool: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
HostUserProtection bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
ImageAssurance bool: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
KubeBenchImageName string: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
LogicalName string: Name for the batch install record.
MicroEnforcerCertsSecretsName string: This option is applicable only if Enable Pod Enforcer injection is selected.
MicroEnforcerImageName string: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
MicroEnforcerInjection bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
MicroEnforcerSecretsName string: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
NetworkProtection bool: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
Permission string: Permission Action
RiskExplorerAutoDiscovery bool: Set True to allow Enforcers to be discovered in the Risk Explorer.
RuntimeType string: The container runtime environment.
SyncHostImages bool: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
SyscallEnabled bool: Set True will allow profiling and monitoring system calls made by running containers.
UserAccessControl bool: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

GroupId string: The ID of the Enforcer group.
Orchestrators []EnforcerGroupsOrchestratorArgs: The orchestrator for which you are creating the Enforcer group.
Type string: Enforcer Type.
AdmissionControl bool: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
AllowKubeEnforcerAudit bool: Allow kube enforcer audit.
AllowedApplications []string: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
AllowedLabels []string: List of label names to allow on the hosts.
AllowedRegistries []string: List of registry names to allow on the hosts.
AntivirusProtection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
AuditAll bool: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
AutoCopySecrets bool: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
AutoDiscoverConfigureRegistries bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
AutoDiscoveryEnabled bool: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
AutoScanDiscoveredImagesRunningContainers bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
BehavioralEngine bool: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
BlockAdmissionControl bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
ContainerActivityProtection bool: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
ContainerAntivirusProtection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
Description string: A description of the Aqua Enforcer group.
Enforce bool: Whether to enable enforce mode on the Enforcers, defaults to False.
Forensics bool: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
Gateways []string: List of Aqua gateway IDs for the Enforcers.
HostAssurance bool: Set True to enable host scanning and respective Host Assurance controls.
HostBehavioralEngine bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
HostForensics bool: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
HostNetworkProtection bool: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
HostOs string: The OS type for the host
HostProtection bool: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
HostUserProtection bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
ImageAssurance bool: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
KubeBenchImageName string: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
LogicalName string: Name for the batch install record.
MicroEnforcerCertsSecretsName string: This option is applicable only if Enable Pod Enforcer injection is selected.
MicroEnforcerImageName string: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
MicroEnforcerInjection bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
MicroEnforcerSecretsName string: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
NetworkProtection bool: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
Permission string: Permission Action
RiskExplorerAutoDiscovery bool: Set True to allow Enforcers to be discovered in the Risk Explorer.
RuntimeType string: The container runtime environment.
SyncHostImages bool: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
SyscallEnabled bool: Set True will allow profiling and monitoring system calls made by running containers.
UserAccessControl bool: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

groupId String: The ID of the Enforcer group.
orchestrators List<EnforcerGroupsOrchestrator>: The orchestrator for which you are creating the Enforcer group.
type String: Enforcer Type.
admissionControl Boolean: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
allowKubeEnforcerAudit Boolean: Allow kube enforcer audit.
allowedApplications List<String>: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
allowedLabels List<String>: List of label names to allow on the hosts.
allowedRegistries List<String>: List of registry names to allow on the hosts.
antivirusProtection Boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
auditAll Boolean: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
autoCopySecrets Boolean: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
autoDiscoverConfigureRegistries Boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
autoDiscoveryEnabled Boolean: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
autoScanDiscoveredImagesRunningContainers Boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
behavioralEngine Boolean: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
blockAdmissionControl Boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
containerActivityProtection Boolean: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
containerAntivirusProtection Boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
description String: A description of the Aqua Enforcer group.
enforce Boolean: Whether to enable enforce mode on the Enforcers, defaults to False.
forensics Boolean: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
gateways List<String>: List of Aqua gateway IDs for the Enforcers.
hostAssurance Boolean: Set True to enable host scanning and respective Host Assurance controls.
hostBehavioralEngine Boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostForensics Boolean: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
hostNetworkProtection Boolean: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
hostOs String: The OS type for the host
hostProtection Boolean: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
hostUserProtection Boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
imageAssurance Boolean: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
kubeBenchImageName String: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
logicalName String: Name for the batch install record.
microEnforcerCertsSecretsName String: This option is applicable only if Enable Pod Enforcer injection is selected.
microEnforcerImageName String: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
microEnforcerInjection Boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
microEnforcerSecretsName String: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
networkProtection Boolean: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
permission String: Permission Action
riskExplorerAutoDiscovery Boolean: Set True to allow Enforcers to be discovered in the Risk Explorer.
runtimeType String: The container runtime environment.
syncHostImages Boolean: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
syscallEnabled Boolean: Set True will allow profiling and monitoring system calls made by running containers.
userAccessControl Boolean: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

groupId string: The ID of the Enforcer group.
orchestrators EnforcerGroupsOrchestrator[]: The orchestrator for which you are creating the Enforcer group.
type string: Enforcer Type.
admissionControl boolean: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
allowKubeEnforcerAudit boolean: Allow kube enforcer audit.
allowedApplications string[]: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
allowedLabels string[]: List of label names to allow on the hosts.
allowedRegistries string[]: List of registry names to allow on the hosts.
antivirusProtection boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
auditAll boolean: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
autoCopySecrets boolean: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
autoDiscoverConfigureRegistries boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
autoDiscoveryEnabled boolean: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
autoScanDiscoveredImagesRunningContainers boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
behavioralEngine boolean: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
blockAdmissionControl boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
containerActivityProtection boolean: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
containerAntivirusProtection boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
description string: A description of the Aqua Enforcer group.
enforce boolean: Whether to enable enforce mode on the Enforcers, defaults to False.
forensics boolean: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
gateways string[]: List of Aqua gateway IDs for the Enforcers.
hostAssurance boolean: Set True to enable host scanning and respective Host Assurance controls.
hostBehavioralEngine boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostForensics boolean: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
hostNetworkProtection boolean: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
hostOs string: The OS type for the host
hostProtection boolean: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
hostUserProtection boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
imageAssurance boolean: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
kubeBenchImageName string: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
logicalName string: Name for the batch install record.
microEnforcerCertsSecretsName string: This option is applicable only if Enable Pod Enforcer injection is selected.
microEnforcerImageName string: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
microEnforcerInjection boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
microEnforcerSecretsName string: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
networkProtection boolean: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
permission string: Permission Action
riskExplorerAutoDiscovery boolean: Set True to allow Enforcers to be discovered in the Risk Explorer.
runtimeType string: The container runtime environment.
syncHostImages boolean: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
syscallEnabled boolean: Set True will allow profiling and monitoring system calls made by running containers.
userAccessControl boolean: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

group_id str: The ID of the Enforcer group.
orchestrators Sequence[EnforcerGroupsOrchestratorArgs]: The orchestrator for which you are creating the Enforcer group.
type str: Enforcer Type.
admission_control bool: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
allow_kube_enforcer_audit bool: Allow kube enforcer audit.
allowed_applications Sequence[str]: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
allowed_labels Sequence[str]: List of label names to allow on the hosts.
allowed_registries Sequence[str]: List of registry names to allow on the hosts.
antivirus_protection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
audit_all bool: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
auto_copy_secrets bool: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
auto_discover_configure_registries bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
auto_discovery_enabled bool: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
auto_scan_discovered_images_running_containers bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
behavioral_engine bool: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
block_admission_control bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
container_activity_protection bool: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
container_antivirus_protection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
description str: A description of the Aqua Enforcer group.
enforce bool: Whether to enable enforce mode on the Enforcers, defaults to False.
forensics bool: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
gateways Sequence[str]: List of Aqua gateway IDs for the Enforcers.
host_assurance bool: Set True to enable host scanning and respective Host Assurance controls.
host_behavioral_engine bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
host_forensics bool: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
host_network_protection bool: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
host_os str: The OS type for the host
host_protection bool: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
host_user_protection bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
image_assurance bool: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
kube_bench_image_name str: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
logical_name str: Name for the batch install record.
micro_enforcer_certs_secrets_name str: This option is applicable only if Enable Pod Enforcer injection is selected.
micro_enforcer_image_name str: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
micro_enforcer_injection bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
micro_enforcer_secrets_name str: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
network_protection bool: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
permission str: Permission Action
risk_explorer_auto_discovery bool: Set True to allow Enforcers to be discovered in the Risk Explorer.
runtime_type str: The container runtime environment.
sync_host_images bool: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
syscall_enabled bool: Set True will allow profiling and monitoring system calls made by running containers.
user_access_control bool: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

groupId String: The ID of the Enforcer group.
orchestrators List<Property Map>: The orchestrator for which you are creating the Enforcer group.
type String: Enforcer Type.
admissionControl Boolean: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
allowKubeEnforcerAudit Boolean: Allow kube enforcer audit.
allowedApplications List<String>: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
allowedLabels List<String>: List of label names to allow on the hosts.
allowedRegistries List<String>: List of registry names to allow on the hosts.
antivirusProtection Boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
auditAll Boolean: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
autoCopySecrets Boolean: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
autoDiscoverConfigureRegistries Boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
autoDiscoveryEnabled Boolean: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
autoScanDiscoveredImagesRunningContainers Boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
behavioralEngine Boolean: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
blockAdmissionControl Boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
containerActivityProtection Boolean: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
containerAntivirusProtection Boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
description String: A description of the Aqua Enforcer group.
enforce Boolean: Whether to enable enforce mode on the Enforcers, defaults to False.
forensics Boolean: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
gateways List<String>: List of Aqua gateway IDs for the Enforcers.
hostAssurance Boolean: Set True to enable host scanning and respective Host Assurance controls.
hostBehavioralEngine Boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostForensics Boolean: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
hostNetworkProtection Boolean: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
hostOs String: The OS type for the host
hostProtection Boolean: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
hostUserProtection Boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
imageAssurance Boolean: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
kubeBenchImageName String: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
logicalName String: Name for the batch install record.
microEnforcerCertsSecretsName String: This option is applicable only if Enable Pod Enforcer injection is selected.
microEnforcerImageName String: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
microEnforcerInjection Boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
microEnforcerSecretsName String: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
networkProtection Boolean: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
permission String: Permission Action
riskExplorerAutoDiscovery Boolean: Set True to allow Enforcers to be discovered in the Risk Explorer.
runtimeType String: The container runtime environment.
syncHostImages Boolean: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
syscallEnabled Boolean: Set True will allow profiling and monitoring system calls made by running containers.
userAccessControl Boolean: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

Outputs

All input properties are implicitly available as output properties. Additionally, the EnforcerGroups resource produces the following output properties:

AquaVersion string: Aqua server version
Commands List<Pulumiverse.Aquasec.Outputs.EnforcerGroupsCommand>: The installation command.
ConnectedCount int: Number of connected enforcers in the enforcer group.
DisconnectedCount int: Number of disconnected enforcers in the enforcer group.
EnforcerImageName string: The specific Aqua Enforcer product image (with image tag) to be deployed.
GatewayAddress string: Gateway Address
GatewayName string: Gateway Name
HighVulns int: Number of high vulnerabilities in the enforcers that in this enforcer group.
Hostname string: The hostname
HostsCount int: Number of enforcers in the enforcer group.
Id string: The provider-assigned unique ID for this managed resource.
InstallCommand string: Enforcer install command
LastUpdate int: The last date and time the batch token was updated in UNIX time.
LowVulns int: Number of low vulnerabilities in the enforcers that in this enforcer group.
MedVulns int: Number of medium vulnerabilities in the enforcers that in this enforcer group.
NegVulns int: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
PasDeploymentLink string: pas deployment link
RuntimePolicyName string: Function Runtime Policy that will applay on the nano enforcer.
Token string: The batch install token.

AquaVersion string: Aqua server version
Commands []EnforcerGroupsCommand: The installation command.
ConnectedCount int: Number of connected enforcers in the enforcer group.
DisconnectedCount int: Number of disconnected enforcers in the enforcer group.
EnforcerImageName string: The specific Aqua Enforcer product image (with image tag) to be deployed.
GatewayAddress string: Gateway Address
GatewayName string: Gateway Name
HighVulns int: Number of high vulnerabilities in the enforcers that in this enforcer group.
Hostname string: The hostname
HostsCount int: Number of enforcers in the enforcer group.
Id string: The provider-assigned unique ID for this managed resource.
InstallCommand string: Enforcer install command
LastUpdate int: The last date and time the batch token was updated in UNIX time.
LowVulns int: Number of low vulnerabilities in the enforcers that in this enforcer group.
MedVulns int: Number of medium vulnerabilities in the enforcers that in this enforcer group.
NegVulns int: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
PasDeploymentLink string: pas deployment link
RuntimePolicyName string: Function Runtime Policy that will applay on the nano enforcer.
Token string: The batch install token.

aquaVersion String: Aqua server version
commands List<EnforcerGroupsCommand>: The installation command.
connectedCount Integer: Number of connected enforcers in the enforcer group.
disconnectedCount Integer: Number of disconnected enforcers in the enforcer group.
enforcerImageName String: The specific Aqua Enforcer product image (with image tag) to be deployed.
gatewayAddress String: Gateway Address
gatewayName String: Gateway Name
highVulns Integer: Number of high vulnerabilities in the enforcers that in this enforcer group.
hostname String: The hostname
hostsCount Integer: Number of enforcers in the enforcer group.
id String: The provider-assigned unique ID for this managed resource.
installCommand String: Enforcer install command
lastUpdate Integer: The last date and time the batch token was updated in UNIX time.
lowVulns Integer: Number of low vulnerabilities in the enforcers that in this enforcer group.
medVulns Integer: Number of medium vulnerabilities in the enforcers that in this enforcer group.
negVulns Integer: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
pasDeploymentLink String: pas deployment link
runtimePolicyName String: Function Runtime Policy that will applay on the nano enforcer.
token String: The batch install token.

aquaVersion string: Aqua server version
commands EnforcerGroupsCommand[]: The installation command.
connectedCount number: Number of connected enforcers in the enforcer group.
disconnectedCount number: Number of disconnected enforcers in the enforcer group.
enforcerImageName string: The specific Aqua Enforcer product image (with image tag) to be deployed.
gatewayAddress string: Gateway Address
gatewayName string: Gateway Name
highVulns number: Number of high vulnerabilities in the enforcers that in this enforcer group.
hostname string: The hostname
hostsCount number: Number of enforcers in the enforcer group.
id string: The provider-assigned unique ID for this managed resource.
installCommand string: Enforcer install command
lastUpdate number: The last date and time the batch token was updated in UNIX time.
lowVulns number: Number of low vulnerabilities in the enforcers that in this enforcer group.
medVulns number: Number of medium vulnerabilities in the enforcers that in this enforcer group.
negVulns number: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
pasDeploymentLink string: pas deployment link
runtimePolicyName string: Function Runtime Policy that will applay on the nano enforcer.
token string: The batch install token.

aqua_version str: Aqua server version
commands Sequence[EnforcerGroupsCommand]: The installation command.
connected_count int: Number of connected enforcers in the enforcer group.
disconnected_count int: Number of disconnected enforcers in the enforcer group.
enforcer_image_name str: The specific Aqua Enforcer product image (with image tag) to be deployed.
gateway_address str: Gateway Address
gateway_name str: Gateway Name
high_vulns int: Number of high vulnerabilities in the enforcers that in this enforcer group.
hostname str: The hostname
hosts_count int: Number of enforcers in the enforcer group.
id str: The provider-assigned unique ID for this managed resource.
install_command str: Enforcer install command
last_update int: The last date and time the batch token was updated in UNIX time.
low_vulns int: Number of low vulnerabilities in the enforcers that in this enforcer group.
med_vulns int: Number of medium vulnerabilities in the enforcers that in this enforcer group.
neg_vulns int: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
pas_deployment_link str: pas deployment link
runtime_policy_name str: Function Runtime Policy that will applay on the nano enforcer.
token str: The batch install token.

aquaVersion String: Aqua server version
commands List<Property Map>: The installation command.
connectedCount Number: Number of connected enforcers in the enforcer group.
disconnectedCount Number: Number of disconnected enforcers in the enforcer group.
enforcerImageName String: The specific Aqua Enforcer product image (with image tag) to be deployed.
gatewayAddress String: Gateway Address
gatewayName String: Gateway Name
highVulns Number: Number of high vulnerabilities in the enforcers that in this enforcer group.
hostname String: The hostname
hostsCount Number: Number of enforcers in the enforcer group.
id String: The provider-assigned unique ID for this managed resource.
installCommand String: Enforcer install command
lastUpdate Number: The last date and time the batch token was updated in UNIX time.
lowVulns Number: Number of low vulnerabilities in the enforcers that in this enforcer group.
medVulns Number: Number of medium vulnerabilities in the enforcers that in this enforcer group.
negVulns Number: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
pasDeploymentLink String: pas deployment link
runtimePolicyName String: Function Runtime Policy that will applay on the nano enforcer.
token String: The batch install token.

Look up Existing EnforcerGroups Resource

Get an existing EnforcerGroups resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: EnforcerGroupsState, opts?: CustomResourceOptions): EnforcerGroups

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        admission_control: Optional[bool] = None,
        allow_kube_enforcer_audit: Optional[bool] = None,
        allowed_applications: Optional[Sequence[str]] = None,
        allowed_labels: Optional[Sequence[str]] = None,
        allowed_registries: Optional[Sequence[str]] = None,
        antivirus_protection: Optional[bool] = None,
        aqua_version: Optional[str] = None,
        audit_all: Optional[bool] = None,
        auto_copy_secrets: Optional[bool] = None,
        auto_discover_configure_registries: Optional[bool] = None,
        auto_discovery_enabled: Optional[bool] = None,
        auto_scan_discovered_images_running_containers: Optional[bool] = None,
        behavioral_engine: Optional[bool] = None,
        block_admission_control: Optional[bool] = None,
        commands: Optional[Sequence[EnforcerGroupsCommandArgs]] = None,
        connected_count: Optional[int] = None,
        container_activity_protection: Optional[bool] = None,
        container_antivirus_protection: Optional[bool] = None,
        description: Optional[str] = None,
        disconnected_count: Optional[int] = None,
        enforce: Optional[bool] = None,
        enforcer_image_name: Optional[str] = None,
        forensics: Optional[bool] = None,
        gateway_address: Optional[str] = None,
        gateway_name: Optional[str] = None,
        gateways: Optional[Sequence[str]] = None,
        group_id: Optional[str] = None,
        high_vulns: Optional[int] = None,
        host_assurance: Optional[bool] = None,
        host_behavioral_engine: Optional[bool] = None,
        host_forensics: Optional[bool] = None,
        host_network_protection: Optional[bool] = None,
        host_os: Optional[str] = None,
        host_protection: Optional[bool] = None,
        host_user_protection: Optional[bool] = None,
        hostname: Optional[str] = None,
        hosts_count: Optional[int] = None,
        image_assurance: Optional[bool] = None,
        install_command: Optional[str] = None,
        kube_bench_image_name: Optional[str] = None,
        last_update: Optional[int] = None,
        logical_name: Optional[str] = None,
        low_vulns: Optional[int] = None,
        med_vulns: Optional[int] = None,
        micro_enforcer_certs_secrets_name: Optional[str] = None,
        micro_enforcer_image_name: Optional[str] = None,
        micro_enforcer_injection: Optional[bool] = None,
        micro_enforcer_secrets_name: Optional[str] = None,
        neg_vulns: Optional[int] = None,
        network_protection: Optional[bool] = None,
        orchestrators: Optional[Sequence[EnforcerGroupsOrchestratorArgs]] = None,
        pas_deployment_link: Optional[str] = None,
        permission: Optional[str] = None,
        risk_explorer_auto_discovery: Optional[bool] = None,
        runtime_policy_name: Optional[str] = None,
        runtime_type: Optional[str] = None,
        sync_host_images: Optional[bool] = None,
        syscall_enabled: Optional[bool] = None,
        token: Optional[str] = None,
        type: Optional[str] = None,
        user_access_control: Optional[bool] = None) -> EnforcerGroups

func GetEnforcerGroups(ctx *Context, name string, id IDInput, state *EnforcerGroupsState, opts ...ResourceOption) (*EnforcerGroups, error)

public static EnforcerGroups Get(string name, Input<string> id, EnforcerGroupsState? state, CustomResourceOptions? opts = null)

public static EnforcerGroups get(String name, Output<String> id, EnforcerGroupsState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AdmissionControl bool: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
AllowKubeEnforcerAudit bool: Allow kube enforcer audit.
AllowedApplications List<string>: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
AllowedLabels List<string>: List of label names to allow on the hosts.
AllowedRegistries List<string>: List of registry names to allow on the hosts.
AntivirusProtection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
AquaVersion string: Aqua server version
AuditAll bool: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
AutoCopySecrets bool: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
AutoDiscoverConfigureRegistries bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
AutoDiscoveryEnabled bool: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
AutoScanDiscoveredImagesRunningContainers bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
BehavioralEngine bool: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
BlockAdmissionControl bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
Commands List<Pulumiverse.Aquasec.Inputs.EnforcerGroupsCommand>: The installation command.
ConnectedCount int: Number of connected enforcers in the enforcer group.
ContainerActivityProtection bool: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
ContainerAntivirusProtection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
Description string: A description of the Aqua Enforcer group.
DisconnectedCount int: Number of disconnected enforcers in the enforcer group.
Enforce bool: Whether to enable enforce mode on the Enforcers, defaults to False.
EnforcerImageName string: The specific Aqua Enforcer product image (with image tag) to be deployed.
Forensics bool: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
GatewayAddress string: Gateway Address
GatewayName string: Gateway Name
Gateways List<string>: List of Aqua gateway IDs for the Enforcers.
GroupId string: The ID of the Enforcer group.
HighVulns int: Number of high vulnerabilities in the enforcers that in this enforcer group.
HostAssurance bool: Set True to enable host scanning and respective Host Assurance controls.
HostBehavioralEngine bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
HostForensics bool: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
HostNetworkProtection bool: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
HostOs string: The OS type for the host
HostProtection bool: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
HostUserProtection bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
Hostname string: The hostname
HostsCount int: Number of enforcers in the enforcer group.
ImageAssurance bool: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
InstallCommand string: Enforcer install command
KubeBenchImageName string: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
LastUpdate int: The last date and time the batch token was updated in UNIX time.
LogicalName string: Name for the batch install record.
LowVulns int: Number of low vulnerabilities in the enforcers that in this enforcer group.
MedVulns int: Number of medium vulnerabilities in the enforcers that in this enforcer group.
MicroEnforcerCertsSecretsName string: This option is applicable only if Enable Pod Enforcer injection is selected.
MicroEnforcerImageName string: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
MicroEnforcerInjection bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
MicroEnforcerSecretsName string: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
NegVulns int: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
NetworkProtection bool: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
Orchestrators List<Pulumiverse.Aquasec.Inputs.EnforcerGroupsOrchestrator>: The orchestrator for which you are creating the Enforcer group.
PasDeploymentLink string: pas deployment link
Permission string: Permission Action
RiskExplorerAutoDiscovery bool: Set True to allow Enforcers to be discovered in the Risk Explorer.
RuntimePolicyName string: Function Runtime Policy that will applay on the nano enforcer.
RuntimeType string: The container runtime environment.
SyncHostImages bool: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
SyscallEnabled bool: Set True will allow profiling and monitoring system calls made by running containers.
Token string: The batch install token.
Type string: Enforcer Type.
UserAccessControl bool: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

AdmissionControl bool: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
AllowKubeEnforcerAudit bool: Allow kube enforcer audit.
AllowedApplications []string: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
AllowedLabels []string: List of label names to allow on the hosts.
AllowedRegistries []string: List of registry names to allow on the hosts.
AntivirusProtection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
AquaVersion string: Aqua server version
AuditAll bool: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
AutoCopySecrets bool: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
AutoDiscoverConfigureRegistries bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
AutoDiscoveryEnabled bool: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
AutoScanDiscoveredImagesRunningContainers bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
BehavioralEngine bool: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
BlockAdmissionControl bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
Commands []EnforcerGroupsCommandArgs: The installation command.
ConnectedCount int: Number of connected enforcers in the enforcer group.
ContainerActivityProtection bool: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
ContainerAntivirusProtection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
Description string: A description of the Aqua Enforcer group.
DisconnectedCount int: Number of disconnected enforcers in the enforcer group.
Enforce bool: Whether to enable enforce mode on the Enforcers, defaults to False.
EnforcerImageName string: The specific Aqua Enforcer product image (with image tag) to be deployed.
Forensics bool: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
GatewayAddress string: Gateway Address
GatewayName string: Gateway Name
Gateways []string: List of Aqua gateway IDs for the Enforcers.
GroupId string: The ID of the Enforcer group.
HighVulns int: Number of high vulnerabilities in the enforcers that in this enforcer group.
HostAssurance bool: Set True to enable host scanning and respective Host Assurance controls.
HostBehavioralEngine bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
HostForensics bool: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
HostNetworkProtection bool: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
HostOs string: The OS type for the host
HostProtection bool: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
HostUserProtection bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
Hostname string: The hostname
HostsCount int: Number of enforcers in the enforcer group.
ImageAssurance bool: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
InstallCommand string: Enforcer install command
KubeBenchImageName string: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
LastUpdate int: The last date and time the batch token was updated in UNIX time.
LogicalName string: Name for the batch install record.
LowVulns int: Number of low vulnerabilities in the enforcers that in this enforcer group.
MedVulns int: Number of medium vulnerabilities in the enforcers that in this enforcer group.
MicroEnforcerCertsSecretsName string: This option is applicable only if Enable Pod Enforcer injection is selected.
MicroEnforcerImageName string: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
MicroEnforcerInjection bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
MicroEnforcerSecretsName string: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
NegVulns int: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
NetworkProtection bool: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
Orchestrators []EnforcerGroupsOrchestratorArgs: The orchestrator for which you are creating the Enforcer group.
PasDeploymentLink string: pas deployment link
Permission string: Permission Action
RiskExplorerAutoDiscovery bool: Set True to allow Enforcers to be discovered in the Risk Explorer.
RuntimePolicyName string: Function Runtime Policy that will applay on the nano enforcer.
RuntimeType string: The container runtime environment.
SyncHostImages bool: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
SyscallEnabled bool: Set True will allow profiling and monitoring system calls made by running containers.
Token string: The batch install token.
Type string: Enforcer Type.
UserAccessControl bool: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

admissionControl Boolean: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
allowKubeEnforcerAudit Boolean: Allow kube enforcer audit.
allowedApplications List<String>: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
allowedLabels List<String>: List of label names to allow on the hosts.
allowedRegistries List<String>: List of registry names to allow on the hosts.
antivirusProtection Boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
aquaVersion String: Aqua server version
auditAll Boolean: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
autoCopySecrets Boolean: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
autoDiscoverConfigureRegistries Boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
autoDiscoveryEnabled Boolean: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
autoScanDiscoveredImagesRunningContainers Boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
behavioralEngine Boolean: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
blockAdmissionControl Boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
commands List<EnforcerGroupsCommand>: The installation command.
connectedCount Integer: Number of connected enforcers in the enforcer group.
containerActivityProtection Boolean: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
containerAntivirusProtection Boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
description String: A description of the Aqua Enforcer group.
disconnectedCount Integer: Number of disconnected enforcers in the enforcer group.
enforce Boolean: Whether to enable enforce mode on the Enforcers, defaults to False.
enforcerImageName String: The specific Aqua Enforcer product image (with image tag) to be deployed.
forensics Boolean: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
gatewayAddress String: Gateway Address
gatewayName String: Gateway Name
gateways List<String>: List of Aqua gateway IDs for the Enforcers.
groupId String: The ID of the Enforcer group.
highVulns Integer: Number of high vulnerabilities in the enforcers that in this enforcer group.
hostAssurance Boolean: Set True to enable host scanning and respective Host Assurance controls.
hostBehavioralEngine Boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostForensics Boolean: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
hostNetworkProtection Boolean: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
hostOs String: The OS type for the host
hostProtection Boolean: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
hostUserProtection Boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostname String: The hostname
hostsCount Integer: Number of enforcers in the enforcer group.
imageAssurance Boolean: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
installCommand String: Enforcer install command
kubeBenchImageName String: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
lastUpdate Integer: The last date and time the batch token was updated in UNIX time.
logicalName String: Name for the batch install record.
lowVulns Integer: Number of low vulnerabilities in the enforcers that in this enforcer group.
medVulns Integer: Number of medium vulnerabilities in the enforcers that in this enforcer group.
microEnforcerCertsSecretsName String: This option is applicable only if Enable Pod Enforcer injection is selected.
microEnforcerImageName String: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
microEnforcerInjection Boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
microEnforcerSecretsName String: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
negVulns Integer: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
networkProtection Boolean: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
orchestrators List<EnforcerGroupsOrchestrator>: The orchestrator for which you are creating the Enforcer group.
pasDeploymentLink String: pas deployment link
permission String: Permission Action
riskExplorerAutoDiscovery Boolean: Set True to allow Enforcers to be discovered in the Risk Explorer.
runtimePolicyName String: Function Runtime Policy that will applay on the nano enforcer.
runtimeType String: The container runtime environment.
syncHostImages Boolean: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
syscallEnabled Boolean: Set True will allow profiling and monitoring system calls made by running containers.
token String: The batch install token.
type String: Enforcer Type.
userAccessControl Boolean: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

admissionControl boolean: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
allowKubeEnforcerAudit boolean: Allow kube enforcer audit.
allowedApplications string[]: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
allowedLabels string[]: List of label names to allow on the hosts.
allowedRegistries string[]: List of registry names to allow on the hosts.
antivirusProtection boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
aquaVersion string: Aqua server version
auditAll boolean: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
autoCopySecrets boolean: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
autoDiscoverConfigureRegistries boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
autoDiscoveryEnabled boolean: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
autoScanDiscoveredImagesRunningContainers boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
behavioralEngine boolean: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
blockAdmissionControl boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
commands EnforcerGroupsCommand[]: The installation command.
connectedCount number: Number of connected enforcers in the enforcer group.
containerActivityProtection boolean: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
containerAntivirusProtection boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
description string: A description of the Aqua Enforcer group.
disconnectedCount number: Number of disconnected enforcers in the enforcer group.
enforce boolean: Whether to enable enforce mode on the Enforcers, defaults to False.
enforcerImageName string: The specific Aqua Enforcer product image (with image tag) to be deployed.
forensics boolean: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
gatewayAddress string: Gateway Address
gatewayName string: Gateway Name
gateways string[]: List of Aqua gateway IDs for the Enforcers.
groupId string: The ID of the Enforcer group.
highVulns number: Number of high vulnerabilities in the enforcers that in this enforcer group.
hostAssurance boolean: Set True to enable host scanning and respective Host Assurance controls.
hostBehavioralEngine boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostForensics boolean: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
hostNetworkProtection boolean: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
hostOs string: The OS type for the host
hostProtection boolean: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
hostUserProtection boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostname string: The hostname
hostsCount number: Number of enforcers in the enforcer group.
imageAssurance boolean: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
installCommand string: Enforcer install command
kubeBenchImageName string: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
lastUpdate number: The last date and time the batch token was updated in UNIX time.
logicalName string: Name for the batch install record.
lowVulns number: Number of low vulnerabilities in the enforcers that in this enforcer group.
medVulns number: Number of medium vulnerabilities in the enforcers that in this enforcer group.
microEnforcerCertsSecretsName string: This option is applicable only if Enable Pod Enforcer injection is selected.
microEnforcerImageName string: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
microEnforcerInjection boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
microEnforcerSecretsName string: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
negVulns number: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
networkProtection boolean: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
orchestrators EnforcerGroupsOrchestrator[]: The orchestrator for which you are creating the Enforcer group.
pasDeploymentLink string: pas deployment link
permission string: Permission Action
riskExplorerAutoDiscovery boolean: Set True to allow Enforcers to be discovered in the Risk Explorer.
runtimePolicyName string: Function Runtime Policy that will applay on the nano enforcer.
runtimeType string: The container runtime environment.
syncHostImages boolean: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
syscallEnabled boolean: Set True will allow profiling and monitoring system calls made by running containers.
token string: The batch install token.
type string: Enforcer Type.
userAccessControl boolean: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

admission_control bool: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
allow_kube_enforcer_audit bool: Allow kube enforcer audit.
allowed_applications Sequence[str]: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
allowed_labels Sequence[str]: List of label names to allow on the hosts.
allowed_registries Sequence[str]: List of registry names to allow on the hosts.
antivirus_protection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
aqua_version str: Aqua server version
audit_all bool: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
auto_copy_secrets bool: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
auto_discover_configure_registries bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
auto_discovery_enabled bool: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
auto_scan_discovered_images_running_containers bool: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
behavioral_engine bool: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
block_admission_control bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
commands Sequence[EnforcerGroupsCommandArgs]: The installation command.
connected_count int: Number of connected enforcers in the enforcer group.
container_activity_protection bool: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
container_antivirus_protection bool: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
description str: A description of the Aqua Enforcer group.
disconnected_count int: Number of disconnected enforcers in the enforcer group.
enforce bool: Whether to enable enforce mode on the Enforcers, defaults to False.
enforcer_image_name str: The specific Aqua Enforcer product image (with image tag) to be deployed.
forensics bool: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
gateway_address str: Gateway Address
gateway_name str: Gateway Name
gateways Sequence[str]: List of Aqua gateway IDs for the Enforcers.
group_id str: The ID of the Enforcer group.
high_vulns int: Number of high vulnerabilities in the enforcers that in this enforcer group.
host_assurance bool: Set True to enable host scanning and respective Host Assurance controls.
host_behavioral_engine bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
host_forensics bool: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
host_network_protection bool: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
host_os str: The OS type for the host
host_protection bool: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
host_user_protection bool: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostname str: The hostname
hosts_count int: Number of enforcers in the enforcer group.
image_assurance bool: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
install_command str: Enforcer install command
kube_bench_image_name str: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
last_update int: The last date and time the batch token was updated in UNIX time.
logical_name str: Name for the batch install record.
low_vulns int: Number of low vulnerabilities in the enforcers that in this enforcer group.
med_vulns int: Number of medium vulnerabilities in the enforcers that in this enforcer group.
micro_enforcer_certs_secrets_name str: This option is applicable only if Enable Pod Enforcer injection is selected.
micro_enforcer_image_name str: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
micro_enforcer_injection bool: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
micro_enforcer_secrets_name str: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
neg_vulns int: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
network_protection bool: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
orchestrators Sequence[EnforcerGroupsOrchestratorArgs]: The orchestrator for which you are creating the Enforcer group.
pas_deployment_link str: pas deployment link
permission str: Permission Action
risk_explorer_auto_discovery bool: Set True to allow Enforcers to be discovered in the Risk Explorer.
runtime_policy_name str: Function Runtime Policy that will applay on the nano enforcer.
runtime_type str: The container runtime environment.
sync_host_images bool: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
syscall_enabled bool: Set True will allow profiling and monitoring system calls made by running containers.
token str: The batch install token.
type str: Enforcer Type.
user_access_control bool: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

admissionControl Boolean: Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
allowKubeEnforcerAudit Boolean: Allow kube enforcer audit.
allowedApplications List<String>: List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
allowedLabels List<String>: List of label names to allow on the hosts.
allowedRegistries List<String>: List of registry names to allow on the hosts.
antivirusProtection Boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
aquaVersion String: Aqua server version
auditAll Boolean: Agent will send extra audit messages to the server for success operations from inside the container (runtime).
autoCopySecrets Boolean: This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
autoDiscoverConfigureRegistries Boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
autoDiscoveryEnabled Boolean: When this option is selected, the KubeEnforcer will discover workloads on its cluster.
autoScanDiscoveredImagesRunningContainers Boolean: This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
behavioralEngine Boolean: Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
blockAdmissionControl Boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
commands List<Property Map>: The installation command.
connectedCount Number: Number of connected enforcers in the enforcer group.
containerActivityProtection Boolean: Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
containerAntivirusProtection Boolean: This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
description String: A description of the Aqua Enforcer group.
disconnectedCount Number: Number of disconnected enforcers in the enforcer group.
enforce Boolean: Whether to enable enforce mode on the Enforcers, defaults to False.
enforcerImageName String: The specific Aqua Enforcer product image (with image tag) to be deployed.
forensics Boolean: Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
gatewayAddress String: Gateway Address
gatewayName String: Gateway Name
gateways List<String>: List of Aqua gateway IDs for the Enforcers.
groupId String: The ID of the Enforcer group.
highVulns Number: Number of high vulnerabilities in the enforcers that in this enforcer group.
hostAssurance Boolean: Set True to enable host scanning and respective Host Assurance controls.
hostBehavioralEngine Boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostForensics Boolean: Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
hostNetworkProtection Boolean: Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
hostOs String: The OS type for the host
hostProtection Boolean: Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
hostUserProtection Boolean: Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
hostname String: The hostname
hostsCount Number: Number of enforcers in the enforcer group.
imageAssurance Boolean: Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
installCommand String: Enforcer install command
kubeBenchImageName String: See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
lastUpdate Number: The last date and time the batch token was updated in UNIX time.
logicalName String: Name for the batch install record.
lowVulns Number: Number of low vulnerabilities in the enforcers that in this enforcer group.
medVulns Number: Number of medium vulnerabilities in the enforcers that in this enforcer group.
microEnforcerCertsSecretsName String: This option is applicable only if Enable Pod Enforcer injection is selected.
microEnforcerImageName String: This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
microEnforcerInjection Boolean: This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
microEnforcerSecretsName String: You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
negVulns Number: Number of negligible vulnerabilities in the enforcers that in this enforcer group.
networkProtection Boolean: Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
orchestrators List<Property Map>: The orchestrator for which you are creating the Enforcer group.
pasDeploymentLink String: pas deployment link
permission String: Permission Action
riskExplorerAutoDiscovery Boolean: Set True to allow Enforcers to be discovered in the Risk Explorer.
runtimePolicyName String: Function Runtime Policy that will applay on the nano enforcer.
runtimeType String: The container runtime environment.
syncHostImages Boolean: Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
syscallEnabled Boolean: Set True will allow profiling and monitoring system calls made by running containers.
token String: The batch install token.
type String: Enforcer Type.
userAccessControl Boolean: Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

Supporting Types

EnforcerGroupsCommand, EnforcerGroupsCommandArgs

Default string
Kubernetes string
Swarm string
Windows string

Default string
Kubernetes string
Swarm string
Windows string

default_ String
kubernetes String
swarm String
windows String

default string
kubernetes string
swarm string
windows string

default str
kubernetes str
swarm str
windows str

default String
kubernetes String
swarm String
windows String

EnforcerGroupsOrchestrator, EnforcerGroupsOrchestratorArgs

Master bool
Namespace string: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
ServiceAccount string: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
Type string

Master bool
Namespace string: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
ServiceAccount string: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
Type string

master Boolean
namespace String: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
serviceAccount String: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
type String

master boolean
namespace string: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
serviceAccount string: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
type string

master bool
namespace str: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
service_account str: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
type str

master Boolean
namespace String: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
serviceAccount String: May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
type String

Package Details

Repository: aquasec pulumiverse/pulumi-aquasec
License: Apache-2.0
Notes: This Pulumi package is based on the aquasec Terraform Provider.

Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

pulumiverse/pulumi-aquasec

aquasec.EnforcerGroups

On this page

On this page

Example Usage

Create EnforcerGroups Resource

Constructor syntax

Parameters

Example

EnforcerGroups Resource Properties

Inputs

Outputs

Look up Existing EnforcerGroups Resource

Supporting Types

EnforcerGroupsCommand, EnforcerGroupsCommandArgs

EnforcerGroupsOrchestrator, EnforcerGroupsOrchestratorArgs

Package Details

On this page

On this page