Aquasec

v0.2.2 published on Monday, Nov 14, 2022 by Pulumiverse

getEnforcerGroups

Example Usage

using System.Collections.Generic;
using Pulumi;
using Aquasec = Pulumi.Aquasec;

return await Deployment.RunAsync(() => 
{
    var groups = Aquasec.GetEnforcerGroups.Invoke(new()
    {
        GroupId = "IacGroup",
    });

    return new Dictionary<string, object?>
    {
        ["groupDetails"] = groups.Apply(getEnforcerGroupsResult => getEnforcerGroupsResult),
    };
});
package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		groups, err := aquasec.LookupEnforcerGroups(ctx, &GetEnforcerGroupsArgs{
			GroupId: "IacGroup",
		}, nil)
		if err != nil {
			return err
		}
		ctx.Export("groupDetails", groups)
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.AquasecFunctions;
import com.pulumi.aquasec.inputs.GetEnforcerGroupsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var groups = AquasecFunctions.getEnforcerGroups(GetEnforcerGroupsArgs.builder()
            .groupId("IacGroup")
            .build());

        ctx.export("groupDetails", groups.applyValue(getEnforcerGroupsResult -> getEnforcerGroupsResult));
    }
}
import pulumi
import pulumi_aquasec as aquasec

groups = aquasec.get_enforcer_groups(group_id="IacGroup")
pulumi.export("groupDetails", groups)
import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumi/aquasec";

const groups = aquasec.getEnforcerGroups({
    groupId: "IacGroup",
});
export const groupDetails = groups;
variables:
  groups:
    fn::invoke:
      Function: aquasec:getEnforcerGroups
      Arguments:
        groupId: IacGroup
outputs:
  groupDetails: ${groups}

Using getEnforcerGroups

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getEnforcerGroups(args: GetEnforcerGroupsArgs, opts?: InvokeOptions): Promise<GetEnforcerGroupsResult>
function getEnforcerGroupsOutput(args: GetEnforcerGroupsOutputArgs, opts?: InvokeOptions): Output<GetEnforcerGroupsResult>
def get_enforcer_groups(forensics: Optional[bool] = None,
                        group_id: Optional[str] = None,
                        host_forensics: Optional[bool] = None,
                        opts: Optional[InvokeOptions] = None) -> GetEnforcerGroupsResult
def get_enforcer_groups_output(forensics: Optional[pulumi.Input[bool]] = None,
                        group_id: Optional[pulumi.Input[str]] = None,
                        host_forensics: Optional[pulumi.Input[bool]] = None,
                        opts: Optional[InvokeOptions] = None) -> Output[GetEnforcerGroupsResult]
func LookupEnforcerGroups(ctx *Context, args *LookupEnforcerGroupsArgs, opts ...InvokeOption) (*LookupEnforcerGroupsResult, error)
func LookupEnforcerGroupsOutput(ctx *Context, args *LookupEnforcerGroupsOutputArgs, opts ...InvokeOption) LookupEnforcerGroupsResultOutput

> Note: This function is named LookupEnforcerGroups in the Go SDK.

public static class GetEnforcerGroups 
{
    public static Task<GetEnforcerGroupsResult> InvokeAsync(GetEnforcerGroupsArgs args, InvokeOptions? opts = null)
    public static Output<GetEnforcerGroupsResult> Invoke(GetEnforcerGroupsInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetEnforcerGroupsResult> getEnforcerGroups(GetEnforcerGroupsArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
  function: aquasec:index/getEnforcerGroups:getEnforcerGroups
  arguments:
    # arguments dictionary

The following arguments are supported:

GroupId string

The ID of the Enforcer group.

Forensics bool

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

HostForensics bool

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

GroupId string

The ID of the Enforcer group.

Forensics bool

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

HostForensics bool

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

groupId String

The ID of the Enforcer group.

forensics Boolean

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

hostForensics Boolean

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

groupId string

The ID of the Enforcer group.

forensics boolean

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

hostForensics boolean

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

group_id str

The ID of the Enforcer group.

forensics bool

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

host_forensics bool

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

groupId String

The ID of the Enforcer group.

forensics Boolean

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

hostForensics Boolean

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

getEnforcerGroups Result

The following output properties are available:

AdmissionControl bool

Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.

AllowKubeEnforcerAudit bool

Allow kube enforcer audit.

AllowedApplications List<string>

List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.

AllowedLabels List<string>

List of label names to allow on the hosts.

AllowedRegistries List<string>

List of registry names to allow on the hosts.

AntivirusProtection bool

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.

AquaVersion string

Aqua server version

AuditAll bool

Agent will send extra audit messages to the server for success operations from inside the container (runtime).

AutoCopySecrets bool

This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.

AutoDiscoverConfigureRegistries bool

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.

AutoDiscoveryEnabled bool

When this option is selected, the KubeEnforcer will discover workloads on its cluster.

AutoScanDiscoveredImagesRunningContainers bool

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).

BehavioralEngine bool

If Enabled, detects suspicious activity in your containers and displays potential security threats in the Incidents and Audits pages.

BlockAdmissionControl bool

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

Commands List<Pulumiverse.Aquasec.Outputs.GetEnforcerGroupsCommand>

The installation command.

ConnectedCount int

Number of connected enforcers in the enforcer group.

ContainerActivityProtection bool

When set to True applies Container Runtime Policies, Image Profiles, and Firewall Policies to containers.

ContainerAntivirusProtection bool

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.

Description string

A description for the Aqua Enforcer group.

DisconnectedCount int

Number of disconnected enforcers in the enforcer group.

Enforce bool

Whether the enforce mode is enabled on the Enforcers.

EnforcerImageName string

The specific Aqua Enforcer product image (with image tag) to be deployed.

GatewayAddress string

Gateway Address

GatewayName string

Gateway Name

Gateways List<string>

List of Aqua gateway IDs for the Enforcers.

GroupId string

The ID of the Enforcer group.

HighVulns int

Number of high vulnerabilities in the enforcers that in this enforcer group.

HostAssurance bool

When set to True enables host scanning and respective Host Assurance controls.

HostBehavioralEngine bool

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

HostNetworkProtection bool

When set to True applies Firewall Policies to hosts, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information

HostOs string

The OS type for the host

HostProtection bool

When set to True enables all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.

HostUserProtection bool

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

HostsCount int

Number of enforcers in the enforcer group.

Id string

The provider-assigned unique ID for this managed resource.

ImageAssurance bool

When Set to True enables selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).

InstallCommand string

Enforcer install command

KubeBenchImageName string

See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.

LastUpdate int

The last date and time the batch token was updated in UNIX time.

LogicalName string

Name for the batch install record.

LowVulns int

Number of low vulnerabilities in the enforcers that in this enforcer group.

MedVulns int

Number of medium vulnerabilities in the enforcers that in this enforcer group.

MicroEnforcerCertsSecretsName string

This option is applicable only if Enable Pod Enforcer injection is selected.

MicroEnforcerImageName string

This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.

MicroEnforcerInjection bool

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

MicroEnforcerSecretsName string

This option is applicable only if Enable Pod Enforcer injection is selected.

NegVulns int

Number of negligible vulnerabilities in the enforcers that in this enforcer group.

NetworkProtection bool

When set to True applies Firewall Policies to containers, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.

Orchestrators List<Pulumiverse.Aquasec.Outputs.GetEnforcerGroupsOrchestrator>

The orchestrator for which you are creating the Enforcer group.

PasDeploymentLink string

pas deployment link

Permission string

Permission Action

RiskExplorerAutoDiscovery bool

When set to True allows Enforcers to be discovered in the Risk Explorer.

RuntimePolicyName string

Function Runtime Policy that will applay on the nano enforcer.

RuntimeType string

The container runtime environment.

SyncHostImages bool

When set to True configures Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).

SyscallEnabled bool

When set to True allows profiling and monitoring system calls made by running containers.

Token string

The batch install token.

Type string

Enforcer Type.

UserAccessControl bool

When set to True applies User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

Forensics bool

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

HostForensics bool

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

AdmissionControl bool

Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.

AllowKubeEnforcerAudit bool

Allow kube enforcer audit.

AllowedApplications []string

List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.

AllowedLabels []string

List of label names to allow on the hosts.

AllowedRegistries []string

List of registry names to allow on the hosts.

AntivirusProtection bool

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.

AquaVersion string

Aqua server version

AuditAll bool

Agent will send extra audit messages to the server for success operations from inside the container (runtime).

AutoCopySecrets bool

This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.

AutoDiscoverConfigureRegistries bool

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.

AutoDiscoveryEnabled bool

When this option is selected, the KubeEnforcer will discover workloads on its cluster.

AutoScanDiscoveredImagesRunningContainers bool

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).

BehavioralEngine bool

If Enabled, detects suspicious activity in your containers and displays potential security threats in the Incidents and Audits pages.

BlockAdmissionControl bool

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

Commands []GetEnforcerGroupsCommand

The installation command.

ConnectedCount int

Number of connected enforcers in the enforcer group.

ContainerActivityProtection bool

When set to True applies Container Runtime Policies, Image Profiles, and Firewall Policies to containers.

ContainerAntivirusProtection bool

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.

Description string

A description for the Aqua Enforcer group.

DisconnectedCount int

Number of disconnected enforcers in the enforcer group.

Enforce bool

Whether the enforce mode is enabled on the Enforcers.

EnforcerImageName string

The specific Aqua Enforcer product image (with image tag) to be deployed.

GatewayAddress string

Gateway Address

GatewayName string

Gateway Name

Gateways []string

List of Aqua gateway IDs for the Enforcers.

GroupId string

The ID of the Enforcer group.

HighVulns int

Number of high vulnerabilities in the enforcers that in this enforcer group.

HostAssurance bool

When set to True enables host scanning and respective Host Assurance controls.

HostBehavioralEngine bool

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

HostNetworkProtection bool

When set to True applies Firewall Policies to hosts, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information

HostOs string

The OS type for the host

HostProtection bool

When set to True enables all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.

HostUserProtection bool

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

HostsCount int

Number of enforcers in the enforcer group.

Id string

The provider-assigned unique ID for this managed resource.

ImageAssurance bool

When Set to True enables selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).

InstallCommand string

Enforcer install command

KubeBenchImageName string

See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.

LastUpdate int

The last date and time the batch token was updated in UNIX time.

LogicalName string

Name for the batch install record.

LowVulns int

Number of low vulnerabilities in the enforcers that in this enforcer group.

MedVulns int

Number of medium vulnerabilities in the enforcers that in this enforcer group.

MicroEnforcerCertsSecretsName string

This option is applicable only if Enable Pod Enforcer injection is selected.

MicroEnforcerImageName string

This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.

MicroEnforcerInjection bool

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

MicroEnforcerSecretsName string

This option is applicable only if Enable Pod Enforcer injection is selected.

NegVulns int

Number of negligible vulnerabilities in the enforcers that in this enforcer group.

NetworkProtection bool

When set to True applies Firewall Policies to containers, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.

Orchestrators []GetEnforcerGroupsOrchestrator

The orchestrator for which you are creating the Enforcer group.

PasDeploymentLink string

pas deployment link

Permission string

Permission Action

RiskExplorerAutoDiscovery bool

When set to True allows Enforcers to be discovered in the Risk Explorer.

RuntimePolicyName string

Function Runtime Policy that will applay on the nano enforcer.

RuntimeType string

The container runtime environment.

SyncHostImages bool

When set to True configures Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).

SyscallEnabled bool

When set to True allows profiling and monitoring system calls made by running containers.

Token string

The batch install token.

Type string

Enforcer Type.

UserAccessControl bool

When set to True applies User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

Forensics bool

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

HostForensics bool

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

admissionControl Boolean

Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.

allowKubeEnforcerAudit Boolean

Allow kube enforcer audit.

allowedApplications List<String>

List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.

allowedLabels List<String>

List of label names to allow on the hosts.

allowedRegistries List<String>

List of registry names to allow on the hosts.

antivirusProtection Boolean

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.

aquaVersion String

Aqua server version

auditAll Boolean

Agent will send extra audit messages to the server for success operations from inside the container (runtime).

autoCopySecrets Boolean

This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.

autoDiscoverConfigureRegistries Boolean

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.

autoDiscoveryEnabled Boolean

When this option is selected, the KubeEnforcer will discover workloads on its cluster.

autoScanDiscoveredImagesRunningContainers Boolean

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).

behavioralEngine Boolean

If Enabled, detects suspicious activity in your containers and displays potential security threats in the Incidents and Audits pages.

blockAdmissionControl Boolean

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

commands List<GetEnforcerGroupsCommand>

The installation command.

connectedCount Integer

Number of connected enforcers in the enforcer group.

containerActivityProtection Boolean

When set to True applies Container Runtime Policies, Image Profiles, and Firewall Policies to containers.

containerAntivirusProtection Boolean

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.

description String

A description for the Aqua Enforcer group.

disconnectedCount Integer

Number of disconnected enforcers in the enforcer group.

enforce Boolean

Whether the enforce mode is enabled on the Enforcers.

enforcerImageName String

The specific Aqua Enforcer product image (with image tag) to be deployed.

gatewayAddress String

Gateway Address

gatewayName String

Gateway Name

gateways List<String>

List of Aqua gateway IDs for the Enforcers.

groupId String

The ID of the Enforcer group.

highVulns Integer

Number of high vulnerabilities in the enforcers that in this enforcer group.

hostAssurance Boolean

When set to True enables host scanning and respective Host Assurance controls.

hostBehavioralEngine Boolean

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

hostNetworkProtection Boolean

When set to True applies Firewall Policies to hosts, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information

hostOs String

The OS type for the host

hostProtection Boolean

When set to True enables all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.

hostUserProtection Boolean

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

hostsCount Integer

Number of enforcers in the enforcer group.

id String

The provider-assigned unique ID for this managed resource.

imageAssurance Boolean

When Set to True enables selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).

installCommand String

Enforcer install command

kubeBenchImageName String

See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.

lastUpdate Integer

The last date and time the batch token was updated in UNIX time.

logicalName String

Name for the batch install record.

lowVulns Integer

Number of low vulnerabilities in the enforcers that in this enforcer group.

medVulns Integer

Number of medium vulnerabilities in the enforcers that in this enforcer group.

microEnforcerCertsSecretsName String

This option is applicable only if Enable Pod Enforcer injection is selected.

microEnforcerImageName String

This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.

microEnforcerInjection Boolean

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

microEnforcerSecretsName String

This option is applicable only if Enable Pod Enforcer injection is selected.

negVulns Integer

Number of negligible vulnerabilities in the enforcers that in this enforcer group.

networkProtection Boolean

When set to True applies Firewall Policies to containers, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.

orchestrators List<GetEnforcerGroupsOrchestrator>

The orchestrator for which you are creating the Enforcer group.

pasDeploymentLink String

pas deployment link

permission String

Permission Action

riskExplorerAutoDiscovery Boolean

When set to True allows Enforcers to be discovered in the Risk Explorer.

runtimePolicyName String

Function Runtime Policy that will applay on the nano enforcer.

runtimeType String

The container runtime environment.

syncHostImages Boolean

When set to True configures Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).

syscallEnabled Boolean

When set to True allows profiling and monitoring system calls made by running containers.

token String

The batch install token.

type String

Enforcer Type.

userAccessControl Boolean

When set to True applies User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

forensics Boolean

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

hostForensics Boolean

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

admissionControl boolean

Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.

allowKubeEnforcerAudit boolean

Allow kube enforcer audit.

allowedApplications string[]

List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.

allowedLabels string[]

List of label names to allow on the hosts.

allowedRegistries string[]

List of registry names to allow on the hosts.

antivirusProtection boolean

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.

aquaVersion string

Aqua server version

auditAll boolean

Agent will send extra audit messages to the server for success operations from inside the container (runtime).

autoCopySecrets boolean

This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.

autoDiscoverConfigureRegistries boolean

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.

autoDiscoveryEnabled boolean

When this option is selected, the KubeEnforcer will discover workloads on its cluster.

autoScanDiscoveredImagesRunningContainers boolean

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).

behavioralEngine boolean

If Enabled, detects suspicious activity in your containers and displays potential security threats in the Incidents and Audits pages.

blockAdmissionControl boolean

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

commands GetEnforcerGroupsCommand[]

The installation command.

connectedCount number

Number of connected enforcers in the enforcer group.

containerActivityProtection boolean

When set to True applies Container Runtime Policies, Image Profiles, and Firewall Policies to containers.

containerAntivirusProtection boolean

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.

description string

A description for the Aqua Enforcer group.

disconnectedCount number

Number of disconnected enforcers in the enforcer group.

enforce boolean

Whether the enforce mode is enabled on the Enforcers.

enforcerImageName string

The specific Aqua Enforcer product image (with image tag) to be deployed.

gatewayAddress string

Gateway Address

gatewayName string

Gateway Name

gateways string[]

List of Aqua gateway IDs for the Enforcers.

groupId string

The ID of the Enforcer group.

highVulns number

Number of high vulnerabilities in the enforcers that in this enforcer group.

hostAssurance boolean

When set to True enables host scanning and respective Host Assurance controls.

hostBehavioralEngine boolean

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

hostNetworkProtection boolean

When set to True applies Firewall Policies to hosts, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information

hostOs string

The OS type for the host

hostProtection boolean

When set to True enables all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.

hostUserProtection boolean

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

hostsCount number

Number of enforcers in the enforcer group.

id string

The provider-assigned unique ID for this managed resource.

imageAssurance boolean

When Set to True enables selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).

installCommand string

Enforcer install command

kubeBenchImageName string

See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.

lastUpdate number

The last date and time the batch token was updated in UNIX time.

logicalName string

Name for the batch install record.

lowVulns number

Number of low vulnerabilities in the enforcers that in this enforcer group.

medVulns number

Number of medium vulnerabilities in the enforcers that in this enforcer group.

microEnforcerCertsSecretsName string

This option is applicable only if Enable Pod Enforcer injection is selected.

microEnforcerImageName string

This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.

microEnforcerInjection boolean

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

microEnforcerSecretsName string

This option is applicable only if Enable Pod Enforcer injection is selected.

negVulns number

Number of negligible vulnerabilities in the enforcers that in this enforcer group.

networkProtection boolean

When set to True applies Firewall Policies to containers, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.

orchestrators GetEnforcerGroupsOrchestrator[]

The orchestrator for which you are creating the Enforcer group.

pasDeploymentLink string

pas deployment link

permission string

Permission Action

riskExplorerAutoDiscovery boolean

When set to True allows Enforcers to be discovered in the Risk Explorer.

runtimePolicyName string

Function Runtime Policy that will applay on the nano enforcer.

runtimeType string

The container runtime environment.

syncHostImages boolean

When set to True configures Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).

syscallEnabled boolean

When set to True allows profiling and monitoring system calls made by running containers.

token string

The batch install token.

type string

Enforcer Type.

userAccessControl boolean

When set to True applies User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

forensics boolean

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

hostForensics boolean

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

admission_control bool

Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.

allow_kube_enforcer_audit bool

Allow kube enforcer audit.

allowed_applications Sequence[str]

List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.

allowed_labels Sequence[str]

List of label names to allow on the hosts.

allowed_registries Sequence[str]

List of registry names to allow on the hosts.

antivirus_protection bool

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.

aqua_version str

Aqua server version

audit_all bool

Agent will send extra audit messages to the server for success operations from inside the container (runtime).

auto_copy_secrets bool

This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.

auto_discover_configure_registries bool

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.

auto_discovery_enabled bool

When this option is selected, the KubeEnforcer will discover workloads on its cluster.

auto_scan_discovered_images_running_containers bool

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).

behavioral_engine bool

If Enabled, detects suspicious activity in your containers and displays potential security threats in the Incidents and Audits pages.

block_admission_control bool

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

commands Sequence[GetEnforcerGroupsCommand]

The installation command.

connected_count int

Number of connected enforcers in the enforcer group.

container_activity_protection bool

When set to True applies Container Runtime Policies, Image Profiles, and Firewall Policies to containers.

container_antivirus_protection bool

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.

description str

A description for the Aqua Enforcer group.

disconnected_count int

Number of disconnected enforcers in the enforcer group.

enforce bool

Whether the enforce mode is enabled on the Enforcers.

enforcer_image_name str

The specific Aqua Enforcer product image (with image tag) to be deployed.

gateway_address str

Gateway Address

gateway_name str

Gateway Name

gateways Sequence[str]

List of Aqua gateway IDs for the Enforcers.

group_id str

The ID of the Enforcer group.

high_vulns int

Number of high vulnerabilities in the enforcers that in this enforcer group.

host_assurance bool

When set to True enables host scanning and respective Host Assurance controls.

host_behavioral_engine bool

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

host_network_protection bool

When set to True applies Firewall Policies to hosts, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information

host_os str

The OS type for the host

host_protection bool

When set to True enables all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.

host_user_protection bool

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

hosts_count int

Number of enforcers in the enforcer group.

id str

The provider-assigned unique ID for this managed resource.

image_assurance bool

When Set to True enables selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).

install_command str

Enforcer install command

kube_bench_image_name str

See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.

last_update int

The last date and time the batch token was updated in UNIX time.

logical_name str

Name for the batch install record.

low_vulns int

Number of low vulnerabilities in the enforcers that in this enforcer group.

med_vulns int

Number of medium vulnerabilities in the enforcers that in this enforcer group.

micro_enforcer_certs_secrets_name str

This option is applicable only if Enable Pod Enforcer injection is selected.

micro_enforcer_image_name str

This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.

micro_enforcer_injection bool

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

micro_enforcer_secrets_name str

This option is applicable only if Enable Pod Enforcer injection is selected.

neg_vulns int

Number of negligible vulnerabilities in the enforcers that in this enforcer group.

network_protection bool

When set to True applies Firewall Policies to containers, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.

orchestrators Sequence[GetEnforcerGroupsOrchestrator]

The orchestrator for which you are creating the Enforcer group.

pas_deployment_link str

pas deployment link

permission str

Permission Action

risk_explorer_auto_discovery bool

When set to True allows Enforcers to be discovered in the Risk Explorer.

runtime_policy_name str

Function Runtime Policy that will applay on the nano enforcer.

runtime_type str

The container runtime environment.

sync_host_images bool

When set to True configures Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).

syscall_enabled bool

When set to True allows profiling and monitoring system calls made by running containers.

token str

The batch install token.

type str

Enforcer Type.

user_access_control bool

When set to True applies User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

forensics bool

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

host_forensics bool

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

admissionControl Boolean

Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
* Block Non-Compliant Images
* Block Non-Compliant Workloads
* Block Unregistered Images
This functionality can work only when the KubeEnforcer is deployed in Enforce mode.

allowKubeEnforcerAudit Boolean

Allow kube enforcer audit.

allowedApplications List<String>

List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.

allowedLabels List<String>

List of label names to allow on the hosts.

allowedRegistries List<String>

List of registry names to allow on the hosts.

antivirusProtection Boolean

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.

aquaVersion String

Aqua server version

auditAll Boolean

Agent will send extra audit messages to the server for success operations from inside the container (runtime).

autoCopySecrets Boolean

This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.

autoDiscoverConfigureRegistries Boolean

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.

autoDiscoveryEnabled Boolean

When this option is selected, the KubeEnforcer will discover workloads on its cluster.

autoScanDiscoveredImagesRunningContainers Boolean

This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).

behavioralEngine Boolean

If Enabled, detects suspicious activity in your containers and displays potential security threats in the Incidents and Audits pages.

blockAdmissionControl Boolean

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

commands List<Property Map>

The installation command.

connectedCount Number

Number of connected enforcers in the enforcer group.

containerActivityProtection Boolean

When set to True applies Container Runtime Policies, Image Profiles, and Firewall Policies to containers.

containerAntivirusProtection Boolean

This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.

description String

A description for the Aqua Enforcer group.

disconnectedCount Number

Number of disconnected enforcers in the enforcer group.

enforce Boolean

Whether the enforce mode is enabled on the Enforcers.

enforcerImageName String

The specific Aqua Enforcer product image (with image tag) to be deployed.

gatewayAddress String

Gateway Address

gatewayName String

Gateway Name

gateways List<String>

List of Aqua gateway IDs for the Enforcers.

groupId String

The ID of the Enforcer group.

highVulns Number

Number of high vulnerabilities in the enforcers that in this enforcer group.

hostAssurance Boolean

When set to True enables host scanning and respective Host Assurance controls.

hostBehavioralEngine Boolean

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

hostNetworkProtection Boolean

When set to True applies Firewall Policies to hosts, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information

hostOs String

The OS type for the host

hostProtection Boolean

When set to True enables all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.

hostUserProtection Boolean

When set to True enables these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked

hostsCount Number

Number of enforcers in the enforcer group.

id String

The provider-assigned unique ID for this managed resource.

imageAssurance Boolean

When Set to True enables selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).

installCommand String

Enforcer install command

kubeBenchImageName String

See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.

lastUpdate Number

The last date and time the batch token was updated in UNIX time.

logicalName String

Name for the batch install record.

lowVulns Number

Number of low vulnerabilities in the enforcers that in this enforcer group.

medVulns Number

Number of medium vulnerabilities in the enforcers that in this enforcer group.

microEnforcerCertsSecretsName String

This option is applicable only if Enable Pod Enforcer injection is selected.

microEnforcerImageName String

This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.

microEnforcerInjection Boolean

This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.

microEnforcerSecretsName String

This option is applicable only if Enable Pod Enforcer injection is selected.

negVulns Number

Number of negligible vulnerabilities in the enforcers that in this enforcer group.

networkProtection Boolean

When set to True applies Firewall Policies to containers, and allows recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.

orchestrators List<Property Map>

The orchestrator for which you are creating the Enforcer group.

pasDeploymentLink String

pas deployment link

permission String

Permission Action

riskExplorerAutoDiscovery Boolean

When set to True allows Enforcers to be discovered in the Risk Explorer.

runtimePolicyName String

Function Runtime Policy that will applay on the nano enforcer.

runtimeType String

The container runtime environment.

syncHostImages Boolean

When set to True configures Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).

syscallEnabled Boolean

When set to True allows profiling and monitoring system calls made by running containers.

token String

The batch install token.

type String

Enforcer Type.

userAccessControl Boolean

When set to True applies User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

forensics Boolean

Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.

hostForensics Boolean

Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.

Supporting Types

GetEnforcerGroupsCommand

Default string
Kubernetes string
Swarm string
Windows string
Default string
Kubernetes string
Swarm string
Windows string
default_ String
kubernetes String
swarm String
windows String
default string
kubernetes string
swarm string
windows string
default String
kubernetes String
swarm String
windows String

GetEnforcerGroupsOrchestrator

Master bool
Namespace string
ServiceAccount string
Type string

Enforcer Type.

Master bool
Namespace string
ServiceAccount string
Type string

Enforcer Type.

master Boolean
namespace String
serviceAccount String
type String

Enforcer Type.

master boolean
namespace string
serviceAccount string
type string

Enforcer Type.

master bool
namespace str
service_account str
type str

Enforcer Type.

master Boolean
namespace String
serviceAccount String
type String

Enforcer Type.

Package Details

Repository
https://github.com/pulumiverse/pulumi-aquasec
License
Apache-2.0
Notes

This Pulumi package is based on the aquasec Terraform Provider.