cyral.PolicySet

# cyral.PolicySet (Resource)

This resource allows management of policy sets in the Cyral platform.

Import ID syntax is {policy_set_id}.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as cyral from "@pulumi/cyral";

const myrepo = new cyral.Repository("myrepo", {
    type: "mongodb",
    repoNodes: [{
        name: "node-1",
        host: "mongodb.cyral.com",
        port: 27017,
    }],
    mongodbSettings: {
        serverType: "standalone",
    },
});
const repoLockdownExample = new cyral.PolicySet("repoLockdownExample", {
    wizardId: "repo-lockdown",
    description: "This default policy will block by default all queries for myrepo except the ones not parsed by Cyral",
    enabled: true,
    tags: [
        "default block",
        "fail open",
    ],
    scope: {
        repoIds: [myrepo.id],
    },
    wizardParameters: JSON.stringify({
        denyByDefault: true,
        failClosed: false,
    }),
});

import pulumi
import json
import pulumi_cyral as cyral

myrepo = cyral.Repository("myrepo",
    type="mongodb",
    repo_nodes=[{
        "name": "node-1",
        "host": "mongodb.cyral.com",
        "port": 27017,
    }],
    mongodb_settings={
        "server_type": "standalone",
    })
repo_lockdown_example = cyral.PolicySet("repoLockdownExample",
    wizard_id="repo-lockdown",
    description="This default policy will block by default all queries for myrepo except the ones not parsed by Cyral",
    enabled=True,
    tags=[
        "default block",
        "fail open",
    ],
    scope={
        "repo_ids": [myrepo.id],
    },
    wizard_parameters=json.dumps({
        "denyByDefault": True,
        "failClosed": False,
    }))

package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-terraform-provider/sdks/go/cyral/v4/cyral"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myrepo, err := cyral.NewRepository(ctx, "myrepo", &cyral.RepositoryArgs{
			Type: pulumi.String("mongodb"),
			RepoNodes: cyral.RepositoryRepoNodeArray{
				&cyral.RepositoryRepoNodeArgs{
					Name: pulumi.String("node-1"),
					Host: pulumi.String("mongodb.cyral.com"),
					Port: pulumi.Float64(27017),
				},
			},
			MongodbSettings: &cyral.RepositoryMongodbSettingsArgs{
				ServerType: pulumi.String("standalone"),
			},
		})
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"denyByDefault": true,
			"failClosed":    false,
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = cyral.NewPolicySet(ctx, "repoLockdownExample", &cyral.PolicySetArgs{
			WizardId:    pulumi.String("repo-lockdown"),
			Description: pulumi.String("This default policy will block by default all queries for myrepo except the ones not parsed by Cyral"),
			Enabled:     pulumi.Bool(true),
			Tags: pulumi.StringArray{
				pulumi.String("default block"),
				pulumi.String("fail open"),
			},
			Scope: &cyral.PolicySetScopeArgs{
				RepoIds: pulumi.StringArray{
					myrepo.ID(),
				},
			},
			WizardParameters: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Cyral = Pulumi.Cyral;

return await Deployment.RunAsync(() => 
{
    var myrepo = new Cyral.Repository("myrepo", new()
    {
        Type = "mongodb",
        RepoNodes = new[]
        {
            new Cyral.Inputs.RepositoryRepoNodeArgs
            {
                Name = "node-1",
                Host = "mongodb.cyral.com",
                Port = 27017,
            },
        },
        MongodbSettings = new Cyral.Inputs.RepositoryMongodbSettingsArgs
        {
            ServerType = "standalone",
        },
    });

    var repoLockdownExample = new Cyral.PolicySet("repoLockdownExample", new()
    {
        WizardId = "repo-lockdown",
        Description = "This default policy will block by default all queries for myrepo except the ones not parsed by Cyral",
        Enabled = true,
        Tags = new[]
        {
            "default block",
            "fail open",
        },
        Scope = new Cyral.Inputs.PolicySetScopeArgs
        {
            RepoIds = new[]
            {
                myrepo.Id,
            },
        },
        WizardParameters = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["denyByDefault"] = true,
            ["failClosed"] = false,
        }),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cyral.Repository;
import com.pulumi.cyral.RepositoryArgs;
import com.pulumi.cyral.inputs.RepositoryRepoNodeArgs;
import com.pulumi.cyral.inputs.RepositoryMongodbSettingsArgs;
import com.pulumi.cyral.PolicySet;
import com.pulumi.cyral.PolicySetArgs;
import com.pulumi.cyral.inputs.PolicySetScopeArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var myrepo = new Repository("myrepo", RepositoryArgs.builder()
            .type("mongodb")
            .repoNodes(RepositoryRepoNodeArgs.builder()
                .name("node-1")
                .host("mongodb.cyral.com")
                .port(27017)
                .build())
            .mongodbSettings(RepositoryMongodbSettingsArgs.builder()
                .serverType("standalone")
                .build())
            .build());

        var repoLockdownExample = new PolicySet("repoLockdownExample", PolicySetArgs.builder()
            .wizardId("repo-lockdown")
            .description("This default policy will block by default all queries for myrepo except the ones not parsed by Cyral")
            .enabled(true)
            .tags(            
                "default block",
                "fail open")
            .scope(PolicySetScopeArgs.builder()
                .repoIds(myrepo.id())
                .build())
            .wizardParameters(serializeJson(
                jsonObject(
                    jsonProperty("denyByDefault", true),
                    jsonProperty("failClosed", false)
                )))
            .build());

    }
}

resources:
  myrepo:
    type: cyral:Repository
    properties:
      type: mongodb
      repoNodes:
        - name: node-1
          host: mongodb.cyral.com
          port: 27017
      mongodbSettings:
        serverType: standalone
  repoLockdownExample:
    type: cyral:PolicySet
    properties:
      wizardId: repo-lockdown
      description: This default policy will block by default all queries for myrepo except the ones not parsed by Cyral
      enabled: true
      tags:
        - default block
        - fail open
      scope:
        repoIds:
          - ${myrepo.id}
      wizardParameters:
        fn::toJSON:
          denyByDefault: true
          failClosed: false

Available Policy Wizards

The following policy wizards are available for creating policy sets. The wizard parameters, specified as a JSON object, are described below for each wizard as well.

You can also use the Cyral API GET /v1/regopolicies/templates to retrieve all existing templates and their corresponding parameters schema.

Data Firewall (data-firewall) - Ensure that sensitive data can only be read by specified individuals.

• dataset (String) Data Set (table, collection, etc.) to which the policy applies.
• dataFilter (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
• substitutionQuery (String) A query that will be used to replace all occurrences of the dataset in the original query. Only one of dataFilter and substitutionQuery can be specified.
• excludedIdentities (Object) Identities that will be excluded from this policy. See identityList.

Data Masking (data-masking) - Mask fields for specific users and applications.

• maskType (String) Mask Type (E.g.: null, constant, format-preserving).
• maskArguments (Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value).
• tags (Array) Data Tags to which the policy applies.
• labels (Array) Data Labels to which the policy applies.
• identities (Object) Identities to which the policy applies. If empty, the policy will apply to all identities. See identities.
• dbAccounts (Object) Database Accounts to which the policy applies. If empty, the policy will apply to any database account. See dbAccounts.

Data Protection (data-protection) - Guard against reads and writes of specified tables or fields.

• block (Boolean) Policy action to block.
• governedOperations (Array) Operations governed by this policy, can be one or more of: read, update, delete, and insert.
• tags (Array) Data Tags to which the policy applies.
• labels (Array) Data Labels to which the policy applies.
• datasets (Array) Data Sets (tables, collections, etc.) to which the policy applies.
• identities (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See identities.
• dbAccounts (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See dbAccounts.

Object Protection (object-protection) - Guards against operations like create, drop, and alter for specified object types.

• objectType (String) The type of object to monitor or protect. The only value currently supported is role/user.
• block (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
• governedOperations (Array) Operations governed by this policy, can be one or more of: create, drop, and alter.
• identities (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See identities.
• dbAccounts (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See dbAccounts.
• alertSeverity (String) Alert severity. Allowed values are: low, medium, high.

Rate Limit (rate-limit) - Implement threshold on sensitive data reads over a period of time.

• rateLimit (Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero.
• enforce (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
• tags (Array) Data Tags to which the policy applies.
• labels (Array) Data Labels to which the policy applies.
• identities (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See identities.
• dbAccounts (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See dbAccounts.

Read Limit (read-limit) - Prevent certain data from being read beyond a specified limit.

• rowLimit (Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero.
• enforce (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
• tags (Array) Data Tags to which the policy applies.
• labels (Array) Data Labels to which the policy applies.
• datasets (Array) Data Sets (tables, collections, etc.) to which the policy applies.
• identities (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See identities.
• dbAccounts (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See dbAccounts.

Repository Lockdown (repo-lockdown) - Deny all statements that are not allowed by some policy and/or not understood by Cyral.

• failClosed (Boolean) Whether to fail closed, if true, all statements that are not understood by Cyral will be blocked.
• denyByDefault (Boolean) Whether to deny all statements by default, if true, all statements that are not explicitly allowed by some policy will be blocked.

Repository Protection (repository-protection) - Alert when more than a specified number of records are updated, deleted, or inserted in specified datasets.

• rowLimit (Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero.
• governedOperations (Array) Operations governed by this policy, can be one or more of: update, delete and insert.
• datasets (Array) Data Sets (tables, collections, etc.) to which the policy applies.
• identities (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See identities.
• dbAccounts (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See dbAccounts.

Schema Protection (schema-protection) - Protect database schema against unauthorized creation, deletion, or modification of tables and views.

• block (Boolean) Whether to block unauthorized schema changes.
• schemas (Array) Schemas to which the policy applies.
• excludedIdentities (Object) Identities that are exempt from the policy. See identities.

Service Account Abuse (service-account-abuse) - Ensure service accounts can only be used by intended applications.

• block (Boolean) Policy action to enforce.
• serviceAccounts (Array) Service accounts for which end user attribution is always required.
• alertSeverity (String) Alert severity. Allowed values are: low, medium, high.

Stored Procedure Governance (stored-procedure-governance) - Restrict execution of stored procedures..

• enforced (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
• governedProcedures (Array) Stored procedures to which the policy applies.
• identities (Object) Identities to which the policy applies. If empty, the policy will be applied to all identities. See identities.
• dbAccounts (Object) Database Accounts to which the policy applies. If empty, the policy will be applied to any database account. See dbAccounts.
• alertSeverity (String) Alert severity. Allowed values are: low, medium, high.

User Segmentation (user-segmentation) - Restrict specific users to a subset of data.

• dataset (String) Data Set (table, collection, etc.) to which the policy applies.
• dataFilter (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.
• substitutionQuery (String) A query that will be used to replace all occurrences of the dataset in the original query. Only one of dataFilter and substitutionQuery can be specified.
• includedIdentities (Object) Identities that cannot see restricted records. See identityList.
• includedDbAccounts (Array) Database accounts cannot see restricted records.

Objects

• identities (Object) Identities. See properties below:
  • included (Object) Included Identities. See identityList.
  • excluded (Object) Excluded Identities. See identityList.
• dbAccounts (Object) Database Accounts. See properties below:
  • included (Array) Included Database Accounts.
  • excluded (Array) Excluded Database Accounts.
• identityList (Object) Identity List. See properties below:
  • userNames (Array) Identity Emails.
  • emails (Array) Identity Usernames.
  • groups (Array) Identity Groups.

Create PolicySet Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new PolicySet(name: string, args: PolicySetArgs, opts?: CustomResourceOptions);

@overload
def PolicySet(resource_name: str,
              args: PolicySetArgs,
              opts: Optional[ResourceOptions] = None)

@overload
def PolicySet(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              wizard_id: Optional[str] = None,
              wizard_parameters: Optional[str] = None,
              description: Optional[str] = None,
              enabled: Optional[bool] = None,
              name: Optional[str] = None,
              scope: Optional[PolicySetScopeArgs] = None,
              tags: Optional[Sequence[str]] = None)

func NewPolicySet(ctx *Context, name string, args PolicySetArgs, opts ...ResourceOption) (*PolicySet, error)

public PolicySet(string name, PolicySetArgs args, CustomResourceOptions? opts = null)

public PolicySet(String name, PolicySetArgs args)
public PolicySet(String name, PolicySetArgs args, CustomResourceOptions options)

type: cyral:PolicySet
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

Constructor example

The following reference example uses placeholder values for all input properties.

var policySetResource = new Cyral.PolicySet("policySetResource", new()
{
    WizardId = "string",
    WizardParameters = "string",
    Description = "string",
    Enabled = false,
    Name = "string",
    Scope = new Cyral.Inputs.PolicySetScopeArgs
    {
        RepoIds = new[]
        {
            "string",
        },
    },
    Tags = new[]
    {
        "string",
    },
});

example, err := cyral.NewPolicySet(ctx, "policySetResource", &cyral.PolicySetArgs{
	WizardId:         pulumi.String("string"),
	WizardParameters: pulumi.String("string"),
	Description:      pulumi.String("string"),
	Enabled:          pulumi.Bool(false),
	Name:             pulumi.String("string"),
	Scope: &cyral.PolicySetScopeArgs{
		RepoIds: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
})

var policySetResource = new PolicySet("policySetResource", PolicySetArgs.builder()
    .wizardId("string")
    .wizardParameters("string")
    .description("string")
    .enabled(false)
    .name("string")
    .scope(PolicySetScopeArgs.builder()
        .repoIds("string")
        .build())
    .tags("string")
    .build());

policy_set_resource = cyral.PolicySet("policySetResource",
    wizard_id="string",
    wizard_parameters="string",
    description="string",
    enabled=False,
    name="string",
    scope={
        "repo_ids": ["string"],
    },
    tags=["string"])

const policySetResource = new cyral.PolicySet("policySetResource", {
    wizardId: "string",
    wizardParameters: "string",
    description: "string",
    enabled: false,
    name: "string",
    scope: {
        repoIds: ["string"],
    },
    tags: ["string"],
});

type: cyral:PolicySet
properties:
    description: string
    enabled: false
    name: string
    scope:
        repoIds:
            - string
    tags:
        - string
    wizardId: string
    wizardParameters: string

PolicySet Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The PolicySet resource accepts the following input properties:

Outputs

All input properties are implicitly available as output properties. Additionally, the PolicySet resource produces the following output properties:

Look up Existing PolicySet Resource

Get an existing PolicySet resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PolicySetState, opts?: CustomResourceOptions): PolicySet

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        created: Optional[Mapping[str, str]] = None,
        description: Optional[str] = None,
        enabled: Optional[bool] = None,
        last_updated: Optional[Mapping[str, str]] = None,
        name: Optional[str] = None,
        policies: Optional[Sequence[PolicySetPolicyArgs]] = None,
        scope: Optional[PolicySetScopeArgs] = None,
        tags: Optional[Sequence[str]] = None,
        wizard_id: Optional[str] = None,
        wizard_parameters: Optional[str] = None) -> PolicySet

func GetPolicySet(ctx *Context, name string, id IDInput, state *PolicySetState, opts ...ResourceOption) (*PolicySet, error)

public static PolicySet Get(string name, Input<string> id, PolicySetState? state, CustomResourceOptions? opts = null)

public static PolicySet get(String name, Output<String> id, PolicySetState state, CustomResourceOptions options)

resources:  _:    type: cyral:PolicySet    get:      id: ${id}

Supporting Types

PolicySetPolicy, PolicySetPolicyArgs

PolicySetScope, PolicySetScopeArgs

Package Details

Repository

cyral cyralinc/terraform-provider-cyral

License

Notes

This Pulumi package is based on the cyral Terraform Provider.