Docs Home
cyral 4.16.3 published on Monday, Apr 14, 2025 by cyralinc
cyral.RegoPolicyInstance
Explore with Pulumi AI
# cyral.RegoPolicyInstance (Resource)
Manages a Rego Policy instance.
Note This resource can be used to create repo-level policies by specifying the repo IDs associated to the policy
scope. For more information, see the scope field.
Import ID syntax is
{category}/{policy_id}.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as cyral from "@pulumi/cyral";
//## Global rego policy instance
const policyRegoPolicyInstance = new cyral.RegoPolicyInstance("policyRegoPolicyInstance", {
category: "SECURITY",
description: "Policy to govern user management operations",
templateId: "object-protection",
parameters: JSON.stringify({
objectType: "role/user",
block: true,
monitorCreates: true,
monitorAlters: true,
monitorDrops: true,
identities: {
excluded: {
groups: ["dba"],
},
},
}),
enabled: true,
tags: [
"tag1",
"tag2",
],
});
export const policyLastUpdated = policyRegoPolicyInstance.lastUpdateds;
export const policyCreated = policyRegoPolicyInstance.createds;
//## Repo-level policy
const repo = new cyral.Repository("repo", {
type: "mysql",
repoNodes: [{
host: "mysql.cyral.com",
port: 3306,
}],
});
const policyIndex_regoPolicyInstanceRegoPolicyInstance = new cyral.RegoPolicyInstance("policyIndex/regoPolicyInstanceRegoPolicyInstance", {
category: "SECURITY",
description: "Policy to govern user management operations",
templateId: "object-protection",
parameters: JSON.stringify({
objectType: "role/user",
block: true,
monitorCreates: true,
monitorAlters: true,
monitorDrops: true,
identities: {
excluded: {
groups: ["dba"],
},
},
}),
enabled: true,
scope: {
repoIds: [repo.id],
},
tags: [
"tag1",
"tag2",
],
});
//## Rego policy instance with duration
const policyCyralIndex_regoPolicyInstanceRegoPolicyInstance = new cyral.RegoPolicyInstance("policyCyralIndex/regoPolicyInstanceRegoPolicyInstance", {
category: "SECURITY",
description: "Policy to govern user management operations",
templateId: "object-protection",
parameters: JSON.stringify({
objectType: "role/user",
block: true,
monitorCreates: true,
monitorAlters: true,
monitorDrops: true,
identities: {
excluded: {
groups: ["dba"],
},
},
}),
enabled: true,
tags: [
"tag1",
"tag2",
],
duration: "10s",
});
import pulumi
import json
import pulumi_cyral as cyral
### Global rego policy instance
policy_rego_policy_instance = cyral.RegoPolicyInstance("policyRegoPolicyInstance",
category="SECURITY",
description="Policy to govern user management operations",
template_id="object-protection",
parameters=json.dumps({
"objectType": "role/user",
"block": True,
"monitorCreates": True,
"monitorAlters": True,
"monitorDrops": True,
"identities": {
"excluded": {
"groups": ["dba"],
},
},
}),
enabled=True,
tags=[
"tag1",
"tag2",
])
pulumi.export("policyLastUpdated", policy_rego_policy_instance.last_updateds)
pulumi.export("policyCreated", policy_rego_policy_instance.createds)
### Repo-level policy
repo = cyral.Repository("repo",
type="mysql",
repo_nodes=[{
"host": "mysql.cyral.com",
"port": 3306,
}])
policy_index_rego_policy_instance_rego_policy_instance = cyral.RegoPolicyInstance("policyIndex/regoPolicyInstanceRegoPolicyInstance",
category="SECURITY",
description="Policy to govern user management operations",
template_id="object-protection",
parameters=json.dumps({
"objectType": "role/user",
"block": True,
"monitorCreates": True,
"monitorAlters": True,
"monitorDrops": True,
"identities": {
"excluded": {
"groups": ["dba"],
},
},
}),
enabled=True,
scope={
"repo_ids": [repo.id],
},
tags=[
"tag1",
"tag2",
])
### Rego policy instance with duration
policy_cyral_index_rego_policy_instance_rego_policy_instance = cyral.RegoPolicyInstance("policyCyralIndex/regoPolicyInstanceRegoPolicyInstance",
category="SECURITY",
description="Policy to govern user management operations",
template_id="object-protection",
parameters=json.dumps({
"objectType": "role/user",
"block": True,
"monitorCreates": True,
"monitorAlters": True,
"monitorDrops": True,
"identities": {
"excluded": {
"groups": ["dba"],
},
},
}),
enabled=True,
tags=[
"tag1",
"tag2",
],
duration="10s")
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-terraform-provider/sdks/go/cyral/v4/cyral"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
tmpJSON0, err := json.Marshal(map[string]interface{}{
"objectType": "role/user",
"block": true,
"monitorCreates": true,
"monitorAlters": true,
"monitorDrops": true,
"identities": map[string]interface{}{
"excluded": map[string]interface{}{
"groups": []string{
"dba",
},
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
// ## Global rego policy instance
policyRegoPolicyInstance, err := cyral.NewRegoPolicyInstance(ctx, "policyRegoPolicyInstance", &cyral.RegoPolicyInstanceArgs{
Category: pulumi.String("SECURITY"),
Description: pulumi.String("Policy to govern user management operations"),
TemplateId: pulumi.String("object-protection"),
Parameters: pulumi.String(json0),
Enabled: pulumi.Bool(true),
Tags: pulumi.StringArray{
pulumi.String("tag1"),
pulumi.String("tag2"),
},
})
if err != nil {
return err
}
ctx.Export("policyLastUpdated", policyRegoPolicyInstance.LastUpdateds)
ctx.Export("policyCreated", policyRegoPolicyInstance.Createds)
// ## Repo-level policy
repo, err := cyral.NewRepository(ctx, "repo", &cyral.RepositoryArgs{
Type: pulumi.String("mysql"),
RepoNodes: cyral.RepositoryRepoNodeArray{
&cyral.RepositoryRepoNodeArgs{
Host: pulumi.String("mysql.cyral.com"),
Port: pulumi.Float64(3306),
},
},
})
if err != nil {
return err
}
tmpJSON1, err := json.Marshal(map[string]interface{}{
"objectType": "role/user",
"block": true,
"monitorCreates": true,
"monitorAlters": true,
"monitorDrops": true,
"identities": map[string]interface{}{
"excluded": map[string]interface{}{
"groups": []string{
"dba",
},
},
},
})
if err != nil {
return err
}
json1 := string(tmpJSON1)
_, err = cyral.NewRegoPolicyInstance(ctx, "policyIndex/regoPolicyInstanceRegoPolicyInstance", &cyral.RegoPolicyInstanceArgs{
Category: pulumi.String("SECURITY"),
Description: pulumi.String("Policy to govern user management operations"),
TemplateId: pulumi.String("object-protection"),
Parameters: pulumi.String(json1),
Enabled: pulumi.Bool(true),
Scope: &cyral.RegoPolicyInstanceScopeArgs{
RepoIds: pulumi.StringArray{
repo.ID(),
},
},
Tags: pulumi.StringArray{
pulumi.String("tag1"),
pulumi.String("tag2"),
},
})
if err != nil {
return err
}
tmpJSON2, err := json.Marshal(map[string]interface{}{
"objectType": "role/user",
"block": true,
"monitorCreates": true,
"monitorAlters": true,
"monitorDrops": true,
"identities": map[string]interface{}{
"excluded": map[string]interface{}{
"groups": []string{
"dba",
},
},
},
})
if err != nil {
return err
}
json2 := string(tmpJSON2)
// ## Rego policy instance with duration
_, err = cyral.NewRegoPolicyInstance(ctx, "policyCyralIndex/regoPolicyInstanceRegoPolicyInstance", &cyral.RegoPolicyInstanceArgs{
Category: pulumi.String("SECURITY"),
Description: pulumi.String("Policy to govern user management operations"),
TemplateId: pulumi.String("object-protection"),
Parameters: pulumi.String(json2),
Enabled: pulumi.Bool(true),
Tags: pulumi.StringArray{
pulumi.String("tag1"),
pulumi.String("tag2"),
},
Duration: pulumi.String("10s"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Cyral = Pulumi.Cyral;
return await Deployment.RunAsync(() =>
{
//## Global rego policy instance
var policyRegoPolicyInstance = new Cyral.RegoPolicyInstance("policyRegoPolicyInstance", new()
{
Category = "SECURITY",
Description = "Policy to govern user management operations",
TemplateId = "object-protection",
Parameters = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["objectType"] = "role/user",
["block"] = true,
["monitorCreates"] = true,
["monitorAlters"] = true,
["monitorDrops"] = true,
["identities"] = new Dictionary<string, object?>
{
["excluded"] = new Dictionary<string, object?>
{
["groups"] = new[]
{
"dba",
},
},
},
}),
Enabled = true,
Tags = new[]
{
"tag1",
"tag2",
},
});
//## Repo-level policy
var repo = new Cyral.Repository("repo", new()
{
Type = "mysql",
RepoNodes = new[]
{
new Cyral.Inputs.RepositoryRepoNodeArgs
{
Host = "mysql.cyral.com",
Port = 3306,
},
},
});
var policyIndex_regoPolicyInstanceRegoPolicyInstance = new Cyral.RegoPolicyInstance("policyIndex/regoPolicyInstanceRegoPolicyInstance", new()
{
Category = "SECURITY",
Description = "Policy to govern user management operations",
TemplateId = "object-protection",
Parameters = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["objectType"] = "role/user",
["block"] = true,
["monitorCreates"] = true,
["monitorAlters"] = true,
["monitorDrops"] = true,
["identities"] = new Dictionary<string, object?>
{
["excluded"] = new Dictionary<string, object?>
{
["groups"] = new[]
{
"dba",
},
},
},
}),
Enabled = true,
Scope = new Cyral.Inputs.RegoPolicyInstanceScopeArgs
{
RepoIds = new[]
{
repo.Id,
},
},
Tags = new[]
{
"tag1",
"tag2",
},
});
//## Rego policy instance with duration
var policyCyralIndex_regoPolicyInstanceRegoPolicyInstance = new Cyral.RegoPolicyInstance("policyCyralIndex/regoPolicyInstanceRegoPolicyInstance", new()
{
Category = "SECURITY",
Description = "Policy to govern user management operations",
TemplateId = "object-protection",
Parameters = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["objectType"] = "role/user",
["block"] = true,
["monitorCreates"] = true,
["monitorAlters"] = true,
["monitorDrops"] = true,
["identities"] = new Dictionary<string, object?>
{
["excluded"] = new Dictionary<string, object?>
{
["groups"] = new[]
{
"dba",
},
},
},
}),
Enabled = true,
Tags = new[]
{
"tag1",
"tag2",
},
Duration = "10s",
});
return new Dictionary<string, object?>
{
["policyLastUpdated"] = policyRegoPolicyInstance.LastUpdateds,
["policyCreated"] = policyRegoPolicyInstance.Createds,
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cyral.RegoPolicyInstance;
import com.pulumi.cyral.RegoPolicyInstanceArgs;
import com.pulumi.cyral.Repository;
import com.pulumi.cyral.RepositoryArgs;
import com.pulumi.cyral.inputs.RepositoryRepoNodeArgs;
import com.pulumi.cyral.inputs.RegoPolicyInstanceScopeArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
//## Global rego policy instance
var policyRegoPolicyInstance = new RegoPolicyInstance("policyRegoPolicyInstance", RegoPolicyInstanceArgs.builder()
.category("SECURITY")
.description("Policy to govern user management operations")
.templateId("object-protection")
.parameters(serializeJson(
jsonObject(
jsonProperty("objectType", "role/user"),
jsonProperty("block", true),
jsonProperty("monitorCreates", true),
jsonProperty("monitorAlters", true),
jsonProperty("monitorDrops", true),
jsonProperty("identities", jsonObject(
jsonProperty("excluded", jsonObject(
jsonProperty("groups", jsonArray("dba"))
))
))
)))
.enabled(true)
.tags(
"tag1",
"tag2")
.build());
ctx.export("policyLastUpdated", policyRegoPolicyInstance.lastUpdateds());
ctx.export("policyCreated", policyRegoPolicyInstance.createds());
//## Repo-level policy
var repo = new Repository("repo", RepositoryArgs.builder()
.type("mysql")
.repoNodes(RepositoryRepoNodeArgs.builder()
.host("mysql.cyral.com")
.port(3306)
.build())
.build());
var policyIndex_regoPolicyInstanceRegoPolicyInstance = new RegoPolicyInstance("policyIndex/regoPolicyInstanceRegoPolicyInstance", RegoPolicyInstanceArgs.builder()
.category("SECURITY")
.description("Policy to govern user management operations")
.templateId("object-protection")
.parameters(serializeJson(
jsonObject(
jsonProperty("objectType", "role/user"),
jsonProperty("block", true),
jsonProperty("monitorCreates", true),
jsonProperty("monitorAlters", true),
jsonProperty("monitorDrops", true),
jsonProperty("identities", jsonObject(
jsonProperty("excluded", jsonObject(
jsonProperty("groups", jsonArray("dba"))
))
))
)))
.enabled(true)
.scope(RegoPolicyInstanceScopeArgs.builder()
.repoIds(repo.id())
.build())
.tags(
"tag1",
"tag2")
.build());
//## Rego policy instance with duration
var policyCyralIndex_regoPolicyInstanceRegoPolicyInstance = new RegoPolicyInstance("policyCyralIndex/regoPolicyInstanceRegoPolicyInstance", RegoPolicyInstanceArgs.builder()
.category("SECURITY")
.description("Policy to govern user management operations")
.templateId("object-protection")
.parameters(serializeJson(
jsonObject(
jsonProperty("objectType", "role/user"),
jsonProperty("block", true),
jsonProperty("monitorCreates", true),
jsonProperty("monitorAlters", true),
jsonProperty("monitorDrops", true),
jsonProperty("identities", jsonObject(
jsonProperty("excluded", jsonObject(
jsonProperty("groups", jsonArray("dba"))
))
))
)))
.enabled(true)
.tags(
"tag1",
"tag2")
.duration("10s")
.build());
}
}
resources:
### Global rego policy instance
policyRegoPolicyInstance:
type: cyral:RegoPolicyInstance
properties:
category: SECURITY
description: Policy to govern user management operations
templateId: object-protection
parameters:
fn::toJSON:
objectType: role/user
block: true
monitorCreates: true
monitorAlters: true
monitorDrops: true
identities:
excluded:
groups:
- dba
enabled: true
tags:
- tag1
- tag2
### Repo-level policy
repo:
type: cyral:Repository
properties:
type: mysql
repoNodes:
- host: mysql.cyral.com
port: 3306
policyIndex/regoPolicyInstanceRegoPolicyInstance:
type: cyral:RegoPolicyInstance
properties:
category: SECURITY
description: Policy to govern user management operations
templateId: object-protection
parameters:
fn::toJSON:
objectType: role/user
block: true
monitorCreates: true
monitorAlters: true
monitorDrops: true
identities:
excluded:
groups:
- dba
enabled: true
scope:
repoIds:
- ${repo.id}
tags:
- tag1
- tag2
### Rego policy instance with duration
policyCyralIndex/regoPolicyInstanceRegoPolicyInstance:
type: cyral:RegoPolicyInstance
properties:
category: SECURITY
description: Policy to govern user management operations
templateId: object-protection
parameters:
fn::toJSON:
objectType: role/user
block: true
monitorCreates: true
monitorAlters: true
monitorDrops: true
identities:
excluded:
groups:
- dba
enabled: true
tags:
- tag1
- tag2
duration: 10s
outputs:
policyLastUpdated: ${policyRegoPolicyInstance.lastUpdateds}
policyCreated: ${policyRegoPolicyInstance.createds}
Template Parameters
All templates use parameters defined as JSON, below is a list of all the corresponding parameters for the predefined templates.
You can also use the Cyral API
GET/v1/regopolicies/templatesto retrieve all existing templates and their corresponding parameters schema.
Fail Closed (fail-closed) - Protect against statements that are not understood by Cyral.
block(Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.identities(Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See identities.dbAccounts(Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See dbAccounts.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
Object Protection (object-protection) - Guards against operations like create, drop, and alter for specified object types.
objectType(String) The type of object to monitor or protect. Supported types include tables, views, roles/users, and schemas. Specific actions depend on the object type.block(Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.monitorCreates(Boolean) Specifies whether to monitor ‘CREATE’ operations for the defined object type. Applies only to relevant object types.monitorDrops(Boolean) Specifies whether to monitor ‘DROP’ operations for the defined object type. Applies only to relevant object types.monitorAlters(Boolean) Specifies whether to monitor ‘ALTER’ operations for the defined object type. Applies only to relevant object types.objects(Array) A list of specific objects (e.g., tables or views) to monitor or protect. Required for ’table’ or ‘view’ object types. Not applicable to ‘role/user’ or ‘schema’.identities(Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See identities.dbAccounts(Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See dbAccounts.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
Service Account Abuse (service-account-abuse) - Ensure service accounts can only be used by intended applications.
block(Boolean) Policy action to enforce.serviceAccounts(Array) Service accounts for which end user attribution is always required.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
Stored Procedure Governance (stored-procedure-governance) - Restrict execution of stored procedures.
governedProcedures(Array) List of stored procedures to be governed.enforce(Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.identities(Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See identities.dbAccounts(Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See dbAccounts.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
Ungoverned Statements (ungoverned-statements) - Control execution of statements not governed by other policies.
block(Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.identities(Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See identities.dbAccounts(Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See dbAccounts.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
Deprecated policy templates
The remaining list of policy templates have been deprecated in v4.18.X of the Cyral Control Plane
and can not be used for creating new policies. Managing existing policy instances is still supported.
Please visit cyral.PolicySet
resource to find replacements for the deprecated policy templates.
Data Firewall (data-firewall)
dataSet(String) Data Set.dataFilter(String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.tags(Array) Tags.labels(Array) Data Labels.excludedIdentities(Object) Identities that will be excluded from this policy. See identityList.
Data Masking (data-masking)
maskType(String) Mask Type (E.g.:NULL_MASK,CONSTANT_MASK,MASK).maskArguments(Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value).tags(Array) Tags.labels(Array) Data Labels.identities(Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See identities.dbAccounts(Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See dbAccounts.
Data Protection (data-protection)
block(Boolean) Policy action to block.monitorReads(Boolean) Monitor read operations.monitorUpdates(Boolean) Monitor update operations.monitorDeletes(Boolean) Monitor delete operations.tags(Array) Tags.labels(Array) Data Labels.identities(Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See identities.dbAccounts(Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See dbAccounts.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
Ephemeral Grant (EphemeralGrantPolicy)
repoAccount(String) Repository Account Name.repo(String) Repository Name.allowedSensitiveAttributes(Array) Allowed Sensitive Attributes.
Rate Limit (rate-limit)
rateLimit(Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero.block(Boolean) Policy action to enforce.tags(Array) Tags.labels(Array) Data Labels.identities(Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See identities.dbAccounts(Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See dbAccounts.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
Read Limit (read-limit)
rowLimit(Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero.block(Boolean) Policy action to enforce.appliesToAllData(Boolean) Whether the policy should apply to the entire repository data.tags(Array) Tags.labels(Array) Data Labels.identities(Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See identities.dbAccounts(Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See dbAccounts.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
Repository Protection (repository-protection)
rowLimit(Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero.monitorUpdates(Boolean) Monitor update operations.monitorDeletes(Boolean) Monitor delete operations.identities(Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See identities.dbAccounts(Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See dbAccounts.alertSeverity(String) Policy action to alert, using the respective severity. Allowed values are:low,medium,high.
User Segmentation (user-segmentation)
dataSet(String) Data Set.dataFilter(String) Data filter that will be applied when anyone tries to read the specified data labels from the data set.tags(Array) Tags.labels(Array) Data Labels.includedIdentities(Object) Identities that cannot see restricted records. See identityList.includedDbAccounts(Array) Database accounts cannot see restricted records.
Objects
identities(Object) Identities. See properties below:dbAccounts(Object) Database Accounts. See properties below:identityList(Object) Identity List. See properties below:userNames(Array) Identity Emails.emails(Array) Identity Usernames.groups(Array) Identity Groups.
Create RegoPolicyInstance Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new RegoPolicyInstance(name: string, args: RegoPolicyInstanceArgs, opts?: CustomResourceOptions);@overload
def RegoPolicyInstance(resource_name: str,
args: RegoPolicyInstanceArgs,
opts: Optional[ResourceOptions] = None)
@overload
def RegoPolicyInstance(resource_name: str,
opts: Optional[ResourceOptions] = None,
category: Optional[str] = None,
template_id: Optional[str] = None,
description: Optional[str] = None,
duration: Optional[str] = None,
enabled: Optional[bool] = None,
name: Optional[str] = None,
parameters: Optional[str] = None,
scope: Optional[RegoPolicyInstanceScopeArgs] = None,
tags: Optional[Sequence[str]] = None)func NewRegoPolicyInstance(ctx *Context, name string, args RegoPolicyInstanceArgs, opts ...ResourceOption) (*RegoPolicyInstance, error)public RegoPolicyInstance(string name, RegoPolicyInstanceArgs args, CustomResourceOptions? opts = null)
public RegoPolicyInstance(String name, RegoPolicyInstanceArgs args)
public RegoPolicyInstance(String name, RegoPolicyInstanceArgs args, CustomResourceOptions options)
type: cyral:RegoPolicyInstance
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RegoPolicyInstanceArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RegoPolicyInstanceArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RegoPolicyInstanceArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RegoPolicyInstanceArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RegoPolicyInstanceArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var regoPolicyInstanceResource = new Cyral.RegoPolicyInstance("regoPolicyInstanceResource", new()
{
Category = "string",
TemplateId = "string",
Description = "string",
Duration = "string",
Enabled = false,
Name = "string",
Parameters = "string",
Scope = new Cyral.Inputs.RegoPolicyInstanceScopeArgs
{
RepoIds = new[]
{
"string",
},
},
Tags = new[]
{
"string",
},
});
example, err := cyral.NewRegoPolicyInstance(ctx, "regoPolicyInstanceResource", &cyral.RegoPolicyInstanceArgs{
Category: pulumi.String("string"),
TemplateId: pulumi.String("string"),
Description: pulumi.String("string"),
Duration: pulumi.String("string"),
Enabled: pulumi.Bool(false),
Name: pulumi.String("string"),
Parameters: pulumi.String("string"),
Scope: &cyral.RegoPolicyInstanceScopeArgs{
RepoIds: pulumi.StringArray{
pulumi.String("string"),
},
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
})
var regoPolicyInstanceResource = new RegoPolicyInstance("regoPolicyInstanceResource", RegoPolicyInstanceArgs.builder()
.category("string")
.templateId("string")
.description("string")
.duration("string")
.enabled(false)
.name("string")
.parameters("string")
.scope(RegoPolicyInstanceScopeArgs.builder()
.repoIds("string")
.build())
.tags("string")
.build());
rego_policy_instance_resource = cyral.RegoPolicyInstance("regoPolicyInstanceResource",
category="string",
template_id="string",
description="string",
duration="string",
enabled=False,
name="string",
parameters="string",
scope={
"repo_ids": ["string"],
},
tags=["string"])
const regoPolicyInstanceResource = new cyral.RegoPolicyInstance("regoPolicyInstanceResource", {
category: "string",
templateId: "string",
description: "string",
duration: "string",
enabled: false,
name: "string",
parameters: "string",
scope: {
repoIds: ["string"],
},
tags: ["string"],
});
type: cyral:RegoPolicyInstance
properties:
category: string
description: string
duration: string
enabled: false
name: string
parameters: string
scope:
repoIds:
- string
tags:
- string
templateId: string
RegoPolicyInstance Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The RegoPolicyInstance resource accepts the following input properties:
- Category string
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - Template
Id string - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation - Description string
- Policy description.
- Duration string
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - Enabled bool
- Enable/disable the policy. Defaults to
false(Disabled). - Name string
- Policy name.
- Parameters string
- Policy parameters. The parameters vary based on the policy template schema.
- Scope
Rego
Policy Instance Scope - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - List<string>
- Tags that can be used to categorize the policy.
- Category string
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - Template
Id string - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation - Description string
- Policy description.
- Duration string
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - Enabled bool
- Enable/disable the policy. Defaults to
false(Disabled). - Name string
- Policy name.
- Parameters string
- Policy parameters. The parameters vary based on the policy template schema.
- Scope
Rego
Policy Instance Scope Args - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - []string
- Tags that can be used to categorize the policy.
- category String
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - template
Id String - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation - description String
- Policy description.
- duration String
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - enabled Boolean
- Enable/disable the policy. Defaults to
false(Disabled). - name String
- Policy name.
- parameters String
- Policy parameters. The parameters vary based on the policy template schema.
- scope
Rego
Policy Instance Scope - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - List<String>
- Tags that can be used to categorize the policy.
- category string
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - template
Id string - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation - description string
- Policy description.
- duration string
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - enabled boolean
- Enable/disable the policy. Defaults to
false(Disabled). - name string
- Policy name.
- parameters string
- Policy parameters. The parameters vary based on the policy template schema.
- scope
Rego
Policy Instance Scope - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - string[]
- Tags that can be used to categorize the policy.
- category str
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - template_
id str - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation - description str
- Policy description.
- duration str
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - enabled bool
- Enable/disable the policy. Defaults to
false(Disabled). - name str
- Policy name.
- parameters str
- Policy parameters. The parameters vary based on the policy template schema.
- scope
Rego
Policy Instance Scope Args - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - Sequence[str]
- Tags that can be used to categorize the policy.
- category String
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - template
Id String - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation - description String
- Policy description.
- duration String
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - enabled Boolean
- Enable/disable the policy. Defaults to
false(Disabled). - name String
- Policy name.
- parameters String
- Policy parameters. The parameters vary based on the policy template schema.
- scope Property Map
- Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - List<String>
- Tags that can be used to categorize the policy.
Outputs
All input properties are implicitly available as output properties. Additionally, the RegoPolicyInstance resource produces the following output properties:
- Createds
List<Rego
Policy Instance Created> - Information regarding the policy creation.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Updateds List<RegoPolicy Instance Last Updated> - Information regarding the policy last update.
- Policy
Id string - ID of this rego policy instance in Cyral environment.
- Createds
[]Rego
Policy Instance Created - Information regarding the policy creation.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Updateds []RegoPolicy Instance Last Updated - Information regarding the policy last update.
- Policy
Id string - ID of this rego policy instance in Cyral environment.
- createds
List<Rego
Policy Instance Created> - Information regarding the policy creation.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Updateds List<RegoPolicy Instance Last Updated> - Information regarding the policy last update.
- policy
Id String - ID of this rego policy instance in Cyral environment.
- createds
Rego
Policy Instance Created[] - Information regarding the policy creation.
- id string
- The provider-assigned unique ID for this managed resource.
- last
Updateds RegoPolicy Instance Last Updated[] - Information regarding the policy last update.
- policy
Id string - ID of this rego policy instance in Cyral environment.
- createds
Sequence[Rego
Policy Instance Created] - Information regarding the policy creation.
- id str
- The provider-assigned unique ID for this managed resource.
- last_
updateds Sequence[RegoPolicy Instance Last Updated] - Information regarding the policy last update.
- policy_
id str - ID of this rego policy instance in Cyral environment.
- createds List<Property Map>
- Information regarding the policy creation.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Updateds List<Property Map> - Information regarding the policy last update.
- policy
Id String - ID of this rego policy instance in Cyral environment.
Look up Existing RegoPolicyInstance Resource
Get an existing RegoPolicyInstance resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RegoPolicyInstanceState, opts?: CustomResourceOptions): RegoPolicyInstance@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
category: Optional[str] = None,
createds: Optional[Sequence[RegoPolicyInstanceCreatedArgs]] = None,
description: Optional[str] = None,
duration: Optional[str] = None,
enabled: Optional[bool] = None,
last_updateds: Optional[Sequence[RegoPolicyInstanceLastUpdatedArgs]] = None,
name: Optional[str] = None,
parameters: Optional[str] = None,
policy_id: Optional[str] = None,
scope: Optional[RegoPolicyInstanceScopeArgs] = None,
tags: Optional[Sequence[str]] = None,
template_id: Optional[str] = None) -> RegoPolicyInstancefunc GetRegoPolicyInstance(ctx *Context, name string, id IDInput, state *RegoPolicyInstanceState, opts ...ResourceOption) (*RegoPolicyInstance, error)public static RegoPolicyInstance Get(string name, Input<string> id, RegoPolicyInstanceState? state, CustomResourceOptions? opts = null)public static RegoPolicyInstance get(String name, Output<String> id, RegoPolicyInstanceState state, CustomResourceOptions options)resources: _: type: cyral:RegoPolicyInstance get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Category string
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - Createds
List<Rego
Policy Instance Created> - Information regarding the policy creation.
- Description string
- Policy description.
- Duration string
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - Enabled bool
- Enable/disable the policy. Defaults to
false(Disabled). - Last
Updateds List<RegoPolicy Instance Last Updated> - Information regarding the policy last update.
- Name string
- Policy name.
- Parameters string
- Policy parameters. The parameters vary based on the policy template schema.
- Policy
Id string - ID of this rego policy instance in Cyral environment.
- Scope
Rego
Policy Instance Scope - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - List<string>
- Tags that can be used to categorize the policy.
- Template
Id string - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation
- Category string
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - Createds
[]Rego
Policy Instance Created Args - Information regarding the policy creation.
- Description string
- Policy description.
- Duration string
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - Enabled bool
- Enable/disable the policy. Defaults to
false(Disabled). - Last
Updateds []RegoPolicy Instance Last Updated Args - Information regarding the policy last update.
- Name string
- Policy name.
- Parameters string
- Policy parameters. The parameters vary based on the policy template schema.
- Policy
Id string - ID of this rego policy instance in Cyral environment.
- Scope
Rego
Policy Instance Scope Args - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - []string
- Tags that can be used to categorize the policy.
- Template
Id string - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation
- category String
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - createds
List<Rego
Policy Instance Created> - Information regarding the policy creation.
- description String
- Policy description.
- duration String
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - enabled Boolean
- Enable/disable the policy. Defaults to
false(Disabled). - last
Updateds List<RegoPolicy Instance Last Updated> - Information regarding the policy last update.
- name String
- Policy name.
- parameters String
- Policy parameters. The parameters vary based on the policy template schema.
- policy
Id String - ID of this rego policy instance in Cyral environment.
- scope
Rego
Policy Instance Scope - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - List<String>
- Tags that can be used to categorize the policy.
- template
Id String - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation
- category string
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - createds
Rego
Policy Instance Created[] - Information regarding the policy creation.
- description string
- Policy description.
- duration string
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - enabled boolean
- Enable/disable the policy. Defaults to
false(Disabled). - last
Updateds RegoPolicy Instance Last Updated[] - Information regarding the policy last update.
- name string
- Policy name.
- parameters string
- Policy parameters. The parameters vary based on the policy template schema.
- policy
Id string - ID of this rego policy instance in Cyral environment.
- scope
Rego
Policy Instance Scope - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - string[]
- Tags that can be used to categorize the policy.
- template
Id string - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation
- category str
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - createds
Sequence[Rego
Policy Instance Created Args] - Information regarding the policy creation.
- description str
- Policy description.
- duration str
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - enabled bool
- Enable/disable the policy. Defaults to
false(Disabled). - last_
updateds Sequence[RegoPolicy Instance Last Updated Args] - Information regarding the policy last update.
- name str
- Policy name.
- parameters str
- Policy parameters. The parameters vary based on the policy template schema.
- policy_
id str - ID of this rego policy instance in Cyral environment.
- scope
Rego
Policy Instance Scope Args - Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - Sequence[str]
- Tags that can be used to categorize the policy.
- template_
id str - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation
- category String
- Policy category. List of supported categories: -
SECURITY-GRANT-USER_DEFINED - createds List<Property Map>
- Information regarding the policy creation.
- description String
- Policy description.
- duration String
- Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format,
which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds.
For example:
300s,60s,10.50s, etc. - enabled Boolean
- Enable/disable the policy. Defaults to
false(Disabled). - last
Updateds List<Property Map> - Information regarding the policy last update.
- name String
- Policy name.
- parameters String
- Policy parameters. The parameters vary based on the policy template schema.
- policy
Id String - ID of this rego policy instance in Cyral environment.
- scope Property Map
- Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the
corresponding
repo_idsthat this policy should be applied. - List<String>
- Tags that can be used to categorize the policy.
- template
Id String - Policy template identifier. Predefined templates are: -
data-firewall-data-masking-data-protection-EphemeralGrantPolicy-rate-limit-read-limit-repository-protection-service-account-abuse-user-segmentation
Supporting Types
RegoPolicyInstanceCreated, RegoPolicyInstanceCreatedArgs
- actor str
- actor_
type str - timestamp str
RegoPolicyInstanceLastUpdated, RegoPolicyInstanceLastUpdatedArgs
- actor str
- actor_
type str - timestamp str
RegoPolicyInstanceScope, RegoPolicyInstanceScopeArgs
- Repo
Ids List<string> - A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository.
- Repo
Ids []string - A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository.
- repo
Ids List<String> - A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository.
- repo
Ids string[] - A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository.
- repo_
ids Sequence[str] - A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository.
- repo
Ids List<String> - A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository.
Package Details
- Repository
- cyral cyralinc/terraform-provider-cyral
- License
- Notes
- This Pulumi package is based on the
cyralTerraform Provider.