---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Security Posture"
description: |-
  A Posture represents a collection of policy sets, together with the posture's name, state
  and description.
---
# google\_securityposture\_posture
A Posture represents a collection of policy sets, together with the posture's name, state
and description. A policy set includes a set of policies along with their definitions.
A posture can be created at the organization level.
Every update to a deployed posture creates a new posture revision with an updated revision_id.
To get more information about Posture, see:
* How-to Guides
* [Create and deploy a posture](https://cloud.google.com/security-command-center/docs/how-to-use-security-posture)
## Example Usage - Securityposture Posture Basic
```hcl
resource "google_securityposture_posture" "posture1" {
  posture_id  = "posture_1"
  parent      = "organizations/123456789"
  location    = "global"
  state       = "ACTIVE"
  description = "a new posture"
  policy_sets {
    policy_set_id = "org_policy_set"
    description   = "set of org policies"
    policies {
      policy_id = "canned_org_policy"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "storage.uniformBucketLevelAccess"
          policy_rules {
            enforce = true
            condition {
              description = "condition description"
              expression  = "resource.matchTag('org_id/tag_key_short_name','tag_value_short_name')"
              title       = "a CEL condition"
            }
          }
        }
      }
    }
    policies {
      policy_id = "custom_org_policy"
      constraint {
        org_policy_constraint_custom {
          custom_constraint {
            name           = "organizations/123456789/customConstraints/custom.disableGkeAutoUpgrade"
            display_name   = "Disable GKE auto upgrade"
            description    = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."
            action_type    = "ALLOW"
            condition      = "resource.management.autoUpgrade == false"
            method_types   = ["CREATE", "UPDATE"]
            resource_types = ["container.googleapis.com/NodePool"]
          }
          policy_rules {
            enforce = true
            condition {
              description = "condition description"
              expression  = "resource.matchTagId('tagKeys/key_id','tagValues/value_id')"
              title       = "a CEL condition"
            }
          }
        }
      }
    }
  }
  policy_sets {
    policy_set_id = "sha_policy_set"
    description   = "set of sha policies"
    policies {
      policy_id = "sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "BIGQUERY_TABLE_CMEK_DISABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable BIGQUERY_TABLE_CMEK_DISABLED"
    }
    policies {
      policy_id = "sha_custom_module"
      constraint {
        security_health_analytics_custom_module {
          display_name = "custom_SHA_policy"
          config {
            predicate {
              expression = "resource.rotationPeriod > duration('2592000s')"
            }
            custom_output {
              properties {
                name = "duration"
                value_expression {
                  expression = "resource.rotationPeriod"
                }
              }
            }
            resource_selector {
              resource_types = ["cloudkms.googleapis.com/CryptoKey"]
            }
            severity       = "LOW"
            description    = "Custom Module"
            recommendation = "Testing custom modules"
          }
          module_enablement_state = "ENABLED"
        }
      }
    }
  }
}
```
## Argument Reference
The following arguments are supported:
* `state` -
(Required)
State of the posture. An update to the `state` field should not be triggered together
with updates to other fields.
Possible values are: `DEPRECATED`, `DRAFT`, `ACTIVE`.
* `policy_sets` -
(Required)
List of policy sets for the posture.
Structure is [documented below](#nested_policy_sets).
* `parent` -
(Required)
The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
* `location` -
(Required)
Location of the resource, e.g. `global`.
* `posture_id` -
(Required)
ID of the posture. It is an immutable field.
<a name="nested_policy_sets"></a>The `policy_sets` block supports:
* `policy_set_id` -
(Required)
ID of the policy set.
* `description` -
(Optional)
Description of the policy set.
* `policies` -
(Required)
List of security policies.
Structure is [documented below](#nested_policies).
<a name="nested_policies"></a>The `policies` block supports:
* `policy_id` -
(Required)
ID of the policy.
* `description` -
(Optional)
Description of the policy.
* `compliance_standards` -
(Optional)
Mapping for policy to security standards and controls.
Structure is [documented below](#nested_compliance_standards).
* `constraint` -
(Required)
Policy constraint definition. It can hold the definition of one of the following constraints: `orgPolicyConstraint`, `orgPolicyConstraintCustom`, `securityHealthAnalyticsModule`, `securityHealthAnalyticsCustomModule`.
Structure is [documented below](#nested_constraint).
<a name="nested_compliance_standards"></a>The `compliance_standards` block supports:
* `standard` -
(Optional)
Mapping of compliance standards for the policy.
* `control` -
(Optional)
Mapping of security controls for the policy.
<a name="nested_constraint"></a>The `constraint` block supports:
* `org_policy_constraint` -
(Optional)
Organization policy canned constraint definition.
Structure is [documented below](#nested_org_policy_constraint).
* `org_policy_constraint_custom` -
(Optional)
Organization policy custom constraint policy definition.
Structure is [documented below](#nested_org_policy_constraint_custom).
* `security_health_analytics_module` -
(Optional)
Security Health Analytics built-in detector definition.
Structure is [documented below](#nested_security_health_analytics_module).
* `security_health_analytics_custom_module` -
(Optional)
Definition of Security Health Analytics Custom Module.
Structure is [documented below](#nested_security_health_analytics_custom_module).
<a name="nested_org_policy_constraint"></a>The `org_policy_constraint` block supports:
* `canned_constraint_id` -
(Required)
Organization policy canned constraint ID.
* `policy_rules` -
(Required)
Definition of policy rules.
Structure is [documented below](#nested_policy_rules).
<a name="nested_policy_rules"></a>The `policy_rules` block supports:
* `values` -
(Optional)
List of values to be used for this policy rule. This field can be set only in policies for list constraints.
Structure is [documented below](#nested_values).
* `allow_all` -
(Optional)
Setting this to true means that all values are allowed. This field can be set only in policies for list constraints.
* `deny_all` -
(Optional)
Setting this to true means that all values are denied. This field can be set only in policies for list constraints.
* `enforce` -
(Optional)
If `true`, then the policy is enforced. If `false`, then any configuration is acceptable.
This field can be set only in policies for boolean constraints.
* `condition` -
(Optional)
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language.
The objects and attributes used to build CEL expressions for custom access levels are
detailed at https://cloud.google.com/access-context-manager/docs/custom-access-level-spec.
Structure is [documented below](#nested_condition).
<a name="nested_values"></a>The `values` block supports:
* `allowed_values` -
(Optional)
List of values allowed at this resource.
* `denied_values` -
(Optional)
List of values denied at this resource.
<a name="nested_condition"></a>The `condition` block supports:
* `expression` -
(Required)
Textual representation of an expression in Common Expression Language syntax.
* `title` -
(Optional)
Title for the expression, i.e. a short string describing its purpose.
* `description` -
(Optional)
Description of the expression.
* `location` -
(Optional)
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
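As an added example (not from the page or the provider's own examples), the list-constraint form of `policy_rules`, which the basic example above does not exercise: `values`/`allowed_values` for `gcp.resourceLocations`, and a conditional `allow_all` paired with an unconditional `deny_all` for `compute.vmExternalIpAccess`. Both constraint IDs are real canned list constraints; the organization ID, tag IDs, value group and posture names are constructed placeholders.

```hcl
resource "google_securityposture_posture" "list_constraints" {
  posture_id  = "posture_list_constraints"  # constructed example values throughout
  parent      = "organizations/123456789"   # placeholder organization id
  location    = "global"
  state       = "DRAFT"
  description = "list-constraint org policies for locations and external IPs"
  policy_sets {
    policy_set_id = "list_constraint_set"
    description   = "list-constraint org policies"
    policies {
      policy_id = "restrict_resource_locations"
      constraint {
        org_policy_constraint {
          # gcp.resourceLocations is a list constraint, so the rule carries
          # values/allowed_values; enforce is only valid for boolean constraints.
          canned_constraint_id = "gcp.resourceLocations"
          policy_rules {
            values {
              allowed_values = ["in:europe-locations"]
            }
          }
        }
      }
    }
    policies {
      policy_id = "deny_external_ip_unless_tagged"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "compute.vmExternalIpAccess"
          # Conditional rule: VMs carrying the exempting tag may keep external IPs.
          policy_rules {
            allow_all = true
            condition {
              title      = "exempt tagged resources"
              expression = "resource.matchTagId('tagKeys/key_id','tagValues/value_id')"
            }
          }
          # Unconditional rule: every other VM is denied an external IP.
          policy_rules {
            deny_all = true
          }
        }
      }
    }
  }
}
```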
<a name="nested_org_policy_constraint_custom"></a>The `org_policy_constraint_custom` block supports:
* `custom_constraint` -
(Optional)
Organization policy custom constraint definition.
Structure is [documented below](#nested_custom_constraint).
* `policy_rules` -
(Required)
Definition of policy rules.
Structure is [documented below](#nested_policy_rules).
<a name="nested_custom_constraint"></a>The `custom_constraint` block supports:
* `name` -
(Required)
Immutable. The name of the custom constraint. This is unique within the organization.
* `display_name` -
(Optional)
A human-friendly name for the constraint.
* `description` -
(Optional)
A human-friendly description of the constraint to display as an error message when the policy is violated.
* `condition` -
(Required)
A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language).
* `action_type` -
(Required)
The action to take if the condition is met.
Possible values are: `ALLOW`, `DENY`.
* `method_types` -
(Required)
A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services).
* `resource_types` -
(Required)
Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.
<a name="nested_security_health_analytics_module"></a>The `security_health_analytics_module` block supports:
* `module_name` -
(Required)
The name of the module, e.g. `BIGQUERY_TABLE_CMEK_DISABLED`.
* `module_enablement_state` -
(Optional)
The state of enablement for the module at its level of the resource hierarchy.
Possible values are: `ENABLEMENT_STATE_UNSPECIFIED`, `ENABLED`, `DISABLED`.
<a name="nested_security_health_analytics_custom_module"></a>The `security_health_analytics_custom_module` block supports:
* `id` -
(Output)
A server-generated ID of the custom module.
* `display_name` -
(Optional)
The display name of the Security Health Analytics custom module. This
display name becomes the finding category for all findings that are
returned by this custom module.
* `module_enablement_state` -
(Optional)
The state of enablement for the module at its level of the resource hierarchy.
Possible values are: `ENABLEMENT_STATE_UNSPECIFIED`, `ENABLED`, `DISABLED`.
* `config` -
(Required)
Custom module details.
Structure is [documented below](#nested_config).
<a name="nested_config"></a>The `config` block supports:
* `predicate` -
(Required)
The CEL expression to evaluate to produce findings. When the expression
evaluates to true against a resource, a finding is generated.
Structure is [documented below](#nested_predicate).
* `custom_output` -
(Optional)
Custom output properties. A set of optional name-value pairs that define custom source properties to
return with each finding that is generated by the custom module. The custom
source properties that are defined here are included in the finding JSON
under `sourceProperties`.
Structure is [documented below](#nested_custom_output).
* `resource_selector` -
(Required)
The resource types that the custom module operates on. Each custom module
can specify up to 5 resource types.
Structure is [documented below](#nested_resource_selector).
* `severity` -
(Required)
The severity to assign to findings generated by the module.
Possible values are: `SEVERITY_UNSPECIFIED`, `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`.
* `description` -
(Optional)
Text that describes the vulnerability or misconfiguration that the custom
module detects.
* `recommendation` -
(Optional)
An explanation of the recommended steps that security teams can take to
resolve the detected issue.
<a name="nested_predicate"></a>The `predicate` block supports:
* `expression` -
(Required)
Textual representation of an expression in Common Expression Language syntax.
* `title` -
(Optional)
Title for the expression, i.e. a short string describing its purpose.
* `description` -
(Optional)
Description of the expression.
* `location` -
(Optional)
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
<a name="nested_custom_output"></a>The `custom_output` block supports:
* `properties` -
(Optional)
A list of custom output properties to add to the finding.
Structure is [documented below](#nested_properties).
<a name="nested_properties"></a>The `properties` block supports:
* `name` -
(Required)
Name of the property for the custom output.
* `value_expression` -
(Optional)
The CEL expression for the custom output. A resource property can be
specified to return the value of the property or a text string enclosed
in quotation marks.
Structure is [documented below](#nested_value_expression).
<a name="nested_value_expression"></a>The `value_expression` block supports:
* `expression` -
(Required)
Textual representation of an expression in Common Expression Language syntax.
* `title` -
(Optional)
Title for the expression, i.e. a short string describing its purpose.
* `description` -
(Optional)
Description of the expression.
* `location` -
(Optional)
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
<a name="nested_resource_selector"></a>The `resource_selector` block supports:
* `resource_types` -
(Required)
The resource types to run the detector on.
- - -
* `description` -
(Optional)
Description of the posture.
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `{{parent}}/locations/{{location}}/postures/{{posture_id}}`
* `name` -
Name of the posture.
* `revision_id` -
Revision ID of the posture.
* `create_time` -
Time the Posture was created in UTC.
* `update_time` -
Time the Posture was updated in UTC.
* `etag` -
For resource freshness validation (https://google.aip.dev/154).
* `reconciling` -
If set, there are currently changes in flight to the posture.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
Posture can be imported using any of these accepted formats:
* `{{parent}}/locations/{{location}}/postures/{{posture_id}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Posture using one of the formats above. For example:
```tf
import {
  id = "{{parent}}/locations/{{location}}/postures/{{posture_id}}"
  to = google_securityposture_posture.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Posture can be imported using one of the formats above. For example:
```
$ terraform import google_securityposture_posture.default {{parent}}/locations/{{location}}/postures/{{posture_id}}
```