Google Git
Sign in
third-party-mirror / terraform-provider-google-beta / b9c4dd45f637f009e6ebbee053c562b25e63e4f7 / . / v6.2.0 / website / docs / r / data_loss_prevention_discovery_config.html.markdown
blob: afc0696e4d565e50ba9bbc492fe73713c7305d1a [file] [log] [blame]
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Data loss prevention"
description: |-
Configuration for discovery to scan resources for profile generation.
---
# google_data_loss_prevention_discovery_config
Configuration for discovery to scan resources for profile generation. Only one discovery configuration may exist per organization, folder, or project.
To get more information about DiscoveryConfig, see:
* [API documentation](https://cloud.google.com/dlp/docs/reference/rest/v2/projects.locations.discoveryConfigs)
* How-to Guides
* [Schedule inspection scan](https://cloud.google.com/dlp/docs/schedule-inspection-scan)
## Example Usage - Dlp Discovery Config Basic
```hcl
resource "google_data_loss_prevention_discovery_config" "basic" {
parent = "projects/my-project-name/locations/us"
location = "us"
status = "RUNNING"
targets {
big_query_target {
filter {
other_tables {}
}
}
}
inspect_templates = ["projects/%{project}/inspectTemplates/${google_data_loss_prevention_inspect_template.basic.name}"]
}
resource "google_data_loss_prevention_inspect_template" "basic" {
parent = "projects/my-project-name"
description = "My description"
display_name = "display_name"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
```
## Example Usage - Dlp Discovery Config Actions
```hcl
resource "google_data_loss_prevention_discovery_config" "actions" {
parent = "projects/my-project-name/locations/us"
location = "us"
status = "RUNNING"
targets {
big_query_target {
filter {
other_tables {}
}
}
}
actions {
export_data {
profile_table {
project_id = "project"
dataset_id = "dataset"
table_id = "table"
}
}
}
actions {
pub_sub_notification {
topic = "projects/%{project}/topics/${google_pubsub_topic.actions.name}"
event = "NEW_PROFILE"
pubsub_condition {
expressions {
logical_operator = "OR"
conditions {
minimum_sensitivity_score = "HIGH"
}
}
}
detail_of_message = "TABLE_PROFILE"
}
}
actions {
tag_resources {
tag_conditions {
tag {
namespaced_value = "123456/environment/prod"
}
sensitivity_score {
score = "SENSITIVITY_HIGH"
}
}
tag_conditions {
tag {
namespaced_value = "123456/environment/test"
}
sensitivity_score {
score = "SENSITIVITY_LOW"
}
}
profile_generations_to_tag = ["PROFILE_GENERATION_NEW", "PROFILE_GENERATION_UPDATE"]
lower_data_risk_to_low = true
}
}
inspect_templates = ["projects/%{project}/inspectTemplates/${google_data_loss_prevention_inspect_template.basic.name}"]
}
resource "google_pubsub_topic" "actions" {
name = "fake-topic"
}
resource "google_data_loss_prevention_inspect_template" "basic" {
parent = "projects/my-project-name"
description = "My description"
display_name = "display_name"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
data "google_project" "project" {
project_id = "%{project}"
}
resource "google_tags_tag_key" "tag_key" {
parent = "projects/${data.google_project.project.number}"
short_name = "environment"
}
resource "google_tags_tag_value" "tag_value" {
parent = "tagKeys/${google_tags_tag_key.tag_key.name}"
short_name = "prod"
}
resource "google_project_iam_member" "tag_role" {
project = "%{project}"
role = "roles/resourcemanager.tagUser"
member = "serviceAccount:service-${data.google_project.project.number}@dlp-api.iam.gserviceaccount.com"
}
```
## Example Usage - Dlp Discovery Config Org Running
```hcl
resource "google_data_loss_prevention_discovery_config" "org_running" {
parent = "organizations/123456789/locations/us"
location = "us"
targets {
big_query_target {
filter {
other_tables {}
}
}
}
org_config {
project_id = "my-project-name"
location {
organization_id = "123456789"
}
}
inspect_templates = ["projects/%{project}/inspectTemplates/${google_data_loss_prevention_inspect_template.basic.name}"]
status = "RUNNING"
}
resource "google_data_loss_prevention_inspect_template" "basic" {
parent = "projects/my-project-name"
description = "My description"
display_name = "display_name"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
```
## Example Usage - Dlp Discovery Config Org Folder Paused
```hcl
resource "google_data_loss_prevention_discovery_config" "org_folder_paused" {
parent = "organizations/123456789/locations/us"
location = "us"
targets {
big_query_target {
filter {
other_tables {}
}
}
}
org_config {
project_id = "my-project-name"
location {
folder_id = 123
}
}
inspect_templates = ["projects/%{project}/inspectTemplates/${google_data_loss_prevention_inspect_template.basic.name}"]
status = "PAUSED"
}
resource "google_data_loss_prevention_inspect_template" "basic" {
parent = "projects/my-project-name"
description = "My description"
display_name = "display_name"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
```
## Example Usage - Dlp Discovery Config Conditions Cadence
```hcl
resource "google_data_loss_prevention_discovery_config" "conditions_cadence" {
parent = "projects/my-project-name/locations/us"
location = "us"
status = "RUNNING"
targets {
big_query_target {
filter {
other_tables {}
}
conditions {
type_collection = "BIG_QUERY_COLLECTION_ALL_TYPES"
}
cadence {
schema_modified_cadence {
types = ["SCHEMA_NEW_COLUMNS"]
frequency = "UPDATE_FREQUENCY_DAILY"
}
table_modified_cadence {
types = ["TABLE_MODIFIED_TIMESTAMP"]
frequency = "UPDATE_FREQUENCY_DAILY"
}
inspect_template_modified_cadence {
frequency = "UPDATE_FREQUENCY_DAILY"
}
}
}
}
inspect_templates = ["projects/%{project}/inspectTemplates/${google_data_loss_prevention_inspect_template.basic.name}"]
}
resource "google_data_loss_prevention_inspect_template" "basic" {
parent = "projects/my-project-name"
description = "My description"
display_name = "display_name"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
```
## Example Usage - Dlp Discovery Config Filter Regexes And Conditions
```hcl
resource "google_data_loss_prevention_discovery_config" "filter_regexes_and_conditions" {
parent = "projects/my-project-name/locations/us"
location = "us"
status = "RUNNING"
targets {
big_query_target {
filter {
tables {
include_regexes {
patterns {
project_id_regex = ".*"
dataset_id_regex = ".*"
table_id_regex = ".*"
}
}
}
}
conditions {
created_after = "2023-10-02T15:01:23Z"
types {
types = ["BIG_QUERY_TABLE_TYPE_TABLE", "BIG_QUERY_TABLE_TYPE_EXTERNAL_BIG_LAKE"]
}
or_conditions {
min_row_count = 10
min_age = "10800s"
}
}
}
}
targets {
big_query_target {
filter {
other_tables {}
}
}
}
inspect_templates = ["projects/%{project}/inspectTemplates/${google_data_loss_prevention_inspect_template.basic.name}"]
}
resource "google_data_loss_prevention_inspect_template" "basic" {
parent = "projects/my-project-name"
description = "My description"
display_name = "display_name"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
```
## Example Usage - Dlp Discovery Config Cloud Sql
```hcl
resource "google_data_loss_prevention_discovery_config" "cloud_sql" {
parent = "projects/my-project-name/locations/us"
location = "us"
status = "RUNNING"
targets {
cloud_sql_target {
filter {
collection {
include_regexes {
patterns {
project_id_regex = ".*"
instance_regex = ".*"
database_regex = ".*"
database_resource_name_regex = "mytable.*"
}
}
}
}
conditions {
database_engines = ["ALL_SUPPORTED_DATABASE_ENGINES"]
types = ["DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES"]
}
generation_cadence {
schema_modified_cadence {
types = ["NEW_COLUMNS", "REMOVED_COLUMNS"]
frequency = "UPDATE_FREQUENCY_DAILY"
}
refresh_frequency = "UPDATE_FREQUENCY_MONTHLY"
}
}
}
targets {
cloud_sql_target {
filter {
collection {
include_regexes {
patterns {
project_id_regex = ".*"
instance_regex = ".*"
database_regex = "do-not-scan.*"
database_resource_name_regex = ".*"
}
}
}
}
disabled {}
}
}
targets {
cloud_sql_target {
filter {
others {}
}
generation_cadence {
schema_modified_cadence {
types = ["NEW_COLUMNS"]
frequency = "UPDATE_FREQUENCY_MONTHLY"
}
refresh_frequency = "UPDATE_FREQUENCY_MONTHLY"
}
}
}
inspect_templates = ["projects/%{project}/inspectTemplates/${google_data_loss_prevention_inspect_template.basic.name}"]
}
resource "google_data_loss_prevention_inspect_template" "basic" {
parent = "projects/my-project-name"
description = "My description"
display_name = "display_name"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
```
## Example Usage - Dlp Discovery Config Cloud Storage
```hcl
resource "google_data_loss_prevention_discovery_config" "cloud_storage" {
parent = "projects/my-project-name/locations/us"
location = "us"
status = "RUNNING"
targets {
cloud_storage_target {
filter {
collection {
include_regexes {
patterns {
cloud_storage_regex {
project_id_regex = "foo-project"
bucket_name_regex = "bucket"
}
}
}
}
}
conditions {
created_after = "2023-10-02T15:01:23Z"
min_age = "10800s"
cloud_storage_conditions {
included_object_attributes = ["ALL_SUPPORTED_OBJECTS"]
included_bucket_attributes = ["ALL_SUPPORTED_BUCKETS"]
}
}
generation_cadence {
inspect_template_modified_cadence {
frequency = "UPDATE_FREQUENCY_DAILY"
}
refresh_frequency = "UPDATE_FREQUENCY_MONTHLY"
}
}
}
targets {
cloud_storage_target {
filter {
collection {
include_regexes {
patterns {
cloud_storage_regex {
project_id_regex = "foo-project"
bucket_name_regex = "do-not-scan"
}
}
}
}
}
disabled {}
}
}
targets {
cloud_storage_target {
filter {
others {}
}
generation_cadence {
schema_modified_cadence {
types = ["NEW_COLUMNS"]
frequency = "UPDATE_FREQUENCY_MONTHLY"
}
refresh_frequency = "UPDATE_FREQUENCY_MONTHLY"
}
}
}
inspect_templates = ["projects/%{project}/inspectTemplates/${google_data_loss_prevention_inspect_template.basic.name}"]
}
resource "google_data_loss_prevention_inspect_template" "basic" {
parent = "projects/my-project-name"
description = "My description"
display_name = "display_name"
inspect_config {
info_types {
name = "EMAIL_ADDRESS"
}
}
}
```
## Argument Reference
The following arguments are supported:
* `parent` -
(Required)
The parent of the discovery config in any of the following formats:
* `projects/{{project}}/locations/{{location}}`
* `organizations/{{organization_id}}/locations/{{location}}`
* `location` -
(Required)
Location to create the discovery config in.
- - -
* `display_name` -
(Optional)
Display Name (max 1000 Chars)
* `org_config` -
(Optional)
A nested object resource
Structure is [documented below](#nested_org_config).
* `inspect_templates` -
(Optional)
Detection logic for profile generation
* `actions` -
(Optional)
Actions to execute at the completion of scanning
Structure is [documented below](#nested_actions).
* `targets` -
(Optional)
Target to match against for determining what to scan and how frequently
Structure is [documented below](#nested_targets).
* `status` -
(Optional)
Required. A status for this configuration
Possible values are: `RUNNING`, `PAUSED`.
<a name="nested_org_config"></a>The `org_config` block supports:
* `project_id` -
(Optional)
The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the cloud DLP API must be enabled.
* `location` -
(Optional)
The data to scan folder org or project
Structure is [documented below](#nested_location).
<a name="nested_location"></a>The `location` block supports:
* `organization_id` -
(Optional)
The ID of an organization to scan
* `folder_id` -
(Optional)
The ID for the folder within an organization to scan
<a name="nested_actions"></a>The `actions` block supports:
* `export_data` -
(Optional)
Export data profiles into a provided location
Structure is [documented below](#nested_export_data).
* `pub_sub_notification` -
(Optional)
Publish a message into the Pub/Sub topic.
Structure is [documented below](#nested_pub_sub_notification).
* `tag_resources` -
(Optional)
Publish a message into the Pub/Sub topic.
Structure is [documented below](#nested_tag_resources).
<a name="nested_export_data"></a>The `export_data` block supports:
* `profile_table` -
(Optional)
Store all table and column profiles in an existing table or a new table in an existing dataset. Each re-generation will result in a new row in BigQuery
Structure is [documented below](#nested_profile_table).
<a name="nested_profile_table"></a>The `profile_table` block supports:
* `project_id` -
(Optional)
The Google Cloud Platform project ID of the project containing the table. If omitted, the project ID is inferred from the API call.
* `dataset_id` -
(Optional)
Dataset Id of the table
* `table_id` -
(Optional)
Name of the table
<a name="nested_pub_sub_notification"></a>The `pub_sub_notification` block supports:
* `topic` -
(Optional)
Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}.
* `event` -
(Optional)
The type of event that triggers a Pub/Sub. At most one PubSubNotification per EventType is permitted.
Possible values are: `NEW_PROFILE`, `CHANGED_PROFILE`, `SCORE_INCREASED`, `ERROR_CHANGED`.
* `pubsub_condition` -
(Optional)
Conditions for triggering pubsub
Structure is [documented below](#nested_pubsub_condition).
* `detail_of_message` -
(Optional)
How much data to include in the pub/sub message.
Possible values are: `TABLE_PROFILE`, `RESOURCE_NAME`.
<a name="nested_pubsub_condition"></a>The `pubsub_condition` block supports:
* `expressions` -
(Optional)
An expression
Structure is [documented below](#nested_expressions).
<a name="nested_expressions"></a>The `expressions` block supports:
* `logical_operator` -
(Optional)
The operator to apply to the collection of conditions
Possible values are: `OR`, `AND`.
* `conditions` -
(Optional)
Conditions to apply to the expression
Structure is [documented below](#nested_conditions).
<a name="nested_conditions"></a>The `conditions` block supports:
* `minimum_risk_score` -
(Optional)
The minimum data risk score that triggers the condition.
Possible values are: `HIGH`, `MEDIUM_OR_HIGH`.
* `minimum_sensitivity_score` -
(Optional)
The minimum sensitivity level that triggers the condition.
Possible values are: `HIGH`, `MEDIUM_OR_HIGH`.
<a name="nested_tag_resources"></a>The `tag_resources` block supports:
* `tag_conditions` -
(Optional)
The tags to associate with different conditions.
Structure is [documented below](#nested_tag_conditions).
* `profile_generations_to_tag` -
(Optional)
The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn't change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
Each value may be one of: `PROFILE_GENERATION_NEW`, `PROFILE_GENERATION_UPDATE`.
* `lower_data_risk_to_low` -
(Optional)
Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an [IAM deny policy](https://cloud.google.com/iam/docs/deny-overview), you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
<a name="nested_tag_conditions"></a>The `tag_conditions` block supports:
* `tag` -
(Optional)
The tag value to attach to resources.
Structure is [documented below](#nested_tag).
* `sensitivity_score` -
(Optional)
Conditions attaching the tag to a resource on its profile having this sensitivity score.
Structure is [documented below](#nested_sensitivity_score).
<a name="nested_tag"></a>The `tag` block supports:
* `namespaced_value` -
(Optional)
The namespaced name for the tag value to attach to resources. Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for example, "123456/environment/prod".
<a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports:
* `score` -
(Required)
The sensitivity score applied to the resource.
Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`.
<a name="nested_targets"></a>The `targets` block supports:
* `big_query_target` -
(Optional)
BigQuery target for Discovery. The first target to match a table will be the one applied.
Structure is [documented below](#nested_big_query_target).
* `cloud_sql_target` -
(Optional)
Cloud SQL target for Discovery. The first target to match a table will be the one applied.
Structure is [documented below](#nested_cloud_sql_target).
* `secrets_target` -
(Optional)
Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.
* `cloud_storage_target` -
(Optional)
Cloud Storage target for Discovery. The first target to match a bucket will be the one applied.
Structure is [documented below](#nested_cloud_storage_target).
<a name="nested_big_query_target"></a>The `big_query_target` block supports:
* `filter` -
(Optional)
Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table
Structure is [documented below](#nested_filter).
* `conditions` -
(Optional)
In addition to matching the filter, these conditions must be true before a profile is generated
Structure is [documented below](#nested_conditions).
* `cadence` -
(Optional)
How often and when to update profiles. New tables that match both the fiter and conditions are scanned as quickly as possible depending on system capacity.
Structure is [documented below](#nested_cadence).
* `disabled` -
(Optional)
Tables that match this filter will not have profiles created.
<a name="nested_filter"></a>The `filter` block supports:
* `tables` -
(Optional)
A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config.
Structure is [documented below](#nested_tables).
* `other_tables` -
(Optional)
Catch-all. This should always be the last filter in the list because anything above it will apply first.
* `table_reference` -
(Optional)
The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).
Structure is [documented below](#nested_table_reference).
<a name="nested_tables"></a>The `tables` block supports:
* `include_regexes` -
(Optional)
A collection of regular expressions to match a BQ table against.
Structure is [documented below](#nested_include_regexes).
<a name="nested_include_regexes"></a>The `include_regexes` block supports:
* `patterns` -
(Optional)
A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.
Structure is [documented below](#nested_patterns).
<a name="nested_patterns"></a>The `patterns` block supports:
* `project_id_regex` -
(Optional)
For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
* `dataset_id_regex` -
(Optional)
if unset, this property matches all datasets
* `table_id_regex` -
(Optional)
if unset, this property matches all tables
<a name="nested_table_reference"></a>The `table_reference` block supports:
* `dataset_id` -
(Required)
Dataset ID of the table.
* `table_id` -
(Required)
Name of the table.
<a name="nested_conditions"></a>The `conditions` block supports:
* `created_after` -
(Optional)
A timestamp in RFC3339 UTC "Zulu" format with nanosecond resolution and upto nine fractional digits.
* `or_conditions` -
(Optional)
At least one of the conditions must be true for a table to be scanned.
Structure is [documented below](#nested_or_conditions).
* `types` -
(Optional)
Restrict discovery to specific table type
Structure is [documented below](#nested_types).
* `type_collection` -
(Optional)
Restrict discovery to categories of table types. Currently view, materialized view, snapshot and non-biglake external tables are supported.
Possible values are: `BIG_QUERY_COLLECTION_ALL_TYPES`, `BIG_QUERY_COLLECTION_ONLY_SUPPORTED_TYPES`.
<a name="nested_or_conditions"></a>The `or_conditions` block supports:
* `min_age` -
(Optional)
Duration format. The minimum age a table must have before Cloud DLP can profile it. Value greater than 1.
* `min_row_count` -
(Optional)
Minimum number of rows that should be present before Cloud DLP profiles as a table.
<a name="nested_types"></a>The `types` block supports:
* `types` -
(Optional)
A set of BiqQuery table types
Each value may be one of: `BIG_QUERY_TABLE_TYPE_TABLE`, `BIG_QUERY_TABLE_TYPE_EXTERNAL_BIG_LAKE`.
<a name="nested_cadence"></a>The `cadence` block supports:
* `schema_modified_cadence` -
(Optional)
Governs when to update data profiles when a schema is modified
Structure is [documented below](#nested_schema_modified_cadence).
* `table_modified_cadence` -
(Optional)
Governs when to update profile when a table is modified.
Structure is [documented below](#nested_table_modified_cadence).
* `inspect_template_modified_cadence` -
(Optional)
Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
Structure is [documented below](#nested_inspect_template_modified_cadence).
<a name="nested_schema_modified_cadence"></a>The `schema_modified_cadence` block supports:
* `types` -
(Optional)
The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMN.
Each value may be one of: `SCHEMA_NEW_COLUMNS`, `SCHEMA_REMOVED_COLUMNS`.
* `frequency` -
(Optional)
How frequently profiles may be updated when schemas are modified. Default to monthly
Possible values are: `UPDATE_FREQUENCY_NEVER`, `UPDATE_FREQUENCY_DAILY`, `UPDATE_FREQUENCY_MONTHLY`.
<a name="nested_table_modified_cadence"></a>The `table_modified_cadence` block supports:
* `types` -
(Optional)
The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP
Each value may be one of: `TABLE_MODIFIED_TIMESTAMP`.
* `frequency` -
(Optional)
How frequently data profiles can be updated when tables are modified. Defaults to never.
Possible values are: `UPDATE_FREQUENCY_NEVER`, `UPDATE_FREQUENCY_DAILY`, `UPDATE_FREQUENCY_MONTHLY`.
<a name="nested_inspect_template_modified_cadence"></a>The `inspect_template_modified_cadence` block supports:
* `frequency` -
(Optional)
How frequently data profiles can be updated when the template is modified. Defaults to never.
Possible values are: `UPDATE_FREQUENCY_NEVER`, `UPDATE_FREQUENCY_DAILY`, `UPDATE_FREQUENCY_MONTHLY`.
<a name="nested_cloud_sql_target"></a>The `cloud_sql_target` block supports:
* `filter` -
(Required)
Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
Structure is [documented below](#nested_filter).
* `conditions` -
(Optional)
In addition to matching the filter, these conditions must be true before a profile is generated.
Structure is [documented below](#nested_conditions).
* `generation_cadence` -
(Optional)
How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
Structure is [documented below](#nested_generation_cadence).
* `disabled` -
(Optional)
Disable profiling for database resources that match this filter.
<a name="nested_filter"></a>The `filter` block supports:
* `collection` -
(Optional)
A specific set of database resources for this filter to apply to.
Structure is [documented below](#nested_collection).
* `others` -
(Optional)
Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
* `database_resource_reference` -
(Optional)
The database resource to scan. Targets including this can only include one target (the target with this database resource reference).
Structure is [documented below](#nested_database_resource_reference).
<a name="nested_collection"></a>The `collection` block supports:
* `include_regexes` -
(Optional)
A collection of regular expressions to match a database resource against.
Structure is [documented below](#nested_include_regexes).
<a name="nested_include_regexes"></a>The `include_regexes` block supports:
* `patterns` -
(Optional)
A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expressions' length can't exceed 10 KiB.
Structure is [documented below](#nested_patterns).
<a name="nested_patterns"></a>The `patterns` block supports:
* `project_id_regex` -
(Optional)
For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
* `instance_regex` -
(Optional)
Regex to test the instance name against. If empty, all instances match.
* `database_regex` -
(Optional)
Regex to test the database name against. If empty, all databases match.
* `database_resource_name_regex` -
(Optional)
Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match.'
<a name="nested_database_resource_reference"></a>The `database_resource_reference` block supports:
* `project_id` -
(Required)
Required. If within a project-level config, then this must match the config's project ID.
* `instance` -
(Required)
Required. The instance where this resource is located. For example: Cloud SQL instance ID.
* `database` -
(Required)
Required. Name of a database within the instance.
* `database_resource` -
(Required)
Required. Name of a database resource, for example, a table within the database.
<a name="nested_conditions"></a>The `conditions` block supports:
* `database_engines` -
(Optional)
Database engines that should be profiled. Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
Each value may be one of: `ALL_SUPPORTED_DATABASE_ENGINES`, `MYSQL`, `POSTGRES`.
* `types` -
(Optional)
Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
Each value may be one of: `DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES`, `DATABASE_RESOURCE_TYPE_TABLE`.
<a name="nested_generation_cadence"></a>The `generation_cadence` block supports:
* `schema_modified_cadence` -
(Optional)
Governs when to update data profiles when a schema is modified
Structure is [documented below](#nested_schema_modified_cadence).
* `refresh_frequency` -
(Optional)
Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changes. Defaults to never.
Possible values are: `UPDATE_FREQUENCY_NEVER`, `UPDATE_FREQUENCY_DAILY`, `UPDATE_FREQUENCY_MONTHLY`.
* `inspect_template_modified_cadence` -
(Optional)
Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
Structure is [documented below](#nested_inspect_template_modified_cadence).
<a name="nested_schema_modified_cadence"></a>The `schema_modified_cadence` block supports:
* `types` -
(Optional)
The types of schema modifications to consider. Defaults to NEW_COLUMNS.
Each value may be one of: `NEW_COLUMNS`, `REMOVED_COLUMNS`.
* `frequency` -
(Optional)
Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.
Possible values are: `UPDATE_FREQUENCY_NEVER`, `UPDATE_FREQUENCY_DAILY`, `UPDATE_FREQUENCY_MONTHLY`.
<a name="nested_inspect_template_modified_cadence"></a>The `inspect_template_modified_cadence` block supports:
* `frequency` -
(Required)
How frequently data profiles can be updated when the template is modified. Defaults to never.
Possible values are: `UPDATE_FREQUENCY_NEVER`, `UPDATE_FREQUENCY_DAILY`, `UPDATE_FREQUENCY_MONTHLY`.
<a name="nested_cloud_storage_target"></a>The `cloud_storage_target` block supports:
* `filter` -
(Required)
The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket.
Structure is [documented below](#nested_filter).
* `conditions` -
(Optional)
In addition to matching the filter, these conditions must be true before a profile is generated.
Structure is [documented below](#nested_conditions).
* `generation_cadence` -
(Optional)
How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
Structure is [documented below](#nested_generation_cadence).
* `disabled` -
(Optional)
Disable profiling for buckets that match this filter.
<a name="nested_filter"></a>The `filter` block supports:
* `collection` -
(Optional)
A specific set of buckets for this filter to apply to.
Structure is [documented below](#nested_collection).
* `cloud_storage_resource_reference` -
(Optional)
The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many buckets within a project or an organization.
Structure is [documented below](#nested_cloud_storage_resource_reference).
* `others` -
(Optional)
Match discovery resources not covered by any other filter.
<a name="nested_collection"></a>The `collection` block supports:
* `include_regexes` -
(Optional)
A collection of regular expressions to match a file store against.
Structure is [documented below](#nested_include_regexes).
<a name="nested_include_regexes"></a>The `include_regexes` block supports:
* `patterns` -
(Optional)
The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all lengths of regular expressions can't exceed 10 KiB.
Structure is [documented below](#nested_patterns).
<a name="nested_patterns"></a>The `patterns` block supports:
* `cloud_storage_regex` -
(Optional)
Regex for Cloud Storage.
Structure is [documented below](#nested_cloud_storage_regex).
<a name="nested_cloud_storage_regex"></a>The `cloud_storage_regex` block supports:
* `project_id_regex` -
(Optional)
For organizations, if unset, will match all projects.
* `bucket_name_regex` -
(Optional)
Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021
<a name="nested_cloud_storage_resource_reference"></a>The `cloud_storage_resource_reference` block supports:
* `bucket_name` -
(Optional)
The bucket to scan.
* `project_id` -
(Optional)
If within a project-level config, then this must match the config's project id.
<a name="nested_conditions"></a>The `conditions` block supports:
* `created_after` -
(Optional)
File store must have been created after this date. Used to avoid backfilling. A timestamp in RFC3339 UTC "Zulu" format with nanosecond resolution and upto nine fractional digits.
* `min_age` -
(Optional)
Duration format. Minimum age a file store must have. If set, the value must be 1 hour or greater.
* `cloud_storage_conditions` -
(Optional)
Cloud Storage conditions.
Structure is [documented below](#nested_cloud_storage_conditions).
<a name="nested_cloud_storage_conditions"></a>The `cloud_storage_conditions` block supports:
* `included_object_attributes` -
(Optional)
Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes.
Each value may be one of: `ALL_SUPPORTED_OBJECTS`, `STANDARD`, `NEARLINE`, `COLDLINE`, `ARCHIVE`, `REGIONAL`, `MULTI_REGIONAL`, `DURABLE_REDUCED_AVAILABILITY`.
* `included_bucket_attributes` -
(Optional)
Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
Each value may be one of: `ALL_SUPPORTED_BUCKETS`, `AUTOCLASS_DISABLED`, `AUTOCLASS_ENABLED`.
<a name="nested_generation_cadence"></a>The `generation_cadence` block supports:
* `refresh_frequency` -
(Optional)
Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changes. Defaults to never.
Possible values are: `UPDATE_FREQUENCY_NEVER`, `UPDATE_FREQUENCY_DAILY`, `UPDATE_FREQUENCY_MONTHLY`.
* `inspect_template_modified_cadence` -
(Optional)
Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
Structure is [documented below](#nested_inspect_template_modified_cadence).
<a name="nested_inspect_template_modified_cadence"></a>The `inspect_template_modified_cadence` block supports:
* `frequency` -
(Optional)
How frequently data profiles can be updated when the template is modified. Defaults to never.
Possible values are: `UPDATE_FREQUENCY_NEVER`, `UPDATE_FREQUENCY_DAILY`, `UPDATE_FREQUENCY_MONTHLY`.
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `{{parent}}/discoveryConfigs/{{name}}`
* `name` -
Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created.
* `errors` -
Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Output only field. Will return the last 100 errors. Whenever the config is modified this list will be cleared.
Structure is [documented below](#nested_errors).
* `create_time` -
Output only. The creation timestamp of a DiscoveryConfig.
* `update_time` -
Output only. The last update timestamp of a DiscoveryConfig.
* `last_run_time` -
Output only. The timestamp of the last time this config was executed
<a name="nested_errors"></a>The `errors` block contains:
* `details` -
(Optional)
Detailed error codes and messages.
Structure is [documented below](#nested_details).
* `timestamp` -
(Optional)
The times the error occurred. List includes the oldest timestamp and the last 9 timestamps.
<a name="nested_details"></a>The `details` block supports:
* `code` -
(Optional)
The status code, which should be an enum value of google.rpc.Code.
* `message` -
(Optional)
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
* `details` -
(Optional)
A list of messages that carry the error details.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
DiscoveryConfig can be imported using any of these accepted formats:
* `{{parent}}/discoveryConfigs/{{name}}`
* `{{parent}}/{{name}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import DiscoveryConfig using one of the formats above. For example:
```tf
import {
id = "{{parent}}/discoveryConfigs/{{name}}"
to = google_data_loss_prevention_discovery_config.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), DiscoveryConfig can be imported using one of the formats above. For example:
```
$ terraform import google_data_loss_prevention_discovery_config.default {{parent}}/discoveryConfigs/{{name}}
$ terraform import google_data_loss_prevention_discovery_config.default {{parent}}/{{name}}
```