» google_data_loss_prevention_inspect_template

An inspect job template.

To get more information about InspectTemplate, see:

» Example Usage - Dlp Inspect Template Basic

resource "google_data_loss_prevention_inspect_template" "basic" {
    parent = "projects/my-project-name"
    description = "My description"
    display_name = "display_name"

    inspect_config {
        info_types {
            name = "EMAIL_ADDRESS"
        }
        info_types {
            name = "PERSON_NAME"
        }
        info_types {
            name = "LAST_NAME"
        }
        info_types {
            name = "DOMAIN_NAME"
        }
        info_types {
            name = "PHONE_NUMBER"
        }
        info_types {
            name = "FIRST_NAME"
        }

        min_likelihood = "UNLIKELY"
        rule_set {
            info_types {
                name = "EMAIL_ADDRESS"
            }
            rules {
                exclusion_rule {
                    regex {
                        # Escape the dot: in RE2 a bare "." matches any character.
                        pattern = ".+@example\\.com"
                    }
                    matching_type = "MATCHING_TYPE_FULL_MATCH"
                }
            }
        }
        rule_set {
            info_types {
                name = "EMAIL_ADDRESS"
            }
            info_types {
                name = "DOMAIN_NAME"
            }
            info_types {
                name = "PHONE_NUMBER"
            }
            info_types {
                name = "PERSON_NAME"
            }
            info_types {
                name = "FIRST_NAME"
            }
            rules {
                exclusion_rule {
                    dictionary {
                        word_list {
                            words = ["TEST"]
                        }
                    }
                    matching_type = "MATCHING_TYPE_PARTIAL_MATCH"
                }
            }
        }

        rule_set {
            info_types {
                name = "PERSON_NAME"
            }
            rules {
                hotword_rule {
                    hotword_regex {
                        pattern = "patient"
                    }
                    proximity {
                        window_before = 50
                    }
                    likelihood_adjustment {
                        fixed_likelihood = "VERY_LIKELY"
                    }
                }
            }
        }

        limits {
            max_findings_per_item    = 10
            max_findings_per_request = 50
            max_findings_per_info_type {
                max_findings = "75"
                info_type {
                    name = "PERSON_NAME"
                }
            }
            max_findings_per_info_type {
                max_findings = "80"
                info_type {
                    name = "LAST_NAME"
                }
            }
        }
    }
}

» Argument Reference

The following arguments are supported:


  • description - (Optional) A description of the inspect template.

  • display_name - (Optional) User-set display name of the inspect template.

  • inspect_config - (Optional) The core content of the template. Structure is documented below.

The inspect_config block supports:

  • exclude_info_types - (Optional) When true, excludes type information of the findings.

  • include_quote - (Optional) When true, a contextual quote from the data that triggered a finding is included in the response.

  • min_likelihood - (Optional) Only returns findings equal to or above this threshold. See https://cloud.google.com/dlp/docs/likelihood for more info. Default value is POSSIBLE. Possible values are VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, and VERY_LIKELY.

  • limits - (Optional) Configuration to control the number of findings returned. Structure is documented below.

  • info_types - (Optional) Restricts what infoTypes to look for. The values must correspond to InfoType values returned by infoTypes.list or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. Structure is documented below.

  • content_options - (Optional) List of options defining data content to scan. If empty, text, images, and other content will be included. Each value may be one of CONTENT_TEXT and CONTENT_IMAGE.

  • rule_set - (Optional) Set of rules to apply to the findings for this InspectConfig. Exclusion rules contained in the set are executed last; other rules are executed in the order they are specified for each info type. Structure is documented below.

The limits block supports:

  • max_findings_per_item - (Required) Max number of findings that will be returned for each item scanned. The maximum returned is 2000.

  • max_findings_per_request - (Required) Max number of findings that will be returned per request/job. The maximum returned is 2000.

  • max_findings_per_info_type - (Optional) Configuration of findings limit given for specified infoTypes. Structure is documented below.

The max_findings_per_info_type block supports:

  • info_type - (Required) Type of information the findings limit applies to. Only one limit per infoType should be provided. If InfoTypeLimit does not have an infoType, the DLP API applies the limit against all infoTypes that are found but not specified in another InfoTypeLimit. Structure is documented below.

  • max_findings - (Required) Max findings limit for the given infoType.

The info_type block supports:

The info_types block supports:

The rule_set block supports:

  • info_types - (Required) List of infoTypes this rule set is applied to. Structure is documented below.

  • rules - (Required) Set of rules to be applied to infoTypes. The rules are applied in order. Structure is documented below.

The info_types block supports:

The rules block supports:

  • hotword_rule - (Optional) Hotword-based detection rule. Structure is documented below.

  • exclusion_rule - (Optional) The rule that specifies conditions when findings of infoTypes specified in InspectionRuleSet are removed from results. Structure is documented below.

The hotword_rule block supports:

  • hotword_regex - (Required) Regular expression pattern defining what qualifies as a hotword. Structure is documented below.

  • proximity - (Required) Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex (\d{3}) \d{3}-\d{4} could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex (xxx), where xxx is the area code in question. Structure is documented below.

  • likelihood_adjustment - (Required) Likelihood adjustment to apply to all matching findings. Structure is documented below.

The hotword_regex block supports:

  • pattern - (Required) Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

  • group_indexes - (Optional) The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

The proximity block supports:

  • window_before - (Optional) Number of characters before the finding to consider. Either this or window_after must be specified.

  • window_after - (Optional) Number of characters after the finding to consider. Either this or window_before must be specified.

The likelihood_adjustment block supports:

  • fixed_likelihood - (Optional) Set the likelihood of a finding to a fixed value. Either this or relative_likelihood can be set. Possible values are VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, and VERY_LIKELY.

  • relative_likelihood - (Optional) Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be POSSIBLE without the detection rule and relativeLikelihood is 1, then it is upgraded to LIKELY, while a value of -1 would downgrade it to UNLIKELY. Likelihood may never drop below VERY_UNLIKELY or exceed VERY_LIKELY, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is VERY_LIKELY will result in a final likelihood of LIKELY. Either this or fixed_likelihood can be set.

The exclusion_rule block supports:

The dictionary block supports:

  • word_list - (Optional) List of words or phrases to search for. Structure is documented below.

  • cloud_storage_path - (Optional) Newline-delimited file of words in Cloud Storage. Only a single file is accepted. Structure is documented below.

The word_list block supports:

  • words - (Required) Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits.

The cloud_storage_path block supports:

  • path - (Required) A URL representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

The regex block supports:

  • pattern - (Required) Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

  • group_indexes - (Optional) The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

The exclude_info_types block supports:

  • info_types - (Required) If a finding is matched by any of the infoType detectors listed here, the finding will be excluded from the scan results. Structure is documented below.
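
An added example (not from the provider documentation) that combines arguments described above but absent from the basic example: include_quote, content_options, exclude_info_types, window_after and relative_likelihood. The resource label, display name, hotword pattern and project ID are placeholders chosen for illustration.

```hcl
# Added example; names, hotword pattern and project ID are placeholders.
resource "google_data_loss_prevention_inspect_template" "text_pii" {
  parent       = "projects/my-project-name"
  display_name = "text-pii-no-quotes"

  inspect_config {
    include_quote   = false # explicit: do not copy the matched data into findings
    content_options = ["CONTENT_TEXT"]
    min_likelihood  = "LIKELY"
    info_types {
      name = "EMAIL_ADDRESS"
    }
    info_types {
      name = "DOMAIN_NAME"
    }
    info_types {
      name = "PHONE_NUMBER"
    }

    # Drop DOMAIN_NAME findings that overlap an EMAIL_ADDRESS finding.
    rule_set {
      info_types {
        name = "DOMAIN_NAME"
      }
      rules {
        exclusion_rule {
          exclude_info_types {
            info_types {
              name = "EMAIL_ADDRESS"
            }
          }
          matching_type = "MATCHING_TYPE_PARTIAL_MATCH"
        }
      }
    }
    # Raise PHONE_NUMBER one level when a hotword follows within 30 characters.
    rule_set {
      info_types {
        name = "PHONE_NUMBER"
      }
      rules {
        hotword_rule {
          hotword_regex { pattern = "(?i)(mobile|cell)" }
          proximity { window_after = 30 }
          likelihood_adjustment { relative_likelihood = 1 }
        }
      }
    }
  }
}
```

The exclusion rule is scoped to DOMAIN_NAME only, so EMAIL_ADDRESS findings themselves are still reported.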

The info_types block supports:

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format {{parent}}/inspectTemplates/{{name}}

  • name - The resource name of the inspect template. Set by the server.

» Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 4 minutes.
  • update - Default is 4 minutes.
  • delete - Default is 4 minutes.

» Import

InspectTemplate can be imported using any of these accepted formats:

$ terraform import google_data_loss_prevention_inspect_template.default {{parent}}/inspectTemplates/{{name}}
$ terraform import google_data_loss_prevention_inspect_template.default {{parent}}/{{name}}