From 91a197e1f475f3bf9a988b6f4ce230e98d43fb8d Mon Sep 17 00:00:00 2001
From: Sam Levenick
Date: Fri, 23 Oct 2020 16:21:18 -0700
Subject: [PATCH 1/2] Add support for custom info types to inspect template.
---
 products/dlp/api.yaml | 92 +++++++++++++++++++
 products/dlp/terraform.yaml | 7 ++
 .../dlp_inspect_template_custom_type.tf.erb | 43 +++++++++
 3 files changed, 142 insertions(+)
 create mode 100644 templates/terraform/examples/dlp_inspect_template_custom_type.tf.erb
diff --git a/products/dlp/api.yaml b/products/dlp/api.yaml
index 1b7c53fb7c3d..91a85b071ab8 100644
--- a/products/dlp/api.yaml
+++ b/products/dlp/api.yaml
@@ -628,6 +628,98 @@ objects: description: | Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. + - !ruby/object:Api::Type::Array + name: 'customInfoTypes' + description: | + Custom info types to be used. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'infoType' + required: true + description: | + CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing + infoTypes and that infoType is specified in `info_types` field. Specifying the latter adds findings to the + one detected by the system. If built-in info type is not specified in `info_types` list then the name is + treated as a custom info type. + properties: + - !ruby/object:Api::Type::String + name: 'name' + required: true + description: | + Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names + listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. + - !ruby/object:Api::Type::Enum + name: 'likelihood' + description: | + Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria + specified by the rule. + values: + - :VERY_UNLIKELY + - :UNLIKELY + - :POSSIBLE + - :LIKELY + - :VERY_LIKELY + default_value: :VERY_LIKELY + - !ruby/object:Api::Type::Enum + name: 'exclusionType' + description: | + If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching. + values: + - :EXCLUSION_TYPE_EXCLUDE + - !ruby/object:Api::Type::NestedObject + name: 'regex' + description: Regular expression which defines the rule. 
+ input: true + properties: + - !ruby/object:Api::Type::String + name: 'pattern' + required: true + description: | + Pattern defining the regular expression. + Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. + - !ruby/object:Api::Type::Array + name: 'groupIndexes' + description: | + The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. + item_type: Api::Type::Integer + - !ruby/object:Api::Type::NestedObject + name: 'dictionary' + description: Dictionary which defines the rule. + input: true + properties: + - !ruby/object:Api::Type::NestedObject + name: 'wordList' + description: List of words or phrases to search for. + properties: + - !ruby/object:Api::Type::Array + name: 'words' + required: true + description: | + Words or phrases defining the dictionary. The dictionary must contain at least one + phrase and every phrase must contain at least 2 characters that are letters or digits. + item_type: Api::Type::String + - !ruby/object:Api::Type::NestedObject + name: 'cloudStoragePath' + description: Newline-delimited file of words in Cloud Storage. Only a single file is accepted. + properties: + - !ruby/object:Api::Type::String + name: 'path' + required: true + description: | + A url representing a file or path (no wildcards) in Cloud Storage. Example: `gs://[BUCKET_NAME]/dictionary.txt` + - !ruby/object:Api::Type::NestedObject + name: 'storedType' + description: A reference to a StoredInfoType to use with scanning. + input: true + properties: + - !ruby/object:Api::Type::String + name: 'name' + required: true + description: | + Resource name of the requested StoredInfoType, for example `organizations/433245324/storedInfoTypes/432452342` + or `projects/project-id/storedInfoTypes/432452342`. + - !ruby/object:Api::Resource name: 'StoredInfoType' create_url: "{{parent}}/storedInfoTypes" 
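Review bot: `regex`, `dictionary` and `storedType` are declared as three independent optional NestedObjects under `customInfoTypes`, but a custom info type carries exactly one type definition (they are a oneof in the DLP API, as far as I recall), so a block that sets none or more than one of them is only rejected at apply time; if this generator version supports `exactly_one_of` / `conflicts` on a property, declaring it on those three sub-blocks moves the check into plan. They are also the only fields in the new array marked `input: true`, so changing a pattern or word list forces replacement of the whole template while the rest of `inspectConfig` updates in place — worth confirming that is intended, and saying so in their descriptions (e.g. `Changing this forces a new template.`). `groupIndexes` documents `No more than 3 may be included` but carries no `max_size`, so that bound is likewise enforced only server-side. The enclosing `inspectConfig` definition begins above the hunk.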
diff --git a/products/dlp/terraform.yaml b/products/dlp/terraform.yaml
index 3be6e0b2b71e..fb254258dc73 100644
--- a/products/dlp/terraform.yaml
+++ b/products/dlp/terraform.yaml
@@ -56,6 +56,13 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 template: "temp"
 test_env_vars:
 project: :PROJECT_NAME
+ - !ruby/object:Provider::Terraform::Examples
+ name: "dlp_inspect_template_custom_type"
+ primary_resource_id: "custom"
+ vars:
+ template: "temp"
+ test_env_vars:
+ project: :PROJECT_NAME
 custom_code: !ruby/object:Provider::Terraform::CustomCode
 encoder: templates/terraform/encoders/wrap_object.go.erb
 custom_import: templates/terraform/custom_import/dlp_import.go.erb
diff --git a/templates/terraform/examples/dlp_inspect_template_custom_type.tf.erb b/templates/terraform/examples/dlp_inspect_template_custom_type.tf.erb
new file mode 100644
index 000000000000..ba0f86fb5d1d
--- /dev/null
+++ b/templates/terraform/examples/dlp_inspect_template_custom_type.tf.erb
@@ -0,0 +1,43 @@
+resource "google_data_loss_prevention_inspect_template" "<%= ctx[:primary_resource_id] %>" {
+ parent = "projects/<%= ctx[:test_env_vars]['project'] %>"
+ description = "My description"
+ display_name = "display_name"
+
+ inspect_config {
+ custom_info_types {
+ info_type {
+ name = "MY_CUSTOM_TYPE"
+ }
+
+ likelihood = "UNLIKELY"
+
+ regex {
+ pattern = "test*"
+ }
+ }
+
+ info_types {
+ name = "EMAIL_ADDRESS"
+ }
+
+ min_likelihood = "UNLIKELY"
+ rule_set {
+ info_types {
+ name = "EMAIL_ADDRESS"
+ }
+ rules {
+ exclusion_rule {
+ regex {
+ pattern = ".+@example.com"
+ }
+ matching_type = "MATCHING_TYPE_FULL_MATCH"
+ }
+ }
+ }
+
+ limits {
+ max_findings_per_item = 10
+ max_findings_per_request = 50
+ }
+ }
+}
From 250c0a92b83d0b0cae0b9d2d2227e57473899d14 Mon Sep 17 00:00:00 2001
From: Sam Levenick
Date: Tue, 27 Oct 2020 09:17:06 -0700
Subject: [PATCH 2/2] Add use in hotword rule
---
 .../dlp_inspect_template_custom_type.tf.erb | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
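Review bot: In the example's `regex { pattern = "test*" }`, the `*` quantifies only the trailing `t`, so the custom info type matches `tes`, `test` and `testttt` rather than anything beginning with `test`; since this file is the reference example users copy, `pattern = "test.*"` (or a word-anchored pattern) reads as intended. The same construction appears in the second patch's `hotword_regex { pattern = "example*" }`. The exclusion rule's `.+@example.com` also leaves the `.` unescaped; it is harmless for an example, but `pattern = ".+@example\\.com"` is the precise form.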
diff --git a/templates/terraform/examples/dlp_inspect_template_custom_type.tf.erb b/templates/terraform/examples/dlp_inspect_template_custom_type.tf.erb
index ba0f86fb5d1d..8286a2aac5a3 100644
--- a/templates/terraform/examples/dlp_inspect_template_custom_type.tf.erb
+++ b/templates/terraform/examples/dlp_inspect_template_custom_type.tf.erb
@@ -35,6 +35,25 @@ resource "google_data_loss_prevention_inspect_template" "<%= ctx[:primary_resour
 }
 }
 
+ rule_set {
+ info_types {
+ name = "MY_CUSTOM_TYPE"
+ }
+ rules {
+ hotword_rule {
+ hotword_regex {
+ pattern = "example*"
+ }
+ proximity {
+ window_before = 50
+ }
+ likelihood_adjustment {
+ fixed_likelihood = "VERY_LIKELY"
+ }
+ }
+ }
+ }
+
 limits {
 max_findings_per_item = 10
 max_findings_per_request = 50