lacework 2.0.6, Apr 14 25

lacework 2.0.6 published on Monday, Apr 14, 2025 by lacework

lacework.PolicyCompliance

Explore with Pulumi AI

lacework 2.0.6 published on Monday, Apr 14, 2025 by lacework

Example Usage

Create a Lacework Compliance Policy to check for unenabled CloudTrail log file validation.

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as lacework from "@pulumi/lacework";

const aWSConfigCloudTrailLogFileValidationNotEnabled = new lacework.Query("aWSConfigCloudTrailLogFileValidationNotEnabled", {
    queryId: "LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled",
    query: `  {
    source {
      LW_CFG_AWS_CLOUDTRAIL
    }
    filter {
      RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
    }
    return distinct {
      ACCOUNT_ALIAS,
      ACCOUNT_ID,
      ARN as RESOURCE_KEY,
      RESOURCE_REGION,
      RESOURCE_TYPE,
      SERVICE,
      'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
    }
  }
`,
});
const example = new lacework.PolicyCompliance("example", {
    queryId: aWSConfigCloudTrailLogFileValidationNotEnabled.laceworkQueryId,
    title: "Ensure CloudTrail log file validation is enabled",
    enabled: false,
    severity: "High",
    description: `CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails.`,
    remediation: `Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>`,
    tags: ["security:compliance"],
    alertingEnabled: false,
});

import pulumi
import pulumi_lacework as lacework

a_ws_config_cloud_trail_log_file_validation_not_enabled = lacework.Query("aWSConfigCloudTrailLogFileValidationNotEnabled",
    query_id="LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled",
    query="""  {
    source {
      LW_CFG_AWS_CLOUDTRAIL
    }
    filter {
      RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
    }
    return distinct {
      ACCOUNT_ALIAS,
      ACCOUNT_ID,
      ARN as RESOURCE_KEY,
      RESOURCE_REGION,
      RESOURCE_TYPE,
      SERVICE,
      'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
    }
  }
""")
example = lacework.PolicyCompliance("example",
    query_id=a_ws_config_cloud_trail_log_file_validation_not_enabled.lacework_query_id,
    title="Ensure CloudTrail log file validation is enabled",
    enabled=False,
    severity="High",
    description="""CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails.""",
    remediation="""Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>""",
    tags=["security:compliance"],
    alerting_enabled=False)

package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/lacework/v2/lacework"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		aWSConfigCloudTrailLogFileValidationNotEnabled, err := lacework.NewQuery(ctx, "aWSConfigCloudTrailLogFileValidationNotEnabled", &lacework.QueryArgs{
			QueryId: pulumi.String("LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled"),
			Query: pulumi.String(`  {
    source {
      LW_CFG_AWS_CLOUDTRAIL
    }
    filter {
      RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
    }
    return distinct {
      ACCOUNT_ALIAS,
      ACCOUNT_ID,
      ARN as RESOURCE_KEY,
      RESOURCE_REGION,
      RESOURCE_TYPE,
      SERVICE,
      'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
    }
  }
`),
		})
		if err != nil {
			return err
		}
		_, err = lacework.NewPolicyCompliance(ctx, "example", &lacework.PolicyComplianceArgs{
			QueryId:     aWSConfigCloudTrailLogFileValidationNotEnabled.LaceworkQueryId,
			Title:       pulumi.String("Ensure CloudTrail log file validation is enabled"),
			Enabled:     pulumi.Bool(false),
			Severity:    pulumi.String("High"),
			Description: pulumi.String("CloudTrail log file validation creates a digitally signed digest\nfile containing a hash of each log that CloudTrail writes to S3. These digest\nfiles can be used to determine whether a log file was changed, deleted, or unchanged\nafter CloudTrail delivered the log. It is recommended that file validation be\nenabled on all CloudTrails."),
			Remediation: pulumi.String(`Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>`),
			Tags: pulumi.StringArray{
				pulumi.String("security:compliance"),
			},
			AlertingEnabled: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Lacework = Pulumi.Lacework;

return await Deployment.RunAsync(() => 
{
    var aWSConfigCloudTrailLogFileValidationNotEnabled = new Lacework.Query("aWSConfigCloudTrailLogFileValidationNotEnabled", new()
    {
        QueryId = "LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled",
        Query = @"  {
    source {
      LW_CFG_AWS_CLOUDTRAIL
    }
    filter {
      RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
    }
    return distinct {
      ACCOUNT_ALIAS,
      ACCOUNT_ID,
      ARN as RESOURCE_KEY,
      RESOURCE_REGION,
      RESOURCE_TYPE,
      SERVICE,
      'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
    }
  }
",
    });

    var example = new Lacework.PolicyCompliance("example", new()
    {
        QueryId = aWSConfigCloudTrailLogFileValidationNotEnabled.LaceworkQueryId,
        Title = "Ensure CloudTrail log file validation is enabled",
        Enabled = false,
        Severity = "High",
        Description = @"CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails.",
        Remediation = @"Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>",
        Tags = new[]
        {
            "security:compliance",
        },
        AlertingEnabled = false,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.lacework.Query;
import com.pulumi.lacework.QueryArgs;
import com.pulumi.lacework.PolicyCompliance;
import com.pulumi.lacework.PolicyComplianceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var aWSConfigCloudTrailLogFileValidationNotEnabled = new Query("aWSConfigCloudTrailLogFileValidationNotEnabled", QueryArgs.builder()
            .queryId("LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled")
            .query("""
  {
    source {
      LW_CFG_AWS_CLOUDTRAIL
    }
    filter {
      RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
    }
    return distinct {
      ACCOUNT_ALIAS,
      ACCOUNT_ID,
      ARN as RESOURCE_KEY,
      RESOURCE_REGION,
      RESOURCE_TYPE,
      SERVICE,
      'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
    }
  }
            """)
            .build());

        var example = new PolicyCompliance("example", PolicyComplianceArgs.builder()
            .queryId(aWSConfigCloudTrailLogFileValidationNotEnabled.laceworkQueryId())
            .title("Ensure CloudTrail log file validation is enabled")
            .enabled(false)
            .severity("High")
            .description("""
CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails.            """)
            .remediation("""
Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>            """)
            .tags("security:compliance")
            .alertingEnabled(false)
            .build());

    }
}

resources:
  aWSConfigCloudTrailLogFileValidationNotEnabled:
    type: lacework:Query
    properties:
      queryId: LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled
      query: |2
          {
            source {
              LW_CFG_AWS_CLOUDTRAIL
            }
            filter {
              RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
            }
            return distinct {
              ACCOUNT_ALIAS,
              ACCOUNT_ID,
              ARN as RESOURCE_KEY,
              RESOURCE_REGION,
              RESOURCE_TYPE,
              SERVICE,
              'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
            }
          }
  example:
    type: lacework:PolicyCompliance
    properties:
      queryId: ${aWSConfigCloudTrailLogFileValidationNotEnabled.laceworkQueryId}
      title: Ensure CloudTrail log file validation is enabled
      enabled: false
      severity: High
      description: |-
        CloudTrail log file validation creates a digitally signed digest
        file containing a hash of each log that CloudTrail writes to S3. These digest
        files can be used to determine whether a log file was changed, deleted, or unchanged
        after CloudTrail delivered the log. It is recommended that file validation be
        enabled on all CloudTrails.        
      remediation: |-
        Perform the following to enable log file validation on a given trail:
        From Console:
        1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
        2. Click on Trails on the left navigation pane
        3. Click on target trail
        4. Within the S3 section click on the edit icon (pencil)
        5. Click Advanced
        6. Click on the Yes radio button in section Enable log file validation
        7. Click Save
        From Command Line:
        aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
        Note that periodic validation of logs using these digests can be performed by running the following command:
        aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>        
      tags:
        - security:compliance
      alertingEnabled: false

Note: Lacework automatically generates a policy id when you create a policy, which is the recommended workflow. Optionally, you can define your own policy id using the policy_id_suffix, this suffix must be all lowercase letters, optionally followed by - and numbers, for example, abcd-1234. When you define your own policy id, Lacework prepends the account name. The final policy id would then be lwaccountname-abcd-1234.

Create PolicyCompliance Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new PolicyCompliance(name: string, args: PolicyComplianceArgs, opts?: CustomResourceOptions);

@overload
def PolicyCompliance(resource_name: str,
                     args: PolicyComplianceArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def PolicyCompliance(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     description: Optional[str] = None,
                     query_id: Optional[str] = None,
                     remediation: Optional[str] = None,
                     severity: Optional[str] = None,
                     title: Optional[str] = None,
                     alerting_enabled: Optional[bool] = None,
                     enabled: Optional[bool] = None,
                     policy_id_suffix: Optional[str] = None,
                     tags: Optional[Sequence[str]] = None)

func NewPolicyCompliance(ctx *Context, name string, args PolicyComplianceArgs, opts ...ResourceOption) (*PolicyCompliance, error)

public PolicyCompliance(string name, PolicyComplianceArgs args, CustomResourceOptions? opts = null)

public PolicyCompliance(String name, PolicyComplianceArgs args)
public PolicyCompliance(String name, PolicyComplianceArgs args, CustomResourceOptions options)

type: lacework:PolicyCompliance
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args PolicyComplianceArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args PolicyComplianceArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PolicyComplianceArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PolicyComplianceArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args PolicyComplianceArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var policyComplianceResource = new Lacework.PolicyCompliance("policyComplianceResource", new()
{
    Description = "string",
    QueryId = "string",
    Remediation = "string",
    Severity = "string",
    Title = "string",
    AlertingEnabled = false,
    Enabled = false,
    PolicyIdSuffix = "string",
    Tags = new[]
    {
        "string",
    },
});

example, err := lacework.NewPolicyCompliance(ctx, "policyComplianceResource", &lacework.PolicyComplianceArgs{
Description: pulumi.String("string"),
QueryId: pulumi.String("string"),
Remediation: pulumi.String("string"),
Severity: pulumi.String("string"),
Title: pulumi.String("string"),
AlertingEnabled: pulumi.Bool(false),
Enabled: pulumi.Bool(false),
PolicyIdSuffix: pulumi.String("string"),
Tags: pulumi.StringArray{
pulumi.String("string"),
},
})

var policyComplianceResource = new PolicyCompliance("policyComplianceResource", PolicyComplianceArgs.builder()
    .description("string")
    .queryId("string")
    .remediation("string")
    .severity("string")
    .title("string")
    .alertingEnabled(false)
    .enabled(false)
    .policyIdSuffix("string")
    .tags("string")
    .build());

policy_compliance_resource = lacework.PolicyCompliance("policyComplianceResource",
    description="string",
    query_id="string",
    remediation="string",
    severity="string",
    title="string",
    alerting_enabled=False,
    enabled=False,
    policy_id_suffix="string",
    tags=["string"])

const policyComplianceResource = new lacework.PolicyCompliance("policyComplianceResource", {
    description: "string",
    queryId: "string",
    remediation: "string",
    severity: "string",
    title: "string",
    alertingEnabled: false,
    enabled: false,
    policyIdSuffix: "string",
    tags: ["string"],
});

type: lacework:PolicyCompliance
properties:
    alertingEnabled: false
    description: string
    enabled: false
    policyIdSuffix: string
    queryId: string
    remediation: string
    severity: string
    tags:
        - string
    title: string

PolicyCompliance Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The PolicyCompliance resource accepts the following input properties:

Description string: The description of the policy.
QueryId string: The query id.
Remediation string: The remediation message to display.
Severity string: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
Title string: The policy title.
AlertingEnabled bool: Whether the alerting profile is enabled or disabled. Defaults to true.
Enabled bool: Whether the policy is enabled or disabled. Defaults to true.
PolicyIdSuffix string: The string appended to the end of the policy id.
Tags List<string>: A list of policy tags.

Description string: The description of the policy.
QueryId string: The query id.
Remediation string: The remediation message to display.
Severity string: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
Title string: The policy title.
AlertingEnabled bool: Whether the alerting profile is enabled or disabled. Defaults to true.
Enabled bool: Whether the policy is enabled or disabled. Defaults to true.
PolicyIdSuffix string: The string appended to the end of the policy id.
Tags []string: A list of policy tags.

description String: The description of the policy.
queryId String: The query id.
remediation String: The remediation message to display.
severity String: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
title String: The policy title.
alertingEnabled Boolean: Whether the alerting profile is enabled or disabled. Defaults to true.
enabled Boolean: Whether the policy is enabled or disabled. Defaults to true.
policyIdSuffix String: The string appended to the end of the policy id.
tags List<String>: A list of policy tags.

description string: The description of the policy.
queryId string: The query id.
remediation string: The remediation message to display.
severity string: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
title string: The policy title.
alertingEnabled boolean: Whether the alerting profile is enabled or disabled. Defaults to true.
enabled boolean: Whether the policy is enabled or disabled. Defaults to true.
policyIdSuffix string: The string appended to the end of the policy id.
tags string[]: A list of policy tags.

description str: The description of the policy.
query_id str: The query id.
remediation str: The remediation message to display.
severity str: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
title str: The policy title.
alerting_enabled bool: Whether the alerting profile is enabled or disabled. Defaults to true.
enabled bool: Whether the policy is enabled or disabled. Defaults to true.
policy_id_suffix str: The string appended to the end of the policy id.
tags Sequence[str]: A list of policy tags.

description String: The description of the policy.
queryId String: The query id.
remediation String: The remediation message to display.
severity String: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
title String: The policy title.
alertingEnabled Boolean: Whether the alerting profile is enabled or disabled. Defaults to true.
enabled Boolean: Whether the policy is enabled or disabled. Defaults to true.
policyIdSuffix String: The string appended to the end of the policy id.
tags List<String>: A list of policy tags.

Outputs

All input properties are implicitly available as output properties. Additionally, the PolicyCompliance resource produces the following output properties:

ComputedTags string: All policy tags, server generated and user specified tags
Id string: The provider-assigned unique ID for this managed resource.
Owner string
UpdatedBy string
UpdatedTime string

ComputedTags string: All policy tags, server generated and user specified tags
Id string: The provider-assigned unique ID for this managed resource.
Owner string
UpdatedBy string
UpdatedTime string

computedTags String: All policy tags, server generated and user specified tags
id String: The provider-assigned unique ID for this managed resource.
owner String
updatedBy String
updatedTime String

computedTags string: All policy tags, server generated and user specified tags
id string: The provider-assigned unique ID for this managed resource.
owner string
updatedBy string
updatedTime string

computed_tags str: All policy tags, server generated and user specified tags
id str: The provider-assigned unique ID for this managed resource.
owner str
updated_by str
updated_time str

computedTags String: All policy tags, server generated and user specified tags
id String: The provider-assigned unique ID for this managed resource.
owner String
updatedBy String
updatedTime String

Look up Existing PolicyCompliance Resource

Get an existing PolicyCompliance resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: PolicyComplianceState, opts?: CustomResourceOptions): PolicyCompliance

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        alerting_enabled: Optional[bool] = None,
        computed_tags: Optional[str] = None,
        description: Optional[str] = None,
        enabled: Optional[bool] = None,
        owner: Optional[str] = None,
        policy_id_suffix: Optional[str] = None,
        query_id: Optional[str] = None,
        remediation: Optional[str] = None,
        severity: Optional[str] = None,
        tags: Optional[Sequence[str]] = None,
        title: Optional[str] = None,
        updated_by: Optional[str] = None,
        updated_time: Optional[str] = None) -> PolicyCompliance

func GetPolicyCompliance(ctx *Context, name string, id IDInput, state *PolicyComplianceState, opts ...ResourceOption) (*PolicyCompliance, error)

public static PolicyCompliance Get(string name, Input<string> id, PolicyComplianceState? state, CustomResourceOptions? opts = null)

public static PolicyCompliance get(String name, Output<String> id, PolicyComplianceState state, CustomResourceOptions options)

resources:  _:    type: lacework:PolicyCompliance    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AlertingEnabled bool: Whether the alerting profile is enabled or disabled. Defaults to true.
ComputedTags string: All policy tags, server generated and user specified tags
Description string: The description of the policy.
Enabled bool: Whether the policy is enabled or disabled. Defaults to true.
Owner string
PolicyIdSuffix string: The string appended to the end of the policy id.
QueryId string: The query id.
Remediation string: The remediation message to display.
Severity string: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
Tags List<string>: A list of policy tags.
Title string: The policy title.
UpdatedBy string
UpdatedTime string

AlertingEnabled bool: Whether the alerting profile is enabled or disabled. Defaults to true.
ComputedTags string: All policy tags, server generated and user specified tags
Description string: The description of the policy.
Enabled bool: Whether the policy is enabled or disabled. Defaults to true.
Owner string
PolicyIdSuffix string: The string appended to the end of the policy id.
QueryId string: The query id.
Remediation string: The remediation message to display.
Severity string: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
Tags []string: A list of policy tags.
Title string: The policy title.
UpdatedBy string
UpdatedTime string

alertingEnabled Boolean: Whether the alerting profile is enabled or disabled. Defaults to true.
computedTags String: All policy tags, server generated and user specified tags
description String: The description of the policy.
enabled Boolean: Whether the policy is enabled or disabled. Defaults to true.
owner String
policyIdSuffix String: The string appended to the end of the policy id.
queryId String: The query id.
remediation String: The remediation message to display.
severity String: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
tags List<String>: A list of policy tags.
title String: The policy title.
updatedBy String
updatedTime String

alertingEnabled boolean: Whether the alerting profile is enabled or disabled. Defaults to true.
computedTags string: All policy tags, server generated and user specified tags
description string: The description of the policy.
enabled boolean: Whether the policy is enabled or disabled. Defaults to true.
owner string
policyIdSuffix string: The string appended to the end of the policy id.
queryId string: The query id.
remediation string: The remediation message to display.
severity string: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
tags string[]: A list of policy tags.
title string: The policy title.
updatedBy string
updatedTime string

alerting_enabled bool: Whether the alerting profile is enabled or disabled. Defaults to true.
computed_tags str: All policy tags, server generated and user specified tags
description str: The description of the policy.
enabled bool: Whether the policy is enabled or disabled. Defaults to true.
owner str
policy_id_suffix str: The string appended to the end of the policy id.
query_id str: The query id.
remediation str: The remediation message to display.
severity str: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
tags Sequence[str]: A list of policy tags.
title str: The policy title.
updated_by str
updated_time str

alertingEnabled Boolean: Whether the alerting profile is enabled or disabled. Defaults to true.
computedTags String: All policy tags, server generated and user specified tags
description String: The description of the policy.
enabled Boolean: Whether the policy is enabled or disabled. Defaults to true.
owner String
policyIdSuffix String: The string appended to the end of the policy id.
queryId String: The query id.
remediation String: The remediation message to display.
severity String: The list of the severities. Valid severities include: Critical, High, Medium, Low and Info.
tags List<String>: A list of policy tags.
title String: The policy title.
updatedBy String
updatedTime String

Import

A Lacework compliance policy can be imported using a POLICY_ID, e.g.

$ pulumi import lacework:index/policyCompliance:PolicyCompliance example YourLQLPolicyID

-> Note: To retrieve the POLICY_ID from existing policies in your account, use the Lacework CLI command lacework policy list. To install this tool follow this documentation.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: lacework lacework/terraform-provider-lacework
License
Notes: This Pulumi package is based on the lacework Terraform Provider.

lacework 2.0.6 published on Monday, Apr 14, 2025 by lacework

lacework/terraform-provider-lacework

lacework.PolicyCompliance

On this page

On this page

Example Usage

Create PolicyCompliance Resource

Constructor syntax

Parameters

Constructor example

PolicyCompliance Resource Properties

Inputs

Outputs

Look up Existing PolicyCompliance Resource

Import

Package Details

On this page

On this page