cloud_group

This resource manages CrowdStrike Cloud Groups for organizing cloud resources and container images.

The following API scopes are required:

  • Cloud Groups V2: READ
  • Cloud Groups V2: WRITE

```terraform
terraform {
  required_providers {
    crowdstrike = {
      source = "crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-1"
}

# AWS cloud group with filters
resource "crowdstrike_cloud_group" "aws_production" {
  name            = "Production AWS Resources"
  description     = "Production AWS accounts in us-east-1 and us-west-2"
  business_impact = "high"
  business_unit   = "Engineering"
  environment     = "prod"
  owners          = ["security@example.com", "devops@example.com"]

  aws = {
    account_ids = ["123456789012", "234567890123"]
    filters = {
      region = ["us-east-1", "us-west-2"]
      tags   = ["Environment=Production", "Team=Platform"]
    }
  }
}

# Multi-cloud group
resource "crowdstrike_cloud_group" "multi_cloud_dev" {
  name            = "Development Multi-Cloud"
  description     = "Development resources across AWS, Azure, and GCP"
  business_impact = "moderate"
  environment     = "dev"

  aws = {
    account_ids = ["987654321098"]
    filters = {
      region = ["us-east-1"]
    }
  }

  azure = {
    account_ids = ["a1b2c3d4-e5f6-7890-abcd-ef1234567890"]
    filters = {
      region = ["eastus"]
      tags   = ["Environment=Dev"]
    }
  }

  gcp = {
    account_ids = ["my-gcp-project-id"]
    filters = {
      region = ["us-central1"]
    }
  }
}

# Container image group
resource "crowdstrike_cloud_group" "container_images" {
  name        = "Production Container Images"
  description = "Production container images from various registries"
  environment = "prod"

  images = [
    {
      registry     = "docker.io"
      repositories = ["myorg/backend-api"]
      tags         = ["v1.2.3"]
    },
    {
      registry     = "ghcr.io"
      repositories = ["myorg/frontend"]
      tags         = ["latest"]
    },
    {
      registry     = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
      repositories = ["internal/worker"]
    }
  ]
}

# Azure-only group with minimal configuration
resource "crowdstrike_cloud_group" "azure_simple" {
  name = "Azure Subscriptions"

  azure = {
    account_ids = [
      "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "b2c3d4e5-f6a7-8901-bcde-f12345678901"
    ]
  }
}

# GCP group (note: GCP does not support tag filtering)
resource "crowdstrike_cloud_group" "gcp_projects" {
  name            = "GCP Projects"
  description     = "All GCP projects for data analytics"
  business_unit   = "Data Analytics"
  business_impact = "moderate"

  gcp = {
    account_ids = ["analytics-project-prod", "analytics-project-staging"]
    filters = {
      region = ["us-central1", "us-east1", "global", "us"]
    }
  }
}

# Multi-cloud group managing all accounts with selective filters
resource "crowdstrike_cloud_group" "all_clouds_filtered" {
  name            = "All Cloud Accounts - Production Only"
  description     = "Access to all accounts across clouds, filtered by production tags"
  business_impact = "high"
  environment     = "prod"

  aws = {
    filters = {
      region = ["us-east-1", "us-west-2", "eu-west-1"]
      tags   = ["Environment=Production", "ManagedBy=Terraform"]
    }
  }

  azure = {
    filters = {
      region = ["eastus", "westus", "westeurope"]
      tags   = ["Environment=Production"]
    }
  }

  gcp = {
    filters = {
      region = ["us-central1", "us-east1", "europe-west1"]
    }
  }
}
```

Required:

  • name (String) The name of the cloud group.

Optional:

  • aws (Attributes) AWS cloud resource configuration (see below for nested schema)
  • azure (Attributes) Azure cloud resource configuration (see below for nested schema)
  • business_impact (String) An impact level that reflects how critical the cloud group’s assets are to business operations. Valid values: high, moderate, low.
  • business_unit (String) A free-text label used to associate the cloud group with an internal team.
  • description (String) The description of the cloud group.
  • environment (String) Environment designation for the group. Valid values: dev, test, stage, prod.
  • gcp (Attributes) GCP cloud resource configuration (see below for nested schema)
  • images (Attributes List) The container images accessible to the group. Each entry includes a registry and filters for repositories and tags. (see below for nested schema)
  • owners (List of String) Contact information for stakeholders responsible for the cloud group. List of email addresses.

Read-Only:

  • created_at (String) The timestamp when the group was created.
  • created_by (String) The API client ID that created the group.
  • id (String) The ID of the cloud group.
  • last_updated (String) The timestamp when the group was last updated.

Nested schema for aws

Optional:

  • account_ids (List of String) The cloud account identifiers (AWS account IDs) to include in the group. This field limits access to cloud resources in the specified accounts. When not provided, resources across all accounts in the cloud provider are accessible to the group.
  • filters (Attributes) Filters for AWS cloud resources (see below for nested schema)

Nested schema for aws.filters

Optional:

  • region (List of String) List of AWS regions to include
  • tags (List of String) List of tags to filter by (format: key=value)

Nested schema for azure

Optional:

  • account_ids (List of String) The cloud account identifiers (Azure subscription IDs) to include in the group. This field limits access to cloud resources in the specified accounts. When not provided, resources across all accounts in the cloud provider are accessible to the group.
  • filters (Attributes) Filters for Azure cloud resources (see below for nested schema)

Nested schema for azure.filters

Optional:

  • region (List of String) List of Azure regions to include
  • tags (List of String) List of tags to filter by (format: key=value)

Nested schema for gcp

Optional:

  • account_ids (List of String) The cloud account identifiers (GCP project IDs) to include in the group. This field limits access to cloud resources in the specified accounts. When not provided, resources across all accounts in the cloud provider are accessible to the group.
  • filters (Attributes) Filters for GCP cloud resources. Note: GCP does not support tag filtering. (see below for nested schema)

Nested schema for gcp.filters

Optional:

  • region (List of String) List of GCP regions to include

Nested schema for images

Required:

  • registry (String) The container registry to include in the group. Must be a complete HTTPS URL for a supported registry. For info about supported registries and URL format, see https://docs.crowdstrike.com/r/ved836f1

Optional:

  • repositories (List of String) The container image repositories within the specified registry to filter by. When specified, only images within these repositories are accessible to the group. When omitted, all repositories in the registry are included.
  • tags (List of String) The container image tags to filter by. Tag matching is scoped to the repositories listed in repositories, or to every repository in the given registry when repositories is omitted.
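Two details in the schema above deserve a guard rail: omitting account_ids makes every account in that cloud provider visible to the group, and tag filters are only honoured in key=value form, so a typo silently widens the group's reach. The following configuration is an added example and is not part of the provider documentation; it uses Terraform's own variable validation and lifecycle precondition blocks so that an unscoped or malformed production group fails at plan time instead of being created. The account IDs, tag values and owner address are constructed placeholders.

```terraform
# Added example (not from the CrowdStrike provider docs): plan-time guard rails
# for a least-privilege cloud group. All IDs, tags and addresses are placeholders.

variable "prod_aws_account_ids" {
  type        = list(string)
  description = "AWS account IDs the group may see (placeholder values)."
  default     = ["123456789012"]

  # An empty account_ids list means "every account in the provider", so refuse
  # an empty list and require well-formed 12-digit AWS account IDs.
  validation {
    condition = (
      length(var.prod_aws_account_ids) > 0 &&
      alltrue([for id in var.prod_aws_account_ids : can(regex("^[0-9]{12}$", id))])
    )
    error_message = "prod_aws_account_ids must contain at least one 12-digit AWS account ID."
  }
}

variable "prod_resource_tags" {
  type        = list(string)
  description = "Tag filters in key=value form (placeholder values)."
  default     = ["Environment=Production"]

  # The provider expects key=value; catch "Environment:Production" style typos
  # before apply, since a malformed filter would not narrow the group as intended.
  validation {
    condition     = alltrue([for t in var.prod_resource_tags : can(regex("^[^=]+=[^=]+$", t))])
    error_message = "Each tag filter must be written as key=value."
  }
}

variable "group_environment" {
  type        = string
  description = "Environment designation; must be one of the values the schema accepts."
  default     = "prod"

  validation {
    condition     = contains(["dev", "test", "stage", "prod"], var.group_environment)
    error_message = "group_environment must be one of dev, test, stage, prod."
  }
}

resource "crowdstrike_cloud_group" "prod_scoped" {
  name            = "Production AWS (scoped)"
  description     = "Explicitly enumerated production accounts, tag-filtered"
  business_impact = "high"
  environment     = var.group_environment
  owners          = ["cloudsec@example.com"] # placeholder contact

  aws = {
    account_ids = var.prod_aws_account_ids
    filters = {
      region = ["us-east-1", "us-west-2"]
      tags   = var.prod_resource_tags
    }
  }

  lifecycle {
    # Second line of defence for module callers that pass their own values:
    # a group marked business_impact = "high" must be scoped by both an
    # explicit account list and at least one tag filter.
    precondition {
      condition     = length(var.prod_aws_account_ids) > 0 && length(var.prod_resource_tags) > 0
      error_message = "High-impact production groups must be scoped by account_ids and at least one tag filter."
    }
  }
}
```

With these blocks in place, `terraform plan` refuses a configuration such as `-var='prod_aws_account_ids=[]'` or `-var='prod_resource_tags=["Environment:Production"]'` with the error messages above, and the only way to create a provider-wide group is to remove the checks deliberately, which is visible in code review.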

Import is supported using the following syntax:

```shell
#!/bin/bash
# Import an existing cloud group by its UUID
terraform import crowdstrike_cloud_group.aws_production "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
```