From da8f625bda5315f8f8e045f2b32f66b1abc4dad0 Mon Sep 17 00:00:00 2001 From: The Magician Date: Fri, 13 Sep 2024 15:15:33 -0700 Subject: [PATCH] Add Resource v1 SCC Findings Export to BQ Folder Config (#11587) (#8183) [upstream:6d67e349fe1f372cb7cb1bc1f720f858dab78187] Signed-off-by: Modular Magician --- .changelog/11587.txt | 3 + .../provider/provider_mmv1_resources.go | 5 +- ...scc_folder_big_query_export_config_test.go | 133 +++++ ...esource_scc_folder_scc_big_query_export.go | 462 ++++++++++++++++++ ...scc_folder_scc_big_query_export_sweeper.go | 143 ++++++ ..._folder_scc_big_query_export.html.markdown | 185 +++++++ 6 files changed, 929 insertions(+), 2 deletions(-) create mode 100644 .changelog/11587.txt create mode 100644 google-beta/services/securitycenter/resource_scc_folder_big_query_export_config_test.go create mode 100644 google-beta/services/securitycenter/resource_scc_folder_scc_big_query_export.go create mode 100644 google-beta/services/securitycenter/resource_scc_folder_scc_big_query_export_sweeper.go create mode 100644 website/docs/r/scc_folder_scc_big_query_export.html.markdown diff --git a/.changelog/11587.txt b/.changelog/11587.txt new file mode 100644 index 0000000000..9c6355a49e --- /dev/null +++ b/.changelog/11587.txt @@ -0,0 +1,3 @@ +```release-note:new-resource +`google_scc_folder_scc_big_query_export` +``` \ No newline at end of file diff --git a/google-beta/provider/provider_mmv1_resources.go b/google-beta/provider/provider_mmv1_resources.go index 079e1f1c07..43a1a7dbaf 100644 --- a/google-beta/provider/provider_mmv1_resources.go +++ b/google-beta/provider/provider_mmv1_resources.go @@ -481,9 +481,9 @@ var handwrittenIAMDatasources = map[string]*schema.Resource{ } // Resources -// Generated resources: 523 +// Generated resources: 524 // Generated IAM resources: 291 -// Total generated resources: 814 +// Total generated resources: 815 var generatedResources = map[string]*schema.Resource{ "google_folder_access_approval_settings": accessapproval.ResourceAccessApprovalFolderSettings(), "google_organization_access_approval_settings": accessapproval.ResourceAccessApprovalOrganizationSettings(), @@ -1171,6 +1171,7 @@ var generatedResources = map[string]*schema.Resource{ "google_scc_event_threat_detection_custom_module": securitycenter.ResourceSecurityCenterEventThreatDetectionCustomModule(), "google_scc_folder_custom_module": securitycenter.ResourceSecurityCenterFolderCustomModule(), "google_scc_folder_notification_config": securitycenter.ResourceSecurityCenterFolderNotificationConfig(), + "google_scc_folder_scc_big_query_export": securitycenter.ResourceSecurityCenterFolderSccBigQueryExport(), "google_scc_mute_config": securitycenter.ResourceSecurityCenterMuteConfig(), "google_scc_notification_config": securitycenter.ResourceSecurityCenterNotificationConfig(), "google_scc_organization_custom_module": securitycenter.ResourceSecurityCenterOrganizationCustomModule(), diff --git a/google-beta/services/securitycenter/resource_scc_folder_big_query_export_config_test.go b/google-beta/services/securitycenter/resource_scc_folder_big_query_export_config_test.go new file mode 100644 index 0000000000..f1d7b64c2e --- /dev/null +++ b/google-beta/services/securitycenter/resource_scc_folder_big_query_export_config_test.go @@ -0,0 +1,133 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 +package securitycenter_test + +import ( + "testing" + + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/plancheck" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar" +) + +func TestAccSecurityCenterFolderBigQueryExportConfig_update(t *testing.T) { + t.Parallel() + + randomSuffix := acctest.RandString(t, 10) + dataset_id := "tf_test_" + randomSuffix + dataset_id2 := dataset_id + "2" + orgID := envvar.GetTestOrgFromEnv(t) + + context := map[string]interface{}{ + "org_id": orgID, + "random_suffix": randomSuffix, + "dataset_id": dataset_id, + "dataset_id2": dataset_id2, + "big_query_export_id": "tf-test-export-" + randomSuffix, + "folder_name": "tf-test-folder-name-" + randomSuffix, + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + ExternalProviders: map[string]resource.ExternalProvider{ + "time": {}, + }, + Steps: []resource.TestStep{ + { + Config: testAccSecurityCenterFolderBigQueryExportConfig_basic(context), + }, + { + ResourceName: "google_scc_folder_scc_big_query_export.default", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"update_time"}, + }, + { + Config: testAccSecurityCenterFolderBigQueryExportConfig_update(context), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("google_scc_folder_scc_big_query_export.default", plancheck.ResourceActionUpdate), + }, + }, + }, + { + ResourceName: "google_scc_folder_scc_big_query_export.default", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"update_time"}, + }, + }, + }) +} + +func testAccSecurityCenterFolderBigQueryExportConfig_basic(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_folder" "folder" { + parent = "organizations/%{org_id}" + display_name = "%{folder_name}" + deletion_protection = false +} +resource "google_bigquery_dataset" "default" { + dataset_id = "%{dataset_id}" + friendly_name = "test" + description = "This is a test description" + location = "US" + default_table_expiration_ms = 3600000 + default_partition_expiration_ms = null + labels = { + env = "default" + } + lifecycle { + ignore_changes = [default_partition_expiration_ms] + } +} +resource "time_sleep" "wait_1_minute" { + depends_on = [google_bigquery_dataset.default] + create_duration = "3m" +} +resource "google_scc_folder_scc_big_query_export" "default" { + big_query_export_id = "%{big_query_export_id}" + folder = google_folder.folder.folder_id + dataset = google_bigquery_dataset.default.id + description = "Cloud Security Command Center Findings Big Query Export Config" + filter = "state=\"ACTIVE\" AND NOT mute=\"MUTED\"" + + depends_on = [time_sleep.wait_1_minute] +} + +`, context) +} + +func testAccSecurityCenterFolderBigQueryExportConfig_update(context map[string]interface{}) string { + return acctest.Nprintf(` +resource "google_folder" "folder" { + parent = "organizations/%{org_id}" + display_name = "%{folder_name}" + deletion_protection = false +} +resource "google_bigquery_dataset" "default" { + dataset_id = "%{dataset_id2}" + friendly_name = "test" + description = "This is a test description" + location = "US" + default_table_expiration_ms = 3600000 + default_partition_expiration_ms = null + labels = { + env = "default" + } + lifecycle { + ignore_changes = [default_partition_expiration_ms] + } +} +resource "google_scc_folder_scc_big_query_export" "default" { + big_query_export_id = "%{big_query_export_id}" + folder = google_folder.folder.folder_id + dataset = google_bigquery_dataset.default.id + description = "SCC Findings Big Query Export Update" + filter = "" +} + +`, context) +} diff --git a/google-beta/services/securitycenter/resource_scc_folder_scc_big_query_export.go b/google-beta/services/securitycenter/resource_scc_folder_scc_big_query_export.go new file mode 100644 index 0000000000..3b28cae010 --- /dev/null +++ b/google-beta/services/securitycenter/resource_scc_folder_scc_big_query_export.go @@ -0,0 +1,462 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package securitycenter + +import ( + "fmt" + "log" + "net/http" + "reflect" + "strings" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource" + transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport" +) + +func ResourceSecurityCenterFolderSccBigQueryExport() *schema.Resource { + return &schema.Resource{ + Create: resourceSecurityCenterFolderSccBigQueryExportCreate, + Read: resourceSecurityCenterFolderSccBigQueryExportRead, + Update: resourceSecurityCenterFolderSccBigQueryExportUpdate, + Delete: resourceSecurityCenterFolderSccBigQueryExportDelete, + + Importer: &schema.ResourceImporter{ + State: resourceSecurityCenterFolderSccBigQueryExportImport, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(20 * time.Minute), + Update: schema.DefaultTimeout(20 * time.Minute), + Delete: schema.DefaultTimeout(20 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + "big_query_export_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: `This must be unique within the organization.`, + }, + "dataset": { + Type: schema.TypeString, + Required: true, + Description: `The dataset to write findings' updates to. +Its format is "projects/[projectId]/datasets/[bigquery_dataset_id]". +BigQuery Dataset unique ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_).`, + }, + "description": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(0, 1024), + Description: `The description of the export (max of 1024 characters).`, + }, + "filter": { + Type: schema.TypeString, + Required: true, + Description: `Expression that defines the filter to apply across create/update +events of findings. The +expression is a list of zero or more restrictions combined via +logical operators AND and OR. Parentheses are supported, and OR +has higher precedence than AND. + +Restrictions have the form and may have +a - character in front of them to indicate negation. The fields +map to those defined in the corresponding resource. + +The supported operators are: + +* = for all value types. +* >, <, >=, <= for integer values. +* :, meaning substring matching, for strings. + +The supported value types are: + +* string literals in quotes. +* integer literals without quotes. +* boolean literals true and false without quotes. + +See +[Filtering notifications](https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications) +for information on how to write a filter.`, + }, + "folder": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: `The folder where Cloud Security Command Center Big Query Export +Config lives in.`, + }, + "create_time": { + Type: schema.TypeString, + Computed: true, + Description: `The time at which the BigQuery export was created. +A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. +Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".`, + }, + "most_recent_editor": { + Type: schema.TypeString, + Computed: true, + Description: `Email address of the user who last edited the BigQuery export.`, + }, + "name": { + Type: schema.TypeString, + Computed: true, + Description: `The resource name of this export, in the format +'projects/{{project}}/bigQueryExports/{{big_query_export_id}}'. +This field is provided in responses, and is ignored when provided in create requests.`, + }, + "principal": { + Type: schema.TypeString, + Computed: true, + Description: `The service account that needs permission to create table and upload data to the BigQuery dataset.`, + }, + "update_time": { + Type: schema.TypeString, + Computed: true, + Description: `The most recent time at which the BigQuery export was updated. +A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. +Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".`, + }, + }, + UseJSONNumber: true, + } +} + +func resourceSecurityCenterFolderSccBigQueryExportCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + obj := make(map[string]interface{}) + descriptionProp, err := expandSecurityCenterFolderSccBigQueryExportDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + datasetProp, err := expandSecurityCenterFolderSccBigQueryExportDataset(d.Get("dataset"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("dataset"); !tpgresource.IsEmptyValue(reflect.ValueOf(datasetProp)) && (ok || !reflect.DeepEqual(v, datasetProp)) { + obj["dataset"] = datasetProp + } + filterProp, err := expandSecurityCenterFolderSccBigQueryExportFilter(d.Get("filter"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("filter"); ok || !reflect.DeepEqual(v, filterProp) { + obj["filter"] = filterProp + } + + url, err := tpgresource.ReplaceVars(d, config, "{{SecurityCenterBasePath}}folders/{{folder}}/bigQueryExports?bigQueryExportId={{big_query_export_id}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Creating new FolderSccBigQueryExport: %#v", obj) + billingProject := "" + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "POST", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutCreate), + Headers: headers, + }) + if err != nil { + return fmt.Errorf("Error creating FolderSccBigQueryExport: %s", err) + } + if err := d.Set("name", flattenSecurityCenterFolderSccBigQueryExportName(res["name"], d, config)); err != nil { + return fmt.Errorf(`Error setting computed identity field "name": %s`, err) + } + + // Store the ID now + id, err := tpgresource.ReplaceVars(d, config, "folders/{{folder}}/bigQueryExports/{{big_query_export_id}}") + if err != nil { + return fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + log.Printf("[DEBUG] Finished creating FolderSccBigQueryExport %q: %#v", d.Id(), res) + + return resourceSecurityCenterFolderSccBigQueryExportRead(d, meta) +} + +func resourceSecurityCenterFolderSccBigQueryExportRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + url, err := tpgresource.ReplaceVars(d, config, "{{SecurityCenterBasePath}}folders/{{folder}}/bigQueryExports/{{big_query_export_id}}") + if err != nil { + return err + } + + billingProject := "" + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Headers: headers, + }) + if err != nil { + return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("SecurityCenterFolderSccBigQueryExport %q", d.Id())) + } + + if err := d.Set("name", flattenSecurityCenterFolderSccBigQueryExportName(res["name"], d, config)); err != nil { + return fmt.Errorf("Error reading FolderSccBigQueryExport: %s", err) + } + if err := d.Set("description", flattenSecurityCenterFolderSccBigQueryExportDescription(res["description"], d, config)); err != nil { + return fmt.Errorf("Error reading FolderSccBigQueryExport: %s", err) + } + if err := d.Set("dataset", flattenSecurityCenterFolderSccBigQueryExportDataset(res["dataset"], d, config)); err != nil { + return fmt.Errorf("Error reading FolderSccBigQueryExport: %s", err) + } + if err := d.Set("create_time", flattenSecurityCenterFolderSccBigQueryExportCreateTime(res["createTime"], d, config)); err != nil { + return fmt.Errorf("Error reading FolderSccBigQueryExport: %s", err) + } + if err := d.Set("update_time", flattenSecurityCenterFolderSccBigQueryExportUpdateTime(res["updateTime"], d, config)); err != nil { + return fmt.Errorf("Error reading FolderSccBigQueryExport: %s", err) + } + if err := d.Set("most_recent_editor", flattenSecurityCenterFolderSccBigQueryExportMostRecentEditor(res["mostRecentEditor"], d, config)); err != nil { + return fmt.Errorf("Error reading FolderSccBigQueryExport: %s", err) + } + if err := d.Set("principal", flattenSecurityCenterFolderSccBigQueryExportPrincipal(res["principal"], d, config)); err != nil { + return fmt.Errorf("Error reading FolderSccBigQueryExport: %s", err) + } + if err := d.Set("filter", flattenSecurityCenterFolderSccBigQueryExportFilter(res["filter"], d, config)); err != nil { + return fmt.Errorf("Error reading FolderSccBigQueryExport: %s", err) + } + + return nil +} + +func resourceSecurityCenterFolderSccBigQueryExportUpdate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + billingProject := "" + + obj := make(map[string]interface{}) + descriptionProp, err := expandSecurityCenterFolderSccBigQueryExportDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + datasetProp, err := expandSecurityCenterFolderSccBigQueryExportDataset(d.Get("dataset"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("dataset"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, datasetProp)) { + obj["dataset"] = datasetProp + } + filterProp, err := expandSecurityCenterFolderSccBigQueryExportFilter(d.Get("filter"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("filter"); ok || !reflect.DeepEqual(v, filterProp) { + obj["filter"] = filterProp + } + + url, err := tpgresource.ReplaceVars(d, config, "{{SecurityCenterBasePath}}folders/{{folder}}/bigQueryExports/{{big_query_export_id}}") + if err != nil { + return err + } + + log.Printf("[DEBUG] Updating FolderSccBigQueryExport %q: %#v", d.Id(), obj) + headers := make(http.Header) + updateMask := []string{} + + if d.HasChange("description") { + updateMask = append(updateMask, "description") + } + + if d.HasChange("dataset") { + updateMask = append(updateMask, "dataset") + } + + if d.HasChange("filter") { + updateMask = append(updateMask, "filter") + } + // updateMask is a URL parameter but not present in the schema, so ReplaceVars + // won't set it + url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")}) + if err != nil { + return err + } + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + // if updateMask is empty we are not updating anything so skip the post + if len(updateMask) > 0 { + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "PATCH", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutUpdate), + Headers: headers, + }) + + if err != nil { + return fmt.Errorf("Error updating FolderSccBigQueryExport %q: %s", d.Id(), err) + } else { + log.Printf("[DEBUG] Finished updating FolderSccBigQueryExport %q: %#v", d.Id(), res) + } + + } + + return resourceSecurityCenterFolderSccBigQueryExportRead(d, meta) +} + +func resourceSecurityCenterFolderSccBigQueryExportDelete(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } + + billingProject := "" + + url, err := tpgresource.ReplaceVars(d, config, "{{SecurityCenterBasePath}}folders/{{folder}}/bigQueryExports/{{big_query_export_id}}") + if err != nil { + return err + } + + var obj map[string]interface{} + + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } + + headers := make(http.Header) + + log.Printf("[DEBUG] Deleting FolderSccBigQueryExport %q", d.Id()) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "DELETE", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutDelete), + Headers: headers, + }) + if err != nil { + return transport_tpg.HandleNotFoundError(err, d, "FolderSccBigQueryExport") + } + + log.Printf("[DEBUG] Finished deleting FolderSccBigQueryExport %q: %#v", d.Id(), res) + return nil +} + +func resourceSecurityCenterFolderSccBigQueryExportImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + config := meta.(*transport_tpg.Config) + if err := tpgresource.ParseImportId([]string{ + "^folders/(?P[^/]+)/bigQueryExports/(?P[^/]+)$", + "^(?P[^/]+)/(?P[^/]+)$", + }, d, config); err != nil { + return nil, err + } + + // Replace import id for the resource id + id, err := tpgresource.ReplaceVars(d, config, "folders/{{folder}}/bigQueryExports/{{big_query_export_id}}") + if err != nil { + return nil, fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) + + return []*schema.ResourceData{d}, nil +} + +func flattenSecurityCenterFolderSccBigQueryExportName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenSecurityCenterFolderSccBigQueryExportDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenSecurityCenterFolderSccBigQueryExportDataset(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenSecurityCenterFolderSccBigQueryExportCreateTime(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenSecurityCenterFolderSccBigQueryExportUpdateTime(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenSecurityCenterFolderSccBigQueryExportMostRecentEditor(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenSecurityCenterFolderSccBigQueryExportPrincipal(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenSecurityCenterFolderSccBigQueryExportFilter(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func expandSecurityCenterFolderSccBigQueryExportDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandSecurityCenterFolderSccBigQueryExportDataset(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandSecurityCenterFolderSccBigQueryExportFilter(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} diff --git a/google-beta/services/securitycenter/resource_scc_folder_scc_big_query_export_sweeper.go b/google-beta/services/securitycenter/resource_scc_folder_scc_big_query_export_sweeper.go new file mode 100644 index 0000000000..a67a29455f --- /dev/null +++ b/google-beta/services/securitycenter/resource_scc_folder_scc_big_query_export_sweeper.go @@ -0,0 +1,143 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** Type: MMv1 *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package securitycenter + +import ( + "context" + "log" + "strings" + "testing" + + "github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/sweeper" + "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource" + transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport" +) + +func init() { + sweeper.AddTestSweepers("SecurityCenterFolderSccBigQueryExport", testSweepSecurityCenterFolderSccBigQueryExport) +} + +// At the time of writing, the CI only passes us-central1 as the region +func testSweepSecurityCenterFolderSccBigQueryExport(region string) error { + resourceName := "SecurityCenterFolderSccBigQueryExport" + log.Printf("[INFO][SWEEPER_LOG] Starting sweeper for %s", resourceName) + + config, err := sweeper.SharedConfigForRegion(region) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error getting shared config for region: %s", err) + return err + } + + err = config.LoadAndValidate(context.Background()) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error loading: %s", err) + return err + } + + t := &testing.T{} + billingId := envvar.GetTestBillingAccountFromEnv(t) + + // Setup variables to replace in list template + d := &tpgresource.ResourceDataMock{ + FieldsInSchema: map[string]interface{}{ + "project": config.Project, + "region": region, + "location": region, + "zone": "-", + "billing_account": billingId, + }, + } + + listTemplate := strings.Split("https://securitycenter.googleapis.com/v1/folders/{{folder}}/bigQueryExports", "?")[0] + listUrl, err := tpgresource.ReplaceVars(d, config, listTemplate) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error preparing sweeper list url: %s", err) + return nil + } + + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: config.Project, + RawURL: listUrl, + UserAgent: config.UserAgent, + }) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] Error in response from request %s: %s", listUrl, err) + return nil + } + + resourceList, ok := res["folderSccBigQueryExports"] + if !ok { + log.Printf("[INFO][SWEEPER_LOG] Nothing found in response.") + return nil + } + + rl := resourceList.([]interface{}) + + log.Printf("[INFO][SWEEPER_LOG] Found %d items in %s list response.", len(rl), resourceName) + // Keep count of items that aren't sweepable for logging. + nonPrefixCount := 0 + for _, ri := range rl { + obj := ri.(map[string]interface{}) + var name string + // Id detected in the delete URL, attempt to use id. + if obj["id"] != nil { + name = tpgresource.GetResourceNameFromSelfLink(obj["id"].(string)) + } else if obj["name"] != nil { + name = tpgresource.GetResourceNameFromSelfLink(obj["name"].(string)) + } else { + log.Printf("[INFO][SWEEPER_LOG] %s resource name and id were nil", resourceName) + return nil + } + // Skip resources that shouldn't be sweeped + if !sweeper.IsSweepableTestResource(name) { + nonPrefixCount++ + continue + } + + deleteTemplate := "https://securitycenter.googleapis.com/v1/folders/{{folder}}/bigQueryExports/{{big_query_export_id}}" + deleteUrl, err := tpgresource.ReplaceVars(d, config, deleteTemplate) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error preparing delete url: %s", err) + return nil + } + deleteUrl = deleteUrl + name + + // Don't wait on operations as we may have a lot to delete + _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "DELETE", + Project: config.Project, + RawURL: deleteUrl, + UserAgent: config.UserAgent, + }) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] Error deleting for url %s : %s", deleteUrl, err) + } else { + log.Printf("[INFO][SWEEPER_LOG] Sent delete request for %s resource: %s", resourceName, name) + } + } + + if nonPrefixCount > 0 { + log.Printf("[INFO][SWEEPER_LOG] %d items were non-sweepable and skipped.", nonPrefixCount) + } + + return nil +} diff --git a/website/docs/r/scc_folder_scc_big_query_export.html.markdown b/website/docs/r/scc_folder_scc_big_query_export.html.markdown new file mode 100644 index 0000000000..3d56139660 --- /dev/null +++ b/website/docs/r/scc_folder_scc_big_query_export.html.markdown @@ -0,0 +1,185 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in +# .github/CONTRIBUTING.md. +# +# ---------------------------------------------------------------------------- +subcategory: "Security Command Center (SCC)" +description: |- + A Cloud Security Command Center (Cloud SCC) Big Query Export Config. +--- + +# google_scc_folder_scc_big_query_export + +A Cloud Security Command Center (Cloud SCC) Big Query Export Config. +It represents exporting Security Command Center data, including assets, findings, and security marks +to a BigQuery instance. + +-> **Note:** In order to use Cloud SCC resources, your organization must be enrolled +in [SCC Standard/Premium](https://cloud.google.com/security-command-center/docs/quickstart-security-command-center). +Without doing so, you may run into errors during resource creation. + + +To get more information about FolderSccBigQueryExport, see: + +* [API documentation](https://cloud.google.com/security-command-center/docs/reference/rest/v1/folders.bigQueryExports) +* How-to Guides + * [Official Documentation](https://cloud.google.com/security-command-center/docs/how-to-analyze-findings-in-big-query) + +## Example Usage - Scc Folder Big Query Export Config Basic + + +```hcl +resource "google_folder" "folder" { + parent = "organizations/123456789" + display_name = "folder-name" + + deletion_protection = false +} + +resource "google_bigquery_dataset" "default" { + dataset_id = "my_dataset_id" + friendly_name = "test" + description = "This is a test description" + location = "US" + default_table_expiration_ms = 3600000 + default_partition_expiration_ms = null + + labels = { + env = "default" + } + + lifecycle { + ignore_changes = [default_partition_expiration_ms] + } +} + +resource "google_scc_folder_scc_big_query_export" "custom_big_query_export_config" { + big_query_export_id = "my-export" + folder = google_folder.folder.folder_id + dataset = google_bigquery_dataset.default.id + description = "Cloud Security Command Center Findings Big Query Export Config" + filter = "state=\"ACTIVE\" AND NOT mute=\"MUTED\"" +} +``` + +## Argument Reference + +The following arguments are supported: + + +* `description` - + (Required) + The description of the export (max of 1024 characters). + +* `dataset` - + (Required) + The dataset to write findings' updates to. + Its format is "projects/[projectId]/datasets/[bigquery_dataset_id]". + BigQuery Dataset unique ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). + +* `filter` - + (Required) + Expression that defines the filter to apply across create/update + events of findings. The + expression is a list of zero or more restrictions combined via + logical operators AND and OR. Parentheses are supported, and OR + has higher precedence than AND. + Restrictions have the form and may have + a - character in front of them to indicate negation. The fields + map to those defined in the corresponding resource. + The supported operators are: + * = for all value types. + * >, <, >=, <= for integer values. + * :, meaning substring matching, for strings. + The supported value types are: + * string literals in quotes. + * integer literals without quotes. + * boolean literals true and false without quotes. + See + [Filtering notifications](https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications) + for information on how to write a filter. + +* `folder` - + (Required) + The folder where Cloud Security Command Center Big Query Export + Config lives in. + +* `big_query_export_id` - + (Required) + This must be unique within the organization. + + +- - - + + + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +* `id` - an identifier for the resource with format `folders/{{folder}}/bigQueryExports/{{big_query_export_id}}` + +* `name` - + The resource name of this export, in the format + `projects/{{project}}/bigQueryExports/{{big_query_export_id}}`. + This field is provided in responses, and is ignored when provided in create requests. + +* `create_time` - + The time at which the BigQuery export was created. + A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. + Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + +* `update_time` - + The most recent time at which the BigQuery export was updated. + A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. + Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + +* `most_recent_editor` - + Email address of the user who last edited the BigQuery export. + +* `principal` - + The service account that needs permission to create table and upload data to the BigQuery dataset. + + +## Timeouts + +This resource provides the following +[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options: + +- `create` - Default is 20 minutes. +- `update` - Default is 20 minutes. +- `delete` - Default is 20 minutes. + +## Import + + +FolderSccBigQueryExport can be imported using any of these accepted formats: + +* `folders/{{folder}}/bigQueryExports/{{big_query_export_id}}` +* `{{folder}}/{{big_query_export_id}}` + + +In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import FolderSccBigQueryExport using one of the formats above. For example: + +```tf +import { + id = "folders/{{folder}}/bigQueryExports/{{big_query_export_id}}" + to = google_scc_folder_scc_big_query_export.default +} +``` + +When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), FolderSccBigQueryExport can be imported using one of the formats above. For example: + +``` +$ terraform import google_scc_folder_scc_big_query_export.default folders/{{folder}}/bigQueryExports/{{big_query_export_id}} +$ terraform import google_scc_folder_scc_big_query_export.default {{folder}}/{{big_query_export_id}} +```