Add support for security command center mute rules in module organization, folder and project (#3694)
This commit is contained in:
Vannick Trinquier
committed by
GitHub
GitHub
parent
0e760c3015
commit
2af44b0651
@@ -17,6 +17,8 @@ This module allows the creation and management of folders, including support for
|
||||
- [KMS Autokey](#kms-autokey)
|
||||
- [Custom Security Health Analytics Modules](#custom-security-health-analytics-modules)
|
||||
- [Custom Security Health Analytics Modules Factory](#custom-security-health-analytics-modules-factory)
|
||||
- [Security Command Center Mute Configs](#security-command-center-mute-configs)
|
||||
- [Security Command Center Mute Configs Factory](#security-command-center-mute-configs-factory)
|
||||
- [Cloud Asset Inventory Feeds](#cloud-asset-inventory-feeds)
|
||||
- [Tags](#tags)
|
||||
- [Files](#files)
|
||||
@@ -569,6 +571,52 @@ cloudkmKeyRotationPeriod:
|
||||
- "cloudkms.googleapis.com/CryptoKey"
|
||||
```
|
||||
|
||||
## Security Command Center Mute Configs
|
||||
|
||||
[Security Command Center Mute Configs](https://cloud.google.com/security-command-center/docs/how-to-mute-findings) can be defined via the `scc_mute_configs` variable:
|
||||
|
||||
```hcl
|
||||
module "folder" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.folder_id
|
||||
name = "Folder name"
|
||||
scc_mute_configs = {
|
||||
muteHighSeverity = {
|
||||
description = "Mute high severity findings"
|
||||
filter = "severity=\"HIGH\""
|
||||
type = "DYNAMIC"
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 inventory=scc-mute-configs.yaml
|
||||
```
|
||||
|
||||
### Security Command Center Mute Configs Factory
|
||||
|
||||
Mute configs can also be specified via a factory. Each file is mapped to a mute config, where the config ID defaults to the file name.
|
||||
|
||||
Mute configs defined via the variable are merged with those coming from the factory, and override them in case of duplicate names.
|
||||
|
||||
```hcl
|
||||
module "folder" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.folder_id
|
||||
name = "Folder name"
|
||||
factories_config = {
|
||||
scc_mute_configs = "data/scc_mute_configs"
|
||||
}
|
||||
}
|
||||
# tftest modules=1 files=mute-config-1 inventory=scc-mute-configs.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=mute-config-1 path=data/scc_mute_configs/muteHighSeverity.yaml schema=scc-mute-config.schema.json
|
||||
muteHighSeverity:
|
||||
description: "Mute high severity findings"
|
||||
filter: "severity=\"HIGH\""
|
||||
type: "DYNAMIC"
|
||||
```
|
||||
|
||||
## Cloud Asset Inventory Feeds
|
||||
|
||||
Cloud Asset Inventory feeds allow you to monitor asset changes in real-time by publishing notifications to a Pub/Sub topic. Feeds configured at the folder level will monitor all resources within the folder and its subfolders.
|
||||
@@ -645,6 +693,7 @@ module "folder" {
|
||||
| [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | <code>google_org_policy_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [pam.tf](./pam.tf) | None | <code>google_privileged_access_manager_entitlement</code> |
|
||||
| [scc-mute-configs.tf](./scc-mute-configs.tf) | Folder-level SCC mute configurations. | <code>google_scc_v2_folder_mute_config</code> |
|
||||
| [scc-sha-custom-modules.tf](./scc-sha-custom-modules.tf) | Folder-level Custom modules with Security Health Analytics. | <code>google_scc_management_folder_security_health_analytics_custom_module</code> |
|
||||
| [service-agents.tf](./service-agents.tf) | Service agents supporting resources. | |
|
||||
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> |
|
||||
@@ -665,26 +714,27 @@ module "folder" {
|
||||
| [contacts](variables.tf#L122) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [context](variables.tf#L141) | Context-specific interpolations. | <code title="object({ bigquery_datasets = optional(map(string), {}) condition_vars = optional(map(map(string)), {}) custom_roles = optional(map(string), {}) email_addresses = optional(map(string), {}) folder_ids = optional(map(string), {}) iam_principals = optional(map(string), {}) log_buckets = optional(map(string), {}) project_ids = optional(map(string), {}) project_numbers = optional(map(string), {}) pubsub_topics = optional(map(string), {}) storage_buckets = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [deletion_protection](variables.tf#L161) | Deletion protection setting for this folder. | <code>bool</code> | | <code>false</code> |
|
||||
| [factories_config](variables.tf#L167) | Paths to data files and folders that enable factory functionality. | <code title="object({ org_policies = optional(string) pam_entitlements = optional(string) scc_sha_custom_modules = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L178) | Hierarchical firewall policy to associate to this folder. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [folder_create](variables.tf#L187) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [factories_config](variables.tf#L167) | Paths to data files and folders that enable factory functionality. | <code title="object({ org_policies = optional(string) pam_entitlements = optional(string) scc_mute_configs = optional(string) scc_sha_custom_modules = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L179) | Hierarchical firewall policy to associate to this folder. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [folder_create](variables.tf#L188) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [iam](variables-iam.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_by_principals](variables-iam.tf#L61) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_by_principals_additive](variables-iam.tf#L54) | Additive IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam_bindings_additive` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_by_principals_conditional](variables-iam.tf#L68) | Authoritative IAM binding in {PRINCIPAL => {roles = [roles], condition = {cond}}} format. Principals need to be statically defined to avoid errors. Condition is required. | <code title="map(object({ roles = list(string) condition = object({ expression = string title = string description = optional(string) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [id](variables.tf#L197) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
||||
| [id](variables.tf#L198) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
||||
| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. The special 'allServices' key denotes configuration for all services. | <code title="map(object({ ADMIN_READ = optional(object({ exempted_members = optional(list(string), []) })), DATA_READ = optional(object({ exempted_members = optional(list(string), []) })), DATA_WRITE = optional(object({ exempted_members = optional(list(string), []) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables-logging.tf#L28) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_settings](variables-logging.tf#L35) | Default settings for logging resources. | <code title="object({ disable_default_sink = optional(bool) storage_location = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [logging_sinks](variables-logging.tf#L45) | Logging sinks to create for the folder. | <code title="map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) intercept_children = optional(bool, false) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L203) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L209) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L204) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L210) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [pam_entitlements](variables-pam.tf#L17) | Privileged Access Manager entitlements for this resource, keyed by entitlement ID. | <code title="map(object({ max_request_duration = string eligible_users = list(string) privileged_access = list(object({ role = string condition = optional(string) })) requester_justification_config = optional(object({ not_mandatory = optional(bool, true) unstructured = optional(bool, false) }), { not_mandatory = false, unstructured = true }) manual_approvals = optional(object({ require_approver_justification = bool steps = list(object({ approvers = list(string) approvals_needed = optional(number, 1) approver_email_recipients = optional(list(string)) })) })) additional_notification_targets = optional(object({ admin_email_recipients = optional(list(string)) requester_email_recipients = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [parent](variables.tf#L237) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [scc_sha_custom_modules](variables-scc.tf#L17) | SCC custom modules keyed by module name. | <code title="map(object({ description = optional(string) severity = string recommendation = string predicate = object({ expression = string }) resource_selector = object({ resource_types = list(string) }) enablement_state = optional(string, "ENABLED") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L251) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [parent](variables.tf#L238) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [scc_mute_configs](variables-scc.tf#L17) | SCC mute configurations keyed by name. | <code title="map(object({ description = optional(string) filter = string type = optional(string, "DYNAMIC") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [scc_sha_custom_modules](variables-scc.tf#L27) | SCC custom modules keyed by module name. | <code title="map(object({ description = optional(string) severity = string recommendation = string predicate = object({ expression = string }) resource_selector = object({ resource_types = list(string) }) enablement_state = optional(string, "ENABLED") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L252) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
54
modules/folder/scc-mute-configs.tf
Normal file
54
modules/folder/scc-mute-configs.tf
Normal file
@@ -0,0 +1,54 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# tfdoc:file:description Folder-level SCC mute configurations.
|
||||
|
||||
locals {
|
||||
_scc_mute_configs_factory_path = pathexpand(coalesce(var.factories_config.scc_mute_configs, "-"))
|
||||
_scc_mute_configs_factory_data_raw = merge([
|
||||
for f in try(fileset(local._scc_mute_configs_factory_path, "*.yaml"), []) :
|
||||
yamldecode(file("${local._scc_mute_configs_factory_path}/${f}"))
|
||||
]...)
|
||||
_scc_mute_configs_factory_data = {
|
||||
for k, v in local._scc_mute_configs_factory_data_raw :
|
||||
k => {
|
||||
description = try(v.description, null)
|
||||
filter = v.filter
|
||||
type = try(v.type, "DYNAMIC")
|
||||
}
|
||||
}
|
||||
_scc_mute_configs = merge(
|
||||
local._scc_mute_configs_factory_data,
|
||||
var.scc_mute_configs
|
||||
)
|
||||
scc_mute_configs = {
|
||||
for k, v in local._scc_mute_configs :
|
||||
k => merge(v, {
|
||||
name = k
|
||||
parent = local.folder_id
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_scc_v2_folder_mute_config" "scc_mute_configs" {
|
||||
for_each = local.scc_mute_configs
|
||||
folder = replace(local.folder_id, "folders/", "")
|
||||
location = "global"
|
||||
mute_config_id = each.key
|
||||
description = each.value.description
|
||||
filter = each.value.filter
|
||||
type = each.value.type
|
||||
}
|
||||
29
modules/folder/schemas/scc-mute-config.schema.json
Normal file
29
modules/folder/schemas/scc-mute-config.schema.json
Normal file
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "SCC Mute Configurations",
|
||||
"type": "object",
|
||||
"patternProperties": {
|
||||
"^[a-zA-Z]+$": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"filter"
|
||||
],
|
||||
"properties": {
|
||||
"description": {
|
||||
"type": "string"
|
||||
},
|
||||
"filter": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"DYNAMIC",
|
||||
"STATIC"
|
||||
],
|
||||
"default": "DYNAMIC"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
11
modules/folder/schemas/scc-mute-config.schema.md
Normal file
11
modules/folder/schemas/scc-mute-config.schema.md
Normal file
@@ -0,0 +1,11 @@
|
||||
# SCC Mute Configurations
|
||||
|
||||
<!-- markdownlint-disable MD036 -->
|
||||
|
||||
## Properties
|
||||
|
||||
- **`^[a-zA-Z]+$`**: *object*
|
||||
- **description**: *string*
|
||||
- ⁺**filter**: *string*
|
||||
- **type**: *string*
|
||||
- enum: `DYNAMIC`, `STATIC`
|
||||
@@ -14,6 +14,16 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "scc_mute_configs" {
|
||||
description = "SCC mute configurations keyed by name."
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
filter = string
|
||||
type = optional(string, "DYNAMIC")
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
variable "scc_sha_custom_modules" {
|
||||
description = "SCC custom modules keyed by module name."
|
||||
type = map(object({
|
||||
|
||||
@@ -169,6 +169,7 @@ variable "factories_config" {
|
||||
type = object({
|
||||
org_policies = optional(string)
|
||||
pam_entitlements = optional(string)
|
||||
scc_mute_configs = optional(string)
|
||||
scc_sha_custom_modules = optional(string)
|
||||
})
|
||||
nullable = false
|
||||
|
||||
@@ -31,6 +31,8 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b
|
||||
- [Custom Roles Factory](#custom-roles-factory)
|
||||
- [Custom Security Health Analytics Modules](#custom-security-health-analytics-modules)
|
||||
- [Custom Security Health Analytics Modules Factory](#custom-security-health-analytics-modules-factory)
|
||||
- [Security Command Center Mute Configs](#security-command-center-mute-configs)
|
||||
- [Security Command Center Mute Configs Factory](#security-command-center-mute-configs-factory)
|
||||
- [Cloud Asset Inventory Feeds](#cloud-asset-inventory-feeds)
|
||||
- [Tags](#tags)
|
||||
- [Tags Factory](#tags-factory)
|
||||
@@ -579,6 +581,50 @@ cloudkmKeyRotationPeriod:
|
||||
- "cloudkms.googleapis.com/CryptoKey"
|
||||
```
|
||||
|
||||
## Security Command Center Mute Configs
|
||||
|
||||
[Security Command Center Mute Configs](https://cloud.google.com/security-command-center/docs/how-to-mute-findings) can be defined via the `scc_mute_configs` variable:
|
||||
|
||||
```hcl
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
scc_mute_configs = {
|
||||
muteHighSeverity = {
|
||||
description = "Mute high severity findings"
|
||||
filter = "severity=\"HIGH\""
|
||||
type = "DYNAMIC"
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1 inventory=scc-mute-configs.yaml
|
||||
```
|
||||
|
||||
### Security Command Center Mute Configs Factory
|
||||
|
||||
Mute configs can also be specified via a factory. Each file is mapped to a mute config, where the config ID defaults to the file name.
|
||||
|
||||
Mute configs defined via the variable are merged with those coming from the factory, and override them in case of duplicate names.
|
||||
|
||||
```hcl
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
factories_config = {
|
||||
scc_mute_configs = "data/scc_mute_configs"
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1 files=mute-config-1 inventory=scc-mute-configs.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=mute-config-1 path=data/scc_mute_configs/mute-high-severity.yaml schema=scc-mute-config.schema.json
|
||||
muteHighSeverity:
|
||||
description: "Mute high severity findings"
|
||||
filter: "severity=\"HIGH\""
|
||||
type: "DYNAMIC"
|
||||
```
|
||||
|
||||
## Cloud Asset Inventory Feeds
|
||||
|
||||
Cloud Asset Inventory feeds allow you to monitor asset changes in real-time by publishing notifications to a Pub/Sub topic. Feeds configured at the organization level will monitor all resources within the organization.
|
||||
@@ -847,6 +893,7 @@ module "org" {
|
||||
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [pam.tf](./pam.tf) | None | <code>google_privileged_access_manager_entitlement</code> |
|
||||
| [scc-mute-configs.tf](./scc-mute-configs.tf) | Organization-level SCC mute configurations. | <code>google_scc_v2_organization_mute_config</code> |
|
||||
| [scc-sha-custom-modules.tf](./scc-sha-custom-modules.tf) | Organization-level Custom modules with Security Health Analytics. | <code>google_scc_management_organization_security_health_analytics_custom_module</code> |
|
||||
| [service-agents.tf](./service-agents.tf) | Service agents supporting resources. | |
|
||||
| [tags.tf](./tags.tf) | Manages GCP Secure Tags, keys, values, and IAM. | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_key_iam_member</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> · <code>google_tags_tag_value_iam_member</code> |
|
||||
@@ -863,13 +910,13 @@ module "org" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [organization_id](variables.tf#L161) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [organization_id](variables.tf#L162) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [asset_feeds](variables.tf#L18) | Cloud Asset Inventory feeds. | <code title="map(object({ billing_project = string content_type = optional(string) asset_types = optional(list(string)) asset_names = optional(list(string)) feed_output_config = object({ pubsub_destination = object({ topic = string }) }) condition = optional(object({ expression = string title = optional(string) description = optional(string) location = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [contacts](variables.tf#L51) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [context](variables.tf#L69) | Context-specific interpolations. | <code title="object({ bigquery_datasets = optional(map(string), {}) condition_vars = optional(map(map(string)), {}) custom_roles = optional(map(string), {}) email_addresses = optional(map(string), {}) iam_principals = optional(map(string), {}) locations = optional(map(string), {}) log_buckets = optional(map(string), {}) project_ids = optional(map(string), {}) pubsub_topics = optional(map(string), {}) storage_buckets = optional(map(string), {}) tag_keys = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [custom_roles](variables.tf#L89) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L96) | Paths to data files and folders that enable factory functionality. | <code title="object({ custom_roles = optional(string) org_policies = optional(string) org_policy_custom_constraints = optional(string) pam_entitlements = optional(string) scc_sha_custom_modules = optional(string) tags = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L110) | Hierarchical firewall policies to associate to the organization. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [factories_config](variables.tf#L96) | Paths to data files and folders that enable factory functionality. | <code title="object({ custom_roles = optional(string) org_policies = optional(string) org_policy_custom_constraints = optional(string) pam_entitlements = optional(string) scc_mute_configs = optional(string) scc_sha_custom_modules = optional(string) tags = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L111) | Hierarchical firewall policies to associate to the organization. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [iam](variables-iam.tf#L17) | Authoritative IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
@@ -881,10 +928,11 @@ module "org" {
|
||||
| [logging_settings](variables-logging.tf#L35) | Default settings for logging resources. | <code title="object({ disable_default_sink = optional(bool) kms_key_name = optional(string) storage_location = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [logging_sinks](variables-logging.tf#L46) | Logging sinks to create for the organization. | <code title="map(object({ destination = string bq_partitioned_table = optional(bool, false) description = optional(string) disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) intercept_children = optional(bool, false) type = optional(string, "logging") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") id = optional(string) network = string # project_id/vpc_name or "ALL" to toggle GCE_FIREWALL purpose iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") id = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L119) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policy_custom_constraints](variables.tf#L147) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L120) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policy_custom_constraints](variables.tf#L148) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [pam_entitlements](variables-pam.tf#L17) | Privileged Access Manager entitlements for this resource, keyed by entitlement ID. | <code title="map(object({ max_request_duration = string eligible_users = list(string) privileged_access = list(object({ role = string condition = optional(string) })) requester_justification_config = optional(object({ not_mandatory = optional(bool, true) unstructured = optional(bool, false) }), { not_mandatory = false, unstructured = true }) manual_approvals = optional(object({ require_approver_justification = bool steps = list(object({ approvers = list(string) approvals_needed = optional(number, 1) approver_email_recipients = optional(list(string)) })) })) additional_notification_targets = optional(object({ admin_email_recipients = optional(list(string)) requester_email_recipients = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [scc_sha_custom_modules](variables-scc.tf#L17) | SCC custom modules keyed by module name. | <code title="map(object({ description = optional(string) severity = string recommendation = string predicate = object({ expression = string }) resource_selector = object({ resource_types = list(string) }) enablement_state = optional(string, "ENABLED") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [scc_mute_configs](variables-scc.tf#L17) | SCC mute configurations keyed by name. | <code title="map(object({ description = optional(string) filter = string type = optional(string, "DYNAMIC") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [scc_sha_custom_modules](variables-scc.tf#L28) | SCC custom modules keyed by module name. | <code title="map(object({ description = optional(string) severity = string recommendation = string predicate = object({ expression = string }) resource_selector = object({ resource_types = list(string) }) enablement_state = optional(string, "ENABLED") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables-tags.tf#L89) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [tags](variables-tags.tf#L96) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tags_config](variables-tags.tf#L161) | Fine-grained control on tag resource and IAM creation. | <code title="object({ force_context_ids = optional(bool, false) ignore_iam = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
@@ -904,10 +952,11 @@ module "org" {
|
||||
| [organization_id](outputs.tf#L81) | Organization id dependent on module resources. | |
|
||||
| [organization_policies_ids](outputs.tf#L98) | Map of ORGANIZATION_POLICIES => ID in the organization. | |
|
||||
| [scc_custom_sha_modules_ids](outputs.tf#L103) | Map of SCC CUSTOM SHA MODULES => ID in the organization. | |
|
||||
| [service_agents](outputs.tf#L108) | Identities of all organization-level service agents. | |
|
||||
| [sink_writer_identities](outputs.tf#L113) | Writer identities created for each sink. | |
|
||||
| [tag_keys](outputs.tf#L121) | Tag key resources. | |
|
||||
| [tag_values](outputs.tf#L130) | Tag value resources. | |
|
||||
| [workforce_identity_provider_names](outputs.tf#L138) | Workforce Identity provider names. | |
|
||||
| [workforce_identity_providers](outputs.tf#L145) | Workforce Identity provider attributes. | |
|
||||
| [scc_mute_configs](outputs.tf#L108) | SCC mute configurations. | |
|
||||
| [service_agents](outputs.tf#L113) | Identities of all organization-level service agents. | |
|
||||
| [sink_writer_identities](outputs.tf#L118) | Writer identities created for each sink. | |
|
||||
| [tag_keys](outputs.tf#L126) | Tag key resources. | |
|
||||
| [tag_values](outputs.tf#L135) | Tag value resources. | |
|
||||
| [workforce_identity_provider_names](outputs.tf#L143) | Workforce Identity provider names. | |
|
||||
| [workforce_identity_providers](outputs.tf#L150) | Workforce Identity provider attributes. | |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
@@ -105,6 +105,11 @@ output "scc_custom_sha_modules_ids" {
|
||||
value = { for k, v in google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module : k => v.id }
|
||||
}
|
||||
|
||||
output "scc_mute_configs" {
|
||||
description = "SCC mute configurations."
|
||||
value = google_scc_v2_organization_mute_config.scc_mute_configs
|
||||
}
|
||||
|
||||
output "service_agents" {
|
||||
description = "Identities of all organization-level service agents."
|
||||
value = local.service_agents
|
||||
|
||||
60
modules/organization/scc-mute-configs.tf
Normal file
60
modules/organization/scc-mute-configs.tf
Normal file
@@ -0,0 +1,60 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# tfdoc:file:description Organization-level SCC mute configurations.
|
||||
|
||||
locals {
|
||||
_scc_mute_configs_factory_path = pathexpand(coalesce(var.factories_config.scc_mute_configs, "-"))
|
||||
_scc_mute_configs_factory_data_raw = merge([
|
||||
for f in try(fileset(local._scc_mute_configs_factory_path, "*.yaml"), []) :
|
||||
yamldecode(file("${local._scc_mute_configs_factory_path}/${f}"))
|
||||
]...)
|
||||
_scc_mute_configs_factory_data = {
|
||||
for k, v in local._scc_mute_configs_factory_data_raw :
|
||||
k => {
|
||||
description = try(v.description, null)
|
||||
filter = v.filter
|
||||
type = try(v.type, "DYNAMIC")
|
||||
}
|
||||
}
|
||||
_scc_mute_configs = merge(
|
||||
local._scc_mute_configs_factory_data,
|
||||
var.scc_mute_configs
|
||||
)
|
||||
scc_mute_configs = {
|
||||
for k, v in local._scc_mute_configs :
|
||||
k => merge(v, {
|
||||
name = k
|
||||
parent = var.organization_id
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_scc_v2_organization_mute_config" "scc_mute_configs" {
|
||||
for_each = local.scc_mute_configs
|
||||
organization = replace(var.organization_id, "organizations/", "")
|
||||
location = "global"
|
||||
mute_config_id = each.key
|
||||
description = each.value.description
|
||||
filter = each.value.filter
|
||||
type = each.value.type
|
||||
|
||||
depends_on = [
|
||||
google_organization_iam_binding.authoritative,
|
||||
google_organization_iam_binding.bindings,
|
||||
google_organization_iam_member.bindings,
|
||||
]
|
||||
}
|
||||
29
modules/organization/schemas/scc-mute-config.schema.json
Normal file
29
modules/organization/schemas/scc-mute-config.schema.json
Normal file
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "SCC Mute Configurations",
|
||||
"type": "object",
|
||||
"patternProperties": {
|
||||
"^[a-zA-Z]+$": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"filter"
|
||||
],
|
||||
"properties": {
|
||||
"description": {
|
||||
"type": "string"
|
||||
},
|
||||
"filter": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"DYNAMIC",
|
||||
"STATIC"
|
||||
],
|
||||
"default": "DYNAMIC"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
11
modules/organization/schemas/scc-mute-config.schema.md
Normal file
11
modules/organization/schemas/scc-mute-config.schema.md
Normal file
@@ -0,0 +1,11 @@
|
||||
# SCC Mute Configurations
|
||||
|
||||
<!-- markdownlint-disable MD036 -->
|
||||
|
||||
## Properties
|
||||
|
||||
- **`^[a-zA-Z]+$`**: *object*
|
||||
- **description**: *string*
|
||||
- ⁺**filter**: *string*
|
||||
- **type**: *string*
|
||||
- enum: `DYNAMIC`, `STATIC`
|
||||
@@ -14,6 +14,17 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "scc_mute_configs" {
|
||||
description = "SCC mute configurations keyed by name."
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
filter = string
|
||||
type = optional(string, "DYNAMIC")
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "scc_sha_custom_modules" {
|
||||
description = "SCC custom modules keyed by module name."
|
||||
type = map(object({
|
||||
|
||||
@@ -100,6 +100,7 @@ variable "factories_config" {
|
||||
org_policies = optional(string)
|
||||
org_policy_custom_constraints = optional(string)
|
||||
pam_entitlements = optional(string)
|
||||
scc_mute_configs = optional(string)
|
||||
scc_sha_custom_modules = optional(string)
|
||||
tags = optional(string)
|
||||
})
|
||||
|
||||
File diff suppressed because one or more lines are too long
54
modules/project/scc-mute-configs.tf
Normal file
54
modules/project/scc-mute-configs.tf
Normal file
@@ -0,0 +1,54 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# tfdoc:file:description Project-level SCC mute configurations.
|
||||
|
||||
locals {
|
||||
_scc_mute_configs_factory_path = pathexpand(coalesce(var.factories_config.scc_mute_configs, "-"))
|
||||
_scc_mute_configs_factory_data_raw = merge([
|
||||
for f in try(fileset(local._scc_mute_configs_factory_path, "*.yaml"), []) :
|
||||
yamldecode(file("${local._scc_mute_configs_factory_path}/${f}"))
|
||||
]...)
|
||||
_scc_mute_configs_factory_data = {
|
||||
for k, v in local._scc_mute_configs_factory_data_raw :
|
||||
k => {
|
||||
description = try(v.description, null)
|
||||
filter = v.filter
|
||||
type = try(v.type, "DYNAMIC")
|
||||
}
|
||||
}
|
||||
_scc_mute_configs = merge(
|
||||
local._scc_mute_configs_factory_data,
|
||||
var.scc_mute_configs
|
||||
)
|
||||
scc_mute_configs = {
|
||||
for k, v in local._scc_mute_configs :
|
||||
k => merge(v, {
|
||||
name = k
|
||||
parent = "projects/${local.project.project_id}"
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_scc_v2_project_mute_config" "scc_mute_configs" {
|
||||
for_each = local.scc_mute_configs
|
||||
project = local.project.project_id
|
||||
location = "global"
|
||||
mute_config_id = each.key
|
||||
description = each.value.description
|
||||
filter = each.value.filter
|
||||
type = each.value.type
|
||||
}
|
||||
29
modules/project/schemas/scc-mute-config.schema.json
Normal file
29
modules/project/schemas/scc-mute-config.schema.json
Normal file
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "SCC Mute Configurations",
|
||||
"type": "object",
|
||||
"patternProperties": {
|
||||
"^[a-zA-Z]+$": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"filter"
|
||||
],
|
||||
"properties": {
|
||||
"description": {
|
||||
"type": "string"
|
||||
},
|
||||
"filter": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"DYNAMIC",
|
||||
"STATIC"
|
||||
],
|
||||
"default": "DYNAMIC"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
11
modules/project/schemas/scc-mute-config.schema.md
Normal file
11
modules/project/schemas/scc-mute-config.schema.md
Normal file
@@ -0,0 +1,11 @@
|
||||
# SCC Mute Configurations
|
||||
|
||||
<!-- markdownlint-disable MD036 -->
|
||||
|
||||
## Properties
|
||||
|
||||
- **`^[a-zA-Z]+$`**: *object*
|
||||
- **description**: *string*
|
||||
- ⁺**filter**: *string*
|
||||
- **type**: *string*
|
||||
- enum: `DYNAMIC`, `STATIC`
|
||||
@@ -14,6 +14,17 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "scc_mute_configs" {
|
||||
description = "SCC mute configurations keyed by name."
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
filter = string
|
||||
type = optional(string, "DYNAMIC")
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "scc_sha_custom_modules" {
|
||||
description = "SCC custom modules keyed by module name."
|
||||
type = map(object({
|
||||
|
||||
@@ -196,6 +196,7 @@ variable "factories_config" {
|
||||
org_policies = optional(string)
|
||||
pam_entitlements = optional(string)
|
||||
quotas = optional(string)
|
||||
scc_mute_configs = optional(string)
|
||||
scc_sha_custom_modules = optional(string)
|
||||
tags = optional(string)
|
||||
})
|
||||
|
||||
34
tests/modules/folder/examples/scc-mute-configs.yaml
Normal file
34
tests/modules/folder/examples/scc-mute-configs.yaml
Normal file
@@ -0,0 +1,34 @@
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
values:
|
||||
module.folder.google_folder.folder[0]:
|
||||
deletion_protection: false
|
||||
display_name: Folder name
|
||||
parent: folders/1122334455
|
||||
tags: null
|
||||
timeouts: null
|
||||
module.folder.google_scc_v2_folder_mute_config.scc_mute_configs["muteHighSeverity"]:
|
||||
description: Mute high severity findings
|
||||
filter: severity="HIGH"
|
||||
location: global
|
||||
mute_config_id: muteHighSeverity
|
||||
type: DYNAMIC
|
||||
|
||||
counts:
|
||||
google_folder: 1
|
||||
google_scc_v2_folder_mute_config: 1
|
||||
modules: 1
|
||||
resources: 2
|
||||
27
tests/modules/organization/examples/scc-mute-configs.yaml
Normal file
27
tests/modules/organization/examples/scc-mute-configs.yaml
Normal file
@@ -0,0 +1,27 @@
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.org.google_scc_v2_organization_mute_config.scc_mute_configs["muteHighSeverity"]:
|
||||
description: Mute high severity findings
|
||||
filter: severity="HIGH"
|
||||
location: global
|
||||
mute_config_id: muteHighSeverity
|
||||
organization: '1122334455'
|
||||
type: DYNAMIC
|
||||
|
||||
counts:
|
||||
google_scc_v2_organization_mute_config: 1
|
||||
modules: 1
|
||||
resources: 1
|
||||
44
tests/modules/project/examples/scc-mute-configs.yaml
Normal file
44
tests/modules/project/examples/scc-mute-configs.yaml
Normal file
@@ -0,0 +1,44 @@
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.project.google_project.project[0]:
|
||||
auto_create_network: false
|
||||
billing_account: 123456-123456-123456
|
||||
deletion_policy: DELETE
|
||||
effective_labels:
|
||||
goog-terraform-provisioned: 'true'
|
||||
folder_id: '1122334455'
|
||||
labels: null
|
||||
name: test-project
|
||||
org_id: null
|
||||
project_id: test-project
|
||||
tags: null
|
||||
terraform_labels:
|
||||
goog-terraform-provisioned: 'true'
|
||||
timeouts: null
|
||||
module.project.google_scc_v2_project_mute_config.scc_mute_configs["muteHighSeverity"]:
|
||||
description: Mute high severity findings
|
||||
filter: severity="HIGH"
|
||||
location: global
|
||||
mute_config_id: muteHighSeverity
|
||||
project: test-project
|
||||
timeouts: null
|
||||
type: DYNAMIC
|
||||
|
||||
counts:
|
||||
google_project: 1
|
||||
google_scc_v2_project_mute_config: 1
|
||||
modules: 1
|
||||
resources: 2
|
||||
Reference in New Issue
Block a user