Add support for security command center mute rules in module organization, folder and project (#3694)

modules/project/scc-mute-configs.tf

@@ -0,0 +1,54 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Project-level SCC mute configurations.
+
+locals {
+  _scc_mute_configs_factory_path = pathexpand(coalesce(var.factories_config.scc_mute_configs, "-"))
+  _scc_mute_configs_factory_data_raw = merge([
+    for f in try(fileset(local._scc_mute_configs_factory_path, "*.yaml"), []) :
+    yamldecode(file("${local._scc_mute_configs_factory_path}/${f}"))
+  ]...)
+  _scc_mute_configs_factory_data = {
+    for k, v in local._scc_mute_configs_factory_data_raw :
+    k => {
+      description = try(v.description, null)
+      filter      = v.filter
+      type        = try(v.type, "DYNAMIC")
+    }
+  }
+  _scc_mute_configs = merge(
+    local._scc_mute_configs_factory_data,
+    var.scc_mute_configs
+  )
+  scc_mute_configs = {
+    for k, v in local._scc_mute_configs :
+    k => merge(v, {
+      name   = k
+      parent = "projects/${local.project.project_id}"
+    })
+  }
+}
+
+resource "google_scc_v2_project_mute_config" "scc_mute_configs" {
+  for_each       = local.scc_mute_configs
+  project        = local.project.project_id
+  location       = "global"
+  mute_config_id = each.key
+  description    = each.value.description
+  filter         = each.value.filter
+  type           = each.value.type
+}

modules/project/schemas/scc-mute-config.schema.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "SCC Mute Configurations",
+  "type": "object",
+  "patternProperties": {
+    "^[a-zA-Z]+$": {
+      "type": "object",
+      "required": [
+        "filter"
+      ],
+      "properties": {
+        "description": {
+          "type": "string"
+        },
+        "filter": {
+          "type": "string"
+        },
+        "type": {
+          "type": "string",
+          "enum": [
+            "DYNAMIC",
+            "STATIC"
+          ],
+          "default": "DYNAMIC"
+        }
+      }
+    }
+  }
+}

modules/project/schemas/scc-mute-config.schema.md

@@ -0,0 +1,11 @@
+# SCC Mute Configurations
+
+<!-- markdownlint-disable MD036 -->
+
+## Properties
+
+- **`^[a-zA-Z]+$`**: *object*
+  - **description**: *string*
+  - ⁺**filter**: *string*
+  - **type**: *string*
+    - enum: `DYNAMIC`, `STATIC`

modules/project/variables-scc.tf

@@ -14,6 +14,17 @@
  * limitations under the License.
  */
 
+variable "scc_mute_configs" {
+  description = "SCC mute configurations keyed by name."
+  type = map(object({
+    description = optional(string)
+    filter      = string
+    type        = optional(string, "DYNAMIC")
+  }))
+  default  = {}
+  nullable = false
+}
+
 variable "scc_sha_custom_modules" {
   description = "SCC custom modules keyed by module name."
   type = map(object({

modules/project/variables.tf

@@ -196,6 +196,7 @@ variable "factories_config" {
     org_policies           = optional(string)
     pam_entitlements       = optional(string)
     quotas                 = optional(string)
+    scc_mute_configs       = optional(string)
     scc_sha_custom_modules = optional(string)
     tags                   = optional(string)
   })