Create SCC Mute config resource (GoogleCloudPlatform#7332)

kubalaguna · Feb 27, 2023 · f631ed5 · f631ed5
1 parent 84a5d96
commit f631ed5
Show file tree

Hide file tree

Showing 4 changed files with 125 additions and 1 deletion.
diff --git a/mmv1/products/securitycenter/api.yaml b/mmv1/products/securitycenter/api.yaml
@@ -84,7 +84,7 @@ objects:
       notification config is a Cloud SCC resource that contains the
       configuration to send notifications for create/update events of
       findings, assets and etc.
-      ~> **Note:** In order to use Cloud SCC resources, your organization must be enrolled 
+      ~> **Note:** In order to use Cloud SCC resources, your organization must be enrolled
       in [SCC Standard/Premium](https://cloud.google.com/security-command-center/docs/quickstart-security-command-center).
       Without doing so, you may run into errors during resource creation.
     references: !ruby/object:Api::Resource::ReferenceLinks
@@ -166,3 +166,75 @@ objects:
               See
               [Filtering notifications](https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications)
               for information on how to write a filter.
+  - !ruby/object:Api::Resource
+      name: 'MuteConfig'
+      base_url: '{{parent}}/muteConfigs'
+      self_link: '{{name}}'
+      create_url: '{{parent}}/muteConfigs?muteConfigId={{mute_config_id}}'
+      update_verb: :PATCH
+      update_mask: true
+      description: |
+        Mute Findings is a volume management feature in Security Command Center
+        that lets you manually or programmatically hide irrelevant findings,
+        and create filters to automatically silence existing and future
+        findings based on criteria you specify.
+      references: !ruby/object:Api::Resource::ReferenceLinks
+        api: 'https://cloud.google.com/security-command-center/docs/reference/rest/v1/organizations.muteConfigs'
+      parameters:
+        - !ruby/object:Api::Type::String
+          name: muteConfigId
+          required: true
+          input: true
+          url_param_only: true
+          description: |
+            Unique identifier provided by the client within the parent scope.
+        - !ruby/object:Api::Type::String
+          name: parent
+          required: true
+          input: true
+          url_param_only: true
+          description: |
+            Resource name of the new mute configs's parent. Its format is
+            "organizations/[organization_id]", "folders/[folder_id]", or
+            "projects/[project_id]".
+      properties:
+        - !ruby/object:Api::Type::String
+          name: 'name'
+          output: true
+          description: |
+            Name of the mute config. Its format is
+            organizations/{organization}/muteConfigs/{configId},
+            folders/{folder}/muteConfigs/{configId},
+            or projects/{project}/muteConfigs/{configId}
+        - !ruby/object:Api::Type::String
+          name: 'description'
+          description: A description of the mute config.
+        - !ruby/object:Api::Type::String
+          name: 'filter'
+          description: |
+            An expression that defines the filter to apply across create/update
+            events of findings. While creating a filter string, be mindful of
+            the scope in which the mute configuration is being created. E.g.,
+            If a filter contains project = X but is created under the
+            project = Y scope, it might not match any findings.
+          required: true
+        - !ruby/object:Api::Type::String
+          name: 'createTime'
+          description: |
+            The time at which the mute config was created. This field is set by
+            the server and will be ignored if provided on config creation.
+          output: true
+        - !ruby/object:Api::Type::String
+          name: 'updateTime'
+          description: |
+            Output only. The most recent time at which the mute config was
+            updated. This field is set by the server and will be ignored if
+            provided on config creation or update.
+          output: true
+        - !ruby/object:Api::Type::String
+          name: 'mostRecentEditor'
+          description: |
+            Email address of the user who last edited the mute config. This
+            field is set by the server and will be ignored if provided on
+            config creation or update.
+          output: true
diff --git a/mmv1/products/securitycenter/terraform.yaml b/mmv1/products/securitycenter/terraform.yaml
@@ -56,6 +56,18 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     custom_code: !ruby/object:Provider::Terraform::CustomCode
       custom_import: templates/terraform/custom_import/scc_source_self_link_as_name_set_organization.go.erb
       post_create: templates/terraform/post_create/set_computed_name.erb
+  MuteConfig: !ruby/object:Overrides::Terraform::ResourceOverride
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "scc_mute_config"
+        primary_resource_id: "default"
+        vars:
+          mute_config_id: "my-config"
+        test_env_vars:
+          org_id: :ORG_ID
+    import_format: ["{{name}}"]
+    custom_code: !ruby/object:Provider::Terraform::CustomCode
+      custom_import: templates/terraform/custom_import/scc_mute_config.go.erb
 # This is for copying files over
 files: !ruby/object:Provider::Config::Files
   # These files have templating (ERB) code that will be run.

diff --git a/mmv1/templates/terraform/custom_import/scc_mute_config.go.erb b/mmv1/templates/terraform/custom_import/scc_mute_config.go.erb
@@ -0,0 +1,34 @@
+config := meta.(*Config)
+
+if err := parseImportId([]string{"(?P<name>.+)"}, d, config); err != nil {
+	return nil, err
+}
+
+// current import_formats can't import fields with forward slashes in their value
+name := d.Get("name").(string)
+
+matched, err := regexp.MatchString("(organizations|folders|projects)/.+/muteConfigs/.+", name)
+if err != nil {
+	return nil, fmt.Errorf("error validating import name: %s", err)
+}
+
+if !matched {
+	return nil, fmt.Errorf("error validating import name: %s does not fit naming for muteConfigs. Expected %s",
+	name, "organizations/{organization}/muteConfigs/{configId}, folders/{folder}/muteConfigs/{configId} or projects/{project}/muteConfigs/{configId}")
+}
+
+if err := d.Set("name", name); err != nil {
+	return nil, fmt.Errorf("Error setting name: %s", err)
+}
+
+// mute_config_id and parent are not returned by the API and therefore need to be set manually
+stringParts := strings.Split(d.Get("name").(string), "/")
+if err := d.Set("mute_config_id", stringParts[3]); err != nil {
+	return nil, fmt.Errorf("Error setting mute_config_id: %s", err)
+}
+
+if err := d.Set("parent", fmt.Sprintf("%s/%s", stringParts[0], stringParts[1])); err != nil {
+	return nil, fmt.Errorf("Error setting mute_config_id: %s", err)
+}
+
+return []*schema.ResourceData{d}, nil
diff --git a/mmv1/templates/terraform/examples/scc_mute_config.tf.erb b/mmv1/templates/terraform/examples/scc_mute_config.tf.erb
@@ -0,0 +1,6 @@
+resource "google_scc_mute_config" "<%= ctx[:primary_resource_id] %>" {
+  mute_config_id = "<%= ctx[:vars]['mute_config_id'] %>"
+  parent         = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
+  filter         = "category: \"OS_VULNERABILITY\""
+  description    = "My Mute Config"
+}