Google Git
Sign in
third-party-mirror / terraform-provider-google-beta / 7018e2f3f116fdacfd66c03551fbf0c3db62170a / . / v5.18.0 / website / docs / r / scc_organization_custom_module.html.markdown
blob: 47012bcc735142e896c41b8d52d26c57f78c6aad [file] [log] [blame]
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Security Command Center (SCC)"
description: |-
Represents an instance of a Security Health Analytics custom module, including
its full module name, display name, enablement state, and last updated time.
---
# google\_scc\_organization\_custom\_module
Represents an instance of a Security Health Analytics custom module, including
its full module name, display name, enablement state, and last updated time.
You can create a custom module at the organization, folder, or project level.
Custom modules that you create at the organization or folder level are inherited
by the child folders and projects.
To get more information about OrganizationCustomModule, see:
* [API documentation](https://cloud.google.com/security-command-center/docs/reference/rest/v1/organizations.securityHealthAnalyticsSettings.customModules)
* How-to Guides
* [Overview of custom modules for Security Health Analytics](https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview)
## Example Usage - Scc Organization Custom Module Basic
```hcl
resource "google_scc_organization_custom_module" "example" {
organization = "123456789"
display_name = "basic_custom_module"
enablement_state = "ENABLED"
custom_config {
predicate {
expression = "resource.rotationPeriod > duration(\"2592000s\")"
}
resource_selector {
resource_types = [
"cloudkms.googleapis.com/CryptoKey",
]
}
description = "The rotation period of the identified cryptokey resource exceeds 30 days."
recommendation = "Set the rotation period to at most 30 days."
severity = "MEDIUM"
}
}
```
## Example Usage - Scc Organization Custom Module Full
```hcl
resource "google_scc_organization_custom_module" "example" {
organization = "123456789"
display_name = "full_custom_module"
enablement_state = "ENABLED"
custom_config {
predicate {
expression = "resource.rotationPeriod > duration(\"2592000s\")"
title = "Purpose of the expression"
description = "description of the expression"
location = "location of the expression"
}
custom_output {
properties {
name = "duration"
value_expression {
expression = "resource.rotationPeriod"
title = "Purpose of the expression"
description = "description of the expression"
location = "location of the expression"
}
}
}
resource_selector {
resource_types = [
"cloudkms.googleapis.com/CryptoKey",
]
}
severity = "LOW"
description = "Description of the custom module"
recommendation = "Steps to resolve violation"
}
}
```
## Argument Reference
The following arguments are supported:
* `display_name` -
(Required)
The display name of the Security Health Analytics custom module. This
display name becomes the finding category for all findings that are
returned by this custom module. The display name must be between 1 and
128 characters, start with a lowercase letter, and contain alphanumeric
characters or underscores only.
* `enablement_state` -
(Required)
The enablement state of the custom module.
Possible values are: `ENABLED`, `DISABLED`.
* `custom_config` -
(Required)
The user specified custom configuration for the module.
Structure is [documented below](#nested_custom_config).
* `organization` -
(Required)
Numerical ID of the parent organization.
<a name="nested_custom_config"></a>The `custom_config` block supports:
* `predicate` -
(Required)
The CEL expression to evaluate to produce findings. When the expression evaluates
to true against a resource, a finding is generated.
Structure is [documented below](#nested_predicate).
* `custom_output` -
(Optional)
Custom output properties.
Structure is [documented below](#nested_custom_output).
* `resource_selector` -
(Required)
The resource types that the custom module operates on. Each custom module
can specify up to 5 resource types.
Structure is [documented below](#nested_resource_selector).
* `severity` -
(Required)
The severity to assign to findings generated by the module.
Possible values are: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`.
* `description` -
(Optional)
Text that describes the vulnerability or misconfiguration that the custom
module detects. This explanation is returned with each finding instance to
help investigators understand the detected issue. The text must be enclosed in quotation marks.
* `recommendation` -
(Required)
An explanation of the recommended steps that security teams can take to resolve
the detected issue. This explanation is returned with each finding generated by
this module in the nextSteps property of the finding JSON.
<a name="nested_predicate"></a>The `predicate` block supports:
* `expression` -
(Required)
Textual representation of an expression in Common Expression Language syntax.
* `title` -
(Optional)
Title for the expression, i.e. a short string describing its purpose. This can
be used e.g. in UIs which allow to enter the expression.
* `description` -
(Optional)
Description of the expression. This is a longer text which describes the
expression, e.g. when hovered over it in a UI.
* `location` -
(Optional)
String indicating the location of the expression for error reporting, e.g. a
file name and a position in the file.
<a name="nested_custom_output"></a>The `custom_output` block supports:
* `properties` -
(Optional)
A list of custom output properties to add to the finding.
Structure is [documented below](#nested_properties).
<a name="nested_properties"></a>The `properties` block supports:
* `name` -
(Optional)
Name of the property for the custom output.
* `value_expression` -
(Optional)
The CEL expression for the custom output. A resource property can be specified
to return the value of the property or a text string enclosed in quotation marks.
Structure is [documented below](#nested_value_expression).
<a name="nested_value_expression"></a>The `value_expression` block supports:
* `expression` -
(Required)
Textual representation of an expression in Common Expression Language syntax.
* `title` -
(Optional)
Title for the expression, i.e. a short string describing its purpose. This can
be used e.g. in UIs which allow to enter the expression.
* `description` -
(Optional)
Description of the expression. This is a longer text which describes the
expression, e.g. when hovered over it in a UI.
* `location` -
(Optional)
String indicating the location of the expression for error reporting, e.g. a
file name and a position in the file.
<a name="nested_resource_selector"></a>The `resource_selector` block supports:
* `resource_types` -
(Required)
The resource types to run the detector on.
- - -
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `organizations/{{organization}}/securityHealthAnalyticsSettings/customModules/{{name}}`
* `name` -
The resource name of the custom module. Its format is "organizations/{org_id}/securityHealthAnalyticsSettings/customModules/{customModule}".
The id {customModule} is server-generated and is not user settable. It will be a numeric id containing 1-20 digits.
* `update_time` -
The time at which the custom module was last updated.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and
up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
* `last_editor` -
The editor that last updated the custom module.
* `ancestor_module` -
If empty, indicates that the custom module was created in the organization, folder,
or project in which you are viewing the custom module. Otherwise, ancestor_module
specifies the organization or folder from which the custom module is inherited.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
OrganizationCustomModule can be imported using any of these accepted formats:
* `organizations/{{organization}}/securityHealthAnalyticsSettings/customModules/{{name}}`
* `{{organization}}/{{name}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import OrganizationCustomModule using one of the formats above. For example:
```tf
import {
id = "organizations/{{organization}}/securityHealthAnalyticsSettings/customModules/{{name}}"
to = google_scc_organization_custom_module.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), OrganizationCustomModule can be imported using one of the formats above. For example:
```
$ terraform import google_scc_organization_custom_module.default organizations/{{organization}}/securityHealthAnalyticsSettings/customModules/{{name}}
$ terraform import google_scc_organization_custom_module.default {{organization}}/{{name}}
```