merge with main

Author: mariammartins

0-bootstrap/README-GitHub.md

@@ -360,7 +360,7 @@ See the shared folder [README.md](../1-org/envs/shared/README.md#inputs) for add
    ```bash
    export ORG_STEP_SA=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw organization_step_terraform_service_account_email)
 
-   gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --impersonate-service-account=${ORG_STEP_SA}
+   gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --location=global --impersonate-service-account=${ORG_STEP_SA}
    ```
 
 1. If the notification exists the output will be:

0-bootstrap/README-GitLab.md

@@ -417,7 +417,7 @@ See the shared folder [README.md](../1-org/envs/shared/README.md#inputs) for add
    ```bash
    export ORG_STEP_SA=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw organization_step_terraform_service_account_email)
 
-   gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --impersonate-service-account=${ORG_STEP_SA}
+   gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --location=global --impersonate-service-account=${ORG_STEP_SA}
    ```
 
 1. If the notification exists the output will be:

0-bootstrap/README-Jenkins.md

@@ -397,7 +397,7 @@ Here you will configure a VPN Network tunnel to enable connectivity between the
 
    ```bash
    export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -json common_config | jq '.org_id' --raw-output)
-   gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID}
+   gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID} --location=global
    ```
 
 1. Check if your organization already has an Access Context Manager Policy.

0-bootstrap/README-Terraform-Cloud.md

@@ -329,7 +329,7 @@ See the shared folder [README.md](../1-org/envs/shared/README.md#inputs) for add
    ```bash
    export ORG_STEP_SA=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw organization_step_terraform_service_account_email)
 
-   gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --impersonate-service-account=${ORG_STEP_SA}
+   gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --location=global --impersonate-service-account=${ORG_STEP_SA}
    ```
 
 1. If the notification exists the output will be:

1-org/README.md

@@ -146,7 +146,7 @@ If required, run `terraform output cloudbuild_project_id` in the `0-bootstrap` f
 
    ```bash
    export ORGANIZATION_ID=$(terraform -chdir="../terraform-example-foundation/0-bootstrap/" output -json common_config | jq '.org_id' --raw-output)
-   gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID}
+   gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID} --location=global
    ```
 
 1. Check if your organization already has an Access Context Manager policy.
@@ -254,7 +254,7 @@ Create `gcp-org` folder, copy `1-org` content and Terraform wrapper script; ensu
 
    ```bash
    export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -json common_config | jq '.org_id' --raw-output)
-   gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID}
+   gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID} --location=global
    ```
 
 1. Check if your organization already has an Access Context Manager policy.

1-org/envs/shared/README.md

@@ -16,7 +16,7 @@
 | egress\_policies\_keys\_dry\_run | (Dry-run) A list of keys to use for the Terraform state. The order should correspond to var.egress\_policies\_dry\_run and the keys must not be dynamically computed. If `null`, var.egress\_policies\_dry\_run will be used as keys. | `list(string)` | `[]` | no |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_kms\_key\_usage\_tracking | Enable KMS centralized key usage tracking system. | `bool` | `true` | no |
-| enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
+| enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. Security Command Center must be activated before the creation of the resources. See [Overview of activating Security Command Center](https://cloud.google.com/security-command-center/docs/activate-scc-overview) before enabling this feature. | `bool` | `false` | no |
 | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
 | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
 | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |
@@ -42,7 +42,7 @@
 | resources | A list of GCP resources that are inside of the service perimeter. Currently only projects and VPC networks are allowed. | `list(string)` | `[]` | no |
 | resources\_dry\_run | A list of GCP resources that are inside of the service perimeter. Currently only projects and VPC networks are allowed. If set, a dry-run policy will be set. | `list(string)` | `[]` | no |
 | scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
-| scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
+| scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id --location=global` to check if it already exists. | `string` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 
 ## Outputs

1-org/envs/shared/scc_notification.tf

@@ -31,7 +31,7 @@ resource "google_pubsub_subscription" "scc_notification_subscription" {
   project = module.scc_notifications.project_id
 }
 
-resource "google_scc_notification_config" "scc_notification_config" {
+resource "google_scc_v2_organization_notification_config" "scc_notification_config" {
   count        = var.enable_scc_resources_in_terraform ? 1 : 0
   config_id    = var.scc_notification_name
   organization = local.org_id

1-org/envs/shared/variables.tf

@@ -27,7 +27,7 @@ variable "enable_hub_and_spoke" {
 }
 
 variable "enable_scc_resources_in_terraform" {
-  description = "Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context."
+  description = "Create Security Command Center resources in Terraform. Security Command Center must be activated before the creation of the resources. See [Overview of activating Security Command Center](https://cloud.google.com/security-command-center/docs/activate-scc-overview) before enabling this feature."
   type        = bool
   default     = false
 }
@@ -44,7 +44,7 @@ variable "domains_to_allow" {
 }
 
 variable "scc_notification_name" {
-  description = "Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists."
+  description = "Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id --location=global` to check if it already exists."
   type        = string
 }
 

1-org/modules/cai-monitoring/function-source/index.js

@@ -21,7 +21,7 @@ const uuid4 = require('uuid4')
 const moment = require('moment')
 
 // SCC client
-const { SecurityCenterClient } = require('@google-cloud/security-center');
+const { SecurityCenterClient } = require('@google-cloud/security-center').v2;
 const client = new SecurityCenterClient();
 
 // Environment variables