chore: disabling SCC notifications for now (#1304)

Author: lpezet

1-org/envs/shared/README.md

@@ -9,6 +9,7 @@
 | data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
 | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
 | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
 | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |

1-org/envs/shared/cai_monitoring.tf

@@ -15,11 +15,11 @@
  */
 
 module "cai_monitoring" {
-  source = "../../modules/cai-monitoring"
-
+  source                = "../../modules/cai-monitoring"
+  count                 = var.enable_scc_resources_in_terraform ? 1 : 0
   org_id                = local.org_id
   billing_account       = local.billing_account
   project_id            = module.scc_notifications.project_id
   location              = local.default_region
-  build_service_account = "projects/${module.scc_notifications.project_id}/serviceAccounts/${google_service_account.cai_monitoring_builder.email}"
+  build_service_account = "projects/${module.scc_notifications.project_id}/serviceAccounts/${google_service_account.cai_monitoring_builder[0].email}"
 }

1-org/envs/shared/iam.tf

@@ -169,7 +169,7 @@ resource "google_organization_iam_member" "org_scc_admin" {
 }
 
 resource "google_project_iam_member" "project_scc_admin" {
-  count   = var.gcp_groups.scc_admin != null ? 1 : 0
+  count   = var.gcp_groups.scc_admin != null && var.enable_scc_resources_in_terraform ? 1 : 0
   project = module.scc_notifications.project_id
   role    = "roles/securitycenter.adminEditor"
   member  = "group:${var.gcp_groups.scc_admin}"
@@ -191,11 +191,12 @@ resource "google_project_iam_member" "kms_admin" {
 
 resource "google_project_iam_member" "cai_monitoring_builder" {
   project = module.scc_notifications.project_id
-  for_each = toset([
-    "roles/logging.logWriter",
-    "roles/storage.objectViewer",
-    "roles/artifactregistry.writer",
-  ])
+  for_each = toset(var.enable_scc_resources_in_terraform ?
+    [
+      "roles/logging.logWriter",
+      "roles/storage.objectViewer",
+      "roles/artifactregistry.writer",
+  ] : [])
   role   = each.key
-  member = "serviceAccount:${google_service_account.cai_monitoring_builder.email}"
+  member = "serviceAccount:${google_service_account.cai_monitoring_builder[0].email}"
 }

1-org/envs/shared/outputs.tf

@@ -75,7 +75,7 @@ output "interconnect_project_number" {
 }
 
 output "scc_notifications_project_id" {
-  value       = module.scc_notifications.project_id
+  value       = try(module.scc_notifications.project_id, null)
   description = "The SCC notifications project ID"
 }
 
@@ -140,21 +140,21 @@ output "shared_vpc_projects" {
 }
 
 output "cai_monitoring_artifact_registry" {
-  value       = module.cai_monitoring.artifact_registry_name
+  value       = try(module.cai_monitoring[0].artifact_registry_name, null)
   description = "CAI Monitoring Cloud Function Artifact Registry name."
 }
 
 output "cai_monitoring_asset_feed" {
-  value       = module.cai_monitoring.asset_feed_name
+  value       = try(module.cai_monitoring[0].asset_feed_name, null)
   description = "CAI Monitoring Cloud Function Organization Asset Feed name."
 }
 
 output "cai_monitoring_bucket" {
-  value       = module.cai_monitoring.bucket_name
+  value       = try(module.cai_monitoring[0].bucket_name, null)
   description = "CAI Monitoring Cloud Function Source Bucket name."
 }
 
 output "cai_monitoring_topic" {
-  value       = module.cai_monitoring.topic_name
+  value       = try(module.cai_monitoring[0].topic_name, null)
   description = "CAI Monitoring Cloud Function Pub/Sub Topic name."
 }

1-org/envs/shared/sa.tf

@@ -16,6 +16,7 @@
 
 resource "google_service_account" "cai_monitoring_builder" {
   project                      = module.scc_notifications.project_id
+  count                        = var.enable_scc_resources_in_terraform ? 1 : 0
   account_id                   = "cai-monitoring-builder"
   description                  = "Cloud Functions has an underlying dependency on Cloud Build and other services. This service account allows Cloud Build to provision the necessary resources for Cloud Functions."
   create_ignore_already_exists = true

1-org/envs/shared/scc_notification.tf

@@ -19,21 +19,24 @@
 *****************************************/
 
 resource "google_pubsub_topic" "scc_notification_topic" {
+  count   = var.enable_scc_resources_in_terraform ? 1 : 0
   name    = "top-scc-notification"
   project = module.scc_notifications.project_id
 }
 
 resource "google_pubsub_subscription" "scc_notification_subscription" {
+  count   = var.enable_scc_resources_in_terraform ? 1 : 0
   name    = "sub-scc-notification"
-  topic   = google_pubsub_topic.scc_notification_topic.name
+  topic   = google_pubsub_topic.scc_notification_topic[0].name
   project = module.scc_notifications.project_id
 }
 
 resource "google_scc_notification_config" "scc_notification_config" {
+  count        = var.enable_scc_resources_in_terraform ? 1 : 0
   config_id    = var.scc_notification_name
   organization = local.org_id
   description  = "SCC Notification for all active findings"
-  pubsub_topic = google_pubsub_topic.scc_notification_topic.id
+  pubsub_topic = google_pubsub_topic.scc_notification_topic[0].id
 
   streaming_config {
     filter = var.scc_notification_filter

1-org/envs/shared/variables.tf

@@ -20,6 +20,12 @@ variable "enable_hub_and_spoke" {
   default     = false
 }
 
+variable "enable_scc_resources_in_terraform" {
+  description = "Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context."
+  type        = bool
+  default     = false
+}
+
 variable "domains_to_allow" {
   description = "The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy."
   type        = list(string)

test/integration/org/org_test.go

@@ -182,22 +182,22 @@ func TestOrg(t *testing.T) {
 			requireOsLogin := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", "constraints/compute.requireOsLogin", parentFolder)
 			assert.Equal("constraints/compute.requireOsLogin", requireOsLogin.Get("constraint").String(), "org policy should require OS Login")
 
-			// security command center
-			sccProjectID := org.GetStringOutput("scc_notifications_project_id")
-			topicName := "top-scc-notification"
-			topicFullName := fmt.Sprintf("projects/%s/topics/%s", sccProjectID, topicName)
-			topic := gcloud.Runf(t, "pubsub topics describe %s --project %s", topicName, sccProjectID)
-			assert.Equal(topicFullName, topic.Get("name").String(), fmt.Sprintf("topic %s should have been created", topicName))
-
-			subscriptionName := "sub-scc-notification"
-			subscriptionFullName := fmt.Sprintf("projects/%s/subscriptions/%s", sccProjectID, subscriptionName)
-			subscription := gcloud.Runf(t, "pubsub subscriptions describe %s --project %s", subscriptionName, sccProjectID)
-			assert.Equal(subscriptionFullName, subscription.Get("name").String(), fmt.Sprintf("subscription %s should have been created", subscriptionName))
-
-			orgID := bootstrap.GetTFSetupStringOutput("org_id")
-			notificationName := org.GetStringOutput("scc_notification_name")
-			notification := gcloud.Runf(t, "scc notifications describe %s --organization %s", notificationName, orgID)
-			assert.Equal(topicFullName, notification.Get("pubsubTopic").String(), fmt.Sprintf("notification %s should use topic %s", notificationName, topicName))
+			// security command center (commented out with issue #1189)
+			// sccProjectID := org.GetStringOutput("scc_notifications_project_id")
+			// topicName := "top-scc-notification"
+			// topicFullName := fmt.Sprintf("projects/%s/topics/%s", sccProjectID, topicName)
+			// topic := gcloud.Runf(t, "pubsub topics describe %s --project %s", topicName, sccProjectID)
+			// assert.Equal(topicFullName, topic.Get("name").String(), fmt.Sprintf("topic %s should have been created", topicName))
+
+			// subscriptionName := "sub-scc-notification"
+			// subscriptionFullName := fmt.Sprintf("projects/%s/subscriptions/%s", sccProjectID, subscriptionName)
+			// subscription := gcloud.Runf(t, "pubsub subscriptions describe %s --project %s", subscriptionName, sccProjectID)
+			// assert.Equal(subscriptionFullName, subscription.Get("name").String(), fmt.Sprintf("subscription %s should have been created", subscriptionName))
+
+			// orgID := bootstrap.GetTFSetupStringOutput("org_id")
+			// notificationName := org.GetStringOutput("scc_notification_name")
+			// notification := gcloud.Runf(t, "scc notifications describe %s --organization %s", notificationName, orgID)
+			// assert.Equal(topicFullName, notification.Get("pubsubTopic").String(), fmt.Sprintf("notification %s should use topic %s", notificationName, topicName))
 
 			//essential contacts
 			//test case considers that just the Org Admin group exists and will subscribe for all categories
@@ -293,33 +293,33 @@ func TestOrg(t *testing.T) {
 				}
 			}
 
-			// CAI Monitoring
+			// CAI Monitoring (commented out with issue #1189)
 			// Variables
-			caiAr := org.GetStringOutput("cai_monitoring_artifact_registry")
-			caiBucket := org.GetStringOutput("cai_monitoring_bucket")
-			caiTopic := org.GetStringOutput("cai_monitoring_topic")
+			// caiAr := org.GetStringOutput("cai_monitoring_artifact_registry")
+			// caiBucket := org.GetStringOutput("cai_monitoring_bucket")
+			// caiTopic := org.GetStringOutput("cai_monitoring_topic")
 
-			caiSaEmail := fmt.Sprintf("cai-monitoring@%s.iam.gserviceaccount.com", sccProjectID)
-			caiTopicFullName := fmt.Sprintf("projects/%s/topics/%s", sccProjectID, caiTopic)
+			// caiSaEmail := fmt.Sprintf("cai-monitoring@%s.iam.gserviceaccount.com", sccProjectID)
+			// caiTopicFullName := fmt.Sprintf("projects/%s/topics/%s", sccProjectID, caiTopic)
 
 			// Cloud Function
-			opCf := gcloud.Runf(t, "functions describe caiMonitoring --project %s --gen2 --region %s", sccProjectID, defaultRegion)
-			assert.Equal("ACTIVE", opCf.Get("state").String(), "Should be ACTIVE. Cloud Function is not successfully deployed.")
-			assert.Equal(caiSaEmail, opCf.Get("serviceConfig.serviceAccountEmail").String(), fmt.Sprintf("Cloud Function should use the service account %s.", caiSaEmail))
-			assert.Contains(opCf.Get("eventTrigger.eventType").String(), "google.cloud.pubsub.topic.v1.messagePublished", "Event Trigger is not based on Pub/Sub message. Check the EventType configuration.")
+			// opCf := gcloud.Runf(t, "functions describe caiMonitoring --project %s --gen2 --region %s", sccProjectID, defaultRegion)
+			// assert.Equal("ACTIVE", opCf.Get("state").String(), "Should be ACTIVE. Cloud Function is not successfully deployed.")
+			// assert.Equal(caiSaEmail, opCf.Get("serviceConfig.serviceAccountEmail").String(), fmt.Sprintf("Cloud Function should use the service account %s.", caiSaEmail))
+			// assert.Contains(opCf.Get("eventTrigger.eventType").String(), "google.cloud.pubsub.topic.v1.messagePublished", "Event Trigger is not based on Pub/Sub message. Check the EventType configuration.")
 
 			// Cloud Function Storage Bucket
-			bktArgs := gcloud.WithCommonArgs([]string{"--project", sccProjectID, "--json"})
-			opSrcBucket := gcloud.Run(t, fmt.Sprintf("alpha storage ls --buckets gs://%s", caiBucket), bktArgs).Array()
-			assert.Equal("true", opSrcBucket[0].Get("metadata.iamConfiguration.bucketPolicyOnly.enabled").String(), "Should have Bucket Policy Only enabled.")
+			// bktArgs := gcloud.WithCommonArgs([]string{"--project", sccProjectID, "--json"})
+			// opSrcBucket := gcloud.Run(t, fmt.Sprintf("alpha storage ls --buckets gs://%s", caiBucket), bktArgs).Array()
+			// assert.Equal("true", opSrcBucket[0].Get("metadata.iamConfiguration.bucketPolicyOnly.enabled").String(), "Should have Bucket Policy Only enabled.")
 
 			// Cloud Function Artifact Registry
-			opAR := gcloud.Runf(t, "artifacts repositories describe %s --project %s --location %s", caiAr, sccProjectID, defaultRegion)
-			assert.Equal("DOCKER", opAR.Get("format").String(), "Should have type: DOCKER")
+			// opAR := gcloud.Runf(t, "artifacts repositories describe %s --project %s --location %s", caiAr, sccProjectID, defaultRegion)
+			// assert.Equal("DOCKER", opAR.Get("format").String(), "Should have type: DOCKER")
 
 			// Cloud Function Pub/Sub
-			opTopic := gcloud.Runf(t, "pubsub topics describe %s --project %s", caiTopic, sccProjectID)
-			assert.Equal(caiTopicFullName, opTopic.Get("name").String(), fmt.Sprintf("Topic %s should have been created", caiTopicFullName))
+			// opTopic := gcloud.Runf(t, "pubsub topics describe %s --project %s", caiTopic, sccProjectID)
+			// assert.Equal(caiTopicFullName, opTopic.Get("name").String(), fmt.Sprintf("Topic %s should have been created", caiTopicFullName))
 
 			// Log Sink
 			for _, sink := range []struct {