hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

scc_notification_config: This API is no longer available. Please use API V2. #17893

Open daniel-cit opened 3 months ago

daniel-cit commented 3 months ago

Community Note

Terraform Version

Terraform v1.3.10 on linux_amd64

Affected Resource(s)

Terraform Configuration

variable "org_id" {
  type = string
}

variable "project_id" {
  type = string
}

resource "google_pubsub_topic" "scc_notification_topic" {
  name    = "top-scc-notification"
  project = var.project_id
}

resource "google_pubsub_subscription" "scc_notification_subscription" {
  name    = "sub-scc-notification"
  topic   = google_pubsub_topic.scc_notification_topic.name
  project = var.project_id
}

resource "google_scc_notification_config" "scc_notification_config" {
  config_id    = "test_api_v1_v2"
  organization = var.org_id
  description  = "SCC Notification for all active findings"
  pubsub_topic = google_pubsub_topic.scc_notification_topic.id

  streaming_config {
    filter = "state = \"ACTIVE\""
  }
}

Debug Output

No response

Expected Behavior

SCC Notification config created

Actual Behavior

Error: Error creating NotificationConfig: googleapi: Error 400: This API is no longer available. Please use API V2.

Steps to reproduce

  1. Enable Security Command Center for the first time in a organization
  2. terraform apply

Important Factoids

In an organization that has already had Security Command Center enabled for some time:

In an organization where Security Command Center has just been enabled:

References

https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189

b/335841742

ggtisc commented 2 months ago

Hi @daniel-cit!

The linked reference was checked and, as you reported, this scenario was replicated from scratch with the shared steps to reproduce and with the provided Terraform version 1.3.10. At the end of the process the result was successful and without errors. I recommend you check your org tier as this link suggests, because google_scc_notification_config is only available for Standard and Premium tiers, and finally, among other provider configurations, you should add this:

provider "google" {
  user_project_override = true
  billing_project = "yourprojectname"
}
daniel-cit commented 2 months ago

Hi @ggtisc thanks for the response.

As stated in this comment and in this comment, Security Command Center has been enabled in the organizations.

In the first case SCC Premium has been enabled in the organization, and in the second one SCC Standard has been enabled in the organization. These are different organizations, and SCC had not been enabled before.

In both cases the resource google_scc_notification_config fails to create the SCC Notification config.

As stated in a following comment for the second case, it is only possible to create the notification config using the gcloud command with the new option --location=global, which, when used, replaces the service endpoint used by gcloud from the V1 API to the V2 API.

If we try to replace the service endpoint in the provider using

provider "google" {
  security_center_custom_endpoint = "https://securitycenter.googleapis.com/v2/"
}

we got this error

The requested URL /v2/organizations/REDACTED/notificationConfigs?alt=json&configId=test_api_v1_v2 was not found on this server. That's all we know.

This is because the resource is trying to use the V1 parent "organizations/[organization_id]" against V2.

The parent from V2 is "organizations/[organization_id]/locations/[locationId]".

The terraform resource does not have a location parameter that we could use. For the gcloud CLI the --location flag was added in release 466.0.0 (2024-02-27)

The Terraform resource should be able to do the same check that the gcloud CLI is doing.

roaks3 commented 2 months ago

FYI that this was also raised internally with b/335437367. We may also want to ultimately forward this issue as well, to highlight the Terraform issue specifically.

ggtisc commented 2 months ago

It was successful for me, but forwarding to the service team to clarify.

petri-o-ojala commented 2 weeks ago

Any progress on this?

roaks3 commented 2 weeks ago

The service team is looking at this, with no specific timeline that I can see.

Note that: