feat(securitycenter): Add Resource SCC Management API Org SHA Custom … (

#3952)

* feat(securitycenter): Add Resource SCC Management API Org SHA Custom Modules

* fix: adjust comment to remove extra word

Co-authored-by: code-review-assist[bot] <182814678+code-review-assist[bot]@users.noreply.github.com>

* fix: lint issue

* updated test

* refactor cleanup code

* updated test

* fix lint issue

* update test case

---------

Co-authored-by: Jennifer Davis <[email protected]>
Co-authored-by: code-review-assist[bot] <182814678+code-review-assist[bot]@users.noreply.github.com>

security-center/snippets/management_api/createSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,99 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  Create security health analytics custom module
+ */
+function main(organizationId, customModuleDisplayName, locationId = 'global') {
+  // [START securitycenter_create_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+    protos,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  const EnablementState =
+    protos.google.cloud.securitycentermanagement.v1
+      .SecurityHealthAnalyticsCustomModule.EnablementState;
+
+  const Severity =
+    protos.google.cloud.securitycentermanagement.v1.CustomConfig.Severity;
+
+  /*
+   * Required. The name of the parent resource of security health analytics module
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]`
+   *    `folders/[folder_id]/locations/[location_id]`
+   *    `projects/[project_id]/locations/[location_id]`
+   */
+  const parent = `organizations/${organizationId}/locations/${locationId}`;
+
+  /*
+   * Required. Resource name of security health analytics module.
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   *    `folders/[folder_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   *    `projects/[project_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   */
+  const name = `organizations/${organizationId}/locations/${locationId}/securityHealthAnalyticsCustomModules/custom_module`;
+
+  // define the CEL expression here and this will scans for keys that have not been rotated in
+  // the last 30 days, change it according to your requirements
+  const expr = {
+    expression: `has(resource.rotationPeriod) && (resource.rotationPeriod > duration('2592000s'))`,
+  };
+
+  // define the resource selector
+  const resourceSelector = {
+    resourceTypes: ['cloudkms.googleapis.com/CryptoKey'],
+  };
+
+  // define the custom module configuration, update the severity, description,
+  // recommendation below
+  const customConfig = {
+    predicate: expr,
+    resourceSelector: resourceSelector,
+    severity: Severity.MEDIUM,
+    description: 'add your description here',
+    recommendation: 'add your recommendation here',
+  };
+
+  // define the security health analytics custom module configuration, update the
+  // EnablementState below
+  const securityHealthAnalyticsCustomModule = {
+    name: name,
+    displayName: customModuleDisplayName,
+    enablementState: EnablementState.ENABLED,
+    customConfig: customConfig,
+  };
+
+  async function createSecurityHealthAnalyticsCustomModule() {
+    const [response] = await client.createSecurityHealthAnalyticsCustomModule({
+      parent: parent,
+      securityHealthAnalyticsCustomModule: securityHealthAnalyticsCustomModule,
+    });
+    console.log(
+      'Security Health Analytics Custom Module creation succeeded: ',
+      response
+    );
+  }
+
+  createSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_create_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/management_api/getEffectiveSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,52 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  Retrieve an existing effective security health analytics custom module
+ */
+function main(organizationId, customModuleId, locationId = 'global') {
+  // [START securitycenter_get_effective_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  /*
+   * Required. Resource name of security health analytics module.
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]/effectiveSecurityHealthAnalyticsCustomModules/[custom_module]`
+   *    `folders/[folder_id]/locations/[location_id]/effectiveSecurityHealthAnalyticsCustomModules/[custom_module]`
+   *    `projects/[project_id]/locations/[location_id]/effectiveSecurityHealthAnalyticsCustomModules/[custom_module]`
+   */
+  const name = `organizations/${organizationId}/locations/${locationId}/effectiveSecurityHealthAnalyticsCustomModules/${customModuleId}`;
+
+  async function getEffectiveSecurityHealthAnalyticsCustomModule() {
+    const [response] =
+      await client.getEffectiveSecurityHealthAnalyticsCustomModule({
+        name: name,
+      });
+    console.log(
+      'Security Health Analytics Custom Module get effective succeeded: ',
+      response
+    );
+  }
+
+  getEffectiveSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_get_effective_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/management_api/getSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,51 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  Retrieve an existing security health analytics custom module
+ */
+function main(organizationId, customModuleId, locationId = 'global') {
+  // [START securitycenter_get_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  /*
+   * Required. Resource name of security health analytics module.
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   *    `folders/[folder_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   *    `projects/[project_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   */
+  const name = `organizations/${organizationId}/locations/${locationId}/securityHealthAnalyticsCustomModules/${customModuleId}`;
+
+  async function getSecurityHealthAnalyticsCustomModule() {
+    const [response] = await client.getSecurityHealthAnalyticsCustomModule({
+      name: name,
+    });
+    console.log(
+      'Security Health Analytics Custom Module get succeeded: ',
+      response
+    );
+  }
+
+  getSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_get_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/management_api/updateSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,69 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  Update an existing security health analytics custom module
+ */
+function main(organizationId, customModuleId, locationId = 'global') {
+  // [START securitycenter_update_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+    protos,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  const EnablementState =
+    protos.google.cloud.securitycentermanagement.v1
+      .SecurityHealthAnalyticsCustomModule.EnablementState;
+
+  /*
+   * Required. Resource name of security health analytics module.
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   *    `folders/[folder_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   *    `projects/[project_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   */
+  const name = `organizations/${organizationId}/locations/${locationId}/securityHealthAnalyticsCustomModules/${customModuleId}`;
+
+  // define the security health analytics custom module configuration, update the
+  // EnablementState below
+  const securityHealthAnalyticsCustomModule = {
+    name: name,
+    enablementState: EnablementState.DISABLED,
+  };
+
+  // Set the field mask to specify which properties should be updated.
+  const fieldMask = {
+    paths: ['enablement_state'],
+  };
+
+  async function updateSecurityHealthAnalyticsCustomModule() {
+    const [response] = await client.updateSecurityHealthAnalyticsCustomModule({
+      updateMask: fieldMask,
+      securityHealthAnalyticsCustomModule: securityHealthAnalyticsCustomModule,
+    });
+    console.log(
+      'Security Health Analytics Custom Module update succeeded: ',
+      response
+    );
+  }
+
+  updateSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_update_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));