cloudsecuritycompliace: replace organization with parent to support PLE (#17644) (#1342)

[upstream:fbe417ab7d4cc96c24d79137c2b492289a2f6f06]

Signed-off-by: Modular Magician <magic-modules@google.com>

Author: modular-magician

cloudsecuritycompliance_cloudcontrol_project_basic/backing_file.tf

@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+  name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+  length = 2
+}
+
+provider "google" {
+  region = "us-central1"
+  zone   = "us-central1-c"
+}

cloudsecuritycompliance_cloudcontrol_project_basic/main.tf

@@ -0,0 +1,151 @@
+data "google_project" "project" {}
+resource "google_cloud_security_compliance_cloud_control" "example" {
+  parent              = "projects/${data.google_project.project.number}"
+  location            = "global"
+  cloud_control_id    = "example-cloudcontrol-${local.name_suffix}"
+
+  display_name      = "TF test CloudControl Name"
+  description       = "A test cloud control for security compliance"
+  categories        = ["CC_CATEGORY_INFRASTRUCTURE"]
+  severity          = "HIGH"
+  finding_category  = "SECURITY_POLICY"
+  remediation_steps = "Review and update the security configuration according to best practices."
+  
+  supported_cloud_providers        = ["GCP"]
+  
+  rules {
+    description         = "Ensure compute instances have secure boot enabled"
+    rule_action_types   = ["RULE_ACTION_TYPE_DETECTIVE"]
+    
+    cel_expression {
+      expression = "resource.data.shieldedInstanceConfig.enableSecureBoot == true"
+      resource_types_values {
+        values = ["compute.googleapis.com/Instance"]
+      }
+    }
+  }
+
+  parameter_spec {
+    name         = "location"
+    display_name = "Resource Location"
+    description  = "The location where the resource should be deployed"
+    value_type   = "STRING"
+    is_required  = true
+    
+    default_value {
+      string_value = "us-central1"
+    }
+    
+    validation {
+      regexp_pattern {
+        pattern = "^[a-z]+-[a-z]+[0-9]$"
+      }
+    }
+  }
+
+  parameter_spec {
+    name         = "enable_secure_boot"
+    display_name = "Enable Secure Boot"
+    description  = "Whether to enable secure boot for instances"
+    value_type   = "BOOLEAN"
+    is_required  = true
+    
+    default_value {
+      bool_value = true
+    }
+    
+    substitution_rules {
+      attribute_substitution_rule {
+        attribute = "rules[0].cel_expression.expression"
+      }
+    }
+    
+    validation {
+      allowed_values {
+        values {
+          bool_value = true
+        }
+      }
+    }
+  }
+
+  parameter_spec {
+    name         = "max_instances"
+    display_name = "Maximum Instances"
+    description  = "Maximum number of instances allowed"
+    value_type   = "NUMBER"
+    is_required  = false
+    
+    default_value {
+      number_value = 10
+    }
+    
+    substitution_rules {
+      placeholder_substitution_rule {
+        attribute = "rules[0].description"
+      }
+    }
+    
+    validation {
+      int_range {
+        min = "1"
+        max = "100"
+      }
+    }
+  }
+
+  parameter_spec {
+    name         = "allowed_regions"
+    display_name = "Allowed Regions"
+    description  = "List of regions where resources can be deployed"
+    value_type   = "STRINGLIST"
+    is_required  = true
+    
+    default_value {
+      string_list_value {
+        values = ["us-central1", "us-east1", "us-west1"]
+      }
+    }
+    
+    validation {
+      allowed_values {
+        values {
+          string_list_value {
+            values = ["us-central1", "us-east1"]
+          }
+        }
+        values {
+          string_list_value {
+            values = ["us-west1", "us-west2"]
+          }
+        }
+      }
+    }
+  }
+
+  parameter_spec {
+    name         = "environment_type"
+    display_name = "Environment Type"
+    description  = "The type of environment"
+    value_type   = "STRING"
+    is_required  = true
+    
+    default_value {
+      string_value = "production"
+    }
+    
+    validation {
+      allowed_values {
+        values {
+          string_value = "production"
+        }
+        values {
+          string_value = "staging"
+        }
+        values {
+          number_value = 1
+        }
+      }
+    }
+  }
+}

cloudsecuritycompliance_cloudcontrol_project_basic/motd

@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===

cloudsecuritycompliance_cloudcontrol_project_basic/tutorial.md

@@ -0,0 +1,79 @@
+# Cloudsecuritycompliance Cloudcontrol Project Basic - Terraform
+
+## Setup
+
+<walkthrough-author name="rileykarson@google.com" analyticsId="UA-125550242-1" tutorialName="cloudsecuritycompliance_cloudcontrol_project_basic" repositoryUrl="https://github.com/terraform-google-modules/docs-examples"></walkthrough-author>
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+<walkthrough-project-billing-setup></walkthrough-project-billing-setup>
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```

cloudsecuritycompliance_framework_deployment_project_application_basic/backing_file.tf

@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+  name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+  length = 2
+}
+
+provider "google" {
+  region = "us-central1"
+  zone   = "us-central1-c"
+}

cloudsecuritycompliance_framework_deployment_project_application_basic/main.tf

@@ -0,0 +1,65 @@
+data "google_project" "project" {}
+
+# App Hub Application resource to act as the target
+resource "google_apphub_application" "application" {
+  location       = "us-central1"
+  application_id = "example-app-${local.name_suffix}"
+  scope {
+    type = "REGIONAL"
+  }
+}
+
+resource "google_cloud_security_compliance_framework" "example" {
+  parent       = "projects/${data.google_project.project.number}"
+  location     = "global"
+  framework_id = "example-framework-${local.name_suffix}"
+  
+  display_name = "Terraform Framework Name"
+  description  = "A Terraform description for the framework"
+  
+  cloud_control_details {
+    name              = "projects/${data.google_project.project.number}/locations/global/cloudControls/builtin-require-cmek-on-bigquery-datasets"
+    major_revision_id = "2"
+    
+    parameters {
+      name = "location"
+      parameter_value {
+        number_value = 1
+      }
+    }
+  }
+}
+
+resource "google_cloud_security_compliance_framework_deployment" "example" {
+  parent                  = "projects/${data.google_project.project.number}"
+  location                = "global"
+  framework_deployment_id = "example-deployment-${local.name_suffix}"
+  description             = "A framework deployment with project parent targeting an application"
+  
+  framework {
+    framework             = google_cloud_security_compliance_framework.example.name
+    major_revision_id     = "1"
+  }
+  
+  target_resource_config {
+    # Target the App Hub Application's fully qualified ID 
+    # e.g., projects/abc/locations/us-central1/applications/app-name
+    existing_target_resource = "projects/${data.google_project.project.number}/locations/us-central1/applications/${google_apphub_application.application.application_id}"
+  }
+  
+  cloud_control_metadata {
+    enforcement_mode = "DETECTIVE"
+    
+    cloud_control_details {
+      name              = "projects/${data.google_project.project.number}/locations/global/cloudControls/builtin-require-cmek-on-bigquery-datasets"
+      major_revision_id = "2"
+      
+      parameters {
+        name = "location"
+        parameter_value {
+          number_value = 1
+        }
+      }
+    }
+  }
+}

cloudsecuritycompliance_framework_deployment_project_application_basic/motd

@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===