scc_notification_config: This API is no longer available. Please use API V2. #17893

Open
daniel-cit opened this issue Apr 17, 2024 · 6 comments


daniel-cit commented Apr 17, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version

Terraform v1.3.10
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v4.84.0
  • provider registry.terraform.io/hashicorp/google-beta v4.84.0

Affected Resource(s)

  • google_scc_notification_config
  • google_scc_source

Terraform Configuration

variable "org_id" {
  type = string
}

variable "project_id" {
  type = string
}

resource "google_pubsub_topic" "scc_notification_topic" {
  name    = "top-scc-notification"
  project = var.project_id
}

resource "google_pubsub_subscription" "scc_notification_subscription" {
  name    = "sub-scc-notification"
  topic   = google_pubsub_topic.scc_notification_topic.name
  project = var.project_id
}

resource "google_scc_notification_config" "scc_notification_config" {
  config_id    = "test_api_v1_v2"
  organization = var.org_id
  description  = "SCC Notification for all active findings"
  pubsub_topic = google_pubsub_topic.scc_notification_topic.id

  streaming_config {
    filter = "state = \"ACTIVE\""
  }
}

Debug Output

No response

Expected Behavior

SCC Notification config created

Actual Behavior

Error: Error creating NotificationConfig: googleapi: Error 400: This API is no longer available. Please use API V2.

Steps to reproduce

  1. Enable Security Command Center for the first time in an organization
  2. terraform apply

Important Factoids

In an organization that has already had Security Command Center enabled for some time:

  • the terraform configuration is able to create the SCC notification config.
  • gcloud is able to create the SCC notification config.

In an organization where Security Command Center has just been enabled

References

terraform-google-modules/terraform-example-foundation#1189

b/335841742

@daniel-cit daniel-cit added the bug label Apr 17, 2024
@github-actions github-actions bot added forward/review In review; remove label to forward service/securitycenter labels Apr 17, 2024
ggtisc commented Apr 18, 2024

Hi @daniel-cit!

The linked reference was checked and, as you reported, this scenario was replicated from scratch with the shared steps to reproduce and with the provided Terraform version 1.3.10. At the end of the process the result was successful and without errors. I recommend that you check your org tier as this link suggests, because google_scc_notification_config is only available for the Standard and Premium tiers, and finally, among other provider configurations, you should add this:

provider "google" {
  user_project_override = true
  billing_project = "yourprojectname"
}

@ggtisc ggtisc self-assigned this Apr 18, 2024
@daniel-cit
Author

> Hi @daniel-cit!
>
> The linked reference was checked and, as you reported, this scenario was replicated from scratch with the shared steps to reproduce and with the provided Terraform version 1.3.10. At the end of the process the result was successful and without errors. I recommend that you check your org tier as this link suggests, because google_scc_notification_config is only available for the Standard and Premium tiers, and finally, among other provider configurations, you should add this:
>
> provider "google" {
>   user_project_override = true
>   billing_project = "yourprojectname"
> }

Hi @ggtisc thanks for the response.

As stated in this comment and in this comment, Security Command Center has been enabled in the organizations.

In the first case SCC Premium has been enabled in the organization, and in the second one SCC Standard has been enabled in the organization. These are different organizations, and SCC had not been enabled before.

In both cases the resource google_scc_notification_config fails to create the SCC Notification config.

As stated in a following comment for the second case, it is only possible to create the notification config using the gcloud command with the new option --location=global, which, when used, replaces the service endpoint used by gcloud from the V1 API to the V2 API.

If we try to replace the service endpoint in the provider using

provider "google" {
  security_center_custom_endpoint = "https://securitycenter.googleapis.com/v2/"
}

we get this error:

The requested URL <code>/v2/organizations/REDACTED/notificationConfigs?alt=json&amp;configId=test_api_v1_v2</code> was not found on this server.  <ins>That’s all we know.</ins>

This is because the resource is trying to use the parent from V1, "organizations/[organization_id]", in V2.

The parent from V2 is "organizations/[organization_id]/locations/[locationId]".

The terraform resource does not have a location parameter that we could use.
For the gcloud CLI, the --location flag was added in release 466.0.0 (2024-02-27).

The Terraform resource should be able to do the same check that the gcloud CLI is doing.
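
The parent mismatch described in the comment above, as an added example that is not part of the issue thread, the provider, or gcloud: it classifies a notificationConfigs request URL by parent form and rewrites the V1-style parent into the V2 located form. The function names are hypothetical, the host is the custom endpoint quoted above, and the default location `global` is taken from the `--location=global` flag mentioned above.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# V1 parent: organizations/[organization_id]
# V2 parent: organizations/[organization_id]/locations/[locationId]
_V1_PARENT = re.compile(
    r"^/(v1|v2)/organizations/([^/]+)/notificationConfigs(/[^/]+)?$")
_V2_PARENT = re.compile(
    r"^/v2/organizations/([^/]+)/locations/([^/]+)/notificationConfigs(/[^/]+)?$")


def classify(url: str) -> str:
    """Return 'v2-located', 'v1-parent-on-v1', 'v1-parent-on-v2' or 'unknown'."""
    path = urlsplit(url).path
    if _V2_PARENT.match(path):
        return "v2-located"
    m = _V1_PARENT.match(path)
    if m:
        # group(1) is the API version segment the V1-style parent was sent to.
        return "v1-parent-on-" + m.group(1)
    return "unknown"


def to_v2(url: str, location: str = "global") -> str:
    """Insert locations/<location> into a V1-style parent; keep the query string."""
    parts = urlsplit(url)
    if _V2_PARENT.match(parts.path):
        return url  # already in the V2 located form
    m = _V1_PARENT.match(parts.path)
    if not m:
        raise ValueError(f"not a notificationConfigs path: {parts.path}")
    org, tail = m.group(2), m.group(3) or ""
    path = f"/v2/organizations/{org}/locations/{location}/notificationConfigs{tail}"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


# Request path from the 404 quoted above (organization id redacted there),
# joined to the custom endpoint host from the provider block.
FAILING = ("https://securitycenter.googleapis.com/v2/organizations/REDACTED/"
           "notificationConfigs?alt=json&configId=test_api_v1_v2")

if __name__ == "__main__":
    print(classify(FAILING))  # V1 parent sent to the V2 endpoint
    print(to_v2(FAILING))     # same request with the V2 located parent
```
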


roaks3 commented Apr 19, 2024

FYI that this was also raised internally with b/335437367. We may also want to ultimately forward this issue as well, to highlight the Terraform issue specifically.


ggtisc commented Apr 19, 2024

It was successful for me, but forwarding to the service team to clarify.

@ggtisc ggtisc removed the forward/review In review; remove label to forward label Apr 19, 2024
@petri-o-ojala

Any progress on this?


roaks3 commented Jul 2, 2024

The service team is looking at this, with no specific timeline that I can see.

Note that:
