Provision Security Command Center resources with Terraform

HashiCorp Terraform is an infrastructure-as-code (IaC) tool that lets you provision and manage cloud infrastructure. Terraform provides plugins called providers that let you interact with cloud providers and other APIs. You can use the Terraform provider for Google Cloud to provision and manage Google Cloud resources, including Security Command Center.

This page introduces you to using Terraform with Security Command Center, including an introduction to how Terraform works and some resources to help you get started using Terraform with Google Cloud. You'll also find links to Terraform reference docs for Security Command Center, code examples, and guides for using Terraform to provision Security Command Center resources.

For instructions on how to get started with Terraform for Google Cloud, see Install and configure Terraform or the Terraform for Google Cloud quickstart.

How Terraform works

Terraform has a declarative and configuration-oriented syntax, which you can use to describe the infrastructure that you want to provision in your Google Cloud project. After you author this configuration in one or more Terraform configuration files, you can use the Terraform CLI to apply this configuration to your Security Command Center resources.

The following steps explain how Terraform works:

1. You describe the infrastructure you want to provision in a Terraform configuration file. You don't need to write code describing how to provision the infrastructure. Terraform provisions the infrastructure for you.
2. You run the terraform plan command, which evaluates your configuration and generates an execution plan. You can review the plan and make changes as needed.

3. You run the terraform apply command, which performs the following actions:

   1. It provisions your infrastructure based on your execution plan by invoking the corresponding Security Command Center APIs in the background.
   2. It creates a Terraform state file, which is a JSON file that maps the resources in your configuration file to the resources in the real-world infrastructure. Terraform uses this file to keep a record of the most recent state of your infrastructure, and to determine when to create, update, and destroy resources.

   3. When you run terraform apply, Terraform uses the mapping in the state file to compare the existing infrastructure to the code, and make updates as necessary:

      • If a resource object is defined in the configuration file, but doesn't exist in the state file, Terraform creates it.
      • If a resource object exists in the state file, but has a different configuration from your configuration file, Terraform updates the resource to match your configuration file.
      • If a resource object in the state file matches your configuration file, Terraform leaves the resource unchanged.

Terraform resources for Security Command Center

Resources are the fundamental elements in the Terraform language. Each resource block describes one or more infrastructure objects, such as virtual networks or compute instances.

The following table lists the Terraform resources available for Security Command Center:

Service	Terraform resources	Data sources
Security Command Center (SCC) v2 API	google_scc_v2_folder_mute_config google_scc_v2_folder_notification_config google_scc_v2_folder_scc_big_query_export google_scc_v2_organization_mute_config google_scc_v2_organization_notification_config google_scc_v2_organization_scc_big_query_export google_scc_v2_organization_scc_big_query_exports google_scc_v2_organization_source google_scc_v2_organization_source_iam google_scc_v2_project_mute_config google_scc_v2_project_notification_config google_scc_v2_project_scc_big_query_export	google_scc_v2_organization_source_iam_policy
Security Command Center (SCC) [v1 API]	google_scc_event_threat_detection_custom_module google_scc_folder_custom_module google_scc_folder_notification_config google_scc_folder_scc_big_query_export google_scc_mute_config google_scc_notification_config google_scc_organization_custom_module google_scc_organization_scc_big_query_export google_scc_project_custom_module google_scc_project_notification_config google_scc_project_scc_big_query_export google_scc_source google_scc_source_iam	google_scc_source_iam_policy
Security Command Center Management (SCC)	google_scc_management_folder_security_health_analytics_custom_module google_scc_management_organization_event_threat_detection_custom_module google_scc_management_organization_security_health_analytics_custom_module google_scc_management_project_security_health_analytics_custom_module
Security Posture	google_securityposture_posture google_securityposture_posture_deployment
Cloud Security Scanner [Web Security Scanner]	google_security_scanner_scan_config

Terraform modules and blueprints for Security Command Center

Modules and blueprints help you automate provisioning and managing of Google Cloud resources at scale. A module is a reusable set of Terraform configuration files that creates a logical abstraction of Terraform resources. A blueprint is a package of deployable and reusable modules, and a policy that implements and documents a specific solution.

The following table lists modules and blueprints related to Security Command Center:

Module or blueprint	Details
iam	Manages multiple IAM roles for resources on Google Cloud
org-policy	Manages Google Cloud organization policies

What's next

• Terraform code samples for Security Command Center
• Terraform on Google Cloud documentation
• Google Cloud provider documentation in HashiCorp
• Infrastructure as code for Google Cloud