feat(securitycenter): Add Resource SCC Management API Org SHA Custom … (

#3978)

* feat(securitycenter): Add Resource SCC Management API Org SHA Custom Modules

* update test case

---------

Co-authored-by: Katie McLaughlin <[email protected]>

security-center/snippets/management_api/deleteSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,51 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  Delete the security health analytics custom module
+ */
+function main(organizationId, customModuleId, locationId = 'global') {
+  // [START securitycenter_delete_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  /*
+   * Required. Resource name of security health analytics module.
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   *    `folders/[folder_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   *    `projects/[project_id]/locations/[location_id]/securityHealthAnalyticsCustomModules/[custom_module]`
+   */
+  const name = `organizations/${organizationId}/locations/${locationId}/securityHealthAnalyticsCustomModules/${customModuleId}`;
+
+  async function deleteSecurityHealthAnalyticsCustomModule() {
+    const [response] = await client.deleteSecurityHealthAnalyticsCustomModule({
+      name: name,
+    });
+    console.log(
+      'Security Health Analytics Custom Module delete succeeded: ',
+      response
+    );
+  }
+
+  deleteSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_delete_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/management_api/listDescendantSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,52 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  List all descendant security health analytics custom module under a given parent resource
+ */
+function main(organizationId, locationId = 'global') {
+  // [START securitycenter_list_descendant_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  /*
+   * Required. The name of the parent resource of security health analytics module
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]`
+   *    `folders/[folder_id]/locations/[location_id]`
+   *    `projects/[project_id]/locations/[location_id]`
+   */
+  const parent = `organizations/${organizationId}/locations/${locationId}`;
+
+  async function listDescendantSecurityHealthAnalyticsCustomModule() {
+    const [response] =
+      await client.listDescendantSecurityHealthAnalyticsCustomModules({
+        parent: parent,
+      });
+    console.log(
+      'Security Health Analytics Custom Module list descendant succeeded: ',
+      response
+    );
+  }
+
+  listDescendantSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_list_descendant_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/management_api/listEffectiveSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,52 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  List all effective security health analytics custom module under a given parent resource
+ */
+function main(organizationId, locationId = 'global') {
+  // [START securitycenter_list_effective_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  /*
+   * Required. The name of the parent resource of security health analytics module
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]`
+   *    `folders/[folder_id]/locations/[location_id]`
+   *    `projects/[project_id]/locations/[location_id]`
+   */
+  const parent = `organizations/${organizationId}/locations/${locationId}`;
+
+  async function listEffectiveSecurityHealthAnalyticsCustomModule() {
+    const [response] =
+      await client.listEffectiveSecurityHealthAnalyticsCustomModules({
+        parent: parent,
+      });
+    console.log(
+      'Security Health Analytics Custom Module list effective succeeded: ',
+      response
+    );
+  }
+
+  listEffectiveSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_list_effective_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/management_api/listSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,51 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  List all security health analytics custom module under a given parent resource
+ */
+function main(organizationId, locationId = 'global') {
+  // [START securitycenter_list_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  /*
+   * Required. The name of the parent resource of security health analytics module
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]`
+   *    `folders/[folder_id]/locations/[location_id]`
+   *    `projects/[project_id]/locations/[location_id]`
+   */
+  const parent = `organizations/${organizationId}/locations/${locationId}`;
+
+  async function listSecurityHealthAnalyticsCustomModule() {
+    const [response] = await client.listSecurityHealthAnalyticsCustomModules({
+      parent: parent,
+    });
+    console.log(
+      'Security Health Analytics Custom Module list succeeded: ',
+      response
+    );
+  }
+
+  listSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_list_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/management_api/simulateSecurityHealthAnalyticsCustomModule.js

@@ -0,0 +1,105 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+/**
+ *  Simulate security health analytics custom module
+ */
+function main(organizationId, locationId = 'global') {
+  // [START securitycenter_simulate_security_health_analytics_custom_module]
+  // npm install '@google-cloud/securitycentermanagement'
+  const {
+    SecurityCenterManagementClient,
+    protos,
+  } = require('@google-cloud/securitycentermanagement');
+
+  const client = new SecurityCenterManagementClient();
+
+  const Severity =
+    protos.google.cloud.securitycentermanagement.v1.CustomConfig.Severity;
+
+  /*
+   * Required. The name of the parent resource of security health analytics module
+   *     Its format is
+   *    `organizations/[organization_id]/locations/[location_id]`
+   *    `folders/[folder_id]/locations/[location_id]`
+   *    `projects/[project_id]/locations/[location_id]`
+   */
+  const parent = `organizations/${organizationId}/locations/${locationId}`;
+
+  // define the CEL expression here and this will scans for keys that have not been rotated in
+  // the last 30 days, change it according to the your requirements
+  const expr = {
+    expression: `has(resource.rotationPeriod) && (resource.rotationPeriod > duration('2592000s'))`,
+  };
+
+  // define the resource selector
+  const resourceSelector = {
+    resourceTypes: ['cloudkms.googleapis.com/CryptoKey'],
+  };
+
+  // define the custom module configuration, update the severity, description,
+  // recommendation below
+  const customConfig = {
+    predicate: expr,
+    resourceSelector: resourceSelector,
+    severity: Severity.MEDIUM,
+    description: 'add your description here',
+    recommendation: 'add your recommendation here',
+  };
+
+  // define the simulated resource data
+  const resourceData = {
+    fields: {
+      resourceId: {stringValue: 'test-resource-id'},
+      name: {stringValue: 'test-resource-name'},
+    },
+  };
+
+  // define the policy
+  const policy = {
+    bindings: [
+      {
+        role: 'roles/owner',
+        members: ['user:[email protected]'],
+      },
+    ],
+  };
+
+  // replace with the correct resource type
+  const simulatedResource = {
+    resourceType: 'cloudkms.googleapis.com/CryptoKey',
+    resourceData: resourceData,
+    iamPolicyData: policy,
+  };
+
+  async function simulateSecurityHealthAnalyticsCustomModule() {
+    const [response] = await client.simulateSecurityHealthAnalyticsCustomModule(
+      {
+        parent: parent,
+        customConfig: customConfig,
+        resource: simulatedResource,
+      }
+    );
+    console.log(
+      'Security Health Analytics Custom Module simulate succeeded: ',
+      response
+    );
+  }
+
+  simulateSecurityHealthAnalyticsCustomModule();
+  // [END securitycenter_simulate_security_health_analytics_custom_module]
+}
+
+main(...process.argv.slice(2));