feat(security-center): Adding SCC's BigQueryExport resource (#3847)

* feat(bigquery): Add Resource v2 API Big Query Samples

* Fix lint

* fix the failing test check by replacing the project

* Address Suggestions

* fix the test error

* fix the lint error

* Add dataset creation logic

* fix lint error

* Add cleanup for dataset

* Fix lint error

* Address suggestions

* add the missing word in console log

* Add comment variable for location

Author: vijaykanthm

security-center/snippets/package.json

@@ -20,6 +20,7 @@
     "c8": "^10.0.0",
     "chai": "^4.5.0",
     "mocha": "^10.4.0",
-    "uuid": "^10.0.0"
+    "uuid": "^10.0.0",
+    "@google-cloud/bigquery": "^7.0.0"
   }
 }

security-center/snippets/system-test/v2/bigQueryExport.test.js

@@ -0,0 +1,167 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const {SecurityCenterClient} = require('@google-cloud/security-center').v2;
+const {assert} = require('chai');
+const {execSync} = require('child_process');
+const exec = cmd => execSync(cmd, {encoding: 'utf8'});
+const {describe, it, before} = require('mocha');
+const {BigQuery} = require('@google-cloud/bigquery');
+
+const organizationId = process.env.GCLOUD_ORGANIZATION;
+const projectId = process.env.GOOGLE_SAMPLES_PROJECT;
+const location = 'global';
+const bigquery = new BigQuery();
+
+async function cleanupDatasets() {
+  const [datasets] = await bigquery.getDatasets();
+  for (const dataset of datasets) {
+    if (dataset.id.startsWith('securitycenter_')) {
+      console.log(`Deleting dataset: ${dataset.id}`);
+      await bigquery.dataset(dataset.id).delete({force: true});
+    }
+  }
+}
+
+async function cleanupBigQueryExports(client) {
+  const [exports] = await client.listBigQueryExports({
+    parent: client.organizationLocationPath(organizationId, location),
+  });
+  for (const exportData of exports) {
+    console.log(`Deleting BigQuery export: ${exportData.name}`);
+    await client.deleteBigQueryExport({name: exportData.name});
+  }
+}
+
+let dataset;
+
+async function createDataset() {
+  const randomSuffix = Math.floor(Date.now() / 1000);
+  const datasetId = `securitycenter_dataset_${randomSuffix}`;
+  const options = {
+    location: 'US',
+  };
+
+  try {
+    const [createdDataset] = await bigquery.createDataset(datasetId, options);
+    console.log(`Dataset ${createdDataset.id} created.`);
+    return createdDataset.id;
+  } catch (error) {
+    if (error.code === 409) {
+      // Dataset already exists - Fail the test instead of moving on
+      console.log(
+        `Dataset ${datasetId} already exists. Exiting to avoid conflict.`
+      );
+      throw new Error(`Dataset ${datasetId} already exists.`);
+    }
+    throw error;
+  }
+}
+
+describe('Client with bigquery export V2', async () => {
+  let data;
+  before(async () => {
+    // Creates a new client.
+    const client = new SecurityCenterClient();
+
+    // Clean up any existing datasets or BigQuery exports
+    await cleanupDatasets();
+    await cleanupBigQueryExports(client);
+
+    // Create a new dataset
+    const createdDataset = await createDataset();
+    dataset = `projects/${projectId}/datasets/${createdDataset}`;
+
+    // Build the create bigquery export request.
+    const bigQueryExportId =
+      'bigqueryexportid-' + Math.floor(Math.random() * 10000);
+    const filter = 'severity="LOW" OR severity="MEDIUM"';
+    const bigQueryExport = {
+      name: 'bigQueryExport node',
+      description:
+        'Export low and medium findings if the compute resource has an IAM anomalous grant',
+      filter: filter,
+      dataset: dataset,
+    };
+    const createBigQueryExportRequest = {
+      parent: client.organizationLocationPath(organizationId, location),
+      bigQueryExport,
+      bigQueryExportId,
+    };
+
+    try {
+      const response = await client.createBigQueryExport(
+        createBigQueryExportRequest
+      );
+      const bigQueryExportResponse = response[0];
+      data = {
+        orgId: organizationId,
+        bigQueryExportId: bigQueryExportId,
+        bigQueryExportName: bigQueryExportResponse.name,
+        untouchedbigQueryExportName: '',
+      };
+      console.log('Created BigQuery export %j', data);
+    } catch (error) {
+      console.error('Error creating BigQuery export:', error);
+    }
+  });
+
+  it('client can create bigquery export V2', done => {
+    const output = exec(
+      `node v2/createBigQueryExport.js ${data.orgId} ${dataset}`
+    );
+    assert(output.includes(data.orgId));
+    assert.match(output, /BigQuery export request created successfully/);
+    assert.notMatch(output, /undefined/);
+    done();
+  });
+
+  it('client can list all bigquery export V2', done => {
+    const output = exec(`node v2/listAllBigQueryExports.js ${data.orgId}`);
+    assert(output.includes(data.bigQueryExportName));
+    assert.match(output, /Sources/);
+    assert.notMatch(output, /undefined/);
+    done();
+  });
+
+  it('client can get a bigquery export V2', done => {
+    const output = exec(
+      `node v2/getBigQueryExport.js ${data.orgId} ${data.bigQueryExportId}`
+    );
+    assert(output.includes(data.bigQueryExportName));
+    assert.match(output, /Retrieved the BigQuery export/);
+    assert.notMatch(output, /undefined/);
+    done();
+  });
+
+  it('client can update a bigquery export V2', done => {
+    const output = exec(
+      `node v2/updateBigQueryExport.js ${data.orgId} ${data.bigQueryExportId} ${dataset}`
+    );
+    assert.match(output, /BigQueryExport updated successfully/);
+    assert.notMatch(output, /undefined/);
+    done();
+  });
+
+  it('client can delete a bigquery export V2', done => {
+    const output = exec(
+      `node v2/deleteBigQueryExport.js ${data.orgId} ${data.bigQueryExportId}`
+    );
+    assert.match(output, /BigQuery export request deleted successfully/);
+    assert.notMatch(output, /undefined/);
+    done();
+  });
+});

security-center/snippets/system-test/v2/notifications.test.js

@@ -41,7 +41,7 @@ describe('Client with Notifications v2', async () => {
 
   before(async () => {
     const configId = 'notif-config-test-node-create-' + uuidv1();
-    topicName = 'test_topic';
+    topicName = 'notifications-sample-topic';
     parent = `projects/${projectId}/locations/${location}`;
     pubsubTopic = `projects/${projectId}/topics/${topicName}`;
 

security-center/snippets/v2/createBigQueryExport.js

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+'use strict';
+
+/**
+ * Demonstrates how to create a new security finding in CSCC.
+ */
+function main(organizationId, dataset, location = 'global') {
+  // [START securitycenter_create_bigquery_export_v2]
+  // Imports the Google Cloud client library.
+  const {SecurityCenterClient} = require('@google-cloud/security-center').v2;
+
+  // Create a Security Center client
+  const client = new SecurityCenterClient();
+
+  /**
+   *  Required. The name of the parent resource of the new BigQuery export. Its
+   *  format is "organizations/[organization_id]/locations/[location_id]",
+   *  "folders/[folder_id]/locations/[location_id]", or
+   *  "projects/[project_id]/locations/[location_id]".
+   */
+  const parent = client.organizationLocationPath(organizationId, location);
+
+  /**
+   *  Required. The BigQuery export being created.
+   */
+  // filter: Expression that defines the filter to apply across create/update events of findings.
+  const filter = 'severity="LOW" OR severity="MEDIUM"';
+
+  const bigQueryExport = {
+    name: 'bigQueryExport node',
+    description:
+      'Export low and medium findings if the compute resource has an IAM anomalous grant',
+    filter,
+    dataset,
+  };
+
+  /**
+   *  Required. Unique identifier provided by the client within the parent scope.
+   *  It must consist of only lowercase letters, numbers, and hyphens, must start
+   *  with a letter, must end with either a letter or a number, and must be 63
+   *  characters or less.
+   */
+  const bigQueryExportId =
+    'bigqueryexportid-' + Math.floor(Math.random() * 10000);
+
+  // Build the request.
+  const createBigQueryExportRequest = {
+    parent,
+    bigQueryExport,
+    bigQueryExportId,
+  };
+
+  async function createBigQueryExport() {
+    // Call the API.
+    const [response] = await client.createBigQueryExport(
+      createBigQueryExportRequest
+    );
+    console.log(
+      `BigQuery export request created successfully: Name: ${response.name}, Dataset: ${response.dataset}, Description: ${response.description}`
+    );
+  }
+
+  createBigQueryExport();
+  // [END securitycenter_create_bigquery_export_v2]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/v2/deleteBigQueryExport.js

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+'use strict';
+
+/**
+ *  Delete an existing BigQuery export.
+ */
+function main(organizationId, exportId, location = 'global') {
+  // [START securitycenter_delete_bigquery_export_v2]
+  // Imports the Google Cloud client library.
+  const {SecurityCenterClient} = require('@google-cloud/security-center').v2;
+
+  // Creates a new client.
+  const client = new SecurityCenterClient();
+
+  // Build the full resource path for the BigQuery export to delete.
+  /*
+   * TODO(developer): Update the following references for your own environment before running the sample.
+   */
+  // const organizationId = 'YOUR_ORGANIZATION_ID';
+  // const exportId = 'EXPORT_ID';
+  const name = `organizations/${organizationId}/locations/${location}/bigQueryExports/${exportId}`;
+
+  // Build the request.
+  const deleteBigQueryExportRequest = {
+    name,
+  };
+
+  async function deleteBigQueryExport() {
+    // Call the API.
+    const [response] = await client.deleteBigQueryExport(
+      deleteBigQueryExportRequest
+    );
+    console.log('BigQuery export request deleted successfully: %j', response);
+  }
+
+  deleteBigQueryExport();
+  // [END securitycenter_delete_bigquery_export_v2]
+}
+
+main(...process.argv.slice(2));

security-center/snippets/v2/deleteSecurityMarks.js

@@ -36,6 +36,7 @@ function main(
    */
   // const organizationId = 'YOUR_ORGANIZATION_ID';
   // const sourceId = 'SOURCE_ID';
+  // const location = 'LOCATION_ID';
   const findingName = `organizations/${organizationId}/sources/${sourceId}/locations/${location}/findings/${findingId}`;
 
   // Construct the request to be sent by the client.

security-center/snippets/v2/getBigQueryExport.js

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+'use strict';
+
+/**
+ *  Retrieve an existing BigQuery export.
+ */
+function main(organizationId, exportId, location = 'global') {
+  // [START securitycenter_get_bigquery_export_v2]
+  // Imports the Google Cloud client library.
+  const {SecurityCenterClient} = require('@google-cloud/security-center').v2;
+
+  // Creates a new client.
+  const client = new SecurityCenterClient();
+
+  // Build the full resource path for the BigQuery export to retrieve.
+  /*
+   * TODO(developer): Update the following references for your own environment before running the sample.
+   */
+  // const organizationId = 'YOUR_ORGANIZATION_ID';
+  // const exportId = 'EXPORT_ID';
+  // const location = 'LOCATION_ID';
+  const name = `organizations/${organizationId}/locations/${location}/bigQueryExports/${exportId}`;
+
+  // Build the request.
+  const getBigQueryExportRequest = {
+    name,
+  };
+
+  async function getBigQueryExport() {
+    // Call the API.
+    const [response] = await client.getBigQueryExport(getBigQueryExportRequest);
+    console.log('Retrieved the BigQuery export: %j', response);
+  }
+
+  getBigQueryExport();
+  // [END securitycenter_get_bigquery_export_v2]
+}
+
+main(...process.argv.slice(2));