Google Security Command Center (SCC) Notification Config

This page shows how to write Terraform for Security Command Center (SCC) Notification Config and write them securely.

google_scc_notification_config (Terraform)

The Notification Config in Security Command Center (SCC) can be configured in Terraform with the resource name google_scc_notification_config. The following sections describe 1 example of how to use the resource and its parameters.

Example Usage from GitHub
resource "google_scc_notification_config" "scc_notification_config" {
  config_id    = var.scc_notification_name
  organization = var.org_id
  description  = "SCC Notification for all active findings"
  pubsub_topic =

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


The following arguments are supported:

  • pubsub_topic - (Required) The Pub/Sub topic to send notifications to. Its format is "projects/[project_id]/topics/[topic]".

  • streaming_config - (Required) The config for triggering streaming-based notifications. Structure is documented below.

  • organization - (Required) The organization whose Cloud Security Command Center the Notification Config lives in.

  • config_id - (Required) This must be unique within the organization.

The streaming_config block supports:

  • filter - (Required) Expression that defines the filter to apply across create/update events of assets or findings as specified by the event type. The expression is a list of zero or more restrictions combined via logical operators AND and OR. Parentheses are supported, and OR has higher precedence than AND. Restrictions have the form <field> <operator> <value> and may have a - character in front of them to indicate negation. The fields map to those defined in the corresponding resource. The supported operators are:
    • = for all value types.
    • >, <, >=, <= for integer values.
    • :, meaning substring matching, for strings. The supported value types are:
    • string literals in quotes.
    • integer literals without quotes.
    • boolean literals true and false without quotes. See Filtering notifications for information on how to write a filter.

  • description - (Optional) The description of the notification config (max of 1024 characters).

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format [[name]]

  • name - The resource name of this notification config, in the format organizations/[[organization]]/notificationConfigs/[[config_id]].

  • service_account - The service account that needs "pubsub.topics.publish" permission to publish to the Pub/Sub topic.

Explanation in Terraform Registry

A Cloud Security Command Center (Cloud SCC) notification configs. A notification config is a Cloud SCC resource that contains the configuration to send notifications for create/update events of findings, assets and etc.

Note: In order to use Cloud SCC resources, your organization must be enrolled in SCC Standard/Premium. Without doing so, you may run into errors during resource creation. To get more information about NotificationConfig, see:

Frequently asked questions

What is Google Security Command Center (SCC) Notification Config?

Google Security Command Center (SCC) Notification Config is a resource for Security Command Center (SCC) of Google Cloud Platform. Settings can be wrote in Terraform.

Where can I find the example code for the Google Security Command Center (SCC) Notification Config?

For Terraform, the terraform-google-modules/terraform-example-foundation source code example is useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.