GoogleCloudPlatform · simonebruzzechesse · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/blueprints/secops-instance/README.md b/blueprints/secops-instance/README.md
@@ -259,7 +259,7 @@ This blueprint allows further tailoring of the SecOps instance to match specific
 | [casestages.tf](./casestages.tf) | None |  | <code>restful_resource</code> |
 | [closedefinition.tf](./closedefinition.tf) | None |  | <code>restful_resource</code> |
 | [environments.tf](./environments.tf) | None |  | <code>restful_resource</code> |
-| [feeds.tf](./feeds.tf) | None |  | <code>restful_operation</code> · <code>restful_resource</code> |
+| [feeds.tf](./feeds.tf) | None | <code>secops-feeds</code> | <code>restful_operation</code> |
 | [logtypes.tf](./logtypes.tf) | None |  | <code>restful_resource</code> |
 | [main.tf](./main.tf) | Project and IAM. | <code>project</code> | <code>google_apikeys_key</code> |
 | [monitoring.tf](./monitoring.tf) | Cloud Monitoring. |  | <code>google_monitoring_alert_policy</code> · <code>google_monitoring_notification_channel</code> |
@@ -269,7 +269,7 @@ This blueprint allows further tailoring of the SecOps instance to match specific
 | [secrets.tf](./secrets.tf) | None | <code>secret-manager</code> |  |
 | [variables.tf](./variables.tf) | Module variables. |  |  |
 | [versions.tf](./versions.tf) | Version pins. |  |  |
-| [workspace.tf](./workspace.tf) | None | <code>iam-service-account</code> | <code>google_service_account_key</code> · <code>restful_resource</code> |
+| [workspace.tf](./workspace.tf) | None | <code>iam-service-account</code> · <code>secops-feeds</code> | <code>google_service_account_key</code> |
 
 ## Variables
 
@@ -288,8 +288,8 @@ This blueprint allows further tailoring of the SecOps instance to match specific
 | [secops_envs](variables.tf#L151) | A map of SecOps environments to provision. Optional fields fall back to these built-in defaults if omitted. | <code title="map&#40;object&#40;&#123;&#10;  display_name       &#61; string&#10;  description        &#61; string&#10;  aliases            &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  contact            &#61; string&#10;  contact_email      &#61; string&#10;  contact_phone      &#61; string&#10;  retention_duration &#61; number&#10;  instance_uri       &#61; optional&#40;string, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [secops_group_principals](variables.tf#L166) | Groups ID in IdP assigned to SecOps admins, editors, viewers roles. | <code title="object&#40;&#123;&#10;  admins  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  editors &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  viewers &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [secops_iam](variables.tf#L176) | SecOps IAM configuration in {PRINCIPAL => {roles => [ROLES], scopes => [SCOPES]}} format. | <code title="map&#40;object&#40;&#123;&#10;  roles  &#61; list&#40;string&#41;&#10;  scopes &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [third_party_integration_config](variables.tf#L194) | SecOps Feeds configuration for Workspace logs and entities ingestion. | <code title="object&#40;&#123;&#10;  azure_ad &#61; optional&#40;object&#40;&#123;&#10;    oauth_credentials &#61; object&#40;&#123;&#10;      client_id     &#61; string&#10;      client_secret &#61; string&#10;    &#125;&#41;&#10;    retrieve_devices &#61; optional&#40;bool, true&#41;&#10;    retrieve_groups  &#61; optional&#40;bool, true&#41;&#10;    tenant_id        &#61; string&#10;  &#125;&#41;&#41;&#10;  okta &#61; optional&#40;object&#40;&#123;&#10;    auth_header_key_values     &#61; map&#40;string&#41;&#10;    hostname                   &#61; string&#10;    manager_id_reference_field &#61; string&#10;  &#125;&#41;&#41;&#10;  workspace &#61; optional&#40;object&#40;&#123;&#10;    customer_id    &#61; string&#10;    delegated_user &#61; string&#10;    applications &#61; optional&#40;list&#40;string&#41;, &#91;&#34;access_transparency&#34;, &#34;admin&#34;, &#34;calendar&#34;, &#34;chat&#34;, &#34;drive&#34;, &#34;gcp&#34;,&#10;      &#34;gplus&#34;, &#34;groups&#34;, &#34;groups_enterprise&#34;, &#34;jamboard&#34;, &#34;login&#34;, &#34;meet&#34;, &#34;mobile&#34;, &#34;rules&#34;, &#34;saml&#34;, &#34;token&#34;,&#10;      &#34;user_accounts&#34;, &#34;context_aware_access&#34;, &#34;chrome&#34;, &#34;data_studio&#34;, &#34;keep&#34;,&#10;    &#93;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [webhook_feeds_config](variables.tf#L223) | SecOps Webhook feeds config. | <code title="map&#40;object&#40;&#123;&#10;  display_name &#61; optional&#40;string&#41;&#10;  log_type     &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [third_party_integration_config](variables.tf#L194) | SecOps Feeds configuration for Workspace logs and entities ingestion. | <code title="object&#40;&#123;&#10;  azure_ad &#61; optional&#40;object&#40;&#123;&#10;    secret_manager_config &#61; optional&#40;object&#40;&#123;&#10;      region      &#61; string&#10;      secret_name &#61; string&#10;      version     &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    oauth_credentials &#61; object&#40;&#123;&#10;      client_id     &#61; string&#10;      client_secret &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#10;    retrieve_devices &#61; optional&#40;bool, true&#41;&#10;    retrieve_groups  &#61; optional&#40;bool, true&#41;&#10;    tenant_id        &#61; string&#10;  &#125;&#41;&#41;&#10;  okta &#61; optional&#40;object&#40;&#123;&#10;    api_key                    &#61; string&#10;    hostname                   &#61; string&#10;    manager_id_reference_field &#61; string&#10;    secret_manager_config &#61; optional&#40;object&#40;&#123;&#10;      region      &#61; string&#10;      secret_name &#61; string&#10;      version     &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  workspace &#61; optional&#40;object&#40;&#123;&#10;    customer_id    &#61; string&#10;    delegated_user &#61; string&#10;    applications &#61; optional&#40;list&#40;string&#41;, &#91;&#34;access_transparency&#34;, &#34;admin&#34;, &#34;calendar&#34;, &#34;chat&#34;, &#34;drive&#34;, &#34;gcp&#34;,&#10;      &#34;gplus&#34;, &#34;groups&#34;, &#34;groups_enterprise&#34;, &#34;jamboard&#34;, &#34;login&#34;, &#34;meet&#34;, &#34;mobile&#34;, &#34;rules&#34;, &#34;saml&#34;, &#34;token&#34;,&#10;      &#34;user_accounts&#34;, &#34;context_aware_access&#34;, &#34;chrome&#34;, &#34;data_studio&#34;, &#34;keep&#34;,&#10;    &#93;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [webhook_feeds_config](variables.tf#L233) | SecOps Webhook feeds config. | <code title="map&#40;object&#40;&#123;&#10;  display_name    &#61; optional&#40;string&#41;&#10;  log_type        &#61; string&#10;  split_delimiter &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 
 ## Outputs
 

diff --git a/blueprints/secops-instance/feeds.tf b/blueprints/secops-instance/feeds.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,134 +14,119 @@
  * limitations under the License.
  */
 
-locals {
-  azure_ad_feeds = {
-    azure-ad = {
-      log_type  = "AZURE_AD"
-      feed_type = "azure_ad_settings"
-      hostname  = "graph.microsoft.com/v1.0/auditLogs/signIns"
-    }
-    azure-ad-audit = {
-      log_type  = "AZURE_AD_AUDIT"
-      feed_type = "azure_ad_audit_settings"
-      hostname  = "graph.microsoft.com/v1.0/auditLogs/directoryAudits"
-    }
-    azure-ad-context = {
-      log_type  = "AZURE_AD_CONTEXT"
-      feed_type = "azure_ad_context_settings"
-      hostname  = "graph.microsoft.com/beta"
-    }
-  }
-  okta_feeds = {
-    okta = {
-      log_type  = "OKTA"
-      feed_type = "okta_settings"
+module "webhook_feeds" {
+  source = "../../modules/secops-feeds"
+  secops_config = merge(var.secops_tenant_config, {
+    project = module.project.project_id
+  })
+  feeds = { for key, value in var.webhook_feeds_config : key => {
+    display_name = value.display_name
+    log_type     = value.log_type
+    https_push_webhook_settings = {
+      split_delimiter = value.split_delimiter
     }
-    okta-user-context = {
-      log_type  = "OKTA_USER_CONTEXT"
-      feed_type = "okta_user_context_settings"
-    }
-  }
-  secops_webhook_feeds_id = {
-    for key, value in restful_resource.webhook_feeds : key =>
-    [for feed in value.output.feeds : element(split("/", feed.name), length(split("/", feed.name)) - 1)
-    if try(feed.displayName == lower(key), false)][0]
-  }
-}
-
-resource "restful_resource" "webhook_feeds" {
-  for_each        = var.webhook_feeds_config
-  path            = local.secops_feeds_api_path
-  create_method   = "POST"
-  delete_method   = "DELETE"
-  check_existance = false
-  delete_path     = "$query_unescape(body.name)"
-  read_selector   = "feeds.#(displayName==\"${lower(each.key)}\")"
-  body = {
-    name : lower(each.key),
-    display_name : coalesce(each.value.display_name, lower(each.key)),
-    details : {
-      feed_source_type : "HTTPS_PUSH_WEBHOOK",
-      log_type : "projects/${module.project.project_id}/locations/${var.secops_tenant_config.region}/instances/${var.secops_tenant_config.customer_id}/logTypes/${each.key}",
-      httpsPushWebhookSettings : {}
-    }
-  }
-  write_only_attrs = ["details"]
-  lifecycle {
-    ignore_changes = [body, output]
-  }
+  } }
 }
 
 resource "restful_operation" "webhook_feeds_secret" {
   for_each = var.webhook_feeds_config
-  path     = "${local.secops_feeds_api_path}/${local.secops_webhook_feeds_id[each.key]}:generateSecret"
+  path     = "${local.secops_feeds_api_path}/${module.webhook_feeds.feeds_id[each.key]}:generateSecret"
   method   = "POST"
 }
 
 # Azure AD feeds
-
-resource "restful_resource" "azure_ad_feeds" {
-  for_each        = var.third_party_integration_config.azure_ad == null ? {} : local.azure_ad_feeds
-  path            = local.secops_feeds_api_path
-  create_method   = "POST"
-  delete_method   = "DELETE"
-  check_existance = false
-  delete_path     = "$query_unescape(body.name)"
-  read_selector   = "feeds.#(displayName==\"${lower(each.key)}\")"
-  body = {
-    "name" : lower(each.key),
-    "display_name" : lower(each.key),
-    "details" : {
-      feed_source_type : "API",
-      log_type : "projects/${module.project.project_id}/locations/${var.secops_tenant_config.region}/instances/${var.secops_tenant_config.customer_id}/logTypes/${each.value.log_type}",
-      (each.value.feed_type) : merge({
-        authentication : {
-          client_id : var.third_party_integration_config.azure_ad.oauth_credentials.client_id,
-          client_secret : var.third_party_integration_config.azure_ad.oauth_credentials.client_secret,
-        },
-        hostname : each.value.hostname,
-        auth_endpoint : "login.microsoftonline.com",
-        tenant_id : var.third_party_integration_config.azure_ad.tenant_id,
-        }, each.key == "azure-ad-context" ? {
-        retrieve_groups : var.third_party_integration_config.azure_ad.retrieve_groups
-        retrieve_devices : var.third_party_integration_config.azure_ad.retrieve_devices
-      } : {})
+module "azure_ad_feeds" {
+  count  = var.third_party_integration_config.azure_ad == null ? 0 : 1
+  source = "../../modules/secops-feeds"
+  secops_config = merge(var.secops_tenant_config, {
+    project = module.project.project_id
+  })
+  feeds = {
+    azure-ad = {
+      display_name          = "Azure AD",
+      secret_manager_config = var.third_party_integration_config.azure_ad.secret_manager_config,
+      azure_ad_settings = {
+        auth_endpoint = "login.microsoftonline.com",
+        hostname      = "graph.microsoft.com/v1.0/auditLogs/signIns",
+        tenant_id     = var.third_party_integration_config.azure_ad.tenant_id,
+        authentication = {
+          client_id     = var.third_party_integration_config.azure_ad.oauth_credentials.client_id
+          client_secret = var.third_party_integration_config.azure_ad.oauth_credentials.client_secret
+        }
+      }
+      log_type = "AZURE_AD"
+    }
+    azure-ad-audit = {
+      display_name          = "Azure AD Audit",
+      secret_manager_config = var.third_party_integration_config.azure_ad.secret_manager_config,
+      azure_ad_audit_settings = {
+        auth_endpoint = "login.microsoftonline.com",
+        hostname      = "graph.microsoft.com/v1.0/auditLogs/directoryAudits",
+        tenant_id     = var.third_party_integration_config.azure_ad.tenant_id,
+        authentication = {
+          client_id     = var.third_party_integration_config.azure_ad.oauth_credentials.client_id
+          client_secret = var.third_party_integration_config.azure_ad.oauth_credentials.client_secret
+        }
+      }
+      log_type = "AZURE_AD_AUDIT"
+    }
+    azure-ad-context = {
+      display_name          = "Azure AD Context",
+      secret_manager_config = var.third_party_integration_config.azure_ad.secret_manager_config,
+      azure_ad_context_settings = {
+        auth_endpoint = "login.microsoftonline.com",
+        hostname      = "graph.microsoft.com/beta",
+        tenant_id     = var.third_party_integration_config.azure_ad.tenant_id,
+        authentication = {
+          client_id     = var.third_party_integration_config.azure_ad.oauth_credentials.client_id
+          client_secret = var.third_party_integration_config.azure_ad.oauth_credentials.client_secret
+        }
+      }
+      log_type = "AZURE_AD_CONTEXT"
     }
-  }
-  write_only_attrs = ["details"]
-  lifecycle {
-    ignore_changes = [body, output]
   }
 }
 
-# Okta feeds
-
-resource "restful_resource" "okta_ad_feeds" {
-  for_each        = var.third_party_integration_config.okta == null ? {} : local.okta_feeds
-  path            = local.secops_feeds_api_path
-  create_method   = "POST"
-  delete_method   = "DELETE"
-  check_existance = false
-  delete_path     = "$query_unescape(body.name)"
-  read_selector   = "feeds.#(displayName==\"${lower(each.key)}\")"
-  body = {
-    "name" : lower(each.key),
-    "display_name" : lower(each.key),
-    "details" : {
-      "feed_source_type" : "API",
-      "log_type" : "projects/${module.project.project_id}/locations/${var.secops_tenant_config.region}/instances/${var.secops_tenant_config.customer_id}/logTypes/${each.value.log_type}",
-      (each.value.feed_type) : merge({
-        "authentication" : {
-          "header_key_values" : [for k, v in var.third_party_integration_config.okta.auth_header_key_values : { key = k, value = v }]
+# Okta Feeds
+module "okta_feeds" {
+  count  = var.third_party_integration_config.okta == null ? 0 : 1
+  source = "../../modules/secops-feeds"
+  secops_config = merge(var.secops_tenant_config, {
+    project = module.project.project_id
+  })
+  feeds = {
+    okta = {
+      display_name          = "Okta",
+      secret_manager_config = var.third_party_integration_config.okta.secret_manager_config,
+      okta_settings = {
+        authentication = {
+          header_key_values = [
+            {
+              key   = "Authorization"
+              value = var.third_party_integration_config.okta.api_key
+            }
+          ]
         },
-        "hostname" : var.third_party_integration_config.okta.hostname
-        }, each.key == "okta-user-context" ? {
-        "manager_id_reference_field" : var.third_party_integration_config.okta.manager_id_reference_field
-      } : {})
+        hostname = var.third_party_integration_config.okta.hostname
+      }
+      log_type = "OKTA"
+    }
+    okta-user-context = {
+      display_name          = "Okta User Context",
+      secret_manager_config = var.third_party_integration_config.okta.secret_manager_config,
+      okta_user_context_settings = {
+        authentication = {
+          header_key_values = [
+            {
+              key   = "Authorization"
+              value = var.third_party_integration_config.okta.api_key
+            }
+          ]
+        },
+        hostname                   = var.third_party_integration_config.okta.hostname,
+        manager_id_reference_field = var.third_party_integration_config.okta.manager_id_reference_field
+      }
+      log_type = "OKTA_USER_CONTEXT"
     }
   }
-  write_only_attrs = ["details"]
-  lifecycle {
-    ignore_changes = [body, output]
-  }
-}
+}
diff --git a/blueprints/secops-instance/variables.tf b/blueprints/secops-instance/variables.tf
@@ -195,18 +195,28 @@ variable "third_party_integration_config" {
   description = "SecOps Feeds configuration for Workspace logs and entities ingestion."
   type = object({
     azure_ad = optional(object({
+      secret_manager_config = optional(object({
+        region      = string
+        secret_name = string
+        version     = optional(string)
+      }))
       oauth_credentials = object({
         client_id     = string
-        client_secret = string
+        client_secret = optional(string)
       })
       retrieve_devices = optional(bool, true)
       retrieve_groups  = optional(bool, true)
       tenant_id        = string
     }))
     okta = optional(object({
-      auth_header_key_values     = map(string)
+      api_key                    = string
       hostname                   = string
       manager_id_reference_field = string
+      secret_manager_config = optional(object({
+        region      = string
+        secret_name = string
+        version     = optional(string)
+      }))
     }))
     workspace = optional(object({
       customer_id    = string
@@ -223,8 +233,9 @@ variable "third_party_integration_config" {
 variable "webhook_feeds_config" {
   description = "SecOps Webhook feeds config."
   type = map(object({
-    display_name = optional(string)
-    log_type     = string
+    display_name    = optional(string)
+    log_type        = string
+    split_delimiter = optional(string)
   }))
   default  = {}
   nullable = false