diff --git a/cloudsecuritycompliance_cloudcontrol_project_basic/backing_file.tf b/cloudsecuritycompliance_cloudcontrol_project_basic/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/cloudsecuritycompliance_cloudcontrol_project_basic/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/cloudsecuritycompliance_cloudcontrol_project_basic/main.tf b/cloudsecuritycompliance_cloudcontrol_project_basic/main.tf
new file mode 100644
index 00000000..3b6a1684
--- /dev/null
+++ b/cloudsecuritycompliance_cloudcontrol_project_basic/main.tf
@@ -0,0 +1,151 @@
+data "google_project" "project" {}
+resource "google_cloud_security_compliance_cloud_control" "example" {
+ parent = "projects/${data.google_project.project.number}"
+ location = "global"
+ cloud_control_id = "example-cloudcontrol-${local.name_suffix}"
+
+ display_name = "TF test CloudControl Name"
+ description = "A test cloud control for security compliance"
+ categories = ["CC_CATEGORY_INFRASTRUCTURE"]
+ severity = "HIGH"
+ finding_category = "SECURITY_POLICY"
+ remediation_steps = "Review and update the security configuration according to best practices."
+
+ supported_cloud_providers = ["GCP"]
+
+ rules {
+ description = "Ensure compute instances have secure boot enabled"
+ rule_action_types = ["RULE_ACTION_TYPE_DETECTIVE"]
+
+ cel_expression {
+ expression = "resource.data.shieldedInstanceConfig.enableSecureBoot == true"
+ resource_types_values {
+ values = ["compute.googleapis.com/Instance"]
+ }
+ }
+ }
+
+ parameter_spec {
+ name = "location"
+ display_name = "Resource Location"
+ description = "The location where the resource should be deployed"
+ value_type = "STRING"
+ is_required = true
+
+ default_value {
+ string_value = "us-central1"
+ }
+
+ validation {
+ regexp_pattern {
+ pattern = "^[a-z]+-[a-z]+[0-9]$"
+ }
+ }
+ }
+
+ parameter_spec {
+ name = "enable_secure_boot"
+ display_name = "Enable Secure Boot"
+ description = "Whether to enable secure boot for instances"
+ value_type = "BOOLEAN"
+ is_required = true
+
+ default_value {
+ bool_value = true
+ }
+
+ substitution_rules {
+ attribute_substitution_rule {
+ attribute = "rules[0].cel_expression.expression"
+ }
+ }
+
+ validation {
+ allowed_values {
+ values {
+ bool_value = true
+ }
+ }
+ }
+ }
+
+ parameter_spec {
+ name = "max_instances"
+ display_name = "Maximum Instances"
+ description = "Maximum number of instances allowed"
+ value_type = "NUMBER"
+ is_required = false
+
+ default_value {
+ number_value = 10
+ }
+
+ substitution_rules {
+ placeholder_substitution_rule {
+ attribute = "rules[0].description"
+ }
+ }
+
+ validation {
+ int_range {
+ min = "1"
+ max = "100"
+ }
+ }
+ }
+
+ parameter_spec {
+ name = "allowed_regions"
+ display_name = "Allowed Regions"
+ description = "List of regions where resources can be deployed"
+ value_type = "STRINGLIST"
+ is_required = true
+
+ default_value {
+ string_list_value {
+ values = ["us-central1", "us-east1", "us-west1"]
+ }
+ }
+
+ validation {
+ allowed_values {
+ values {
+ string_list_value {
+ values = ["us-central1", "us-east1"]
+ }
+ }
+ values {
+ string_list_value {
+ values = ["us-west1", "us-west2"]
+ }
+ }
+ }
+ }
+ }
+
+ parameter_spec {
+ name = "environment_type"
+ display_name = "Environment Type"
+ description = "The type of environment"
+ value_type = "STRING"
+ is_required = true
+
+ default_value {
+ string_value = "production"
+ }
+
+ validation {
+ allowed_values {
+ values {
+ string_value = "production"
+ }
+ values {
+ string_value = "staging"
+ }
+ values {
+ number_value = 1
+ }
+ }
+ }
+ }
+}
diff --git a/cloudsecuritycompliance_cloudcontrol_project_basic/motd b/cloudsecuritycompliance_cloudcontrol_project_basic/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/cloudsecuritycompliance_cloudcontrol_project_basic/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/cloudsecuritycompliance_cloudcontrol_project_basic/tutorial.md b/cloudsecuritycompliance_cloudcontrol_project_basic/tutorial.md
new file mode 100644
index 00000000..185ba53c
--- /dev/null
+++ b/cloudsecuritycompliance_cloudcontrol_project_basic/tutorial.md
@@ -0,0 +1,79 @@
+# Cloudsecuritycompliance Cloudcontrol Project Basic - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/cloudsecuritycompliance_framework_deployment_project_application_basic/backing_file.tf b/cloudsecuritycompliance_framework_deployment_project_application_basic/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/cloudsecuritycompliance_framework_deployment_project_application_basic/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/cloudsecuritycompliance_framework_deployment_project_application_basic/main.tf b/cloudsecuritycompliance_framework_deployment_project_application_basic/main.tf
new file mode 100644
index 00000000..a68e3908
--- /dev/null
+++ b/cloudsecuritycompliance_framework_deployment_project_application_basic/main.tf
@@ -0,0 +1,65 @@
+data "google_project" "project" {}
+
+# App Hub Application resource to act as the target
+resource "google_apphub_application" "application" {
+ location = "us-central1"
+ application_id = "example-app-${local.name_suffix}"
+ scope {
+ type = "REGIONAL"
+ }
+}
+
+resource "google_cloud_security_compliance_framework" "example" {
+ parent = "projects/${data.google_project.project.number}"
+ location = "global"
+ framework_id = "example-framework-${local.name_suffix}"
+
+ display_name = "Terraform Framework Name"
+ description = "A Terraform description for the framework"
+
+ cloud_control_details {
+ name = "projects/${data.google_project.project.number}/locations/global/cloudControls/builtin-require-cmek-on-bigquery-datasets"
+ major_revision_id = "2"
+
+ parameters {
+ name = "location"
+ parameter_value {
+ number_value = 1
+ }
+ }
+ }
+}
+
+resource "google_cloud_security_compliance_framework_deployment" "example" {
+ parent = "projects/${data.google_project.project.number}"
+ location = "global"
+ framework_deployment_id = "example-deployment-${local.name_suffix}"
+ description = "A framework deployment with project parent targeting an application"
+
+ framework {
+ framework = google_cloud_security_compliance_framework.example.name
+ major_revision_id = "1"
+ }
+
+ target_resource_config {
+ # Target the App Hub Application's fully qualified ID
+ # e.g., projects/abc/locations/us-central1/applications/app-name
+ existing_target_resource = "projects/${data.google_project.project.number}/locations/us-central1/applications/${google_apphub_application.application.application_id}"
+ }
+
+ cloud_control_metadata {
+ enforcement_mode = "DETECTIVE"
+
+ cloud_control_details {
+ name = "projects/${data.google_project.project.number}/locations/global/cloudControls/builtin-require-cmek-on-bigquery-datasets"
+ major_revision_id = "2"
+
+ parameters {
+ name = "location"
+ parameter_value {
+ number_value = 1
+ }
+ }
+ }
+ }
+}
diff --git a/cloudsecuritycompliance_framework_deployment_project_application_basic/motd b/cloudsecuritycompliance_framework_deployment_project_application_basic/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/cloudsecuritycompliance_framework_deployment_project_application_basic/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/cloudsecuritycompliance_framework_deployment_project_application_basic/tutorial.md b/cloudsecuritycompliance_framework_deployment_project_application_basic/tutorial.md
new file mode 100644
index 00000000..f51fc528
--- /dev/null
+++ b/cloudsecuritycompliance_framework_deployment_project_application_basic/tutorial.md
@@ -0,0 +1,79 @@
+# Cloudsecuritycompliance Framework Deployment Project Application Basic - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```