157 changes: 115 additions & 42 deletions ibm_catalog.json
Expand Up @@ -9,22 +9,27 @@
"support_ibm",
"target_terraform",
"security",
"ibm_created"
"logging_monitoring",
"ibm_created",
"terraform"
],
"keywords": [
"kms",
"scc",
"secrets manager",
"security-compliance-center",
"keyprotect",
"IaC",
"infrastructure as code",
"security and compliance center",
"security and compliance center workload protection",
"terraform",
"solution",
"secrets",
"key protect",
"compliance"
"compliance",
"cspm",
"cloud security posture management",
"config aggregator",
"app config"
],
"short_description": "Deploy core security and other supporting services to get set up to manage the security compliance of the resources in your account.",
"long_description": "Get IBM Cloud’s suite of core security services with a single deployment enabling you to securely manage keys and secrets and run security and compliance scans so that you always know the posture of the resources in your account. You can also take advantage of an event notification routing service that notifies you to critical events that occur in your IBM Cloud account and observability services that provide enterprise-grade monitoring and logging giving you operational visibility into the performance and health of your apps, services, and infrastructure.",
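Review bot: the keywords block still carries "scc", "security-compliance-center" and "security and compliance center" even though this change removes the Security and Compliance Center instance from the solution (see the features and outputs hunks further down); either drop them or keep them deliberately as search aliases for users coming from the SCC-based 2.x release, and say which in the PR description. The long_description also still promises to "run security and compliance scans"; after this change that is delivered only by Workload Protection CSPM over the Configuration Aggregator data, so consider naming that there so users know what is actually provisioned.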
Expand All @@ -42,12 +47,12 @@
"description": "Creates and configures an IBM Secrets Manager instance."
},
{
"title": "Creates an IBM Security and Compliance Center instance",
"description": "Creates and configures an IBM Security Compliance Center instance."
"title": "Creates an App Configuration instance",
"description": "Creates and configures an IBM Cloud App Configuration instance with the config aggregator feature enabled."
},
{
"title": "Creates an Security and Compliance Center Workload Protection instance",
"description": "Creates and configures an Security and Compliance Center Workload Protection instance."
"description": "Creates and configures an Security and Compliance Center Workload Protection instance with Cloud Security Posture Management (CSPM) enabled."
},
{
"title": "Creates an IBM Cloud Object Storage instance",
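Review bot: grammar in the added Workload Protection description: "Creates and configures an Security and Compliance Center Workload Protection instance with ..." should read "a Security and Compliance Center Workload Protection instance"; the unchanged title line just above has the same "an Security" slip and could be fixed in the same change.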
Expand Down Expand Up @@ -97,7 +102,15 @@
]
},
{
"service_name": "compliance",
"service_name": "sysdig-secure",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Operator",
"crn:v1:bluemix:public:iam::::role:Editor"
]
},
{
"service_name": "apprapp",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Operator",
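Review bot: both new IAM entries (`sysdig-secure` and the `apprapp` block that starts here) request serviceRole Manager plus the Operator and Editor platform roles for the deploying identity; since these become the minimum access the catalog asks a user to hold before running the solution, confirm each role is actually needed to create and configure the instance (Manager on the service plus Editor on the platform is a broad set for a one-time provisioning step) and drop any that is not, so the deployable architecture follows least privilege for the deployer.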
Expand Down Expand Up @@ -128,12 +141,12 @@
"description": "Create, lease, and centrally manage secrets that are used in your apps and services using IBM Secrets Manager instance."
},
{
"title": "Optionally configure an IBM Cloud Secrets Manager IAM credentials engine to an IBM Cloud Secrets Manager instance",
"description": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Cloud Secrets Manager instance."
"title": "Configures an IBM Cloud Secrets Manager IAM credentials engine to an IBM Cloud Secrets Manager instance",
"description": "Configures an IBM Secrets Manager IAM credentials engine to an IBM Cloud Secrets Manager instance."
},
{
"title": "Creates an IBM Cloud Security and Compliance Center instance",
"description": "Manage your continuous compliance monitoring needs using IBM Security Compliance Center instance."
"title": "Creates an IBM Cloud App Configuration instance with Configuration Aggregator",
"description": "Facilitate a Cloud Governance SME with up-to-date configuration data of IBM Cloud resources in one place so that comprehensive information is available for goverance and compliance initiatives."
},
{
"title": "Creates a IBM Cloud Security and Compliance Center Workload Protection instance",
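Review bot: typo in the new App Configuration feature description, "goverance" should be "governance". The IAM credentials engine lines read awkwardly: "Configures an IBM Secrets Manager IAM credentials engine to an IBM Cloud Secrets Manager instance" is clearer as "on an ... instance", and the title has the same preposition. Also, dropping "Optionally" from both lines presents the engine as always configured; confirm that matches the solution's behaviour, given that `skip_iam_authorization_policy` is still an input below.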
Expand All @@ -160,7 +173,6 @@
{
"key": "prefix",
"type": "string",
"default_value": "",
"description": "The prefix to add to all resources created by this solution. Used to make sure that names are unique when you deploy the solution more than one time. This should start with a lower case letter and not include '--' or end in '-'.",
"required": true
},
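Review bot: removing the empty `default_value` for `prefix` is the right call for a required input, but the naming constraints in its description (must start with a lower-case letter, no "--", no trailing "-") are only prose here; make sure a validation rule enforces them on the variable, otherwise a bad prefix fails late inside the deployment with a resource-naming error instead of at form validation.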
Expand All @@ -171,26 +183,46 @@
"description": "The region where the resources are created.",
"required": true,
"options": [
{
"displayname": "us-south",
"value": "us-south"
},
{
"displayname": "eu-de",
"value": "eu-de"
},
{
"displayname": "eu-es",
"value": "eu-es"
}
{
"displayname": "Osaka (jp-osa)",
"value": "jp-osa"
},
{
"displayname": "Tokyo (jp-tok)",
"value": "jp-tok"
},
{
"displayname": "Frankfurt (eu-de)",
"value": "eu-de"
},
{
"displayname": "London (eu-gb)",
"value": "eu-gb"
},
{
"displayname": "Madrid (eu-es)",
"value": "eu-es"
},
{
"displayname": "Dallas (us-south)",
"value": "us-south"
},
{
"displayname": "Toronto (ca-tor)",
"value": "ca-tor"
},
{
"displayname": "Sao Paulo (br-sao)",
"value": "br-sao"
}
]
},
{
"display_name": "resource_group",
"key": "existing_resource_group_name",
"type": "string",
"default_value": "Default",
"description": "The name of an existing resource group to provision all resources to.",
"display_name": "Existing resource group name",
"required": true,
"custom_config": {
"type": "resource_group",
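Review bot: the region list grows from three entries (us-south, eu-de, eu-es) to eight and now leads with jp-osa; confirm that every newly added region (jp-osa, jp-tok, eu-gb, ca-tor, br-sao) is one where all services this solution provisions are available, in particular Workload Protection with CSPM and App Configuration, otherwise a user selecting it gets a provisioning failure rather than a form-time rejection. If the variable's default (not shown in this hunk) is still us-south, consider keeping that option first so the preselected value matches what the form shows at the top.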
Expand Down Expand Up @@ -223,13 +255,15 @@
"required": false
},
{
"display_name": "event_notifications_email_list",
"key": "en_email_list",
"type": "array",
"default_value": [],
"description": "List of emails to configure event notifications.",
"required": false
},
{
"display_name": "existing_event_notifications_instance_crn",
"key": "existing_en_instance_crn",
"type": "string",
"default_value": "__NULL__",
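Review bot: this hunk drops the `display_name` from `en_email_list` and `existing_en_instance_crn`, so the catalog form falls back to the raw keys, while the resource group input above gained a readable "Existing resource group name"; be consistent and give these two human-readable display names (for example "Event Notifications email list" and "Existing Event Notifications instance CRN") rather than removing them.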
Expand All @@ -244,46 +278,89 @@
"required": false
},
{
"display_name": "secrets_manager_service_plan",
"key": "sm_service_plan",
"type": "string",
"default_value": "standard",
"description": "The pricing plan to use for IBM Cloud Secrets Manager. Not used if `existing_secrets_manager_crn` is specified.",
"required": false,
"options": [
{
"displayname": "standard",
"displayname": "Standard",
"value": "standard"
},
{
"displayname": "trial",
"displayname": "Trial",
"value": "trial"
}
]
},
{
"display_name": "disable_secrets_manager_iam_credentials_engine",
"key": "skip_iam_authorization_policy",
"display_name": "Disable Secrets Manager IAM credentials engine auth policy creation?",
"type": "boolean",
"default_value": false,
"description": "Whether to skip the creation of the IAM authorization policies required to enable the Secrets Manager IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service.",
"required": false
},
{
"key": "scc_service_plan",
"key": "app_config_service_plan",
"type": "string",
"default_value": "security-compliance-center-standard-plan",
"description": "The pricing plan to use for the IBM Cloud Security and Compliance Center.",
"default_value": "basic",
"description": "The pricing plan to use for the IBM Cloud App Configuration instance.",
"required": false,
"options": [
{
"displayname": "standard",
"value": "security-compliance-center-standard-plan"
"displayname": "Basic",
"value": "basic"
},
{
"displayname": "Standard",
"value": "standardv2"
},
{
"displayname": "trial",
"value": "security-compliance-center-trial-plan"
"displayname": "Enterprise",
"value": "enterprise"
}
]
},
{
"key": "scc_workload_protection_service_plan",
"type": "string",
"default_value": "graduated-tier",
"description": "The pricing plan to use for the IBM Cloud Security and Compliance Center Workload Protection instance.",
"required": false,
"options": [
{
"displayname": "Graduated Tier",
"value": "graduated-tier"
},
{
"displayname": "Free Trial",
"value": "free-trial"
}
]
},
{
"key": "enterprise_id",
"type": "string",
"default_value": "__NULL__",
"description": "If the account is an enterprise account and you want to scan sub-accounts for compliance, this value should be set to the enterprise ID (this is different to the account ID).",
"required": false
},
{
"key": "enterprise_account_group_ids_to_assign",
"type": "array",
"default_value": ["all"],
"description": "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned for compliance. Supports passing the string 'all' in the list to assign to all account groups. Only applies if a value is being passed for `enterprise_id`.",
"required": false
},
{
"key": "enterprise_account_ids_to_assign",
"type": "array",
"default_value": ["all"],
"description": "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if a value is being passed for `enterprise_id`.",
"required": false
}
],
"outputs": [
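Review bot: `enterprise_account_group_ids_to_assign` and `enterprise_account_ids_to_assign` both default to `["all"]`, so the moment a user sets `enterprise_id` the trusted profile template is assigned to every account group and every account in the enterprise; that is the widest possible scope for a default. Either default to an empty list so the scope is an explicit opt-in, or state plainly in the `enterprise_id` description that leaving the two lists unchanged enrols the whole enterprise. Smaller points in the same hunk: "policies will be created that grants" should be "grant", "different to the account ID" should be "different from", and for `app_config_service_plan` confirm that the "basic" default actually supports the Configuration Aggregator feature the solution relies on, since the description does not say.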
Expand All @@ -296,8 +373,8 @@
"description": "The CRN of the Secrets Manager instance."
},
{
"key": "scc_crn",
"description": "The CRN of the Security and Compliance Center instance."
"key": "app_config_crn",
"description": "The CRN of the App Configuration instance."
},
{
"key": "monitoring_crn",
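Review bot: replacing the `scc_crn` output with `app_config_crn` removes an output that downstream stacks may reference; the bump to 3.0.0 in reference-architecture-css.md signals the break, but make sure the removed output and its replacement are called out wherever the offering documents migration from 2.x.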
Expand All @@ -311,10 +388,6 @@
"key": "en_crn",
"description": "The CRN of the Event Notifications instance."
},
{
"key": "log_analysis_crn",
"description": "The CRN of the provisioned Log Analysis instance."
},
{
"key": "cloud_logs_crn",
"description": "The CRN of the provisioned Cloud Logs instance."
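Review bot: dropping `log_analysis_crn` is a second breaking output removal in this PR (alongside `scc_crn` above); list both in the 3.0.0 migration notes and point consumers at `cloud_logs_crn`, which this hunk keeps, as the replacement.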
17 changes: 7 additions & 10 deletions reference-architectures/reference-architecture-css.md
Expand Up @@ -11,7 +11,7 @@ authors:
email: [email protected]

# The release that the reference architecture describes
version: 2.1.0
version: 3.0.0

# Use if the reference architecture has deployable code.
# Value is the URL to land the user in the IBM Cloud catalog details page for the deployable architecture.
Expand Down Expand Up @@ -52,7 +52,7 @@ https://test.cloud.ibm.com/docs/solution-as-code?topic=solution-as-code-naming-g
# IBM Cloud Essential Security and Observability Services
{: #core-security-services-pattern}
{: toc-content-type="reference-architecture"}
{: toc-version="2.1.0"}
{: toc-version="3.0.0"}

<!--
The IDs, such as {: #title-id} are required for publishing this reference architecture in IBM Cloud Docs. Set unique IDs for each heading. Also include
Expand All @@ -67,8 +67,6 @@ Here’s a brief overview of each service:

{{site.data.keyword.secrets-manager_short}}: This service helps in securely storing and managing sensitive information such as API keys, credentials, and certificates. By centralizing secret management, it reduces the risk of exposure and simplifies the process of accessing and rotating secrets, thereby enhancing the security posture.

{{site.data.keyword.compliance_short}}: This platform offers a comprehensive suite of tools to assess, monitor, and maintain the security and compliance of your cloud environment. It provides insights and controls to help organizations meet regulatory requirements, adhere to best practices, and protect against threats.

{{site.data.keyword.sysdigsecure_full_notm}}: This service offers features to protect workloads, get deep cloud and container visibility, posture management (compliance, benchmarks, CIEM), vulnerability scanning, forensics, and threat detection and blocking.

This reference architecture showcases how these services form a foundational security layer that enhances data protection, simplifies compliance, and strengthens overall cloud security for any workload in {{site.data.keyword.cloud_notm}}.
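Review bot: with the Security and Compliance Center paragraph removed, the service overview goes straight from Secrets Manager to Workload Protection and never introduces App Configuration, even though the catalog change in this PR now provisions an App Configuration instance with Configuration Aggregator as the data source for CSPM; add a short paragraph for it here so every provisioned service in "Here's a brief overview of each service" is covered.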
Expand All @@ -90,9 +88,9 @@ The architecture is anchored by three fundamental services: {{site.data.keyword.

{{site.data.keyword.secrets-manager_short}} securely stores and manages sensitive information, including API keys, credentials, and certificates. It uses encryption keys from {{site.data.keyword.keymanagementserviceshort}} to encrypt sensitive data and to seal and unseal vaults that hold the secrets. It is preconfigured to send events to the {{site.data.keyword.en_short}} service, allowing customers to set up email or SMS notifications. Moreover, it is automatically configured to forward all API logs to the customer's logging instance.

3. {{site.data.keyword.compliance_short}}
3. {{site.data.keyword.sysdigsecure_full_notm}}

The Security Compliance Center instance is preconfigured to scan all resources provisioned by the reference architecture. It can be expanded to include {{site.data.keyword.sysdigsecure_full_notm}} to accomodate the unique workloads of customers.
The {{site.data.keyword.sysdigsecure_full_notm}} instance is pre-configured with Cloud Security Posture Management (CSPM) enabled using the Configuration Aggregator features from the App Configuration instance that is also provisioned as part of this solution.

{{site.data.keyword.cos_full_notm}} buckets are set up to receive logs from logging and alerting services. Each bucket is configured to encrypt data at rest by using encryption keys managed by {{site.data.keyword.keymanagementserviceshort}}.

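Review bot: the replaced sentence no longer states what the posture scans cover; the old text said the instance "is preconfigured to scan all resources provisioned by the reference architecture", so say whether CSPM over the Configuration Aggregator covers the same set (or the whole account) to keep the scope explicit for readers. Minor: "pre-configured" here versus "preconfigured" two paragraphs up; pick one spelling.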
Expand Down Expand Up @@ -128,14 +126,13 @@ The following table outlines the products or services used in the architecture f
| Aspects | Architecture components | How the component is used |
| -------------- | -------------- | -------------- |
| Storage | [{{site.data.keyword.cos_full_notm}}](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-about-cloud-object-storage) | Web app static content, backups, logs (application, operational, and audit logs) |
| Networking | [Virtual Private Endpoint (VPE)](https://cloud.ibm.com/docs/vpc?topic=vpc-about-vpe) | For private network access to {{site.data.keyword.cloud_notm}} services, for example, {{site.data.keyword.keymanagementserviceshort}}, {{site.data.keyword.keymanagementserviceshort}}, {{site.data.keyword.compliance_short}}. |
| Networking | [Virtual Private Endpoint (VPE)](https://cloud.ibm.com/docs/vpc?topic=vpc-about-vpe) | For private network access to {{site.data.keyword.cloud_notm}} services, for example, {{site.data.keyword.keymanagementserviceshort}} and {{site.data.keyword.secrets-manager_short}}. |
| Security | [IAM](https://cloud.ibm.com/docs/account?topic=account-cloudaccess) | {{site.data.keyword.iamshort}} |
| | [{{site.data.keyword.keymanagementserviceshort}}](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about) | A full-service encryption solution that allows data to be secured and stored in {{site.data.keyword.cloud_notm}} |
| | [{{site.data.keyword.secrets-manager_short}}](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-getting-started#getting-started) | Certificate and Secrets Management |
| | [{{site.data.keyword.compliance_short}}](https://cloud.ibm.com/docs/security-compliance?topic=security-compliance-getting-started) | Implement controls for secure data and workload deployments, and assess security and compliance posture |
| | [{{site.data.keyword.sysdigsecure_full_notm}}](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started) | |
| | [{{site.data.keyword.sysdigsecure_full_notm}}](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started) | Implement controls for secure data and workload deployments, and assess security and compliance posture |
| Service Management | [{{site.data.keyword.monitoringlong_notm}}](https://cloud.ibm.com/docs/monitoring?topic=monitoring-about-monitor) | Apps and operational monitoring |
| | [{{site.data.keyword.loganalysislong_notm}}](https://cloud.ibm.com/docs/log-analysis?topic=log-analysis-getting-started) | Apps and operational logs |
| | [{{site.data.keyword.logslong_notm}}](https://cloud.ibm.com/docs/log-analysis?topic=log-analysis-getting-started) | Apps and operational logs |
| | [{{site.data.keyword.atracker_short}}](https://cloud.ibm.com/docs/atracker?topic=atracker-getting-started) | Audit logs |
{: caption="Table 2. Components" caption-side="bottom"}

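Review bot: the new Cloud Logs row still links to the Log Analysis documentation (`https://cloud.ibm.com/docs/log-analysis?topic=log-analysis-getting-started`), which was carried over from the removed row; it should point at the Cloud Logs getting-started page. The table also has no row for App Configuration with Configuration Aggregator, although it is now a provisioned component and the input to the CSPM feature described above; add it under Security (or Service Management) alongside Workload Protection.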