From 56cb9a2ee4088a0865f28eeef2044386acdddc9a Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Thu, 5 Jun 2025 11:38:01 +0100 Subject: [PATCH 1/5] Migrate to SCC Workload Protect --- README.md | 2 +- ibm_catalog.json | 221 ++++++++++++++++++++++- solutions/basic/stack_definition.json | 191 ++++++++++++-------- solutions/standard/stack_definition.json | 191 ++++++++++++-------- 4 files changed, 450 insertions(+), 155 deletions(-) diff --git a/README.md b/README.md index 0e30eb1e..2e3ec253 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ This architecture can help you achieve the following goals: - Establish trust: The architecture configures the IBM Cloud account to align with the compliance settings that are defined in the [IBM Cloud for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-about) framework, and the [AI Security Guardrails 2.0](https://cloud.ibm.com/docs/security-compliance?topic=security-compliance-ai-security-change-log) profile. - Ensure observability: The architecture provides observability by deploying services such as IBM Log Analysis, IBM Monitoring, IBM Activity Tracker, and log retention through IBM Cloud Object Storage buckets. - Implement security: The architecture deploys instances of IBM Key Protect and IBM Secrets Manager. -- Achieve regulatory compliance: The architecture implements CI, CD, and CC pipelines along with IBM Security Compliance Center (SCC) for secure application lifecycle management. +- Achieve regulatory compliance: The architecture implements CI, CD, and CC pipelines along with IBM Security Compliance Center Workload Protection for secure application lifecycle management. ## Before you begin diff --git a/ibm_catalog.json b/ibm_catalog.json index 245d559b..8696e25c 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json 
@@ -5,7 +5,9 @@
 "name": "Retrieval_Augmented_Generation_Pattern",
 "product_kind": "solution",
 "tags": [
+ "solution",
 "watson",
+ "security",
 "banking",
 "ibm_created"
 ],
@@ -25,7 +27,10 @@ "secure", "secret manager", "key protect", - "scc" + "security and compliance center workload protection", + "cspm", + "config aggregator", + "app config" ], "short_description": "Automate RAG deployment with supporting IBM Cloud and watsonx services, embed your enterprise data in generative AI solutions.", "long_description": "Utilize data from your enterprise to achieve productivity gains in activities related to question/answer conversations, content search, summarization and generation. RAG can be deployed in multiple configurations and is applicable to various industry use cases and solutions.\n\nThis deployable architecture provides a comprehensive foundation for trust, observability, security, and regulatory compliance by configuring and deploying various services and a sample application for a [RAG pattern](https://cloud.ibm.com/docs/pattern-genai-rag?topic=pattern-genai-rag-genai-pattern), including:\n- Configuring IBM Cloud Account with best practices from [IBM Cloud Framework for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-about)\n- Deploying key and secrets management services for storage and management of encryption keys and secrets\n- Deploying controls for continuous compliance\n- Deploying observability services for application and platform logging and monitoring\n- Deploying a suite of watsonx services to provide generative AI RAG capabilities\n- Deploying content databases for storing vector embeddings of the documents and content search/retrieval\n- Deploying a sample application in a variety of run times including CI/CD/CC pipelines for secure application lifecycle management\n\nThe above configured and deployed services enable a secure and trustworthy deployment of generative AI applications on IBM Cloud.\n\nThe configurations are flexible and be changed to meet the needs for several types of RAG patterns depending on the chosen combination of technologies and 
services.\n\nThe generative AI RAG pattern services include:\n- [watsonx.ai](https://dataplatform.cloud.ibm.com/docs/content/wsj/getting-started/welcome-main.html?context=wx)\n- [watsonx.data](https://cloud.ibm.com/docs/watsonxdata) (with Milvus)\n- [watsonx.governance](https://dataplatform.cloud.ibm.com/docs/content/svc-welcome/aiopenscale.html?context=wx)\n- [watsonx Assistant](https://cloud.ibm.com/docs/watson-assistant?topic=watson-assistant-welcome-new-assistant)\n- [watsonx Orchestrate](https://www.ibm.com/docs/en/watsonx/watson-orchestrate/current)\n- [Watson Discovery](https://cloud.ibm.com/docs/discovery-data)\n- [Elasticsearch](https://cloud.ibm.com/docs/databases-for-elasticsearch) Enterprise and Platinum edition\n\nThe supporting services include:\n- [Secrets Manager](https://cloud.ibm.com/docs/secrets-manager)\n- [Key Protect](https://cloud.ibm.com/docs/key-protect)\n- [Security and Compliance Center](https://cloud.ibm.com/docs/security-compliance)\n- [Event Notifications](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-getting-started)\n- [Logs](https://cloud.ibm.com/docs/cloud-logs)\n- [Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)\n- [Object Storage](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-getting-started-cloud-object-storage)\n- [Continuous Delivery](https://cloud.ibm.com/docs/ContinuousDelivery) toolchains\n- [Container Registry](https://cloud.ibm.com/docs/Registry)\n\nA [sample RAG application](https://github.com/IBM/gen-ai-rag-watsonx-sample-application) is deployed to [Code Engine](https://cloud.ibm.com/docs/codeengine) or [Red Hat OpenShift](https://cloud.ibm.com/docs/openshift) cluster.\n\nBy leveraging this architecture, you can accelerate your deployment and tailor it to meet your unique business needs and enterprise goals.", 
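Review bot: The `long_description` context line still lists `- [Security and Compliance Center](https://cloud.ibm.com/docs/security-compliance)` under supporting services, while the keywords added in this hunk and the feature text later in the commit now say Workload Protection, and App Configuration, which the stack definitions below add as a member, is not listed at all. Bring the list in line, e.g. `- [Security and Compliance Center Workload Protection](<docs-url>)` with the matching docs link and an `- [App Configuration](<docs-url>)` entry, so the catalog tile does not advertise the SCC instance that the member lists further down no longer deploy.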
@@ -43,7 +48,7 @@
 },
 {
 "title": "Achieve Regulatory Compliance",
- "description": "Ensures regulatory compliance by implementing CI/CD/CC pipelines, along with Security and Compliance Center for continuous compliance."
+ "description": "Ensures regulatory compliance by implementing CI/CD/CC pipelines, along with Security and Compliance Center Workload Protection for continuous compliance."
 },
 {
 "title": "Ensure Observability",
@@ -104,7 +109,14 @@
 "service_name": "kms"
 },
 {
- "service_name": "compliance",
+ "service_name": "sysdig-secure",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ]
+ },
+ {
+ "service_name": "apprapp",
 "role_crns": [
 "crn:v1:bluemix:public:iam::::serviceRole:Manager",
 "crn:v1:bluemix:public:iam::::role:Editor"
@@ -306,7 +318,7 @@
 },
 {
 "key": "skip_iam_authorization_policy",
- "display_name": "Disable Secrets Manager IAM credentials engine auth policy creation?",
+ "display_name": "disable_secrets_manager_iam_credentials_engine",
 "type": "boolean",
 "default_value": false,
 "description": "Whether to skip the creation of the IAM authorization policies required to enable the Secrets Manager IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service.",
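Review bot: Both new permission entries (`sysdig-secure` and `apprapp`) grant the same `serviceRole:Manager` plus platform `role:Editor` pair that the removed `compliance` entry carried, and nothing in the hunk shows that either service needs both roles. These are the roles a deployer must hold before the tile can run, so check each service's documented minimum and trim where possible. Keep the two entries in step with the second copy of this block at `@@ -475,7 +550,14 @@`.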
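Review bot: The new `display_name` for `skip_iam_authorization_policy` is a snake_case identifier, `disable_secrets_manager_iam_credentials_engine`, in place of a human-readable label, and it also reads as if the IAM credentials engine itself were disabled, whereas the `description` on the next lines says only the authorization policies are skipped. If a shorter label was the goal, `"display_name": "Skip Secrets Manager IAM credentials engine authorization policies"` keeps the meaning. The same replacement is made in the second flavor at `@@ -690,7 +772,7 @@`.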
@@ -326,6 +338,69 @@ "description": "Pass a list of regions to create a tenant that is targeted to the Cloud Logs instance created by this solution. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants.", "required": false }, + { + "key": "app_config_service_plan", + "type": "string", + "default_value": "basic", + "description": "The pricing plan to use for the IBM Cloud App Configuration instance.", + "required": false, + "options": [ + { + "displayname": "Basic", + "value": "basic" + }, + { + "displayname": "Standard", + "value": "standardv2" + }, + { + "displayname": "Enterprise", + "value": "enterprise" + } + ] + }, + { + "key": "scc_workload_protection_service_plan", + "type": "string", + "default_value": "graduated-tier", + "description": "The pricing plan to use for the IBM Cloud Security and Compliance Center Workload Protection instance.", + "required": false, + "options": [ + { + "displayname": "Graduated Tier", + "value": "graduated-tier" + }, + { + "displayname": "Free Trial", + "value": "free-trial" + } + ] + }, + { + "key": "enterprise_id", + "type": "string", + "default_value": "__NULL__", + "description": "If the account is an enterprise account and you want to scan sub-accounts for compliance, this value should be set to the enterprise ID (this is different to the account ID).", + "required": false + }, + { + "key": "enterprise_account_group_ids_to_assign", + "type": "array", + "default_value": [ + "all" + ], + "description": "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned for compliance. Supports passing the string 'all' in the list to assign to all account groups. 
Only applies if a value is being passed for `enterprise_id`.", + "required": false + }, + { + "key": "enterprise_account_ids_to_assign", + "type": "array", + "default_value": [ + "all" + ], + "description": "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if a value is being passed for `enterprise_id`.", + "required": false + }, { "key": "sample_app_git_url", "type": "string", @@ -475,7 +550,14 @@ "service_name": "kms" }, { - "service_name": "compliance", + "service_name": "sysdig-secure", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ] + }, + { + "service_name": "apprapp", "role_crns": [ "crn:v1:bluemix:public:iam::::serviceRole:Manager", "crn:v1:bluemix:public:iam::::role:Editor" @@ -690,7 +772,7 @@ }, { "key": "skip_iam_authorization_policy", - "display_name": "Disable Secrets Manager IAM credentials engine auth policy creation?", + "display_name": "disable_secrets_manager_iam_credentials_engine", "type": "boolean", "default_value": false, "description": "Whether to skip the creation of the IAM authorization policies required to enable the Secrets Manager IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service.", 
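Review bot: `enterprise_account_group_ids_to_assign` and `enterprise_account_ids_to_assign` default to `["all"]`, so as soon as a deployer sets `enterprise_id` the trusted profile template is assigned to every account group and every account in the enterprise with no further choice. That is the widest possible scope for a default; if the underlying DA accepts an empty list, an empty default with explicit opt-in is the more conservative setting, and otherwise the two descriptions should say plainly that the default selects the entire enterprise. None of the five new inputs carries a `display_name`, unlike `skip_iam_authorization_policy` just above. The same block is added to the second flavor at `@@ -710,6 +792,133 @@`.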
@@ -710,6 +792,133 @@ "description": "Pass a list of regions to create a tenant that is targeted to the Cloud Logs instance created by this solution. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants.", "required": false }, + { + "key": "app_config_service_plan", + "type": "string", + "default_value": "basic", + "description": "The pricing plan to use for the IBM Cloud App Configuration instance.", + "required": false, + "options": [ + { + "displayname": "Basic", + "value": "basic" + }, + { + "displayname": "Standard", + "value": "standardv2" + }, + { + "displayname": "Enterprise", + "value": "enterprise" + } + ] + }, + { + "key": "scc_workload_protection_service_plan", + "type": "string", + "default_value": "graduated-tier", + "description": "The pricing plan to use for the IBM Cloud Security and Compliance Center Workload Protection instance.", + "required": false, + "options": [ + { + "displayname": "Graduated Tier", + "value": "graduated-tier" + }, + { + "displayname": "Free Trial", + "value": "free-trial" + } + ] + }, + { + "key": "enterprise_id", + "type": "string", + "default_value": "__NULL__", + "description": "If the account is an enterprise account and you want to scan sub-accounts for compliance, this value should be set to the enterprise ID (this is different to the account ID).", + "required": false + }, + { + "key": "enterprise_account_group_ids_to_assign", + "type": "array", + "default_value": [ + "all" + ], + "description": "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned for compliance. Supports passing the string 'all' in the list to assign to all account groups. 
Only applies if a value is being passed for `enterprise_id`.", + "required": false + }, + { + "key": "enterprise_account_ids_to_assign", + "type": "array", + "default_value": [ + "all" + ], + "description": "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if a value is being passed for `enterprise_id`.", + "required": false + }, + { + + "key": "app_config_service_plan", + "type": "string", + "default_value": "basic", + "description": "The pricing plan to use for the IBM Cloud App Configuration instance.", + "required": false, + "options": [ + { + "displayname": "Basic", + "value": "basic" + }, + { + "displayname": "Standard", + "value": "standardv2" + }, + { + "displayname": "Enterprise", + "value": "enterprise" + } + ] + }, + { + "key": "scc_workload_protection_service_plan", + "type": "string", + "default_value": "graduated-tier", + "description": "The pricing plan to use for the IBM Cloud Security and Compliance Center Workload Protection instance.", + "required": false, + "options": [ + { + "displayname": "Graduated Tier", + "value": "graduated-tier" + }, + { + "displayname": "Free Trial", + "value": "free-trial" + } + ] + }, + { + "key": "enterprise_id", + "type": "string", + "default_value": "__NULL__", + "description": "If the account is an enterprise account and you want to scan sub-accounts for compliance, this value should be set to the enterprise ID (this is different to the account ID).", + "required": false + }, + { + "key": "enterprise_account_group_ids_to_assign", + "type": "array", + "default_value": [ + "all" + ], + "description": "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned for compliance. Supports passing the string 'all' in the list to assign to all account groups. 
Only applies if a value is being passed for `enterprise_id`.",
+ "required": false
+ },
+ {
+ "key": "enterprise_account_ids_to_assign",
+ "type": "array",
+ "default_value": [
+ "all"
+ ],
+ "description": "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if a value is being passed for `enterprise_id`.",
+ "required": false
+ },
 {
 "key": "sample_app_git_url",
 "type": "string",
diff --git a/solutions/basic/stack_definition.json b/solutions/basic/stack_definition.json
index 76fb9b5e..56068bec 100644
--- a/solutions/basic/stack_definition.json
+++ b/solutions/basic/stack_definition.json
@@ -4,22 +4,19 @@
 "name": "prefix",
 "required": true,
 "type": "string",
- "hidden": false,
- "default": "rag"
+ "hidden": false
 },
 {
 "name": "secret_manager_service_plan",
 "required": false,
 "type": "string",
- "hidden": false,
- "default": "trial"
+ "hidden": false
 },
 {
 "name": "skip_iam_authorization_policy",
 "required": false,
 "type": "boolean",
- "hidden": false,
- "default": false
+ "hidden": false
 },
 {
 "name": "watsonx_admin_api_key",
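Review bot: The five new inputs (`app_config_service_plan`, `scc_workload_protection_service_plan`, `enterprise_id`, `enterprise_account_group_ids_to_assign`, `enterprise_account_ids_to_assign`) are added twice in this hunk; the second copy starts at the `{` that is followed by a stray empty `+` line, right after the first `enterprise_account_ids_to_assign` object. This flavor's configuration array therefore ends up with duplicate `key` entries, which the hunk sizes also show (127 added lines here against 63 in the corresponding `@@ -326,6 +338,69 @@` hunk of the first flavor). Delete the second copy, from that `{` through its closing `},`, so both flavors carry the same single set.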
@@ -37,106 +34,126 @@ "name": "existing_resource_group_name", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "region", "required": false, "type": "string", - "hidden": false, - "default": "us-south" + "hidden": false }, { "name": "sample_app_git_url", "required": false, "type": "string", - "hidden": false, - "default": "https://github.com/IBM/gen-ai-rag-watsonx-sample-application" + "hidden": false }, { "name": "signing_key", "required": false, "type": "password", - "hidden": false, - "default": "replace" + "hidden": false }, { "name": "existing_secrets_manager_crn", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_kms_instance_crn", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_event_notification_instance_crn", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "enable_platform_metrics", "required": false, "type": "boolean", - "hidden": false, - "default": false + "hidden": false }, { "name": "logs_routing_tenant_regions", "required": false, "type": "array", + "hidden": false + }, + { + "name": "app_config_service_plan", + "required": false, + "type": "string", "hidden": false, - "default": [] + "custom_config": {} }, { - "name": "existing_discovery_instance", + "name": "scc_workload_protection_service_plan", "required": false, "type": "string", "hidden": false, - "default": null + "custom_config": {} }, { - "name": "existing_assistant_instance_crn", + "name": "enterprise_id", "required": false, "type": "string", "hidden": false, - "default": null + "custom_config": {} + }, + { + "name": "enterprise_account_group_ids_to_assign", + "required": false, + "type": "array", + "hidden": false, + "custom_config": {} + }, + { + "name": "enterprise_account_ids_to_assign", + "required": false, + "type": "array", + "hidden": false, + 
"custom_config": {} + }, + { + "name": "existing_discovery_instance", + "required": false, + "type": "string", + "hidden": false + }, + { + "name": "existing_assistant_instance_crn", + "required": false, + "type": "string", + "hidden": false }, { "name": "existing_governance_instance", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_studio_instance", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_machine_learning_instance", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_elasticsearch_instance_crn", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false } ], "members": [ 
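Review bot: The five inputs added here (`app_config_service_plan` through `enterprise_account_ids_to_assign`) each carry `"custom_config": {}`, which no other input in this list has, and an empty object presumably configures nothing. Unless the stack tooling treats the empty object differently from an absent key, drop it so the new entries match their siblings. The enclosing inputs array begins before this hunk. The standard flavor has the same pattern in its `@@ -37,106 +34,126 @@` hunk.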
@@ -218,9 +235,47 @@
 }
 ]
 },
+ {
+ "name": "Essential Security - App Configuration",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.c160fa36-fd40-42de-8553-1233e0c5e971-global",
+ "inputs": [
+ {
+ "name": "existing_resource_group_name",
+ "value": "ref:../Account Infrastructure Base/outputs/audit_resource_group_name"
+ },
+ {
+ "name": "region",
+ "value": "ref:../../inputs/region"
+ },
+ {
+ "name": "prefix",
+ "value": "ref:../../inputs/prefix"
+ },
+ {
+ "name": "app_config_plan",
+ "value": "ref:../../inputs/app_config_service_plan"
+ },
+ {
+ "name": "enable_config_aggregator",
+ "value": true
+ },
+ {
+ "name": "config_aggregator_enterprise_id",
+ "value": "ref:../../inputs/enterprise_id"
+ },
+ {
+ "name": "config_aggregator_enterprise_account_group_ids_to_assign",
+ "value": "ref:../../inputs/enterprise_account_group_ids_to_assign"
+ },
+ {
+ "name": "config_aggregator_enterprise_account_ids_to_assign",
+ "value": "ref:../../inputs/enterprise_account_ids_to_assign"
+ }
+ ]
+ },
 {
 "name": "Essential Security - Encryption Key Management",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.efaad0d0-9028-4d39-90e7-7e0f9d6e7569-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.93bf5d12-a435-4510-8888-1c32db20b82b-global",
 "inputs": [
 {
 "name": "resource_group_name",
@@ -254,7 +309,7 @@
 },
 {
 "name": "Essential Security - Logging Monitoring Activity Tracker",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.50624578-9e5c-408c-90ea-ce412899b5dc-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.39562a8a-1b92-4342-b990-1944ae583df9-global",
 "inputs": [
 {
 "name": "ibmcloud_api_key",
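Review bot: `enable_config_aggregator` is pinned to `true` in the new App Configuration member while every other setting of the member is wired to a stack input, so there is no way to deploy the stack without the aggregator and, once `enterprise_id` is set, the enterprise-wide trusted profile template it drives. If that is intentional because the Workload Protection member depends on it (it sets `cspm_enabled: true`), a sentence to that effect in the `enterprise_id` input description would spare deployers a surprise; otherwise expose it as a boolean stack input. The standard flavor adds the identical block in its `@@ -218,9 +235,47 @@` hunk.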
@@ -296,7 +351,7 @@
 },
 {
 "name": "Essential Security - Event Notifications",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.1c3a9873-77b2-4ab4-89c7-26d9899b1edb-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.b02f9aa4-b40f-41d5-8039-8e87742d756e-global",
 "inputs": [
 {
 "name": "kms_endpoint_url",
@@ -311,13 +366,9 @@
 "value": "private"
 },
 {
- "name": "resource_group_name",
+ "name": "existing_resource_group_name",
 "value": "ref:../Account Infrastructure Base/outputs/observability_resource_group_name"
 },
- {
- "name": "use_existing_resource_group",
- "value": true
- },
 {
 "name": "region",
 "value": "ref:../../inputs/region"
@@ -395,48 +446,36 @@
 ]
 },
 {
- "name": "Essential Security - Security Compliance Center",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.03c63154-2430-4154-9033-9f8e6f80d93b-global",
+ "name": "Essential Security - Security and Compliance Center Workload Protection",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.e436bb10-8b6c-4b3b-b4c5-523929d13686-global",
 "inputs": [
 {
- "name": "ibmcloud_api_key",
- "value": ""
- },
- {
- "name": "prefix",
- "value": "ref:../../inputs/prefix"
- },
- {
- "name": "cos_region",
- "value": "ref:../../inputs/region"
+ "name": "existing_resource_group_name",
+ "value": "ref:../Account Infrastructure Base/outputs/audit_resource_group_name"
 },
 {
- "name": "scc_region",
+ "name": "region",
 "value": "ref:../../inputs/region"
 },
 {
- "name": "resource_group_name",
- "value": "ref:../Account Infrastructure Base/outputs/audit_resource_group_name"
+ "name": "prefix",
+ "value": "ref:../../inputs/prefix"
 },
 {
- "name": "existing_kms_instance_crn",
- "value": "ref:../Essential Security - Encryption Key Management/outputs/kms_instance_crn"
+ "name": "scc_workload_protection_service_plan",
+ "value": "ref:../../inputs/scc_workload_protection_service_plan"
 },
 {
- "name": "use_existing_resource_group",
+ "name": "cspm_enabled",
 "value": true
 },
 {
- "name": "provision_scc_workload_protection",
- "value": false
+ "name": "app_config_crn",
+ "value": "ref:../../members/Essential Security - App Configuration/outputs/app_config_crn"
 },
 {
- "name": "existing_event_notifications_crn",
- "value": "ref:../Essential Security - Event Notifications/outputs/crn"
- },
- {
- "name": "profile_attachments",
- "value": []
+ "name": "existing_monitoring_crn",
+ "value": "ref:../../members/Essential Security - Logging Monitoring Activity Tracker/outputs/cloud_monitoring_crn"
 }
 ]
 },
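Review bot: The replacement member drops the `existing_kms_instance_crn` and `existing_event_notifications_crn` wiring that the old Security Compliance Center member had, and nothing in the new `inputs` takes their place, so Event Notifications alerting and customer-managed-key encryption are no longer configured for this component; if the Workload Protection DA exposes equivalent inputs, the two refs should be added back. Separately, the new refs mix two forms in one block, `ref:../Account Infrastructure Base/outputs/...` next to `ref:../../members/Essential Security - App Configuration/outputs/app_config_crn`, whereas the sibling members use `ref:../<member>/outputs/...` throughout; pick one. The standard flavor has the identical block in its `@@ -395,48 +446,36 @@` hunk.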
@@ -876,16 +915,20 @@
 "value": "ref:./members/Essential Security - Secrets Manager/outputs/secrets_manager_name"
 },
 {
- "name": "scc_crn",
- "value": "ref:./members/Essential Security - Security Compliance Center/outputs/scc_crn"
+ "name": "app_config_crn",
+ "value": "ref:./members/Essential Security - App Configuration/outputs/app_config_crn"
 },
 {
- "name": "scc_guid",
- "value": "ref:./members/Essential Security - Security Compliance Center/outputs/scc_guid"
+ "name": "app_config_guid",
+ "value": "ref:./members/Essential Security - App Configuration/outputs/app_config_guid"
 },
 {
 "name": "scc_workload_protection_crn",
- "value": "ref:./members/Essential Security - Security Compliance Center/outputs/scc_workload_protection_crn"
+ "value": "ref:./members/Essential Security - Security and Compliance Center Workload Protection/outputs/crn"
+ },
+ {
+ "name": "scc_workload_protection_guid",
+ "value": "ref:./members/Essential Security - Security and Compliance Center Workload Protection/outputs/guid"
 },
 {
 "name": "watson_discovery_crn",
diff --git a/solutions/standard/stack_definition.json b/solutions/standard/stack_definition.json
index ea0ab64b..338e892c 100644
--- a/solutions/standard/stack_definition.json
+++ b/solutions/standard/stack_definition.json
@@ -4,22 +4,19 @@
 "name": "prefix",
 "required": true,
 "type": "string",
- "hidden": false,
- "default": "rag"
+ "hidden": false
 },
 {
 "name": "secret_manager_service_plan",
 "required": false,
 "type": "string",
- "hidden": false,
- "default": "trial"
+ "hidden": false
 },
 {
 "name": "skip_iam_authorization_policy",
 "required": false,
 "type": "boolean",
- "hidden": false,
- "default": false
+ "hidden": false
 },
 {
 "name": "watsonx_admin_api_key",
@@ -37,106 +34,126 @@ "name": "existing_resource_group_name", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "region", "required": false, "type": "string", - "hidden": false, - "default": "us-south" + "hidden": false }, { "name": "sample_app_git_url", "required": false, "type": "string", - "hidden": false, - "default": "https://github.com/IBM/gen-ai-rag-watsonx-sample-application" + "hidden": false }, { "name": "signing_key", "required": false, "type": "password", - "hidden": false, - "default": "replace" + "hidden": false }, { "name": "existing_secrets_manager_crn", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_kms_instance_crn", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_event_notification_instance_crn", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "enable_platform_metrics", "required": false, "type": "boolean", - "hidden": false, - "default": false + "hidden": false }, { "name": "logs_routing_tenant_regions", "required": false, "type": "array", + "hidden": false + }, + { + "name": "app_config_service_plan", + "required": false, + "type": "string", "hidden": false, - "default": [] + "custom_config": {} }, { - "name": "existing_discovery_instance", + "name": "scc_workload_protection_service_plan", "required": false, "type": "string", "hidden": false, - "default": null + "custom_config": {} }, { - "name": "existing_assistant_instance_crn", + "name": "enterprise_id", "required": false, "type": "string", "hidden": false, - "default": null + "custom_config": {} + }, + { + "name": "enterprise_account_group_ids_to_assign", + "required": false, + "type": "array", + "hidden": false, + "custom_config": {} + }, + { + "name": "enterprise_account_ids_to_assign", + "required": false, + "type": "array", + "hidden": false, + 
"custom_config": {} + }, + { + "name": "existing_discovery_instance", + "required": false, + "type": "string", + "hidden": false + }, + { + "name": "existing_assistant_instance_crn", + "required": false, + "type": "string", + "hidden": false }, { "name": "existing_governance_instance", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_studio_instance", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_machine_learning_instance", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false }, { "name": "existing_elasticsearch_instance_crn", "required": false, "type": "string", - "hidden": false, - "default": null + "hidden": false } ], "members": [ 
@@ -218,9 +235,47 @@
 }
 ]
 },
+ {
+ "name": "Essential Security - App Configuration",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.c160fa36-fd40-42de-8553-1233e0c5e971-global",
+ "inputs": [
+ {
+ "name": "existing_resource_group_name",
+ "value": "ref:../Account Infrastructure Base/outputs/audit_resource_group_name"
+ },
+ {
+ "name": "region",
+ "value": "ref:../../inputs/region"
+ },
+ {
+ "name": "prefix",
+ "value": "ref:../../inputs/prefix"
+ },
+ {
+ "name": "app_config_plan",
+ "value": "ref:../../inputs/app_config_service_plan"
+ },
+ {
+ "name": "enable_config_aggregator",
+ "value": true
+ },
+ {
+ "name": "config_aggregator_enterprise_id",
+ "value": "ref:../../inputs/enterprise_id"
+ },
+ {
+ "name": "config_aggregator_enterprise_account_group_ids_to_assign",
+ "value": "ref:../../inputs/enterprise_account_group_ids_to_assign"
+ },
+ {
+ "name": "config_aggregator_enterprise_account_ids_to_assign",
+ "value": "ref:../../inputs/enterprise_account_ids_to_assign"
+ }
+ ]
+ },
 {
 "name": "Essential Security - Encryption Key Management",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.efaad0d0-9028-4d39-90e7-7e0f9d6e7569-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.93bf5d12-a435-4510-8888-1c32db20b82b-global",
 "inputs": [
 {
 "name": "resource_group_name",
@@ -254,7 +309,7 @@
 },
 {
 "name": "Essential Security - Logging Monitoring Activity Tracker",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.50624578-9e5c-408c-90ea-ce412899b5dc-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.39562a8a-1b92-4342-b990-1944ae583df9-global",
 "inputs": [
 {
 "name": "ibmcloud_api_key",
@@ -296,7 +351,7 @@
 },
 {
 "name": "Essential Security - Event Notifications",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.1c3a9873-77b2-4ab4-89c7-26d9899b1edb-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.b02f9aa4-b40f-41d5-8039-8e87742d756e-global",
 "inputs": [
 {
 "name": "kms_endpoint_url",
@@ -311,13 +366,9 @@
 "value": "private"
 },
 {
- "name": "resource_group_name",
+ "name": "existing_resource_group_name",
 "value": "ref:../Account Infrastructure Base/outputs/observability_resource_group_name"
 },
- {
- "name": "use_existing_resource_group",
- "value": true
- },
 {
 "name": "region",
 "value": "ref:../../inputs/region"
@@ -395,48 +446,36 @@
 ]
 },
 {
- "name": "Essential Security - Security Compliance Center",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.03c63154-2430-4154-9033-9f8e6f80d93b-global",
+ "name": "Essential Security - Security and Compliance Center Workload Protection",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.e436bb10-8b6c-4b3b-b4c5-523929d13686-global",
 "inputs": [
 {
- "name": "ibmcloud_api_key",
- "value": ""
- },
- {
- "name": "prefix",
- "value": "ref:../../inputs/prefix"
- },
- {
- "name": "cos_region",
- "value": "ref:../../inputs/region"
+ "name": "existing_resource_group_name",
+ "value": "ref:../Account Infrastructure Base/outputs/audit_resource_group_name"
 },
 {
- "name": "scc_region",
+ "name": "region",
 "value": "ref:../../inputs/region"
 },
 {
- "name": "resource_group_name",
- "value": "ref:../Account Infrastructure Base/outputs/audit_resource_group_name"
+ "name": "prefix",
+ "value": "ref:../../inputs/prefix"
 },
 {
- "name": "existing_kms_instance_crn",
- "value": "ref:../Essential Security - Encryption Key Management/outputs/kms_instance_crn"
+ "name": "scc_workload_protection_service_plan",
+ "value": "ref:../../inputs/scc_workload_protection_service_plan"
 },
 {
- "name": "use_existing_resource_group",
+ "name": "cspm_enabled",
 "value": true
 },
 {
- "name": "provision_scc_workload_protection",
- "value": false
+ "name": "app_config_crn",
+ "value": "ref:../../members/Essential Security - App Configuration/outputs/app_config_crn"
 },
 {
- "name": "existing_event_notifications_crn",
- "value": "ref:../Essential Security - Event Notifications/outputs/crn"
- },
- {
- "name": "profile_attachments",
- "value": []
+ "name": "existing_monitoring_crn",
+ "value": "ref:../../members/Essential Security - Logging Monitoring Activity Tracker/outputs/cloud_monitoring_crn"
 }
 ]
 },
@@ -934,16 +973,20 @@
 "value": "ref:./members/Essential Security - Secrets Manager/outputs/secrets_manager_name"
 },
 {
- "name": "scc_crn",
- "value": "ref:./members/Essential Security - Security Compliance Center/outputs/scc_crn"
+ "name": "app_config_crn",
+ "value": "ref:./members/Essential Security - App Configuration/outputs/app_config_crn"
 },
 {
- "name": "scc_guid",
- "value": "ref:./members/Essential Security - Security Compliance Center/outputs/scc_guid"
+ "name": "app_config_guid",
+ "value": "ref:./members/Essential Security - App Configuration/outputs/app_config_guid"
 },
 {
 "name": "scc_workload_protection_crn",
- "value": "ref:./members/Essential Security - Security Compliance Center/outputs/scc_workload_protection_crn"
+ "value": "ref:./members/Essential Security - Security and Compliance Center Workload Protection/outputs/crn"
+ },
+ {
+ "name": "scc_workload_protection_guid",
+ "value": "ref:./members/Essential Security - Security and Compliance Center Workload Protection/outputs/guid"
 },
 {
 "name": "watson_discovery_crn",
From 8151b3c3c50a2f6884296dcd327c7c5ad6cb14e7 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Mon, 9 Jun 2025 12:42:51 +0100
Subject: [PATCH 2/5] bump account infra
---
solutions/basic/stack_definition.json | 2 +-
solutions/standard/stack_definition.json | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/solutions/basic/stack_definition.json b/solutions/basic/stack_definition.json
index 56068bec..f4c7e7c4 100644
--- a/solutions/basic/stack_definition.json
+++ b/solutions/basic/stack_definition.json
@@ -159,7 +159,7 @@
 "members": [
 {
 "name": "Account Infrastructure Base",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.fa88886a-209c-4fbf-b06c-d5f1a96e0ffc-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.24459be4-397b-4dce-b2d1-555ccd576c14-global",
 "inputs": [
 {
 "name": "prefix",
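Review bot: Dropping the `scc_crn` and `scc_guid` stack outputs is a breaking change for anything that consumed them; check that no member input (for example the Sample RAG App Configuration toolchain, whose inputs are outside this hunk) or downstream automation still references `ref:./members/Essential Security - Security Compliance Center/outputs/...`, since a dangling `ref:` only surfaces at deploy time. Keeping `scc_workload_protection_crn` as the output name while pointing it at the new member's `outputs/crn` is fine, and the added `scc_workload_protection_guid` mirrors it; the `app_config_crn`/`app_config_guid` pair likewise assumes an `Essential Security - App Configuration` member exists in both stack definitions, which this hunk cannot confirm. The enclosing `outputs` array starts and ends outside the hunk.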
diff --git a/solutions/standard/stack_definition.json b/solutions/standard/stack_definition.json
index 338e892c..543c8f95 100644
--- a/solutions/standard/stack_definition.json
+++ b/solutions/standard/stack_definition.json
@@ -159,7 +159,7 @@
 "members": [
 {
 "name": "Account Infrastructure Base",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.fa88886a-209c-4fbf-b06c-d5f1a96e0ffc-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.24459be4-397b-4dce-b2d1-555ccd576c14-global",
 "inputs": [
 {
 "name": "prefix",
From c21fc15a0837b0768bd9a222d2fd390e833bd1f8 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Mon, 9 Jun 2025 14:23:35 +0100
Subject: [PATCH 3/5] fix EN inputs
---
solutions/basic/stack_definition.json | 6 +++++-
solutions/standard/stack_definition.json | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/solutions/basic/stack_definition.json b/solutions/basic/stack_definition.json
index f4c7e7c4..4d832aca 100644
--- a/solutions/basic/stack_definition.json
+++ b/solutions/basic/stack_definition.json
@@ -366,9 +366,13 @@
 "value": "private"
 },
 {
- "name": "existing_resource_group_name",
+ "name": "resource_group_name",
 "value": "ref:../Account Infrastructure Base/outputs/observability_resource_group_name"
 },
+ {
+ "name": "use_existing_resource_group",
+ "value": true
+ },
 {
 "name": "region",
 "value": "ref:../../inputs/region"
diff --git a/solutions/standard/stack_definition.json b/solutions/standard/stack_definition.json
index 543c8f95..2f12ac92 100644
--- a/solutions/standard/stack_definition.json
+++ b/solutions/standard/stack_definition.json
@@ -366,9 +366,13 @@
 "value": "private"
 },
 {
- "name": "existing_resource_group_name",
+ "name": "resource_group_name",
 "value": "ref:../Account Infrastructure Base/outputs/observability_resource_group_name"
 },
+ {
+ "name": "use_existing_resource_group",
+ "value": true
+ },
 {
 "name": "region",
 "value": "ref:../../inputs/region"
From 28f2634eab9905daea314d4398a9975b09e53df5 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Tue, 10 Jun 2025 13:20:23 +0100
Subject: [PATCH 4/5] bump slz
---
solutions/standard/stack_definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/solutions/standard/stack_definition.json b/solutions/standard/stack_definition.json
index 2f12ac92..0bf4200e 100644
--- a/solutions/standard/stack_definition.json
+++ b/solutions/standard/stack_definition.json
@@ -629,7 +629,7 @@
 },
 {
 "name": "Workload - Compute Red Hat OpenShift Container Platform on VPC",
- "version_locator": "1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc.3a0dc37a-bbb8-4609-b980-9205e91b798a-global",
+ "version_locator": "1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc.c15a99be-f334-4dfe-b1d2-b650ae01c9ca-global",
 "inputs": [
 {
 "name": "ibmcloud_api_key",
From 62df665062b721064dfc00d6985f663fc815a488 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Wed, 11 Jun 2025 16:03:08 +0100
Subject: [PATCH 5/5] bump sample app
---
solutions/basic/stack_definition.json | 2 +-
solutions/standard/stack_definition.json | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/solutions/basic/stack_definition.json b/solutions/basic/stack_definition.json
index 4d832aca..1cca3e57 100644
--- a/solutions/basic/stack_definition.json
+++ b/solutions/basic/stack_definition.json
@@ -748,7 +748,7 @@
 },
 {
 "name": "Workload - Sample RAG App Configuration",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.78aab24a-ba1c-4d72-91fb-131d718dfeb6-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.b1bf8a3d-3d51-4362-a13b-eb528a38c6f3-global",
 "inputs": [
 {
 "name": "toolchain_region",
diff --git a/solutions/standard/stack_definition.json b/solutions/standard/stack_definition.json
index 0bf4200e..c4022de2 100644
--- a/solutions/standard/stack_definition.json
+++ b/solutions/standard/stack_definition.json
@@ -798,7 +798,7 @@
 },
 {
 "name": "Workload - Sample RAG App Configuration",
- "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.78aab24a-ba1c-4d72-91fb-131d718dfeb6-global",
+ "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.b1bf8a3d-3d51-4362-a13b-eb528a38c6f3-global",
 "inputs": [
 {
 "name": "toolchain_region",