feat: init functional release (#15)

feat: init functional release

Author: imprateeksh

.github/settings.yml

@@ -14,12 +14,9 @@ repository:
 
   # By changing this field, you rename the repository.
 
-  # Uncomment this name property and set the name to the current repo name.
-  # name: ""
+  name: "terraform-ibm-base-ocp-vpc"
 
   # The description is displayed under the repository name on the
   # organization page and in the 'About' section of the repository.
 
-  # Uncomment this description property
-  # and update the description to the current repo description.
-  # description: ""
+  description: "Provision an IBM Cloud Red Hat OpenShift cluster on VPC Gen2"

.github/workflows/ci.yml

@@ -15,3 +15,6 @@ jobs:
   call-terraform-ci-pipeline:
     uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/[email protected]
     secrets: inherit
+    with:
+      craTarget: "examples/standard"
+      craGoalIgnoreFile: "cra-tf-validate-ignore-goals.json"

.gitignore

@@ -16,6 +16,8 @@ crash.log
 #
 *.tfvars
 
+.history/*
+
 # Ignore files for local testing
 test.tf
 
@@ -37,7 +39,7 @@ override.tf.json
 .terraformrc
 terraform.rc
 
-# Ignore .tfsec
+# Ignore tfsec
 .tfsec/
 
 # Ignore brew lock
@@ -52,5 +54,5 @@ Brewfile.lock.json
 # Node modules
 /node_modules
 
-# Visual Studio Code
+# VS Code State
 .vscode/

.secrets.baseline

@@ -28,7 +28,7 @@
       "name": "CloudantDetector"
     },
     {
-      "ghe_instance": "github.ibm.com",
+      "ghe_instance": "github.com",
       "name": "GheDetector"
     },
     {

README.md

@@ -0,0 +1,82 @@
+{
+    "scc_goals": [
+        {
+            "scc_goal_id": "3000408",
+            "description": "Check whether Flow Logs for VPC are enabled",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3645",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000902",
+            "description:": "Check whether OpenShift clusters are accessible only by using private endpoints",
+            "ignore_reason": "This is a valid issue - tracking in https://github.ibm.com/GoldenEye/issues/issues/174",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000258",
+            "description": "Check whether Cloud Object Storage has at least # users with the IAM manager role",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000259",
+            "description:": "Check whether Cloud Object Storage has at least # service IDs with the IAM manager role",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000266",
+            "description": "Check whether Key Protect has at least # users with the IAM manager role",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000267",
+            "description:": "Check whether Key Protect has at least # service IDs with the IAM manager role",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000402",
+            "description": "Check whether Cloud Internet Services (CIS) has DDoS protection enabled",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000418",
+            "description:": "Check whether account has at least one VPN or Direct Link configured",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000441",
+            "description": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to port 22",
+            "ignore_reason": "This is a false alert. The way the subnets are arranged in the VPC ensures proper workload isolation. And it's not a violation of any NIST, SOC or other control. On the contrary, FedRAMP makes it clear that SG or ACLs are currently not seen as a security boundary, only subnets (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf)",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000442",
+            "description:": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to port 3389",
+            "ignore_reason": "This is a false alert. The way the subnets are arranged in the VPC ensures proper workload isolation. And it's not a violation of any NIST, SOC or other control. On the contrary, FedRAMP makes it clear that SG or ACLs are currently not seen as a security boundary, only subnets (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf)",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000451",
+            "description": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port",
+            "ignore_reason": "This is a false alert. The way the subnets are arranged in the VPC ensures proper workload isolation. And it's not a violation of any NIST, SOC or other control. On the contrary, FedRAMP makes it clear that SG or ACLs are currently not seen as a security boundary, only subnets (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf)",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000452",
+            "description:": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port",
+            "ignore_reason": "This is a false alert. The way the subnets are arranged in the VPC ensures proper workload isolation. And it's not a violation of any NIST, SOC or other control. On the contrary, FedRAMP makes it clear that SG or ACLs are currently not seen as a security boundary, only subnets (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf)",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000907",
+            "description:": "Check whether OpenShift version is up-to-date",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/4000",
+            "is_valid": true
+        }
+    ]
+}