fix: add compliance controls to the OCP DA QuickStart variation (#783)

arya-girish-k · web-flow · commit 546e3c3983da · 2025-09-01T16:37:43.000+01:00
diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml
@@ -18,3 +18,7 @@ offerings:
       - name: quickstart
         mark_ready: true
         install_type: fullstack
+        scc:
+          instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
+          region: us-south
+          scope_resource_group_var_name: existing_resource_group_name
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 2ba5cc2c867361e8bcf34bd95f7359cc03d82b25
+Subproject commit abf631a16a48a308e609896937e1eed16b4aae4e
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -86,7 +86,7 @@
                 "crn:v1:bluemix:public:iam::::role:Viewer"
               ],
               "service_name": "Resource group only",
-              "notes":"Viewer access is required in the resource group you want to provision in."
+              "notes": "Viewer access is required in the resource group you want to provision in."
             },
             {
               "role_crns": [
@@ -785,7 +785,7 @@
               "key": "subnets",
               "type": "object",
               "default_value": "{\n    zone-1 = [\n      {\n        name           = \"subnet-a\"\n        cidr           = \"10.10.10.0/24\"\n        public_gateway = true\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ],\n    zone-2 = [\n      {\n        name           = \"subnet-b\"\n        cidr           = \"10.20.10.0/24\"\n        public_gateway = false\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ],\n    zone-3 = [\n      {\n        name           = \"subnet-c\"\n        cidr           = \"10.30.10.0/24\"\n        public_gateway = false\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ]\n  }",
-              "description": "List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addressess. Public gateways will be enabled only in zones where a gateway has been created. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#subnets-).",
+              "description": "List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#subnets-).",
               "required": false,
               "virtual": true
             },
@@ -1059,6 +1059,15 @@
           "index": 1,
           "install_type": "fullstack",
           "working_directory": "solutions/quickstart",
+          "compliance": {
+            "authority": "scc-v3",
+            "profiles": [
+              {
+                "profile_name": "CIS IBM Cloud Foundations Benchmark v1.1.0",
+                "profile_version": "1.1.0"
+              }
+            ]
+          },
           "iam_permissions": [
             {
               "service_name": "containers-kubernetes",
@@ -1084,19 +1093,19 @@
               "notes": "Required for creating Virtual Private Cloud (VPC)."
             },
             {
-                "service_name": "cloud-object-storage",
-                "role_crns": [
-                    "crn:v1:bluemix:public:iam::::serviceRole:Manager",
-                    "crn:v1:bluemix:public:iam::::role:Editor"
-                ],
-                "notes": "Required for creating the OpenShift cluster's internal registry storage bucket."
+              "service_name": "cloud-object-storage",
+              "role_crns": [
+                "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+                "crn:v1:bluemix:public:iam::::role:Editor"
+              ],
+              "notes": "Required for creating the OpenShift cluster's internal registry storage bucket."
             },
             {
               "role_crns": [
                 "crn:v1:bluemix:public:iam::::role:Viewer"
               ],
               "service_name": "Resource group only",
-              "notes":"Viewer access is required in the resource group you want to provision in."
+              "notes": "Viewer access is required in the resource group you want to provision in."
             }
           ],
           "architecture": {
@@ -1246,7 +1255,7 @@
             },
             {
               "key": "access_tags",
-              "hidden":true,
+              "hidden": true,
               "custom_config": {
                 "type": "array",
                 "grouping": "deployment",
@@ -1262,7 +1271,9 @@
             {
               "key": "disable_outbound_traffic_protection"
             }
-          ]
+          ],
+          "dependency_version_2": true,
+          "terraform_version": "1.10.5"
         }
       ]
     }
diff --git a/modules/kube-audit/README.md b/modules/kube-audit/README.md
@@ -80,7 +80,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_audit_deployment_name"></a> [audit\_deployment\_name](#input\_audit\_deployment\_name) | The name of log collection deployement and service. | `string` | `"ibmcloud-kube-audit"` | no |
+| <a name="input_audit_deployment_name"></a> [audit\_deployment\_name](#input\_audit\_deployment\_name) | The name of log collection deployment and service. | `string` | `"ibmcloud-kube-audit"` | no |
 | <a name="input_audit_log_policy"></a> [audit\_log\_policy](#input\_audit\_log\_policy) | Specify the amount of information that is logged to the API server audit logs by choosing the audit log policy profile to use. Supported values are `default` and `WriteRequestBodies`. | `string` | `"default"` | no |
 | <a name="input_audit_namespace"></a> [audit\_namespace](#input\_audit\_namespace) | The name of the namespace where log collection service and a deployment will be created. | `string` | `"ibm-kube-audit"` | no |
 | <a name="input_audit_webhook_listener_image"></a> [audit\_webhook\_listener\_image](#input\_audit\_webhook\_listener\_image) | The audit webhook listener image reference in the format of `[registry-url]/[namespace]/[image]`.The sub-module uses the `icr.io/ibm/ibmcloud-kube-audit-to-ibm-cloud-logs` image to forward logs to IBM Cloud Logs. This image is for demonstration purposes only. For a production solution, configure and maintain your own log forwarding image. | `string` | `"icr.io/ibm/ibmcloud-kube-audit-to-ibm-cloud-logs"` | no |
diff --git a/modules/kube-audit/scripts/set_webhook.sh b/modules/kube-audit/scripts/set_webhook.sh
@@ -20,7 +20,7 @@ get_cloud_endpoint() {
 
 get_cloud_endpoint
 
-# This is a workaround function added to retrive a new token, this can be removed once this issue(https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6107) is fixed.
+# This is a workaround function added to retrieve a new token, this can be removed once this issue(https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6107) is fixed.
 fetch_token() {
     if [ "$IBMCLOUD_IAM_API_ENDPOINT" = "iam.cloud.ibm.com" ]; then
         if [ "$PRIVATE_ENV" = true ]; then
@@ -38,7 +38,7 @@ fetch_token() {
 
 fetch_token
 
-# This is a workaround function added to retrive the CA cert, this can be removed once this issue(https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6068) is fixed.
+# This is a workaround function added to retrieve the CA cert, this can be removed once this issue(https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6068) is fixed.
 get_ca_cert() {
     if [ "$IBMCLOUD_CS_API_ENDPOINT" = "containers.cloud.ibm.com" ]; then
         if [ "$PRIVATE_ENV" = true ]; then
diff --git a/modules/kube-audit/variables.tf b/modules/kube-audit/variables.tf
@@ -81,7 +81,7 @@ variable "audit_namespace" {
 
 variable "audit_deployment_name" {
   type        = string
-  description = "The name of log collection deployement and service."
+  description = "The name of log collection deployment and service."
   default     = "ibmcloud-kube-audit"
 }
 
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
@@ -586,7 +586,7 @@ variable "audit_namespace" {
 
 variable "audit_deployment_name" {
   type        = string
-  description = "The name of log collection deployement and service."
+  description = "The name of log collection deployment and service."
   default     = "ibmcloud-kube-audit"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ variable "audit_namespace" {`
`81`	`81`
`82`	`82`	`variable "audit_deployment_name" {`
`83`	`83`	`type = string`
`84`		`- description = "The name of log collection deployement and service."`
	`84`	`+ description = "The name of log collection deployment and service."`
`85`	`85`	`default = "ibmcloud-kube-audit"`
`86`	`86`	`}`
`87`	`87`
Original file line number	Diff line number	Diff line change
`@@ -586,7 +586,7 @@ variable "audit_namespace" {`
`586`	`586`
`587`	`587`	`variable "audit_deployment_name" {`
`588`	`588`	`type = string`
`589`		`- description = "The name of log collection deployement and service."`
	`589`	`+ description = "The name of log collection deployment and service."`
`590`	`590`	`default = "ibmcloud-kube-audit"`
`591`	`591`	`}`
`592`	`592`