terraform-ibm-modules · ocofaigh · Feb 11, 2025 · Nov 14, 2024 · Nov 15, 2024 · Nov 19, 2024
@@ -1,11 +1,9 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/advanced" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
-    CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
-    PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
-    # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
-    # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
-    # CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
-    #   TF_VAR_sample: "sample value"
-    #   TF_VAR_other:  "another value"
+  - CRA_TARGET: "examples/all-combined"
+    CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json"
+    CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
+      TF_VAR_existing_cis_instance_name: "test_value_for_cis_instance_name"
+      TF_VAR_existing_cis_instance_resource_group_id:  "test_value_for_cis_instance_rg_id"
+      TF_VAR_existing_sdnlb_serviceid_name:  "test_value_for_existing_sdnlb_serviceid_name"
@@ -1,3 +1,40 @@
 {
-    "scc_rules": []
+    "scc_rules": [
+      {
+        "scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",
+        "description": "Check whether Flow Logs for VPC are enabled",
+        "ignore_reason": "This rule is not relevant to the module itself, just the VPC resource that is used in the example that is scanned",
+        "is_valid": false
+      },
+      {
+        "scc_rule_id": "rule-64c0bea0-8760-4a6b-a56c-ee375a48961e",
+        "description": "Check whether Virtual Private Cloud (VPC) has no public gateways attached",
+        "ignore_reason": "This rule is not relevant to the module itself, just the VPC resource that is used in the example that is scanned",
+        "is_valid": false
+      },
+      {
+        "scc_rule_id": "rule-2325054a-c338-474a-9740-0b7034487e40",
+        "description": "Check whether OpenShift clusters are accessible only by using private endpoints",
+        "ignore_reason": "This rule is not relevant to the module itself, just the OCP cluster resource that is used in the example that is scanned",
+        "is_valid": false
+      },
+      {
+        "scc_rule_id": "rule-4d86c074-097e-4ff3-a763-ccff128388e2",
+        "description": "Check whether multifactor authentication (MFA) is enabled at the account level",
+        "ignore_reason": "This is an account based rule, so unrelated to this module itself",
+        "is_valid": false
+      },
+      {
+        "scc_rule_id": "rule-0704e840-e443-4781-b9be-ec57469d09c1",
+        "description": "Check whether permissions for API key creation are limited and configured in IAM settings for the account owner",
+        "ignore_reason": "This is an account based rule, so unrelated to this module itself",
+        "is_valid": false
+      },
+      {
+        "scc_rule_id": "rule-0244c010-fde6-4db3-95aa-8952bd292ac3",
+        "description": "Check whether permissions for service ID creation are limited and configured in IAM settings for the account owner",
+        "ignore_reason": "This is an account based rule, so unrelated to this module itself",
+        "is_valid": false
+      }
+    ]
 }
@@ -1,11 +1,24 @@
-# Basic example
+# Basic Example
 
-<!--
-The basic example should call the module(s) stored in this repository with a basic configuration.
-Note, there is a pre-commit hook that will take the title of each example and include it in the repos main README.md.
-The text below should describe exactly what resources are provisioned / configured by the example.
--->
+This module provides a basic example to deploy the External Secrets Operator along with a simple username-password type secret in an IBM Cloud environment. It showcases a comprehensive implementation for managing secrets within a Kubernetes cluster, leveraging IBM Cloud's capabilities for a secure and efficient secret management system.
 
-An end-to-end basic example that will provision the following:
-- A new resource group if one is not passed in.
-- A new Cloud Object Storage instance.
+## Actions Performed
+
+- **Resource Group Handling**: Loads an existing resource group or creates a new one based on the provided variables.
+
+- **VPC and Subnet Configuration**: Establishes a Virtual Private Cloud (VPC) with associated subnets, setting up network segmentation and ACL rules.
+
+- **OpenShift Cluster Provisioning**: Deploys an OpenShift (OCP) cluster, tailored for a cloud-native architecture with worker pools for private, transit, and edge network segments.
+
+- **Secrets Manager Integration**:
+  - Either utilizes an existing Secrets Manager instance or creates a new one.
+  - Configures IAM engine, policies, and secret groups to manage access and operations on secrets.
+
+- **External Secrets Operator Configuration**:
+  - Deploys the External Secrets Operator in the Kubernetes cluster.
+  - Includes configurations for the External Secrets Operator to interact with the Secrets Manager and manage secrets at cluster and namespace levels.
+
+- **Secret Management**:
+  - Sets up a service ID (secret-puller) with IAM policies for accessing secrets from the Secrets Manager.
+  - Configures various types of secrets, including IAM service ID API keys and username-password combinations.
+  - Demonstrates the deployment of external secrets within Kubernetes, utilizing the configured `ClusterSecretStore` and `SecretStore` instances.