feat: merge in SCC workload protection features

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-03-24T23:50:51Z",
+  "generated_at": "2025-07-14T16:52:00Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,7 +76,18 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {},
+  "results": {
+    "README.md": [
+      {
+        "hashed_secret": "3f0155e75563ab3adc0505000a86da5baa207d1f",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 49,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ]
+  },
   "version": "0.13.1+ibm.62.dss",
   "word_list": {
     "file": null,

examples/obs-agent-iks/README.md

@@ -1,10 +1,12 @@
-# Monitoring agent on Kubernetes using CSE ingress endpoint with an apikey
+# Deploy agent in IKS cluster
 
-An example that shows how to deploy a Monitoring agent in a Kubernetes cluster to send Logs directly to IBM a Cloud Monitoring instance.
+An example that shows how to deploy the agent in an IKS cluster.
+
+The following resources are provisioned:
 
-The example provisions the following resources:
 - A new resource group, if an existing one is not passed in.
 - A basic VPC (if `is_vpc_cluster` is true).
 - A Kubernetes cluster.
-- An IBM Cloud Monitoring instance
-- Monitoring agent
+- An IBM Cloud Monitoring instance.
+- An SCC Workload Protection instance.
+- The Monitoring and Workload Protection agent.

examples/obs-agent-iks/main.tf

@@ -10,71 +10,89 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
-########################################################################################################################
-# VPC + Subnet + Public Gateway
-#
-# NOTE: This is a very simple VPC with single subnet in a single zone with a public gateway enabled, that will allow
-# all traffic ingress/egress by default.
-# For production use cases this would need to be enhanced by adding more subnets and zones for resiliency, and
-# ACLs/Security Groups for network security.
-########################################################################################################################
-
-resource "ibm_is_vpc" "vpc" {
-  name                      = "${var.prefix}-vpc"
-  resource_group            = module.resource_group.resource_group_id
-  address_prefix_management = "auto"
-  tags                      = var.resource_tags
+##############################################################################
+# Create VPC and IKS Cluster
+##############################################################################
+
+resource "ibm_is_vpc" "example_vpc" {
+  count          = var.is_vpc_cluster ? 1 : 0
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
 }
 
-resource "ibm_is_subnet" "subnet_zone_1" {
-  name                     = "${var.prefix}-subnet-1"
-  vpc                      = ibm_is_vpc.vpc.id
-  resource_group           = module.resource_group.resource_group_id
+resource "ibm_is_subnet" "testacc_subnet" {
+  count                    = var.is_vpc_cluster ? 1 : 0
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc[0].id
   zone                     = "${var.region}-1"
   total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
 }
 
-########################################################################################################################
-# OCP VPC cluster (single zone)
-########################################################################################################################
-
+# Lookup the current default kube version
+data "ibm_container_cluster_versions" "cluster_versions" {}
 locals {
-  cluster_vpc_subnets = {
-    default = [
-      {
-        id         = ibm_is_subnet.subnet_zone_1.id
-        cidr_block = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block
-        zone       = ibm_is_subnet.subnet_zone_1.zone
-      }
-    ]
-  }
+  default_version = data.ibm_container_cluster_versions.cluster_versions.default_kube_version
+}
 
-  worker_pools = [
-    {
-      subnet_prefix    = "default"
-      pool_name        = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
-      machine_type     = "bx2.4x16"
-      operating_system = "REDHAT_8_64"
-      workers_per_zone = 2 # minimum of 2 is allowed when using single zone
-    }
-  ]
+resource "ibm_container_vpc_cluster" "cluster" {
+  count                = var.is_vpc_cluster ? 1 : 0
+  name                 = var.prefix
+  vpc_id               = ibm_is_vpc.example_vpc[0].id
+  kube_version         = local.default_version
+  flavor               = "bx2.4x16"
+  worker_count         = "2"
+  force_delete_storage = true
+  wait_till            = "IngressReady"
+  zones {
+    subnet_id = ibm_is_subnet.testacc_subnet[0].id
+    name      = "${var.region}-1"
+  }
+  resource_group_id = module.resource_group.resource_group_id
+  tags              = var.resource_tags
 }
 
-module "ocp_base" {
-  source               = "terraform-ibm-modules/base-ocp-vpc/ibm"
-  version              = "3.52.0"
+resource "ibm_container_cluster" "cluster" {
+  #checkov:skip=CKV2_IBM_7:Public endpoint is required for testing purposes
+  count                = var.is_vpc_cluster ? 0 : 1
+  name                 = var.prefix
+  datacenter           = var.datacenter
+  default_pool_size    = 2
+  hardware             = "shared"
+  kube_version         = local.default_version
+  force_delete_storage = true
+  machine_type         = "b3c.4x16"
+  public_vlan_id       = ibm_network_vlan.public_vlan[0].id
+  private_vlan_id      = ibm_network_vlan.private_vlan[0].id
+  wait_till            = "Normal"
   resource_group_id    = module.resource_group.resource_group_id
-  region               = var.region
   tags                 = var.resource_tags
-  cluster_name         = var.prefix
-  force_delete_storage = true
-  vpc_id               = ibm_is_vpc.vpc.id
-  vpc_subnets          = local.cluster_vpc_subnets
-  worker_pools         = local.worker_pools
+
+  timeouts {
+    delete = "2h"
+    create = "3h"
+  }
+}
+
+locals {
+  cluster_name_id = var.is_vpc_cluster ? ibm_container_vpc_cluster.cluster[0].id : ibm_container_cluster.cluster[0].id
+}
+
+resource "ibm_network_vlan" "public_vlan" {
+  count      = var.is_vpc_cluster ? 0 : 1
+  datacenter = var.datacenter
+  type       = "PUBLIC"
+}
+
+resource "ibm_network_vlan" "private_vlan" {
+  count      = var.is_vpc_cluster ? 0 : 1
+  datacenter = var.datacenter
+  type       = "PRIVATE"
 }
 
 data "ibm_container_cluster_config" "cluster_config" {
-  cluster_name_id   = module.ocp_base.cluster_id
+  cluster_name_id   = local.cluster_name_id
   resource_group_id = module.resource_group.resource_group_id
 }
 
@@ -85,30 +103,46 @@ resource "time_sleep" "wait_operators" {
 }
 
 ##############################################################################
-# Monitoring Instance
+# Monitoring instance
 ##############################################################################
 
 module "cloud_monitoring" {
-  source                  = "terraform-ibm-modules/observability-instances/ibm//modules/cloud_monitoring"
-  version                 = "3.5.3"
-  instance_name           = "${var.prefix}-cloud-monitoring"
-  resource_group_id       = module.resource_group.resource_group_id
-  region                  = var.region
-  plan                    = "graduated-tier"
-  enable_platform_metrics = var.enable_platform_metrics
+  source            = "terraform-ibm-modules/cloud-monitoring/ibm"
+  version           = "1.3.0"
+  instance_name     = "${var.prefix}-cloud-monitoring"
+  resource_group_id = module.resource_group.resource_group_id
+  resource_tags     = var.resource_tags
+  region            = var.region
+  plan              = "graduated-tier"
+}
+
+##############################################################################
+# SCC Workload Protection instance
+##############################################################################
+
+module "scc_wp" {
+  source                        = "terraform-ibm-modules/scc-workload-protection/ibm"
+  version                       = "1.10.3"
+  name                          = "${var.prefix}-scc-wp"
+  resource_group_id             = module.resource_group.resource_group_id
+  region                        = var.region
+  resource_tags                 = var.resource_tags
+  cloud_monitoring_instance_crn = module.cloud_monitoring.crn
+  cspm_enabled                  = false
 }
 
 ##############################################################################
 # Monitoring Agents
 ##############################################################################
 
 module "monitoring_agents" {
-  source                    = "../.."
-  depends_on                = [time_sleep.wait_operators]
-  cluster_id                = module.ocp_base.cluster_id
+  source = "../.."
+  # remove the above line and uncomment the below 2 lines to consume the module from the registry
+  # source  = "terraform-ibm-modules/monitoring-agent/ibm"
+  # version = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
+  cluster_id                = local.cluster_name_id
   cluster_resource_group_id = module.resource_group.resource_group_id
-  # # Monitoring agent
-  access_key                       = module.cloud_monitoring.access_key
-  cloud_monitoring_instance_region = var.region
-  enable_universal_ebpf            = true
+  is_vpc_cluster            = var.is_vpc_cluster
+  access_key                = module.cloud_monitoring.access_key
+  instance_region           = var.region
 }

examples/obs-agent-iks/provider.tf

@@ -16,3 +16,13 @@ provider "kubernetes" {
   token                  = data.ibm_container_cluster_config.cluster_config.token
   cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
 }
+
+data "ibm_iam_auth_token" "auth_token" {}
+
+provider "restapi" {
+  uri = "https://resource-controller.cloud.ibm.com"
+  headers = {
+    Authorization = data.ibm_iam_auth_token.auth_token.iam_access_token
+  }
+  write_returns_object = true
+}

examples/obs-agent-iks/variables.tf

@@ -28,8 +28,14 @@ variable "region" {
   default     = "au-syd"
 }
 
-variable "enable_platform_metrics" {
+variable "is_vpc_cluster" {
   type        = bool
-  description = "Enable platform metrics"
-  default     = false
+  description = "Specify true if the target cluster for the observability agents is a VPC cluster, false if it is classic cluster."
+  default     = true
+}
+
+variable "datacenter" {
+  type        = string
+  description = "If creating a classic cluster, the data center where the cluster is created"
+  default     = "syd01"
 }

examples/obs-agent-iks/version.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = "1.79.0"
+      version = "1.79.2"
     }
     helm = {
       source  = "hashicorp/helm"
@@ -22,5 +22,10 @@ terraform {
       source  = "hashicorp/time"
       version = ">= 0.9.1"
     }
+    # The restapi provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = ">= 2.0.1"
+    }
   }
 }

examples/obs-agent-ocp/.secrets.baseline

@@ -0,0 +1,85 @@
+{
+  "exclude": {
+    "files": "^.secrets.baseline$",
+    "lines": null
+  },
+  "generated_at": "2025-07-14T16:51:43Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "BoxDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "ghe_instance": "github.ibm.com",
+      "name": "GheDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {},
+  "version": "0.13.1+ibm.62.dss",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}