feat: added support to use existing SCC instance using new input variable existing_scc_instance_crn (#138)

Author: Soaib024

solutions/instances/README.md

@@ -39,6 +39,7 @@ This solution supports provisioning and configuring the following infrastructure
 | [ibm_en_topic.en_topic](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.67.1/docs/resources/en_topic) | resource |
 | [ibm_en_destinations.en_destinations](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.67.1/docs/data-sources/en_destinations) | data source |
 | [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.67.1/docs/data-sources/iam_account_settings) | data source |
+| [ibm_resource_instance.scc_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.67.1/docs/data-sources/resource_instance) | data source |
 
 ### Inputs
 
@@ -56,6 +57,7 @@ This solution supports provisioning and configuring the following infrastructure
 | <a name="input_existing_monitoring_crn"></a> [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection. | `string` | `null` | no |
 | <a name="input_existing_scc_cos_bucket_name"></a> [existing\_scc\_cos\_bucket\_name](#input\_existing\_scc\_cos\_bucket\_name) | The name of an existing bucket inside the existing Object Storage instance to use for Security and Compliance Center. If not specified, a bucket is created. | `string` | `null` | no |
 | <a name="input_existing_scc_cos_kms_key_crn"></a> [existing\_scc\_cos\_kms\_key\_crn](#input\_existing\_scc\_cos\_kms\_key\_crn) | The CRN of an existing KMS key to use to encrypt the Security and Compliance Center Object Storage bucket. If no value is set for this variable, specify a value for either the `existing_kms_instance_crn` variable to create a key ring and key, or for the `existing_scc_cos_bucket_name` variable to use an existing bucket. | `string` | `null` | no |
+| <a name="input_existing_scc_instance_crn"></a> [existing\_scc\_instance\_crn](#input\_existing\_scc\_instance\_crn) | The CRN of an existing Security and Compliance Center instance. If not supplied, a new instance will be created. | `string` | `null` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
 | <a name="input_kms_endpoint_type"></a> [kms\_endpoint\_type](#input\_kms\_endpoint\_type) | The endpoint for communicating with the KMS instance. Possible values: `public`, `private.` | `string` | `"private"` | no |
 | <a name="input_management_endpoint_type_for_bucket"></a> [management\_endpoint\_type\_for\_bucket](#input\_management\_endpoint\_type\_for\_bucket) | The type of endpoint for the IBM Terraform provider to use to manage Object Storage buckets. Possible values: `public`, `private`m `direct`. If you specify `private`, enable virtual routing and forwarding in your account, and the Terraform runtime must have access to the the IBM Cloud private network. | `string` | `"private"` | no |

solutions/instances/main.tf

@@ -128,11 +128,33 @@ module "cos" {
 # SCC Instance
 #######################################################################################################################
 
+locals {
+  parsed_existing_scc_instance_crn = var.existing_scc_instance_crn != null ? split(":", var.existing_scc_instance_crn) : []
+  existing_scc_instance_guid       = length(local.parsed_existing_scc_instance_crn) > 0 ? local.parsed_existing_scc_instance_crn[7] : null
+  existing_scc_instance_region     = length(local.parsed_existing_scc_instance_crn) > 0 ? local.parsed_existing_scc_instance_crn[5] : null
+
+  scc_instance_crn    = var.existing_scc_instance_crn == null ? module.scc[0].crn : var.existing_scc_instance_crn
+  scc_instance_guid   = var.existing_scc_instance_crn == null ? module.scc[0].guid : local.existing_scc_instance_guid
+  scc_instance_region = var.existing_scc_instance_crn == null ? var.scc_region : local.existing_scc_instance_region
+
+}
+
+moved {
+  from = module.scc
+  to   = module.scc[0]
+}
+
+data "ibm_resource_instance" "scc_instance" {
+  count      = var.existing_scc_instance_crn == null ? 0 : 1
+  identifier = local.scc_instance_guid
+}
+
 module "scc" {
+  count                             = var.existing_scc_instance_crn == null ? 1 : 0
   source                            = "terraform-ibm-modules/scc/ibm"
   version                           = "1.6.3"
   resource_group_id                 = module.resource_group.resource_group_id
-  region                            = var.scc_region
+  region                            = local.scc_instance_region
   instance_name                     = local.scc_instance_name
   plan                              = var.scc_service_plan
   cos_bucket                        = local.cos_bucket_name
@@ -161,7 +183,7 @@ module "create_profile_attachment" {
   }
   profile_name           = each.key
   profile_version        = "latest"
-  scc_instance_id        = module.scc.guid
+  scc_instance_id        = local.scc_instance_guid
   attachment_name        = "${each.value + 1} daily full account attachment"
   attachment_description = "SCC profile attachment scoped to your specific IBM Cloud account id ${data.ibm_iam_account_settings.iam_account_settings.account_id} with a daily attachment schedule."
   attachment_schedule    = "daily"
@@ -221,7 +243,7 @@ resource "ibm_en_topic" "en_topic" {
   name          = "SCC Topic"
   description   = "Topic for SCC events routing"
   sources {
-    id = module.scc.crn
+    id = local.scc_instance_crn
     rules {
       enabled           = true
       event_type_filter = "$.*"

solutions/instances/outputs.tf

@@ -14,22 +14,22 @@ output "resource_group_id" {
 
 output "scc_id" {
   description = "SCC instance ID"
-  value       = module.scc.id
+  value       = var.existing_scc_instance_crn == null ? module.scc[0].id : var.existing_scc_instance_crn
 }
 
 output "scc_guid" {
   description = "SCC instance guid"
-  value       = module.scc.guid
+  value       = var.existing_scc_instance_crn == null ? module.scc[0].guid : local.existing_scc_instance_guid
 }
 
 output "scc_crn" {
   description = "SCC instance CRN"
-  value       = module.scc.crn
+  value       = var.existing_scc_instance_crn == null ? module.scc[0].crn : var.existing_scc_instance_crn
 }
 
 output "scc_name" {
   description = "SCC instance name"
-  value       = module.scc.name
+  value       = var.existing_scc_instance_crn == null ? module.scc[0].name : data.ibm_resource_instance.scc_instance[0].name
 }
 
 output "scc_workload_protection_id" {

solutions/instances/provider.tf

@@ -4,7 +4,7 @@
 
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
-  region           = var.scc_region
+  region           = local.scc_instance_region
 }
 
 provider "ibm" {

solutions/instances/variables.tf

@@ -167,6 +167,12 @@ variable "existing_activity_tracker_crn" {
 # SCC variables
 ########################################################################################################################
 
+variable "existing_scc_instance_crn" {
+  type        = string
+  default     = null
+  description = "The CRN of an existing Security and Compliance Center instance. If not supplied, a new instance will be created."
+}
+
 variable "scc_instance_name" {
   type        = string
   default     = "base-security-services-scc"