This repository was archived by the owner on Mar 19, 2025. It is now read-only.
feat: Add outputs for the DA solution

* Updated to COS module 7.5.3 to pull in fix for bug which occurs when passing existing COS instance
* Added some extra logic to validate variable values (#24)
solutions/instances/README.md (87 additions & 0 deletions)
@@ -7,3 +7,90 @@ This solution supports the following:
7
7
- Provisioning and configuring of a Security and Compliance Center Workload Protection instance.
8
8
9
9
**NB:** This solution is not intended to be called by one or more other modules since it contains a provider configurations, meaning it is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers)
10
+
11
+
### Current limitation
12
+
Currently this solution does not support attaching the Workload Protection instance to the SCC instance. That enhancement is being tracked in https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/issues/23
13
+
14
+
<!-- Below content is automatically populated via pre-commit hook -->
15
+
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
| <aname="input_add_bucket_name_suffix"></a> [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix)| Add random generated suffix (4 characters long) to the newly provisioned SCC COS bucket name. Only used if not passing existing bucket. set to false if you want full control over bucket naming using the 'scc\_cos\_bucket\_name' variable. |`bool`|`true`| no |
42
+
| <aname="input_cos_instance_access_tags"></a> [cos\_instance\_access\_tags](#input\_cos\_instance\_access\_tags)| A list of access tags to apply to the Cloud Object Storage instance. Only used if not supplying an existing instance. |`list(string)`|`[]`| no |
43
+
| <aname="input_cos_instance_name"></a> [cos\_instance\_name](#input\_cos\_instance\_name)| The name to use when creating the Cloud Object Storage instance. |`string`|`"base-security-services-cos"`| no |
44
+
| <aname="input_cos_instance_tags"></a> [cos\_instance\_tags](#input\_cos\_instance\_tags)| Optional list of tags to be added to Cloud Object Storage instance. Only used if not supplying an existing instance. |`list(string)`|`[]`| no |
45
+
| <aname="input_cos_region"></a> [cos\_region](#input\_cos\_region)| The Cloud Object Storage region. |`string`|`"us-south"`| no |
46
+
| <aname="input_existing_activity_tracker_crn"></a> [existing\_activity\_tracker\_crn](#input\_existing\_activity\_tracker\_crn)| (Optional) The CRN of an existing Activity Tracker instance. Used to send SCC COS bucket log data and all object write events to Activity Tracker. Only used if not supplying an existing COS bucket. |`string`|`null`| no |
47
+
| <aname="input_existing_cos_instance_crn"></a> [existing\_cos\_instance\_crn](#input\_existing\_cos\_instance\_crn)| The CRN of an existing Cloud Object Storage instance. If not supplied, a new instance will be created. |`string`|`null`| no |
48
+
| <aname="input_existing_en_crn"></a> [existing\_en\_crn](#input\_existing\_en\_crn)| (Optional) The CRN of an existing Event Notification instance. Used to integrate with SCC. |`string`|`null`| no |
49
+
| <aname="input_existing_kms_guid"></a> [existing\_kms\_guid](#input\_existing\_kms\_guid)| The GUID of of the KMS instance used for the SCC COS bucket root Key. Only required if not supplying an existing KMS root key and if 'skip\_cos\_kms\_auth\_policy' is true. |`string`|`null`| no |
50
+
| <aname="input_existing_monitoring_crn"></a> [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn)| (Optional) The CRN of an existing IBM Cloud Monitoring instance. Used to send all COS bucket request and usage metrics to, as well as SCC workload protection data. Ignored if using existing COS bucket and not provisioning SCC workload protection. |`string`|`null`| no |
51
+
| <aname="input_existing_resource_group"></a> [existing\_resource\_group](#input\_existing\_resource\_group)| Whether to use an existing resource group. |`bool`|`false`| no |
52
+
| <aname="input_existing_scc_cos_bucket_name"></a> [existing\_scc\_cos\_bucket\_name](#input\_existing\_scc\_cos\_bucket\_name)| The name of an existing bucket inside the existing Cloud Object Storage instance to use for SCC. If not supplied, a new bucket will be created. |`string`|`null`| no |
53
+
| <aname="input_existing_scc_cos_kms_key_crn"></a> [existing\_scc\_cos\_kms\_key\_crn](#input\_existing\_scc\_cos\_kms\_key\_crn)| The CRN of an existing KMS key to be used to encrypt the SCC COS bucket. If not supplied, a new key ring and key will be created in the provided KMS instance. |`string`|`null`| no |
54
+
| <aname="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key)| The API Key to use for IBM Cloud. |`string`| n/a | yes |
55
+
| <aname="input_kms_endpoint_type"></a> [kms\_endpoint\_type](#input\_kms\_endpoint\_type)| The type of endpoint to be used for commincating with the KMS instance. Allowed values are: 'public' or 'private' (default) |`string`|`"private"`| no |
56
+
| <aname="input_kms_region"></a> [kms\_region](#input\_kms\_region)| The region in which KMS instance exists. |`string`|`"us-south"`| no |
57
+
| <aname="input_management_endpoint_type_for_bucket"></a> [management\_endpoint\_type\_for\_bucket](#input\_management\_endpoint\_type\_for\_bucket)| The type of endpoint for the IBM terraform provider to use to manage COS buckets. (`public`, `private` or `direct`). Ensure to enable virtual routing and forwarding (VRF) in your account if using `private`, and that the terraform runtime has access to the the IBM Cloud private network. |`string`|`"private"`| no |
58
+
| <aname="input_provision_scc_workload_protection"></a> [provision\_scc\_workload\_protection](#input\_provision\_scc\_workload\_protection)| Whether to provision an SCC Workload Protection instance. |`bool`|`true`| no |
59
+
| <aname="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name)| The name of a new or an existing resource group in which to provision resources to. |`string`| n/a | yes |
60
+
| <aname="input_scc_cos_bucket_access_tags"></a> [scc\_cos\_bucket\_access\_tags](#input\_scc\_cos\_bucket\_access\_tags)| Optional list of access tags to be added to the SCC COS bucket. |`list(string)`|`[]`| no |
61
+
| <aname="input_scc_cos_bucket_class"></a> [scc\_cos\_bucket\_class](#input\_scc\_cos\_bucket\_class)| The storage class of the newly provisioned SCC COS bucket. Allowed values are: 'standard', 'vault', 'cold', 'smart' (default value), 'onerate\_active' |`string`|`"smart"`| no |
62
+
| <aname="input_scc_cos_bucket_name"></a> [scc\_cos\_bucket\_name](#input\_scc\_cos\_bucket\_name)| The name to use when creating the SCC Cloud Object Storage bucket (NOTE: bucket names are globally unique). If 'add\_bucket\_name\_suffix' is set to true, a random 4 characters will be added to this name to help ensure bucket name is globally unique. |`string`|`"base-security-services-bucket"`| no |
63
+
| <aname="input_scc_cos_key_name"></a> [scc\_cos\_key\_name](#input\_scc\_cos\_key\_name)| The name to give the Key which will be created for the SCC COS bucket. Not used if supplying an existing Key. |`string`|`"scc-cos-key"`| no |
64
+
| <aname="input_scc_cos_key_ring_name"></a> [scc\_cos\_key\_ring\_name](#input\_scc\_cos\_key\_ring\_name)| The name to give the Key Ring which will be created for the SCC COS bucket Key. Not used if supplying an existing Key. |`string`|`"scc-cos-key-ring"`| no |
65
+
| <aname="input_scc_instance_name"></a> [scc\_instance\_name](#input\_scc\_instance\_name)| The name to give the SCC instance that will be provisioned by this solution. |`string`|`"base-security-services-scc"`| no |
66
+
| <aname="input_scc_instance_tags"></a> [scc\_instance\_tags](#input\_scc\_instance\_tags)| Optional list of tags to be added to SCC instance. |`list(string)`|`[]`| no |
67
+
| <aname="input_scc_region"></a> [scc\_region](#input\_scc\_region)| The region in which to provision SCC resources. |`string`|`"us-south"`| no |
68
+
| <aname="input_scc_service_plan"></a> [scc\_service\_plan](#input\_scc\_service\_plan)| The service/pricing plan to use when provisioning a new Security Compliance Center instance. Allowed values are: 'security-compliance-center-standard-plan' (default value) and 'security-compliance-center-trial-plan'. Only used if `provision_scc_instance` is set to true. |`string`|`"security-compliance-center-standard-plan"`| no |
69
+
| <aname="input_scc_wp_access_tags"></a> [scc\_wp\_access\_tags](#input\_scc\_wp\_access\_tags)| A list of access tags to apply to the SCC WP instance. |`list(string)`|`[]`| no |
70
+
| <aname="input_scc_wp_instance_name"></a> [scc\_wp\_instance\_name](#input\_scc\_wp\_instance\_name)| The name to give the SCC Workload Protection instance that will be provisioned by this solution. Must begine with a letter. Only used i 'provision\_scc\_workload\_protection' to true. |`string`|`"base-security-services-scc-wp"`| no |
71
+
| <aname="input_scc_wp_instance_tags"></a> [scc\_wp\_instance\_tags](#input\_scc\_wp\_instance\_tags)| Optional list of tags to be added to SCC Workload Protection instance. |`list(string)`|`[]`| no |
72
+
| <aname="input_scc_wp_resource_key_name"></a> [scc\_wp\_resource\_key\_name](#input\_scc\_wp\_resource\_key\_name)| The name to give the IBM Cloud SCC Workload Protection manager resource key. |`string`|`"SCCWPManagerKey"`| no |
73
+
| <aname="input_scc_wp_resource_key_tags"></a> [scc\_wp\_resource\_key\_tags](#input\_scc\_wp\_resource\_key\_tags)| Tags associated with the IBM Cloud SCC WP resource key. |`list(string)`|`[]`| no |
74
+
| <aname="input_scc_wp_service_plan"></a> [scc\_wp\_service\_plan](#input\_scc\_wp\_service\_plan)| SCC Workload Protection instance service pricing plan. Allowed values are: `free-trial` or `graduated-tier`. |`string`|`"graduated-tier"`| no |
75
+
| <aname="input_skip_cos_kms_auth_policy"></a> [skip\_cos\_kms\_auth\_policy](#input\_skip\_cos\_kms\_auth\_policy)| Set to true to skip the creation of an IAM authorization policy that permits the COS instance created to read the encryption key from the KMS instance. WARNING: An authorization policy must exist before an encrypted bucket can be created |`bool`|`false`| no |
76
+
| <aname="input_skip_scc_cos_auth_policy"></a> [skip\_scc\_cos\_auth\_policy](#input\_skip\_scc\_cos\_auth\_policy)| Set to true to skip the creation of an IAM authorization policy that permits the SCC instance created by this solution write access to the COS instance. Only used if `provision_scc_instance` is set to true. |`bool`|`false`| no |
77
+
78
+
### Outputs
79
+
80
+
| Name | Description |
81
+
|------|-------------|
82
+
| <aname="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id)| Resource group ID |
83
+
| <aname="output_resource_group_name"></a> [resource\_group\_name](#output\_resource\_group\_name)| Resource group name |
84
+
| <aname="output_scc_cos_bucket_name"></a> [scc\_cos\_bucket\_name](#output\_scc\_cos\_bucket\_name)| SCC COS bucket name |
85
+
| <aname="output_scc_cos_kms_key_crn"></a> [scc\_cos\_kms\_key\_crn](#output\_scc\_cos\_kms\_key\_crn)| SCC COS KMS Key CRN |
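Review bot: the descriptions for `scc_service_plan` and `skip_scc_cos_auth_policy` both say "Only used if `provision_scc_instance` is set to true", but no `provision_scc_instance` input appears in the table (the only provisioning flag listed is `provision_scc_workload_protection`); either add that input or drop the clause. The `existing_kms_guid` row ("Only required if not supplying an existing KMS root key and if 'skip_cos_kms_auth_policy' is true") also disagrees with the new `validate_inputs` local in the next hunk, which requires the GUID whenever neither `existing_scc_cos_kms_key_crn` nor `existing_scc_cos_bucket_name` is set, regardless of `skip_cos_kms_auth_policy`; the README should state the condition the code actually enforces. Typos to fix in the same rows: "The GUID of of the KMS", "commincating", and "Must begine with a letter. Only used i 'provision_scc_workload_protection' to true" (should read "Must begin with a letter. Only used if 'provision_scc_workload_protection' is set to true").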
# TODO: Add some variable validation - https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/issues/6
5
+
locals {
6
+
# tflint-ignore: terraform_unused_declarations
7
+
validate_inputs=var.existing_scc_cos_bucket_name==null&& var.existing_scc_cos_kms_key_crn==null&& var.existing_kms_guid==null?tobool("A value must be passed for 'existing_kms_guid' if not supplying any value for 'existing_scc_cos_kms_key_crn' or 'existing_scc_cos_bucket_name'.") :true
8
+
# tflint-ignore: terraform_unused_declarations
9
+
validate_cos_inputs=var.existing_scc_cos_bucket_name!=null&& var.existing_scc_cos_kms_key_crn!=null?tobool("A value should not be passed for 'existing_scc_cos_kms_key_crn' when passing a value for 'existing_scc_cos_bucket_name'. A key is only needed when creating a new COS bucket.") :true
10
+
# tflint-ignore: terraform_unused_declarations
11
+
validate_auth_inputs=!var.skip_scc_cos_auth_policy&& var.existing_cos_instance_crn==null&& var.existing_scc_cos_bucket_name!=null?tobool("A value must be passed for 'existing_cos_instance_crn' in order to create auth policy.") :true
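Review bot: `validate_auth_inputs` only requires `existing_cos_instance_crn` when the auth policy is going to be created (`!var.skip_scc_cos_auth_policy`), yet the README describes `existing_scc_cos_bucket_name` as a bucket "inside the existing Cloud Object Storage instance", so a caller who passes a bucket name with `skip_scc_cos_auth_policy = true` and no instance CRN still passes validation and will fail later with a less clear error; consider dropping the `!var.skip_scc_cos_auth_policy` term so the instance CRN is required whenever an existing bucket is named. The `# TODO: Add some variable validation` comment above the `locals` block is now at least partly addressed by these three checks and should be updated or removed, and a one-line comment stating that the `tobool("...")` call is the intended failure mechanism (the string cannot convert, so `terraform plan` aborts with the message) would help the next reader who sees the `tflint-ignore` annotations.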