feat: add scc workload protection agent DA flavor (#91)

Author: akocbek

.catalog-onboard-pipeline.yaml

@@ -12,3 +12,8 @@ offerings:
         scc:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
           region: us-south
+      - name: agents
+        mark_ready: true
+        install_type: extension
+        pre_validation: "tests/scripts/pre-validation-deploy-slz-roks-and-scc-wp-instances.sh"
+        post_validation: "tests/scripts/post-validation-destroy-slz-roks-and-scc-wp-instances.sh"

ibm_catalog.json

@@ -284,7 +284,7 @@
                         }
                     ],
                     "architecture": {
-                        "descriptions": "This architecture supports creating and configuring an Key Protect instance.",
+                        "descriptions": "This architecture supports creating and configuring a Security and Compliance Center Workload Protection instance.",
                         "features": [
                             {
                                 "title": "Creates a Security and Compliance Center instance.",
@@ -310,7 +310,75 @@
                             }
                         ]
                     }
-                }
+                },
+                {
+                  "label": "Agents",
+                  "name": "agents",
+                  "install_type": "fullstack",
+                  "working_directory": "solutions/agents",
+                  "compliance": {},
+                  "configuration": [
+                      {
+                        "key": "ibmcloud_api_key"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_agent_name"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_agent_namespace"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_cluster_name"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_access_key"
+                      },
+                      {
+                        "key": "scc_workload_protection_instance_region"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_endpoint_type",
+                        "options": [
+                          {
+                            "displayname": "Public",
+                            "value": "public"
+                          },
+                          {
+                            "displayname": "Private",
+                            "value": "private"
+                          }
+                        ]
+                      }
+                    ],
+                  "iam_permissions": [
+                      {
+                          "service_name": "compliance",
+                          "role_crns": [
+                              "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+                              "crn:v1:bluemix:public:iam::::role:Editor"
+                          ]
+                      }
+                  ],
+                  "architecture": {
+                      "descriptions": "This architecture supports creating and configuring Security and Compliance Center Workload Protection agents.",
+                      "features": [
+                          {
+                              "title": "Creates a Security and Compliance Center Workload Protection agents.",
+                              "description": "Creates and configures a Security and Compliance Center Workload Protection agents."
+                          }
+                      ],
+                      "diagrams": [
+                          {
+                              "diagram": {
+                                  "caption": "Security and Compliance Center Workload Protection Agent",
+                                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-da/main/reference-architecture/scc-wp-agent.svg",
+                                  "type": "image/svg+xml"
+                              },
+                              "description": "This architecture supports creating and configuring Security and Compliance Center Workload Protection agent resources."
+                          }
+                      ]
+                  }
+              }
             ]
         }
     ]

reference-architecture/scc-wp-agent.svg

@@ -1,3 +1,10 @@
 # Security and Compliance Center Workload Protection Agent solution
 
-(Coming soon)
+This solution supports installing and configuring [IBM Cloud Security and Compliance Center Workload Protection agent](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started). It uses [sysdig-deploy charts](https://github.com/sysdiglabs/charts/tree/master/charts/sysdig-deploy) which deploys the following components into your cluster:
+- Agent
+- Node Analyzer
+- KSPM Collector
+
+This solution will deploy and configure the Workload Protections components in an existing cluster to an existing IBM Cloud Security and Compliance Center Workload Protection instance.
+
+![scc-wp-agent](../../reference-architecture/scc-wp-agent.svg)

solutions/agents/README.md

@@ -0,0 +1,3 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY
+}

solutions/agents/catalogValidationValues.json.template

@@ -0,0 +1,6 @@
+# Ignore everything
+*
+
+# But not these files...
+!.gitignore
+!README.md

solutions/agents/kubeconfig/.gitignore

@@ -0,0 +1,2 @@
+This directory must exist in source control so the `ibm_container_cluster_config` data lookup can use it to place the
+config.yml used to connect to a kubernetes cluster.

solutions/agents/kubeconfig/README.md

@@ -0,0 +1,20 @@
+#######################################################################################################################
+# SCC WP Agent
+#######################################################################################################################
+
+module "scc_wp_agent" {
+  source                 = "terraform-ibm-modules/scc-workload-protection-agent/ibm"
+  version                = "1.2.3"
+  access_key             = var.access_key
+  cluster_name           = var.cluster_name
+  region                 = var.region
+  endpoint_type          = var.endpoint_type
+  name                   = var.name
+  namespace              = var.namespace
+  deployment_tag         = var.deployment_tag
+  kspm_deploy            = var.kspm_deploy
+  node_analyzer_deploy   = var.node_analyzer_deploy
+  host_scanner_deploy    = var.host_scanner_deploy
+  cluster_scanner_deploy = var.cluster_scanner_deploy
+
+}

solutions/agents/main.tf

@@ -0,0 +1,8 @@
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "name" {
+  description = "Helm chart release name."
+  value       = module.scc_wp_agent.name
+}

solutions/agents/outputs.tf

@@ -0,0 +1,26 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
+
+provider "kubernetes" {
+  host  = data.ibm_container_cluster_config.cluster_dconfig.host
+  token = data.ibm_container_cluster_config.cluster_config.token
+}
+
+provider "helm" {
+  kubernetes {
+    host  = data.ibm_container_cluster_config.cluster_config.host
+    token = data.ibm_container_cluster_config.cluster_config.token
+  }
+}
+
+data "ibm_container_cluster_config" "cluster_config" {
+  cluster_name_id = var.cluster_name
+  config_dir      = "${path.module}/kubeconfig"
+  endpoint_type   = var.cluster_endpoint_type
+}