feat: added support to create SCC CBR rules using new inout cbr_rules (#247)

Author: vkuma17

solutions/instances/DA-cbr_rules.md

@@ -0,0 +1,61 @@
+# Configuring complex inputs for SCC in IBM Cloud projects
+
+Several optional input variables in the IBM Cloud [SCC Deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.
+
+* Context-Based Restrictions Rules (`cbr_rules`)
+
+
+## Rules For Context-Based Restrictions <a name="cbr_rules"></a>
+
+The `cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
+
+- Variable name: `cbr_rules`.
+- Type: A list of objects. Allows only one object representing a rule for the target service
+- Default value: An empty list (`[]`).
+
+### Options for cbr_rules
+
+  - `description` (required): The description of the rule to create.
+  - `account_id` (required): The IBM Cloud Account ID
+  - `rule_contexts` (required): (List) The contexts the rule applies to
+      - `attributes` (optional): (List) Individual context attributes
+        - `name` (required): The attribute name.
+        - `value`(required): The attribute value.
+
+  - `enforcement_mode` (required): The rule enforcement mode can have the following values:
+      - `enabled` - The restrictions are enforced and reported. This is the default.
+      - `disabled` - The restrictions are disabled. Nothing is enforced or reported.
+      - `report` - The restrictions are evaluated and reported, but not enforced.
+  - `operations` (optional): The operations this rule applies to
+    - `api_types`(required): (List) The API types this rule applies to.
+        - `api_type_id`(required):The API type ID
+
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+cbr_rules = [
+  {
+    "description"     : "SCC Instance can be accessed from xyz"
+    "account_id"      : "defc0df06b644a9cabc6e44f55b3880s."
+    "rule_contexts"   : [{
+      "attributes"  : [
+        {
+          "name" : "endpointType",
+          "value" : "private"
+        },
+        {
+          "name"  : "networkZoneId"
+          "value" : "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+        }
+      ]
+    }]
+    "enforcement_mode" : "enabled"
+    "operations" : [{
+      "api_types" : [{
+        "api_type_id" : "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }]
+    }]
+  }
+]
+```

solutions/instances/README.md

@@ -35,7 +35,7 @@ This solution supports provisioning and configuring the following infrastructure
 | <a name="module_existing_scc_crn_parser"></a> [existing\_scc\_crn\_parser](#module\_existing\_scc\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
 | <a name="module_kms"></a> [kms](#module\_kms) | terraform-ibm-modules/kms-all-inclusive/ibm | 4.19.5 |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.1.6 |
-| <a name="module_scc"></a> [scc](#module\_scc) | terraform-ibm-modules/scc/ibm | 1.8.36 |
+| <a name="module_scc"></a> [scc](#module\_scc) | terraform-ibm-modules/scc/ibm | 1.9.0 |
 | <a name="module_scc_wp"></a> [scc\_wp](#module\_scc\_wp) | terraform-ibm-modules/scc-workload-protection/ibm | 1.4.3 |
 
 ### Resources
@@ -57,6 +57,7 @@ This solution supports provisioning and configuring the following infrastructure
 |------|-------------|------|---------|:--------:|
 | <a name="input_add_bucket_name_suffix"></a> [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Whether to add a generated 4-character suffix to the created Security and Compliance Center Object Storage bucket name. Applies only if not specifying an existing bucket. Set to `false` not to add the suffix to the bucket name in the `scc_cos_bucket_name` variable. | `bool` | `true` | no |
 | <a name="input_attachment_schedule"></a> [attachment\_schedule](#input\_attachment\_schedule) | The scanning schedule. Possible values: `daily`, `every_7_days`, `every_30_days`, `none`. | `string` | `"every_30_days"` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/tree/main/solutions/instances/DA-cbr_rules.md) | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_cos_instance_access_tags"></a> [cos\_instance\_access\_tags](#input\_cos\_instance\_access\_tags) | A list of access tags to apply to the Object Storage instance. Applies only if not specifying an existing instance. | `list(string)` | `[]` | no |
 | <a name="input_cos_instance_name"></a> [cos\_instance\_name](#input\_cos\_instance\_name) | The name for the Object Storage instance. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"base-security-services-cos"` | no |
 | <a name="input_cos_instance_tags"></a> [cos\_instance\_tags](#input\_cos\_instance\_tags) | The list of tags to add to the Object Storage instance. Applies only if not specifying an existing instance. | `list(string)` | `[]` | no |

solutions/instances/main.tf

@@ -237,7 +237,7 @@ moved {
 module "scc" {
   source                            = "terraform-ibm-modules/scc/ibm"
   existing_scc_instance_crn         = var.existing_scc_instance_crn
-  version                           = "1.8.36"
+  version                           = "1.9.0"
   resource_group_id                 = module.resource_group.resource_group_id
   region                            = local.scc_instance_region
   instance_name                     = local.scc_instance_name
@@ -252,6 +252,7 @@ module "scc" {
   attach_wp_to_scc_instance         = var.provision_scc_workload_protection && var.existing_scc_instance_crn == null
   wp_instance_crn                   = var.provision_scc_workload_protection && var.existing_scc_instance_crn == null ? module.scc_wp[0].crn : null
   skip_scc_wp_auth_policy           = var.skip_scc_workload_protection_auth_policy
+  cbr_rules                         = var.cbr_rules
 }
 
 #######################################################################################################################

solutions/instances/variables.tf

@@ -351,3 +351,27 @@ variable "scc_en_email_list" {
   description = "The list of email addresses to notify when Security and Compliance Center triggers an event."
   default     = []
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+
+variable "cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
+  }))
+  description = "(Optional, list) List of context-based restrictions rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/tree/main/solutions/instances/DA-cbr_rules.md)"
+  default     = []
+}