A module for configuring an IBM Cloud Security and Compliance Center Workload Protection instance. The module will always create a Manager resource key that connects to the SCC WP instance. Some sub-resources can be created using the Sysdig Provider (see advanced example).
- terraform-ibm-scc-workload-protection
- Submodules
- Examples
- Deployable Architectures
- Contributing
```hcl
data "ibm_iam_auth_token" "auth_token" {}

provider "restapi" {
  # see https://cloud.ibm.com/apidocs/resource-controller/resource-controller#endpoint-url for the full list of available resource controller endpoints
  uri = "https://resource-controller.cloud.ibm.com"
  headers = {
    Authorization = data.ibm_iam_auth_token.auth_token.iam_access_token
  }
  write_returns_object = true
}

module "scc_wp" {
  source                        = "terraform-ibm-modules/scc-workload-protection/ibm"
  version                       = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  name                          = "my-scc-wp-service"
  region                        = "us-south"
  resource_group_id             = "65xxxxxxxxxxxxxxxa3fd"
  resource_key_tags             = ["scc-wp-tag"]
  cloud_monitoring_instance_crn = "crn:v1:bluemix:public:sysdig-monitor:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX::"
  app_config_crn                = "crn:v1:bluemix:public:apprapp:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX::"
}
```

When CSPM is enabled (`cspm_enabled = true`), the module uses the restapi provider to configure the CSPM parameters. Because of a workaround needed for the restapi provider, Terraform will not detect drift if the following parameters are changed outside of Terraform (for example via the console, CLI, or API):
- `enable_cspm`
- `target_accounts` (including `account_id`, `account_type`, `config_crn`, `trusted_profile_id`)

This means the CSPM configuration should be fully managed by Terraform. Any out-of-band changes will not be detected or reverted.

This limitation will be resolved when the module is updated to use restapi provider v3.0.0 with `ignore_server_additions`.
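Until that provider update lands, the only way to notice an out-of-band change to these settings is to compare them yourself. The following added example (not part of this module) does that comparison for the parameters listed above; both the Terraform-managed values and the values read back from the instance are passed in as plain dicts, because the page does not document the read-back API, and all IDs and CRNs in the sample data are constructed placeholders.

```python
"""Out-of-band drift check for CSPM settings that Terraform cannot track (added
example, not part of the module). `desired` is what Terraform manages; `live` is
what the caller read back from the instance (fetching it is assumed, not shown)."""
from typing import Any

# Per-account fields whose out-of-band change Terraform would not detect.
TRACKED_ACCOUNT_FIELDS = ("account_type", "config_crn", "trusted_profile_id")


def cspm_drift(desired: dict[str, Any], live: dict[str, Any]) -> list[str]:
    """Return one finding per drifted setting; an empty list means no drift."""
    findings: list[str] = []
    if desired.get("enable_cspm") != live.get("enable_cspm"):
        findings.append(f"enable_cspm: desired={desired.get('enable_cspm')} live={live.get('enable_cspm')}")
    # target_accounts is a list of objects; key by account_id so that a mere
    # reordering of the list is not reported as drift.
    want = {a["account_id"]: a for a in desired.get("target_accounts", [])}
    have = {a["account_id"]: a for a in live.get("target_accounts", [])}
    for acct in sorted(have.keys() - want.keys()):
        findings.append(f"target_accounts[{acct}]: on instance but not in Terraform")
    for acct in sorted(want.keys() - have.keys()):
        findings.append(f"target_accounts[{acct}]: in Terraform but missing on instance")
    for acct in sorted(want.keys() & have.keys()):
        for field in TRACKED_ACCOUNT_FIELDS:
            if want[acct].get(field) != have[acct].get(field):
                findings.append(f"target_accounts[{acct}].{field}: desired={want[acct].get(field)!r} live={have[acct].get(field)!r}")
    return findings


# Constructed sample data (placeholder IDs, not real): the trusted profile of
# acct-1 was swapped and acct-2 was onboarded outside Terraform.
DESIRED = {"enable_cspm": True, "target_accounts": [
    {"account_id": "acct-1", "account_type": "enterprise",
     "config_crn": "crn:...:apprapp:...:cfg-1::", "trusted_profile_id": "Profile-1111"},
]}
LIVE = {"enable_cspm": True, "target_accounts": [
    {"account_id": "acct-1", "account_type": "enterprise",
     "config_crn": "crn:...:apprapp:...:cfg-1::", "trusted_profile_id": "Profile-9999"},
    {"account_id": "acct-2", "account_type": "account",
     "config_crn": "crn:...:apprapp:...:cfg-2::", "trusted_profile_id": "Profile-2222"},
]}

if __name__ == "__main__":
    for finding in cspm_drift(DESIRED, LIVE):
        print("DRIFT", finding)
```

Run it on a schedule (or as a post-apply step) and treat any finding as a signal to re-apply from Terraform and investigate who made the change.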
You need the following permissions to run this module.

- IAM Services
  - IBM Cloud Security and Compliance Center Workload Protection service
    - Editor platform access
    - Writer service access
### Requirements

| Name | Version |
|---|---|
| terraform | >= 1.9.0 |
| ibm | >= 1.86.0, < 2.0.0 |
| restapi | >= 2.0.1, < 3.0.0 |
### Modules

| Name | Source | Version |
|---|---|---|
| account_type_check | ./modules/account_check | n/a |
| cbr_rule | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.35.15 |
| trusted_profile_scc_wp | terraform-ibm-modules/trusted-profile/ibm | 3.2.19 |
### Resources

| Name | Type |
|---|---|
| ibm_resource_instance.scc_wp | resource |
| ibm_resource_key.scc_wp_resource_key | resource |
| ibm_resource_tag.scc_wp_access_tag | resource |
| restapi_object.cspm | resource |
| ibm_iam_auth_token.token | data source |
### Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_tags | A list of access tags to apply to the SCC WP instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | list(string) | [] | no |
| app_config_crn | The CRN of an existing App Config instance to use with the SCC Workload Protection instance. Required if cspm_enabled is true. NOTE: Ensure the App Config instance has the configuration aggregator enabled. | string | null | no |
| cbr_rules | The context-based restrictions rule to create. Only one rule is allowed. | list(object({ | [] | no |
| cloud_monitoring_instance_crn | To collect and analyze metrics and security data on hosts using both Monitoring and Workload Protection, pass the CRN of an existing IBM Cloud Monitoring instance to create the connection. Once the connection is created, the Monitoring instance CRN cannot be changed. | string | null | no |
| cspm_enabled | Enable Cloud Security Posture Management (CSPM) for the Workload Protection instance. This creates a trusted profile associated with the SCC Workload Protection instance that has viewer / reader access to the App Config service and viewer access to the Enterprise service. Learn more. | bool | true | no |
| name | The name to give the SCC Workload Protection instance that will be provisioned by this module. | string | n/a | yes |
| region | IBM Cloud region where all resources will be deployed. | string | "us-south" | no |
| resource_group_id | The resource group ID where resources will be provisioned. | string | n/a | yes |
| resource_key_name | The name to give the IBM Cloud SCC WP resource key. | string | "SCCWPManagerKey" | no |
| resource_key_tags | Tags associated with the IBM Cloud SCC WP resource key. | list(string) | [] | no |
| resource_tags | Optional list of tags to be added to the created SCC WP instance. | list(string) | [] | no |
| scc_workload_protection_trusted_profile_name | The name to give the trusted profile that is created by this module if cspm_enabled is true. Must begin with a letter. | string | "workload-protection-trusted-profile" | no |
| scc_wp_service_plan | IBM service pricing plan. | string | "free-trial" | no |
### Outputs

| Name | Description |
|---|---|
| access_key | Workload Protection instance access key. |
| account_id | Account ID of created SCC WP instance. |
| api_endpoint | API endpoint. |
| crn | CRN of created SCC WP instance. |
| guid | GUID of created SCC WP instance. |
| id | ID of created SCC WP instance. |
| ingestion_endpoint | Ingestion endpoint. |
| name | Name of created SCC WP instance. |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.