fix: update DA to use private resource controller endpoint by default<br>* updated prefix validation for DA<br>* removed compliance claim from DA (not applicable for this DA) (#248)

Author: ocofaigh

README.md

@@ -47,7 +47,8 @@ unless real values don't help users know what to change.
 data "ibm_iam_auth_token" "auth_token" {}
 
 provider "restapi" {
-  uri = "https://resource-controller.cloud.ibm.com"  # https://private.resource-controller.cloud.ibm.com for private
+  # see https://cloud.ibm.com/apidocs/resource-controller/resource-controller#endpoint-url for full list of available resource controller endpoints
+  uri = "https://resource-controller.cloud.ibm.com"
   headers = {
     Authorization  = data.ibm_iam_auth_token.auth_token.iam_access_token
   }
@@ -101,7 +102,7 @@ statement instead the previous block.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |
 | <a name="requirement_restapi"></a> [restapi](#requirement\_restapi) | >=1.20.0, <2.0.0 |
 

common-dev-assets

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   required_providers {
     # Use latest version of provider in non-basic examples to verify latest version works with module
     ibm = {

examples/advanced/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   required_providers {
     # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
     ibm = {

examples/basic/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"

examples/enterprise/version.tf

@@ -47,15 +47,6 @@
           "name": "fully-configurable",
           "working_directory": "solutions/fully-configurable",
           "install_type": "fullstack",
-          "compliance": {
-            "authority": "scc-v3",
-            "profiles": [
-              {
-                "profile_name": "IBM Cloud Framework for Financial Services",
-                "profile_version": "1.7.0"
-              }
-            ]
-          },
           "dependency_version_2": true,
           "dependencies": [
             {

ibm_catalog.json

@@ -18,7 +18,7 @@ There is currently a [known issue](https://github.com/terraform-ibm-modules/terr
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | 1.78.3 |
 | <a name="requirement_restapi"></a> [restapi](#requirement\_restapi) | 1.20.0 |
 
@@ -45,8 +45,8 @@ There is currently a [known issue](https://github.com/terraform-ibm-modules/terr
 | <a name="input_existing_monitoring_crn"></a> [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. | `string` | `null` | no |
 | <a name="input_existing_resource_group_name"></a> [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of a an existing resource group in which to provision resources to. | `string` | `"Default"` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
-| <a name="input_ibmcloud_resource_controller_api_endpoint"></a> [ibmcloud\_resource\_controller\_api\_endpoint](#input\_ibmcloud\_resource\_controller\_api\_endpoint) | The URI of the Resource Controller service. This is used to update the Workload Protection instance to enable CSPM once the trusted profiles have been created. | `string` | `"https://resource-controller.cloud.ibm.com"` | no |
-| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
+| <a name="input_ibmcloud_resource_controller_api_endpoint"></a> [ibmcloud\_resource\_controller\_api\_endpoint](#input\_ibmcloud\_resource\_controller\_api\_endpoint) | The IBM Cloud [resource controller endpoint](https://cloud.ibm.com/apidocs/resource-controller/resource-controller#endpoint-url) to use. This is used to update the Workload Protection instance to enable CSPM once the trusted profiles have been created. | `string` | `"https://private.us-south.resource-controller.cloud.ibm.com"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-scc-wp. | `string` | n/a | yes |
 | <a name="input_provider_visibility"></a> [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision Security and Compliance Center Workload Protection resources in. | `string` | `"us-south"` | no |
 | <a name="input_scc_workload_protection_access_tags"></a> [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no |

solutions/fully-configurable/README.md

@@ -1,4 +1,6 @@
 {
   "ibmcloud_api_key": $VALIDATION_APIKEY,
-  "existing_resource_group_name": "geretain-test-resources"
+  "prefix": $PREFIX,
+  "existing_resource_group_name": "geretain-test-resources",
+  "app_config_crn": $APP_CONFIG_CRN
 }

solutions/fully-configurable/catalogValidationValues.json.template

@@ -23,7 +23,29 @@ variable "existing_monitoring_crn" {
 
 variable "prefix" {
   type        = string
-  description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string."
+  nullable    = true
+  description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-scc-wp."
+
+  validation {
+    # - null and empty string is allowed
+    # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0
+    # - Starts with a lowercase letter: [a-z]
+    # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-)
+    # - Must not end with a hyphen (-): [a-z0-9]
+    condition = (var.prefix == null || var.prefix == "" ? true :
+      alltrue([
+        can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)),
+        length(regexall("--", var.prefix)) == 0
+      ])
+    )
+    error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')."
+  }
+
+  validation {
+    # must not exceed 16 characters in length
+    condition     = length(var.prefix) <= 16
+    error_message = "Prefix must not exceed 16 characters."
+  }
 }
 
 variable "provider_visibility" {
@@ -134,10 +156,10 @@ variable "app_config_crn" {
 }
 
 variable "ibmcloud_resource_controller_api_endpoint" {
-  description = "The URI of the Resource Controller service. This is used to update the Workload Protection instance to enable CSPM once the trusted profiles have been created."
+  description = "The IBM Cloud [resource controller endpoint](https://cloud.ibm.com/apidocs/resource-controller/resource-controller#endpoint-url) to use. This is used to update the Workload Protection instance to enable CSPM once the trusted profiles have been created."
   type        = string
-  # TODO: Use private endpoint: https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues/244
-  default = "https://resource-controller.cloud.ibm.com"
+  # TODO: When Schematics re-platform and add support for VPE, we can change this default to be "private.resource-controller.cloud.ibm.com"
+  default = "https://private.us-south.resource-controller.cloud.ibm.com"
   validation {
     condition     = !(var.cspm_enabled && var.ibmcloud_resource_controller_api_endpoint == null)
     error_message = "This value cannot be `null` if `cspm_enabled` is set to `true`."

solutions/fully-configurable/variables.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.4.0"
+  required_version = ">= 1.9.0"
   # Lock DA into an exact provider version - renovate automation will keep it updated
   required_providers {
     ibm = {