feat: Add support for Cloud Security Posture Management (CSPM) (#225)

Author: jor2

README.md

@@ -44,6 +44,16 @@ unless real values don't help users know what to change.
 -->
 
 ```hcl
+data "ibm_iam_auth_token" "auth_token" {}
+
+provider "restapi" {
+  uri = "https://resource-controller.cloud.ibm.com"  # https://private.resource-controller.cloud.ibm.com for private
+  headers = {
+    Authorization  = data.ibm_iam_auth_token.auth_token.iam_access_token
+  }
+  write_returns_object = true
+}
+
 module "scc_wp" {
   source                        = "terraform-ibm-modules/scc-workload-protection/ibm"
   version                       = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
@@ -52,9 +62,14 @@ module "scc_wp" {
   resource_group_id             = "65xxxxxxxxxxxxxxxa3fd"
   resource_key_tags             = ["scc-wp-tag"]
   cloud_monitoring_instance_crn = "crn:v1:bluemix:public:sysdig-monitor:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX::"
+  app_config_crn                = "crn:v1:bluemix:public:apprap:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX::"
 }
 ```
 
+### Known issues
+#### restapi_object.enable_cspm resource always identified for creation
+There is currently a [known issue](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues/243) where you will always see the `restapi_object.enable_cspm` resource included in the terraform plan for creation, even after it has already been applied. It is safe to proceed with this apply and will be a no-op if the resource has already been applied.
+
 ### Required IAM access policies
 
 <!-- PERMISSIONS REQUIRED TO RUN MODULE
@@ -88,12 +103,14 @@ statement instead the previous block.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |
+| <a name="requirement_restapi"></a> [restapi](#requirement\_restapi) | >=1.20.0, <2.0.0 |
 
 ### Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.31.0 |
+| <a name="module_trusted_profile_scc_wp"></a> [trusted\_profile\_scc\_wp](#module\_trusted\_profile\_scc\_wp) | terraform-ibm-modules/trusted-profile/ibm | 3.0.0 |
 
 ### Resources
 
@@ -102,27 +119,32 @@ statement instead the previous block.
 | [ibm_resource_instance.scc_wp](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_key.scc_wp_resource_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.scc_wp_access_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
+| [restapi_object.cspm](https://registry.terraform.io/providers/Mastercard/restapi/latest/docs/resources/object) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the SCC WP instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
+| <a name="input_app_config_crn"></a> [app\_config\_crn](#input\_app\_config\_crn) | The CRN of an existing App Config instance to use with the SCC Workload Protection instance. Required if `cspm_enabled` is true. NOTE: Ensure the App Config instance has configuration aggregator enabled. | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_cloud_monitoring_instance_crn"></a> [cloud\_monitoring\_instance\_crn](#input\_cloud\_monitoring\_instance\_crn) | The CRN of an IBM Cloud Monitoring instance to connect to the SCC Workload Protection instance. | `string` | `null` | no |
+| <a name="input_cspm_enabled"></a> [cspm\_enabled](#input\_cspm\_enabled) | Enable Cloud Security Posture Management (CSPM) for the Workload Protection instance. This will create a trusted profile associated with the SCC Workload Protection instance that has viewer / reader access to the App Config service and viewer access to the Enterprise service. [Learn more](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-about). | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the SCC Workload Protection instance that will be provisioned by this module. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | IBM Cloud region where all resources will be deployed | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where resources will be provisioned. | `string` | n/a | yes |
 | <a name="input_resource_key_name"></a> [resource\_key\_name](#input\_resource\_key\_name) | The name to give the IBM Cloud SCC WP resource key. | `string` | `"SCCWPManagerKey"` | no |
 | <a name="input_resource_key_tags"></a> [resource\_key\_tags](#input\_resource\_key\_tags) | Tags associated with the IBM Cloud SCC WP resource key. | `list(string)` | `[]` | no |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to created SCC WP instance. | `list(string)` | `[]` | no |
+| <a name="input_scc_workload_protection_trusted_profile_name"></a> [scc\_workload\_protection\_trusted\_profile\_name](#input\_scc\_workload\_protection\_trusted\_profile\_name) | The name to give the trusted profile that is created by this module if `cspm_enabled` is `true. Must begin with a letter.` | `string` | `"workload-protection-trusted-profile"` | no |
 | <a name="input_scc_wp_service_plan"></a> [scc\_wp\_service\_plan](#input\_scc\_wp\_service\_plan) | IBM service pricing plan. | `string` | `"free-trial"` | no |
 
 ### Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_access_key"></a> [access\_key](#output\_access\_key) | Workload Protection instance access key. |
+| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | Account ID of created SCC WP instance. |
 | <a name="output_api_endpoint"></a> [api\_endpoint](#output\_api\_endpoint) | API endpoint. |
 | <a name="output_crn"></a> [crn](#output\_crn) | CRN of created SCC WP instance. |
 | <a name="output_guid"></a> [guid](#output\_guid) | GUID of created SCC WP instance. |

examples/advanced/main.tf

@@ -53,18 +53,38 @@ module "cbr_zone" {
   }]
 }
 
+########################################################################################################################
+# App Config
+########################################################################################################################
+
+# Create new App Config instance
+module "app_config" {
+  source                                 = "terraform-ibm-modules/app-configuration/ibm"
+  version                                = "1.5.1"
+  region                                 = var.region
+  resource_group_id                      = module.resource_group.resource_group_id
+  app_config_plan                        = "basic"
+  app_config_name                        = "${var.prefix}-app-config"
+  app_config_tags                        = var.resource_tags
+  enable_config_aggregator               = true
+  config_aggregator_trusted_profile_name = "${var.prefix}-app-config-tp"
+}
+
 ########################################################################################################################
 # SCC WP instance
 ########################################################################################################################
 
 module "scc_wp" {
-  source                        = "../.."
-  name                          = var.prefix
-  region                        = var.region
-  resource_group_id             = module.resource_group.resource_group_id
-  resource_tags                 = var.resource_tags
-  access_tags                   = var.access_tags
-  cloud_monitoring_instance_crn = module.cloud_monitoring.crn
+  source                                       = "../.."
+  name                                         = var.prefix
+  region                                       = var.region
+  resource_group_id                            = module.resource_group.resource_group_id
+  resource_tags                                = var.resource_tags
+  access_tags                                  = var.access_tags
+  cloud_monitoring_instance_crn                = module.cloud_monitoring.crn
+  cspm_enabled                                 = true
+  app_config_crn                               = module.app_config.app_config_crn
+  scc_workload_protection_trusted_profile_name = "${var.prefix}-wp-tp"
 
   cbr_rules = [
     {

examples/advanced/provider.tf

@@ -6,3 +6,14 @@ provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
 }
+
+data "ibm_iam_auth_token" "auth_token" {}
+
+# Null resource replaced with restapi_object to enable CSPM
+provider "restapi" {
+  uri = "https://resource-controller.cloud.ibm.com"
+  headers = {
+    Authorization = data.ibm_iam_auth_token.auth_token.iam_access_token
+  }
+  write_returns_object = true
+}

examples/advanced/version.tf

@@ -6,5 +6,9 @@ terraform {
       source  = "ibm-cloud/ibm"
       version = ">=1.70.0, <2.0.0"
     }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = ">=1.20.0, <2.0.0"
+    }
   }
 }

examples/basic/main.tf

@@ -21,4 +21,5 @@ module "scc_wp" {
   resource_group_id = module.resource_group.resource_group_id
   resource_tags     = var.resource_tags
   access_tags       = var.access_tags
+  cspm_enabled      = false
 }

examples/basic/provider.tf

@@ -6,3 +6,14 @@ provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
 }
+
+data "ibm_iam_auth_token" "auth_token" {}
+
+# Null resource replaced with restapi_object to enable CSPM
+provider "restapi" {
+  uri = "https://resource-controller.cloud.ibm.com"
+  headers = {
+    Authorization = data.ibm_iam_auth_token.auth_token.iam_access_token
+  }
+  write_returns_object = true
+}

examples/basic/version.tf

@@ -4,7 +4,11 @@ terraform {
     # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = "1.70.0"
+      version = "1.76.1"
+    }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = "1.20.0"
     }
   }
 }

examples/enterprise/README.md

@@ -2,46 +2,52 @@
 
 > Only supported in an enterprise account.
 
-This example demonstrates the full deployment of:
+This example demonstrates a full deployment using modular Terraform code, including:
 
-- IBM Cloud App Configuration
-- IBM Cloud Security and Compliance Center Workload Protection (SCC-WP)
-- IAM Trusted Profile Template with 3 Trusted Profiles
-- Template assignment to account groups
-- Configuration Aggregator to link SCC-WP with App Config
+- **IBM Cloud App Configuration** (App Config)
+- **IBM Cloud Security and Compliance Center Workload Protection** (SCC-WP)
+- **IAM Trusted Profiles** for secure integration
+- **Resource Group** creation or reuse
+- **Configuration Aggregator** to link SCC-WP with App Config
 
 ---
 
-## Flow Overview
+## Module Overview
+
+- **Resource Group Module**
+  Creates or reuses a resource group for all resources.
+
+- **SCC Workload Protection Module**
+  Deploys the SCC-WP instance, attaches tags, and (optionally) enables CSPM and trusted profiles based on input variables.
+
+- **App Config Module**
+  Deploys an App Config instance with enterprise plan, tags, and enables the configuration aggregator with a trusted profile.
 
-1. **Create or reuse a resource group**
-   A resource group is created or reused.
+---
+
+## Flow Overview
 
-2. **Deploy App Config**
-   App Config is deployed along with a collection for organizing features and properties.
+1. **Resource Group**
+   A resource group is created or reused for all resources.
 
-3. **Deploy SCC Workload Protection**
-   SCC-WP is deployed with the `graduated-tier` plan.
+2. **App Config**
+   Deploys App Config with the enterprise plan, tags, and enables the configuration aggregator with a trusted profile.
 
-4. **Create a Trusted Profile Template with 3 profiles**
-   - **App Config -- Enterprise**
-     For IAM template management across the enterprise.
-   - **App Config -- General**
-     For reading platform and IAM services.
-   - **SCC-WP Profile**
-     For integrating SCC-WP with App Config and enterprise usage.
+3. **SCC Workload Protection**
+   Deploys SCC-WP with the `graduated-tier` plan, attaches resource and access tags, and (optionally) enables CSPM and trusted profiles for secure integration.
 
-5. **Assign the template to account groups**
-   All child accounts or specific account groups receive the profile template.
+4. **Trusted Profiles**
+   Trusted profiles are created and linked as needed for App Config and SCC-WP, with enterprise access policies conditionally included if enabled.
 
-6. **Create SCC-WP Config Aggregator**
-   The aggregator connects SCC-WP to App Config and uses the enterprise trusted profile and template ID to enforce secure access.
+5. **Configuration Aggregator**
+   Connects SCC-WP to App Config using the trusted profile and template ID for secure access across the enterprise.
 
 ---
 
 ## Notes
 
-- The `trusted_profile_links` block in each trusted profile is used to **link the profile to a specific CRN**, like a VSI or App Config instance, enabling the identity to assume the trusted profile.
+- The `trusted_profile_links` block in each trusted profile links the profile to a specific CRN (e.g., VSI or App Config instance), enabling the identity to assume the trusted profile.
+- Enterprise-specific access policies are conditionally added based on input variables (e.g., `enterprise_enabled`).
 
 ---