feat: scc workload protection DA

Author: Jordan-Williams2

common-dev-assets

@@ -0,0 +1,60 @@
+# Security and Compliance Center instances solution
+
+This solution supports provisioning and configuring the following infrastructure:
+
+- A resource group, if one is not passed in.
+- A Security and Compliance Center Workload Protection instance.
+
+:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).
+
+
+<!-- Below content is automatically populated via pre-commit hook -->
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | 1.75.2 |
+
+### Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.1.6 |
+| <a name="module_scc_wp"></a> [scc\_wp](#module\_scc\_wp) | ../.. | n/a |
+
+### Resources
+
+No resources.
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_existing_monitoring_crn"></a> [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection. | `string` | `null` | no |
+| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | `"dev"` | no |
+| <a name="input_provider_visibility"></a> [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of a new or an existing resource group in which to provision resources to. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | n/a | yes |
+| <a name="input_scc_region"></a> [scc\_region](#input\_scc\_region) | The region to provision Security and Compliance Center resources in. | `string` | `"us-south"` | no |
+| <a name="input_scc_workload_protection_access_tags"></a> [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no |
+| <a name="input_scc_workload_protection_instance_name"></a> [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"base-security-services-scc-wp"` | no |
+| <a name="input_scc_workload_protection_instance_tags"></a> [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no |
+| <a name="input_scc_workload_protection_resource_key_tags"></a> [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. | `list(string)` | `[]` | no |
+| <a name="input_scc_workload_protection_service_plan"></a> [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no |
+| <a name="input_use_existing_resource_group"></a> [use\_existing\_resource\_group](#input\_use\_existing\_resource\_group) | Whether to use an existing resource group. | `bool` | `false` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | Resource group ID |
+| <a name="output_resource_group_name"></a> [resource\_group\_name](#output\_resource\_group\_name) | Resource group name |
+| <a name="output_scc_workload_protection_access_key"></a> [scc\_workload\_protection\_access\_key](#output\_scc\_workload\_protection\_access\_key) | SCC Workload Protection access key |
+| <a name="output_scc_workload_protection_api_endpoint"></a> [scc\_workload\_protection\_api\_endpoint](#output\_scc\_workload\_protection\_api\_endpoint) | SCC Workload Protection API endpoint |
+| <a name="output_scc_workload_protection_crn"></a> [scc\_workload\_protection\_crn](#output\_scc\_workload\_protection\_crn) | SCC Workload Protection instance CRN |
+| <a name="output_scc_workload_protection_id"></a> [scc\_workload\_protection\_id](#output\_scc\_workload\_protection\_id) | SCC Workload Protection instance ID |
+| <a name="output_scc_workload_protection_ingestion_endpoint"></a> [scc\_workload\_protection\_ingestion\_endpoint](#output\_scc\_workload\_protection\_ingestion\_endpoint) | SCC Workload Protection instance ingestion endpoint |
+| <a name="output_scc_workload_protection_name"></a> [scc\_workload\_protection\_name](#output\_scc\_workload\_protection\_name) | SCC Workload Protection instance name |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

solutions/standard/README.md

@@ -0,0 +1,4 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "resource_group_name": $PREFIX
+}

solutions/standard/catalogValidationValues.json.template

@@ -0,0 +1,34 @@
+locals {
+  prefix = var.prefix != null ? (var.prefix != "" ? var.prefix : null) : null
+
+  scc_workload_protection_instance_name     = try("${local.prefix}-${var.scc_workload_protection_instance_name}", var.scc_workload_protection_instance_name)
+  scc_workload_protection_resource_key_name = try("${local.prefix}-${var.scc_workload_protection_instance_name}-key", "${var.scc_workload_protection_instance_name}-key")
+}
+
+#######################################################################################################################
+# Resource Group
+#######################################################################################################################
+
+module "resource_group" {
+  source                       = "terraform-ibm-modules/resource-group/ibm"
+  version                      = "1.1.6"
+  resource_group_name          = var.use_existing_resource_group == false ? try("${local.prefix}-${var.resource_group_name}", var.resource_group_name) : null
+  existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null
+}
+
+#######################################################################################################################
+# SCC Workload Protection
+#######################################################################################################################
+
+module "scc_wp" {
+  source                        = "../.."
+  name                          = local.scc_workload_protection_instance_name
+  region                        = var.scc_region
+  resource_group_id             = module.resource_group.resource_group_id
+  resource_tags                 = var.scc_workload_protection_instance_tags
+  resource_key_name             = local.scc_workload_protection_resource_key_name
+  resource_key_tags             = var.scc_workload_protection_resource_key_tags
+  cloud_monitoring_instance_crn = var.existing_monitoring_crn
+  access_tags                   = var.scc_workload_protection_access_tags
+  scc_wp_service_plan           = var.scc_workload_protection_service_plan
+}

solutions/standard/main.tf

@@ -0,0 +1,46 @@
+
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "resource_group_name" {
+  description = "Resource group name"
+  value       = module.resource_group.resource_group_name
+}
+
+output "resource_group_id" {
+  description = "Resource group ID"
+  value       = module.resource_group.resource_group_id
+}
+
+output "scc_workload_protection_id" {
+  description = "SCC Workload Protection instance ID"
+  value       = module.scc_wp.id
+}
+
+output "scc_workload_protection_crn" {
+  description = "SCC Workload Protection instance CRN"
+  value       = module.scc_wp.crn
+}
+
+output "scc_workload_protection_name" {
+  description = "SCC Workload Protection instance name"
+  value       = module.scc_wp.name
+}
+
+output "scc_workload_protection_ingestion_endpoint" {
+  description = "SCC Workload Protection instance ingestion endpoint"
+  value       = module.scc_wp.name
+}
+
+output "scc_workload_protection_api_endpoint" {
+  description = "SCC Workload Protection API endpoint"
+  value       = module.scc_wp.api_endpoint
+  sensitive   = true
+}
+
+output "scc_workload_protection_access_key" {
+  description = "SCC Workload Protection access key"
+  value       = module.scc_wp.access_key
+  sensitive   = true
+}

solutions/standard/outputs.tf

@@ -0,0 +1,9 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.scc_region
+  visibility       = var.provider_visibility
+}

solutions/standard/provider.tf

@@ -0,0 +1,98 @@
+########################################################################################################################
+# Common variables
+########################################################################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API key to deploy resources."
+  sensitive   = true
+}
+
+variable "use_existing_resource_group" {
+  type        = bool
+  description = "Whether to use an existing resource group."
+  default     = false
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The name of a new or an existing resource group in which to provision resources to. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
+}
+
+variable "existing_monitoring_crn" {
+  type        = string
+  nullable    = true
+  default     = null
+  description = "The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection."
+}
+
+variable "prefix" {
+  type        = string
+  description = "The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string."
+  default     = "dev"
+}
+
+variable "provider_visibility" {
+  description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)."
+  type        = string
+  default     = "private"
+
+  validation {
+    condition     = contains(["public", "private", "public-and-private"], var.provider_visibility)
+    error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'."
+  }
+}
+
+########################################################################################################################
+# SCC variables
+########################################################################################################################
+
+variable "scc_workload_protection_instance_name" {
+  description = "The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
+  type        = string
+  default     = "base-security-services-scc-wp"
+}
+
+variable "scc_region" {
+  type        = string
+  default     = "us-south"
+  description = "The region to provision Security and Compliance Center resources in."
+}
+
+variable "scc_workload_protection_instance_tags" {
+  type        = list(string)
+  description = "The list of tags to add to the Workload Protection instance."
+  default     = []
+}
+
+variable "scc_workload_protection_resource_key_tags" {
+  type        = list(string)
+  description = "The tags associated with the Workload Protection resource key."
+  default     = []
+}
+
+variable "scc_workload_protection_access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits)."
+  default     = []
+
+  validation {
+    condition = alltrue([
+      for tag in var.scc_workload_protection_access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128
+    ])
+    error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details"
+  }
+}
+
+variable "scc_workload_protection_service_plan" {
+  description = "The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`."
+  type        = string
+  default     = "graduated-tier"
+  validation {
+    error_message = "Plan for Workload Protection instances can only be `free-trial` or `graduated-tier`."
+    condition = contains(
+      ["free-trial", "graduated-tier"],
+      var.scc_workload_protection_service_plan
+    )
+  }
+}

solutions/standard/variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4.0"
+  # Lock DA into an exact provider version - renovate automation will keep it updated
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.75.2"
+    }
+  }
+}

solutions/standard/version.tf

@@ -1,6 +1,6 @@
 module github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection
 
-go 1.22.4
+go 1.23.0
 
 toolchain go1.24.0
 
@@ -89,12 +89,13 @@ require (
 	go.opentelemetry.io/otel/metric v1.29.0 // indirect
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	golang.org/x/crypto v0.33.0 // indirect
-	golang.org/x/mod v0.18.0 // indirect
-	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
-	golang.org/x/tools v0.22.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect