feat: added support to connect an IBM Cloud Monitoring instance to the SCC Workload Protection instance using new input variable cloud_monitoring_instance_crn (#63)

Author: akocbek

README.md

@@ -16,6 +16,7 @@ A module for provisioning an [IBM Cloud Security and Compliance Center Workload
 ## Overview
 * [terraform-ibm-scc-workload-protection](#terraform-ibm-scc-workload-protection)
 * [Examples](./examples)
+    * [Advanced example](./examples/advanced)
     * [Basic example](./examples/basic)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
@@ -44,12 +45,13 @@ unless real values don't help users know what to change.
 
 ```hcl
 module "scc_wp" {
-  source            = "terraform-ibm-modules/scc-workload-protection/ibm"
-  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
-  name              = "my-scc-wp-service"
-  region            = "us-south"
-  resource_group_id = "65xxxxxxxxxxxxxxxa3fd"
-  resource_key_tags = ["scc-wp-tag"]
+  source                        = "terraform-ibm-modules/scc-workload-protection/ibm"
+  version                       = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
+  name                          = "my-scc-wp-service"
+  region                        = "us-south"
+  resource_group_id             = "65xxxxxxxxxxxxxxxa3fd"
+  resource_key_tags             = ["scc-wp-tag"]
+  cloud_monitoring_instance_crn = "crn:v1:bluemix:public:sysdig-monitor:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX::"
 }
 ```
 
@@ -109,6 +111,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the SCC WP instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
+| <a name="input_cloud_monitoring_instance_crn"></a> [cloud\_monitoring\_instance\_crn](#input\_cloud\_monitoring\_instance\_crn) | The CRN of an IBM Cloud Monitoring instance to connect to the SCC Workload Protection instance. | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | A identifier used as a prefix when naming resources that will be provisioned. Must begin with a letter. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | IBM Cloud region where all resources will be deployed | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where resources will be provisioned. | `string` | n/a | yes |

examples/advanced/README.md

@@ -0,0 +1,7 @@
+# Advanced example
+
+An end-to-end example that uses the module's default variable values. This example uses the IBM Cloud terraform provider to:
+
+- Create a new resource group if one is not passed in.
+- Create a new IBM Cloud monitoring instance.
+- Create a new Security and Compliance Center Workload Protection instance and connect it with IBM Cloud monitoring instance.

examples/advanced/main.tf

@@ -0,0 +1,37 @@
+########################################################################################################################
+# Resource group
+########################################################################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.4"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+########################################################################################################################
+# IBM Cloud monitoring instance
+########################################################################################################################
+
+module "cloud_monitoring" {
+  source            = "terraform-ibm-modules/observability-instances/ibm//modules/cloud_monitoring"
+  version           = "2.11.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  instance_name     = "${var.prefix}-cm"
+}
+
+########################################################################################################################
+# SCC WP instance
+########################################################################################################################
+
+module "scc_wp" {
+  source                        = "../.."
+  name                          = var.prefix
+  region                        = var.region
+  resource_group_id             = module.resource_group.resource_group_id
+  resource_tags                 = var.resource_tags
+  access_tags                   = var.access_tags
+  cloud_monitoring_instance_crn = module.cloud_monitoring.crn
+}

examples/advanced/outputs.tf

@@ -0,0 +1,41 @@
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "id" {
+  description = "ID of created SCC WP instance."
+  value       = module.scc_wp.id
+}
+
+output "crn" {
+  description = "CRN of created SCC WP instance."
+  value       = module.scc_wp.crn
+}
+
+output "name" {
+  description = "Name of created SCC WP instance."
+  value       = module.scc_wp.name
+}
+
+output "ingestion_endpoint" {
+  description = "Ingestion endpoint."
+  value       = module.scc_wp.ingestion_endpoint
+  sensitive   = true
+}
+
+output "api_endpoint" {
+  description = "API endpoint."
+  value       = module.scc_wp.api_endpoint
+  sensitive   = true
+}
+
+output "access_key" {
+  description = "Workload Protection instance access key."
+  value       = module.scc_wp.access_key
+  sensitive   = true
+}
+
+output "cloud_monitoring_crn" {
+  description = "Workload Protection instance access key."
+  value       = module.cloud_monitoring.crn
+}

examples/advanced/provider.tf

@@ -0,0 +1,8 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/advanced/variables.tf

@@ -0,0 +1,39 @@
+
+##############################################################################
+# Input Variables
+##############################################################################
+variable "ibmcloud_api_key" {
+  description = "The IBM Cloud platform API key needed to deploy IAM enabled resources."
+  type        = string
+  sensitive   = true
+}
+
+variable "prefix" {
+  description = "Display name of the prefix for related resources"
+  type        = string
+  default     = "scc-wp-adv"
+}
+
+variable "region" {
+  description = "Name of the Region to deploy into"
+  type        = string
+  default     = "us-south"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "access_tags" {
+  type        = list(string)
+  description = "Optional list of access management tags to add to the SCC WP instance"
+  default     = []
+}

examples/advanced/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0, <1.6.0"
+  required_providers {
+    # Use latest version of provider in non-basic examples to verify latest version works with module
+    ibm = {
+      source  = "ibm-cloud/ibm"
+      version = ">=1.61.0, <2.0.0"
+    }
+  }
+}

examples/basic/variables.tf

@@ -26,7 +26,6 @@ variable "resource_group" {
   default     = null
 }
 
-
 variable "resource_tags" {
   type        = list(string)
   description = "Optional list of tags to be added to created resources"

main.tf

@@ -15,6 +15,9 @@ resource "ibm_resource_instance" "scc_wp" {
   plan              = var.scc_wp_service_plan
   location          = var.region
   tags              = var.resource_tags
+  parameters = {
+    cloud_monitoring_connected_instance : var.cloud_monitoring_instance_crn
+  }
 }
 
 ##############################################################################

tests/pr_test.go

@@ -12,6 +12,7 @@ import (
 )
 
 // const resourceGroup = "geretain-test-resources"
+const advancedExampleDir = "examples/advanced"
 const basicExampleDir = "examples/basic"
 
 // Define a struct with fields that match the structure of the YAML data
@@ -54,10 +55,10 @@ func TestRunBasicExample(t *testing.T) {
 	assert.NotNil(t, output, "Expected some output")
 }
 
-func TestRunBasicUpgradeExample(t *testing.T) {
+func TestRunAdvancedUpgradeExample(t *testing.T) {
 	t.Parallel()
 
-	options := setupOptions(t, "scc-wp-upg", basicExampleDir)
+	options := setupOptions(t, "scc-wp-upg", advancedExampleDir)
 
 	output, err := options.RunTestUpgrade()
 	if !options.UpgradeTestSkipped {