feat: added logic to determine if account is an enterprise and if it is configure CSPM for enterprise type (#337)

mukulpalit-ibm · web-flow · commit fbae7e429183 · 2025-10-31T08:48:15.000Z
diff --git a/README.md b/README.md
@@ -14,6 +14,8 @@ A module for provisioning an [IBM Cloud Security and Compliance Center Workload
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
 * [terraform-ibm-scc-workload-protection](#terraform-ibm-scc-workload-protection)
+* [Submodules](./modules)
+    * [account_check](./modules/account_check)
 * [Examples](./examples)
     * [Advanced example](./examples/advanced)
     * [Basic example](./examples/basic)
@@ -114,6 +116,7 @@ statement instead the previous block.
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_account_type_check"></a> [account\_type\_check](#module\_account\_type\_check) | ./modules/account_check | n/a |
 | <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.33.7 |
 | <a name="module_trusted_profile_scc_wp"></a> [trusted\_profile\_scc\_wp](#module\_trusted\_profile\_scc\_wp) | terraform-ibm-modules/trusted-profile/ibm | 3.1.1 |
 
@@ -125,6 +128,7 @@ statement instead the previous block.
 | [ibm_resource_key.scc_wp_resource_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.scc_wp_access_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 | [restapi_object.cspm](https://registry.terraform.io/providers/Mastercard/restapi/latest/docs/resources/object) | resource |
+| [ibm_iam_auth_token.token](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source |
 
 ### Inputs
 
diff --git a/main.tf b/main.tf
@@ -8,6 +8,10 @@
 # SCC WP
 ##############################################################################
 
+locals {
+  target_account_id = ibm_resource_instance.scc_wp.account_id
+}
+
 resource "ibm_resource_instance" "scc_wp" {
   name              = var.name
   resource_group_id = var.resource_group_id
@@ -20,6 +24,22 @@ resource "ibm_resource_instance" "scc_wp" {
   }
 }
 
+##############################################################################
+# Check Account Type
+##############################################################################
+
+data "ibm_iam_auth_token" "token" {
+  depends_on = [ibm_resource_instance.scc_wp]
+  count      = var.cspm_enabled ? 1 : 0
+}
+
+module "account_type_check" {
+  count             = var.cspm_enabled ? 1 : 0
+  source            = "./modules/account_check"
+  target_account_id = local.target_account_id
+  iam_token         = data.ibm_iam_auth_token.token[0].iam_access_token
+}
+
 ##############################################################################
 # SCC WP Instance Key
 ##############################################################################
@@ -136,6 +156,7 @@ resource "restapi_object" "cspm" {
       target_accounts = var.cspm_enabled ? [
         {
           account_id         = ibm_resource_instance.scc_wp.account_id
+          account_type       = module.account_type_check[0].account_type
           config_crn         = var.app_config_crn
           trusted_profile_id = module.trusted_profile_scc_wp[0].profile_id
         }
diff --git a/modules/account_check/README.md b/modules/account_check/README.md
@@ -0,0 +1,59 @@
+# Account Check
+
+This module determines whether a given IBM Cloud account is part of an `ENTERPRISE` or is a `Standalone (ACCOUNT)` account.
+It uses the IBM Cloud Enterprise Management API and can be easily integrated into Terraform configurations via the external data source.
+
+### Prerequisites
+
+This module utilizes an external script that relies on the following command-line tools being installed on the system where Terraform is executed:
+- `jq`: A lightweight and flexible command-line JSON processor. It is required for parsing the input provided by the Terraform external data source.
+- `curl`: A tool to transfer data with URLs, required for making API calls to the IBM Cloud Enterprise Management API.
+
+### Usage
+```hcl
+module "account_type_check" {
+  source            = "terraform-ibm-modules/scc-workload-protection/ibm//modules/account_check"
+  target_account_id = <ACCOUNT_ID>
+  iam_token         = "XXXXXXXXXXXXXX"  # pragma: allowlist secret
+}
+```
+
+### Required IAM access policies
+
+- Account Management
+  - **Enterprise** service
+      - `Viewer` platform access
+  - **All Identity and Access enabled** services
+      - `Viewer` platform access
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
+| <a name="requirement_external"></a> [external](#requirement\_external) | >= 2.3.5, <3.0.0 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [external_external.account_check](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_iam_token"></a> [iam\_token](#input\_iam\_token) | The IBM Cloud platform IAM token needed to authenticate deploy IAM enabled resources. | `string` | n/a | yes |
+| <a name="input_target_account_id"></a> [target\_account\_id](#input\_target\_account\_id) | The ID of the target account to check for type. | `string` | n/a | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_account_type"></a> [account\_type](#output\_account\_type) | The determined type of the IBM Cloud account. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/account_check/main.tf b/modules/account_check/main.tf
@@ -0,0 +1,12 @@
+locals {
+  # Set account_type variable from the external data source's JSON output.
+  account_type = data.external.account_check.result.account_type
+}
+
+data "external" "account_check" {
+  program = ["/bin/bash", "${path.module}/../scripts/account-check.sh"]
+  query = {
+    account_id = var.target_account_id
+    iam_token  = var.iam_token
+  }
+}
diff --git a/modules/account_check/outputs.tf b/modules/account_check/outputs.tf
@@ -0,0 +1,4 @@
+output "account_type" {
+  description = "The determined type of the IBM Cloud account."
+  value       = local.account_type
+}
diff --git a/modules/account_check/variables.tf b/modules/account_check/variables.tf
@@ -0,0 +1,10 @@
+variable "iam_token" {
+  description = "The IBM Cloud platform IAM token needed to authenticate deploy IAM enabled resources."
+  type        = string
+  sensitive   = true
+}
+
+variable "target_account_id" {
+  description = "The ID of the target account to check for type."
+  type        = string
+}
diff --git a/modules/account_check/version.tf b/modules/account_check/version.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.9.0"
+  required_providers {
+    external = {
+      source  = "hashicorp/external"
+      version = ">= 2.3.5, <3.0.0"
+    }
+  }
+}
diff --git a/modules/scripts/account-check.sh b/modules/scripts/account-check.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -e
+
+check_dependencies() {
+    if ! command -v jq &> /dev/null; then
+        echo "Error: 'jq' is required but not found. Please install 'jq' to run this script." >&2
+        exit 1
+    fi
+}
+
+check_dependencies
+
+get_enterprise_endpoint() {
+    default_endpoint="enterprise.cloud.ibm.com"
+    enterprise_endpoint="${IBMCLOUD_ENTERPRISE_API_ENDPOINT:-"$default_endpoint"}"
+    ENTERPRISE_ENDPOINT=${enterprise_endpoint#https://}
+}
+
+get_enterprise_endpoint
+
+read -r TF_INPUT || true
+ACCOUNT_ID=$(echo "$TF_INPUT" | jq -r '.account_id')
+IAM_TOKEN=$(echo "$TF_INPUT" | jq -r '.iam_token')
+
+URL="https://${ENTERPRISE_ENDPOINT}/v1/accounts/${ACCOUNT_ID}"
+
+CURL_OUTPUT=$(curl -s -w "STATUS_CODE:%{http_code}" \
+  --retry 3 \
+  -X GET "$URL" \
+  -H "Authorization: ${IAM_TOKEN}")
+
+HTTP_CODE=$(echo "$CURL_OUTPUT" | grep -o 'STATUS_CODE:[0-9]*$' | awk -F: '{print $2}')
+
+RESPONSE_BODY=${CURL_OUTPUT%STATUS_CODE:*}
+
+ACCOUNT_TYPE="ACCOUNT"
+
+if [ "$HTTP_CODE" == "200" ] && echo "$RESPONSE_BODY" | grep -q '"enterprise_id"'; then
+  ACCOUNT_TYPE="ENTERPRISE"
+fi
+
+echo "{\"account_type\": \"${ACCOUNT_TYPE}\"}"
+
+exit 0
diff --git a/tests/other_tests.go b/tests/other_tests.go
@@ -17,6 +17,9 @@ func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptio
 		TerraformDir:               dir,
 		Prefix:                     prefix,
 		CheckApplyResultForUpgrade: true,
+		IgnoreAdds: testhelper.Exemptions{
+			List: []string{"module.scc_wp.restapi_object.cspm"},
+		},
 	})
 	return options
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -103,6 +103,8 @@ func TestFullyConfigurable(t *testing.T) {
 			Prefix:  "wp-da",
 			TarIncludePatterns: []string{
 				"*.tf",
+				"modules/*/*.tf",
+				"modules/*/*.sh",
 				fullyConfigurableDADir + "/*.tf",
 			},
 			ResourceGroup:          resourceGroup,
@@ -192,6 +194,8 @@ func TestFullyConfigurableUpgrade(t *testing.T) {
 			Prefix:  "wp-da",
 			TarIncludePatterns: []string{
 				"*.tf",
+				"modules/*/*.tf",
+				"modules/*/*.sh",
 				fullyConfigurableDADir + "/*.tf",
 			},
 			ResourceGroup:              resourceGroup,
