diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml
new file mode 100644
index 0000000..4c7713b
--- /dev/null
+++ b/.catalog-onboard-pipeline.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+offerings:
+ - name: deploy-arch-ibm-scc-workload-protection
+ kind: solution
+ catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
+ offering_id: 4322cf44-2289-49aa-a719-dd79e39b14dc
+ variations:
+ - name: fully-configurable
+ mark_ready: true
+ install_type: fullstack
+ scc:
+ instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
+ region: us-south
diff --git a/.releaserc b/.releaserc
index 708916f..622ce91 100644
--- a/.releaserc
+++ b/.releaserc
@@ -10,6 +10,9 @@ }], ["@semantic-release/exec", { "successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV" + }], + ["@semantic-release/exec", { + "publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}" }] ] }
diff --git a/README.md b/README.md
index e32ae3a..58e47fe 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,6 @@ A module for provisioning an [IBM Cloud Security and Compliance Center Workload Protection instance](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started). The module will always create a Manager resource key that connects to the SCC WP instance. - ## Overview
diff --git a/ibm_catalog.json b/ibm_catalog.json
new file mode 100644
index 0000000..863b070
--- /dev/null
+++ b/ibm_catalog.json
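Review bot: The new `publishCmd` in `.releaserc` invokes `./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}`, but no such script is added in this commit, so the publish step will fail on the first release unless the file already exists in the repository. Because `@semantic-release/exec` runs this command with the release job's environment, it is worth stating in the PR description where the script comes from and which credentials it expects to find there. The `.catalog-onboard-pipeline.yaml` it presumably consumes is added here, so the two should be reviewed together.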
@@ -0,0 +1,198 @@ +{ + "products": [ + { + "name": "deploy-arch-ibm-scc-workload-protection", + "label": "Cloud automation for Security and Compliance Center Workload Protection", + "product_kind": "solution", + "tags": [ + "ibm_created", + "target_terraform", + "terraform", + "solution", + "security" + ], + "keywords": [ + "SCC", + "security", + "compliance", + "workload-protection", + "IaC", + "infrastructure as code", + "terraform", + "solution" + ], + "short_description": "Creates and configures IBM Security and Compliance Center Workload Protection resources", + "long_description": "This architecture supports creating and configuring IBM Security and Compliance Center Workload Protection resources.", + "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/instances/README.md", + "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/main/images/scc-icon.svg", + "provider_name": "IBM", + "features": [ + { + "title": "Security and Compliance Center Workload Protection", + "description": "Creates and configures a Security and Compliance Center Workload Protection instance." + } + ], + "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues). 
Please note this product is not supported via the IBM Cloud Support Center.", + "flavors": [ + { + "label": "Fully configurable", + "name": "fully-configurable", + "working_directory": "solutions/fully-configurable", + "install_type": "fullstack", + "compliance": { + "authority": "scc-v3", + "profiles": [ + { + "profile_name": "IBM Cloud Framework for Financial Services", + "profile_version": "1.7.0" + } + ] + }, + "configuration": [ + { + "key": "ibmcloud_api_key", + "required": true + }, + { + "key": "existing_resource_group_name", + "required": true + }, + { + "key": "prefix", + "required": true, + "description": "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can enter the string `__NULL__`." + }, + { + "key": "region", + "required": true, + "options": [ + { + "value": "us-south" + }, + { + "value": "eu-de" + }, + { + "value": "eu-gb" + }, + { + "value": "eu-es" + }, + { + "value": "jp-osa" + }, + { + "value": "br-sao" + }, + { + "value": "au-syd" + }, + { + "value": "jp-tok" + }, + { + "value": "ca-tor" + }, + { + "value": "us-east" + } + ] + }, + { + "key": "provider_visibility", + "options": [ + { + "value": "private" + }, + { + "value": "public" + }, + { + "value": "public-and-private" + } + ] + }, + { + "key": "existing_monitoring_crn" + }, + { + "key": "scc_workload_protection_instance_name" + }, + { + "key": "scc_workload_protection_service_plan", + "options": [ + { + "value": "free-trial" + }, + { + "value": "graduated-tier" + } + ] + }, + { + "key": "scc_workload_protection_instance_tags", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } + }, + { + "key": "scc_workload_protection_resource_key_tags", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } + }, + { + "key": 
"scc_workload_protection_access_tags", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } + }, + { + "key": "cbr_rules" + } + ], + "iam_permissions": [ + { + "service_name": "sysdig-secure", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ] + } + ], + "architecture": { + "descriptions": "This architecture supports creating and configuring a Security and Compliance Center Workload Protection instance.", + "features": [ + { + "title": "Creates a Security and Compliance Center Workload Protection instance", + "description": "Creates and configures a Security and Compliance Center Workload Protection instance." + } + ], + "diagrams": [ + { + "diagram": { + "caption": "Security and Compliance Center Workload Protection", + "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/main/reference-architecture/scc.svg", + "type": "image/svg+xml" + }, + "description": "This architecture supports creating and configuring IBM Security and Compliance Center Workload Protection resources" + } + ] + } + } + ] + } + ] + } diff --git a/images/scc-icon.svg b/images/scc-icon.svg new file mode 100644 index 0000000..c402fe1 --- /dev/null +++ b/images/scc-icon.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/reference-architecture/scc.svg b/reference-architecture/scc.svg new file mode 100644 index 0000000..11a4572 --- /dev/null +++ b/reference-architecture/scc.svg @@ -0,0 +1,4 @@ + + + +
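Review bot: The `prefix` entry in `configuration` tells users to enter `__NULL__` to deploy without a prefix, but nothing in this commit recognises that sentinel: `variables.tf` documents `null` or an empty string instead, and `main.tf` interpolates `var.prefix` verbatim, so a catalog user following this text gets resources named `__NULL__-scc-workload-protection`. Either drop the sentinel from the catalog description so the three files agree, or handle it in `main.tf` (for example treat `var.prefix == "__NULL__"` the same as an empty prefix). The same hunk marks `existing_resource_group_name` as `required: true` while `variables.tf` gives it a default of `"Default"`; harmless, but worth reconciling in the same pass.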
IBM Cloud
IBM Cloud
Existing Monitoring Instance
Existing Monitorin...
Region
Region
Resource Group
Resource Group
SCC Workload Protection
SCC Workload Protect...
Metrics
Metrics
Text is not SVG - cannot display
\ No newline at end of file diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md new file mode 100644 index 0000000..c9e0808 --- /dev/null +++ b/solutions/fully-configurable/README.md @@ -0,0 +1,60 @@ +# Cloud automation for Security and Compliance Center Workload Protection + +This solution supports provisioning and configuring the following infrastructure: + +- A Security and Compliance Center Workload Protection instance. + +:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). + +![Workload Protection](./reference-architecture/scc.svg) + + + +### Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.4.0 | +| [ibm](#requirement\_ibm) | 1.75.2 | + +### Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.1.6 | +| [scc\_wp](#module\_scc\_wp) | ../.. | n/a | + +### Resources + +No resources. + +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/cbr-rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | +| [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. | `string` | `null` | no | +| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of a an existing resource group in which to provision resources to. | `string` | `"Default"` | no | +| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | +| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | +| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | +| [region](#input\_region) | The region to provision Security and Compliance Center Workload Protection resources in. | `string` | `"us-south"` | no | +| [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no | +| [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. 
If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"scc-workload-protection"` | no | +| [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no | +| [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. | `list(string)` | `[]` | no | +| [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no | + +### Outputs + +| Name | Description | +|------|-------------| +| [resource\_group\_id](#output\_resource\_group\_id) | Resource group ID | +| [resource\_group\_name](#output\_resource\_group\_name) | Resource group name | +| [scc\_workload\_protection\_access\_key](#output\_scc\_workload\_protection\_access\_key) | SCC Workload Protection access key | +| [scc\_workload\_protection\_api\_endpoint](#output\_scc\_workload\_protection\_api\_endpoint) | SCC Workload Protection API endpoint | +| [scc\_workload\_protection\_crn](#output\_scc\_workload\_protection\_crn) | SCC Workload Protection instance CRN | +| [scc\_workload\_protection\_id](#output\_scc\_workload\_protection\_id) | SCC Workload Protection instance ID | +| [scc\_workload\_protection\_ingestion\_endpoint](#output\_scc\_workload\_protection\_ingestion\_endpoint) | SCC Workload Protection instance ingestion endpoint | +| [scc\_workload\_protection\_name](#output\_scc\_workload\_protection\_name) | SCC Workload Protection instance name | + diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template new file mode 100644 index 0000000..1d380d9 
--- /dev/null +++ b/solutions/fully-configurable/catalogValidationValues.json.template @@ -0,0 +1,4 @@ +{ + "ibmcloud_api_key": $VALIDATION_APIKEY, + "existing_resource_group_name": "geretain-test-resources" +} diff --git a/solutions/fully-configurable/cbr-rules.md b/solutions/fully-configurable/cbr-rules.md new file mode 100644 index 0000000..44f7932 --- /dev/null +++ b/solutions/fully-configurable/cbr-rules.md 
@@ -0,0 +1,77 @@ +# Configuring complex inputs for Workload Protection in IBM Cloud projects + +Several optional input variables in the IBM Cloud [workload protection deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture. + +* Context-Based Restrictions Rules (`cbr_rules`) + + +## Rules For Context-Based Restrictions + +The `cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc. + +- Variable name: `cbr_rules`. +- Type: A list of objects. Allows only one object representing a rule for the target service +- Default value: An empty list (`[]`). + +### Options for cbr_rules + + - `description` (required): The description of the rule to create. + - `account_id` (required): The IBM Cloud Account ID + - `rule_contexts` (required): (List) The contexts the rule applies to + - `attributes` (optional): (List) Individual context attributes + - `name` (required): The attribute name. + - `value` (required): The attribute value. + + - `enforcement_mode` (required): The rule enforcement mode can have the following values: + - `enabled` - The restrictions are enforced and reported. This is the default. + - `disabled` - The restrictions are disabled. Nothing is enforced or reported. + - `report` - The restrictions are evaluated and reported, but not enforced. + - `tags` (optional): (List) Resource Tags . + - `name` (required): The Tag name. + - `value` (required): The Tag value. + - `operations` (optional): The operations this rule applies to + - `api_types`(required): (List) The API types this rule applies to. 
+ - `api_type_id`(required):The API type ID + +### Example Rule For Context-Based Restrictions Configuration + +```hcl +[ + { + description = "workload protection can be accessed from xyz" + account_id = "defc0df06b644a9cabc6e44f55b3880s." + rule_contexts= [ + { + attributes = [ + { + "name" : "endpointType", + "value" : "private" + }, + { + name = "networkZoneId" + value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret + } + ] + } + ] + enforcement_mode = "enabled" + resources = [ + { + tags { + name = "tag_name" + value = "tag_value" + } + } + ] + operations = [ + { + api_types = [ + { + api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:" + } + ] + } + ] + } +] +``` diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf new file mode 100644 index 0000000..8c4cd81 --- /dev/null +++ b/solutions/fully-configurable/main.tf 
@@ -0,0 +1,34 @@
+locals {
+ prefix_is_valid = var.prefix != null || trimspace(var.prefix) != "" ? true : false
+
+ scc_workload_protection_instance_name = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}" : var.scc_workload_protection_instance_name
+ scc_workload_protection_resource_key_name = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}-key" : "${var.scc_workload_protection_instance_name}-key"
+}
+
+ #######################################################################################################################
+ # Resource Group
+ #######################################################################################################################
+
+ module "resource_group" {
+ source = "terraform-ibm-modules/resource-group/ibm"
+ version = "1.1.6"
+ existing_resource_group_name = var.existing_resource_group_name
+}
+
+ #######################################################################################################################
+ # SCC Workload Protection
+ #######################################################################################################################
+
+ module "scc_wp" {
+ source = "../.."
+ name = local.scc_workload_protection_instance_name
+ region = var.region
+ resource_group_id = module.resource_group.resource_group_id
+ resource_tags = var.scc_workload_protection_instance_tags
+ resource_key_name = local.scc_workload_protection_resource_key_name
+ resource_key_tags = var.scc_workload_protection_resource_key_tags
+ cloud_monitoring_instance_crn = var.existing_monitoring_crn
+ access_tags = var.scc_workload_protection_access_tags
+ scc_wp_service_plan = var.scc_workload_protection_service_plan
+ cbr_rules = var.cbr_rules
+}
diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf
new file mode 100644
index 0000000..b1ed76c
--- /dev/null
+++ b/solutions/fully-configurable/outputs.tf
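Review bot: `prefix_is_valid` uses `||` where `&&` is needed: with `var.prefix = ""` the first operand is already true, so the local is true and the two names become `-scc-workload-protection` and `-scc-workload-protection-key`, contradicting the variable description that says an empty string disables the prefix. With `var.prefix = null` the second operand still reaches `trimspace(null)`, which errors unless the running Terraform short-circuits `||`. A safer form is `prefix_is_valid = var.prefix != null && trimspace(var.prefix) != ""`, or `try(trimspace(var.prefix), "") != ""` to be independent of short-circuit behaviour; the trailing `? true : false` is redundant in either case.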
@@ -0,0 +1,46 @@
+
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "resource_group_name" {
+ description = "Resource group name"
+ value = module.resource_group.resource_group_name
+}
+
+output "resource_group_id" {
+ description = "Resource group ID"
+ value = module.resource_group.resource_group_id
+}
+
+output "scc_workload_protection_id" {
+ description = "SCC Workload Protection instance ID"
+ value = module.scc_wp.id
+}
+
+output "scc_workload_protection_crn" {
+ description = "SCC Workload Protection instance CRN"
+ value = module.scc_wp.crn
+}
+
+output "scc_workload_protection_name" {
+ description = "SCC Workload Protection instance name"
+ value = module.scc_wp.name
+}
+
+output "scc_workload_protection_ingestion_endpoint" {
+ description = "SCC Workload Protection instance ingestion endpoint"
+ value = module.scc_wp.name
+}
+
+output "scc_workload_protection_api_endpoint" {
+ description = "SCC Workload Protection API endpoint"
+ value = module.scc_wp.api_endpoint
+ sensitive = true
+}
+
+output "scc_workload_protection_access_key" {
+ description = "SCC Workload Protection access key"
+ value = module.scc_wp.access_key
+ sensitive = true
+}
diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf
new file mode 100644
index 0000000..e669b7b
--- /dev/null
+++ b/solutions/fully-configurable/provider.tf
@@ -0,0 +1,9 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+ ibmcloud_api_key = var.ibmcloud_api_key
+ region = var.region
+ visibility = var.provider_visibility
+}
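Review bot: `output "scc_workload_protection_ingestion_endpoint"` returns `module.scc_wp.name`, the same value as `output "scc_workload_protection_name"` a few blocks above, so the ingestion endpoint is never actually exposed; this reads like a copy-paste slip and the value should presumably be the root module's ingestion-endpoint output (the root module is outside this diff, so the exact attribute name needs checking there). The README table added in the same commit documents this output as the ingestion endpoint, so a consumer wiring it up will receive an instance name where a URL is expected. `scc_workload_protection_api_endpoint` is `sensitive = true` while the ingestion endpoint is not; if that asymmetry is deliberate, a one-line comment on the sensitive output would spare the next reader the question.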
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf new file mode 100644 index 0000000..e55e751 --- /dev/null +++ b/solutions/fully-configurable/variables.tf 
@@ -0,0 +1,134 @@ +######################################################################################################################## +# Common variables +######################################################################################################################## + +variable "ibmcloud_api_key" { + type = string + description = "The IBM Cloud API key to deploy resources." + sensitive = true +} + +variable "existing_resource_group_name" { + type = string + description = "The name of a an existing resource group in which to provision resources to." + default = "Default" +} + +variable "existing_monitoring_crn" { + type = string + nullable = true + default = null + description = "The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration." +} + +variable "prefix" { + type = string + description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string." +} + +variable "provider_visibility" { + description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." + type = string + default = "private" + + validation { + condition = contains(["public", "private", "public-and-private"], var.provider_visibility) + error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'." 
+ } +} + +######################################################################################################################## +# SCC variables +######################################################################################################################## + +variable "scc_workload_protection_instance_name" { + description = "The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + type = string + default = "scc-workload-protection" +} + +variable "region" { + type = string + default = "us-south" + description = "The region to provision Security and Compliance Center Workload Protection resources in." + validation { + condition = contains(["us-south", + "us-east", + "eu-de", + "eu-es", + "eu-gb", + "jp-osa", + "jp-tok", + "br-sao", + "ca-tor", + "au-syd", + ], var.region) + error_message = "Invalid region selected. Allowed values are `us-south` ,`us-east`, `eu-de`, `eu-es`, `eu-gb`, `jp-osa`, `jp-tok`, `br-sao`, `ca-tor`, and `au-syd`." + } +} + +variable "scc_workload_protection_instance_tags" { + type = list(string) + description = "The list of tags to add to the Workload Protection instance." + default = [] +} + +variable "scc_workload_protection_resource_key_tags" { + type = list(string) + description = "The tags associated with the Workload Protection resource key." + default = [] +} + +variable "scc_workload_protection_access_tags" { + type = list(string) + description = "A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits)." 
+ default = [] + + validation { + condition = alltrue([ + for tag in var.scc_workload_protection_access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128 + ]) + error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details" + } +} + +variable "scc_workload_protection_service_plan" { + description = "The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`." + type = string + default = "graduated-tier" + validation { + error_message = "Plan for Workload Protection instances can only be `free-trial` or `graduated-tier`." + condition = contains( + ["free-trial", "graduated-tier"], + var.scc_workload_protection_service_plan + ) + } +} + +############################################################## +# Context-based restriction (CBR) +############################################################## +variable "cbr_rules" { + type = list(object({ + description = string + account_id = string + rule_contexts = list(object({ + attributes = optional(list(object({ + name = string + value = string + }))) })) + enforcement_mode = string + tags = optional(list(object({ + name = string + value = string + })), []) + operations = optional(list(object({ + api_types = list(object({ + api_type_id = string + })) + }))) + })) + description = "The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/cbr-rules.md)" + default = [] + # Validation happens in the rule module +} diff --git a/solutions/fully-configurable/version.tf b/solutions/fully-configurable/version.tf new file mode 100644 index 0000000..19d5d54 --- /dev/null +++ b/solutions/fully-configurable/version.tf 
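Review bot: The `scc_workload_protection_access_tags` validation uses an unanchored pattern, `can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag))`, so it only requires that a `key:value` fragment appear somewhere in the tag and accepts arbitrary characters around it; anchoring it as `"^[\\w\\-_\\.]+:[\\w\\-_\\.]+$"` makes the check match what the error message claims. The description says spaces are permitted while `\\w` excludes them, so the description and the pattern need to be settled together rather than tightened in isolation. `prefix` is the only input here whose documented contract (`null` or an empty string disables it) is not backed by a `validation` block, unlike `region`, `provider_visibility` and the service plan. The `cbr_rules` type places `tags` directly on the rule object and has no `resources` attribute, whereas the example in `cbr-rules.md` that the description links to nests `tags` inside `resources = [...]`; one of the two should be corrected so the linked example actually type-checks against this variable.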
@@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.4.0" + # Lock DA into an exact provider version - renovate automation will keep it updated + required_providers { + ibm = { + source = "IBM-Cloud/ibm" + version = "1.75.2" + } + } +} diff --git a/tests/go.sum b/tests/go.sum index 03fa26b..ac8be1d 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -353,8 +353,8 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM= +golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -483,8 +483,8 @@ golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY= +golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/tests/other_tests.go b/tests/other_tests.go new file mode 100644 index 0000000..13e9614 --- /dev/null +++ b/tests/other_tests.go 
@@ -0,0 +1,42 @@
+// Tests in this file are run in the PR pipeline and the continuous testing pipeline
+package test
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
+)
+
+const advancedExampleDir = "examples/advanced"
+const basicExampleDir = "examples/basic"
+
+func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions {
+ options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
+ Testing: t,
+ TerraformDir: dir,
+ Prefix: prefix,
+ CheckApplyResultForUpgrade: true,
+ })
+ return options
+}
+
+func TestRunBasicExample(t *testing.T) {
+ t.Parallel()
+
+ options := setupOptions(t, "scc-wp", basicExampleDir)
+
+ output, err := options.RunTestConsistency()
+ assert.Nil(t, err, "This should not have errored")
+ assert.NotNil(t, output, "Expected some output")
+}
+
+func TestRunAdvancedExample(t *testing.T) {
+ t.Parallel()
+
+ options := setupOptions(t, "scc-wp-adv", advancedExampleDir)
+
+ output, err := options.RunTest()
+ assert.Nil(t, err, "This should not have errored")
+ assert.NotNil(t, output, "Expected some output")
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 61babca..1dfc332 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
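Review bot: The file is named `other_tests.go`, not `other_test.go`, so `go test` compiles it as ordinary package code and never discovers `TestRunBasicExample` or `TestRunAdvancedExample`; that contradicts the header comment `// Tests in this file are run in the PR pipeline and the continuous testing pipeline`. If keeping the example tests out of both pipelines is intended (the PR test in this commit now targets the DA in Schematics), change the comment to say so; otherwise rename the file. `setupOptions` also lacks a doc comment, e.g. `// setupOptions returns terratest options for the example under dir, using prefix for resource names.`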
@@ -6,18 +6,33 @@ import ( "os" "testing" + "math/rand/v2" + "github.com/stretchr/testify/assert" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common" - "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic" ) -// const resourceGroup = "geretain-test-resources" -const advancedExampleDir = "examples/advanced" -const basicExampleDir = "examples/basic" +const resourceGroup = "geretain-test-resources" +const fullyConfigurableDADir = "solutions/fully-configurable" -// Define a struct with fields that match the structure of the YAML data +// Define a struct with fields that match the structure of the YAML data. const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml" +// Current supported SCC Workload Protection region +var validRegions = []string{ + "us-south", + "us-east", + "eu-de", + "eu-es", + "eu-gb", + "jp-osa", + "jp-tok", + "br-sao", + "ca-tor", + "au-syd", +} + var permanentResources map[string]interface{} func TestMain(m *testing.M) { 
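Review bot: `"math/rand/v2"` is placed in its own import group between the standard-library and third-party groups; goimports would fold it into the first group beside `"os"` and `"testing"`, and the next formatter run will move it there anyway, so better to land it in that position now. The comment above `validRegions` reads `// Current supported SCC Workload Protection region` and should be plural (`regions`). The re-punctuated `// Define a struct with fields that match the structure of the YAML data.` still sits above a `const` string rather than a struct; since the line is touched here, it is the moment to make it describe `yamlLocation`.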
@@ -31,39 +46,70 @@ func TestMain(m *testing.M) { os.Exit(m.Run()) } -func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions { - options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ - Testing: t, - TerraformDir: dir, - Prefix: prefix, - // only one `lite` instance can be provisioned for each RG. Always create a new RG. - // ResourceGroup: resourceGroup, - TerraformVars: map[string]interface{}{ - "access_tags": permanentResources["accessTags"], +func TestDAInSchematics(t *testing.T) { + t.Parallel() + + var region = validRegions[rand.IntN(len(validRegions))] + + options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ + Testing: t, + Prefix: "wp-da", + TarIncludePatterns: []string{ + "*.tf", + fullyConfigurableDADir + "/*.tf", }, - CheckApplyResultForUpgrade: true, + ResourceGroup: resourceGroup, + TemplateFolder: fullyConfigurableDADir, + Tags: []string{"test-schematic"}, + DeleteWorkspaceOnFail: false, + WaitJobCompleteMinutes: 60, }) - return options -} -func TestRunBasicExample(t *testing.T) { - t.Parallel() - - options := setupOptions(t, "scc-wp", basicExampleDir) + options.TerraformVars = []testschematic.TestSchematicTerraformVar{ + {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, + {Name: "region", Value: region, DataType: "string"}, + {Name: "scc_workload_protection_instance_tags", Value: options.Tags, DataType: "list(string)"}, + {Name: "scc_workload_protection_resource_key_tags", Value: options.Tags, DataType: "list(string)"}, + {Name: "scc_workload_protection_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "prefix", Value: options.Prefix, DataType: "string"}, + } - output, err := options.RunTestConsistency() + err := options.RunSchematicTest() assert.Nil(t, err, "This 
should not have errored") - assert.NotNil(t, output, "Expected some output") } -func TestRunAdvancedUpgradeExample(t *testing.T) { +func TestRunUpgradeDA(t *testing.T) { t.Parallel() - options := setupOptions(t, "scc-wp-upg", advancedExampleDir) + var region = validRegions[rand.IntN(len(validRegions))] + + options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ + Testing: t, + Prefix: "wp-da", + TarIncludePatterns: []string{ + "*.tf", + fullyConfigurableDADir + "/*.tf", + }, + ResourceGroup: resourceGroup, + TemplateFolder: fullyConfigurableDADir, + Tags: []string{"test-schematic"}, + DeleteWorkspaceOnFail: false, + WaitJobCompleteMinutes: 60, + }) + + options.TerraformVars = []testschematic.TestSchematicTerraformVar{ + {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, + {Name: "region", Value: region, DataType: "string"}, + {Name: "scc_workload_protection_instance_tags", Value: options.Tags, DataType: "list(string)"}, + {Name: "scc_workload_protection_resource_key_tags", Value: options.Tags, DataType: "list(string)"}, + {Name: "scc_workload_protection_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "prefix", Value: options.Prefix, DataType: "string"}, + } - output, err := options.RunTestUpgrade() + err := options.RunSchematicUpgradeTest() if !options.UpgradeTestSkipped { assert.Nil(t, err, "This should not have errored") - assert.NotNil(t, output, "Expected some output") } }
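Review bot: `TestDAInSchematics` and `TestRunUpgradeDA` build byte-identical `TestSchematicOptions` and `TerraformVars` literals (roughly twenty lines each), so every future change to the DA inputs has to be made twice; the helper pattern this commit removes (`setupOptions`) fits here and reduces each test to the call that differs (`RunSchematicTest` vs `RunSchematicUpgradeTest`). Both tests also pass the same `Prefix: "wp-da"` while running in parallel; if `TestSchematicOptionsDefault` does not append a random suffix, the two workspaces and instance names collide, so giving the upgrade test its own prefix is cheap insurance. Inside a function body, `var region = ...` would conventionally be `region := ...`.

```go
// setupSchematicOptions builds the Schematics options shared by the DA tests;
// the region is drawn at random from validRegions on each call.
func setupSchematicOptions(t *testing.T, prefix string) *testschematic.TestSchematicOptions {
	region := validRegions[rand.IntN(len(validRegions))]

	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
		Testing: t,
		Prefix:  prefix,
		// … unchanged: TarIncludePatterns, ResourceGroup, TemplateFolder, Tags, DeleteWorkspaceOnFail, WaitJobCompleteMinutes …
	})

	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
		// … unchanged: the seven TerraformVars entries from the hunk, "region" taking the value chosen above …
	}
	return options
}

func TestDAInSchematics(t *testing.T) {
	t.Parallel()

	options := setupSchematicOptions(t, "wp-da")
	err := options.RunSchematicTest()
	assert.Nil(t, err, "This should not have errored")
}

// … unchanged: TestRunUpgradeDA, now calling setupSchematicOptions(t, "wp-da-upg") before RunSchematicUpgradeTest …
```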