From 78012df1ed0d3432063b375dbb2e9870c3de34c3 Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Thu, 20 Feb 2025 05:58:50 +0000 Subject: [PATCH 01/11] feat: scc workload protection DA --- common-dev-assets | 2 +- solutions/standard/README.md | 60 ++++++++++++ .../catalogValidationValues.json.template | 4 + solutions/standard/main.tf | 34 +++++++ solutions/standard/outputs.tf | 46 +++++++++ solutions/standard/provider.tf | 9 ++ solutions/standard/variables.tf | 98 +++++++++++++++++++ solutions/standard/version.tf | 10 ++ tests/go.mod | 9 +- tests/go.sum | 14 +-- tests/other_tests.go | 44 +++++++++ tests/pr_test.go | 79 ++++++++++----- 12 files changed, 375 insertions(+), 34 deletions(-) create mode 100644 solutions/standard/README.md create mode 100644 solutions/standard/catalogValidationValues.json.template create mode 100644 solutions/standard/main.tf create mode 100644 solutions/standard/outputs.tf create mode 100644 solutions/standard/provider.tf create mode 100644 solutions/standard/variables.tf create mode 100644 solutions/standard/version.tf create mode 100644 tests/other_tests.go diff --git a/common-dev-assets b/common-dev-assets index 7918b90..151f5e7 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 7918b907ccd6e8ce14977d9461dac534a2e4114f +Subproject commit 151f5e7fb5a775ed3bea62d9ba5b326cd5fbdc80 diff --git a/solutions/standard/README.md b/solutions/standard/README.md new file mode 100644 index 0000000..7f31069 --- /dev/null +++ b/solutions/standard/README.md 
@@ -0,0 +1,60 @@ +# Security and Compliance Center instances solution + +This solution supports provisioning and configuring the following infrastructure: + +- A resource group, if one is not passed in. +- A Security and Compliance Center Workload Protection instance. + +:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). + + + + +### Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.4.0 | +| [ibm](#requirement\_ibm) | 1.75.2 | + +### Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.1.6 | +| [scc\_wp](#module\_scc\_wp) | ../.. | n/a | + +### Resources + +No resources. + +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection. | `string` | `null` | no | +| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | +| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string. 
| `string` | `"dev"` | no | +| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of a new or an existing resource group in which to provision resources to. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | n/a | yes | +| [scc\_region](#input\_scc\_region) | The region to provision Security and Compliance Center resources in. | `string` | `"us-south"` | no | +| [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no | +| [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"base-security-services-scc-wp"` | no | +| [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no | +| [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. 
| `list(string)` | `[]` | no | +| [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no | +| [use\_existing\_resource\_group](#input\_use\_existing\_resource\_group) | Whether to use an existing resource group. | `bool` | `false` | no | + +### Outputs + +| Name | Description | +|------|-------------| +| [resource\_group\_id](#output\_resource\_group\_id) | Resource group ID | +| [resource\_group\_name](#output\_resource\_group\_name) | Resource group name | +| [scc\_workload\_protection\_access\_key](#output\_scc\_workload\_protection\_access\_key) | SCC Workload Protection access key | +| [scc\_workload\_protection\_api\_endpoint](#output\_scc\_workload\_protection\_api\_endpoint) | SCC Workload Protection API endpoint | +| [scc\_workload\_protection\_crn](#output\_scc\_workload\_protection\_crn) | SCC Workload Protection instance CRN | +| [scc\_workload\_protection\_id](#output\_scc\_workload\_protection\_id) | SCC Workload Protection instance ID | +| [scc\_workload\_protection\_ingestion\_endpoint](#output\_scc\_workload\_protection\_ingestion\_endpoint) | SCC Workload Protection instance ingestion endpoint | +| [scc\_workload\_protection\_name](#output\_scc\_workload\_protection\_name) | SCC Workload Protection instance name | + diff --git a/solutions/standard/catalogValidationValues.json.template b/solutions/standard/catalogValidationValues.json.template new file mode 100644 index 0000000..6dbf420 --- /dev/null +++ b/solutions/standard/catalogValidationValues.json.template @@ -0,0 +1,4 @@ +{ + "ibmcloud_api_key": $VALIDATION_APIKEY, + "resource_group_name": $PREFIX +} diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf new file mode 100644 index 0000000..064cb4c --- /dev/null +++ b/solutions/standard/main.tf 
@@ -0,0 +1,34 @@
+locals {
+ prefix = var.prefix != null ? (var.prefix != "" ? var.prefix : null) : null
+
+ scc_workload_protection_instance_name = try("${local.prefix}-${var.scc_workload_protection_instance_name}", var.scc_workload_protection_instance_name)
+ scc_workload_protection_resource_key_name = try("${local.prefix}-${var.scc_workload_protection_instance_name}-key", "${var.scc_workload_protection_instance_name}-key")
+}
+
+#######################################################################################################################
+# Resource Group
+#######################################################################################################################
+
+module "resource_group" {
+ source = "terraform-ibm-modules/resource-group/ibm"
+ version = "1.1.6"
+ resource_group_name = var.use_existing_resource_group == false ? try("${local.prefix}-${var.resource_group_name}", var.resource_group_name) : null
+ existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null
+}
+
+#######################################################################################################################
+# SCC Workload Protection
+#######################################################################################################################
+
+module "scc_wp" {
+ source = "../.."
+ name = local.scc_workload_protection_instance_name
+ region = var.scc_region
+ resource_group_id = module.resource_group.resource_group_id
+ resource_tags = var.scc_workload_protection_instance_tags
+ resource_key_name = local.scc_workload_protection_resource_key_name
+ resource_key_tags = var.scc_workload_protection_resource_key_tags
+ cloud_monitoring_instance_crn = var.existing_monitoring_crn
+ access_tags = var.scc_workload_protection_access_tags
+ scc_wp_service_plan = var.scc_workload_protection_service_plan
+}
diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf
new file mode 100644
index 0000000..b1ed76c
--- /dev/null
+++ b/solutions/standard/outputs.tf
@@ -0,0 +1,46 @@
+
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "resource_group_name" {
+ description = "Resource group name"
+ value = module.resource_group.resource_group_name
+}
+
+output "resource_group_id" {
+ description = "Resource group ID"
+ value = module.resource_group.resource_group_id
+}
+
+output "scc_workload_protection_id" {
+ description = "SCC Workload Protection instance ID"
+ value = module.scc_wp.id
+}
+
+output "scc_workload_protection_crn" {
+ description = "SCC Workload Protection instance CRN"
+ value = module.scc_wp.crn
+}
+
+output "scc_workload_protection_name" {
+ description = "SCC Workload Protection instance name"
+ value = module.scc_wp.name
+}
+
+output "scc_workload_protection_ingestion_endpoint" {
+ description = "SCC Workload Protection instance ingestion endpoint"
+ value = module.scc_wp.name
+}
+
+output "scc_workload_protection_api_endpoint" {
+ description = "SCC Workload Protection API endpoint"
+ value = module.scc_wp.api_endpoint
+ sensitive = true
+}
+
+output "scc_workload_protection_access_key" {
+ description = "SCC Workload Protection access key"
+ value = module.scc_wp.access_key
+ sensitive = true
+}
diff --git a/solutions/standard/provider.tf b/solutions/standard/provider.tf
new file mode 100644
index 0000000..018649f
--- /dev/null
+++ b/solutions/standard/provider.tf
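Review bot: The `scc_workload_protection_ingestion_endpoint` output reads `module.scc_wp.name`, so it returns the instance name and merely duplicates `scc_workload_protection_name` instead of the ingestion endpoint its description promises. It should be `value = module.scc_wp.ingestion_endpoint`, assuming the root module exposes an output of that name (the root module's outputs are not in this diff, so confirm). If the root module marks that value sensitive, this output needs `sensitive = true` too, as `api_endpoint` and `access_key` already have.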
@@ -0,0 +1,9 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+ ibmcloud_api_key = var.ibmcloud_api_key
+ region = var.scc_region
+ visibility = var.provider_visibility
+}
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
new file mode 100644
index 0000000..89b6097
--- /dev/null
+++ b/solutions/standard/variables.tf
@@ -0,0 +1,98 @@ +######################################################################################################################## +# Common variables +######################################################################################################################## + +variable "ibmcloud_api_key" { + type = string + description = "The IBM Cloud API key to deploy resources." + sensitive = true +} + +variable "use_existing_resource_group" { + type = bool + description = "Whether to use an existing resource group." + default = false +} + +variable "resource_group_name" { + type = string + description = "The name of a new or an existing resource group in which to provision resources to. If a prefix input variable is specified, the prefix is added to the name in the `-` format." +} + +variable "existing_monitoring_crn" { + type = string + nullable = true + default = null + description = "The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection." +} + +variable "prefix" { + type = string + description = "The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string." + default = "dev" +} + +variable "provider_visibility" { + description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." 
+ type = string + default = "private" + + validation { + condition = contains(["public", "private", "public-and-private"], var.provider_visibility) + error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'." + } +} + +######################################################################################################################## +# SCC variables +######################################################################################################################## + +variable "scc_workload_protection_instance_name" { + description = "The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + type = string + default = "base-security-services-scc-wp" +} + +variable "scc_region" { + type = string + default = "us-south" + description = "The region to provision Security and Compliance Center resources in." +} + +variable "scc_workload_protection_instance_tags" { + type = list(string) + description = "The list of tags to add to the Workload Protection instance." + default = [] +} + +variable "scc_workload_protection_resource_key_tags" { + type = list(string) + description = "The tags associated with the Workload Protection resource key." + default = [] +} + +variable "scc_workload_protection_access_tags" { + type = list(string) + description = "A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits)." 
+ default = [] + + validation { + condition = alltrue([ + for tag in var.scc_workload_protection_access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128 + ]) + error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details" + } +} + +variable "scc_workload_protection_service_plan" { + description = "The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`." + type = string + default = "graduated-tier" + validation { + error_message = "Plan for Workload Protection instances can only be `free-trial` or `graduated-tier`." + condition = contains( + ["free-trial", "graduated-tier"], + var.scc_workload_protection_service_plan + ) + } +} diff --git a/solutions/standard/version.tf b/solutions/standard/version.tf new file mode 100644 index 0000000..19d5d54 --- /dev/null +++ b/solutions/standard/version.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.4.0" + # Lock DA into an exact provider version - renovate automation will keep it updated + required_providers { + ibm = { + source = "IBM-Cloud/ibm" + version = "1.75.2" + } + } +} diff --git a/tests/go.mod b/tests/go.mod index 647eaa5..0fd40da 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -1,6 +1,6 @@ module github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection -go 1.22.4 +go 1.23.0 toolchain go1.24.0 
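Review bot: The `scc_workload_protection_access_tags` validation is unanchored, `can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag))`, so a tag only has to contain a `key:value` substring somewhere; characters outside the class on either side are never rejected and the 128-character cap is the only constraint actually enforced. Either anchor it, `can(regex("^[\\w\\-_\\.]+:[\\w\\-_\\.]+$", tag))` with the same pattern mirrored in `error_message`, or reword the description to state what is checked — note the description lists spaces as allowed while the class has none, so decide which is intended before anchoring. Two descriptions also look carried over from another solution: `scc_workload_protection_instance_name` says it applies only if `provision_scc_workload_protection` is true, but no such variable exists in this solution, and `existing_monitoring_crn` describes Object Storage bucket metrics this solution does not create.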
@@ -89,12 +89,13 @@ require ( go.opentelemetry.io/otel/metric v1.29.0 // indirect go.opentelemetry.io/otel/trace v1.29.0 // indirect golang.org/x/crypto v0.33.0 // indirect - golang.org/x/mod v0.18.0 // indirect - golang.org/x/net v0.34.0 // indirect + golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa + golang.org/x/mod v0.23.0 // indirect + golang.org/x/net v0.35.0 // indirect golang.org/x/sync v0.11.0 // indirect golang.org/x/sys v0.30.0 // indirect golang.org/x/text v0.22.0 // indirect - golang.org/x/tools v0.22.0 // indirect + golang.org/x/tools v0.30.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/tests/go.sum b/tests/go.sum index c2dcb2d..2427121 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -342,6 +342,8 @@ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus= golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= +golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa h1:t2QcU6V556bFjYgu4L6C+6VrCPyJZ+eyRsABUPs1mz4= +golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa/go.mod h1:BHOTPb3L19zxehTsLoJXVaTktb06DFgmdW6Wb9s8jqk= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
@@ -352,8 +354,8 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM= +golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -381,8 +383,8 @@ golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= -golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0= -golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= +golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8= +golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -482,8 +484,8 @@ golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY= +golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/tests/other_tests.go b/tests/other_tests.go new file mode 100644 index 0000000..3afe358 --- /dev/null +++ b/tests/other_tests.go 
@@ -0,0 +1,44 @@
+// Tests in this file are run in the PR pipeline and the continuous testing pipeline
+package test
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
+)
+
+const advancedExampleDir = "examples/advanced"
+const basicExampleDir = "examples/basic"
+
+func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions {
+ options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
+ Testing: t,
+ TerraformDir: dir,
+ Prefix: prefix,
+ CheckApplyResultForUpgrade: true,
+ })
+ return options
+}
+
+func TestRunBasicExample(t *testing.T) {
+ t.Parallel()
+
+ options := setupOptions(t, "scc-wp", basicExampleDir)
+
+ output, err := options.RunTestConsistency()
+ assert.Nil(t, err, "This should not have errored")
+ assert.NotNil(t, output, "Expected some output")
+}
+
+func TestRunAdvancedUpgradeExample(t *testing.T) {
+ t.Parallel()
+
+ options := setupOptions(t, "scc-wp-upg", advancedExampleDir)
+
+ output, err := options.RunTestUpgrade()
+ if !options.UpgradeTestSkipped {
+ assert.Nil(t, err, "This should not have errored")
+ assert.NotNil(t, output, "Expected some output")
+ }
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 61babca..d7ad197 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
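Review bot: The new file is named `tests/other_tests.go`, which does not end in `_test.go`, so `go test` compiles it as an ordinary package file and `TestRunBasicExample` and `TestRunAdvancedUpgradeExample` are never executed; rename it to `other_test.go`. The header comment says these tests run in the PR pipeline, yet they were just moved out of `pr_test.go`, which suggests they are intended for the continuous pipeline only — confirm and make the comment say which pipeline runs them. The two `const` lines would read better as one grouped `const (...)` block.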
@@ -6,18 +6,28 @@ import ( "os" "testing" + "math/rand/v2" + "github.com/stretchr/testify/assert" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic" ) -// const resourceGroup = "geretain-test-resources" -const advancedExampleDir = "examples/advanced" -const basicExampleDir = "examples/basic" +const resourceGroup = "geretain-test-resources" +const standardSolutionDir = "solutions/standard" // Define a struct with fields that match the structure of the YAML data const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml" +// Current supported SCC region +var validRegions = []string{ + "us-south", + "eu-de", + "ca-tor", + "eu-es", +} + var permanentResources map[string]interface{} func TestMain(m *testing.M) { 
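Review bot: `"math/rand/v2"` is added as its own import group after `"testing"` rather than inside the standard-library group, where `goimports` would sort it before `"os"`; move it there so the file stays goimports-clean. The comment above the new list, `// Current supported SCC region`, introduces several regions; `// Currently supported SCC regions` reads better. The pre-existing `// Define a struct with fields that match the structure of the YAML data` comment sits above a string constant, not a struct, and looks left over from an earlier version.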
@@ -31,35 +41,58 @@ func TestMain(m *testing.M) { os.Exit(m.Run()) } -func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions { - options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ - Testing: t, - TerraformDir: dir, - Prefix: prefix, - // only one `lite` instance can be provisioned for each RG. Always create a new RG. - // ResourceGroup: resourceGroup, - TerraformVars: map[string]interface{}{ - "access_tags": permanentResources["accessTags"], +func TestInstancesInSchematics(t *testing.T) { + t.Parallel() + + var region = validRegions[rand.IntN(len(validRegions))] + + options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ + Testing: t, + Prefix: "wp-da", + TarIncludePatterns: []string{ + "*.tf", + standardSolutionDir + "/*.tf", }, - CheckApplyResultForUpgrade: true, + ResourceGroup: resourceGroup, + TemplateFolder: standardSolutionDir, + Tags: []string{"test-schematic"}, + DeleteWorkspaceOnFail: false, + WaitJobCompleteMinutes: 60, }) - return options -} -func TestRunBasicExample(t *testing.T) { - t.Parallel() - - options := setupOptions(t, "scc-wp", basicExampleDir) + options.TerraformVars = []testschematic.TestSchematicTerraformVar{ + {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "resource_group_name", Value: options.Prefix, DataType: "string"}, + {Name: "scc_region", Value: region, DataType: "string"}, + {Name: "scc_workload_protection_instance_tags", Value: options.Tags, DataType: "list(string)"}, + {Name: "scc_workload_protection_resource_key_tags", Value: options.Tags, DataType: "list(string)"}, + {Name: "scc_workload_protection_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "prefix", Value: options.Prefix, DataType: "string"}, + } - output, err := options.RunTestConsistency() + err := options.RunSchematicTest() assert.Nil(t, err, "This should 
not have errored") - assert.NotNil(t, output, "Expected some output") } -func TestRunAdvancedUpgradeExample(t *testing.T) { +func TestRunUpgradeInstances(t *testing.T) { t.Parallel() - options := setupOptions(t, "scc-wp-upg", advancedExampleDir) + var region = validRegions[rand.IntN(len(validRegions))] + + options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ + Testing: t, + TerraformDir: standardSolutionDir, + Prefix: "wp-da-upg", + }) + + options.TerraformVars = map[string]interface{}{ + "prefix": options.Prefix, + "resource_group_name": options.Prefix, + "scc_region": region, + "scc_workload_protection_instance_tags": options.Tags, + "scc_workload_protection_resource_key_tags": options.Tags, + "scc_workload_protection_access_tags": permanentResources["accessTags"], + } output, err := options.RunTestUpgrade() if !options.UpgradeTestSkipped { From bd68d59f82a2d05c7f8c2916ec6560d7e3427e96 Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Thu, 20 Feb 2025 05:59:32 +0000 Subject: [PATCH 02/11] SKIP UPGRADE TESTS --- tests/pr_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/pr_test.go b/tests/pr_test.go index d7ad197..68a07d1 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -17,7 +17,7 @@ import ( const resourceGroup = "geretain-test-resources" const standardSolutionDir = "solutions/standard" -// Define a struct with fields that match the structure of the YAML data +// Define a struct with fields that match the structure of the YAML data. const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml" // Current supported SCC region From dc9d0519f0aaddbb5278c4ddf807789a2b6309bc Mon Sep 17 00:00:00 2001 
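Review bot: Both `TestInstancesInSchematics` and `TestRunUpgradeInstances` pick a region with `var region = validRegions[rand.IntN(len(validRegions))]` but never record it, so a failure that only happens in one region cannot be reproduced from the test output; use `region := validRegions[rand.IntN(len(validRegions))]` followed by `t.Logf("using region %s", region)`, or move the pick into a small helper shared by both tests. `DeleteWorkspaceOnFail: false` keeps the Schematics workspace and its variables after a failed run; since `ibmcloud_api_key` is passed with `Secure: true` that is acceptable for debugging, but a one-line comment stating the workspace is retained on purpose would stop a later reader from "fixing" it. `TestRunUpgradeInstances` continues past the end of the hunk.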
From: Jordan-Williams2 Date: Fri, 21 Feb 2025 12:51:59 +0000 Subject: [PATCH 03/11] feat: review feedback --- solutions/standard/README.md | 7 ++-- solutions/standard/cbr-rules.md | 70 +++++++++++++++++++++++++++++++++ solutions/standard/main.tf | 13 +++--- solutions/standard/provider.tf | 2 +- solutions/standard/variables.tf | 32 ++++++++++++++- tests/pr_test.go | 10 ++--- 6 files changed, 118 insertions(+), 16 deletions(-) create mode 100644 solutions/standard/cbr-rules.md diff --git a/solutions/standard/README.md b/solutions/standard/README.md index 7f31069..eec7bf8 100644 --- a/solutions/standard/README.md +++ b/solutions/standard/README.md @@ -1,4 +1,4 @@ -# Security and Compliance Center instances solution +# Security and Compliance Center Workload Protection solution This solution supports provisioning and configuring the following infrastructure: @@ -34,12 +34,13 @@ No resources. |------|-------------|------|---------|:--------:| | [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection. | `string` | `null` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | +| [instance\_cbr\_rules](#input\_instance\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/standard/cbr-rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | `"dev"` | no | | [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | +| [region](#input\_region) | The region to provision Security and Compliance Center resources in. | `string` | `"us-south"` | no | | [resource\_group\_name](#input\_resource\_group\_name) | The name of a new or an existing resource group in which to provision resources to. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | n/a | yes | -| [scc\_region](#input\_scc\_region) | The region to provision Security and Compliance Center resources in. | `string` | `"us-south"` | no | | [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no | -| [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `-` format. 
| `string` | `"base-security-services-scc-wp"` | no | +| [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"workload_protection"` | no | | [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no | | [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. | `list(string)` | `[]` | no | | [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no | diff --git a/solutions/standard/cbr-rules.md b/solutions/standard/cbr-rules.md new file mode 100644 index 0000000..970b283 --- /dev/null +++ b/solutions/standard/cbr-rules.md 
@@ -0,0 +1,70 @@ +# Configuring complex inputs for COS in IBM Cloud projects + +Several optional input variables in the IBM Cloud [COS deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture. + +* Context-Based Restrictions Rules (`instance_cbr_rules`) + + +## Rules For Context-Based Restrictions + +The `instance_cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc. + +- Variable name: `instance_cbr_rules`. +- Type: A list of objects. Allows only one object representing a rule for the target service +- Default value: An empty list (`[]`). + +### Options for instance_cbr_rules + + - `description` (required): The description of the rule to create. + - `account_id` (required): The IBM Cloud Account ID + - `rule_contexts` (required): (List) The contexts the rule applies to + - `attributes` (optional): (List) Individual context attributes + - `name` (required): The attribute name. + - `value` (required): The attribute value. + + - `enforcement_mode` (required): The rule enforcement mode can have the following values: + - `enabled` - The restrictions are enforced and reported. This is the default. + - `disabled` - The restrictions are disabled. Nothing is enforced or reported. + - `report` - The restrictions are evaluated and reported, but not enforced. + - `tags` (optional): (List) Resource Tags . + - `name` (required): The Tag name. + - `value` (required): The Tag value. + - `operations` (optional): The operations this rule applies to + - `api_types`(required): (List) The API types this rule applies to. 
+ - `api_type_id`(required):The API type ID
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+instance_cbr_rules = [
+ {
+ description = "COS can be accessed from xyz"
+ account_id = "defc0df06b644a9cabc6e44f55b3880s."
+ rule_contexts= [{
+ attributes = [
+ {
+ "name" : "endpointType",
+ "value" : "private"
+ },
+ {
+ name = "networkZoneId"
+ value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+ }
+ ]
+ }
+ ]
+ enforcement_mode = "enabled"
+ resources = [{
+ tags {
+ name = "tag_name"
+ value = "tag_value"
+ }
+ }]
+ operations = [{
+ api_types = [{
+ api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+ }]
+ }]
+ }
+]
+```
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 064cb4c..50e4343 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -1,8 +1,10 @@
 locals {
- prefix = var.prefix != null ? (var.prefix != "" ? var.prefix : null) : null
+ prefix_is_valid = var.prefix != null || trimspace(var.prefix) != "" ? true : false
- scc_workload_protection_instance_name = try("${local.prefix}-${var.scc_workload_protection_instance_name}", var.scc_workload_protection_instance_name)
- scc_workload_protection_resource_key_name = try("${local.prefix}-${var.scc_workload_protection_instance_name}-key", "${var.scc_workload_protection_instance_name}-key")
+ scc_workload_protection_instance_name = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}" : var.scc_workload_protection_instance_name
+ scc_workload_protection_resource_key_name = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}-key" : "${var.scc_workload_protection_instance_name}-key"
+
+ resource_group_name = local.prefix_is_valid ? "${var.prefix}-${var.resource_group_name}" : var.resource_group_name
 }
 #######################################################################################################################
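Review bot: `prefix_is_valid = var.prefix != null || trimspace(var.prefix) != "" ? true : false` should use `&&`, not `||`: the solution README states that a `null` or empty `prefix` disables prefixing, but with `||` an empty string makes the left operand true, so the instance, resource-key and resource-group names all come out as `-<name>`. With a `null` prefix the right operand evaluates `trimspace(null)`, which I believe Terraform rejects as a null function argument because HCL evaluates both operands rather than short-circuiting. The removed `try(...)` form handled both cases, so this is a regression introduced by the hunk rather than a carry-over. Suggest `prefix_is_valid = var.prefix != null && trimspace(var.prefix) != ""` (the `? true : false` on an already-boolean expression is redundant).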
@@ -12,7 +14,7 @@ locals {
 module "resource_group" {
 source = "terraform-ibm-modules/resource-group/ibm"
 version = "1.1.6"
- resource_group_name = var.use_existing_resource_group == false ? try("${local.prefix}-${var.resource_group_name}", var.resource_group_name) : null
+ resource_group_name = var.use_existing_resource_group == false ? local.resource_group_name : null
 existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null
 }
@@ -23,7 +25,7 @@ module "resource_group" {
 module "scc_wp" {
 source = "../.."
 name = local.scc_workload_protection_instance_name
- region = var.scc_region
+ region = var.region
 resource_group_id = module.resource_group.resource_group_id
 resource_tags = var.scc_workload_protection_instance_tags
 resource_key_name = local.scc_workload_protection_resource_key_name
@@ -31,4 +33,5 @@ module "scc_wp" {
 cloud_monitoring_instance_crn = var.existing_monitoring_crn
 access_tags = var.scc_workload_protection_access_tags
 scc_wp_service_plan = var.scc_workload_protection_service_plan
+ cbr_rules = var.instance_cbr_rules
 }
diff --git a/solutions/standard/provider.tf b/solutions/standard/provider.tf
index 018649f..e669b7b 100644
--- a/solutions/standard/provider.tf
+++ b/solutions/standard/provider.tf
@@ -4,6 +4,6 @@ provider "ibm" {
 ibmcloud_api_key = var.ibmcloud_api_key
- region = var.scc_region
+ region = var.region
 visibility = var.provider_visibility
 }
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 89b6097..8be5d56 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -50,10 +50,10 @@ variable "provider_visibility" {
 variable "scc_workload_protection_instance_name" {
 description = "The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
 type = string
- default = "base-security-services-scc-wp"
+ default = "workload_protection"
 }
-variable "scc_region" {
+variable "region" {
 type = string
 default = "us-south"
 description = "The region to provision Security and Compliance Center resources in."
@@ -96,3 +96,31 @@ variable "scc_workload_protection_service_plan" {
 )
 }
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+variable "instance_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ tags = optional(list(object({
+ name = string
+ value = string
+ })), [])
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/standard/cbr-rules.md)"
+ default = []
+ # Validation happens in the rule module
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 68a07d1..a61f00d 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
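Review bot: `enforcement_mode = string` in the new `instance_cbr_rules` variable accepts any string, and the trailing `# Validation happens in the rule module` comment defers the check to the nested module, so a misspelled mode (cbr-rules.md in this series documents `enabled`, `disabled` and `report`) is only caught when the child module is evaluated rather than at this solution's own plan stage. A `validation` block on the variable rejects it up front and gives the DA user a message naming the input; the solution already requires Terraform >= 1.4.0, which supports this. Separately, the `description` string has no space before `[Learn more]`, which renders as `instance.[Learn more]` in the generated README table on this page.
```hcl
variable "instance_cbr_rules" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for rule in var.instance_cbr_rules : contains(["enabled", "disabled", "report"], rule.enforcement_mode)])
    error_message = "Each instance_cbr_rules entry must set enforcement_mode to one of: enabled, disabled, report."
  }
}
```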
@@ -20,7 +20,7 @@ const standardSolutionDir = "solutions/standard"
 // Define a struct with fields that match the structure of the YAML data.
 const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml"
-// Current supported SCC region
+// Current supported SCC Workload Protection region
 var validRegions = []string{
 "us-south",
 "eu-de",
@@ -41,7 +41,7 @@ func TestMain(m *testing.M) {
 os.Exit(m.Run())
 }
-func TestInstancesInSchematics(t *testing.T) {
+func TestDAInSchematics(t *testing.T) {
 t.Parallel()
 var region = validRegions[rand.IntN(len(validRegions))]
@@ -63,7 +63,7 @@ func TestInstancesInSchematics(t *testing.T) {
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 {Name: "resource_group_name", Value: options.Prefix, DataType: "string"},
- {Name: "scc_region", Value: region, DataType: "string"},
+ {Name: "region", Value: region, DataType: "string"},
 {Name: "scc_workload_protection_instance_tags", Value: options.Tags, DataType: "list(string)"},
 {Name: "scc_workload_protection_resource_key_tags", Value: options.Tags, DataType: "list(string)"},
 {Name: "scc_workload_protection_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"},
@@ -74,7 +74,7 @@ func TestInstancesInSchematics(t *testing.T) {
 assert.Nil(t, err, "This should not have errored")
 }
-func TestRunUpgradeInstances(t *testing.T) {
+func TestRunUpgradeDA(t *testing.T) {
 t.Parallel()
 var region = validRegions[rand.IntN(len(validRegions))]
@@ -88,7 +88,7 @@ func TestRunUpgradeInstances(t *testing.T) {
 options.TerraformVars = map[string]interface{}{
 "prefix": options.Prefix,
 "resource_group_name": options.Prefix,
- "scc_region": region,
+ "region": region,
 "scc_workload_protection_instance_tags": options.Tags,
 "scc_workload_protection_resource_key_tags": options.Tags,
 "scc_workload_protection_access_tags": permanentResources["accessTags"],
From e217ab813b413cd2fe024be98016685658c4efc0 Mon Sep 17 00:00:00 2001
From: Jordan-Williams2
Date: Fri, 21 Feb 2025 13:22:02 +0000
Subject: [PATCH 04/11] feat: review feedback
---
 .catalog-onboard-pipeline.yaml | 14 +++
 .releaserc | 3 +
 ibm_catalog.json | 184 ++++++++++++++++++++++++++++++++
 images/scc-icon.svg | 1 +
 reference-architecture/scc.svg | 4 +
 solutions/standard/README.md | 2 +-
 solutions/standard/cbr-rules.md | 12 +--
 solutions/standard/main.tf | 2 +-
 solutions/standard/variables.tf | 2 +-
 9 files changed, 215 insertions(+), 9 deletions(-)
 create mode 100644 .catalog-onboard-pipeline.yaml
 create mode 100644 ibm_catalog.json
 create mode 100644 images/scc-icon.svg
 create mode 100644 reference-architecture/scc.svg
diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml
new file mode 100644
index 0000000..28e1c9c
--- /dev/null
+++ b/.catalog-onboard-pipeline.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+offerings:
+ - name: deploy-arch-ibm-workload-protection
+ kind: solution
+ catalog_id: _
+ offering_id: _
+ variations:
+ - name: standard
+ mark_ready: true
+ install_type: extension
+ scc:
+ instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
+ region: us-south
diff --git a/.releaserc b/.releaserc
index 708916f..622ce91 100644
--- a/.releaserc
+++ b/.releaserc
@@ -10,6 +10,9 @@
 }],
 ["@semantic-release/exec", {
 "successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV"
+ }],
+ ["@semantic-release/exec", {
+ "publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}"
 }]
 ]
 }
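Review bot: `catalog_id: _` and `offering_id: _` are committed as placeholders while the `.releaserc` hunk in this same commit adds a `publishCmd` that runs `./ci/trigger-catalog-onboarding-pipeline.sh` on every semantic release, so the first release after merge would trigger onboarding against placeholder identifiers unless that script fails closed on `_`. I would either fill in the real ids before wiring the publish hook, or confirm the pipeline rejects the placeholders rather than creating a stray offering. The script is not in this commit's diffstat, so it is presumably provided through the common-dev-assets submodule; worth confirming it resolves in CI. `mark_ready: true` also appears to publish the variation as ready on first onboarding, which is worth a deliberate decision while the ids are still placeholders.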
diff --git a/ibm_catalog.json b/ibm_catalog.json new file mode 100644 index 0000000..419cdc4 --- /dev/null +++ b/ibm_catalog.json 
@@ -0,0 +1,184 @@ +{ + "products": [ + { + "name": "deploy-arch-ibm-scc", + "label": "Cloud automation for Security and Compliance Center Workload Protection", + "product_kind": "solution", + "tags": [ + "ibm_created", + "target_terraform", + "terraform", + "solution", + "security" + ], + "keywords": [ + "SCC", + "security", + "compliance", + "workload-protection", + "IaC", + "infrastructure as code", + "terraform", + "solution" + ], + "short_description": "Creates and configures IBM Security and Compliance Center resources", + "long_description": "This architecture supports creating and configuring IBM Security and Compliance Center resources.", + "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/instances/README.md", + "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/main/images/scc-icon.svg", + "provider_name": "IBM", + "features": [ + { + "title": "Security and Compliance Center Workload Protection", + "description": "Creates and configures a Security and Compliance Center Workload Protection instance." + } + ], + "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/issues](https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/issues). 
Please note this product is not supported via the IBM Cloud Support Center.", + "flavors": [ + { + "label": "Workload Protection", + "name": "workload-protection", + "install_type": "extension", + "working_directory": "solutions/standard", + "compliance": { + "authority": "scc-v3", + "profiles": [ + { + "profile_name": "IBM Cloud Framework for Financial Services", + "profile_version": "1.7.0" + } + ] + }, + "configuration": [ + { + "key": "ibmcloud_api_key", + "displayname": "API KEY" + }, + { + "key": "provider_visibility", + "displayname": "Provider Visibility", + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "public-and-private", + "value": "public-and-private" + } + ] + }, + { + "key": "use_existing_resource_group", + "displayname": "Use Existing Resource Group", + "required": true + }, + { + "key": "resource_group_name", + "displayname": "Resource Group Name", + "required": true + }, + { + "key": "prefix", + "displayname": "Prefix", + "required": true, + "description": "The prefix to add to all resources that this solution creates. To not use any prefix value, you can enter the string `__NULL__`." 
+ }, + { + "key": "existing_monitoring_crn", + "displayname": "Existing Monitoring CRN" + }, + { + "key": "region", + "displayname": "Region", + "options": [ + { + "displayname": "Dallas (us-south)", + "value": "us-south" + }, + { + "displayname": "Frankfurt (eu-de)", + "value": "eu-de" + }, + { + "displayname": "Madrid (eu-es)", + "value": "eu-es" + }, + { + "displayname": "Toronto (ca-tor)", + "value": "ca-tor" + } + ] + }, + { + "key": "scc_workload_protection_instance_name", + "displayname": "Instance Name" + }, + { + "key": "scc_workload_protection_service_plan", + "displayname": "Service Plan", + "options": [ + { + "displayname": "Free trial", + "value": "free-trial" + }, + { + "displayname": "Graduated tier", + "value": "graduated-tier" + } + ] + }, + { + "key": "scc_workload_protection_instance_tags", + "displayname": "Instance Tags" + }, + { + "key": "scc_workload_protection_resource_key_tags", + "displayname": "Resource Key Tags" + }, + { + "key": "scc_workload_protection_access_tags", + "displayname": "Access Tags" + }, + { + "key": "cbr_rules", + "displayname": "CBR Rules" + } + ], + "iam_permissions": [ + { + "service_name": "compliance", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ] + } + ], + "architecture": { + "descriptions": "This architecture supports creating and configuring a Security and Compliance Center Workload Protection instance.", + "features": [ + { + "title": "Creates a Security and Compliance Center Workload Protection instance", + "description": "Creates and configures a Security and Compliance Center Workload Protection instance." 
+ } + ], + "diagrams": [ + { + "diagram": { + "caption": "Security and Compliance Center", + "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/main/reference-architecture/scc.svg", + "type": "image/svg+xml" + }, + "description": "This architecture supports creating and configuring IBM Security and Compliance Center resources" + } + ] + } + } + ] + } + ] + } + \ No newline at end of file diff --git a/images/scc-icon.svg b/images/scc-icon.svg new file mode 100644 index 0000000..c402fe1 --- /dev/null +++ b/images/scc-icon.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/reference-architecture/scc.svg b/reference-architecture/scc.svg new file mode 100644 index 0000000..c551885 --- /dev/null +++ b/reference-architecture/scc.svg @@ -0,0 +1,4 @@ + + + +
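Review bot: `offering_docs_url` points at `solutions/instances/README.md`, but the flavor's `working_directory` is `solutions/standard` and the README this series adds lives at `solutions/standard/README.md`, so the catalog tile's documentation link would presumably 404. `support_details` likewise sends issues to `terraform-ibm-modules/terraform-ibm-scc-da`, whereas every other URL in this file names `terraform-ibm-scc-workload-protection`; this reads as copied from the SCC DA and should point at this repository. `iam_permissions` checks Manager/Editor on `"service_name": "compliance"`, which is the Security and Compliance Center service itself; the instance this flavor provisions is Workload Protection, which I believe uses a different IAM service name (`sysdig-secure`, if I recall correctly), so please confirm the pre-deployment permission check targets the service actually created. The missing trailing newline is fixed later in the series (PATCH 07), so nothing to do there.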
IBM Cloud
IBM Cloud
Monitoring
Monitoring
Region
Region
Resource Group
Resource Group
SCC Workload Protection
SCC Workload Protect...
Text is not SVG - cannot display
\ No newline at end of file diff --git a/solutions/standard/README.md b/solutions/standard/README.md index eec7bf8..bdafd01 100644 --- a/solutions/standard/README.md +++ b/solutions/standard/README.md @@ -32,9 +32,9 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/standard/cbr-rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection. | `string` | `null` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | -| [instance\_cbr\_rules](#input\_instance\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/standard/cbr-rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | `"dev"` | no | | [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | | [region](#input\_region) | The region to provision Security and Compliance Center resources in. | `string` | `"us-south"` | no | diff --git a/solutions/standard/cbr-rules.md b/solutions/standard/cbr-rules.md index 970b283..ff29895 100644 --- a/solutions/standard/cbr-rules.md +++ b/solutions/standard/cbr-rules.md 
@@ -2,18 +2,18 @@ Several optional input variables in the IBM Cloud [COS deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture. -* Context-Based Restrictions Rules (`instance_cbr_rules`) +* Context-Based Restrictions Rules (`cbr_rules`) -## Rules For Context-Based Restrictions +## Rules For Context-Based Restrictions -The `instance_cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc. +The `cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc. -- Variable name: `instance_cbr_rules`. +- Variable name: `cbr_rules`. - Type: A list of objects. Allows only one object representing a rule for the target service - Default value: An empty list (`[]`). -### Options for instance_cbr_rules +### Options for cbr_rules - `description` (required): The description of the rule to create. - `account_id` (required): The IBM Cloud Account ID @@ -36,7 +36,7 @@ The `instance_cbr_rules` input variable allows you to provide a rule for the tar ### Example Rule For Context-Based Restrictions Configuration ```hcl -instance_cbr_rules = [ +cbr_rules = [ { description = "COS can be accessed from xyz" account_id = "defc0df06b644a9cabc6e44f55b3880s." diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 50e4343..25c1d8b 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf 
@@ -33,5 +33,5 @@ module "scc_wp" { cloud_monitoring_instance_crn = var.existing_monitoring_crn access_tags = var.scc_workload_protection_access_tags scc_wp_service_plan = var.scc_workload_protection_service_plan - cbr_rules = var.instance_cbr_rules + cbr_rules = var.cbr_rules } diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index 8be5d56..0074806 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf @@ -100,7 +100,7 @@ variable "scc_workload_protection_service_plan" { ############################################################## # Context-based restriction (CBR) ############################################################## -variable "instance_cbr_rules" { +variable "cbr_rules" { type = list(object({ description = string account_id = string From 21b14955855a9eefb9bab532945caa35daf9454c Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Mon, 24 Feb 2025 09:54:04 +0000 Subject: [PATCH 05/11] fix: merge --- .gitmodules | 3 +++ common-dev-assets | 1 + 2 files changed, 4 insertions(+) create mode 160000 common-dev-assets diff --git a/.gitmodules b/.gitmodules index e69de29..8d16b96 100644 --- a/.gitmodules +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "common-dev-assets"] + path = common-dev-assets + url = https://github.com/terraform-ibm-modules/common-dev-assets diff --git a/common-dev-assets b/common-dev-assets new file mode 160000 index 0000000..c3e67b4 --- /dev/null +++ b/common-dev-assets @@ -0,0 +1 @@ +Subproject commit c3e67b4ab4ed41f1b0239ae52e306dc8737ea591 From 07d6527915122e9b100b8ba38627a78ef9f26f1b Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Mon, 24 Feb 2025 09:55:03 +0000 Subject: [PATCH 06/11] fix: merge --- .gitmodules | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitmodules b/.gitmodules index 8d16b96..6fbc5c9 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -1,3 +1,4 @@ [submodule "common-dev-assets"] path = common-dev-assets url = https://github.com/terraform-ibm-modules/common-dev-assets + branch = main From 285d9bc6d038e15927dd42ed8d1ad2702691c7bc Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Mon, 24 Feb 2025 09:57:03 +0000 Subject: [PATCH 07/11] fix: merge --- ibm_catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 419cdc4..06d583b 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -181,4 +181,4 @@ } ] } - \ No newline at end of file + From 215881d924d37d2e0ae930049a1684ff421fd49b Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Thu, 6 Mar 2025 14:00:55 +0000 Subject: [PATCH 08/11] fix: address feedback --- .catalog-onboard-pipeline.yaml | 4 +- ibm_catalog.json | 138 ++++++++++++------ .../README.md | 4 +- .../catalogValidationValues.json.template | 0 .../cbr-rules.md | 6 +- .../{standard => fully-configurable}/main.tf | 0 .../outputs.tf | 0 .../provider.tf | 0 .../variables.tf | 4 +- .../version.tf | 0 tests/go.mod | 2 +- 11 files changed, 102 insertions(+), 56 deletions(-) rename solutions/{standard => fully-configurable}/README.md (92%) rename solutions/{standard => fully-configurable}/catalogValidationValues.json.template (100%) rename solutions/{standard => fully-configurable}/cbr-rules.md (86%) rename solutions/{standard => fully-configurable}/main.tf (100%) rename solutions/{standard => fully-configurable}/outputs.tf (100%) rename solutions/{standard => fully-configurable}/provider.tf (100%) rename solutions/{standard => fully-configurable}/variables.tf (91%) rename solutions/{standard => fully-configurable}/version.tf (100%) diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index 28e1c9c..b88a3d7 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml 
@@ -6,9 +6,9 @@ offerings: catalog_id: _ offering_id: _ variations: - - name: standard + - name: fully-configurable mark_ready: true - install_type: extension + install_type: fullstack scc: instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37 region: us-south diff --git a/ibm_catalog.json b/ibm_catalog.json index 06d583b..d03a042 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -1,7 +1,7 @@ { "products": [ { - "name": "deploy-arch-ibm-scc", + "name": "deploy-arch-ibm-workload-protection", "label": "Cloud automation for Security and Compliance Center Workload Protection", "product_kind": "solution", "tags": [ @@ -35,10 +35,10 @@ "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/issues](https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/issues). Please note this product is not supported via the IBM Cloud Support Center.", "flavors": [ { - "label": "Workload Protection", - "name": "workload-protection", - "install_type": "extension", - "working_directory": "solutions/standard", + "label": "Fully Configurable", + "name": "fully-configurable", + "working_directory": "solutions/fully-configurable", + "install_type": "fullstack", "compliance": { "authority": "scc-v3", "profiles": [ 
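Review bot: `"working_directory": "solutions/fully-configurable"` is updated in this hunk, but `offering_docs_url` (unchanged, outside the hunk) still points to `solutions/instances/README.md`, and the `cbr_rules` description in the renamed README below still links to `solutions/standard/cbr-rules.md`, which this same commit renames to `solutions/fully-configurable/cbr-rules.md`. That description is generated from `variables.tf`, whose hunk is outside my view, so the link may be corrected there; the catalog URL certainly is not. Suggest `"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/README.md"`.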
@@ -51,101 +51,148 @@ "configuration": [ { "key": "ibmcloud_api_key", - "displayname": "API KEY" - }, - { - "key": "provider_visibility", - "displayname": "Provider Visibility", - "options": [ - { - "displayname": "private", - "value": "private" - }, - { - "displayname": "public", - "value": "public" - }, - { - "displayname": "public-and-private", - "value": "public-and-private" - } - ] + "display_name": "API KEY", + "required": true }, { "key": "use_existing_resource_group", - "displayname": "Use Existing Resource Group", + "display_name": "Use Existing Resource Group", "required": true }, { "key": "resource_group_name", - "displayname": "Resource Group Name", + "display_name": "Resource Group Name", "required": true }, { "key": "prefix", - "displayname": "Prefix", + "display_name": "Prefix", "required": true, - "description": "The prefix to add to all resources that this solution creates. To not use any prefix value, you can enter the string `__NULL__`." - }, - { - "key": "existing_monitoring_crn", - "displayname": "Existing Monitoring CRN" + "description": "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can enter the string `__NULL__`." 
}, { "key": "region", - "displayname": "Region", + "display_name": "Region", + "required": true, "options": [ { - "displayname": "Dallas (us-south)", + "display_name": "Dallas (us-south)", "value": "us-south" }, { - "displayname": "Frankfurt (eu-de)", + "display_name": "Frankfurt (eu-de)", "value": "eu-de" }, { - "displayname": "Madrid (eu-es)", + "display_name": "London (eu-gb)", + "value": "eu-gb" + }, + { + "display_name": "Madrid (eu-es)", "value": "eu-es" }, { - "displayname": "Toronto (ca-tor)", + "display_name": "Osaka (jp-osa)", + "value": "jp-osa" + }, + { + "display_name": "Sao Paulo (br-sao)", + "value": "br-sao" + }, + { + "display_name": "Sydney (au-syd)", + "value": "au-syd" + }, + { + "display_name": "Tokyo (jp-tok)", + "value": "jp-tok" + }, + { + "display_name": "Toronto (ca-tor)", "value": "ca-tor" + }, + { + "display_name": "Washington DC (us-east)", + "value": "us-east" } ] }, + { + "key": "provider_visibility", + "display_name": "Provider Visibility", + "options": [ + { + "display_name": "private", + "value": "private" + }, + { + "display_name": "public", + "value": "public" + }, + { + "display_name": "public-and-private", + "value": "public-and-private" + } + ] + }, + { + "key": "existing_monitoring_crn", + "display_name": "Existing Monitoring CRN" + }, { "key": "scc_workload_protection_instance_name", - "displayname": "Instance Name" + "display_name": "Instance Name" }, { "key": "scc_workload_protection_service_plan", - "displayname": "Service Plan", + "display_name": "Service Plan", "options": [ { - "displayname": "Free trial", + "display_name": "Free trial", "value": "free-trial" }, { - "displayname": "Graduated tier", + "display_name": "Graduated tier", "value": "graduated-tier" } ] }, { "key": "scc_workload_protection_instance_tags", - "displayname": "Instance Tags" + "display_name": "Instance Tags", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } 
}, { "key": "scc_workload_protection_resource_key_tags", - "displayname": "Resource Key Tags" + "display_name": "Resource Key Tags", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } }, { "key": "scc_workload_protection_access_tags", - "displayname": "Access Tags" + "display_name": "Access Tags", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } }, { "key": "cbr_rules", - "displayname": "CBR Rules" + "display_name": "CBR Rules" } ], "iam_permissions": [ @@ -181,4 +228,3 @@ } ] } - diff --git a/solutions/standard/README.md b/solutions/fully-configurable/README.md similarity index 92% rename from solutions/standard/README.md rename to solutions/fully-configurable/README.md index bdafd01..7360273 100644 --- a/solutions/standard/README.md +++ b/solutions/fully-configurable/README.md @@ -33,9 +33,9 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/standard/cbr-rules.md) |
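Review bot: The `region` option list grows from four to ten regions, but the Terraform `region` variable (variables.tf, not in this hunk) carries no `validation` block and `validRegions` in tests/pr_test.go is a separate hand-maintained copy, so the three lists can drift silently and a region offered in the catalog may never be exercised by the tests. Consider adding a `validation` block to the variable with the same ten values and asserting the test list against it. The `custom_config.config_constraints.type: "string"` added to the three tag inputs is attached to `list(string)` variables; if that is the catalog's convention for string arrays it is fine, but it reads as a type mismatch and deserves a short comment in the commit or README.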
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | -| [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection. | `string` | `null` | no | +| [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection. | `string` | `null` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | -| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | `"dev"` | no | +| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | `"dev"` | no | | [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | | [region](#input\_region) | The region to provision Security and Compliance Center resources in. 
| `string` | `"us-south"` | no | | [resource\_group\_name](#input\_resource\_group\_name) | The name of a new or an existing resource group in which to provision resources to. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | n/a | yes | diff --git a/solutions/standard/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template similarity index 100% rename from solutions/standard/catalogValidationValues.json.template rename to solutions/fully-configurable/catalogValidationValues.json.template diff --git a/solutions/standard/cbr-rules.md b/solutions/fully-configurable/cbr-rules.md similarity index 86% rename from solutions/standard/cbr-rules.md rename to solutions/fully-configurable/cbr-rules.md index ff29895..fe61381 100644 --- a/solutions/standard/cbr-rules.md +++ b/solutions/fully-configurable/cbr-rules.md @@ -1,6 +1,6 @@ -# Configuring complex inputs for COS in IBM Cloud projects +# Configuring complex inputs for Workload Protection in IBM Cloud projects -Several optional input variables in the IBM Cloud [COS deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture. +Several optional input variables in the IBM Cloud [workload protection deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture. * Context-Based Restrictions Rules (`cbr_rules`) @@ -38,7 +38,7 @@ The `cbr_rules` input variable allows you to provide a rule for the target servi ```hcl cbr_rules = [ { - description = "COS can be accessed from xyz" + description = "workload protection can be accessed from xyz" account_id = "defc0df06b644a9cabc6e44f55b3880s." rule_contexts= [{ attributes = [ 
diff --git a/solutions/standard/main.tf b/solutions/fully-configurable/main.tf similarity index 100% rename from solutions/standard/main.tf rename to solutions/fully-configurable/main.tf diff --git a/solutions/standard/outputs.tf b/solutions/fully-configurable/outputs.tf similarity index 100% rename from solutions/standard/outputs.tf rename to solutions/fully-configurable/outputs.tf diff --git a/solutions/standard/provider.tf b/solutions/fully-configurable/provider.tf similarity index 100% rename from solutions/standard/provider.tf rename to solutions/fully-configurable/provider.tf diff --git a/solutions/standard/variables.tf b/solutions/fully-configurable/variables.tf similarity index 91% rename from solutions/standard/variables.tf rename to solutions/fully-configurable/variables.tf index 0074806..4fc447b 100644 --- a/solutions/standard/variables.tf +++ b/solutions/fully-configurable/variables.tf 
@@ -23,12 +23,12 @@ variable "existing_monitoring_crn" { type = string nullable = true default = null - description = "The CRN of an IBM Cloud Monitoring instance to to send Security and Compliance Object Storage bucket metrics to, as well as Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection." + description = "The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection." } variable "prefix" { type = string - description = "The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string." + description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string." default = "dev" } diff --git a/solutions/standard/version.tf b/solutions/fully-configurable/version.tf similarity index 100% rename from solutions/standard/version.tf rename to solutions/fully-configurable/version.tf diff --git a/tests/go.mod b/tests/go.mod index ed45b0e..2ec845f 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -88,7 +88,7 @@ require ( go.opentelemetry.io/otel v1.29.0 // indirect go.opentelemetry.io/otel/metric v1.29.0 // indirect go.opentelemetry.io/otel/trace v1.29.0 // indirect - golang.org/x/crypto v0.34.0 // indirect + golang.org/x/crypto v0.35.0 // indirect golang.org/x/mod v0.23.0 // indirect golang.org/x/net v0.35.0 // indirect golang.org/x/sync v0.11.0 // indirect 
From 58bdd70917907605f002ab39fe24be037958e0d6 Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Thu, 13 Mar 2025 15:37:04 +0000 Subject: [PATCH 09/11] fix: address feedback --- .catalog-onboard-pipeline.yaml | 2 +- README.md | 2 + ibm_catalog.json | 44 ++++---------- solutions/fully-configurable/README.md | 13 ++-- .../catalogValidationValues.json.template | 2 +- solutions/fully-configurable/cbr-rules.md | 59 +++++++++++-------- solutions/fully-configurable/main.tf | 5 +- solutions/fully-configurable/variables.tf | 34 +++++++---- tests/other_tests.go | 12 ++-- tests/pr_test.go | 47 +++++++++------ 10 files changed, 111 insertions(+), 109 deletions(-) diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index b88a3d7..5186b1b 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -1,7 +1,7 @@ --- apiVersion: v1 offerings: - - name: deploy-arch-ibm-workload-protection + - name: deploy-arch-ibm-scc-workload-protection kind: solution catalog_id: _ offering_id: _ diff --git a/README.md b/README.md index e32ae3a..2c4a0d5 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,8 @@ A module for provisioning an [IBM Cloud Security and Compliance Center Workload Protection instance](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started). The module will always create a Manager resource key that connects to the SCC WP instance. +![Workload Protection](./reference-architecture/scc.svg) + diff --git a/ibm_catalog.json b/ibm_catalog.json index d03a042..f9506e9 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -1,7 +1,7 @@ { "products": [ { - "name": "deploy-arch-ibm-workload-protection", + "name": "deploy-arch-ibm-scc-workload-protection", "label": "Cloud automation for Security and Compliance Center Workload Protection", "product_kind": "solution", "tags": [ 
@@ -21,8 +21,8 @@ "terraform", "solution" ], - "short_description": "Creates and configures IBM Security and Compliance Center resources", - "long_description": "This architecture supports creating and configuring IBM Security and Compliance Center resources.", + "short_description": "Creates and configures IBM Security and Compliance Center Workload Protection resources", + "long_description": "This architecture supports creating and configuring IBM Security and Compliance Center Workload Protection resources.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/instances/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/main/images/scc-icon.svg", "provider_name": "IBM", @@ -32,7 +32,7 @@ "description": "Creates and configures a Security and Compliance Center Workload Protection instance." } ], - "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/issues](https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/issues). Please note this product is not supported via the IBM Cloud Support Center.", + "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues). Please note this product is not supported via the IBM Cloud Support Center.", "flavors": [ { "label": "Fully Configurable", 
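Review bot: `offering_docs_url` on the context line in this hunk still points at `solutions/instances/README.md`, while the flavor's `working_directory` is `solutions/fully-configurable` and the diffstat of this series only ever touches `solutions/standard` and `solutions/fully-configurable`, so the catalog appears to link to a README this repository does not contain. The short and long descriptions are corrected on the adjacent lines; the URL should move with them: `"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/README.md",`. The enclosing product object starts and ends outside the hunk.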
@@ -51,28 +51,19 @@ "configuration": [ { "key": "ibmcloud_api_key", - "display_name": "API KEY", "required": true }, { - "key": "use_existing_resource_group", - "display_name": "Use Existing Resource Group", - "required": true - }, - { - "key": "resource_group_name", - "display_name": "Resource Group Name", + "key": "existing_resource_group_name", "required": true }, { "key": "prefix", - "display_name": "Prefix", "required": true, "description": "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can enter the string `__NULL__`." }, { "key": "region", - "display_name": "Region", "required": true, "options": [ { @@ -119,47 +110,37 @@ }, { "key": "provider_visibility", - "display_name": "Provider Visibility", "options": [ { - "display_name": "private", "value": "private" }, { - "display_name": "public", "value": "public" }, { - "display_name": "public-and-private", "value": "public-and-private" } ] }, { - "key": "existing_monitoring_crn", - "display_name": "Existing Monitoring CRN" + "key": "existing_monitoring_crn" }, { - "key": "scc_workload_protection_instance_name", - "display_name": "Instance Name" + "key": "scc_workload_protection_instance_name" }, { "key": "scc_workload_protection_service_plan", - "display_name": "Service Plan", "options": [ { - "display_name": "Free trial", "value": "free-trial" }, { - "display_name": "Graduated tier", "value": "graduated-tier" } ] }, { "key": "scc_workload_protection_instance_tags", - "display_name": "Instance Tags", "custom_config": { "grouping": "deployment", "original_grouping": "deployment", @@ -170,7 +151,6 @@ }, { "key": "scc_workload_protection_resource_key_tags", - "display_name": "Resource Key Tags", "custom_config": { "grouping": "deployment", "original_grouping": "deployment", 
@@ -181,7 +161,6 @@ }, { "key": "scc_workload_protection_access_tags", - "display_name": "Access Tags", "custom_config": { "grouping": "deployment", "original_grouping": "deployment", @@ -191,13 +170,12 @@ } }, { - "key": "cbr_rules", - "display_name": "CBR Rules" + "key": "cbr_rules" } ], "iam_permissions": [ { - "service_name": "compliance", + "service_name": "sysdig-secure", "role_crns": [ "crn:v1:bluemix:public:iam::::serviceRole:Manager", "crn:v1:bluemix:public:iam::::role:Editor" @@ -215,11 +193,11 @@ "diagrams": [ { "diagram": { - "caption": "Security and Compliance Center", + "caption": "Security and Compliance Center Workload Protection", "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/main/reference-architecture/scc.svg", "type": "image/svg+xml" }, - "description": "This architecture supports creating and configuring IBM Security and Compliance Center resources" + "description": "This architecture supports creating and configuring IBM Security and Compliance Center Workload Protection resources" } ] } diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 7360273..b58d8db 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -1,4 +1,4 @@ -# Security and Compliance Center Workload Protection solution +# Security and Compliance Center Workload Protection Fully Configurable solution This solution supports provisioning and configuring the following infrastructure: @@ -32,19 +32,18 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/standard/cbr-rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | -| [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection. | `string` | `null` | no | +| [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/cbr-rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | +| [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. | `string` | `null` | no | +| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of a an existing resource group in which to provision resources to. | `string` | `"Default"` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | -| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | `"dev"` | no | +| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | | [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | | [region](#input\_region) | The region to provision Security and Compliance Center resources in. | `string` | `"us-south"` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of a new or an existing resource group in which to provision resources to. If a prefix input variable is specified, the prefix is added to the name in the `-` format. 
| `string` | n/a | yes | | [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no | -| [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"workload_protection"` | no | +| [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"scc-workload-protection"` | no | | [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no | | [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. | `list(string)` | `[]` | no | | [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no | -| [use\_existing\_resource\_group](#input\_use\_existing\_resource\_group) | Whether to use an existing resource group. | `bool` | `false` | no | ### Outputs 
diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template index 6dbf420..1d380d9 100644 --- a/solutions/fully-configurable/catalogValidationValues.json.template +++ b/solutions/fully-configurable/catalogValidationValues.json.template @@ -1,4 +1,4 @@ { "ibmcloud_api_key": $VALIDATION_APIKEY, - "resource_group_name": $PREFIX + "existing_resource_group_name": "geretain-test-resources" } diff --git a/solutions/fully-configurable/cbr-rules.md b/solutions/fully-configurable/cbr-rules.md index fe61381..44f7932 100644 --- a/solutions/fully-configurable/cbr-rules.md +++ b/solutions/fully-configurable/cbr-rules.md 
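Review bot: The template no longer supplies `prefix`, yet the same series removes `default = "dev"` from `variable "prefix"` in solutions/fully-configurable/variables.tf and marks `prefix` as `"required": true` in ibm_catalog.json, so catalog validation would stop on a missing required input unless the pipeline injects it separately. If `$PREFIX` is still exported to the validation run, keeping `"prefix": $PREFIX,` next to the API key line covers that. The hard-coded `"geretain-test-resources"` is also the same value as the `resourceGroup` constant in tests/pr_test.go; since the template cannot carry a comment, the solution README is the place to say that the two are kept in sync by hand.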
@@ -36,35 +36,42 @@ The `cbr_rules` input variable allows you to provide a rule for the target servi ### Example Rule For Context-Based Restrictions Configuration ```hcl -cbr_rules = [ +[ { - description = "workload protection can be accessed from xyz" - account_id = "defc0df06b644a9cabc6e44f55b3880s." - rule_contexts= [{ - attributes = [ - { - "name" : "endpointType", - "value" : "private" - }, - { - name = "networkZoneId" - value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret - } + description = "workload protection can be accessed from xyz" + account_id = "defc0df06b644a9cabc6e44f55b3880s." + rule_contexts= [ + { + attributes = [ + { + "name" : "endpointType", + "value" : "private" + }, + { + name = "networkZoneId" + value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret + } ] - } - ] - enforcement_mode = "enabled" - resources = [{ - tags { - name = "tag_name" - value = "tag_value" + } + ] + enforcement_mode = "enabled" + resources = [ + { + tags { + name = "tag_name" + value = "tag_value" } - }] - operations = [{ - api_types = [{ - api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:" - }] - }] + } + ] + operations = [ + { + api_types = [ + { + api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:" + } + ] + } + ] } ] ``` diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 25c1d8b..8c4cd81 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf 
@@ -3,8 +3,6 @@ locals { scc_workload_protection_instance_name = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}" : var.scc_workload_protection_instance_name scc_workload_protection_resource_key_name = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}-key" : "${var.scc_workload_protection_instance_name}-key" - - resource_group_name = local.prefix_is_valid ? "${var.prefix}-${var.resource_group_name}" : var.resource_group_name } ####################################################################################################################### @@ -14,8 +12,7 @@ locals { module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" version = "1.1.6" - resource_group_name = var.use_existing_resource_group == false ? local.resource_group_name : null - existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null + existing_resource_group_name = var.existing_resource_group_name } ####################################################################################################################### diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 4fc447b..119a3e9 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
@@ -8,28 +8,22 @@ variable "ibmcloud_api_key" { sensitive = true } -variable "use_existing_resource_group" { - type = bool - description = "Whether to use an existing resource group." - default = false -} - -variable "resource_group_name" { +variable "existing_resource_group_name" { type = string - description = "The name of a new or an existing resource group in which to provision resources to. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + description = "The name of a an existing resource group in which to provision resources to." + default = "Default" } variable "existing_monitoring_crn" { type = string nullable = true default = null - description = "The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket and not provisioning Workload Protection." + description = "The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration." } variable "prefix" { type = string description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string." - default = "dev" } variable "provider_visibility" { 
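Review bot: `existing_resource_group_name` defaults to `"Default"`, so a deployer who omits the input silently provisions the Workload Protection instance into the account's Default resource group, which is typically the group with the broadest pre-existing access policies; since `prefix` in the same hunk is made required, giving the resource group the same treatment (no default), or at least a `validation` block that rejects an empty string, turns the placement into an explicit choice. The description also has a typo: `description = "The name of an existing resource group in which to provision resources to."` (drop "a an"). The hunk ends inside `variable "provider_visibility"`, whose body continues outside it.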
@@ -48,15 +42,29 @@ variable "provider_visibility" { ######################################################################################################################## variable "scc_workload_protection_instance_name" { - description = "The name for the Workload Protection instance that is created by this solution. Must begin with a letter. Applies only if `provision_scc_workload_protection` is true. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + description = "The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `-` format." type = string - default = "workload_protection" + default = "scc-workload-protection" } variable "region" { type = string default = "us-south" description = "The region to provision Security and Compliance Center resources in." + validation { + condition = contains(["us-south", + "us-east", + "eu-de", + "eu-es", + "eu-gb", + "jp-osa", + "jp-tok", + "br-sao", + "ca-tor", + "au-syd", + ], var.region) + error_message = "Invalid region selected. Allowed values are `us-south` ,`us-east`, `eu-de`, `eu-es`, `eu-gb`, `jp-osa`, `jp-tok`, `br-sao`, `ca-tor`, and `au-syd`." + } } variable "scc_workload_protection_instance_tags" { @@ -120,7 +128,7 @@ variable "cbr_rules" { })) }))) })) - description = "The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/standard/cbr-rules.md)" + description = "The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/cbr-rules.md)" default = [] # Validation happens in the rule module } 
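Review bot: The allowed-region list inside the new `validation` block for `region` is the third hand-maintained copy of that list in this series — the `validRegions` slice in tests/pr_test.go and the `region` options in ibm_catalog.json carry the same ten values — and nothing ties them together, so the next region added to one copy will be rejected or untested by another. A comment above the condition, `# Keep in sync with validRegions in tests/pr_test.go and the region options in ibm_catalog.json`, makes the coupling visible; the same note applies to the pr_test.go and ibm_catalog.json hunks and is not repeated there. The `error_message` also has a stray space before the comma after the first value, which reads oddly in the CLI output.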
diff --git a/tests/other_tests.go b/tests/other_tests.go index 3afe358..13e9614 100644 --- a/tests/other_tests.go +++ b/tests/other_tests.go @@ -31,14 +31,12 @@ func TestRunBasicExample(t *testing.T) { assert.NotNil(t, output, "Expected some output") } -func TestRunAdvancedUpgradeExample(t *testing.T) { +func TestRunAdvancedExample(t *testing.T) { t.Parallel() - options := setupOptions(t, "scc-wp-upg", advancedExampleDir) + options := setupOptions(t, "scc-wp-adv", advancedExampleDir) - output, err := options.RunTestUpgrade() - if !options.UpgradeTestSkipped { - assert.Nil(t, err, "This should not have errored") - assert.NotNil(t, output, "Expected some output") - } + output, err := options.RunTest() + assert.Nil(t, err, "This should not have errored") + assert.NotNil(t, output, "Expected some output") } diff --git a/tests/pr_test.go b/tests/pr_test.go index a61f00d..7dc005f 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -10,12 +10,11 @@ import ( "github.com/stretchr/testify/assert" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common" - "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic" ) const resourceGroup = "geretain-test-resources" -const standardSolutionDir = "solutions/standard" +const standardSolutionDir = "solutions/fully-configurable" // Define a struct with fields that match the structure of the YAML data. const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml" @@ -23,9 +22,15 @@ const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-res // Current supported SCC Workload Protection region var validRegions = []string{ "us-south", + "us-east", "eu-de", - "ca-tor", "eu-es", + "eu-gb", + "jp-osa", + "jp-tok", + "br-sao", + "ca-tor", + "au-syd", } var permanentResources map[string]interface{} 
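Review bot: `TestRunAdvancedExample` replaces the advanced example's upgrade run (`RunTestUpgrade` behind the `UpgradeTestSkipped` guard) with a plain `RunTest`, which, as far as this series shows, leaves `TestRunUpgradeDA` in tests/pr_test.go as the only upgrade coverage for the module. If that is the intent, a one-line comment above the function records it: `// Upgrade coverage for this module lives in TestRunUpgradeDA (pr_test.go).`. The file's remaining tests are outside the hunk, so I cannot confirm no other upgrade test remains.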
@@ -62,7 +67,7 @@ func TestDAInSchematics(t *testing.T) { options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, - {Name: "resource_group_name", Value: options.Prefix, DataType: "string"}, + {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, {Name: "region", Value: region, DataType: "string"}, {Name: "scc_workload_protection_instance_tags", Value: options.Tags, DataType: "list(string)"}, {Name: "scc_workload_protection_resource_key_tags", Value: options.Tags, DataType: "list(string)"}, 
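Review bot: `TestDAInSchematics` now has to pass `prefix` explicitly, because this series removes the variable's default in solutions/fully-configurable/variables.tf; the hunk shows only the first five `TerraformVars` entries, so if `{Name: "prefix", Value: options.Prefix, DataType: "string"},` is not among the lines that follow, the schematics run fails on a missing required input. The sibling `TestRunUpgradeDA` hunk does add that entry, which suggests this one was simply not re-checked. The function body starts and ends outside the hunk.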
@@ -79,24 +84,32 @@ func TestRunUpgradeDA(t *testing.T) { var region = validRegions[rand.IntN(len(validRegions))] - options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ - Testing: t, - TerraformDir: standardSolutionDir, - Prefix: "wp-da-upg", + options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ + Testing: t, + Prefix: "wp-da", + TarIncludePatterns: []string{ + "*.tf", + standardSolutionDir + "/*.tf", + }, + ResourceGroup: resourceGroup, + TemplateFolder: standardSolutionDir, + Tags: []string{"test-schematic"}, + DeleteWorkspaceOnFail: false, + WaitJobCompleteMinutes: 60, }) - options.TerraformVars = map[string]interface{}{ - "prefix": options.Prefix, - "resource_group_name": options.Prefix, - "region": region, - "scc_workload_protection_instance_tags": options.Tags, - "scc_workload_protection_resource_key_tags": options.Tags, - "scc_workload_protection_access_tags": permanentResources["accessTags"], + options.TerraformVars = []testschematic.TestSchematicTerraformVar{ + {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, + {Name: "region", Value: region, DataType: "string"}, + {Name: "scc_workload_protection_instance_tags", Value: options.Tags, DataType: "list(string)"}, + {Name: "scc_workload_protection_resource_key_tags", Value: options.Tags, DataType: "list(string)"}, + {Name: "scc_workload_protection_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "prefix", Value: options.Prefix, DataType: "string"}, } - output, err := options.RunTestUpgrade() + err := options.RunSchematicUpgradeTest() if !options.UpgradeTestSkipped { assert.Nil(t, err, "This should not have errored") - assert.NotNil(t, output, "Expected some output") } } From 5ba2b6f74af6369babc5441eb7b4b99157639221 Mon Sep 17 00:00:00 2001 
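Review bot: `Prefix: "wp-da"` is the same prefix `TestDAInSchematics` uses (the removed code had `wp-da-upg`), so workspaces and resources from the two tests are no longer distinguishable by name; if the wrapper appends a random suffix they will not collide, but restoring `Prefix: "wp-da-upg",` keeps anything left behind by a failed run attributable to the test that created it. The options block is otherwise a verbatim copy of the one in `TestDAInSchematics`, and a small helper removes the duplication (sketch below, assuming `TestSchematicOptionsDefault` returns `*testschematic.TestSchematicOptions`, as the later `options.TerraformVars =` assignment suggests). The function starts outside the hunk.
```go
// newSchematicOptions builds the schematics options shared by
// TestDAInSchematics and TestRunUpgradeDA; only the prefix differs.
func newSchematicOptions(t *testing.T, prefix string) *testschematic.TestSchematicOptions {
	return testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
		Testing: t,
		Prefix:  prefix,
		TarIncludePatterns: []string{
			"*.tf",
			standardSolutionDir + "/*.tf",
		},
		ResourceGroup:          resourceGroup,
		TemplateFolder:         standardSolutionDir,
		Tags:                   []string{"test-schematic"},
		DeleteWorkspaceOnFail:  false,
		WaitJobCompleteMinutes: 60,
	})
}

// in TestRunUpgradeDA, replacing the literal options block:
options := newSchematicOptions(t, "wp-da-upg")
// … unchanged: TerraformVars and RunSchematicUpgradeTest …
```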
From: Jordan-Williams2 Date: Thu, 13 Mar 2025 15:42:58 +0000 Subject: [PATCH 10/11] fix: address feedback --- ibm_catalog.json | 10 ---------- reference-architecture/scc.svg | 2 +- solutions/fully-configurable/README.md | 2 +- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index f9506e9..106792b 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -67,43 +67,33 @@ "required": true, "options": [ { - "display_name": "Dallas (us-south)", "value": "us-south" }, { - "display_name": "Frankfurt (eu-de)", "value": "eu-de" }, { - "display_name": "London (eu-gb)", "value": "eu-gb" }, { - "display_name": "Madrid (eu-es)", "value": "eu-es" }, { - "display_name": "Osaka (jp-osa)", "value": "jp-osa" }, { - "display_name": "Sao Paulo (br-sao)", "value": "br-sao" }, { - "display_name": "Sydney (au-syd)", "value": "au-syd" }, { - "display_name": "Tokyo (jp-tok)", "value": "jp-tok" }, { - "display_name": "Toronto (ca-tor)", "value": "ca-tor" }, { - "display_name": "Washington DC (us-east)", "value": "us-east" } ] diff --git a/reference-architecture/scc.svg b/reference-architecture/scc.svg index c551885..11a4572 100644 --- a/reference-architecture/scc.svg +++ b/reference-architecture/scc.svg @@ -1,4 +1,4 @@ -
IBM Cloud
IBM Cloud
Monitoring
Monitoring
Region
Region
Resource Group
Resource Group
SCC Workload Protection
SCC Workload Protect...
Text is not SVG - cannot display
\ No newline at end of file +
IBM Cloud
IBM Cloud
Existing Monitoring Instance
Existing Monitorin...
Region
Region
Resource Group
Resource Group
SCC Workload Protection
SCC Workload Protect...
Metrics
Metrics
Text is not SVG - cannot display
\ No newline at end of file diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index b58d8db..162d697 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -1,4 +1,4 @@ -# Security and Compliance Center Workload Protection Fully Configurable solution +# Cloud automation for Security and Compliance Center Workload Protection This solution supports provisioning and configuring the following infrastructure: From 392aebb223efb3c3c45ebfd405936b269484bd41 Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Thu, 13 Mar 2025 17:23:47 +0000 Subject: [PATCH 11/11] fix: address feedback --- .catalog-onboard-pipeline.yaml | 4 ++-- README.md | 3 --- ibm_catalog.json | 2 +- solutions/fully-configurable/README.md | 4 ++-- solutions/fully-configurable/variables.tf | 2 +- tests/pr_test.go | 10 +++++----- 6 files changed, 11 insertions(+), 14 deletions(-) diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index 5186b1b..4c7713b 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -3,8 +3,8 @@ apiVersion: v1 offerings: - name: deploy-arch-ibm-scc-workload-protection kind: solution - catalog_id: _ - offering_id: _ + catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd + offering_id: 4322cf44-2289-49aa-a719-dd79e39b14dc variations: - name: fully-configurable mark_ready: true diff --git a/README.md b/README.md index 2c4a0d5..58e47fe 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,6 @@ A module for provisioning an [IBM Cloud Security and Compliance Center Workload Protection instance](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started). The module will always create a Manager resource key that connects to the SCC WP instance. -![Workload Protection](./reference-architecture/scc.svg) - - ## Overview diff --git a/ibm_catalog.json b/ibm_catalog.json index 106792b..863b070 100644 --- a/ibm_catalog.json 
+++ b/ibm_catalog.json @@ -35,7 +35,7 @@ "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues). Please note this product is not supported via the IBM Cloud Support Center.", "flavors": [ { - "label": "Fully Configurable", + "label": "Fully configurable", "name": "fully-configurable", "working_directory": "solutions/fully-configurable", "install_type": "fullstack", diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 162d697..c9e0808 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -2,11 +2,11 @@ This solution supports provisioning and configuring the following infrastructure: -- A resource group, if one is not passed in. - A Security and Compliance Center Workload Protection instance. :exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). +![Workload Protection](./reference-architecture/scc.svg) 
@@ -38,7 +38,7 @@ No resources.
 | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
 | [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
 | [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
-| [region](#input\_region) | The region to provision Security and Compliance Center resources in. | `string` | `"us-south"` | no |
+| [region](#input\_region) | The region to provision Security and Compliance Center Workload Protection resources in. | `string` | `"us-south"` | no |
 | [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no |
 | [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"scc-workload-protection"` | no |
 | [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no |
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 119a3e9..e55e751 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -50,7 +50,7 @@ variable "scc_workload_protection_instance_name" {
 variable "region" {
 type = string
 default = "us-south"
- description = "The region to provision Security and Compliance Center resources in."
+ description = "The region to provision Security and Compliance Center Workload Protection resources in."
 validation {
 condition = contains(["us-south",
 "us-east",
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 7dc005f..1dfc332 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -14,7 +14,7 @@ import (
 )
 
 const resourceGroup = "geretain-test-resources"
-const standardSolutionDir = "solutions/fully-configurable"
+const fullyConfigurableDADir = "solutions/fully-configurable"
 
 // Define a struct with fields that match the structure of the YAML data.
 const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml"
@@ -56,10 +56,10 @@ func TestDAInSchematics(t *testing.T) {
 Prefix: "wp-da",
 TarIncludePatterns: []string{
 "*.tf",
- standardSolutionDir + "/*.tf",
+ fullyConfigurableDADir + "/*.tf",
 },
 ResourceGroup: resourceGroup,
- TemplateFolder: standardSolutionDir,
+ TemplateFolder: fullyConfigurableDADir,
 Tags: []string{"test-schematic"},
 DeleteWorkspaceOnFail: false,
 WaitJobCompleteMinutes: 60,
@@ -89,10 +89,10 @@ func TestRunUpgradeDA(t *testing.T) {
 Prefix: "wp-da",
 TarIncludePatterns: []string{
 "*.tf",
- standardSolutionDir + "/*.tf",
+ fullyConfigurableDADir + "/*.tf",
 },
 ResourceGroup: resourceGroup,
- TemplateFolder: standardSolutionDir,
+ TemplateFolder: fullyConfigurableDADir,
 Tags: []string{"test-schematic"},
 DeleteWorkspaceOnFail: false,
 WaitJobCompleteMinutes: 60,
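Review bot: The comment `// Define a struct with fields that match the structure of the YAML data.` that the renamed constant now sits next to describes a struct, but the line it introduces is `const yamlLocation = ...`, so it reads as a stale header from an earlier layout of the file. Unless a struct declaration follows it outside the hunk, I would replace it with `// yamlLocation is the shared permanent-resources YAML the tests read fixture values from.` so the constant documents itself. The rename from `standardSolutionDir` to `fullyConfigurableDADir` matches the `solutions/fully-configurable` path it holds and is applied consistently in all three hunks. The `import (` block and both test functions continue outside the hunks.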
