Skip to content

feat: scc workload protection DA #181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ocofaigh merged 14 commits into from
Mar 14, 2025
Merged

feat: scc workload protection DA #181

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
78012df
feat: scc workload protection DA
Feb 20, 2025
bd68d59
SKIP UPGRADE TESTS
Feb 20, 2025
dc9d051
feat: review feedback
Feb 21, 2025
e217ab8
feat: review feedback
Feb 21, 2025
76770f2
fix: merge
Feb 24, 2025
21b1495
fix: merge
Feb 24, 2025
07d6527
fix: merge
Feb 24, 2025
285d9bc
fix: merge
Feb 24, 2025
86e0d37
Merge branch 'main' into wp-da
jor2 Mar 6, 2025
215881d
fix: address feedback
Mar 6, 2025
3c19ff4
Merge branch 'main' into wp-da
jor2 Mar 10, 2025
58bdd70
fix: address feedback
Mar 13, 2025
5ba2b6f
fix: address feedback
Mar 13, 2025
392aebb
fix: address feedback
Mar 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions .catalog-onboard-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
---
apiVersion: v1
offerings:
- name: deploy-arch-ibm-scc-workload-protection
kind: solution
catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
offering_id: 4322cf44-2289-49aa-a719-dd79e39b14dc
variations:
- name: fully-configurable
mark_ready: true
install_type: fullstack
scc:
instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
region: us-south
3 changes: 3 additions & 0 deletions .releaserc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@
}],
["@semantic-release/exec", {
"successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV"
}],
["@semantic-release/exec", {
"publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}"
}]
]
}
1 change: 0 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@
<!-- Add a description of module(s) in this repo -->
A module for provisioning an [IBM Cloud Security and Compliance Center Workload Protection instance](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started). The module will always create a Manager resource key that connects to the SCC WP instance.


<!-- Below content is automatically populated via pre-commit hook -->
<!-- BEGIN OVERVIEW HOOK -->
## Overview
Expand Down
198 changes: 198 additions & 0 deletions ibm_catalog.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,198 @@
{
"products": [
{
"name": "deploy-arch-ibm-scc-workload-protection",
"label": "Cloud automation for Security and Compliance Center Workload Protection",
"product_kind": "solution",
"tags": [
"ibm_created",
"target_terraform",
"terraform",
"solution",
"security"
],
"keywords": [
"SCC",
"security",
"compliance",
"workload-protection",
"IaC",
"infrastructure as code",
"terraform",
"solution"
],
"short_description": "Creates and configures IBM Security and Compliance Center Workload Protection resources",
"long_description": "This architecture supports creating and configuring IBM Security and Compliance Center Workload Protection resources.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/instances/README.md",
Copy link
Contributor

@ocofaigh ocofaigh Mar 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrong directory

"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/main/images/scc-icon.svg",
"provider_name": "IBM",
"features": [
{
"title": "Security and Compliance Center Workload Protection",
"description": "Creates and configures a Security and Compliance Center Workload Protection instance."
}
],
"support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/issues). Please note this product is not supported via the IBM Cloud Support Center.",
"flavors": [
{
"label": "Fully configurable",
"name": "fully-configurable",
"working_directory": "solutions/fully-configurable",
"install_type": "fullstack",
"compliance": {
"authority": "scc-v3",
"profiles": [
{
"profile_name": "IBM Cloud Framework for Financial Services",
"profile_version": "1.7.0"
}
]
},
"configuration": [
{
"key": "ibmcloud_api_key",
"required": true
},
{
"key": "existing_resource_group_name",
"required": true
},
{
"key": "prefix",
"required": true,
"description": "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can enter the string `__NULL__`."
},
{
"key": "region",
"required": true,
"options": [
{
"value": "us-south"
},
{
"value": "eu-de"
},
{
"value": "eu-gb"
},
{
"value": "eu-es"
},
{
"value": "jp-osa"
},
{
"value": "br-sao"
},
{
"value": "au-syd"
},
{
"value": "jp-tok"
},
{
"value": "ca-tor"
},
{
"value": "us-east"
}
]
},
{
"key": "provider_visibility",
"options": [
{
"value": "private"
},
{
"value": "public"
},
{
"value": "public-and-private"
}
]
},
{
"key": "existing_monitoring_crn"
},
{
"key": "scc_workload_protection_instance_name"
},
{
"key": "scc_workload_protection_service_plan",
"options": [
{
"value": "free-trial"
},
{
"value": "graduated-tier"
}
]
},
{
"key": "scc_workload_protection_instance_tags",
"custom_config": {
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"type": "string"
}
}
},
{
"key": "scc_workload_protection_resource_key_tags",
"custom_config": {
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"type": "string"
}
}
},
{
"key": "scc_workload_protection_access_tags",
"custom_config": {
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"type": "string"
}
}
},
{
"key": "cbr_rules"
}
],
"iam_permissions": [
{
"service_name": "sysdig-secure",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
]
}
],
"architecture": {
"descriptions": "This architecture supports creating and configuring a Security and Compliance Center Workload Protection instance.",
"features": [
{
"title": "Creates a Security and Compliance Center Workload Protection instance",
"description": "Creates and configures a Security and Compliance Center Workload Protection instance."
}
],
"diagrams": [
{
"diagram": {
"caption": "Security and Compliance Center Workload Protection",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/main/reference-architecture/scc.svg",
"type": "image/svg+xml"
},
"description": "This architecture supports creating and configuring IBM Security and Compliance Center Workload Protection resources"
}
]
}
}
]
}
]
}
1 change: 1 addition & 0 deletions images/scc-icon.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
4 changes: 4 additions & 0 deletions reference-architecture/scc.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
60 changes: 60 additions & 0 deletions solutions/fully-configurable/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Cloud automation for Security and Compliance Center Workload Protection

This solution supports provisioning and configuring the following infrastructure:

- A Security and Compliance Center Workload Protection instance.

:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

![Workload Protection](./reference-architecture/scc.svg)

<!-- Below content is automatically populated via pre-commit hook -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
### Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.0 |
| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | 1.75.2 |

### Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.1.6 |
| <a name="module_scc_wp"></a> [scc\_wp](#module\_scc\_wp) | ../.. | n/a |

### Resources

No resources.

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/cbr-rules.md) | <pre>list(object({<br/> description = string<br/> account_id = string<br/> rule_contexts = list(object({<br/> attributes = optional(list(object({<br/> name = string<br/> value = string<br/> }))) }))<br/> enforcement_mode = string<br/> tags = optional(list(object({<br/> name = string<br/> value = string<br/> })), [])<br/> operations = optional(list(object({<br/> api_types = list(object({<br/> api_type_id = string<br/> }))<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_existing_monitoring_crn"></a> [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. | `string` | `null` | no |
| <a name="input_existing_resource_group_name"></a> [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of a an existing resource group in which to provision resources to. | `string` | `"Default"` | no |
| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
| <a name="input_provider_visibility"></a> [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
| <a name="input_region"></a> [region](#input\_region) | The region to provision Security and Compliance Center Workload Protection resources in. | `string` | `"us-south"` | no |
| <a name="input_scc_workload_protection_access_tags"></a> [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no |
| <a name="input_scc_workload_protection_instance_name"></a> [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"scc-workload-protection"` | no |
| <a name="input_scc_workload_protection_instance_tags"></a> [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no |
| <a name="input_scc_workload_protection_resource_key_tags"></a> [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. | `list(string)` | `[]` | no |
| <a name="input_scc_workload_protection_service_plan"></a> [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no |

### Outputs

| Name | Description |
|------|-------------|
| <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | Resource group ID |
| <a name="output_resource_group_name"></a> [resource\_group\_name](#output\_resource\_group\_name) | Resource group name |
| <a name="output_scc_workload_protection_access_key"></a> [scc\_workload\_protection\_access\_key](#output\_scc\_workload\_protection\_access\_key) | SCC Workload Protection access key |
| <a name="output_scc_workload_protection_api_endpoint"></a> [scc\_workload\_protection\_api\_endpoint](#output\_scc\_workload\_protection\_api\_endpoint) | SCC Workload Protection API endpoint |
| <a name="output_scc_workload_protection_crn"></a> [scc\_workload\_protection\_crn](#output\_scc\_workload\_protection\_crn) | SCC Workload Protection instance CRN |
| <a name="output_scc_workload_protection_id"></a> [scc\_workload\_protection\_id](#output\_scc\_workload\_protection\_id) | SCC Workload Protection instance ID |
| <a name="output_scc_workload_protection_ingestion_endpoint"></a> [scc\_workload\_protection\_ingestion\_endpoint](#output\_scc\_workload\_protection\_ingestion\_endpoint) | SCC Workload Protection instance ingestion endpoint |
| <a name="output_scc_workload_protection_name"></a> [scc\_workload\_protection\_name](#output\_scc\_workload\_protection\_name) | SCC Workload Protection instance name |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
4 changes: 4 additions & 0 deletions solutions/fully-configurable/catalogValidationValues.json.template
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"ibmcloud_api_key": $VALIDATION_APIKEY,
"existing_resource_group_name": "geretain-test-resources"
}
77 changes: 77 additions & 0 deletions solutions/fully-configurable/cbr-rules.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
# Configuring complex inputs for Workload Protection in IBM Cloud projects

Several optional input variables in the IBM Cloud [workload protection deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.

* Context-Based Restrictions Rules (`cbr_rules`)


## Rules For Context-Based Restrictions <a name="cbr_rules"></a>

The `cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.

- Variable name: `cbr_rules`.
- Type: A list of objects. Allows only one object representing a rule for the target service
- Default value: An empty list (`[]`).

### Options for cbr_rules

- `description` (required): The description of the rule to create.
- `account_id` (required): The IBM Cloud Account ID
- `rule_contexts` (required): (List) The contexts the rule applies to
- `attributes` (optional): (List) Individual context attributes
- `name` (required): The attribute name.
- `value` (required): The attribute value.

- `enforcement_mode` (required): The rule enforcement mode can have the following values:
- `enabled` - The restrictions are enforced and reported. This is the default.
- `disabled` - The restrictions are disabled. Nothing is enforced or reported.
- `report` - The restrictions are evaluated and reported, but not enforced.
- `tags` (optional): (List) Resource Tags .
- `name` (required): The Tag name.
- `value` (required): The Tag value.
- `operations` (optional): The operations this rule applies to
- `api_types`(required): (List) The API types this rule applies to.
- `api_type_id`(required):The API type ID

### Example Rule For Context-Based Restrictions Configuration

```hcl
[
{
description = "workload protection can be accessed from xyz"
account_id = "defc0df06b644a9cabc6e44f55b3880s."
rule_contexts= [
{
attributes = [
{
"name" : "endpointType",
"value" : "private"
},
{
name = "networkZoneId"
value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
}
]
}
]
enforcement_mode = "enabled"
resources = [
{
tags {
name = "tag_name"
value = "tag_value"
}
}
]
operations = [
{
api_types = [
{
api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
}
]
}
]
}
]
```
Loading