From f1d31514fd78e9b2398c70fdf259ef3e14013e04 Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Sun, 30 Mar 2025 01:45:24 +0000 Subject: [PATCH 01/23] chain of deploy created --- examples/basic/provider.tf | 8 ----- examples/complete/main.tf | 59 ++++++++++++++++++++++++++++++++++ examples/complete/outputs.tf | 16 +++++++++ examples/complete/variables.tf | 39 ++++++++++++++++++++++ examples/complete/version.tf | 11 +++++++ outputs.tf | 3 ++ 6 files changed, 128 insertions(+), 8 deletions(-) delete mode 100644 examples/basic/provider.tf create mode 100644 examples/complete/main.tf create mode 100644 examples/complete/outputs.tf create mode 100644 examples/complete/variables.tf create mode 100644 examples/complete/version.tf diff --git a/examples/basic/provider.tf b/examples/basic/provider.tf deleted file mode 100644 index 84b6985..0000000 --- a/examples/basic/provider.tf +++ /dev/null @@ -1,8 +0,0 @@ -######################################################################################################################## -# Provider config -######################################################################################################################## - -provider "ibm" { - ibmcloud_api_key = var.ibmcloud_api_key - region = var.region -} diff --git a/examples/complete/main.tf b/examples/complete/main.tf new file mode 100644 index 0000000..03860a8 --- /dev/null +++ b/examples/complete/main.tf 
@@ -0,0 +1,59 @@
+provider "ibm" {
+ region = var.region
+ ibmcloud_api_key = var.ibmcloud_api_key
+}
+
+module "resource_group" {
+ source = "terraform-ibm-modules/resource-group/ibm"
+ version = "1.1.6"
+ resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null
+ existing_resource_group_name = var.resource_group
+}
+
+data "ibm_iam_account_settings" "iam_account_settings" {}
+
+module "scc_wp" {
+ source = "../.."
+ name = var.prefix
+ region = var.region
+ resource_group_id = module.resource_group.resource_group_id
+ resource_tags = var.resource_tags
+ access_tags = var.access_tags
+}
+
+module "app_config" {
+ source = "../../../terraform-ibm-app-configuration"
+ region = var.region
+ resource_group_id = module.resource_group.resource_group_id
+ app_config_name = "${var.prefix}-app-config"
+ app_config_tags = var.resource_tags
+
+ app_config_collections = [
+ {
+ name = "${var.prefix}-collection"
+ collection_id = "${var.prefix}-collection"
+ description = "Collection for ${var.prefix}"
+ }
+ ]
+}
+
+module "trusted_profiles" {
+ source = "../../../terraform-ibm-trusted-profile/examples/enterprise"
+ region = var.region
+ app_config_crn = module.app_config.app_config_crn
+ scc_wp_crn = module.scc_wp.wp_instance_crn
+ ibmcloud_api_key = var.ibmcloud_api_key
+}
+
+module "scc_wp_config_aggregator" {
+ source = "../../../terraform-ibm-app-configuration/modules/scc_wp_config_aggregator"
+
+ app_config_instance_guid = module.app_config.app_config_guid
+ region = var.region
+ enterprise_id = var.enterprise_id
+ template_id = var.template_id
+ enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id
+
+ depends_on = [module.trusted_profiles]
+}
+
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
new file mode 100644
index 0000000..56bca9b
--- /dev/null
+++ b/examples/complete/outputs.tf
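Review bot: `data "ibm_iam_account_settings" "iam_account_settings" {}` is declared in the new main.tf but nothing in the hunk reads it, so it only adds an IAM read on every plan; either reference it or drop it. The explicit `depends_on = [module.trusted_profiles]` on `module "scc_wp_config_aggregator"` is redundant because `enterprise_trusted_profile_id` already references that module's output, and a module-level `depends_on` forces every resource in the aggregator module to wait for the whole trusted_profiles module, which also defers any data sources in it to apply time. `var.ibmcloud_api_key` is handed both to the provider and as a plain input to `module "trusted_profiles"`; if that module only needs the key to configure its own provider, passing `providers = { ibm = ibm }` instead avoids duplicating the secret as a module argument. The `../../../terraform-ibm-*` sources resolve outside this repository, so a clean checkout cannot run `terraform init` on the example.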
@@ -0,0 +1,16 @@ +output "scc_wp_config_aggregator_id" { + value = module.scc_wp_config_aggregator.scc_wp_config_aggregator_id +} + +output "trusted_profile_enterprise_id" { + value = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id +} + +output "app_config_guid" { + value = module.app_config.app_config_guid +} + +output "app_config_crn" { + value = module.app_config.app_config_crn +} + diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf new file mode 100644 index 0000000..8cd315a --- /dev/null +++ b/examples/complete/variables.tf @@ -0,0 +1,39 @@ +variable "region" { + type = string +} + +variable "prefix" { + type = string +} + +variable "resource_group" { + type = string + default = null +} + +variable "resource_tags" { + type = list(string) + default = [] +} + +variable "access_tags" { + type = list(string) + default = [] +} + +variable "enterprise_id" { + type = string + description = "Enterprise ID for App Configuration aggregator" +} + +variable "template_id" { + type = string + description = "Trusted Profile Template ID" +} + +variable "ibmcloud_api_key" { + type = string + description = "IBM Cloud API key" + sensitive = true +} + diff --git a/examples/complete/version.tf b/examples/complete/version.tf new file mode 100644 index 0000000..ac0f655 --- /dev/null +++ b/examples/complete/version.tf @@ -0,0 +1,11 @@ +terraform { + required_version = ">= 1.3.0" + + required_providers { + ibm = { + source = "ibm-cloud/ibm" + version = ">= 1.65.0, < 2.0.0" + } + } +} + diff --git a/outputs.tf b/outputs.tf index af53065..e6c104a 100644 --- a/outputs.tf +++ b/outputs.tf 
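Review bot: None of the four `output` blocks in examples/complete/outputs.tf carries a `description`, and in examples/complete/variables.tf `region`, `prefix`, `resource_group`, `resource_tags` and `access_tags` are declared without one either, so generated module documentation is blank for all of them; add e.g. `description = "Region where the example resources are provisioned."` to `region` and a one-line description to each of the others. `prefix` is interpolated into several resource names, so a `validation` block bounding its length and characters would turn a late provider error into an early plan error. `ibmcloud_api_key` is correctly marked `sensitive = true`, and `enterprise_id` and `template_id` already have descriptions.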
@@ -1,6 +1,9 @@ ######################################################################################################################## # Outputs ######################################################################################################################## +output "wp_instance_crn" { + value = ibm_resource_instance.scc_wp.crn +} output "name" { description = "Name of created SCC WP instance." From c36d6bd42ffdce16b0e0fe4ce481b3b6d8f462e3 Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Wed, 2 Apr 2025 13:21:45 +0000 Subject: [PATCH 02/23] correct templateID variable --- examples/complete/variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 8cd315a..090d499 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -27,8 +27,9 @@ variable "enterprise_id" { } variable "template_id" { + description = "The ID of the trusted profile template (optional if created later)" type = string - description = "Trusted Profile Template ID" + default = null } variable "ibmcloud_api_key" { From 215896e9e53b7c4e55b48c312b32315603b3419a Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Fri, 4 Apr 2025 00:30:37 +0000 Subject: [PATCH 03/23] output templateID generated correclty --- examples/complete/main.tf | 12 +++++++++++- examples/complete/outputs.tf | 3 +++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 03860a8..eed6395 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
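Review bot: The new `output "wp_instance_crn"` in the root outputs.tf has no `description`, while the neighbouring `output "name"` in the same file documents itself; add `description = "CRN of the created SCC WP instance."` above `value`. The added block is also not separated from `output "name"` by a blank line, unlike the rest of the file. The `output "name"` block continues outside the hunk.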
@@ -45,13 +45,23 @@ module "trusted_profiles" { ibmcloud_api_key = var.ibmcloud_api_key } + +# Debug output BEFORE the aggregator to ensure value is ready +resource "null_resource" "debug_template_id" { + provisioner "local-exec" { + command = "echo ✅ Template ID (debug): ${module.trusted_profiles.trusted_profile_template_id}" + } + + depends_on = [module.trusted_profiles] +} + module "scc_wp_config_aggregator" { source = "../../../terraform-ibm-app-configuration/modules/scc_wp_config_aggregator" app_config_instance_guid = module.app_config.app_config_guid region = var.region enterprise_id = var.enterprise_id - template_id = var.template_id + template_id = module.trusted_profiles.trusted_profile_template_id enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id depends_on = [module.trusted_profiles] diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 56bca9b..ab203c5 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -1,6 +1,9 @@ output "scc_wp_config_aggregator_id" { value = module.scc_wp_config_aggregator.scc_wp_config_aggregator_id } +output "trusted_profile_template_id" { + value = module.trusted_profiles.trusted_profile_template_id +} output "trusted_profile_enterprise_id" { value = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id From e4868fe72bcef3894c4ddd3a564a212efa4ea567 Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Fri, 4 Apr 2025 01:38:18 +0000 Subject: [PATCH 04/23] corrected the enterprise_id issue --- examples/complete/main.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index eed6395..5d26dc8 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -46,14 +46,6 @@ module "trusted_profiles" { } -# Debug output BEFORE the aggregator to ensure value is ready -resource "null_resource" "debug_template_id" { - provisioner "local-exec" { - command = "echo ✅ Template ID (debug): ${module.trusted_profiles.trusted_profile_template_id}" - } - - depends_on = [module.trusted_profiles] -} module "scc_wp_config_aggregator" { source = "../../../terraform-ibm-app-configuration/modules/scc_wp_config_aggregator" From 5004d5c92d7efc59f882a1de2970ff62facc178e Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Fri, 4 Apr 2025 10:21:48 +0000 Subject: [PATCH 05/23] trusted profile general correction --- examples/complete/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 5d26dc8..cb18253 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -55,7 +55,7 @@ module "scc_wp_config_aggregator" { enterprise_id = var.enterprise_id template_id = module.trusted_profiles.trusted_profile_template_id enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id - + general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id depends_on = [module.trusted_profiles] } From c05350d358fdb0acabd6779a84719810900d21b3 Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Sat, 5 Apr 2025 01:48:05 +0000 Subject: [PATCH 06/23] adjustments done on account groups --- examples/complete/main.tf | 2 ++ examples/complete/outputs.tf | 4 ++++ examples/complete/variables.tf | 14 ++++++++++++++ variables.tf | 2 +- 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index cb18253..cd47f28 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -43,6 +43,8 @@ module "trusted_profiles" { app_config_crn = module.app_config.app_config_crn scc_wp_crn = module.scc_wp.wp_instance_crn ibmcloud_api_key = var.ibmcloud_api_key + onboard_account_groups = var.onboard_account_groups + account_group_ids = var.account_group_ids } diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index ab203c5..b3ba4fc 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -1,3 +1,7 @@ +output "scc_wp_crn" { + description = "CRN of the SCC Workload Protection instance" + value = module.scc_wp.wp_instance_crn +} output "scc_wp_config_aggregator_id" { value = module.scc_wp_config_aggregator.scc_wp_config_aggregator_id } diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 090d499..af04254 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -1,3 +1,4 @@ + variable "region" { type = string } @@ -6,6 +7,19 @@ variable "prefix" { type = string } + +variable "onboard_account_groups" { + type = bool + description = "Set to true if you also want to onboard account groups." +} + +variable "account_group_ids" { + type = list(string) + default = [] # ✅ ← IMPORTANT : éviter les prompts inutiles + description = "Liste des ID de groupes de comptes à assigner au modèle. Utilisé uniquement si onboard_account_groups est false." +} + + variable "resource_group" { type = string default = null diff --git a/variables.tf b/variables.tf index 5215dd4..fd0f802 100644 --- a/variables.tf +++ b/variables.tf @@ -26,7 +26,7 @@ variable "name" { variable "scc_wp_service_plan" { description = "IBM service pricing plan." type = string - default = "free-trial" + default = "graduated-tier" validation { error_message = "Plan for SCC Workload Protection instances can only be `free-trial` or `graduated-tier`." condition = contains( From 1959b55f38ba7f4b27f8453646d781f80a27fb0f Mon Sep 17 00:00:00 2001 
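Review bot: In the `@@ -6,6 +7,19 @@` hunk of examples/complete/variables.tf the `account_group_ids` description and its inline comment are in French and the comment carries an emoji, while every other description in the file is English; drop the comment and use `description = "Account group IDs to assign the template to. Only used when onboard_account_groups is false."`. `onboard_account_groups` is declared with `type = bool` and no `default`, so every run of the example prompts for it; give it a default or document why it must be explicit. The hunk also introduces a leading blank line at the top of the file and doubled blank lines between blocks, which `terraform fmt` would likely normalise.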
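Review bot: The root variables.tf hunk changes the module-wide default of `scc_wp_service_plan` from `free-trial` to `graduated-tier`, which silently moves every existing consumer of this module onto the non-trial plan on their next apply and is unrelated to the commit subject about account groups. Keep the root default at `"free-trial"` and set `scc_wp_service_plan = "graduated-tier"` explicitly in the example's `module "scc_wp"` call instead; if the default really must change it needs its own commit and a breaking-change note. The `validation` block below the default continues outside the hunk.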
From: RiadhJ Date: Mon, 7 Apr 2025 12:41:08 +0000 Subject: [PATCH 07/23] added a README.md file --- examples/complete/README.md | 43 +++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 examples/complete/README.md diff --git a/examples/complete/README.md b/examples/complete/README.md new file mode 100644 index 0000000..ee6fe91 --- /dev/null +++ b/examples/complete/README.md @@ -0,0 +1,43 @@ +# Complete Example: SCC-WP with App Config and Trusted Profiles + +This example demonstrates the full deployment of: + +- IBM Cloud App Configuration +- IBM Cloud Security and Compliance Center Workload Protection (SCC-WP) +- IAM Trusted Profile Template with 3 Trusted Profiles +- Template assignment to account groups +- Configuration Aggregator to link SCC-WP with App Config + +--- + +## Flow Overview + +1. Create or reuse a resource group + A resource group is created. + +2. Deploy App Config + App Config is deployed along with a collection for organizing features and properties. + +3. Deploy SCC Workload Protection + SCC-WP is deployed with the `graduated-tier` plan (customizable via variable). + +4. Create a Trusted Profile Template with 3 profiles + - App Config - Enterprise + For IAM template management across the enterprise. + - App Config - General + For reading platform and IAM services. + - SCC-WP Profile + For integrating SCC-WP with App Config and enterprise usage. + +5. Assign the template to account groups + +6. Create SCC-WP Config Aggregator + The aggregator connects SCC-WP to App Config and uses the enterprise trusted profile and template ID to enforce secure access. + +--- + +## Usage + +terraform init +terraform apply + From 260f2336ca139a1a67eda3ac6d94f17bfbca906e Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Mon, 7 Apr 2025 12:44:38 +0000 Subject: [PATCH 08/23] added the provider back to basic folder --- examples/basic/provider.tf | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 examples/basic/provider.tf 
diff --git a/examples/basic/provider.tf b/examples/basic/provider.tf new file mode 100644 index 0000000..0356fc3 --- /dev/null +++ b/examples/basic/provider.tf @@ -0,0 +1,5 @@ +provider "ibm" { + ibmcloud_api_key = var.ibmcloud_api_key + region = var.region +} + From c97839adbb19e02bf8385fee3fd555af03e985da Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Mon, 7 Apr 2025 13:23:35 +0000 Subject: [PATCH 09/23] added graduated tier in the wp module calling --- examples/complete/main.tf | 1 + examples/complete/variables.tf | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index cd47f28..a2da973 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -16,6 +16,7 @@ module "scc_wp" { source = "../.." name = var.prefix region = var.region + scc_wp_service_plan = "graduated-tier" resource_group_id = module.resource_group.resource_group_id resource_tags = var.resource_tags access_tags = var.access_tags diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index af04254..c79c175 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -10,7 +10,8 @@ variable "prefix" { variable "onboard_account_groups" { type = bool - description = "Set to true if you also want to onboard account groups." + default = true + description = "Whether to onboard all account groups to the template." } variable "account_group_ids" { From e8567ea2797deb636570c17b2dccc8030d465e4d Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Mon, 7 Apr 2025 13:54:23 +0000 Subject: [PATCH 10/23] replaced the sources with module ones --- examples/complete/main.tf | 47 +++++++++++++++----------- examples/complete/main.tfOLD | 64 ++++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+), 20 deletions(-) create mode 100644 examples/complete/main.tfOLD diff --git a/examples/complete/main.tf b/examples/complete/main.tf index a2da973..9c36a9c 100644 --- a/examples/complete/main.tf 
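Review bot: `scc_wp_service_plan = "graduated-tier"` is hard-coded in `module "scc_wp"`, but the README added in the previous commit describes the plan as customizable via variable, and `graduated-tier` is the non-trial plan, so anyone running the example is billed without a knob to change it; either add a `scc_wp_service_plan` variable (defaulting to `"graduated-tier"`) and pass `var.scc_wp_service_plan`, or correct the README. In the same commit `onboard_account_groups` gains `default = true`, which by its own description means a plain `terraform apply` onboards all account groups in the enterprise; that is a broad default for an example and deserves a sentence in the description, or a `false` default. The rest of `module "scc_wp"` continues outside the hunk.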
+++ b/examples/complete/main.tf @@ -6,24 +6,29 @@ provider "ibm" { module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" version = "1.1.6" - resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null + + resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null existing_resource_group_name = var.resource_group } data "ibm_iam_account_settings" "iam_account_settings" {} module "scc_wp" { - source = "../.." - name = var.prefix - region = var.region + source = "terraform-ibm-modules/scc-workload-protection/ibm" + version = "1.0.0" + + name = var.prefix + region = var.region scc_wp_service_plan = "graduated-tier" - resource_group_id = module.resource_group.resource_group_id - resource_tags = var.resource_tags - access_tags = var.access_tags + resource_group_id = module.resource_group.resource_group_id + resource_tags = var.resource_tags + access_tags = var.access_tags } module "app_config" { - source = "../../../terraform-ibm-app-configuration" + source = "terraform-ibm-modules/app-configuration/ibm" + version = "1.0.0" + region = var.region resource_group_id = module.resource_group.resource_group_id app_config_name = "${var.prefix}-app-config" 
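Review bot: `module "scc_wp"` now points at `terraform-ibm-modules/scc-workload-protection/ibm` `version = "1.0.0"` instead of `../..`, so the example in this repository stops exercising the code in this repository; an in-repo example should keep `source = "../.."` so that changes to the module are what the example validates. Pinning `module "app_config"` to `version = "1.0.0"` is the right practice, but confirm that exact release exists on the registry and exposes the `app_config_guid` and `app_config_crn` outputs the next hunk relies on. The `provider "ibm"` block named in the hunk header and the tail of `module "app_config"` are outside the visible lines.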
@@ -39,26 +44,28 @@ module "app_config" { } module "trusted_profiles" { - source = "../../../terraform-ibm-trusted-profile/examples/enterprise" - region = var.region - app_config_crn = module.app_config.app_config_crn - scc_wp_crn = module.scc_wp.wp_instance_crn - ibmcloud_api_key = var.ibmcloud_api_key - onboard_account_groups = var.onboard_account_groups - account_group_ids = var.account_group_ids -} - + source = "terraform-ibm-modules/trusted-profile-enterprise/ibm" + version = "1.0.0" + region = var.region + app_config_crn = module.app_config.app_config_crn + scc_wp_crn = module.scc_wp.wp_instance_crn + ibmcloud_api_key = var.ibmcloud_api_key + onboard_account_groups = var.onboard_account_groups + account_group_ids = var.account_group_ids +} module "scc_wp_config_aggregator" { - source = "../../../terraform-ibm-app-configuration/modules/scc_wp_config_aggregator" + source = "terraform-ibm-modules/scc-wp-config-aggregator/ibm" + version = "1.0.0" app_config_instance_guid = module.app_config.app_config_guid region = var.region enterprise_id = var.enterprise_id template_id = module.trusted_profiles.trusted_profile_template_id - enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id - general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id + enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id + general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id + depends_on = [module.trusted_profiles] } diff --git a/examples/complete/main.tfOLD b/examples/complete/main.tfOLD new file mode 100644 index 0000000..a2da973 --- /dev/null +++ b/examples/complete/main.tfOLD 
@@ -0,0 +1,64 @@ +provider "ibm" { + region = var.region + ibmcloud_api_key = var.ibmcloud_api_key +} + +module "resource_group" { + source = "terraform-ibm-modules/resource-group/ibm" + version = "1.1.6" + resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null + existing_resource_group_name = var.resource_group +} + +data "ibm_iam_account_settings" "iam_account_settings" {} + +module "scc_wp" { + source = "../.." + name = var.prefix + region = var.region + scc_wp_service_plan = "graduated-tier" + resource_group_id = module.resource_group.resource_group_id + resource_tags = var.resource_tags + access_tags = var.access_tags +} + +module "app_config" { + source = "../../../terraform-ibm-app-configuration" + region = var.region + resource_group_id = module.resource_group.resource_group_id + app_config_name = "${var.prefix}-app-config" + app_config_tags = var.resource_tags + + app_config_collections = [ + { + name = "${var.prefix}-collection" + collection_id = "${var.prefix}-collection" + description = "Collection for ${var.prefix}" + } + ] +} + +module "trusted_profiles" { + source = "../../../terraform-ibm-trusted-profile/examples/enterprise" + region = var.region + app_config_crn = module.app_config.app_config_crn + scc_wp_crn = module.scc_wp.wp_instance_crn + ibmcloud_api_key = var.ibmcloud_api_key + onboard_account_groups = var.onboard_account_groups + account_group_ids = var.account_group_ids +} + + + +module "scc_wp_config_aggregator" { + source = "../../../terraform-ibm-app-configuration/modules/scc_wp_config_aggregator" + + app_config_instance_guid = module.app_config.app_config_guid + region = var.region + enterprise_id = var.enterprise_id + template_id = module.trusted_profiles.trusted_profile_template_id + enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id + general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id + depends_on = 
[module.trusted_profiles] +} + From 4b219759b040aad9e869764751f8829016f3ba2a Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Tue, 8 Apr 2025 13:40:01 +0000 Subject: [PATCH 11/23] cleaning and adjusting --- examples/basic/provider.tf | 5 ++- examples/complete/main.tfOLD | 64 ------------------------------------ variables.tf | 2 +- 3 files changed, 5 insertions(+), 66 deletions(-) delete mode 100644 examples/complete/main.tfOLD diff --git a/examples/basic/provider.tf b/examples/basic/provider.tf index 0356fc3..84b6985 100644 --- a/examples/basic/provider.tf +++ b/examples/basic/provider.tf @@ -1,5 +1,8 @@ +######################################################################################################################## +# Provider config +######################################################################################################################## + provider "ibm" { ibmcloud_api_key = var.ibmcloud_api_key region = var.region } - diff --git a/examples/complete/main.tfOLD b/examples/complete/main.tfOLD deleted file mode 100644 index a2da973..0000000 --- a/examples/complete/main.tfOLD +++ /dev/null 
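Review bot: `examples/complete/main.tfOLD` is a verbatim snapshot of the previous main.tf committed alongside the rewrite; git history already preserves that version, and a stray `.tfOLD` file next to live configuration invites confusion about which one is authoritative. Remove it from the commit rather than carrying it in the tree.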
@@ -1,64 +0,0 @@ -provider "ibm" { - region = var.region - ibmcloud_api_key = var.ibmcloud_api_key -} - -module "resource_group" { - source = "terraform-ibm-modules/resource-group/ibm" - version = "1.1.6" - resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null - existing_resource_group_name = var.resource_group -} - -data "ibm_iam_account_settings" "iam_account_settings" {} - -module "scc_wp" { - source = "../.." - name = var.prefix - region = var.region - scc_wp_service_plan = "graduated-tier" - resource_group_id = module.resource_group.resource_group_id - resource_tags = var.resource_tags - access_tags = var.access_tags -} - -module "app_config" { - source = "../../../terraform-ibm-app-configuration" - region = var.region - resource_group_id = module.resource_group.resource_group_id - app_config_name = "${var.prefix}-app-config" - app_config_tags = var.resource_tags - - app_config_collections = [ - { - name = "${var.prefix}-collection" - collection_id = "${var.prefix}-collection" - description = "Collection for ${var.prefix}" - } - ] -} - -module "trusted_profiles" { - source = "../../../terraform-ibm-trusted-profile/examples/enterprise" - region = var.region - app_config_crn = module.app_config.app_config_crn - scc_wp_crn = module.scc_wp.wp_instance_crn - ibmcloud_api_key = var.ibmcloud_api_key - onboard_account_groups = var.onboard_account_groups - account_group_ids = var.account_group_ids -} - - - -module "scc_wp_config_aggregator" { - source = "../../../terraform-ibm-app-configuration/modules/scc_wp_config_aggregator" - - app_config_instance_guid = module.app_config.app_config_guid - region = var.region - enterprise_id = var.enterprise_id - template_id = module.trusted_profiles.trusted_profile_template_id - enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id - general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id - depends_on = 
[module.trusted_profiles] -} - diff --git a/variables.tf b/variables.tf index fd0f802..5215dd4 100644 --- a/variables.tf +++ b/variables.tf @@ -26,7 +26,7 @@ variable "name" { variable "scc_wp_service_plan" { description = "IBM service pricing plan." type = string - default = "graduated-tier" + default = "free-trial" validation { error_message = "Plan for SCC Workload Protection instances can only be `free-trial` or `graduated-tier`." condition = contains( From 0b2bd41eedb5bba8da625befc326f06c3a37b402 Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Tue, 8 Apr 2025 21:23:19 +0000 Subject: [PATCH 12/23] Refactor: use variables to dynamically create IAM policy templates with roles and service --- examples/complete/main.tf | 129 +++++++++++++++++--------------------- 1 file changed, 59 insertions(+), 70 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 9c36a9c..6191309 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -1,71 +1,60 @@ provider "ibm" { - region = var.region - ibmcloud_api_key = var.ibmcloud_api_key -} - -module "resource_group" { - source = "terraform-ibm-modules/resource-group/ibm" - version = "1.1.6" - - resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null - existing_resource_group_name = var.resource_group -} - -data "ibm_iam_account_settings" "iam_account_settings" {} - -module "scc_wp" { - source = "terraform-ibm-modules/scc-workload-protection/ibm" - version = "1.0.0" - - name = var.prefix - region = var.region - scc_wp_service_plan = "graduated-tier" - resource_group_id = module.resource_group.resource_group_id - resource_tags = var.resource_tags - access_tags = var.access_tags -} - -module "app_config" { - source = "terraform-ibm-modules/app-configuration/ibm" - version = "1.0.0" - - region = var.region - resource_group_id = module.resource_group.resource_group_id - app_config_name = "${var.prefix}-app-config" - app_config_tags = var.resource_tags - - app_config_collections = [ - { - name = "${var.prefix}-collection" - collection_id = "${var.prefix}-collection" - description = "Collection for ${var.prefix}" - } - ] -} - -module "trusted_profiles" { - source = "terraform-ibm-modules/trusted-profile-enterprise/ibm" - version = "1.0.0" - - region = var.region - app_config_crn = module.app_config.app_config_crn - scc_wp_crn = module.scc_wp.wp_instance_crn - ibmcloud_api_key = var.ibmcloud_api_key - onboard_account_groups = var.onboard_account_groups - account_group_ids = var.account_group_ids -} - -module "scc_wp_config_aggregator" { - source = "terraform-ibm-modules/scc-wp-config-aggregator/ibm" - version = "1.0.0" - - app_config_instance_guid = module.app_config.app_config_guid - region = var.region - enterprise_id = var.enterprise_id - template_id = module.trusted_profiles.trusted_profile_template_id - enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id - 
general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id - - depends_on = [module.trusted_profiles] -} - + region = var.region + ibmcloud_api_key = var.ibmcloud_api_key + } + + module "resource_group" { + source = "terraform-ibm-modules/resource-group/ibm" + version = "1.1.6" + resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null + existing_resource_group_name = var.resource_group + } + + data "ibm_iam_account_settings" "iam_account_settings" {} + + module "scc_wp" { + source = "../.." + name = var.prefix + region = var.region + resource_group_id = module.resource_group.resource_group_id + resource_tags = var.resource_tags + access_tags = var.access_tags + scc_wp_service_plan = "graduated-tier" + } + + module "app_config" { + source = "../../../terraform-ibm-app-configuration" + region = var.region + resource_group_id = module.resource_group.resource_group_id + app_config_name = "${var.prefix}-app-config" + app_config_tags = var.resource_tags + + app_config_collections = [ + { + name = "${var.prefix}-collection" + collection_id = "${var.prefix}-collection" + description = "Collection for ${var.prefix}" + } + ] + } + + module "trusted_profiles" { + source = "../../../terraform-ibm-trusted-profile/examples/enterprise" + region = var.region + app_config_crn = module.app_config.app_config_crn + scc_wp_crn = module.scc_wp.wp_instance_crn + ibmcloud_api_key = var.ibmcloud_api_key + } + + module "scc_wp_config_aggregator" { + source = "../../../terraform-ibm-app-configuration/modules/scc_wp_config_aggregator" + + app_config_instance_guid = module.app_config.app_config_guid + region = var.region + enterprise_id = var.enterprise_id + template_id = module.trusted_profiles.trusted_profile_template_id + enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id + general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id + + 
depends_on = [module.trusted_profiles] + } From 6907e5e6d6398e232a1e32b0c9ea8f531e9d1a1d Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Tue, 8 Apr 2025 21:37:13 +0000 Subject: [PATCH 13/23] adjusted sources from local to modules --- examples/complete/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 6191309..c64fe77 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -13,7 +13,7 @@ provider "ibm" { data "ibm_iam_account_settings" "iam_account_settings" {} module "scc_wp" { - source = "../.." + source = "terraform-ibm-modules/scc-workload-protection/ibm" name = var.prefix region = var.region resource_group_id = module.resource_group.resource_group_id @@ -23,7 +23,7 @@ provider "ibm" { } module "app_config" { - source = "../../../terraform-ibm-app-configuration" + source = "terraform-ibm-modules/app-configuration/ibm" region = var.region resource_group_id = module.resource_group.resource_group_id app_config_name = "${var.prefix}-app-config" @@ -39,7 +39,7 @@ provider "ibm" { } module "trusted_profiles" { - source = "../../../terraform-ibm-trusted-profile/examples/enterprise" + source = "terraform-ibm-modules/trusted-profile-enterprise/ibm" region = var.region app_config_crn = module.app_config.app_config_crn scc_wp_crn = module.scc_wp.wp_instance_crn @@ -47,7 +47,7 @@ provider "ibm" { } module "scc_wp_config_aggregator" { - source = "../../../terraform-ibm-app-configuration/modules/scc_wp_config_aggregator" + source = "terraform-ibm-modules/scc-wp-config-aggregator/ibm" app_config_instance_guid = module.app_config.app_config_guid region = var.region From 2df6577833a620fcd6415349689e53cacafdcfd7 Mon Sep 17 00:00:00 2001 
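Review bot: Every line of examples/complete/main.tf is now indented by two spaces, including the top-level `module` and `data` blocks, which `terraform fmt` will revert and which turns a small logical change into a 71-line rewrite that hides the real edits. Those edits — sources back to `../..` and the `../../../terraform-ibm-*` paths, and the removal of `onboard_account_groups` and `account_group_ids` from `module "trusted_profiles"` — do not match the subject "use variables to dynamically create IAM policy templates", and the two account-group variables stay declared in variables.tf but are no longer used anywhere. Run `terraform fmt`, either restore the two arguments or delete their variables, and describe the actual change in the commit message.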
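Review bot: The four hunks of this commit switch `module "scc_wp"`, `module "app_config"`, `module "trusted_profiles"` and `module "scc_wp_config_aggregator"` to registry sources with no `version` argument, so `terraform init` resolves each to whatever the latest published release is at that moment and the example is neither reproducible nor protected against a breaking or compromised upstream release; add `version = "<pinned-release>"` (placeholder — use the release you tested) beside each `source`. As raised on the earlier source change, `module "scc_wp"` in this repository's own example should stay on `source = "../.."` so CI tests the local module. The `provider "ibm"` context named in every hunk header is an artefact of the whole file being indented in the previous commit.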
From: RiadhJ Date: Thu, 10 Apr 2025 01:44:13 +0000 Subject: [PATCH 14/23] adjusting as per IBM standards --- examples/complete/main.tf | 60 -------------------- examples/complete/variables.tf | 55 ------------------ examples/{complete => enterprise}/README.md | 0 examples/enterprise/main.tf | 56 ++++++++++++++++++ examples/{complete => enterprise}/outputs.tf | 8 ++- examples/enterprise/provider.tf | 5 ++ examples/enterprise/variables.tf | 40 +++++++++++++ examples/{complete => enterprise}/version.tf | 2 +- outputs.tf | 3 - 9 files changed, 107 insertions(+), 122 deletions(-) delete mode 100644 examples/complete/main.tf delete mode 100644 examples/complete/variables.tf rename examples/{complete => enterprise}/README.md (100%) create mode 100644 examples/enterprise/main.tf rename examples/{complete => enterprise}/outputs.tf (75%) create mode 100644 examples/enterprise/provider.tf create mode 100644 examples/enterprise/variables.tf rename examples/{complete => enterprise}/version.tf (77%) diff --git a/examples/complete/main.tf b/examples/complete/main.tf deleted file mode 100644 index c64fe77..0000000 --- a/examples/complete/main.tf +++ /dev/null 
@@ -1,60 +0,0 @@ -provider "ibm" { - region = var.region - ibmcloud_api_key = var.ibmcloud_api_key - } - - module "resource_group" { - source = "terraform-ibm-modules/resource-group/ibm" - version = "1.1.6" - resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null - existing_resource_group_name = var.resource_group - } - - data "ibm_iam_account_settings" "iam_account_settings" {} - - module "scc_wp" { - source = "terraform-ibm-modules/scc-workload-protection/ibm" - name = var.prefix - region = var.region - resource_group_id = module.resource_group.resource_group_id - resource_tags = var.resource_tags - access_tags = var.access_tags - scc_wp_service_plan = "graduated-tier" - } - - module "app_config" { - source = "terraform-ibm-modules/app-configuration/ibm" - region = var.region - resource_group_id = module.resource_group.resource_group_id - app_config_name = "${var.prefix}-app-config" - app_config_tags = var.resource_tags - - app_config_collections = [ - { - name = "${var.prefix}-collection" - collection_id = "${var.prefix}-collection" - description = "Collection for ${var.prefix}" - } - ] - } - - module "trusted_profiles" { - source = "terraform-ibm-modules/trusted-profile-enterprise/ibm" - region = var.region - app_config_crn = module.app_config.app_config_crn - scc_wp_crn = module.scc_wp.wp_instance_crn - ibmcloud_api_key = var.ibmcloud_api_key - } - - module "scc_wp_config_aggregator" { - source = "terraform-ibm-modules/scc-wp-config-aggregator/ibm" - - app_config_instance_guid = module.app_config.app_config_guid - region = var.region - enterprise_id = var.enterprise_id - template_id = module.trusted_profiles.trusted_profile_template_id - enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id - general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id - - depends_on = [module.trusted_profiles] - } 
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf deleted file mode 100644 index c79c175..0000000 --- a/examples/complete/variables.tf +++ /dev/null @@ -1,55 +0,0 @@ - -variable "region" { - type = string -} - -variable "prefix" { - type = string -} - - -variable "onboard_account_groups" { - type = bool - default = true - description = "Whether to onboard all account groups to the template." -} - -variable "account_group_ids" { - type = list(string) - default = [] # ✅ ← IMPORTANT : éviter les prompts inutiles - description = "Liste des ID de groupes de comptes à assigner au modèle. Utilisé uniquement si onboard_account_groups est false." -} - - -variable "resource_group" { - type = string - default = null -} - -variable "resource_tags" { - type = list(string) - default = [] -} - -variable "access_tags" { - type = list(string) - default = [] -} - -variable "enterprise_id" { - type = string - description = "Enterprise ID for App Configuration aggregator" -} - -variable "template_id" { - description = "The ID of the trusted profile template (optional if created later)" - type = string - default = null -} - -variable "ibmcloud_api_key" { - type = string - description = "IBM Cloud API key" - sensitive = true -} - diff --git a/examples/complete/README.md b/examples/enterprise/README.md similarity index 100% rename from examples/complete/README.md rename to examples/enterprise/README.md diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf new file mode 100644 index 0000000..ddb6f09 --- /dev/null +++ b/examples/enterprise/main.tf 
@@ -0,0 +1,56 @@ +module "resource_group" { + source = "terraform-ibm-modules/resource-group/ibm" + version = "1.1.6" + + resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null + existing_resource_group_name = var.resource_group +} + + +module "scc_wp" { + source = "../.." + name = var.prefix + region = var.region + resource_group_id = module.resource_group.resource_group_id + resource_tags = var.resource_tags + access_tags = var.access_tags + scc_wp_service_plan = "graduated-tier" +} + +module "app_config" { + source = "../../../terraform-ibm-app-configuration" + region = var.region + resource_group_id = module.resource_group.resource_group_id + app_config_name = "${var.prefix}-app-config" + app_config_tags = var.resource_tags + + app_config_collections = [ + { + name = "${var.prefix}-collection" + collection_id = "${var.prefix}-collection" + description = "Collection for ${var.prefix}" + } + ] +} + +module "trusted_profiles" { + source = "../../../terraform-ibm-trusted-profile/examples/enterprise" + region = var.region + app_config_crn = module.app_config.app_config_crn + scc_wp_crn = module.scc_wp.crn + ibmcloud_api_key = var.ibmcloud_api_key + + onboard_account_groups = true +} +module "config_aggregator" { + source = "../../../terraform-ibm-app-configuration/modules/config_aggregator" + + app_config_instance_guid = module.app_config.app_config_guid + region = var.region + enterprise_id = var.enterprise_id + trusted_profile_template_id = module.trusted_profiles.trusted_profile_template_id + enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id + general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id + +} + diff --git a/examples/complete/outputs.tf b/examples/enterprise/outputs.tf similarity index 75% rename from examples/complete/outputs.tf rename to examples/enterprise/outputs.tf index b3ba4fc..f1b8393 100644 --- a/examples/complete/outputs.tf 
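Review bot: The `app_config`, `trusted_profiles` and `config_aggregator` modules are sourced from sibling checkouts (`../../../terraform-ibm-app-configuration`, `../../../terraform-ibm-trusted-profile/examples/enterprise`, `../../../terraform-ibm-app-configuration/modules/config_aggregator`) that live outside this repository, so `terraform init` only succeeds when the right commit of each neighbour happens to be checked out and nothing records which commit that is. The `trusted_profiles` source is moreover an `examples/` directory of another module, which normally declares its own provider block and is not designed to be consumed as a child module; a registry address with a pinned `version` for all three would make the example self-contained. Separately, `ibmcloud_api_key = var.ibmcloud_api_key` is handed to `trusted_profiles` as a plain input even though the `ibm` provider is already configured with it — if the module only needs it for a nested provider that is redundant, and if it feeds a `local-exec` or similar the key can end up in logs, so a one-line comment explaining why the module needs the raw key would help the next reader judge the exposure.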
+++ b/examples/enterprise/outputs.tf @@ -1,10 +1,12 @@ output "scc_wp_crn" { description = "CRN of the SCC Workload Protection instance" - value = module.scc_wp.wp_instance_crn + value = module.scc_wp.crn } -output "scc_wp_config_aggregator_id" { - value = module.scc_wp_config_aggregator.scc_wp_config_aggregator_id + +output "config_aggregator_id" { + value = module.config_aggregator.scc_wp_config_aggregator_id } + output "trusted_profile_template_id" { value = module.trusted_profiles.trusted_profile_template_id } diff --git a/examples/enterprise/provider.tf b/examples/enterprise/provider.tf new file mode 100644 index 0000000..722ac7c --- /dev/null +++ b/examples/enterprise/provider.tf @@ -0,0 +1,5 @@ +provider "ibm" { + region = var.region + ibmcloud_api_key = var.ibmcloud_api_key +} + diff --git a/examples/enterprise/variables.tf b/examples/enterprise/variables.tf new file mode 100644 index 0000000..ecbc244 --- /dev/null +++ b/examples/enterprise/variables.tf @@ -0,0 +1,40 @@ +variable "enterprise_id" { + type = string + description = "The Enterprise ID used to scope the Config Aggregator or IAM templates." +} + +variable "region" { + type = string + description = "IBM Cloud region where resources will be deployed." +} + +variable "prefix" { + type = string + description = "Prefix used for naming all provisioned resources." +} + +variable "resource_group" { + type = string + default = null + description = "Name of an existing resource group to use. If null, a new one will be created using the prefix." +} + +variable "resource_tags" { + type = list(string) + default = [] + description = "List of tags to apply to resources for tracking and organization." +} + +variable "access_tags" { + type = list(string) + default = [] + description = "List of access tags to apply to resources for IAM policy scoping." +} + + +variable "ibmcloud_api_key" { + type = string + description = "IBM Cloud API key used for authentication." + sensitive = true +} + 
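Review bot: The renamed `config_aggregator_id` output and the `trusted_profile_template_id` output have no `description`, while `scc_wp_crn` directly above them does; add `description = "ID of the App Configuration config aggregator settings wired to SCC-WP"` and `description = "ID of the IAM trusted profile template assigned to the enterprise account groups"` so the example's outputs are documented consistently.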
diff --git a/examples/complete/version.tf b/examples/enterprise/version.tf similarity index 77% rename from examples/complete/version.tf rename to examples/enterprise/version.tf index ac0f655..c6826b6 100644 --- a/examples/complete/version.tf +++ b/examples/enterprise/version.tf @@ -4,7 +4,7 @@ terraform { required_providers { ibm = { source = "ibm-cloud/ibm" - version = ">= 1.65.0, < 2.0.0" + version = ">= 1.70.0, < 2.0.0" } } } diff --git a/outputs.tf b/outputs.tf index e6c104a..af53065 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,9 +1,6 @@ ######################################################################################################################## # Outputs ######################################################################################################################## -output "wp_instance_crn" { - value = ibm_resource_instance.scc_wp.crn -} output "name" { description = "Name of created SCC WP instance." From 87d99cce5b9977b2d7cc6aec1ea13c687f9d5939 Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Sat, 12 Apr 2025 13:54:35 +0000 Subject: [PATCH 15/23] adjustments --- examples/enterprise/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf index ddb6f09..794ebf6 100644 --- a/examples/enterprise/main.tf +++ b/examples/enterprise/main.tf @@ -40,7 +40,6 @@ module "trusted_profiles" { scc_wp_crn = module.scc_wp.crn ibmcloud_api_key = var.ibmcloud_api_key - onboard_account_groups = true } module "config_aggregator" { source = "../../../terraform-ibm-app-configuration/modules/config_aggregator" From 7c83e01ddd64c29ccb7760462f93f5d8db0b59fe Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Tue, 15 Apr 2025 12:43:36 +0000 Subject: [PATCH 16/23] App Config Config Aggregator sub-module moved to Resource --- examples/enterprise/main.tf | 23 +++++++++++++++-------- examples/enterprise/outputs.tf | 4 ---- 2 files changed, 15 insertions(+), 12 deletions(-) 
diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf index 794ebf6..b513559 100644 --- a/examples/enterprise/main.tf +++ b/examples/enterprise/main.tf @@ -41,15 +41,22 @@ module "trusted_profiles" { ibmcloud_api_key = var.ibmcloud_api_key } -module "config_aggregator" { - source = "../../../terraform-ibm-app-configuration/modules/config_aggregator" - app_config_instance_guid = module.app_config.app_config_guid - region = var.region - enterprise_id = var.enterprise_id - trusted_profile_template_id = module.trusted_profiles.trusted_profile_template_id - enterprise_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id - general_trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id +resource "ibm_config_aggregator_settings" "scc_wp_aggregator" { + instance_id = module.app_config.app_config_guid + region = var.region + resource_collection_enabled = true + resource_collection_regions = ["all"] + trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id + additional_scope { + type = "Enterprise" + enterprise_id = var.enterprise_id + + profile_template { + id = module.trusted_profiles.trusted_profile_template_id + trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id + } + } } diff --git a/examples/enterprise/outputs.tf b/examples/enterprise/outputs.tf index f1b8393..ef4860f 100644 --- a/examples/enterprise/outputs.tf +++ b/examples/enterprise/outputs.tf @@ -3,10 +3,6 @@ output "scc_wp_crn" { value = module.scc_wp.crn } -output "config_aggregator_id" { - value = module.config_aggregator.scc_wp_config_aggregator_id -} - output "trusted_profile_template_id" { value = module.trusted_profiles.trusted_profile_template_id } From 279fed688610eefdc3f6cf4da83f9a99d41f2810 Mon Sep 17 00:00:00 2001 
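Review bot: The new `ibm_config_aggregator_settings.scc_wp_aggregator` resource uses two different trusted profiles and a template with no comment saying which is which, and the hard-coded `resource_collection_regions = ["all"]` combined with the `Enterprise` `additional_scope` makes this the widest collection scope the resource supports. Add a comment above the resource such as `# Collects resource metadata from all regions of this account via the general profile, and from the account groups the template is assigned to via the enterprise profile + template; SCC-WP consumes the result for CSPM` so a reader sees the blast radius before applying. The `trusted_profiles` module that supplies `profile_id` and `trusted_profile_template_id` sits above the hunk.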
From: RiadhJ Date: Tue, 15 Apr 2025 15:20:56 +0000 Subject: [PATCH 17/23] Move trusted relationship sub-module to main Trusted Profile module and delete the trusted profile examples calling --- examples/enterprise/main.tf | 156 ++++++++++++++++++++++++++++++--- examples/enterprise/outputs.tf | 4 +- 2 files changed, 148 insertions(+), 12 deletions(-) diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf index b513559..39852cf 100644 --- a/examples/enterprise/main.tf +++ b/examples/enterprise/main.tf @@ -6,7 +6,6 @@ module "resource_group" { existing_resource_group_name = var.resource_group } - module "scc_wp" { source = "../.." name = var.prefix 
@@ -33,13 +32,150 @@ module "app_config" { ] } -module "trusted_profiles" { - source = "../../../terraform-ibm-trusted-profile/examples/enterprise" - region = var.region - app_config_crn = module.app_config.app_config_crn - scc_wp_crn = module.scc_wp.crn - ibmcloud_api_key = var.ibmcloud_api_key +module "trusted_profile_app_config_general" { + source = "../../../terraform-ibm-trusted-profile" + trusted_profile_name = "app-config-general-profile" + trusted_profile_description = "Trusted Profile for App Config general permissions" + create_trusted_relationship = true + + trusted_profile_identity = { + identifier = module.app_config.app_config_crn + identity_type = "crn" + type = "crn" + } + + trusted_profile_policies = [ + { + roles = ["Viewer", "Service Configuration Reader"] + account_management = true + description = "All Account Management Services" + }, + { + roles = ["Viewer", "Service Configuration Reader", "Reader"] + resource_attributes = [{ + name = "serviceType" + value = "service" + operator = "stringEquals" + }] + description = "All Identity and Access enabled services" + } + ] + + trusted_profile_links = [{ + cr_type = "VSI" + links = [{ + crn = module.app_config.app_config_crn + }] + }] +} +# Creates the custom role inline +resource "ibm_iam_custom_role" "template_assignment_reader" { + name = "TemplateAssignmentReader" + service = "iam-identity" + display_name = "Template Assignment Reader" + description = "Custom role to allow reading template assignments" + actions = ["iam-identity.profile-assignment.read"] +} + +# Trusted Profile for App Config enterprise-level permissions +module "trusted_profile_app_config_enterprise" { + source = "../../../terraform-ibm-trusted-profile" + trusted_profile_name = "app-config-enterprise-profile" + trusted_profile_description = "Trusted Profile for App Config to manage IAM templates" + create_trusted_relationship = true + + trusted_profile_identity = { + identifier = module.app_config.app_config_crn + identity_type 
= "crn" + type = "crn" + } + + trusted_profile_policies = [ + { + roles = ["Viewer", "Template Assignment Reader"] + resource_attributes = [{ + name = "service_group_id" + value = "IAM" + operator = "stringEquals" + }] + description = "IAM access with custom role" + }, + { + roles = ["Viewer"] + resources = [{ + service = "enterprise" + }] + description = "Enterprise access" + } + ] + + trusted_profile_links = [{ + cr_type = "VSI" + links = [{ + crn = module.app_config.app_config_crn + }] + }] +} + +module "trusted_profile_scc_wp" { + source = "../../../terraform-ibm-trusted-profile" + trusted_profile_name = "scc-wp-profile" + trusted_profile_description = "Trusted Profile for SCC-WP to access App Config and enterprise" + create_trusted_relationship = true + + trusted_profile_identity = { + identifier = module.scc_wp.crn + identity_type = "crn" + type = "crn" + } + + trusted_profile_policies = [ + { + roles = ["Viewer", "Service Configuration Reader", "Manager"] + resources = [{ + service = "apprapp" + }] + description = "App Config access" + }, + { + roles = ["Viewer", "Usage Report Viewer"] + resources = [{ + service = "enterprise" + }] + description = "Enterprise access" + } + ] + + trusted_profile_links = [{ + cr_type = "VSI" + links = [{ + crn = module.scc_wp.crn + }] + }] +} + +module "trusted_profile_template" { + source = "../../../terraform-ibm-trusted-profile/modules/trusted-profile-template" + profile_name = "Trusted Profile for IBM Cloud CSPM in SCC-WP" + profile_description = "Template profile used to onboard child accounts" + identity_crn = module.app_config.app_config_crn + onboard_account_groups = true + + policy_templates = [ + { + name = "identity-access" + description = "Policy template for identity services" + roles = ["Viewer", "Reader"] + service = "service" + }, + { + name = "platform-access" + description = "Policy template for platform services" + roles = ["Viewer", "Service Configuration Reader"] + service = "platform_service" + } + ] } 
resource "ibm_config_aggregator_settings" "scc_wp_aggregator" { @@ -47,15 +183,15 @@ resource "ibm_config_aggregator_settings" "scc_wp_aggregator" { region = var.region resource_collection_enabled = true resource_collection_regions = ["all"] - trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_general.profile_id + trusted_profile_id = module.trusted_profile_app_config_general.profile_id additional_scope { type = "Enterprise" enterprise_id = var.enterprise_id profile_template { - id = module.trusted_profiles.trusted_profile_template_id - trusted_profile_id = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id + id = module.trusted_profile_template.trusted_profile_template_id + trusted_profile_id = module.trusted_profile_app_config_enterprise.profile_id } } } diff --git a/examples/enterprise/outputs.tf b/examples/enterprise/outputs.tf index ef4860f..17fd12c 100644 --- a/examples/enterprise/outputs.tf +++ b/examples/enterprise/outputs.tf @@ -4,11 +4,11 @@ output "scc_wp_crn" { } output "trusted_profile_template_id" { - value = module.trusted_profiles.trusted_profile_template_id + value = module.trusted_profile_template.trusted_profile_template_id } output "trusted_profile_enterprise_id" { - value = module.trusted_profiles.trusted_profile_app_config_enterprise.profile_id + value = module.trusted_profile_app_config_enterprise.profile_id } output "app_config_guid" { From 319c0669de1de15f61b826d116cfb8dc5dea5ea2 Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Wed, 16 Apr 2025 14:13:00 +0000 Subject: [PATCH 18/23] adjustments --- examples/enterprise/README.md | 45 ++++++++++++++++++++++++++--------- examples/enterprise/main.tf | 26 ++++++++------------ 2 files changed, 44 insertions(+), 27 deletions(-) diff --git a/examples/enterprise/README.md b/examples/enterprise/README.md index ee6fe91..dc0da38 100644 --- a/examples/enterprise/README.md +++ b/examples/enterprise/README.md 
@@ -1,5 +1,7 @@ # Complete Example: SCC-WP with App Config and Trusted Profiles +> Only supported in an enterprise account. + This example demonstrates the full deployment of: - IBM Cloud App Configuration 
@@ -12,32 +14,53 @@ This example demonstrates the full deployment of: ## Flow Overview -1. Create or reuse a resource group - A resource group is created. +1. **Create or reuse a resource group** + A resource group is created or reused. -2. Deploy App Config +2. **Deploy App Config** App Config is deployed along with a collection for organizing features and properties. -3. Deploy SCC Workload Protection - SCC-WP is deployed with the `graduated-tier` plan (customizable via variable). +3. **Deploy SCC Workload Protection** + SCC-WP is deployed with the `graduated-tier` plan. -4. Create a Trusted Profile Template with 3 profiles - - App Config - Enterprise +4. **Create a Trusted Profile Template with 3 profiles** + - **App Config -- Enterprise** For IAM template management across the enterprise. - - App Config - General + - **App Config -- General** For reading platform and IAM services. - - SCC-WP Profile + - **SCC-WP Profile** For integrating SCC-WP with App Config and enterprise usage. -5. Assign the template to account groups +5. **Assign the template to account groups** + All child accounts or specific account groups receive the profile template. -6. Create SCC-WP Config Aggregator +6. **Create SCC-WP Config Aggregator** The aggregator connects SCC-WP to App Config and uses the enterprise trusted profile and template ID to enforce secure access. --- +## Notes + +- The `trusted_profile_links` block in each trusted profile is used to **link the profile to a specific CRN**, like a VSI or App Config instance, enabling the identity to assume the trusted profile. + +--- + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement_terraform) | >= 1.3.0 | +| [ibm](#requirement_ibm) | >= 1.76.1, < 2.0.0 | + +--- + ## Usage +```bash terraform init terraform apply +``` + +--- + diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf index 39852cf..ad41a1b 100644 --- a/examples/enterprise/main.tf +++ b/examples/enterprise/main.tf 
@@ -22,21 +22,12 @@ module "app_config" { resource_group_id = module.resource_group.resource_group_id app_config_name = "${var.prefix}-app-config" app_config_tags = var.resource_tags - - app_config_collections = [ - { - name = "${var.prefix}-collection" - collection_id = "${var.prefix}-collection" - description = "Collection for ${var.prefix}" - } - ] } module "trusted_profile_app_config_general" { source = "../../../terraform-ibm-trusted-profile" trusted_profile_name = "app-config-general-profile" trusted_profile_description = "Trusted Profile for App Config general permissions" - create_trusted_relationship = true trusted_profile_identity = { identifier = module.app_config.app_config_crn @@ -70,6 +61,9 @@ module "trusted_profile_app_config_general" { } # Creates the custom role inline +# This role, "Template Assignment Reader", is used in the trusted profile +# to grant permission to read IAM template assignments. It is required +# by the App Config enterprise-level trusted profile to manage IAM templates. resource "ibm_iam_custom_role" "template_assignment_reader" { name = "TemplateAssignmentReader" service = "iam-identity" @@ -83,7 +77,6 @@ module "trusted_profile_app_config_enterprise" { source = "../../../terraform-ibm-trusted-profile" trusted_profile_name = "app-config-enterprise-profile" trusted_profile_description = "Trusted Profile for App Config to manage IAM templates" - create_trusted_relationship = true trusted_profile_identity = { identifier = module.app_config.app_config_crn @@ -122,7 +115,6 @@ module "trusted_profile_scc_wp" { source = "../../../terraform-ibm-trusted-profile" trusted_profile_name = "scc-wp-profile" trusted_profile_description = "Trusted Profile for SCC-WP to access App Config and enterprise" - create_trusted_relationship = true trusted_profile_identity = { identifier = module.scc_wp.crn 
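Review bot: Dropping `create_trusted_relationship = true` from all three `trusted-profile` module calls while keeping their `trusted_profile_identity` blocks is a behaviour change that the commit message ("adjustments") does not explain; if the module gates creation of the trust relationship on that flag, the App Config and SCC-WP CRNs can no longer assume these profiles and the aggregator fails at runtime rather than at plan time — please confirm against the module's variables and, if the default is now `true`, say so in a comment. The removed `app_config_collections` block also leaves `examples/enterprise/README.md` (step 2 still says App Config is deployed "along with a collection") out of sync with the code; update that README line or restore the collection. The enclosing `trusted_profile_scc_wp` module block continues past the end of the hunk.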
@@ -156,11 +148,13 @@ module "trusted_profile_scc_wp" { } module "trusted_profile_template" { - source = "../../../terraform-ibm-trusted-profile/modules/trusted-profile-template" - profile_name = "Trusted Profile for IBM Cloud CSPM in SCC-WP" - profile_description = "Template profile used to onboard child accounts" - identity_crn = module.app_config.app_config_crn - onboard_account_groups = true + source = "../../../terraform-ibm-trusted-profile/modules/trusted-profile-template" + template_name = "Trusted Profile Template for SCC-WP" + template_description = "IAM trusted profile template to onboard accounts for CSPM" + profile_name = "Trusted Profile for IBM Cloud CSPM in SCC-WP" + profile_description = "Template profile used to onboard child accounts" + identity_crn = module.app_config.app_config_crn + onboard_account_groups = true policy_templates = [ { From e093d1d035600c2461966cda886d5bef30dcf90c Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Wed, 16 Apr 2025 15:04:39 +0000 Subject: [PATCH 19/23] other adjustments --- examples/enterprise/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf index ad41a1b..36eee9e 100644 --- a/examples/enterprise/main.tf +++ b/examples/enterprise/main.tf @@ -154,7 +154,7 @@ module "trusted_profile_template" { profile_name = "Trusted Profile for IBM Cloud CSPM in SCC-WP" profile_description = "Template profile used to onboard child accounts" identity_crn = module.app_config.app_config_crn - onboard_account_groups = true + onboard_all_account_groups = true policy_templates = [ { From cfdd65e0905d6c2040c3e15d9134cd5b45192156 Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Wed, 16 Apr 2025 15:15:28 +0000 Subject: [PATCH 20/23] corrected README --- examples/enterprise/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/enterprise/README.md b/examples/enterprise/README.md index dc0da38..72c1c79 100644 
--- a/examples/enterprise/README.md +++ b/examples/enterprise/README.md @@ -1,4 +1,4 @@ -# Complete Example: SCC-WP with App Config and Trusted Profiles +# Enterprise Example: SCC-WP with App Config and Trusted Profiles > Only supported in an enterprise account. From a648fa8470e54c02c053bbd79675e23f3fd1c7fc Mon Sep 17 00:00:00 2001 From: RiadhJ Date: Wed, 16 Apr 2025 15:47:52 +0000 Subject: [PATCH 21/23] adjusting the modules syntax --- examples/enterprise/main.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf index 36eee9e..6b02c91 100644 --- a/examples/enterprise/main.tf +++ b/examples/enterprise/main.tf @@ -17,7 +17,7 @@ module "scc_wp" { } module "app_config" { - source = "../../../terraform-ibm-app-configuration" + source = "terraform-ibm-modules/app-configuration/ibm" region = var.region resource_group_id = module.resource_group.resource_group_id app_config_name = "${var.prefix}-app-config" @@ -25,7 +25,7 @@ module "app_config" { } module "trusted_profile_app_config_general" { - source = "../../../terraform-ibm-trusted-profile" + source = "terraform-ibm-modules/trusted-profile/ibm" trusted_profile_name = "app-config-general-profile" trusted_profile_description = "Trusted Profile for App Config general permissions" @@ -74,7 +74,7 @@ resource "ibm_iam_custom_role" "template_assignment_reader" { # Trusted Profile for App Config enterprise-level permissions module "trusted_profile_app_config_enterprise" { - source = "../../../terraform-ibm-trusted-profile" + source = "terraform-ibm-modules/trusted-profile/ibm" trusted_profile_name = "app-config-enterprise-profile" trusted_profile_description = "Trusted Profile for App Config to manage IAM templates" 
@@ -112,7 +112,7 @@ module "trusted_profile_app_config_enterprise" { } module "trusted_profile_scc_wp" { - source = "../../../terraform-ibm-trusted-profile" + source = "terraform-ibm-modules/trusted-profile/ibm" trusted_profile_name = "scc-wp-profile" trusted_profile_description = "Trusted Profile for SCC-WP to access App Config and enterprise" @@ -148,7 +148,7 @@ module "trusted_profile_scc_wp" { } module "trusted_profile_template" { - source = "../../../terraform-ibm-trusted-profile/modules/trusted-profile-template" + source = "terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template" template_name = "Trusted Profile Template for SCC-WP" template_description = "IAM trusted profile template to onboard accounts for CSPM" profile_name = "Trusted Profile for IBM Cloud CSPM in SCC-WP" From 03b8f64f0a5308d0dc6f3829a814ab1b670a132a Mon Sep 17 00:00:00 2001 From: RiadhJ <60111478+RiadhJouini@users.noreply.github.com> Date: Thu, 17 Apr 2025 15:37:00 +0200 Subject: [PATCH 22/23] added versions --- examples/enterprise/main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf index 6b02c91..53ba67c 100644 --- a/examples/enterprise/main.tf +++ b/examples/enterprise/main.tf @@ -18,6 +18,7 @@ module "scc_wp" { module "app_config" { source = "terraform-ibm-modules/app-configuration/ibm" + version = "v1.3.0" region = var.region resource_group_id = module.resource_group.resource_group_id app_config_name = "${var.prefix}-app-config" @@ -26,6 +27,7 @@ module "app_config" { module "trusted_profile_app_config_general" { source = "terraform-ibm-modules/trusted-profile/ibm" + version = "2.1.0" trusted_profile_name = "app-config-general-profile" trusted_profile_description = "Trusted Profile for App Config general permissions" 
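Review bot: `version = "v1.3.0"` on the `app_config` module uses a `v`-prefixed string while the other pins added in this commit are bare (`"2.1.0"`) and `resource_group` uses `"1.1.6"`; the registry publishes module versions without the prefix, so write `version = "1.3.0"` for consistency even if the constraint parser happens to tolerate the `v`.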
@@ -75,6 +77,7 @@ resource "ibm_iam_custom_role" "template_assignment_reader" { # Trusted Profile for App Config enterprise-level permissions module "trusted_profile_app_config_enterprise" { source = "terraform-ibm-modules/trusted-profile/ibm" + version = "2.1.0" trusted_profile_name = "app-config-enterprise-profile" trusted_profile_description = "Trusted Profile for App Config to manage IAM templates" @@ -113,6 +116,7 @@ module "trusted_profile_app_config_enterprise" { module "trusted_profile_scc_wp" { source = "terraform-ibm-modules/trusted-profile/ibm" + version = "2.1.0" trusted_profile_name = "scc-wp-profile" trusted_profile_description = "Trusted Profile for SCC-WP to access App Config and enterprise" @@ -149,6 +153,7 @@ module "trusted_profile_scc_wp" { module "trusted_profile_template" { source = "terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template" + version = "2.1.0" template_name = "Trusted Profile Template for SCC-WP" template_description = "IAM trusted profile template to onboard accounts for CSPM" profile_name = "Trusted Profile for IBM Cloud CSPM in SCC-WP" From 9b752bc42bcdeb0589f98951023e0d7fddd9bdbf Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Thu, 17 Apr 2025 15:55:50 +0100 Subject: [PATCH 23/23] cleanup --- README.md | 1 + examples/enterprise/README.md | 142 +++++++++++++++++++++++---- examples/enterprise/main.tf | 161 +++++++++++++++++-------------- examples/enterprise/outputs.tf | 13 ++- examples/enterprise/provider.tf | 1 - examples/enterprise/variables.tf | 1 - examples/enterprise/version.tf | 1 - 7 files changed, 223 insertions(+), 97 deletions(-) diff --git a/README.md b/README.md index 58e47fe..c088a91 100644 --- a/README.md +++ b/README.md 
@@ -17,6 +17,7 @@ A module for provisioning an [IBM Cloud Security and Compliance Center Workload * [Examples](./examples) * [Advanced example](./examples/advanced) * [Basic example](./examples/basic) + * [Enterprise Example: SCC-WP with App Config and Trusted Profiles](./examples/enterprise) * [Contributing](#contributing) diff --git a/examples/enterprise/README.md b/examples/enterprise/README.md index 72c1c79..2765fbd 100644 --- a/examples/enterprise/README.md +++ b/examples/enterprise/README.md @@ -14,27 +14,27 @@ This example demonstrates the full deployment of: ## Flow Overview -1. **Create or reuse a resource group** +1. **Create or reuse a resource group** A resource group is created or reused. -2. **Deploy App Config** +2. **Deploy App Config** App Config is deployed along with a collection for organizing features and properties. -3. **Deploy SCC Workload Protection** +3. **Deploy SCC Workload Protection** SCC-WP is deployed with the `graduated-tier` plan. 4. **Create a Trusted Profile Template with 3 profiles** - - **App Config -- Enterprise** + - **App Config -- Enterprise** For IAM template management across the enterprise. - - **App Config -- General** + - **App Config -- General** For reading platform and IAM services. - - **SCC-WP Profile** + - **SCC-WP Profile** For integrating SCC-WP with App Config and enterprise usage. -5. **Assign the template to account groups** +5. **Assign the template to account groups** All child accounts or specific account groups receive the profile template. -6. **Create SCC-WP Config Aggregator** +6. **Create SCC-WP Config Aggregator** The aggregator connects SCC-WP to App Config and uses the enterprise trusted profile and template ID to enforce secure access. --- @@ -45,15 +45,6 @@ This example demonstrates the full deployment of: --- -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement_terraform) | >= 1.3.0 | -| [ibm](#requirement_ibm) | >= 1.76.1, < 2.0.0 | - ---- - ## Usage ```bash 
@@ -63,4 +54,119 @@ terraform apply
 ---
-
+## Known issue
+
+There is a [known issue](https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6164) which you will face if you attempt a re-apply of this example after the initial apply has complete.
+
+- The `ibm_iam_trusted_profile_template` will detect a update in place which looks something like this:
+ ```
+ Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ ~ update in-place
+
+ Terraform will perform the following actions:
+
+ # module.trusted_profile_template.ibm_iam_trusted_profile_template.trusted_profile_template_instance will be updated in-place
+ ~ resource "ibm_iam_trusted_profile_template" "trusted_profile_template_instance" {
+ id = "ProfileTemplate-8b16cb82-b9b4-434a-b678-12c82033e9a7/1"
+ name = "Trusted Profile Template for SCC-WP"
+ # (11 unchanged attributes hidden)
+
+ ~ profile {
+ name = "Trusted Profile for IBM Cloud CSPM in SCC-WP"
+ # (1 unchanged attribute hidden)
+
+ ~ identities {
+ ~ iam_id = "crn-crn:v1:bluemix:public:apprapp:us-south:a/1f27e30e31f0486980cb0b2657d483f7:c89c16ce-3505-453e-8990-c7473657779b::" -> "crn:v1:bluemix:public:apprapp:us-south:a/1f27e30e31f0486980cb0b2657d483f7:c89c16ce-3505-453e-8990-c7473657779b::"
+ # (4 unchanged attributes hidden)
+ }
+ }
+
+ # (2 unchanged blocks hidden)
+ }
+ ```
+- Any account groups that were assigned the trusted profile template will also see an update in place.
For example: + ``` + # module.trusted_profile_template.ibm_iam_trusted_profile_template_assignment.account_settings_template_assignment_instance["AccountGroup-3596923e5a674a7fa7eb01c5b17fce8e"] will be updated in-place + ~ resource "ibm_iam_trusted_profile_template_assignment" "account_settings_template_assignment_instance" { + id = "TemplateAssignment-befcf82f-6bd2-4922-b2c1-5c161685488c" + + resources = (known after apply) + # (13 unchanged attributes hidden) + } + ``` +- If you then proceed with the apply, it will fail with the following error: + ``` + module.trusted_profile_template.ibm_iam_trusted_profile_template.trusted_profile_template_instance: Modifying... [id=ProfileTemplate-8b16cb82-b9b4-434a-b678-12c82033e9a7/1] + ╷ + │ Error: UpdateProfileTemplateVersionWithContext failed Template in committed state. + │ { + │ "StatusCode": 422, + │ "Headers": { + │ "Akamai-Grn": [ + │ "0.bdb01302.1744900183.cacb5e65" + │ ], + │ "Cache-Control": [ + │ "no-cache, no-store, must-revalidate" + │ ], + │ "Content-Language": [ + │ "en-US" + │ ], + │ "Content-Length": [ + │ "334" + │ ], + │ "Content-Type": [ + │ "application/json" + │ ], + │ "Date": [ + │ "Thu, 17 Apr 2025 14:29:43 GMT" + │ ], + │ "Expires": [ + │ "0" + │ ], + │ "Ibm-Cloud-Service-Name": [ + │ "iam-identity" + │ ], + │ "Pragma": [ + │ "no-cache" + │ ], + │ "Set-Cookie": [ + │ "ak_bmsc=540034860F090FE00019133754696C9B~000000000000000000000000000000~YAAQvbATAmL0BRuWAQAA59YnRBuMehleeYJJD1yOUDM/362Yj0eaMmjUwIsm8G4Muf/XUfjIHA5XJGWRI1lc21CDcPI7yVqdHcX5h4l59hxg+cqzHDBeNUIojafPY7k82U8X9ECSo5XFuyfFx4tlSOVclDZ05o2vLfNlpsi+Gr8kBbwySy/XGjfPi5g0ZLRq1Segl+vK7mV2HNdboRRw2MKdZpxYUgIrx/WhFgsuIgZBx6xzDLVjLYZHfFhZ1pF/s/vgOC9pPv8oAOxbas8pvR0hfeL4/9tNLiqws2kMal8wDeuytpy0qEzFLvlFRTa9YG0GYXthz5MxlA/VX5fnxfPcc7SGW2dTu1JFYKig/SapnDnqJCo/n/YlJLrjfguPWQjK; Domain=.cloud.ibm.com; Path=/; Expires=Thu, 17 Apr 2025 16:29:43 GMT; Max-Age=7200" + │ ], + │ "Strict-Transport-Security": [ + │ "max-age=31536000; includeSubDomains" + │ ], + │ 
"Transaction-Id": [ + │ "OXRxZ2M-8c573b755d4f4a28bb60756766ea1c64" + │ ], + │ "X-Content-Type-Options": [ + │ "nosniff" + │ ], + │ "X-Correlation-Id": [ + │ "OXRxZ2M-8c573b755d4f4a28bb60756766ea1c64" + │ ], + │ "X-Proxy-Upstream-Service-Time": [ + │ "127" + │ ], + │ "X-Request-Id": [ + │ "81085e6c-1d77-4916-84c5-e4574956e456" + │ ] + │ }, + │ "Result": { + │ "errors": [ + │ { + │ "code": "invalid_state", + │ "details": "Unable to process this request as Template with ID 'ProfileTemplate-8b16cb82-b9b4-434a-b678-12c82033e9a7' and version '1' is in a committed state.", + │ "message": "Template in committed state.", + │ "message_code": "BXNIM0908E" + │ } + │ ], + │ "status_code": 422, + │ "trace": "OXRxZ2M-8c573b755d4f4a28bb60756766ea1c64" + │ }, + │ "RawResult": null + │ } + │ + │ + │ with module.trusted_profile_template.ibm_iam_trusted_profile_template.trusted_profile_template_instance, + │ on .terraform/modules/trusted_profile_template/modules/trusted-profile-template/main.tf line 26, in resource "ibm_iam_trusted_profile_template" "trusted_profile_template_instance": + │ 26: resource "ibm_iam_trusted_profile_template" "trusted_profile_template_instance" { + ``` diff --git a/examples/enterprise/main.tf b/examples/enterprise/main.tf index 53ba67c..49a441e 100644 --- a/examples/enterprise/main.tf +++ b/examples/enterprise/main.tf 
@@ -1,11 +1,19 @@
-module "resource_group" {
- source = "terraform-ibm-modules/resource-group/ibm"
- version = "1.1.6"
+########################################################################################################################
+# Resource group
+########################################################################################################################
+module "resource_group" {
+ source = "terraform-ibm-modules/resource-group/ibm"
+ version = "1.1.6"
 resource_group_name = var.resource_group == null ? "${var.prefix}-rg" : null
 existing_resource_group_name = var.resource_group
 }
+########################################################################################################################
+# SCC Workload Protection
+########################################################################################################################
+
+# Create SCC Workload Protection instance
 module "scc_wp" {
 source = "../.."
 name = var.prefix
@@ -16,20 +24,64 @@ module "scc_wp" {
 scc_wp_service_plan = "graduated-tier"
 }
+# Create Trusted profile for SCC Workload Protection instance
+module "trusted_profile_scc_wp" {
+ source = "terraform-ibm-modules/trusted-profile/ibm"
+ version = "2.1.0"
+ trusted_profile_name = "${var.prefix}-scc-wp-profile"
+ trusted_profile_description = "Trusted Profile for SCC-WP to access App Config and enterprise"
+
+ trusted_profile_identity = {
+ identifier = module.scc_wp.crn
+ identity_type = "crn"
+ type = "crn"
+ }
+
+ trusted_profile_policies = [
+ {
+ roles = ["Viewer", "Service Configuration Reader", "Manager"]
+ resources = [{
+ service = "apprapp"
+ }]
+ description = "App Config access"
+ },
+ {
+ roles = ["Viewer", "Usage Report Viewer"]
+ resources = [{
+ service = "enterprise"
+ }]
+ description = "Enterprise access"
+ }
+ ]
+
+ trusted_profile_links = [{
+ cr_type = "VSI"
+ links = [{
+ crn = module.scc_wp.crn
+ }]
+ }]
+}
+
+########################################################################################################################
+# App Config
+########################################################################################################################
+
+# Create new App Config instance
 module "app_config" {
 source = "terraform-ibm-modules/app-configuration/ibm"
- version = "v1.3.0"
+ version = "1.3.0"
 region = var.region
 resource_group_id = module.resource_group.resource_group_id
 app_config_name = "${var.prefix}-app-config"
 app_config_tags = var.resource_tags
 }
+# Create trusted profile for App Config instance
 module "trusted_profile_app_config_general" {
- source = "terraform-ibm-modules/trusted-profile/ibm"
- version = "2.1.0"
- trusted_profile_name = "app-config-general-profile"
- trusted_profile_description = "Trusted Profile for App Config general permissions"
+ source = "terraform-ibm-modules/trusted-profile/ibm"
+ version = "2.1.0"
+ trusted_profile_name = "${var.prefix}-app-config-general-profile"
+ trusted_profile_description
= "Trusted Profile for App Config general permissions"
 trusted_profile_identity = {
 identifier = module.app_config.app_config_crn
@@ -76,10 +128,10 @@ resource "ibm_iam_custom_role" "template_assignment_reader" {
 # Trusted Profile for App Config enterprise-level permissions
 module "trusted_profile_app_config_enterprise" {
- source = "terraform-ibm-modules/trusted-profile/ibm"
- version = "2.1.0"
- trusted_profile_name = "app-config-enterprise-profile"
- trusted_profile_description = "Trusted Profile for App Config to manage IAM templates"
+ source = "terraform-ibm-modules/trusted-profile/ibm"
+ version = "2.1.0"
+ trusted_profile_name = "app-config-enterprise-profile"
+ trusted_profile_description = "Trusted Profile for App Config to manage IAM templates"
 trusted_profile_identity = {
 identifier = module.app_config.app_config_crn
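Review bot: The first entry of `trusted_profile_policies` on `module "trusted_profile_scc_wp"` gives the SCC-WP profile `Manager` over the whole `apprapp` service in the account, because `resources = [{ service = "apprapp" }]` carries no instance scope, although the only App Config instance this example uses is the one created by `module "app_config"`. The policy should be narrowed to that instance, for example `resources = [{ service = "apprapp", resource_instance_id = module.app_config.app_config_guid }]`, assuming the module passes the provider's `resource_instance_id` field through to `ibm_iam_trusted_profile_policy` (confirm against its variable schema); the second policy on the same profile already holds only read roles. Separately, `trusted_profile_app_config_enterprise` in the next hunk keeps the unprefixed name `"app-config-enterprise-profile"` while this hunk prefixes the other two profiles with `${var.prefix}-`, which is inconsistent and, since IAM checks trusted profile names for uniqueness within an account as far as I recall, would make a second deployment of the example into the same account fail. The `trusted_profile_app_config_general` block that closes this hunk continues past it.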
@@ -114,52 +166,38 @@ module "trusted_profile_app_config_enterprise" {
 }]
 }
-module "trusted_profile_scc_wp" {
- source = "terraform-ibm-modules/trusted-profile/ibm"
- version = "2.1.0"
- trusted_profile_name = "scc-wp-profile"
- trusted_profile_description = "Trusted Profile for SCC-WP to access App Config and enterprise"
+# Enable the config aggregator
+resource "ibm_config_aggregator_settings" "scc_wp_aggregator" {
+ instance_id = module.app_config.app_config_guid
+ region = var.region
+ resource_collection_enabled = true
+ resource_collection_regions = ["all"]
+ trusted_profile_id = module.trusted_profile_app_config_general.profile_id
- trusted_profile_identity = {
- identifier = module.scc_wp.crn
- identity_type = "crn"
- type = "crn"
- }
+ additional_scope {
+ type = "Enterprise"
+ enterprise_id = var.enterprise_id
- trusted_profile_policies = [
- {
- roles = ["Viewer", "Service Configuration Reader", "Manager"]
- resources = [{
- service = "apprapp"
- }]
- description = "App Config access"
- },
- {
- roles = ["Viewer", "Usage Report Viewer"]
- resources = [{
- service = "enterprise"
- }]
- description = "Enterprise access"
+ profile_template {
+ id = module.trusted_profile_template.trusted_profile_template_id
+ trusted_profile_id = module.trusted_profile_app_config_enterprise.profile_id
 }
- ]
-
- trusted_profile_links = [{
- cr_type = "VSI"
- links = [{
- crn = module.scc_wp.crn
- }]
- }]
+ }
 }
+########################################################################################################################
+# Trusted profile template
+########################################################################################################################
+
 module "trusted_profile_template" {
- source = "terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template"
- version = "2.1.0"
- template_name = "Trusted Profile Template for SCC-WP"
- template_description = "IAM trusted profile template to onboard accounts for CSPM"
- profile_name
= "Trusted Profile for IBM Cloud CSPM in SCC-WP"
- profile_description = "Template profile used to onboard child accounts"
- identity_crn = module.app_config.app_config_crn
- onboard_all_account_groups = true
+ source = "terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template"
+ version = "2.1.0"
+ template_name = "Trusted Profile Template for SCC-WP-${var.prefix}"
+ template_description = "IAM trusted profile template to onboard accounts for CSPM"
+ profile_name = "Trusted Profile for IBM Cloud CSPM in SCC-WP"
+ profile_description = "Template profile used to onboard child accounts"
+ identity_crn = module.app_config.app_config_crn
+ onboard_all_account_groups = true
 policy_templates = [
 {
@@ -176,22 +214,3 @@ module "trusted_profile_template" {
 }
 ]
 }
-
-resource "ibm_config_aggregator_settings" "scc_wp_aggregator" {
- instance_id = module.app_config.app_config_guid
- region = var.region
- resource_collection_enabled = true
- resource_collection_regions = ["all"]
- trusted_profile_id = module.trusted_profile_app_config_general.profile_id
-
- additional_scope {
- type = "Enterprise"
- enterprise_id = var.enterprise_id
-
- profile_template {
- id = module.trusted_profile_template.trusted_profile_template_id
- trusted_profile_id = module.trusted_profile_app_config_enterprise.profile_id
- }
- }
-}
-
diff --git a/examples/enterprise/outputs.tf b/examples/enterprise/outputs.tf
index 17fd12c..f1820fa 100644
--- a/examples/enterprise/outputs.tf
+++ b/examples/enterprise/outputs.tf
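Review bot: `onboard_all_account_groups = true` on `module "trusted_profile_template"` pushes the profile template to every account group in the enterprise, and nothing on the new side says so, nor that the template cannot be modified in place afterwards — the README added in this same commit shows the re-apply failing with `Template in committed state`. A comment on that line would make the blast radius visible to anyone copying the example, e.g. `# Assigns the template to every account group in the enterprise; after apply the template is committed and a re-apply fails (see README "Known issue")`. The `policy_templates` list that follows, and with it the end of this module block, lie outside the hunk.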
@@ -4,18 +4,21 @@ output "scc_wp_crn" {
 }
 output "trusted_profile_template_id" {
- value = module.trusted_profile_template.trusted_profile_template_id
+ description = "Trusted profile template ID"
+ value = module.trusted_profile_template.trusted_profile_template_id
 }
 output "trusted_profile_enterprise_id" {
- value = module.trusted_profile_app_config_enterprise.profile_id
+ description = "Trusted profile enterprise ID"
+ value = module.trusted_profile_app_config_enterprise.profile_id
 }
 output "app_config_guid" {
- value = module.app_config.app_config_guid
+ description = "App Config guid"
+ value = module.app_config.app_config_guid
 }
 output "app_config_crn" {
- value = module.app_config.app_config_crn
+ description = "App Config CRN"
+ value = module.app_config.app_config_crn
 }
-
diff --git a/examples/enterprise/provider.tf b/examples/enterprise/provider.tf
index 722ac7c..75b9612 100644
--- a/examples/enterprise/provider.tf
+++ b/examples/enterprise/provider.tf
@@ -2,4 +2,3 @@ provider "ibm" {
 region = var.region
 ibmcloud_api_key = var.ibmcloud_api_key
 }
-
diff --git a/examples/enterprise/variables.tf b/examples/enterprise/variables.tf
index ecbc244..e4a077c 100644
--- a/examples/enterprise/variables.tf
+++ b/examples/enterprise/variables.tf
@@ -37,4 +37,3 @@ variable "ibmcloud_api_key" {
 description = "IBM Cloud API key used for authentication."
 sensitive = true
 }
-
diff --git a/examples/enterprise/version.tf b/examples/enterprise/version.tf
index c6826b6..d7da690 100644
--- a/examples/enterprise/version.tf
+++ b/examples/enterprise/version.tf
@@ -8,4 +8,3 @@ terraform {
 }
 }
 }
-