feat: scc wp cspm

README.md

@@ -123,6 +123,7 @@ statement instead the previous block.
 | Name | Description |
 |------|-------------|
 | <a name="output_access_key"></a> [access\_key](#output\_access\_key) | Workload Protection instance access key. |
+| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | Account ID of created SCC WP instance. |
 | <a name="output_api_endpoint"></a> [api\_endpoint](#output\_api\_endpoint) | API endpoint. |
 | <a name="output_crn"></a> [crn](#output\_crn) | CRN of created SCC WP instance. |
 | <a name="output_guid"></a> [guid](#output\_guid) | GUID of created SCC WP instance. |

ibm_catalog.json

@@ -182,6 +182,31 @@
                   }
                 }
               },
+              {
+                "key": "cspm_enabled",
+                "options": [
+                  {
+                    "displayname": "Enabled",
+                    "value": true
+                  },
+                  {
+                    "displayname": "Disabled",
+                    "value": false
+                  }
+                ]
+              },
+              {
+                "key": "app_config_crn"
+              },
+              {
+                "key": "config_service_trusted_profile_name"
+              },
+              {
+                "key": "resource_controller_uri"
+              },
+              {
+                "key": "scc_workload_protection_trusted_profile_name"
+              },
               {
                 "key": "cbr_rules"
               }

outputs.tf

@@ -22,6 +22,11 @@ output "crn" {
   value       = ibm_resource_instance.scc_wp.crn
 }
 
+output "account_id" {
+  description = "Account ID of created SCC WP instance."
+  value       = ibm_resource_instance.scc_wp.account_id
+}
+
 output "ingestion_endpoint" {
   description = "Ingestion endpoint."
   value       = ibm_resource_key.scc_wp_resource_key.credentials["Sysdig Collector Endpoint"]

solutions/fully-configurable/README.md

@@ -16,34 +16,47 @@ This solution supports provisioning and configuring the following infrastructure
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | 1.78.0 |
+| <a name="requirement_restapi"></a> [restapi](#requirement\_restapi) | 1.20.0 |
 
 ### Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_crn_parser"></a> [crn\_parser](#module\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.0 |
 | <a name="module_scc_wp"></a> [scc\_wp](#module\_scc\_wp) | ../.. | n/a |
+| <a name="module_trusted_profile_app_config"></a> [trusted\_profile\_app\_config](#module\_trusted\_profile\_app\_config) | terraform-ibm-modules/trusted-profile/ibm | 2.1.1 |
+| <a name="module_trusted_profile_scc_wp"></a> [trusted\_profile\_scc\_wp](#module\_trusted\_profile\_scc\_wp) | terraform-ibm-modules/trusted-profile/ibm | 2.1.1 |
 
 ### Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [ibm_config_aggregator_settings.config_aggregator_settings_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.78.0/docs/resources/config_aggregator_settings) | resource |
+| [restapi_object.enable_cspm](https://registry.terraform.io/providers/Mastercard/restapi/1.20.0/docs/resources/object) | resource |
+| [ibm_iam_auth_token.auth_token](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.78.0/docs/data-sources/iam_auth_token) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_app_config_crn"></a> [app\_config\_crn](#input\_app\_config\_crn) | The CRN of the App Config instance to use with the Workload Protection instance. | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/cbr-rules.md) | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_config_service_trusted_profile_name"></a> [config\_service\_trusted\_profile\_name](#input\_config\_service\_trusted\_profile\_name) | The name for the trusted profile that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"config-service-trusted-profile"` | no |
+| <a name="input_cspm_enabled"></a> [cspm\_enabled](#input\_cspm\_enabled) | Enable Cloud Security Posture Management (CSPM) for the Workload Protection instance. | `bool` | `true` | no |
 | <a name="input_existing_monitoring_crn"></a> [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. | `string` | `null` | no |
 | <a name="input_existing_resource_group_name"></a> [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of a an existing resource group in which to provision resources to. | `string` | `"Default"` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
 | <a name="input_provider_visibility"></a> [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision Security and Compliance Center Workload Protection resources in. | `string` | `"us-south"` | no |
+| <a name="input_resource_controller_uri"></a> [resource\_controller\_uri](#input\_resource\_controller\_uri) | The URI of the Resource Controller service. This is used to create the Workload Protection instance. | `string` | `"https://private.resource-controller.cloud.ibm.com"` | no |
 | <a name="input_scc_workload_protection_access_tags"></a> [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no |
 | <a name="input_scc_workload_protection_instance_name"></a> [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"scc-workload-protection"` | no |
 | <a name="input_scc_workload_protection_instance_tags"></a> [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no |
 | <a name="input_scc_workload_protection_resource_key_tags"></a> [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. | `list(string)` | `[]` | no |
 | <a name="input_scc_workload_protection_service_plan"></a> [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no |
+| <a name="input_scc_workload_protection_trusted_profile_name"></a> [scc\_workload\_protection\_trusted\_profile\_name](#input\_scc\_workload\_protection\_trusted\_profile\_name) | The name for the trusted profile that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"workload-protection-trusted-profile"` | no |
 
 ### Outputs
 

solutions/fully-configurable/main.tf

@@ -1,8 +1,18 @@
+#######################################################################################################################
+# Locals
+#######################################################################################################################
+
 locals {
   prefix_is_valid = var.prefix != null || trimspace(var.prefix) != "" ? true : false
 
-  scc_workload_protection_instance_name     = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}" : var.scc_workload_protection_instance_name
-  scc_workload_protection_resource_key_name = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}-key" : "${var.scc_workload_protection_instance_name}-key"
+  # Compute names for SCC Workload Protection instance and trusted profile
+  scc_workload_protection_instance_name        = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}" : var.scc_workload_protection_instance_name
+  scc_workload_protection_resource_key_name    = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_instance_name}-key" : "${var.scc_workload_protection_instance_name}-key"
+  scc_workload_protection_trusted_profile_name = local.prefix_is_valid ? "${var.prefix}-${var.scc_workload_protection_trusted_profile_name}" : var.scc_workload_protection_trusted_profile_name
+  config_service_trusted_profile_name          = local.prefix_is_valid ? "${var.prefix}-${var.config_service_trusted_profile_name}" : var.config_service_trusted_profile_name
+
+  # Get account ID
+  account_id = module.scc_wp.account_id
 }
 
 #######################################################################################################################
@@ -32,3 +42,139 @@ module "scc_wp" {
   scc_wp_service_plan           = var.scc_workload_protection_service_plan
   cbr_rules                     = var.cbr_rules
 }
+
+########################################################################################################################
+# Beginning of Cloud Security Posture Management (CSPM) Configuration
+########################################################################################################################
+# SCC Workload Protection Trusted Profile
+########################################################################################################################
+
+# Create Trusted profile for SCC Workload Protection instance
+module "trusted_profile_scc_wp" {
+  count                       = var.cspm_enabled ? 1 : 0
+  source                      = "terraform-ibm-modules/trusted-profile/ibm"
+  version                     = "2.1.1"
+  trusted_profile_name        = local.scc_workload_protection_trusted_profile_name
+  trusted_profile_description = "Trusted Profile for SCC-WP to access App Config"
+
+  trusted_profile_identity = {
+    identifier    = module.scc_wp.crn
+    identity_type = "crn"
+  }
+
+  trusted_profile_policies = [
+    {
+      roles = ["Service Configuration Reader", "Viewer", "Configuration Aggregator Reader"]
+      resources = [{
+        service = "apprapp"
+      }]
+      description = "App Config access"
+    },
+  ]
+
+  trusted_profile_links = [{
+    cr_type = "VSI"
+    links = [{
+      crn = module.scc_wp.crn
+    }]
+  }]
+}
+
+##############################################################
+# App Config Trusted Profile
+##############################################################
+
+# Create Trusted profile for App Config instance
+module "trusted_profile_app_config" {
+  count                       = var.cspm_enabled ? 1 : 0
+  source                      = "terraform-ibm-modules/trusted-profile/ibm"
+  version                     = "2.1.1"
+  trusted_profile_name        = local.config_service_trusted_profile_name
+  trusted_profile_description = "Trusted Profile for App Config"
+
+  trusted_profile_identity = {
+    identifier    = var.app_config_crn
+    identity_type = "crn"
+  }
+
+  trusted_profile_policies = [
+    {
+      roles = ["Viewer", "Service Configuration Reader"]
+      resources = [{
+        service = "All Account Management services"
+      }]
+      description = "All Account Management services"
+    },
+    {
+      roles = ["Viewer", "Service Configuration Reader"]
+      resources = [{
+        service = "All Identity and Access enabled services"
+      }]
+      description = "All Identity and Access enabled services"
+    },
+  ]
+}
+
+##############################################################
+# CRN Parser
+##############################################################
+
+module "crn_parser" {
+  count   = var.cspm_enabled ? 1 : 0
+  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+  version = "1.1.0"
+  crn     = var.app_config_crn
+}
+
+################################################################
+# Config Service Instance
+################################################################
+
+resource "ibm_config_aggregator_settings" "config_aggregator_settings_instance" {
+  count       = var.cspm_enabled ? 1 : 0
+  instance_id = module.crn_parser[0].service_instance
+  region      = var.region
+
+  resource_collection_regions = ["all"]
+  resource_collection_enabled = true
+  trusted_profile_id          = module.trusted_profile_app_config[0].profile_id
+}
+
+################################################################
+# IAM Auth Token
+################################################################
+
+data "ibm_iam_auth_token" "auth_token" {}
+
+################################################################
+# Enable CSPM for SCC Workload Protection instance
+################################################################
+
+# CSPM can only be enabled after the trusted profile exists,
+# but profile can only exist after instance has been created
+# hence we cannot directly enable CSPM in the instance creation
+# and need to use a separate resource to enable it
+resource "restapi_object" "enable_cspm" {
+  count = var.cspm_enabled ? 1 : 0
+
+  path = "/v2/resource_instances/${module.scc_wp.guid}"
+
+  data = jsonencode({
+    parameters = {
+      enable_cspm = true
+      target_accounts = [
+        {
+          account_id         = local.account_id
+          config_crn         = var.app_config_crn
+          trusted_profile_id = module.trusted_profile_scc_wp[0].profile_id
+        }
+      ]
+    }
+  })
+  create_method = "PATCH" # Specify the HTTP method for updates
+
+  depends_on = [
+    module.scc_wp,
+    module.trusted_profile_scc_wp
+  ]
+}

solutions/fully-configurable/provider.tf

@@ -7,3 +7,13 @@ provider "ibm" {
   region           = var.region
   visibility       = var.provider_visibility
 }
+
+# Null resource replaced with restapi_object to enable CSPM
+provider "restapi" {
+  uri = var.resource_controller_uri
+  headers = {
+    Authorization  = data.ibm_iam_auth_token.auth_token.iam_access_token
+    "Content-Type" = "application/json"
+  }
+  write_returns_object = true
+}

solutions/fully-configurable/variables.tf

@@ -105,6 +105,44 @@ variable "scc_workload_protection_service_plan" {
   }
 }
 
+variable "scc_workload_protection_trusted_profile_name" {
+  description = "The name for the trusted profile that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
+  type        = string
+  default     = "workload-protection-trusted-profile"
+}
+
+##############################################################
+# App Config
+##############################################################
+
+variable "cspm_enabled" {
+  description = "Enable Cloud Security Posture Management (CSPM) for the Workload Protection instance."
+  type        = bool
+  default     = true
+}
+
+variable "app_config_crn" {
+  description = "The CRN of the App Config instance to use with the Workload Protection instance."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.cspm_enabled ? var.app_config_crn != null : true
+    error_message = "Cannot be `null` if CSPM is enabled. Must be a valid App Config CRN."
+  }
+}
+
+variable "config_service_trusted_profile_name" {
+  description = "The name for the trusted profile that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
+  type        = string
+  default     = "config-service-trusted-profile"
+}
+
+variable "resource_controller_uri" {
+  description = "The URI of the Resource Controller service. This is used to create the Workload Protection instance."
+  type        = string
+  default     = "https://private.resource-controller.cloud.ibm.com"
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################

solutions/fully-configurable/version.tf

@@ -6,5 +6,9 @@ terraform {
       source  = "IBM-Cloud/ibm"
       version = "1.78.0"
     }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = "1.20.0"
+    }
   }
 }