terraform-ibm-modules · ocofaigh · May 23, 2025 · Apr 30, 2025 · Apr 30, 2025 · May 1, 2025
@@ -182,6 +182,12 @@
                   }
                 }
               },
+              {
+                "key": "cspm_enabled"
+              },
+              {
+                "key": "app_config_crn"
+              },
               {
                 "key": "cbr_rules"
               }

@@ -15,9 +15,12 @@ resource "ibm_resource_instance" "scc_wp" {
   plan              = var.scc_wp_service_plan
   location          = var.region
   tags              = var.resource_tags
-  parameters = {
-    cloud_monitoring_connected_instance : var.cloud_monitoring_instance_crn
-  }
+  parameters_json   = <<PARAMETERS_JSON
+     {
+      "cloud_monitoring_instance_crn" : "${var.cloud_monitoring_instance_crn}",
+      "enable_cspm" : false
+     }
+  PARAMETERS_JSON
 }
 
 ##############################################################################

@@ -16,28 +16,44 @@ This solution supports provisioning and configuring the following infrastructure
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | 1.77.1 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2 |
 
 ### Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_crn_parser"></a> [crn\_parser](#module\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.0 |
 | <a name="module_scc_wp"></a> [scc\_wp](#module\_scc\_wp) | ../.. | n/a |
 
 ### Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [ibm_config_aggregator_settings.config_aggregator_settings_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/config_aggregator_settings) | resource |
+| [ibm_iam_trusted_profile.config_service_profile](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/iam_trusted_profile) | resource |
+| [ibm_iam_trusted_profile.workload_protection_profile](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/iam_trusted_profile) | resource |
+| [ibm_iam_trusted_profile_identity.trust_relationship_config_service](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/iam_trusted_profile_identity) | resource |
+| [ibm_iam_trusted_profile_identity.trust_relationship_workload_protection](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/iam_trusted_profile_identity) | resource |
+| [ibm_iam_trusted_profile_policy.policy_config_service_all_account](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/iam_trusted_profile_policy) | resource |
+| [ibm_iam_trusted_profile_policy.policy_config_service_all_identity](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/iam_trusted_profile_policy) | resource |
+| [ibm_iam_trusted_profile_policy.policy_workload_protection_apprapp](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/iam_trusted_profile_policy) | resource |
+| [ibm_resource_instance.app_configuration_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/resources/resource_instance) | resource |
+| [null_resource.enable_cspm](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.77.1/docs/data-sources/iam_account_settings) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_app_config_crn"></a> [app\_config\_crn](#input\_app\_config\_crn) | The CRN of the App Config instance to use with the Workload Protection instance. | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection/blob/main/solutions/fully-configurable/cbr-rules.md) | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_cspm_enabled"></a> [cspm\_enabled](#input\_cspm\_enabled) | Enable Cloud Security Posture Management (CSPM) for the Workload Protection instance. | `bool` | `true` | no |
 | <a name="input_existing_monitoring_crn"></a> [existing\_monitoring\_crn](#input\_existing\_monitoring\_crn) | The CRN of an IBM Cloud Monitoring instance to to send Workload Protection data. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. | `string` | `null` | no |
 | <a name="input_existing_resource_group_name"></a> [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of a an existing resource group in which to provision resources to. | `string` | `"Default"` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
-| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
-| <a name="input_provider_visibility"></a> [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | `"test"` | no |
+| <a name="input_provider_visibility"></a> [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"public"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision Security and Compliance Center Workload Protection resources in. | `string` | `"us-south"` | no |
 | <a name="input_scc_workload_protection_access_tags"></a> [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. [Learn more](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits). | `list(string)` | `[]` | no |
 | <a name="input_scc_workload_protection_instance_name"></a> [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"scc-workload-protection"` | no |

@@ -15,6 +15,13 @@ module "resource_group" {
   existing_resource_group_name = var.existing_resource_group_name
 }
 
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
 #######################################################################################################################
 # SCC Workload Protection
 #######################################################################################################################
@@ -32,3 +39,121 @@ module "scc_wp" {
   scc_wp_service_plan           = var.scc_workload_protection_service_plan
   cbr_rules                     = var.cbr_rules
 }
+
+########################################################################################################################
+# Cloud Security Posture Management (CSPM)
+########################################################################################################################
+
+resource "ibm_resource_instance" "app_configuration_instance" {
+  plan              = "basic"
+  name              = "${var.prefix}-conf-agg"
+  location          = var.region
+  resource_group_id = module.resource_group.resource_group_id
+  service           = "apprapp"
+}
+
+# Trusted Profile for Workload Protection
+resource "ibm_iam_trusted_profile" "workload_protection_profile" {
+  count = var.cspm_enabled ? 1 : 0
+  name  = "${var.prefix}-workload-protection-trusted-profile"
+}
+
+# Null resource to enable CSPM via CLI
+resource "null_resource" "enable_cspm" {
+  count = var.cspm_enabled ? 1 : 0
+
+  provisioner "local-exec" {
+    command = <<EOT
+      ibmcloud login --apikey ${var.ibmcloud_api_key} -g ${module.resource_group.resource_group_name} --no-region && \
+      ibmcloud resource service-instance-update ${module.scc_wp.id} \
+        -p '{"enable_cspm": true, "target_accounts": [{"account_id": "${data.ibm_iam_account_settings.iam_account_settings.account_id}", "config_crn": "${ibm_resource_instance.app_configuration_instance.crn}", "trusted_profile_id": "${ibm_iam_trusted_profile.workload_protection_profile[0].id}"}]}' \
+        -g ${module.resource_group.resource_group_name}
+    EOT
+  }
+
+  depends_on = [
+    module.scc_wp,
+    ibm_iam_trusted_profile.workload_protection_profile
+  ]
+}
+
+# Trusted Profile Policiy for All Identify and Access enabled services for WP
+resource "ibm_iam_trusted_profile_policy" "policy_workload_protection_apprapp" {
+  count       = var.cspm_enabled ? 1 : 0
+  profile_id  = ibm_iam_trusted_profile.workload_protection_profile[0].id
+  roles       = ["Service Configuration Reader", "Viewer", "Configuration Aggregator Reader"]
+  description = "apprapp"
+  resources {
+    service = "apprapp"
+  }
+}
+
+# Trusted Profile Trust Relationship for Config Service
+resource "ibm_iam_trusted_profile_identity" "trust_relationship_workload_protection" {
+  count         = var.cspm_enabled ? 1 : 0
+  identifier    = module.scc_wp.crn
+  identity_type = "crn"
+  profile_id    = ibm_iam_trusted_profile.workload_protection_profile[0].id
+  type          = "crn"
+}
+
+##############################################################
+# App Config
+##############################################################
+
+module "crn_parser" {
+  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+  version = "1.1.0"
+  crn     = ibm_resource_instance.app_configuration_instance.crn
+}
+
+# Trusted Profile for Config Service
+resource "ibm_iam_trusted_profile" "config_service_profile" {
+  count = var.cspm_enabled ? 1 : 0
+  name  = "${var.prefix}-config-service-trusted-profile"
+  depends_on = [
+    module.scc_wp,
+  ]
+}
+
+# Config Service Aggregator
+resource "ibm_config_aggregator_settings" "config_aggregator_settings_instance" {
+  count       = var.cspm_enabled ? 1 : 0
+  instance_id = module.crn_parser.service_instance
+  region      = var.region
+
+  resource_collection_regions = ["all"]
+  resource_collection_enabled = true
+  trusted_profile_id          = ibm_iam_trusted_profile.config_service_profile[0].id
+}
+
+# Trusted Profile Policy for All Account Management services for Config Service
+resource "ibm_iam_trusted_profile_policy" "policy_config_service_all_account" {
+  count       = var.cspm_enabled ? 1 : 0
+  profile_id  = ibm_iam_trusted_profile.config_service_profile[0].id
+  roles       = ["Viewer", "Service Configuration Reader"]
+  description = "All Account Management services"
+  resources {
+    service = "All Account Management services"
+  }
+}
+
+# Trusted Profile Policiy for All Identify and Access enabled services for Config Service
+resource "ibm_iam_trusted_profile_policy" "policy_config_service_all_identity" {
+  count       = var.cspm_enabled ? 1 : 0
+  profile_id  = ibm_iam_trusted_profile.config_service_profile[0].id
+  roles       = ["Viewer", "Service Configuration Reader"]
+  description = "All Identity and Access enabled services"
+  resources {
+    service = "All Identity and Access enabled services"
+  }
+}
+
+# Trusted Profile Trust Relationship for Config Service
+resource "ibm_iam_trusted_profile_identity" "trust_relationship_config_service" {
+  count         = var.cspm_enabled ? 1 : 0
+  identifier    = ibm_resource_instance.app_configuration_instance.crn
+  identity_type = "crn"
+  profile_id    = ibm_iam_trusted_profile.config_service_profile[0].id
+  type          = "crn"
+}
@@ -24,12 +24,13 @@ variable "existing_monitoring_crn" {
 variable "prefix" {
   type        = string
   description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string."
+  default     = "test"
 }
 
 variable "provider_visibility" {
   description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)."
   type        = string
-  default     = "private"
+  default     = "public"
 
   validation {
     condition     = contains(["public", "private", "public-and-private"], var.provider_visibility)
@@ -105,6 +106,22 @@ variable "scc_workload_protection_service_plan" {
   }
 }
 
+##############################################################
+# App Config
+##############################################################
+
+variable "cspm_enabled" {
+  description = "Enable Cloud Security Posture Management (CSPM) for the Workload Protection instance."
+  type        = bool
+  default     = true
+}
+
+variable "app_config_crn" {
+  description = "The CRN of the App Config instance to use with the Workload Protection instance."
+  type        = string
+  default     = null
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################

@@ -6,5 +6,9 @@ terraform {
       source  = "IBM-Cloud/ibm"
       version = "1.77.1"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2"
+    }
   }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -182,6 +182,12 @@ @@
                       }
                     }
                   },
+                  {
+                    "key": "cspm_enabled"
+                  },
+                  {
+                    "key": "app_config_crn"
+                  },
                   {
                     "key": "cbr_rules"
                   }
@@ Expand Down @@