terraform-ibm-modules · ocofaigh · Jun 18, 2025 · May 25, 2025 · Jun 12, 2025 · Jun 12, 2025
@@ -17,7 +17,7 @@ A module for provisioning an [IBM Cloud Security and Compliance Center Workload
 * [Examples](./examples)
     * [Advanced example](./examples/advanced)
     * [Basic example](./examples/basic)
-    * [Enterprise Example: SCC-WP with App Config and Trusted Profiles](./examples/enterprise)
+    * [Enterprise example with CSPM enabled](./examples/enterprise)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 

@@ -1,61 +1,6 @@
-# Enterprise Example: SCC-WP with App Config and Trusted Profiles
+# Enterprise example with CSPM enabled
 
-> Only supported in an enterprise account.
+The following example shows how to configure IBM Cloud Security and Compliance Center Workload Protection for Cloud Security Posture Management (CSPM) in an enterprise.
 
-This example demonstrates a full deployment using modular Terraform code, including:
-
-- **IBM Cloud App Configuration** (App Config)
-- **IBM Cloud Security and Compliance Center Workload Protection** (SCC-WP)
-- **IAM Trusted Profiles** for secure integration
-- **Resource Group** creation or reuse
-- **Configuration Aggregator** to link SCC-WP with App Config
-
----
-
-## Module Overview
-
-- **Resource Group Module**
-  Creates or reuses a resource group for all resources.
-
-- **SCC Workload Protection Module**
-  Deploys the SCC-WP instance, attaches tags, and (optionally) enables CSPM and trusted profiles based on input variables.
-
-- **App Config Module**
-  Deploys an App Config instance with enterprise plan, tags, and enables the configuration aggregator with a trusted profile.
-
----
-
-## Flow Overview
-
-1. **Resource Group**
-   A resource group is created or reused for all resources.
-
-2. **App Config**
-   Deploys App Config with the enterprise plan, tags, and enables the configuration aggregator with a trusted profile.
-
-3. **SCC Workload Protection**
-   Deploys SCC-WP with the `graduated-tier` plan, attaches resource and access tags, and (optionally) enables CSPM and trusted profiles for secure integration.
-
-4. **Trusted Profiles**
-   Trusted profiles are created and linked as needed for App Config and SCC-WP, with enterprise access policies conditionally included if enabled.
-
-5. **Configuration Aggregator**
-   Connects SCC-WP to App Config using the trusted profile and template ID for secure access across the enterprise.
-
----
-
-## Notes
-
-- The `trusted_profile_links` block in each trusted profile links the profile to a specific CRN (e.g., VSI or App Config instance), enabling the identity to assume the trusted profile.
-- Enterprise-specific access policies are conditionally added based on input variables (e.g., `enterprise_enabled`).
-
----
-
-## Usage
-
-```bash
-terraform init
-terraform apply
-```
-
----
+- Use the App Config module to create an App Config instance with configuration aggregator enabled. This module will also create a trusted profile with viewer / reader access for all Account Management and Identity and Access enabled services. It will also create a trusted profile template which will be applied to the given enterprise sub-accounts to scan the resources in those accounts.
+- Use the Security and Compliance Center Workload Protection module to create a new instance of SCC Workload Protection with Cloud Security Posture Management (CSPM) enabled. The module will also create a trusted profile with viewer access to the App Config instance in order to be able to populate the inventory.
@@ -10,34 +10,41 @@ module "resource_group" {
 }
 
 ########################################################################################################################
-# SCC Workload Protection
+# App Config with config aggregator enabled
 ########################################################################################################################
 
-# Create SCC Workload Protection instance
-module "scc_wp" {
-  source              = "../.."
-  name                = var.prefix
-  region              = var.region
-  resource_group_id   = module.resource_group.resource_group_id
-  resource_tags       = var.resource_tags
-  access_tags         = var.access_tags
-  scc_wp_service_plan = "graduated-tier"
+module "app_config" {
+  source                                                     = "terraform-ibm-modules/app-configuration/ibm"
+  version                                                    = "1.8.2"
+  region                                                     = var.region
+  resource_group_id                                          = module.resource_group.resource_group_id
+  app_config_plan                                            = "basic"
+  app_config_name                                            = "${var.prefix}-app-config"
+  app_config_tags                                            = var.resource_tags
+  enable_config_aggregator                                   = true
+  config_aggregator_trusted_profile_name                     = "${var.prefix}-app-config-tp"
+  config_aggregator_resource_collection_regions              = ["all"] # supports passing list of regions, or "all" for all regions
+  config_aggregator_enterprise_id                            = var.enterprise_id
+  config_aggregator_enterprise_trusted_profile_template_name = "${var.prefix}-app-config-tp-template"
+  config_aggregator_enterprise_account_group_ids_to_assign   = ["all"] # supports passing list of account groups. Use 'config_aggregator_enterprise_account_ids_to_assign' to pass individual accounts
 }
 
 ########################################################################################################################
-# App Config
+# SCC Workload Protection with CSPM enabled
 ########################################################################################################################
 
-# Create new App Config instance
-module "app_config" {
-  source                                 = "terraform-ibm-modules/app-configuration/ibm"
-  version                                = "1.8.2"
-  region                                 = var.region
-  resource_group_id                      = module.resource_group.resource_group_id
-  app_config_plan                        = "enterprise"
-  app_config_name                        = "${var.prefix}-app-config"
-  app_config_tags                        = var.resource_tags
-  enable_config_aggregator               = true
-  config_aggregator_trusted_profile_name = "${var.prefix}-app-config-tp"
-  config_aggregator_enterprise_id        = var.enterprise_id
+module "scc_wp" {
+  source = "../.."
+  # remove the above line and uncomment the below 2 lines to consume the module from the registry
+  # source            = "terraform-ibm-modules/scc-workload-protection/ibm"
+  # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
+  name                                         = var.prefix
+  region                                       = var.region
+  resource_group_id                            = module.resource_group.resource_group_id
+  resource_tags                                = var.resource_tags
+  access_tags                                  = var.access_tags
+  scc_wp_service_plan                          = "graduated-tier"
+  cspm_enabled                                 = true
+  app_config_crn                               = module.app_config.app_config_crn
+  scc_workload_protection_trusted_profile_name = "${var.prefix}-scc-wp-tp"
 }
@@ -3,8 +3,8 @@ output "scc_wp_crn" {
   value       = module.scc_wp.crn
 }
 
-output "trusted_profile_enterprise_id" {
-  description = "Trusted profile enterprise ID"
+output "enterprise_id" {
+  description = "Enterprise ID"
   value       = var.enterprise_id
 }
 

@@ -5,9 +5,8 @@ provider "ibm" {
 
 data "ibm_iam_auth_token" "auth_token" {}
 
-# Null resource replaced with restapi_object to enable CSPM
 provider "restapi" {
-  uri = "https://resource-controller.cloud.ibm.com"
+  uri = "https://resource-controller.cloud.ibm.com" # See https://cloud.ibm.com/apidocs/resource-controller/resource-controller#endpoint-url for all possible endpoints
   headers = {
     Authorization = data.ibm_iam_auth_token.auth_token.iam_access_token
   }

@@ -1,6 +1,6 @@
 variable "enterprise_id" {
   type        = string
-  description = "The Enterprise ID used to scope the Config Aggregator or IAM templates."
+  description = "The ID of the enterprise."
 }
 
 variable "region" {