diff --git a/ibm_catalog.json b/ibm_catalog.json index 69e507c..55e66b9 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -88,7 +88,7 @@ ], "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", "id": "045c1169-d15a-4046-ae81-aa3d3348421f-global", - "version": "v1.7.0", + "version": "v1.10.0", "optional": true, "input_mapping": [ { @@ -134,18 +134,17 @@ "on_by_default": true }, { - "name": "deploy-arch-ibm-observability", - "description": "Enable to provision and configure IBM Cloud Logs, Cloud Monitoring, Metrics routing and Activity Tracker event routing for analysing logs and metrics generated by the SCC Workload Protection instance.", + "name": "deploy-arch-ibm-cloud-logs", + "description": "Configure IBM Cloud Logs instance to analyse the platform logs.", + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", "flavors": [ - "instances" + "fully-configurable" ], - "id": "a3137d28-79e0-479d-8a24-758ebd5a0eab-global", - "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "id": "63d8ae58-fbf3-41ce-b844-0fb5b85882ab-global", + "version": "v1.6.11", + "optional": true, + "on_by_default": true, "input_mapping": [ - { - "dependency_output": "cloud_monitoring_crn", - "version_input": "existing_monitoring_crn" - }, { "dependency_input": "prefix", "version_input": "prefix", 
@@ -156,20 +155,69 @@ "version_input": "region", "reference_version": true }, + { + "dependency_input": "logs_routing_tenant_regions", + "version_input": "logs_routing_tenant_regions", + "reference_version": true + } + ] + }, + { + "name": "deploy-arch-ibm-cloud-monitoring", + "description": "Configure IBM Cloud Monitoring to collect the platform metrics.", + "id": "73debdbf-894f-4c14-81c7-5ece3a70b67d-global", + "version": "v1.6.4", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": false, + "input_mapping": [ + { + "dependency_output": "cloud_monitoring_crn", + "version_input": "existing_monitoring_crn" + }, { "dependency_input": "enable_platform_metrics", "version_input": "enable_platform_metrics", "reference_version": true }, { - "dependency_input": "logs_routing_tenant_regions", - "version_input": "logs_routing_tenant_regions", + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "region", "reference_version": true } + ] + }, + { + "name": "deploy-arch-ibm-activity-tracker", + "description": "Configure Activity Tracker Event Routing to route the auditing events.", + "id": "918453c3-4f97-4583-8c4a-83ef12fc7916-global", + "version": "v1.2.12", + "flavors": [ + "fully-configurable" ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", "optional": true, "on_by_default": true, - "version": "v3.0.3" + "input_mapping": [ + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + } + ] } ], "configuration": [ 
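Review bot: `deploy-arch-ibm-cloud-monitoring` is added with `"on_by_default": false`, while the `deploy-arch-ibm-observability` entry it partly replaces (removed in the previous hunk) had `"on_by_default": true` and the same `cloud_monitoring_crn` → `existing_monitoring_crn` mapping. A deployment that accepts the defaults would therefore seem to lose the monitoring instance that used to be wired into SCC Workload Protection, even though Cloud Logs and Activity Tracker remain on by default. If that is intended, say so in the entry itself, e.g. `"description": "Configure IBM Cloud Monitoring to collect the platform metrics (disabled by default)."`; otherwise set `"on_by_default": true` to match the other two dependencies.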
@@ -417,7 +465,85 @@ "role_crns": [ "crn:v1:bluemix:public:iam::::serviceRole:Manager", "crn:v1:bluemix:public:iam::::role:Editor" - ] + ], + "notes":"Required for creating and managing SCC Workload Protection instance." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Viewer" + ], + "service_name": "Resource group only", + "notes": "Viewer access is required in the resource group you want to provision in." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ], + "service_name": "apprapp", + "notes": "[Optional] Required for provisioning the App Configuration instance." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "All Account Management services", + "notes": "[Optional] Required to deploy Cloud automation for account configuration which creates resource group and to create trusted profile for App Configuration aggregator." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "All Identity and Access enabled services", + "notes": "[Optional] Required to deploy Cloud automation for account configuration which creates foundational IBM Cloud account resources, like resource group with account settings and to create trusted profile for App Configuration aggregator." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Writer", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "atracker", + "notes": "[Optional] Required when enabling the Activity Tracker Event Routing." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "sysdig-monitor", + "notes": "[Optional] Required to create an instance of Cloud Monitoring." 
+ }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "logs", + "notes": "[Optional] Required to create an instance of Cloud Logs." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "hs-crypto", + "notes": "[Optional] Required if Hyper Protect Crypto Services is used for encryption." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "kms", + "notes": "[Optional] Required to deploy Cloud automation for Key Protect, so you can use your own managed encryption keys." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "cloud-object-storage", + "notes": "[Optional] Required to deploy Cloud automation for Object Storage." } ], "architecture": { diff --git a/reference-architecture/scc.svg b/reference-architecture/scc.svg index da2b653..ecabbaf 100644 --- a/reference-architecture/scc.svg +++ b/reference-architecture/scc.svg @@ -1,4 +1,4 @@ -
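Review bot: The two `Administrator` entries, for `All Account Management services` and `All Identity and Access enabled services`, are the broadest grants in this list, and each note combines two purposes (account configuration and the trusted profile for the App Configuration aggregator). Someone scoping an API key from this table cannot tell which purpose needs which grant, or when the role can be left out, so the key is likely to end up with account-wide Administrator. Consider stating the condition explicitly, for example `"notes": "[Optional] Required only when the account configuration dependency is enabled, or when this deployment creates the trusted profile for the App Configuration aggregator."`, if that matches the actual requirement. As a minor style point, the first added line, `"notes":"Required for creating and managing SCC Workload Protection instance."`, lacks the space after the colon that every other entry has; that object starts above the hunk, so its `service_name` is not visible here.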
IBM Cloud
IBM Cloud
Existing Monitoring Instance
Existing Monitorin...
Region
Region
Resource Group
Resource Group
SCC Workload Protection
SCC Workload Protect...
Metrics
Metrics
Text is not SVG - cannot display
\ No newline at end of file +
ACL
ACL
IBM Cloud
IBM Cloud
Region
Region
 Observability
Observabi...
 [Optional]
[Optio...
Cloud MonitoringResource Group
SCC Workload Protection
SCC Workload Protecti...
Activity Tracker Event Routing
App Configuration
App Config...
Cloud Logs
Text is not SVG - cannot display
\ No newline at end of file diff --git a/tests/go.mod b/tests/go.mod index 2a08bac..52181a4 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -7,7 +7,7 @@ toolchain go1.25.0 require ( github.com/gruntwork-io/terratest v0.50.0 github.com/stretchr/testify v1.10.0 - github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.1 + github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.3 ) require ( diff --git a/tests/go.sum b/tests/go.sum index 538a020..43b5bb5 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -295,8 +295,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.1 h1:9/uYvUFFLIH91F16AiJqP/LZeGi4t2CYtc8iz3bBXdQ= -github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.1/go.mod h1:kdhZ+FeS71D+tB0E2Sh1ISD3zQ+RThPX5SyFqduo7G8= +github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.3 h1:Z5lZaaka8ilzOws9BrtJgmU4Kdt+ntVKWHnebMJUhvU= +github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.3/go.mod h1:kdhZ+FeS71D+tB0E2Sh1ISD3zQ+RThPX5SyFqduo7G8= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tmccombs/hcl2json v0.6.4 h1:/FWnzS9JCuyZ4MNwrG4vMrFrzRgsWEOVi+1AyYUVLGw= github.com/tmccombs/hcl2json v0.6.4/go.mod h1:+ppKlIW3H5nsAsZddXPy2iMyvld3SHxyjswOZhavRDk= diff --git a/tests/pr_test.go b/tests/pr_test.go index 457b473..f269bc6 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go 
@@ -4,19 +4,20 @@ package test import ( "fmt" "log" + "math/rand" "os" "strings" "testing" - "math/rand/v2" - "github.com/gruntwork-io/terratest/modules/files" "github.com/gruntwork-io/terratest/modules/logger" "github.com/gruntwork-io/terratest/modules/random" "github.com/gruntwork-io/terratest/modules/terraform" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testaddons" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic" ) @@ -59,7 +60,7 @@ func TestMain(m *testing.M) { func TestFullyConfigurable(t *testing.T) { t.Parallel() - var region = validRegions[rand.IntN(len(validRegions))] + var region = validRegions[rand.Intn(len(validRegions))] // ------------------------------------------------------------------------------------ // Provision App Config first @@ -146,7 +147,7 @@ func TestFullyConfigurable(t *testing.T) { func TestFullyConfigurableUpgrade(t *testing.T) { t.Parallel() - var region = validRegions[rand.IntN(len(validRegions))] + var region = validRegions[rand.Intn(len(validRegions))] // ------------------------------------------------------------------------------------ // Provision App Config first 
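Review bot: Going back from `math/rand/v2` to `math/rand` in the import block looks like an unexplained regression, and it forces the `rand.IntN` → `rand.Intn` renames in `TestFullyConfigurable` and `TestFullyConfigurableUpgrade` in the two hunks that follow. `tests/go.mod` in this same diff declares `toolchain go1.25.0`, so the v2 package is available, and the tests added at the end of the file could call `rand.IntN` as well. Unless something in the build needs v1, keep `"math/rand/v2"` in the stdlib import group and `validRegions[rand.IntN(len(validRegions))]` at the call sites. Either package is fine for picking a test region, since nothing here needs a cryptographic source. Both test bodies continue outside these hunks.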
@@ -231,3 +232,46 @@ func TestFullyConfigurableUpgrade(t *testing.T) { logger.Log(t, "END: Destroy (prereq resources)") } } + +func TestSccWpAddonDefaultConfiguration(t *testing.T) { + t.Parallel() + + options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{ + Testing: t, + Prefix: "scc-def", + ResourceGroup: resourceGroup, + QuietMode: true, // Suppress logs except on failure + }) + + options.AddonConfig = cloudinfo.NewAddonConfigTerraform( + options.Prefix, + "deploy-arch-ibm-scc-workload-protection", + "fully-configurable", + map[string]interface{}{ + "prefix": options.Prefix, + "region": validRegions[rand.Intn(len(validRegions))], + }, + ) + + err := options.RunAddonTest() + require.NoError(t, err) +} + +// TestDependencyPermutations runs dependency permutations for SCC WP and all its dependencies +func TestSccWpDependencyPermutations(t *testing.T) { + options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{ + Testing: t, + Prefix: "scc-per", + AddonConfig: cloudinfo.AddonConfig{ + OfferingName: "deploy-arch-ibm-scc-workload-protection", + OfferingFlavor: "fully-configurable", + Inputs: map[string]interface{}{ + "prefix": "scc-per", + "region": validRegions[rand.Intn(len(validRegions))], + }, + }, + }) + + err := options.RunAddonPermutationTest() + assert.NoError(t, err, "Dependency permutation test should not fail") +}
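Review bot: The doc comment above `TestSccWpDependencyPermutations` names a different function (`TestDependencyPermutations`), so it breaks the Go convention of starting with the declared name; it should read `// TestSccWpDependencyPermutations runs dependency permutations for SCC WP and all its dependencies.` `TestSccWpAddonDefaultConfiguration` has no comment and could take a one-line description in the same form. The permutation test also hard-codes `"prefix": "scc-per"` inside `Inputs`, whereas the default-configuration test reads `options.Prefix` after `TestAddonsOptionsDefault`, and it leaves out `ResourceGroup` and `t.Parallel()`. If the wrapper adjusts the prefix, as the other test's use of `options.Prefix` suggests, the literal may not match it, so it is worth confirming that these differences are deliberate.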