Add SCC DA (Fully configurable + Security-enforced variations)

.catalog-onboard-pipeline.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+offerings:
+  - name: deploy-arch-ibm-scc
+    kind: solution
+    catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
+    offering_id: 9423f9bc-1290-4c71-a9ac-01898bfa7ccc
+    variations:
+      - name: fully-configurable
+        mark_ready: true
+        install_type: fullstack
+        scc:
+          instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
+          region: us-south
+      - name: security-enforced
+        mark_ready: true
+        install_type: fullstack
+        scc:
+          instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
+          region: us-south

.github/settings.yml

@@ -25,4 +25,4 @@ repository:
   description: "Configures an IBM Cloud Security and Compliance instance"
 
   # Use a comma-separated list of topics to set on the repo (ensure not to use any caps in the topic string).
-  topics: terraform, ibm-cloud, terraform-module, core-team, supported, stable, scc, security, compliance
+  topics: terraform, ibm-cloud, terraform-module, core-team, supported, stable, scc, security, compliance, deployable-architecture

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-13T06:40:44Z",
+  "generated_at": "2025-03-13T14:35:20Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,7 +76,46 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {},
+  "results": {
+    "solutions/fully-configurable/DA-cbr_rules.md": [
+      {
+        "hashed_secret": "91bd6d8889493222b850338327aa2f54b7ab25d0",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 42,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "solutions/fully-configurable/scopes_attachments.md": [
+      {
+        "hashed_secret": "3b5bf5f75003778663c521c8c35ad277227dd4f5",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 42,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "a1dc91d03edccb97baada9b08525963807fb9d37",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 46,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "tests/pr_test.go": [
+      {
+        "hashed_secret": "3b5bf5f75003778663c521c8c35ad277227dd4f5",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 44,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ]
+  },
   "version": "0.13.1+ibm.62.dss",
   "word_list": {
     "file": null,

README.md

@@ -17,8 +17,8 @@ This module configures an IBM Cloud Security and Compliance instance.
 * [Submodules](./modules)
     * [attachment](./modules/attachment)
 * [Examples](./examples)
+    * [Advanced example with CBR rules](./examples/advanced)
     * [Basic example](./examples/basic)
-    * [Complete example with CBR rules](./examples/complete)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 

cra-config.yaml

@@ -1,6 +1,13 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/basic" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "solutions/fully-configurable" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"         # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
+    CRA_ENVIRONMENT_VARIABLES:
+      TF_VAR_prefix: "test"
+      TF_VAR_existing_resource_group_name: "Default"
+      TF_VAR_kms_encryption_enabled_bucket: true
+      TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
+      TF_VAR_existing_cos_instance_crn: "crn:v1:bluemix:public:cloud-object-storage:global:a/abac0df06b644a9cabc6e44f55b3880e:855ed836-05ce-4f39-98fa-508774f29323::"
+      TF_VAR_provider_visibility: "public"

cra-tf-validate-ignore-rules.json

@@ -1,10 +1,3 @@
 {
-    "scc_rules": [
-        {
-            "scc_rule_id": "rule-c97259ee-336d-4c5f-b436-1868107a9558",
-            "description": "Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)",
-            "ignore_reason": "This rule is not relevant to the module itself, just the COS resource that is used in the example that is scanned",
-            "is_valid": false
-        }
-    ]
+    "scc_rules": []
 }

examples/complete/README.md → examples/advanced/README.md

@@ -1,4 +1,4 @@
-# Complete example with CBR rules
+# Advanced example with CBR rules
 
 A complete example that will provision the following:
 - A new resource group if one is not passed in.