feat: Add a rules submodule

README.md

@@ -16,9 +16,11 @@ This module configures an IBM Cloud Security and Compliance instance.
 * [terraform-ibm-scc](#terraform-ibm-scc)
 * [Submodules](./modules)
     * [attachment](./modules/attachment)
+    * [rules](./modules/rules)
 * [Examples](./examples)
     * [Basic example](./examples/basic)
     * [Complete example](./examples/complete)
+    * [Rules example](./examples/custom)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 

examples/custom/README.md

@@ -0,0 +1,12 @@
+# Rules example
+
+<!--
+The basic example should call the module(s) stored in this repository with a basic configuration.
+Note, there is a pre-commit hook that will take the title of each example and include it in the repos main README.md.
+The text below should describe exactly what resources are provisioned / configured by the example.
+-->
+
+A basic example that will provision the following:
+- A new resource group if one is not passed in.
+- A new Security and Compliance Center instance with COS bucket configuration
+- Creates 3 new custom SCC rules for a Security and Compliance Center instance

examples/custom/main.tf

@@ -0,0 +1,136 @@
+module "resource_group" {
+  source                       = "terraform-ibm-modules/resource-group/ibm"
+  version                      = "1.1.5"
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+module "cos" {
+  source                 = "terraform-ibm-modules/cos/ibm"
+  version                = "7.5.1"
+  cos_instance_name      = "${var.prefix}-cos"
+  kms_encryption_enabled = false
+  retention_enabled      = false
+  resource_group_id      = module.resource_group.resource_group_id
+  bucket_name            = "${var.prefix}-cb"
+}
+
+module "create_scc_instance" {
+  source                            = "../.."
+  instance_name                     = "${var.prefix}-instance"
+  region                            = var.region
+  resource_group_id                 = module.resource_group.resource_group_id
+  resource_tags                     = var.resource_tags
+  cos_bucket                        = module.cos.bucket_name
+  cos_instance_crn                  = module.cos.cos_instance_id
+  skip_cos_iam_authorization_policy = false
+}
+
+module "create_scc_rules" {
+  source          = "../../modules/rules"
+  scc_instance_id = module.create_scc_instance.guid
+  rules_version   = "1.0.0"
+  rules = [
+    {
+      description = "new rule 1"
+      import = {
+        parameters = []
+      }
+      required_config = {
+        description = "restrict endpoints"
+        and = [
+          {
+            property = "endpoints_restricted",
+            operator = "is_true"
+          }
+        ]
+      }
+      target = {
+        service_name  = "kms"
+        resource_kind = "instance"
+        additional_target_attributes = [
+          {
+            "name" : "location",
+            operator : "string_equals",
+            value : "us-south"
+          }
+        ]
+      }
+    },
+    {
+      description = "new rule 2"
+      import = {
+        parameters = []
+      }
+      required_config = {
+        description = "required config"
+        and = [
+          {
+            property = "cloud_directory_enabled",
+            operator = "is_true"
+          },
+          {
+            property = "email_dispatcher_provider",
+            operator = "string_not_equals"
+            value    = "appid"
+          }
+        ]
+      }
+      target = {
+        service_name                 = "appid",
+        service_display_name         = "App ID",
+        resource_kind                = "instance",
+        additional_target_attributes = []
+      }
+    },
+    {
+      description = "new rule 3"
+      import = {
+        parameters = []
+      }
+      required_config = {
+        description = "required config"
+        or = [
+          {
+            and = [
+              {
+                property : "endpoints_restricted",
+                operator : "is_true"
+              },
+              {
+                property : "cbr_private_public_allowed_ip_list",
+                operator : "is_empty"
+              }
+            ]
+          },
+          {
+            and = [
+              {
+                property : "endpoints_restricted",
+                operator : "is_true"
+              },
+              {
+                property : "cbr_private_public_allowed_ip_list",
+                operator : "is_not_empty"
+              },
+            ]
+          },
+          {
+            and = [
+              {
+                property : "firewall.allowed_ip",
+                operator : "is_not_empty"
+              },
+            ]
+          }
+        ]
+      }
+      target = {
+        service_name                 = "cloud-object-storage",
+        service_display_name         = "Cloud Object Storage",
+        resource_kind                = "bucket",
+        additional_target_attributes = []
+      }
+    }
+  ]
+}

examples/custom/outputs.tf

@@ -0,0 +1,53 @@
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "resource_group_id" {
+  description = "The id of the resource group where SCC instance is created by this module"
+  value       = module.resource_group.resource_group_id
+}
+
+output "id" {
+  description = "The id of the SCC instance created by this module"
+  value       = module.create_scc_instance.id
+}
+
+output "guid" {
+  description = "The GUID of the SCC instance created by this module"
+  value       = module.create_scc_instance.guid
+}
+
+output "crn" {
+  description = "The CRN of the SCC instance created by this module"
+  value       = module.create_scc_instance.crn
+}
+
+output "name" {
+  description = "The name of the SCC instance created by this module"
+  value       = module.create_scc_instance.name
+}
+
+output "location" {
+  description = "The location of the SCC instance created by this module"
+  value       = module.create_scc_instance.location
+}
+
+output "plan" {
+  description = "The pricing plan used to create SCC instance in this module"
+  value       = module.create_scc_instance.plan
+}
+
+output "cos_instance_id" {
+  description = "The COS instance ID created in this example"
+  value       = module.cos.cos_instance_id
+}
+
+output "cos_bucket" {
+  description = "The COS bucket created in this example"
+  value       = module.cos.bucket_name
+}
+
+output "rule_ids" {
+  description = "SCC profile attachment parameters"
+  value       = module.create_scc_rules.rule_ids
+}

examples/custom/provider.tf

@@ -0,0 +1,8 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/custom/variables.tf

@@ -0,0 +1,33 @@
+########################################################################################################################
+# Input variables
+########################################################################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example"
+  default     = "us-south"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "scc"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}

examples/custom/version.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.3.0, <1.7.0"
+
+  # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+  # module's version.tf (usually a basic example), and 1 example that will always use the latest provider version.
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.63.0"
+    }
+  }
+}

modules/rules/README.md

@@ -0,0 +1,87 @@
+# SCC Rules module
+
+A module to configure SCC Rules.
+
+Features:
+- Create scc rules for an scc instance
+
+### Usage
+
+```hcl
+module "create_scc_rules" {
+  source          = "terraform-ibm-modules/scc/ibm//modules/rules"
+  version         = "X.X.X"
+  scc_instance_id = "123-XXX-XXX"
+  rules = [
+    {
+      description = "new rule 1"
+      version     = "1.0.0"
+      import = {
+        parameters = []
+      }
+      target = {
+        service_name  = "kms"
+        resource_kind = "instance"
+        additional_target_attributes = [
+          {
+            "name" : "location",
+            "operator" : "string_equals",
+            "value" : "us-south"
+          }
+        ]
+      }
+    },
+    {
+      description = "new rule 2"
+      version     = "1.0.0"
+      import = {
+        parameters = []
+      }
+      target = {
+        service_name  = "kms"
+        resource_kind = "instance"
+        additional_target_attributes = [
+          {
+            "name" : "location",
+            "operator" : "string_equals",
+            "value" : "eu-de"
+          }
+        ]
+      }
+    }
+  ]
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0, <1.7.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >=1.63.0, <2.0.0 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [ibm_scc_rule.scc_rule_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/scc_rule) | resource |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_rules"></a> [rules](#input\_rules) | The rules to set for the SCC rules. | <pre>list(object({<br>    description = optional(string)<br>    operator    = optional(string)<br>    property    = optional(string)<br>    value       = optional(string)<br>    import = object({<br>      parameters = list(object({<br>        name         = optional(string)<br>        display_name = optional(string)<br>        description  = optional(string)<br>        type         = optional(string)<br>      }))<br>    })<br>    required_config = object({<br>      description = optional(string)<br>      operator    = optional(string)<br>      property    = optional(string)<br>      value       = optional(string)<br>      and = optional(list(<br>        object({<br>          description = optional(string)<br>          operator    = string<br>          property    = string<br>          value       = optional(string)<br>          and = optional(list(<br>            object({<br>              description = optional(string)<br>              operator    = string<br>              property    = string<br>              value       = optional(string)<br>            })<br>          ))<br>          or = optional(list(<br>            object({<br>              description = optional(string)<br>              operator    = string<br>              property    = string<br>              value       = optional(string)<br>            })<br>          ))<br>        })<br>      ))<br>      or = optional(list(<br>        object({<br>          description = optional(string)<br>          operator    = optional(string)<br>          property    = optional(string)<br>          value       = optional(string)<br>          and = optional(list(<br>            object({<br>              description = optional(string)<br>              operator    = string<br>              property    = string<br>              value       = optional(string)<br>            })<br>          ))<br>          or = optional(list(<br>            object({<br>              description = optional(string)<br>              operator    = string<br>              property    = string<br>              value       = optional(string)<br>            })<br>          ))<br>        })<br>      ))<br>    })<br>    target = object({<br>      service_name         = optional(string)<br>      service_display_name = optional(string)<br>      resource_kind        = optional(string)<br>      additional_target_attributes = list(object({<br>        name     = optional(string)<br>        operator = optional(string)<br>        value    = optional(string)<br>      }))<br>    })<br>  }))</pre> | n/a | yes |
+| <a name="input_rules_version"></a> [rules\_version](#input\_rules\_version) | The version number of a rule. | `string` | n/a | yes |
+| <a name="input_scc_instance_id"></a> [scc\_instance\_id](#input\_scc\_instance\_id) | ID of the SCC instance in which to create the rules. | `string` | n/a | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_rule_ids"></a> [rule\_ids](#output\_rule\_ids) | The ids for the rules created by this module. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->