From fa892f018a0f7b14485391f58ab3126ec6042210 Mon Sep 17 00:00:00 2001
From: Jordan-Williams2
Date: Mon, 25 Mar 2024 21:31:20 +0000
Subject: [PATCH 1/6] feat: add controls submodule
---
modules/controls/README.md | 161 ++++++++++++++++++++++++++++++++++
modules/controls/main.tf | 57 ++++++++++++
modules/controls/outputs.tf | 13 +++
modules/controls/variables.tf | 80 +++++++++++++++++
modules/controls/version.tf | 10 +++
5 files changed, 321 insertions(+)
create mode 100644 modules/controls/README.md
create mode 100644 modules/controls/main.tf
create mode 100644 modules/controls/outputs.tf
create mode 100644 modules/controls/variables.tf
create mode 100644 modules/controls/version.tf
diff --git a/modules/controls/README.md b/modules/controls/README.md
new file mode 100644
index 0000000..1ee7aa3
--- /dev/null
+++ b/modules/controls/README.md
@@ -0,0 +1,161 @@
+# SCC Controls Module
+
+This module creates an SCC Control library (https://cloud.ibm.com/docs/security-compliance?topic=security-compliance-custom-library&interface=ui). A control library is a grouping of controls that are added to Security and Compliance Center.
+
+The module supports the following actions:
+- Create SCC Controls Library
+
+### Usage
+
+```hcl
+provider "ibm" {
+ ibmcloud_api_key = "XXXXXXXXXX" # pragma: allowlist secret
+ region = "us-south"
+}
+
+# - SCC Controls Library
+module "create_scc_controls" {
+ source = "../../controls/."
+ instance_id = module.create_scc_instance.guid
+ control_library_name = "control_library_name"
+ control_library_description = "control_library_description"
+ control_library_type = "custom"
+ latest = true
+ version_group_label = "de38e8c4-2212-4e4b-8dcf-b021b98d8e43"
+ controls = [
+ {
+ control_id = "032a81ca-6ef7-4ac2-81ac-20ee4a780e3b"
+ control_name = "${var.prefix}-control-name"
+ control_description = "Boundary Protection"
+ control_category = "System and Communications Protection"
+ control_requirement = true
+ status = "enabled"
+ control_tags = []
+ control_docs = [{}]
+ control_specifications = [
+ {
+ control_specification_id = "5c7d6f88-a92f-4734-9b49-bd22b0900184"
+ control_specification_description = "IBM Cloud"
+ component_id = "iam-identity"
+ component_name = "IAM Identity Service"
+ environment = "ibm-cloud"
+ assessments = [
+ {
+ assessment_type = "automated"
+ assessment_method = "ibm-cloud-rule"
+ assessment_id = "rule-a637949b-7e51-46c4-afd4-b96619001bf1"
+ assessment_description = "All assessments related to iam_identity"
+ parameters = [
+ {
+ parameter_name = "session_invalidation_in_seconds"
+ parameter_display_name = "Sign out due to inactivity in seconds"
+ parameter_type = "numeric"
+ }
+ ]
+ }
+ ]
+ responsibility = "user"
+ }
+ ]
+ }
+ ]
+}
+```
+
+The above will create a new scc controls library with the controls listed above and output them:
+```
+scc_control_library_id = "c98d8210-0d30-4a4f-967b-c4fc8c91964f"
+scc_controls = tolist([
+ {
+ "control_category" = "System and Communications Protection"
+ "control_description" = "Boundary Protection"
+ "control_docs" = tolist([
+ {
+ "control_docs_id" = tostring(null)
+ "control_docs_type" = tostring(null)
+ },
+ ])
+ "control_id" = "032a81ca-6ef7-4ac2-81ac-20ee4a780e3b"
+ "control_name" = "scc-control-name"
+ "control_parent" = ""
+ "control_requirement" = true
+ "control_specifications" = tolist([
+ {
+ "assessments" = tolist([
+ {
+ "assessment_description" = "All assessments related to iam_identity"
+ "assessment_id" = "rule-a637949b-7e51-46c4-afd4-b96619001bf1"
+ "assessment_method" = "ibm-cloud-rule"
+ "assessment_type" = "automated"
+ "parameter_count" = 1
+ "parameters" = tolist([
+ {
+ "parameter_display_name" = "Sign out due to inactivity in seconds"
+ "parameter_name" = "session_invalidation_in_seconds"
+ "parameter_type" = "numeric"
+ },
+ ])
+ },
+ ])
+ "assessments_count" = 1
+ "component_id" = "iam-identity"
+ "component_name" = "IAM Identity Service"
+ "control_specification_description" = "IBM Cloud"
+ "control_specification_id" = "5c7d6f88-a92f-4734-9b49-bd22b0900184"
+ "environment" = "ibm-cloud"
+ "responsibility" = "user"
+ },
+ ])
+ "control_tags" = tolist([])
+ "status" = "enabled"
+ },
+])
+```
+
+### Required IAM access policies
+You need the following permissions to run this module.
+
+- Account Management
+ - Security and Compliance Center service
+ - `Administrator` platform access
+- IAM Services
+ - Event Notifications service
+ - `Manager` service access
+
+
+### Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.0, <1.7.0 |
+| [ibm](#requirement\_ibm) | >= 1.62.0, <2.0.0 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [ibm_scc_control_library.scc_control_library_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/scc_control_library) | resource |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [control\_library\_description](#input\_control\_library\_description) | The control library description. Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `/[A-Za-z0-9]+/`. | `string` | n/a | yes |
+| [control\_library\_name](#input\_control\_library\_name) | The control library name. Constraints: The maximum length is `64` characters. The minimum length is `2` characters. The value must match regular expression `/^[a-zA-Z0-9_\s\-]*$/`. | `string` | n/a | yes |
+| [control\_library\_type](#input\_control\_library\_type) | The control library type. Constraints: Allowable values are: `predefined`, `custom`. | `string` | n/a | yes |
+| [controls](#input\_controls) | The list of controls that are used to create the profile. Constraints: The maximum length is `600` items. The minimum length is `0` items. Full nested schema description can be found here: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/scc_control_library#controls. |
list(object({
control_id = optional(string)
control_library_version = optional(string)
control_name = optional(string)
control_description = optional(string)
control_category = optional(string)
control_parent = optional(string)
status = optional(string)
control_tags = optional(list(string))
control_requirement = optional(string)
control_docs = list(object({
control_docs_id = optional(string)
control_docs_type = optional(string)
}))
control_specifications_count = optional(string)
control_specifications = list(object({
control_specification_id = optional(string)
responsibility = optional(string)
component_id = optional(string)
component_name = optional(string)
environment = optional(string)
control_specification_description = optional(string)
assessments_count = optional(string)
assessments = list(object({
assessment_id = optional(string)
assessment_method = optional(string)
assessment_type = optional(string)
assessment_description = optional(string)
parameter_count = optional(string)
parameters = list(object({
parameter_name = optional(string)
parameter_display_name = optional(string)
parameter_type = optional(string)
}))
}))
}))
profile_description = optional(string)
profile_name = optional(string)
profile_type = optional(string)
}))
| `[]` | no |
+| [instance\_id](#input\_instance\_id) | The ID of the SCC instance in a particular region. | `string` | n/a | yes |
+| [latest](#input\_latest) | Choose whether you want the latest version of the control library. | `bool` | `true` | no |
+| [version\_group\_label](#input\_version\_group\_label) | (Optional) The version group label. Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/`. | `string` | `null` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| [control\_library\_id](#output\_control\_library\_id) | The id of the SCC control library created by this module |
+| [controls](#output\_controls) | The SCC controls created in this module |
+
diff --git a/modules/controls/main.tf b/modules/controls/main.tf
new file mode 100644
index 0000000..e8aa63c
--- /dev/null
+++ b/modules/controls/main.tf
@@ -0,0 +1,57 @@
+resource "ibm_scc_control_library" "scc_control_library_instance" {
+ instance_id = var.instance_id
+ control_library_name = var.control_library_name
+ control_library_description = var.control_library_description
+ control_library_type = var.control_library_type
+ latest = var.latest
+
+ dynamic "controls" {
+ for_each = var.controls != null ? var.controls : []
+ content {
+ control_name = controls.value.control_name
+ control_id = controls.value.control_id
+ control_description = controls.value.control_description
+ control_category = controls.value.control_category
+ control_parent = controls.value.control_parent
+ control_tags = controls.value.control_tags
+ dynamic "control_specifications" {
+ for_each = controls.value.control_specifications != null ? controls.value.control_specifications : []
+ content {
+ control_specification_id = control_specifications.value.control_specification_id
+ responsibility = control_specifications.value.responsibility
+ component_id = control_specifications.value.component_id
+ component_name = control_specifications.value.component_name
+ environment = control_specifications.value.environment
+ control_specification_description = control_specifications.value.control_specification_description
+ dynamic "assessments" {
+ for_each = control_specifications.value.assessments != null ? control_specifications.value.assessments : []
+ content {
+ assessment_id = assessments.value.assessment_id
+ assessment_method = assessments.value.assessment_method
+ assessment_type = assessments.value.assessment_type
+ assessment_description = assessments.value.assessment_description
+ dynamic "parameters" {
+ for_each = assessments.value.parameters != null ? 
assessments.value.parameters : []
+ content {
+ parameter_name = parameters.value.parameter_name
+ parameter_display_name = parameters.value.parameter_display_name
+ parameter_type = parameters.value.parameter_type
+ }
+ }
+ }
+ }
+ }
+ }
+ dynamic "control_docs" {
+ for_each = controls.value.control_docs != null ? controls.value.control_docs : []
+ content {
+ control_docs_id = control_docs.value.control_docs_id
+ control_docs_type = control_docs.value.control_docs_type
+ }
+ }
+ control_requirement = controls.value.control_requirement
+ status = controls.value.status
+ }
+ }
+ version_group_label = var.version_group_label
+}
diff --git a/modules/controls/outputs.tf b/modules/controls/outputs.tf
new file mode 100644
index 0000000..ad0fa00
--- /dev/null
+++ b/modules/controls/outputs.tf
@@ -0,0 +1,13 @@
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "control_library_id" {
+ description = "The id of the SCC control library created by this module"
+ value = ibm_scc_control_library.scc_control_library_instance.control_library_id
+}
+
+output "controls" {
+ description = "The SCC controls created in this module"
+ value = resource.ibm_scc_control_library.scc_control_library_instance.controls
+}
diff --git a/modules/controls/variables.tf b/modules/controls/variables.tf
new file mode 100644
index 0000000..b077f2a
--- /dev/null
+++ b/modules/controls/variables.tf
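Review bot: The dynamic "controls" block never reads several fields that the controls variable type added in this same commit declares — control_library_version, control_specifications_count, assessments_count, parameter_count, profile_name, profile_description and profile_type — so a caller can set them and they are silently dropped. Either remove them from the object type in variables.tf or, if they are meant to reach the resource, forward them in the matching content blocks. If dropping them is deliberate (the *_count values look like provider-computed attributes, judging by the README output, but that is an inference), say so above the block: `# *_count and profile_* fields of var.controls are accepted for schema parity but intentionally not forwarded`.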
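Review bot: The controls output addresses the resource with a `resource.` prefix (`value = resource.ibm_scc_control_library.scc_control_library_instance.controls`) while control_library_id a few lines above uses the bare address; both resolve to the same object, so for consistency with the rest of the module use `value = ibm_scc_control_library.scc_control_library_instance.controls`.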
@@ -0,0 +1,80 @@
+########################################################################################################################
+# Input variables
+########################################################################################################################
+
+variable "instance_id" {
+ type = string
+ description = "The ID of the SCC instance in a particular region."
+}
+
+variable "control_library_name" {
+ type = string
+ description = "The control library name. Constraints: The maximum length is `64` characters. The minimum length is `2` characters. The value must match regular expression `/^[a-zA-Z0-9_\\s\\-]*$/`."
+}
+
+variable "control_library_description" {
+ type = string
+ description = "The control library description. Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `/[A-Za-z0-9]+/`."
+}
+
+variable "control_library_type" {
+ type = string
+ description = "The control library type. Constraints: Allowable values are: `predefined`, `custom`."
+}
+
+variable "version_group_label" {
+ type = string
+ description = "(Optional) The version group label. Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/`."
+ default = null
+}
+
+variable "latest" {
+ type = bool
+ description = "Choose whether you want the latest version of the control library." 
+ default = true
+}
+
+variable "controls" {
+ type = list(object({
+ control_id = optional(string)
+ control_library_version = optional(string)
+ control_name = optional(string)
+ control_description = optional(string)
+ control_category = optional(string)
+ control_parent = optional(string)
+ status = optional(string)
+ control_tags = optional(list(string))
+ control_requirement = optional(string)
+ control_docs = list(object({
+ control_docs_id = optional(string)
+ control_docs_type = optional(string)
+ }))
+ control_specifications_count = optional(string)
+ control_specifications = list(object({
+ control_specification_id = optional(string)
+ responsibility = optional(string)
+ component_id = optional(string)
+ component_name = optional(string)
+ environment = optional(string)
+ control_specification_description = optional(string)
+ assessments_count = optional(string)
+ assessments = list(object({
+ assessment_id = optional(string)
+ assessment_method = optional(string)
+ assessment_type = optional(string)
+ assessment_description = optional(string)
+ parameter_count = optional(string)
+ parameters = list(object({
+ parameter_name = optional(string)
+ parameter_display_name = optional(string)
+ parameter_type = optional(string)
+ }))
+ }))
+ }))
+ profile_description = optional(string)
+ profile_name = optional(string)
+ profile_type = optional(string)
+ }))
+ default = []
+ description = "The list of controls that are used to create the profile. Constraints: The maximum length is `600` items. The minimum length is `0` items. Full nested schema description can be found here: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/scc_control_library#controls."
+}
diff --git a/modules/controls/version.tf b/modules/controls/version.tf
new file mode 100644
index 0000000..3dd5fb1
--- /dev/null
+++ b/modules/controls/version.tf
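Review bot: In the controls object type, control_docs, control_specifications, assessments and parameters are declared as plain list(object({...})) rather than optional, so every caller must supply all four — which is why the README example has to pass `control_docs = [{}]` and the documented output then shows a control_docs block whose id and type are both null. Declaring them as `control_docs = optional(list(object({ ... })), [])` (and likewise for the three nested lists) lets the `!= null ? ... : []` guards in main.tf actually take effect and stops empty blocks being emitted. control_requirement is typed optional(string) while the example passes `true` and the documented output shows a boolean, so `control_requirement = optional(bool)` would match; control_specifications_count, assessments_count and parameter_count are typed string although the output shows them as numbers — worth checking against the provider schema before choosing a type.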
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3.0, <1.7.0"
+
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ version = ">= 1.62.0, <2.0.0"
+ }
+ }
+}
From 24e266dded11a384280e14f77c0a27bd98886bdf Mon Sep 17 00:00:00 2001
From: Jordan-Williams2
Date: Tue, 26 Mar 2024 00:47:01 +0000
Subject: [PATCH 2/6] fix: example
---
common-dev-assets | 2 +-
examples/complete/main.tf | 96 +++++++++++++++++++++++++++--------
examples/complete/outputs.tf | 16 +++---
modules/controls/main.tf | 12 ++++-
modules/controls/variables.tf | 6 ---
5 files changed, 94 insertions(+), 38 deletions(-)
diff --git a/common-dev-assets b/common-dev-assets
index 8405107..465a57d 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 8405107509b351b346887674d06ee37e98140493
+Subproject commit 465a57d227d66bf8c80e75ec934c91dd7dd3d2d8
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index ddac7b9..55d4707 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -54,28 +54,80 @@ module "create_scc_instance" { } ############################################################################## -# SCC attachment +# SCC controls ############################################################################## -module "create_profile_attachment" { - source = "../../modules/attachment" - profile_id = "f54b4962-06c6-46bb-bb04-396d9fa9bd60" # temporarily default to SOC 2 profile until provider add support to do data lookup by name https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5185) - scc_instance_id = module.create_scc_instance.guid - attachment_name = "${var.prefix}-attachment" - attachment_description = "profile-attachment-description" - attachment_schedule = "every_7_days" - # scope the attachment to a specific resource group - scope = [{ - environment = "ibm-cloud" - properties = [ - { - name = "scope_type" - value = "account.resource_group" - }, - { - name = "scope_id" - value = module.resource_group.resource_group_id - } - ] - }] +module "create_scc_controls" { + source = "../../controls/." 
+ instance_id = module.create_scc_instance.guid
+ control_library_name = "control_library_complete"
+ control_library_description = "control_library_complete_description"
+ control_library_type = "custom"
+ latest = true
+ # version_group_label = "de38e8c4-2212-4e4b-8dcf-b021b98d8e43"
+ controls = [
+ {
+ control_id = "032a81ca-6ef7-4ac2-81ac-20ee4a780e3b"
+ control_name = "${var.prefix}-control-name"
+ control_description = "Boundary Protection"
+ control_category = "System and Communications Protection"
+ control_requirement = true
+ status = "enabled"
+ control_tags = []
+ control_docs = [{}]
+ control_specifications = [
+ {
+ control_specification_id = "5c7d6f88-a92f-4734-9b49-bd22b0900184"
+ control_specification_description = "IBM Cloud"
+ component_id = "iam-identity"
+ component_name = "IAM Identity Service"
+ environment = "ibm-cloud"
+ assessments = [
+ {
+ assessment_type = "automated"
+ assessment_method = "ibm-cloud-rule"
+ assessment_id = "rule-a637949b-7e51-46c4-afd4-b96619001bf1"
+ assessment_description = "All assessments related to iam_identity"
+ parameters = [
+ {
+ parameter_name = "session_invalidation_in_seconds"
+ parameter_display_name = "Sign out due to inactivity in seconds"
+ parameter_type = "numeric"
+ }
+ ]
+ }
+ ]
+ responsibility = "user"
+ }
+ ]
+ }
+ ]
+}
+
+
+##############################################################################
+# SCC attachment
+##############################################################################
+
+# module "create_profile_attachment" {
+# source = "../../modules/attachment"
+# profile_id = "f54b4962-06c6-46bb-bb04-396d9fa9bd60" # temporarily default to SOC 2 profile until provider add support to do data lookup by name https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5185)
+# scc_instance_id = module.create_scc_instance.guid
+# attachment_name = "${var.prefix}-attachment"
+# attachment_description = "profile-attachment-description"
+# attachment_schedule = "every_7_days"
+# # scope 
the attachment to a specific resource group +# scope = [{ +# environment = "ibm-cloud" +# properties = [ +# { +# name = "scope_type" +# value = "account.resource_group" +# }, +# { +# name = "scope_id" +# value = module.resource_group.resource_group_id +# } +# ] +# }] +# } diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index ef7b1b5..7896042 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -53,12 +53,12 @@ output "cos_bucket" { depends_on = [module.create_scc_instance] } -output "scc_profile_attachment_id" { - description = "SCC profile attachment ID" - value = module.create_profile_attachment.id -} +# output "scc_profile_attachment_id" { +# description = "SCC profile attachment ID" +# value = module.create_profile_attachment.id +# } -output "scc_profile_attachment_parameters" { - description = "SCC profile attachment ID" - value = module.create_profile_attachment.attachment_parameters -} +# output "scc_profile_attachment_parameters" { +# description = "SCC profile attachment ID" +# value = module.create_profile_attachment.attachment_parameters +# } diff --git a/modules/controls/main.tf b/modules/controls/main.tf index e8aa63c..0ef59c2 100644 --- a/modules/controls/main.tf +++ b/modules/controls/main.tf 
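Review bot: control_library_name is the fixed string "control_library_complete" while control_name is prefixed with var.prefix, so two runs of this example against the same SCC instance collide on the library name, and because modules/controls/main.tf in this same commit now resolves the library by name, the second run would bind to the first run's library rather than its own. Prefix it like the other example resources: `control_library_name = "${var.prefix}-control-library"` (and the description likewise). The module source `"../../controls/."` also does not appear to point at modules/controls from examples/complete; it looks like it should be `source = "../../modules/controls"`.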
@@ -1,9 +1,20 @@ +data "ibm_scc_control_libraries" "scc_control_libraries" { + instance_id = var.instance_id +} + + +locals { + control_library_index = index(data.ibm_scc_control_libraries.scc_control_libraries[0].control_libraries[*].name, var.control_library_name) + control_library = data.ibm_scc_control_libraries.scc_control_libraries[0].control_libraries[local.control_library_index] +} + resource "ibm_scc_control_library" "scc_control_library_instance" { instance_id = var.instance_id control_library_name = var.control_library_name control_library_description = var.control_library_description control_library_type = var.control_library_type latest = var.latest + version_group_label = local.control_library.version_group_label dynamic "controls" { for_each = var.controls != null ? var.controls : [] @@ -53,5 +64,4 @@ resource "ibm_scc_control_library" "scc_control_library_instance" { status = controls.value.status } } - version_group_label = var.version_group_label } diff --git a/modules/controls/variables.tf b/modules/controls/variables.tf index b077f2a..821c87c 100644 --- a/modules/controls/variables.tf +++ b/modules/controls/variables.tf @@ -22,12 +22,6 @@ variable "control_library_type" { description = "The control library type. Constraints: Allowable values are: `predefined`, `custom`." } -variable "version_group_label" { - type = string - description = "(Optional) The version group label. Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/`." - default = null -} - variable "latest" { type = bool description = "Choose whether you want the latest version of the control library." From e5d21b70e94f7b5cd3cf49f01a6b2221ca048f73 Mon Sep 17 00:00:00 2001 
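Review bot: The new control_library_index local calls `index(data.ibm_scc_control_libraries.scc_control_libraries[0].control_libraries[*].name, var.control_library_name)`, and index() raises an error when the value is not in the list, so a plan that creates a library whose name does not exist yet — the module's main purpose — fails before the resource is evaluated, and the library can only ever be re-adopted, never first created. The data source is declared without count or for_each, so the `[0]` on it also looks wrong, and the element attribute is `name` here while the later README and code refer to control_library_name — confirm against the provider schema. The lookup needs a guarded form (a for-expression filtered on the name, or `try(..., null)`) that yields null when nothing matches, and the removal of the `version_group_label` input in this commit takes away the only way a caller could bypass the lookup; keeping it as an optional override with the lookup as fallback would be safer.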
From: Jordan-Williams2 Date: Mon, 8 Apr 2024 00:45:58 +0100 Subject: [PATCH 3/6] fix: add updates --- examples/complete/main.tf | 3 +-- examples/complete/outputs.tf | 10 ++++++++++ examples/complete/variables.tf | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 55d4707..01836d8 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -58,7 +58,7 @@ module "create_scc_instance" { ############################################################################## module "create_scc_controls" { - source = "../../controls/." + source = "../../modules/controls/." instance_id = module.create_scc_instance.guid control_library_name = "control_library_complete" control_library_description = "control_library_complete_description" @@ -104,7 +104,6 @@ module "create_scc_controls" { ] } - ############################################################################## # SCC attachment ############################################################################## diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 7896042..2aed1fb 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -62,3 +62,13 @@ output "cos_bucket" { # description = "SCC profile attachment ID" # value = module.create_profile_attachment.attachment_parameters # } + +output "control_library_map" { + description = "The name of the SCC instance created by this module" + value = module.create_scc_controls.control_library_map +} + +output "controls_map" { + description = "The location of the SCC instance created by this module" + value = module.create_scc_controls.controls_map +} diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 8c44c2a..17662a4 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
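Review bot: The two new outputs in examples/complete/outputs.tf read `module.create_scc_controls.control_library_map` and `module.create_scc_controls.controls_map`, but modules/controls/outputs.tf as introduced in this series declares only control_library_id and controls, so unless the module gains those outputs these references fail at plan time as unsupported attributes. Their descriptions are also carried over from the instance outputs ("The name of the SCC instance created by this module", "The location of the SCC instance created by this module") and do not describe what is exposed; presumably something like `description = "The SCC control library matched by name, if one already exists"` and `description = "Map of existing controls in the matched library, keyed by control name"` is intended — confirm against what the module ends up exporting.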
@@ -17,7 +17,7 @@ variable "region" { variable "prefix" { type = string description = "Prefix to append to all resources created by this example" - default = "scc" + default = "scc-new" } variable "resource_group" { From 5f23b0fa09ba28cd9c6eb1ba61e7a749c600fffb Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Mon, 8 Apr 2024 01:03:23 +0100 Subject: [PATCH 4/6] fix: add updates --- README.md | 1 + examples/complete/main.tf | 46 +++++++++++++++++------------------ examples/complete/outputs.tf | 22 +++++------------ modules/controls/README.md | 5 ++-- modules/controls/main.tf | 26 +++++++++++++++----- modules/controls/variables.tf | 11 +++++---- 6 files changed, 58 insertions(+), 53 deletions(-) diff --git a/README.md b/README.md index 04a6012..9c48da9 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ This module configures an IBM Cloud Security and Compliance instance. * [terraform-ibm-scc](#terraform-ibm-scc) * [Submodules](./modules) * [attachment](./modules/attachment) + * [controls](./modules/controls) * [Examples](./examples) * [Basic example](./examples/basic) * [Complete example](./examples/complete) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 01836d8..794ba14 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -62,9 +62,7 @@ module "create_scc_controls" { instance_id = module.create_scc_instance.guid control_library_name = "control_library_complete" control_library_description = "control_library_complete_description" - control_library_type = "custom" latest = true - # version_group_label = "de38e8c4-2212-4e4b-8dcf-b021b98d8e43" controls = [ { control_id = "032a81ca-6ef7-4ac2-81ac-20ee4a780e3b" 
@@ -108,25 +106,25 @@ module "create_scc_controls" { # SCC attachment ############################################################################## -# module "create_profile_attachment" { -# source = "../../modules/attachment" -# profile_id = "f54b4962-06c6-46bb-bb04-396d9fa9bd60" # temporarily default to SOC 2 profile until provider add support to do data lookup by name https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5185) -# scc_instance_id = module.create_scc_instance.guid -# attachment_name = "${var.prefix}-attachment" -# attachment_description = "profile-attachment-description" -# attachment_schedule = "every_7_days" -# # scope the attachment to a specific resource group -# scope = [{ -# environment = "ibm-cloud" -# properties = [ -# { -# name = "scope_type" -# value = "account.resource_group" -# }, -# { -# name = "scope_id" -# value = module.resource_group.resource_group_id -# } -# ] -# }] -# } +module "create_profile_attachment" { + source = "../../modules/attachment" + profile_id = "f54b4962-06c6-46bb-bb04-396d9fa9bd60" # temporarily default to SOC 2 profile until provider add support to do data lookup by name https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5185) + scc_instance_id = module.create_scc_instance.guid + attachment_name = "${var.prefix}-attachment" + attachment_description = "profile-attachment-description" + attachment_schedule = "every_7_days" + # scope the attachment to a specific resource group + scope = [{ + environment = "ibm-cloud" + properties = [ + { + name = "scope_type" + value = "account.resource_group" + }, + { + name = "scope_id" + value = module.resource_group.resource_group_id + } + ] + }] +} diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 2aed1fb..ef7b1b5 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf 
@@ -53,22 +53,12 @@ output "cos_bucket" { depends_on = [module.create_scc_instance] } -# output "scc_profile_attachment_id" { -# description = "SCC profile attachment ID" -# value = module.create_profile_attachment.id -# } - -# output "scc_profile_attachment_parameters" { -# description = "SCC profile attachment ID" -# value = module.create_profile_attachment.attachment_parameters -# } - -output "control_library_map" { - description = "The name of the SCC instance created by this module" - value = module.create_scc_controls.control_library_map +output "scc_profile_attachment_id" { + description = "SCC profile attachment ID" + value = module.create_profile_attachment.id } -output "controls_map" { - description = "The location of the SCC instance created by this module" - value = module.create_scc_controls.controls_map +output "scc_profile_attachment_parameters" { + description = "SCC profile attachment ID" + value = module.create_profile_attachment.attachment_parameters } diff --git a/modules/controls/README.md b/modules/controls/README.md index 1ee7aa3..cd39f1a 100644 --- a/modules/controls/README.md +++ b/modules/controls/README.md @@ -139,6 +139,8 @@ No modules. | Name | Type | |------|------| | [ibm_scc_control_library.scc_control_library_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/scc_control_library) | resource | +| [ibm_scc_control_libraries.scc_control_libraries](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/scc_control_libraries) | data source | +| [ibm_scc_control_library.scc_control_library](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/scc_control_library) | data source | ### Inputs 
@@ -146,11 +148,10 @@ No modules. |------|-------------|------|---------|:--------:| | [control\_library\_description](#input\_control\_library\_description) | The control library description. Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `/[A-Za-z0-9]+/`. | `string` | n/a | yes | | [control\_library\_name](#input\_control\_library\_name) | The control library name. Constraints: The maximum length is `64` characters. The minimum length is `2` characters. The value must match regular expression `/^[a-zA-Z0-9_\s\-]*$/`. | `string` | n/a | yes | -| [control\_library\_type](#input\_control\_library\_type) | The control library type. Constraints: Allowable values are: `predefined`, `custom`. | `string` | n/a | yes | | [controls](#input\_controls) | The list of controls that are used to create the profile. Constraints: The maximum length is `600` items. The minimum length is `0` items. Full nested schema description can be found here: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/scc_control_library#controls. |
list(object({
control_id = optional(string)
control_library_version = optional(string)
control_name = optional(string)
control_description = optional(string)
control_category = optional(string)
control_parent = optional(string)
status = optional(string)
control_tags = optional(list(string))
control_requirement = optional(string)
control_docs = list(object({
control_docs_id = optional(string)
control_docs_type = optional(string)
}))
control_specifications_count = optional(string)
control_specifications = list(object({
control_specification_id = optional(string)
responsibility = optional(string)
component_id = optional(string)
component_name = optional(string)
environment = optional(string)
control_specification_description = optional(string)
assessments_count = optional(string)
assessments = list(object({
assessment_id = optional(string)
assessment_method = optional(string)
assessment_type = optional(string)
assessment_description = optional(string)
parameter_count = optional(string)
parameters = list(object({
parameter_name = optional(string)
parameter_display_name = optional(string)
parameter_type = optional(string)
}))
}))
}))
profile_description = optional(string)
profile_name = optional(string)
profile_type = optional(string)
}))
| `[]` | no | | [instance\_id](#input\_instance\_id) | The ID of the SCC instance in a particular region. | `string` | n/a | yes | | [latest](#input\_latest) | Choose whether you want the latest version of the control library. | `bool` | `true` | no | -| [version\_group\_label](#input\_version\_group\_label) | (Optional) The version group label. Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/`. | `string` | `null` | no | +| [version\_group\_label](#input\_version\_group\_label) | The version group label. | `string` | `null` | no | ### Outputs diff --git a/modules/controls/main.tf b/modules/controls/main.tf index 0ef59c2..18f7a38 100644 --- a/modules/controls/main.tf +++ b/modules/controls/main.tf 
@@ -1,26 +1,40 @@
 data "ibm_scc_control_libraries" "scc_control_libraries" {
- instance_id = var.instance_id
+ instance_id = var.instance_id
 }
+locals {
+ control_library_map = {
+ for control_library in data.ibm_scc_control_libraries.scc_control_libraries.control_libraries :
+ control_library.control_library_name => control_library if control_library.control_library_name == var.control_library_name
+ }
+}
+
+data "ibm_scc_control_library" "scc_control_library" {
+ count = lookup(local.control_library_map, var.control_library_name, null) != null ? 1 : 0
+ instance_id = var.instance_id
+ control_library_id = local.control_library_map[var.control_library_name].id
+}
 locals {
- control_library_index = index(data.ibm_scc_control_libraries.scc_control_libraries[0].control_libraries[*].name, var.control_library_name)
- control_library = data.ibm_scc_control_libraries.scc_control_libraries[0].control_libraries[local.control_library_index]
+ controls_map = {
+ for control in data.ibm_scc_control_library.scc_control_library[*].controls :
+ control[0].control_name => control[0]
+ }
 }
 resource "ibm_scc_control_library" "scc_control_library_instance" {
 instance_id = var.instance_id
 control_library_name = var.control_library_name
 control_library_description = var.control_library_description
- control_library_type = var.control_library_type
+ control_library_type = "custom"
 latest = var.latest
- version_group_label = local.control_library.version_group_label
+ version_group_label = var.version_group_label == null ? data.ibm_scc_control_library.scc_control_library[0].version_group_label : var.version_group_label
 dynamic "controls" {
 for_each = var.controls != null ? var.controls : []
 content {
 control_name = controls.value.control_name
- control_id = controls.value.control_id
+ control_id = lookup(local.controls_map, controls.value.control_name, null) == null ? controls.value.control_id : local.controls_map[controls.value.control_name].control_id
 control_description = controls.value.control_description
 control_category = controls.value.control_category
 control_parent = controls.value.control_parent
diff --git a/modules/controls/variables.tf b/modules/controls/variables.tf
index 821c87c..ce6bfb1 100644
--- a/modules/controls/variables.tf
+++ b/modules/controls/variables.tf
@@ -17,17 +17,18 @@ variable "control_library_description" {
 description = "The control library description. Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `/[A-Za-z0-9]+/`."
 }
-variable "control_library_type" {
- type = string
- description = "The control library type. Constraints: Allowable values are: `predefined`, `custom`."
-}
-
 variable "latest" {
 type = bool
 description = "Choose whether you want the latest version of the control library."
 default = true
 }
+variable "version_group_label" {
+ type = string
+ description = "The version group label."
+ default = null
+}
+
 variable "controls" {
 type = list(object({
 control_id = optional(string)
From 6eb54930958d55a9024a88dc712c474acfcd1702 Mon Sep 17 00:00:00 2001
From: Jordan
Date: Mon, 8 Apr 2024 17:45:52 +0100
Subject: [PATCH 5/6] Update variables.tf
---
 examples/complete/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 17662a4..8c44c2a 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -17,7 +17,7 @@ variable "region" {
 variable "prefix" {
 type = string
 description = "Prefix to append to all resources created by this example"
- default = "scc-new"
+ default = "scc"
 }
 variable "resource_group" {
From 07ffce6483b00aaf5d1ca7a4f63d9a47c58d316d Mon Sep 17 00:00:00 2001
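Review bot: The `controls_map` comprehension iterates `data.ibm_scc_control_library.scc_control_library[*].controls`, and that splat is a list whose single element is the existing library's whole `controls` list, so `control[0]` appears to pick only the first control of that library and the map never contains the others; every other pre-existing control then falls through to the caller-supplied `controls.value.control_id` and may be re-created under a new id. Flattening the splat removes the indexing: `for control in flatten(data.ibm_scc_control_library.scc_control_library[*].controls) :` followed by `control.control_name => control`. The `version_group_label` line has a related edge case: when no library with that name exists (`count = 0`) and `var.version_group_label` is null, the `[0]` index is out of range at plan time, whereas `one(data.ibm_scc_control_library.scc_control_library[*].version_group_label)` (Terraform 0.15+) yields null for the empty case and can be passed through unchanged. The `resource` block continues past the end of the hunk.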
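Review bot: The new `version_group_label` variable accepts any string, while the README row rewritten earlier in this series drops the constraint the old description carried (exactly 36 characters matching `/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/`), so a malformed label is only rejected by the provider at apply time. A `validation` block fails fast at plan time and keeps the contract in the module itself, and restoring the constraint sentence to `description` keeps it in the generated README; the rewritten variable is below. The `null` default is kept, so callers that omit the label are unaffected.
```hcl
variable "version_group_label" {
  type        = string
  description = "The version group label. Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/`."
  default     = null

  validation {
    condition     = var.version_group_label == null || can(regex("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", var.version_group_label))
    error_message = "version_group_label must be a 36-character UUID (8-4-4-4-12 lowercase hex)."
  }
}
```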
From: Jordan-Williams2
Date: Mon, 1 Jul 2024 15:34:03 +0100
Subject: [PATCH 6/6] fix: add comments
---
 common-dev-assets | 2 +-
 modules/controls/main.tf | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/common-dev-assets b/common-dev-assets
index b4db5fd..2365130 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit b4db5fd318a7b55182da9bc143a49e2b2d909d4e
+Subproject commit 23651307a050e56d75bfeaf0efa1c31412da092f
diff --git a/modules/controls/main.tf b/modules/controls/main.tf
index 18f7a38..b710db4 100644
--- a/modules/controls/main.tf
+++ b/modules/controls/main.tf
@@ -1,14 +1,17 @@
+// Get list of all control libraries
 data "ibm_scc_control_libraries" "scc_control_libraries" {
 instance_id = var.instance_id
 }
 locals {
+ // Create map of control libraries
 control_library_map = {
 for control_library in data.ibm_scc_control_libraries.scc_control_libraries.control_libraries :
 control_library.control_library_name => control_library if control_library.control_library_name == var.control_library_name
 }
 }
+// Get specified control library by id
 data "ibm_scc_control_library" "scc_control_library" {
 count = lookup(local.control_library_map, var.control_library_name, null) != null ? 1 : 0
 instance_id = var.instance_id
@@ -16,6 +19,7 @@ data "ibm_scc_control_library" "scc_control_library" {
 }
 locals {
+ // Create map of controls
 controls_map = {
 for control in data.ibm_scc_control_library.scc_control_library[*].controls :
 control[0].control_name => control[0]
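Review bot: The comments added in this hunk use `//`, whereas Terraform's documented default for single-line comments is `#` (the `//` form is accepted but described as non-idiomatic), and the same applies to `// Create map of controls` in the following hunk; `# Get list of all control libraries` and the other three would match the convention. The comment `// Get specified control library by id` also reads slightly off, because the block is selected by `var.control_library_name` through `local.control_library_map` and only then reads `.id`, and the `count` guard is the part worth explaining: `# Read the existing control library with this name, if one exists (count = 0 otherwise)`.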