Security and Compliance Center Workload Protection module

A module for provisioning an IBM Cloud Security and Compliance Center Workload Protection instance. The module will always create a Manager resource key that connects to the SCC WP instance.

Overview

• terraform-ibm-scc-workload-protection
• Submodules
  • account_check
• Examples
  • Advanced example
    
  • Basic example
    
  • Enterprise example with CSPM enabled
    
• Contributing

Known issues

restapi_object.enable_cspm resource always identified for creation

There is currently a known issue where you will always see the restapi_object.enable_cspm resource included in the terraform plan for creation, even after it has already been applied. It is safe to proceed with this apply and will be a no-op if the resource has already been applied.

terraform-ibm-scc-workload-protection

Usage

data "ibm_iam_auth_token" "auth_token" {}

provider "restapi" {
  # see https://cloud.ibm.com/apidocs/resource-controller/resource-controller#endpoint-url for full list of available resource controller endpoints
  uri = "https://resource-controller.cloud.ibm.com"
  headers = {
    Authorization  = data.ibm_iam_auth_token.auth_token.iam_access_token
  }
  write_returns_object = true
}

module "scc_wp" {
  source                        = "terraform-ibm-modules/scc-workload-protection/ibm"
  version                       = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  name                          = "my-scc-wp-service"
  region                        = "us-south"
  resource_group_id             = "65xxxxxxxxxxxxxxxa3fd"
  resource_key_tags             = ["scc-wp-tag"]
  cloud_monitoring_instance_crn = "crn:v1:bluemix:public:sysdig-monitor:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX::"
  app_config_crn                = "crn:v1:bluemix:public:apprap:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX::"
}

Known issues

restapi_object.enable_cspm resource always identified for creation

There is currently a known issue where you will always see the restapi_object.enable_cspm resource included in the terraform plan for creation, even after it has already been applied. It is safe to proceed with this apply and will be a no-op if the resource has already been applied.

Required IAM access policies

You need the following permissions to run this module.

• IAM Services
  • IBM Cloud Security and Compliance Center Workload Protection service
    • Editor platform access
    • Writer service access

Requirements

Name	Version
terraform	>= 1.9.0
ibm	>= 1.79.2, <2.0.0
restapi	>=2.0.1, <3.0.0

Modules

Name	Source	Version
account_type_check	./modules/account_check	n/a
cbr_rule	terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module	1.34.0
trusted_profile_scc_wp	terraform-ibm-modules/trusted-profile/ibm	3.2.0

Resources

Name	Type
ibm_resource_instance.scc_wp	resource
ibm_resource_key.scc_wp_resource_key	resource
ibm_resource_tag.scc_wp_access_tag	resource
restapi_object.cspm	resource
ibm_iam_auth_token.token	data source

Inputs

Name	Description	Type	Default	Required
access_tags	A list of access tags to apply to the SCC WP instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial.	list(string)	[]	no
app_config_crn	The CRN of an existing App Config instance to use with the SCC Workload Protection instance. Required if cspm_enabled is true. NOTE: Ensure the App Config instance has configuration aggregator enabled.	string	null	no
cbr_rules	The context-based restrictions rule to create. Only one rule is allowed.	list(object({ description = string account_id = string tags = optional(list(object({ name = string value = string })), []) rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string }))	[]	no
cloud_monitoring_instance_crn	To collect and analyze metrics and security data on hosts using both Monitoring and Workload Protection, pass the CRN of an existing IBM Cloud Monitoring instance to create the connection. Once the connection is created, the Monitoring instance CRN cannot be changed.	string	null	no
cspm_enabled	Enable Cloud Security Posture Management (CSPM) for the Workload Protection instance. This will create a trusted profile associated with the SCC Workload Protection instance that has viewer / reader access to the App Config service and viewer access to the Enterprise service. Learn more.	bool	true	no
name	The name to give the SCC Workload Protection instance that will be provisioned by this module.	string	n/a	yes
region	IBM Cloud region where all resources will be deployed	string	"us-south"	no
resource_group_id	The resource group ID where resources will be provisioned.	string	n/a	yes
resource_key_name	The name to give the IBM Cloud SCC WP resource key.	string	"SCCWPManagerKey"	no
resource_key_tags	Tags associated with the IBM Cloud SCC WP resource key.	list(string)	[]	no
resource_tags	Optional list of tags to be added to created SCC WP instance.	list(string)	[]	no
scc_workload_protection_trusted_profile_name	The name to give the trusted profile that is created by this module if cspm_enabled is true. Must begin with a letter.	string	"workload-protection-trusted-profile"	no
scc_wp_service_plan	IBM service pricing plan.	string	"free-trial"	no

Outputs

Name	Description
access_key	Workload Protection instance access key.
account_id	Account ID of created SCC WP instance.
api_endpoint	API endpoint.
crn	CRN of created SCC WP instance.
guid	GUID of created SCC WP instance.
id	ID of created SCC WP instance.
ingestion_endpoint	Ingestion endpoint.
name	Name of created SCC WP instance.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.