Configures an IBM Cloud Security and Compliance instance

IBM Security and Compliance Center module

This module configures an IBM Cloud Security and Compliance instance.

Known limitations

There is currently a known issue with the IBM provider (IBM-Cloud/terraform-provider-ibm#5131): when it configures the instance settings, the provider always calls the us-south endpoint, even if the instance was created in another region. The apply then fails with a 404 from the settings API, as in the following error:

│ Error: UpdateSettingsWithContext failed The requested resource was not found
│ {
│     "StatusCode": 404,
│     "Headers": {
│         "Cache-Control": [
│             "no-store"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "854ebcb0de6ebb06-MXP"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Tue, 13 Feb 2024 17:19:35 GMT"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "e2d78bad-a4c6-4dd9-8c47-ffe11088fcde"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Correlation-Id": [
│             "e2d78bad-a4c6-4dd9-8c47-ffe11088fcde"
│         ],
│         "X-Envoy-Upstream-Service-Time": [
│             "27"
│         ],
│         "X-Request-Id": [
│             "c3eaf1cb-f54b-4fcd-bda6-78f9da654e2c"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "not_found",
│                 "message": "The requested resource was not found",
│                 "more_info": "https://cloud.ibm.com/apidocs/security-compliance-admin"
│             }
│         ],
│         "status_code": 404,
│         "trace": "e2d78bad-a4c6-4dd9-8c47-ffe11088fcde"
│     },
│     "RawResult": null
│ }
│
│
│   with module.create_scc_instance.ibm_scc_instance_settings.scc_instance_settings,
│   on ../../main.tf line 42, in resource "ibm_scc_instance_settings" "scc_instance_settings":
│   42: resource "ibm_scc_instance_settings" "scc_instance_settings" {

As a workaround, point the provider at the regional endpoint explicitly by setting the following environment variable in the shell that runs terraform apply:

export IBMCLOUD_SCC_API_ENDPOINT=https://REGION.compliance.cloud.ibm.com

where REGION is the value you pass to the module's region input variable (the endpoint must match the region the instance was created in, or the same 404 is returned).
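The workaround is easy to get wrong when the region lives in a tfvars file and the endpoint is typed by hand. The POSIX shell helper below is an added example, not part of the terraform-ibm-scc module or the IBM provider: it reads the region from a tfvars file, validates it, derives the matching endpoint and exports it before running terraform apply. The function names, the fallback to the module default us-south when no region is set in the file, and the sample tfvars content are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example (not from the terraform-ibm-scc module): derive the
# IBMCLOUD_SCC_API_ENDPOINT workaround value from the region the module is
# given, so the two cannot drift apart.

# Build the regional SCC API endpoint for a region id such as "eu-de".
# Rejects anything that is not a plain IBM Cloud region id (lowercase
# letters, digits, hyphens), so a typo or an unexpected value cannot end
# up in the URL.
scc_endpoint() {
  region="$1"
  case "$region" in
    ''|*[!a-z0-9-]*) echo "invalid region: '$region'" >&2; return 1 ;;
  esac
  printf 'https://%s.compliance.cloud.ibm.com\n' "$region"
}

# Read `region = "..."` from a .tfvars file. Falls back to us-south, the
# module's documented default, when the variable is not set in the file
# (assumption: the region is not overridden elsewhere, e.g. via -var).
region_from_tfvars() {
  file="$1"
  r=$(sed -n 's/^[[:space:]]*region[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$file" | head -n 1)
  if [ -n "$r" ]; then printf '%s\n' "$r"; else printf 'us-south\n'; fi
}

# Export the endpoint that matches the tfvars region, then run
# `terraform apply` with any remaining arguments (hypothetical wrapper).
scc_apply() {
  tfvars="${1:-terraform.tfvars}"
  [ $# -gt 0 ] && shift
  IBMCLOUD_SCC_API_ENDPOINT=$(scc_endpoint "$(region_from_tfvars "$tfvars")") || return 1
  export IBMCLOUD_SCC_API_ENDPOINT
  echo "using SCC endpoint $IBMCLOUD_SCC_API_ENDPOINT" >&2
  terraform apply "$@"
}

# Demo on a constructed tfvars file (sample input, not from a real deployment).
demo_tfvars=$(mktemp)
cat >"$demo_tfvars" <<'EOF'
instance_name     = "my-scc-instance"
region            = "eu-de"
resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
EOF
demo_region=$(region_from_tfvars "$demo_tfvars")
scc_endpoint "$demo_region"   # prints https://eu-de.compliance.cloud.ibm.com
rm -f "$demo_tfvars"
```

Source the file and call `scc_apply path/to/terraform.tfvars` in place of a bare `terraform apply`; the exported variable only affects that shell, so it does not leak into other workspaces that target a different region.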

Usage

module "create_scc_instance" {
  source            = "terraform-ibm-modules/scc/ibm"
  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  instance_name     = "my-scc-instance"
  plan              = "security-compliance-center-standard-plan"
  region            = "us-south"
  resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  cos_instance_crn  = "crn:v1:bluemix:public:cloud-object-storage:global:a/xxXXxxXX:xxXXxxXX-xxXX-xxXX-xxXX-xxXXxxXXxxXX::" # required: CRN of the existing COS instance that holds the bucket
  cos_bucket        = "my-scc-bucket" # required: existing bucket in that COS instance where SCC stores its data
}

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • Security and Compliance Center service
      • Administrator platform access
  • IAM Services
    • Event Notifications service
      • Manager service access

Requirements

Name Version
terraform >= 1.3.0, <1.6.0
ibm >=1.62.0, <2.0.0

Modules

No modules.

Resources

Name Type
ibm_iam_authorization_policy.scc_cos_s2s_access resource
ibm_resource_instance.scc_instance resource
ibm_scc_instance_settings.scc_instance_settings resource
ibm_iam_account_settings.iam_account_settings data source

Inputs

Name | Description | Type | Default | Required
cos_bucket | Name of the Cloud Object Storage bucket in which the SCC instance stores its data | string | n/a | yes
cos_instance_crn | CRN of the Cloud Object Storage instance that holds the bucket used to store SCC data | string | n/a | yes
en_instance_crn | CRN of the Event Notifications instance to use with SCC. If no value is provided, Event Notifications is not enabled for this SCC instance | string | null | no
instance_name | Name of the Security and Compliance Center instance provisioned by this module | string | n/a | yes
plan | Pricing plan for the SCC instance: security-compliance-center-standard-plan or security-compliance-center-trial-plan | string | "security-compliance-center-standard-plan" | no
region | Region in which the SCC instance is created | string | "us-south" | no
resource_group_id | ID of the resource group in which the SCC instance is created | string | n/a | yes
resource_tags | List of tags applied to the resources created by the module | list(string) | [] | no
skip_cos_iam_authorization_policy | Set to true to skip creating the IAM authorization policy that grants the SCC instance created by this module write access to the provided COS instance. Set it only when an equivalent policy already exists; without one, SCC cannot write results to the bucket | bool | false | no

Outputs

Name | Description
crn | The CRN of the SCC instance created by this module
guid | The GUID of the SCC instance created by this module
id | The ID of the SCC instance created by this module
location | The location of the SCC instance created by this module
name | The name of the SCC instance created by this module
plan | The pricing plan used to create the SCC instance in this module

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.