feat: add scc workload protection agent DA flavor (#91)
Showing 28 changed files with 530 additions and 4 deletions.
@@ -1,3 +1,10 @@ | ||
# Security and Compliance Center Workload Protection Agent solution | ||
|
||
(Coming soon) | ||
This solution supports installing and configuring [IBM Cloud Security and Compliance Center Workload Protection agent](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started). It uses [sysdig-deploy charts](https://github.com/sysdiglabs/charts/tree/master/charts/sysdig-deploy) which deploys the following components into your cluster: | ||
- Agent | ||
- Node Analyzer | ||
- KSPM Collector | ||
|
||
This solution will deploy and configure the Workload Protections components in an existing cluster to an existing IBM Cloud Security and Compliance Center Workload Protection instance. | ||
|
||
![scc-wp-agent](../../reference-architecture/scc-wp-agent.svg) |
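Review bot: the component list (Agent, Node Analyzer, KSPM Collector) does not match what this solution actually exposes; the main.tf in the same commit also wires `host_scanner_deploy` and `cluster_scanner_deploy`, so either list the host scanner and cluster scanner here or state that they are sub-components of the node analyzer. Also decide whether "(Coming soon)" should survive now that the DA flavor is being added, and "Workload Protections components" should read "Workload Protection components".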
@@ -0,0 +1,3 @@ | ||
{ | ||
"ibmcloud_api_key": $VALIDATION_APIKEY | ||
} |
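Review bot: `$VALIDATION_APIKEY` is unquoted, so this file is not valid JSON as committed. If it is a template that the catalog validation tooling substitutes before use, document that in the README next to it so nobody "fixes" it by pasting a literal API key, and make sure the substituted copy can never be committed.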
@@ -0,0 +1,6 @@ | ||
# Ignore everything | ||
* | ||
|
||
# But not these files... | ||
!.gitignore | ||
!README.md |
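Review bot: good, the ignore-everything pattern keeps the generated kubeconfig, which carries a cluster bearer token, out of source control. One caveat worth a line in the neighbouring README: the same `ibm_container_cluster_config` lookup also persists that token in Terraform state, so the ignore protects the working tree only and the state backend still has to be treated as secret.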
@@ -0,0 +1,2 @@ | ||
This directory must exist in source control so the `ibm_container_cluster_config` data lookup can use it to place the | ||
config.yml used to connect to a kubernetes cluster. |
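Review bot: say why this directory is special rather than only that it must exist: the file written here contains the cluster's bearer token, which is why the sibling `.gitignore` excludes everything except this README. Without that sentence a later contributor may relax the ignore rule.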
@@ -0,0 +1,20 @@ | ||
####################################################################################################################### | ||
# SCC WP Agent | ||
####################################################################################################################### | ||
|
||
module "scc_wp_agent" { | ||
source = "terraform-ibm-modules/scc-workload-protection-agent/ibm" | ||
version = "1.2.3" | ||
access_key = var.access_key | ||
cluster_name = var.cluster_name | ||
region = var.region | ||
endpoint_type = var.endpoint_type | ||
name = var.name | ||
namespace = var.namespace | ||
deployment_tag = var.deployment_tag | ||
kspm_deploy = var.kspm_deploy | ||
node_analyzer_deploy = var.node_analyzer_deploy | ||
host_scanner_deploy = var.host_scanner_deploy | ||
cluster_scanner_deploy = var.cluster_scanner_deploy | ||
|
||
} |
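Review bot: stray blank line before the closing brace of the `module "scc_wp_agent"` block (the line after `cluster_scanner_deploy`); drop it to match the rest of the file. Pinning the module to an exact version is the right call for a DA, but make sure the renovate configuration covers this module source as well as the provider pins in version.tf, otherwise the pin silently goes stale.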
@@ -0,0 +1,8 @@ | ||
######################################################################################################################## | ||
# Outputs | ||
######################################################################################################################## | ||
|
||
output "name" { | ||
description = "Helm chart release name." | ||
value = module.scc_wp_agent.name | ||
} |
@@ -0,0 +1,26 @@ | ||
######################################################################################################################## | ||
# Provider config | ||
######################################################################################################################## | ||
|
||
provider "ibm" { | ||
ibmcloud_api_key = var.ibmcloud_api_key | ||
region = var.region | ||
} | ||
|
||
provider "kubernetes" { | ||
host = data.ibm_container_cluster_config.cluster_dconfig.host | ||
token = data.ibm_container_cluster_config.cluster_config.token | ||
} | ||
|
||
provider "helm" { | ||
kubernetes { | ||
host = data.ibm_container_cluster_config.cluster_config.host | ||
token = data.ibm_container_cluster_config.cluster_config.token | ||
} | ||
} | ||
|
||
data "ibm_container_cluster_config" "cluster_config" { | ||
cluster_name_id = var.cluster_name | ||
config_dir = "${path.module}/kubeconfig" | ||
endpoint_type = var.cluster_endpoint_type | ||
} |
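Review bot: `data.ibm_container_cluster_config.cluster_dconfig.host` in the `kubernetes` provider block references a data source that is never declared (the lookup is named `cluster_config`, as the `token` line and the `helm` block use), so `terraform validate` will fail on this file; fix the typo to `cluster_config`. Consider also passing `cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate` to both providers so the API server certificate is verified against the cluster CA rather than whatever the runner happens to trust.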
@@ -0,0 +1,92 @@ | ||
######################################################################################################################## | ||
# Common variables | ||
######################################################################################################################## | ||
|
||
variable "ibmcloud_api_key" { | ||
type = string | ||
description = "The API Key to use for IBM Cloud." | ||
sensitive = true | ||
} | ||
|
||
######################################################################################################################## | ||
# SCC Workload Protection Agent variables | ||
######################################################################################################################## | ||
|
||
variable "name" { | ||
type = string | ||
description = "Helm release name." | ||
default = "ibm-scc-wp-agent" | ||
} | ||
|
||
variable "namespace" { | ||
type = string | ||
description = "Namespace of the Security and Compliance Workload Protection agent." | ||
default = "ibm-scc-wp" | ||
} | ||
|
||
variable "cluster_name" { | ||
type = string | ||
description = "Cluster name to add Security and Compliance Workload Protection agent to." | ||
} | ||
|
||
variable "access_key" { | ||
type = string | ||
description = "Security and Compliance Workload Protection instance access key." | ||
sensitive = true | ||
} | ||
|
||
variable "region" { | ||
type = string | ||
description = "Region where Security and Compliance Workload Protection agent is created." | ||
} | ||
|
||
variable "endpoint_type" { | ||
type = string | ||
description = "Specify the endpoint (public or private) for the Security and Compliance Center Workload Protection service." | ||
default = "private" | ||
validation { | ||
error_message = "The specified endpoint_type can be private or public only." | ||
condition = contains(["private", "public"], var.endpoint_type) | ||
} | ||
} | ||
|
||
variable "deployment_tag" { | ||
type = string | ||
description = "Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...)." | ||
default = "terraform" | ||
} | ||
|
||
variable "kspm_deploy" { | ||
type = bool | ||
description = "Deploy Security and Compliance Workload Protection KSPM component." | ||
default = true | ||
} | ||
|
||
variable "node_analyzer_deploy" { | ||
type = bool | ||
description = "Deploy Security and Compliance Workload Protection node analyzer component." | ||
default = true | ||
} | ||
|
||
variable "host_scanner_deploy" { | ||
type = bool | ||
description = "Deploy Security and Compliance Workload Protection host scanner component. If node_analyzer_deploy false, this component will not be deployed." | ||
default = true | ||
} | ||
|
||
variable "cluster_scanner_deploy" { | ||
type = bool | ||
description = "Deploy Security and Compliance Workload Protection cluster scanner component." | ||
default = true | ||
} | ||
|
||
|
||
variable "cluster_endpoint_type" { | ||
type = string | ||
description = "Specify the endpoint (public or private) for the cluster." | ||
default = "private" | ||
validation { | ||
error_message = "The specified cluster_endpoint_type can be private or public only." | ||
condition = contains(["private", "public"], var.cluster_endpoint_type) | ||
} | ||
} |
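Review bot: several description issues. `cluster_name` is passed to `cluster_name_id`, so the description should say a name or ID is accepted; `region` is used for the IBM provider as well as the Workload Protection endpoint, but the description only mentions the agent; the second sentence of `host_scanner_deploy` is missing a verb ("If node_analyzer_deploy is false, ..."). `cluster_endpoint_type` belongs with the cluster/provider settings rather than under the agent header, and there is a double blank line before it. Also worth stating near the two `private` defaults that `cluster_endpoint_type = "private"` requires the machine running terraform to reach the cluster's private service endpoint, and `endpoint_type = "private"` requires the cluster nodes to reach the Workload Protection private endpoint.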
@@ -0,0 +1,19 @@ | ||
terraform { | ||
required_version = ">= 1.3.0, <1.7.0" | ||
|
||
required_providers { | ||
# Lock DA into an exact provider version - renovate automation will keep it updated | ||
ibm = { | ||
source = "ibm-cloud/ibm" | ||
version = "1.65.0" | ||
} | ||
helm = { | ||
source = "hashicorp/helm" | ||
version = "2.13.2" | ||
} | ||
kubernetes = { | ||
source = "hashicorp/kubernetes" | ||
version = "2.30.0" | ||
} | ||
} | ||
} |
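Review bot: `required_version = ">= 1.3.0, <1.7.0"` excludes Terraform 1.7 and later; if that upper bound is deliberate pending a compatibility check, say so in the comment, otherwise users on newer Terraform will be blocked for no stated reason. The exact provider pins match the comment above them and are fine for a DA.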