feat: add scc workload protection agent DA flavor (#91)

terraform-ibm-modules · Jun 11, 2024 · 9b8f529 · 9b8f529
1 parent befaed2
commit 9b8f529
Show file tree

Hide file tree

Showing 28 changed files with 530 additions and 4 deletions.
diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml
@@ -12,3 +12,8 @@ offerings:
         scc:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
           region: us-south
+      - name: agents
+        mark_ready: true
+        install_type: extension
+        pre_validation: "tests/scripts/pre-validation-deploy-slz-roks-and-scc-wp-instances.sh"
+        post_validation: "tests/scripts/post-validation-destroy-slz-roks-and-scc-wp-instances.sh"
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -284,7 +284,7 @@
                         }
                     ],
                     "architecture": {
-                        "descriptions": "This architecture supports creating and configuring an Key Protect instance.",
+                        "descriptions": "This architecture supports creating and configuring a Security and Compliance Center Workload Protection instance.",
                         "features": [
                             {
                                 "title": "Creates a Security and Compliance Center instance.",
@@ -310,7 +310,75 @@
                             }
                         ]
                     }
-                }
+                },
+                {
+                  "label": "Agents",
+                  "name": "agents",
+                  "install_type": "fullstack",
+                  "working_directory": "solutions/agents",
+                  "compliance": {},
+                  "configuration": [
+                      {
+                        "key": "ibmcloud_api_key"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_agent_name"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_agent_namespace"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_cluster_name"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_access_key"
+                      },
+                      {
+                        "key": "scc_workload_protection_instance_region"
+                      },
+                      {
+                        "key": "scc_workload_protection_agent_endpoint_type",
+                        "options": [
+                          {
+                            "displayname": "Public",
+                            "value": "public"
+                          },
+                          {
+                            "displayname": "Private",
+                            "value": "private"
+                          }
+                        ]
+                      }
+                    ],
+                  "iam_permissions": [
+                      {
+                          "service_name": "compliance",
+                          "role_crns": [
+                              "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+                              "crn:v1:bluemix:public:iam::::role:Editor"
+                          ]
+                      }
+                  ],
+                  "architecture": {
+                      "descriptions": "This architecture supports creating and configuring Security and Compliance Center Workload Protection agents.",
+                      "features": [
+                          {
+                              "title": "Creates a Security and Compliance Center Workload Protection agents.",
+                              "description": "Creates and configures a Security and Compliance Center Workload Protection agents."
+                          }
+                      ],
+                      "diagrams": [
+                          {
+                              "diagram": {
+                                  "caption": "Security and Compliance Center Workload Protection Agent",
+                                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-scc-da/main/reference-architecture/scc-wp-agent.svg",
+                                  "type": "image/svg+xml"
+                              },
+                              "description": "This architecture supports creating and configuring Security and Compliance Center Workload Protection agent resources."
+                          }
+                      ]
+                  }
+              }
             ]
         }
     ]

diff --git a/reference-architecture/scc-wp-agent.svg b/reference-architecture/scc-wp-agent.svg
diff --git a/solutions/agents/README.md b/solutions/agents/README.md
@@ -1,3 +1,10 @@
 # Security and Compliance Center Workload Protection Agent solution
 
-(Coming soon)
+This solution supports installing and configuring [IBM Cloud Security and Compliance Center Workload Protection agent](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started). It uses [sysdig-deploy charts](https://github.com/sysdiglabs/charts/tree/master/charts/sysdig-deploy) which deploys the following components into your cluster:
+- Agent
+- Node Analyzer
+- KSPM Collector
+
+This solution will deploy and configure the Workload Protections components in an existing cluster to an existing IBM Cloud Security and Compliance Center Workload Protection instance.
+
+![scc-wp-agent](../../reference-architecture/scc-wp-agent.svg)
diff --git a/solutions/agents/catalogValidationValues.json.template b/solutions/agents/catalogValidationValues.json.template
@@ -0,0 +1,3 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY
+}
diff --git a/solutions/agents/kubeconfig/.gitignore b/solutions/agents/kubeconfig/.gitignore
@@ -0,0 +1,6 @@
+# Ignore everything
+*
+
+# But not these files...
+!.gitignore
+!README.md
diff --git a/solutions/agents/kubeconfig/README.md b/solutions/agents/kubeconfig/README.md
@@ -0,0 +1,2 @@
+This directory must exist in source control so the `ibm_container_cluster_config` data lookup can use it to place the
+config.yml used to connect to a kubernetes cluster.
diff --git a/solutions/agents/main.tf b/solutions/agents/main.tf
@@ -0,0 +1,20 @@
+#######################################################################################################################
+# SCC WP Agent
+#######################################################################################################################
+
+module "scc_wp_agent" {
+  source                 = "terraform-ibm-modules/scc-workload-protection-agent/ibm"
+  version                = "1.2.3"
+  access_key             = var.access_key
+  cluster_name           = var.cluster_name
+  region                 = var.region
+  endpoint_type          = var.endpoint_type
+  name                   = var.name
+  namespace              = var.namespace
+  deployment_tag         = var.deployment_tag
+  kspm_deploy            = var.kspm_deploy
+  node_analyzer_deploy   = var.node_analyzer_deploy
+  host_scanner_deploy    = var.host_scanner_deploy
+  cluster_scanner_deploy = var.cluster_scanner_deploy
+
+}
diff --git a/solutions/agents/outputs.tf b/solutions/agents/outputs.tf
@@ -0,0 +1,8 @@
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "name" {
+  description = "Helm chart release name."
+  value       = module.scc_wp_agent.name
+}
diff --git a/solutions/agents/provider.tf b/solutions/agents/provider.tf
@@ -0,0 +1,26 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
+
+provider "kubernetes" {
+  host  = data.ibm_container_cluster_config.cluster_dconfig.host
+  token = data.ibm_container_cluster_config.cluster_config.token
+}
+
+provider "helm" {
+  kubernetes {
+    host  = data.ibm_container_cluster_config.cluster_config.host
+    token = data.ibm_container_cluster_config.cluster_config.token
+  }
+}
+
+data "ibm_container_cluster_config" "cluster_config" {
+  cluster_name_id = var.cluster_name
+  config_dir      = "${path.module}/kubeconfig"
+  endpoint_type   = var.cluster_endpoint_type
+}
diff --git a/solutions/agents/variables.tf b/solutions/agents/variables.tf
@@ -0,0 +1,92 @@
+########################################################################################################################
+# Common variables
+########################################################################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The API Key to use for IBM Cloud."
+  sensitive   = true
+}
+
+########################################################################################################################
+# SCC Workload Protection Agent variables
+########################################################################################################################
+
+variable "name" {
+  type        = string
+  description = "Helm release name."
+  default     = "ibm-scc-wp-agent"
+}
+
+variable "namespace" {
+  type        = string
+  description = "Namespace of the Security and Compliance Workload Protection agent."
+  default     = "ibm-scc-wp"
+}
+
+variable "cluster_name" {
+  type        = string
+  description = "Cluster name to add Security and Compliance Workload Protection agent to."
+}
+
+variable "access_key" {
+  type        = string
+  description = "Security and Compliance Workload Protection instance access key."
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region where Security and Compliance Workload Protection agent is created."
+}
+
+variable "endpoint_type" {
+  type        = string
+  description = "Specify the endpoint (public or private) for the Security and Compliance Center Workload Protection service."
+  default     = "private"
+  validation {
+    error_message = "The specified endpoint_type can be private or public only."
+    condition     = contains(["private", "public"], var.endpoint_type)
+  }
+}
+
+variable "deployment_tag" {
+  type        = string
+  description = "Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...)."
+  default     = "terraform"
+}
+
+variable "kspm_deploy" {
+  type        = bool
+  description = "Deploy Security and Compliance Workload Protection KSPM component."
+  default     = true
+}
+
+variable "node_analyzer_deploy" {
+  type        = bool
+  description = "Deploy Security and Compliance Workload Protection node analyzer component."
+  default     = true
+}
+
+variable "host_scanner_deploy" {
+  type        = bool
+  description = "Deploy Security and Compliance Workload Protection host scanner component. If node_analyzer_deploy false, this component will not be deployed."
+  default     = true
+}
+
+variable "cluster_scanner_deploy" {
+  type        = bool
+  description = "Deploy Security and Compliance Workload Protection cluster scanner component."
+  default     = true
+}
+
+
+variable "cluster_endpoint_type" {
+  type        = string
+  description = "Specify the endpoint (public or private) for the cluster."
+  default     = "private"
+  validation {
+    error_message = "The specified cluster_endpoint_type can be private or public only."
+    condition     = contains(["private", "public"], var.cluster_endpoint_type)
+  }
+}
diff --git a/solutions/agents/version.tf b/solutions/agents/version.tf
@@ -0,0 +1,19 @@
+terraform {
+  required_version = ">= 1.3.0, <1.7.0"
+
+  required_providers {
+    # Lock DA into an exact provider version - renovate automation will keep it updated
+    ibm = {
+      source  = "ibm-cloud/ibm"
+      version = "1.65.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.13.2"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.30.0"
+    }
+  }
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -22,6 +22,8 @@ import (
 
 const resourceGroup = "geretain-test-resources"
 const instanceFlavorDir = "solutions/instances"
+const agentFlavorDir = "solutions/agents"
+const agentsKubeconfigDir = "solutions/agents/kubeconfig"
 
 // Define a struct with fields that match the structure of the YAML data
 const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml"
@@ -47,6 +49,85 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }
 
+func TestAgentsInSchematics(t *testing.T) {
+	t.Parallel()
+
+	var region = validRegions[rand.Intn(len(validRegions))]
+
+	// ------------------------------------------------------------------------------------------------------
+	// Deploy SLZ ROKS Cluster and SCC Workload Protection instance since it is needed to deploy SCC Workload Protection Agents
+	// ------------------------------------------------------------------------------------------------------
+
+	prefix := fmt.Sprintf("slz-%s", strings.ToLower(random.UniqueId()))
+	realTerraformDir := "./resources/existing-resources/agents"
+	tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
+
+	// Verify ibmcloud_api_key variable is set
+	checkVariable := "TF_VAR_ibmcloud_api_key"
+	val, present := os.LookupEnv(checkVariable)
+	require.True(t, present, checkVariable+" environment variable not set")
+	require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
+
+	logger.Log(t, "Tempdir: ", tempTerraformDir)
+	existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+		TerraformDir: tempTerraformDir,
+		Vars: map[string]interface{}{
+			"prefix": prefix,
+			"region": region,
+		},
+		// Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
+		// This is the same as setting the -upgrade=true flag with terraform.
+		Upgrade: true,
+	})
+
+	terraform.WorkspaceSelectOrNew(t, existingTerraformOptions, prefix)
+	_, existErr := terraform.InitAndApplyE(t, existingTerraformOptions)
+
+	if existErr != nil {
+		assert.True(t, existErr == nil, "Init and Apply of temp resources (SLZ-ROKS and Workload SCC Protection Instances) failed")
+	} else {
+
+		options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
+			Testing: t,
+			Prefix:  "scc-wp-agents",
+			TarIncludePatterns: []string{
+				agentFlavorDir + "/*.*",
+				agentsKubeconfigDir + "/*.*",
+			},
+			ResourceGroup:          resourceGroup,
+			TemplateFolder:         agentFlavorDir,
+			Tags:                   []string{"test-schematic"},
+			DeleteWorkspaceOnFail:  false,
+			WaitJobCompleteMinutes: 60,
+			Region:                 region,
+		})
+
+		options.TerraformVars = []testschematic.TestSchematicTerraformVar{
+			{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
+			{Name: "access_key", Value: terraform.Output(t, existingTerraformOptions, "access_key"), DataType: "string"},
+			{Name: "cluster_name", Value: terraform.Output(t, existingTerraformOptions, "workload_cluster_name"), DataType: "string"},
+			{Name: "region", Value: region, DataType: "string"},
+			{Name: "endpoint_type", Value: "private", DataType: "string"},
+			{Name: "name", Value: options.Prefix, DataType: "string"},
+		}
+
+		err := options.RunSchematicTest()
+		assert.Nil(t, err, "This should not have errored")
+	}
+
+	// Check if "DO_NOT_DESTROY_ON_FAILURE" is set
+	envVal, _ := os.LookupEnv("DO_NOT_DESTROY_ON_FAILURE")
+	// Destroy the temporary existing resources if required
+	if t.Failed() && strings.ToLower(envVal) == "true" {
+		fmt.Println("Terratest failed. Debug the test and delete resources manually.")
+	} else {
+		logger.Log(t, "START: Destroy (existing resources)")
+		terraform.Destroy(t, existingTerraformOptions)
+		terraform.WorkspaceDelete(t, existingTerraformOptions, prefix)
+		logger.Log(t, "END: Destroy (existing resources)")
+	}
+}
+
 func TestInstancesInSchematics(t *testing.T) {
 	t.Parallel()
 
@@ -118,7 +199,7 @@ func TestRunExistingResourcesInstances(t *testing.T) {
 	// ------------------------------------------------------------------------------------
 
 	prefix := fmt.Sprintf("scc-exist-%s", strings.ToLower(random.UniqueId()))
-	realTerraformDir := "./resources/existing-resources"
+	realTerraformDir := "./resources/existing-resources/instances"
 	tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
 	tags := common.GetTagsFromTravis()
 	region := "us-south"