feat: added support to create Event Notifications destinations, topic…

…s and subscriptions (#99)
terraform-ibm-modules · Jun 18, 2024 · e2e3659 · e2e3659
1 parent 520c40a
commit e2e3659
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/solutions/instances/README.md b/solutions/instances/README.md
@@ -33,6 +33,9 @@ This solution supports the following:
 
 | Name | Type |
 |------|------|
+| [ibm_en_subscription_email.email_subscription](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/resources/en_subscription_email) | resource |
+| [ibm_en_topic.en_topic](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/resources/en_topic) | resource |
+| [ibm_en_destinations.en_destinations](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/en_destinations) | data source |
 | [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/iam_account_settings) | data source |
 
 ### Inputs
@@ -63,6 +66,9 @@ This solution supports the following:
 | <a name="input_scc_cos_bucket_name"></a> [scc\_cos\_bucket\_name](#input\_scc\_cos\_bucket\_name) | The name to use when creating the SCC Cloud Object Storage bucket (NOTE: bucket names are globally unique). If 'add\_bucket\_name\_suffix' is set to true, a random 4 characters will be added to this name to help ensure bucket name is globally unique. If prefix input variable is passed then it will get prefixed infront of the value in the format of '<prefix>-value'. | `string` | `"base-security-services-bucket"` | no |
 | <a name="input_scc_cos_key_name"></a> [scc\_cos\_key\_name](#input\_scc\_cos\_key\_name) | The name to give the Key which will be created for the SCC COS bucket. Not used if supplying an existing Key. If prefix input variable is passed then it will get prefixed infront of the value in the format of '<prefix>-value'. | `string` | `"scc-cos-key"` | no |
 | <a name="input_scc_cos_key_ring_name"></a> [scc\_cos\_key\_ring\_name](#input\_scc\_cos\_key\_ring\_name) | The name to give the Key Ring which will be created for the SCC COS bucket Key. Not used if supplying an existing Key. If prefix input variable is passed then it will get prefixed infront of the value in the format of '<prefix>-value'. | `string` | `"scc-cos-key-ring"` | no |
+| <a name="input_scc_en_email_list"></a> [scc\_en\_email\_list](#input\_scc\_en\_email\_list) | The list of email address to target out when Security and Compliance Center triggers an event | `list(string)` | `[]` | no |
+| <a name="input_scc_en_from_email"></a> [scc\_en\_from\_email](#input\_scc\_en\_from\_email) | The email address in the used in the 'from' of any Security and Compliance Center event coming from Event Notifications | `string` | `"[email protected]"` | no |
+| <a name="input_scc_en_reply_to_email"></a> [scc\_en\_reply\_to\_email](#input\_scc\_en\_reply\_to\_email) | The email address used in the 'reply\_to' of any Security and Compliance Center event coming from Event Notifications | `string` | `"[email protected]"` | no |
 | <a name="input_scc_instance_name"></a> [scc\_instance\_name](#input\_scc\_instance\_name) | The name to give the SCC instance that will be provisioned by this solution. If prefix input variable is passed then it will get prefixed infront of the value in the format of '<prefix>-value'. | `string` | `"base-security-services-scc"` | no |
 | <a name="input_scc_instance_tags"></a> [scc\_instance\_tags](#input\_scc\_instance\_tags) | Optional list of tags to be added to SCC instance. | `list(string)` | `[]` | no |
 | <a name="input_scc_region"></a> [scc\_region](#input\_scc\_region) | The region in which to provision SCC resources. | `string` | `"us-south"` | no |

diff --git a/solutions/instances/main.tf b/solutions/instances/main.tf
@@ -202,3 +202,47 @@ module "scc_wp" {
   access_tags                   = var.scc_workload_protection_access_tags
   scc_wp_service_plan           = var.scc_workload_protection_service_plan
 }
+
+#######################################################################################################################
+# SCC Event Notifications Configuration
+#######################################################################################################################
+
+locals {
+  parsed_existing_en_instance_crn = var.existing_en_crn != null ? split(":", var.existing_en_crn) : []
+  existing_en_guid                = length(local.parsed_existing_en_instance_crn) > 0 ? local.parsed_existing_en_instance_crn[7] : null
+}
+
+data "ibm_en_destinations" "en_destinations" {
+  count         = var.existing_en_crn != null ? 1 : 0
+  instance_guid = local.existing_en_guid
+}
+
+resource "ibm_en_topic" "en_topic" {
+  count         = var.existing_en_crn != null ? 1 : 0
+  instance_guid = local.existing_en_guid
+  name          = "SCC Topic"
+  description   = "Topic for SCC events routing"
+  sources {
+    id = module.scc.crn
+    rules {
+      enabled           = true
+      event_type_filter = "$.*"
+    }
+  }
+}
+
+resource "ibm_en_subscription_email" "email_subscription" {
+  count          = var.existing_en_crn != null && length(var.scc_en_email_list) > 0 ? 1 : 0
+  instance_guid  = local.existing_en_guid
+  name           = "Email for Security and Compliance Center Subscription"
+  description    = "Subscription for Security and Compliance Center Events"
+  destination_id = [for s in toset(data.ibm_en_destinations.en_destinations[count.index].destinations) : s.id if s.type == "smtp_ibm"][0]
+  topic_id       = ibm_en_topic.en_topic[count.index].topic_id
+  attributes {
+    add_notification_payload = true
+    reply_to_mail            = var.scc_en_reply_to_email
+    reply_to_name            = "SCC Event Notifications Bot"
+    from_name                = var.scc_en_from_email
+    invited                  = var.scc_en_email_list
+  }
+}
diff --git a/solutions/instances/variables.tf b/solutions/instances/variables.tf
@@ -273,3 +273,25 @@ variable "scc_workload_protection_access_tags" {
     error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details"
   }
 }
+
+########################################################################################################################
+# EN Configuration variables
+########################################################################################################################
+
+variable "scc_en_from_email" {
+  type        = string
+  description = "The email address in the used in the 'from' of any Security and Compliance Center event coming from Event Notifications"
+  default     = "[email protected]"
+}
+
+variable "scc_en_reply_to_email" {
+  type        = string
+  description = "The email address used in the 'reply_to' of any Security and Compliance Center event coming from Event Notifications"
+  default     = "[email protected]"
+}
+
+variable "scc_en_email_list" {
+  type        = list(string)
+  description = "The list of email address to target out when Security and Compliance Center triggers an event"
+  default     = []
+}