added SCC FS Cloud
lionelmace committed Jul 4, 2024
1 parent de943cd commit abc14ab
Showing 4 changed files with 193 additions and 1 deletion.
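--- a/openshift/ingress-route/test-nginx-route.yml
+++ b/openshift/ingress-route/test-nginx-route.yml
@@ -0,0 +1,83 @@
+---
+# Create a namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+name: ns-route
+labels:
+environment: production
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: test
+namespace: ns-route
+labels:
+app: test
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: test
+template:
+metadata:
+labels:
+app: test
+spec:
+containers:
+- name: mtls-test
+# image: nginx
+image: openshift/hello-openshift
+imagePullPolicy: Always
+resources:
+requests:
+cpu: 250m
+memory: 128Mi
+limits:
+cpu: 500m
+memory: 384Mi
+ports:
+- name: http
+containerPort: 8080
+protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: test
+namespace: ns-route
+labels:
+app: test
+spec:
+type: ClusterIP
+ports:
+- port: 80
+targetPort: 8080
+protocol: TCP
+name: http
+selector:
+app: test
+
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+annotations:
+haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload
+labels:
+app: test
+name: test
+namespace: ns-route
+spec:
+host: sandbox-48e132e329a93b062aefe96ed994cafc-0000.eu-de.containers.appdomain.cloud
+port:
+targetPort: 8080
+tls:
+termination: edge
+to:
+kind: Service
+name: test
+weight: 100
+wildcardPolicy: None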
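Review bot: The Deployment's pod template (the `spec.template.spec` block beginning at `containers:`) declares no `securityContext` at pod or container level, so the hardening the workload runs with depends entirely on which SCC the cluster admits it under; on OpenShift the restricted SCC normally assigns a non-root UID, but nothing in the manifest asks for it, and the same file applied to a plain Kubernetes namespace with restricted pod-security admission would be rejected. Declaring the constraints explicitly makes the intent reviewable and the manifest portable; a container-level block is suggested below, with the rest of the container spec unchanged. Two smaller points: the Namespace is labelled `environment: production` although the workload is a test route against a sandbox host, and the container is named `mtls-test` while the Route terminates TLS at the edge, both of which mislead a reader about what is being tested.
```yaml
      containers:
        - name: mtls-test
          image: openshift/hello-openshift
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop:
                - ALL
          # … unchanged: imagePullPolicy, resources, ports …
```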
2 changes: 1 addition & 1 deletion terraform/scc/provider.tf
Expand Up @@ -7,7 +7,7 @@ terraform {
required_providers {
ibm = {
source = "IBM-Cloud/ibm"
version = "1.63.0"
version = "1.67.0"
}
http-full = {
source = "salrashid123/http-full"
File renamed without changes.
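--- a/terraform/scc/security-scc-fscloud.tf
+++ b/terraform/scc/security-scc-fscloud.tf
@@ -0,0 +1,109 @@
+
+## SCC Instance
+##############################################################################
+resource "ibm_resource_instance" "scc_instance" {
+name = format("%s-%s", local.basename, "scc")
+service = "compliance"
+plan = "security-compliance-center-standard-plan"
+location = var.region
+resource_group_id = ibm_resource_group.group.id
+}
+
+resource "ibm_scc_instance_settings" "scc_instance_settings" {
+instance_id = ibm_resource_instance.scc_instance.guid
+event_notifications {
+instance_crn = ibm_resource_instance.event-notifications.crn
+}
+object_storage {
+instance_crn = ibm_resource_instance.cos.crn
+bucket = ibm_cos_bucket.scc-bucket.bucket_name
+}
+}
+
+## SCC Profile Attachment
+##############################################################################
+resource "ibm_scc_profile_attachment" "scc_profile_attachment_instance" {
+name = format("%s-%s", local.basename, "cis")
+depends_on = [ibm_scc_instance_settings.scc_instance_settings]
+profile_id = "bfacb71d-4b84-41ac-9825-e8a3a3eb7405" # FS Cloud Profile v1.6.0
+instance_id = ibm_resource_instance.scc_instance.guid
+description = "scc-profile-attachment"
+scope {
+environment = "ibm-cloud"
+properties {
+name = "scope_id"
+# value = local.account_id
+value = ibm_resource_group.group.id
+}
+properties {
+name = "scope_type"
+# value = "account"
+value = "account.resource_group"
+}
+# properties {
+# name = "exclusions"
+# value = []
+# }
+}
+schedule = "daily"
+status = "enabled"
+notifications {
+enabled = false
+controls {
+failed_control_ids = []
+threshold_limit = 14
+}
+}
+attachment_parameters {
+parameter_name = "tls_version"
+parameter_display_name = "IBM Cloud Internet Services TLS version"
+parameter_type = "string"
+parameter_value = "1.3"
+assessment_type = "automated"
+assessment_id = "rule-e16fcfea-fe21-4d30-a721-423611481fea"
+}
+attachment_parameters {
+parameter_name = "ssh_port"
+parameter_display_name = "Network ACL rule for allowed IPs to SSH port"
+parameter_type = "numeric"
+parameter_value = "22"
+assessment_type = "automated"
+assessment_id = "rule-f9137be8-2490-4afb-8cd5-a201cb167eb2"
+}
+attachment_parameters {
+parameter_name = "rdp_port"
+parameter_display_name = "Security group rule RDP allow port number"
+parameter_type = "numeric"
+parameter_value = "3389"
+assessment_type = "automated"
+assessment_id = "rule-9653d2c7-6290-4128-a5a3-65487ba40370"
+}
+attachment_parameters {
+parameter_name = "ssh_port"
+parameter_display_name = "Security group rule SSH allow port number"
+parameter_type = "numeric"
+parameter_value = "22"
+assessment_type = "automated"
+assessment_id = "rule-7c5f6385-67e4-4edf-bec8-c722558b2dec"
+}
+attachment_parameters {
+parameter_name = "rdp_port"
+parameter_display_name = "Disallowed IPs for ingress to RDP port"
+parameter_type = "numeric"
+parameter_value = "3389"
+assessment_type = "automated"
+assessment_id = "rule-f1e80ee7-88d5-4bf2-b42f-c863bb24601c"
+}
+}
+
+## IAM
+##############################################################################
+# resource "ibm_iam_access_group_policy" "iam-scc" {
+# access_group_id = ibm_iam_access_group.accgrp.id
+# roles = ["Reader", "Viewer"]
+
+# resources {
+# service = "compliance"
+# resource_group_id = ibm_resource_group.group.id
+# }
+# }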
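Review bot: Notifications are switched off on the attachment (`enabled = false` inside the `notifications` block), so the scan configured by `schedule = "daily"` reports failed controls nowhere, even though `ibm_scc_instance_settings` above wires an Event Notifications instance for exactly that purpose; the one-line change is `enabled = true`, after which `failed_control_ids` and `threshold_limit = 14` start to mean something. The attachment name carries the suffix `"cis"` while the `profile_id` comment says FS Cloud Profile v1.6.0 and the description is the generic `"scc-profile-attachment"`, which reads like a copy-paste from a CIS attachment and will be confusing in the SCC console; `format("%s-%s", local.basename, "fscloud")` and a description naming the profile would fix it. The commented-out `ibm_iam_access_group_policy` block at the end is dead code in a brand-new file; either drop it or add a comment explaining why the Reader/Viewer grant on `compliance` is deferred.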
