diff --git a/openshift/ingress-route/test-nginx-route.yml b/openshift/ingress-route/test-nginx-route.yml
new file mode 100644
index 0000000..06467f4
--- /dev/null
+++ b/openshift/ingress-route/test-nginx-route.yml
@@ -0,0 +1,83 @@
+---
+# Create a namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ns-route
+ labels:
+ environment: production
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: ns-route
+ labels:
+ app: test
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test
+ template:
+ metadata:
+ labels:
+ app: test
+ spec:
+ containers:
+ - name: mtls-test
+ # image: nginx
+ image: openshift/hello-openshift
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 250m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 384Mi
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: test
+ namespace: ns-route
+ labels:
+ app: test
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 8080
+ protocol: TCP
+ name: http
+ selector:
+ app: test
+
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ annotations:
+ haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload
+ labels:
+ app: test
+ name: test
+ namespace: ns-route
+spec:
+ host: sandbox-48e132e329a93b062aefe96ed994cafc-0000.eu-de.containers.appdomain.cloud
+ port:
+ targetPort: 8080
+ tls:
+ termination: edge
+ to:
+ kind: Service
+ name: test
+ weight: 100
+ wildcardPolicy: None
\ No newline at end of file
diff --git a/terraform/scc/provider.tf b/terraform/scc/provider.tf
index d326074..64574cf 100644
--- a/terraform/scc/provider.tf
+++ b/terraform/scc/provider.tf
@@ -7,7 +7,7 @@ terraform {
 required_providers {
 ibm = {
 source = "IBM-Cloud/ibm"
- version = "1.63.0"
+ version = "1.67.0"
 }
 http-full = {
 source = "salrashid123/http-full"
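Review bot: The Deployment's container in the test-nginx-route.yml hunk pulls an unpinned image (`image: openshift/hello-openshift` with `imagePullPolicy: Always`) and declares no `securityContext`, so what runs can change silently between rollouts and the pod relies entirely on the cluster's default SCC for hardening. Pin the image by tag or digest, and add `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true, capabilities: {drop: ["ALL"]}}` under the container so the intent is explicit in the manifest rather than implied by cluster policy. The Route's HSTS annotation sets `max-age=31536000;includeSubDomains;preload` on a throwaway sandbox host; any browser that has seen it will refuse plain HTTP for that host and its subdomains for a year even after the route is deleted, so confirm that is intended for a test manifest. With `termination: edge` and no `insecureEdgeTerminationPolicy`, plain-HTTP requests to the host are not redirected to TLS; add `insecureEdgeTerminationPolicy: Redirect` if HTTP access is expected to land on the TLS endpoint.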
diff --git a/terraform/scc/security-scc.tf b/terraform/scc/security-scc-cis.tf
similarity index 100%
rename from terraform/scc/security-scc.tf
rename to terraform/scc/security-scc-cis.tf
diff --git a/terraform/scc/security-scc-fscloud.tf b/terraform/scc/security-scc-fscloud.tf
new file mode 100644
index 0000000..54be30a
--- /dev/null
+++ b/terraform/scc/security-scc-fscloud.tf
@@ -0,0 +1,109 @@
+
+## SCC Instance
+##############################################################################
+resource "ibm_resource_instance" "scc_instance" {
+ name = format("%s-%s", local.basename, "scc")
+ service = "compliance"
+ plan = "security-compliance-center-standard-plan"
+ location = var.region
+ resource_group_id = ibm_resource_group.group.id
+}
+
+resource "ibm_scc_instance_settings" "scc_instance_settings" {
+ instance_id = ibm_resource_instance.scc_instance.guid
+ event_notifications {
+ instance_crn = ibm_resource_instance.event-notifications.crn
+ }
+ object_storage {
+ instance_crn = ibm_resource_instance.cos.crn
+ bucket = ibm_cos_bucket.scc-bucket.bucket_name
+ }
+}
+
+## SCC Profile Attachment
+##############################################################################
+resource "ibm_scc_profile_attachment" "scc_profile_attachment_instance" {
+ name = format("%s-%s", local.basename, "cis")
+ depends_on = [ibm_scc_instance_settings.scc_instance_settings]
+ profile_id = "bfacb71d-4b84-41ac-9825-e8a3a3eb7405" # FS Cloud Profile v1.6.0
+ instance_id = ibm_resource_instance.scc_instance.guid
+ description = "scc-profile-attachment"
+ scope {
+ environment = "ibm-cloud"
+ properties {
+ name = "scope_id"
+ # value = local.account_id
+ value = ibm_resource_group.group.id
+ }
+ properties {
+ name = "scope_type"
+ # value = "account"
+ value = "account.resource_group"
+ }
+ # properties {
+ # name = "exclusions"
+ # value = []
+ # }
+ }
+ schedule = "daily"
+ status = "enabled"
+ notifications {
+ enabled = false
+ controls {
+ failed_control_ids = []
+ threshold_limit = 14
+ }
+ }
+ attachment_parameters {
+ parameter_name = "tls_version"
+ parameter_display_name = "IBM Cloud Internet Services TLS version"
+ parameter_type = "string"
+ parameter_value = "1.3"
+ assessment_type = "automated"
+ assessment_id = "rule-e16fcfea-fe21-4d30-a721-423611481fea"
+ }
+ attachment_parameters {
+ parameter_name = "ssh_port"
+ parameter_display_name = "Network ACL rule for allowed IPs to SSH port"
+ parameter_type = "numeric"
+ parameter_value = "22"
+ assessment_type = "automated"
+ assessment_id = "rule-f9137be8-2490-4afb-8cd5-a201cb167eb2"
+ }
+ attachment_parameters {
+ parameter_name = "rdp_port"
+ parameter_display_name = "Security group rule RDP allow port number"
+ parameter_type = "numeric"
+ parameter_value = "3389"
+ assessment_type = "automated"
+ assessment_id = "rule-9653d2c7-6290-4128-a5a3-65487ba40370"
+ }
+ attachment_parameters {
+ parameter_name = "ssh_port"
+ parameter_display_name = "Security group rule SSH allow port number"
+ parameter_type = "numeric"
+ parameter_value = "22"
+ assessment_type = "automated"
+ assessment_id = "rule-7c5f6385-67e4-4edf-bec8-c722558b2dec"
+ }
+ attachment_parameters {
+ parameter_name = "rdp_port"
+ parameter_display_name = "Disallowed IPs for ingress to RDP port"
+ parameter_type = "numeric"
+ parameter_value = "3389"
+ assessment_type = "automated"
+ assessment_id = "rule-f1e80ee7-88d5-4bf2-b42f-c863bb24601c"
+ }
+}
+
+## IAM
+##############################################################################
+# resource "ibm_iam_access_group_policy" "iam-scc" {
+# access_group_id = ibm_iam_access_group.accgrp.id
+# roles = ["Reader", "Viewer"]
+
+# resources {
+# service = "compliance"
+# resource_group_id = ibm_resource_group.group.id
+# }
+# }