feat: Enable traffic flow from SCC to COS is added (#525)
* feat: cos enf mode enabled and SCC to COS added

* addressed review comments

* update output description

* update output description
Ak-sky authored Sep 12, 2024
1 parent c875b54 commit 789366a
Showing 5 changed files with 27 additions and 15 deletions.
10 changes: 5 additions & 5 deletions modules/cbr-zone-module/README.md
Expand Up @@ -62,9 +62,9 @@ No modules.

| Name | Description |
|------|-------------|
| <a name="output_zone_crn"></a> [zone\_crn](#output\_zone\_crn) | CBR zone resource crn |
| <a name="output_zone_description"></a> [zone\_description](#output\_zone\_description) | CBR zone resource description |
| <a name="output_zone_href"></a> [zone\_href](#output\_zone\_href) | CBR zone resource link |
| <a name="output_zone_id"></a> [zone\_id](#output\_zone\_id) | CBR zone resource id |
| <a name="output_zone_names"></a> [zone\_names](#output\_zone\_names) | CBR zone resource name |
| <a name="output_zone_crn"></a> [zone\_crn](#output\_zone\_crn) | CBR zone crn |
| <a name="output_zone_description"></a> [zone\_description](#output\_zone\_description) | CBR zone description |
| <a name="output_zone_href"></a> [zone\_href](#output\_zone\_href) | CBR zone link |
| <a name="output_zone_id"></a> [zone\_id](#output\_zone\_id) | CBR zone id |
| <a name="output_zone_names"></a> [zone\_names](#output\_zone\_names) | CBR zone name |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
10 changes: 5 additions & 5 deletions modules/cbr-zone-module/outputs.tf
Expand Up @@ -4,25 +4,25 @@

output "zone_names" {
value = var.existing_zone_id == null ? ibm_cbr_zone.cbr_zone[0].name : null
description = "CBR zone resource name"
description = "CBR zone name"
}

output "zone_description" {
value = var.existing_zone_id == null ? var.zone_description : null
description = "CBR zone resource description"
description = "CBR zone description"
}

output "zone_id" {
value = var.existing_zone_id == null ? ibm_cbr_zone.cbr_zone[0].id : ibm_cbr_zone_addresses.update_cbr_zone_address[0].id
description = "CBR zone resource id"
description = "CBR zone id"
}

output "zone_crn" {
value = var.existing_zone_id == null ? ibm_cbr_zone.cbr_zone[0].crn : null
description = "CBR zone resource crn"
description = "CBR zone crn"
}

output "zone_href" {
value = var.existing_zone_id == null ? ibm_cbr_zone.cbr_zone[0].href : null
description = "CBR zone resource link"
description = "CBR zone link"
}
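Review bot: the `zone_id` description should say which id is returned when `existing_zone_id` is set: on that branch the value comes from `ibm_cbr_zone_addresses.update_cbr_zone_address[0].id` rather than from `ibm_cbr_zone`, while `zone_names`, `zone_description`, `zone_crn` and `zone_href` all return `null` in the same case. Shortening the descriptions is fine, but consider recording the null-when-existing behaviour in them, e.g. `description = "CBR zone name (null when an existing zone is used)"`, so module consumers do not assume these outputs are always populated.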
9 changes: 6 additions & 3 deletions modules/fscloud/README.md
Expand Up @@ -5,13 +5,13 @@ This module creates default coarse-grained CBR rules in a given account followin
- Block Storage -> Hyper Protect Crypto Services (HPCS)
- IBM Cloud Kubernetes Service (IKS) -> Hyper Protect Crypto Services (HPCS)
- All IBM Cloud Databases (ICD) services -> Hyper Protect Crypto Services (HPCS)
- Activity Tracker route -> Cloud Object Storage (COS)
- Event Streams (Messagehub) -> Hyper Protect Crypto Services (HPCS)
- Virtual Private Clouds (VPCs) where clusters are deployed -> Cloud Object Storage (COS)
- Activity Tracker route -> Cloud Object Storage (COS)
- IBM Cloud VPC Infrastructure Services (IS) -> Cloud Object Storage (COS)
- Security and Compliance Center (SCC) -> Cloud Object Storage (COS)
- Virtual Private Clouds (VPCs) workload (eg: Kubernetes worker nodes) -> IBM Cloud Container Registry
- IBM Cloud Databases (ICD) -> Hyper Protect Crypto Services (HPCS)
- IBM Cloud Kubernetes Service (IKS) -> VPC Infrastructure Services (IS)
- Event Streams (Messagehub) -> Hyper Protect Crypto Services (HPCS)


**Note on KMS**: the module supports setting up rules for Key Protect, and Hyper Protect Crypto Services. By default the modules set rules for Hyper Protect Crypto Services, but this can be modified to use Key Protect, Hyper Protect, or both Key Protect and Hyper Protect Crypto Services using the input variable `kms_service_targeted_by_prewired_rules`.
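Review bot: the reordered flow list now carries two entries for the same flow, `All IBM Cloud Databases (ICD) services -> Hyper Protect Crypto Services (HPCS)` near the top and `IBM Cloud Databases (ICD) -> Hyper Protect Crypto Services (HPCS)` further down; keep one of them. The new `Security and Compliance Center (SCC) -> Cloud Object Storage (COS)` line is correctly grouped with the other COS flows.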
Expand All @@ -30,6 +30,8 @@ Important: In order to avoid unexpected breakage in the account against which th

**Note on `mqcloud`**: Region and/or instance_id is/are required for service `mqcloud` to create the CBR rule. This service is only available in eu-fr2 region.

**Note on `Security and Compliance Center (SCC) scan`**: Compliance can only be claimed after all the enforcement mode have been set to enabled.

## Note
The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' do not support restriction per location.

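Review bot: the new SCC note needs a grammar fix and a clearer subject: `all the enforcement mode have been set to enabled` should read `all the CBR rules created by this module have their enforcement mode set to enabled` (or similar), since it is the rules' enforcement mode that is meant. Also, the other notes in this file put only service identifiers such as `mqcloud` in backticks; `Security and Compliance Center (SCC) scan` is a prose phrase and should not be code-formatted.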
Expand Down Expand Up @@ -120,6 +122,7 @@ module "cbr_fscloud" {
| <a name="input_allow_iks_to_is"></a> [allow\_iks\_to\_is](#input\_allow\_iks\_to\_is) | Set rule for IKS to IS (VPC Infrastructure Services), default is true | `bool` | `true` | no |
| <a name="input_allow_is_to_cos"></a> [allow\_is\_to\_cos](#input\_allow\_is\_to\_cos) | Set rule for IS (VPC Infrastructure Services) to COS, default is true | `bool` | `true` | no |
| <a name="input_allow_roks_to_kms"></a> [allow\_roks\_to\_kms](#input\_allow\_roks\_to\_kms) | Set rule for ROKS to KMS, default is true | `bool` | `true` | no |
| <a name="input_allow_scc_to_cos"></a> [allow\_scc\_to\_cos](#input\_allow\_scc\_to\_cos) | Set rule for SCC (Security and Compliance Center) to COS, default is true | `bool` | `true` | no |
| <a name="input_allow_vpcs_to_container_registry"></a> [allow\_vpcs\_to\_container\_registry](#input\_allow\_vpcs\_to\_container\_registry) | Set rule for VPCs to container registry, default is true | `bool` | `true` | no |
| <a name="input_allow_vpcs_to_cos"></a> [allow\_vpcs\_to\_cos](#input\_allow\_vpcs\_to\_cos) | Set rule for VPCs to COS, default is true | `bool` | `true` | no |
| <a name="input_custom_rule_contexts_by_service"></a> [custom\_rule\_contexts\_by\_service](#input\_custom\_rule\_contexts\_by\_service) | Any additional context to add to the CBR rules created by this module. The context are added to the CBR rule targetting the service passed as a key. The module looks up the zone id when service\_ref\_names or add\_managed\_vpc\_zone are passed in. | <pre>map(list(object(<br> {<br> endpointType = string # "private, public or direct"<br><br> # Service-name (module lookup for existing network zone) and/or CBR zone id<br> service_ref_names = optional(list(string), [])<br> add_managed_vpc_zone = optional(bool, false)<br> zone_ids = optional(list(string), [])<br> })))</pre> | `{}` | no |
7 changes: 5 additions & 2 deletions modules/fscloud/main.tf
Expand Up @@ -246,6 +246,8 @@ locals {
is_cbr_zone_id = local.cbr_zones["is"].zone_id
# tflint-ignore: terraform_naming_convention
event_streams_cbr_zone_id = local.cbr_zones["messagehub"].zone_id
# tflint-ignore: terraform_naming_convention
scc_cbr_zone_id = local.cbr_zones["compliance"].zone_id

prewired_rule_contexts_by_service = merge({
# COS -> HPCS, Block storage -> HPCS, ROKS -> HPCS, ICD -> HPCS, Event Streams (Messagehub) -> HPCS
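Review bot: `local.cbr_zones["compliance"].zone_id` assumes the zone map always contains a `compliance` entry. The neighbouring lookups (`is`, `messagehub`) rely on the same pattern, so confirm that `compliance` is the service reference name used where `local.cbr_zones` is built and that the zone is created regardless of `allow_scc_to_cos`; otherwise the plan fails with a missing-key error even when the new toggle is set to false.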
Expand All @@ -266,7 +268,7 @@ locals {
var.allow_event_streams_to_kms ? [local.event_streams_cbr_zone_id] : []
])
}] }, {
# Fs VPCs -> COS, AT -> COS, VPC Infrastructure Services (IS) -> COS
# Fs VPCs -> COS, AT -> COS, VPC Infrastructure Services (IS) -> COS, Security and Compliance Center (SCC) -> COS
"cloud-object-storage" : [{
endpointType : "direct",
networkZoneIds : flatten([
Expand All @@ -276,7 +278,8 @@ locals {
endpointType : "private",
networkZoneIds : flatten([
var.allow_at_to_cos ? [local.logdnaat_cbr_zone_id] : [],
var.allow_is_to_cos ? [local.is_cbr_zone_id] : []
var.allow_is_to_cos ? [local.is_cbr_zone_id] : [],
var.allow_scc_to_cos ? [local.scc_cbr_zone_id] : [],
])
}] }, {
# VPCs -> container registry
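Review bot: the SCC zone is added to the `private` endpoint context of the `cloud-object-storage` rule, not to the `direct` context above it. Please confirm that SCC reaches COS over the private endpoint type; if it uses a different one, the rule is created but never matches the flow, which matters given the README's point that compliance is claimed only once enforcement mode is enabled. The trailing comma after the new list element is valid HCL and harmless, though the element before it had none.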
6 changes: 6 additions & 0 deletions modules/fscloud/variables.tf
Expand Up @@ -69,6 +69,12 @@ variable "allow_is_to_cos" {
default = true
}

variable "allow_scc_to_cos" {
type = bool
description = "Set rule for SCC (Security and Compliance Center) to COS, default is true"
default = true
}

variable "zone_service_ref_list" {
type = object({
cloud-object-storage = optional(object({
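Review bot: `allow_scc_to_cos` defaults to `true`, so existing consumers of the module pick up an additional network zone in their COS rule context on the next apply without changing any input. That is consistent with the other `allow_*_to_cos` toggles, but it is a behaviour change for existing deployments and is worth stating in the release notes. Repeating the default value in the description matches the sibling variables, so that is fine for consistency.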
