feat: Added support to create SCC attachment using the new [attachment](

https://github.com/terraform-ibm-modules/terraform-ibm-scc/tree/main/modules/attachment) submodule (#30)

README.md

@@ -14,6 +14,8 @@ This module configures an IBM Cloud Security and Compliance instance.
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
 * [terraform-ibm-scc](#terraform-ibm-scc)
+* [Submodules](./modules)
+    * [attachment](./modules/attachment)
 * [Examples](./examples)
     * [Basic example](./examples/basic)
     * [Complete example](./examples/complete)

examples/complete/README.md

@@ -2,5 +2,6 @@
 
 A complete example that will provision the following:
 - A new resource group if one is not passed in.
-- A new event notification service instance
-- A new Security and Compliance Center instance with COS bucket and event notification configuration
+- A new event notification service instance.
+- A new Security and Compliance Center instance with COS bucket and event notifications enabled.
+- An SCC attachment scoped to a resource group.

examples/complete/main.tf

@@ -1,20 +1,32 @@
+##############################################################################
+# Resource group
+##############################################################################
+
 module "resource_group" {
   source                       = "terraform-ibm-modules/resource-group/ibm"
   version                      = "1.1.5"
   resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
   existing_resource_group_name = var.resource_group
 }
 
+##############################################################################
+# COS instance and bucket
+##############################################################################
+
 module "cos" {
   source                 = "terraform-ibm-modules/cos/ibm"
-  version                = "7.5.0"
+  version                = "7.5.1"
   cos_instance_name      = "${var.prefix}-cos"
   kms_encryption_enabled = false
   retention_enabled      = false
   resource_group_id      = module.resource_group.resource_group_id
   bucket_name            = "${var.prefix}-cb"
 }
 
+##############################################################################
+# Event Notifications
+##############################################################################
+
 module "event_notification" {
   source            = "terraform-ibm-modules/event-notifications/ibm"
   version           = "1.2.2"
@@ -26,14 +38,44 @@ module "event_notification" {
   region            = var.region
 }
 
+##############################################################################
+# SCC instance
+##############################################################################
+
 module "create_scc_instance" {
-  source                            = "../.."
-  instance_name                     = "${var.prefix}-instance"
-  region                            = var.region
-  resource_group_id                 = module.resource_group.resource_group_id
-  resource_tags                     = var.resource_tags
-  cos_bucket                        = module.cos.bucket_name
-  cos_instance_crn                  = module.cos.cos_instance_id
-  en_instance_crn                   = module.event_notification.crn
-  skip_cos_iam_authorization_policy = false
+  source            = "../.."
+  instance_name     = "${var.prefix}-instance"
+  region            = var.region
+  resource_group_id = module.resource_group.resource_group_id
+  resource_tags     = var.resource_tags
+  cos_bucket        = module.cos.bucket_name
+  cos_instance_crn  = module.cos.cos_instance_id
+  en_instance_crn   = module.event_notification.crn
+}
+
+##############################################################################
+# SCC attachment
+##############################################################################
+
+module "create_profile_attachment" {
+  source                 = "../../modules/attachment"
+  profile_id             = "f54b4962-06c6-46bb-bb04-396d9fa9bd60" # temporarily default to SOC 2 profile until provider add support to do data lookup by name https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5185)
+  scc_instance_id        = module.create_scc_instance.guid
+  attachment_name        = "${var.prefix}-attachment"
+  attachment_description = "profile-attachment-description"
+  attachment_schedule    = "every_7_days"
+  # scope the attachment to a specific resource group
+  scope = [{
+    environment = "ibm-cloud"
+    properties = [
+      {
+        name  = "scope_type"
+        value = "account.resource_group"
+      },
+      {
+        name  = "scope_id"
+        value = module.resource_group.resource_group_id
+      }
+    ]
+  }]
 }

examples/complete/outputs.tf

@@ -50,4 +50,15 @@ output "cos_instance_id" {
 output "cos_bucket" {
   description = "The COS bucket created in this example"
   value       = module.cos.bucket_name
+  depends_on  = [module.create_scc_instance]
+}
+
+output "scc_profile_attachment_id" {
+  description = "SCC profile attachment ID"
+  value       = module.create_profile_attachment.id
+}
+
+output "scc_profile_attachment_parameters" {
+  description = "SCC profile attachment ID"
+  value       = module.create_profile_attachment.attachment_parameters
 }

modules/attachment/README.md

@@ -0,0 +1,75 @@
+# SCC Profile Attachment module
+
+A module to configure an SCC Profile Attachment.
+
+Features:
+- Create an attachment using a profile ID
+- Use the default profile parameters, or pass a custom parameter list
+- Configure a scan schedule for the attachment
+- Configure notifications for the attachment
+
+### Usage
+
+```hcl
+module "create_scc_profile_attachment " {
+  source                         = "terraform-ibm-modules/scc/ibm//modules/attachment"
+  ibmcloud_api_key               = "XXXXXXXXXX" # pragma: allowlist secret
+  scc_instance_id                = "57b7ac52-e837-484c-aa07-e3c2db815c44" # replace with the ID of your SCC instance
+  profile_id                     = "f54b4962-06c6-46bb-bb04-396d9fa9bd60" # select the ID of the profile you want to use
+  use_profile_default_parameters = true # if setting this to false, custom parameters must be passed using the 'custom_attachment_parameters' variable
+  attachment_name                = "My attachment"
+  attachment_description         = "My attachment description"
+  attachment_schedule            = "daily"
+  # Configure the scope for the attachment - below scope will scan the whole account
+  scope {
+    environment   = "ibm-cloud"
+    properties {
+        name                = "scope-type"
+        value               = "account"
+    }
+  }
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0, <1.7.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >=1.63.0, <2.0.0 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [ibm_scc_profile_attachment.scc_profile_attachment](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/scc_profile_attachment) | resource |
+| [ibm_scc_profile.scc_profile](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/scc_profile) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_attachment_description"></a> [attachment\_description](#input\_attachment\_description) | The description for the SCC profile attachment. | `string` | n/a | yes |
+| <a name="input_attachment_name"></a> [attachment\_name](#input\_attachment\_name) | The name to give to SCC profile attachment. | `string` | n/a | yes |
+| <a name="input_attachment_schedule"></a> [attachment\_schedule](#input\_attachment\_schedule) | The schedule of an attachment. Allowable values are: daily, every\_7\_days, every\_30\_days, none. | `string` | `"daily"` | no |
+| <a name="input_custom_attachment_parameters"></a> [custom\_attachment\_parameters](#input\_custom\_attachment\_parameters) | A list of custom attachement parameters to use. Only used if 'use\_profile\_default\_parameters' is set to false. | <pre>list(object({<br>    parameter_name          = string<br>    parameter_display_name  = string<br>    parameter_type          = string<br>    parameter_default_value = string<br>    assessment_type         = string<br>    assessment_id           = string<br>  }))</pre> | `null` | no |
+| <a name="input_enable_notification"></a> [enable\_notification](#input\_enable\_notification) | To enable notifications. | `bool` | `false` | no |
+| <a name="input_notification_threshold_limit"></a> [notification\_threshold\_limit](#input\_notification\_threshold\_limit) | The threshold limit for notifications. | `number` | `14` | no |
+| <a name="input_notify_failed_control_ids"></a> [notify\_failed\_control\_ids](#input\_notify\_failed\_control\_ids) | A list of control IDs to send notifcations for when they fail. | `list(string)` | `[]` | no |
+| <a name="input_profile_id"></a> [profile\_id](#input\_profile\_id) | ID of the profile you wish to use for the attachment. | `string` | n/a | yes |
+| <a name="input_scc_instance_id"></a> [scc\_instance\_id](#input\_scc\_instance\_id) | ID of the SCC instance in which to create the attachment. | `string` | n/a | yes |
+| <a name="input_scope"></a> [scope](#input\_scope) | The scope to set for the SCC profile attachment. | <pre>list(object({<br>    environment = optional(string, "ibm-cloud")<br>    properties = list(object({<br>      name  = string<br>      value = string<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_use_profile_default_parameters"></a> [use\_profile\_default\_parameters](#input\_use\_profile\_default\_parameters) | A boolean indicating whether to use the profiles default parameters. If set to false, a value must be passed for the `custum_attachment_parameters` input variable. | `bool` | `true` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_attachment_parameters"></a> [attachment\_parameters](#output\_attachment\_parameters) | SCC profile attachment parameters |
+| <a name="output_id"></a> [id](#output\_id) | SCC profile attachment ID |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/attachment/main.tf

@@ -0,0 +1,67 @@
+##############################################################################
+# Variable validation
+##############################################################################
+
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  validate_attachment_parameters = var.custom_attachment_parameters == null && !var.use_profile_default_parameters ? tobool("A value must be passed for 'custom_attachment_parameters' if 'use_profile_default_parameters' is set to false.") : true
+}
+
+##############################################################################
+# SCC profile attachment
+##############################################################################
+
+data "ibm_scc_profile" "scc_profile" {
+  instance_id = var.scc_instance_id
+  profile_id  = var.profile_id
+}
+
+locals {
+  attachment_parameters = var.use_profile_default_parameters ? data.ibm_scc_profile.scc_profile.default_parameters : var.custom_attachment_parameters
+}
+
+# Create the attachment
+resource "ibm_scc_profile_attachment" "scc_profile_attachment" {
+  profile_id  = var.profile_id
+  instance_id = var.scc_instance_id
+  name        = var.attachment_name
+  description = var.attachment_description
+  # To workaround https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5207 we set schedule to 'daily' here even though 'none' was passed in.
+  # The end result will be the schedule being set to none since the 'status' option below sets that.
+  schedule = var.attachment_schedule == "none" ? "daily" : var.attachment_schedule
+  status   = var.attachment_schedule == "none" ? "disabled" : "enabled"
+
+  dynamic "scope" {
+    for_each = var.scope
+    content {
+      environment = scope.value["environment"]
+      dynamic "properties" {
+        for_each = scope.value["properties"]
+        content {
+          name  = properties.value["name"]
+          value = properties.value["value"]
+        }
+      }
+    }
+  }
+
+  dynamic "attachment_parameters" {
+    for_each = local.attachment_parameters
+    content {
+      parameter_name         = attachment_parameters.value["parameter_name"]
+      parameter_display_name = attachment_parameters.value["parameter_display_name"]
+      parameter_type         = attachment_parameters.value["parameter_type"]
+      parameter_value        = attachment_parameters.value["parameter_default_value"]
+      assessment_type        = attachment_parameters.value["assessment_type"]
+      assessment_id          = attachment_parameters.value["assessment_id"]
+    }
+  }
+
+  notifications {
+    enabled = var.enable_notification
+    controls {
+      failed_control_ids = var.notify_failed_control_ids
+      threshold_limit    = var.notification_threshold_limit
+    }
+  }
+}

modules/attachment/outputs.tf

@@ -0,0 +1,9 @@
+output "id" {
+  description = "SCC profile attachment ID"
+  value       = resource.ibm_scc_profile_attachment.scc_profile_attachment.id
+}
+
+output "attachment_parameters" {
+  description = "SCC profile attachment parameters"
+  value       = resource.ibm_scc_profile_attachment.scc_profile_attachment.attachment_parameters
+}

modules/attachment/variables.tf

@@ -0,0 +1,78 @@
+variable "profile_id" {
+  type        = string
+  description = "ID of the profile you wish to use for the attachment."
+}
+
+variable "scc_instance_id" {
+  type        = string
+  description = "ID of the SCC instance in which to create the attachment."
+}
+
+variable "attachment_name" {
+  type        = string
+  description = "The name to give to SCC profile attachment."
+}
+
+variable "attachment_description" {
+  type        = string
+  description = "The description for the SCC profile attachment."
+}
+
+variable "attachment_schedule" {
+  type        = string
+  description = "The schedule of an attachment. Allowable values are: daily, every_7_days, every_30_days, none."
+  default     = "daily"
+
+  validation {
+    condition     = contains(["daily", "every_7_days", "every_30_days", "none"], var.attachment_schedule)
+    error_message = "Allowed schedule can be - daily, every_7_days, every_30_days, none."
+  }
+}
+
+variable "scope" {
+  description = "The scope to set for the SCC profile attachment."
+  type = list(object({
+    environment = optional(string, "ibm-cloud")
+    properties = list(object({
+      name  = string
+      value = string
+    }))
+  }))
+}
+
+variable "use_profile_default_parameters" {
+  description = "A boolean indicating whether to use the profiles default parameters. If set to false, a value must be passed for the `custum_attachment_parameters` input variable."
+  type        = bool
+  default     = true
+}
+
+variable "custom_attachment_parameters" {
+  description = "A list of custom attachement parameters to use. Only used if 'use_profile_default_parameters' is set to false."
+  type = list(object({
+    parameter_name          = string
+    parameter_display_name  = string
+    parameter_type          = string
+    parameter_default_value = string
+    assessment_type         = string
+    assessment_id           = string
+  }))
+  default = null
+}
+
+variable "enable_notification" {
+  type        = bool
+  description = "To enable notifications."
+  default     = false
+}
+
+variable "notify_failed_control_ids" {
+  type        = list(string)
+  description = "A list of control IDs to send notifcations for when they fail."
+  default     = []
+}
+
+variable "notification_threshold_limit" {
+  type        = number
+  description = "The threshold limit for notifications."
+  default     = 14
+}

modules/attachment/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0, <1.7.0"
+
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">=1.63.0, <2.0.0"
+    }
+  }
+}

outputs.tf

@@ -1,16 +1,22 @@
 output "id" {
   description = "The id of the SCC instance created by this module"
   value       = resource.ibm_resource_instance.scc_instance.id
+  # Don't return the SCC ID until it has been configred with COS, as it can't be used until COS integration complete
+  depends_on = [ibm_scc_instance_settings.scc_instance_settings]
 }
 
 output "guid" {
   description = "The GUID of the SCC instance created by this module"
   value       = resource.ibm_resource_instance.scc_instance.guid
+  # Don't return the SCC GUI until it has been configred with COS, as it can't be used until COS integration complete
+  depends_on = [ibm_scc_instance_settings.scc_instance_settings]
 }
 
 output "crn" {
   description = "The CRN of the SCC instance created by this module"
   value       = resource.ibm_resource_instance.scc_instance.crn
+  # Don't return the SCC GUI until it has been configred with COS, as it can't be used until COS integration complete
+  depends_on = [ibm_scc_instance_settings.scc_instance_settings]
 }
 
 output "name" {