https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection-agent

A module that supports deploying the Security and Compliance Center Workload Protection agent
# Security and Compliance Center Workload Protection Agent module

[![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-scc-workload-protection-agent?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection-agent/releases/latest)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
[![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)

A module for provisioning an [IBM Cloud Security and Compliance Center Workload Protection agent](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started). The module uses the [sysdig-deploy charts](https://github.com/sysdiglabs/charts/tree/master/charts/sysdig-deploy), which deploy the following components into your cluster:
- Agent
- Node Analyzer
- KSPM Collector

## Overview
* [terraform-ibm-scc-workload-protection-agent](#terraform-ibm-scc-workload-protection-agent)
* [Examples](./examples)
    * [Basic example](./examples/basic)
    * [Secure private example](./examples/secure)
* [Contributing](#contributing)

## terraform-ibm-scc-workload-protection-agent

### Prerequisite
A [Security and Compliance Center Workload Protection instance](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started#getting-started-step2) must be provisioned beforehand. The instance can be deployed with the [terraform-ibm-scc-workload-protection](https://github.com/terraform-ibm-modules/terraform-ibm-scc-workload-protection) module.

### Usage

```hcl
module "scc_wp_agent" {
  source        = "terraform-ibm-modules/scc-workload-protection-agent/ibm"
  version       = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  access_key    = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX" # Workload Protection instance access key (placeholder)
  cluster_name  = "example-cluster-name"
  region        = "example-region"
  endpoint_type = "public"
  name          = "example-name"
}
```
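The snippet above hard-codes the instance access key and selects the public endpoint. The following is an added example, not part of the module's README, showing the same call with the key passed as a sensitive input variable and the private endpoint (the module default) selected; the variable names are assumptions.

```hcl
# Added example; variable names are assumptions, not part of the module.
# The instance access key is a credential: declare it sensitive so it is
# redacted from plan/apply output, and supply it from the environment
# (TF_VAR_scc_wp_access_key) rather than committing it to source.
variable "scc_wp_access_key" {
  type      = string
  sensitive = true
}

variable "cluster_name" {
  type = string
}

variable "region" {
  type        = string
  description = "Region where the Workload Protection instance is created."
}

module "scc_wp_agent" {
  source  = "terraform-ibm-modules/scc-workload-protection-agent/ibm"
  version = "X.X.X" # Pin to a release so the agent chart version cannot drift

  access_key   = var.scc_wp_access_key
  cluster_name = var.cluster_name
  region       = var.region
  name         = "scc-wp-agent"
  namespace    = "ibm-scc-wp"

  # Keep agent-to-service traffic on the private network instead of "public".
  endpoint_type = "private"

  # Explicit resource bounds for the agent (module defaults are 1 CPU / 1024Mi).
  agent_requests_cpu    = "500m"
  agent_requests_memory = "512Mi"
  agent_limits_cpu      = "1"
  agent_limits_memory   = "1024Mi"
}

output "scc_wp_release_name" {
  value = module.scc_wp_agent.name
}
```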

### Required IAM access policies

You need the following permissions to run this module.

- Account Management
- IAM Services
    - **IBM Cloud Security and Compliance Center Workload Protection** service
        - `Editor` platform access
    - **Kubernetes** service
        - `Viewer` platform access
        - `Manager` service access

### Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [helm](#requirement\_helm) | >= 2.8.0, < 3.0.0 |

### Modules

No modules.

### Resources

| Name | Type |
|------|------|
| [helm_release.scc_wp_agent](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [access\_key](#input\_access\_key) | Security and Compliance Workload Protection instance access key. | `string` | n/a | yes |
| [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specifies the CPU limit for the agent. | `string` | `"1"` | no |
| [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specifies the memory limit for the agent. | `string` | `"1024Mi"` | no |
| [agent\_requests\_cpu](#input\_agent\_requests\_cpu) | Specifies the CPU requested to run in a node for the agent. | `string` | `"1"` | no |
| [agent\_requests\_memory](#input\_agent\_requests\_memory) | Specifies the memory requested to run in a node for the agent. | `string` | `"1024Mi"` | no |
| [cluster\_name](#input\_cluster\_name) | Cluster name to add Security and Compliance Workload Protection agent to. | `string` | n/a | yes |
| [cluster\_scanner\_deploy](#input\_cluster\_scanner\_deploy) | Deploy SCC Workload Protection cluster scanner component. | `bool` | `true` | no |
| [cluster\_scanner\_imagesbomextractor\_limits\_cpu](#input\_cluster\_scanner\_imagesbomextractor\_limits\_cpu) | Specifies the CPU limit for the image SBOM Extractor that runs on the cluster scanner. | `string` | `"1"` | no |
| [cluster\_scanner\_imagesbomextractor\_limits\_memory](#input\_cluster\_scanner\_imagesbomextractor\_limits\_memory) | Specifies the memory limit for the image SBOM Extractor that runs on the cluster scanner. | `string` | `"350Mi"` | no |
| [cluster\_scanner\_imagesbomextractor\_requests\_cpu](#input\_cluster\_scanner\_imagesbomextractor\_requests\_cpu) | Specifies the CPU requested to run in a node for the image SBOM Extractor that runs on the cluster scanner. | `string` | `"350m"` | no |
| [cluster\_scanner\_imagesbomextractor\_requests\_memory](#input\_cluster\_scanner\_imagesbomextractor\_requests\_memory) | Specifies the memory requested to run in a node for the image SBOM Extractor that runs on the cluster scanner. | `string` | `"350Mi"` | no |
| [cluster\_scanner\_runtimestatusintegrator\_limits\_cpu](#input\_cluster\_scanner\_runtimestatusintegrator\_limits\_cpu) | Specifies the CPU limit for the runtime status integrator that runs on the cluster scanner. | `string` | `"1"` | no |
| [cluster\_scanner\_runtimestatusintegrator\_limits\_memory](#input\_cluster\_scanner\_runtimestatusintegrator\_limits\_memory) | Specifies the memory limit for the runtime status integrator that runs on the cluster scanner. | `string` | `"350Mi"` | no |
| [cluster\_scanner\_runtimestatusintegrator\_requests\_cpu](#input\_cluster\_scanner\_runtimestatusintegrator\_requests\_cpu) | Specifies the CPU requested to run in a node for the runtime status integrator that runs on the cluster scanner. | `string` | `"350m"` | no |
| [cluster\_scanner\_runtimestatusintegrator\_requests\_memory](#input\_cluster\_scanner\_runtimestatusintegrator\_requests\_memory) | Specifies the memory requested to run in a node for the runtime status integrator that runs on the cluster scanner. | `string` | `"350Mi"` | no |
| [cluster\_shield\_deploy](#input\_cluster\_shield\_deploy) | Deploy the Cluster Shield component. If enabled, the KSPM collector and cluster scanner are not deployed. | `bool` | `false` | no |
| [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
| [endpoint\_type](#input\_endpoint\_type) | Specify the endpoint (public or private) for the IBM Cloud Security and Compliance Center Workload Protection service. | `string` | `"private"` | no |
| [host\_scanner\_deploy](#input\_host\_scanner\_deploy) | Deploy SCC Workload Protection host scanner component. If node\_analyzer\_deploy is false, this component is not deployed. | `bool` | `true` | no |
| [host\_scanner\_limits\_cpu](#input\_host\_scanner\_limits\_cpu) | Specifies the CPU limit for the host scanner that runs on the node analyzer. | `string` | `"500m"` | no |
| [host\_scanner\_limits\_memory](#input\_host\_scanner\_limits\_memory) | Specifies the memory limit for the host scanner that runs on the node analyzer. | `string` | `"1Gi"` | no |
| [host\_scanner\_requests\_cpu](#input\_host\_scanner\_requests\_cpu) | Specifies the CPU requested to run in a node for the host scanner that runs on the node analyzer. | `string` | `"150m"` | no |
| [host\_scanner\_requests\_memory](#input\_host\_scanner\_requests\_memory) | Specifies the memory requested to run in a node for the host scanner that runs on the node analyzer. | `string` | `"512Mi"` | no |
| [kspm\_analyzer\_limits\_cpu](#input\_kspm\_analyzer\_limits\_cpu) | Specifies the CPU limit for the kspm analyzer that runs on the node analyzer. | `string` | `"500m"` | no |
| [kspm\_analyzer\_limits\_memory](#input\_kspm\_analyzer\_limits\_memory) | Specifies the memory limit for the kspm analyzer that runs on the node analyzer. | `string` | `"1536Mi"` | no |
| [kspm\_analyzer\_requests\_cpu](#input\_kspm\_analyzer\_requests\_cpu) | Specifies the CPU requested to run in a node for the kspm analyzer that runs on the node analyzer. | `string` | `"150m"` | no |
| [kspm\_analyzer\_requests\_memory](#input\_kspm\_analyzer\_requests\_memory) | Specifies the memory requested to run in a node for the kspm analyzer that runs on the node analyzer. | `string` | `"256Mi"` | no |
| [kspm\_collector\_limits\_cpu](#input\_kspm\_collector\_limits\_cpu) | Specifies the CPU limit for the kspm collector. | `string` | `"500m"` | no |
| [kspm\_collector\_limits\_memory](#input\_kspm\_collector\_limits\_memory) | Specifies the memory limit for the kspm collector. | `string` | `"1536Mi"` | no |
| [kspm\_collector\_requests\_cpu](#input\_kspm\_collector\_requests\_cpu) | Specifies the CPU requested to run in a node for the kspm collector. | `string` | `"150m"` | no |
| [kspm\_collector\_requests\_memory](#input\_kspm\_collector\_requests\_memory) | Specifies the memory requested to run in a node for the kspm collector. | `string` | `"256Mi"` | no |
| [kspm\_deploy](#input\_kspm\_deploy) | Deploy SCC Workload Protection KSPM component. | `bool` | `true` | no |
| [name](#input\_name) | Helm release name. | `string` | n/a | yes |
| [namespace](#input\_namespace) | Namespace of the Security and Compliance Workload Protection agent. | `string` | `"ibm-scc-wp"` | no |
| [node\_analyzer\_deploy](#input\_node\_analyzer\_deploy) | Deploy SCC Workload Protection node analyzer component. | `bool` | `true` | no |
| [region](#input\_region) | Region where Security and Compliance Workload Protection instance is created. | `string` | n/a | yes |

### Outputs

| Name | Description |
|------|-------------|
| [name](#output\_name) | Helm chart release name. |

## Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).

To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.