Skip to content

A module that supports deploying the Security and Compliance Center Workload Protection agent

License

Notifications You must be signed in to change notification settings

terraform-ibm-modules/terraform-ibm-scc-workload-protection-agent

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Security and Compliance Center Workload Protection Agent module

Stable (With quality checks) latest release pre-commit Renovate enabled semantic-release

A module for provisioning an IBM Cloud Security and Compliance Center Workload Protection agent. The module uses sysdig-deploy charts which deploys the following components into your cluster:

  • Agent
  • Node Analyzer
  • KSPM Collector

Overview

terraform-ibm-scc-workload-protection-agent

Prerequisite

Security and Compliance Center Workload Protection Instance must be provision beforehand. Instance can be deployed with terraform-ibm-scc-workload-protection module.

Usage

module "scc_wp_agent {
    source             = "terraform-ibm-modules/scc-workload-protection-agent/ibm"
    version            = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
    access_key         = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
    cluster_name       = "example-cluster-name"
    region             = "example-region"
    endpoint_type      = "public"
    name               = "example-name"
}

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • IAM Services
      • IBM Cloud Security and Compliance Center Workload Protection service
        • Editor platform access
    • Kubernetes service
      • Viewer platform access
      • Manager service access

Requirements

Name Version
terraform >= 1.3.0
helm >= 2.8.0, < 3.0.0

Modules

No modules.

Resources

Name Type
helm_release.scc_wp_agent resource

Inputs

Name Description Type Default Required
access_key Security and Compliance Workload Protection instance access key. string n/a yes
agent_limits_cpu Specifies the CPU limit for the agent. string "1" no
agent_limits_memory Specifies the memory limit for the agent. string "1024Mi" no
agent_requests_cpu Specifies the CPU requested to run in a node for the agent. string "1" no
agent_requests_memory Specifies the memory requested to run in a node for the agent. string "1024Mi" no
cluster_name Cluster name to add Security and Compliance Workload Protection agent to. string n/a yes
cluster_scanner_deploy Deploy SCC Workload Protection cluster scanner component. bool true no
cluster_scanner_imagesbomextractor_limits_cpu Specifies the CPU limit for the image SBOM Extractor that runs on the cluster scanner. string "1" no
cluster_scanner_imagesbomextractor_limits_memory Specifies the memory limit for the image SBOM Extractor that runs on the cluster scanner. string "350Mi" no
cluster_scanner_imagesbomextractor_requests_cpu Specifies the CPU requested to run in a node for the image SBOM Extractor that runs on the cluster scanner. string "350m" no
cluster_scanner_imagesbomextractor_requests_memory Specifies the memory requested to run in a node for the image SBOM Extractor that runs on the cluster scanner. string "350Mi" no
cluster_scanner_runtimestatusintegrator_limits_cpu Specifies the CPU limit for the runtime status integrator that runs on the cluster scanner. string "1" no
cluster_scanner_runtimestatusintegrator_limits_memory Specifies the memory limit for the runtime status integrator that runs on the cluster scanner. string "350Mi" no
cluster_scanner_runtimestatusintegrator_requests_cpu Specifies the CPU requested to run in a node for the runtime status integrator that runs on the cluster scanner. string "350m" no
cluster_scanner_runtimestatusintegrator_requests_memory Specifies the memory requested to run in a node for the runtime status integrator that runs on the cluster scanner. string "350Mi" no
cluster_shield_deploy Deploy Cluster Shield component. If enabled, kspm collector and cluster scanner will not be enabled. bool false no
deployment_tag Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). string "terraform" no
endpoint_type Specify the endpoint (public or private) for the IBM Cloud Security and Compliance Center Workload Protection service. string "private" no
host_scanner_deploy Deploy SCC Workload Protection host scanner component. If node_analyzer_deploy false, this component will not be deployed. bool true no
host_scanner_limits_cpu Specifies the CPU limit for the host scanner that runs on the node analyzer. string "500m" no
host_scanner_limits_memory Specifies the memory limit for the host scanner that runs on the node analyzer. string "1Gi" no
host_scanner_requests_cpu Specifies the CPU requested to run in a node for the host scanner that runs on the node analyzer. string "150m" no
host_scanner_requests_memory Specifies the memory requested to run in a node for the host scanner that runs on the node analyzer. string "512Mi" no
kspm_analyzer_limits_cpu Specifies the CPU limit for the kspm analyzer that runs on the node analyzer. string "500m" no
kspm_analyzer_limits_memory Specifies the memory limit for the kspm analyzer that runs on the node analyzer. string "1536Mi" no
kspm_analyzer_requests_cpu Specifies the CPU requested to run in a node for the kspm analyzer that runs on the node analyzer. string "150m" no
kspm_analyzer_requests_memory Specifies the memory requested to run in a node for the kspm analyzer that runs on the node analyzer. string "256Mi" no
kspm_collector_limits_cpu Specifies the CPU limit for the kspm collector. string "500m" no
kspm_collector_limits_memory Specifies the memory limit for the kspm collector. string "1536Mi" no
kspm_collector_requests_cpu Specifies the CPU requested to run in a node for the kspm collector. string "150m" no
kspm_collector_requests_memory Specifies the memory requested to run in a node for the kspm collector. string "256Mi" no
kspm_deploy Deploy SCC Workload Protection KSPM component. bool true no
name Helm release name. string n/a yes
namespace Namespace of the Security and Compliance Workload Protection agent. string "ibm-scc-wp" no
node_analyzer_deploy Deploy SCC Workload Protection node analyzer component. bool true no
region Region where Security and Compliance Workload Protection instance is created. string n/a yes

Outputs

Name Description
name Helm chart release name.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.