IBM Cloud Docs
Setting up Terraform for Security and Compliance Center

Setting up Terraform for Security and Compliance Center

Terraform on IBM Cloud enables predictable and consistent creation of IBM Cloud services, so that you can rapidly build complex, multitier cloud environments that follow Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the creation, update, and deletion of your Security and Compliance Center instances by using HashiCorp Configuration Language (HCL).

Looking for a managed Terraform on IBM Cloud solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with. But you don't need to worry about setting up and maintaining the Terraform command line and the IBM Cloud Provider plug-in. Schematics also provides pre-defined Terraform templates that you can easily install from the IBM Cloud catalog.

Installing Terraform and configuring resources for Security and Compliance Center

Before you can create an authorization by using Terraform, make sure that you completed the following steps:

  • Make sure that you have the required access to create and work with Security and Compliance Center resources.
  • Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
  • Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.
  1. After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.

    terraform init
    
  2. Create a Security and Compliance Center instance by using the ibm_resource_instance resource argument in your main.tf file.

    • The Security and Compliance Center instance in the following example is named security-compliance-us-south and is created with the standard plan in the us-south region. The user@ibm.com is assigned the Administrator role in the IAM access policy. For other supported regions, see Regions and endpoints. Plan options include security-compliance-center-trial-plan and security-compliance-center-standard-plan.

      data "ibm_resource_group" "group" {
      name = "Default"
      }
      
      resource "ibm_resource_instance" "scc_instance" {
      name              = "security-compliance-us-south"
      service           = "compliance"
      plan              = "security-compliance-center-standard-plan"
      location          = "us-south"
      resource_group_id = data.ibm_resource_group.group.id
      }
      

      To view a complete list of the supported attributes, see ibm_scc_instance.

    • Optionally, you can create a data source to retrieve information about an existing Security and Compliance Center instance from IBM Cloud by running the following command with the example from step 2 in your main.tf file.

      terraform import ibm_resource_instance.scc_instance <scc_instance_crn>
      
      

    For a complete list of the supported attributes, see ibm_resource_instance.

  3. Before you can manage the settings of your Security and Compliance Center instance, you must establish an authorization between the Security and Compliance Center instance and a Cloud Object Storage bucket. If you choose to receive notifications, you must also create an authorization between Security and Compliance Center and Event Notifications. To add an authorization, add the following example to your main.tf file.

    data "ibm_iam_account_settings" "iam-account" {}
    
    resource "ibm_iam_authorization_policy" "compliance-center_cos-s2s-access" {
    source_service_name         = "compliance"
    source_resource_instance_id = ibm_resource_instance.scc_instance.guid
    roles                       = ["Writer"]
    
    resource_attributes {
        name     = "serviceName"
        operator = "stringEquals"
        value    = "cloud-object-storage"
    }
    
    resource_attributes {
        name     = "accountId"
        operator = "stringEquals"
        value    = data.ibm_iam_account_settings.iam-account.account_id
    }
    
    depends_on = [
        ibm_resource_instance.scc_instance
    ]
    }   
    
  4. Manage the settings of your Security and Compliance Center instance, such as to configure Event Notifications and Cloud Object Storage, by using the ibm_scc_instance_settings resource argument in your main.tf file.

    resource "ibm_scc_instance_settings" "scc_instance_settings_instance" {
        instance_id = ibm_resource_instance.scc_instance.guid
        event_notifications {
            instance_crn = "<event_notifications_crn>"
        }
        object_storage {
                instance_crn = "<cloud_object_storage_crn>"
                bucket = "<cloud_object_storage_bucket>"
        }
    }
    

    If you don't plan to configure Event Notifications, you must keep the event_notifications parameter and remove the instance_crn field as shown in the following snippet:

    event_notifications {
    
    }
    

    For a complete list of the supported attributes, see ibm_scc_instance_settings.

  5. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan
      
    2. Run terraform apply to create the resources that are defined in the plan.

    terraform apply
    
  6. Define local values for your Security and Compliance Center instance to be used when you are creating resources.

    locals {
        instance_id = resource.ibm_resource_instance.scc_resource_instance.guid
    }
    
  7. From the IBM Cloud resource list in the UI, select the Security and Compliance Center instance that you created and note the instance ID.

  8. Verify that the access policy is successfully assigned. For more information, see Reviewing assigned access in the console.

What's next?

Now that you successfully created your first Security and Compliance Center service instance with Terraform on IBM Cloud, you can scan your resources on a recurring schedule by creating an attachment. For more information about attachments, see Creating an attachment.

You can also review how to manage your Security and Compliance Center resources by following the Terraform steps that are included in the How to section. For example, you can follow the directions on how to create custom libraries by using Terraform.