IBM Cloud Docs
Setting up Terraform for Security and Compliance Center

Terraform on IBM Cloud enables predictable and consistent creation of IBM Cloud services, so that you can rapidly build complex, multitier cloud environments that follow Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the creation, update, and deletion of your Security and Compliance Center instances by using HashiCorp Configuration Language (HCL).

Looking for a managed Terraform on IBM Cloud solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with. But you don't need to worry about setting up and maintaining the Terraform command line and the IBM Cloud Provider plug-in. Schematics also provides pre-defined Terraform templates that you can easily install from the IBM Cloud catalog.

Installing Terraform and configuring resources for Security and Compliance Center

Before you can create an authorization by using Terraform, make sure that you completed the following steps:

  • Make sure that you have the required access to create and work with Security and Compliance Center resources.
  • Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
  • Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.
  1. After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.

    terraform init
    
  2. Create a Security and Compliance Center instance by using the ibm_resource_instance resource argument in your main.tf file.

    • The Security and Compliance Center instance in the following example is named security-compliance-us-south and is created with the standard plan in the us-south region. The user@ibm.com is assigned the Administrator role in the IAM access policy. For other supported regions, see Regions and endpoints. Plan options include security-compliance-center-trial-plan and security-compliance-center-standard-plan.

      data "ibm_resource_group" "group" {
        name = "Default"
      }

      resource "ibm_resource_instance" "scc_instance" {
        name              = "security-compliance-us-south"
        service           = "compliance"
        plan              = "security-compliance-center-standard-plan"
        location          = "us-south"
        resource_group_id = data.ibm_resource_group.group.id
      }


      To view a complete list of the supported attributes, see ibm_scc_instance.

    • Optionally, you can bring an existing Security and Compliance Center instance under Terraform management, instead of creating a new one, by running the following import command against the ibm_resource_instance definition from step 2 in your main.tf file. The instance is then recorded in your Terraform state and subsequent plans show only the differences between that state and your configuration.

      terraform import ibm_resource_instance.scc_instance <scc_instance_crn>


    For a complete list of the supported attributes, see ibm_resource_instance.

  3. Before you can manage the settings of your Security and Compliance Center instance, you must establish an authorization between the Security and Compliance Center instance and a Cloud Object Storage bucket. If you choose to receive notifications, you must also create an authorization between Security and Compliance Center and Event Notifications. To add an authorization, add the following example to your main.tf file.

    data "ibm_iam_account_settings" "iam-account" {}

    resource "ibm_iam_authorization_policy" "compliance-center_cos-s2s-access" {
      source_service_name         = "compliance"
      source_resource_instance_id = ibm_resource_instance.scc_instance.guid
      roles                       = ["Writer"]

      resource_attributes {
        name     = "serviceName"
        operator = "stringEquals"
        value    = "cloud-object-storage"
      }

      resource_attributes {
        name     = "accountId"
        operator = "stringEquals"
        value    = data.ibm_iam_account_settings.iam-account.account_id
      }

      depends_on = [
        ibm_resource_instance.scc_instance
      ]
    }

  4. Manage the settings of your Security and Compliance Center instance, such as to configure Event Notifications and Cloud Object Storage, by using the ibm_scc_instance_settings resource argument in your main.tf file.

    resource "ibm_scc_instance_settings" "scc_instance_settings_instance" {
      instance_id = ibm_resource_instance.scc_instance.guid
      event_notifications {
        instance_crn = "<event_notifications_crn>"
      }
      object_storage {
        instance_crn = "<cloud_object_storage_crn>"
        bucket       = "<cloud_object_storage_bucket>"
      }
    }


    If you don't plan to configure Event Notifications, keep the event_notifications block but leave it empty by removing the instance_crn field, as shown in the following snippet:

    event_notifications {
    }


    For a complete list of the supported attributes, see ibm_scc_instance_settings.

  5. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan

    2. Run terraform apply to create the resources that are defined in the plan.

      terraform apply

  6. Define local values for your Security and Compliance Center instance to be used when you are creating resources.

    locals {
      # References the instance that step 2 declares as ibm_resource_instance.scc_instance
      instance_id = ibm_resource_instance.scc_instance.guid
    }

  7. From the IBM Cloud resource list in the UI, select the Security and Compliance Center instance that you created and note the instance ID.

  8. Verify that the access policy is successfully assigned. For more information, see Reviewing assigned access in the console.
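The authorizations from step 3 and the settings from step 4 combined in one file, as an added example that is not part of the original page. It assumes the ibm_resource_instance.scc_instance from step 2 is declared in the same main.tf, that the Cloud Object Storage and Event Notifications instances already exist and their CRNs and GUIDs are supplied as variables, and that "Event Source Manager" is the role name for the Event Notifications authorization; unlike the snippet in step 3, it scopes the Cloud Object Storage authorization to one instance rather than every instance in the account.

```hcl
# Added example, not the docs page's own code: the authorizations and settings
# from steps 3 and 4 in one file. Assumes the instance from step 2 is declared
# in the same main.tf; the COS and Event Notifications CRNs and GUIDs are
# constructed inputs passed at apply time (for example with -var or a .tfvars file).
variable "cos_instance_crn" { type = string }
variable "cos_instance_guid" { type = string }
variable "cos_bucket" { type = string }
variable "en_instance_crn" { type = string }
variable "en_instance_guid" { type = string }

# Authorization to Cloud Object Storage, scoped to one COS instance instead of
# every COS instance in the account (least privilege).
resource "ibm_iam_authorization_policy" "scc_to_cos" {
  source_service_name         = "compliance"
  source_resource_instance_id = ibm_resource_instance.scc_instance.guid
  target_service_name         = "cloud-object-storage"
  target_resource_instance_id = var.cos_instance_guid
  roles                       = ["Writer"]
}

# Authorization to Event Notifications. The "Event Source Manager" role name is
# an assumption; confirm it against the Event Notifications documentation.
resource "ibm_iam_authorization_policy" "scc_to_en" {
  source_service_name         = "compliance"
  source_resource_instance_id = ibm_resource_instance.scc_instance.guid
  target_service_name         = "event-notifications"
  target_resource_instance_id = var.en_instance_guid
  roles                       = ["Event Source Manager"]
}

# Settings are created only after both authorizations exist, so the first
# apply does not fail while the policies are still propagating.
resource "ibm_scc_instance_settings" "scc_instance_settings_instance" {
  instance_id = ibm_resource_instance.scc_instance.guid
  event_notifications {
    instance_crn = var.en_instance_crn
  }
  object_storage {
    instance_crn = var.cos_instance_crn
    bucket       = var.cos_bucket
  }
  depends_on = [
    ibm_iam_authorization_policy.scc_to_cos,
    ibm_iam_authorization_policy.scc_to_en,
  ]
}
```

Run terraform plan after adding this file and confirm that the plan shows exactly two authorization policies and one settings resource before you apply.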

What's next?

Now that you successfully created your first Security and Compliance Center service instance with Terraform on IBM Cloud, you can scan your resources on a recurring schedule by creating an attachment. For more information about attachments, see Scanning your resources.

You can also review how to manage your Security and Compliance Center resources by following the Terraform steps that are included in the How to section. For example, you can follow the directions on how to create custom libraries by using Terraform.