Release notes for the Essential Security and Observability Services deployable architecture
Use these release notes to learn about the latest updates to the Essential Security and Observability Services deployable architecture. The entries are grouped by date.
June 2025
17 June 2025
- Version 3.0.0 of the Essential Security and Observability Services deployable architecture is available

The Essential Security and Observability Services deployable architecture version 3.0.0 is released.
- Migration to Security and Compliance Center Workload Protection for Cloud Security Posture Management
  - This solution no longer provisions an instance of the Security and Compliance Center service, because that service is deprecated and new instances cannot be provisioned after 17 July 2025.
  - The solution now provisions a new instance of App Configuration and Security and Compliance Center Workload Protection with Cloud Security Posture Management (CSPM) enabled by default.
  - If you are upgrading from a previous version of the solution, you will continue to see the member named `4a - Security and Compliance Center`, so that you can decide when to delete the Security and Compliance Center instance and its associated Object Storage bucket. Be aware that this configuration also includes an instance of Security and Compliance Center Workload Protection. That instance is not enabled with Cloud Security Posture Management (CSPM) and is safe to delete, because the new instance that the solution now creates is used going forward.
  - For more information, see Security and Compliance Center transition.
- The service to service authorization that allows the ATracker service to write to Object Storage has been updated so that the policy is scoped to the exact Object Storage bucket.
  - If you are upgrading from an older version, you will see the old authorization policy deleted and a new one created. The new one is created before the old one is deleted, to prevent any disruption to everyday services.
April 2025
3 April 2025
- Version 2.2.0 of the Essential Security and Observability Services deployable architecture is available

The Essential Security and Observability Services deployable architecture version 2.2.0 is released.
- When you upgrade, all deployable architecture stack members are updated to their latest versions.
- Updates to the way the Secrets Manager IAM credentials engine is managed:
  - The input `secret_manager_iam_engine_enabled` has changed. The UI now shows the option "Disable Secrets Manager IAM credentials engine auth policy creation?". The default value is `false`, so the Secrets Manager IAM credentials engine is enabled by default.
  - The enablement of the engine is now handled by service to service authorization policies:
    - One grants the Secrets Manager instance 'Operator' access to the IAM identity service.
    - One grants the Secrets Manager instance 'Groups Service Member Manage' access to the IAM groups service.
  - If you are upgrading from a previous release where you had set `secret_manager_iam_engine_enabled` to `true`, you will see the expected deletion of the service ID and its related API key, because these are no longer needed with the new service to service authorization policies.
- The scope of the service authorization policy that is created in the Secrets Manager member, which allows the instance to read the encryption key from the Key Protect service, has been updated to grant read access only to the exact encryption key that is in use. Previously, the policy granted Reader access to the whole Key Protect instance. If you are upgrading from an older version, you will see the old authorization policy deleted and a new one created. The new one is created before the old one is deleted, to prevent any disruption to everyday services.
- The Security and Compliance Center deployable architecture now creates a service authorization policy that grants the Security and Compliance Center instance `Event Source Manager` access to the Event Notifications instance.
- Observability updates:
  - The `enable_platform_logs_metrics` input has been split into two separate inputs:
    - `enable_platform_metrics`: enables platform metrics on the Cloud Monitoring instance that is provisioned.
    - `logs_routing_tenant_regions`: defines the list of regions from which platform logs are routed into the Cloud Logs instance.
  - Metrics routing is now enabled by default:
    - A new target is set up that points to the Cloud Monitoring instance that is provisioned.
    - A new route is set up to route metrics to the new target.
    - The primary metrics region is set to the same region that the Cloud Monitoring instance was provisioned in.
    - The default receiver is set to the Cloud Monitoring instance that is provisioned.
  - The service authorization policy between Cloud Logs and Event Notifications has been updated to also allow the `Viewer` role. Previously, it had only the `Event Source Manager` role.
November 2024
18 November 2024
- Essential Security and Observability Services deployable architecture version 2.1.0

The Essential Security and Observability Services deployable architecture version 2.1.0 is now available with the following changes.
Due to the deprecation and subsequent replacement of functionality in the Observability architecture, you must currently be using version 1.5.0 or higher to upgrade to this version.
- When you upgrade, all deployable architecture stack members are updated to their latest versions.
- A fix was added to the Security and Compliance Center deployable architecture for a backend change that caused the following error when configuring the integration with Event Notifications:
  Error setting event_notifications: Invalid address to set: []string{"event_notifications", "0", "source_description"}
- All of the deployable architecture stack members (with the exception of the Observability member, due to a provider bug) now use the IBM Cloud regional private endpoint or global private endpoint by default. The regional private endpoint takes precedence. To use the private endpoint from an IBM Cloud resource, you must have a VRF-enabled account. This can be overridden and set back to public by editing each deployable architecture stack member and changing the value of the `provider_visibility` input.
4 November 2024
- Essential Security and Observability Services deployable architecture version 2.0.0

The Essential Security and Observability Services deployable architecture version 2.0.0 is now available with the following changes.
Due to the deprecation and subsequent replacement of functionality in the Observability architecture, you must currently be using version 1.5.0 to upgrade to this version.
- IBM Cloud Logs is now used to manage logging within the solution and is configured in the Event Notifications architecture by default.
- The authorization policies that are created as part of the Observability, Event Notifications, and Security and Compliance Center deployments are updated so that the Cloud Object Storage service can read only the provided encryption key that it uses from the Key Protect service. Previously, the policy allowed read access to the entire Key Protect service. When the architecture is updated from a previous version, the old authorization policy is automatically deleted after the new one is created, so that there are no disruptions to everyday workflows.
- The Cloud Object Storage bucket that is created during the Event Notifications deployment is updated so that the Monitoring instance is no longer explicitly passed to it. The bucket metrics are still monitored, but they are forwarded to the instance that is associated with the container's location unless otherwise specified in the Metrics Router service configuration.
- An in-place update is done on the key management service key ring that is created by the included architectures, because the `force_delete` option is deprecated by the service. There is no impact to any of the included services.
October 2024
11 October 2024
- Version 1.5.0 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.5.0 is now available with the following changes.
- All deployable architectures are updated to use the latest version.
- The Event Notifications integration is not enabled for this version.
- The Observability architecture now deploys IBM Cloud Logs, and an activity tracking target is configured. An additional route is set up so that events are sent both to a Cloud Object Storage bucket for long-term storage and to the Cloud Logs service, where they can be easily viewed.
- Due to the deprecation and subsequent replacement of technology in the Observability architecture, log archiving is now disabled. The Cloud Object Storage bucket that was created by previous versions of this architecture is destroyed by default. If you want to keep the bucket and continue managing it through the Observability architecture, use the following steps to prevent deletion.
  - In the IBM Cloud console, click the Navigation menu icon > Projects.
  - Click the project with the stacked deployable architecture that you want to update.
  - Click the Configurations tab.
  - Update the version to 1.5.0, but do not validate or deploy yet.
  - In the row for the member configuration named `2 - Observability`, click the Options icon and select Edit.
  - Click the Optional tab in the Configure section.
  - Find the `manage_log_archive_cos_bucket` input variable and change the value to `true`.
  - Click Save.
  - Follow the steps in Step 3. Validate and deploy the architecture to validate and deploy all deployable architectures in the stack.
September 2024
6 September 2024
- Version 1.4.1 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.4.1 is now available with the following changes.
- When you upgrade, all deployable architecture members are updated to their latest versions.
- Adds the `existing_en_instance_crn` input variable to specify an existing Event Notifications instance.
- Fixes an issue deploying the `4a - Security and Compliance Center` member with the profile attachment. If you received the `CreateAttachmentWithContext failed` error in version 1.3.1 and you removed the attachment as a workaround, follow these steps to add back the profile attachment:
  - Upgrade to version 1.4.1 or later.
  - In the IBM Cloud console, click the Navigation menu icon > Projects.
  - Click the project with the stacked deployable architecture that you want to update.
  - Click the Configurations tab.
  - In the row for the member configuration named `4a - Security and Compliance Center`, click the Options icon and select Edit.
  - Click the Optional tab in the Configure section.
  - Find the `profile_attachments` input variable and click the Edit icon.
  - Replace the empty list in the array with the following profile name: `[ "IBM Cloud Framework for Financial Services" ]`
  - Click Save.
  - Follow the steps in Step 3. Validate and deploy the architecture to validate and deploy the updated deployable architecture.
August 2024
2 August 2024
- Version 1.3.1 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.3.1 is now available with the following changes.
- To support the use of `existing_secrets_manager_crn`, the Essential Security and Observability Services deployable architecture is now updated to use version 1.17.1 of the Secrets Manager architecture.
- The input variable `secret_manager_iam_engine_enabled` is added to configure credentials for the Secrets Manager IAM credentials engine. The default value is `false`.
July 2024
29 July 2024
- Version 1.2.1 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.2.1 is now available with the following changes.
- When you upgrade, all deployable architecture members are updated to their latest versions.
- A new `existing_kms_instance_crn` input variable adds support for using an existing key management service instance. By default, a new Key Protect instance is created.
- Fixes an issue in which activity tracking was not enabled for IBM Cloud Object Storage buckets. By default, Object Storage buckets that are created by the deployable architecture now have activity tracking enabled. Existing buckets are updated when you upgrade to this version.
- Fixes an issue in which the Event Notifications member created Object Storage destinations instead of the Object Storage integrations that are needed to store failed events. When you upgrade, these destinations are destroyed.
1 July 2024
- Version 1.1.1 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.1.1 is now available with the following updates.
- A destination and topic are created in the Event Notifications instance that is deployed for Secrets Manager. Email subscriptions are also configured for the new destination and topic from the list of emails that is passed in the `en_email_list` input.
- The attachment that is created by the Security and Compliance Center deployment is updated to use the CIS IBM Cloud Foundations v1.1.0 profile, because the previous version is deprecated. You must update the profile attachment input value in the `4a - Security and Compliance Center` member configuration to `CIS IBM Cloud Foundations Benchmark v1.1.0` when you update.
June 2024
24 June 2024
- Introducing the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture is released. The deployable architecture deploys the following: Key Protect, Secrets Manager, Security and Compliance Center, and IBM Cloud Security and Compliance Center Workload Protection. The deployable architecture also deploys Event Notifications and Observability.
For more information about using deployable architectures with projects, see the blog posts Projects and Cost Estimation: How IBM Cloud is Revolutionizing Complex Workloads for Enterprises and Turn Your Terraform Templates into Deployable Architectures.