Release notes for the Essential Security and Observability Services deployable architecture

Use these release notes to learn about the latest updates to the Essential Security and Observability Services deployable architecture. The entries are grouped by date.

June 2025

17 June 2025

Version 3.0.0 of the Essential Security and Observability Services deployable architecture is available

The Essential Security and Observability Services deployable architecture version 3.0.0 is released.

  • Migration to Security and Compliance Center Workload Protection for Cloud Security Posture Management
    • The solution no longer provisions an instance of the Security and Compliance Center service. That service is deprecated, and new instances cannot be provisioned after 17 July 2025.
    • The solution now provisions a new App Configuration instance and a new Security and Compliance Center Workload Protection instance with Cloud Security Posture Management (CSPM) enabled by default.
    • If you are upgrading from a previous version of the solution, the member named 4a - Security and Compliance Center remains in the stack so that you can decide when to delete the Security and Compliance Center instance and its associated Object Storage bucket. Be aware that this member also contains a Security and Compliance Center Workload Protection instance that does not have CSPM enabled. It is safe to delete, because the new instance that the solution now creates is used going forward.
    • For more information, see Security and Compliance Center transition.
  • The service-to-service authorization that allows the ATracker service to write to Object Storage is now scoped to the exact Object Storage bucket.
    • If you are upgrading from an older version, the old authorization policy is deleted and a new one is created. The new policy is created before the old one is deleted so that day-to-day operations are not disrupted.

April 2025

3 April 2025

Version 2.2.0 of the Essential Security and Observability Services deployable architecture is available

The Essential Security and Observability Services deployable architecture version 2.2.0 is released.

  • When you upgrade, all deployable architecture stack members are updated to their latest versions.
  • Updates to the way the Secrets Manager IAM credentials engine is managed:
    • The input secret_manager_iam_engine_enabled has changed. The UI now shows the option Disable Secrets Manager IAM credentials engine auth policy creation?. Its default value is false, so the Secrets Manager IAM credentials engine is enabled by default. Note that the sense of this input is the inverse of the previous secret_manager_iam_engine_enabled variable, whose default of false left the engine disabled.
    • The engine is now enabled through service-to-service authorization policies that:
      • grant the Secrets Manager instance the 'Operator' role on the IAM identity service
      • grant the Secrets Manager instance the 'Groups Service Member Manage' role on the IAM groups service
    • If you are upgrading from a previous release in which you set secret_manager_iam_engine_enabled to true, the service ID and its API key are deleted. This is expected: they are no longer needed because the new service-to-service authorization policies replace them.
  • The service authorization policy that the Secrets Manager member creates to let the instance read its encryption key from the Key Protect service now grants access only to the exact encryption key that is in use. Previously, the policy granted Reader access to the whole Key Protect instance. If you are upgrading from an older version, the old authorization policy is deleted and a new one is created. The new policy is created before the old one is deleted so that day-to-day operations are not disrupted.
  • The Security and Compliance Center deployable architecture now creates a service authorization policy that grants the Security and Compliance Center instance Event Source Manager access to the Event Notifications instance.
  • Observability updates:
    • The enable_platform_logs_metrics input has been split into 2 separate inputs:
      • enable_platform_metrics: To enable platform metrics on the Cloud Monitoring instance that is provisioned
      • logs_routing_tenant_regions: To define a list of regions you want platform logs routed from into the Cloud Logs instance
    • Metrics routing is now enabled by default:
      • A new target is set up that points to the Cloud Monitoring instance that is provisioned
      • A new route is set up to route metrics to the new target
      • The primary metrics region will be set to the same region that the Cloud Monitoring instance was provisioned to
      • The default receiver will be set to the Cloud Monitoring instance that is provisioned
    • The service authorization policy between Cloud Logs and Event Notifications now also grants the Viewer role. Previously it granted only the Event Source Manager role.

November 2024

18 November 2024

Essential Security and Observability Services deployable architecture version 2.1.0

The Essential Security and Observability Services deployable architecture version 2.1.0 is now available with the following changes.

Due to the deprecation and subsequent replacement of functionality in the Observability architecture, you must be currently using version 1.5.0 or higher to upgrade to this version.

  • When you upgrade, all deployable architecture stack members are updated to their latest versions.
  • The Security and Compliance Center deployable architecture now handles a backend change that caused the following error when the integration with Event Notifications was configured:
    Error setting event_notifications: Invalid address to set: []string{"event_notifications", "0", "source_description"}
  • All of the deployable architecture stack members (except the Observability member, because of this provider bug) now use the IBM Cloud regional private endpoint or global private endpoint by default, with the regional private endpoint taking precedence. To reach a private endpoint from an IBM Cloud resource, your account must be VRF-enabled. You can override this and revert to public endpoints by editing each deployable architecture stack member and changing the value of the provider_visibility input.

4 November 2024

Essential Security and Observability Services deployable architecture version 2.0.0

The Essential Security and Observability Services deployable architecture version 2.0.0 is now available with the following changes.

Due to the deprecation and subsequent replacement of functionality in the Observability architecture, you must be currently using version 1.5.0 to upgrade to this version.

  • IBM Cloud Logs is now used to manage logging within the solution and is configured in the Event Notifications architecture by default.
  • The authorization policies that are created as part of the Observability, Event Notifications, and Security and Compliance Center deployments now allow the Cloud Object Storage service to read only the specific encryption key that it uses from the Key Protect service. Previously, the policy allowed read access to the whole Key Protect instance. When the architecture is updated from a previous version, the old authorization policy is deleted automatically after the new one is created, so day-to-day workflows are not disrupted.
  • The Cloud Object Storage bucket that is created during the Event Notifications deployment is updated to prevent the Monitoring instance from being explicitly passed to it. The bucket metrics are still monitored, but they are forwarded to the instance that is associated with the container's location unless otherwise specified in the Metrics Router service configuration.
  • An update in place is done on the key management service key ring that is created by the included architectures as the force_delete option is deprecated by the service. There is no impact to any of the included services.
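Several entries above (the 3.0.0 bucket-scoped ATracker policy, the 2.2.0 Secrets Manager, Event Notifications and Key Protect policies, and the 2.0.0 Cloud Object Storage to Key Protect policy) all come down to one property: each service-to-service authorization should grant only the roles the notes list, pinned to the exact instance or resource. The following script is an added example and is not code from the deployable architecture. It audits a list of authorization policies in the shape returned by the IAM Policy Management v1 API (GET /v1/policies?account_id=...&type=authorization) against the policy set the notes describe and reports anything missing, under-privileged or scoped too broadly. The sample policies, the service names (atracker, kms, iam-groups, compliance, logs) and the role display names are constructed assumptions for the example.

```python
"""Audit IBM Cloud service-to-service authorization policies for least-privilege scope.

Added example, not code from the deployable architecture. Input is the JSON list
returned by the IAM Policy Management v1 API; sample data below is constructed,
and the service names and role display names are assumptions.
"""
from dataclasses import dataclass

SCOPE_SERVICE, SCOPE_INSTANCE, SCOPE_RESOURCE = "service", "instance", "resource"
_RANK = {SCOPE_SERVICE: 0, SCOPE_INSTANCE: 1, SCOPE_RESOURCE: 2}


@dataclass(frozen=True)
class Expected:
    source: str        # subject serviceName (the calling service)
    target: str        # resource serviceName (the service being accessed)
    roles: frozenset   # role display names that must all be granted
    scope: str         # narrowest scope the policy must at least reach


def _attrs(block):
    """Flatten an IAM attributes list into a name -> value dict."""
    return {a["name"]: a["value"] for a in block.get("attributes", [])}


def scope_of(policy):
    """Classify a v1 authorization policy by how tightly its target is pinned.

    A 'resource' attribute (bucket name, key ID) pins one object, a
    'serviceInstance' attribute pins one instance, and anything else
    covers every instance of the target service in the account.
    """
    attrs = _attrs(policy["resources"][0])
    if "resource" in attrs:
        return SCOPE_RESOURCE
    if "serviceInstance" in attrs:
        return SCOPE_INSTANCE
    return SCOPE_SERVICE


def roles_of(policy):
    return frozenset(r["display_name"] for r in policy.get("roles", []))


def find_gaps(policies, expected):
    """Return one finding string per Expected entry that no policy satisfies."""
    findings = []
    for exp in expected:
        candidates = [
            p for p in policies
            if p.get("type") == "authorization"
            and _attrs(p["subjects"][0]).get("serviceName") == exp.source
            and _attrs(p["resources"][0]).get("serviceName") == exp.target
        ]
        if not candidates:
            findings.append(f"missing: {exp.source} -> {exp.target}")
            continue
        if any(exp.roles <= roles_of(p) and _RANK[scope_of(p)] >= _RANK[exp.scope]
               for p in candidates):
            continue
        p = candidates[0]
        findings.append(
            f"weak: {exp.source} -> {exp.target} grants {sorted(roles_of(p))} at "
            f"{scope_of(p)} scope; need {sorted(exp.roles)} at {exp.scope} scope"
        )
    return findings


def _policy(source, target, roles, **target_attrs):
    """Build a constructed, v1-shaped authorization policy for the sample data."""
    return {
        "type": "authorization",
        "subjects": [{"attributes": [{"name": "serviceName", "value": source}]}],
        "roles": [{"display_name": r} for r in roles],
        "resources": [{"attributes": [{"name": "serviceName", "value": target}]
                       + [{"name": k, "value": v} for k, v in target_attrs.items()]}],
    }


# Constructed sample: an account part-way through an upgrade.
SAMPLE_POLICIES = [
    _policy("atracker", "cloud-object-storage", ["Object Writer"],
            serviceInstance="cos-guid-1", resourceType="bucket", resource="audit-events-bucket"),
    _policy("secrets-manager", "kms", ["Reader"], serviceInstance="kp-guid-1"),  # whole instance, pre-2.2.0
    _policy("secrets-manager", "iam-identity", ["Operator"]),
    _policy("logs", "event-notifications", ["Event Source Manager"], serviceInstance="en-guid-1"),
    _policy("compliance", "event-notifications", ["Event Source Manager"], serviceInstance="en-guid-1"),
]

# The policy set the release notes describe, with the roles and scope they state.
EXPECTED = [
    Expected("atracker", "cloud-object-storage", frozenset({"Object Writer"}), SCOPE_RESOURCE),
    Expected("secrets-manager", "kms", frozenset({"Reader"}), SCOPE_RESOURCE),
    Expected("secrets-manager", "iam-identity", frozenset({"Operator"}), SCOPE_SERVICE),
    Expected("secrets-manager", "iam-groups", frozenset({"Groups Service Member Manage"}), SCOPE_SERVICE),
    Expected("compliance", "event-notifications", frozenset({"Event Source Manager"}), SCOPE_INSTANCE),
    Expected("logs", "event-notifications", frozenset({"Event Source Manager", "Viewer"}), SCOPE_INSTANCE),
]


def audit():
    return find_gaps(SAMPLE_POLICIES, EXPECTED)


if __name__ == "__main__":
    for line in audit() or ["no gaps found"]:
        print(line)
```

Run against the sample, the audit reports three gaps: the Key Protect policy is still instance-wide, the IAM groups policy is missing, and the Cloud Logs policy lacks the Viewer role. To use it on a real account, replace SAMPLE_POLICIES with the `policies` array from the API response; if you are mid-upgrade you should expect to briefly see both the old and the new policy for the same source and target, which is the create-before-delete behaviour the notes describe.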

October 2024

11 October 2024

Version 1.5.0 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.5.0 is now available with the following changes.

  • All deployable architectures are updated to use the latest version.

  • The Event Notifications integration is not enabled for this version.

  • The Observability architecture now deploys IBM Cloud Logs and an activity tracking target is configured. An additional route is set up for events to be sent to both a Cloud Object Storage bucket for long term storage and to the Cloud Logs service so that they can be easily viewed.

  • Due to the deprecation and subsequent replacement of technology in the Observability architecture, log archiving is now disabled. The Cloud Object Storage bucket that was created by previous versions of this architecture will be destroyed by default. If you'd like to keep the bucket and want to keep managing it through the Observability architecture, you can use the following steps to prevent deletion.

    1. In the IBM Cloud console, click the Navigation menu icon > Projects.
    2. Click the project with the stacked deployable architecture that you want to update.
    3. Click the Configurations tab.
    4. Update the version to 1.5.0 but do not proceed to validate or deploy yet.
    5. In the row for the member configuration named 2 - Observability, click the Options icon and select Edit.
    6. Click the Optional tab in the Configure section.
    7. Find the manage_log_archive_cos_bucket input variable and change the value to true.
    8. Click Save.
    9. Follow the steps in Step 3. Validate and deploy the architecture to validate and deploy all deployable architectures in the stack.

September 2024

6 September 2024

Version 1.4.1 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.4.1 is now available with the following changes.

  • When you upgrade, all deployable architecture members are updated to their latest versions.

  • Adds the existing_en_instance_crn input variable to specify an existing Event Notifications instance.

  • Fixes an issue deploying the 4a - Security and Compliance Center member with the profile attachment.

    If you received the CreateAttachmentWithContext failed error in version 1.3.1 and you removed the attachment as a workaround, follow these steps to add back the profile attachment:

    1. Upgrade to version 1.4.1 or later.

    2. In the IBM Cloud console, click the Navigation menu icon > Projects.

    3. Click the project with the stacked deployable architecture that you want to update.

    4. Click the Configurations tab.

    5. In the row for the member configuration named 4a - Security and Compliance Center, click the Options icon and select Edit.

    6. Click the Optional tab in the Configure section.

    7. Find the profile_attachments input variable and click the Edit icon.

    8. Replace the empty list in the array with the following profile name:

       [
       	"IBM Cloud Framework for Financial Services"
       ]
      
    9. Click Save.

    10. Follow the steps in Step 3. Validate and deploy the architecture to validate and deploy the updated deployable architecture.

August 2024

2 August 2024

Version 1.3.1 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.3.1 is now available with the following changes.

  • To support the use of existing_secrets_manager_crn, the Essential Security and Observability Services deployable architecture now uses version 1.17.1 of the Secrets Manager architecture.
  • The input variable secret_manager_iam_engine_enabled is added to configure credentials for the Secrets Manager IAM credentials engine. The default value is false.

July 2024

29 July 2024

Version 1.2.1 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.2.1 is now available with the following changes.

  • When you upgrade, all deployable architecture members are updated to their latest versions.
  • A new existing_kms_instance_crn input variable adds support for using an existing key management service instance. By default, a new Key Protect instance is created.
  • Fixes an issue in which activity tracking was not enabled for IBM Cloud Object Storage buckets. Object Storage buckets that are created by the deployable architecture now have activity tracking enabled by default, and existing buckets are updated when you upgrade to this version.
  • Fixes an issue in which the Event Notifications member created Object Storage destinations instead of Object Storage integrations that are needed to store failed events. When you upgrade, these destinations are destroyed.

1 July 2024

Version 1.1.1 of the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture version 1.1.1 is now available with the following updates.

  • A destination and topic are created in the Event Notifications instance that is deployed for Secrets Manager. Email subscriptions are also configured for the new destination and topic from the list of emails that is passed in the en_email_list input.

  • The attachment that is created by the Security and Compliance Center deployment now uses the CIS IBM Cloud Foundations Benchmark v1.1.0 profile, because the previous version of the profile is deprecated.

    You must update the profile attachment input value in the 4a - Security and Compliance Center member configuration to CIS IBM Cloud Foundations Benchmark v1.1.0 when you update.

June 2024

24 June 2024

Introducing the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture is released. The deployable architecture deploys the following: Key Protect, Secrets Manager, Security and Compliance Center, and IBM Cloud Security and Compliance Center Workload Protection. The deployable architecture also deploys Event Notifications and Observability.

For more information about using deployable architectures with projects, see the blog posts Projects and Cost Estimation: How IBM Cloud is Revolutionizing Complex Workloads for Enterprises and Turn Your Terraform Templates into Deployable Architectures.