feat: Migration to Security and Compliance Center Workload Protection for Cloud Security Posture Management (#251)

BREAKING CHANGE: This solution will no longer provision an instance of the Security and Compliance Center service as it has been deprecated and new instances cannot be provisioned after 16th June 2025.

Author: ocofaigh

README.md

@@ -31,7 +31,7 @@ This architecture can help you achieve the following goals:
 - Establish trust: The architecture configures the IBM Cloud account to align with the compliance settings that are defined in the [IBM Cloud for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-about) framework, and the [AI Security Guardrails 2.0](https://cloud.ibm.com/docs/security-compliance?topic=security-compliance-ai-security-change-log) profile.
 - Ensure observability: The architecture provides observability by deploying services such as IBM Log Analysis, IBM Monitoring, IBM Activity Tracker, and log retention through IBM Cloud Object Storage buckets.
 - Implement security: The architecture deploys instances of IBM Key Protect and IBM Secrets Manager.
-- Achieve regulatory compliance: The architecture implements CI, CD, and CC pipelines along with IBM Security Compliance Center (SCC) for secure application lifecycle management.
+- Achieve regulatory compliance: The architecture implements CI, CD, and CC pipelines along with IBM Security Compliance Center Workload Protection for secure application lifecycle management.
 
 ## Before you begin
 

ibm_catalog.json

@@ -5,7 +5,9 @@
 			"name": "Retrieval_Augmented_Generation_Pattern",
 			"product_kind": "solution",
 			"tags": [
+				"solution",
 				"watson",
+				"security",
 				"banking",
 				"ibm_created"
 			],
@@ -25,7 +27,10 @@
 				"secure",
 				"secret manager",
 				"key protect",
-				"scc"
+				"security and compliance center workload protection",
+				"cspm",
+				"config aggregator",
+				"app config"
 			],
 			"short_description": "Automate RAG deployment with supporting IBM Cloud and watsonx services, embed your enterprise data in generative AI solutions.",
 			"long_description": "Utilize data from your enterprise to achieve productivity gains in activities related to question/answer conversations, content search, summarization and generation. RAG can be deployed in multiple configurations and is applicable to various industry use cases and solutions.\n\nThis deployable architecture provides a comprehensive foundation for trust, observability, security, and regulatory compliance by configuring and deploying various services and a sample application for a [RAG pattern](https://cloud.ibm.com/docs/pattern-genai-rag?topic=pattern-genai-rag-genai-pattern), including:\n- Configuring IBM Cloud Account with best practices from [IBM Cloud Framework for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-about)\n- Deploying key and secrets management services for storage and management of encryption keys and secrets\n- Deploying controls for continuous compliance\n- Deploying observability services for application and platform logging and monitoring\n- Deploying a suite of watsonx services to provide generative AI RAG capabilities\n- Deploying content databases for storing vector embeddings of the documents and content search/retrieval\n- Deploying a sample application in a variety of run times including CI/CD/CC pipelines for secure application lifecycle management\n\nThe above configured and deployed services enable a secure and trustworthy deployment of generative AI applications on IBM Cloud.\n\nThe configurations are flexible and be changed to meet the needs for several types of RAG patterns depending on the chosen combination of technologies and services.\n\nThe generative AI RAG pattern services include:\n- [watsonx.ai](https://dataplatform.cloud.ibm.com/docs/content/wsj/getting-started/welcome-main.html?context=wx)\n- [watsonx.data](https://cloud.ibm.com/docs/watsonxdata) (with Milvus)\n- [watsonx.governance](https://dataplatform.cloud.ibm.com/docs/content/svc-welcome/aiopenscale.html?context=wx)\n- [watsonx Assistant](https://cloud.ibm.com/docs/watson-assistant?topic=watson-assistant-welcome-new-assistant)\n- [watsonx Orchestrate](https://www.ibm.com/docs/en/watsonx/watson-orchestrate/current)\n- [Watson Discovery](https://cloud.ibm.com/docs/discovery-data)\n- [Elasticsearch](https://cloud.ibm.com/docs/databases-for-elasticsearch) Enterprise and Platinum edition\n\nThe supporting services include:\n- [Secrets Manager](https://cloud.ibm.com/docs/secrets-manager)\n- [Key Protect](https://cloud.ibm.com/docs/key-protect)\n- [Security and Compliance Center](https://cloud.ibm.com/docs/security-compliance)\n- [Event Notifications](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-getting-started)\n- [Logs](https://cloud.ibm.com/docs/cloud-logs)\n- [Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)\n- [Object Storage](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-getting-started-cloud-object-storage)\n- [Continuous Delivery](https://cloud.ibm.com/docs/ContinuousDelivery) toolchains\n- [Container Registry](https://cloud.ibm.com/docs/Registry)\n\nA [sample RAG application](https://github.com/IBM/gen-ai-rag-watsonx-sample-application) is deployed to [Code Engine](https://cloud.ibm.com/docs/codeengine) or [Red Hat OpenShift](https://cloud.ibm.com/docs/openshift) cluster.\n\nBy leveraging this architecture, you can accelerate your deployment and tailor it to meet your unique business needs and enterprise goals.",
@@ -43,7 +48,7 @@
 				},
 				{
 					"title": "Achieve Regulatory Compliance",
-					"description": "Ensures regulatory compliance by implementing CI/CD/CC pipelines, along with Security and Compliance Center for continuous compliance."
+					"description": "Ensures regulatory compliance by implementing CI/CD/CC pipelines, along with Security and Compliance Center Workload Protection for continuous compliance."
 				},
 				{
 					"title": "Ensure Observability",
@@ -104,7 +109,14 @@
 							"service_name": "kms"
 						},
 						{
-							"service_name": "compliance",
+							"service_name": "sysdig-secure",
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::serviceRole:Manager",
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							]
+						},
+						{
+							"service_name": "apprapp",
 							"role_crns": [
 								"crn:v1:bluemix:public:iam::::serviceRole:Manager",
 								"crn:v1:bluemix:public:iam::::role:Editor"
@@ -306,7 +318,7 @@
 						},
 						{
 							"key": "skip_iam_authorization_policy",
-							"display_name": "Disable Secrets Manager IAM credentials engine auth policy creation?",
+							"display_name": "disable_secrets_manager_iam_credentials_engine",
 							"type": "boolean",
 							"default_value": false,
 							"description": "Whether to skip the creation of the IAM authorization policies required to enable the Secrets Manager IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service.",
@@ -326,6 +338,69 @@
 							"description": "Pass a list of regions to create a tenant that is targeted to the Cloud Logs instance created by this solution. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants.",
 							"required": false
 						},
+						{
+							"key": "app_config_service_plan",
+							"type": "string",
+							"default_value": "basic",
+							"description": "The pricing plan to use for the IBM Cloud App Configuration instance.",
+							"required": false,
+							"options": [
+							  {
+								"displayname": "Basic",
+								"value": "basic"
+							  },
+							  {
+								"displayname": "Standard",
+								"value": "standardv2"
+							  },
+							  {
+								"displayname": "Enterprise",
+								"value": "enterprise"
+							  }
+							]
+						},
+						{
+							"key": "scc_workload_protection_service_plan",
+							"type": "string",
+							"default_value": "graduated-tier",
+							"description": "The pricing plan to use for the IBM Cloud Security and Compliance Center Workload Protection instance.",
+							"required": false,
+							"options": [
+							  {
+								"displayname": "Graduated Tier",
+								"value": "graduated-tier"
+							  },
+							  {
+								"displayname": "Free Trial",
+								"value": "free-trial"
+							  }
+							]
+						},
+						{
+							"key": "enterprise_id",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "If the account is an enterprise account and you want to scan sub-accounts for compliance, this value should be set to the enterprise ID (this is different to the account ID).",
+							"required": false
+						},
+						{
+							"key": "enterprise_account_group_ids_to_assign",
+							"type": "array",
+							"default_value": [
+							  "all"
+							],
+							"description": "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned for compliance. Supports passing the string 'all' in the list to assign to all account groups. Only applies if a value is being passed for `enterprise_id`.",
+							"required": false
+						},
+						{
+							"key": "enterprise_account_ids_to_assign",
+							"type": "array",
+							"default_value": [
+							  "all"
+							],
+							"description": "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if a value is being passed for `enterprise_id`.",
+							"required": false
+						},
 						{
 							"key": "sample_app_git_url",
 							"type": "string",
@@ -475,7 +550,14 @@
 							"service_name": "kms"
 						},
 						{
-							"service_name": "compliance",
+							"service_name": "sysdig-secure",
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::serviceRole:Manager",
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							]
+						},
+						{
+							"service_name": "apprapp",
 							"role_crns": [
 								"crn:v1:bluemix:public:iam::::serviceRole:Manager",
 								"crn:v1:bluemix:public:iam::::role:Editor"
@@ -690,7 +772,7 @@
 						},
 						{
 							"key": "skip_iam_authorization_policy",
-							"display_name": "Disable Secrets Manager IAM credentials engine auth policy creation?",
+							"display_name": "disable_secrets_manager_iam_credentials_engine",
 							"type": "boolean",
 							"default_value": false,
 							"description": "Whether to skip the creation of the IAM authorization policies required to enable the Secrets Manager IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service.",
@@ -710,6 +792,133 @@
 							"description": "Pass a list of regions to create a tenant that is targeted to the Cloud Logs instance created by this solution. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants.",
 							"required": false
 						},
+					    {
+							"key": "app_config_service_plan",
+							"type": "string",
+							"default_value": "basic",
+							"description": "The pricing plan to use for the IBM Cloud App Configuration instance.",
+							"required": false,
+							"options": [
+							  {
+								"displayname": "Basic",
+								"value": "basic"
+							  },
+							  {
+								"displayname": "Standard",
+								"value": "standardv2"
+							  },
+							  {
+								"displayname": "Enterprise",
+								"value": "enterprise"
+							  }
+							]
+						},
+						{
+							"key": "scc_workload_protection_service_plan",
+							"type": "string",
+							"default_value": "graduated-tier",
+							"description": "The pricing plan to use for the IBM Cloud Security and Compliance Center Workload Protection instance.",
+							"required": false,
+							"options": [
+							  {
+								"displayname": "Graduated Tier",
+								"value": "graduated-tier"
+							  },
+							  {
+								"displayname": "Free Trial",
+								"value": "free-trial"
+							  }
+							]
+						},
+						{
+							"key": "enterprise_id",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "If the account is an enterprise account and you want to scan sub-accounts for compliance, this value should be set to the enterprise ID (this is different to the account ID).",
+							"required": false
+						},
+						{
+							"key": "enterprise_account_group_ids_to_assign",
+							"type": "array",
+							"default_value": [
+							  "all"
+							],
+							"description": "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned for compliance. Supports passing the string 'all' in the list to assign to all account groups. Only applies if a value is being passed for `enterprise_id`.",
+							"required": false
+						},
+						{
+							"key": "enterprise_account_ids_to_assign",
+							"type": "array",
+							"default_value": [
+							  "all"
+							],
+							"description": "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if a value is being passed for `enterprise_id`.",
+							"required": false
+						},
+						{
+
+							"key": "app_config_service_plan",
+							"type": "string",
+							"default_value": "basic",
+							"description": "The pricing plan to use for the IBM Cloud App Configuration instance.",
+							"required": false,
+							"options": [
+							  {
+								"displayname": "Basic",
+								"value": "basic"
+							  },
+							  {
+								"displayname": "Standard",
+								"value": "standardv2"
+							  },
+							  {
+								"displayname": "Enterprise",
+								"value": "enterprise"
+							  }
+							]
+						},
+						{
+							"key": "scc_workload_protection_service_plan",
+							"type": "string",
+							"default_value": "graduated-tier",
+							"description": "The pricing plan to use for the IBM Cloud Security and Compliance Center Workload Protection instance.",
+							"required": false,
+							"options": [
+							  {
+								"displayname": "Graduated Tier",
+								"value": "graduated-tier"
+							  },
+							  {
+								"displayname": "Free Trial",
+								"value": "free-trial"
+							  }
+							]
+						},
+						{
+							"key": "enterprise_id",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "If the account is an enterprise account and you want to scan sub-accounts for compliance, this value should be set to the enterprise ID (this is different to the account ID).",
+							"required": false
+						},
+						{
+							"key": "enterprise_account_group_ids_to_assign",
+							"type": "array",
+							"default_value": [
+							  "all"
+							],
+							"description": "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned for compliance. Supports passing the string 'all' in the list to assign to all account groups. Only applies if a value is being passed for `enterprise_id`.",
+							"required": false
+						},
+						{
+							"key": "enterprise_account_ids_to_assign",
+							"type": "array",
+							"default_value": [
+							  "all"
+							],
+							"description": "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if a value is being passed for `enterprise_id`.",
+							"required": false
+						},
 						{
 							"key": "sample_app_git_url",
 							"type": "string",