terraform-ibm-modules · ocofaigh · Mar 4, 2025 · Feb 20, 2025 · Feb 24, 2025 · Feb 24, 2025
@@ -176,15 +176,28 @@
             },
             {
               "key": "scc_cos_bucket_region",
-              "type": "string",
-              "custom_config": {
-                "config_constraints": {
-                  "generationType": "2"
+              "options": [
+                {
+                  "displayname": "Same region as SCC instance",
+                  "value": "__NULL__"
                 },
-                "grouping": "deployment",
-                "original_grouping": "deployment",
-                "type": "region"
-              }
+                {
+                  "displayname": "Dallas (us-south)",
+                  "value": "us-south"
+                },
+                {
+                  "displayname": "Frankfurt (eu-de)",
+                  "value": "eu-de"
+                },
+                {
+                  "displayname": "Madrid (eu-es)",
+                  "value": "eu-es"
+                },
+                {
+                  "displayname": "Toronto (ca-tor)",
+                  "value": "ca-tor"
+                }
+              ]
             },
             {
               "key": "add_bucket_name_suffix"
@@ -248,7 +261,7 @@
               "key": "existing_monitoring_crn"
             },
             {
-              "key": "skip_scc_cos_auth_policy"
+              "key": "skip_scc_cos_iam_auth_policy"
             },
             {
               "key": "existing_scc_cos_kms_key_crn"
@@ -270,7 +283,7 @@
               ]
             },
             {
-              "key": "skip_cos_kms_auth_policy"
+              "key": "skip_cos_kms_iam_auth_policy"
             },
             {
               "key": "scc_cos_key_ring_name"
@@ -355,7 +368,7 @@
               }
             },
             {
-              "key": "skip_scc_workload_protection_auth_policy"
+              "key": "skip_scc_workload_protection_iam_auth_policy"
             },
             {
               "key": "existing_event_notifications_crn"

@@ -98,9 +98,9 @@ This solution supports provisioning and configuring the following infrastructure
 | <a name="input_scc_workload_protection_instance_tags"></a> [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no |
 | <a name="input_scc_workload_protection_resource_key_tags"></a> [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. | `list(string)` | `[]` | no |
 | <a name="input_scc_workload_protection_service_plan"></a> [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no |
-| <a name="input_skip_cos_kms_auth_policy"></a> [skip\_cos\_kms\_auth\_policy](#input\_skip\_cos\_kms\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Object Storage instance created to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
-| <a name="input_skip_scc_cos_auth_policy"></a> [skip\_scc\_cos\_auth\_policy](#input\_skip\_scc\_cos\_auth\_policy) | Set to `true` to skip creation of an IAM authorization policy that permits the Security and Compliance Center to write to the Object Storage instance created by this solution. Applies only if `existing_scc_instance_crn` is not provided. | `bool` | `false` | no |
-| <a name="input_skip_scc_workload_protection_auth_policy"></a> [skip\_scc\_workload\_protection\_auth\_policy](#input\_skip\_scc\_workload\_protection\_auth\_policy) | Set to `true` to skip creating an IAM authorization policy that permits the Security and Compliance Center instance to read from the Workload Protection instance. Applies only if `provision_scc_workload_protection` is true. | `bool` | `false` | no |
+| <a name="input_skip_cos_kms_iam_auth_policy"></a> [skip\_cos\_kms\_iam\_auth\_policy](#input\_skip\_cos\_kms\_iam\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Object Storage instance created to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
+| <a name="input_skip_scc_cos_iam_auth_policy"></a> [skip\_scc\_cos\_iam\_auth\_policy](#input\_skip\_scc\_cos\_iam\_auth\_policy) | Set to `true` to skip creation of an IAM authorization policy that permits the Security and Compliance Center to write to the Object Storage instance created by this solution. Applies only if `existing_scc_instance_crn` is not provided. | `bool` | `false` | no |
+| <a name="input_skip_scc_workload_protection_iam_auth_policy"></a> [skip\_scc\_workload\_protection\_iam\_auth\_policy](#input\_skip\_scc\_workload\_protection\_iam\_auth\_policy) | Set to `true` to skip creating an IAM authorization policy that permits the Security and Compliance Center instance to read from the Workload Protection instance. Applies only if `provision_scc_workload_protection` is true. | `bool` | `false` | no |
 | <a name="input_use_existing_resource_group"></a> [use\_existing\_resource\_group](#input\_use\_existing\_resource\_group) | Whether to use an existing resource group. | `bool` | `false` | no |
 
 ### Outputs

@@ -10,7 +10,7 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   validate_more_cos_inputs = var.existing_scc_cos_bucket_name != null && var.existing_cos_instance_crn == null ? tobool("A value for 'existing_cos_instance_crn' must be passed if 'existing_scc_cos_bucket_name' is passed in.") : true
   # tflint-ignore: terraform_unused_declarations
-  validate_auth_inputs = !var.skip_scc_cos_auth_policy && var.existing_cos_instance_crn == null && var.existing_scc_cos_bucket_name != null ? tobool("A value must be passed for 'existing_cos_instance_crn' in order to create auth policy.") : true
+  validate_auth_inputs = !var.skip_scc_cos_iam_auth_policy && var.existing_cos_instance_crn == null && var.existing_scc_cos_bucket_name != null ? tobool("A value must be passed for 'existing_cos_instance_crn' in order to create auth policy.") : true
   # tflint-ignore: terraform_unused_declarations
   validate_en_integration = var.existing_event_notifications_crn != null && var.event_notifications_source_name == null ? tobool("When passing a value for 'existing_event_notifications_crn', a value must also be passed for 'event_notifications_source_name'.") : false
 }
@@ -58,7 +58,7 @@ locals {
   scc_cos_key_ring_name                     = try("${local.prefix}-${var.scc_cos_key_ring_name}", var.scc_cos_key_ring_name)
   scc_cos_key_name                          = try("${local.prefix}-${var.scc_cos_key_name}", var.scc_cos_key_name)
   cos_instance_name                         = try("${local.prefix}-${var.cos_instance_name}", var.cos_instance_name)
-  scc_cos_bucket_region                     = var.scc_cos_bucket_region != null ? var.scc_cos_bucket_region : var.scc_region
+  scc_cos_bucket_region                     = var.scc_cos_bucket_region != null && var.scc_cos_bucket_region != "" ? var.scc_cos_bucket_region : var.scc_region
   scc_instance_name                         = try("${local.prefix}-${var.scc_instance_name}", var.scc_instance_name)
   scc_workload_protection_instance_name     = try("${local.prefix}-${var.scc_workload_protection_instance_name}", var.scc_workload_protection_instance_name)
   scc_workload_protection_resource_key_name = try("${local.prefix}-${var.scc_workload_protection_instance_name}-key", "${var.scc_workload_protection_instance_name}-key")
@@ -67,7 +67,7 @@ locals {
   # Final COS bucket name - either passed in or after being created by COS
   scc_cos_bucket_name = var.existing_scc_cos_bucket_name != null ? var.existing_scc_cos_bucket_name : local.create_cross_account_auth_policy ? module.buckets[0].buckets[local.created_scc_cos_bucket_name].bucket_name : module.cos[0].buckets[local.created_scc_cos_bucket_name].bucket_name
 
-  create_cross_account_auth_policy = !var.skip_cos_kms_auth_policy && var.ibmcloud_kms_api_key == null ? false : (data.ibm_iam_account_settings.iam_account_settings.account_id != module.existing_kms_crn_parser[0].account_id)
+  create_cross_account_auth_policy = !var.skip_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key == null ? false : (data.ibm_iam_account_settings.iam_account_settings.account_id != module.existing_kms_crn_parser[0].account_id)
   use_kms_module                   = !(var.existing_scc_cos_kms_key_crn != null || var.existing_scc_cos_bucket_name != null || var.existing_scc_instance_crn != null)
 }
 
@@ -171,7 +171,7 @@ locals {
     kms_encryption_enabled        = true
     kms_guid                      = local.existing_kms_guid
     kms_key_crn                   = local.scc_cos_kms_key_crn
-    skip_iam_authorization_policy = local.create_cross_account_auth_policy || var.skip_cos_kms_auth_policy
+    skip_iam_authorization_policy = local.create_cross_account_auth_policy || var.skip_cos_kms_iam_auth_policy
     management_endpoint_type      = var.management_endpoint_type_for_bucket
     storage_class                 = var.scc_cos_bucket_class
     resource_instance_id          = local.cos_instance_crn
@@ -253,11 +253,11 @@ module "scc" {
   en_instance_crn                   = var.existing_event_notifications_crn
   en_source_name                    = var.event_notifications_source_name
   en_source_description             = var.event_notifications_source_description
-  skip_cos_iam_authorization_policy = var.skip_scc_cos_auth_policy
+  skip_cos_iam_authorization_policy = var.skip_scc_cos_iam_auth_policy
   resource_tags                     = var.scc_instance_tags
   attach_wp_to_scc_instance         = var.provision_scc_workload_protection && var.existing_scc_instance_crn == null
   wp_instance_crn                   = var.provision_scc_workload_protection && var.existing_scc_instance_crn == null ? module.scc_wp[0].crn : null
-  skip_scc_wp_auth_policy           = var.skip_scc_workload_protection_auth_policy
+  skip_scc_wp_auth_policy           = var.skip_scc_workload_protection_iam_auth_policy
   cbr_rules                         = var.scc_instance_cbr_rules
 }
 

@@ -166,7 +166,7 @@ variable "existing_scc_cos_bucket_name" {
   description = "The name of an existing bucket inside the existing Object Storage instance to use for Security and Compliance Center. If not specified, a bucket is created."
 }
 
-variable "skip_cos_kms_auth_policy" {
+variable "skip_cos_kms_iam_auth_policy" {
   type        = bool
   description = "Set to `true` to skip the creation of an IAM authorization policy that permits the Object Storage instance created to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."
   default     = false
@@ -204,7 +204,7 @@ variable "scc_region" {
   description = "The region to provision Security and Compliance Center resources in."
 }
 
-variable "skip_scc_cos_auth_policy" {
+variable "skip_scc_cos_iam_auth_policy" {
   type        = bool
   default     = false
   description = "Set to `true` to skip creation of an IAM authorization policy that permits the Security and Compliance Center to write to the Object Storage instance created by this solution. Applies only if `existing_scc_instance_crn` is not provided."
@@ -245,7 +245,7 @@ variable "scc_instance_tags" {
   default     = []
 }
 
-variable "skip_scc_workload_protection_auth_policy" {
+variable "skip_scc_workload_protection_iam_auth_policy" {
   type        = bool
   default     = false
   description = "Set to `true` to skip creating an IAM authorization policy that permits the Security and Compliance Center instance to read from the Workload Protection instance. Applies only if `provision_scc_workload_protection` is true."