feat: Update CBR config to support SCC Workload Protection and App Configuration aggregator (#374)

aatreyee257 · web-flow · commit 4c87346f77bc · 2025-10-23T08:35:07.000+01:00
* incorporated cbr changes

* updated variable names and description
diff --git a/README.md b/README.md
@@ -89,7 +89,7 @@ You need the following permissions to run this module.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_account_settings"></a> [account\_settings](#module\_account\_settings) | terraform-ibm-modules/iam-account-settings/ibm | 2.12.0 |
-| <a name="module_cbr_fscloud"></a> [cbr\_fscloud](#module\_cbr\_fscloud) | terraform-ibm-modules/cbr/ibm//modules/fscloud | 1.32.6 |
+| <a name="module_cbr_fscloud"></a> [cbr\_fscloud](#module\_cbr\_fscloud) | terraform-ibm-modules/cbr/ibm//modules/fscloud | 1.33.5 |
 | <a name="module_existing_resource_group"></a> [existing\_resource\_group](#module\_existing\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.3.0 |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.3.0 |
 | <a name="module_trusted_profile_projects"></a> [trusted\_profile\_projects](#module\_trusted\_profile\_projects) | terraform-ibm-modules/trusted-profile/ibm | 2.3.1 |
@@ -106,6 +106,7 @@ No resources.
 | <a name="input_active_session_timeout"></a> [active\_session\_timeout](#input\_active\_session\_timeout) | Specify how long, in seconds, a user is allowed to work continuously in the account. This variable is ignored when `skip_iam_account_settings` is set to `true`. | `number` | `86400` | no |
 | <a name="input_allowed_ip_addresses"></a> [allowed\_ip\_addresses](#input\_allowed\_ip\_addresses) | List of the IP addresses and subnets that can create IAM tokens for the account. This variable is ignored when `skip_iam_account_settings` is set to `true`. | `list(any)` | `[]` | no |
 | <a name="input_api_creation"></a> [api\_creation](#input\_api\_creation) | When this variable is set to `RESTRICTED`, only users who are assigned the User API key creator role on the IAM Identity Service can create API keys, including the account owner. When set to `NOT_SET`, the previous value for this variable is cleared. Allowed values are `RESTRICTED`, `NOT_RESTRICTED`, or `NOT_SET`. This variable is ignored when `skip_iam_account_settings` is set to `true`. | `string` | `"RESTRICTED"` | no |
+| <a name="input_appconfig_aggregator_service_access"></a> [appconfig\_aggregator\_service\_access](#input\_appconfig\_aggregator\_service\_access) | Set rule for App Configuration to a list of services supported by the configuration aggregator. The default is true. The full list of services can be found [here](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator#ac-list-of-services-configaggregator). However, CBR rules will only be created for the CBR-supported services. Service references in the CBR zone are not supported for databases. | `map(bool)` | <pre>{<br/>  "IAM": true,<br/>  "apprapp": true,<br/>  "atracker": true,<br/>  "cloud-object-storage": true,<br/>  "codeengine": true,<br/>  "container-registry": true,<br/>  "dns-svcs": true,<br/>  "event-notifications": true,<br/>  "globalcatalog-collection": true,<br/>  "hs-crypto": true,<br/>  "is": true,<br/>  "kms": true,<br/>  "logs": true,<br/>  "messagehub": true,<br/>  "schematics": true,<br/>  "secrets-manager": true,<br/>  "sysdig-monitor": true,<br/>  "sysdig-secure": true,<br/>  "transit": true<br/>}</pre> | no |
 | <a name="input_audit_resource_group_name"></a> [audit\_resource\_group\_name](#input\_audit\_resource\_group\_name) | The name of the audit resource group to create. | `string` | `"audit-rg"` | no |
 | <a name="input_cbr_allow_at_to_cos"></a> [cbr\_allow\_at\_to\_cos](#input\_cbr\_allow\_at\_to\_cos) | Set to `true` to allow Activity Tracker Event Routing access to Object Storage. Default is `true` if `provision_cbr` is set to `true`. | `bool` | `true` | no |
 | <a name="input_cbr_allow_block_storage_to_kms"></a> [cbr\_allow\_block\_storage\_to\_kms](#input\_cbr\_allow\_block\_storage\_to\_kms) | Set to `true` to allow Block Storage for VPC access to the key management service. Default is `true` if `provision_cbr` is set to `true`. | `bool` | `true` | no |
@@ -116,6 +117,8 @@ No resources.
 | <a name="input_cbr_allow_is_to_cos"></a> [cbr\_allow\_is\_to\_cos](#input\_cbr\_allow\_is\_to\_cos) | Set to `true` to allow Virtual Private Cloud Infrastructure Services access to Object Storage. Default is `true` if `provision_cbr` is set to `true`. | `bool` | `true` | no |
 | <a name="input_cbr_allow_roks_to_kms"></a> [cbr\_allow\_roks\_to\_kms](#input\_cbr\_allow\_roks\_to\_kms) | Set to `true` to allow Red Hat OpenShift access to the key management service. Default is `true` if `provision_cbr` is set to `true`. | `bool` | `true` | no |
 | <a name="input_cbr_allow_scc_to_cos"></a> [cbr\_allow\_scc\_to\_cos](#input\_cbr\_allow\_scc\_to\_cos) | Set to `true` to allow Security and Compliance Center access to Object Storage. Default is `true` if `provision_cbr` is `true`. | `bool` | `true` | no |
+| <a name="input_cbr_allow_scc_wp_to_appconfig"></a> [cbr\_allow\_scc\_wp\_to\_appconfig](#input\_cbr\_allow\_scc\_wp\_to\_appconfig) | Set to `true` to allow Security and Compliance Center access to App Configuration. Default is `true` if `provision_cbr` is `true`. | `bool` | `true` | no |
+| <a name="input_cbr_allow_scc_wp_to_cloud_monitoring"></a> [cbr\_allow\_scc\_wp\_to\_cloud\_monitoring](#input\_cbr\_allow\_scc\_wp\_to\_cloud\_monitoring) | Set to `true` to allow Security and Compliance Center access to Cloud Monitoring. Default is `true` if `provision_cbr` is `true`. | `bool` | `true` | no |
 | <a name="input_cbr_allow_vpcs_to_container_registry"></a> [cbr\_allow\_vpcs\_to\_container\_registry](#input\_cbr\_allow\_vpcs\_to\_container\_registry) | Set to `true` to allow Virtual Private Clouds access to the Container Registry. Default is `true` if `provision_cbr` is set to `true`. | `bool` | `true` | no |
 | <a name="input_cbr_allow_vpcs_to_cos"></a> [cbr\_allow\_vpcs\_to\_cos](#input\_cbr\_allow\_vpcs\_to\_cos) | Set to `true` to allows Virtual Private Clouds access to Object Storage. Default is `true` if `provision_cbr` is set to `true`. | `bool` | `true` | no |
 | <a name="input_cbr_allow_vpcs_to_iam_access_management"></a> [cbr\_allow\_vpcs\_to\_iam\_access\_management](#input\_cbr\_allow\_vpcs\_to\_iam\_access\_management) | Set to `true` to allow Virtual Private Clouds access to IAM access management. Default is `true` if `provision_cbr` is set to `true`. | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
@@ -188,7 +188,7 @@ module "trusted_profile_projects" {
 module "cbr_fscloud" {
   count                                  = var.provision_cbr ? 1 : 0
   source                                 = "terraform-ibm-modules/cbr/ibm//modules/fscloud"
-  version                                = "1.32.6"
+  version                                = "1.33.5"
   prefix                                 = var.cbr_prefix
   zone_vpc_crn_list                      = []
   allow_cos_to_kms                       = var.cbr_allow_cos_to_kms
@@ -204,6 +204,9 @@ module "cbr_fscloud" {
   allow_scc_to_cos                       = var.cbr_allow_scc_to_cos
   allow_vpcs_to_iam_groups               = var.cbr_allow_vpcs_to_iam_groups
   allow_vpcs_to_iam_access_management    = var.cbr_allow_vpcs_to_iam_access_management
+  allow_scc_wp_to_appconfig              = var.cbr_allow_scc_wp_to_appconfig
+  allow_scc_wp_to_cloud_monitoring       = var.cbr_allow_scc_wp_to_cloud_monitoring
+  appconfig_aggregator_service_access    = var.appconfig_aggregator_service_access
   kms_service_targeted_by_prewired_rules = var.cbr_kms_service_targeted_by_prewired_rules
   target_service_details                 = var.cbr_target_service_details
 }
diff --git a/variables.tf b/variables.tf
@@ -384,3 +384,41 @@ variable "cbr_target_service_details" {
   description = "Details of the target service for which a rule is created. The key is the service name."
   default     = {}
 }
+
+variable "cbr_allow_scc_wp_to_appconfig" {
+  description = "Set to `true` to allow Security and Compliance Center access to App Configuration. Default is `true` if `provision_cbr` is `true`."
+  type        = bool
+  default     = true
+}
+
+variable "cbr_allow_scc_wp_to_cloud_monitoring" {
+  description = "Set to `true` to allow Security and Compliance Center access to Cloud Monitoring. Default is `true` if `provision_cbr` is `true`."
+  type        = bool
+  default     = true
+}
+
+variable "appconfig_aggregator_service_access" {
+  description = "Set rule for App Configuration to a list of services supported by the configuration aggregator. The default is true. The full list of services can be found [here](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator#ac-list-of-services-configaggregator). However, CBR rules will only be created for the CBR-supported services. Service references in the CBR zone are not supported for databases."
+  type        = map(bool)
+  default = {
+    cloud-object-storage     = true
+    is                       = true
+    secrets-manager          = true
+    IAM                      = true
+    kms                      = true
+    container-registry       = true
+    codeengine               = true
+    dns-svcs                 = true
+    messagehub               = true
+    transit                  = true
+    schematics               = true
+    sysdig-monitor           = true
+    sysdig-secure            = true
+    hs-crypto                = true
+    apprapp                  = true
+    globalcatalog-collection = true
+    event-notifications      = true
+    atracker                 = true
+    logs                     = true
+  }
+}
