1 change: 1 addition & 0 deletions .catalog-onboard-pipeline.yaml
@@ -5,6 +5,7 @@ offerings:
kind: solution
catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
offering_id: b0a00765-ee91-4c2a-87fc-df46dbc58cdb
include_git_submodules: true # Including submodules in the tar package to avoid SHA validation errors during Ansible playbook execution.
variations:
- name: fully-configurable
mark_ready: true
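Review bot: Setting `include_git_submodules: true` means the tar package the catalog publishes now carries the submodule contents, so the submodule commit references in this repository become part of the shipped artifact; the inline comment explains the SHA-validation motivation, but it would be worth adding (here or in the README the offering points to) that submodule bumps therefore need the same review as direct dependency changes, so the fix does not quietly widen what gets packaged.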
2 changes: 1 addition & 1 deletion ibm_catalog.json
@@ -24,7 +24,7 @@
],
"provider_name": "IBM",
"short_description": "Deploys an agent to monitor metrics and security data on an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster",
"long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:<li>Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)</li><li>Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).</li><h1>Key considerations</h1><li>Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.</li><li>You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud Monitoring</li><li>You can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. 
This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.</li><li>Both instances must be in the same region.</li><li>You can connect only one Monitoring instance to one Workload Protection instance.</li><li>Connections can only be established between two new instances or between one new and one existing instance.<br><br>This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
"long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:<li>Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)</li><li>Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).</li><h1>Key considerations</h1><li>Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.</li><li>You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud Monitoring</li><li>You can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. 
This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.</li><li>Both instances must be in the same region.</li><li>You can connect only one Monitoring instance to one Workload Protection instance.</li><li>Connections can only be established between two new instances or between one new and one existing instance.</li><li>Once deployment is complete, a post-deployment action runs to apply user tags to the cluster.</li><br><br>This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/main/images/monitoring-icon.svg",
"support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in the repository [https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues). Please note this product is not supported via the IBM Cloud Support Center.",
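Review bot: The new bullet "Once deployment is complete, a post-deployment action runs to apply user tags to the cluster" should say which tags are written (the playbook in this PR attaches a `monitoring-instance:` or `workload-protection-instance:` tag plus `mwp-workspace:`) and that the action needs permission to attach tags to the cluster resource, otherwise a consumer cannot tell what the automation changes on their cluster or why a tagging step might fail. Moving the closing `</li>` before `<br><br>` also fixes the list item the previous description left unclosed, which is worth calling out in the PR description.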
@@ -0,0 +1,63 @@
- name: post deploy playbook
hosts: localhost
tasks:
- name: get running ansible env variables
set_fact:
workspace_id: "{{ lookup('env', 'workspace_id') }}"
ibmcloud_api_key: "{{ lookup('env', 'ibmcloud_api_key')}}" # pragma: allowlist secret
cluster_id: "{{ lookup('env', 'cluster_id') }}"
access_key: "{{ lookup('env', 'access_key') }}"
existing_access_key_secret_name: "{{ lookup('env', 'existing_access_key_secret_name') }}"
use_scc_wp_endpoint: "{{ lookup('env', 'use_scc_wp_endpoint') }}"
instance_region: "{{ lookup('env', 'instance_region') }}"
- name: Creating script
copy:
dest: "script.sh"
content: |
#!/bin/bash

workspace_id="{{ workspace_id }}"
ibmcloud_api_key="{{ ibmcloud_api_key }}" # pragma: allowlist secret
cluster_id="{{ cluster_id }}"
access_key="{{ access_key }}"
existing_access_key_secret_name="{{ existing_access_key_secret_name }}"
use_scc_wp_endpoint="{{ use_scc_wp_endpoint }}"
instance_region="{{ instance_region }}"

attempts=1
# Expects the environment variable $IBMCLOUD_API_KEY to be set
until ibmcloud login --apikey "$ibmcloud_api_key" -q --no-region || [ $attempts -ge 3 ]; do
attempts=$((attempts+1))
echo "Error logging in to IBM Cloud CLI..." >&2
sleep 5
done

if [[ -n "$access_key" && "$use_scc_wp_endpoint" = "true" ]]; then
input=$(ibmcloud resource service-keys -o json | jq -r --arg endpoint "$instance_region.security-compliance-secure.cloud.ibm.com" --arg access_key "$access_key" '.[] | select((.credentials."Sysdig Access Key" == $access_key) and (.credentials."Sysdig Collector Endpoint" | contains($endpoint))).source_crn')
elif [[ -n "$access_key" && "$use_scc_wp_endpoint" = "false" ]]; then
input=$(ibmcloud resource service-keys -o json | jq -r --arg endpoint "$instance_region.monitoring.cloud.ibm.com" --arg access_key "$access_key" '.[] | select((.credentials."Sysdig Access Key" == $access_key) and (.credentials."Sysdig Collector Endpoint" | contains($endpoint))).source_crn')
elif [ -n "$existing_access_key_secret_name" ]; then
input=$(ibmcloud resource service-key "$existing_access_key_secret_name" -o json | jq -r --arg name "$existing_access_key_secret_name" '.[] | select(.name == $name).source_crn')
fi

if [ -n "$input" ]; then
tmp_instance="${input%%::}"
instance_id="${tmp_instance##*:}"
tmp_type="${input#*:*:*:*:}"
resource_type="${tmp_type%%:*}"
fi

if [[ -n "$instance_id" && "$resource_type" = "sysdig-monitor" ]]; then
ibmcloud resource tag-attach --resource-id "$(ibmcloud resource service-instance "$cluster_id" --crn -q)" --tag-names "monitoring-instance:$instance_id,mwp-workspace:$workspace_id"
fi

if [[ -n "$instance_id" && "$resource_type" = "sysdig-secure" ]]; then
ibmcloud resource tag-attach --resource-id "$(ibmcloud resource service-instance "$cluster_id" --crn -q)" --tag-names "workload-protection-instance:$instance_id,mwp-workspace:$workspace_id"
fi

- name: Run the script
ansible.builtin.script:
cmd: ./script.sh
register: move_list
changed_when: false
ignore_errors: yes
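Review bot: The `copy` task renders the API key into `script.sh` on disk in plaintext (`ibmcloud_api_key="{{ ibmcloud_api_key }}"`) with no `mode:` on the file and no `no_log: true` on either the `set_fact` or the `copy` task, so the key can land in the working directory with default permissions and in Ansible's task output; since `lookup('env', 'ibmcloud_api_key')` shows the key is already in the environment, have the script read it from there instead of templating it in, set `mode: "0700"` on the file, and add `no_log: true` to both tasks. The comment `# Expects the environment variable $IBMCLOUD_API_KEY to be set` is stale, as the login uses `--apikey "$ibmcloud_api_key"`. The login loop falls through after three failed attempts and the script keeps running (no `set -e` and no exit), and on the run task `ignore_errors: yes` together with `changed_when: false` means a failed `tag-attach` is reported as neither failed nor changed; exit non-zero when login fails and derive `changed_when` from the result so tagging failures surface. Minor: `register: move_list` is a misleading name for the script result.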