Adding cluster shield

README.md

@@ -131,6 +131,7 @@ No modules.
 | <a name="input_cluster_scanner_runtimestatusintegrator_limits_memory"></a> [cluster\_scanner\_runtimestatusintegrator\_limits\_memory](#input\_cluster\_scanner\_runtimestatusintegrator\_limits\_memory) | Specifies the memory limit for the runtime status integrator that runs on the cluster scanner. | `string` | `"350Mi"` | no |
 | <a name="input_cluster_scanner_runtimestatusintegrator_requests_cpu"></a> [cluster\_scanner\_runtimestatusintegrator\_requests\_cpu](#input\_cluster\_scanner\_runtimestatusintegrator\_requests\_cpu) | Specifies the CPU requested to run in a node for the runtime status integrator that runs on the cluster scanner. | `string` | `"350m"` | no |
 | <a name="input_cluster_scanner_runtimestatusintegrator_requests_memory"></a> [cluster\_scanner\_runtimestatusintegrator\_requests\_memory](#input\_cluster\_scanner\_runtimestatusintegrator\_requests\_memory) | Specifies the memory requested to run in a node for the runtime status integrator that runs on the cluster scanner. | `string` | `"350Mi"` | no |
+| <a name="input_cluster_shield_deploy"></a> [cluster\_shield\_deploy](#input\_cluster\_shield\_deploy) | Deploy Cluster Shield component. If enabled, kspm collector and cluster scanner will not be enabled. | `bool` | `false` | no |
 | <a name="input_deployment_tag"></a> [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | Specify the endpoint (public or private) for the IBM Cloud Security and Compliance Center Workload Protection service. | `string` | `"private"` | no |
 | <a name="input_host_scanner_deploy"></a> [host\_scanner\_deploy](#input\_host\_scanner\_deploy) | Deploy SCC Workload Protection host scanner component. If node\_analyzer\_deploy false, this component will not be deployed. | `bool` | `true` | no |

examples/basic/main.tf

@@ -174,12 +174,16 @@ resource "time_sleep" "wait_operators" {
 ##############################################################################
 
 module "scc_wp_agent" {
-  source       = "../.."
-  depends_on   = [time_sleep.wait_operators]
-  cluster_name = (!var.is_vpc_cluster ? ibm_container_cluster.cluster[0].name : (var.is_openshift ? module.ocp_base[0].cluster_name : ibm_container_vpc_cluster.cluster[0].name))
-  access_key   = module.scc_wp.access_key
-  region       = var.region
-  name         = "${var.prefix}-scc-wp-agent"
+  source                 = "../.."
+  depends_on             = [time_sleep.wait_operators]
+  cluster_name           = (!var.is_vpc_cluster ? ibm_container_cluster.cluster[0].name : (var.is_openshift ? module.ocp_base[0].cluster_name : ibm_container_vpc_cluster.cluster[0].name))
+  access_key             = module.scc_wp.access_key
+  region                 = var.region
+  name                   = var.prefix
+  cluster_scanner_deploy = var.cluster_scanner_deploy
+  kspm_deploy            = var.kspm_deploy
+  cluster_shield_deploy  = var.cluster_shield_deploy
+
 }
 
 ##############################################################################

examples/basic/variables.tf

@@ -54,4 +54,22 @@ variable "datacenter" {
   default     = "syd01"
 }
 
+variable "cluster_scanner_deploy" {
+  type        = bool
+  description = "Deploy SCC Workload Protection cluster scanner component."
+  default     = true
+}
+
+variable "kspm_deploy" {
+  type        = bool
+  description = "Deploy SCC Workload Protection KSPM component."
+  default     = true
+}
+
+variable "cluster_shield_deploy" {
+  type        = bool
+  description = "Deploy Cluster Shield component. If enabled, kspm collector and cluster scanner will not be enabled."
+  default     = false
+}
+
 ##############################################################################

ibm_catalog.json

@@ -154,6 +154,9 @@
               {
                 "key": "cluster_scanner_deploy"
               },
+              {
+                "key": "cluster_shield_deploy"
+              },
               {
                 "key": "cluster_endpoint_type",
                 "options": [

main.tf

@@ -22,8 +22,14 @@ locals {
   sbom_extractor_image_tag_digest            = "0.10.0@sha256:59543aa19bcdea4973f3d70351b8e1df60c5de998eb829c143a9f9deaed10a7b" # datasource: icr.io/ext/sysdig/image-sbom-extractor
   runtime_status_integrator_image_repo       = "runtime-status-integrator"
   runtime_status_integrator_image_tag_digest = "0.10.0@sha256:524cadd672c276c04845081c6fff4999c37f860a60117821c60d173b9d50a0ab" # datasource: icr.io/ext/sysdig/runtime-status-integrator
+  cluster_shield_image_repo                  = "cluster-shield"
+  cluster_shield_image_tag_digest            = "1.5.0@sha256:d803dfe16afad5a364dfa424c78c2e724f0b55b8648b87edb078854c84a5aa29" # datasource: icr.io/ext/sysdig/cluster-shield
   image_registry                             = "icr.io"
   image_namespace                            = "ext/sysdig"
+
+  # input variable validation
+  # tflint-ignore: terraform_unused_declarations
+  validate_cluster_shield = var.cluster_shield_deploy && (var.cluster_scanner_deploy || var.kspm_deploy) ? tobool("var.kspm_deploy or var.cluster_scanner_deploy cannot be enabled if var.cluster_shield_deploy is true") : true
 }
 
 resource "helm_release" "scc_wp_agent" {
@@ -122,6 +128,11 @@ resource "helm_release" "scc_wp_agent" {
     value = local.api_endpoint
   }
 
+  set {
+    name  = "kspmCollector.enabled"
+    value = var.kspm_deploy && !var.cluster_shield_deploy # Only enable kspm collector if cluster shield not enabled
+  }
+
   set {
     name  = "kspmCollector.apiEndpoint"
     type  = "string"
@@ -130,7 +141,7 @@ resource "helm_release" "scc_wp_agent" {
 
   set {
     name  = "clusterScanner.enabled"
-    value = var.cluster_scanner_deploy
+    value = var.cluster_scanner_deploy && !var.cluster_shield_deploy # Only enable cluster scanner if cluster shield not enabled
   }
 
   set {
@@ -383,4 +394,51 @@ resource "helm_release" "scc_wp_agent" {
     value = var.cluster_scanner_imagesbomextractor_limits_memory
   }
 
+  set {
+    name  = "clusterShield.enabled"
+    value = var.cluster_shield_deploy
+  }
+
+  set {
+    name  = "clusterShield.image.repository"
+    value = local.cluster_shield_image_repo
+  }
+
+  set {
+    name  = "clusterShield.image.tag"
+    value = local.cluster_shield_image_tag_digest
+  }
+
+  set {
+    name  = "clusterShield.cluster_shield.sysdig_endpoint.region"
+    type  = "string"
+    value = "custom"
+  }
+
+  set {
+    name  = "clusterShield.cluster_shield.log_level"
+    type  = "string"
+    value = "info"
+  }
+
+  set {
+    name  = "clusterShield.cluster_shield.features.admission_control.enabled"
+    value = true
+  }
+
+  set {
+    name  = "clusterShield.cluster_shield.features.container_vulnerability_management.enabled"
+    value = true
+  }
+
+  set {
+    name  = "clusterShield.cluster_shield.features.audit.enabled"
+    value = true
+  }
+
+  set {
+    name  = "clusterShield.cluster_shield.features.posture.enabled"
+    value = true
+  }
+
 }

solutions/standard/main.tf

@@ -15,6 +15,7 @@ module "scc_wp_agent" {
   node_analyzer_deploy   = var.node_analyzer_deploy
   host_scanner_deploy    = var.host_scanner_deploy
   cluster_scanner_deploy = var.cluster_scanner_deploy
+  cluster_shield_deploy  = var.cluster_shield_deploy
 
   agent_requests_cpu                                      = var.agent_requests_cpu
   agent_requests_memory                                   = var.agent_requests_memory

solutions/standard/variables.tf

@@ -94,6 +94,11 @@ variable "cluster_scanner_deploy" {
   default     = true
 }
 
+variable "cluster_shield_deploy" {
+  type        = bool
+  description = "Deploy Cluster Shield component. If enabled, kspm collector and cluster scanner will not be enabled."
+  default     = false
+}
 
 variable "cluster_endpoint_type" {
   type        = string

tests/pr_test.go

@@ -119,6 +119,9 @@ func TestRunBasicAgentsVPCKubernetes(t *testing.T) {
 
 	options := setupOptions(t, "scc-wp-a-vpc-k8s", basicExampleDir)
 	options.TerraformVars["is_openshift"] = false
+	options.TerraformVars["cluster_shield_deploy"] = true
+	options.TerraformVars["kspm_deploy"] = false
+	options.TerraformVars["cluster_scanner_deploy"] = false
 
 	output, err := options.RunTestConsistency()
 	assert.Nil(t, err, "This should not have errored")

variables.tf

@@ -69,6 +69,12 @@ variable "deployment_tag" {
   default     = "terraform"
 }
 
+variable "cluster_shield_deploy" {
+  type        = bool
+  description = "Deploy Cluster Shield component. If enabled, kspm collector and cluster scanner will not be enabled."
+  default     = false
+}
+
 ########################################################################################################################
 # Resource Management Variables
 ########################################################################################################################