diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml
index 1bd8ee69..d13760bf 100644
--- a/.catalog-onboard-pipeline.yaml
+++ b/.catalog-onboard-pipeline.yaml
@@ -5,6 +5,7 @@ offerings:
kind: solution
catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
offering_id: b0a00765-ee91-4c2a-87fc-df46dbc58cdb
+ include_git_submodules: true # Including submodules in the tar package to avoid SHA validation errors during Ansible playbook execution.
variations:
- name: fully-configurable
mark_ready: true
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 3e5893fb..ecfde182 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -24,7 +24,7 @@
],
"provider_name": "IBM",
"short_description": "Deploys an agent to monitor metrics and security data on an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster",
- "long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:
Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).Key considerations
Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud MonitoringYou can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.Both instances must be in the same region.You can connect only one Monitoring instance to one Workload Protection instance.Connections can only be established between two new instances or between one new and one existing instance.
This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
+ "long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).Key considerations
Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud MonitoringYou can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.Both instances must be in the same region.You can connect only one Monitoring instance to one Workload Protection instance.Connections can only be established between two new instances or between one new and one existing instance.Once deployment is complete, a post-deployment action runs to apply user tags to the cluster.
This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/main/images/monitoring-icon.svg",
"support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in the repository [https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues). Please note this product is not supported via the IBM Cloud Support Center.",
diff --git a/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml b/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml
new file mode 100644
index 00000000..b7cbe66a
--- /dev/null
+++ b/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml
@@ -0,0 +1,63 @@
+- name: post deploy playbook
+ hosts: localhost
+ tasks:
+ - name: get running ansible env variables
+ set_fact:
+ workspace_id: "{{ lookup('env', 'workspace_id') }}"
+ ibmcloud_api_key: "{{ lookup('env', 'ibmcloud_api_key')}}" # pragma: allowlist secret
+ cluster_id: "{{ lookup('env', 'cluster_id') }}"
+ access_key: "{{ lookup('env', 'access_key') }}"
+ existing_access_key_secret_name: "{{ lookup('env', 'existing_access_key_secret_name') }}"
+ use_scc_wp_endpoint: "{{ lookup('env', 'use_scc_wp_endpoint') }}"
+ instance_region: "{{ lookup('env', 'instance_region') }}"
+ - name: Creating script
+ copy:
+ dest: "script.sh"
+ content: |
+ #!/bin/bash
+
+ workspace_id="{{ workspace_id }}"
+ ibmcloud_api_key="{{ ibmcloud_api_key }}" # pragma: allowlist secret
+ cluster_id="{{ cluster_id }}"
+ access_key="{{ access_key }}"
+ existing_access_key_secret_name="{{ existing_access_key_secret_name }}"
+ use_scc_wp_endpoint="{{ use_scc_wp_endpoint }}"
+ instance_region="{{ instance_region }}"
+
+ attempts=1
+ # Expects the environment variable $IBMCLOUD_API_KEY to be set
+ until ibmcloud login --apikey "$ibmcloud_api_key" -q --no-region || [ $attempts -ge 3 ]; do
+ attempts=$((attempts+1))
+ echo "Error logging in to IBM Cloud CLI..." >&2
+ sleep 5
+ done
+
+ if [[ -n "$access_key" && "$use_scc_wp_endpoint" = "true" ]]; then
+ input=$(ibmcloud resource service-keys -o json | jq -r --arg endpoint "$instance_region.security-compliance-secure.cloud.ibm.com" --arg access_key "$access_key" '.[] | select((.credentials."Sysdig Access Key" == $access_key) and (.credentials."Sysdig Collector Endpoint" | contains($endpoint))).source_crn')
+ elif [[ -n "$access_key" && "$use_scc_wp_endpoint" = "false" ]]; then
+ input=$(ibmcloud resource service-keys -o json | jq -r --arg endpoint "$instance_region.monitoring.cloud.ibm.com" --arg access_key "$access_key" '.[] | select((.credentials."Sysdig Access Key" == $access_key) and (.credentials."Sysdig Collector Endpoint" | contains($endpoint))).source_crn')
+ elif [ -n "$existing_access_key_secret_name" ]; then
+ input=$(ibmcloud resource service-key "$existing_access_key_secret_name" -o json | jq -r --arg name "$existing_access_key_secret_name" '.[] | select(.name == $name).source_crn')
+ fi
+
+ if [ -n "$input" ]; then
+ tmp_instance="${input%%::}"
+ instance_id="${tmp_instance##*:}"
+ tmp_type="${input#*:*:*:*:}"
+ resource_type="${tmp_type%%:*}"
+ fi
+
+ if [[ -n "$instance_id" && "$resource_type" = "sysdig-monitor" ]]; then
+ ibmcloud resource tag-attach --resource-id "$(ibmcloud resource service-instance "$cluster_id" --crn -q)" --tag-names "monitoring-instance:$instance_id,mwp-workspace:$workspace_id"
+ fi
+
+ if [[ -n "$instance_id" && "$resource_type" = "sysdig-secure" ]]; then
+ ibmcloud resource tag-attach --resource-id "$(ibmcloud resource service-instance "$cluster_id" --crn -q)" --tag-names "workload-protection-instance:$instance_id,mwp-workspace:$workspace_id"
+ fi
+
+ - name: Run the script
+ ansible.builtin.script:
+ cmd: ./script.sh
+ register: move_list
+ changed_when: false
+ ignore_errors: yes
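Review bot: The IBM Cloud API key is interpolated into `script.sh` as a literal (`ibmcloud_api_key="{{ ibmcloud_api_key }}"`) and the copy task writes it to the working directory with default permissions and never removes it, so the secret outlives the play on disk and can surface in verbose/diff task output; the script only needs the value at login time, so it could read it from the environment (the comment above the login loop already assumes `$IBMCLOUD_API_KEY` is set), or at minimum the copy task should set `mode: "0600"` and `no_log: true` and a final task should delete the file. The login loop falls through after three failed attempts without exiting, so the `ibmcloud resource` calls then run unauthenticated and, with `ignore_errors: yes` on the task, the failure is silent; adding a post-loop guard such as `ibmcloud target >/dev/null 2>&1 || { echo "IBM Cloud login failed" >&2; exit 1; }` would make the outcome visible. The two `service-keys` queries use `.[] | select(...)`, which can emit more than one `source_crn`; if that happens the parameter expansions that derive `instance_id` and `resource_type` operate on a multi-line string, so taking the first match (`first(.[] | select(...))` in jq) or failing on multiple matches seems safer, though I cannot tell from here whether duplicate keys are possible. Consider also opening the script with `set -euo pipefail` so an empty `$input` or a failed `tag-attach` is not masked.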