From a6e5a9857e546e1b5da48ffb833725c0f238a2c4 Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Fri, 12 Sep 2025 13:16:51 +0530 Subject: [PATCH 1/4] feat: add support to tag cluster --- .catalog-onboard-pipeline.yaml | 1 + .../scripts/deploy-post-ansible-playbook.yaml | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index 1bd8ee69..5dc0be2f 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -5,6 +5,7 @@ offerings: kind: solution catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd offering_id: b0a00765-ee91-4c2a-87fc-df46dbc58cdb + include_git_submodules: true variations: - name: fully-configurable mark_ready: true diff --git a/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml b/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml new file mode 100644 index 00000000..34b918c8 --- /dev/null +++ b/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml 
@@ -0,0 +1,51 @@ +- name: post deploy playbook + hosts: localhost + tasks: + - name: get running ansible env variables + set_fact: + workspace_id: "{{ lookup('env', 'workspace_id') }}" + ibmcloud_api_key: "{{ lookup('env', 'ibmcloud_api_key')}}" # pragma: allowlist secret + cluster_id: "{{ lookup('env', 'cluster_id') }}" + access_key: "{{ lookup('env', 'access_key') }}" + existing_access_key_secret_name: "{{ lookup('env', 'existing_access_key_secret_name') }}" + cluster_resource_group_id: "{{ lookup('env', 'cluster_resource_group_id') }}" + - name: Creating script + copy: + dest: "script.sh" + content: | + #!/bin/bash + + workspace_id="{{ workspace_id }}" + ibmcloud_api_key="{{ ibmcloud_api_key }}" # pragma: allowlist secret + cluster_id="{{ cluster_id }}" + access_key="{{ access_key }}" + existing_access_key_secret_name="{{ existing_access_key_secret_name }}" + + attempts=1 + # Expects the environment variable $IBMCLOUD_API_KEY to be set + until ibmcloud login --apikey "$ibmcloud_api_key" -q --no-region || [ $attempts -ge 3 ]; do + attempts=$((attempts+1)) + echo "Error logging in to IBM Cloud CLI..." 
>&2 + sleep 5 + done + + if [ -n "$access_key" ]; then + input=$(ibmcloud resource service-keys -o json | jq -r --arg access_key "$access_key" '.[] | select(.credentials."Sysdig Access Key" == $access_key).source_crn') + tmp="${input%%::}" + instance_id="${tmp##*:}" + elif [ -n "$existing_access_key_secret_name" ]; then + input=$(ibmcloud resource service-key "$existing_access_key_secret_name" -o json | jq -r --arg name "$existing_access_key_secret_name" '.[] | select(.name == $name).source_crn') + tmp="${input%%::}" + instance_id="${tmp##*:}" + fi + + if [ -n "$instance_id" ]; then + ibmcloud resource tag-attach --resource-id "$(ibmcloud resource service-instance "$cluster_id" --crn -q)" --tag-names "monitoring-instance:$instance_id,mwp-workspace:$workspace_id" + fi + + - name: Run the script + ansible.builtin.script: + cmd: ./script.sh + register: move_list + changed_when: false + ignore_errors: yes From c57e061b781d721f7a043fda42a32b9c4cf833e4 Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Tue, 16 Sep 2025 10:01:54 +0530 Subject: [PATCH 2/4] update --- .catalog-onboard-pipeline.yaml | 2 +- .../scripts/deploy-post-ansible-playbook.yaml | 28 +++++++++++++------ 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index 5dc0be2f..d13760bf 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -5,7 +5,7 @@ offerings: kind: solution catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd offering_id: b0a00765-ee91-4c2a-87fc-df46dbc58cdb - include_git_submodules: true + include_git_submodules: true # Including submodules in the tar package to avoid SHA validation errors during Ansible playbook execution. variations: - name: fully-configurable mark_ready: true diff --git a/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml b/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml index 34b918c8..b7cbe66a 100644 
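Review bot: The `Creating script` task renders `ibmcloud_api_key` into `script.sh` on disk via `copy` with no `mode:` set, so the API key ends up in a file with default permissions that is never removed after the run. Every input is already read with `lookup('env', ...)`, so the script could read `$ibmcloud_api_key` from its own environment (or a task-level `environment:` block) instead of having the value templated in; at minimum add `mode: "0600"` to the copy task and a follow-up task that deletes the file. `ignore_errors: yes` together with `changed_when: false` means a failed login or `tag-attach` is reported as an unchanged, successful task; if failure is meant to be tolerated, write `ignore_errors: true` and surface `move_list.stderr` in a debug task so the failure is visible. The comment `# Expects the environment variable $IBMCLOUD_API_KEY to be set` is stale, since the loop uses the templated `$ibmcloud_api_key`, and `$attempts` should be quoted inside the `[ ... ]` test.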
--- a/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml +++ b/solutions/fully-configurable/scripts/deploy-post-ansible-playbook.yaml @@ -8,7 +8,8 @@ cluster_id: "{{ lookup('env', 'cluster_id') }}" access_key: "{{ lookup('env', 'access_key') }}" existing_access_key_secret_name: "{{ lookup('env', 'existing_access_key_secret_name') }}" - cluster_resource_group_id: "{{ lookup('env', 'cluster_resource_group_id') }}" + use_scc_wp_endpoint: "{{ lookup('env', 'use_scc_wp_endpoint') }}" + instance_region: "{{ lookup('env', 'instance_region') }}" - name: Creating script copy: dest: "script.sh" @@ -20,6 +21,8 @@ cluster_id="{{ cluster_id }}" access_key="{{ access_key }}" existing_access_key_secret_name="{{ existing_access_key_secret_name }}" + use_scc_wp_endpoint="{{ use_scc_wp_endpoint }}" + instance_region="{{ instance_region }}" attempts=1 # Expects the environment variable $IBMCLOUD_API_KEY to be set 
@@ -29,20 +32,29 @@ sleep 5 done - if [ -n "$access_key" ]; then - input=$(ibmcloud resource service-keys -o json | jq -r --arg access_key "$access_key" '.[] | select(.credentials."Sysdig Access Key" == $access_key).source_crn') - tmp="${input%%::}" - instance_id="${tmp##*:}" + if [[ -n "$access_key" && "$use_scc_wp_endpoint" = "true" ]]; then + input=$(ibmcloud resource service-keys -o json | jq -r --arg endpoint "$instance_region.security-compliance-secure.cloud.ibm.com" --arg access_key "$access_key" '.[] | select((.credentials."Sysdig Access Key" == $access_key) and (.credentials."Sysdig Collector Endpoint" | contains($endpoint))).source_crn') + elif [[ -n "$access_key" && "$use_scc_wp_endpoint" = "false" ]]; then + input=$(ibmcloud resource service-keys -o json | jq -r --arg endpoint "$instance_region.monitoring.cloud.ibm.com" --arg access_key "$access_key" '.[] | select((.credentials."Sysdig Access Key" == $access_key) and (.credentials."Sysdig Collector Endpoint" | contains($endpoint))).source_crn') elif [ -n "$existing_access_key_secret_name" ]; then input=$(ibmcloud resource service-key "$existing_access_key_secret_name" -o json | jq -r --arg name "$existing_access_key_secret_name" '.[] | select(.name == $name).source_crn') - tmp="${input%%::}" - instance_id="${tmp##*:}" fi - if [ -n "$instance_id" ]; then + if [ -n "$input" ]; then + tmp_instance="${input%%::}" + instance_id="${tmp_instance##*:}" + tmp_type="${input#*:*:*:*:}" + resource_type="${tmp_type%%:*}" + fi + + if [[ -n "$instance_id" && "$resource_type" = "sysdig-monitor" ]]; then ibmcloud resource tag-attach --resource-id "$(ibmcloud resource service-instance "$cluster_id" --crn -q)" --tag-names "monitoring-instance:$instance_id,mwp-workspace:$workspace_id" fi + if [[ -n "$instance_id" && "$resource_type" = "sysdig-secure" ]]; then + ibmcloud resource tag-attach --resource-id "$(ibmcloud resource service-instance "$cluster_id" --crn -q)" --tag-names 
"workload-protection-instance:$instance_id,mwp-workspace:$workspace_id" + fi + - name: Run the script ansible.builtin.script: cmd: ./script.sh From 0545eb793e7a4dfe1ec4bd46c1209401476644f6 Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Tue, 16 Sep 2025 13:56:54 +0530 Subject: [PATCH 3/4] update --- ibm_catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 3e5893fb..ff53598c 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -24,7 +24,7 @@ ], "provider_name": "IBM", "short_description": "Deploys an agent to monitor metrics and security data on an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster", - "long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:
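Review bot: The new `access_key` branches run only when `$use_scc_wp_endpoint` is exactly the string `true` or `false`; any other value from the environment (unset, `True`, `1`) silently falls through to the `existing_access_key_secret_name` test and no tag is attached, and an empty `$instance_region` turns the filter into `.monitoring.cloud.ibm.com`, which `contains` matches for any region. The two branches differ only in the endpoint suffix, so derive the endpoint once and fail with an explicit message on bad input, as below. The CRN parsing that follows assumes `input` holds a single CRN; if jq matches more than one service key the parameter expansions run over a multi-line string — presumably one match is expected, so take the first line or check explicitly. The same exact-string comparison concern applies to the variables introduced in the `@@ -8,7` and `@@ -20,6` hunks of this file.
```yaml
          content: |
            # … unchanged: variable assignments and login retry loop …
            if [ -n "$access_key" ]; then
              case "$use_scc_wp_endpoint" in
                true)  endpoint_suffix="security-compliance-secure.cloud.ibm.com" ;;
                false) endpoint_suffix="monitoring.cloud.ibm.com" ;;
                *) echo "use_scc_wp_endpoint must be 'true' or 'false', got '$use_scc_wp_endpoint'" >&2; exit 1 ;;
              esac
              if [ -z "$instance_region" ]; then
                echo "instance_region must be set when access_key is provided" >&2
                exit 1
              fi
              input=$(ibmcloud resource service-keys -o json | jq -r --arg endpoint "$instance_region.$endpoint_suffix" --arg access_key "$access_key" '.[] | select((.credentials."Sysdig Access Key" == $access_key) and (.credentials."Sysdig Collector Endpoint" | contains($endpoint))).source_crn' | head -n 1)
            elif [ -n "$existing_access_key_secret_name" ]; then
              # … unchanged: lookup by secret name …
            fi
            # … unchanged: CRN parsing and tag-attach …
```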
  • Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)
  • Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).
  • Key considerations

  • Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.
  • You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud Monitoring
  • You can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.
  • Both instances must be in the same region.
  • You can connect only one Monitoring instance to one Workload Protection instance.
  • Connections can only be established between two new instances or between one new and one existing instance.

    This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", + "long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:
  • Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)
  • Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).
  • Key considerations

  • Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.
  • You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud Monitoring
  • You can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.
  • Both instances must be in the same region.
  • You can connect only one Monitoring instance to one Workload Protection instance.
  • Connections can only be established between two new instances or between one new and one existing instance.

    This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.
  • Once deployment is complete, a post-deployment action runs to apply user tags to the cluster.
  • ", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/main/images/monitoring-icon.svg", "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in the repository [https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues). Please note this product is not supported via the IBM Cloud Support Center.", From 0bb6320cf1c4ebdec924a4a4655b44b1f38d9de9 Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Tue, 16 Sep 2025 14:03:27 +0530 Subject: [PATCH 4/4] update --- ibm_catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index ff53598c..ecfde182 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -24,7 +24,7 @@ ], "provider_name": "IBM", "short_description": "Deploys an agent to monitor metrics and security data on an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster", - "long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:
  • Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)
  • Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).
  • Key considerations

  • Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.
  • You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud Monitoring
  • You can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.
  • Both instances must be in the same region.
  • You can connect only one Monitoring instance to one Workload Protection instance.
  • Connections can only be established between two new instances or between one new and one existing instance.

    This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.
  • Once deployment is complete, a post-deployment action runs to apply user tags to the cluster.
  • ", + "long_description": "This architecture supports the provisioning of an agent to an IBM Cloud Red Hat OpenShift Container Platform or Kubernetes cluster. The agent can be configured for:
  • Metrics monitoring with [IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started)
  • Security and compliance with [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started).
  • Key considerations

  • Multiple instances of the agent cannot be deployed on the same host. However, by creating a connection between instances, a single agent can collect both metrics and security data for each instance.
  • You can use the [Cloud automation for Cloud Monitoring](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cloud-monitoring-73debdbf-894f-4c14-81c7-5ece3a70b67d-global) deployable architecture to provision a new instance of IBM Cloud Monitoring
  • You can use the [Cloud automation for Security and Compliance Center Workload Protection](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-scc-workload-protection-4322cf44-2289-49aa-a719-dd79e39b14dc-global) deployable architecture to provision a new instance of IBM Cloud Security and Compliance Center Workload Protection. This deployable architecture has an input called `cloud_monitoring_instance_crn` which allows you to create a connection between instances.
  • Both instances must be in the same region.
  • You can connect only one Monitoring instance to one Workload Protection instance.
  • Connections can only be established between two new instances or between one new and one existing instance.
  • Once deployment is complete, a post-deployment action runs to apply user tags to the cluster.


  • This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/main/images/monitoring-icon.svg", "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in the repository [https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/issues). Please note this product is not supported via the IBM Cloud Support Center.",
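Review bot: The closing paragraph `This Terraform-based automation is part of a broader suite …` is now prefixed with `•`, which turns the standalone summary into the last item of the `Key considerations` list, and it is preceded by two consecutive blank lines. Keep the new `Once deployment is complete …` bullet inside the list, then a single blank line, then the paragraph without a bullet, as it was before this patch.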