Scope SCC attachment to a resource group and expose schedule in RAG stack - Githubissues

terraform-ibm-modules / stack-retrieval-augmented-generation

A deployable architecture that automates the deployment of a sample gen AI Pattern on IBM Cloud, including all underlying IBM Cloud and WatsonX infrastructure.

Apache License 2.0

1 stars 11 forks source link

Scope SCC attachment to a resource group and expose schedule in RAG stack #188

Closed ocofaigh closed 2 months ago

ocofaigh commented 2 months ago

Its not currently possible to use a string ref (ref:../Account Infrastructure Base/outputs/security_resource_group_name) with an array input (which resource_groups_scope is in the SCC DA).

Currently SCC does not supporting scoping to more than 1 resource group, so we could maybe change the input to be a string for now

ocofaigh commented 2 months ago

Had a chat with Igor on this..

Currently the AI Guardrails profile attachment won’t scan anything if its resource group scoped, and now that the RAG stack defaults to this profile, we agreed not to scope it right now to any group
Instead of exposing the the schedule as yet another stack level input, we agreed to default the schedule to monthly in the SCC DA, and allow the RAG stack to use the default value of the DA

ocofaigh commented 2 months ago

In https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/releases/tag/v1.18.0 the default scan has been set to 30 days. Not taking any other actions right now

ocofaigh commented 2 months ago

Actually going to keep open until its added to the RAG stack (dev tile)

ocofaigh commented 2 months ago

We found more issues around attachments so in https://github.com/terraform-ibm-modules/dev-rag/releases/tag/v0.4.1 we decided to disable attachments for now