Managing compliance information for your deployable architecture
By using the ibm_cloud.json manifest file, you can claim that your deployable architecture meets specific compliance requirements. After you onboard and publish your deployable architecture to the catalog, users can view which controls or IBM Cloud Security and Compliance Center Workload Protection policies your product adheres to. You verify the compliance information before you onboard your deployable architecture.
Here's an example from the VSI on VPC landing zone's catalog page where the Standard variation meets the IBM Cloud Framework for Financial Services v1.6.0 profile:
The process to claim compliance for your deployable architecture includes steps that must be completed before and during the onboarding process to a catalog:
- Set up an instance of Workload Protection
- Add compliance information to your ibm_cloud.json manifest file
- Deploy your resources and add your inventory information to your deployable architecture when you onboard
Setting up Workload Protection
Set up an instance of Workload Protection and implement Cloud Security Posture Management (CSPM) for your IBM Cloud account:
- Provision an instance of Workload Protection from the catalog if you haven't done so already.
- Complete the steps to integrate with either an existing Workload Protection instance or a new instance.
- Workload Protection provides default policies to verify compliance, or you can create your own custom policies.
Updating the compliance information in the manifest
After you identify the Workload Protection policy you'd like to use, you must add that information to the ibm_cloud.json catalog manifest file in your source repo.
- If one does not exist, create a catalog manifest file at the root of your repo. For an example catalog manifest file, see the terraform-ibm-landing-zone repo.
- Open the ibm_catalog.json file.
- Find or add the flavors.compliance field for the variation (flavor) that you want to update.
- Set authority to scc-wp-v1.
- Find or add a profiles[] array:
  - Set profile_name to the policy display name in Workload Protection.
  - Set profile_version to the version of the policy in Workload Protection.
  For example:
    "authority": "scc-wp-v1",
    "profiles": [
      {
        "profile_name": "IBM Cloud for Financial Services",
        "profile_version": "1.3.0"
      }
    ]
- Save the file.
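Because the catalog shows whatever the manifest claims, it is worth checking the compliance block mechanically before onboarding. The following script is an added example, not IBM tooling, and it assumes the manifest nests flavors under a top-level products array (products[].flavors[].compliance), as in the terraform-ibm-landing-zone repo; the sample manifest is constructed for illustration.

```python
import json

REQUIRED_AUTHORITY = "scc-wp-v1"

# Constructed sample manifest (not from any real repo): the "standard" flavor
# carries a well-formed claim, the "quickstart" flavor carries two defects.
SAMPLE_MANIFEST = json.dumps({"products": [{
    "name": "example-landing-zone",
    "flavors": [
        {"name": "standard", "compliance": {
            "authority": "scc-wp-v1",
            "profiles": [{"profile_name": "IBM Cloud for Financial Services",
                          "profile_version": "1.3.0"}]}},
        {"name": "quickstart", "compliance": {
            "authority": "scc-v1",
            "profiles": [{"profile_name": "IBM Cloud for Financial Services"}]}},
    ]}]})


def check_compliance(manifest_text: str) -> dict:
    """Return {flavor_name: [problem, ...]} for every flavor that claims compliance.

    Assumes the products[].flavors[].compliance layout. A flavor without a
    "compliance" field claims nothing and is skipped rather than reported.
    """
    manifest = json.loads(manifest_text)
    findings = {}
    for product in manifest.get("products", []):
        for flavor in product.get("flavors", []):
            compliance = flavor.get("compliance")
            if compliance is None:
                continue
            problems = []
            authority = compliance.get("authority")
            if authority != REQUIRED_AUTHORITY:
                problems.append(f"authority must be {REQUIRED_AUTHORITY!r}, got {authority!r}")
            profiles = compliance.get("profiles")
            if not isinstance(profiles, list) or not profiles:
                problems.append("profiles[] must be a non-empty array")
            else:
                for i, profile in enumerate(profiles):
                    for key in ("profile_name", "profile_version"):
                        if not isinstance(profile, dict) or not profile.get(key):
                            problems.append(f"profiles[{i}] is missing {key}")
            findings[flavor.get("name", "<unnamed>")] = problems
    return findings

if __name__ == "__main__":
    for name, problems in check_compliance(SAMPLE_MANIFEST).items():
        print(f"{name}: {'OK' if not problems else problems}")
```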
Adding compliance verification during onboarding
When you onboard your deployable architecture in the console, you can add the inventory from Workload Protection so that users can see the claimed compliance when they evaluate your product in the catalog.
In Workload Protection, your inventory is updated once every day. You must deploy your resources and wait for the inventory to be updated before you add the inventory to your catalog listing. For more information, go to Inventory.
- On the Manage compliance page, click Add inventory.
- Select the Workload Protection instance that you provisioned in the previous step.
- Click Apply.
Now that your inventory is added, you can complete onboarding and choose to share the deployable architecture to other accounts or enterprises, or publish to the IBM Cloud catalog.
Cleaning up your resources
To add compliance information to your deployable architecture, you had to create the resources in your account and a Workload Protection instance. To reduce future costs, you can delete all of the resources that you created during this process that you no longer need.