From fce4ec86f0266fc458f67aa61054c157ebf1e8de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Conall=20=C3=93=20Cofaigh?=
Date: Wed, 6 Sep 2023 11:25:06 +0100
Subject: [PATCH] ci: enable CRA scan (#243)

---
 .github/workflows/ci.yml | 7 +++----
 cra-config.yaml | 11 +++++++++++
 ...re-goals.json => cra-tf-validate-ignore-rules.json | 3 +--
 3 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 cra-config.yaml
 rename cra-tf-validate-ignore-goals.json => cra-tf-validate-ignore-rules.json (75%)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6511825d..bb8564c1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,6 @@ jobs:
 call-terraform-ci-pipeline:
 uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci-v2.yml@v1.17.0
 secrets: inherit
-# with:
-# craSCCv2: true
-# craTarget: "./"
-# craEnvironmentVariables: "TF_VAR_enable_key_protect=true,TF_VAR_kp_name=prodkeys, TF_VAR_enable_secrets_manager=false"
+ with:
+ craSCCv2: true
+ craConfigYamlFile: "cra-config.yaml"
diff --git a/cra-config.yaml b/cra-config.yaml
new file mode 100644
index 00000000..d0808d99
--- /dev/null
+++ b/cra-config.yaml
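Review bot: Turning on `craSCCv2: true` means the called reusable workflow now performs an SCC scan, and the `secrets: inherit` context line just above hands that workflow every repository secret while it is pinned only to the mutable tag `@v1.17.0`; pinning the `uses:` reference to the release's commit SHA with the tag kept as a trailing comment (`...common-terraform-module-ci-v2.yml@<sha> # v1.17.0`) would stop a re-pointed upstream tag from running with those secrets. The removed commented block also passed `TF_VAR_enable_key_protect=true`, `TF_VAR_kp_name=prodkeys` and `TF_VAR_enable_secrets_manager=false` to the scan, whereas the new `with:` block passes only the config file path, so it is worth confirming those variables are set in cra-config.yaml if the profile is meant to be checked against that hardened configuration rather than the module defaults. The enclosing `jobs:` mapping starts outside the hunk.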
@@ -0,0 +1,11 @@
+# More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
+version: "v1"
+CRA_TARGETS:
+ - CRA_TARGET: "./" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+ CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
+ PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
+ SCC_INSTANCE_ID: "293a81bc-b706-4a2b-b2f8-36010a0373f6" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
+ SCC_REGION: "us-south" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
+ # CRA_ENVIRONMENT_VARIABLES: # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
+ # TF_VAR_sample: "sample value"
+ # TF_VAR_other: "another value"
diff --git a/cra-tf-validate-ignore-goals.json b/cra-tf-validate-ignore-rules.json
similarity index 75%
rename from cra-tf-validate-ignore-goals.json
rename to cra-tf-validate-ignore-rules.json
index 3a6ea617..526e0e1d 100644
--- a/cra-tf-validate-ignore-goals.json
+++ b/cra-tf-validate-ignore-rules.json
@@ -1,5 +1,4 @@
 {
 "description": "Ignore goals list for Terraform IBM DevSecOps ALM",
- "scc_goals": [
- ]
+ "scc_rules": []
 }
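Review bot: `CRA_ENVIRONMENT_VARIABLES` is left as a commented placeholder, so the plan CRA evaluates for `CRA_TARGET: "./"` runs with whatever default variable values the module declares; the previous workflow configuration explicitly set `TF_VAR_enable_key_protect=true`, `TF_VAR_kp_name=prodkeys` and `TF_VAR_enable_secrets_manager=false`, and if those defaults differ the FSCloud profile is now being checked against a different configuration than before. If that hardened configuration is the intended scan target, restore them as a real map, e.g. `CRA_ENVIRONMENT_VARIABLES:` / `TF_VAR_enable_key_protect: "true"` / `TF_VAR_kp_name: "prodkeys"` (plus `TF_VAR_enable_secrets_manager: "false"`), keeping the values quoted so the YAML loader does not retype `true`/`false` as booleans before they reach Terraform. Otherwise a one-line comment stating that the scan deliberately uses module defaults would save the next reader from asking the same question.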
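Review bot: The `description` string still says "Ignore goals list" although the list it describes has been renamed to `scc_rules`, which will confuse anyone grepping for the goals-vs-rules distinction later; update it to `"description": "Ignore rules list for Terraform IBM DevSecOps ALM"`. An empty `scc_rules` array is the right starting point, but since JSON has no comments, any rule id added to it later should be accompanied by a justification somewhere reviewable (a PR note or a sibling field) so the exemption does not become permanent and unexplained.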