fix: Removal of ICN Validation for license check

* Removal of the ICN support and fix on the security issue

* Upgrading the CIS profile version

---------

Co-authored-by: Sagar BK <Sagar.BK1@ibm.com>

Author: bksagar

.releaserc

@@ -10,7 +10,7 @@
     }],
     ["@semantic-release/exec", {
       "successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV",
-      "publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=${nextRelease.version}"
+      "publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}"
     }]
   ]
 }

.tekton/lsf/lsf-pr-pipeline/listener-git-pr-status.yaml

@@ -73,9 +73,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
   resourcetemplates:
     - apiVersion: v1
       kind: PersistentVolumeClaim
@@ -142,8 +139,6 @@ spec:
             value: $(params.git_user_email)
           - name: solution
             value: $(params.solution)
-          - name: ibm_customer_number
-            value: $(params.ibm_customer_number)
         workspaces:
           - name: pipeline-ws
             persistentVolumeClaim:

.tekton/lsf/lsf-pr-pipeline/lsf-pipeline-git-pr-status.yaml

@@ -78,9 +78,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
   workspaces:
     - name: pipeline-ws
   tasks:
@@ -223,8 +220,6 @@ spec:
           value: $(params.git_user_email)
         - name: solution
           value: $(params.solution)
-        - name: ibm_customer_number
-          value: $(params.ibm_customer_number)
     # - name: wes-lsf-da-ubuntu-pr
     #   runAfter: [git-clone, pre-requisites-install, ssh-key-creation]
     #   taskRef:

.tekton/lsf/lsf-regression-pipeline/listener-git-trigger.yaml

@@ -80,9 +80,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
     - name: pac_ha_exist_certificate
       description: PAC HA Existing Certificate
       default: ""
@@ -142,8 +139,6 @@ spec:
             value: $(params.cos_api_key)
           - name: solution
             value: $(params.solution)
-          - name: ibm_customer_number
-            value: $(params.ibm_customer_number)
           - name: hpc_custom_reports_repo
             value: $(params.hpc_custom_reports_repo)
           - name: hpc_custom_reports_branch
@@ -199,8 +194,6 @@ spec:
       value: $(params.git_user_email)
     - name: solution
       value: $(params.solution)
-    - name: ibm_customer_number
-      value: $(params.ibm_customer_number)
     - name: pac_ha_exist_certificate
       value: $(params.pac_ha_exist_certificate)
 ---
@@ -266,8 +259,6 @@ spec:
       value: $(event.ref)
     - name: solution
       value: $(event.ref)
-    - name: ibm_customer_number
-      value: $(event.ref)
     - name: pac_ha_exist_certificate
       value: $(event.ref)
 ---

.tekton/lsf/lsf-regression-pipeline/lsf-pipeline-git-trigger.yaml

@@ -71,9 +71,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
     - name: pac_ha_exist_certificate
       description: PAC HA Existing Certificate
       default: ""
@@ -177,8 +174,6 @@ spec:
           value: $(params.git_user_email)
         - name: solution
           value: $(params.solution)
-        - name: ibm_customer_number
-          value: $(params.ibm_customer_number)
     - name: wes-lsf-da-rhel-2
       runAfter: [git-clone, pre-requisites-install, ssh-key-creation]
       taskRef:
@@ -225,8 +220,6 @@ spec:
           value: $(params.git_user_email)
         - name: solution
           value: $(params.solution)
-        - name: ibm_customer_number
-          value: $(params.ibm_customer_number)
     - name: wes-lsf-da-rhel-3
       runAfter: [git-clone, pre-requisites-install, ssh-key-creation]
       taskRef:
@@ -273,8 +266,6 @@ spec:
           value: $(params.git_user_email)
         - name: solution
           value: $(params.solution)
-        - name: ibm_customer_number
-          value: $(params.ibm_customer_number)
     - name: wes-lsf-da-rhel-4
       runAfter: [git-clone, pre-requisites-install, ssh-key-creation]
       taskRef:
@@ -321,8 +312,6 @@ spec:
           value: $(params.git_user_email)
         - name: solution
           value: $(params.solution)
-        - name: ibm_customer_number
-          value: $(params.ibm_customer_number)
         - name: pac_ha_exist_certificate
           value: $(params.pac_ha_exist_certificate)
     # - name: wes-lsf-da-ubuntu
@@ -415,8 +404,6 @@ spec:
           value: $(params.git_user_email)
         - name: solution
           value: $(params.solution)
-        - name: ibm_customer_number
-          value: $(params.ibm_customer_number)
     - name: wes-lsf-da-negative
       runAfter: [git-clone, pre-requisites-install, ssh-key-creation]
       taskRef:
@@ -461,8 +448,6 @@ spec:
           value: $(params.git_user_name)
         - name: git_user_email
           value: $(params.git_user_email)
-        - name: ibm_customer_number
-          value: $(params.ibm_customer_number)
     - name: ssh-key-deletion
       runAfter:
         [

.tekton/lsf/lsf_task/lsf-task-infra-rhel-1.yaml

@@ -71,9 +71,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
   workspaces:
     - name: workspace
       mountPath: /artifacts
@@ -121,8 +118,6 @@ spec:
         value: $(params.git_access_token)
       - name: solution
         value: $(params.solution)
-      - name: ibm_customer_number
-        value: $(params.ibm_customer_number)
       - name: management_image_name
         value: $(params.management_image_name)
   steps:

.tekton/lsf/lsf_task/lsf-task-infra-rhel-2.yaml

@@ -71,9 +71,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
   workspaces:
     - name: workspace
       mountPath: /artifacts
@@ -121,8 +118,6 @@ spec:
         value: $(params.git_access_token)
       - name: solution
         value: $(params.solution)
-      - name: ibm_customer_number
-        value: $(params.ibm_customer_number)
       - name: management_image_name
         value: $(params.management_image_name)
   steps:

.tekton/lsf/lsf_task/lsf-task-infra-rhel-3.yaml

@@ -71,9 +71,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
   workspaces:
     - name: workspace
       mountPath: /artifacts
@@ -121,8 +118,6 @@ spec:
         value: $(params.git_access_token)
       - name: solution
         value: $(params.solution)
-      - name: ibm_customer_number
-        value: $(params.ibm_customer_number)
       - name: management_image_name
         value: $(params.management_image_name)
   steps:

.tekton/lsf/lsf_task/lsf-task-infra-rhel-4.yaml

@@ -71,9 +71,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
     - name: pac_ha_exist_certificate
       description: PAC HA Existing Certificate
       default: ""
@@ -124,8 +121,6 @@ spec:
         value: $(params.git_access_token)
       - name: solution
         value: $(params.solution)
-      - name: ibm_customer_number
-        value: $(params.ibm_customer_number)
       - name: management_image_name
         value: $(params.management_image_name)
       - name: pac_ha_exist_certificate

.tekton/lsf/lsf_task/lsf-task-negative.yaml

@@ -71,9 +71,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
   workspaces:
     - name: workspace
       mountPath: /artifacts
@@ -121,8 +118,6 @@ spec:
         value: $(params.git_access_token)
       - name: solution
         value: $(params.solution)
-      - name: ibm_customer_number
-        value: $(params.ibm_customer_number)
       - name: management_image_name
         value: $(params.management_image_name)
   steps:

.tekton/lsf/lsf_task/lsf-task-pr-rhel.yaml

@@ -72,9 +72,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
   workspaces:
     - name: workspace
       mountPath: /artifacts
@@ -127,8 +124,6 @@ spec:
           value: $(params.git_access_token)
         - name: solution
           value: $(params.solution)
-        - name: ibm_customer_number
-          value: $(params.ibm_customer_number)
         - name: management_image_name
           value: $(params.management_image_name)
       workingDir: "/artifacts"

.tekton/lsf/lsf_task/lsf-task-region.yaml

@@ -71,9 +71,6 @@ spec:
     - name: solution
       description: Provide the value for the solution that is needed for the support of lsf and HPC.
       default: "lsf"
-    - name: ibm_customer_number
-      description: Comma-separated list of the IBM Customer Number(s) (ICN) that is used for the Bring Your Own License (BYOL) entitlement check. For more information on how to find your ICN, see [What is my IBM Customer Number (ICN)?](https://www.ibm.com/support/pages/what-my-ibm-customer-number-icn)..
-      default: ""
   workspaces:
     - name: workspace
       mountPath: /artifacts
@@ -121,8 +118,6 @@ spec:
         value: $(params.git_access_token)
       - name: solution
         value: $(params.solution)
-      - name: ibm_customer_number
-        value: $(params.ibm_customer_number)
       - name: management_image_name
         value: $(params.management_image_name)
   steps:

.tekton/scripts/issue_track.sh

@@ -7,7 +7,7 @@ error_check_on_all_file() {
     for file in "$DIRECTORY"/$pattern; do
         if [ -f "$file" ]; then
             if [[ "${file}" == *"negative"* ]]; then
-                infra_validation_negative_log_fail_check=$(eval "grep -v 'Terraform upgrade output:' $file" | grep -E -w 'FAIL')
+                infra_validation_negative_log_fail_check=$(grep -v -e 'Terraform upgrade output:' -e 'Error retrieving reservation ID from secrets:' -e 'Field validation for' "$file" | grep -E -w 'FAIL')
                 if [[ "$infra_validation_negative_log_fail_check" ]]; then
                     results+=("true")
                     if [[ "${infra_or_validation}" == "infra" ]]; then
@@ -17,7 +17,7 @@ error_check_on_all_file() {
                     fi
                 fi
             else
-                infra_validation_log_error_check=$(eval "grep -v 'Terraform upgrade output:' $file" | grep -E -w 'FAIL|Error|ERROR')
+                infra_validation_log_error_check=$(grep -v -e 'Terraform upgrade output:' -e 'Error retrieving reservation ID from secrets:' -e 'Field validation for' "$file" | grep -E -w 'FAIL|Error|ERROR')
                 if [[ "$infra_validation_log_error_check" ]]; then
                     results+=("true")
                     if [[ "${infra_or_validation}" == "infra" ]]; then
@@ -45,15 +45,15 @@ issue_track() {
     DIRECTORY="/artifacts/tests"
     if [ -d "$DIRECTORY" ]; then
         if [[ "${LOG_FILE_NAME}" == *"negative"* ]]; then
-            negative_log_error_check=$(eval "grep -v 'Terraform upgrade output:' $DIRECTORY/$LOG_FILE_NAME" | grep 'FAIL')
+            negative_log_error_check=$(grep -v -e 'Terraform upgrade output:' -e 'Error retrieving reservation ID from secrets:' -e 'Field validation for' $DIRECTORY/"$LOG_FILE_NAME" | grep 'FAIL')
             if [[ "$negative_log_error_check" ]]; then
                 echo "${negative_log_error_check}"
                 echo "Found FAIL in plan/apply log. Please check log : ${LOG_FILE_NAME}"
                 exit 1
             fi
         else
             # Track error/fail from the suites log file
-            log_error_check=$(eval "grep -v 'Terraform upgrade output:' $DIRECTORY/$LOG_FILE_NAME" | grep -E -w 'FAIL|Error|ERROR')
+            log_error_check=$(grep -v -e 'Terraform upgrade output:' -e 'Error retrieving reservation ID from secrets:' -e 'Field validation for' $DIRECTORY/"$LOG_FILE_NAME" | grep -E -w 'FAIL|Error|ERROR')
             if [[ "$log_error_check" ]]; then
                 echo "${log_error_check}"
                 echo "Found Error/FAIL/ERROR in plan/apply log. Please check log : ${LOG_FILE_NAME}"
@@ -103,9 +103,9 @@ display_validation_log() {
             echo "##################################################################################"
             echo "##################################################################################"
             if [[ "${LOG_FILE_NAME}" == *"negative"* ]]; then
-                validation_log_error_check=$(eval "grep -v 'Terraform upgrade output:' $DIRECTORY/logs/$LOG_FILE_NAME" | grep -E -w 'FAIL')
+                validation_log_error_check=$(grep -v -e 'Terraform upgrade output:' -e 'Error retrieving reservation ID from secrets:' -e 'Field validation for' $DIRECTORY/logs/"$LOG_FILE_NAME" | grep -E -w 'FAIL')
             else
-                validation_log_error_check=$(eval "grep -v 'Terraform upgrade output:' $DIRECTORY/logs/$LOG_FILE_NAME" | grep -E -w 'FAIL|Error|ERROR')
+                validation_log_error_check=$(grep -v -e 'Terraform upgrade output:' -e 'Error retrieving reservation ID from secrets:' -e 'Field validation for' $DIRECTORY/logs/"$LOG_FILE_NAME" | grep -E -w 'FAIL|Error|ERROR')
             fi
 
             # Display if any error in validation log

.tekton/scripts/suites.sh

@@ -40,7 +40,7 @@ common_suite() {
                 # get ssh-key created based on pr-id
                 get_pr_ssh_key "${PR_REVISION}" "${CHECK_SOLUTION}"
                 SSH_KEY=${CICD_SSH_KEY:?} COMPUTE_IMAGE_NAME=${compute_image_name:?} LOGIN_NODE_IMAGE_NAME=${login_image_name:?} MANAGEMENT_IMAGE_NAME=${management_image_name:?} \
-                    ZONE=${zone:?} SOLUTION=${solution:?} IBM_CUSTOMER_NUMBER=${ibm_customer_number:?} DEFAULT_EXISTING_RESOURCE_GROUP=${resource_group:?} \
+                    ZONE=${zone:?} SOLUTION=${solution:?} DEFAULT_EXISTING_RESOURCE_GROUP=${resource_group:?} \
                     go test -v -timeout 9000m -run "${test_cases}" | tee -a "$LOG_FILE"
                 # Upload log/test_output files to cos bucket
                 cos_upload "PR" "${CHECK_SOLUTION}" "${DIRECTORY}"
@@ -78,7 +78,7 @@ common_suite() {
                 # get ssh-key created based on commit-id
                 get_commit_ssh_key "${REVISION}" "${CHECK_SOLUTION}"
                 SSH_KEY=${CICD_SSH_KEY:?} COMPUTE_IMAGE_NAME=${compute_image_name:?} LOGIN_NODE_IMAGE_NAME=${login_image_name:?} MANAGEMENT_IMAGE_NAME=${management_image_name:?} \
-                    ZONE=${zone:?} SOLUTION=${solution:?} IBM_CUSTOMER_NUMBER=${ibm_customer_number:?} DEFAULT_EXISTING_RESOURCE_GROUP=${resource_group:?} \
+                    ZONE=${zone:?} SOLUTION=${solution:?} DEFAULT_EXISTING_RESOURCE_GROUP=${resource_group:?} \
                     go test -v -timeout 9000m -run "${test_cases}" | tee -a "$LOG_FILE"
                 # Upload log/test_output files to cos bucket
                 cos_upload "REGRESSION" "${CHECK_SOLUTION}" "${DIRECTORY}" "${VALIDATION_LOG_FILE_NAME}"

cra-config.yaml

@@ -10,5 +10,4 @@ CRA_TARGETS:
       TF_VAR_bastion_ssh_keys: "[\"geretain-hpc\"]"
       TF_VAR_compute_ssh_keys: "[\"geretain-hpc\"]"
       TF_VAR_remote_allowed_ips: "[\"49.207.216.50\"]"
-      TF_VAR_ibm_customer_number: "051700"
       TF_VAR_solution: "lsf"

ibm_catalog.json

@@ -51,8 +51,8 @@
                         "authority": "scc-v3",
                         "profiles": [
                             {
-                                "profile_name": "CIS IBM Cloud Foundations Benchmark",
-                                "profile_version": "1.0.0"
+                                "profile_name": "CIS IBM Cloud Foundations Benchmark v1.1.0",
+                                "profile_version": "1.1.0"
                             }
                         ]
                     },
@@ -77,10 +77,6 @@
                         {
                             "key": "remote_allowed_ips"
                         },
-                        {
-                            "key": "ibm_customer_number",
-                            "required": true
-                        },
                         {
                             "key": "zones",
                             "required": true,