Skip to content

Commit

Permalink
Add support for Modular Onboarding (#45)
Browse files Browse the repository at this point in the history 
* feat(modular-onboarding) Add support for foundation onboarding & feature/integrations (#40)

* feat(modular-onboarding) Add foundation onboarding & SP integration

- Adding module for foundational onboarding
- Adding module for service-principal integration
- Adding test example snippets for both single & org case

* Remove redundant role creation and misc fixes

* Refactored TF repo changes for Modular Onboarding

- Refactored some changes in onboarding module with cspm
- Added modules for CDR & AS
- Added test examples
- Added READMEs within each of the modules and at repo level

* Incorporate existing RG vars and fmt

* Update integrations and module vars

* Update provider version to consume datasources

- minor updates to input and output vars to only include what's
  required.
- minor updates to cross-module references

* Update README.md

* Update Onboarding module README.md

* fix: add dependency to component id outputs (#43)

Because the values referenced are static, they don't implicitly form a hard dependency on the component resource.  Add an explicit dependency

* fix(config_posture): add subscription reader role (#42)

* fix(config_posture): add subscription reader role

* docs(config_posture): update

* fix(agentless-scanning): Add Lighthouse definition id in metadata

* Fixes for Azure modular improvements

* Move explicit depends_on to feature resource (#44)

* Remove explicit depends_on in config posture

* Remove explicit dependency as not needed

* Tests: Add module-level depends_on in feature resource

---------

Co-authored-by: cgeers <[email protected]>
  • Loading branch information
@ravinadhruve10 @cgeers
ravinadhruve10 and cgeers authored Jul 17, 2024
1 parent 103f8f1 commit 59099ca
Show file tree
Hide file tree
Showing 33 changed files with 1,553 additions and 5 deletions.
71 changes: 70 additions & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
@@ -1 +1,70 @@
# terraform-azure-secure
# Sysdig Secure for Cloud in Azure

Terraform module that deploys the Sysdig Secure for Cloud stack in Azure.

With Modular Onboarding, introducing the following design and install structure for `terraform-azurerm-secure`:

* **[Onboarding]**: It onboards an Azure subscription or Tenant for the first time to Sysdig Secure for Cloud, and collects
inventory and organizational hierarchy in the given tenant. Managed through `onboarding` module. <br/>

Provides unified threat-detection, compliance, forensics and analysis through these major components:

* **[CSPM](https://docs.sysdig.com/en/docs/sysdig-secure/posture/)**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through `config-posture` module. <br/>

* **[CDR (Cloud Detection and Response)]**: It sends periodically activity logs to Sysdig by directing those to a dedicated Event Hub which will be queried by the Sysdig backend to retrieve the data for log ingestion. Enabled via `event-hub` integrations module. <br/>

* **[Vulnerability Management Agentless Host Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/)**: It uses disk snapshots to provide highly accurate views of vulnerability risk, access to public exploits, and risk management. Managed through `agentless-scanning` module. <br/>

For other Cloud providers check: [AWS](https://github.com/draios/terraform-aws-secure-for-cloud) , [GCP](https://github.com/draios/terraform-google-secure-for-cloud)

## Modules

### Feature modules

These are independent feature modules which deploy and manage all the required Cloud resources and Sysdig resources
for the respective Sysdig features. They manage both, onboarding a single Azure Subscription or an Azure Tenant to Sysdig Secure for Cloud.

`onboarding`, `config-posture` and `agentless-scanning` are independent feature modules.

### Integrations

The modules under `integrations` are feature agnostic modules which deploy and manage all the required Cloud resources and Sysdig resources
for shared Sysdig integrations. That is to say, one or more Sysdig features can be enabled by installing an integration.

These modules manage both, onboarding a single Azure Subscription or an Azure Tenant to Sysdig Secure for Cloud.

`event-hub` is an integration module.

## Examples and usage

The modules in this repository can be installed on a single Azure subscription, or on an entire Azure Tenant, or management groups within the Tenant.

The `test` directory has sample `examples` for all these module deployments i.e under `single_subscription`, or `organization` sub-folders.

For example, to onboard a single Azure subscription, with CSPM enabled, with modular installation :-
1. Run the terraform snippet under `test/examples/modular_single_subscription/onboarding_with_posture.tf` with
the appropriate attribute values populated.
2. This will install the `onboarding` module, which will also create a Cloud Account on Sysdig side.
3. It will also install the `config-posture` module, which will also install cloud resources as well as Sysdig resources
for successfully running CSPM scans.
4. On Sysdig side, you will be able to see the Cloud account onboarded with required components, and CSPM feature installed and enabled.

## Best practices

For contributing to existing modules or adding new modules, below are some of the best practices recommended :-
* Module names referred and used in deployment snippets should be consistent with those in their source path.
* A module can fall into one of two categories - feature module or an integrations module.
* Every user-facing deployment snippet will,
- at the top level first call the feature module or integrations module from this repo. These modules deploy corresponding cloud resources and Sysdig component resources.
- the corresponding feature resource will be added as the last block and enabled from the module installed component resource reference.
See sample deployment snippets in `test/examples` for more.
* integrations modules are shared and could enable multiple features. Hence, one should be careful with changes to them.
* Module naming follows the pattern with "-" , resource and variable naming follows the pattern with "_".

## Authors

Module is maintained and supported by [Sysdig](https://sysdig.com).

## License

Apache 2 Licensed. See LICENSE for full details.
75 changes: 75 additions & 0 deletions modules/agentless-scanning/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
# Azure Agentless Host Scanning Module

This module is used for Volume Access integration in Azure. The module will deploy a
LightHouse Definition and Assignment in Azure for a single subscription, , or for an Azure Tenant.
These resources enable Agentless Scanning in the given single subscription, or Azure Tenant.

If instrumenting an Azure subscription, the following resources will be created:
- LightHouse Definition associated with Sysdig Service Principal and the VM Scanner Operator role.
- LightHouse Assignment associated with the LightHouse Definition and the Azure subscription provided.

If instrumenting an Azure Tenant, the following resources will be created:
- LightHouse Definition associated with Sysdig Service Principal and the VM Scanner Operator role.
- LightHouse Assignment associated with the LightHouse Definition and the Azure subscriptions under each of the
instrumented Management Groups within the Tenant provided, if no Management Groups are provided, all subscriptions under Root Management Group level.

This module will also deploy a Service Principal Component in Sysdig Backend for onboarded Sysdig Cloud Account for creating the Agentless Host scanning feature.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | >= 2.43.0 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.76.0 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.28.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.76.0 |
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | >= 1.28.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [azurerm_lighthouse_assignment.lighthouse_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_assignment) | resource |
| [azurerm_lighthouse_assignment.lighthouse_assignment_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_assignment) | resource |
| [azurerm_lighthouse_definition.lighthouse_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_definition) | resource |
| [sysdig_secure_cloud_auth_account_component.azure_service_principal](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
| [azurerm_management_group.management_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
| [azurerm_management_group.root_management_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
| [azurerm_subscription.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
| [sysdig_secure_agentless_scanning_assets.assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_agentless_scanning_assets) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create a trust relationship | `string` | n/a | yes |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_lighthouse_definition_display_id"></a> [lighthouse\_definition\_display\_id](#output\_lighthouse\_definition\_display\_id) | Display id of the Light House definition created |
| <a name="output_service_principal_component_id"></a> [service\_principal\_component\_id](#output\_service\_principal\_component\_id) | Component identifier of Service Principal created in Sysdig Backend for Agentless Scanning |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Authors

Module is maintained by [Sysdig](https://sysdig.com).

## License

Apache 2 Licensed. See LICENSE for full details.
47 changes: 47 additions & 0 deletions modules/agentless-scanning/main.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
#---------------------------------------------------------------------------------------------
# Fetch the subscription data
#---------------------------------------------------------------------------------------------
data "azurerm_subscription" "primary" {
subscription_id = var.subscription_id
}

data "sysdig_secure_agentless_scanning_assets" "assets" {}

resource "azurerm_lighthouse_definition" "lighthouse_definition" {
name = "Sysdig Agentless Host Scanner"
description = "Lighthouse definition for Sysdig Agentless Host Scanner"
managing_tenant_id = data.sysdig_secure_agentless_scanning_assets.assets.azure.tenant_id
scope = "/subscriptions/${var.subscription_id}"
authorization {
principal_id = data.sysdig_secure_agentless_scanning_assets.assets.azure.service_principal_id
principal_display_name = "Sysdig Service Principal Agentless Host Scanner"
# Uses VM Scanner Operator role
role_definition_id = "d24ecba3-c1f4-40fa-a7bb-4588a071e8fd"
}
}

resource "azurerm_lighthouse_assignment" "lighthouse_assignment" {
count = var.is_organizational ? 0 : 1
scope = "/subscriptions/${var.subscription_id}"
lighthouse_definition_id = azurerm_lighthouse_definition.lighthouse_definition.id
}

#-----------------------------------------------------------------------------------------------------------------
# Call Sysdig Backend to add the service-principal integration for Agentless Scanning to the Sysdig Cloud Account
# Agentless scanning uses Azure Lighthouse for service-principal integration.
#
# Note (optional): To ensure this gets called after all cloud resources are created, add
# explicit dependency using depends_on
#-----------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "azure_service_principal" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_SERVICE_PRINCIPAL"
instance = "secure-scanning"
service_principal_metadata = jsonencode({
azure = {
active_directory_service_principal = {
id = azurerm_lighthouse_definition.lighthouse_definition.lighthouse_definition_id
}
}
})
}
25 changes: 25 additions & 0 deletions modules/agentless-scanning/organizational.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
#---------------------------------------------------------------------------------------------
# Fetch the management groups for customer tenant and onboard subscriptions under them
#---------------------------------------------------------------------------------------------
# If no management group is present, then the root management group is used to onboard all the subscriptions
data "azurerm_management_group" "root_management_group" {
count = var.is_organizational && length(var.management_group_ids) == 0 ? 1 : 0
display_name = "Tenant Root Group"
}

data "azurerm_management_group" "management_groups" {
for_each = var.is_organizational && length(var.management_group_ids) > 0 ? var.management_group_ids : []
name = each.value
}

locals {
subscriptions = toset(var.is_organizational && length(var.management_group_ids) == 0 ? data.azurerm_management_group.root_management_group[0].subscription_ids :
flatten([for m in data.azurerm_management_group.management_groups : m.subscription_ids]))
}

resource "azurerm_lighthouse_assignment" "lighthouse_assignment_for_tenant" {
for_each = var.is_organizational ? toset(local.subscriptions) : toset([])

scope = "/subscriptions/${each.value}"
lighthouse_definition_id = azurerm_lighthouse_definition.lighthouse_definition.id
}
10 changes: 10 additions & 0 deletions modules/agentless-scanning/outputs.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
output "lighthouse_definition_display_id" {
value = azurerm_lighthouse_definition.lighthouse_definition.id
description = "Display id of the Light House definition created"
}

output "service_principal_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.azure_service_principal.type}/${sysdig_secure_cloud_auth_account_component.azure_service_principal.instance}"
description = "Component identifier of Service Principal created in Sysdig Backend for Agentless Scanning"
depends_on = [ sysdig_secure_cloud_auth_account_component.azure_service_principal ]
}
21 changes: 21 additions & 0 deletions modules/agentless-scanning/variables.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
variable "subscription_id" {
type = string
description = "Subscription ID in which to create a trust relationship"
}

variable "is_organizational" {
description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant."
type = bool
default = false
}

variable "management_group_ids" {
description = "(Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups."
type = set(string)
default = []
}

variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Agentless Scanning for (incase of organization, ID of the Sysdig management account)"
}
18 changes: 18 additions & 0 deletions modules/agentless-scanning/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
terraform {
required_version = ">= 1.0.0"

required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 3.76.0"
}
azuread = {
source = "hashicorp/azuread"
version = ">= 2.43.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
version = ">= 1.28.0"
}
}
}
Loading

0 comments on commit 59099ca

Please sign in to comment.