From f305bfecc1efe665c67dc8b7dd9646010ffc5c11 Mon Sep 17 00:00:00 2001 From: matteopasa <146732818+matteopasa@users.noreply.github.com> Date: Fri, 12 Apr 2024 10:11:11 +0200 Subject: [PATCH] feat(event-hub): add aad diagnostic settings (SSPROD-38091) (#31) * add entra logs in main * add variable for entra logs * disable retention policy * remove providers * added sub hash also to entra ds * update readme * default to false for entra * update readme * fix enable entra condition * remove providers added for testing
---
 .../services/event-hub-data-source/README.md | 18 ++- .../services/event-hub-data-source/main.tf | 129 ++++++++++++++++++ .../event-hub-data-source/variables.tf | 12 ++ 3 files changed, 156 insertions(+), 3 deletions(-)
diff --git a/modules/services/event-hub-data-source/README.md b/modules/services/event-hub-data-source/README.md
index dc8ee17..d65f1c6 100644
--- a/modules/services/event-hub-data-source/README.md
+++ b/modules/services/event-hub-data-source/README.md
@@ -20,8 +20,9 @@ The following resources will be created in each instrumented account:
 
 | Name | Version |
 |------|---------|
-| [azuread](#provider\_azuread) | 2.45.0 |
-| [azurerm](#provider\_azurerm) | 3.76.0 |
+| [azuread](#provider\_azuread) | 2.47.0 |
+| [azurerm](#provider\_azurerm) | 3.94.0 |
+| [random](#provider\_random) | 3.6.0 |
 
 ## Modules
 
@@ -36,9 +37,16 @@ No modules.
 | [azurerm_eventhub_consumer_group.sysdig_consumer_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_consumer_group) | resource |
 | [azurerm_eventhub_namespace.sysdig_event_hub_namespace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace) | resource |
 | [azurerm_eventhub_namespace_authorization_rule.sysdig_rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace_authorization_rule) | resource |
+| [azurerm_monitor_aad_diagnostic_setting.sysdig_entra_diagnostic_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_aad_diagnostic_setting) | resource |
 | [azurerm_monitor_diagnostic_setting.sysdig_diagnostic_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
+| [azurerm_monitor_diagnostic_setting.sysdig_org_diagnostic_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
 | [azurerm_resource_group.sysdig_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.sysdig_data_receiver](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_management_group.onboarded_management_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
+| [azurerm_management_group.root_management_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
+| [azurerm_subscription.onboarded_subscriptions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_subscription.sysdig_subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 
 ## Inputs
@@ -48,9 +56,13 @@ No modules.
 | [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
 | [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
 | [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
+| [enable\_entra](#input\_enable\_entra) | (Optional) Used to enable or disable Entra logs, defaults to false. | `bool` | `false` | no |
+| [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
 | [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
-| [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
+| [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | n/a | yes |
 | [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
+| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
+| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
 | [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
 | [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
 | [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |
diff --git a/modules/services/event-hub-data-source/main.tf b/modules/services/event-hub-data-source/main.tf
index 2394464..ed25546 100644
--- a/modules/services/event-hub-data-source/main.tf
+++ b/modules/services/event-hub-data-source/main.tf
@@ -117,3 +117,132 @@ resource "azurerm_monitor_diagnostic_setting" "sysdig_diagnostic_setting" {
 category = "Policy"
 }
 }
+
+resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting" {
+ count = var.enable_entra ? 1 : 0
+
+ name = "${var.entra_diagnostic_settings_name}-${local.subscription_hash}"
+ eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
+ eventhub_name = azurerm_eventhub.sysdig_event_hub.name
+
+ enabled_log {
+ category = "AuditLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "SignInLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "NonInteractiveUserSignInLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "ServicePrincipalSignInLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "ManagedIdentitySignInLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "ProvisioningLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "ADFSSignInLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "RiskyUsers"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "UserRiskEvents"
+
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "NetworkAccessTrafficLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "RiskyServicePrincipals"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "ServicePrincipalRiskEvents"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "EnrichedOffice365AuditLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "MicrosoftGraphActivityLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+
+ enabled_log {
+ category = "RemoteNetworkHealthLogs"
+
+ retention_policy {
+ enabled = false
+ }
+ }
+}
diff --git a/modules/services/event-hub-data-source/variables.tf b/modules/services/event-hub-data-source/variables.tf
index 790cd71..61dd7b2 100644
--- a/modules/services/event-hub-data-source/variables.tf
+++ b/modules/services/event-hub-data-source/variables.tf
@@ -84,6 +84,12 @@ variable "diagnostic_settings_name" {
 default = "sysdig-diagnostic-settings"
 }
 
+variable "entra_diagnostic_settings_name" {
+ type = string
+ description = "Name of the Entra diagnostic settings to be created"
+ default = "sysdig-entra-diagnostic-settings"
+}
+
 variable "is_organizational" {
 description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant."
 type = bool
@@ -95,3 +101,9 @@ variable "management_group_ids" {
 type = set(string)
 default = []
 }
+
+variable "enable_entra" {
+ description = "(Optional) Used to enable or disable Entra logs, defaults to false."
+ type = bool
+ default = false
+}
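Review bot: The fifteen `enabled_log` blocks added to `sysdig_entra_diagnostic_setting` differ only in `category`, so a single `dynamic "enabled_log"` over a local list of categories expresses the same setting in a dozen lines and turns the category list into reviewable data. Two properties of `azurerm_monitor_aad_diagnostic_setting` deserve a comment on the resource and a line in the `enable_entra` description in variables.tf: it configures the Entra tenant rather than a subscription, so the `-${local.subscription_hash}` suffix on `name` produces one tenant-wide setting per subscription this module is applied in, each streaming the same sign-in and audit logs to its own Event Hub (Azure limits the number of diagnostic settings a resource can carry, and duplicate streams are billed per hub), and the identity running the apply needs a tenant-level Entra administrator role that the subscription-scoped role assignments elsewhere in the module do not provide. If the provider treats `retention_policy` on this resource the way it does on `azurerm_monitor_diagnostic_setting`, the fifteen `retention_policy { enabled = false }` blocks are deprecated no-ops that can be dropped at the next provider bump — confirm against the azurerm 3.94.0 documentation before relying on that.
```terraform
resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting" {
  count = var.enable_entra ? 1 : 0

  # … unchanged: name, eventhub_authorization_rule_id, eventhub_name …

  # Tenant-wide Entra log categories streamed to the Event Hub; one enabled_log block per entry.
  dynamic "enabled_log" {
    for_each = toset([
      "AuditLogs",
      "SignInLogs",
      "NonInteractiveUserSignInLogs",
      "ServicePrincipalSignInLogs",
      "ManagedIdentitySignInLogs",
      "ProvisioningLogs",
      "ADFSSignInLogs",
      "RiskyUsers",
      "UserRiskEvents",
      "NetworkAccessTrafficLogs",
      "RiskyServicePrincipals",
      "ServicePrincipalRiskEvents",
      "EnrichedOffice365AuditLogs",
      "MicrosoftGraphActivityLogs",
      "RemoteNetworkHealthLogs",
    ])

    content {
      category = enabled_log.value

      retention_policy {
        enabled = false
      }
    }
  }
}
```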