[SSPROD-48175] Changes to onboarding of AKS Discovery within VM Workload Scanning module (#68)
miguelpais authored Oct 25, 2024
1 parent 80a654a commit 5008cf2
Showing 17 changed files with 158 additions and 51 deletions.
1 change: 1 addition & 0 deletions modules/config-posture/README.md
Expand Up @@ -68,6 +68,7 @@ No modules.
| Name | Description |
|------|-------------|
| <a name="output_service_principal_component_id"></a> [service\_principal\_component\_id](#output\_service\_principal\_component\_id) | Component identifier of Service Principal created in Sysdig Backend for Config Posture |
| <a name="sysdig_cspm_sp_object_id"></a> [service\_principal\_component\_id](#output\_service\_principal\_component\_id) | Object ID of the CSPM SP within the client's infra |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Authors
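Review bot: the new output row is mislabelled: its anchor is `sysdig_cspm_sp_object_id`, but the link text and target are still `[service\_principal\_component\_id](#output\_service\_principal\_component\_id)`, copied from the row above. It should read `<a name="output_sysdig_cspm_sp_object_id"></a> [sysdig\_cspm\_sp\_object\_id](#output\_sysdig\_cspm\_sp\_object\_id)`. Since this table sits inside the pre-commit terraform-docs block, running the hook would regenerate it correctly instead of hand-editing it.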
2 changes: 1 addition & 1 deletion modules/config-posture/outputs.tf
Expand Up @@ -8,4 +8,4 @@ output "sysdig_cspm_sp_object_id" {
value = azuread_service_principal.sysdig_cspm_sp.object_id
description = "Object ID of the CSPM SP within the client's infra"
depends_on = [azuread_service_principal.sysdig_cspm_sp]
}
}
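Review bot: `depends_on = [azuread_service_principal.sysdig_cspm_sp]` on this output is redundant, because `value` already references `azuread_service_principal.sysdig_cspm_sp.object_id` and Terraform derives the dependency from that. The only visible change in this hunk is the trailing newline, so the `depends_on` line could be dropped in passing.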
17 changes: 11 additions & 6 deletions modules/vm-workload-scanning/README.md
Expand Up @@ -74,12 +74,17 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
|------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable VM Workload Scanning with optional AKS discovery | `string` | n/a | yes |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | The identifier of the Azure Subscription in which to create secure-for-cloud vm workload scanning resources | `string` | n/a | yes |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether vm workload scanning resources should be deployed in an organizational setup (all subscriptions of tenant) or not (only on default azure provider subscription) | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | List of Azure Management Group IDs. vm workload scanning will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
| Name | Description | Type | Default | Required |
|---------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable VM Workload Scanning with optional AKS discovery | `string` | n/a | yes |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | The identifier of the Azure Subscription in which to create secure-for-cloud vm workload scanning resources | `string` | n/a | yes |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether vm workload scanning resources should be deployed in an organizational setup (all subscriptions of tenant) or not (only on default azure provider subscription) | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | List of Azure Management Group IDs. vm workload scanning will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
| <a name="aks_enabled"></a> [aks\_enabled](#output\_service\_principal\_component\_id) | Set this field to 'true' to grant AKS discovery permissions to the secure-posture service principal | `bool` | false | no |
| <a name="functions_enabled"></a> [functions\_enabled](#output\_service\_principal\_component\_id) | Set this field to 'true' to grant Functions Storage permissions to the secure-vm-workload-scanning service principal | `bool` | false | no |
| <a name="sysdig_cspm_sp_object_id"></a> [sysdig\_cspm\_sp\_object\_id](#output\_service\_principal\_component\_id) | Object ID of the CSPM SP within the client's infra | `string` | n/a | yes |



## Outputs

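Review bot: the three added input rows (`aks_enabled`, `functions_enabled`, `sysdig_cspm_sp_object_id`) carry anchors and links copied from an output row: `<a name="aks_enabled">` should be `<a name="input_aks_enabled">`, and all three links point at `#output\_service\_principal\_component\_id` instead of `#input\_aks\_enabled`, `#input\_functions\_enabled` and `#input\_sysdig\_cspm\_sp\_object\_id`. The `false` defaults are also not backticked like the other rows. This table is inside the terraform-docs hook block, so regenerating it with the hook fixes all of this and prevents the hand edits from being overwritten later.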
12 changes: 6 additions & 6 deletions modules/vm-workload-scanning/aks-discovery/README.md
Expand Up @@ -43,13 +43,13 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
|------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create secure-for-cloud onboarding resources | `string` | n/a | yes |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups | `set(string)` | `[]` | no |
| <a name="sysdig_cspm_sp_object_id"></a> [management\_group\_ids](#input\_management\_group\_ids) | Object ID of the CSPM SP within the client's infra | `string` | `[]` | yes |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create secure-for-cloud onboarding resources | `string` | n/a | yes |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups | `set(string)` | `[]` | no |
| <a name="sysdig_cspm_sp_object_id"></a> [sysdig\_cspm\_sp\_object\_id](#input\_sysdig\_cspm\_sp\_object\_id) | Object ID of the CSPM SP within the client's infra | `string` | n/a | yes |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

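Review bot: the descriptions of `sysdig_secure_account_id` ("to enable Config Posture for") and `subscription_id` ("onboarding resources") in this aks-discovery README are copied from the config-posture and onboarding modules; they should describe AKS discovery, along the lines of the parent module's "ID of the Sysdig Cloud Account to enable VM Workload Scanning with optional AKS discovery". The corrected `sysdig_cspm_sp_object_id` row itself looks right.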
16 changes: 2 additions & 14 deletions modules/vm-workload-scanning/aks-discovery/main.tf
Expand Up @@ -6,7 +6,7 @@ data "azurerm_subscription" "primary" {
}

locals {
agentless_aks_connection_permissions_actions = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
agentless_aks_connection_permissions_actions = ["Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"]
}

#---------------------------------------------------------------------------------------------
Expand Down Expand Up @@ -36,18 +36,6 @@ resource "azurerm_role_assignment" "sysdig_cspm_role_aks_discovery_assignment" {
count = var.is_organizational ? 0 : 1

scope = data.azurerm_subscription.primary.id
role_definition_id = azurerm_role_definition.sysdig_cspm_aks_discovery_role.role_definition_resource_id
role_definition_id = azurerm_role_definition.sysdig_cspm_aks_discovery_role[0].role_definition_resource_id
principal_id = var.sysdig_cspm_sp_object_id
}

resource "sysdig_secure_cloud_auth_account_component" "azure_aks_discovery_component" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_UNSPECIFIED"
instance = "secure-aks-discovery"

depends_on = [azurerm_role_definition.sysdig_cspm_aks_discovery_role,
azurerm_role_assignment.sysdig_cspm_role_aks_discovery_assignment,
azurerm_role_definition.sysdig_cspm_role_aks_discovery_for_tenant,
azurerm_role_assignment.sysdig_cspm_role_assignment_for_tenant,
]
}
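Review bot: `azurerm_role_definition.sysdig_cspm_aks_discovery_role[0]` assumes the role definition now also uses `count` with the same `var.is_organizational ? 0 : 1` condition; that resource is outside this hunk, so please confirm the two conditions match, otherwise the organizational path fails with an index error at plan time. Deleting `sysdig_secure_cloud_auth_account_component.azure_aks_discovery_component` also removes the `depends_on` that pulled `sysdig_cspm_role_aks_discovery_for_tenant` and `sysdig_cspm_role_assignment_for_tenant` into the graph; nothing in this diff replaces the component, so check whether the Sysdig backend still needs to be told that AKS discovery was enabled.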
2 changes: 1 addition & 1 deletion modules/vm-workload-scanning/aks-discovery/variables.tf
Expand Up @@ -23,4 +23,4 @@ variable "management_group_ids" {
variable "sysdig_cspm_sp_object_id" {
description = "Object ID of the CSPM SP within the client's infra"
type = string
}
}
2 changes: 1 addition & 1 deletion modules/vm-workload-scanning/aks-discovery/versions.tf
Expand Up @@ -12,7 +12,7 @@ terraform {
}
sysdig = {
source = "sysdiglabs/sysdig"
version = "~> 1.29.2"
version = "~> 1.29"
}
}
}
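Review bot: relaxing `~> 1.29.2` to `~> 1.29` widens the accepted sysdig provider range from 1.29.x patches to any 1.x minor, not just a newer patch release. If the intent is to allow a later minor, `>= 1.29.2, < 2.0.0` keeps the 1.29.2 floor explicit while still permitting upgrades; whichever constraint is chosen should be identical in `modules/vm-workload-scanning/versions.tf` so the two modules resolve the same provider version.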
21 changes: 12 additions & 9 deletions modules/vm-workload-scanning/main.tf
@@ -1,12 +1,13 @@
module "aks_discovery" {
count = var.aks_discovery_permission_grant ? 1 : 0
count = var.aks_enabled ? 1 : 0

source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning/aks-discovery"

sysdig_secure_account_id = var.sysdig_secure_account_id
subscription_id = var.subscription_id
is_organizational = var.is_organizational
management_group_ids = var.management_group_ids

sysdig_cspm_sp_object_id = var.sysdig_cspm_sp_object_id
}

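Review bot: renaming `aks_discovery_permission_grant` to `aks_enabled` is a breaking change for existing callers of the module; a changelog entry or a deprecated alias variable would soften it. Also, `source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning/aks-discovery"` with no `version` fetches the submodule from the registry, so the aks-discovery changes made in this same commit are not exercised until a release is published, and callers can silently pick up whatever version the registry serves; a relative `source = "./aks-discovery"` (or a pinned `version`) avoids both problems.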
Expand Down Expand Up @@ -48,15 +49,19 @@ locals {
}

data "azurerm_role_definition" "storage_file_reader" {
count = var.functions_enabled ? 1 : 0

name = "Storage File Data Privileged Reader"
}

data "azurerm_role_definition" "storage_blob_reader" {
count = var.functions_enabled ? 1 : 0

name = "Storage Blob Data Reader"
}

resource "azurerm_role_definition" "sysdig_vm_workload_scanning_func_app_config_role" {
count = var.is_organizational ? 0 : 1
count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)

name = "sysdig-vm-workload-scanning-workload-function-app-reader-role-${var.subscription_id}"
scope = data.azurerm_subscription.primary.id
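Review bot: the nested ternary `var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)` is repeated on every Functions-related resource in this file; a single local such as `functions_in_subscription = !var.is_organizational && var.functions_enabled ? 1 : 0` reads more easily and keeps the four conditions from drifting apart. The `count` on the two `azurerm_role_definition` data sources is consistent with the `[0]` indexes used downstream, since those are guarded by the same `functions_enabled` flag.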
Expand All @@ -74,7 +79,7 @@ resource "azurerm_role_definition" "sysdig_vm_workload_scanning_func_app_config_
# Assign custom permissions to Sysdig Vm Agentless Workload SP for Accessing AppConfig and Determining where Azure Functions Code is located
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_func_app_config_role_assignment" {
count = var.is_organizational ? 0 : 1
count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)

scope = data.azurerm_subscription.primary.id
role_definition_id = azurerm_role_definition.sysdig_vm_workload_scanning_func_app_config_role[0].role_definition_resource_id
Expand All @@ -85,21 +90,21 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_func_app_config_
# Assign "Storage File Data Privileged Reader" role to Sysdig Vm Agentless Workload SP for Accessing Azure Functions Code
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_file_reader_role_assignment" {
count = var.is_organizational ? 0 : 1
count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)

scope = data.azurerm_subscription.primary.id
role_definition_id = data.azurerm_role_definition.storage_file_reader.role_definition_id
role_definition_id = data.azurerm_role_definition.storage_file_reader[0].role_definition_id
principal_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.object_id
}

#---------------------------------------------------------------------------------------------
# Assign "Storage Blob Data Reader" role to Sysdig Vm Agentless Workload SP for Accessing Azure Functions Code
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_blob_reader_role_assignment" {
count = var.is_organizational ? 0 : 1
count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)

scope = data.azurerm_subscription.primary.id
role_definition_id = data.azurerm_role_definition.storage_blob_reader.role_definition_id
role_definition_id = data.azurerm_role_definition.storage_blob_reader[0].role_definition_id
principal_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.object_id
}

Expand Down Expand Up @@ -133,8 +138,6 @@ resource "sysdig_secure_cloud_auth_account_component" "azure_workload_scanning_c
app_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.client_id
app_owner_organization_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.application_tenant_id
}

aks_discovery_permission_grant = var.aks_discovery_permission_grant
}
})

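Review bot: dropping `aks_discovery_permission_grant` from the component config removes the only place this module told the Sysdig backend whether AKS discovery was granted, and the aks-discovery submodule's own component is deleted in this commit as well; if the backend still expects that flag (or a separate component) the onboarding would silently lose it. Please confirm against the provider's `sysdig_secure_cloud_auth_account_component` schema before merging.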
12 changes: 6 additions & 6 deletions modules/vm-workload-scanning/organizational.tf
Expand Up @@ -17,7 +17,7 @@ locals {
# Create a custom role for accessing function app config
#---------------------------------------------------------------------------------------------
resource "azurerm_role_definition" "sysdig_vm_workload_scanning_func_app_config_role_for_tenant" {
for_each = var.is_organizational ? local.management_groups : []
for_each = var.is_organizational && var.functions_enabled ? local.management_groups : []

name = "sysdig-vm-workload-scanning-function-app-reader-role-for-tenant-${each.key}"
scope = each.key
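Review bot: `var.is_organizational && var.functions_enabled ? local.management_groups : []` is repeated on the four Functions-related resources in this file; computing it once in the existing `locals` block, e.g. `functions_management_groups = var.is_organizational && var.functions_enabled ? local.management_groups : []`, avoids the duplication and makes it harder for one of the four to drift. Operator precedence is fine as written, since `&&` binds tighter than `?:` in HCL.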
Expand Down Expand Up @@ -46,7 +46,7 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_acrpull_for_tena
# Custom role assignment for accessing function app config
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_func_app_config_role_assignment_for_tenant" {
for_each = var.is_organizational ? local.management_groups : []
for_each = var.is_organizational && var.functions_enabled ? local.management_groups : []

scope = each.key
role_definition_id = azurerm_role_definition.sysdig_vm_workload_scanning_func_app_config_role_for_tenant[each.key].role_definition_resource_id
Expand All @@ -58,10 +58,10 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_func_app_config_
# Storage File Data Privileged Reader
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_file_reader_role_assignment_for_tenant" {
for_each = var.is_organizational ? local.management_groups : []
for_each = var.is_organizational && var.functions_enabled ? local.management_groups : []

scope = each.key
role_definition_id = data.azurerm_role_definition.storage_file_reader.role_definition_id
role_definition_id = data.azurerm_role_definition.storage_file_reader[0].role_definition_id
principal_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.object_id
}

Expand All @@ -70,9 +70,9 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_file_reader_role
# Storage Blob Data Reader
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_blob_reader_role_assignment_for_tenant" {
for_each = var.is_organizational ? local.management_groups : []
for_each = var.is_organizational && var.functions_enabled ? local.management_groups : []

scope = each.key
role_definition_id = data.azurerm_role_definition.storage_blob_reader.role_definition_id
role_definition_id = data.azurerm_role_definition.storage_blob_reader[0].role_definition_id
principal_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.object_id
}
14 changes: 10 additions & 4 deletions modules/vm-workload-scanning/variables.tf
Expand Up @@ -20,13 +20,19 @@ variable "management_group_ids" {
default = []
}

variable "aks_discovery_permission_grant" {
variable "aks_enabled" {
description = "(Optional) Set this field to 'true' to grant AKS discovery permissions to the secure-posture service principal."
type = bool
default = false
}

variable "sysdig_cspm_sp_object_id" {
description = "Object ID of the CSPM SP within the client's infra"
type = string
variable "functions_enabled" {
description = "(Optional) Set this field to 'true' to grant Functions Storage permissions to the secure-vm-workload-scanning service principal."
type = bool
default = false
}

variable "sysdig_cspm_sp_object_id" {
description = "Object ID of the CSPM SP within the client's infra"
type = string
}
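Review bot: `sysdig_cspm_sp_object_id` has no default and is therefore required even when `aks_enabled` is false, although the only consumer visible in this commit is the `aks_discovery` submodule. Consider `default = null` together with a `validation` block (or a precondition) that demands a value only when `aks_enabled` is true, so users who do not want AKS discovery are not forced to wire in the config-posture module first. The README row for `aks_enabled` should also carry the same "(Optional)" wording as this description.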
2 changes: 1 addition & 1 deletion modules/vm-workload-scanning/versions.tf
Expand Up @@ -12,7 +12,7 @@ terraform {
}
sysdig = {
source = "sysdiglabs/sysdig"
version = "~> 1.29.2"
version = "~> 1.29"
}
}
}
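Review bot: as with the aks-discovery `versions.tf` change in this commit, `~> 1.29` accepts any sysdig provider 1.x minor, whereas `~> 1.29.2` only accepted 1.29 patch releases; if the wider range is intended, `>= 1.29.2, < 2.0.0` states the floor explicitly, and the two modules should keep identical constraints.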
Expand Up @@ -9,6 +9,11 @@ module "vm-workload-scanning" {
sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
is_organizational = module.onboarding.is_organizational
management_group_ids = module.onboarding.management_group_ids

sysdig_cspm_sp_object_id = module.config-posture.sysdig_cspm_sp_object_id

aks_enabled = true
functions_enabled = true
}

resource "sysdig_secure_cloud_auth_account_feature" "vm-workload-scanning-aca-aci" {
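Review bot: the example sets `aks_enabled = true` and `functions_enabled = true` unconditionally, while both default to false in the module. `aks_enabled` grants the CSPM service principal `Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action`, which hands out cluster-admin credentials for every AKS cluster in scope, so the example should note that both flags are opt-in and only needed when AKS discovery or Functions scanning is actually used, rather than presenting them as the baseline configuration.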