Add support for Azure Org Onboarding using service-principal (#8)
* Add support for Azure Org Onboarding using service-principal

  Change summary:
  - Supporting single vs org resources creation (using is_organizational)
  - Role assignments for Root Mgmt Group at Tenant level
  - Added README.md for the service-principal module
  - Updated sysdig provider version

  Pending:
  Add support for conditional creation of azuread sp resource

* Parameterize mgmt group with default and handle SP creation
* Fix resource naming and indexing
* Add org test and cleanup single subscription test
* Prevent unintended SP deletes
1 parent 8d60bed, commit cad1e6c. Showing 7 changed files with 235 additions and 13 deletions.
@@ -0,0 +1,73 @@ | ||
# Azure Service Prinicpal Module | ||
|
||
This module will deploy a Service Principal in Azure for a single subscription, or for an Azure Tenant. | ||
|
||
The following resources will be created: | ||
- A Service Principal in your tenant, associated with the application ID of the service client in the Sysdig tenant. | ||
- Role assignments with associated role permissions to grant Sysdig read only permissions to secure your Azure subscription, or Azure Tenant. | ||
|
||
If instrumenting an Azure Tenant, the role assignments will be created at the Root Management Group level by default for the Tenant. | ||
|
||
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 | | ||
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.76.0 | | ||
| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | >= 2.43.0 | | ||
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.18.0 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.76.0 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [azuread_service_principal.sysdig_sp](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | | ||
| [azurerm_role_assignment.sysdig_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| [azurerm_role_assignment.sysdig_k8s_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| [azurerm_role_assignment.sysdig_vm_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| [azurerm_role_assignment.sysdig_reader_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| [azurerm_role_assignment.sysdig_k8s_reader_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| [azurerm_role_assignment.sysdig_vm_user_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| [azurerm_subscription.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | ||
| [azurerm_management_group.sysdig_management_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | The identifier of the Azure Subscription in which to create a trust relationship | `string` | n/a | yes | | ||
| <a name="input_sysdig_client_id"></a> [sysdig\_client\_id](#input\_sysdig\_client\_id) | The application ID of the service client in the Sysdig tenant. Service principal will be created for this application client ID | `string` | n/a | yes | | ||
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all subscriptions of tenant) or not (only on default azure provider subscription) | `bool` | `false` | no | | ||
| <a name="input_management_group"></a> [management\_group](#input\_management\_group) | Display name of the Azure Management Group. secure-for-cloud will be deployed to all subscriptions under this management group | `string` | `"Tenant Root Group"` | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_service_principal_display_name"></a> [service\_principal\_display\_name](#output\_service\_principal\_display\_name) | Display name of the Service Principal created | | ||
| <a name="output_service_principal_client_id"></a> [service\_principal\_client\_id](#output\_service\_principal\_client\_id) | Client ID of the Service Principal created | | ||
| <a name="output_service_principal_id"></a> [service\_principal\_id](#output\_service\_principal\_id) | Service Principal ID on the customer tenant | | ||
| <a name="output_service_principal_app_display_name"></a> [service\_principal\_app\_display\_name](#output\_service\_principal\_app\_display\_name) | Display name of the Application created | | ||
| <a name="output_service_principal_app_owner_organization_id"></a> [service\_principal\_app\_owner\_organization\_id](#output\_service\_principal\_app\_owner\_organization\_id) | Organization ID of the Application created | | ||
| <a name="output_subscription_tenant_id"></a> [subscription\_tenant\_id](#output\_subscription\_tenant\_id) | Tenant ID of the Subscription | | ||
| <a name="output_subscription_alias"></a> [subscription\_alias](#output\_subscription\_alias) | Display name of the subscription | | ||
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
|
||
## Authors | ||
|
||
Module is maintained by [Sysdig](https://sysdig.com). | ||
|
||
## License | ||
|
||
Apache 2 Licensed. See LICENSE for full details. |
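Review bot: the sentence "Role assignments with associated role permissions to grant Sysdig read only permissions" does not match the roles the module actually assigns: "Virtual Machine User Login" and "Azure Kubernetes Service Cluster User Role" (both in the Resources table) grant actions beyond read, namely logging in to VMs as a standard user and listing AKS cluster user credentials. State the three built-in roles by name and what each allows instead of calling the grant read-only, so a reviewer of the customer tenant can judge the blast radius. Two smaller points in the same hunk: the heading "# Azure Service Prinicpal Module" misspells "Principal", and the generated Providers table lists only azurerm although the Resources table contains azuread_service_principal.sysdig_sp, so the docs-hook output looks stale and should be regenerated.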
@@ -0,0 +1,40 @@ | ||
#--------------------------------------------------------------------------------------------- | ||
# Fetch the management group for customer tenant and onboard subscriptions under it | ||
#--------------------------------------------------------------------------------------------- | ||
data "azurerm_management_group" "sysdig_management_group" { | ||
count = var.is_organizational ? 1 : 0 | ||
display_name = var.management_group | ||
} | ||
|
||
#--------------------------------------------------------------------------------------------- | ||
# Assign "Reader" role to Sysdig SP for customer tenant | ||
#--------------------------------------------------------------------------------------------- | ||
resource "azurerm_role_assignment" "sysdig_reader_for_tenant" { | ||
count = var.is_organizational ? 1 : 0 | ||
|
||
scope = data.azurerm_management_group.sysdig_management_group[0].id | ||
role_definition_name = "Reader" | ||
principal_id = azuread_service_principal.sysdig_sp.object_id | ||
} | ||
|
||
#--------------------------------------------------------------------------------------------- | ||
# Assign "Azure Kubernetes Service Cluster User Role" role to Sysdig SP for customer tenant | ||
#--------------------------------------------------------------------------------------------- | ||
resource "azurerm_role_assignment" "sysdig_k8s_reader_for_tenant" { | ||
count = var.is_organizational ? 1 : 0 | ||
|
||
scope = data.azurerm_management_group.sysdig_management_group[0].id | ||
role_definition_name = "Azure Kubernetes Service Cluster User Role" | ||
principal_id = azuread_service_principal.sysdig_sp.object_id | ||
} | ||
|
||
#--------------------------------------------------------------------------------------------- | ||
# Assign "Virtual Machine User Login" role to Sysdig SP for customer tenant | ||
#--------------------------------------------------------------------------------------------- | ||
resource "azurerm_role_assignment" "sysdig_vm_user_for_tenant" { | ||
count = var.is_organizational ? 1 : 0 | ||
|
||
scope = data.azurerm_management_group.sysdig_management_group[0].id | ||
role_definition_name = "Virtual Machine User Login" | ||
principal_id = azuread_service_principal.sysdig_sp.object_id | ||
} |
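Review bot: the data source resolves the target group with `display_name = var.management_group`, and the README default for that variable is "Tenant Root Group"; display names are not guaranteed unique in a tenant and the root group's actual name is its ID, so the lookup can fail or resolve to an unintended group wherever the display name has been changed or reused. Prefer accepting the management group name (ID) and using the data source's `name` argument, or at minimum document the display-name assumption next to the variable. Also worth confirming: when `is_organizational` is true, the subscription-scoped assignments (sysdig_reader, sysdig_k8s_reader, sysdig_vm_user in the README Resources table) should be skipped, because the three management-group assignments here are inherited by every subscription under the group and duplicate assignments only add noise to role-assignment audits.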
@@ -12,7 +12,7 @@ terraform { | |
} | ||
sysdig = { | ||
source = "sysdiglabs/sysdig" | ||
version = ">= 1.15.0" | ||
version = ">= 1.18.0" | ||
} | ||
} | ||
} |
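Review bot: the constraint moves from `>= 1.15.0` to `>= 1.18.0` but stays open-ended, so a future major release of sysdiglabs/sysdig with breaking changes would still be selected by `terraform init`; a pessimistic constraint such as `~> 1.18` keeps the new minimum while excluding 2.x. If the bump is required by a resource or attribute the new module uses (the README requirements table also states >= 1.18.0), naming it in the commit message would let reviewers trace the dependency.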
@@ -0,0 +1,77 @@ | ||
provider "azurerm" { | ||
features {} | ||
} | ||
terraform { | ||
required_providers { | ||
sysdig = { | ||
source = "local/sysdiglabs/sysdig" | ||
version = "~> 1.0.0" | ||
} | ||
} | ||
} | ||
|
||
provider "sysdig" { | ||
sysdig_secure_url = "https://secure-staging.sysdig.com" | ||
sysdig_secure_api_token = "<client_secret>" | ||
} | ||
|
||
module "organization-posture" { | ||
source = "../modules/services/service-principal" | ||
subscription_id = "test-azure-provider" | ||
sysdig_client_id = "<sysdig_application_client_id>" | ||
is_organizational = true | ||
} | ||
|
||
resource "sysdig_secure_cloud_auth_account" "azure_subscription_test" { | ||
enabled = true | ||
provider_id = "test-azure-provider" | ||
provider_type = "PROVIDER_AZURE" | ||
provider_tenant_id = module.organization-posture.subscription_tenant_id | ||
provider_alias = module.organization-posture.subscription_alias | ||
|
||
feature { | ||
|
||
secure_config_posture { | ||
enabled = true | ||
components = ["COMPONENT_SERVICE_PRINCIPAL/secure-posture"] | ||
} | ||
} | ||
component { | ||
type = "COMPONENT_SERVICE_PRINCIPAL" | ||
instance = "secure-posture" | ||
service_principal_metadata = jsonencode({ | ||
azure = { | ||
active_directory_service_principal = { | ||
account_enabled = true | ||
display_name = module.organization-posture.service_principal_display_name | ||
id = module.organization-posture.service_principal_id | ||
app_display_name = module.organization-posture.service_principal_app_display_name | ||
app_id = module.organization-posture.service_principal_client_id | ||
app_owner_organization_id = module.organization-posture.service_principal_app_owner_organization_id | ||
} | ||
} | ||
}) | ||
} | ||
component { | ||
type = "COMPONENT_SERVICE_PRINCIPAL" | ||
instance = "secure-onboarding" | ||
service_principal_metadata = jsonencode({ | ||
azure = { | ||
active_directory_service_principal = { | ||
account_enabled = true | ||
display_name = module.organization-posture.service_principal_display_name | ||
id = module.organization-posture.service_principal_id | ||
app_display_name = module.organization-posture.service_principal_app_display_name | ||
app_id = module.organization-posture.service_principal_client_id | ||
app_owner_organization_id = module.organization-posture.service_principal_app_owner_organization_id | ||
} | ||
} | ||
}) | ||
} | ||
depends_on = [module.organization-posture] | ||
} | ||
|
||
resource "sysdig_secure_organization" "azure_organization_test" { | ||
management_account_id = sysdig_secure_cloud_auth_account.azure_subscription_test.id | ||
depends_on = [module.organization-posture] | ||
} |
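Review bot: `sysdig_secure_api_token = "<client_secret>"` puts the API token directly in the provider block of a committed file; even as a placeholder this invites someone to paste a real token there and commit it. Move it to a `variable` with `sensitive = true` or to the provider's environment-variable configuration. Two inconsistencies will keep this test from running against the published provider: `required_providers` here pins `local/sysdiglabs/sysdig` at `~> 1.0.0` while the module's versions.tf requires `sysdiglabs/sysdig >= 1.18.0`, which is a different provider address and a disjoint version range; and `subscription_id = "test-azure-provider"` is passed where the module documents an Azure Subscription identifier. Minor: `depends_on = [module.organization-posture]` on both resources is redundant, since each already depends on the module through its outputs (directly, or via `sysdig_secure_cloud_auth_account.azure_subscription_test.id`), and the two identical `service_principal_metadata` blocks could be a single `local`.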