feat(event-hub): add aad diagnostic settings (SSPROD-38091) (#31)

* add entra logs in main * add variable for entra logs * disable retention policy * remove providers * added sub hash also to entra ds * update readme * default to false for entra * update readme * fix enable entra condition * remove providers added for testing
sysdiglabs · Apr 12, 2024 · f305bfe · f305bfe
1 parent 0e2a4ab
commit f305bfe
Show file tree

Hide file tree

Showing 3 changed files with 156 additions and 3 deletions.
diff --git a/modules/services/event-hub-data-source/README.md b/modules/services/event-hub-data-source/README.md
@@ -20,8 +20,9 @@ The following resources will be created in each instrumented account:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.45.0 |
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.76.0 |
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.47.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.94.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.0 |
 
 ## Modules
 
@@ -36,9 +37,16 @@ No modules.
 | [azurerm_eventhub_consumer_group.sysdig_consumer_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_consumer_group) | resource |
 | [azurerm_eventhub_namespace.sysdig_event_hub_namespace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace) | resource |
 | [azurerm_eventhub_namespace_authorization_rule.sysdig_rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace_authorization_rule) | resource |
+| [azurerm_monitor_aad_diagnostic_setting.sysdig_entra_diagnostic_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_aad_diagnostic_setting) | resource |
 | [azurerm_monitor_diagnostic_setting.sysdig_diagnostic_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
+| [azurerm_monitor_diagnostic_setting.sysdig_org_diagnostic_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
 | [azurerm_resource_group.sysdig_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.sysdig_data_receiver](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_management_group.onboarded_management_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
+| [azurerm_management_group.root_management_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
+| [azurerm_subscription.onboarded_subscriptions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_subscription.sysdig_subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 
 ## Inputs
@@ -48,9 +56,13 @@ No modules.
 | <a name="input_auto_inflate_enabled"></a> [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
 | <a name="input_consumer_group_name"></a> [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
 | <a name="input_diagnostic_settings_name"></a> [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
+| <a name="input_enable_entra"></a> [enable\_entra](#input\_enable\_entra) | (Optional) Used to enable or disable Entra logs, defaults to false. | `bool` | `false` | no |
+| <a name="input_entra_diagnostic_settings_name"></a> [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
 | <a name="input_event_hub_name"></a> [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
-| <a name="input_event_hub_namespace_name"></a> [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
+| <a name="input_event_hub_namespace_name"></a> [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | n/a | yes |
 | <a name="input_eventhub_authorization_rule_name"></a> [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
+| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
 | <a name="input_maximum_throughput_units"></a> [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
 | <a name="input_message_retention_days"></a> [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
 | <a name="input_namespace_sku"></a> [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |

diff --git a/modules/services/event-hub-data-source/main.tf b/modules/services/event-hub-data-source/main.tf
@@ -117,3 +117,132 @@ resource "azurerm_monitor_diagnostic_setting" "sysdig_diagnostic_setting" {
     category = "Policy"
   }
 }
+
+resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting" {
+  count = var.enable_entra ? 1 : 0
+
+  name               = "${var.entra_diagnostic_settings_name}-${local.subscription_hash}"
+  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
+  eventhub_name                  = azurerm_eventhub.sysdig_event_hub.name
+
+  enabled_log {
+    category = "AuditLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "SignInLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "NonInteractiveUserSignInLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "ServicePrincipalSignInLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "ManagedIdentitySignInLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "ProvisioningLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "ADFSSignInLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "RiskyUsers"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "UserRiskEvents"
+
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "NetworkAccessTrafficLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "RiskyServicePrincipals"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "ServicePrincipalRiskEvents"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "EnrichedOffice365AuditLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "MicrosoftGraphActivityLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  enabled_log {
+    category = "RemoteNetworkHealthLogs"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+}
diff --git a/modules/services/event-hub-data-source/variables.tf b/modules/services/event-hub-data-source/variables.tf
@@ -84,6 +84,12 @@ variable "diagnostic_settings_name" {
   default = "sysdig-diagnostic-settings"
 }
 
+variable "entra_diagnostic_settings_name" {
+  type = string
+  description = "Name of the Entra diagnostic settings to be created"
+  default = "sysdig-entra-diagnostic-settings"
+}
+
 variable "is_organizational" {
   description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant."
   type        = bool
@@ -95,3 +101,9 @@ variable "management_group_ids" {
   type        = set(string)
   default     = []
 }
+
+variable "enable_entra" {
+  description = "(Optional) Used to enable or disable Entra logs, defaults to false."
+  type        = bool
+  default     = false
+}