feat: add permissions for aks agentless discovery (#38)

sysdiglabs · Jun 5, 2024 · 103f8f1 · 103f8f1
1 parent 2c5236a
commit 103f8f1
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/modules/services/service-principal/README.md b/modules/services/service-principal/README.md
@@ -55,6 +55,7 @@ No modules.
 | <a name="input_sysdig_client_id"></a> [sysdig\_client\_id](#input\_sysdig\_client\_id) | The application ID of the service client in the Sysdig tenant. Service principal will be created for this application client ID | `string` | n/a | yes |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all subscriptions of tenant) or not (only on default azure provider subscription) | `bool` | `false` | no |
 | <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
+| <a name="agentless_aks_connection_enabled"></a> [agentless\_aks\_connection\_enabled](#input\_agentless\_aks\_connection\_enabled) | true/false whether secure-for-cloud should be deployed with access to the Azure AKS clusters | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/modules/services/service-principal/main.tf b/modules/services/service-principal/main.tf
@@ -6,6 +6,14 @@ data "azurerm_subscription" "primary" {
   subscription_id = var.subscription_id
 }
 
+
+locals {
+  sysdig_cspm_role_default_permissions_actions = ["Microsoft.Web/sites/config/list/action"]
+  agentless_aks_connection_permissions_actions = var.agentless_aks_connection_enabled ? ["Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"] : []
+
+  sysdig_cspm_role_permissions_actions = tolist(setunion(local.sysdig_cspm_role_default_permissions_actions, local.agentless_aks_connection_permissions_actions))
+}
+
 #---------------------------------------------------------------------------------------------
 # Create service principal in customer tenant
 #
@@ -50,9 +58,7 @@ resource "azurerm_role_definition" "sysdig_cspm_role" {
   description = "Custom role for collecting Authsettings for CIS Benchmark"
 
   permissions {
-    actions = [
-      "Microsoft.Web/sites/config/list/action"
-    ]
+    actions     = local.sysdig_cspm_role_permissions_actions
     not_actions = []
   }
 
@@ -68,4 +74,4 @@ resource "azurerm_role_assignment" "sysdig_cspm_role_assignment" {
   scope              = data.azurerm_subscription.primary.id
   role_definition_id = azurerm_role_definition.sysdig_cspm_role.role_definition_resource_id
   principal_id       = azuread_service_principal.sysdig_sp.object_id
-}
+}
diff --git a/modules/services/service-principal/variables.tf b/modules/services/service-principal/variables.tf
@@ -19,3 +19,9 @@ variable "management_group_ids" {
   type        = set(string)
   default     = []
 }
+
+variable "agentless_aks_connection_enabled" {
+  type        = bool
+  description = "Enable the Agentless AKS connection to the K8s clusters within the cloud. This allows admin access. Read more about why this is needed in the official docs."
+  default     = false
+}