From 103f8f1afa4c942bcfde11ec036bcc7170521981 Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Wed, 5 Jun 2024 09:17:33 +0200
Subject: [PATCH] feat: add permissions for aks agentless discovery (#38)

---
 modules/services/service-principal/README.md | 1 +
 modules/services/service-principal/main.tf | 14 ++++++++++----
 modules/services/service-principal/variables.tf | 6 ++++++
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/modules/services/service-principal/README.md b/modules/services/service-principal/README.md
index df1f8c5..5400367 100644
--- a/modules/services/service-principal/README.md
+++ b/modules/services/service-principal/README.md
@@ -55,6 +55,7 @@ No modules.
 | [sysdig\_client\_id](#input\_sysdig\_client\_id) | The application ID of the service client in the Sysdig tenant. Service principal will be created for this application client ID | `string` | n/a | yes |
 | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all subscriptions of tenant) or not (only on default azure provider subscription) | `bool` | `false` | no |
 | [management\_group\_ids](#input\_management\_group\_ids) | List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
+| [agentless\_aks\_connection\_enabled](#input\_agentless\_aks\_connection\_enabled) | true/false whether secure-for-cloud should be deployed with access to the Azure AKS clusters | `bool` | `false` | no |
 
 ## Outputs
 
diff --git a/modules/services/service-principal/main.tf b/modules/services/service-principal/main.tf
index 6b9b067..c3d04ad 100644
--- a/modules/services/service-principal/main.tf
+++ b/modules/services/service-principal/main.tf
@@ -6,6 +6,14 @@ data "azurerm_subscription" "primary" {
   subscription_id = var.subscription_id
 }
 
+
+locals {
+  sysdig_cspm_role_default_permissions_actions = ["Microsoft.Web/sites/config/list/action"]
+  agentless_aks_connection_permissions_actions = var.agentless_aks_connection_enabled ? ["Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"] : []
+
+  sysdig_cspm_role_permissions_actions = tolist(setunion(local.sysdig_cspm_role_default_permissions_actions, local.agentless_aks_connection_permissions_actions))
+}
+
 #---------------------------------------------------------------------------------------------
 # Create service principal in customer tenant
 #
@@ -50,9 +58,7 @@ resource "azurerm_role_definition" "sysdig_cspm_role" {
   description = "Custom role for collecting Authsettings for CIS Benchmark"
 
   permissions {
-    actions = [
-      "Microsoft.Web/sites/config/list/action"
-    ]
+    actions = local.sysdig_cspm_role_permissions_actions
     not_actions = []
   }
 
@@ -68,4 +74,4 @@ resource "azurerm_role_assignment" "sysdig_cspm_role_assignment" {
   scope = data.azurerm_subscription.primary.id
   role_definition_id = azurerm_role_definition.sysdig_cspm_role.role_definition_resource_id
   principal_id = azuread_service_principal.sysdig_sp.object_id
-}
\ No newline at end of file
+}
diff --git a/modules/services/service-principal/variables.tf b/modules/services/service-principal/variables.tf
index e26f75b..73f14ae 100644
--- a/modules/services/service-principal/variables.tf
+++ b/modules/services/service-principal/variables.tf
@@ -19,3 +19,9 @@ variable "management_group_ids" {
   type = set(string)
   default = []
 }
+
+variable "agentless_aks_connection_enabled" {
+  type = bool
+  description = "Enable the Agentless AKS connection to the K8s clusters within the cloud. This allows admin access. Read more about why this is needed in the official docs."
+  default = false
+}
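Review bot: The action added in `agentless_aks_connection_permissions_actions`, `Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action`, returns the cluster-admin kubeconfig, so turning the flag on gives the service principal full control of every AKS cluster in the subscription rather than read-only discovery, and nothing in the new `locals` block says so. If discovery can work with user-level credentials, `Microsoft.ContainerService/managedClusters/listClusterUserCredential/action` is the narrower grant — worth confirming against what the backend actually requests before shipping the admin variant. Whichever action is kept, a comment above the local would save the next reader the lookup, e.g. `# Retrieves the cluster-admin kubeconfig for every AKS cluster in scope; only granted when var.agentless_aks_connection_enabled is true.` A minor point: `tolist(setunion(...))` yields lexically sorted order, so the role's action list will not follow the literal order written here — harmless, but a one-line comment avoids a surprise in plan output.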
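Review bot: The role's `description` on the line above the `permissions` block still reads "Custom role for collecting Authsettings for CIS Benchmark", but with `actions = local.sysdig_cspm_role_permissions_actions` the same role can now also carry the AKS cluster-admin credential action, so anyone auditing role definitions in the portal will be misled about what it grants. Suggest `description = "Custom role for collecting Authsettings for CIS Benchmark and, when agentless AKS discovery is enabled, AKS cluster credentials"`. The `azurerm_role_definition` resource opens before this hunk and its remaining attributes are outside it.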
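Review bot: The new variable's `description` points to "the official docs" without naming them and does not state which permission the flag adds, so an operator reading the generated README cannot judge the grant before enabling it. Suggest `description = "Enable the Agentless AKS connection to the K8s clusters within the cloud. Adds Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action to the CSPM role, i.e. cluster-admin access to every AKS cluster in scope. See <DOCS-URL-PLACEHOLDER> for why this is needed."` with the placeholder replaced by the actual link. Keeping the README table row in sync with that wording would be consistent with how the other inputs are documented.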