-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SSPROD-48175] VM Workload Scanning Component with Azure AKS discover…
…y sub-module (#67) * First version of AKS sub-module * Some fixes * Adding component for aks-discovery * Making sure that AKS discovery is baked into the vm workload scanning component * Fixing path * Comments from code review * nitpick
- Loading branch information
1 parent
84e15de
commit 80a654a
Showing
11 changed files
with
236 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| # Azure AKS Discovery Submodule | ||
|
|
||
| This module create a custom role definition with full Kubernetes management permissions and assign it to the service principal created within the client's infrastructure for secure-posture. | ||
|
|
||
| These permissions are required in order to enable CSPM to fully discover AKS clusters within Azure. | ||
|
|
||
| If instrumenting an Azure subscription, the following resources will be created: | ||
| - A custom role for full kubernetes cluster management | ||
| - A role assignment for the above role against secure-posture Service principal created during foundational onboarding | ||
|
|
||
| If instrumenting an Azure Tenant, the following resources will be created: | ||
| - Role definitions for full kubernetes cluster management for each management group selected | ||
| - Role assignments for the above roles against secure-posture Service principal created during foundational onboarding | ||
|
|
||
| <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
| ## Requirements | ||
|
|
||
| | Name | Version | | ||
| |------|-----------| | ||
| | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 | | ||
| | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.76.0 | | ||
| | <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | >= 2.43.0 | | ||
| | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.29.2 | | ||
|
|
||
| ## Providers | ||
|
|
||
| | Name | Version | | ||
| |------|---------| | ||
| | <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.76.0 | | ||
|
|
||
| ## Modules | ||
|
|
||
| No modules. | ||
|
|
||
| ## Resources | ||
|
|
||
| | Name | Type | | ||
| |------|------| | ||
| | [azurerm_role_definition.sysdig_cspm_aks_discovery_role](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | | ||
| | [azurerm_role_assignment.sysdig_cspm_role_aks_discovery_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | | ||
| | [azurerm_role_definition.sysdig_cspm_role_aks_discovery_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | | ||
| | [azurerm_role_assignment.sysdig_cspm_role_assignment_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Description | Type | Default | Required | | ||
| |------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:| | ||
| | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes | | ||
| | <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create secure-for-cloud onboarding resources | `string` | n/a | yes | | ||
| | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant | `bool` | `false` | no | | ||
| | <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups | `set(string)` | `[]` | no | | ||
| | <a name="sysdig_cspm_sp_object_id"></a> [management\_group\_ids](#input\_management\_group\_ids) | Object ID of the CSPM SP within the client's infra | `string` | `[]` | yes | | ||
|
|
||
| <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
|
|
||
| ## Authors | ||
|
|
||
| Module is maintained by [Sysdig](https://sysdig.com). | ||
|
|
||
| ## License | ||
|
|
||
| Apache 2 Licensed. See LICENSE for full details. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| #--------------------------------------------------------------------------------------------- | ||
| # Fetch the subscription data | ||
| #--------------------------------------------------------------------------------------------- | ||
| data "azurerm_subscription" "primary" { | ||
| subscription_id = var.subscription_id | ||
| } | ||
|
|
||
| locals { | ||
| agentless_aks_connection_permissions_actions = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action" | ||
| } | ||
|
|
||
| #--------------------------------------------------------------------------------------------- | ||
| # Create a Custom role for collecting authsettings | ||
| #--------------------------------------------------------------------------------------------- | ||
| resource "azurerm_role_definition" "sysdig_cspm_aks_discovery_role" { | ||
| count = var.is_organizational ? 0 : 1 | ||
|
|
||
| name = "sysdig-cspm-role-aks-discovery-${var.subscription_id}" | ||
| scope = data.azurerm_subscription.primary.id | ||
| description = "Custom role for AKS Discovery" | ||
|
|
||
| permissions { | ||
| actions = local.agentless_aks_connection_permissions_actions | ||
| not_actions = [] | ||
| } | ||
|
|
||
| assignable_scopes = [ | ||
| data.azurerm_subscription.primary.id, | ||
| ] | ||
| } | ||
|
|
||
| #--------------------------------------------------------------------------------------------- | ||
| # Custom role assignment for AKS Discovery | ||
| #--------------------------------------------------------------------------------------------- | ||
| resource "azurerm_role_assignment" "sysdig_cspm_role_aks_discovery_assignment" { | ||
| count = var.is_organizational ? 0 : 1 | ||
|
|
||
| scope = data.azurerm_subscription.primary.id | ||
| role_definition_id = azurerm_role_definition.sysdig_cspm_aks_discovery_role.role_definition_resource_id | ||
| principal_id = var.sysdig_cspm_sp_object_id | ||
| } | ||
|
|
||
| resource "sysdig_secure_cloud_auth_account_component" "azure_aks_discovery_component" { | ||
| account_id = var.sysdig_secure_account_id | ||
| type = "COMPONENT_UNSPECIFIED" | ||
| instance = "secure-aks-discovery" | ||
|
|
||
| depends_on = [azurerm_role_definition.sysdig_cspm_aks_discovery_role, | ||
| azurerm_role_assignment.sysdig_cspm_role_aks_discovery_assignment, | ||
| azurerm_role_definition.sysdig_cspm_role_aks_discovery_for_tenant, | ||
| azurerm_role_assignment.sysdig_cspm_role_assignment_for_tenant, | ||
| ] | ||
| } |
41 changes: 41 additions & 0 deletions
41
modules/vm-workload-scanning/aks-discovery/organizational.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| #--------------------------------------------------------------------------------------------- | ||
| # Fetch the management groups for customer tenant and onboard subscriptions under them | ||
| #--------------------------------------------------------------------------------------------- | ||
| data "azurerm_management_group" "root_management_group" { | ||
| count = var.is_organizational && length(var.management_group_ids) == 0 ? 1 : 0 | ||
| display_name = "Tenant Root Group" | ||
| } | ||
|
|
||
| locals { | ||
| # when empty, this will be the root management group whose default display name is "Tenant root group" | ||
| management_groups = var.is_organizational && length(var.management_group_ids) == 0 ? [data.azurerm_management_group.root_management_group[0].id] : toset( | ||
| [for m in var.management_group_ids : format("%s/%s", "/providers/Microsoft.Management/managementGroups", m)]) | ||
| } | ||
|
|
||
| resource "azurerm_role_definition" "sysdig_cspm_role_aks_discovery_for_tenant" { | ||
| for_each = var.is_organizational ? local.management_groups : [] | ||
|
|
||
| name = "sysdig_cspm_role_for_tenant_${each.key}" | ||
| scope = each.key | ||
| description = "Custom role for collecting Authsettings for CIS Benchmark" | ||
|
|
||
| permissions { | ||
| actions = local.agentless_aks_connection_permissions_actions | ||
| not_actions = [] | ||
| } | ||
|
|
||
| assignable_scopes = [ | ||
| each.key, | ||
| ] | ||
| } | ||
|
|
||
| #--------------------------------------------------------------------------------------------- | ||
| # Custom role assignment for collecting authsettings | ||
| #--------------------------------------------------------------------------------------------- | ||
| resource "azurerm_role_assignment" "sysdig_cspm_role_assignment_for_tenant" { | ||
| for_each = var.is_organizational ? local.management_groups : [] | ||
|
|
||
| scope = each.key | ||
| role_definition_id = azurerm_role_definition.sysdig_cspm_role_aks_discovery_for_tenant[each.key].role_definition_resource_id | ||
| principal_id = var.sysdig_cspm_sp_object_id | ||
| } |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| variable "sysdig_secure_account_id" { | ||
| type = string | ||
| description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)" | ||
| } | ||
|
|
||
| variable "subscription_id" { | ||
| type = string | ||
| description = "Subscription ID in which to create secure-for-cloud onboarding resources" | ||
| } | ||
|
|
||
| variable "is_organizational" { | ||
| description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant." | ||
| type = bool | ||
| default = false | ||
| } | ||
|
|
||
| variable "management_group_ids" { | ||
| description = "(Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups." | ||
| type = set(string) | ||
| default = [] | ||
| } | ||
|
|
||
| variable "sysdig_cspm_sp_object_id" { | ||
| description = "Object ID of the CSPM SP within the client's infra" | ||
| type = string | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| terraform { | ||
| required_version = ">= 1.0.0" | ||
|
|
||
| required_providers { | ||
| azurerm = { | ||
| source = "hashicorp/azurerm" | ||
| version = ">= 3.76.0" | ||
| } | ||
| azuread = { | ||
| source = "hashicorp/azuread" | ||
| version = ">= 2.43.0" | ||
| } | ||
| sysdig = { | ||
| source = "sysdiglabs/sysdig" | ||
| version = "~> 1.29.2" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,7 +12,7 @@ terraform { | |
| } | ||
| sysdig = { | ||
| source = "sysdiglabs/sysdig" | ||
| version = ">= 1.29.2" | ||
| version = "~> 1.29.2" | ||
| } | ||
| } | ||
| } | ||