From 917593eaab7304a2571a76cf02b21abe296165a4 Mon Sep 17 00:00:00 2001
From: Sanja Kosier <43904019+SKosier@users.noreply.github.com>
Date: Mon, 2 Sep 2024 16:39:37 +0200
Subject: [PATCH] feat(azure): customize entra and platform logs (SSPROD-43735)
(#52)
---
modules/integrations/event-hub/README.md | 47 +++----
modules/integrations/event-hub/main.tf | 145 ++------------------
modules/integrations/event-hub/variables.tf | 14 +-
3 files changed, 52 insertions(+), 154 deletions(-)
diff --git a/modules/integrations/event-hub/README.md b/modules/integrations/event-hub/README.md
index 0fa2fd6..f9334f8 100644
--- a/modules/integrations/event-hub/README.md
+++ b/modules/integrations/event-hub/README.md
@@ -59,29 +59,30 @@ No modules.
## Inputs
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
-| [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
-| [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
-| [enable\_entra](#input\_enable\_entra) | (Optional) Used to enable or disable Entra logs, defaults to true. | `bool` | `true` | no |
-| [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
-| [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
-| [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
-| [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
-| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
-| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
-| [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
-| [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
-| [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |
-| [partition\_count](#input\_partition\_count) | The number of partitions in the Event Hub | `number` | `4` | no |
-| [region](#input\_region) | Datacenter where Sysdig-related resources will be created | `string` | n/a | yes |
-| [resource\_group](#input\_resource\_group) | Name of the existing resource group | `string` | `null` | no |
-| [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group to be created | `string` | `"sysdig-resource-group"` | no |
-| [subscription\_id](#input\_subscription\_id) | Identifier of the subscription to be onboarded | `string` | n/a | yes |
-| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
-| [throughput\_units](#input\_throughput\_units) | The number of throughput units to be allocated to the Event Hub | `number` | `1` | no |
-
+| Name | Description | Type | Default | Required |
+|------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------|:--------:|
+| [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
+| [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
+| [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
+| [enable\_entra](#input\_enable\_entra) | (Deprecated, see [enabled_entra_logs](#input\_enabled\_entra\_logs)) Used to enable or disable Entra logs, defaults to true. | `bool` | `true` | no |
+| [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
+| [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
+| [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
+| [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
+| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
+| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
+| [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
+| [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
+| [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |
+| [partition\_count](#input\_partition\_count) | The number of partitions in the Event Hub | `number` | `4` | no |
+| [region](#input\_region) | Datacenter where Sysdig-related resources will be created | `string` | n/a | yes |
+| [resource\_group](#input\_resource\_group) | Name of the existing resource group | `string` | `null` | no |
+| [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group to be created | `string` | `"sysdig-resource-group"` | no |
+| [subscription\_id](#input\_subscription\_id) | Identifier of the subscription to be onboarded | `string` | n/a | yes |
+| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| [throughput\_units](#input\_throughput\_units) | The number of throughput units to be allocated to the Event Hub | `number` | `1` | no |
+| [enabled\_platform\_logs](#input\_enabled\_platform\_logs) | List of platform logs to enable | `list(string)` | `["Administrative", "Security", "Policy"]` | no |
+| [enabled\_entra\_logs](#input\_enabled\_entra\_logs) | List of Entra logs to enable | `list(string)` | `["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]` | no |
## Outputs
| Name | Description |
diff --git a/modules/integrations/event-hub/main.tf b/modules/integrations/event-hub/main.tf
index dc840f3..31d2f86 100644
--- a/modules/integrations/event-hub/main.tf
+++ b/modules/integrations/event-hub/main.tf
@@ -121,151 +121,36 @@ resource "azurerm_role_assignment" "sysdig_data_receiver" {
# Create diagnostic settings for the subscription
#---------------------------------------------------------------------------------------------
resource "azurerm_monitor_diagnostic_setting" "sysdig_diagnostic_setting" {
- count = var.is_organizational ? 0 : 1
-
+ count = length(var.enabled_platform_logs) > 0 ? 1 : 0
+
name = "${var.diagnostic_settings_name}-${random_string.random.result}-${local.subscription_hash}"
target_resource_id = data.azurerm_subscription.sysdig_subscription.id
eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
eventhub_name = azurerm_eventhub.sysdig_event_hub.name
- enabled_log {
- category = "Administrative"
- }
-
- enabled_log {
- category = "Security"
- }
-
- enabled_log {
- category = "Policy"
+ dynamic "enabled_log" {
+ for_each = var.enabled_platform_logs
+ content {
+ category = enabled_log.value
+ }
}
}
resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting" {
- count = var.enable_entra ? 1 : 0
+ count = var.enable_entra && length(var.enabled_entra_logs) > 0 ? 1 : 0
name = "${var.entra_diagnostic_settings_name}-${local.subscription_hash}"
eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
eventhub_name = azurerm_eventhub.sysdig_event_hub.name
- enabled_log {
- category = "AuditLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "SignInLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "NonInteractiveUserSignInLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "ServicePrincipalSignInLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "ManagedIdentitySignInLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "ProvisioningLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "ADFSSignInLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "RiskyUsers"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "UserRiskEvents"
-
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "NetworkAccessTrafficLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "RiskyServicePrincipals"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "ServicePrincipalRiskEvents"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "EnrichedOffice365AuditLogs"
-
- retention_policy {
- enabled = false
- }
- }
-
- enabled_log {
- category = "MicrosoftGraphActivityLogs"
-
- retention_policy {
- enabled = false
- }
- }
+ dynamic "enabled_log" {
+ for_each = var.enabled_entra_logs
+ content {
+ category = enabled_log.value
- enabled_log {
- category = "RemoteNetworkHealthLogs"
-
- retention_policy {
- enabled = false
+ retention_policy {
+ enabled = false
+ }
}
}
}
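Review bot: The new `count` on `sysdig_diagnostic_setting` drops the `var.is_organizational ? 0 : 1` guard that the removed line carried, so the subscription-scoped diagnostic setting is now created for organizational deployments as well; nothing in the commit message or the header comment at the top of the hunk says this was intended. If it was not, the line should read `count = !var.is_organizational && length(var.enabled_platform_logs) > 0 ? 1 : 0`; if it was, the comment `# Create diagnostic settings for the subscription` should say that it now applies to organizational tenants too. Worth a comment on both `count` lines as well: an empty `enabled_platform_logs` or `enabled_entra_logs` destroys the corresponding diagnostic setting on apply, which silently stops activity-log and Entra sign-in/audit forwarding to the Event Hub — e.g. `# An empty list removes the diagnostic setting (Azure requires at least one category); log forwarding stops.` Both resource blocks are fully inside the hunk.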
diff --git a/modules/integrations/event-hub/variables.tf b/modules/integrations/event-hub/variables.tf
index 9be4aa1..2532495 100644
--- a/modules/integrations/event-hub/variables.tf
+++ b/modules/integrations/event-hub/variables.tf
@@ -113,4 +113,16 @@ variable "enable_entra" {
variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account)"
-}
\ No newline at end of file
+}
+
+variable "enabled_platform_logs" {
+ description = "List of platform logs to enable. Options are: 'Administrative', 'Policy', 'Security'."
+ type = list(string)
+ default = ["Administrative", "Security", "Policy"]
+}
+
+variable "enabled_entra_logs" {
+ description = "List of Entra logs to enable"
+ type = list(string)
+ default = ["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]
+}
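Review bot: `enabled_platform_logs` lists its permitted values only in prose ("Options are: 'Administrative', 'Policy', 'Security'.") and neither new variable has a `validation` block, so a typo or an unsupported category is only caught at apply time by the Azure API, after the plan has been approved, and a `list(string)` also admits duplicates that would render duplicate `enabled_log` blocks. A validation on `enabled_platform_logs` fixes the first case, and `distinct()` or a `set(string)` type would cover the second. `enabled_entra_logs` should also document its accepted categories the way `enabled_platform_logs` does, since the default list is the only hint a user gets; the `enable_entra` variable whose declaration the hunk header references lies outside the hunk, so I cannot tell whether its description carries the deprecation note the README now shows.
```hcl
variable "enabled_platform_logs" {
  # … unchanged: description, type, default …
  validation {
    condition     = alltrue([for l in var.enabled_platform_logs : contains(["Administrative", "Security", "Policy"], l)])
    error_message = "enabled_platform_logs may only contain 'Administrative', 'Security' and 'Policy'."
  }
}
```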