Pull work into working branch (#74)

* add the shellcheck extension to the devcontainer (#70)

Co-authored-by: Glenn Musa <[email protected]>

* Enable Azure Security Center in MLZ subscriptions (#55)

* Updated documentation in script

* - Added execution flag to shell scripts
- Added configure_asc.sh script
- Added code to create subs array to mlz_tf_setup.sh
- Added code to call configure_asc.sh from mlz_tf_setup.sh

* - Added executable flag to unzipprovider.sh script

* - Added executable flag to check scripts

* - Updated loop code for workspace setting

* - Created folder for ASC scripts
- Copied generate_names.sh script into ASC folder

* - Removed ASC calling code from setup script
- Updated naming in asc script
- Added ASC naming to generate script

* - Moved LAWS name generation into generate names
- Moved generate names call into loop
- Updated wait loop to use variables

* - Removed message for elapsed time
- Added quotes consistently for echo's

* - Updated Copyright statement
- Added set -e
- Modified variables to use env & location from vars file

* - Corrected counter logic
- Corrected description in names script

* output number of attempts remaining

* add a comment that this may fail

* - Removed creater comment

* unusually typo

Co-authored-by: Glenn Musa <[email protected]>

Co-authored-by: Glenn Musa <[email protected]>
Co-authored-by: Glenn Musa <[email protected]>
Co-authored-by: Byron Boudreaux <[email protected]>

.devcontainer/devcontainer.json

@@ -7,7 +7,7 @@
 	},
 
 	// Set *default* container specific settings.json values on container create.
-	"settings": { 
+	"settings": {
 		"terminal.integrated.shell.linux": "/bin/bash"
 	},
 
@@ -16,7 +16,8 @@
 		"hashicorp.terraform",
 		"ms-vscode-remote.vscode-remote-extensionpack",
 		"davidanson.vscode-markdownlint",
-		"github.vscode-pull-request-github"
+		"github.vscode-pull-request-github",
+		"timonwong.shellcheck"
 	],
 
 	// Additional args to pass to the 'docker run' command

.vscode/settings.json

@@ -3,5 +3,6 @@
 {
     "[terraform]": {
         "editor.formatOnSave": true
-    }
+    },
+    "shellcheck.enableQuickFix": true
 }

scripts/security-center/configure_asc.sh

@@ -0,0 +1,153 @@
+#!/bin/bash
+#
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# shellcheck disable=SC1090,SC2154
+# SC1090: Can't follow non-constant source. Use a directive to specify location.
+# SC2154: "var is referenced but not assigned". These values come from an external file.
+#
+# Configures the landing zone subscriptions for Azure Security Center
+
+set -e
+
+PGM=$(basename "${0}")
+
+if [[ "${PGM}" == "configure_asc.sh" && "$#" -lt 1 ]]; then
+    echo "${PGM}: Initializes Azure Security Center Standard tier for Storage Accounts and Virtual Machines"
+    echo "usage: ${PGM} <mlz tf config vars>"
+    exit 1
+elif [[ ! "${PGM}" == "mlz_tf_setup.sh" ]];then
+
+    mlz_tf_cfg=$(realpath "${1}")
+
+    # Source variables
+    . "${mlz_tf_cfg}"
+
+    mlz_sub_pattern="mlz_.*._subid"
+    mlz_subs=$(< "$(realpath "${1}")" sed 's:#.*$::g' | grep -w "${mlz_sub_pattern}")
+    subs=()
+
+    for mlz_sub in $mlz_subs
+    do
+        # Grab value of variable
+        mlz_sub_id=$(echo "${mlz_sub#*=}" | tr -d '"')
+        if [[ ! "${subs[*]}" =~ ${mlz_sub_id} ]];then
+            subs+=("${mlz_sub_id}")
+        fi
+    done
+fi
+
+# Configure Azure Security Center
+for sub in "${subs[@]}"
+do
+    ascAutoProv=$(az security auto-provisioning-setting show \
+        --subscription "${sub}" \
+        --name "default" \
+        --query autoProvision \
+        --output tsv \
+        --only-show-errors)
+    if [[ ${ascAutoProv} == "Off" ]]; then
+
+    # generate names
+    . "${BASH_SOURCE%/*}"/generate_names.sh "${mlz_env_name}" "${sub}"
+
+        # Create Resource Group for Log Analytics workspace
+        if [[ -z $(az group show --name "${mlz_lawsrg_name}" --subscription "${sub}" --query name --output tsv) ]]; then
+            echo "Resource Group does not exist...creating resource group ${mlz_lawsrg_name}"
+            az group create \
+                --subscription "${sub}" \
+                --location "${mlz_config_location}" \
+                --name "${mlz_lawsrg_name}"
+        else
+            echo "Resource Group ${mlz_lawsrg_name} already exists. Verify desired ASC configuration and re-run script"
+            exit 1
+        fi
+
+        # Create Log Analytics workspace
+        if [[ -z $(az monitor log-analytics workspace show --resource-group "${mlz_lawsrg_name}" --workspace-name "${mlz_laws_name}" --subscription "${sub}") ]]; then
+            echo "Log Analytics workspace does not exist...creating workspace ${mlz_laws_name}"
+            lawsId=$(az monitor log-analytics workspace create \
+            --resource-group "${mlz_lawsrg_name}" \
+            --workspace-name "${mlz_laws_name}" \
+            --location "${mlz_config_location}" \
+            --subscription "${sub}" \
+            --query id \
+            --output tsv)
+        else
+            echo "Log Analytics workspace ${mlz_laws_name} already exists. Verify desired ASC configuration and re-run script"
+            exit 1
+        fi
+
+        # Set ASC pricing tier on Virtual Machines
+        if [[ $(az security pricing show --name VirtualMachines --subscription "${sub}" --only-show-errors --query pricingTier --output tsv) == "Free" ]]; then
+            echo "Setting ASC pricing tier for Virtual Machines to Standard..."
+            az security pricing create \
+            --name VirtualMachines \
+            --subscription "${sub}" \
+            --tier "Standard"
+        fi
+
+        # Set ASC pricing tier on Storage Accounts
+        if [[ $(az security pricing show --name StorageAccounts --subscription "${sub}" --only-show-errors --query pricingTier --output tsv --only-show-errors) == "Free" ]]; then
+            echo "Setting ASC pricing tier for Storage Accounts to Standard..."
+            az security pricing create \
+            --name StorageAccounts \
+            --subscription "${sub}" \
+            --tier "Standard"
+        fi
+
+        # Create default setting for ASC Log Analytics workspace
+        if [[ -z $(az security workspace-setting show --name default --subscription "${sub}" --only-show-errors) ]];then
+
+            sleep_time_in_seconds=30
+            max_wait_in_minutes=30
+            max_wait_in_seconds=$((max_wait_in_minutes*60))
+            max_retries=$((max_wait_in_seconds/sleep_time_in_seconds))
+
+            echo "Maximum time to wait in seconds = ${max_wait_in_seconds}"
+            echo "Maximum number of retries = ${max_retries}"
+
+            echo "ASC Log Analytics workspace setting does not exist...creating default setting"
+            echo "This script will attempt to create the setting for ${max_wait_in_minutes} minutes and then timeout if the setting has not been created"
+
+            az security workspace-setting create \
+                --name "default" \
+                --target-workspace "${lawsId}" \
+                --subscription "${sub}"
+
+            count=1
+
+            # TODO (20210309): this could take an unusually long time and even fail altogether.
+            # This is under investigation by the `az security` team.
+            while [ -z "$(az security workspace-setting show --name default --subscription  "${sub}" --query workspaceId --output tsv --only-show-errors)" ]
+            do
+
+                echo "Waiting for ASC workspace setting to finish provisioning (${count}/${max_retries})"
+                echo "Trying again in ${sleep_time_in_seconds} seconds..."
+                sleep "${sleep_time_in_seconds}"
+
+                if [[ ${count} -eq max_retries ]];then
+                    echo "Provisioning the workspace setting has exceeded ${max_wait_in_minutes} minutes. Investigate and re-run script."
+                    exit 1
+                fi
+
+                count=$((count + 1))
+
+            done
+        else
+            echo "ASC already has a \"default\" Log Analytics workspace configuration. Verify desired ASC configuration and re-run script"
+            exit 1
+        fi
+
+        # Set ASC auto-provisioning to On
+        az security auto-provisioning-setting update \
+            --auto-provision "On" \
+            --subscription  "${sub}" \
+            --name "default" \
+            --only-show-errors
+    else
+        echo "ASC auto-provisioning is already set to \"On\". Verify desired ASC configuration and re-run script"
+        exit 1
+    fi
+done

scripts/security-center/generate_names.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# Generate Azure Security Center resource names
+
+set -e
+
+error_log() {
+  echo "${1}" 1>&2;
+}
+
+usage() {
+  echo "${0}: Generate Security Center resource names"
+  error_log "usage: ${0} <enclave name> <sub ID>"
+}
+
+if [[ "$#" -ne 2 ]]; then
+   usage
+   exit 1
+fi
+
+mlz_enclave_name_raw=$1
+sub_raw=$2
+
+# remove hyphens for resource naming restrictions
+# in the future, do more cleansing
+mlz_enclave_name="${mlz_enclave_name_raw//-}"
+safeSubId="${sub_raw//-}"
+
+
+# Name MLZ config resources
+export mlz_lawsrg_name="rg-mlz-laws-${mlz_enclave_name}"
+export mlz_laws_name="laws-${mlz_enclave_name}-${safeSubId}"

src/provider_archive/unzipprovider.sh

@@ -3,7 +3,7 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 #
-# Unzips the azurerm 2.45.1 terraform provider into the provider_cache directory
+# Unzips the terraform providers into the provider_cache directory
 # then sets it to executable
 
 parentdir="$(dirname "$(realpath "${BASH_SOURCE%/*}")")"