diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
index 396fcf7..c0fc456 100644
--- a/modules/config-posture/README.md
+++ b/modules/config-posture/README.md
@@ -68,6 +68,7 @@ No modules.
| Name | Description |
|------|-------------|
| [service\_principal\_component\_id](#output\_service\_principal\_component\_id) | Component identifier of Service Principal created in Sysdig Backend for Config Posture |
+| [service\_principal\_component\_id](#output\_service\_principal\_component\_id) | Object ID of the CSPM SP within the client's infra |
## Authors
diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf
index e14c263..5200f9c 100644
--- a/modules/config-posture/outputs.tf
+++ b/modules/config-posture/outputs.tf
@@ -8,4 +8,4 @@ output "sysdig_cspm_sp_object_id" {
value = azuread_service_principal.sysdig_cspm_sp.object_id
description = "Object ID of the CSPM SP within the client's infra"
depends_on = [azuread_service_principal.sysdig_cspm_sp]
-}
+}
\ No newline at end of file
diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md
index a4f178f..7c01379 100644
--- a/modules/vm-workload-scanning/README.md
+++ b/modules/vm-workload-scanning/README.md
@@ -74,12 +74,17 @@ No modules.
## Inputs
-| Name | Description | Type | Default | Required |
-|------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
-| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable VM Workload Scanning with optional AKS discovery | `string` | n/a | yes |
-| [subscription\_id](#input\_subscription\_id) | The identifier of the Azure Subscription in which to create secure-for-cloud vm workload scanning resources | `string` | n/a | yes |
-| [is\_organizational](#input\_is\_organizational) | true/false whether vm workload scanning resources should be deployed in an organizational setup (all subscriptions of tenant) or not (only on default azure provider subscription) | `bool` | `false` | no |
-| [management\_group\_ids](#input\_management\_group\_ids) | List of Azure Management Group IDs. vm workload scanning will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
+| Name | Description | Type | Default | Required |
+|---------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable VM Workload Scanning with optional AKS discovery | `string` | n/a | yes |
+| [subscription\_id](#input\_subscription\_id) | The identifier of the Azure Subscription in which to create secure-for-cloud vm workload scanning resources | `string` | n/a | yes |
+| [is\_organizational](#input\_is\_organizational) | true/false whether vm workload scanning resources should be deployed in an organizational setup (all subscriptions of tenant) or not (only on default azure provider subscription) | `bool` | `false` | no |
+| [management\_group\_ids](#input\_management\_group\_ids) | List of Azure Management Group IDs. vm workload scanning will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
+| [aks\_enabled](#output\_service\_principal\_component\_id) | Set this field to 'true' to grant AKS discovery permissions to the secure-posture service principal | `bool` | false | no |
+| [functions\_enabled](#output\_service\_principal\_component\_id) | Set this field to 'true' to grant Functions Storage permissions to the secure-vm-workload-scanning service principal | `bool` | false | no |
+| [sysdig\_cspm\_sp\_object\_id](#output\_service\_principal\_component\_id) | Object ID of the CSPM SP within the client's infra | `string` | n/a | yes |
+
+
## Outputs
diff --git a/modules/vm-workload-scanning/aks-discovery/README.md b/modules/vm-workload-scanning/aks-discovery/README.md
index 57c4d6d..9c81689 100644
--- a/modules/vm-workload-scanning/aks-discovery/README.md
+++ b/modules/vm-workload-scanning/aks-discovery/README.md
@@ -43,13 +43,13 @@ No modules.
## Inputs
-| Name | Description | Type | Default | Required |
-|------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
+| Name | Description | Type | Default | Required |
+|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
-| [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create secure-for-cloud onboarding resources | `string` | n/a | yes |
-| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant | `bool` | `false` | no |
-| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups | `set(string)` | `[]` | no |
-| [management\_group\_ids](#input\_management\_group\_ids) | Object ID of the CSPM SP within the client's infra | `string` | `[]` | yes |
+| [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create secure-for-cloud onboarding resources | `string` | n/a | yes |
+| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant | `bool` | `false` | no |
+| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups | `set(string)` | `[]` | no |
+| [sysdig\_cspm\_sp\_object\_id](#input\_sysdig\_cspm\_sp\_object\_id) | Object ID of the CSPM SP within the client's infra | `string` | n/a | yes |
diff --git a/modules/vm-workload-scanning/aks-discovery/main.tf b/modules/vm-workload-scanning/aks-discovery/main.tf
index b74c10b..f3007b9 100644
--- a/modules/vm-workload-scanning/aks-discovery/main.tf
+++ b/modules/vm-workload-scanning/aks-discovery/main.tf
@@ -6,7 +6,7 @@ data "azurerm_subscription" "primary" {
}
locals {
- agentless_aks_connection_permissions_actions = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
+ agentless_aks_connection_permissions_actions = ["Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"]
}
#---------------------------------------------------------------------------------------------
@@ -36,18 +36,6 @@ resource "azurerm_role_assignment" "sysdig_cspm_role_aks_discovery_assignment" {
count = var.is_organizational ? 0 : 1
scope = data.azurerm_subscription.primary.id
- role_definition_id = azurerm_role_definition.sysdig_cspm_aks_discovery_role.role_definition_resource_id
+ role_definition_id = azurerm_role_definition.sysdig_cspm_aks_discovery_role[0].role_definition_resource_id
principal_id = var.sysdig_cspm_sp_object_id
-}
-
-resource "sysdig_secure_cloud_auth_account_component" "azure_aks_discovery_component" {
- account_id = var.sysdig_secure_account_id
- type = "COMPONENT_UNSPECIFIED"
- instance = "secure-aks-discovery"
-
- depends_on = [azurerm_role_definition.sysdig_cspm_aks_discovery_role,
- azurerm_role_assignment.sysdig_cspm_role_aks_discovery_assignment,
- azurerm_role_definition.sysdig_cspm_role_aks_discovery_for_tenant,
- azurerm_role_assignment.sysdig_cspm_role_assignment_for_tenant,
- ]
}
\ No newline at end of file
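Review bot: `principal_id = var.sysdig_cspm_sp_object_id` is accepted as-is, and the role it receives carries `listClusterAdminCredential/action` (the local at the top of the file), i.e. cluster-admin kubeconfigs for every AKS cluster in the subscription, so an object ID of the wrong identity pasted by a consumer becomes a cluster-admin grant to that identity. Adding `principal_type = "ServicePrincipal"` should make ARM reject a user or group object ID and also avoids the replication-lag failures freshly created SPs tend to hit without it; a GUID-shape validation on the variable would catch obvious typos earlier. The new `[0]` index presumes `azurerm_role_definition.sysdig_cspm_aks_discovery_role` gained a matching `count = var.is_organizational ? 0 : 1`; that resource is outside the hunk, so please confirm. The `secure-aks-discovery` component registration is deleted with nothing in this module replacing it; if the caller is now expected to register the feature, a one-line comment saying so would save the next reader from assuming it was lost. The resource block opens above the hunk.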
diff --git a/modules/vm-workload-scanning/aks-discovery/variables.tf b/modules/vm-workload-scanning/aks-discovery/variables.tf
index 0f3b16b..13b0511 100644
--- a/modules/vm-workload-scanning/aks-discovery/variables.tf
+++ b/modules/vm-workload-scanning/aks-discovery/variables.tf
@@ -23,4 +23,4 @@ variable "management_group_ids" {
variable "sysdig_cspm_sp_object_id" {
description = "Object ID of the CSPM SP within the client's infra"
type = string
-}
+}
\ No newline at end of file
diff --git a/modules/vm-workload-scanning/aks-discovery/versions.tf b/modules/vm-workload-scanning/aks-discovery/versions.tf
index 98f74b3..e88e128 100644
--- a/modules/vm-workload-scanning/aks-discovery/versions.tf
+++ b/modules/vm-workload-scanning/aks-discovery/versions.tf
@@ -12,7 +12,7 @@ terraform {
}
sysdig = {
source = "sysdiglabs/sysdig"
- version = "~> 1.29.2"
+ version = "~> 1.29"
}
}
}
\ No newline at end of file
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
index 177cb93..3cce52b 100644
--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
@@ -1,5 +1,5 @@
module "aks_discovery" {
- count = var.aks_discovery_permission_grant ? 1 : 0
+ count = var.aks_enabled ? 1 : 0
source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning/aks-discovery"
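Review bot: `source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning/aks-discovery"` fetches the sub-module from the public registry, so the `[0]` index fix and the component removal this same commit makes in `aks-discovery/main.tf` are not what this module call executes until a new registry release ships, and until then the two halves of the change can disagree. For an in-tree sub-module the usual form is `source = "./aks-discovery"`, which keeps the caller and the callee at the same commit. If the registry source is deliberate, pin an exact `version` (none is visible in the hunk; the argument may sit on a line outside it) so the permission set granted to the CSPM service principal cannot change underneath a consumer. The module block continues past the hunk.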
@@ -7,6 +7,7 @@ module "aks_discovery" {
subscription_id = var.subscription_id
is_organizational = var.is_organizational
management_group_ids = var.management_group_ids
+
sysdig_cspm_sp_object_id = var.sysdig_cspm_sp_object_id
}
@@ -48,15 +49,19 @@ locals {
}
data "azurerm_role_definition" "storage_file_reader" {
+ count = var.functions_enabled ? 1 : 0
+
name = "Storage File Data Privileged Reader"
}
data "azurerm_role_definition" "storage_blob_reader" {
+ count = var.functions_enabled ? 1 : 0
+
name = "Storage Blob Data Reader"
}
resource "azurerm_role_definition" "sysdig_vm_workload_scanning_func_app_config_role" {
- count = var.is_organizational ? 0 : 1
+ count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)
name = "sysdig-vm-workload-scanning-workload-function-app-reader-role-${var.subscription_id}"
scope = data.azurerm_subscription.primary.id
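Review bot: `count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)` nests two conditionals to express one boolean; `count = !var.is_organizational && var.functions_enabled ? 1 : 0` reads as the intent, and the same nested shape is repeated on the three assignments below this one. The two data sources above are gated on `functions_enabled` alone, which is correct because organizational.tf indexes them as `[0]` too, but that is not obvious from this file, so I would put `# Looked up whenever functions are enabled: used by both the subscription-scope and management-group assignments` above the first `count`. The role definition body continues past the hunk.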
@@ -74,7 +79,7 @@ resource "azurerm_role_definition" "sysdig_vm_workload_scanning_func_app_config_
# Assign custom permissions to Sysdig Vm Agentless Workload SP for Accessing AppConfig and Determining where Azure Functions Code is located
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_func_app_config_role_assignment" {
- count = var.is_organizational ? 0 : 1
+ count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)
scope = data.azurerm_subscription.primary.id
role_definition_id = azurerm_role_definition.sysdig_vm_workload_scanning_func_app_config_role[0].role_definition_resource_id
@@ -85,10 +90,10 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_func_app_config_
# Assign "Storage File Data Privileged Reader" role to Sysdig Vm Agentless Workload SP for Accessing Azure Functions Code
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_file_reader_role_assignment" {
- count = var.is_organizational ? 0 : 1
+ count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)
scope = data.azurerm_subscription.primary.id
- role_definition_id = data.azurerm_role_definition.storage_file_reader.role_definition_id
+ role_definition_id = data.azurerm_role_definition.storage_file_reader[0].role_definition_id
principal_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.object_id
}
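Review bot: The `functions_enabled` gate is the only limit on this assignment, and it still lands at `data.azurerm_subscription.primary.id`, so turning the flag on gives the workload-scanning service principal `Storage File Data Privileged Reader` on every file share in the subscription rather than only on the Function App content the comment above describes. That reach should be stated next to the code, e.g. `# Subscription-wide: reaches every storage account, not only Function App content shares` above `scope`. If the Function Apps' storage accounts can be enumerated up front, scoping the assignment to them (or their resource groups) would be the least-privilege option; whether that is feasible depends on how the scanner discovers function code, which is outside this hunk. Setting `principal_type = "ServicePrincipal"` here is also worth considering, since the assignee is a freshly created SP and that is the usual way to avoid replication-lag failures on the assignment.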
@@ -96,10 +101,10 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_file_reader_role
# Assign "Storage Blob Data Reader" role to Sysdig Vm Agentless Workload SP for Accessing Azure Functions Code
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_blob_reader_role_assignment" {
- count = var.is_organizational ? 0 : 1
+ count = var.is_organizational ? 0 : (var.functions_enabled ? 1 : 0)
scope = data.azurerm_subscription.primary.id
- role_definition_id = data.azurerm_role_definition.storage_blob_reader.role_definition_id
+ role_definition_id = data.azurerm_role_definition.storage_blob_reader[0].role_definition_id
principal_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.object_id
}
@@ -133,8 +138,6 @@ resource "sysdig_secure_cloud_auth_account_component" "azure_workload_scanning_c
app_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.client_id
app_owner_organization_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.application_tenant_id
}
-
- aks_discovery_permission_grant = var.aks_discovery_permission_grant
}
})
diff --git a/modules/vm-workload-scanning/organizational.tf b/modules/vm-workload-scanning/organizational.tf
index 9cf2a1d..68a5c6d 100644
--- a/modules/vm-workload-scanning/organizational.tf
+++ b/modules/vm-workload-scanning/organizational.tf
@@ -17,7 +17,7 @@ locals {
# Create a custom role for accessing function app config
#---------------------------------------------------------------------------------------------
resource "azurerm_role_definition" "sysdig_vm_workload_scanning_func_app_config_role_for_tenant" {
- for_each = var.is_organizational ? local.management_groups : []
+ for_each = var.is_organizational && var.functions_enabled ? local.management_groups : []
name = "sysdig-vm-workload-scanning-function-app-reader-role-for-tenant-${each.key}"
scope = each.key
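Review bot: `var.is_organizational && var.functions_enabled ? local.management_groups : []` relies on HCL binding `&&` tighter than `? :`, which it does, but the expression is repeated verbatim on three more resources in this file and reads ambiguously at a glance. A single local such as `functions_scopes = var.is_organizational && var.functions_enabled ? local.management_groups : []` (or at least parentheses around the condition) would keep the four gates in lockstep and make the intent explicit. The role definition body continues past the hunk.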
@@ -46,7 +46,7 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_acrpull_for_tena
# Custom role assignment for accessing function app config
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_func_app_config_role_assignment_for_tenant" {
- for_each = var.is_organizational ? local.management_groups : []
+ for_each = var.is_organizational && var.functions_enabled ? local.management_groups : []
scope = each.key
role_definition_id = azurerm_role_definition.sysdig_vm_workload_scanning_func_app_config_role_for_tenant[each.key].role_definition_resource_id
@@ -58,10 +58,10 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_func_app_config_
# Storage File Data Privileged Reader
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_file_reader_role_assignment_for_tenant" {
- for_each = var.is_organizational ? local.management_groups : []
+ for_each = var.is_organizational && var.functions_enabled ? local.management_groups : []
scope = each.key
- role_definition_id = data.azurerm_role_definition.storage_file_reader.role_definition_id
+ role_definition_id = data.azurerm_role_definition.storage_file_reader[0].role_definition_id
principal_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.object_id
}
@@ -70,9 +70,9 @@ resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_file_reader_role
# Storage Blob Data Reader
#---------------------------------------------------------------------------------------------
resource "azurerm_role_assignment" "sysdig_vm_workload_scanning_blob_reader_role_assignment_for_tenant" {
- for_each = var.is_organizational ? local.management_groups : []
+ for_each = var.is_organizational && var.functions_enabled ? local.management_groups : []
scope = each.key
- role_definition_id = data.azurerm_role_definition.storage_blob_reader.role_definition_id
+ role_definition_id = data.azurerm_role_definition.storage_blob_reader[0].role_definition_id
principal_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.object_id
}
\ No newline at end of file
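Review bot: With `functions_enabled` this assigns `Storage Blob Data Reader` at each management group in `local.management_groups`, which reaches every blob container in every subscription under those groups, and the hunk above does the same with `Storage File Data Privileged Reader`; nothing near the code records that reach. I would add `# Management-group scope: grants read on all storage accounts under each group, not only Function App storage` above `scope`, and the `functions_enabled` variable description should say the same. `principal_type = "ServicePrincipal"` on this and the sibling assignments would make the assignee explicit and avoid the replication-lag failures new service principals hit without it.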
diff --git a/modules/vm-workload-scanning/variables.tf b/modules/vm-workload-scanning/variables.tf
index f1b5e0c..8b68e92 100644
--- a/modules/vm-workload-scanning/variables.tf
+++ b/modules/vm-workload-scanning/variables.tf
@@ -20,13 +20,19 @@ variable "management_group_ids" {
default = []
}
-variable "aks_discovery_permission_grant" {
+variable "aks_enabled" {
description = "(Optional) Set this field to 'true' to grant AKS discovery permissions to the secure-posture service principal."
type = bool
default = false
}
-variable "sysdig_cspm_sp_object_id" {
- description = "Object ID of the CSPM SP within the client's infra"
- type = string
+variable "functions_enabled" {
+ description = "(Optional) Set this field to 'true' to grant Functions Storage permissions to the secure-vm-workload-scanning service principal."
+ type = bool
+ default = false
}
+
+variable "sysdig_cspm_sp_object_id" {
+ description = "Object ID of the CSPM SP within the client's infra"
+ type = string
+}
\ No newline at end of file
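Review bot: `sysdig_cspm_sp_object_id` is required with no default, yet it is only consumed by the `aks_discovery` module instance that exists when `aks_enabled` is true, so every consumer that wants only functions scanning must still wire in the config-posture module's output; giving it `default = null` plus a GUID-shape validation makes the dependency opt-in and turns a pasted-in wrong value into a plan-time error instead of a role assignment to the wrong principal. The two flag descriptions should also say what they grant, since the role assignments behind them live in other files: `aks_enabled` yields a custom role holding `Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action` (cluster-admin kubeconfig retrieval) for the CSPM service principal, and `functions_enabled` assigns `Storage File Data Privileged Reader` and `Storage Blob Data Reader` at subscription or management-group scope to the workload-scanning service principal. If `aks_enabled` is true while the id is left null, the sub-module's required variable should still fail the plan, though I have not verified that against the `count`-gated module call.
```hcl
variable "aks_enabled" {
  description = "(Optional) Set to 'true' to assign the CSPM service principal a custom role containing Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action, i.e. cluster-admin kubeconfig retrieval for every AKS cluster in scope."
  type        = bool
  default     = false
}

variable "functions_enabled" {
  description = "(Optional) Set to 'true' to assign the workload-scanning service principal Storage File Data Privileged Reader and Storage Blob Data Reader (plus a custom Function App config reader role) at subscription scope, or at each management group when is_organizational is true."
  type        = bool
  default     = false
}

variable "sysdig_cspm_sp_object_id" {
  description = "Object ID of the CSPM service principal created by the config-posture module. Only used when aks_enabled is true."
  type        = string
  default     = null

  validation {
    condition     = var.sysdig_cspm_sp_object_id == null || can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.sysdig_cspm_sp_object_id))
    error_message = "sysdig_cspm_sp_object_id must be a Microsoft Entra object ID (GUID)."
  }
}
```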
diff --git a/modules/vm-workload-scanning/versions.tf b/modules/vm-workload-scanning/versions.tf
index 98f74b3..e88e128 100644
--- a/modules/vm-workload-scanning/versions.tf
+++ b/modules/vm-workload-scanning/versions.tf
@@ -12,7 +12,7 @@ terraform {
}
sysdig = {
source = "sysdiglabs/sysdig"
- version = "~> 1.29.2"
+ version = "~> 1.29"
}
}
}
\ No newline at end of file
diff --git a/test/examples/modular_organization/workload-scanning-containers.tf b/test/examples/modular_organization/workload-scanning-containers.tf
index 23e6484..37e5747 100644
--- a/test/examples/modular_organization/workload-scanning-containers.tf
+++ b/test/examples/modular_organization/workload-scanning-containers.tf
@@ -9,6 +9,11 @@ module "vm-workload-scanning" {
sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
is_organizational = module.onboarding.is_organizational
management_group_ids = module.onboarding.management_group_ids
+
+ sysdig_cspm_sp_object_id = module.config-posture.sysdig_cspm_sp_object_id
+
+ aks_enabled = true
+ functions_enabled = true
}
resource "sysdig_secure_cloud_auth_account_feature" "vm-workload-scanning-aca-aci" {
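Review bot: This is the ACA/ACI (containers) example, yet it now sets `aks_enabled = true` and `functions_enabled = true`, which assigns the CSPM service principal `listClusterAdminCredential` on AKS and the workload-scanning service principal storage read across the management groups — neither is needed for the `vm-workload-scanning-aca-aci` feature registered below, and the kubernetes and functions examples added in this commit already exercise those flags. Drop the two flags (both default to false) or write `aks_enabled = false` / `functions_enabled = false` so the example demonstrates the least-privilege setup; `sysdig_cspm_sp_object_id` has to stay because the module requires it even when AKS discovery is off. Both the module block and the feature resource extend outside the hunk.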
diff --git a/test/examples/modular_organization/workload-scanning-functions.tf b/test/examples/modular_organization/workload-scanning-functions.tf
new file mode 100644
index 0000000..53e6e97
--- /dev/null
+++ b/test/examples/modular_organization/workload-scanning-functions.tf
@@ -0,0 +1,25 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "vm-workload-scanning" {
+ source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning"
+ subscription_id = module.onboarding.subscription_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ is_organizational = module.onboarding.is_organizational
+ management_group_ids = module.onboarding.management_group_ids
+
+ sysdig_cspm_sp_object_id = module.config-posture.sysdig_cspm_sp_object_id
+
+ aks_enabled = false
+ functions_enabled = true
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "vm-workload-scanning-functions" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_FUNCTIONS"
+ enabled = true
+ components = [module.vm-workload-scanning.service_principal_component_id]
+ depends_on = [ module.vm-workload-scanning ]
+}
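Review bot: This file declares `module "vm-workload-scanning"`, the same label that workload-scanning-containers.tf and workload-scanning-kubernetes.tf use in this directory; if the examples are applied together from `test/examples/modular_organization`, Terraform rejects the duplicate module call, and if they are meant to be used one at a time nothing says so. Either give each file its own label (e.g. `module "vm-workload-scanning-functions"` with `components = [module.vm-workload-scanning-functions.service_principal_component_id]` and `depends_on` updated to match) or state in the header comment that only one workload-scanning file should be present. Keeping `depends_on = [ module.vm-workload-scanning ]` is right, since the `components` reference alone does not order the feature after the module's role assignments.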
diff --git a/test/examples/modular_organization/workload-scanning-kubernetes.tf b/test/examples/modular_organization/workload-scanning-kubernetes.tf
new file mode 100644
index 0000000..8b88148
--- /dev/null
+++ b/test/examples/modular_organization/workload-scanning-kubernetes.tf
@@ -0,0 +1,25 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "vm-workload-scanning" {
+ source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning"
+ subscription_id = module.onboarding.subscription_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ is_organizational = module.onboarding.is_organizational
+ management_group_ids = module.onboarding.management_group_ids
+
+ sysdig_cspm_sp_object_id = module.config-posture.sysdig_cspm_sp_object_id
+
+ aks_enabled = true
+ functions_enabled = false
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "vm-workload-scanning-kubernetes" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_KUBERNETES"
+ enabled = true
+ components = [module.vm-workload-scanning.service_principal_component_id]
+ depends_on = [ module.vm-workload-scanning ]
+}
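Review bot: The feature registered here lists only `module.vm-workload-scanning.service_principal_component_id`, yet the permission `aks_enabled` grants goes to the CSPM service principal (`principal_id = var.sysdig_cspm_sp_object_id` in aks-discovery/main.tf), and this commit also deletes the `secure-aks-discovery` component that used to be registered for it. If the backend resolves the credentials for `FEATURE_SECURE_WORKLOAD_SCANNING_KUBERNETES` from the listed components, the config-posture module's component presumably needs to appear in `components` too; please confirm against the backend contract. Either way a comment above the resource naming which identity performs AKS discovery would help, e.g. `# AKS cluster credentials are granted to the CSPM service principal (aks-discovery); confirm whether its component must be listed here`.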
diff --git a/test/examples/modular_single_subscription/workload-scanning-containers.tf b/test/examples/modular_single_subscription/workload-scanning-containers.tf
index 23e6484..009370e 100644
--- a/test/examples/modular_single_subscription/workload-scanning-containers.tf
+++ b/test/examples/modular_single_subscription/workload-scanning-containers.tf
@@ -7,8 +7,11 @@ module "vm-workload-scanning" {
source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning"
subscription_id = module.onboarding.subscription_id
sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
- is_organizational = module.onboarding.is_organizational
- management_group_ids = module.onboarding.management_group_ids
+
+ sysdig_cspm_sp_object_id = module.config-posture.sysdig_cspm_sp_object_id
+
+ aks_enabled = true
+ functions_enabled = true
}
resource "sysdig_secure_cloud_auth_account_feature" "vm-workload-scanning-aca-aci" {
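Review bot: The containers (ACA/ACI) example now enables both `aks_enabled` and `functions_enabled`, so running it assigns AKS cluster-admin credential listing to the CSPM service principal and subscription-wide storage read to the workload-scanning service principal, none of which the `vm-workload-scanning-aca-aci` feature below needs; the dedicated kubernetes and functions examples in this commit cover those flags. Leave both flags at their false defaults here (or set them to false explicitly) so the example shows the minimal grant. Removing `is_organizational` and `management_group_ids` is fine since their defaults are `false` and `[]`, but the module block and the feature resource both extend outside the hunk.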
diff --git a/test/examples/modular_single_subscription/workload-scanning-functions.tf b/test/examples/modular_single_subscription/workload-scanning-functions.tf
new file mode 100644
index 0000000..5493e90
--- /dev/null
+++ b/test/examples/modular_single_subscription/workload-scanning-functions.tf
@@ -0,0 +1,23 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "vm-workload-scanning" {
+ source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning"
+ subscription_id = module.onboarding.subscription_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+
+ sysdig_cspm_sp_object_id = module.config-posture.sysdig_cspm_sp_object_id
+
+ aks_enabled = false
+ functions_enabled = true
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "vm-workload-scanning-functions" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_FUNCTIONS"
+ enabled = true
+ components = [module.vm-workload-scanning.service_principal_component_id]
+ depends_on = [ module.vm-workload-scanning ]
+}
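Review bot: `module "vm-workload-scanning"` is also the label used by workload-scanning-containers.tf and workload-scanning-kubernetes.tf in this directory, so applying the examples together from `test/examples/modular_single_subscription` fails on a duplicate module call. Rename per file (e.g. `module "vm-workload-scanning-functions"`, with the `components` and `depends_on` references updated) or state in the header comment that the workload-scanning files are alternatives, not a set. `depends_on = [ module.vm-workload-scanning ]` is worth keeping as-is; the `components` reference alone does not order the feature after the module's role assignments.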
diff --git a/test/examples/modular_single_subscription/workload-scanning-kubernetes.tf b/test/examples/modular_single_subscription/workload-scanning-kubernetes.tf
new file mode 100644
index 0000000..ecf97c5
--- /dev/null
+++ b/test/examples/modular_single_subscription/workload-scanning-kubernetes.tf
@@ -0,0 +1,23 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "vm-workload-scanning" {
+ source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning"
+ subscription_id = module.onboarding.subscription_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+
+ sysdig_cspm_sp_object_id = module.config-posture.sysdig_cspm_sp_object_id
+
+ aks_enabled = true
+ functions_enabled = false
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "vm-workload-scanning-kubernetes" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_KUBERNETES"
+ enabled = true
+ components = [module.vm-workload-scanning.service_principal_component_id]
+ depends_on = [ module.vm-workload-scanning ]
+}