diff --git a/modules/services/service-principal/main.tf b/modules/services/service-principal/main.tf
index a672d8f..6e993e1 100644
--- a/modules/services/service-principal/main.tf
+++ b/modules/services/service-principal/main.tf
@@ -41,21 +41,31 @@ resource "azurerm_role_assignment" "sysdig_reader" {
 role_definition_name = "Reader"
 principal_id = azuread_service_principal.sysdig_sp.object_id
 }
-
 #---------------------------------------------------------------------------------------------
-# Assign "Azure Kubernetes Service Cluster User Role" role to Sysdig SP for primary subscription
+# Create a Custom role for collecting authsettings
 #---------------------------------------------------------------------------------------------
-resource "azurerm_role_assignment" "sysdig_k8s_reader" {
- scope = data.azurerm_subscription.primary.id
- role_definition_name = "Azure Kubernetes Service Cluster User Role"
- principal_id = azuread_service_principal.sysdig_sp.object_id
+resource "azurerm_role_definition" "sysdig_cspm_role" {
+ name = "sysdig-cspm-role"
+ scope = data.azurerm_subscription.primary.id
+ description = "Custom role for collecting Authsettings for CIS Benchmark"
+
+ permissions {
+ actions = [
+ "Microsoft.Web/sites/config/list/action"
+ ]
+ not_actions = []
+ }
+
+ assignable_scopes = [
+ data.azurerm_subscription.primary.id,
+ ]
 }
 
 #---------------------------------------------------------------------------------------------
-# Assign "Virtual Machine User Login" role to Sysdig SP for primary subscription
+# Custom role assignment for collecting authsettings
 #---------------------------------------------------------------------------------------------
-resource "azurerm_role_assignment" "sysdig_vm_user" {
+resource "azurerm_role_assignment" "sysdig_cspm_role_assignment" {
 scope = data.azurerm_subscription.primary.id
- role_definition_name = "Virtual Machine User Login"
+ role_definition_id = azurerm_role_definition.sysdig_cspm_role.role_definition_resource_id
 principal_id = azuread_service_principal.sysdig_sp.object_id
 }
\ No newline at end of file
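Review bot: The description and the header comment on the new `azurerm_role_definition` understate what `Microsoft.Web/sites/config/list/action` grants — Azure documents that operation as listing a web app's security-sensitive settings, including publishing credentials, app settings and connection strings, not only authsettings, so whatever the collector reads through this role has to be handled as secret material on the receiving side. I would make that explicit in the code, e.g. `# NOTE: config/list/action returns all security-sensitive site settings (app settings, connection strings, publishing credentials), not only authsettings` above the `actions` list, and align `description` with it so a later audit of the role does not under-estimate its reach. Separately, the fixed `name = "sysdig-cspm-role"` will likely collide if this module is instantiated more than once in the same tenant, since custom role definition names must be unique per tenant; deriving the name from the subscription id, as the organizational.tf hunk already does with `${each.key}`, would avoid that. The same wording point applies to `sysdig_cspm_role_for_tenant` in organizational.tf.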
diff --git a/modules/services/service-principal/organizational.tf b/modules/services/service-principal/organizational.tf
index dd6e3dd..92ecd78 100644
--- a/modules/services/service-principal/organizational.tf
+++ b/modules/services/service-principal/organizational.tf
@@ -24,23 +24,34 @@ resource "azurerm_role_assignment" "sysdig_reader_for_tenant" {
 }
 
 #---------------------------------------------------------------------------------------------
-# Assign "Azure Kubernetes Service Cluster User Role" role to Sysdig SP for customer tenant
+# Create a Custom role for collecting authsettings
 #---------------------------------------------------------------------------------------------
-resource "azurerm_role_assignment" "sysdig_k8s_reader_for_tenant" {
+resource "azurerm_role_definition" "sysdig_cspm_role_for_tenant" {
 for_each = var.is_organizational ? local.management_groups : []
- scope = each.key
- role_definition_name = "Azure Kubernetes Service Cluster User Role"
- principal_id = azuread_service_principal.sysdig_sp.object_id
+ name = "sysdig_cspm_role_for_tenant_${each.key}"
+ scope = each.key
+ description = "Custom role for collecting Authsettings for CIS Benchmark"
+
+ permissions {
+ actions = [
+ "Microsoft.Web/sites/config/list/action"
+ ]
+ not_actions = []
+ }
+
+ assignable_scopes = [
+ each.key,
+ ]
 }
 
 #---------------------------------------------------------------------------------------------
-# Assign "Virtual Machine User Login" role to Sysdig SP for customer tenant
+# Custom role assignment for collecting authsettings
 #---------------------------------------------------------------------------------------------
-resource "azurerm_role_assignment" "sysdig_vm_user_for_tenant" {
+resource "azurerm_role_assignment" "sysdig_cspm_role_assignment_for_tenant" {
 for_each = var.is_organizational ? local.management_groups : []
 scope = each.key
- role_definition_name = "Virtual Machine User Login"
+ role_definition_id = azurerm_role_definition.sysdig_cspm_role_for_tenant[each.key].role_definition_resource_id
 principal_id = azuread_service_principal.sysdig_sp.object_id
 }
diff --git a/modules/services/service-principal/versions.tf b/modules/services/service-principal/versions.tf
index 0a6430b..a1bfc6a 100644
--- a/modules/services/service-principal/versions.tf
+++ b/modules/services/service-principal/versions.tf
@@ -12,7 +12,7 @@ terraform {
 }
 sysdig = {
 source = "sysdiglabs/sysdig"
- version = ">= 1.18.0"
+ version = ">= 1.19.0"
 }
 }
 }
\ No newline at end of file