feat(host-scanner): add azure organization tf scritp [SSPROD-37679] @…

…frasecci (#32)

modules/services/host-scanner/main.tf

@@ -1,11 +1,12 @@
 provider "azurerm" {
-  alias           = "subscription"
+  features { }
+}
+
+data "azurerm_subscription" "primary" {
   subscription_id = var.subscription_id
-  features {}
 }
 
 resource "azurerm_lighthouse_definition" "lighthouse_definition" {
-  provider           = azurerm.subscription
   name               = "Sysdig Agentless Host Scanner"
   description        = "Lighthouse definition for Sysdig Agentless Host Scanner"
   managing_tenant_id = var.sysdig_tenant_id
@@ -19,7 +20,7 @@ resource "azurerm_lighthouse_definition" "lighthouse_definition" {
 }
 
 resource "azurerm_lighthouse_assignment" "lighthouse_assignment" {
-  provider                 = azurerm.subscription
+  count = var.is_organizational ? 0 : 1
   scope                    = "/subscriptions/${var.subscription_id}"
   lighthouse_definition_id = azurerm_lighthouse_definition.lighthouse_definition.id
 }

modules/services/host-scanner/organizational.tf

@@ -0,0 +1,25 @@
+#---------------------------------------------------------------------------------------------
+# Fetch the management groups for customer tenant and onboard subscriptions under them
+#---------------------------------------------------------------------------------------------
+# If no management group is present, then the root management group is used to onboard all the subscriptions
+data "azurerm_management_group" "root_management_group" {
+  count  = var.is_organizational && length(var.management_group_ids) == 0 ? 1 : 0
+  display_name = "Tenant Root Group"
+}
+
+data "azurerm_management_group" "management_groups" {
+  for_each = var.is_organizational && length(var.management_group_ids) > 0 ? var.management_group_ids : []
+  name = each.value
+}
+
+locals {
+  subscriptions = toset(var.is_organizational && length(var.management_group_ids) == 0 ? data.azurerm_management_group.root_management_group[0].subscription_ids :
+    flatten([for m in data.azurerm_management_group.management_groups : m.subscription_ids]))
+}
+
+resource "azurerm_lighthouse_assignment" "lighthouse_assignment_for_tenant" {
+  for_each = var.is_organizational ? toset(local.subscriptions) : toset([])
+
+  scope                    = "/subscriptions/${each.value}"
+  lighthouse_definition_id = azurerm_lighthouse_definition.lighthouse_definition.id
+}

modules/services/host-scanner/output.tf

@@ -3,7 +3,7 @@ output "lighthouse_definition_display_id" {
   description = "Display id of the Light House definition created"
 }
 
-output "lighthouse_assignment_display_id" {
-  value       = azurerm_lighthouse_assignment.lighthouse_assignment.id
-  description = "Display id of the Light House assignment created"
+output "subscription_alias" {
+  value = data.azurerm_subscription.primary.display_name
+  description = "Display name of the subscription"
 }

modules/services/host-scanner/variables.tf

@@ -12,3 +12,15 @@ variable "sysdig_service_principal_id" {
   type = string
   description = "Service Principal ID in the Sysdig tenant"
 }
+
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant."
+  type        = bool
+  default     = false
+}
+
+variable "management_group_ids" {
+  description = "(Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups."
+  type        = set(string)
+  default     = []
+}

modules/services/host-scanner/versions.tf

@@ -6,9 +6,13 @@ terraform {
       source  = "hashicorp/azurerm"
       version = ">= 3.76.0"
     }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = ">= 2.43.0"
+    }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 1.18.2"
+      version = ">= 1.19.0"
     }
   }
 }