feat(azure): customize entra and platform logs (SSPROD-43735) #52

Merged
merged 9 commits into from
Sep 2, 2024
47 changes: 24 additions & 23 deletions modules/integrations/event-hub/README.md
Expand Up @@ -59,29 +59,30 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_auto_inflate_enabled"></a> [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
| <a name="input_consumer_group_name"></a> [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
| <a name="input_diagnostic_settings_name"></a> [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
| <a name="input_enable_entra"></a> [enable\_entra](#input\_enable\_entra) | (Optional) Used to enable or disable Entra logs, defaults to true. | `bool` | `true` | no |
| <a name="input_entra_diagnostic_settings_name"></a> [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
| <a name="input_event_hub_name"></a> [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
| <a name="input_event_hub_namespace_name"></a> [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
| <a name="input_eventhub_authorization_rule_name"></a> [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
| <a name="input_maximum_throughput_units"></a> [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
| <a name="input_message_retention_days"></a> [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
| <a name="input_namespace_sku"></a> [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |
| <a name="input_partition_count"></a> [partition\_count](#input\_partition\_count) | The number of partitions in the Event Hub | `number` | `4` | no |
| <a name="input_region"></a> [region](#input\_region) | Datacenter where Sysdig-related resources will be created | `string` | n/a | yes |
| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | Name of the existing resource group | `string` | `null` | no |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group to be created | `string` | `"sysdig-resource-group"` | no |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Identifier of the subscription to be onboarded | `string` | n/a | yes |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
| <a name="input_throughput_units"></a> [throughput\_units](#input\_throughput\_units) | The number of throughput units to be allocated to the Event Hub | `number` | `1` | no |

| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------|:--------:|
| <a name="input_auto_inflate_enabled"></a> [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
| <a name="input_consumer_group_name"></a> [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
| <a name="input_diagnostic_settings_name"></a> [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
| <a name="input_enable_entra"></a> [enable\_entra](#input\_enable\_entra) | (Deprecated, see [enabled_entra_logs](#input\_enabled\_entra\_logs)) Used to enable or disable Entra logs, defaults to true. | `bool` | `true` | no |
| <a name="input_entra_diagnostic_settings_name"></a> [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
| <a name="input_event_hub_name"></a> [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
| <a name="input_event_hub_namespace_name"></a> [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
| <a name="input_eventhub_authorization_rule_name"></a> [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
| <a name="input_maximum_throughput_units"></a> [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
| <a name="input_message_retention_days"></a> [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
| <a name="input_namespace_sku"></a> [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |
| <a name="input_partition_count"></a> [partition\_count](#input\_partition\_count) | The number of partitions in the Event Hub | `number` | `4` | no |
| <a name="input_region"></a> [region](#input\_region) | Datacenter where Sysdig-related resources will be created | `string` | n/a | yes |
| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | Name of the existing resource group | `string` | `null` | no |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group to be created | `string` | `"sysdig-resource-group"` | no |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Identifier of the subscription to be onboarded | `string` | n/a | yes |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
| <a name="input_throughput_units"></a> [throughput\_units](#input\_throughput\_units) | The number of throughput units to be allocated to the Event Hub | `number` | `1` | no |
| <a name="input_enabled_platform_logs"></a> [enabled\_platform\_logs](#input\_enabled\_platform\_logs) | List of platform logs to enable | `list(string)` | `["Administrative", "Security", "Policy"]` | no |
| <a name="input_enabled_entra_logs"></a> [enabled\_entra\_logs](#input\_enabled\_entra\_logs) | List of Entra logs to enable | `list(string)` | `["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]` | no |
## Outputs

| Name | Description |
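Review bot: the README table looks hand-edited rather than regenerated from variables.tf: the two new rows `enabled_platform_logs` and `enabled_entra_logs` are appended after `throughput_units` instead of in the alphabetical position every other input row follows, the blank line between the table and `## Outputs` has been dropped, and the description for `enabled_platform_logs` ("List of platform logs to enable") loses the allowed-values list that variables.tf carries ("Options are: 'Administrative', 'Policy', 'Security'."). Regenerate the table so the two stay in sync, and give `enabled_entra_logs` an options list as well, since this table is where a user learns the valid category names. The `enable_entra` row is now marked deprecated, but nothing in the hunk says what a user with an existing `enable_entra = false` should do once `enabled_entra_logs` is the preferred control; one sentence on the migration would help.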
145 changes: 15 additions & 130 deletions modules/integrations/event-hub/main.tf
Expand Up @@ -121,151 +121,36 @@ resource "azurerm_role_assignment" "sysdig_data_receiver" {
# Create diagnostic settings for the subscription
#---------------------------------------------------------------------------------------------
resource "azurerm_monitor_diagnostic_setting" "sysdig_diagnostic_setting" {
count = var.is_organizational ? 0 : 1
count = length(var.enabled_platform_logs) > 0 ? 1 : 0

name = "${var.diagnostic_settings_name}-${random_string.random.result}-${local.subscription_hash}"
target_resource_id = data.azurerm_subscription.sysdig_subscription.id
eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
eventhub_name = azurerm_eventhub.sysdig_event_hub.name

enabled_log {
category = "Administrative"
}

enabled_log {
category = "Security"
}

enabled_log {
category = "Policy"
dynamic "enabled_log" {
for_each = var.enabled_platform_logs
content {
category = enabled_log.value
}
}
}

resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting" {
count = var.enable_entra ? 1 : 0
count = var.enable_entra && length(var.enabled_entra_logs) > 0 ? 1 : 0

name = "${var.entra_diagnostic_settings_name}-${local.subscription_hash}"
eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
eventhub_name = azurerm_eventhub.sysdig_event_hub.name

enabled_log {
category = "AuditLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "SignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "NonInteractiveUserSignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ServicePrincipalSignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ManagedIdentitySignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ProvisioningLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ADFSSignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "RiskyUsers"

retention_policy {
enabled = false
}
}

enabled_log {
category = "UserRiskEvents"


retention_policy {
enabled = false
}
}

enabled_log {
category = "NetworkAccessTrafficLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "RiskyServicePrincipals"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ServicePrincipalRiskEvents"

retention_policy {
enabled = false
}
}

enabled_log {
category = "EnrichedOffice365AuditLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "MicrosoftGraphActivityLogs"

retention_policy {
enabled = false
}
}
dynamic "enabled_log" {
for_each = var.enabled_entra_logs
content {
category = enabled_log.value

enabled_log {
category = "RemoteNetworkHealthLogs"

retention_policy {
enabled = false
retention_policy {
enabled = false
}
}
}
}
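Review bot: the new `count` on `sysdig_diagnostic_setting` silently drops the `is_organizational` guard: before this change the subscription-level diagnostic setting was skipped when `var.is_organizational` was true, now it is created whenever `enabled_platform_logs` is non-empty (which is the default), regardless of the organizational flag. If that is intentional it belongs in the PR description; otherwise keep both conditions, e.g. `count = !var.is_organizational && length(var.enabled_platform_logs) > 0 ? 1 : 0`. Separately, the Entra setting is still gated on `var.enable_entra && length(var.enabled_entra_logs) > 0` even though the README now marks `enable_entra` deprecated, so the new list cannot turn the logs on by itself, and an empty list turns them off even with `enable_entra = true`; decide which variable is authoritative and document the interaction. The `dynamic "enabled_log"` blocks themselves are a faithful translation of the static categories, including the `retention_policy { enabled = false }` on each Entra log.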
14 changes: 13 additions & 1 deletion modules/integrations/event-hub/variables.tf
Expand Up @@ -113,4 +113,16 @@ variable "enable_entra" {
variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account)"
}
}

variable "enabled_platform_logs" {
description = "List of platform logs to enable. Options are: 'Administrative', 'Policy', 'Security'."
type = list(string)
default = ["Administrative", "Security", "Policy"]
}

variable "enabled_entra_logs" {
description = "List of Entra logs to enable"
type = list(string)
default = ["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]
}
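Review bot: `enabled_platform_logs` documents its allowed values in the description but does not enforce them, so a misspelled category is only rejected by the Azure API at apply time rather than at plan. Add a `validation` block, e.g. `condition = alltrue([for c in var.enabled_platform_logs : contains(["Administrative", "Policy", "Security"], c)])` with a matching `error_message`, and do the same for `enabled_entra_logs` against the categories in its default. The `enabled_entra_logs` description ("List of Entra logs to enable") should also list the options the way the platform-logs one does. Finally, the README in this PR marks `enable_entra` deprecated, but the variable itself appears here only as unchanged context at the top of the hunk; if the deprecation is real, its description should say so too, so that generated docs and the variable agree.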