Skip to content

Commit

Permalink
feat(azure): customize entra and platform logs (SSPROD-43735) (#52)
Browse files Browse the repository at this point in the history
  • Loading branch information
@SKosier
SKosier authored Sep 2, 2024
1 parent f5ca091 commit 917593e
Show file tree
Hide file tree
Showing 3 changed files with 52 additions and 154 deletions.
47 changes: 24 additions & 23 deletions modules/integrations/event-hub/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,29 +59,30 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_auto_inflate_enabled"></a> [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
| <a name="input_consumer_group_name"></a> [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
| <a name="input_diagnostic_settings_name"></a> [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
| <a name="input_enable_entra"></a> [enable\_entra](#input\_enable\_entra) | (Optional) Used to enable or disable Entra logs, defaults to true. | `bool` | `true` | no |
| <a name="input_entra_diagnostic_settings_name"></a> [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
| <a name="input_event_hub_name"></a> [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
| <a name="input_event_hub_namespace_name"></a> [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
| <a name="input_eventhub_authorization_rule_name"></a> [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
| <a name="input_maximum_throughput_units"></a> [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
| <a name="input_message_retention_days"></a> [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
| <a name="input_namespace_sku"></a> [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |
| <a name="input_partition_count"></a> [partition\_count](#input\_partition\_count) | The number of partitions in the Event Hub | `number` | `4` | no |
| <a name="input_region"></a> [region](#input\_region) | Datacenter where Sysdig-related resources will be created | `string` | n/a | yes |
| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | Name of the existing resource group | `string` | `null` | no |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group to be created | `string` | `"sysdig-resource-group"` | no |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Identifier of the subscription to be onboarded | `string` | n/a | yes |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
| <a name="input_throughput_units"></a> [throughput\_units](#input\_throughput\_units) | The number of throughput units to be allocated to the Event Hub | `number` | `1` | no |

| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------|:--------:|
| <a name="input_auto_inflate_enabled"></a> [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
| <a name="input_consumer_group_name"></a> [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
| <a name="input_diagnostic_settings_name"></a> [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
| <a name="input_enable_entra"></a> [enable\_entra](#input\_enable\_entra) | (Deprecated, see [enabled_entra_logs](#input\_enabled\_entra\_logs)) Used to enable or disable Entra logs, defaults to true. | `bool` | `true` | no |
| <a name="input_entra_diagnostic_settings_name"></a> [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
| <a name="input_event_hub_name"></a> [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
| <a name="input_event_hub_namespace_name"></a> [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
| <a name="input_eventhub_authorization_rule_name"></a> [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
| <a name="input_maximum_throughput_units"></a> [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
| <a name="input_message_retention_days"></a> [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
| <a name="input_namespace_sku"></a> [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |
| <a name="input_partition_count"></a> [partition\_count](#input\_partition\_count) | The number of partitions in the Event Hub | `number` | `4` | no |
| <a name="input_region"></a> [region](#input\_region) | Datacenter where Sysdig-related resources will be created | `string` | n/a | yes |
| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | Name of the existing resource group | `string` | `null` | no |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group to be created | `string` | `"sysdig-resource-group"` | no |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Identifier of the subscription to be onboarded | `string` | n/a | yes |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
| <a name="input_throughput_units"></a> [throughput\_units](#input\_throughput\_units) | The number of throughput units to be allocated to the Event Hub | `number` | `1` | no |
| <a name="input_enabled_platform_logs"></a> [enabled\_platform\_logs](#input\_enabled\_platform\_logs) | List of platform logs to enable | `list(string)` | `["Administrative", "Security", "Policy"]` | no |
| <a name="input_enabled_entra_logs"></a> [enabled\_entra\_logs](#input\_enabled\_entra\_logs) | List of Entra logs to enable | `list(string)` | `["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]` | no |
## Outputs

| Name | Description |
Expand Down
145 changes: 15 additions & 130 deletions modules/integrations/event-hub/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -121,151 +121,36 @@ resource "azurerm_role_assignment" "sysdig_data_receiver" {
# Create diagnostic settings for the subscription
#---------------------------------------------------------------------------------------------
resource "azurerm_monitor_diagnostic_setting" "sysdig_diagnostic_setting" {
count = var.is_organizational ? 0 : 1
count = length(var.enabled_platform_logs) > 0 ? 1 : 0

name = "${var.diagnostic_settings_name}-${random_string.random.result}-${local.subscription_hash}"
target_resource_id = data.azurerm_subscription.sysdig_subscription.id
eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
eventhub_name = azurerm_eventhub.sysdig_event_hub.name

enabled_log {
category = "Administrative"
}

enabled_log {
category = "Security"
}

enabled_log {
category = "Policy"
dynamic "enabled_log" {
for_each = var.enabled_platform_logs
content {
category = enabled_log.value
}
}
}

resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting" {
count = var.enable_entra ? 1 : 0
count = var.enable_entra && length(var.enabled_entra_logs) > 0 ? 1 : 0

name = "${var.entra_diagnostic_settings_name}-${local.subscription_hash}"
eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
eventhub_name = azurerm_eventhub.sysdig_event_hub.name

enabled_log {
category = "AuditLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "SignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "NonInteractiveUserSignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ServicePrincipalSignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ManagedIdentitySignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ProvisioningLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ADFSSignInLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "RiskyUsers"

retention_policy {
enabled = false
}
}

enabled_log {
category = "UserRiskEvents"


retention_policy {
enabled = false
}
}

enabled_log {
category = "NetworkAccessTrafficLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "RiskyServicePrincipals"

retention_policy {
enabled = false
}
}

enabled_log {
category = "ServicePrincipalRiskEvents"

retention_policy {
enabled = false
}
}

enabled_log {
category = "EnrichedOffice365AuditLogs"

retention_policy {
enabled = false
}
}

enabled_log {
category = "MicrosoftGraphActivityLogs"

retention_policy {
enabled = false
}
}
dynamic "enabled_log" {
for_each = var.enabled_entra_logs
content {
category = enabled_log.value

enabled_log {
category = "RemoteNetworkHealthLogs"

retention_policy {
enabled = false
retention_policy {
enabled = false
}
}
}
}
Expand Down
14 changes: 13 additions & 1 deletion modules/integrations/event-hub/variables.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -113,4 +113,16 @@ variable "enable_entra" {
variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account)"
}
}

variable "enabled_platform_logs" {
description = "List of platform logs to enable. Options are: 'Administrative', 'Policy', 'Security'."
type = list(string)
default = ["Administrative", "Security", "Policy"]
}

variable "enabled_entra_logs" {
description = "List of Entra logs to enable"
type = list(string)
default = ["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]
}

0 comments on commit 917593e

Please sign in to comment.