feat: Active directory (#50)

* feat: add active directory diagnostic settings * chore: downgrade azurerm provider version * fix: use namespace rule instead of eventhub rule * fix: Remove the list of subscriptions from cloud-connector module * feat: Can use an existing container registry * feat: add deploy active directory features flag Co-authored-by: David González Diez <[email protected]>
sysdiglabs · Dec 23, 2021 · 5d12341 · 5d12341
1 parent d063c6c
commit 5d12341
Show file tree

Hide file tree

Showing 37 changed files with 226 additions and 109 deletions.
diff --git a/examples/single-subscription-k8s/README.md b/examples/single-subscription-k8s/README.md
@@ -57,14 +57,14 @@ Notice that:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.87.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.85.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >=2.3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 2.87.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 2.85.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >=2.3.0 |
 
 ## Modules
@@ -83,19 +83,22 @@ Notice that:
 | Name | Type |
 |------|------|
 | [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/2.87.0/docs/data-sources/subscription) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/2.85.0/docs/data-sources/subscription) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
 | <a name="input_cloud_connector_image"></a> [cloud\_connector\_image](#input\_cloud\_connector\_image) | Cloud-connector image to deploy | `string` | `"quay.io/sysdig/cloud-connector"` | no |
-| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `true` | no |
+| <a name="input_deploy_active_directory"></a> [deploy\_active\_directory](#input\_deploy\_active\_directory) | whether the Active Directory features are to be deployed | `bool` | `true` | no |
+| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `false` | no |
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | whether scanning module is to be deployed | `bool` | `true` | no |
 | <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"westus"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region in which to run benchmarks. Azure accepts one of [AzureCloud, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment]. | `string` | `"AzureCloud"` | no |
+| <a name="input_registry_name"></a> [registry\_name](#input\_registry\_name) | The existing Container Registry name | `string` | `""` | no |
+| <a name="input_registry_resource_group_name"></a> [registry\_resource\_group\_name](#input\_registry\_resource\_group\_name) | The existing Container Registry name resource group name when is different than workload resource group name | `string` | `""` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy Secure for Cloud stack | `string` | `""` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be added to the resources | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

diff --git a/examples/single-subscription-k8s/main.tf b/examples/single-subscription-k8s/main.tf
@@ -6,6 +6,7 @@ locals {
   tenant_id                            = length(module.infrastructure_enterprise_app) > 0 ? module.infrastructure_enterprise_app[0].tenant_id : ""
   client_id                            = length(module.infrastructure_enterprise_app) > 0 ? module.infrastructure_enterprise_app[0].client_id : ""
   client_secret                        = length(module.infrastructure_enterprise_app) > 0 ? module.infrastructure_enterprise_app[0].client_secret : ""
+  registry_resource_group_name         = var.registry_resource_group_name == "" ? module.infrastructure_resource_group.resource_group_name : var.registry_resource_group_name
 }
 
 module "infrastructure_resource_group" {
@@ -19,11 +20,12 @@ module "infrastructure_resource_group" {
 module "infrastructure_eventhub" {
   source = "../../modules/infrastructure/eventhub"
 
-  subscription_ids    = [data.azurerm_subscription.current.subscription_id]
-  location            = var.location
-  name                = var.name
-  tags                = var.tags
-  resource_group_name = module.infrastructure_resource_group.resource_group_name
+  subscription_ids             = [data.azurerm_subscription.current.subscription_id]
+  location                     = var.location
+  name                         = var.name
+  tags                         = var.tags
+  resource_group_name          = module.infrastructure_resource_group.resource_group_name
+  deploy_ad_diagnostic_setting = var.deploy_active_directory
 }
 
 module "infrastructure_eventgrid_eventhub" {
@@ -51,6 +53,7 @@ module "infrastructure_container_registry" {
 
   location             = var.location
   name                 = var.name
-  resource_group_name  = module.infrastructure_resource_group.resource_group_name
+  registry_name        = var.registry_name
+  resource_group_name  = local.registry_resource_group_name
   eventhub_endpoint_id = local.eventgrid_eventhub_id
 }
diff --git a/examples/single-subscription-k8s/variables.tf b/examples/single-subscription-k8s/variables.tf
@@ -33,7 +33,7 @@ variable "deploy_scanning" {
 variable "deploy_benchmark" {
   type        = bool
   description = "whether benchmark module is to be deployed"
-  default     = true
+  default     = false
 }
 
 variable "region" {
@@ -69,3 +69,21 @@ variable "cloud_connector_image" {
   description = "Cloud-connector image to deploy"
   default     = "quay.io/sysdig/cloud-connector"
 }
+
+variable "deploy_active_directory" {
+  type        = bool
+  default     = true
+  description = "whether the Active Directory features are to be deployed"
+}
+
+variable "registry_name" {
+  type        = string
+  default     = ""
+  description = "The existing Container Registry name"
+}
+
+variable "registry_resource_group_name" {
+  type        = string
+  default     = ""
+  description = "The existing Container Registry name resource group name when is different than workload resource group name"
+}
diff --git a/examples/single-subscription-k8s/versions.tf b/examples/single-subscription-k8s/versions.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "2.87.0"
+      version = "2.85.0"
     }
     helm = {
       source  = "hashicorp/helm"

diff --git a/examples/single-subscription/README.md b/examples/single-subscription/README.md
@@ -53,14 +53,14 @@ Notice that:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.87.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.85.0 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.27 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 2.87.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 2.85.0 |
 
 ## Modules
 
@@ -78,18 +78,21 @@ Notice that:
 
 | Name | Type |
 |------|------|
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/2.87.0/docs/data-sources/subscription) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/2.85.0/docs/data-sources/subscription) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
+| <a name="input_deploy_active_directory"></a> [deploy\_active\_directory](#input\_deploy\_active\_directory) | whether the Active Directory features are to be deployed | `bool` | `true` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | whether scanning module is to be deployed | `bool` | `true` | no |
 | <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"westus"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region in which to run benchmarks. Azure accepts one of [AzureCloud, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment]. | `string` | `"AzureCloud"` | no |
+| <a name="input_registry_name"></a> [registry\_name](#input\_registry\_name) | The existing Container Registry name | `string` | `""` | no |
+| <a name="input_registry_resource_group_name"></a> [registry\_resource\_group\_name](#input\_registry\_resource\_group\_name) | The existing Container Registry name resource group name when is different than workload resource group name | `string` | `""` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy cloud vision stack | `string` | `""` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be added to the resources | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

diff --git a/examples/single-subscription/main.tf b/examples/single-subscription/main.tf
@@ -6,6 +6,7 @@ locals {
   tenant_id                            = length(module.infrastructure_enterprise_app) > 0 ? module.infrastructure_enterprise_app[0].tenant_id : ""
   client_id                            = length(module.infrastructure_enterprise_app) > 0 ? module.infrastructure_enterprise_app[0].client_id : ""
   client_secret                        = length(module.infrastructure_enterprise_app) > 0 ? module.infrastructure_enterprise_app[0].client_secret : ""
+  registry_resource_group_name         = var.registry_resource_group_name == "" ? module.infrastructure_resource_group.resource_group_name : var.registry_resource_group_name
 }
 
 provider "sysdig" {
@@ -25,10 +26,11 @@ module "infrastructure_resource_group" {
 module "infrastructure_eventhub" {
   source = "../../modules/infrastructure/eventhub"
 
-  subscription_ids    = [data.azurerm_subscription.current.subscription_id]
-  location            = var.location
-  name                = var.name
-  resource_group_name = module.infrastructure_resource_group.resource_group_name
+  subscription_ids             = [data.azurerm_subscription.current.subscription_id]
+  location                     = var.location
+  name                         = var.name
+  resource_group_name          = module.infrastructure_resource_group.resource_group_name
+  deploy_ad_diagnostic_setting = var.deploy_active_directory
 }
 
 module "infrastructure_eventgrid_eventhub" {
@@ -48,7 +50,8 @@ module "infrastructure_container_registry" {
 
   location             = var.location
   name                 = var.name
-  resource_group_name  = module.infrastructure_resource_group.resource_group_name
+  registry_name        = var.registry_name
+  resource_group_name  = local.registry_resource_group_name
   eventhub_endpoint_id = local.eventgrid_eventhub_id
 }
 
@@ -76,5 +79,5 @@ module "cloud_connector" {
   sysdig_secure_endpoint                     = var.sysdig_secure_endpoint
   verify_ssl                                 = local.verify_ssl
   tags                                       = var.tags
-  subscription_ids                           = [data.azurerm_subscription.current.subscription_id]
+  subscription_id                            = data.azurerm_subscription.current.subscription_id
 }
diff --git a/examples/single-subscription/variables.tf b/examples/single-subscription/variables.tf
@@ -41,6 +41,30 @@ variable "resource_group_name" {
   description = "The resource group name to deploy cloud vision stack"
 }
 
+variable "deploy_scanning" {
+  type        = bool
+  description = "whether scanning module is to be deployed"
+  default     = true
+}
+
+variable "registry_name" {
+  type        = string
+  default     = ""
+  description = "The existing Container Registry name"
+}
+
+variable "registry_resource_group_name" {
+  type        = string
+  default     = ""
+  description = "The existing Container Registry name resource group name when is different than workload resource group name"
+}
+
+variable "deploy_active_directory" {
+  type        = bool
+  default     = true
+  description = "whether the Active Directory features are to be deployed"
+}
+
 # benchmark
 variable "region" {
   type        = string
@@ -53,9 +77,3 @@ variable "deploy_benchmark" {
   description = "whether benchmark module is to be deployed"
   default     = true
 }
-
-variable "deploy_scanning" {
-  type        = bool
-  description = "whether scanning module is to be deployed"
-  default     = true
-}
diff --git a/examples/single-subscription/versions.tf b/examples/single-subscription/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "2.87.0"
+      version = "2.85.0"
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"

diff --git a/examples/tenant-subscriptions/README.md b/examples/tenant-subscriptions/README.md
@@ -75,14 +75,14 @@ Notice that:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 2.87.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 2.85.0 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.27 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 2.87.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 2.85.0 |
 
 ## Modules
 
@@ -100,21 +100,24 @@ Notice that:
 
 | Name | Type |
 |------|------|
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_subscriptions.available](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscriptions) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
-| <a name="input_tenant_id"></a> [tenant\_id](#input\_tenant\_id) | Azure Tenant ID | `string` | n/a | yes |
 | <a name="input_benchmark_subscription_ids"></a> [benchmark\_subscription\_ids](#input\_benchmark\_subscription\_ids) | Azure subscription IDs to run Benchmarks on. If no subscriptions are specified, all of the tenant will be used. | `list(string)` | `[]` | no |
+| <a name="input_deploy_active_directory"></a> [deploy\_active\_directory](#input\_deploy\_active\_directory) | whether the Active Directory features are to be deployed | `bool` | `true` | no |
 | <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | whether scanning module is to be deployed | `bool` | `true` | no |
 | <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"westus"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region in which to run benchmarks. Azure accepts one of [AzureCloud, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment]. | `string` | `"AzureCloud"` | no |
-| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy cloud vision stack | `string` | `""` | no |
+| <a name="input_registry_name"></a> [registry\_name](#input\_registry\_name) | The existing Container Registry name | `string` | `""` | no |
+| <a name="input_registry_resource_group_name"></a> [registry\_resource\_group\_name](#input\_registry\_resource\_group\_name) | The existing Container Registry name resource group name when is different than workload resource group name | `string` | `""` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy secure for cloud stack | `string` | `""` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be added to the resources | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_threat_detection_subscription_ids"></a> [threat\_detection\_subscription\_ids](#input\_threat\_detection\_subscription\_ids) | Azure subscription IDs to run threat detection on. If no subscriptions are specified, all of the tenant will be used. | `list(string)` | `[]` | no |

diff --git a/examples/tenant-subscriptions/data.tf b/examples/tenant-subscriptions/data.tf
@@ -1 +1,2 @@
+data "azurerm_subscription" "current" {}
 data "azurerm_subscriptions" "available" {}
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		data "azurerm_subscription" "current" {}
		data "azurerm_subscriptions" "available" {}