This module deploys VM Workload Scanning resources in Azure for a single subscription or for an entire Azure Tenant. The resources grant the following capabilities:
- Pulling Docker images from ACR for a single subscription, or for all subscriptions within the Azure Tenant.
- Reading AppSettings for a single subscription, or for all subscriptions within the Azure Tenant.
- Listing Azure Functions for a single subscription, or for all subscriptions within the Azure Tenant.
- Storage File Data Reader for a single subscription, or for all subscriptions within the Azure Tenant.
- Storage Blob Data Reader for a single subscription, or for all subscriptions within the Azure Tenant.
- Access to the Kudu API for a single subscription, or for all subscriptions within the Azure Tenant.
All of the above permissions will ensure the following actions are possible when authenticating as the VMWorkloadScanning Azure Service Principal:
- Pull docker images from ACR
- List Azure Functions
- Understand where Azure Functions code is located
- Read the code content of Azure Functions
These permissions are everything currently required to enable VM Agentless Workload Scanning.
If instrumenting an Azure subscription, the following resources will be created:
- A Service Principal in your tenant, associated with the application ID of the VM Workload Scanning service client / app registration in the Sysdig tenant.
- Role assignments with a minimal set of permissions for the Azure subscription.
- A component creation in Sysdig Backend associated with the cloudAuth created during foundational onboarding
If instrumenting an Azure Tenant, the following resources will be created:
- A Service Principal in your tenant, associated with the application ID of the VM Workload Scanning service client / app registration in the Sysdig tenant.
- Role assignments with a minimal set of permissions for the Azure subscription provided as the management account/subscription.
- Role assignments with a minimal set of permissions at the Root Management Group level of the Tenant by default, or at each of the instrumented Management Groups within the Tenant if provided, for retrieving inventory.
- A component creation in Sysdig Backend associated with the cloudAuth created during foundational onboarding
Important. If you need to use a pre-existing Service Principal, it must be associated with the Sysdig VM Workload Scanning Application ID:
- The Sysdig VM Workload Scanning Application ID is available in the output of the `sysdig_secure_trusted_azure_app` data source created in this module. It can also be retrieved from the Sysdig onboarding API using the `sysdig_secure_api_token` provided in the Sysdig UI > Settings > Sysdig Secure API Token; the curl command uses the `app=vm_workload_scanning` query parameter:

```
curl --location 'https://<sysdig-secure>/api/secure/onboarding/v2/trustedAzureApp?app=vm_workload_scanning' \
  --header 'Authorization: Bearer <token>'
```

- From the previous call, use the `applicationId` field of the response to create the Service Principal in your Azure Tenant.
- Provide the Service Principal ID as input to the `vm_workload_scanning_service_principal` variable in this module. This skips the creation of a new Service Principal and uses the one provided instead.
- Contact Sysdig Support if you need assistance with this process.
Note:
- The outputs from the foundational module, such as `sysdig_secure_account_id`, are needed as inputs to the other feature/integration modules for subsequent modular installs.
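The following Terraform configuration is an added example, not part of this module's own documentation or code. It ties together the two points above: it reads the Sysdig VM Workload Scanning Application ID through the `sysdig_secure_trusted_azure_app` data source, creates the matching Service Principal in your tenant with the `azuread` provider, passes its object ID to `vm_workload_scanning_service_principal`, and feeds `sysdig_secure_account_id` from the foundational module's output. Assumptions are marked in the comments: the module source paths are placeholders, the data source is assumed to take a `name` argument and expose the ID as `application_id`, the foundational module is assumed to be instantiated as `module.onboarding`, and `azuread_service_principal` is assumed to accept `application_id` (azuread 2.x; later releases renamed it `client_id`).

```hcl
# Added example: use a pre-existing Service Principal with this module.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = ">= 2.43.0" }
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.76.0" }
    sysdig  = { source = "sysdiglabs/sysdig", version = "~> 3.3" }
  }
}

# Assumption: the foundational onboarding module is applied as
# module.onboarding and exposes the sysdig_secure_account_id output.
module "onboarding" {
  source = "<foundational-onboarding-module-source>" # placeholder
  # ... foundational inputs go here ...
}

# Assumption: the data source takes a `name` argument and exposes the
# trusted app's ID as `application_id`. Confirm the attribute name with
# `terraform providers schema -json` for your sysdig provider version.
data "sysdig_secure_trusted_azure_app" "vm_workload_scanning" {
  name = "vm_workload_scanning"
}

# Create (or adopt, via use_existing) the Service Principal for the Sysdig
# VM Workload Scanning application in this tenant.
# Assumption: azuread 2.x argument name is `application_id`.
resource "azuread_service_principal" "sysdig_vm_workload_scanning" {
  application_id = data.sysdig_secure_trusted_azure_app.vm_workload_scanning.application_id
  use_existing   = true
}

module "vm_workload_scanning" {
  source = "<path-or-registry-source-of-this-module>" # placeholder

  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
  subscription_id          = "00000000-0000-0000-0000-000000000000" # placeholder
  sysdig_cspm_sp_object_id = "<cspm-sp-object-id>"                   # placeholder

  # Passing the existing SP's object ID makes the module skip creating one.
  vm_workload_scanning_service_principal = azuread_service_principal.sysdig_vm_workload_scanning.object_id

  is_organizational = false # single-subscription deployment
  functions_enabled = true  # grants the Functions Storage permissions used to read function code
  aks_enabled       = false # AKS discovery permissions not requested
}

# Component identifier created in the Sysdig Backend for this integration.
output "vm_workload_scanning_component_id" {
  value = module.vm_workload_scanning.service_principal_component_id
}
```

After `terraform apply`, compare the role assignments attached to the Service Principal against the capability list at the top of this README; anything broader than that list (for example, a contributor role at subscription scope) indicates the SP was not created with the minimal permission set this module intends.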
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| azurerm | >= 3.76.0 |
| azuread | >= 2.43.0 |
| sysdig | ~> 3.3 |

Providers:

| Name | Version |
|---|---|
| azurerm | >= 3.76.0 |

Modules:

No modules.
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| sysdig_secure_account_id | ID of the Sysdig Cloud Account to enable VM Workload Scanning with optional AKS discovery | string | n/a | yes |
| subscription_id | The identifier of the Azure Subscription in which to create secure-for-cloud VM workload scanning resources | string | n/a | yes |
| is_organizational | true/false: whether VM workload scanning resources should be deployed in an organizational setup (all subscriptions of the tenant) or not (only on the default Azure provider subscription) | bool | false | no |
| aks_enabled | Set this field to `true` to grant AKS discovery permissions to the secure-posture service principal | bool | false | no |
| functions_enabled | Set this field to `true` to grant Functions Storage permissions to the secure-vm-workload-scanning service principal | bool | false | no |
| sysdig_cspm_sp_object_id | Object ID of the CSPM SP within the client's infra | string | n/a | yes |
| vm_workload_scanning_service_principal | (Optional) Service Principal to be used for VM Workload Scanning; this SP must be associated with the Sysdig VM Workload Scanning Application ID. If not provided, a new one will be created. | string | "" | no |
| suffix | management_groups to include for the organization, in the format `<management_group_id>`, e.g. management_group_id_1 | set(string) | [] | no |
| suffix | management_groups to exclude for the organization, in the format `<management_group_id>`, e.g. management_group_id_1 | set(string) | [] | no |
| suffix | subscriptions to include for the organization, e.g. 12345678-1234-1234-1234-123456789abc | set(string) | [] | no |
| suffix | subscriptions to exclude for the organization, e.g. 12345678-1234-1234-1234-123456789abc | set(string) | [] | no |
Outputs:

| Name | Description |
|---|---|
| service_principal_component_id | Component identifier of the Component created in the Sysdig Backend for VM Workload Scanning |
Module is maintained by Sysdig.
Apache 2 Licensed. See LICENSE for full details.