# tflint-ignore: terraform_required_providers
# Azure Resource Manager provider used by the onboarding and config-posture
# modules below. The subscription and tenant ids are example placeholders
# ("test-*"), not real identifiers; supply real ones when running this example.
provider "azurerm" {
  features {}
  subscription_id = "test-subscription"
  tenant_id       = "test-tenant"
}
# tflint-ignore: terraform_required_providers
# Azure AD provider; the tenant id must match the one given to azurerm above,
# since both modules operate on the same tenant.
provider "azuread" {
  tenant_id = "test-tenant"
}
# tflint-ignore: terraform_required_version
# Only the sysdig provider is pinned here; azurerm/azuread are left unpinned
# (see the tflint-ignore markers above). "~> 3.3" allows any 3.x release at or
# above 3.3 but not 4.0, so a major-version bump of the provider needs an
# explicit edit here.
terraform {
  required_providers {
    sysdig = {
      source  = "sysdiglabs/sysdig"
      version = "~> 3.3"
    }
  }
}
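# Secure API token for the sysdig provider. Declared as a sensitive variable so
# the secret is never written into this file (or committed with it); pass it via
# -var / TF_VAR_sysdig_secure_api_token, or leave it unset so the provider falls
# back to its SYSDIG_SECURE_API_TOKEN environment variable.
variable "sysdig_secure_api_token" {
  type      = string
  default   = null
  sensitive = true
}

# Sysdig Secure provider. This example targets the staging backend; point
# sysdig_secure_url at the production endpoint for real tenants.
provider "sysdig" {
  sysdig_secure_url       = "https://secure-staging.sysdig.com"
  sysdig_secure_api_token = var.sysdig_secure_api_token
}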
# Onboards the Azure tenant/subscription into Sysdig Secure. This is an
# organizational (tenant-wide) onboarding: is_organizational is true and the
# scope is restricted to the two listed management groups, with no explicit
# subscription include/exclude lists. Outputs of this module (account id,
# scope lists) feed the config-posture module below.
module "onboarding" {
  source            = "../../../modules/onboarding"
  subscription_id   = "test-subscription"
  tenant_id         = "test-tenant"
  is_organizational = true
  # Optional: pre-existing SP pointing to Sysdig Onboarding App ID
  # (placeholder value here; when set, the module presumably reuses this SP
  # instead of creating one — confirm against the module's variables).
  onboarding_service_principal = "onboarding-service-principal-id"
  # Include/Exclude specific parameters
  include_management_groups = ["mgmt-group-id1", "mgmt-group-id2"]
  exclude_management_groups = []
  include_subscriptions     = []
  exclude_subscriptions     = []
  # optionally pass automatic onboarding for orgs (defaults to false)
  enable_automatic_onboarding = false
}
# Provisions the config-posture (CSPM) integration for the account created by
# the onboarding module. Every scope parameter is taken from the onboarding
# module's outputs rather than repeated, so the two modules cannot drift apart
# on which management groups / subscriptions are covered.
module "config-posture" {
  source                   = "../../../modules/config-posture"
  subscription_id          = module.onboarding.subscription_id
  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
  is_organizational        = module.onboarding.is_organizational
  # Optional: pre-existing SP pointing to Sysdig CSPM App ID
  # (left commented out, so the module creates its own SP in this example)
  # config_posture_service_principal = "config-posture-service-principal-id"
  # Include/Exclude specific parameters from onboarding module
  include_management_groups = module.onboarding.include_management_groups
  exclude_management_groups = module.onboarding.exclude_management_groups
  include_subscriptions     = module.onboarding.include_subscriptions
  exclude_subscriptions     = module.onboarding.exclude_subscriptions
}
# Enables the config-posture feature on the onboarded Sysdig Secure account,
# binding it to the service-principal component created by the config-posture
# module. The explicit depends_on makes sure the whole module has been applied
# (not just the one output referenced in components) before the feature is
# turned on.
resource "sysdig_secure_cloud_auth_account_feature" "config_posture" {
  account_id = module.onboarding.sysdig_secure_account_id
  type       = "FEATURE_SECURE_CONFIG_POSTURE"
  enabled    = true
  components = [module.config-posture.service_principal_component_id]
  depends_on = [module.config-posture]
}
# Enables identity-entitlement (CIEM) in "basic" mode on the same account,
# reusing the config-posture service-principal component rather than creating
# a separate one. It is ordered after the config_posture feature resource.
# NOTE(review): ignore_changes on flags and components means later edits to
# those two attributes in this file are not applied, and out-of-band changes
# to them (e.g. a mode change made in the Sysdig UI) are not reported as drift
# by plan; presumably this is intended so the feature mode can be managed
# outside Terraform — confirm.
resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" {
  account_id = module.onboarding.sysdig_secure_account_id
  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
  enabled    = true
  components = [module.config-posture.service_principal_component_id]
  depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture]
  flags = {
    "CIEM_FEATURE_MODE" : "basic"
  }
  lifecycle {
    ignore_changes = [flags, components]
  }
}