feat(azure): add diagnostic settings for additional resources (SSPROD…

…-44285) (#56)

modules/integrations/additional-resources/README.md

@@ -0,0 +1,50 @@
+# Azure Additional Resources Module
+
+This module creates diagnostic settings for all the resources specified by the client and directs the logs for those specified resources to the existing Event Hub, which will be queried by the Sysdig backend for log ingestion.
+The resources will forward only the logs specified by the user.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.76.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.76.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name                                                                                                                                                                               | Type |
+|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
+| [azurerm_monitor_diagnostic_setting.sysdig_custom_diagnostic_settings](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
+
+## Inputs
+
+| Name                                                                                                        | Description                                                                                                                              | Type     | Default | Required |
+|-------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------|---------|:--------:|
+| <a name="input_event_hub_name"></a> [event\_hub\_name](#input\_event\_hub\_name)                            | Event Hub integration created for Sysdig Log Ingestion | `string` | n/a	    |   yes    |
+| <a name="input_sysdig_authorization_id"></a> [sysdig\_authorization\_id](#input\_sysdig\_authorization\_id) | Identifier of Authorization Rule for the Sysdig Namespace | `string`       | n/a	    |   yes    |
+| <a name="input_deployment_identifier"></a> [deployment\_identifier](#input\_deployment\_identifier)         | Identifier of Deployment that gets added to provisioned resources | `string`       | n/a	    |   yes    |
+| <a name="input_diagnostic_settings"></a> [diagnostic\_settings](#input\_diagnostic\_settings)               | Map of resource IDs to the list of logs to enable | `map(list(string))`       | {}	     |   yes    |
+## Outputs
+
+No outputs.
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

modules/integrations/additional-resources/main.tf

@@ -0,0 +1,15 @@
+# M2
+resource "azurerm_monitor_diagnostic_setting" "sysdig_custom_diagnostic_settings" {
+  for_each                       = var.diagnostic_settings
+  name                           = "sysdig-diagnostic-settings-${substr(md5(each.key), 0, 8)}-${var.deployment_identifier}"
+  target_resource_id             = each.key
+  eventhub_authorization_rule_id = var.sysdig_authorization_id
+  eventhub_name                  = var.event_hub_name
+
+  dynamic "enabled_log" {
+    for_each = each.value
+    content {
+      category = enabled_log.value
+    }
+  }
+}

modules/integrations/additional-resources/variables.tf

@@ -0,0 +1,20 @@
+variable "sysdig_authorization_id" {
+  type = string
+  description = "Identifier of Authorization Rule for the Sysdig Namespace"
+}
+
+variable "event_hub_name" {
+  type = string
+  description = "Event Hub integration created for Sysdig Log Ingestion"
+}
+
+variable "diagnostic_settings" {
+  type = map(list(string))
+  description = "Map of resource IDs to the list of logs to enable"
+  default = {}
+}
+
+variable "deployment_identifier" {
+  type = string
+  description = "Identifier of Deployment that gets added to provisioned resources"
+}

modules/integrations/additional-resources/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.76.0"
+    }
+  }
+}

modules/integrations/event-hub/README.md

@@ -85,9 +85,12 @@ No modules.
 | <a name="input_enabled_entra_logs"></a> [enabled\_entra\_logs](#input\_enabled\_entra\_logs)                                             | List of Entra logs to enable                                                                          | `list(string)` | `["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]` | no |
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| <a name="output_event_hub_component_id"></a> [event\_hub\_component\_id](#output\_event\_hub\_component\_id) | Component identifier of Event Hub integration created in Sysdig Backend for Log Ingestion |
+| Name                                                                                                                  | Description |
+|-----------------------------------------------------------------------------------------------------------------------|-------------|
+| <a name="output_event_hub_component_id"></a> [event\_hub\_component\_id](#output\_event\_hub\_component\_id)          | Component identifier of Event Hub integration created in Sysdig Backend for Log Ingestion |
+| <a name="output_event_hub_name"></a> [event\_hub\_name](#output\_event\_hub\_name)                          | Event Hub integration created for Sysdig Log Ingestion |
+| <a name="output_sysdig_authorization_id"></a> [sysdig\_authorization\_id](#output\_sysdig\_authorization\_id)         | Identifier of Authorization Rule for the Sysdig Namespace |
+| <a name="output_unique_deployment_id"></a> [unique\_deployment\_id](#output\_unique\_deployment\_id) | Identifier of Deployment that gets added to provisioned resources |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Authors

modules/integrations/event-hub/main.tf

@@ -184,4 +184,4 @@ resource "sysdig_secure_cloud_auth_account_component" "azure_event_hub" {
       }
     }
   })
-}
+}

modules/integrations/event-hub/outputs.tf

@@ -2,4 +2,19 @@ output "event_hub_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.azure_event_hub.type}/${sysdig_secure_cloud_auth_account_component.azure_event_hub.instance}"
   description = "Component identifier of Event Hub integration created in Sysdig Backend for Log Ingestion"
   depends_on = [ sysdig_secure_cloud_auth_account_component.azure_event_hub ]
-}
+}
+
+output "event_hub_name" {
+  value = azurerm_eventhub.sysdig_event_hub.name
+  description = "Event Hub integration created for Sysdig Log Ingestion"
+}
+
+output "sysdig_authorization_id" {
+  value = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
+  description = "Identifier of Authorization Rule for the Sysdig Namespace"
+}
+
+output "unique_deployment_id" {
+  value = "${random_string.random.result}-${local.subscription_hash}"
+  description = "Identifier of Deployment that gets added to provisioned resources"
+}