SSPROD-35351: Azure CSPM roles (#23)

mdkulkarni15 · web-flow · commit 5838afe0fd1b · 2024-01-05T09:58:01.000-08:00
* Update

* SSPROD-35351: Add custom CSPM role for Authsettings and remove other roles

* Update lifecycle macro

* Updating version for sysdig provider
diff --git a/modules/services/service-principal/main.tf b/modules/services/service-principal/main.tf
@@ -41,21 +41,31 @@ resource "azurerm_role_assignment" "sysdig_reader" {
   role_definition_name = "Reader"
   principal_id         = azuread_service_principal.sysdig_sp.object_id
 }
-
 #---------------------------------------------------------------------------------------------
-# Assign "Azure Kubernetes Service Cluster User Role" role to Sysdig SP for primary subscription
+# Create a Custom role for collecting authsettings
 #---------------------------------------------------------------------------------------------
-resource "azurerm_role_assignment" "sysdig_k8s_reader" {
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = "Azure Kubernetes Service Cluster User Role"
-  principal_id         = azuread_service_principal.sysdig_sp.object_id
+resource "azurerm_role_definition" "sysdig_cspm_role" {
+  name        = "sysdig-cspm-role"
+  scope       = data.azurerm_subscription.primary.id
+  description = "Custom role for collecting Authsettings for CIS Benchmark"
+
+  permissions {
+    actions     = [
+      "Microsoft.Web/sites/config/list/action"
+    ]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    data.azurerm_subscription.primary.id,
+  ]
 }
 
 #---------------------------------------------------------------------------------------------
-# Assign "Virtual Machine User Login" role to Sysdig SP for primary subscription
+# Custom role assignment for collecting authsettings
 #---------------------------------------------------------------------------------------------
-resource "azurerm_role_assignment" "sysdig_vm_user" {
+resource "azurerm_role_assignment" "sysdig_cspm_role_assignment" {
   scope                = data.azurerm_subscription.primary.id
-  role_definition_name = "Virtual Machine User Login"
+  role_definition_id   = azurerm_role_definition.sysdig_cspm_role.role_definition_resource_id
   principal_id         = azuread_service_principal.sysdig_sp.object_id
 }
diff --git a/modules/services/service-principal/organizational.tf b/modules/services/service-principal/organizational.tf
@@ -24,23 +24,34 @@ resource "azurerm_role_assignment" "sysdig_reader_for_tenant" {
 }
 
 #---------------------------------------------------------------------------------------------
-# Assign "Azure Kubernetes Service Cluster User Role" role to Sysdig SP for customer tenant
+# Create a Custom role for collecting authsettings
 #---------------------------------------------------------------------------------------------
-resource "azurerm_role_assignment" "sysdig_k8s_reader_for_tenant" {
+resource "azurerm_role_definition" "sysdig_cspm_role_for_tenant" {
   for_each = var.is_organizational ? local.management_groups : []
 
-  scope                = each.key
-  role_definition_name = "Azure Kubernetes Service Cluster User Role"
-  principal_id         = azuread_service_principal.sysdig_sp.object_id
+  name        = "sysdig_cspm_role_for_tenant_${each.key}"
+  scope       = each.key
+  description = "Custom role for collecting Authsettings for CIS Benchmark"
+
+  permissions {
+    actions     = [
+      "Microsoft.Web/sites/config/list/action"
+    ]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    each.key,
+  ]
 }
 
 #---------------------------------------------------------------------------------------------
-# Assign "Virtual Machine User Login" role to Sysdig SP for customer tenant
+# Custom role assignment for collecting authsettings
 #---------------------------------------------------------------------------------------------
-resource "azurerm_role_assignment" "sysdig_vm_user_for_tenant" {
+resource "azurerm_role_assignment" "sysdig_cspm_role_assignment_for_tenant" {
   for_each = var.is_organizational ? local.management_groups : []
 
   scope                = each.key
-  role_definition_name = "Virtual Machine User Login"
+  role_definition_id   = azurerm_role_definition.sysdig_cspm_role_for_tenant[each.key].role_definition_resource_id
   principal_id         = azuread_service_principal.sysdig_sp.object_id
 }
diff --git a/modules/services/service-principal/versions.tf b/modules/services/service-principal/versions.tf
@@ -12,7 +12,7 @@ terraform {
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 1.18.0"
+      version = ">= 1.19.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ terraform {`
`12`	`12`	`}`
`13`	`13`	`sysdig = {`
`14`	`14`	`source = "sysdiglabs/sysdig"`
`15`		`- version = ">= 1.18.0"`
	`15`	`+ version = ">= 1.19.0"`
`16`	`16`	`}`
`17`	`17`	`}`
`18`	`18`	`}`