feat(azure): customize entra and platform logs (SSPROD-43735) (#52)

SKosier · web-flow · commit 917593eaab73 · 2024-09-02T16:39:37.000+02:00
diff --git a/modules/integrations/event-hub/README.md b/modules/integrations/event-hub/README.md
@@ -59,29 +59,30 @@ No modules.
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_auto_inflate_enabled"></a> [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled) | Whether or not auto-inflate is enabled for the Event Hub | `bool` | `true` | no |
-| <a name="input_consumer_group_name"></a> [consumer\_group\_name](#input\_consumer\_group\_name) | Name of the consumer group to be created | `string` | `"sysdig-consumer-group"` | no |
-| <a name="input_diagnostic_settings_name"></a> [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name) | Name of the diagnostic settings to be created | `string` | `"sysdig-diagnostic-settings"` | no |
-| <a name="input_enable_entra"></a> [enable\_entra](#input\_enable\_entra) | (Optional) Used to enable or disable Entra logs, defaults to true. | `bool` | `true` | no |
-| <a name="input_entra_diagnostic_settings_name"></a> [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name) | Name of the Entra diagnostic settings to be created | `string` | `"sysdig-entra-diagnostic-settings"` | no |
-| <a name="input_event_hub_name"></a> [event\_hub\_name](#input\_event\_hub\_name) | Name of the Event Hub to be created | `string` | `"sysdig-event-hub"` | no |
-| <a name="input_event_hub_namespace_name"></a> [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name) | Name of the Event Hub Namespace to be created | `string` | `"sysdig-event-hub-namespace"` | no |
-| <a name="input_eventhub_authorization_rule_name"></a> [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created | `string` | `"sysdig-send-listen-rule"` | no |
-| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
-| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
-| <a name="input_maximum_throughput_units"></a> [maximum\_throughput\_units](#input\_maximum\_throughput\_units) | The maximum number of throughput units to be allocated to the Event Hub | `number` | `20` | no |
-| <a name="input_message_retention_days"></a> [message\_retention\_days](#input\_message\_retention\_days) | Number of days during which messages will be retained in the Event Hub | `number` | `1` | no |
-| <a name="input_namespace_sku"></a> [namespace\_sku](#input\_namespace\_sku) | SKU (Plan) for the namespace that will be created | `string` | `"Standard"` | no |
-| <a name="input_partition_count"></a> [partition\_count](#input\_partition\_count) | The number of partitions in the Event Hub | `number` | `4` | no |
-| <a name="input_region"></a> [region](#input\_region) | Datacenter where Sysdig-related resources will be created | `string` | n/a | yes |
-| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | Name of the existing resource group | `string` | `null` | no |
-| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group to be created | `string` | `"sysdig-resource-group"` | no |
-| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Identifier of the subscription to be onboarded | `string` | n/a | yes |
-| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
-| <a name="input_throughput_units"></a> [throughput\_units](#input\_throughput\_units) | The number of throughput units to be allocated to the Event Hub | `number` | `1` | no |
-
+| Name                                                                                                                                     | Description                                                                                                                              | Type           | Default | Required |
+|------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------|:--------:|
+| <a name="input_auto_inflate_enabled"></a> [auto\_inflate\_enabled](#input\_auto\_inflate\_enabled)                                       | Whether or not auto-inflate is enabled for the Event Hub                                                                                 | `bool`         | `true` | no |
+| <a name="input_consumer_group_name"></a> [consumer\_group\_name](#input\_consumer\_group\_name)                                          | Name of the consumer group to be created                                                                                                 | `string`       | `"sysdig-consumer-group"` | no |
+| <a name="input_diagnostic_settings_name"></a> [diagnostic\_settings\_name](#input\_diagnostic\_settings\_name)                           | Name of the diagnostic settings to be created                                                                                            | `string`       | `"sysdig-diagnostic-settings"` | no |
+| <a name="input_enable_entra"></a> [enable\_entra](#input\_enable\_entra)                                                                 | (Deprecated, see [enabled_entra_logs](#input\_enabled\_entra\_logs)) Used to enable or disable Entra logs, defaults to true.                                                                             | `bool`         | `true` | no |
+| <a name="input_entra_diagnostic_settings_name"></a> [entra\_diagnostic\_settings\_name](#input\_entra\_diagnostic\_settings\_name)       | Name of the Entra diagnostic settings to be created                                                                                      | `string`       | `"sysdig-entra-diagnostic-settings"` | no |
+| <a name="input_event_hub_name"></a> [event\_hub\_name](#input\_event\_hub\_name)                                                         | Name of the Event Hub to be created                                                                                                      | `string`       | `"sysdig-event-hub"` | no |
+| <a name="input_event_hub_namespace_name"></a> [event\_hub\_namespace\_name](#input\_event\_hub\_namespace\_name)                         | Name of the Event Hub Namespace to be created                                                                                            | `string`       | `"sysdig-event-hub-namespace"` | no |
+| <a name="input_eventhub_authorization_rule_name"></a> [eventhub\_authorization\_rule\_name](#input\_eventhub\_authorization\_rule\_name) | Name of the authorization rule to be created                                                                                             | `string`       | `"sysdig-send-listen-rule"` | no |
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                                                  | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant.                                                       | `bool`         | `false` | no |
+| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids)                                       | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)`  | `[]` | no |
+| <a name="input_maximum_throughput_units"></a> [maximum\_throughput\_units](#input\_maximum\_throughput\_units)                           | The maximum number of throughput units to be allocated to the Event Hub                                                                  | `number`       | `20` | no |
+| <a name="input_message_retention_days"></a> [message\_retention\_days](#input\_message\_retention\_days)                                 | Number of days during which messages will be retained in the Event Hub                                                                   | `number`       | `1` | no |
+| <a name="input_namespace_sku"></a> [namespace\_sku](#input\_namespace\_sku)                                                              | SKU (Plan) for the namespace that will be created                                                                                        | `string`       | `"Standard"` | no |
+| <a name="input_partition_count"></a> [partition\_count](#input\_partition\_count)                                                        | The number of partitions in the Event Hub                                                                                                | `number`       | `4` | no |
+| <a name="input_region"></a> [region](#input\_region)                                                                                     | Datacenter where Sysdig-related resources will be created                                                                                | `string`       | n/a | yes |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group)                                                           | Name of the existing resource group                                                                                                      | `string`       | `null` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name)                                          | Name of the resource group to be created                                                                                                 | `string`       | `"sysdig-resource-group"` | no |
+| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id)                                                        | Identifier of the subscription to be onboarded                                                                                           | `string`       | n/a | yes |
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id)                         | ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account)         | `string`       | n/a | yes |
+| <a name="input_throughput_units"></a> [throughput\_units](#input\_throughput\_units)                                                     | The number of throughput units to be allocated to the Event Hub                                                                          | `number`       | `1` | no |
+| <a name="input_enabled_platform_logs"></a> [enabled\_platform\_logs](#input\_enabled\_platform\_logs)                                    | List of platform logs to enable                                                                          | `list(string)` | `["Administrative", "Security", "Policy"]` | no |
+| <a name="input_enabled_entra_logs"></a> [enabled\_entra\_logs](#input\_enabled\_entra\_logs)                                             | List of Entra logs to enable                                                                          | `list(string)` | `["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]` | no |
 ## Outputs
 
 | Name | Description |
diff --git a/modules/integrations/event-hub/main.tf b/modules/integrations/event-hub/main.tf
@@ -121,151 +121,36 @@ resource "azurerm_role_assignment" "sysdig_data_receiver" {
 # Create diagnostic settings for the subscription
 #---------------------------------------------------------------------------------------------
 resource "azurerm_monitor_diagnostic_setting" "sysdig_diagnostic_setting" {
-  count = var.is_organizational ? 0 : 1 
-  
+  count = length(var.enabled_platform_logs) > 0 ? 1 : 0
+
   name                           = "${var.diagnostic_settings_name}-${random_string.random.result}-${local.subscription_hash}"
   target_resource_id             = data.azurerm_subscription.sysdig_subscription.id
   eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
   eventhub_name                  = azurerm_eventhub.sysdig_event_hub.name
 
-  enabled_log {
-    category = "Administrative"
-  }
-
-  enabled_log {
-    category = "Security"
-  }
-
-  enabled_log {
-    category = "Policy"
+  dynamic "enabled_log" {
+    for_each = var.enabled_platform_logs
+    content {
+      category = enabled_log.value
+    }
   }
 }
 
 resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting" {
-  count = var.enable_entra ? 1 : 0
+  count = var.enable_entra && length(var.enabled_entra_logs) > 0 ? 1 : 0
 
   name                           = "${var.entra_diagnostic_settings_name}-${local.subscription_hash}"
   eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
   eventhub_name                  = azurerm_eventhub.sysdig_event_hub.name
 
-  enabled_log {
-    category = "AuditLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "SignInLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "NonInteractiveUserSignInLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "ServicePrincipalSignInLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "ManagedIdentitySignInLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "ProvisioningLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "ADFSSignInLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "RiskyUsers"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "UserRiskEvents"
-
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "NetworkAccessTrafficLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "RiskyServicePrincipals"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "ServicePrincipalRiskEvents"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "EnrichedOffice365AuditLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
-
-  enabled_log {
-    category = "MicrosoftGraphActivityLogs"
-
-    retention_policy {
-      enabled = false
-    }
-  }
+  dynamic "enabled_log" {
+    for_each = var.enabled_entra_logs
+    content {
+      category = enabled_log.value
 
-  enabled_log {
-    category = "RemoteNetworkHealthLogs"
-
-    retention_policy {
-      enabled = false
+      retention_policy {
+        enabled = false
+      }
     }
   }
 }
diff --git a/modules/integrations/event-hub/variables.tf b/modules/integrations/event-hub/variables.tf
@@ -113,4 +113,16 @@ variable "enable_entra" {
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Event Hub integration for (incase of organization, ID of the Sysdig management account)"
-}
+}
+
+variable "enabled_platform_logs" {
+  description = "List of platform logs to enable. Options are: 'Administrative', 'Policy', 'Security'."
+  type        = list(string)
+  default     = ["Administrative", "Security", "Policy"]
+}
+
+variable "enabled_entra_logs" {
+  description = "List of Entra logs to enable"
+  type        = list(string)
+  default     = ["AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents","NetworkAccessTrafficLogs","RiskyServicePrincipals","ServicePrincipalRiskEvents","EnrichedOffice365AuditLogs","MicrosoftGraphActivityLogs","RemoteNetworkHealthLogs"]
+}
