Merge pull request #8 from kumarvna/develop

adding terraform v0.15 support

Author: kumarvna

.gitignore

@@ -5,6 +5,7 @@
 *.tfstate
 *.tfstate.*
 *.vscode/*
+*.terraform.lock.hcl
 
 # Crash log files
 crash.log

README.md

@@ -9,11 +9,18 @@ Security Center collects data from the Azure virtual machines (VMs), virtual mac
 ```hcl
 module "security-center" {
   source  = "kumarvna/security-center/azurerm"
-  version = "1.0.0"
+  version = "1.1.0"
 
   # Resource Group, location, log analytics details
   resource_group_name          = "rg-shared-westeurope-01"
-  log_analytics_workspace_name = "loganalytics-we-sharedtest"
+  log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+
+  # Enable Security Center API Setting
+  enable_security_center_setting = true
+  security_center_setting_name   = "MCAS"
+
+  # Enable auto provision of log analytics agents on VM's if they doesn't exist. 
+  enable_security_center_auto_provisioning = on
 
   # Subscription Security Center contacts
   # One or more email addresses seperated by commas not supported by Azure proivider currently
@@ -26,18 +33,30 @@ module "security-center" {
 }
 ```
 
+## Security Center API Settings
+
+This module support enable/disable Microsoft Cloud App Security data access (MCAS) and Windows Defender ATP data access (WDATP). Use `enable_security_center_setting` and `security_center_setting_name` to use this feature.
+
+## Agents Auto Provisioning
+
+Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats.
+
+Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, virtual machine scale sets, IaaS containers, and non-Azure computers.
+
+Auto provisioning reduces management overhead by installing all required agents and extensions on existing - and new - machines to ensure faster security coverage for all supported resources. To enable this feature with this module declare the `enable_security_center_auto_provisioning = "On"` variable.
+
 ## Requirements
 
 Name | Version
 -----|--------
 terraform | >= 0.13
-azurerm | ~> 2.27
+azurerm | >= 2.59.0
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-azurerm | 2.27.0
+azurerm | >= 2.59.0
 
 ## Inputs
 
@@ -47,6 +66,11 @@ Name | Description | Type | Default
 `log_analytics_workspace_name`|The name of log analytics workspace name|string|`""`
 `security_center_contacts`|Manages the subscription's Security Center Contact|object|{}
 `scope_resource_id`|The scope of VMs to send their security data to the desired workspace, unless overridden by a setting with more specific scope|string|`current Subscripion id`
+`security_center_subscription_pricing`| The pricing tier to use. Possible values are `Free` and `Standard`|string|`Standard`
+`resource_type`|The resource type this setting affects. Possible values are `AppServices`, `ContainerRegistry`, `KeyVaults`, `KubernetesService`, `SqlServers`, `SqlServerVirtualMachines`, `StorageAccounts`, `VirtualMachines`, `Arm` and `Dns`|string|`VirtualMachines`
+`enable_security_center_setting`|Boolean flag to enable/disable data access|string|`false`
+`security_center_setting_name`|The setting to manage. Possible values are `MCAS` and `WDAT`|string|`MCAS`
+`enable_security_center_auto_provisioning`|Should the security agent be automatically provisioned on Virtual Machines in this subscription? Possible values are `On` (to install the security agent automatically, if it's missing) or `Off` (to not install the security agent automatically).|string|`"Off"`
 
 ## Outputs
 
@@ -67,4 +91,4 @@ Originally created by [Kumaraswamy Vithanala](mailto:kumarvna@gmail.com)
 ## Other resources
 
 * [Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction)
-* [Terraform AzureRM Provider Documentation](https://www.terraform.io/docs/providers/azurerm/index.html)
+* [Terraform AzureRM Provider Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)

examples/complete/README.md

@@ -6,12 +6,20 @@ Terraform module to create Azure Security Center resources for Azure Landing Zon
 
 ```hcl
 module "security-center" {
-  source  = "kumarvna/security-center/azurerm"
-  version = "1.0.0"
+   source  = "kumarvna/security-center/azurerm"
+   version = "1.1.0"
+
 
   # Resource Group, location, log analytics details
   resource_group_name          = "rg-shared-westeurope-01"
-  log_analytics_workspace_name = "loganalytics-we-sharedtest"
+  log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+
+  # Enable Security Center API Setting
+  enable_security_center_setting = true
+  security_center_setting_name   = "MCAS"
+
+  # Enable auto provision of log analytics agents on VM's if they doesn't exist. 
+  enable_security_center_auto_provisioning = on
 
   # Subscription Security Center contacts
   # One or more email addresses seperated by commas not supported by Azure proivider currently

examples/complete/main.tf

@@ -1,10 +1,18 @@
 module "security-center" {
   source  = "kumarvna/security-center/azurerm"
-  version = "1.0.0"
+  version = "1.1.0"
+
 
   # Resource Group, location, log analytics details
   resource_group_name          = "rg-shared-westeurope-01"
-  log_analytics_workspace_name = "loganalytics-we-sharedtest"
+  log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+
+  # Enable Security Center API Setting
+  enable_security_center_setting = true
+  security_center_setting_name   = "MCAS"
+
+  # Enable auto provision of log analytics agents on VM's if they doesn't exist. 
+  enable_security_center_auto_provisioning = on
 
   # Subscription Security Center contacts
   # One or more email addresses seperated by commas not supported by Azure proivider currently

graph.png

@@ -30,7 +30,8 @@ resource "azurerm_security_center_workspace" "main" {
 #----------------------------------------------------------
 
 resource "azurerm_security_center_subscription_pricing" "main" {
-  tier = var.security_center_subscription_pricing
+  tier          = var.security_center_subscription_pricing
+  resource_type = var.resource_type
 }
 
 #----------------------------------------------------------
@@ -42,3 +43,14 @@ resource "azurerm_security_center_contact" "main" {
   alert_notifications = lookup(var.security_center_contacts, "alert_notifications", true)
   alerts_to_admins    = lookup(var.security_center_contacts, "alerts_to_admins", true)
 }
+
+resource "azurerm_security_center_setting" "main" {
+  count        = var.enable_security_center_setting ? 1 : 0
+  setting_name = var.security_center_setting_name
+  enabled      = var.enable_security_center_setting
+}
+
+resource "azurerm_security_center_auto_provisioning" "main" {
+  count          = var.enable_security_center_auto_provisioning == "On" ? 1 : 0
+  auto_provision = var.enable_security_center_auto_provisioning
+}

main.tf

@@ -13,6 +13,11 @@ variable "security_center_subscription_pricing" {
   default     = "Standard"
 }
 
+variable "resource_type" {
+  description = "The resource type this setting affects"
+  default     = "VirtualMachines"
+}
+
 variable "security_center_contacts" {
   type        = map(string)
   description = "Manages the subscription's Security Center Contact"
@@ -23,3 +28,18 @@ variable "scope_resource_id" {
   description = "The scope of VMs to send their security data to the desired workspace, unless overridden by a setting with more specific scope"
   default     = null
 }
+
+variable "security_center_setting_name" {
+  description = "The setting to manage. Possible values are `MCAS` and `WDAT`"
+  default     = "MCAS"
+}
+
+variable "enable_security_center_setting" {
+  description = "Boolean flag to enable/disable data access"
+  default     = false
+}
+
+variable "enable_security_center_auto_provisioning" {
+  description = "Should the security agent be automatically provisioned on Virtual Machines in this subscription?"
+  default     = "Off"
+}

variables.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~>2.27.0"
+      version = ">= 2.59.0"
     }
   }
   required_version = ">= 0.13"