[SSPROD-48175] VM Workload Scanning Component with Azure AKS discovery sub-module (#67)

* First version of AKS sub-module

* Some fixes

* Adding component for aks-discovery

* Making sure that AKS discovery is baked into the vm workload scanning component

* Fixing path

* Comments from code review

* nitpick

Author: miguelpais

modules/config-posture/outputs.tf

@@ -2,4 +2,10 @@ output "service_principal_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.azure_service_principal.type}/${sysdig_secure_cloud_auth_account_component.azure_service_principal.instance}"
   description = "Component identifier of Service Principal created in Sysdig Backend for Config Posture"
   depends_on = [ sysdig_secure_cloud_auth_account_component.azure_service_principal ]
-}
+}
+
+output "sysdig_cspm_sp_object_id" {
+  value = azuread_service_principal.sysdig_cspm_sp.object_id
+  description = "Object ID of the CSPM SP within the client's infra"
+  depends_on = [azuread_service_principal.sysdig_cspm_sp]
+}

modules/vm-workload-scanning/README.md

@@ -76,7 +76,7 @@ No modules.
 
 | Name | Description                                                                                                                                                                        | Type | Default | Required |
 |------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
-| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable VM Workload Scanning for (incase of organization, ID of the Sysdig management account)                                                    | `string` | n/a | yes |
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable VM Workload Scanning with optional AKS discovery                            | `string` | n/a | yes |
 | <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | The identifier of the Azure Subscription in which to create secure-for-cloud vm workload scanning resources                                                                        | `string` | n/a | yes |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether vm workload scanning resources should be deployed in an organizational setup (all subscriptions of tenant) or not (only on default azure provider subscription) | `bool` | `false` | no |
 | <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | List of Azure Management Group IDs. vm workload scanning will be deployed to all the subscriptions under these management groups.                                                  | `set(string)` | `[]` | no |

modules/vm-workload-scanning/aks-discovery/README.md

@@ -0,0 +1,62 @@
+# Azure AKS Discovery Submodule
+
+This module create a custom role definition with full Kubernetes management permissions and assign it to the service principal created within the client's infrastructure for secure-posture.
+
+These permissions are required in order to enable CSPM to fully discover AKS clusters within Azure.
+
+If instrumenting an Azure subscription, the following resources will be created:
+- A custom role for full kubernetes cluster management
+- A role assignment for the above role against secure-posture Service principal created during foundational onboarding
+
+If instrumenting an Azure Tenant, the following resources will be created:
+- Role definitions for full kubernetes cluster management for each management group selected
+- Role assignments for the above roles against secure-posture Service principal created during foundational onboarding
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version   |
+|------|-----------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0  |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.76.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | >= 2.43.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.29.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.76.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_definition.sysdig_cspm_aks_discovery_role](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
+| [azurerm_role_assignment.sysdig_cspm_role_aks_discovery_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+| [azurerm_role_definition.sysdig_cspm_role_aks_discovery_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+| [azurerm_role_assignment.sysdig_cspm_role_assignment_for_tenant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+
+## Inputs
+
+| Name | Description                                                                                                                                                                       | Type | Default | Required |
+|------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)                                                   | `string` | n/a | yes |
+| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create secure-for-cloud onboarding resources                                                                       | `string` | n/a |   yes    |
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant | `bool` | `false` |    no    |
+| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups                                                 | `set(string)` | `[]` |    no    |
+| <a name="sysdig_cspm_sp_object_id"></a> [management\_group\_ids](#input\_management\_group\_ids) | Object ID of the CSPM SP within the client's infra                                                                        | `string` | `[]` |   yes    |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

modules/vm-workload-scanning/aks-discovery/main.tf

@@ -0,0 +1,53 @@
+#---------------------------------------------------------------------------------------------
+# Fetch the subscription data
+#---------------------------------------------------------------------------------------------
+data "azurerm_subscription" "primary" {
+  subscription_id = var.subscription_id
+}
+
+locals {
+  agentless_aks_connection_permissions_actions = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
+}
+
+#---------------------------------------------------------------------------------------------
+# Create a Custom role for collecting authsettings
+#---------------------------------------------------------------------------------------------
+resource "azurerm_role_definition" "sysdig_cspm_aks_discovery_role" {
+  count = var.is_organizational ? 0 : 1
+
+  name        = "sysdig-cspm-role-aks-discovery-${var.subscription_id}"
+  scope       = data.azurerm_subscription.primary.id
+  description = "Custom role for AKS Discovery"
+
+  permissions {
+    actions     = local.agentless_aks_connection_permissions_actions
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    data.azurerm_subscription.primary.id,
+  ]
+}
+
+#---------------------------------------------------------------------------------------------
+# Custom role assignment for AKS Discovery
+#---------------------------------------------------------------------------------------------
+resource "azurerm_role_assignment" "sysdig_cspm_role_aks_discovery_assignment" {
+  count = var.is_organizational ? 0 : 1
+
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.sysdig_cspm_aks_discovery_role.role_definition_resource_id
+  principal_id       = var.sysdig_cspm_sp_object_id
+}
+
+resource "sysdig_secure_cloud_auth_account_component" "azure_aks_discovery_component" {
+  account_id                 = var.sysdig_secure_account_id
+  type                       = "COMPONENT_UNSPECIFIED"
+  instance                   = "secure-aks-discovery"
+
+  depends_on = [azurerm_role_definition.sysdig_cspm_aks_discovery_role,
+                azurerm_role_assignment.sysdig_cspm_role_aks_discovery_assignment,
+                azurerm_role_definition.sysdig_cspm_role_aks_discovery_for_tenant,
+                azurerm_role_assignment.sysdig_cspm_role_assignment_for_tenant,
+  ]
+}

modules/vm-workload-scanning/aks-discovery/organizational.tf

@@ -0,0 +1,41 @@
+#---------------------------------------------------------------------------------------------
+# Fetch the management groups for customer tenant and onboard subscriptions under them
+#---------------------------------------------------------------------------------------------
+data "azurerm_management_group" "root_management_group" {
+  count        = var.is_organizational && length(var.management_group_ids) == 0 ? 1 : 0
+  display_name = "Tenant Root Group"
+}
+
+locals {
+  # when empty, this will be the root management group whose default display name is "Tenant root group"
+  management_groups = var.is_organizational && length(var.management_group_ids) == 0 ? [data.azurerm_management_group.root_management_group[0].id] : toset(
+    [for m in var.management_group_ids : format("%s/%s", "/providers/Microsoft.Management/managementGroups", m)])
+}
+
+resource "azurerm_role_definition" "sysdig_cspm_role_aks_discovery_for_tenant" {
+  for_each = var.is_organizational ? local.management_groups : []
+
+  name        = "sysdig_cspm_role_for_tenant_${each.key}"
+  scope       = each.key
+  description = "Custom role for collecting Authsettings for CIS Benchmark"
+
+  permissions {
+    actions = local.agentless_aks_connection_permissions_actions
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    each.key,
+  ]
+}
+
+#---------------------------------------------------------------------------------------------
+# Custom role assignment for collecting authsettings
+#---------------------------------------------------------------------------------------------
+resource "azurerm_role_assignment" "sysdig_cspm_role_assignment_for_tenant" {
+  for_each = var.is_organizational ? local.management_groups : []
+
+  scope              = each.key
+  role_definition_id = azurerm_role_definition.sysdig_cspm_role_aks_discovery_for_tenant[each.key].role_definition_resource_id
+  principal_id       = var.sysdig_cspm_sp_object_id
+}

modules/vm-workload-scanning/aks-discovery/outputs.tf

@@ -0,0 +1,26 @@
+variable "sysdig_secure_account_id" {
+  type        = string
+  description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)"
+}
+
+variable "subscription_id" {
+  type        = string
+  description = "Subscription ID in which to create secure-for-cloud onboarding resources"
+}
+
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant."
+  type        = bool
+  default     = false
+}
+
+variable "management_group_ids" {
+  description = "(Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups."
+  type        = set(string)
+  default     = []
+}
+
+variable "sysdig_cspm_sp_object_id" {
+  description = "Object ID of the CSPM SP within the client's infra"
+  type = string
+}

modules/vm-workload-scanning/aks-discovery/variables.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.76.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = ">= 2.43.0"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = "~> 1.29.2"
+    }
+  }
+}

modules/vm-workload-scanning/aks-discovery/versions.tf

@@ -1,3 +1,15 @@
+module "aks_discovery" {
+  count = var.aks_discovery_permission_grant ? 1 : 0
+
+  source = "sysdiglabs/secure/azurerm//modules/vm-workload-scanning/aks-discovery"
+
+  sysdig_secure_account_id = var.sysdig_secure_account_id
+  subscription_id = var.subscription_id
+  is_organizational = var.is_organizational
+  management_group_ids = var.management_group_ids
+  sysdig_cspm_sp_object_id = var.sysdig_cspm_sp_object_id
+}
+
 data "azurerm_subscription" "primary" {
   subscription_id = var.subscription_id
 }
@@ -121,10 +133,13 @@ resource "sysdig_secure_cloud_auth_account_component" "azure_workload_scanning_c
         app_id                    = azuread_service_principal.sysdig_vm_workload_scanning_sp.client_id
         app_owner_organization_id = azuread_service_principal.sysdig_vm_workload_scanning_sp.application_tenant_id
       }
+
+      aks_discovery_permission_grant = var.aks_discovery_permission_grant
     }
   })
 
   depends_on = [
+    module.aks_discovery,
     azurerm_role_assignment.sysdig_vm_workload_scanning_func_app_config_role_assignment,
     azurerm_role_assignment.sysdig_vm_workload_scanning_file_reader_role_assignment,
     azurerm_role_assignment.sysdig_vm_workload_scanning_blob_reader_role_assignment,

modules/vm-workload-scanning/main.tf

@@ -1,6 +1,6 @@
 variable "sysdig_secure_account_id" {
   type        = string
-  description = "Sysdig Secure Account ID within cloudAuth"
+  description = "ID of the Sysdig Cloud Account to enable VM Workload Scanning with optional AKS discovery"
 }
 
 variable "subscription_id" {
@@ -19,3 +19,14 @@ variable "management_group_ids" {
   type        = set(string)
   default     = []
 }
+
+variable "aks_discovery_permission_grant" {
+    description = "(Optional) Set this field to 'true' to grant AKS discovery permissions to the secure-posture service principal."
+    type        = bool
+    default     = false
+}
+
+variable "sysdig_cspm_sp_object_id" {
+  description = "Object ID of the CSPM SP within the client's infra"
+  type = string
+}