sysdiglabs
diff --git a/‎README.md
Lines changed: 4 additions & 0 deletions b/‎README.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎modules/config-posture/README.md
Lines changed: 20 additions & 7 deletions b/‎modules/config-posture/README.md
Lines changed: 20 additions & 7 deletions
diff --git a/‎modules/config-posture/main.tf
Lines changed: 16 additions & 8 deletions b/‎modules/config-posture/main.tf
Lines changed: 16 additions & 8 deletions
diff --git a/‎modules/config-posture/organizational.tf
Lines changed: 2 additions & 2 deletions b/‎modules/config-posture/organizational.tf
Lines changed: 2 additions & 2 deletions
diff --git a/‎modules/config-posture/outputs.tf
Lines changed: 1 addition & 1 deletion b/‎modules/config-posture/outputs.tf
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/config-posture/variables.tf
Lines changed: 6 additions & 0 deletions b/‎modules/config-posture/variables.tf
Lines changed: 6 additions & 0 deletions
@@ -26,6 +26,8 @@ for the respective Sysdig features. They manage both, onboarding a single Azure
 
 `onboarding`, `config-posture` and `agentless-scanning` are independent feature modules.
 
+A Service Principal is created per each independent module due to permission scoping, if you want to use a pre-existing one instead of creating a new one, refer to each module's README file.
+
 ### Integrations
 
 The modules under `integrations` are feature agnostic modules which deploy and manage all the required Cloud resources and Sysdig resources
@@ -35,6 +37,8 @@ These modules manage both, onboarding a single Azure Subscription or an Azure Te
 
 `event-hub` is an integration module.
 
+A Service Principal is created per each independent integration module due to permission scoping, if you want to use a pre-existing one instead of creating a new one, refer to each module's README file.
+
 ## Examples and usage
 
 The modules in this repository can be installed on a single Azure subscription, or on an entire Azure Tenant, or management groups within the Tenant.
 
@@ -12,6 +12,18 @@ If instrumenting an Azure Tenant, the following resources will be created:
 - Role assignments with associated role permissions at the Root Management Group level by default for the Tenant, or at each of the
 instrumented Management Groups within the Tenant if provided.
 
+**Important**. If using a pre-existing Service Principal is needed, creating a service principal associated with the Sysdig Config Posture Application ID is required:
+- The Sysdig Config Posture Application ID can be found as part of the output of the `sysdig_secure_trusted_azure_app` data source created in this module. Also, it can be retrieved by hitting the Sysdig onboarding API using the `sysdig_secure_api_token` provided within the Sysdig UI > Settings > Sysdig Secure API Token, the API curl command uses the `app=config_posture` query parameter:
+    ```bash
+    curl --location 'https://<sysdig-secure>/api/secure/onboarding/v2/trustedAzureApp?app=config_posture' \
+    --header 'Authorization: Bearer <token>'
+    ```
+- From the previous call, use the `applicationId` field from the response to create the Service Principal in your Azure Tenant.
+- Assign the [Directory Reader role](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers) to the Service Principal created in your Azure Tenant. This is a required permission, the role template ID for this role is `88d8e3e3-8f55-4a1e-953a-9b9898b8876b`.
+- Provide the Service Principal ID as input to the `config_posture_service_principal` variable in this module. This will
+  skip the creation of a new Service Principal and use the one provided instead.
+- Contact Sysdig Support if you need assistance with this process.
+
 This module will also deploy a Service Principal Component in Sysdig Backend for onboarded Sysdig Cloud Account.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -55,13 +67,14 @@ No modules.
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_agentless_aks_connection_enabled"></a> [agentless\_aks\_connection\_enabled](#input\_agentless\_aks\_connection\_enabled) | Enable the Agentless AKS connection to the K8s clusters within the cloud. This allows admin access. Read more about why this is needed in the official docs. | `bool` | `false` | no |
-| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant. | `bool` | `false` | no |
-| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups. | `set(string)` | `[]` | no |
-| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create resources for secure-for-cloud | `string` | n/a | yes |
-| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| Name                                                                                                                                     | Description                                                                                                                                                               | Type          | Default | Required |
+|------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+| <a name="input_agentless_aks_connection_enabled"></a> [agentless\_aks\_connection\_enabled](#input\_agentless\_aks\_connection\_enabled) | Enable the Agentless AKS connection to the K8s clusters within the cloud. This allows admin access. Read more about why this is needed in the official docs.              | `bool`        | `false` |    no    |
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                                                  | (Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant.                                                                                        | `bool`        | `false` |    no    |
+| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids)                                       | (Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups.                                  | `set(string)` | `[]`    |    no    |
+| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id)                                                        | Subscription ID in which to create resources for secure-for-cloud                                                                                                         | `string`      | n/a     |   yes    |
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id)                         | ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)                                                 | `string`      | n/a     |   yes    |
+| <a name="input_config_posture_service_principal"></a> [config\_posture\_service\_principal](#input\_config\_posture\_service\_principal) | (Optional) Service Principal to be used for CSPM, this SP needs to be associated to the Sysdig Config Posture Application ID. If not provided, a new one will be created. | `string`      | `""`    |    no    |
 
 ## Outputs
 
 
@@ -27,7 +27,13 @@ locals {
 # Note: Once created, this cannot be deleted via Terraform. It can be manually deleted from Azure.
 #       This is to safeguard against unintended deletes if the service principal is in use.
 #--------------------------------------------------------------------------------------------------------------
+data "azuread_service_principal" "sysdig_cspm_sp" {
+  count     = var.config_posture_service_principal != "" ? 1 : 0
+  object_id = var.config_posture_service_principal
+}
+
 resource "azuread_service_principal" "sysdig_cspm_sp" {
+  count        = var.config_posture_service_principal != "" ? 0 : 1
   client_id    = data.sysdig_secure_trusted_azure_app.config_posture.application_id
   use_existing = true
   notes        = "Service Principal linked to the Sysdig Secure CNAPP - CSPM module"
@@ -36,9 +42,11 @@ resource "azuread_service_principal" "sysdig_cspm_sp" {
 #---------------------------------------------------------------------------------------------
 # Assign "Directory Reader" AD role to Sysdig SP
 #---------------------------------------------------------------------------------------------
+
 resource "azuread_directory_role_assignment" "sysdig_ad_reader" {
+  count        = var.config_posture_service_principal != "" ? 0 : 1
   role_id             = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b" // template ID of Directory Reader AD role
-  principal_object_id = azuread_service_principal.sysdig_cspm_sp.object_id
+  principal_object_id = azuread_service_principal.sysdig_cspm_sp[0].object_id
 }
 
 #---------------------------------------------------------------------------------------------
@@ -47,7 +55,7 @@ resource "azuread_directory_role_assignment" "sysdig_ad_reader" {
 resource "azurerm_role_assignment" "sysdig_reader" {
   scope                = data.azurerm_subscription.primary.id
   role_definition_name = "Reader"
-  principal_id         = azuread_service_principal.sysdig_cspm_sp.object_id
+  principal_id         = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id
 }
 
 #---------------------------------------------------------------------------------------------
@@ -74,7 +82,7 @@ resource "azurerm_role_definition" "sysdig_cspm_role" {
 resource "azurerm_role_assignment" "sysdig_cspm_role_assignment" {
   scope              = data.azurerm_subscription.primary.id
   role_definition_id = azurerm_role_definition.sysdig_cspm_role.role_definition_resource_id
-  principal_id       = azuread_service_principal.sysdig_cspm_sp.object_id
+  principal_id       = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id
 }
 
 #--------------------------------------------------------------------------------------------------------------
@@ -91,11 +99,11 @@ resource "sysdig_secure_cloud_auth_account_component" "azure_service_principal"
     azure = {
       active_directory_service_principal = {
         account_enabled           = true
-        display_name              = azuread_service_principal.sysdig_cspm_sp.display_name
-        id                        = azuread_service_principal.sysdig_cspm_sp.object_id
-        app_display_name          = azuread_service_principal.sysdig_cspm_sp.display_name
-        app_id                    = azuread_service_principal.sysdig_cspm_sp.client_id
-        app_owner_organization_id = azuread_service_principal.sysdig_cspm_sp.application_tenant_id
+        display_name              = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].display_name : azuread_service_principal.sysdig_cspm_sp[0].display_name
+        id                        = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id
+        app_display_name          = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].display_name : azuread_service_principal.sysdig_cspm_sp[0].display_name
+        app_id                    = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].client_id : azuread_service_principal.sysdig_cspm_sp[0].client_id
+        app_owner_organization_id = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].application_tenant_id : azuread_service_principal.sysdig_cspm_sp[0].application_tenant_id
       }
     }
   })
 
@@ -20,7 +20,7 @@ resource "azurerm_role_assignment" "sysdig_reader_for_tenant" {
 
   scope                = each.key
   role_definition_name = "Reader"
-  principal_id         = azuread_service_principal.sysdig_cspm_sp.object_id
+  principal_id         = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id
 }
 
 #---------------------------------------------------------------------------------------------
@@ -53,5 +53,5 @@ resource "azurerm_role_assignment" "sysdig_cspm_role_assignment_for_tenant" {
 
   scope              = each.key
   role_definition_id = azurerm_role_definition.sysdig_cspm_role_for_tenant[each.key].role_definition_resource_id
-  principal_id       = azuread_service_principal.sysdig_cspm_sp.object_id
+  principal_id       = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id
 }
@@ -5,7 +5,7 @@ output "service_principal_component_id" {
 }
 
 output "sysdig_cspm_sp_object_id" {
-  value = azuread_service_principal.sysdig_cspm_sp.object_id
+  value = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id
   description = "Object ID of the CSPM SP within the client's infra"
   depends_on = [azuread_service_principal.sysdig_cspm_sp]
 }
@@ -25,3 +25,9 @@ variable "agentless_aks_connection_enabled" {
   description = "Enable the Agentless AKS connection to the K8s clusters within the cloud. This allows admin access. Read more about why this is needed in the official docs."
   default     = false
 }
+
+variable "config_posture_service_principal" {
+  description = "(Optional) Service Principal to be used for CSPM. If not provided, a new one will be created."
+  type        = string
+  default     = ""
+}
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ resource "azurerm_role_assignment" "sysdig_reader_for_tenant" {`
`20`	`20`
`21`	`21`	`scope = each.key`
`22`	`22`	`role_definition_name = "Reader"`
`23`		`- principal_id = azuread_service_principal.sysdig_cspm_sp.object_id`
	`23`	`+ principal_id = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`#---------------------------------------------------------------------------------------------`
`@@ -53,5 +53,5 @@ resource "azurerm_role_assignment" "sysdig_cspm_role_assignment_for_tenant" {`
`53`	`53`
`54`	`54`	`scope = each.key`
`55`	`55`	`role_definition_id = azurerm_role_definition.sysdig_cspm_role_for_tenant[each.key].role_definition_resource_id`
`56`		`- principal_id = azuread_service_principal.sysdig_cspm_sp.object_id`
	`56`	`+ principal_id = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id`
`57`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ output "service_principal_component_id" {`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`output "sysdig_cspm_sp_object_id" {`
`8`		`- value = azuread_service_principal.sysdig_cspm_sp.object_id`
	`8`	`+ value = var.config_posture_service_principal != "" ? data.azuread_service_principal.sysdig_cspm_sp[0].object_id : azuread_service_principal.sysdig_cspm_sp[0].object_id`
`9`	`9`	`description = "Object ID of the CSPM SP within the client's infra"`
`10`	`10`	`depends_on = [azuread_service_principal.sysdig_cspm_sp]`
`11`	`11`	`}`