🎊 initial commit and v0.1.0 release

Signed-off-by: Salim Afiune Maya <afiune@lacework.net>

.circleci/config.yml

@@ -0,0 +1,120 @@
+version: 2.1
+
+parameters:
+  slack-mentions:
+    type: string
+    default: 'afiune,scottford'
+  only_for_branches:
+    type: string
+    default: 'main'
+
+orbs:
+  slack: circleci/slack@3.4.2
+  jq: circleci/jq@2.1.0
+
+executors:
+  terraform12:
+    docker:
+      - image: techallylw/terraform:12
+  terraform13:
+    docker:
+      - image: techallylw/terraform:13
+  alpine:
+    docker:
+      - image: cibuilds/base:latest
+    resource_class: small
+
+jobs:
+  terraform12-test:
+    executor: terraform12
+    steps:
+      - checkout
+      - run: scripts/ci_tests.sh
+      - slack/status:
+          fail_only: true
+          mentions: << pipeline.parameters.slack-mentions >>
+          only_for_branches: <<pipeline.parameters.only_for_branches>>
+  terraform13-test:
+    executor: terraform13
+    steps:
+      - checkout
+      - run: scripts/ci_tests.sh
+      - slack/status:
+          fail_only: true
+          mentions: << pipeline.parameters.slack-mentions >>
+          only_for_branches: <<pipeline.parameters.only_for_branches>>
+  verify-release:
+    executor: alpine
+    steps:
+      - checkout
+      - run: scripts/release.sh verify
+  trigger-release:
+    executor: alpine
+    steps:
+      - checkout
+      - add_ssh_keys:
+          fingerprints:
+            - "04:ea:9d:e5:99:37:e5:c9:0e:23:e1:46:6d:a8:e2:38"
+      - run: scripts/release.sh trigger
+  release:
+    executor: alpine
+    steps:
+      - checkout
+      - jq/install
+      - slack/notify:
+          mentions: << pipeline.parameters.slack-mentions >>
+          message: Releasing new version of this repository
+      - run: scripts/release.sh publish
+      - slack/status:
+          mentions: << pipeline.parameters.slack-mentions >>
+
+workflows:
+  version: 2
+  test-trigger-release:
+    jobs:
+      - terraform12-test:
+          context:
+            - techally_api_key
+      - terraform13-test:
+          context:
+            - techally_api_key
+      - trigger-release:
+          requires:
+            - terraform12-test
+            - terraform13-test
+          filters:
+            branches:
+              only: main
+
+  verify-release:
+    jobs:
+      - verify-release:
+          filters:
+             branches:
+               only: release
+
+  release-from-tag:
+    jobs:
+      - release:
+          filters:
+            tags:
+               only: /^v.*/
+            branches:
+              ignore: /.*/
+          context:
+            - techally_releases
+
+  nightly:
+    triggers:
+      - schedule:
+          cron: "0 12 * * *"
+          filters:
+            branches:
+              only: main
+    jobs:
+      - terraform12-test:
+          context:
+            - techally_api_key
+      - terraform13-test:
+          context:
+            - techally_api_key

.gitignore

@@ -0,0 +1,43 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Credentials Files
+**/credentials.json
+**/*.json
+
+# Local testing variables
+*.tfvars
+
+# vim
+*.swp
+
+/.idea/
+.DS_Store

CHANGELOG.md

@@ -0,0 +1,3 @@
+# v0.1.0
+
+🎊 Initial commit

GNUmakefile

@@ -0,0 +1,7 @@
+default: ci
+
+ci:
+	scripts/ci_tests.sh
+
+release: ci
+	scripts/release.sh prepare

README.md

@@ -0,0 +1,8 @@
+<a href="https://lacework.com"><img src="https://techally-content.s3-us-west-1.amazonaws.com/public-content/lacework_logo_full.png" width="600"></a>
+
+# terraform-azure-activity-log
+
+[![GitHub release](https://img.shields.io/github/release/lacework/terraform-azure-activity-log.svg)](https://github.com/lacework/terraform-azure-activity-log/releases/)
+[![CircleCI status](https://circleci.com/gh/lacework/terraform-azure-activity-log.svg?style=shield)](https://circleci.com/gh/lacework/terraform-azure-activity-log)
+
+Terraform module for configuring an integration with Azure Subscriptions and Tenants for Activity Log analysis.

RELEASE_NOTES.md

@@ -0,0 +1,2 @@
+# Release Notes
+Another day, another module. This is the initial release of this module!

VERSION

@@ -0,0 +1 @@
+0.1.0

examples/custom-activity-log/main.tf

@@ -0,0 +1,23 @@
+provider "azuread" {}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "lacework" {}
+
+module "az_activity_log" {
+  source                      = "../../"
+  application_identifier_uris = ["https://account.lacework.net"]
+  application_name            = "my-custom-application-name"
+  tenant_id                   = "123abc12-abcd-1234-abcd-abcd12340123"
+  password_length             = 16
+  lacework_integration_name   = "custom name"
+  prefix                      = "customprefix"
+  location                    = "Central US"
+  key_vault_ids = [
+    "/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault1",
+    "/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault2",
+    "/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault3"
+  ]
+}

examples/custom-activity-log/versions.tf

@@ -0,0 +1,8 @@
+# required for Terraform 13
+terraform {
+  required_providers {
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}

examples/default-activity-log/main.tf

@@ -0,0 +1,11 @@
+provider "azuread" {}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "lacework" {}
+
+module "az_activity_log" {
+  source = "../../"
+}

examples/default-activity-log/versions.tf

@@ -0,0 +1,8 @@
+# required for Terraform 13
+terraform {
+  required_providers {
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}

main.tf

@@ -0,0 +1,134 @@
+locals {
+  application_id       = var.use_existing_ad_application ? var.application_id : module.az_al_ad_application.application_id
+  application_password = var.use_existing_ad_application ? var.application_password : module.az_al_ad_application.application_password
+  service_principal_id = var.use_existing_ad_application ? var.service_principal_id : module.az_al_ad_application.service_principal_id
+}
+
+module "az_al_ad_application" {
+  source                      = "lacework/ad-application/azure"
+  version                     = "0.1.0"
+  create                      = var.use_existing_ad_application ? false : true
+  application_name            = var.application_name
+  application_identifier_uris = var.application_identifier_uris
+  subscription_ids            = var.subscription_ids
+  all_subscriptions           = var.all_subscriptions
+  key_vault_ids               = var.key_vault_ids
+  tenant_id                   = var.tenant_id
+  password_length             = var.password_length
+}
+
+resource "azurerm_resource_group" "lacework" {
+  name     = "${var.prefix}-group"
+  location = var.location
+}
+
+# NOTE: storage name can only consist of lowercase letters and numbers,
+# and must be between 3 and 24 characters long
+resource "azurerm_storage_account" "lacework" {
+  name                      = "${var.prefix}storage"
+  account_kind              = "StorageV2"
+  account_tier              = "Standard"
+  account_replication_type  = "LRS"
+  enable_https_traffic_only = true
+  location                  = var.location
+  resource_group_name       = azurerm_resource_group.lacework.name
+  #enable_blob_encryption    = true
+}
+
+resource "azurerm_storage_queue" "lacework" {
+  name                 = "${var.prefix}-queue"
+  storage_account_name = azurerm_storage_account.lacework.name
+}
+
+resource "azurerm_eventgrid_event_subscription" "lacework" {
+  name  = "${var.prefix}-subscription"
+  scope = azurerm_storage_account.lacework.id
+
+  storage_queue_endpoint {
+    queue_name         = azurerm_storage_queue.lacework.name
+    storage_account_id = azurerm_storage_account.lacework.id
+  }
+
+  subject_filter {
+    subject_begins_with = "/blobServices/default/containers/insights-operational-logs/"
+  }
+
+  included_event_types = [
+    "Microsoft.Storage.BlobCreated"
+  ]
+}
+
+resource "azurerm_monitor_log_profile" "lacework" {
+  name               = "${var.prefix}-log-profile"
+  locations          = var.log_profile_locations
+  storage_account_id = azurerm_storage_account.lacework.id
+
+  categories = [
+    "Action",
+    "Delete",
+    "Write",
+  ]
+
+  # TODO @afiune customize these settings
+  retention_policy {
+    enabled = true
+    days    = 7
+  }
+}
+
+# TODO @afiune maybe we could add a subscription_id variable
+data "azurerm_subscription" "primary" {}
+resource "azurerm_role_definition" "lacework" {
+  name        = "${var.prefix}-role"
+  description = "Used by Lacework to monitor Activity Logs"
+  scope       = data.azurerm_subscription.primary.id
+
+  assignable_scopes = [
+    data.azurerm_subscription.primary.id
+  ]
+
+  permissions {
+    actions = [
+      "Microsoft.Resources/subscriptions/resourceGroups/read",
+      "Microsoft.Storage/storageAccounts/read",
+      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+      "Microsoft.Storage/storageAccounts/queueServices/queues/read",
+      "Microsoft.EventGrid/eventSubscriptions/read",
+      "Microsoft.Storage/storageAccounts/listkeys/action"
+    ]
+
+    data_actions = [
+      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+      "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
+      "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete"
+    ]
+  }
+}
+
+resource "azurerm_role_assignment" "lacework" {
+  role_definition_id = azurerm_role_definition.lacework.id
+  principal_id       = local.service_principal_id
+  scope              = data.azurerm_subscription.primary.id
+}
+
+# wait for X seconds for the Azure resources to be created
+resource "time_sleep" "wait_time" {
+  create_duration = var.wait_time
+  depends_on = [
+    azurerm_eventgrid_event_subscription.lacework,
+    azurerm_monitor_log_profile.lacework,
+    azurerm_role_assignment.lacework,
+    module.az_al_ad_application
+  ]
+}
+
+resource "lacework_integration_azure_al" "default" {
+  name      = var.lacework_integration_name
+  tenant_id = module.az_al_ad_application.tenant_id
+  queue_url = "https://${azurerm_storage_account.lacework.name}.queue.core.windows.net/${azurerm_storage_queue.lacework.name}"
+  credentials {
+    client_id     = local.application_id
+    client_secret = local.application_password
+  }
+  depends_on = [time_sleep.wait_time]
+}