Merge pull request #112 from stackrox/add-azure-sentinel-terraform

Add Azure Sentinel terraform scripts

Author: SimonBaeumer

.gitignore

@@ -1,5 +1,7 @@
 # Based on https://gist.github.com/octocat/9257657
 
+.idea
+
 # Compiled source #
 ###################
 *.com
@@ -42,5 +44,6 @@ Thumbs.db
 ##############
 sensor*.zip
 tmp
-/central-bundle/
-
+/central-bundle
+/**/.terraform
+/terraform/**/.terraform.lock.hcl

acs-export-example/go.mod

@@ -82,7 +82,6 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v1.5.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect

acs-export-example/go.sum

@@ -133,7 +133,6 @@ github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
 github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8=
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
-github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -272,13 +271,12 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
-github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -574,7 +572,6 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
@@ -753,11 +750,8 @@ golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

terraform/azure-sentinel/README.md

@@ -0,0 +1,57 @@
+# Azure Log Analytics - Sentinel Terraform
+
+This terraform script will provide all resources to setup an integration with Sentinel and Log Analytics Workspace. 
+
+This terraform script will provision following resources:
+
+ - Resource group 
+ - Log Analytics Workspace
+ - Data Collection Endpoint
+ - Data Collection Rule
+
+This script can be used to provision a custom environment and is used for CI testing.
+
+For more information visit the documentation in the [stackrox repo's Sentinel notifier](https://github.com/stackrox/stackrox/tree/master/central/notifiers/microsoftsentinel).
+
+## Quick start
+
+Requirements:
+
+ - Install azcli
+ - Authenticating via a [Service Principal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret)
+ - Access to the Microsoft Azure StackRox tenant
+ - Access to bitwarden
+
+```
+# Login into Azure, select the subscription. 
+$ az login
+
+$ export ARM_SUBSCRIPTION_ID="<id>"
+$ export ARM_CLIENT_SECRET="<password>"
+$ export ARM_TENANT_ID="<tenant_id>"
+$ export ARM_CLIENT_ID="<client_d>"
+
+$ terraform init
+$ terraform fmt
+$ terraform validate
+$ terraform apply
+```
+
+For later reference example Data Collection Rule configuration: https://github.com/hashicorp/terraform-provider-azurerm/blob/main/examples/azure-monitoring/data-collection-rule/main.tf
+
+### Create a service principal
+
+In case you need a new service principal you can run the command below. Please only use this if you are
+sure you need new credentials. Make sure to save them in bitwarden.
+
+```
+# Create a service principal for authentication
+$ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$ARM_SUBSCRIPTION_ID"
+
+{
+  "appId": "<appid>",
+  "displayName": "azure-cli-2024-10-07-08-49-10",
+  "password": "<password>",
+  "tenant": "<tenanid>"
+}
+```

terraform/azure-sentinel/main.tf

@@ -0,0 +1,96 @@
+resource "azurerm_resource_group" "rg" {
+  name     = "${var.prefix}-resources"
+  location = var.region
+}
+
+resource "azurerm_monitor_data_collection_endpoint" "endpoint" {
+  name                          = "${var.prefix}-data-collection-endpoint"
+  resource_group_name           = azurerm_resource_group.rg.name
+  location                      = azurerm_resource_group.rg.location
+  public_network_access_enabled = true
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "azurerm_log_analytics_workspace" "logworkspace" {
+  name                = "${var.prefix}-log-analytics-workspace"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku                 = "PerGB2018"
+  retention_in_days   = 30
+}
+
+# We are using the azapi provider to create custom tables because it is unsupported in the Azure provider.
+# This resource links to the data_flow.output_stream field in the `azurerm_monitor_data_collection_rule` resource.
+resource "azapi_resource" "data_collection_logs_table" {
+  name      = "stackrox_alerts_CL"
+  parent_id = azurerm_log_analytics_workspace.logworkspace.id
+  type      = "Microsoft.OperationalInsights/workspaces/tables@2022-10-01"
+  body = jsonencode(
+    {
+      "properties" : {
+        "schema" : {
+          "name" : "stackrox_alerts_CL",
+          "columns" : [
+            {
+              "name" : "TimeGenerated",
+              "type" : "datetime",
+              "description" : "The time at which the data was generated"
+            },
+            {
+              "name" : "msg",
+              "type" : "dynamic",
+              "description" : "StackRox alert message sent by a notifer"
+            }
+          ]
+        },
+        "retentionInDays" : 30,
+        "totalRetentionInDays" : 30
+      }
+    }
+  )
+}
+
+# Data Collection Rule
+resource "azurerm_monitor_data_collection_rule" "rule" {
+  name                        = "${var.prefix}-data-collection-rule"
+  resource_group_name         = azurerm_resource_group.rg.name
+  location                    = azurerm_resource_group.rg.location
+  data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.endpoint.id
+  description                 = "StackRox data collection rule to forward StackRox alerts to the Log Analytics Workspace."
+
+  destinations {
+    log_analytics {
+      workspace_resource_id = azurerm_log_analytics_workspace.logworkspace.id
+      name                  = "destination-logs"
+    }
+  }
+
+  data_flow {
+    streams      = ["Custom-stackrox_alerts_CL"]
+    destinations = ["destination-logs"]
+
+    # From `data_collection_logs_table.name`. The prefix is prepended by Azure automatically.
+    output_stream = "Custom-stackrox_alerts_CL"
+  }
+
+  stream_declaration {
+    stream_name = "Custom-stackrox_alerts_CL"
+    column {
+      name = "msg"
+      type = "dynamic"
+    }
+    column {
+      name = "TimeGenerated"
+      type = "datetime"
+    }
+  }
+
+  depends_on = [
+    azurerm_log_analytics_workspace.logworkspace,
+    azapi_resource.data_collection_logs_table
+  ]
+}
+

terraform/azure-sentinel/provider.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.4.0"
+    }
+    azapi = {
+      source  = "Azure/azapi"
+      version = "~> 1.8.0"
+    }
+  }
+
+  required_version = ">= 1.1.0"
+}
+
+provider "azurerm" {
+  features {}
+}

terraform/azure-sentinel/variables.tf

@@ -0,0 +1,10 @@
+variable "region" {
+  type        = string
+  default     = "westus2"
+  description = "The Azure region where the resources should be deployed to."
+}
+
+variable "prefix" {
+  type    = string
+  default = "stackrox-sentinel"
+}