{"id":21392157,"url":"https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud","last_synced_at":"2025-10-12T22:20:21.650Z","repository":{"id":39801805,"uuid":"370636658","full_name":"sysdiglabs/terraform-azurerm-secure-for-cloud","owner":"sysdiglabs","description":"Terraform module that deploys the Sysdig Secure For Cloud stack in Azure","archived":false,"fork":false,"pushed_at":"2024-11-12T22:55:41.000Z","size":1638,"stargazers_count":1,"open_issues_count":1,"forks_count":10,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-07-13T18:43:34.072Z","etag":null,"topics":["azure","sysdig-secure","terraform","terraform-modules"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/sysdiglabs/secure-for-cloud/azurerm/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-05-25T09:27:24.000Z","updated_at":"2024-11-11T18:59:53.000Z","dependencies_parsed_at":"2024-04-09T19:47:10.498Z","dependency_job_id":"7621a71c-868c-4826-b821-198cba3e6ee3","html_url":"https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud","commit_stats":null,"previous_names":[],"tags_count":40,"template":false,"template_full_name":null,"purl":"pkg:github/sysdiglabs/terraform-azurerm-secure-for-cloud","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterraform-azurerm-secure-for-cloud","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterraform-azurerm-secure-for-cloud/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterraform-azurerm-secure-for-cloud/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterraform-azurerm-secure-for-cloud/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterraform-azurerm-secure-for-cloud/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279013247,"owners_count":26085250,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-12T02:00:06.719Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","sysdig-secure","terraform","terraform-modules"],"created_at":"2024-11-22T13:39:23.689Z","updated_at":"2025-10-12T22:20:21.613Z","avatar_url":"https://github.com/sysdiglabs.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sunset Notice\n\n\u003e [!CAUTION]\n\u003e Sysdig released a new onboarding experience for Azure in August 2024. We recommend connecting your cloud accounts by [following these instructions](https://docs.sysdig.com/en/docs/sysdig-secure/connect-cloud-accounts/).\n\u003e\n\u003e This repository should be used solely in cases where Agentless Threat Detection cannot be used.\n\n## Usage\n\nThere are several ways to deploy Secure for Cloud in you Azure infrastructure,\n- [Single Subscription](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/single-subscription/README.md)\n- [Single Subscription with a pre-existing Kubernetes Cluster](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/single-subscription-k8s/README.md)\n- [Tenant Subscriptions](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/tenant-subscriptions/README.md)\n\nIf you're unsure about how to use this module, please contact your Sysdig representative. Our experts will guide you through the process and assist you in setting up your account securely and correctly.\n\n## Required Permissions\n\nTerraform provider credentials/token, requires administrative permissions (`Contributor` or `Owner`) in order to be able to create the\nresources specified in the per-example diagram.\n\nSome components may vary, or may be deployed on different accounts (depending on the example). You can check full resources on each module \"Resources\" section in their README's. You can also check our source code and suggest changes.\n\nThis would be an overall schema of the **created resources**, for the default setup.\n\n- Event Hub\n- Sysdig Workload: Container Instance / For K8s cluter is pre-requied, not create\n- For Scanning: Event-Grid, Event Hub, and Enterprise App in the ActiveDirectory\n\n### Provisioning Roles\n\n- Threat Detection feature requires `Contributor` subscription-level role user assignment\n    - For AD diagnostic on [selected log types](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/blob/master/modules/infrastructure/eventhub/variables.tf#L80) `Security Administrator` role must be granted to at Organizational level.\n      - Otherwise, it can be disabled setting `deploy_active_directory=false` on all examples\n\n- For scanning (disabled by defaul), an App (with its Service Principal) is required to be created in the ActiveDirectory, to enable\n  ContainerRegistry Task to run the image scanning This requires subscription-level `Security Administrator` role.\n\nNote: Beware that previous roles in AD are found in two different levels; Organizational level (user AD **Assigned\nRoles**), and Subscription level (user AD **Azure role assignments**). This role assignments take some time to\nconsolidate.\n\n![Azure AD roles](./resources/troubleshoot-ad-roles.png)\n\n### Provisioning Permissions\n\nA custom role could be created with following permissions\n\n```\n  # threat-detection\n  \"Microsoft.Authorization/roleAssignments/*\",\n  \"Microsoft.Authorization/roleDefinitions/*\",\n  \"Microsoft.ContainerInstance/containerGroups/*\",\n  \"Microsoft.ContainerRegistry/checkNameAvailability/read\"\n  \"Microsoft.ContainerRegistry/registries/*\",\n  \"Microsoft.ContainerInstance/locations/operations/read\",\n  \"Microsoft.EventGrid/eventSubscriptions/*\",\n  \"Microsoft.EventHub/namespaces/*\",\n  \"Microsoft.Insights/diagnosticSettings/*\",\n  \"Microsoft.ManagedServices/registrationAssignments/*\",\n  \"Microsoft.ManagedServices/registrationDefinitions/*\",\n  \"Microsoft.Network/networkProfiles/*\",\n  \"Microsoft.Network/networkSecurityGroups/*\",\n  \"Microsoft.Network/virtualNetworks/*\",\n  \"Microsoft.Resources/subscriptions/resourceGroups/*\",\n  \"Microsoft.Resources/subscriptions/resourcegroups/resources/read\",\n  \"Microsoft.ManagedServices/operationStatuses/read\",\n  \"Microsoft.ContainerRegistry/checkNameAvailability/read\"\n\n  # image scanning-specific\n  \"Microsoft.ContainerRegistry/registries/*\",\n  \"Microsoft.ContainerRegistry/checkNameAvailability/read\"\n```\n\n\u003cbr/\u003e\n\n\n## Confirm the Services are Working\n\nCheck official documentation on [Secure for cloud - Azure, Confirm the Services are working](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-azure/#confirm-the-services-are-working)\n\n### Forcing Events - Threat Detection\n\nChoose one of the rules contained in an activated Runtime Policies for Azure, and execute it in your Azure account.\n\nAlternativelly, use Terraform example module to trigger _Azure Access Level creation attempt for Blob Container Set to Public_ event can be\nfound on [examples/trigger-events](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/blob/master/examples/trigger-events).\n\n### Forcing Events - Image Scanning\n\n- For registry image scanning (ACR), upload any image to a registry repository.\n  ```shell\n  $ docker login -u xxx -p  xxx your-registry.azurecr.io  # acr access-key user and password\n  $ docker tag your-registry.azurecr.io/artifact:tag\n  $ docker push your-registry.azurecr.io/artifact:tag\n  ```\n- For workload image scanning in AzureContainerInstances (ACI), deploy any workload to an instance. Azure gives you the option for a quickstart\n  ![azure aci quickstart](./resources/aci-quickstart.png)\n\n\u003cbr/\u003e\u003cbr/\u003e\n\n## Troubleshooting\n\n### Q-Scanning: I see no image result on Secure\n\nA: 1. Check that the repository where you're uploading images to, is from a registry that has been configured on the\ndeployment, otherwise configure it through `registry_name` input variable \u003cbr/\u003e\n\n2. Check that in this registry 'Tasks \u003e Runs' a new image scanning deployment has been spawned\u003cbr/\u003e\n3. Check if in the CloudConnector ContainerInstance any log shows that a new image has been detected\u003cbr/\u003e\n\n### Q-Azure: Getting Error 403 on Monitor AAD Diagnostic Setting\n\n```shell\n│ Error: checking for presence of existing Monitor AAD Diagnostic Setting: (Name \"iru-aad-diagnostic-setting\"):\naad.DiagnosticSettingsClient#Get: Failure responding to request: StatusCode=403\n-- Original Error: autorest/azure: Service returned an error.\nStatus=403 Code=\"AuthorizationFailed\" Message=\"The client 'iru@***.onmicrosoft.com' with object id '***' does not have authorization to perform action\n'microsoft.aadiam/diagnosticSettings/read' over scope '/providers/microsoft.aadiam/diagnosticSettings/iru-aad-diagnostic-setting' or the scope is invalid.\nIf access was recently granted, please refresh your credentials.\"\n```\n\nA: Deployment user has not enough permissions to enable AD diagnostic settings for threat-detection.\u003cbr/\u003e\nS:  Check [Permissions](#permissions) section\n\n### Q-Azure: Getting Error 404 could not configure MSI Authorizer: NewMsiConfig: could not validate MSI endpoint\n\n```shell\n╷\n│ Error: could not configure MSI Authorizer: NewMsiConfig: could not validate MSI endpoint: received HTTP status 404\n│\n│   with provider[\"registry.terraform.io/hashicorp/azuread\"],\n│   on main.tf line 1, in provider \"azuread\":\n│    1: provider \"azuread\" {\n```\n\nA: This may happen if you're using Azure console shell to deploy terraform. MSI (managed service identity has connection\nlimitations)\u003cbr/\u003e\nS: Unset `MSI_ENDPOINT` environment variable [[1](https://github.com/hashicorp/terraform-provider-azuread/issues/633)].\nWe will upgrade provider soon to avoid this.\n\n\u003cbr/\u003e\u003cbr/\u003e\n\n\n## Upgrading\n\n1. Uninstall previous deployment resources before upgrading\n  ```\n  $ terraform destroy\n  ```\n\n2. Upgrade the full terraform example with\n  ```\n  $ terraform init -upgrade\n  $ terraform plan\n  $ terraform apply\n  ```\n\n- If the event-source is created throuh SFC, some events may get lost while upgrading with this approach. however, if the cloudtrail is re-used (normal production setup) events will be recovered once the ingestion resumes.\n\n- If required, you can upgrade cloud-connector component by restarting the task (stop task). Because it's not pinned to an specific version, it will download the `latest` one.\n\n\u003cbr/\u003e\n\n## Authors\n\nModule is maintained and supported by [Sysdig](https://sysdig.com).\n\n## License\n\nApache 2 Licensed. See LICENSE for full details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fterraform-azurerm-secure-for-cloud","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Fterraform-azurerm-secure-for-cloud","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fterraform-azurerm-secure-for-cloud/lists"}