Azure CSPM Terraform Configuration

Configuration Guide

Updated May 26, 2023

Configure Azure cloud monitoring

You can use Terraform to configure scanning of your Microsoft Azure cloud environment configurations. Cloud scans are part of your Cloud Security Posture Management (CSPM) service.

Notes:

Requirements

Steps

  1. Configure CSPM Terraform
  2. Provide credentials to Arctic Wolf

Step 1: Configure the CSPM Terraform script

  1. Sign in to the Azure Portal.
  2. Click Cloud Shell from the top navigation of the Azure portal.
  3. If this is your first time using Azure Cloud Shell, create an Azure Storage account for the Azure file share:

    Note: This may incur subscription fees.

    1. Select the subscription used to create the storage account and file share.
    2. Click Create storage.
  4. Choose either Bash or PowerShell as your command line environment.
  5. Run the following command to verify that you are using the Azure subscription you intend to run Terraform with:
    az account show

    Note: If the Azure subscription is incorrect, see the Microsoft documentation for Terraform configuration in Azure Cloud Shell for steps to authenticate with a different subscription.
  6. Initialize Terraform:
    terraform init
  7. Run the following commands to validate the configuration, review the planned changes, and apply them:
    terraform validate
    terraform plan
    terraform apply

Step 2: Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Portal.

  2. In the navigation menu, click Connected Accounts to open the Connected Accounts page.

  3. Click + Add Account to open the Add Account form.

  4. Select Cloud Security Posture Management as the Account Type.

  5. Click Azure, and then fill in the form:

    Tip: When you configure the CSPM Terraform script, the command output includes values for the following. However, you can also retrieve them at any time. See Retrieve environment values for instructions.

    • Account Name
    • Directory ID
    • Application ID
    • Subscription ID
    • Secret Key
  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then click Done.

    You are returned to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team adds this account to your scan configuration, the status of your credentials changes to Connected.

Manage your Terraform CSPM configuration

The following tasks let you manage and alter your Terraform CSPM configuration after it has been set up.

Retrieve environment values

Editable Terraform values

main.tf contains default values that can be adjusted based on specific needs or use cases.

Subscription

By default, the CSPM configuration module creates the necessary resources for the primary environment subscription, that is, the subscription the Azure provider is currently authenticated to (the one az account show reports).

Note: If your Azure environment contains multiple subscriptions, set subscription_id in the azurerm_subscription data block to the ID of the subscription you want scanned. The data source's id is a computed attribute (the /subscriptions/... resource ID) and cannot be assigned.

data "azurerm_subscription" "example" {
  subscription_id = "12345678-1234-5678-9012-123456789012"
}

Application display name

You can change the azuread_application resource block to better suit preferred naming conventions.

resource "azuread_application" "example" {
  display_name = "AWN Cloud Scanner"
}

Application secrets key rotation

By default, the application secret (the Secret Key you submit in Step 2) is rotated every 365 days. You can modify this based on specific preferences or compliance requirements.

Note: Rotation takes effect only when terraform apply is run after the rotation period has elapsed; the time_rotating resource then forces a new azuread_application_password, and the new Secret Key must be provided to Arctic Wolf again as described in Step 2.

resource "time_rotating" "example" {
  rotation_days = 365
}

Application secrets key display name

You can change the azuread_application_password resource block to better suit preferred naming conventions.

Note: If you remove the time_rotating resource call block, you must also remove the rotate_when_changed parameter from the azuread_application_password resource call block.

resource "azuread_application_password" "example" {
  application_object_id = azuread_application.example.object_id
  display_name = "AWN Cloud Scan Credentials"
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}
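The fragments in the Subscription, Application display name, Application secrets key rotation and Application secrets key display name sections are pieces of one file. The main.tf below is an added example assembled from them; it is not Arctic Wolf's shipped module. The provider version pins, the azuread_client_config data source used to expose the Directory ID, the azuread_service_principal resource, the Reader role assignment at subscription scope and the four output names are assumptions made here so that the file applies on its own and prints the values Step 2 asks for; the page does not state which role the real module assigns.

```hcl
terraform {
  required_providers {
    # Assumed version pins (the page does not state them).
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
    time    = { source = "hashicorp/time", version = "~> 0.9" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Subscription to scan. Omit subscription_id to use the subscription the
# provider is currently authenticated to (what az account show reports).
data "azurerm_subscription" "example" {
  subscription_id = "12345678-1234-5678-9012-123456789012"
}

# Identity Terraform itself is running as; only used here for tenant_id.
data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name = "AWN Cloud Scanner"
}

# A service principal is what a role can actually be assigned to.
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# Assumption: read-only access at subscription scope is enough for
# configuration scanning. Scope is the /subscriptions/<id> resource ID.
resource "azurerm_role_assignment" "reader" {
  scope                = data.azurerm_subscription.example.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.example.object_id
}

# Changes its id once the period elapses; the next apply then replaces the secret.
resource "time_rotating" "example" {
  rotation_days = 365
}

resource "azuread_application_password" "example" {
  application_object_id = azuread_application.example.object_id
  display_name          = "AWN Cloud Scan Credentials"
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

# Values the Arctic Wolf Portal form asks for (output names are assumed).
output "directory_id" {
  value = data.azuread_client_config.current.tenant_id
}

output "application_id" {
  value = azuread_application.example.application_id
}

output "subscription_id" {
  value = data.azurerm_subscription.example.subscription_id
}

output "secret_key" {
  value     = azuread_application_password.example.value
  sensitive = true
}
```

After terraform apply, the plain terraform output listing redacts secret_key because it is marked sensitive; terraform output -raw secret_key prints it. The same value is stored in plaintext in terraform.tfstate in the Cloud Shell file share, so treat that storage account as holding a credential and restrict who can read it. If you drop the time_rotating resource, drop the rotate_when_changed block with it, as the note above says.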

Enable Terraform debugging

To troubleshoot issues with the Terraform configuration, enable debug logging before you run Terraform.

  1. Set the log level. First check that an existing configuration has not already set TF_LOG, because this value overrides it:
    export TF_LOG="DEBUG"
  2. Verify the log level:
    echo $TF_LOG
  3. Set the log path. TF_LOG_PATH must name a file, not a directory; Terraform appends to it:
    export TF_LOG_PATH="./terraform-debug.log"
  4. Run Terraform so that it generates logs:
    terraform apply
  5. Verify that the debug logs are available at the path that you set earlier.

Remove your Terraform configuration

Note: Removing the configuration destroys every resource tracked in this working directory's Terraform state, so other Terraform-managed resources that share that state are removed as well.

See also

Terraform documentation