Azure CSPM Terraform Configuration
Configure Azure cloud monitoring
You can configure scanning for your Microsoft Azure cloud environment configurations using Terraform. Cloud scans are part of your Cloud Security Posture Management (CSPM) service.
Notes:
- This page details how to configure CSPM using a Terraform script. For instructions on how to configure it manually, see Configuring Azure Cloud Environment Scanning.
- Multi-subscription and multi-tenant configurations are not supported. This process must be repeated for each subscription or tenant you want to scan.
Requirements
- A valid Arctic Wolf® Managed Risk license
- Terraform binary version 1.3.7 or newer installed on your Azure Cloud Shell
  Tip: Run terraform version to verify your existing Terraform version.
- Azure Active Directory (AD) Terraform provider (azuread) version 2.0.0 or newer
- Azure Resource Manager (RM) Terraform provider (azurerm) version 2.0.0 or newer
- CSPM Azure Terraform script
- A user principal with the Global Administrator role
Steps
Step 1: Configure the CSPM Terraform script
- Sign in to the Azure Portal.
- Click Cloud Shell from the top navigation of the Azure portal.
- If this is your first time using Azure Cloud Shell, create an Azure Storage account for the Azure file share:
  Note: This may incur subscription fees.
  - Select the subscription used to create the storage account and file share.
  - Click Create storage.
- Choose either Bash or PowerShell as your command line environment.
- Run the following command to verify that you are using the Azure subscription you intend to run Terraform with:
  az account show
  Note: If the Azure subscription is incorrect, see the Microsoft documentation for Terraform configuration in Azure Cloud Shell for steps to authenticate with a different subscription.
- Initialize Terraform:
  terraform init
- Run the following commands to validate the configuration, review the planned changes, and then apply them:
  terraform validate
  terraform plan
  terraform apply
Step 2: Provide credentials to Arctic Wolf
- Sign in to the Arctic Wolf Portal.
- In the navigation menu, click Connected Accounts to open the Connected Accounts page.
- Click + Add Account to open the Add Account form.
- Select Cloud Security Posture Management as the Account Type.
- Click Azure, and then fill in the form:
  Tip: When you configure the CSPM Terraform script, the command output includes values for the following fields. You can also retrieve them at any time; see Retrieve environment values for instructions.
  - Account Name
  - Directory ID
  - Application ID
  - Subscription ID
  - Secret Key
- Click Submit to CST.
- When prompted with the confirmation message, review your submission, and then click Done.
  You are returned to the Connected Accounts page.
- Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
  After your Concierge Security® Team adds this account to your scan configuration, the status of your credentials changes to Connected.
Manage your Terraform CSPM configuration
The following tasks let you manage and alter your Terraform CSPM configuration after it has been set up.
Retrieve environment values
- Retrieve registration details:
  terraform output registration
- Retrieve the secret key:
  terraform output -raw secret_key
  Note: The -raw parameter displays the key in plain text. Sensitive output is redacted by default.
- Retrieve the roles assigned to the Azure Cloud Environment Scanner:
  terraform output assigned_roles
Editable Terraform values
main.tf contains default values which can be adjusted based on specific needs or use cases.
Subscription
By default, the CSPM configuration module creates the necessary resources for the primary environment subscription.
Note: If your Azure environment contains multiple subscriptions, modify the azurerm_subscription data block to specify the appropriate subscription ID. The data source takes the subscription through its subscription_id argument; id is a computed attribute and cannot be set.
data "azurerm_subscription" "example" {
  subscription_id = "12345678-12234-5678-9012-123456789012"
}
Application display name
You can change the azuread_application resource block to better suit preferred naming conventions.
resource "azuread_application" "example" {
  display_name = "AWN Cloud Scanner"
}
Application secrets key rotation
By default, the application secrets key rotates every 365 days. You can modify this based on specific preferences or compliance requirements.
Note:
- You can remove the time_rotating resource call block if desired. If you remove the time_rotating resource call block, you must also remove the rotate_when_changed parameter from the azuread_application_password resource call block.
- You must provide new credentials through the Arctic Wolf Portal for registration each time the secrets key rotates.
resource "time_rotating" "example" {
rotation_days = 365
}
Application secrets key display name
You can change the azuread_application_password resource block to better suit preferred naming conventions.
Note: If you remove the time_rotating resource call block, you must also remove the rotate_when_changed parameter from the azuread_application_password resource call block.
resource "azuread_application_password" "example" {
application_object_id = azuread_application.example.object_id
display_name = "AWN Cloud Scan Credentials"
rotate_when_changed = {
rotation = time_rotating.example.id
}
}
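The blocks in the Subscription, Application display name, Application secrets key rotation and Application secrets key display name sections above, together with the registration, secret_key and assigned_roles outputs read in Retrieve environment values, fit together into one main.tf. The following is an added example of such a file, written for this page; it is not the Arctic Wolf CSPM Terraform script. The resource names ("example", "scanner_reader"), the subscription_id variable, the azuread_client_config and azuread_service_principal blocks, the hashicorp/time provider pin, the shape of the registration output and the choice of the built-in Reader role are all assumptions: use the role and names the actual script assigns. The secret_key output is marked sensitive so that terraform output redacts it unless -raw is requested.

```hcl
# Added example main.tf for an Azure CSPM scanner identity (not Arctic Wolf's script).
# Names, the subscription_id variable and the "Reader" role are assumptions.
terraform {
  required_version = ">= 1.3.7"
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
    azurerm = { source = "hashicorp/azurerm", version = ">= 2.0.0" }
    time    = { source = "hashicorp/time" }
  }
}

provider "azurerm" {
  features {}
}

# Leave null to scope the scanner to the Cloud Shell default subscription (az account show).
variable "subscription_id" {
  description = "ID of the subscription to scan; null uses the provider's current subscription."
  type        = string
  default     = null
}

# azurerm_subscription takes subscription_id as its argument; id is computed.
data "azurerm_subscription" "example" {
  subscription_id = var.subscription_id
}

# Tenant and caller identity of the account running Terraform (used for owners and Directory ID).
data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name = "AWN Cloud Scanner"
  owners       = [data.azuread_client_config.current.object_id]
}

# The service principal is what roles are assigned to.
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# Rotation clock: changing rotation_days changes the secret lifetime.
resource "time_rotating" "example" {
  rotation_days = 365
}

# A new password is generated whenever the rotation timestamp changes.
# Removing time_rotating requires removing rotate_when_changed as well.
resource "azuread_application_password" "example" {
  application_object_id = azuread_application.example.object_id
  display_name          = "AWN Cloud Scan Credentials"
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

# Least privilege: posture scanning only needs read access at subscription scope.
# "Reader" is an assumption here; assign the role the real script specifies.
resource "azurerm_role_assignment" "scanner_reader" {
  scope                = data.azurerm_subscription.example.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.example.object_id
}

# Values entered in the Arctic Wolf Portal form (terraform output registration).
output "registration" {
  value = {
    directory_id    = data.azuread_client_config.current.tenant_id
    application_id  = azuread_application.example.application_id
    subscription_id = data.azurerm_subscription.example.subscription_id
  }
}

# Redacted by default; shown only with: terraform output -raw secret_key
output "secret_key" {
  value     = azuread_application_password.example.value
  sensitive = true
}

# Roles granted to the scanner (terraform output assigned_roles).
output "assigned_roles" {
  value = [azurerm_role_assignment.scanner_reader.role_definition_name]
}
```

Because the password value is stored in Terraform state, the Cloud Shell file share that holds the state file should be treated as containing a credential, and each rotation produced by time_rotating has to be re-registered in the Arctic Wolf Portal as the note above describes.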
Enable Terraform debugging
To troubleshoot potential issues with the Terraform configuration, debug logging must be configured and enabled. Debug logs record provider API requests and responses and can contain sensitive values such as the application secret, so treat the log file as a secret and delete it when troubleshooting is complete.
- If no log level is already configured, set the log level:
  export TF_LOG="DEBUG"
- Verify the log level:
  echo $TF_LOG
- Set the log path. TF_LOG_PATH names a log file, not a directory; the path below is an example:
  export TF_LOG_PATH="./example/terraform.log"
- Run Terraform to generate logs:
  terraform apply
- Verify that the debug logs are available at the path that you set earlier.
Remove your Terraform configuration
Note: terraform destroy removes every resource tracked in the working directory's Terraform state, so it may remove other Terraform-managed resources in your environment as well. Review the planned deletions with terraform plan -destroy before you run it.
- If you need to remove your Terraform configuration, run terraform destroy in the CLI.