Azure Deployment

This section covers installation methods.
Review the offering description on Sysdig Secure for cloud - Azure.

Deployments on Azure use a Terraform file.

Onboarding Using Terraform

Terraform-based install instructions differ depending on what type of account you are using.

At this time, the options include:

  • Install for a single subscription
  • Install for tenant subscriptions

The default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection, benchmarks, and container registry and image scanning.

Prerequisites and Permissions

  • A Sysdig Secure SaaS account, with administrator permissions
  • An Azure subscription/tenant you would like to connect to Sysdig
    • The installing user must have the Security Administrator role (organizational level) and the Owner role (subscription level)
    • More permissions detail
  • Terraform installed on the machine from which you will deploy the installation code.

Steps

  1. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account and choose the Azure tab.

    OR

    select Integrations > Data Sources | Cloud Account and choose Connect Account | Azure.

  2. Copy the code snippet under Single Subscription or Tenant Subscriptions and paste it into a Terraform Manifest (.tf file). It should be pre-configured with your Sysdig API token.

  3. Then run:

    $ terraform init

    When complete, run:

    $ terraform apply

    which will present the changes to be made, ask you to confirm them, then make the changes.

  4. Confirm the Services are Working

    Check Troubleshooting in case of permissions or account conflict errors.

Customizing the Install

Both the Single Account and Organizational Account code examples are configured with sensible defaults for the underlying inputs. If desired, you can edit the region, module enablement, and other inputs. See details for:

Enabling Image Scanner

The Image Scanner feature is disabled by default. To enable it, set the deploy_scanning input variable in your snippet, for example:

module "secure-for-cloud_example" {
  ...   # the other inputs from the copied snippet stay unchanged
  deploy_scanning = true
}

Resources Created by Each Module

Check the full list of created resources.

  • Cloud-bench
    • azurerm_lighthouse_assignment
    • azurerm_lighthouse_definition
    • azurerm_role_definition
    • azurerm_subscription
    • sysdig_secure_cloud_account
    • sysdig_secure_benchmark_task
  • Cloud-connector
    • azurerm_container_group
    • azurerm_network_profile
    • azurerm_storage_account
    • azurerm_storage_blob
    • azurerm_storage_container
    • azurerm_subnet
    • azurerm_virtual_network

If Cloud-connector is installed, these additional modules will also be installed:

  • Container-registry
    • azurerm_container_registry
    • azurerm_eventgrid_event_subscription
  • Enterprise-application
    • azuread_application
    • azuread_application_password
    • azuread_service_principal
    • azuread_service_principal_password
    • azurerm_role_assignment
    • azurerm_role_definition
  • Eventhub
    • azurerm_eventhub
    • azurerm_eventhub_authorization_rule
    • azurerm_eventhub_namespace
    • azurerm_eventhub_namespace_authorization_rule
    • azurerm_monitor_diagnostic_setting
    • azurerm_resource_group

Troubleshooting

Find more troubleshooting options in the module source repository.

1. Insufficient Permissions on Subscription

This error may occur if your current Azure authentication session does not have the required permissions to create resources in the specified subscription.

Solution: Ensure you are authenticated to Azure as a non-guest user with the Contributor or Owner role on the target subscription.

Error: Error Creating/Updating Lighthouse Definition "dd9be15b-0ee9-7daf-b942-5e173dae13fb" (Scope "/subscriptions/***"): managedservices.RegistrationDefinitionsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InsufficientPrivilegesForManagedServiceResource" Message="The requested user doesn't have sufficient privileges to perform the operation."
       
     with module.cloudvision_example_existing_resource_group.module.cloud_bench.module.trust_relationship["***"].azurerm_lighthouse_definition.lighthouse_definition,
         on ../../../modules/services/cloud-bench/trust_relationship/main.tf line 28, in resource "azurerm_lighthouse_definition" "lighthouse_definition":
         28: resource "azurerm_lighthouse_definition" "lighthouse_definition" {

2. Conflicting Resources

This error may occur if the specified Azure subscription has already been onboarded to Sysdig.

Solution: The existing resource can be imported into Terraform with the terraform import command. This brings the resource under management in the current Terraform workspace instead of attempting to create it again.

Error: A resource with the ID "/subscriptions/***/resourceGroups/sfc-resourcegroup" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information.
       
         with module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0],
         on ../../../modules/infrastructure/eventhub/main.tf line 6, in resource "azurerm_resource_group" "rg":
          6: resource "azurerm_resource_group" "rg" {
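The import step above needs the Terraform resource address (the "with ..." line) and the Azure resource ID (quoted in the error) to be copied exactly. The following POSIX shell script is an added example, not part of the Sysdig documentation or module: it extracts both values from a constructed copy of the error text (the subscription ID is a placeholder) and builds the matching terraform import command, quoting the address so the [0] index is not expanded by the shell.

```shell
#!/bin/sh
# Added example: derive the `terraform import` command from the
# "already exists" error printed by terraform apply.

# Constructed sample of the error text; the subscription ID is a placeholder.
SAMPLE_ERROR='Error: A resource with the ID "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sfc-resourcegroup" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information.

  with module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0],
  on ../../../modules/infrastructure/eventhub/main.tf line 6, in resource "azurerm_resource_group" "rg":
   6: resource "azurerm_resource_group" "rg" {'

# Azure resource ID: the quoted string following 'with the ID'.
extract_id() {
  printf '%s\n' "$1" | sed -n 's/.*with the ID "\([^"]*\)".*/\1/p' | head -n 1
}

# Terraform resource address: the 'with <address>,' line.
extract_address() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*with \(.*\),$/\1/p' | head -n 1
}

# Build the import command. Both arguments are single-quoted because the
# address contains an index ([0]) that the shell would otherwise glob.
# Returns non-zero if either value could not be found in the error text.
import_command() {
  id=$(extract_id "$1")
  addr=$(extract_address "$1")
  [ -n "$id" ] && [ -n "$addr" ] || return 1
  printf "terraform import '%s' '%s'\n" "$addr" "$id"
}

# Print the command for review; run it from the workspace that holds the state.
import_command "$SAMPLE_ERROR"
```

After the import, run terraform plan and confirm the resource group shows no changes before applying again.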

Confirm the Services are Working

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

  • Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
  • Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check Threat Detection

  • Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig Azure Threat Detection and Sysdig Azure Threat Intelligence policies are enabled.
    • These consist of the most-frequently-recommended rules for Azure DevOps.
  • Events: In the Events feed, search ‘cloud’ to show events from Azure.

See Also