Deploy Sysdig Secure for cloud on Azure

If needed, review the offering description on Sysdig Secure for cloud - Azure.

Deployments on Azure use a Terraform file.

Onboarding Using Terraform

Terraform-based install instructions differ depending on what type of account you are using.

At this time, the options include:

  • Install for a single subscription
  • Install for tenant subscriptions

The default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection, benchmarks, and container registry and image scanning.

Prerequisites

  • A Sysdig Secure SaaS account

  • An Azure account you would like to connect to Sysdig, with appropriate permissions to install.

  • Terraform installed on the machine from which you will run the installation code.

Permissions

  • Sysdig Secure administrator permissions
  • On Azure, the installing user must have the roles of Security Administrator and Owner or Contributor.

Steps

  1. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the Azure tab.


  2. Copy the code snippet under Single Subscription or Tenant Subscriptions and paste it in the terminal of your local machine. It should be pre-configured with your Sysdig API token.

  3. Then run:

    $ terraform init

    When complete, run:

    $ terraform apply

    which will present the changes to be made, ask you to confirm them, then make the changes.

  4. Confirm the Services are Working

    Check Troubleshooting in case of permissions or account conflict errors.

Resources Created by Each Module

  • Cloud-bench
    • azurerm_lighthouse_assignment
    • azurerm_lighthouse_definition
    • azurerm_role_definition
    • azurerm_subscription
    • sysdig_secure_cloud_account
    • sysdig_secure_benchmark_task
  • Cloud-connector
    • azurerm_container_group
    • azurerm_network_profile
    • azurerm_storage_account
    • azurerm_storage_blob
    • azurerm_storage_container
    • azurerm_subnet
    • azurerm_virtual_network

If Cloud-connector is installed, these additional modules will also be installed:

  • Container-registry
    • azurerm_container_registry
    • azurerm_eventgrid_event_subscription
  • Enterprise-application
    • azuread_application
    • azuread_application_password
    • azuread_service_principal
    • azuread_service_principal_password
    • azurerm_role_assignment
    • azurerm_role_definition
  • Eventhub
    • azurerm_eventhub
    • azurerm_eventhub_authorization_rule
    • azurerm_eventhub_namespace
    • azurerm_eventhub_namespace_authorization_rule
    • azurerm_monitor_diagnostic_setting
    • azurerm_resource_group

Troubleshooting

1. Insufficient Permissions on Subscription

This error may occur if your current Azure authentication session does not have the required permissions to create resources in the specified subscription.

Solution: Ensure you are authenticated to Azure using a Non-Guest user with the Contributor or Owner role on the target subscription.

    Error: Error Creating/Updating Lighthouse Definition "dd9be15b-0ee9-7daf-b942-5e173dae13fb" (Scope "/subscriptions/***"): managedservices.RegistrationDefinitionsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InsufficientPrivilegesForManagedServiceResource" Message="The requested user doesn't have sufficient privileges to perform the operation."

      with module.cloudvision_example_existing_resource_group.module.cloud_bench.module.trust_relationship["***"].azurerm_lighthouse_definition.lighthouse_definition,
      on ../../../modules/services/cloud-bench/trust_relationship/main.tf line 28, in resource "azurerm_lighthouse_definition" "lighthouse_definition":
      28: resource "azurerm_lighthouse_definition" "lighthouse_definition" {

2. Conflicting Resources

This error may occur if the specified Azure subscription has already been onboarded to Sysdig, so the resources the module tries to create already exist.

Solution: The resource can be imported into Terraform by using the terraform import command. This will bring the resource under management in the current Terraform workspace.

    Error: A resource with the ID "/subscriptions/***/resourceGroups/sfc-resourcegroup" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information.

      with module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0],
      on ../../../modules/infrastructure/eventhub/main.tf line 6, in resource "azurerm_resource_group" "rg":
       6: resource "azurerm_resource_group" "rg" {
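The import step above has to be repeated for every conflicting resource, and the address (the `with ...` line, including the `[0]` index) and the Azure resource ID both have to be copied exactly. The helper below is an added example, not part of this page or of the Sysdig modules: it parses the "already exists" error text that Terraform prints, extracts the module address and the resource ID, and either prints the matching `terraform import` command or runs it. The sample error is constructed from the output shown above with a placeholder subscription ID; the `--run` flag and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of the "Conflicting Resources" error shown above.
# The subscription ID is a placeholder, not a real value.
SAMPLE_ERROR='Error: A resource with the ID "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sfc-resourcegroup" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information.

  with module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0],
  on ../../../modules/infrastructure/eventhub/main.tf line 6, in resource "azurerm_resource_group" "rg":
   6: resource "azurerm_resource_group" "rg" {'

# extract_existing_id ERROR_TEXT
# Prints the Azure resource ID quoted after "A resource with the ID".
extract_existing_id() {
  printf '%s\n' "$1" | sed -n 's/.*A resource with the ID "\([^"]*\)".*/\1/p' | head -n 1
}

# extract_address ERROR_TEXT
# Prints the Terraform resource address from the "with <address>," line.
# The module path and the [0] index are part of the address and must be kept.
extract_address() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*with \(.*\),[[:space:]]*$/\1/p' | head -n 1
}

# build_import_command ERROR_TEXT
# Prints the terraform import command for the conflicting resource.
# Returns 1 (prints nothing) when the text is not an "already exists" error,
# so the caller never runs an import with empty arguments.
build_import_command() {
  addr=$(extract_address "$1")
  id=$(extract_existing_id "$1")
  [ -n "$addr" ] && [ -n "$id" ] || return 1
  # Single quotes keep the [0] index from being treated as a shell glob.
  printf "terraform import '%s' '%s'\n" "$addr" "$id"
}

# run_import ERROR_TEXT
# Runs the import directly (no eval, the values are passed as arguments),
# from the same working directory in which terraform apply failed.
run_import() {
  addr=$(extract_address "$1")
  id=$(extract_existing_id "$1")
  [ -n "$addr" ] && [ -n "$id" ] || return 1
  terraform import "$addr" "$id"
}

# Usage: save the terraform error output to a file, then
#   sh import_conflict.sh error.txt          # print the import command
#   sh import_conflict.sh error.txt --run    # run terraform import
if [ -n "${1:-}" ]; then
  err_text=$(cat "$1")
  if [ "${2:-}" = "--run" ]; then
    run_import "$err_text"
  else
    build_import_command "$err_text" || echo "no 'already exists' error found in $1" >&2
  fi
fi
```

After the import succeeds, run `terraform apply` again; a second conflicting resource produces the same kind of error and can be handled the same way.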

Confirm the Services are Working

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

  • Data Sources: Select Data Sources from the User menu to see all connected cloud accounts.

  • Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.

  • Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check Threat Detection

  • Policies: Check Policies > Runtime Policies and confirm that the Azure Best Practices policy is enabled. This consists of the most-frequently-recommended rules for Azure DevOps.

  • Events: In the Events feed, search ‘cloud’ to show events from Azure.

Check Benchmarks

  • Tasks: Select Compliance > Benchmarks > Tasks and confirm a task with the name Sysdig Secure for Cloud (Azure) exists.
  • Results: After a few minutes, check results of the benchmark are available by clicking on the Sysdig Secure for Cloud (Azure) task. Note that results may take up to 15 minutes to appear.

Check Scanning

  • Scan Results: Check Image Scanning > Scan Results and choose the Origins drop-down.

    Confirm that Azure is listed.

  • Filter by the desired origin and review scan results.

Last modified January 15, 2022