Deploy Sysdig Secure for cloud on Azure

If needed, review the offering description on Sysdig Secure for cloud - Azure.

Deployments on Azure use a Terraform file.

Onboarding Using Terraform

Terraform-based install instructions differ depending on what type of account you are using.

At this time, the options include:

Install for a single subscription
Install for tenant subscriptions

The default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection, benchmarks, and container registry and image scanning.

Prerequisites

A Sysdig Secure SaaS account
An Azure account you would like to connect to Sysdig, with appropriate permissions to install.
Have Terraform installed on the machine from which you will deploy the installation code.

Permissions

Sysdig Secure administrator permissions
On Azure, the installing user must have the roles of Security Administrator and Owner or Contributor.

Steps

Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the Azure tab.
Copy the code snippet under Single Subscription or Tenant Subscriptions and paste it in the terminal of your local machine. It should be pre-configured with your Sysdig API token.
Then run:
```
$ terraform init
```
When complete, run:
```
$ terraform apply
```
which will present the changes to be made, ask you to confirm them, then make the changes.
Confirm the Services are Working
Check Troubleshooting in case of permissions or account conflict errors.

Resources Created by Each Module

Cloud-bench
- azurerm_lighthouse_assignment
- azurerm_lighthouse_definition
- azurerm_role_definition
- azurerm_subscription
- sysdig_secure_cloud_account
- sysdig_secure_benchmark_task
Cloud-connector
- azurerm_container_group
- azurerm_network_profile
- azurerm_storage_account
- azurerm_storage_blob
- azurerm_storage_container
- azurerm_subnet
- azurerm_virtual_network

If Cloud-connector is installed, these additional modules will also be installed:

Container-registry
- azurerm_container_registry
- azurerm_eventgrid_event_subscription
Enterprise-application
- azuread_application
- azuread_application_password
- azuread_service_principal
- azuread_service_principal_password
- azurerm_role_assignment
- azurerm_role_definition
Eventhub
- azurerm_eventhub
- azurerm_eventhub_authorization_rule
- azurerm_eventhub_namespace
- azurerm_eventhub_namespace_authorization_rule
- azurerm_monitor_diagnostic_setting
- azurerm_resource_group

Troubleshooting

1. Insufficient Permissions on Subscription

This error may occur if your current Azure authentication session does not have the required permissions to create resources in the specified subscription.

Solution: Ensure you are authenticated to Azure using a Non-Guest user with the Contributor or Owner role on the target subscription.

Error: Error Creating/Updating Lighthouse Definition "dd9be15b-0ee9-7daf-b942-5e173dae13fb" (Scope "/subscriptions/***"): managedservices.RegistrationDefinitionsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InsufficientPrivilegesForManagedServiceResource" Message="The requested user doesn't have sufficient privileges to perform the operation."
       
     with module.cloudvision_example_existing_resource_group.module.cloud_bench.module.trust_relationship["***"].azurerm_lighthouse_definition.lighthouse_definition,
         on ../../../modules/services/cloud-bench/trust_relationship/main.tf line 28, in resource "azurerm_lighthouse_definition" "lighthouse_definition":
         28: resource "azurerm_lighthouse_definition" "lighthouse_definition" {

2. Conflicting Resources

This error may occur if the specified Azure Subscription has already been onboarded to Sysdig

Solution: The resource can be imported into Terraform by using the terraform import command. This will bring the resource under management in the current Terraform workspace.

Error: A resource with the ID "/subscriptions/***/resourceGroups/sfc-resourcegroup" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information.
       
         with module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0],
         on ../../../modules/infrastructure/eventhub/main.tf line 6, in resource "azurerm_resource_group" "rg":
          6: resource "azurerm_resource_group" "rg" {

Confirm the Services are Working

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

Data Sources: Select Data Sources from the User menu to see all connected cloud accounts.
Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.
Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check Threat Detection

Policies: Check Policies > Runtime Policies and confirm that the Azure Best Practices policy is enabled. This consists of the most-frequently-recommended rules for Azure DevOps.
Events: In the Events feed, search ‘cloud’ to show events from Azure.

Check Benchmarks

Tasks: Select Compliance > Benchmarks > Tasks and confirm a task with the name Sysdig Secure for Cloud (Azure) exists.
Results: After a few minutes, check results of the benchmark are available by clicking on the Sysdig Secure for Cloud (Azure) task. Note that results may take up to 15 minutes to appear.

Check Scanning

Scan Results: CheckImage Scanning > Scan Resultsand choose the Origins drop-down.
Confirm that Azure is listed.
Filter by the desired origin and review scan results.