Azure Deployment
This section covers installation methods.
Review the offering description on Sysdig Secure for cloud - Azure.
Deployments on Azure use a Terraform file.
Onboarding Using Terraform
Terraform-based install instructions differ depending on what type of account you are using.
At this time, the options include:
- Install for a single subscription
- Install for tenant subscriptions
The default code provided in the Data Sources page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection, benchmarks, and container registry and image scanning.
Prerequisites and Permissions
- A Sysdig Secure SaaS account with administrator permissions
- An Azure subscription or tenant you would like to connect to Sysdig
- The installing user must hold the Security Administrator role at the tenant (organizational) level and the Owner role on each subscription being onboarded; see the module documentation for more permissions detail
- Terraform installed on the machine from which you will deploy the installation code
- The Terraform Azure providers properly configured and authenticated (azurerm, plus azuread for the enterprise-application resources listed below)
Available Options
- Workload types: AzureContainerInstances or K8S (where the cloud-connector workload runs)
- Optional inputs that let the Sysdig Secure for Cloud Azure module re-use resources already present in your infrastructure: ResourceGroup
Check the input parameters of each example for these and further configuration options.
Steps
1. Log in to Sysdig Secure as Admin, select Integrations > Data Sources | Cloud Account, and choose Connect Account | Azure.
2. Copy the code snippet under Single Subscription or Tenant Subscriptions and paste it into a Terraform manifest (.tf file). It should be pre-configured with your Sysdig API token. That token grants API access to your Sysdig Secure account, so keep the manifest out of version control, or move the token into a sensitive Terraform variable before committing the file.
3. Run:
$ terraform init
4. When complete, run:
$ terraform apply
which will present the changes to be made, ask you to confirm them, then make the changes.
Then confirm the services are working (see Confirm the Services are Working below), and check Troubleshooting in case of permissions or account conflict errors.
Customizing the Install
Both the Single Subscription and Tenant Subscriptions code examples are configured with sensible defaults for the underlying inputs. If desired, you can edit the region, module enablement, and other inputs. See details for:
Enabling Image Scanner
The Image Scanner feature is disabled by default. To enable it, set the deploy_scanning input variable in your snippet:
module "secure-for-cloud_example" {
  ...
  deploy_scanning = true   # image scanning stays off unless this is set
}
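As an added example that serves both the Steps above and this section (it is not the snippet generated by the Data Sources page and not the module's own code), here is a complete manifest with the image scanner enabled and the API token kept out of the file. The provider source names, the module source path, and the subscription_id variable are assumptions written from the sysdiglabs registry naming convention; take the authoritative module source, version, and any other inputs (including sysdig_secure_url if your snippet sets one) from the snippet the UI gives you. The only module input taken from this page is deploy_scanning.

```hcl
# Added example manifest (not the UI-generated snippet, not the module's own code).
# Assumptions: provider sources and the module source path follow the sysdiglabs
# registry convention; check them against the snippet from the Data Sources page,
# which also carries the authoritative module version.

terraform {
  required_providers {
    sysdig  = { source = "sysdiglabs/sysdig" }
    azurerm = { source = "hashicorp/azurerm" }
  }
}

# The API token stays out of the manifest: it is a sensitive variable supplied
# through a terraform.tfvars file kept out of version control (or -var on the CLI).
# Terraform redacts sensitive values from plan/apply output, but they are still
# written to the state file, so protect the state as well.
variable "sysdig_secure_api_token" {
  type      = string
  sensitive = true
}

# Target subscription for the single-subscription install (assumed here to be
# set on the azurerm provider; your UI snippet shows where the module expects it).
variable "subscription_id" {
  type = string
}

provider "sysdig" {
  sysdig_secure_api_token = var.sysdig_secure_api_token
}

provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
}

module "secure-for-cloud_example" {
  # Assumed source path; replace with the source and version from your snippet.
  source = "sysdiglabs/secure-for-cloud/azurerm//examples/single-subscription"

  # Image scanning is disabled by default (see Enabling Image Scanner).
  deploy_scanning = true
}
```

Run terraform init and terraform apply as in the Steps above; Terraform prompts for sysdig_secure_api_token and subscription_id if they are not provided in a tfvars file. Add terraform.tfvars and the *.tfstate files to your VCS ignore list, since both can contain the token.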
Resources Created by Each Module
See the module source repository for the full list of created resources. Summary by module:
- Cloud-bench (the Lighthouse definition and assignment delegate access on the subscription to the Sysdig tenant, scoped by the custom role definition)
  - azurerm_lighthouse_assignment
  - azurerm_lighthouse_definition
  - azurerm_role_definition
  - azurerm_subscription
  - sysdig_secure_cloud_account
  - sysdig_secure_benchmark_task
- Cloud-connector
  - azurerm_container_group
  - azurerm_network_profile
  - azurerm_storage_account
  - azurerm_storage_blob
  - azurerm_storage_container
  - azurerm_subnet
  - azurerm_virtual_network
If Cloud-connector is installed, these additional modules will also be installed:
- Container-registry
  - azurerm_container_registry
  - azurerm_eventgrid_event_subscription
- Enterprise-application
  - azuread_application
  - azuread_application_password
  - azuread_service_principal
  - azuread_service_principal_password
  - azurerm_role_assignment
  - azurerm_role_definition
- Eventhub
  - azurerm_eventhub
  - azurerm_eventhub_authorization_rule
  - azurerm_eventhub_namespace
  - azurerm_eventhub_namespace_authorization_rule
  - azurerm_monitor_diagnostic_setting
  - azurerm_resource_group
Note that the Enterprise-application and Eventhub modules create credentials (the application and service principal passwords, and the Event Hub authorization rule keys). Terraform records these in its state file in plaintext, so keep the state in a protected backend and restrict access to it as you would to the credentials themselves.
Troubleshooting
Find more troubleshooting options in the Secure for Cloud - Terraform Azure module source repository.
1. Insufficient Permissions on Subscription
This error occurs when the Azure identity of your current authentication session lacks the permissions needed to create resources in the specified subscription. In the example below the failing resource is the Lighthouse registration definition, which is why the Prerequisites above call for the Owner role on the subscription.
Solution: Ensure you are authenticated to Azure as a non-guest user with the Contributor or Owner role on the target subscription (Contributor alone may still fail on the Lighthouse definition; Owner matches the Prerequisites). Verify your role assignments on the subscription before re-running terraform apply.
Error: Error Creating/Updating Lighthouse Definition "dd9be15b-0ee9-7daf-b942-5e173dae13fb" (Scope "/subscriptions/***"): managedservices.RegistrationDefinitionsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InsufficientPrivilegesForManagedServiceResource" Message="The requested user doesn't have sufficient privileges to perform the operation."
with module.cloudvision_example_existing_resource_group.module.cloud_bench.module.trust_relationship["***"].azurerm_lighthouse_definition.lighthouse_definition,
on ../../../modules/services/cloud-bench/trust_relationship/main.tf line 28, in resource "azurerm_lighthouse_definition" "lighthouse_definition":
28: resource "azurerm_lighthouse_definition" "lighthouse_definition" {
2. Conflicting Resources
This error occurs when the specified Azure subscription has already been onboarded to Sysdig, so resources such as the sfc-resourcegroup resource group already exist outside the current Terraform state.
Solution: Import the existing resource into Terraform with the terraform import command, which brings it under management in the current Terraform workspace. Then run terraform plan and review the proposed changes before applying: from that point on Terraform will modify or destroy the imported resource to make it match the configuration.
Error: A resource with the ID "/subscriptions/***/resourceGroups/sfc-resourcegroup" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information.
with module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0],
on ../../../modules/infrastructure/eventhub/main.tf line 6, in resource "azurerm_resource_group" "rg":
6: resource "azurerm_resource_group" "rg" {
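As an added example (not from the page or the module), the import for the resource group reported in the error above, written as a Terraform 1.5+ import block, which is the declarative equivalent of the terraform import command the Solution refers to. The resource address and ID are taken from the error message; the subscription ID is masked there and is shown here as a placeholder, and the module path will differ if you named your module differently than in the error.

```hcl
# Added example (not the page's or the module's own code): declarative import of
# the resource group that already exists from a previous onboarding.
# Requires Terraform 1.5 or later. On older versions run the CLI equivalent instead:
#   terraform import \
#     'module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0]' \
#     /subscriptions/<subscription-id>/resourceGroups/sfc-resourcegroup
#
# <subscription-id> is a placeholder for your own subscription ID (masked as *** in
# the error output). The address is the one from the "with module..." line of the
# error; substitute your own module name if it differs.
import {
  to = module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0]
  id = "/subscriptions/<subscription-id>/resourceGroups/sfc-resourcegroup"
}
```

Add the block next to your manifest, run terraform plan, and confirm the plan reports the resource group as imported with no destructive changes before running terraform apply. If the plan wants to replace the resource group, the existing onboarding's resources inside it would be destroyed along with it; reconcile the configuration (for example by pointing the module at the existing ResourceGroup via the optional input) before applying.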
Confirm the Services are Working
Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.
Check Overall Connection Status
- Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
- Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.
Check Threat Detection
- Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig Azure Threat Detection and Sysdig Azure Threat Intelligence policies are enabled. These consist of the most frequently recommended rules for Azure.
- Events: In the Events feed, search 'cloud' to show events from Azure.
If you need a more technical checkup, visit the Secure for Cloud - Terraform Azure source repository.
Check Image Scanning
- See the details in the Secure for Cloud - Terraform Azure module source repository.
See Also
- Secure for Cloud - Terraform Azure - Terraform registry module
- Secure for Cloud - Terraform Azure - Source Github repo
- Insights
- Integrate with Container Registries