Azure

Connect your Azure subscriptions and tenant to Sysdig Secure using Terraform and choose from agent-based or agentless installs.

Azure Installation Options

Full Install using Wizard
This installation option includes:
- Agentless CSPM
- Agent-Based Cloud Detection and Response (CDR)
Agentless CSPM Only
This installation option offers a lightweight, agentless install that only supports CSPM.

Prerequisites and Permissions

Installed Applications

Sysdig Secure SaaS with administrator permissions
Terraform must be installed on the machine from which you deploy the installation code, along with the providers:
- Azure Active Directory Provider (azuread)
- Azure Provider (azurem)
- Have both providers configured with your chosen authentication method. For further guidance, see Hashicorp’s documentation: azuread; azurem.

Azure Roles and Permissions

An Azure Subscription or Tenant that you would like to connect to Sysdig is required. Ensure that you configure the azuread and azurerm providers with credentials that have:

Azure RBAC Owner role on each subscription to be onboarded
Entra ID Security Administrator role (for Wizard install with CDR only )
- This role is required to enable selected log types used by Sysdig to detect suspicious activity in your cloud account. The log types are listed in Sysdig’s variables.tf file.
  If you do not have access to this level of permission or prefer not to enable these log types, you can disable them by setting deploy_active_directory=false on all examples.
Microsoft.ManagedService - Register this resource provider in each subscription to be onboarded.
For further guidance, see Azure’s registration instructions.

Available Options

Workload Types: AzureContainerInstances, Kubernetes
Optional: ResourceGroup - Allows Sysdig’s cloud account Azure module to reuse available resources on your infrastructure.

Full Install using Wizard

To install CSPM and CDR, follow the Wizard Quick Start.

Log in to Sysdig Secure as admin and select Integrations > Data Sources|Cloud Accounts.
Click +Add Account and select Azure. Select which installation method matches your enterprise methods:
- Terraform Single Subscription
- Terraform Tenant (Multi-Subscription)
As prompted, specify the following:
- AZURE_SUBSCRIPTION_ID: The Azure Subscription ID that you are onboarding.
The Wizard will auto-populate a code snippet, along with autodetected Sysdig Secure endpoint and Sysdig Secure API token information.
Apply Terraform by running:
```
terraform init && terraform apply
```
After deploying, validate the services are working.

Install Agentless CSPM Only

This method is an alternative to the full installation (above). This method will only support CSPM Compliance.

If you use this method, Threat Detection and Response, Identity and Access (CIEM), and Image Scanning will not work.

You can perform this installation for a single Subscription or a whole Tenant in Terraform. These instructions detail how to deploy from an individual workstation, and may need to be adapted for use in other environments such as Terraform Cloud or within automation.

Single Subscription

In a terminal window, ensure you are authenticated to the Azure subscription you would like to connect. You can authenticate using the Azure CLI by running az login.

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}

provider "azurerm" {
  features { }
  subscription_id = "<AZURE_SUBSCRIPTION_ID>"
}

module "sysdig-sfc-agentless" {
  source          = "sysdiglabs/secure-for-cloud/azurerm//modules/services/cloud-bench"
  subscription_id = "<AZURE_SUBSCRIPTION_ID>"

  # See Important Note below about the relationship between reader user role and posture controls.

  use_reader_role = false
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union:https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
- AZURE_SUBSCRIPTION_ID: The Azure Subscription ID that you are onboarding
- use_reader_role: By default, set to false. It is possible to use a Reader role as opposed to the Contributor role, by setting use_reader_role = true, but note the important caveat:

 If you choose to set the reader role to `true`, note that it will cause the **AppService - Enabled App Service Authentication** posture control to pass without being evaluated.

Apply Terraform by running:
```
terraform init && terraform apply
```
After deploying, validate that CSPM is working.

Tenant

In a terminal window, ensure you are authenticated to the Azure tenant you would like to connect. You can authenticate using the Azure CLI by running az login --tenant <TENANT_ID>.

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}

provider "azurerm" {
  features { }
}

module "sysdig-sfc-agentless" {
  source    = "sysdiglabs/secure-for-cloud/azurerm//modules/services/cloud-bench"
  is_tenant = true
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union:https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
Apply Terraform by running
```
terraform init && terraform apply
```
After deploying, validate that CSPM is working.

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. It might take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

Check CSPM

Inventory: Select the Inventory module and filter for subscription =. Check for your Azure cloud account in the drop-down.

Check CDR

Policies: Select Policies > Runtime Policies and filter for Azure to confirm that Azure-specific managed policies are listed and enabled.

Events: Select Events > Cloud Events and filter for Platform in Azure.

Available on Azure

Agentless CSPM

Resources Created

azurerm_lighthouse_assignment
azurerm_lighthouse_definition

Threat Detection (CDR)

Resources Created

azuread_application
azuread_application_password
azuread_service_principal
azuread_service_principal_password
azurerm_container_group
azurerm_container_registry
azurerm_eventgrid_event_subscription
azurerm_eventgrid_event_subscription
azurerm_eventhub
azurerm_eventhub_authorization_rule
azurerm_eventhub_namespace
azurerm_eventhub_namespace_authorization_rule
azurerm_monitor_aad_diagnostic_setting
azurerm_monitor_diagnostic_setting
azurerm_network_profile
azurerm_network_security_group
azurerm_resource_group
azurerm_role_assignment
azurerm_role_definition
azurerm_subnet
azurerm_subnet_network_security_group_association
azurerm_virtual_network

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.