Azure

Connect an Azure cloud account to Sysdig Secure using Terraform via a wizard. You can connect single subscription or a tenant. It is also possible to connect agentless CSPM alone.

Installation Options

Full Install using Wizard

To install all the features offered, follow the Wizard Quick Start.

Log in to Sysdig Secure as admin and select Integrations > Data Sources|Cloud Accounts.
Click +Add Account and select Azure. Select which installation method matches your enterprise methods:
- Terraform Single Subscription
- Terraform Tenant (Multi-Subscription)
As prompted by the Wizard screen, specify the following:
- AZURE_SUBSCRIPTION_ID: The Azure Subscription ID that you are onboarding.
The Wizard will autopopulate a code snippet, along with autodetected Sysdig Secure endpoint and Sysdig Secure API token information.
- Apply Terraform by running
```
$ terraform init
```
  When complete, run:
```
$ terraform apply
```
After deploying, perform any necessary configuration steps and confirm the services are working.

Install Agentless CSPM Only

This method of installation will only support CSPM Compliance.

The following features will not work: Threat Detection, Identity and Access, Image Scanning.

This installation is manual and can be performed for a single subscription or a tenant in Terraform.

Single Subscription

In a terminal window, ensure you are authenticated to the Azure subscription you would like to connect. You can authenticate using the Azure CLI by running az login

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}

provider "azurerm" {
  features { }
  subscription_id = "<AZURE_SUBSCRIPTION_ID>"
}

module "sysdig-sfc-agentless" {
  source          = "sysdiglabs/secure-for-cloud/azurerm//modules/services/cloud-bench"
  subscription_id = "<AZURE_SUBSCRIPTION_ID>"
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union: https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
- AZURE_SUBSCRIPTION_ID: The Azure Subscription ID that you are onboarding.
Apply Terraform by running
```
$ terraform init
```
When complete, run:
```
$ terraform apply
```
After deploying, confirm that Compliance is working.

Tenant

In a terminal window, ensure you are authenticated to the Azure tenant you would like to connect. You can authenticate using the Azure CLI by running az login --tenant <TENANT_ID>

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}

provider "azurerm" {
  features { }
}

module "sysdig-sfc-agentless" {
  source    = "sysdiglabs/secure-for-cloud/azurerm//modules/services/cloud-bench"
  is_tenant = true
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union: https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
Apply Terraform by running
```
$ terraform init
```
When complete, run:
```
$ terraform apply
```
After deploying, confirm that Compliance is working.

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. It might take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check CSPM

Check Inventory and filter for subscription =. Check for your Azure cloud account in the drop-down.

Check Threat Detection

Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig Azure Threat Detection and Sysdig Azure Threat Intelligence policies are enabled.
- These consist of the most-frequently-recommended rules for Azure DevOps.
Events: In the Events feed, filter for azure.subscriptionid = and check for your cloud account.
More technical details: Secure for Cloud - Terraform Azure source repository

Available on Azure

Agentless CSPM

Available as a stand-alone manual install or as part of the full install.

Resources Created

azurerm_lighthouse_assignment
azurerm_lighthouse_definition

Threat Detection

Resources Created

azuread_application
azuread_application_password
azuread_service_principal
azuread_service_principal_password
azurerm_container_group
azurerm_container_registry
azurerm_eventgrid_event_subscription
azurerm_eventgrid_event_subscription
azurerm_eventhub
azurerm_eventhub_authorization_rule
azurerm_eventhub_namespace
azurerm_eventhub_namespace_authorization_rule
azurerm_monitor_aad_diagnostic_setting
azurerm_monitor_diagnostic_setting
azurerm_network_profile
azurerm_network_security_group
azurerm_resource_group
azurerm_role_assignment
azurerm_role_definition
azurerm_subnet
azurerm_subnet_network_security_group_association
azurerm_virtual_network

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.