Merge pull request #22 from quantum-sec/feature/XDR-4688

XDR-4688: Move playbook module from infra-module to package
quantum-sec · Sep 22, 2023 · 500d1e5 · 500d1e5
2 parents 3776544 + 92c5e49
commit 500d1e5
Show file tree

Hide file tree

Showing 4 changed files with 168 additions and 0 deletions.
diff --git a/modules/sentinel-playbook/README.md b/modules/sentinel-playbook/README.md
@@ -0,0 +1,49 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.22 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.42.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.1 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_azure_role_assignment"></a> [azure\_role\_assignment](#module\_azure\_role\_assignment) | git::[email protected]:quantum-sec/package-azure.git//modules/azure-role-assignment | 1.6.1 |
+| <a name="module_azure_sentinel_playbooks"></a> [azure\_sentinel\_playbooks](#module\_azure\_sentinel\_playbooks) | git::[email protected]:quantum-sec/package-azure.git//modules/azure-arm-deployment | 1.6.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [null_resource.template_hash](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [azuread_service_principal.builtin_app](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_arm_deployment_name_prefix"></a> [arm\_deployment\_name\_prefix](#input\_arm\_deployment\_name\_prefix) | A unique string prepended to the ARM deployment name to ensure it is globally unique (i.e. your company name). | `string` | n/a | yes |
+| <a name="input_parameters_override"></a> [parameters\_override](#input\_parameters\_override) | Key/Value map to be applied to the arm script parameters. | `map(string)` | `{}` | no |
+| <a name="input_playbook_template"></a> [playbook\_template](#input\_playbook\_template) | The JSON template of the playbook to be deployed | `string` | n/a | yes |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which this resource will be provisioned. | `string` | n/a | yes |
+| <a name="input_role_definition_name"></a> [role\_definition\_name](#input\_role\_definition\_name) | The name of role definitiion in Azure subscription that is required to be assigned. | `string` | `"Microsoft Sentinel Automation Contributor"` | no |
+| <a name="input_sentinel_principal_id"></a> [sentinel\_principal\_id](#input\_sentinel\_principal\_id) | This is the Microsoft Sentinel Application ID that we can extract from Azure AD enterprise application. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_logic_app_id"></a> [logic\_app\_id](#output\_logic\_app\_id) | The ID of the LogicApp. |
+| <a name="output_output_content"></a> [output\_content](#output\_output\_content) | The JSON content of the outputs of the ARM template deployment. |
+<!-- END_TF_DOCS -->
diff --git a/modules/sentinel-playbook/main.tf b/modules/sentinel-playbook/main.tf
@@ -0,0 +1,78 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# DEPLOY A MICROSOFT SENTINEL PLAYBOOK
+# ---------------------------------------------------------------------------------------------------------------------
+
+terraform {
+  required_version = ">= 1.2"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 2.22"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2.1"
+    }
+  }
+}
+
+resource "null_resource" "template_hash" {
+  # null_resource.parameters.id used to force recreation of module.azure_sentinel_playbooks via local.arm_deployment_name
+  # this null_resource will get a new id when any of the triggers change
+  triggers = {
+    template_md5   = md5(var.playbook_template)
+    parameters_md5 = md5(jsonencode(var.parameters_override))
+  }
+}
+
+module "azure_sentinel_playbooks" {
+  source = "git::[email protected]:quantum-sec/package-azure.git//modules/azure-arm-deployment?ref=1.6.1"
+
+  depends_on = [
+    null_resource.template_hash,
+  ]
+
+  # logic_app_name is not controlled via this name - this is the deployment
+  name                = substr("${var.arm_deployment_name_prefix}-playbook-${null_resource.template_hash.id}", 0, 64)
+  resource_group_name = var.resource_group_name
+  deployment_mode     = "Incremental"
+
+  # Note that updating this file after the initial deployment will fail to `apply` because the corresponding
+  # parameters are not sent. You will need to first `destroy` then `apply` with the changes.
+  # See https://github.com/terraform-providers/terraform-provider-azurerm/issues/8840
+  arm_script          = var.playbook_template
+  parameters_override = var.parameters_override
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# DATA SOURCE FOR AZURE ROLE ASSIGNMENT
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  playbooks_template_output = jsondecode(module.azure_sentinel_playbooks.output_content)
+}
+
+data "azuread_service_principal" "builtin_app" {
+  count        = var.sentinel_principal_id == null ? 1 : 0
+  display_name = "Azure Security Insights"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE AZURE ROLE ASSIGNMENT FOR AZURE SECURITY INSIGHT APP
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "azure_role_assignment" {
+  source = "git::[email protected]:quantum-sec/package-azure.git//modules/azure-role-assignment?ref=1.6.1"
+
+  depends_on = [
+    module.azure_sentinel_playbooks,
+  ]
+
+  scope                = local.playbooks_template_output["logicAppId"]["value"]
+  role_definition_name = var.role_definition_name
+  principal_id         = coalesce(var.sentinel_principal_id, (can(data.azuread_service_principal.builtin_app[0].id) ? data.azuread_service_principal.builtin_app[0].id : null))
+}
diff --git a/modules/sentinel-playbook/outputs.tf b/modules/sentinel-playbook/outputs.tf
@@ -0,0 +1,9 @@
+output "logic_app_id" {
+  description = "The ID of the LogicApp."
+  value       = local.playbooks_template_output["logicAppId"].value
+}
+
+output "output_content" {
+  description = "The JSON content of the outputs of the ARM template deployment."
+  value       = module.azure_sentinel_playbooks.output_content
+}
diff --git a/modules/sentinel-playbook/vars.tf b/modules/sentinel-playbook/vars.tf
@@ -0,0 +1,32 @@
+variable "resource_group_name" {
+  description = "The name of the resource group in which this resource will be provisioned."
+  type        = string
+}
+
+variable "arm_deployment_name_prefix" {
+  description = "A unique string prepended to the ARM deployment name to ensure it is globally unique (i.e. your company name)."
+  type        = string
+}
+
+variable "playbook_template" {
+  description = "The JSON template of the playbook to be deployed"
+  type        = string
+}
+
+variable "parameters_override" {
+  description = "Key/Value map to be applied to the arm script parameters."
+  type        = map(string)
+  default     = {}
+}
+
+variable "role_definition_name" {
+  description = "The name of role definitiion in Azure subscription that is required to be assigned."
+  type        = string
+  default     = "Microsoft Sentinel Automation Contributor"
+}
+
+variable "sentinel_principal_id" {
+  description = "This is the Microsoft Sentinel Application ID that we can extract from Azure AD enterprise application."
+  type        = string
+  default     = null
+}