diff --git a/samples/IaCMapping/azure-pipelines.yml b/samples/IaCMapping/azure-pipelines.yml
new file mode 100644
index 00000000..fb662d51
--- /dev/null
+++ b/samples/IaCMapping/azure-pipelines.yml
@@ -0,0 +1,30 @@
+trigger: none
+
+pool:
+ vmImage: 'windows-latest'
+
+steps:
+- task: TerraformInstaller@0
+ inputs:
+ terraformVersion: '1.0.0'
+- checkout: self
+
+- task: AzureCLI@2
+ inputs:
+ azureSubscription: ''
+ scriptType: 'bash'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ az account show
+ cd ./Modules-Prod
+ terraform init
+ terraform plan
+ terraform apply -auto-approve
+
+- task: MicrosoftSecurityDevOps@1
+ displayName: 'Microsoft Security DevOps'
+ task: MicrosoftSecurityDevOps@1
+ displayName: 'Microsoft Security DevOps'
+ # If you want to only run iacfilescanner, uncomment the below lines
+ # inputs:
+ # tools: 'iacfilescanner'
diff --git a/samples/IaCMapping/main.tf b/samples/IaCMapping/main.tf
new file mode 100644
index 00000000..ead97cb4
--- /dev/null
+++ b/samples/IaCMapping/main.tf
@@ -0,0 +1,29 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.0" # adjust this as per your requirements
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
+
+resource "azurerm_resource_group" "resourcegroup" {
+ name = "iacmappingdemo"
+ location = "Central US"
+}
+
+resource "azurerm_storage_account" "terraformaccount1" {
+ name = "iacmapping1212"
+ resource_group_name = azurerm_resource_group.resourcegroup.name
+ location = "Central US"
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ "mapping_tag" = "6189b638-15a5-42ec-b934-0d2b8e035ce1"
+ }
+}
diff --git a/samples/IaCMapping/readme.md b/samples/IaCMapping/readme.md
new file mode 100644
index 00000000..51cd158d
--- /dev/null
+++ b/samples/IaCMapping/readme.md
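Review bot: The final step repeats the `task: MicrosoftSecurityDevOps@1` and `displayName: 'Microsoft Security DevOps'` keys inside the same step mapping, which is a duplicate-key YAML error that will either fail pipeline validation or silently keep just one pair; delete the second `task:`/`displayName:` pair. The inline bash has no `set -e`, so if `cd ./Modules-Prod` fails — this change adds main.tf at samples/IaCMapping/main.tf and no Modules-Prod directory — `terraform init`, `terraform plan` and `terraform apply -auto-approve` still run in whatever directory the shell is left in; start the script with `set -euo pipefail`. Because the plan is not saved with `-out` and handed to apply, the apply step re-plans and auto-approves its own result, so the plan printed in the log is not necessarily what gets applied; outside a throwaway demo, gate the apply on a saved plan file or an environment approval. The Security DevOps scan also runs only after the resources exist, so in this ordering iacfilescanner findings cannot block the deployment; if the scan is meant to act as a gate, move it before the AzureCLI step.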
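Review bot: `azurerm_storage_account.terraformaccount1` leaves its public-exposure settings at provider defaults; with azurerm ~> 3.0 the account is created with `allow_nested_items_to_be_public` defaulting to true (any container can be flipped to anonymous blob access) and `public_network_access_enabled` defaulting to true. Since this resource exists to be scanned by the Security DevOps task, the IaC scanner is likely to flag exactly that, so set `allow_nested_items_to_be_public = false` and consider `public_network_access_enabled = false` where the demo does not need public reads. Both resources hard-code `location = "Central US"`; the storage account should use `location = azurerm_resource_group.resourcegroup.location` so the two cannot drift when a reader edits the location as the readme asks. A one-line comment above the `tags` block noting that the `mapping_tag` GUID is a sample value to be regenerated per deployment would stop the same GUID being copied into several environments.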
@@ -0,0 +1,12 @@
+## Introduction
+
+This folder provides samples for using [Infrastructure as Code mapping](https://learn.microsoft.com/azure/defender-for-cloud/iac-template-mapping) within DevOps security in Microsoft Defender for Cloud.
+
+This sample deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**.
+
+Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need to be updated with your selected storage location (see here for documentation). To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm).
+
+## Contents
+* [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
+* [azure-pipelines.yml](azure-pipelines.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. It is important to include the MSDO task in your ADO pipeline.
+ * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.