From 0d93d6733ab8ae753b6b7eebf3bf1ceecdcd7e2f Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 13:45:42 -0600
Subject: [PATCH 01/35] Create main.tf
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/main.tf | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 samples/IaC Mapping/main.tf
diff --git a/samples/IaC Mapping/main.tf b/samples/IaC Mapping/main.tf
new file mode 100644
index 00000000..ead97cb4
--- /dev/null
+++ b/samples/IaC Mapping/main.tf
@@ -0,0 +1,29 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.0" # adjust this as per your requirements
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
+
+resource "azurerm_resource_group" "resourcegroup" {
+ name = "iacmappingdemo"
+ location = "Central US"
+}
+
+resource "azurerm_storage_account" "terraformaccount1" {
+ name = "iacmapping1212"
+ resource_group_name = azurerm_resource_group.resourcegroup.name
+ location = "Central US"
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ "mapping_tag" = "6189b638-15a5-42ec-b934-0d2b8e035ce1"
+ }
+}
From f4d13c0071dc35471fc91af9a1eaa10bb2dc26cc Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 13:46:41 -0600
Subject: [PATCH 02/35] Create readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/readme.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 samples/IaC Mapping/readme.md
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/samples/IaC Mapping/readme.md
@@ -0,0 +1 @@
+
From e9799d8ee8445b4c2867d6c4f428b19fda7c318a Mon Sep 17 00:00:00 2001
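Review bot: `azurerm_storage_account.terraformaccount1` leaves every exposure setting at the provider's defaults, so a sample meant to be copied creates an account on which containers can later be switched to anonymous public read; since the pinned azurerm 3.x exposes these settings, state them explicitly, e.g. `allow_nested_items_to_be_public = false` and `min_tls_version = "TLS1_2"`, so the sample documents its posture rather than relying on whatever the provider version defaults to. The region is hard-coded twice; `location = azurerm_resource_group.resourcegroup.location` keeps both resources in step when a reader follows the readme's instruction to change locations. The storage account name `iacmapping1212` must be globally unique and the `mapping_tag` GUID is meant to be replaced, but only the readme says so; a comment on each line, `# must be globally unique - change before applying` and `# replace with your own GUID`, would keep that instruction next to the value.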
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 13:53:26 -0600
Subject: [PATCH 03/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/readme.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
index 8b137891..48d43b62 100644
--- a/samples/IaC Mapping/readme.md
+++ b/samples/IaC Mapping/readme.md
@@ -1 +1,9 @@
+## Introduction
+
+This folder provides samples for using the Infrastructure as Code mapping feature within DevOps security in Microsoft Defender for Cloud.
+
+## Contents
+* [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/)
+* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure.
+* [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure.
From 1f9022c920e3f764e42a32fc7b208b6aa89e810c Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 13:53:36 -0600
Subject: [PATCH 04/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
index 48d43b62..6520c83b 100644
--- a/samples/IaC Mapping/readme.md
+++ b/samples/IaC Mapping/readme.md
@@ -3,7 +3,7 @@
 This folder provides samples for using the Infrastructure as Code mapping feature within DevOps security in Microsoft Defender for Cloud.
 ## Contents
-* [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/)
+* [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
 * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure.
 * [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure.
From d6bc2fb9f5fa2ab5dd33d848acf4047e37e0948f Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 13:54:34 -0600
Subject: [PATCH 05/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/readme.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
index 6520c83b..9c03a668 100644
--- a/samples/IaC Mapping/readme.md
+++ b/samples/IaC Mapping/readme.md
@@ -1,9 +1,8 @@
 ## Introduction
-This folder provides samples for using the Infrastructure as Code mapping feature within DevOps security in Microsoft Defender for Cloud.
+This folder provides samples for using [Infrastructure as Code mapping](https://learn.microsoft.com/azure/defender-for-cloud/iac-template-mapping) within DevOps security in Microsoft Defender for Cloud.
 ## Contents
 * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
 * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure.
 * [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure.
-
From 2cccb02b97ef5d234857bcf533d16de245104d08 Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 13:55:41 -0600
Subject: [PATCH 06/35] Create azure-pipeline.yml
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/azure-pipeline.yml | 27 ++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 samples/IaC Mapping/azure-pipeline.yml
diff --git a/samples/IaC Mapping/azure-pipeline.yml b/samples/IaC Mapping/azure-pipeline.yml
new file mode 100644
index 00000000..51f432b2
--- /dev/null
+++ b/samples/IaC Mapping/azure-pipeline.yml
@@ -0,0 +1,27 @@
+trigger: none
+
+pool:
+ vmImage: 'windows-latest'
+
+steps:
+- task: TerraformInstaller@0
+ inputs:
+ terraformVersion: '1.0.0'
+- checkout: self
+
+- task: AzureCLI@2
+ inputs:
+ azureSubscription: ''
+ scriptType: 'bash'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ az account show
+ cd ./Modules-Prod
+ terraform init
+ terraform plan
+ terraform apply -auto-approve
+
+- task: MicrosoftSecurityDevOps@1
+ displayName: 'Microsoft Security DevOps'
+ inputs:
+ tools: 'iacfilescanner'
From dd848a6121bba79991d6097c6c78739f0a1b5f91 Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 14:00:19 -0600
Subject: [PATCH 07/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/readme.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
index 9c03a668..e32c9bf2 100644
--- a/samples/IaC Mapping/readme.md
+++ b/samples/IaC Mapping/readme.md
@@ -2,6 +2,8 @@
 This folder provides samples for using [Infrastructure as Code mapping](https://learn.microsoft.com/azure/defender-for-cloud/iac-template-mapping) within DevOps security in Microsoft Defender for Cloud.
+This deployment should only be performed in non-production subscriptions with no other Terraform managed resources.
+
 ## Contents
 * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
 * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure.
From 5d2d0906ffcecebf96be19d70739ad7aabda4639 Mon Sep 17 00:00:00 2001
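Review bot: The inline script of the `AzureCLI@2` step does `cd ./Modules-Prod`, a directory this sample does not contain (main.tf is added under `samples/IaC Mapping/`), and because the bash script has no `set -e`, a failed `cd` does not stop it — `terraform init`, `terraform plan` and `terraform apply -auto-approve` then run in whatever directory the task started in. Begin the script with `set -euo pipefail` and point `cd` at the directory holding main.tf, e.g. `cd "samples/IaC Mapping"` if the checkout root is the working directory (verify against the task's working-directory default). `azureSubscription: ''` is an empty placeholder that only fails at queue time; a comment naming the required Azure Resource Manager service connection would make the expectation visible. The `MicrosoftSecurityDevOps@1` step runs `iacfilescanner` after the apply, so its findings cannot gate the deployment; moving it ahead of the AzureCLI step turns it into a control. Patch 18 re-creates this pipeline byte-for-byte as `samples/IaCMapping/azure-pipelines.yml`, so the same points apply there.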
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 14:08:41 -0600
Subject: [PATCH 08/35] Create github-workflow.yml
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/github-workflow.yml | 146 ++++++++++++++++++++++++
 1 file changed, 146 insertions(+)
 create mode 100644 samples/IaC Mapping/github-workflow.yml
diff --git a/samples/IaC Mapping/github-workflow.yml b/samples/IaC Mapping/github-workflow.yml
new file mode 100644
index 00000000..1e979007
--- /dev/null
+++ b/samples/IaC Mapping/github-workflow.yml
@@ -0,0 +1,146 @@
+name: 'Terraform Plan/Apply'
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+#Special permissions required for OIDC authentication
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+#These environment variables are used by the terraform azure provider to setup OIDD authenticate.
+env:
+ ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
+ ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+ ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
+
+jobs:
+ terraform-plan:
+ name: 'Terraform Plan'
+ runs-on: ubuntu-latest
+ env:
+ #this is needed since we are running terraform with read-only permissions
+ ARM_SKIP_PROVIDER_REGISTRATION: true
+ outputs:
+ tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
+
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Install the latest version of the Terraform CLI
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_wrapper: false
+
+ # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+ - name: Terraform Init
+ run: terraform init
+
+ # Checks that all Terraform configuration files adhere to a canonical format
+ # Will fail the build if not
+ - name: Terraform Format
+ run: terraform fmt -check
+
+ # Generates an execution plan for Terraform
+ # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes.
+ - name: Terraform Plan
+ id: tf-plan
+ run: |
+ export exitcode=0
+ terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$?
+
+ echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
+
+ if [ $exitcode -eq 1 ]; then
+ echo Terraform Plan Failed!
+ exit 1
+ else
+ exit 0
+ fi
+
+ # Save plan to artifacts
+ - name: Publish Terraform Plan
+ uses: actions/upload-artifact@v3
+ with:
+ name: tfplan
+ path: tfplan
+
+ # Create string output of Terraform Plan
+ - name: Create String Output
+ id: tf-plan-string
+ run: |
+ TERRAFORM_PLAN=$(terraform show -no-color tfplan)
+
+ delimiter="$(openssl rand -hex 8)"
+ echo "summary<<${delimiter}" >> $GITHUB_OUTPUT
+ echo "## Terraform Plan Output" >> $GITHUB_OUTPUT
+ echo "
Click to expand" >> $GITHUB_OUTPUT
+ echo "" >> $GITHUB_OUTPUT
+ echo '```terraform' >> $GITHUB_OUTPUT
+ echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT
+ echo '```' >> $GITHUB_OUTPUT
+ echo "
" >> $GITHUB_OUTPUT
+ echo "${delimiter}" >> $GITHUB_OUTPUT
+
+ # Publish Terraform Plan as task summary
+ - name: Publish Terraform Plan to Task Summary
+ env:
+ SUMMARY: ${{ steps.tf-plan-string.outputs.summary }}
+ run: |
+ echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
+
+ # If this is a PR post the changes
+ - name: Push Terraform Output to PR
+ if: github.ref != 'refs/heads/main'
+ uses: actions/github-script@v6
+ env:
+ SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const body = `${process.env.SUMMARY}`;
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: body
+ })
+
+ terraform-apply:
+ name: 'Terraform Apply'
+ if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2
+ runs-on: ubuntu-latest
+ environment: production
+ needs: [terraform-plan]
+
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+
+ # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+ - name: Terraform Init
+ run: terraform init
+
+ # Download saved plan from artifacts
+ - name: Download Terraform Plan
+ uses: actions/download-artifact@v3
+ with:
+ name: tfplan
+
+ # Terraform Apply
+ - name: Terraform Apply
+ run: terraform apply -auto-approve tfplan
From 1d8ef5753d75090f46452de0c93680eda27ed704 Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 14:09:13 -0600
Subject: [PATCH 09/35] Update github-workflow.yml
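Review bot: Every third-party action in this workflow (`actions/checkout@v3`, `hashicorp/setup-terraform@v2`, `actions/upload-artifact@v3`, `actions/download-artifact@v3`, `actions/github-script@v6`) is referenced by a mutable major-version tag, and because both jobs hold `id-token: write` and the OIDC-derived Azure identity from `ARM_CLIENT_ID`/`ARM_TENANT_ID`/`ARM_SUBSCRIPTION_ID`, a moved tag would run with the ability to apply infrastructure changes; pin each to a full commit SHA, e.g. `uses: actions/checkout@<commit-sha> # v3`. The workflow-level `permissions` block grants `pull-requests: write` to both jobs, though only the `Push Terraform Output to PR` step in `terraform-plan` needs it, so that grant belongs in the plan job's own `permissions`. The `pull_request` trigger runs `terraform plan` with those credentials for any PR to `main`; that is fine for same-repository branches, but a comment stating that PRs from forks are expected to fail (secrets and the OIDC token are not available to them) would save a reader a debugging session. The comment `#These environment variables are used by the terraform azure provider to setup OIDD authenticate.` should read `# These environment variables are used by the Terraform azurerm provider to set up OIDC authentication.`. Patch 19 re-creates this file (with patches 09 and 13 folded in) as `samples/IaCMapping/github-workflows.yml`, whose hunk is cut off at the end of this chunk, so the same points apply there.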
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/github-workflow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samples/IaC Mapping/github-workflow.yml b/samples/IaC Mapping/github-workflow.yml
index 1e979007..af492a0a 100644
--- a/samples/IaC Mapping/github-workflow.yml
+++ b/samples/IaC Mapping/github-workflow.yml
@@ -119,7 +119,7 @@ jobs:
 name: 'Terraform Apply'
 if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2
 runs-on: ubuntu-latest
- environment: production
+ environment: iacdemo
 needs: [terraform-plan]
 steps:
From b86b1f0d5dd3912f5efc12fa11c518708f059281 Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 14:13:10 -0600
Subject: [PATCH 10/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/readme.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
index e32c9bf2..1f312a03 100644
--- a/samples/IaC Mapping/readme.md
+++ b/samples/IaC Mapping/readme.md
@@ -2,9 +2,20 @@
 This folder provides samples for using [Infrastructure as Code mapping](https://learn.microsoft.com/azure/defender-for-cloud/iac-template-mapping) within DevOps security in Microsoft Defender for Cloud.
-This deployment should only be performed in non-production subscriptions with no other Terraform managed resources.
+This deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**.
+
+Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need updated with your selected storage location (see here for documentation). To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm).
 ## Contents
 * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
 * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure.
 * [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure.
+ * Requires [GitHub environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules). For this demo, name the environment "iacdemo".
+ * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect).
+ * Requires GitHub Secrets to be added to repository and the environment.
+ * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository)
+ * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
+ * AZURE_TENANT_ID : The tenant ID of Azure Active Directory where the app registration is defined.
+ * AZURE_SUBSCRIPTION_ID : The subscription ID where the app registration is defined.
+ * Environment - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-an-environment)
+ * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
From 06fb850d4de7e1e2d4dd34a496274a7c83fe9778 Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 14:16:11 -0600
Subject: [PATCH 11/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/readme.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
index 1f312a03..475bb856 100644
--- a/samples/IaC Mapping/readme.md
+++ b/samples/IaC Mapping/readme.md
@@ -9,9 +9,10 @@ Note that we do not choose a backend location to store the state file in this de
 ## Contents
 * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
 * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure.
+ * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.
 * [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure.
- * Requires [GitHub environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules). For this demo, name the environment "iacdemo".
- * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect).
+ * Requires [GitHub environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules). For this demo, name the environment "iacdemo". If you need guidance on deploying Terraform from GitHub, use [this documentation](https://learn.microsoft.com/devops/deliver/iac-github-actions#deploy-with-github-actions).
+ * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect).
* Requires GitHub Secrets to be added to repository and the environment.
 * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository)
 * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
From 7efc97d78e79c491dc352667794242f62fd6573d Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 14:16:32 -0600
Subject: [PATCH 12/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
index 475bb856..67f151f8 100644
--- a/samples/IaC Mapping/readme.md
+++ b/samples/IaC Mapping/readme.md
@@ -16,7 +16,7 @@ Note that we do not choose a backend location to store the state file in this de
 * Requires GitHub Secrets to be added to repository and the environment.
 * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository)
 * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
- * AZURE_TENANT_ID : The tenant ID of Azure Active Directory where the app registration is defined.
+ * AZURE_TENANT_ID : The tenant ID of Entra ID where the app registration is defined.
 * AZURE_SUBSCRIPTION_ID : The subscription ID where the app registration is defined.
 * Environment - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-an-environment)
 * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
From b4d6250014805e243ecdb2d1baef362d4d13719a Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Tue, 12 Dec 2023 14:21:30 -0600
Subject: [PATCH 13/35] Update github-workflow.yml
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaC Mapping/github-workflow.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/samples/IaC Mapping/github-workflow.yml b/samples/IaC Mapping/github-workflow.yml
index af492a0a..f93c5fc1 100644
--- a/samples/IaC Mapping/github-workflow.yml
+++ b/samples/IaC Mapping/github-workflow.yml
@@ -144,3 +144,23 @@ jobs:
 # Terraform Apply
 - name: Terraform Apply
 run: terraform apply -auto-approve tfplan
+
+ # Run analyzers
+ - name: Run Microsoft Security DevOps Analysis
+ uses: microsoft/security-devops-action@latest
+ id: msdo
+ with:
+ tools: 'iacfilescanner'
+
+ # Upload alerts to the Security tab
+ - name: Upload alerts to Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+
+ # Upload alerts file as a workflow artifact
+ - name: Upload alerts file as a workflow artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: alerts
+ path: ${{ steps.msdo.outputs.sarifFile }}
From 1ca218dd25a41b4ea7a1416530ff59640c2f0c4a Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 12:54:25 -0600
Subject: [PATCH 14/35] Create IaCMapping
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaCMapping | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 samples/IaCMapping
diff --git a/samples/IaCMapping b/samples/IaCMapping
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/samples/IaCMapping
@@ -0,0 +1 @@
+
From 7e0af0cd41986cce2fcd1cdad6e49f0d0e865d91 Mon Sep 17 00:00:00 2001
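Review bot: The new `Upload alerts to Security tab` step calls `github/codeql-action/upload-sarif@v2`, which needs `security-events: write`, but the workflow-level `permissions` block introduced in patch 08 (outside this hunk) grants only `id-token`, `contents` and `pull-requests`, so every other scope is `none` and the upload should be rejected at runtime; add `security-events: write` to the `terraform-apply` job's permissions. `microsoft/security-devops-action@latest` is a floating tag, so pin it to a release tag or commit SHA as the other actions should be. The analysis is also placed after `terraform apply -auto-approve tfplan`, meaning `iacfilescanner` findings are only reported once the infrastructure already exists; running the same step in `terraform-plan`, or ahead of the apply step, lets it gate the change. The enclosing `terraform-apply` job starts outside this hunk.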
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 12:54:57 -0600
Subject: [PATCH 15/35] Delete samples/IaCMapping
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaCMapping | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 samples/IaCMapping
diff --git a/samples/IaCMapping b/samples/IaCMapping
deleted file mode 100644
index 8b137891..00000000
--- a/samples/IaCMapping
+++ /dev/null
@@ -1 +0,0 @@
-
From 7b691570141d6092dba82c1ef4d2611d785faf2b Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 12:55:07 -0600
Subject: [PATCH 16/35] Create readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaCMapping/readme.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 samples/IaCMapping/readme.md
diff --git a/samples/IaCMapping/readme.md b/samples/IaCMapping/readme.md
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/samples/IaCMapping/readme.md
@@ -0,0 +1 @@
+
From 5df898318433becaa7ec48440135bf5a8ee6aa04 Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 12:55:24 -0600
Subject: [PATCH 17/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaCMapping/readme.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/samples/IaCMapping/readme.md b/samples/IaCMapping/readme.md
index 8b137891..67f151f8 100644
--- a/samples/IaCMapping/readme.md
+++ b/samples/IaCMapping/readme.md
@@ -1 +1,22 @@
+## Introduction
+This folder provides samples for using [Infrastructure as Code mapping](https://learn.microsoft.com/azure/defender-for-cloud/iac-template-mapping) within DevOps security in Microsoft Defender for Cloud.
+
+This deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**.
+
+Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need updated with your selected storage location (see here for documentation). To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm).
+
+## Contents
+* [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
+* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure.
+ * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.
+* [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure.
+ * Requires [GitHub environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules). For this demo, name the environment "iacdemo". If you need guidance on deploying Terraform from GitHub, use [this documentation](https://learn.microsoft.com/devops/deliver/iac-github-actions#deploy-with-github-actions).
+ * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect).
+ * Requires GitHub Secrets to be added to repository and the environment.
+ * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository)
+ * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
+ * AZURE_TENANT_ID : The tenant ID of Entra ID where the app registration is defined.
+ * AZURE_SUBSCRIPTION_ID : The subscription ID where the app registration is defined.
+ * Environment - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-an-environment)
+ * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
From 752fe43f1bf963ade22e6924f5ede3f18dab36ba Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 12:55:45 -0600
Subject: [PATCH 18/35] Create azure-pipelines.yml
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaCMapping/azure-pipelines.yml | 27 ++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 samples/IaCMapping/azure-pipelines.yml
diff --git a/samples/IaCMapping/azure-pipelines.yml b/samples/IaCMapping/azure-pipelines.yml
new file mode 100644
index 00000000..51f432b2
--- /dev/null
+++ b/samples/IaCMapping/azure-pipelines.yml
@@ -0,0 +1,27 @@
+trigger: none
+
+pool:
+ vmImage: 'windows-latest'
+
+steps:
+- task: TerraformInstaller@0
+ inputs:
+ terraformVersion: '1.0.0'
+- checkout: self
+
+- task: AzureCLI@2
+ inputs:
+ azureSubscription: ''
+ scriptType: 'bash'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ az account show
+ cd ./Modules-Prod
+ terraform init
+ terraform plan
+ terraform apply -auto-approve
+
+- task: MicrosoftSecurityDevOps@1
+ displayName: 'Microsoft Security DevOps'
+ inputs:
+ tools: 'iacfilescanner'
From 57e3124ac99a48042da04155c23930f75915f6f1 Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 12:56:07 -0600
Subject: [PATCH 19/35] Create github-workflows.yml
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
 samples/IaCMapping/github-workflows.yml | 166 ++++++++++++++++++++++++
 1 file changed, 166 insertions(+)
 create mode 100644 samples/IaCMapping/github-workflows.yml
diff --git a/samples/IaCMapping/github-workflows.yml b/samples/IaCMapping/github-workflows.yml
new file mode 100644
index 00000000..f93c5fc1
--- /dev/null
+++ b/samples/IaCMapping/github-workflows.yml
@@ -0,0 +1,166 @@ +name: 'Terraform Plan/Apply' + +on: + push: + branches: + - main + pull_request: + branches: + - main + +#Special permissions required for OIDC authentication +permissions: + id-token: write + contents: read + pull-requests: write + +#These environment variables are used by the terraform azure provider to setup OIDD authenticate. +env: + ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" + ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" + ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" + +jobs: + terraform-plan: + name: 'Terraform Plan' + runs-on: ubuntu-latest + env: + #this is needed since we are running terraform with read-only permissions + ARM_SKIP_PROVIDER_REGISTRATION: true + outputs: + tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }} + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 + + # Install the latest version of the Terraform CLI + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + with: + terraform_wrapper: false + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + run: terraform init + + # Checks that all Terraform configuration files adhere to a canonical format + # Will fail the build if not + - name: Terraform Format + run: terraform fmt -check + + # Generates an execution plan for Terraform + # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes. + - name: Terraform Plan + id: tf-plan + run: | + export exitcode=0 + terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$? + + echo "exitcode=$exitcode" >> $GITHUB_OUTPUT + + if [ $exitcode -eq 1 ]; then + echo Terraform Plan Failed! 
+ exit 1 + else + exit 0 + fi + + # Save plan to artifacts + - name: Publish Terraform Plan + uses: actions/upload-artifact@v3 + with: + name: tfplan + path: tfplan + + # Create string output of Terraform Plan + - name: Create String Output + id: tf-plan-string + run: | + TERRAFORM_PLAN=$(terraform show -no-color tfplan) + + delimiter="$(openssl rand -hex 8)" + echo "summary<<${delimiter}" >> $GITHUB_OUTPUT + echo "## Terraform Plan Output" >> $GITHUB_OUTPUT + echo "
Click to expand" >> $GITHUB_OUTPUT + echo "" >> $GITHUB_OUTPUT + echo '```terraform' >> $GITHUB_OUTPUT + echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT + echo '```' >> $GITHUB_OUTPUT + echo "
" >> $GITHUB_OUTPUT + echo "${delimiter}" >> $GITHUB_OUTPUT + + # Publish Terraform Plan as task summary + - name: Publish Terraform Plan to Task Summary + env: + SUMMARY: ${{ steps.tf-plan-string.outputs.summary }} + run: | + echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY + + # If this is a PR post the changes + - name: Push Terraform Output to PR + if: github.ref != 'refs/heads/main' + uses: actions/github-script@v6 + env: + SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const body = `${process.env.SUMMARY}`; + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: body + }) + + terraform-apply: + name: 'Terraform Apply' + if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2 + runs-on: ubuntu-latest + environment: iacdemo + needs: [terraform-plan] + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 + + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. 
+ - name: Terraform Init + run: terraform init + + # Download saved plan from artifacts + - name: Download Terraform Plan + uses: actions/download-artifact@v3 + with: + name: tfplan + + # Terraform Apply + - name: Terraform Apply + run: terraform apply -auto-approve tfplan + + # Run analyzers + - name: Run Microsoft Security DevOps Analysis + uses: microsoft/security-devops-action@latest + id: msdo + with: + tools: 'iacfilescanner' + + # Upload alerts to the Security tab + - name: Upload alerts to Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} + + # Upload alerts file as a workflow artifact + - name: Upload alerts file as a workflow artifact + uses: actions/upload-artifact@v3 + with: + name: alerts + path: ${{ steps.msdo.outputs.sarifFile }} From acb5323bd9372555e9ac3f5bb500d36f129d8aa4 Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:56:23 -0600 Subject: [PATCH 20/35] Create main.tf Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaCMapping/main.tf | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 samples/IaCMapping/main.tf diff --git a/samples/IaCMapping/main.tf b/samples/IaCMapping/main.tf new file mode 100644 index 00000000..ead97cb4 --- /dev/null +++ b/samples/IaCMapping/main.tf 
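Review bot: `uses: microsoft/security-devops-action@latest` in the terraform-apply job pins the scanner to a mutable tag, unlike every other action in the file which uses a major version, so the scan and the SARIF uploaded to the Security tab depend on whatever `latest` resolves to at run time; pin it to a release tag, or better a commit SHA, like the other steps. The MSDO scan also runs after `terraform apply -auto-approve tfplan`, so iacfilescanner findings surface only after the resources are provisioned rather than gating the apply; running the scan in the terraform-plan job (or before the apply step) lets a finding fail the run first. The comment above the apply job's Setup Terraform step says it configures a Terraform Cloud user API token, which this workflow does not do, so `# Install the latest version of the Terraform CLI` would be accurate, and `OIDD authenticate` in the env comment should read `OIDC authentication`.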
@@ -0,0 +1,29 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.0" # adjust this as per your requirements + } + } +} + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "resourcegroup" { + name = "iacmappingdemo" + location = "Central US" +} + +resource "azurerm_storage_account" "terraformaccount1" { + name = "iacmapping1212" + resource_group_name = azurerm_resource_group.resourcegroup.name + location = "Central US" + account_tier = "Standard" + account_replication_type = "GRS" + + tags = { + "mapping_tag" = "6189b638-15a5-42ec-b934-0d2b8e035ce1" + } +} From 26266ea459399107e7b315dc96fc9222c1b58584 Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:57:51 -0600 Subject: [PATCH 21/35] Update samples/IaC Mapping/readme.md Co-authored-by: Anais Miller Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaC Mapping/readme.md | 1 - 1 file changed, 1 deletion(-) diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md index 67f151f8..9f4d8cab 100644 --- a/samples/IaC Mapping/readme.md +++ b/samples/IaC Mapping/readme.md 
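Review bot: `location = "Central US"` is repeated on the storage account instead of referencing the resource group, so a user following the readme's instruction to change locations has two places to edit and can silently land the account in a different region; use `location = azurerm_resource_group.resourcegroup.location`. For a sample whose purpose is to be scanned by iacfilescanner, the account also leans on azurerm 3.x defaults (which, as far as I recall, leave anonymous blob-level access enabled); adding `allow_nested_items_to_be_public = false` and `min_tls_version = "TLS1_2"` states the intended posture explicitly and reduces the chance the demo's own storage account is what the scanner flags. The duplicate copy under samples/IaC Mapping is deleted in patch 31, so this file is the one to fix.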
@@ -11,7 +11,6 @@ Note that we do not choose a backend location to store the state file in this de * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription. * [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure. - * Requires [GitHub environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules). For this demo, name the environment "iacdemo". If you need guidance on deploying Terraform from GitHub, use [this documentation](https://learn.microsoft.com/devops/deliver/iac-github-actions#deploy-with-github-actions). * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect). * Requires GitHub Secrets to be added to repository and the environment. * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository) From a675972a2a1bc75461a24ed2914068687362baf5 Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:57:58 -0600 Subject: [PATCH 22/35] Update samples/IaC Mapping/readme.md Co-authored-by: Anais Miller Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaC Mapping/readme.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md index 9f4d8cab..fc33b26e 100644 --- a/samples/IaC Mapping/readme.md +++ b/samples/IaC Mapping/readme.md @@ -10,7 +10,6 @@ Note that we do not choose a backend location to store the state file in this de * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/). * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription. -* [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure. * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect). * Requires GitHub Secrets to be added to repository and the environment. * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository) From 044077895fcc2073f1f731d4988c82de0f39434d Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:58:03 -0600 Subject: [PATCH 23/35] Update samples/IaC Mapping/readme.md Co-authored-by: Anais Miller Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaC Mapping/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md index fc33b26e..764ce0b9 100644 --- a/samples/IaC Mapping/readme.md +++ b/samples/IaC Mapping/readme.md @@ -9,7 +9,7 @@ Note that we do not choose a backend location to store the state file in this de ## Contents * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/). * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. - * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription. + * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription. * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect). * Requires GitHub Secrets to be added to repository and the environment. * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository) From 943bc7a07156cba9ab0e3c94cdbb316aa6398191 Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:58:09 -0600 Subject: [PATCH 24/35] Update samples/IaC Mapping/readme.md Co-authored-by: Anais Miller 
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaC Mapping/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md index 764ce0b9..d2e6dd12 100644 --- a/samples/IaC Mapping/readme.md +++ b/samples/IaC Mapping/readme.md @@ -8,7 +8,7 @@ Note that we do not choose a backend location to store the state file in this de ## Contents * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/). -* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. +* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. It is important to include the MSDO task in your ADO pipeline. * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription. * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect). * Requires GitHub Secrets to be added to repository and the environment. From e5ce624bcce9f97a11c33eb11320719fff53cacf Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:58:51 -0600 Subject: [PATCH 25/35] Update samples/IaC Mapping/azure-pipeline.yml Co-authored-by: Anais Miller 
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaC Mapping/azure-pipeline.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/samples/IaC Mapping/azure-pipeline.yml b/samples/IaC Mapping/azure-pipeline.yml index 51f432b2..2a81c3dd 100644 --- a/samples/IaC Mapping/azure-pipeline.yml +++ b/samples/IaC Mapping/azure-pipeline.yml @@ -23,5 +23,9 @@ steps: - task: MicrosoftSecurityDevOps@1 displayName: 'Microsoft Security DevOps' - inputs: + task: MicrosoftSecurityDevOps@1 + displayName: 'Microsoft Security DevOps' + # If you want to only run iacfilescanner, uncomment the below lines + # inputs: + # tools: 'iacfilescanner' tools: 'iacfilescanner' From a464b89d5ff57d1fb9a3bf7ab42671160affe92d Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:58:56 -0600 Subject: [PATCH 26/35] Update samples/IaC Mapping/readme.md Co-authored-by: Anais Miller Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaC Mapping/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md index d2e6dd12..c7703f84 100644 --- a/samples/IaC Mapping/readme.md +++ b/samples/IaC Mapping/readme.md 
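Review bot: The new side of this hunk leaves the MicrosoftSecurityDevOps step with `task:` and `displayName:` each appearing twice in the same mapping, and the context line `tools: 'iacfilescanner'` now sits directly under the step instead of under an `inputs:` key, so the pipeline YAML has duplicate keys and a malformed task input. The suggestion looks like it was applied one line too late: the intended result is the existing `- task: MicrosoftSecurityDevOps@1` / `displayName: 'Microsoft Security DevOps'` pair followed only by the three comment lines, with both the old `inputs:` and `tools:` lines removed. The same duplicated `task:`/`displayName:` pair is introduced into samples/IaCMapping/azure-pipelines.yml by patch 28, which is the copy that survives after the `IaC Mapping` directory is deleted in patch 31, so that hunk needs the same correction.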
@@ -2,7 +2,7 @@ This folder provides samples for using [Infrastructure as Code mapping](https://learn.microsoft.com/azure/defender-for-cloud/iac-template-mapping) within DevOps security in Microsoft Defender for Cloud. -This deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**. +This sample deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**. Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need updated with your selected storage location (see here for documentation). To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm). From a27d9307b9205efc74bf22078e00e90690814689 Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:59:08 -0600 Subject: [PATCH 27/35] Update samples/IaC Mapping/readme.md Co-authored-by: Anais Miller Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaC Mapping/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md index c7703f84..cfbea75b 100644 --- a/samples/IaC Mapping/readme.md +++ b/samples/IaC Mapping/readme.md 
@@ -4,7 +4,7 @@ This folder provides samples for using [Infrastructure as Code mapping](https:// This sample deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**. -Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need updated with your selected storage location (see here for documentation). To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm). +> Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need to be updated with your selected storage location. To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm). ## Contents * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/). From 8cdf1d97b5dfa38cd2984ddf7fad22d50343c278 Mon Sep 17 00:00:00 2001 
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 12:59:45 -0600 Subject: [PATCH 28/35] Update azure-pipelines.yml Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaCMapping/azure-pipelines.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/samples/IaCMapping/azure-pipelines.yml b/samples/IaCMapping/azure-pipelines.yml index 51f432b2..fb662d51 100644 --- a/samples/IaCMapping/azure-pipelines.yml +++ b/samples/IaCMapping/azure-pipelines.yml @@ -23,5 +23,8 @@ steps: - task: MicrosoftSecurityDevOps@1 displayName: 'Microsoft Security DevOps' - inputs: - tools: 'iacfilescanner' + task: MicrosoftSecurityDevOps@1 + displayName: 'Microsoft Security DevOps' + # If you want to only run iacfilescanner, uncomment the below lines + # inputs: + # tools: 'iacfilescanner' From c5b54c416d749501662424ec8dd88287cfc25e12 Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 13:00:00 -0600 Subject: [PATCH 29/35] Delete samples/IaCMapping/github-workflows.yml Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaCMapping/github-workflows.yml | 166 ------------------------ 1 file changed, 166 deletions(-) delete mode 100644 samples/IaCMapping/github-workflows.yml diff --git a/samples/IaCMapping/github-workflows.yml b/samples/IaCMapping/github-workflows.yml deleted file mode 100644 index f93c5fc1..00000000 --- a/samples/IaCMapping/github-workflows.yml +++ /dev/null 
@@ -1,166 +0,0 @@ -name: 'Terraform Plan/Apply' - -on: - push: - branches: - - main - pull_request: - branches: - - main - -#Special permissions required for OIDC authentication -permissions: - id-token: write - contents: read - pull-requests: write - -#These environment variables are used by the terraform azure provider to setup OIDD authenticate. -env: - ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" - ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" - ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" - -jobs: - terraform-plan: - name: 'Terraform Plan' - runs-on: ubuntu-latest - env: - #this is needed since we are running terraform with read-only permissions - ARM_SKIP_PROVIDER_REGISTRATION: true - outputs: - tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }} - - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Install the latest version of the Terraform CLI - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_wrapper: false - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform init - - # Checks that all Terraform configuration files adhere to a canonical format - # Will fail the build if not - - name: Terraform Format - run: terraform fmt -check - - # Generates an execution plan for Terraform - # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes. - - name: Terraform Plan - id: tf-plan - run: | - export exitcode=0 - terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$? - - echo "exitcode=$exitcode" >> $GITHUB_OUTPUT - - if [ $exitcode -eq 1 ]; then - echo Terraform Plan Failed! 
- exit 1 - else - exit 0 - fi - - # Save plan to artifacts - - name: Publish Terraform Plan - uses: actions/upload-artifact@v3 - with: - name: tfplan - path: tfplan - - # Create string output of Terraform Plan - - name: Create String Output - id: tf-plan-string - run: | - TERRAFORM_PLAN=$(terraform show -no-color tfplan) - - delimiter="$(openssl rand -hex 8)" - echo "summary<<${delimiter}" >> $GITHUB_OUTPUT - echo "## Terraform Plan Output" >> $GITHUB_OUTPUT - echo "
Click to expand" >> $GITHUB_OUTPUT - echo "" >> $GITHUB_OUTPUT - echo '```terraform' >> $GITHUB_OUTPUT - echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT - echo '```' >> $GITHUB_OUTPUT - echo "
" >> $GITHUB_OUTPUT - echo "${delimiter}" >> $GITHUB_OUTPUT - - # Publish Terraform Plan as task summary - - name: Publish Terraform Plan to Task Summary - env: - SUMMARY: ${{ steps.tf-plan-string.outputs.summary }} - run: | - echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY - - # If this is a PR post the changes - - name: Push Terraform Output to PR - if: github.ref != 'refs/heads/main' - uses: actions/github-script@v6 - env: - SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}" - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const body = `${process.env.SUMMARY}`; - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: body - }) - - terraform-apply: - name: 'Terraform Apply' - if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2 - runs-on: ubuntu-latest - environment: iacdemo - needs: [terraform-plan] - - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. 
- - name: Terraform Init - run: terraform init - - # Download saved plan from artifacts - - name: Download Terraform Plan - uses: actions/download-artifact@v3 - with: - name: tfplan - - # Terraform Apply - - name: Terraform Apply - run: terraform apply -auto-approve tfplan - - # Run analyzers - - name: Run Microsoft Security DevOps Analysis - uses: microsoft/security-devops-action@latest - id: msdo - with: - tools: 'iacfilescanner' - - # Upload alerts to the Security tab - - name: Upload alerts to Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{ steps.msdo.outputs.sarifFile }} - - # Upload alerts file as a workflow artifact - - name: Upload alerts file as a workflow artifact - uses: actions/upload-artifact@v3 - with: - name: alerts - path: ${{ steps.msdo.outputs.sarifFile }} From 27b891605eb44a5439bed4575c851ab367a13cd6 Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 13:00:43 -0600 Subject: [PATCH 30/35] Update readme.md Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaCMapping/readme.md | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/samples/IaCMapping/readme.md b/samples/IaCMapping/readme.md index 67f151f8..a4519bdb 100644 --- a/samples/IaCMapping/readme.md +++ b/samples/IaCMapping/readme.md 
@@ -10,13 +10,4 @@ Note that we do not choose a backend location to store the state file in this de * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/). * [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription. -* [github-workflow.yml](github-workflow.yml) is a sample GitHub workflow that can be used to provision the Terraform code in main.tf as a resource within Azure. - * Requires [GitHub environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-protection-rules). For this demo, name the environment "iacdemo". If you need guidance on deploying Terraform from GitHub, use [this documentation](https://learn.microsoft.com/devops/deliver/iac-github-actions#deploy-with-github-actions). - * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect). - * Requires GitHub Secrets to be added to repository and the environment. - * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository) - * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure - * AZURE_TENANT_ID : The tenant ID of Entra ID where the app registration is defined. 
- * AZURE_SUBSCRIPTION_ID : The subscription ID where the app registration is defined. - * Environment - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-an-environment) - * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure + From 9de04d4f23b423efccd8b2fd490252fdee0712e8 Mon Sep 17 00:00:00 2001 From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> Date: Fri, 15 Dec 2023 13:00:56 -0600 Subject: [PATCH 31/35] Delete samples/IaC Mapping directory Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com> --- samples/IaC Mapping/azure-pipeline.yml | 31 ----- samples/IaC Mapping/github-workflow.yml | 166 ------------------------ samples/IaC Mapping/main.tf | 29 ----- samples/IaC Mapping/readme.md | 20 --- 4 files changed, 246 deletions(-) delete mode 100644 samples/IaC Mapping/azure-pipeline.yml delete mode 100644 samples/IaC Mapping/github-workflow.yml delete mode 100644 samples/IaC Mapping/main.tf delete mode 100644 samples/IaC Mapping/readme.md diff --git a/samples/IaC Mapping/azure-pipeline.yml b/samples/IaC Mapping/azure-pipeline.yml deleted file mode 100644 index 2a81c3dd..00000000 --- a/samples/IaC Mapping/azure-pipeline.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -trigger: none - -pool: - vmImage: 'windows-latest' - -steps: -- task: TerraformInstaller@0 - inputs: - terraformVersion: '1.0.0' -- checkout: self - -- task: AzureCLI@2 - inputs: - azureSubscription: '' - scriptType: 'bash' - scriptLocation: 'inlineScript' - inlineScript: | - az account show - cd ./Modules-Prod - terraform init - terraform plan - terraform apply -auto-approve - -- task: MicrosoftSecurityDevOps@1 - displayName: 'Microsoft Security DevOps' - task: MicrosoftSecurityDevOps@1 - displayName: 'Microsoft Security DevOps' - # If you want to only run iacfilescanner, uncomment the below lines - # inputs: - # tools: 'iacfilescanner' - tools: 'iacfilescanner' diff --git a/samples/IaC Mapping/github-workflow.yml b/samples/IaC Mapping/github-workflow.yml deleted file mode 100644 index f93c5fc1..00000000 --- a/samples/IaC Mapping/github-workflow.yml +++ /dev/null 
@@ -1,166 +0,0 @@
-name: 'Terraform Plan/Apply'
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-#Special permissions required for OIDC authentication
-permissions:
- id-token: write
- contents: read
- pull-requests: write
-
-#These environment variables are used by the terraform azure provider to setup OIDD authenticate.
-env:
- ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
- ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
- ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
-
-jobs:
- terraform-plan:
- name: 'Terraform Plan'
- runs-on: ubuntu-latest
- env:
- #this is needed since we are running terraform with read-only permissions
- ARM_SKIP_PROVIDER_REGISTRATION: true
- outputs:
- tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
-
- # Install the latest version of the Terraform CLI
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
- with:
- terraform_wrapper: false
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- run: terraform init
-
- # Checks that all Terraform configuration files adhere to a canonical format
- # Will fail the build if not
- - name: Terraform Format
- run: terraform fmt -check
-
- # Generates an execution plan for Terraform
- # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes.
- - name: Terraform Plan
- id: tf-plan
- run: |
- export exitcode=0
- terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$?
-
- echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
-
- if [ $exitcode -eq 1 ]; then
- echo Terraform Plan Failed!
- exit 1
- else
- exit 0
- fi
-
- # Save plan to artifacts
- - name: Publish Terraform Plan
- uses: actions/upload-artifact@v3
- with:
- name: tfplan
- path: tfplan
-
- # Create string output of Terraform Plan
- - name: Create String Output
- id: tf-plan-string
- run: |
- TERRAFORM_PLAN=$(terraform show -no-color tfplan)
-
- delimiter="$(openssl rand -hex 8)"
- echo "summary<<${delimiter}" >> $GITHUB_OUTPUT
- echo "## Terraform Plan Output" >> $GITHUB_OUTPUT
- echo "
Click to expand" >> $GITHUB_OUTPUT
- echo "" >> $GITHUB_OUTPUT
- echo '```terraform' >> $GITHUB_OUTPUT
- echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT
- echo '```' >> $GITHUB_OUTPUT
- echo "
" >> $GITHUB_OUTPUT
- echo "${delimiter}" >> $GITHUB_OUTPUT
-
- # Publish Terraform Plan as task summary
- - name: Publish Terraform Plan to Task Summary
- env:
- SUMMARY: ${{ steps.tf-plan-string.outputs.summary }}
- run: |
- echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
-
- # If this is a PR post the changes
- - name: Push Terraform Output to PR
- if: github.ref != 'refs/heads/main'
- uses: actions/github-script@v6
- env:
- SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const body = `${process.env.SUMMARY}`;
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: body
- })
-
- terraform-apply:
- name: 'Terraform Apply'
- if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2
- runs-on: ubuntu-latest
- environment: iacdemo
- needs: [terraform-plan]
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
-
- # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- run: terraform init
-
- # Download saved plan from artifacts
- - name: Download Terraform Plan
- uses: actions/download-artifact@v3
- with:
- name: tfplan
-
- # Terraform Apply
- - name: Terraform Apply
- run: terraform apply -auto-approve tfplan
-
- # Run analyzers
- - name: Run Microsoft Security DevOps Analysis
- uses: microsoft/security-devops-action@latest
- id: msdo
- with:
- tools: 'iacfilescanner'
-
- # Upload alerts to the Security tab
- - name: Upload alerts to Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{ steps.msdo.outputs.sarifFile }}
-
- # Upload alerts file as a workflow artifact
- - name: Upload alerts file as a workflow artifact
- uses: actions/upload-artifact@v3
- with:
- name: alerts
- path: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/samples/IaC Mapping/main.tf b/samples/IaC Mapping/main.tf
deleted file mode 100644
index ead97cb4..00000000
--- a/samples/IaC Mapping/main.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.0" # adjust this as per your requirements
- }
- }
-}
-
-provider "azurerm" {
- features {}
-}
-
-resource "azurerm_resource_group" "resourcegroup" {
- name = "iacmappingdemo"
- location = "Central US"
-}
-
-resource "azurerm_storage_account" "terraformaccount1" {
- name = "iacmapping1212"
- resource_group_name = azurerm_resource_group.resourcegroup.name
- location = "Central US"
- account_tier = "Standard"
- account_replication_type = "GRS"
-
- tags = {
- "mapping_tag" = "6189b638-15a5-42ec-b934-0d2b8e035ce1"
- }
-}
diff --git a/samples/IaC Mapping/readme.md b/samples/IaC Mapping/readme.md
deleted file mode 100644
index cfbea75b..00000000
--- a/samples/IaC Mapping/readme.md
+++ /dev/null
@@ -1,20 +0,0 @@
-## Introduction
-
-This folder provides samples for using [Infrastructure as Code mapping](https://learn.microsoft.com/azure/defender-for-cloud/iac-template-mapping) within DevOps security in Microsoft Defender for Cloud.
-
-This sample deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**.
-
-> Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need to be updated with your selected storage location. To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm).
-
-## Contents
-* [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
-* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. It is important to include the MSDO task in your ADO pipeline.
- * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.
- * Requires [Microsoft Entra application for authentication](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-openid-connect).
- * Requires GitHub Secrets to be added to repository and the environment.
- * Repository - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository)
- * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
- * AZURE_TENANT_ID : The tenant ID of Entra ID where the app registration is defined.
- * AZURE_SUBSCRIPTION_ID : The subscription ID where the app registration is defined.
- * Environment - For guidance, see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-an-environment)
- * AZURE_CLIENT_ID : The application (client) ID of the app registration in Azure
From 63ac3d54f1eff9fe4ac1845f1f176199c9341eee Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 13:03:11 -0600
Subject: [PATCH 32/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
samples/IaCMapping/readme.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/samples/IaCMapping/readme.md b/samples/IaCMapping/readme.md
index a4519bdb..0da13940 100644
--- a/samples/IaCMapping/readme.md
+++ b/samples/IaCMapping/readme.md
@@ -2,12 +2,14 @@
 This folder provides samples for using [Infrastructure as Code mapping](https://learn.microsoft.com/azure/defender-for-cloud/iac-template-mapping) within DevOps security in Microsoft Defender for Cloud.
-This deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**.
+This sample deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**.
 Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need updated with your selected storage location (see here for documentation). To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm).
 ## Contents
 * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
-* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure.
+* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. It is important to include the MSDO task in your ADO pipeline.
* Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.
+ *
+
From 3cf089d4ea409f52e36c12967bd6d533a8d2a66c Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 13:04:09 -0600
Subject: [PATCH 33/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
samples/IaCMapping/readme.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/samples/IaCMapping/readme.md b/samples/IaCMapping/readme.md
index 0da13940..17b380bc 100644
--- a/samples/IaCMapping/readme.md
+++ b/samples/IaCMapping/readme.md
@@ -4,12 +4,12 @@ This folder provides samples for using [Infrastructure as Code mapping](https://
 This sample deployment should only be performed in non-production subscriptions with **no other Terraform managed resources**.
-Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need updated with your selected storage location (see here for documentation). To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm).
+Note that we do not choose a backend location to store the state file in this demo. Terraform utilizes a state file to store information about the current state of your managed infrastructure and associated configuration. This file will need to be persisted between different runs of the workflow. The recommended approach is to store this file within an Azure Storage Account or other similar remote backend. Normally, this storage would be provisioned manually or via a separate workflow. The Terraform backend block will need to be updated with your selected storage location (see here for documentation). To learn how to incorporate this, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm).
 ## Contents
 * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. It is important to include the MSDO task in your ADO pipeline.
 * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.
- *
+
From 0b26c867403be7dfc3f5eec5958283f92b142d6a Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 13:19:02 -0600
Subject: [PATCH 34/35] Update readme.md
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
samples/IaCMapping/readme.md | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/samples/IaCMapping/readme.md b/samples/IaCMapping/readme.md
index 17b380bc..e5ccace4 100644
--- a/samples/IaCMapping/readme.md
+++ b/samples/IaCMapping/readme.md
@@ -8,8 +8,5 @@ Note that we do not choose a backend location to store the state file in this de
 ## Contents
 * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
-* [azure-pipeline.yml](azure-pipeline.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. It is important to include the MSDO task in your ADO pipeline.
+* [azure-pipelines.yml](azure-pipelines.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. It is important to include the MSDO task in your ADO pipeline.
 * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.
-
-
-
From c7131afbd6cbb7f7fb1a83e35936efd909ad0e80 Mon Sep 17 00:00:00 2001
From: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
Date: Fri, 15 Dec 2023 13:21:19 -0600
Subject: [PATCH 35/35] Update samples/IaCMapping/readme.md
Co-authored-by: Anais Miller
Signed-off-by: Lara Goldstein <97191407+laragoldstein13@users.noreply.github.com>
---
samples/IaCMapping/readme.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samples/IaCMapping/readme.md b/samples/IaCMapping/readme.md
index e5ccace4..51cd158d 100644
--- a/samples/IaCMapping/readme.md
+++ b/samples/IaCMapping/readme.md
@@ -9,4 +9,4 @@ Note that we do not choose a backend location to store the state file in this de
 ## Contents
 * [main.tf](main.tf) provisions an Azure Storage account through Terraform with a unique mapping_tag. To use this template, ensure you modify the locations, names, and unique GUID. To generate a GUID, use [this website](https://guidgenerator.com/).
 * [azure-pipelines.yml](azure-pipelines.yml) is a sample Azure DevOps pipeline that can be used to provision the Terraform code in main.tf as a resource within Azure. It is important to include the MSDO task in your ADO pipeline.
- * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/en-us/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.
+ * Requires [Azure Resource Manager service connection](https://learn.microsoft.com/troubleshoot/azure/devops/overview-of-azure-resource-manager-service-connections#create-an-azure-rm-service-connection) with permissions to an Azure subscription.