-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
8 changed files
with
225 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| --- | ||
| name: Privileged Access Management | ||
| summary: | | ||
| Privileged Access Management (PAM) refers to the implementation of security measures and best practices to control and monitor access to critical resources within cloud platforms. For cloud foundation teams, it is about safeguarding administrative roles that enable access to core infrastructure, ensuring the security, compliance, and visibility needed to oversee application teams' cloud usage. | ||
| # optional: add additional metadata about implemented security controls | ||
| --- | ||
|
|
||
| # Privileged Access Management | ||
|
|
||
| This kit provides a Terraform configuration for setting up PAM in Azure. | ||
|
|
||
| <!-- BEGIN_TF_DOCS --> | ||
| ## Requirements | ||
|
|
||
| No requirements. | ||
|
|
||
| ## Modules | ||
|
|
||
| No modules. | ||
|
|
||
| ## Resources | ||
|
|
||
| | Name | Type | | ||
| |------|------| | ||
| | [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | | ||
| | [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | | ||
| | [azuread_group.security_auditors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | | ||
| | [azurerm_role_assignment.billing_admins](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| | [azurerm_role_assignment.billing_readers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| | [azurerm_role_assignment.security_auditors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | ||
| | [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source | | ||
| | [azuread_users.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/users) | data source | | ||
| | [azuread_users.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/users) | data source | | ||
| | [azuread_users.security_auditors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/users) | data source | | ||
| | [azurerm_management_group.root](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source | | ||
| | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Description | Type | Default | Required | | ||
| |------|-------------|------|---------|:--------:| | ||
| | <a name="input_billing_admin_members"></a> [billing\_admin\_members](#input\_billing\_admin\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage | <pre>list(object({<br> email = string,<br> upn = string,<br> }))</pre> | n/a | yes | | ||
| | <a name="input_billing_reader_members"></a> [billing\_reader\_members](#input\_billing\_reader\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage | <pre>list(object({<br> email = string,<br> upn = string,<br> }))</pre> | n/a | yes | | ||
| | <a name="input_security_auditor_members"></a> [security\_auditor\_members](#input\_security\_auditor\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage | <pre>list(object({<br> email = string,<br> upn = string,<br> }))</pre> | n/a | yes | | ||
|
|
||
| ## Outputs | ||
|
|
||
| | Name | Description | | ||
| |------|-------------| | ||
| | <a name="output_billing_admins_azuread_group_id"></a> [billing\_admins\_azuread\_group\_id](#output\_billing\_admins\_azuread\_group\_id) | n/a | | ||
| | <a name="output_billing_readers_azuread_group_id"></a> [billing\_readers\_azuread\_group\_id](#output\_billing\_readers\_azuread\_group\_id) | n/a | | ||
| | <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | n/a | | ||
| | <a name="output_security_auditors_azuread_group_id"></a> [security\_auditors\_azuread\_group\_id](#output\_security\_auditors\_azuread\_group\_id) | n/a | | ||
| <!-- END_TF_DOCS --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| output "documentation_md" { | ||
| value = <<EOF | ||
| # Privileged Access Management | ||
| The following groups are used for managing privileged access to the cloud foundation. | ||
| | Group | Membership managed via | Function | Object ID | | ||
| |--------------------------------|-------------------------------|-----------------------------------------| | ||
| | `${azuread_group.billing_admins.display_name}` | The collie PAM kit in the collie repository | Manage financial aspects of cloud usage and allocate costs to various teams or projects. | ${azuread_group.billing_admins.object_id} | | ||
| | `${azuread_group.billing_readers.display_name}` | The collie PAM kit in the collie repository | View financial aspects of cloud usage and allocate costs to various teams or projects. | ${azuread_group.billing_admins.object_id} | | ||
| | `${azuread_group.security_auditors.display_name}` | The collie PAM kit in the collie repository | Responsible for ensuring compliance and security across cloud resources. | ${azuread_group.security_auditors.object_id} | | ||
| The `${azuread_group.billing_admins.display_name}` group has the following members: | ||
| ${join("\n", formatlist("- %s", var.billing_admin_members[*].email))} | ||
| The `${azuread_group.billing_readers.display_name}` group has the following members: | ||
| ${join("\n", formatlist("- %s", var.billing_reader_members[*].email))} | ||
| The `${azuread_group.security_auditors.display_name}` group has the following members: | ||
| ${join("\n", formatlist("- %s", var.security_auditor_members[*].email))} | ||
| Group memberships to the other groups are managed outside of the module. This is more convenient for e.g. granting temporary access for trouble shooting or audit purposes. | ||
| EOF | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| output "billing_admins_azuread_group_id" { | ||
| value = azuread_group.billing_admins.id | ||
| } | ||
|
|
||
| output "billing_readers_azuread_group_id" { | ||
| value = azuread_group.billing_readers.id | ||
| } | ||
|
|
||
| output "security_auditors_azuread_group_id" { | ||
| value = azuread_group.security_auditors.id | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Set permissions for billing admins | ||
| resource "azurerm_role_assignment" "billing_admins" { | ||
| role_definition_name = "Cost Management Contributor" | ||
| principal_id = azuread_group.billing_admins.object_id | ||
| scope = data.azurerm_management_group.root.id | ||
| } | ||
|
|
||
| # Set permissions for billing reader | ||
| resource "azurerm_role_assignment" "billing_readers" { | ||
| role_definition_name = "Cost Management Reader" | ||
| principal_id = azuread_group.billing_readers.object_id | ||
| scope = data.azurerm_management_group.root.id | ||
| } | ||
|
|
||
| # Set permissions for security auditors | ||
| resource "azurerm_role_assignment" "security_auditors" { | ||
| role_definition_name = "Log Analytics Contributor" | ||
| principal_id = azuread_group.security_auditors.object_id | ||
| scope = data.azurerm_management_group.root.id | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| data "azuread_client_config" "current" {} | ||
|
|
||
| data "azurerm_subscription" "current" {} | ||
|
|
||
| data "azurerm_management_group" "root" { | ||
| name = data.azurerm_subscription.current.tenant_id | ||
| } | ||
|
|
||
| data "azuread_users" "billing_admins" { | ||
| user_principal_names = var.billing_admin_members[*].upn | ||
| } | ||
|
|
||
| data "azuread_users" "billing_readers" { | ||
| user_principal_names = var.billing_reader_members[*].upn | ||
| } | ||
|
|
||
| data "azuread_users" "security_auditors" { | ||
| user_principal_names = var.security_auditor_members[*].upn | ||
| } | ||
|
|
||
| resource "azuread_group" "billing_admins" { | ||
| display_name = "cloudfoundation-billing-admins" | ||
| owners = [data.azuread_client_config.current.object_id] | ||
| members = toset(data.azuread_users.billing_admins.object_ids) | ||
| security_enabled = true | ||
| } | ||
|
|
||
| resource "azuread_group" "billing_readers" { | ||
| display_name = "cloudfoundation-billing-readers" | ||
| owners = [data.azuread_client_config.current.object_id] | ||
| members = toset(data.azuread_users.billing_readers.object_ids) | ||
| security_enabled = true | ||
| } | ||
|
|
||
| resource "azuread_group" "security_auditors" { | ||
| display_name = "cloudfoundation-security-auditors" | ||
| owners = [data.azuread_client_config.current.object_id] | ||
| members = toset(data.azuread_users.security_auditors.object_ids) | ||
| security_enabled = true | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| include "platform" { | ||
| path = find_in_parent_folders("platform.hcl") | ||
| expose = true | ||
| } | ||
|
|
||
| dependency "bootstrap" { | ||
| config_path = "${path_relative_from_include()}/bootstrap" | ||
| } | ||
|
|
||
| terraform { | ||
| source = "${get_repo_root()}//kit/azure/pam" | ||
| } | ||
|
|
||
| generate "provider" { | ||
| path = "provider.tf" | ||
| if_exists = "overwrite" | ||
| contents = <<EOF | ||
| provider "azurerm" { | ||
| features {} | ||
| skip_provider_registration = true | ||
| tenant_id = "${include.platform.locals.platform.azure.aadTenantId}" | ||
| subscription_id = "${include.platform.locals.platform.azure.subscriptionId}" | ||
| client_id = "${dependency.bootstrap.outputs.client_id}" | ||
| client_secret = "${dependency.bootstrap.outputs.client_secret}" | ||
| } | ||
| EOF | ||
| } | ||
|
|
||
| inputs = { | ||
| billing_admin_members = [ | ||
| { | ||
| email = "financemeshi@meshithesheep.io" #TODO change, enter BILLING ADMIN MAIL here | ||
| upn = "financemeshi@meshithesheep.onmicrosoft.com" | ||
| } | ||
| ] | ||
| billing_reader_members = [ | ||
| { | ||
| email = "financemeshi@meshithesheep.io" #TODO change, enter BILLING READER MAIL here | ||
| upn = "financemeshi@meshithesheep.onmicrosoft.com" | ||
| } | ||
| ] | ||
| security_auditor_members = [ | ||
| { | ||
| email = "securitymeshi@meshithesheep.io" #TODO change, enter Security AUDITOR MAIL here | ||
| upn = "securitymeshi@meshithesheep.onmicrosoft.com" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| variable "billing_admin_members" { | ||
| description = "Set up a group of platform engineers. If enabled, this group will receive access to terraform_state_storage" | ||
| type = list(object({ | ||
| email = string, | ||
| upn = string, | ||
| })) | ||
| } | ||
|
|
||
| variable "billing_reader_members" { | ||
| description = "Set up a group of platform engineers. If enabled, this group will receive access to terraform_state_storage" | ||
| type = list(object({ | ||
| email = string, | ||
| upn = string, | ||
| })) | ||
| } | ||
|
|
||
| variable "security_auditor_members" { | ||
| description = "Set up a group of platform engineers. If enabled, this group will receive access to terraform_state_storage" | ||
| type = list(object({ | ||
| email = string, | ||
| upn = string, | ||
| })) | ||
| } |