wayfair-incubator / terraform-azure-policy-alerts

This repository deploys an alerting workflow via Terraform that performs an on-demand Azure Policy compliance scan using a Logic App in Azure

Azure Policy

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.

Use-case for Policy Alerts

The compliance results generated by the assigned policies or initiatives can be viewed in the Azure portal under Policy > Compliance. However, there is currently no direct alerting mechanism built into Azure Policy. This project helps with the following objectives:

  1. Deploy the infrastructure required for this setup using Terraform
  2. Schedule an on-demand scan (every hour) to get the latest non-compliance results
  3. Report non-compliant resources via email notifications to team members in order to improve remediation time

Getting Started

Here are a few learning resources to get started with:

  1. Azure Policy Overview
  2. Azure Resource Manager
  3. Azure Terraform
  4. Terraform Workflow

Prerequisites

  1. Install Terraform
  2. Install Atom
  3. Install Azure CLI
  4. Install OpenSSL
  5. Microsoft Azure account
  6. Roles & permissions in Azure: These are some Azure built-in roles that may be required, if you are not an Owner for a given subscription:

Azure Policy Alerts Workflow

The workflow is as follows:

(Figure: Policy Architecture diagram)

  1. The Terraform code deploys all the required resources. However, you will have to manually authorize the automation account connectors in the Logic App (more information under Post-deployment Steps)
  2. The Logic App is the backbone of this entire framework
  3. The Logic App triggers the automation account to run the PowerShell runbook once every hour, which performs an on-demand policy scan. This script looks for resources that are non-compliant with the assigned Azure policies whose effect is "deny". If you need all non-compliant resources irrespective of the effect, change the command filter accordingly
  4. This non-compliant resource information is sent to the Log Analytics workspace as custom logs
  5. The scheduled query runs every hour, gets the latest non-compliant resource information from the logs and sends an email with the resource information to the notifiers
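The runbook described in steps 3 and 4 can be sketched as follows. This is an added example written for this page, not the repository's own runbook: it authenticates with the Automation Run As connection (assumed to be named AzureRunAsConnection and backed by the certificate generated in the pre-deployment steps), triggers an on-demand scan, filters the policy state records to non-compliant resources under "deny" policies, and ships them to a Log Analytics custom log through the HTTP Data Collector API. The parameter names, the `PolicyNonCompliance` log type and the `New-DataCollectorSignature` helper are assumptions for illustration; the Az.Accounts and Az.PolicyInsights modules must be imported into the Automation account.

```powershell
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # Log Analytics workspace ID (Agents management blade)
    [Parameter(Mandatory)] [string] $WorkspaceKey,  # workspace primary key (base64)
    [string] $LogType      = 'PolicyNonCompliance', # placeholder custom log name; Azure stores it as <name>_CL
    [string] $PolicyAction = 'deny'                 # set to '' to report every non-compliant resource, regardless of effect
)

# 1. Authenticate with the Run As service principal (assumed connection name).
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzAccount -ServicePrincipal -Tenant $conn.TenantId `
    -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# 2. Trigger an on-demand evaluation so the policy state records are current.
Start-AzPolicyComplianceScan | Out-Null

# 3. Pull the latest policy state, filtered server-side with OData.
#    Dropping the PolicyDefinitionAction clause is the "all effects" variant mentioned above.
$filter = "ComplianceState eq 'NonCompliant'"
if ($PolicyAction) { $filter += " and PolicyDefinitionAction eq '$PolicyAction'" }
$states = Get-AzPolicyState -Filter $filter

# 4. Keep only the fields the alert query and the email need.
$records = @($states | ForEach-Object {
    [pscustomobject]@{
        Timestamp              = $_.Timestamp.ToUniversalTime().ToString('o')
        ResourceId             = $_.ResourceId
        ResourceType           = $_.ResourceType
        ResourceGroup          = $_.ResourceGroup
        SubscriptionId         = $_.SubscriptionId
        PolicyDefinitionName   = $_.PolicyDefinitionName
        PolicyAssignmentName   = $_.PolicyAssignmentName
        PolicyDefinitionAction = $_.PolicyDefinitionAction
    }
})

if ($records.Count -eq 0) {
    Write-Output 'No non-compliant resources found; nothing sent.'
    return
}

# 5. Data Collector API authorization: HMAC-SHA256 over the canonical request
#    string, keyed with the base64-decoded workspace key (helper name is ours).
function New-DataCollectorSignature {
    param([string] $WorkspaceId, [string] $WorkspaceKey, [string] $Date, [int] $ContentLength)
    $stringToSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n/api/logs"
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($WorkspaceKey))
    $hash = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($stringToSign))
    return "SharedKey ${WorkspaceId}:" + [Convert]::ToBase64String($hash)
}

$body      = ConvertTo-Json -InputObject $records -Depth 5   # always a JSON array, even for one record
$bodyBytes = [System.Text.Encoding]::UTF8.GetBytes($body)
$date      = [DateTime]::UtcNow.ToString('r')                 # RFC 1123, as the API requires

$headers = @{
    'Authorization'        = New-DataCollectorSignature -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey `
                                                        -Date $date -ContentLength $bodyBytes.Length
    'Log-Type'             = $LogType
    'x-ms-date'            = $date
    'time-generated-field' = 'Timestamp'   # use the policy evaluation time as TimeGenerated
}
$uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"

$response = Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' `
    -Headers $headers -Body $bodyBytes -UseBasicParsing
Write-Output "Sent $($records.Count) record(s) to ${LogType}_CL; HTTP $($response.StatusCode)"
```

The signed string must use the exact byte length of the body that is sent, which is why the body is encoded to bytes once and the same array is passed to Invoke-WebRequest. Records become visible in the workspace only after the ingestion delay, which matches the note under Post-deployment Steps that custom logs do not appear until the schedule has run a couple of times.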

Pre-deployment Steps

Clone this repository (or download and unzip it) and open it in Atom (or any source code editor of your choice).

After you have opened the folder, add the values of your environment in the following placeholders:

  1. In variables.tf add the email address of the team members to be added to the notifications group (line 7)
  2. In variables.tf add tenant id, client id and subscription id (line 23-24, 30-31 and 38-39)
  3. (Optional) In variables.tf, you can change the app_id (line 12)
  4. (Optional) In deploy.tf, you can change the query values for the alert rule (line 162-167)
  5. Under the folder template:
    5.1 In azureautomation.json, add the subscription id in the placeholder marked "subscription-id-here"
    5.2 In azureloganalytics.json, add the subscription id in the placeholder marked "subscription-id-here"
    5.3 In template.json, add the subscription id in the placeholders marked "subscription-id-here" (line 10, 15, 96, 118, 133 and 139)
  6. Add OpenSSL to the PATH environment variable and use the following to generate a self-signed certificate and bundle it as a PFX:
    openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
    openssl pkcs12 -export -keypbe NONE -certpbe NONE -inkey privateKey.key -in certificate.crt -out certificate.pfx
    Note that -keypbe NONE -certpbe NONE produces an unencrypted PFX containing the private key, so keep privateKey.key and certificate.pfx out of version control.
  7. Add the generated certificate files under the alert-scripts folder

Deployment

  1. Add the Azure CLI and Terraform paths to the environment variables

  2. Authenticate to Azure from the command prompt using the az login command:
    az login

  3. Open a command prompt (with elevated privileges) and change directory to the azurepolicyalerts\alerts-script folder

  4. Type terraform init

  5. Once Terraform is initialized, type terraform plan

  6. After the plan is created, type terraform apply. It should take between 3-5 minutes to create all of the resources

  7. Go to the portal and check for all the resources under rg-us-policy-resource-group

  8. Team members will also receive an email notification as shown below
    (Figure: Email_notification)

Post-deployment Steps

After the Terraform deployment is complete, follow the steps below:

  1. Select the API connectors from the resource group and "Authorize" them using your Azure account – this allows the API to perform the underlying actions on your behalf
  2. Next, go to the Logic App and select Logic app designer under Development Tools
    (Figure: design)
  3. Expand the Connections part and select the azureautomation radio button. This should auto-fill all the parameters. You can also authorize this using your Azure account
    (Figure: la_connectors)
  4. Expand the Condition action and then the True branch. Add the Log Analytics workspace ID and primary key here so the Data Collector API action can send logs
    (Figure: data_collector)
  5. You can find these values under Log Analytics Workspace > Advanced Settings (under Settings) > Connected Sources > Agents Management

Note: You will not be able to see any custom logs until the logic app runs its schedule a couple of times.

Contributing

Please read CODE_OF_CONDUCT.md for details about our code of conduct, and the process for submitting pull requests to us.

Versions

  • Current version is 1.0

Please read version.md for details on versions.

Authors

  • Rachana Kamat - Initial work

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the LICENSE.md file for details.

Acknowledgments

The concept for the workflow has been referenced from the following blogs:

Special thanks to my mentors - Mike Virginio & Chris O'Connor – Security, Wayfair
