diff --git a/src/azure.go b/src/azure.go
index 76c473a4..860a90fa 100644
--- a/src/azure.go
+++ b/src/azure.go
@@ -72,6 +72,8 @@ func GetAZUREResourcePermissions(result ResourceV2) ([]string, error) {
 "azurerm_security_center_contact": azurermSecurityCenterContact,
 "azurerm_security_center_setting": azurermSecurityCenterSetting,
 "azurerm_security_center_workspace": azurermSecurityCenterWorkspace,
+ "azurerm_log_analytics_solution": azurermLogAnalyticsSolution,
+ "azurerm_role_assignment": azurermRoleAssignment,
 }
 var Permissions []string
diff --git a/src/files_azure.go b/src/files_azure.go
index 3edda084..f66e4ce9 100644
--- a/src/files_azure.go
+++ b/src/files_azure.go
@@ -126,3 +126,9 @@ var azurermSecurityCenterSetting []byte
 //go:embed mapping/azurerm/resource/security/azurerm_security_center_workspace.json
 var azurermSecurityCenterWorkspace []byte
+
+//go:embed mapping/azurerm/resource/operationsmanagement/azurerm_log_analytics_solution.json
+var azurermLogAnalyticsSolution []byte
+
+//go:embed mapping/azurerm/resource/authorization/azurerm_role_assignment.json
+var azurermRoleAssignment []byte
diff --git a/src/mapping/azurerm/resource/authorization/azurerm_role_assignment.json b/src/mapping/azurerm/resource/authorization/azurerm_role_assignment.json
new file mode 100644
index 00000000..01098ca9
--- /dev/null
+++ b/src/mapping/azurerm/resource/authorization/azurerm_role_assignment.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "Microsoft.Authorization/roleAssignments/read",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "Microsoft.Authorization/roleAssignments/delete"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/azurerm/resource/operationsmanagement/azurerm_log_analytics_solution.json b/src/mapping/azurerm/resource/operationsmanagement/azurerm_log_analytics_solution.json
new file mode 100644
index 00000000..128f73b5
--- /dev/null
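Review bot: The apply set for azurerm_role_assignment lists only `Microsoft.Authorization/roleAssignments/read|write|delete`, but the example in terraform/azurerm/backup/azurerm_role_assignment.tf selects the role by `role_definition_name = "Reader"`, which the provider resolves by listing role definitions at the scope and so also needs `Microsoft.Authorization/roleDefinitions/read`; worth verifying with a principal that holds nothing beyond this custom role, since a pre-existing Reader assignment on the test principal would mask the gap. If the mapping schema's `attributes` object can carry per-attribute permissions, that is the natural place for it (needed only when `role_definition_name` rather than `role_definition_id` is set); otherwise it belongs in `apply`. The same question applies to the azurerm_log_analytics_solution mapping in this commit, where the role definition change adds `Microsoft.Resources/subscriptions/providers/read` that neither new mapping file lists.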
+++ b/src/mapping/azurerm/resource/operationsmanagement/azurerm_log_analytics_solution.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "Microsoft.OperationsManagement/solutions/read",
+ "Microsoft.OperationsManagement/solutions/write",
+ "Microsoft.OperationsManagement/solutions/delete"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "Microsoft.OperationsManagement/solutions/delete"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/terraform/azurerm/backup/azurerm_log_analytics_solution.tf b/terraform/azurerm/backup/azurerm_log_analytics_solution.tf
new file mode 100644
index 00000000..4d206a1b
--- /dev/null
+++ b/terraform/azurerm/backup/azurerm_log_analytics_solution.tf
@@ -0,0 +1,12 @@
+resource "azurerm_log_analytics_solution" "pike" {
+ solution_name = "ContainerInsights"
+ location = "uksouth"
+ resource_group_name = "pike"
+ workspace_resource_id = "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/pike/providers/Microsoft.OperationalInsights/workspaces/pike"
+ workspace_name = "pike"
+
+ plan {
+ publisher = "Microsoft"
+ product = "OMSGallery/ContainerInsights"
+ }
+}
diff --git a/terraform/azurerm/backup/azurerm_role_assignment.tf b/terraform/azurerm/backup/azurerm_role_assignment.tf
new file mode 100644
index 00000000..308c21b7
--- /dev/null
+++ b/terraform/azurerm/backup/azurerm_role_assignment.tf
@@ -0,0 +1,11 @@
+data "azurerm_subscription" "primary" {
+}
+
+data "azurerm_client_config" "example" {
+}
+
+resource "azurerm_role_assignment" "example" {
+ scope = data.azurerm_subscription.primary.id
+ role_definition_name = "Reader"
+ principal_id = data.azurerm_client_config.example.object_id
+}
diff --git a/terraform/azurerm/role/azurerm_role_definition.tf b/terraform/azurerm/role/azurerm_role_definition.tf
index cdb89935..562e5cef 100644
--- a/terraform/azurerm/role/azurerm_role_definition.tf
+++ b/terraform/azurerm/role/azurerm_role_definition.tf
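Review bot: `workspace_resource_id` in azurerm_log_analytics_solution.tf embeds a literal subscription GUID, so the example only applies in the author's subscription and commits an environment identifier to the repository. Building the id from a variable keeps the example portable without adding a data source (and therefore no extra read permission mixed into the permission measurement): `workspace_resource_id = "/subscriptions/${var.subscription_id}/resourceGroups/pike/providers/Microsoft.OperationalInsights/workspaces/pike"` together with a `variable "subscription_id" {}` declaration in the same file. If a data source is acceptable here, `data "azurerm_log_analytics_workspace"` exposes the full `id` directly and also removes the duplicated resource-group and workspace names.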
@@ -5,16 +5,17 @@ resource "azurerm_role_definition" "example" {
 permissions {
 actions = [
- "Microsoft.Security/workspaceSettings/read",
- "Microsoft.Security/workspaceSettings/write",
- "Microsoft.Security/workspaceSettings/delete",
+ #analytics
+ "Microsoft.OperationsManagement/solutions/read",
+ "Microsoft.OperationsManagement/solutions/write",
+ "Microsoft.OperationsManagement/solutions/delete",
- "Microsoft.Security/securityContacts/read",
- "Microsoft.Security/securityContacts/write",
- "Microsoft.Security/securityContacts/delete",
+ "Microsoft.Resources/subscriptions/providers/read",
- "Microsoft.Security/settings/read",
- "Microsoft.Security/settings/write"
+ #role
+ "Microsoft.Authorization/roleAssignments/read",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete"
 ]
 not_actions = []
 }
diff --git a/todo_azure.md b/todo_azure.md
index 45838ab9..714ec6c2 100644
--- a/todo_azure.md
+++ b/todo_azure.md
@@ -35,10 +35,6 @@
 ./resource.ps1 azurerm_kusto_server
 azurerm_disk_encryption_set
 azurerm_kubernetes_cluster
-azurerm_log_analytics_solution
-./resource.ps1 azurerm_log_analytics_solution
-./resource.ps1 azurerm_role_assignment
-
 ./resource.ps1 azurerm_security_center_auto_provisioning
 ./resource.ps1 azurerm_security_center_automation
 ./resource.ps1 azurerm_security_center_subscription_pricing
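Review bot: `Microsoft.Authorization/roleAssignments/write` in a custom role lets whoever holds it grant any role at the definition's assignable scopes, so for access control this role is as powerful as Owner wherever it can be assigned; the `assignable_scopes` of this resource lie outside the hunk, and a comment on the action would make that visible to future readers, e.g. `# roleAssignments/write allows granting any role at assignable_scopes; keep those scopes minimal`. The hunk also replaces the Security Center actions instead of adding alongside them, so the existing security-center examples presumably can no longer be applied with this role; if the role is meant to be rotated per resource under test that is fine, otherwise both sets should stay. The `#analytics` and `#role` markers read better as `# analytics` and `# role`, matching terraform fmt style.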