update docs to support azure aks cluster and azure virtual machine (#2317)

(cherry picked from commit 4eda5d6)
gnmahanth authored and ramanan-ravi committed Sep 24, 2024
1 parent 1c596d1 commit babe137
Showing 1 changed file with 204 additions and 1 deletion.
205 changes: 204 additions & 1 deletion docs/docs/cloudscanner/azure.md
Expand Up @@ -97,4 +97,207 @@ For full information, refer to [Operations: Compliance Scanning](/docs/operation

:::tip Maximizing Coverage
For maximum coverage, you can use both Cloud Scanner and local Sensor Agent compliance scans together. You could scan your Azure infrastructure using Cloud Scanner, and [scan selected VMs deployed within Azure](other) using the Sensor Agent.
:::
:::

## Cloud Scanner on AKS cluster

:::info

**Pre-requisite:**
1. AKS cluster is created and you have access to the cluster
2. azure cli is configured and is able to access the required project where cloud scanner will be deployed

:::

Cloud Scanner is deployed as a pod within your AKS cluster

You need to configure Terraform with the appropriate resources and inputs for your particular scenario, and you will need to provide the IP address or DNS name for the ThreatMapper management console and an API key.

Copy and paste the following (single project or multiple projects) into a new file cloud-scanner.tf. Edit the fields: region, mgmt-console-url and deepfence-key.

### Single Subscription Cloud Scanner on AKS Cluster

```terraform
provider "azurerm" {
subscription_id = "<SUBSCRIPTION_ID eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>"
features {}
}
data "azurerm_subscription" "current" {}
data "azurerm_kubernetes_cluster" "default" {
name = "< AKS CLUSTER NAME >"
resource_group_name = "<AKS CLUSTER RESOURCE GROUP>"
}
module "cloud-scanner" {
source = "deepfence/cloud-scanner/azure//examples/aks"
version = "0.7.0"
name = "<name of the app>"
mgmt-console-url = "<Console URL> eg. XXX.XXX.XX.XXX"
deepfence-key = "<DEEPFENCE API KEY>"
# ThreatMapper
cloud_scanner_image = "quay.io/deepfenceio/cloud_scanner_ce"
# ThreatStryker
# cloud_scanner_image = "quay.io/deepfenceio/cloud_scanner"
location = "< LOCATION >"
subscription_id = data.azurerm_subscription.current.subscription_id
aks_host = data.azurerm_kubernetes_cluster.default.kube_config.0.host
aks_client_key = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_key)
aks_client_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
aks_cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
}
```

### Multiple Subscription Cloud Scanner on AKS cluster

```terraform
provider "azurerm" {
subscription_id = "<SUBSCRIPTION_ID eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>"
features {}
}
data "azurerm_subscription" "current" {}
data "azurerm_kubernetes_cluster" "default" {
name = "< AKS CLUSTER NAME >"
resource_group_name = "<AKS CLUSTER RESOURCE GROUP>"
}
module "test" {
source = "deepfence/cloud-scanner/azure//examples/aks"
version = "0.7.0"
name = "<name of the app>"
mgmt-console-url = "<Console URL> eg. XXX.XXX.XX.XXX"
deepfence-key = "<DEEPFENCE API KEY>"
# ThreatMapper
cloud_scanner_image = "quay.io/deepfenceio/cloud_scanner_ce"
# ThreatStryker
# cloud_scanner_image = "quay.io/deepfenceio/cloud_scanner"
location = "< LOCATION >"
subscription_id = data.azurerm_subscription.current.subscription_id
aks_host = data.azurerm_kubernetes_cluster.default.kube_config.0.host
aks_client_key = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_key)
aks_client_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
aks_cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
isOrganizationDeployment = true
deployedAccountID = data.azurerm_subscription.current.subscription_id
subscription_ids_access = [ <list of tenants subscription id's> ]
}
```

## Cloud Scanner on Azure virtual machine

:::info

**Pre-requisite:**
1. Install docker and docker compose on the gcp compute instance([refer docker documentation for installation instructions](https://docs.docker.com/engine/install/))
2. If a existing gcp compute instance instance is used, check if docker and docker compose plugins are installed on the gcp compute instance.
3. azure cli is configured and is able to access the required project where cloud scanner will be deployed

:::

1. Copy and paste the following (single tenant or multiple tenant) into a new file cloud-scanner.tf. Edit the fields: SUBSCRIPTION_ID and subscription_ids_access if required.

- Single Subscription Cloud Scanner on Azure virtual machine

```terraform
provider "azurerm" {
subscription_id = "<SUBSCRIPTION_ID>"
features {}
}
data "azurerm_subscription" "current" {}
module "infrastructure_cloud-scanner-app" {
source = "deepfence/cloud-scanner/azure//modules/infrastructure/cloud-scanner-app"
version = "0.7.0"
name = "deepfence-cloud-scanner"
subscription_ids_access = [data.azurerm_subscription.current.subscription_id]
}
output "tenant_id" {
value = module.infrastructure_cloud-scanner-app.tenant_id
}
output "client_id" {
value = module.infrastructure_cloud-scanner-app.client_id
}
output "client_secret" {
value = module.infrastructure_cloud-scanner-app.client_secret
sensitive = true
}
```
- Multiple Subscription Cloud Scanner on Azure virtual machine
```terraform
provider "azurerm" {
subscription_id = "<SUBSCRIPTION_ID>"
features {}
}
data "azurerm_subscription" "current" {}
module "infrastructure_cloud-scanner-app" {
source = "deepfence/cloud-scanner/azure//modules/infrastructure/cloud-scanner-app"
version = "0.7.0"
name = "deepfence-cloud-scanner"
subscription_ids_access = [list of tenant subscriptions ids]
}
output "tenant_id" {
value = module.infrastructure_cloud-scanner-app.tenant_id
}
output "client_id" {
value = module.infrastructure_cloud-scanner-app.client_id
}
output "client_secret" {
value = module.infrastructure_cloud-scanner-app.client_secret
sensitive = true
}
```
2. Apply the terraform script and note the output `tenant_id`, `client_id` and `client_secret`
4. Create a directory **deepfence-cloud-scanner** and download docker-compose.yaml from the url
```
https://raw.githubusercontent.com/deepfence/cloud-scanner/main/docker-compose.yaml
```
```bash
mkdir deepfence-cloud-scanner && cd deepfence-cloud-scanner
wget https://raw.githubusercontent.com/deepfence/cloud-scanner/main/docker-compose.yaml
```
5. Update the environment vars account details and console details in the docker-compose.yaml, if deploying for multi tenants cloud scanner set `ORGANIZATION_DEPLOYMENT: true`
```
environment:
MGMT_CONSOLE_URL: "<Console URL>"
MGMT_CONSOLE_PORT: <Console PORT>
DEEPFENCE_KEY: "<DEEPFENCE KEY>"
CLOUD_PROVIDER: "azure"
CLOUD_REGION: "<LOCATION>"
CLOUD_ACCOUNT_ID: "<SUBSCRIPTION_ID>"
DEPLOYED_ACCOUNT_ID: "<SUBSCRIPTION_ID>"
CLOUD_ACCOUNT_NAME: ""
ORGANIZATION_DEPLOYMENT: false
CLOUD_ORGANIZATION_ID: "<tenant_id>"
ROLE_NAME: ""
CLOUD_AUDIT_LOG_IDS: ""
HTTP_SERVER_REQUIRED: "false"
SUCCESS_SIGNAL_URL: ""
DF_LOG_LEVEL: info
SCAN_INACTIVE_THRESHOLD: "21600"
CLOUD_SCANNER_POLICY: ""
AZURE_TENANT_ID: "<tenant_id>"
AZURE_REGION: <LOCATION>
AZURE_CLIENT_ID: "<client_id>"
AZURE_CLIENT_SECRET: "<client_secret>"
AZURE_SUBSCRIPTION_ID: "SUBSCRIPTION_ID"
```
6. Start the cloud scanner using docker compose
```
docker compose up -d
```
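Review bot: The Azure virtual machine pre-requisites still talk about a "gcp compute instance" (twice in item 1 and twice in item 2 of the `:::info` block under "Cloud Scanner on Azure virtual machine"), and both pre-requisite blocks say "required project", which is GCP wording; these should read "Azure virtual machine" and "required subscription", otherwise readers of an Azure page are pointed at the wrong cloud. A few smaller things in the same hunk: the `:::tip Maximizing Coverage` admonition is now closed twice (`:::` on two consecutive lines), which will render a stray `:::` in Docusaurus; the step list in the VM section is numbered 1, 2, 4, 5, 6, so either add the missing step 3 or renumber; the AKS intro says "Edit the fields: region, mgmt-console-url and deepfence-key" but the HCL has `location`, not `region`, and the reader also has to fill in `subscription_id`, the AKS cluster name and resource group; the multi-subscription AKS block names the module `"test"` where the single-subscription one uses `"cloud-scanner"`; and in the compose environment the last placeholder is `AZURE_SUBSCRIPTION_ID: "SUBSCRIPTION_ID"` without the angle brackets every other placeholder uses, so it is easy to leave the literal string in place. On the credential handling: step 2 says to "note the output ... `client_secret`", but that output is declared `sensitive = true`, so `terraform output` will print it redacted; tell readers to use `terraform output -raw client_secret`, and since the secret is still written in plaintext to the Terraform state and then copied into `docker-compose.yaml` next to `DEEPFENCE_KEY`, a sentence asking them to restrict access to the state backend and to the compose file (or to move the secrets into an `.env` file with tight permissions) would be worth adding here.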
