From 80e7f42b376f66c8da0cb5fb8f8fcd334586caae Mon Sep 17 00:00:00 2001
From: Ava Silver
Date: Mon, 20 Nov 2023 18:12:43 -0500
Subject: [PATCH] [AZURE] Update ARM templates to include resource collection (#711)

Adds Resource Collection Toggle and Makes CSM dependent on Resource collection (ie will be false unless resource collection is enabled). Also cleaned some things up to match with the schema.
---
 .../CreateUIDefinition-managementgroups.json | 49 ++++++++++++---
 .../azure-integration/CreateUIDefinition.json | 49 ++++++++++++---
 .../azuredeploy-managementgroups.json | 63 ++++++++++++-------
 .../azure-integration/azuredeploy.json | 15 ++++-
 4 files changed, 131 insertions(+), 45 deletions(-)
diff --git a/azure/deploy-to-azure/azure-integration/CreateUIDefinition-managementgroups.json b/azure/deploy-to-azure/azure-integration/CreateUIDefinition-managementgroups.json
index 0e06d6fb9..f440205a5 100644
--- a/azure/deploy-to-azure/azure-integration/CreateUIDefinition-managementgroups.json
+++ b/azure/deploy-to-azure/azure-integration/CreateUIDefinition-managementgroups.json
@@ -73,7 +73,6 @@
 "steps": [
 {
 "name": "servicePrincipal",
- "type": "Microsoft.Common.Section",
 "label": "Service Principal",
 "elements": [
 {
@@ -121,7 +120,6 @@
 },
 {
 "name": "datadogConfig",
- "type": "Microsoft.Common.Section",
 "label": "Datadog Configuration",
 "elements": [
 {
@@ -272,12 +270,6 @@
 "toolTip": "Whether or not to use automute for hosts",
 "defaultValue": "true"
 },
- {
- "name": "cspm_enabled",
- "type": "Microsoft.Common.CheckBox",
- "label": "Cloud Security Management",
- "toolTip": "When enabled, Datadog performs configuration checks across your Azure environment by continuously scanning every resource. Use Datadog's executive reporting summaries to track conformance to industry benchmark criteria."
- },
 {
 "name": "custom_metrics_enabled",
 "type": "Microsoft.Common.CheckBox",
@@ -286,6 +278,42 @@
 }
 ],
 "visible": true
+ },
+ {
+ "name": "resourceCollection",
+ "type": "Microsoft.Common.Section",
+ "label": "Resource Collection",
+ "elements": [
+ {
+ "name": "resource_collection_info",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Collect configuration information about the resources monitored with this App Registration."
+ }
+ },
+ {
+ "name": "resource_collection_enabled",
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Enable Resource Collection",
+ "toolTip": "When enabled, Datadog collects metadata and configuration info from cloud resources (compute instances, databases, load balancers, etc.) in your Azure environment."
+ },
+ {
+ "name": "cspm_enabled",
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Enable Cloud Security Management:",
+ "toolTip": "When enabled, Datadog's Cloud Security Management product will scan resource configurations for resources monitored by this app registration. Note: This requires Resource Collection to be enabled.",
+ "visible": "[steps('datadogConfig').resourceCollection.resource_collection_enabled]"
+ },
+ {
+ "name": "cspm_placeholder",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[not(steps('datadogConfig').resourceCollection.resource_collection_enabled)]",
+ "options": {
+ "text": "Enable Cloud Security Management: Requires Resource Collection"
+ }
+ }
+ ],
+ "visible": true
 }
 ]
 }
@@ -304,8 +332,9 @@
 "appServicePlanFilters": "[steps('datadogConfig').metrics.appServicePlanFilters]",
 "containerAppFilters": "[steps('datadogConfig').metrics.containerAppFilters]",
 "automute": "[steps('datadogConfig').metrics.automute]",
- "cspm_enabled": "[steps('datadogConfig').metrics.cspm_enabled]",
- "custom_metrics_enabled": "[steps('datadogConfig').metrics.custom_metrics_enabled]"
+ "custom_metrics_enabled": "[steps('datadogConfig').metrics.custom_metrics_enabled]",
+ "resource_collection_enabled": "[steps('datadogConfig').resourceCollection.resource_collection_enabled]",
+ "cspm_enabled": "[and(steps('datadogConfig').resourceCollection.cspm_enabled, steps('datadogConfig').resourceCollection.resource_collection_enabled)]"
 }
 }
 }
diff --git a/azure/deploy-to-azure/azure-integration/CreateUIDefinition.json b/azure/deploy-to-azure/azure-integration/CreateUIDefinition.json
index d386d7209..93b01acdc 100644
--- a/azure/deploy-to-azure/azure-integration/CreateUIDefinition.json
+++ b/azure/deploy-to-azure/azure-integration/CreateUIDefinition.json
@@ -33,7 +33,6 @@
 "steps": [
 {
 "name": "servicePrincipal",
- "type": "Microsoft.Common.Section",
 "label": "Service Principal",
 "elements": [
 {
@@ -81,7 +80,6 @@
 },
 {
 "name": "datadogConfig",
- "type": "Microsoft.Common.Section",
 "label": "Datadog Configuration",
 "elements": [
 {
@@ -248,12 +246,6 @@
 "toolTip": "Whether or not to use automute for hosts",
 "defaultValue": "true"
 },
- {
- "name": "cspm_enabled",
- "type": "Microsoft.Common.CheckBox",
- "label": "Cloud Security Management",
- "toolTip": "When enabled, Datadog performs configuration checks across your Azure environment by continuously scanning every resource. Use Datadog's executive reporting summaries to track conformance to industry benchmark criteria."
- },
 {
 "name": "custom_metrics_enabled",
 "type": "Microsoft.Common.CheckBox",
@@ -262,6 +254,42 @@
 }
 ],
 "visible": true
+ },
+ {
+ "name": "resourceCollection",
+ "type": "Microsoft.Common.Section",
+ "label": "Resource Collection",
+ "elements": [
+ {
+ "name": "resource_collection_info",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Collect configuration information about the resources monitored with this App Registration."
+ }
+ },
+ {
+ "name": "resource_collection_enabled",
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Enable Resource Collection",
+ "toolTip": "When enabled, Datadog collects metadata and configuration info from cloud resources (compute instances, databases, load balancers, etc.) in your Azure environment."
+ },
+ {
+ "name": "cspm_enabled",
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Enable Cloud Security Management:",
+ "toolTip": "When enabled, Datadog's Cloud Security Management product will scan resource configurations for resources monitored by this app registration. Note: This requires Resource Collection to be enabled.",
+ "visible": "[steps('datadogConfig').resourceCollection.resource_collection_enabled]"
+ },
+ {
+ "name": "cspm_placeholder",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[not(steps('datadogConfig').resourceCollection.resource_collection_enabled)]",
+ "options": {
+ "text": "Enable Cloud Security Management: Requires Resource Collection"
+ }
+ }
+ ],
+ "visible": true
 }
 ]
 }
@@ -279,8 +307,9 @@
 "appServicePlanFilters": "[steps('datadogConfig').integrationConfig.appServicePlanFilters]",
 "containerAppFilters": "[steps('datadogConfig').integrationConfig.containerAppFilters]",
 "automute": "[steps('datadogConfig').integrationConfig.automute]",
- "cspm_enabled": "[steps('datadogConfig').integrationConfig.cspm_enabled]",
- "custom_metrics_enabled": "[steps('datadogConfig').integrationConfig.custom_metrics_enabled]"
+ "custom_metrics_enabled": "[steps('datadogConfig').integrationConfig.custom_metrics_enabled]",
+ "resource_collection_enabled": "[steps('datadogConfig').resourceCollection.resource_collection_enabled]",
+ "cspm_enabled": "[and(steps('datadogConfig').resourceCollection.cspm_enabled, steps('datadogConfig').resourceCollection.resource_collection_enabled)]"
 }
 }
 }
diff --git a/azure/deploy-to-azure/azure-integration/azuredeploy-managementgroups.json b/azure/deploy-to-azure/azure-integration/azuredeploy-managementgroups.json
index e23fdd6e0..07fadceb5 100644
--- a/azure/deploy-to-azure/azure-integration/azuredeploy-managementgroups.json
+++ b/azure/deploy-to-azure/azure-integration/azuredeploy-managementgroups.json
@@ -4,86 +4,93 @@
 "parameters": {
 "location": {
 "defaultValue": "westus2",
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Resources location"
 }
 },
 "servicePrincipalClientId": {
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Service principal Client Id"
 }
 },
 "servicePrincipalObjectId": {
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Service principal object Id, needed for Role Assignment"
 }
 },
 "servicePrincipalClientSecret": {
- "type": "SecureString",
+ "type": "securestring",
 "metadata": {
 "description": "Service principal client secret"
 }
 },
 "subscriptionID": {
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Subscription Id"
 }
 },
 "resourcegroup": {
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "resource group"
 }
 },
 "datadogApplicationKey": {
- "type": "SecureString",
+ "type": "securestring",
 "metadata": {
 "description": "Your Datadog Application key"
 }
 },
 "datadogApiKey": {
- "type": "SecureString",
+ "type": "securestring",
 "metadata": {
 "description": "Your Datadog API key"
 }
 },
 "hostFilters": {
 "defaultValue": "",
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Filter to include/exclude hosts"
 }
 },
 "appServicePlanFilters": {
 "defaultValue": "",
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Filter to include/exclude app service plans"
 }
 },
 "containerAppFilters": {
 "defaultValue": "",
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Filter to include/exclude container apps"
 }
 },
 "automute": {
 "defaultValue": true,
- "type": "Bool",
+ "type": "bool",
 "metadata": {
 "description": "Whether or not to use automute for hosts"
 }
 },
+ "resource_collection_enabled": {
+ "defaultValue": true,
+ "type": "bool",
+ "metadata": {
+ "description": "Collect resources for various Datadog products"
+ }
+ },
 "cspm_enabled": {
 "defaultValue": true,
- "type": "Bool",
+ "type": "bool",
 "metadata": {
- "description": "Collect resources for Cloud Security Management"
+ "description": "Enable the Cloud Security Management product"
 }
 },
 "custom_metrics_enabled": {
@@ -95,21 +102,21 @@
 },
 "datadogSite": {
 "defaultValue": "datadoghq.com",
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "The datadog site, e.g. eu1.datadoghq.com"
 }
 },
 "newguid": {
 "defaultValue": "[newGuid()]",
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Just a Guid to append to deployment script name"
 }
 },
 "managementGroupName": {
 "defaultValue": "[managementGroup().name]",
- "type": "String",
+ "type": "string",
 "metadata": {
 "description": "Management group Id, to assign a role assignment to"
 }
@@ -167,6 +174,9 @@
 "automute": {
 "value": "[parameters('automute')]"
 },
+ "resource_collection_enabled": {
+ "value": "[parameters('resource_collection_enabled')]"
+ },
 "cspm_enabled": {
 "value": "[parameters('cspm_enabled')]"
 },
@@ -208,15 +218,18 @@
 "hostFilters": {
 "type": "string"
 },
- "appServicePlanFilters":{
+ "appServicePlanFilters": {
 "type": "string"
 },
- "containerAppFilters":{
+ "containerAppFilters": {
 "type": "string"
 },
 "automute": {
 "type": "bool"
 },
+ "resource_collection_enabled": {
+ "type": "bool"
+ },
 "cspm_enabled": {
 "type": "bool"
 },
@@ -266,6 +279,10 @@
 "name": "automute",
 "value": "[parameters('automute')]"
 },
+ {
+ "name": "resource_collection_enabled",
+ "value": "[parameters('resource_collection_enabled')]"
+ },
 {
 "name": "cspm_enabled",
 "value": "[parameters('cspm_enabled')]"
@@ -283,12 +300,12 @@
 "value": "[subscription().tenantId]"
 },
 {
- "name":"source",
+ "name": "source",
 "value": "arm_template_mgmt_group"
 },
 {
- "name":"managementGroupId",
- "value":"[parameters('managementGroupName')]"
+ "name": "managementGroupId",
+ "value": "[parameters('managementGroupName')]"
 }
 ],
 "retentionInterval": "PT1H",
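Review bot: The rule that Cloud Security Management requires resource collection is enforced only in the CreateUIDefinition outputs (`and(...)`), not in this template: the new `resource_collection_enabled` parameter and the existing `cspm_enabled` parameter are independent, both default to `true`, and the environment-variable hunk forwards each one unchanged. A deployment that bypasses the portal form (CLI or pipeline) can therefore submit `resource_collection_enabled=false` with `cspm_enabled=true`; how the API treats that pair is not visible here. Consider combining them where the value is handed to the script, e.g. `"value": "[and(parameters('cspm_enabled'), parameters('resource_collection_enabled'))]"` for the `cspm_enabled` environment variable. It is also worth deciding whether `"defaultValue": true` is intended, since the UI checkboxes carry no default and so appear to be opt-in, while a direct template deployment collects resource configuration unless the caller opts out. The same applies to the parameter and environment-variable hunks of azuredeploy.json.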
@@ -296,7 +313,7 @@
 "containerSettings": {},
 "cleanupPreference": "Always",
 "azPowerShellVersion": "8.1",
- "scriptContent": "Invoke-WebRequest -SkipCertificateCheck -ContentType \"application/json\" -Method Post -Uri \"https://api.$Env:datadogSite/api/v1/integration/azure\" -Headers @{\"Accept\"=\"application/json\"; \"DD-APPLICATION-KEY\"=$Env:datadogApplicationKey; \"DD-API-KEY\"=$Env:datadogApiKey} -Body (@{\"automute\"=[bool]::Parse($Env:automute); \"cspm_enabled\"=[bool]::Parse($Env:cspm_enabled); \"custom_metrics_enabled\"=[bool]::Parse($Env:custom_metrics_enabled); \"client_id\"=$Env:clientId; \"client_secret\"=$Env:clientSecret; \"tenant_name\"=$Env:tenantName; \"source\"=$Env:source; \"management_group_id\"=$Env:managementGroupId} | ConvertTo-Json )"
+ "scriptContent": "Invoke-WebRequest -SkipCertificateCheck -ContentType \"application/json\" -Method Post -Uri \"https://api.$Env:datadogSite/api/v1/integration/azure\" -Headers @{\"Accept\"=\"application/json\"; \"DD-APPLICATION-KEY\"=$Env:datadogApplicationKey; \"DD-API-KEY\"=$Env:datadogApiKey} -Body (@{\"automute\"=[bool]::Parse($Env:automute); \"resource_collection_enabled\"=[bool]::Parse($Env:resource_collection_enabled); \"cspm_enabled\"=[bool]::Parse($Env:cspm_enabled); \"custom_metrics_enabled\"=[bool]::Parse($Env:custom_metrics_enabled); \"client_id\"=$Env:clientId; \"client_secret\"=$Env:clientSecret; \"tenant_name\"=$Env:tenantName; \"source\"=$Env:source; \"management_group_id\"=$Env:managementGroupId} | ConvertTo-Json )"
 }
 },
 {
diff --git a/azure/deploy-to-azure/azure-integration/azuredeploy.json b/azure/deploy-to-azure/azure-integration/azuredeploy.json
index adb7fd650..b14a5c1c7 100644
--- a/azure/deploy-to-azure/azure-integration/azuredeploy.json
+++ b/azure/deploy-to-azure/azure-integration/azuredeploy.json
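Review bot: The rewritten `scriptContent` line still passes `-SkipCertificateCheck` to `Invoke-WebRequest`, so the POST carrying `DD-API-KEY`, `DD-APPLICATION-KEY` and the service principal `client_secret` is sent without validating the server certificate. The host is built from the `datadogSite` parameter, so a mistyped site or an on-path interceptor would receive those credentials with no TLS error to stop the deployment. Since this commit already edits the line, drop the switch so the call begins `Invoke-WebRequest -ContentType \"application/json\" -Method Post`; if the switch was added to work around a certificate-store problem in the deployment-script container, fix that cause and record the reason rather than disabling validation. The last hunk of azuredeploy.json changes the equivalent line and needs the same edit.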
@@ -78,11 +78,18 @@
 "description": "Whether or not to use automute for hosts"
 }
 },
+ "resource_collection_enabled": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Collect resources for various Datadog products"
+ }
+ },
 "cspm_enabled": {
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Collect resources for Cloud Security Management"
+ "description": "Enable the Cloud Security Management product"
 }
 },
 "custom_metrics_enabled": {
@@ -194,6 +201,10 @@
 "name": "automute",
 "value": "[parameters('automute')]"
 },
+ {
+ "name": "resource_collection_enabled",
+ "value": "[parameters('resource_collection_enabled')]"
+ },
 {
 "name": "cspm_enabled",
 "value": "[parameters('cspm_enabled')]"
@@ -220,7 +231,7 @@
 "containerSettings": {},
 "cleanupPreference": "Always",
 "azPowerShellVersion": "8.1",
- "scriptContent": "Invoke-WebRequest -SkipCertificateCheck -ContentType \"application/json\" -Method Post -Uri \"https://api.$Env:datadogSite/api/v1/integration/azure\" -Headers @{\"Accept\"=\"application/json\"; \"DD-APPLICATION-KEY\"=$Env:datadogApplicationKey; \"DD-API-KEY\"=$Env:datadogApiKey} -Body (@{\"automute\"=[bool]::Parse($Env:automute); \"cspm_enabled\"=[bool]::Parse($Env:cspm_enabled); \"custom_metrics_enabled\"=[bool]::Parse($Env:custom_metrics_enabled); \"client_id\"=$Env:clientId; \"client_secret\"=$Env:clientSecret; \"tenant_name\"=$Env:tenantName; \"source\"=$Env:source; \"subscription_count\"=[int]::Parse($Env:subscription_count)} | ConvertTo-Json )"
+ "scriptContent": "Invoke-WebRequest -SkipCertificateCheck -ContentType \"application/json\" -Method Post -Uri \"https://api.$Env:datadogSite/api/v1/integration/azure\" -Headers @{\"Accept\"=\"application/json\"; \"DD-APPLICATION-KEY\"=$Env:datadogApplicationKey; \"DD-API-KEY\"=$Env:datadogApiKey} -Body (@{\"automute\"=[bool]::Parse($Env:automute); \"resource_collection_enabled\"=[bool]::Parse($Env:resource_collection_enabled); \"cspm_enabled\"=[bool]::Parse($Env:cspm_enabled); \"custom_metrics_enabled\"=[bool]::Parse($Env:custom_metrics_enabled); \"client_id\"=$Env:clientId; \"client_secret\"=$Env:clientSecret; \"tenant_name\"=$Env:tenantName; \"source\"=$Env:source; \"subscription_count\"=[int]::Parse($Env:subscription_count)} | ConvertTo-Json )"
 }
 },
 {