Coalfire-CF/terraform-azurerm-security-core

terraform-azurerm-security-core

Description

This module is the first step for deploying the Coalfire-Azure-RAMPpak FedRAMP Framework. It will create the core resources needed to deploy the rest of the environment.

Learn more at Coalfire OpenSource.

Dependencies

  • New Azure Commercial or Gov Subscription

Resource List

  • Resource group
  • Vnet
  • Private DNS zone if desired
  • Entra ID Diagnostic logs
  • Storage account to store the terraform state files
  • Key Vault
  • Log Analytics workspace
  • Subscription diagnostics monitor

Global-vars.tf

Update the variables in the /coalfire-azure-pak/terraform/prod/global-vars.tf file:

| Name | Description | Sample |
|---|---|---|
| subscription_id | The Azure subscription ID where resources are being deployed into. This should be the subscription for the management plane. | 00000000-0000-0000-0000-000000000000 |
| tenant_id | The Azure tenant ID that owns the deployed resources. Found in the Entra ID properties tab in the portal. | 00000000-0000-0000-0000-000000000000 |
| app_subscription_ids | The Azure subscription IDs for client application subscriptions. This should be the subscription for the application plane. | ["00000000-0000-0000-0000-000000000000"] |
| app_abbreviation | Two- or three-character abbreviation for app resource naming. | "CF" |
| cidrs_for_remote_access | List of CIDRs that will be allowed to access the resources. | [""] |
| admin_principal_ids | List of admin principal IDs that will be set as admins on resources. Found on each user's properties page in Entra ID. | ["00000000-0000-0000-0000-000000000000"] |
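Because the values above gate who can reach the Key Vault and the state storage account, it is worth failing `terraform plan` early on a malformed or overly broad entry. The following is an added example, not part of the module or the Coalfire-Azure-RAMPpak repository: root-module variable declarations with `validation` blocks, plus a `locals` block that derives `ip_for_remote_access` from `cidrs_for_remote_access` by stripping the `/32` suffix (the Inputs table notes the storage account `ip_rules` reject `/32` entries). The variable names match the module's inputs; the `list(string)` types, the regular expressions and the `0.0.0.0/0` check are this example's own assumptions and belong in the calling configuration (the security-core folder), not inside the module.

```hcl
# Added example: input validation for the global-vars.tf values.
# These declarations live in the root configuration that calls the module.

variable "subscription_id" {
  type        = string
  description = "Management-plane subscription ID."
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.subscription_id))
    error_message = "subscription_id must be a GUID such as 00000000-0000-0000-0000-000000000000."
  }
}

variable "admin_principal_ids" {
  type        = set(string)
  description = "Entra ID object IDs that are granted admin on the core resources."
  validation {
    condition = alltrue([
      for id in var.admin_principal_ids :
      can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", id))
    ])
    error_message = "Every admin_principal_ids entry must be an Entra ID object ID (GUID)."
  }
}

variable "cidrs_for_remote_access" {
  # list(string) here is an assumption; the module itself declares list(any).
  type        = list(string)
  description = "CIDRs allowed to reach the core resources; keep this to known admin egress ranges."
  validation {
    # cidrhost() errors on anything that is not a valid CIDR, and can() turns that into false.
    condition     = alltrue([for c in var.cidrs_for_remote_access : can(cidrhost(c, 0))])
    error_message = "Each entry must be a valid CIDR, for example 203.0.113.10/32."
  }
  validation {
    condition     = !contains(var.cidrs_for_remote_access, "0.0.0.0/0")
    error_message = "0.0.0.0/0 would expose the Key Vault and state storage account to the whole internet."
  }
}

locals {
  # ip_for_remote_access is the same list without the /32 suffix, because the
  # storage account ip_rules do not accept /32 entries. Wider prefixes pass through unchanged.
  ip_for_remote_access = [
    for c in var.cidrs_for_remote_access :
    endswith(c, "/32") ? split("/", c)[0] : c
  ]
}
```

With this in place the module call can use `ip_for_remote_access = local.ip_for_remote_access` instead of maintaining a second hand-edited list. Note that the sample placeholder `[""]` from the table fails the CIDR check, which is the intended behaviour until a real admin range is filled in; `endswith` requires Terraform 1.3 or later.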

/coalfire-azure-pak/terraform/prod/us-va/security-core/core.tf

This is the folder you deploy from. Most values are pulled from the global vars; the only updates you normally need to make are the flags that enable logs and Entra ID permissions. When developing or testing, it is best to leave these off to avoid conflicts with existing permissions and diagnostic settings. For a new environment, enable them.

Deployment Steps

  • Ensure the backend "azurerm" portion of the tstate.tf file is commented out for initial deployment. The state file will be created as part of this apply and we will migrate the state file to the newly created storage account.
  • Ensure remote-data.tf file is commented out for initial deployment. This file will be used to access information in the state as the deployment progresses.
  • Log in to the Azure CLI: az login. If your subscription is in Azure Gov, change the cloud first with: az login --environment AzureUSGovernment
  • Change directories to the /coalfire-azure-pak/terraform/prod/us-va/security-core directory.
  • Run terraform init.
  • Run terraform plan to review the resources being created.
  • If everything looks correct in the plan output, run terraform apply.

Warning It does take some time for the initial key vault permissions to propagate. If you get a 400 error about the Customer Managed Key for the state storage account, wait a few minutes and try again. The deployment should complete successfully.

Migrate State

Now that the storage account exists you need to migrate the local state file to the remote state storage account.

  1. Uncomment the backend "azurerm" portion of the tstate.tf file.
  2. Update the resource_group_name, storage_account_name and container_name variables to match the newly created storage account.
  3. Run terraform init to initialize the backend. You will be prompted to migrate the state file. Select yes.
  4. Run terraform apply to migrate the state file to the remote storage account.
  5. Delete the terraform.tfstate and terraform.tfstate.backup files.
  6. Uncomment the remote-data.tf file for the Core block only.
  7. Commit changes and push to repo.
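What steps 1 and 2 produce is a filled-in backend block in tstate.tf. The block below is an added example, not the repository's own tstate.tf: the resource group name follows the `core_rg_name` pattern from the Usage section, while the storage account name, container name, state key, and the `use_azuread_auth` and `environment` settings are placeholders or assumptions that you replace with the values from your first apply.

```hcl
# Added example of tstate.tf after the first apply: the backend "azurerm"
# block, which stays commented out for the initial deployment, is now
# uncommented and points at the storage account the module just created.
terraform {
  backend "azurerm" {
    # Resource group created by the first apply (matches core_rg_name in the Usage block).
    resource_group_name  = "<resource_prefix>-core-rg"      # placeholder
    # Storage account and container created by the azurerm_storage_account.tf_state
    # and azurerm_storage_container.tf_state_lock resources; read them from the first apply.
    storage_account_name = "<tstate storage account name>"  # placeholder
    container_name       = "<tfstate container name>"       # placeholder
    key                  = "security-core.tfstate"          # assumed state file name

    # Assumptions for a Gov deployment: authenticate to the backend with the
    # identity from az login rather than a storage account access key, and
    # target the US Government cloud. Omit environment for Azure Commercial.
    use_azuread_auth = true
    environment      = "usgovernment"
  }
}
```

After saving this file, step 3's `terraform init` detects the new backend and prompts to copy the local state into the container; `terraform init -migrate-state` does the same without the prompt. Using `use_azuread_auth` means the identity running Terraform needs a data-plane role on the container (for example Storage Blob Data Contributor) instead of the account's shared key, so no storage key has to be handled or stored locally.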

Usage

```hcl
provider "azurerm" {
  features {}
}

module "core" {
  source = "github.com/Coalfire-CF/terraform-azurerm-security-core"

  subscription_id          = var.subscription_id
  resource_prefix          = local.resource_prefix
  location_abbreviation    = var.location_abbreviation
  location                 = var.location
  app_abbreviation         = var.app_abbreviation
  tenant_id                = var.tenant_id
  regional_tags            = var.regional_tags
  global_tags              = merge(var.global_tags, local.global_local_tags)
  core_rg_name             = "${local.resource_prefix}-core-rg"
  cidrs_for_remote_access  = var.cidrs_for_remote_access
  ip_for_remote_access     = var.ip_for_remote_access
  admin_principal_ids      = var.admin_principal_ids
  private_dns_zone_name    = var.domain_name
  app_subscription_ids     = var.app_subscription_ids
  enable_sub_logs          = false
  enable_aad_logs          = false
  enable_aad_permissions   = false
  custom_private_dns_zones = [var.domain_name]
  azure_private_dns_zones = [
    "privatelink.azurecr.us",
    "privatelink.database.usgovcloudapi.net",
    "privatelink.blob.core.usgovcloudapi.net",
    "privatelink.table.core.usgovcloudapi.net",
    "privatelink.queue.core.usgovcloudapi.net",
    "privatelink.file.core.usgovcloudapi.net",
    "privatelink.postgres.database.usgovcloudapi.net"
  ]

  # Uncomment and rerun terraform apply after the mgmt-network is created if you're using FWs
  #fw_virtual_network_subnet_ids = data.terraform_remote_state.usgv_mgmt_vnet.outputs.usgv_mgmt_vnet_subnet_ids["${local.resource_prefix}-bastion-sn-1"]
}
```

Requirements

No requirements.

Providers

| Name | Version |
|---|---|
| azuread | n/a |
| azurerm | n/a |
| tls | n/a |

Modules

| Name | Source | Version |
|---|---|---|
| core_kv | github.com/Coalfire-CF/terraform-azurerm-key-vault | n/a |
| diag_la_queries_sa | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
| diag_law | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
| diag_sub | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
| diag_tf_state_sa | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |

Resources

| Name | Type |
|---|---|
| azuread_directory_role.app_owners | resource |
| azuread_directory_role.groups_administrator | resource |
| azuread_directory_role_assignment.assign_app_owners | resource |
| azuread_directory_role_assignment.assign_groups_administrator | resource |
| azurerm_key_vault_key.ad-cmk | resource |
| azurerm_key_vault_key.ars-cmk | resource |
| azurerm_key_vault_key.avd-cmk | resource |
| azurerm_key_vault_key.cloudshell-cmk | resource |
| azurerm_key_vault_key.docs-cmk | resource |
| azurerm_key_vault_key.flowlog-cmk | resource |
| azurerm_key_vault_key.install-cmk | resource |
| azurerm_key_vault_key.law_queries-cmk | resource |
| azurerm_key_vault_key.tstate-cmk | resource |
| azurerm_key_vault_secret.xadm_ssh | resource |
| azurerm_log_analytics_linked_storage_account.law_alerts | resource |
| azurerm_log_analytics_linked_storage_account.law_queries | resource |
| azurerm_log_analytics_workspace.core-la | resource |
| azurerm_monitor_aad_diagnostic_setting.aadlogs | resource |
| azurerm_private_dns_zone.default | resource |
| azurerm_resource_group.core | resource |
| azurerm_role_assignment.assign_app_sub_contributor | resource |
| azurerm_role_assignment.assign_app_sub_user_access | resource |
| azurerm_role_assignment.assign_sub_contributor | resource |
| azurerm_role_assignment.assign_sub_user_access | resource |
| azurerm_role_assignment.core_kv_administrator | resource |
| azurerm_role_assignment.law_queries_kv_crypto_user | resource |
| azurerm_role_assignment.tstate_kv_crypto_user | resource |
| azurerm_storage_account.law_queries | resource |
| azurerm_storage_account.tf_state | resource |
| azurerm_storage_account_customer_managed_key.enable_law_queries_cmk | resource |
| azurerm_storage_account_customer_managed_key.enable_tstate_cmk | resource |
| azurerm_storage_container.law_queries | resource |
| azurerm_storage_container.tf_state_lock | resource |
| azurerm_storage_management_policy.lifecycle_mgmt | resource |
| tls_private_key.xadm | resource |
| azurerm_client_config.current | data source |
| azurerm_subscription.primary | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_principal_ids | Admin principal IDs | set(string) | n/a | yes |
| app_abbreviation | The prefix for the blob storage account names | string | n/a | yes |
| app_subscription_ids | The Azure subscription IDs for org microservices | map(any) | n/a | yes |
| azure_private_dns_zones | List of Private DNS zones to create. | list(string) | ["privatelink.azurecr.us", "privatelink.azuredatabricks.net", "privatelink.database.usgovcloudapi.net", "privatelink.datafactory.azure.net", "privatelink.blob.core.usgovcloudapi.net", "privatelink.table.core.usgovcloudapi.net", "privatelink.queue.core.usgovcloudapi.net", "privatelink.file.core.usgovcloudapi.net", "privatelink.documents.azure.us", "privatelink.mongo.cosmos.azure.us", "privatelink.table.cosmos.azure.us", "privatelink.postgres.database.usgovcloudapi.net", "privatelink.mysql.database.usgovcloudapi.net", "privatelink.vaultcore.usgovcloudapi.net", "privatelink.servicebus.usgovcloudapi.net", "privatelink.redis.cache.usgovcloudapi.net"] | no |
| cidrs_for_remote_access | Admin CIDRs | list(any) | n/a | yes |
| core_rg_name | Resource group name for core security services | string | "core-rg-1" | no |
| custom_private_dns_zones | List of custom private DNS zones to create. | list(string) | [] | no |
| dr_location | The Azure location/region for DR resources. | string | "usgovtexas" | no |
| enable_aad_logs | Enable/Disable Entra ID logging | bool | true | no |
| enable_aad_permissions | Enable/Disable provisioning basic Entra ID level permissions. | bool | true | no |
| enable_sub_logs | Enable/Disable subscription level logging | bool | true | no |
| global_tags | Global level tags | map(string) | n/a | yes |
| ip_for_remote_access | This is the same as 'cidrs_for_remote_access' but without the /32 on each of the files. The 'ip_rules' in the storage account will not accept a '/32' address and I gave up trying to strip and convert the values over. | list(any) | n/a | yes |
| location | The Azure location/region to create resources in | string | n/a | yes |
| location_abbreviation | The Azure location/region as a 4-letter code | string | n/a | yes |
| private_dns_zone_name | The name of the Private DNS Zone. Must be a valid domain name. | string | null | no |
| regional_tags | Regional level tags | map(string) | n/a | yes |
| resource_prefix | Name prefix used for resources | string | n/a | yes |
| subscription_id | The Azure subscription ID where resources are being deployed into | string | n/a | yes |
| tenant_id | The Azure tenant ID that owns the deployed resources | string | n/a | yes |

Outputs

| Name | Description |
|---|---|
| ad-cmk_id | AD SA CMK ID |
| ars-cmk_id | Azure Recovery Services SA CMK ID |
| avd-cmk_id | Azure Virtual Desktop CMK ID |
| cloudshell-cmk_id | Cloudshell SA CMK ID |
| core_kv_id | Value of the Core Key Vault ID |
| core_kv_name | Name of the Core Key Vault |
| core_la_id | Value of the core Log Analytics workspace ID |
| core_la_primaryKey | Value of the core Log Analytics workspace primary key |
| core_la_secondaryKey | Value of the core Log Analytics workspace secondary key |
| core_la_workspace_id | Value of the core Log Analytics workspace ID |
| core_la_workspace_name | Value of the core Log Analytics workspace name |
| core_private_dns_zone_id | Private DNS Zone IDs |
| core_private_dns_zones | Private DNS Zone names |
| core_rg_name | Name of the core resource group |
| core_xadm_ssh_public_key | Value of the SSH public key for xadm |
| docs-cmk_id | Docs SA CMK ID |
| flowlog-cmk_id | Flowlogs SA CMK ID |
| install-cmk_id | Installs SA CMK ID |
| law_queries-cmk_id | Log Analytics Workspace Queries SA CMK ID |
| tstate-cmk_id | Terraform State SA CMK ID |

Contributing

Start Here

License

License

Contact Us

Coalfire

Copyright

Copyright © 2023 Coalfire Systems Inc.