Terraform module for configuring AKS to integrate with Expel Workbench.

expel-io/terraform-azure-aks

Terraform Module for Azure Kubernetes Service (AKS)

This Terraform module configures Azure Kubernetes Service (AKS) to integrate with Expel Workbench. It sets up an Azure AD application registration and a custom role that Expel Workbench uses for onboarding.

Features

  • Creates an Azure AD application registration for Expel Workbench
  • Creates a custom role for Expel Workbench
  • Configures diagnostic logs for AKS clusters
  • Creates a Storage Account for AKS logs
  • Sends AKS logs to the Storage Account
  • Retains AKS logs in the Storage Account for a specified number of days

Usage

module "expel_azure_aks_integration" {
  source  = "expel-io/aks/azure"

  # Tenant ID that will be onboarded
  tenant_id = "YOUR_TENANT_ID"
  # Subscription ID that will be onboarded
  subscription_id = "YOUR_SUBSCRIPTION_ID"
  # Name of Azure AD app to create
  azure_ad_app_name = "Expel AKS Integration"
  # Name of Custom Role to create
  azure_custom_role_name = "Expel AKS Role"
  # Resource group where storage account will be created
  resource_group_name = "YOUR_RESOURCE_GROUP_NAME"
  # Resource group location
  resource_group_location = "YOUR_LOCATION_NAME"
  # Storage account that will hold AKS logs
  storage_account_name = "YOUR_STORAGE_ACCOUNT_NAME"
  # AKS clusters to configure diagnostic logs for
  aks_clusters = ["/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.ContainerService/managedClusters/YOUR_CLUSTER_NAME"]
  # Number of days to retain AKS logs in storage account
  retention_days = 7

}

After configuring your Azure environment, visit Expel Workbench to create an AKS security device. This enables Expel to start monitoring your Azure environment.

❗ Terraform state may contain sensitive information. Ensure you follow best security practices when securing your state.
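To show what the module wires up for each entry in aks_clusters (a diagnostic setting that ships cluster logs to the Storage Account and keeps them for retention_days), here is a stand-alone equivalent written as an added example; it is not the module's own source. It assumes the azurerm ~> 3.40 pin from this page, and the log category, the storage-account hardening settings and the input validation are illustrative choices, not something the module is documented to do.

```hcl
# Added example, not expel-io/terraform-azure-aks source. Assumes azurerm ~> 3.40.
variable "aks_clusters" {
  type        = list(string)
  description = "Full resource IDs of the AKS clusters to send diagnostic logs for."
  default     = ["/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.ContainerService/managedClusters/YOUR_CLUSTER_NAME"]

  # Catches malformed IDs (e.g. a missing "/" before resourceGroups) at plan time
  # instead of failing at apply time with an opaque ARM error.
  validation {
    condition = alltrue([
      for id in var.aks_clusters :
      can(regex("^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.ContainerService/managedClusters/[^/]+$", id))
    ])
    error_message = "Each aks_clusters entry must be a full managedClusters resource ID."
  }
}

variable "retention_days" {
  type    = number
  default = 7
}

# Storage Account that receives the logs. TLS floor and no public blob access are
# assumptions added for illustration, not settings the module is documented to apply.
resource "azurerm_storage_account" "aks_logs" {
  name                            = "YOUR_STORAGE_ACCOUNT_NAME"
  resource_group_name             = "YOUR_RESOURCE_GROUP_NAME"
  location                        = "YOUR_LOCATION_NAME"
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}

# One diagnostic setting per cluster, mirroring the module's
# azurerm_monitor_diagnostic_setting.aks_diagnostic_logs_to_storage_account.
resource "azurerm_monitor_diagnostic_setting" "aks_logs_to_storage" {
  for_each           = toset(var.aks_clusters)
  name               = "expel-aks-logs"
  target_resource_id = each.value
  storage_account_id = azurerm_storage_account.aks_logs.id

  # kube-audit is an assumed category; the module's exact category list is not on this page.
  log {
    category = "kube-audit"
    enabled  = true
    retention_policy {
      enabled = true
      days    = var.retention_days # 0 would mean "keep forever"
    }
  }
}
```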

Permissions

This module grants permissions that allow Expel Workbench to perform investigations and discover AKS clusters in the environment.

Limitations

  1. This module will always create a new Azure Active Directory application registration.
  2. It will always create a new Storage Account for logging.

Refer to Expel's Getting Started Guide for AKS for more onboarding information.

Issues

Found a bug or have an idea for a new feature? Please create an issue. We'll respond as soon as possible!

Contributing

We welcome contributions! Here's how you can help:

  1. Fork the Project.
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature).
  3. Commit your Changes (git commit -m 'Add some AmazingFeature').
  4. Push to the Branch (git push origin feature/AmazingFeature).
  5. Open a Pull Request.

Please read our Contributing Code of Conduct to get started.

Requirements

Name Version
terraform >= 1.1.0
azuread ~> 2.33.0
azurerm ~> 3.40.0

Providers

Name Version
azuread 2.33.0
azurerm 3.40.0

Inputs

  • resource_group_location (string, required): The resource group location where the Storage Account for AKS logs will be created.
  • resource_group_name (string, required): The resource group name where the Storage Account for AKS logs will be created.
  • storage_account_name (string, required): The name of the Storage Account to be created for AKS logs.
  • subscription_id (string, required): The Azure Subscription ID that will be onboarded with Expel Workbench.
  • tenant_id (string, required): The Azure Tenant ID that will be onboarded with Expel Workbench.
  • aks_clusters (list(any), optional, default []): The list of AKS clusters to configure diagnostic logs for. If configured elsewhere, this can be left empty.
  • azure_ad_app_name (string, optional, default "Expel AKS Integration"): The name of the Azure AD app to be created.
  • azure_custom_role_name (string, optional, default "Expel AKS Role"): The name of the Azure custom IAM role to be created.
  • retention_days (number, optional, default 7): The number of days to retain AKS logs in storage.

Outputs

  • application_client_id: Client ID of the Azure Application created for Expel
  • application_secret: The application secret that allows Expel to authenticate
  • storage_account_name: The name of the Storage Account where AKS logs will be sent
  • subscription_id: The ID of the Azure subscription where resources were created for Expel
  • tenant_id: The ID of the Azure tenant where resources were created for Expel

Resources

  • azuread_application.expel_azure_ad_app (resource)
  • azuread_application_password.expel_app_creds (resource)
  • azuread_service_principal.expel_svc_principal (resource)
  • azurerm_monitor_diagnostic_setting.aks_diagnostic_logs_to_storage_account (resource)
  • azurerm_resource_group.aks_logs_resource_group (resource)
  • azurerm_role_assignment.expel_app_la_reader (resource)
  • azurerm_role_assignment.expel_app_role_assignment (resource)
  • azurerm_role_assignment.expel_app_sa_reader (resource)
  • azurerm_role_definition.expel_aks_role (resource)
  • azurerm_storage_account.aks_logs_storage_account (resource)
  • azuread_client_config.current (data source)
