Files
smom-dbis-138/terraform/modules/security/main.tf

121 lines
3.2 KiB
Terraform
Raw Normal View History

# Security Module for Azure
# Configures Azure Security Center, Key Vault, and security policies
# Azure Security Center (Defender for Cloud)
resource "azurerm_security_center_subscription_pricing" "main" {
tier = "Standard"
resource_type = "VirtualMachines"
}
resource "azurerm_security_center_subscription_pricing" "storage" {
tier = "Standard"
resource_type = "StorageAccounts"
}
resource "azurerm_security_center_subscription_pricing" "sql" {
tier = "Standard"
resource_type = "SqlServers"
}
resource "azurerm_security_center_subscription_pricing" "app_services" {
tier = "Standard"
resource_type = "AppServices"
}
# Security Center Auto Provisioning
resource "azurerm_security_center_auto_provisioning" "main" {
auto_provision = "On"
}
# Security Center Contact
resource "azurerm_security_center_contact" "main" {
email = var.security_contact_email
phone = var.security_contact_phone
alert_notifications = true
alerts_to_admins = true
}
# Security Center Workspace
resource "azurerm_security_center_workspace" "main" {
scope = "/subscriptions/${var.subscription_id}"
workspace_id = azurerm_log_analytics_workspace.security.id
}
# Log Analytics Workspace for Security Center
resource "azurerm_log_analytics_workspace" "security" {
name = "${var.cluster_name}-security-workspace"
location = var.location
resource_group_name = var.resource_group_name
sku = "PerGB2018"
retention_in_days = 90
tags = merge(var.tags, {
Purpose = "Security-Monitoring"
})
}
# Security Center Assessment
resource "azurerm_security_center_assessment" "aks" {
assessment_policy_id = azurerm_security_center_assessment_policy.aks.id
target_resource_id = var.aks_cluster_id
status {
code = "Healthy"
}
}
# Security Center Assessment Policy
resource "azurerm_security_center_assessment_policy" "aks" {
display_name = "AKS Security Assessment"
description = "Security assessment for AKS cluster"
severity = "Medium"
categories = ["Security"]
implementation_effort = "Low"
remediation_description = "Follow AKS security best practices"
threats = ["DataExfiltration", "DataSpillage", "MaliciousInsider"]
user_impact = "Low"
}
# Variables
variable "security_contact_email" {
description = "Email for security contact"
type = string
}
variable "security_contact_phone" {
description = "Phone for security contact"
type = string
default = ""
}
variable "subscription_id" {
description = "Azure subscription ID"
type = string
}
variable "aks_cluster_id" {
description = "AKS cluster resource ID"
type = string
}
variable "cluster_name" {
description = "Cluster name"
type = string
}
variable "location" {
description = "Azure region"
type = string
}
variable "resource_group_name" {
description = "Resource group name"
type = string
}
variable "tags" {
description = "Tags to apply to resources"
type = map(string)
default = {}
}