If you are looking for a way to onboard Microsoft Defender for Cloud (MDC) with Terraform, you are in luck! In this blog post, we will introduce you to a new Terraform module that simplifies and enhances the onboarding experience for MDC in Azure. This module allows you to configure MDC plans for your Azure subscriptions or management groups with just a few lines of code. You will also learn how to use this module in different scenarios, such as onboarding a single subscription, multiple subscriptions, or all subscriptions where you have owner permissions. By the end of this blog post, you will be able to onboard MDC with Terraform in a fast and easy way. Let's get started!
Past Challenges
In the past, onboarding Microsoft Defender for Cloud via code required interacting with multiple Defender for Cloud ARM APIs. Although many security teams drive those APIs directly to onboard Defender for Cloud, Terraform is the infrastructure-as-code (IaC) engine that many of them already use for everything else, so a native module was the missing piece.
The new Terraform Module
We are excited to introduce a new Terraform module that is now available on the HashiCorp Terraform Registry. The module is specifically designed to streamline the onboarding process in Azure, providing a new and improved onboarding experience with Terraform. This module is easy to use and supports configuration at both the subscription and tenant levels. It lets customers verify, from code, that the correct Defender for Cloud plans are enabled across their environment, simplifying the process and giving additional oversight over how the whole estate is secured.
The new Terraform module is now available on the HashiCorp Terraform Registry.
What advantages does this Terraform module offer?
- Unified Experience: This module offers a portal-like experience through code, bringing the familiarity of the Azure portal into your Infrastructure as Code (IaC) workflows.
- Versatility: This module is adaptable to your needs. Whether you are onboarding a single subscription, multiple subscriptions, or all subscriptions where your account has owner permissions, this module has you covered. It even supports onboarding MDC plans for all subscriptions within a specified management group.
- Ease of Use: The module comes with clear instructions and examples. Simply navigate to the specific folder for your scenario (single, chosen, or all subscriptions), execute the terraform apply command, and watch as the module simplifies the process.
Getting Started
Requirements:
- Terraform: Version >= 1.3
- Terraform Provider for Azure (AzureRM): Version >= 3.47, but < 4.0
Steps:
- Configure Terraform for Azure using your service principal's credentials.
- Navigate to the specific scenario you want to implement (found in the examples directory). The module supports the following onboarding types:
  - Single Subscription: Onboard MDC plans for a single subscription.
  - Chosen Subscriptions: Onboard MDC plans for a selected list of subscriptions.
  - All Subscriptions: Onboard MDC plans for all subscriptions where your account holds owner permissions.
  - Management Group: Onboard MDC plans for all subscriptions within a designated management group.
- Execute the command within the folder:
  terraform apply
- For more specific requirements, you can modify the main.tf file in the output directory and then execute terraform apply again.
Remember, you can easily reverse the onboarding using the terraform destroy command or turn off specific plans by modifying the mdc_plans_list variable accordingly.
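As an added example (not code from this blog post or from the module's own documentation), here is a single-subscription configuration that wires the version constraints from the Requirements list to a call of the registry module. The module name (Azure/mdc-defender-plans-azure) and the mdc_plans_list variable come from this page; the registry source string Azure/mdc-defender-plans-azure/azurerm, the subscription_id input, the pinned module version and the list-of-strings shape of the plan list are assumptions and must be checked against the module's README before use.

```hcl
terraform {
  # Version floors taken from the Requirements list above.
  required_version = ">= 1.3"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.47, < 4.0"
    }
  }
}

# Authenticate with the service principal configured for Terraform via the
# provider's ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and
# ARM_SUBSCRIPTION_ID environment variables; no secret is written into this file.
provider "azurerm" {
  features {}
}

# Constructed placeholder input; pass the subscription to onboard at apply time.
variable "subscription_id" {
  type        = string
  description = "Subscription whose Defender for Cloud plans are managed here."
}

# Plans to enable. The variable name mdc_plans_list is from the blog post; the
# list-of-strings shape is an assumption. The identifiers mirror the ARM pricing
# resource types (VirtualMachines, StorageAccounts, ...), but the values the
# module accepts are defined by its README, not by this example.
variable "mdc_plans_list" {
  type = list(string)
  default = [
    "VirtualMachines",
    "StorageAccounts",
    "KeyVaults",
    "SqlServers",
    "Containers",
  ]
}

# Single-subscription scenario. The source string follows registry naming for
# the module linked on this page; the version constraint is an assumed value,
# pinned so a new release cannot silently change which plans are enforced.
module "mdc_defender_plans" {
  source  = "Azure/mdc-defender-plans-azure/azurerm"
  version = "~> 1.0" # assumed; take the current release from the registry

  subscription_id = var.subscription_id # assumed input name
  mdc_plans_list  = var.mdc_plans_list
}

# Surface the enforced plan list so a reviewer can confirm it from
# `terraform output` without reading the state file.
output "enabled_mdc_plans" {
  value = var.mdc_plans_list
}
```

Removing an entry from mdc_plans_list and re-running terraform apply disables that plan, and terraform destroy reverts the onboarding, exactly as the post describes. Read the plan output before approving it: a plan that drops from Standard back to Free also switches off every detection and recommendation that depends on it, so a shrinking list in a pull request deserves the same review as a firewall rule change.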
Contributing and Tests
We highly encourage community contributions. Before contributing, please ensure you've agreed to our Contributor License Agreement (CLA). We use the Docker image mcr.microsoft.com/azterraform:latest to run pre-commit, pr-check, and tests for your convenience. It's a handy way to ensure your code meets our pipeline requirements and aligns with our coding standards before you open a pull request.
Links
- HashiCorp Terraform module: Azure/mdc-defender-plans-azure
- Source code (GitHub): Azure/terraform-azure-mdc-defender-plans-azure
In Conclusion
We're confident this will streamline the onboarding experience. Try it out, share your feedback, and let's continue to make cloud security simpler and stronger together.