kogunlowo123/terraform-azure-security-center
GitHub: kogunlowo123/terraform-azure-security-center
Production-ready Terraform module for deploying a complete Microsoft Defender for Cloud configuration to an Azure subscription in one step, covering security contacts, protection plans, auto-provisioning, custom assessments and workflow automation.
Stars: 0 | Forks: 0
# terraform-azure-security-center
Production-ready Terraform module for deploying Microsoft Defender for Cloud, including security contacts, auto-provisioning, per-resource pricing tiers, custom security assessments, compliance automation, integration settings and security workflow automation.
## Architecture
```mermaid
flowchart TB
subgraph Defender["Microsoft Defender for Cloud"]
SC[Security Center]
CONTACT[Security Contact]
end
subgraph Plans["Defender Plans"]
P1[VirtualMachines - P2]
P2[AppServices]
P3[SqlServers]
P4[StorageAccounts]
P5[KeyVaults]
P6[Containers]
P7[Arm / Dns]
P8[CloudPosture CSPM]
end
subgraph Settings["Integration Settings"]
MCAS[Microsoft Cloud App Security]
WDATP[Defender for Endpoint]
SENT[Sentinel Onboarding]
end
subgraph Provisioning["Auto-Provisioning"]
AP[Log Analytics Agent]
VA[Vulnerability Assessment]
end
subgraph Assessments["Security Assessments"]
CA1[Encryption Check]
CA2[Network Segmentation]
CA3[MFA Enforcement]
CA4[Logging Validation]
end
subgraph Automation["Security Automations"]
AUTO1[High Severity Alerts]
AUTO2[Compliance Changes]
LA[Logic App Workflow]
end
subgraph Workspace["Log Analytics"]
LAW[Log Analytics Workspace]
end
SC --> CONTACT
SC --> P1
SC --> P2
SC --> P3
SC --> P4
SC --> P5
SC --> P6
SC --> P7
SC --> P8
SC --> MCAS
SC --> WDATP
SC --> SENT
SC --> AP
AP --> VA
SC --> CA1
SC --> CA2
SC --> CA3
SC --> CA4
AUTO1 --> LA
AUTO2 --> LA
SC --> AUTO1
SC --> AUTO2
AP --> LAW
SENT --> LAW
style SC fill:#0078D4,stroke:#005A9E,color:#fff
style CONTACT fill:#0078D4,stroke:#005A9E,color:#fff
style P1 fill:#DD344C,stroke:#B02A3E,color:#fff
style P2 fill:#DD344C,stroke:#B02A3E,color:#fff
style P3 fill:#DD344C,stroke:#B02A3E,color:#fff
style P4 fill:#DD344C,stroke:#B02A3E,color:#fff
style P5 fill:#DD344C,stroke:#B02A3E,color:#fff
style P6 fill:#DD344C,stroke:#B02A3E,color:#fff
style P7 fill:#DD344C,stroke:#B02A3E,color:#fff
style P8 fill:#DD344C,stroke:#B02A3E,color:#fff
style MCAS fill:#8C4FFF,stroke:#6B3AC2,color:#fff
style WDATP fill:#8C4FFF,stroke:#6B3AC2,color:#fff
style SENT fill:#8C4FFF,stroke:#6B3AC2,color:#fff
style AP fill:#3F8624,stroke:#2D6119,color:#fff
style VA fill:#3F8624,stroke:#2D6119,color:#fff
style CA1 fill:#FF9900,stroke:#CC7A00,color:#fff
style CA2 fill:#FF9900,stroke:#CC7A00,color:#fff
style CA3 fill:#FF9900,stroke:#CC7A00,color:#fff
style CA4 fill:#FF9900,stroke:#CC7A00,color:#fff
style AUTO1 fill:#3F8624,stroke:#2D6119,color:#fff
style AUTO2 fill:#3F8624,stroke:#2D6119,color:#fff
style LA fill:#3F8624,stroke:#2D6119,color:#fff
style LAW fill:#0078D4,stroke:#005A9E,color:#fff
```
## Usage
```hcl
module "security_center" {
  source = "path/to/terraform-azure-security-center"

  security_contact_email = "security@example.com"

  defender_plans = {
    "vm" = {
      resource_type = "VirtualMachines"
      tier          = "Standard"
    }
    "storage" = {
      resource_type = "StorageAccounts"
      tier          = "Standard"
    }
  }
}
```
## Examples
- [Basic](examples/basic/main.tf) - security contact with basic Defender plans
- [Advanced](examples/advanced/main.tf) - multiple Defender plans, workspace integration and custom assessments
- [Complete](examples/complete/main.tf) - full deployment with all plans, automations, Sentinel and compliance workflows
## Requirements
| Name | Version |
|------|---------|
| [terraform](https://www.terraform.io/) | >= 1.5.0 |
| [azurerm](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) | >= 3.80.0 |
## Resources
| Name | Type | Documentation |
|------|------|---------------|
| [azurerm_security_center_contact](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact) | resource | Security contact |
| [azurerm_security_center_subscription_pricing](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_subscription_pricing) | resource | Defender pricing tiers |
| [azurerm_security_center_auto_provisioning](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_auto_provisioning) | resource | Auto-provisioning |
| [azurerm_security_center_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_workspace) | resource | Workspace assignment |
| [azurerm_security_center_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_setting) | resource | Integration settings |
| [azurerm_security_center_assessment_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_assessment_policy) | resource | Custom assessments |
| [azurerm_security_center_automation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_automation) | resource | Security automations |
| [azurerm_subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | Current subscription |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| security_contact_email | Security contact e-mail address | `string` | n/a | yes |
| security_contact_phone | Security contact phone number | `string` | `null` | no |
| security_contact_alert_notifications | Enable alert notifications | `bool` | `true` | no |
| security_contact_alerts_to_admins | Send alerts to admins | `bool` | `true` | no |
| defender_plans | Defender plan configuration | `map(object)` | `{}` | no |
| auto_provisioning_enabled | Enable auto-provisioning | `bool` | `true` | no |
| log_analytics_workspace_id | Log Analytics workspace ID | `string` | `null` | no |
| workspace_scope | Workspace assignment scope | `string` | `null` | no |
| enable_server_vulnerability_assessment | Enable vulnerability assessment | `bool` | `false` | no |
| server_vulnerability_assessment_provider | VA provider (mdeTvm/qualys) | `string` | `"mdeTvm"` | no |
| security_assessments | Custom assessment policies | `map(object)` | `{}` | no |
| security_automations | Security workflow automations | `map(object)` | `{}` | no |
| setting_mcas_enabled | Enable MCAS integration | `bool` | `true` | no |
| setting_wdatp_enabled | Enable WDATP/MDE integration | `bool` | `true` | no |
| setting_sentinel_onboarding_enabled | Enable Sentinel onboarding | `bool` | `false` | no |
| tags | Tags for taggable resources | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| security_contact_id | Resource ID of the security contact |
| defender_plan_ids | Map of plan key to resource ID |
| defender_plan_resource_types | Map of plan key to resource type and tier |
| auto_provisioning_id | Resource ID of the auto-provisioning setting |
| auto_provisioning_state | Auto-provisioning state |
| workspace_assignment_id | Resource ID of the workspace assignment |
| mcas_setting_enabled | MCAS integration state |
| wdatp_setting_enabled | WDATP/MDE integration state |
| assessment_policy_ids | Map of assessment policy name to ID |
| assessment_policy_names | Map of assessment key to display name |
| automation_ids | Map of automation name to resource ID |
| subscription_id | Configured subscription ID |
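A post-deploy coverage check built on the outputs above, added here as an example and not part of the module: it parses `terraform output -json` and flags required resource types that have no Defender plan or are not on the Standard tier, plus a disabled auto-provisioning or WDATP integration. The inner shape of `defender_plan_resource_types` (plan key to `{resource_type, tier}`) and the `On`/`Off` value of `auto_provisioning_state` are assumptions, and the JSON is a constructed sample.

```python
import json
from typing import Dict, List

# Constructed, abridged sample of `terraform output -json` for this module.
# Assumption: defender_plan_resource_types maps plan key -> {resource_type, tier}
# and auto_provisioning_state is "On"/"Off"; verify against the module's outputs.tf.
SAMPLE_OUTPUT_JSON = """
{
  "defender_plan_resource_types": {"sensitive": false, "value": {
    "vm":      {"resource_type": "VirtualMachines", "tier": "Standard"},
    "storage": {"resource_type": "StorageAccounts", "tier": "Standard"},
    "sql":     {"resource_type": "SqlServers",      "tier": "Free"}
  }},
  "auto_provisioning_state": {"sensitive": false, "value": "On"},
  "wdatp_setting_enabled":   {"sensitive": false, "value": true}
}
"""

# Resource types that must be on the paid Standard tier for the subscription
# to count as covered; tune this baseline per environment.
REQUIRED_STANDARD = {
    "VirtualMachines", "StorageAccounts", "SqlServers", "KeyVaults", "Containers",
}


def load_outputs(raw: str) -> Dict[str, object]:
    """Strip the {"sensitive": ..., "value": ...} envelope around each output."""
    return {name: entry["value"] for name, entry in json.loads(raw).items()}


def find_coverage_gaps(outputs: Dict[str, object]) -> List[str]:
    """Return findings in a stable order; an empty list means the baseline is met."""
    findings: List[str] = []
    plans = outputs.get("defender_plan_resource_types") or {}
    tier_by_type = {p["resource_type"]: p["tier"] for p in plans.values()}
    for rtype in sorted(REQUIRED_STANDARD):
        tier = tier_by_type.get(rtype)
        if tier is None:
            findings.append(f"{rtype}: no Defender plan declared")
        elif tier != "Standard":
            findings.append(f"{rtype}: tier is {tier}, expected Standard")
    if outputs.get("auto_provisioning_state") != "On":
        findings.append("auto-provisioning is Off: new VMs will not get the agent")
    if outputs.get("wdatp_setting_enabled") is not True:
        findings.append("Defender for Endpoint (WDATP) integration is disabled")
    return findings


if __name__ == "__main__":
    for finding in find_coverage_gaps(load_outputs(SAMPLE_OUTPUT_JSON)):
        print("GAP:", finding)
```

Run it after `terraform apply` with `terraform output -json | python check_defender.py`-style piping once you swap the sample for `sys.stdin.read()`; a non-empty finding list is the signal to fail the pipeline.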
## License
MIT License - see [LICENSE](LICENSE) for details.