https://github.com/crowdstrike/terraform-azurerm-cloud-registration

Register Azure tenant to Falcon


README.md

CrowdStrike Registration terraform module


Introduction

This Terraform module enables registration and configuration of Azure accounts with CrowdStrike's Falcon Cloud Security. It provides a comprehensive solution for integrating Azure environments with CrowdStrike's cloud security services, including service principal creation, asset inventory configuration, and real-time visibility through log ingestion.

Key features:

  • Service Principal creation with Microsoft Graph permissions
  • Asset Inventory configuration for both subscription and management group scopes
  • Real-time visibility with log ingestion (Activity Logs and Entra ID logs)
  • Automatic discovery of active subscriptions within management groups

Pre-requisites

Generate API Keys

CrowdStrike API keys are required to use this module. It is highly recommended that you create a dedicated API client with only the required scopes.

  1. In the CrowdStrike console, navigate to Support and resources > API Clients & Keys. Click Add new API Client.
  2. Add the required scopes for your deployment:

| Option | Scope Name | Permission |
|--------|------------|------------|
| Automated account registration | CSPM registration | Read and Write |
| | Cloud security Azure registration | Read and Write |

  3. Click Add to create the API client. The next screen will display the API CLIENT ID, SECRET, and BASE URL. You will need all three for the next step.

![api-client-keys](https://github.com/CrowdStrike/aws-ssm-distributor/blob/main/official-package/assets/api-client-keys.png)

> [!NOTE]
> This page is only shown once. Make sure you copy CLIENT ID, SECRET, and BASE URL to a secure location.

Usage

```hcl
terraform {
  required_version = ">= 1.9.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 4.0.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 1.6.0"
    }
    crowdstrike = {
      source  = "CrowdStrike/crowdstrike"
      version = ">= 0.0.29"
    }
  }
}

provider "azurerm" {
  subscription_id = "00000000-0000-0000-0000-000000000000" # Replace with your subscription ID that will host CrowdStrike's infrastructure resources
  features {}
}

provider "azuread" {}

provider "crowdstrike" {
  client_id     = ""
  client_secret = ""
}

module "crowdstrike_azure_registration" {
  source = "CrowdStrike/cloud-registration/azurerm"

  # Azure configuration - You can use subscriptions, management groups, or both
  subscription_ids     = ["subscription-id-1", "subscription-id-2"]
  management_group_ids = ["mg-id-1", "mg-id-2"]

  # Azure subscription that will host CrowdStrike infrastructure. Required when enable_realtime_visibility is set to true.
  cs_infra_subscription_id = "00000000-0000-0000-0000-000000000000"

  # Optional: CrowdStrike API credential. Required when enable_realtime_visibility is set to true.
  falcon_client_id     = ""
  falcon_client_secret = ""

  # Optional: CrowdStrike IP addresses for network security. Required when enable_realtime_visibility is set to true.
  falcon_ip_addresses = ["1.2.3.4", "5.6.7.8"]

  # Optional: Enable Real Time Visibility and Detection
  enable_realtime_visibility = true

  # Optional: Configure log ingestion settings
  log_ingestion_settings = {
    activity_log = {
      enabled = true
      # To use an existing Event Hub, specify this section with existing_eventhub.use = true
      # and provide the existing Event Hub resource ID and consumer group name
      # existing_eventhub = {
      #   use                          = true
      #   eventhub_resource_id         = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-existing-eventhub/providers/Microsoft.EventHub/namespaces/existing-eventhub-namespace/eventhubs/existing-eventhub"
      #   eventhub_consumer_group_name = "$Default"
      # }
    }
    entra_id_log = {
      enabled = true
      # To use an existing Event Hub, specify this section with existing_eventhub.use = true
      # and provide the existing Event Hub resource ID and consumer group name
      # existing_eventhub = {
      #   use                          = true
      #   eventhub_resource_id         = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-existing-eventhub/providers/Microsoft.EventHub/namespaces/existing-eventhub-namespace/eventhubs/existing-eventhub"
      #   eventhub_consumer_group_name = "$Default"
      # }
    }
  }

  # Optional: Customize Microsoft Graph app roles
  # microsoft_graph_permission_ids = [
  #   "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30", # Application.Read.All
  #   "98830695-27a2-44f7-8c18-0c3ebc9698f6", # GroupMember.Read.All
  #   "246dd0d5-5bd0-4def-940b-0421030a5b68", # Policy.Read.All
  #   "230c1aed-a721-4c5d-9cb4-a90514e508ef", # Reports.Read.All
  #   "483bed4a-2ad3-4361-a73b-c83ccdbdc53c", # RoleManagement.Read.All
  #   "df021288-bdef-4463-88db-98f22de89214"  # User.Read.All
  # ]

  # Optional: Resource naming customization
  # env can be empty or exactly 4 alphanumeric characters
  env             = "prod" # or "" for no environment suffix
  location        = "westus"
  resource_prefix = "cs-"
  resource_suffix = "-001"

  # Optional: Custom tags
  tags = {
    Environment = "Production"
    Project     = "CrowdStrike Integration"
    CSTagVendor = "CrowdStrike"
  }
}
```
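As an added example that is not part of the module's README: the same registration with the Falcon API credentials passed through `sensitive` variables (set via `TF_VAR_falcon_client_id` / `TF_VAR_falcon_client_secret` or a `.tfvars` file kept out of version control) rather than literals in the configuration, scoped to a management group, with Entra ID logs routed to an existing Event Hub and the resulting service principal surfaced as an output for verification. The variable names, the `cs_` output name and the bracketed resource ID segments are assumptions; the `terraform`, `azurerm` and `azuread` provider blocks from the Usage section above are assumed to be present.

```hcl
# Assumed variable names: supply values with TF_VAR_falcon_client_id / TF_VAR_falcon_client_secret
variable "falcon_client_id" {
  description = "Falcon API client ID"
  type        = string
  sensitive   = true # keeps the value out of plan/apply output and state diffs shown on screen
}

variable "falcon_client_secret" {
  description = "Falcon API client secret"
  type        = string
  sensitive   = true
}

provider "crowdstrike" {
  client_id     = var.falcon_client_id
  client_secret = var.falcon_client_secret
}

module "crowdstrike_azure_registration" {
  source = "CrowdStrike/cloud-registration/azurerm"

  # Management-group scope only: member subscriptions are discovered by the module
  management_group_ids     = ["mg-id-1"]
  cs_infra_subscription_id = "00000000-0000-0000-0000-000000000000" # subscription hosting the Event Hubs

  enable_realtime_visibility = true
  falcon_client_id           = var.falcon_client_id
  falcon_client_secret       = var.falcon_client_secret
  falcon_ip_addresses        = ["1.2.3.4"] # placeholder; use the list for your Falcon cloud region

  # Activity Logs flow through a newly created Event Hub; Entra ID logs reuse an existing one
  log_ingestion_settings = {
    activity_log = { enabled = true }
    entra_id_log = {
      enabled = true
      existing_eventhub = {
        use                          = true
        eventhub_resource_id         = "/subscriptions/<infra-subscription-id>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<namespace>/eventhubs/<eventhub>"
        eventhub_consumer_group_name = "$Default"
      }
    }
  }
}

# Surface the registered identity so it can be checked against the Falcon console (assumed output name)
output "cs_service_principal_object_id" {
  value = module.crowdstrike_azure_registration.service_principal_object_id
}
```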

Providers

| Name | Version |
|------|---------|
| azurerm | >= 4.0.0 |
| crowdstrike | >= 0.0.29 |

Resources

| Name | Type |
|------|------|
| azurerm_resource_group.this | resource |
| crowdstrike_cloud_azure_tenant.this | resource |
| crowdstrike_cloud_azure_tenant_eventhub_settings.update_eventhub_settings | resource |
| azurerm_client_config.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cs_infra_subscription_id | Azure subscription ID where CrowdStrike infrastructure resources, such as Event Hubs, will be deployed. This subscription must be accessible with the current credentials. Required when enable_realtime_visibility is set to true. | `string` | `""` | no |
| enable_realtime_visibility | Controls whether to enable the Real Time Visibility and Detection feature for CrowdStrike Falcon Cloud Security in Azure. | `bool` | `false` | no |
| env | Environment label (for example, prod, stag, dev) used for resource naming and tagging. Helps distinguish between different deployment environments. Limited to 4 alphanumeric characters for compatibility with resource naming restrictions. | `string` | `"prod"` | no |
| falcon_client_id | Falcon API client ID. Required when enable_realtime_visibility is set to true. | `string` | `""` | no |
| falcon_client_secret | Falcon API client secret. Required when enable_realtime_visibility is set to true. | `string` | `""` | no |
| falcon_ip_addresses | List of CrowdStrike Falcon service IP addresses to be allowed in network security configurations. Refer to https://falcon.crowdstrike.com/documentation/page/re07d589 for the IP address list specific to your Falcon cloud region. Required when enable_realtime_visibility is set to true. | `list(string)` | `[]` | no |
| location | Azure location (region) where global resources such as role definitions and the Event Hub will be deployed. These tenant-wide resources only need to be created once regardless of how many subscriptions are monitored. | `string` | `"westus"` | no |
| log_ingestion_settings | Configuration settings for log ingestion. Controls whether to enable Azure Activity Logs and Microsoft Entra ID logs collection via Event Hubs, and allows using either newly created Event Hubs or existing ones. | <pre>object({<br>  activity_log = optional(object({<br>    enabled = bool<br>    existing_eventhub = optional(object({<br>      use = bool<br>      eventhub_resource_id = optional(string, "")<br>      eventhub_consumer_group_name = optional(string, "")<br>    }), { use = false })<br>  }), { enabled = true })<br>  entra_id_log = optional(object({<br>    enabled = bool<br>    existing_eventhub = optional(object({<br>      use = bool<br>      eventhub_resource_id = optional(string, "")<br>      eventhub_consumer_group_name = optional(string, "")<br>    }), { use = false })<br>  }), { enabled = true })<br>})</pre> | `{}` | no |
| management_group_ids | List of Azure management group IDs to monitor with CrowdStrike Falcon Cloud Security. All subscriptions within these management groups will be automatically discovered and monitored. | `list(string)` | `[]` | no |
| microsoft_graph_permission_ids | Optional list of Microsoft Graph permission IDs to assign to the service principal. If provided, these will replace the default permissions. | `list(string)` | `null` | no |
| resource_prefix | Prefix to be added to all created resource names for identification | `string` | `""` | no |
| resource_suffix | Suffix to be added to all created resource names for identification | `string` | `""` | no |
| subscription_ids | List of specific Azure subscription IDs to monitor with CrowdStrike Falcon Cloud Security. Use this for targeted monitoring of individual subscriptions. | `list(string)` | `[]` | no |
| tags | Map of tags to be applied to all resources created by this module. Default includes the CrowdStrike vendor tag. | `map(string)` | <pre>{<br>  "CSTagVendor": "CrowdStrike"<br>}</pre> | no |

Outputs

| Name | Description |
|------|-------------|
| active_subscriptions_in_groups | Map of Azure management group scopes to active Azure subscriptions discovered within those groups |
| activity_log_eventhub_consumer_group_name | Consumer group name for Azure Activity Log ingestion via Event Hub |
| activity_log_eventhub_id | Resource ID of the Event Hub used for Azure Activity Log ingestion |
| entra_id_log_eventhub_consumer_group_name | Consumer group name for Microsoft Entra ID (formerly Azure AD) log ingestion via Event Hub |
| entra_id_log_eventhub_id | Resource ID of the Event Hub used for Microsoft Entra ID (formerly Azure AD) log ingestion |
| management_group_scopes | List of Azure management group scopes configured for CrowdStrike Falcon Cloud Security asset inventory |
| service_principal_object_id | Object ID of the CrowdStrike service principal used for Azure resource access |
| subscription_scopes | List of Azure subscription scopes configured for CrowdStrike Falcon Cloud Security asset inventory |
| tenant_id | Azure tenant ID used for CrowdStrike Falcon Cloud Security integration |
