Azure Cloud Registration

This Terraform module enables registration and configuration of Azure accounts with CrowdStrike’s Falcon Cloud Security. It provides a comprehensive solution for integrating Azure environments with CrowdStrike’s cloud security services, including service principal creation, asset inventory configuration, and real-time visibility through log ingestion.

View on GitHub

Key Features

Service Principal creation with Microsoft Graph permissions
Asset Inventory configuration for both subscription and management group scopes
Real-time visibility with log ingestion (Activity Logs and Entra ID logs)
Automatic discovery of active subscriptions within management groups

Pre-requisites

Generate API Keys

CrowdStrike API keys are required to use this module. It is highly recommended that you create a dedicated API client with only the required scopes.

In the CrowdStrike console, navigate to Support and resources > API Clients & Keys. Click Add new API Client.
Add the required scopes for your deployment:

Option	Scope Name	Permission
Automated account registration	CSPM registration	Read and Write
Automated account registration	Cloud security Azure registration	Read and Write

Click Add to create the API client. The next screen will display the API CLIENT ID, SECRET, and BASE URL. You will need all three for the next step.

picture

Usage

terraform {
  required_version = ">= 1.9.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 4.13.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 3.0.0"
    }

    crowdstrike = {
      source  = "CrowdStrike/crowdstrike"
      version = ">= 0.0.66"
    }
  }
}

provider "azurerm" {
  subscription_id = "00000000-0000-0000-0000-000000000000" # Replace with your subscription ID that will host CrowdStrike's infrastructure resources
  features {}
}

provider "azuread" {
}

provider "crowdstrike" {
  client_id     = "<Falcon API client ID>"
  client_secret = "<Falcon API client secret>"
}

module "crowdstrike_azure_registration" {
  source = "CrowdStrike/cloud-registration/azurerm"
  subscription_ids     = ["subscription-id-1", "subscription-id-2"]
  management_group_ids = ["mg-id-1", "mg-id-2"]

  # Azure subscription that will host CrowdStrike infrastructure. Required when `enable_realtime_visibility` is set to `true`.
  cs_infra_subscription_id = "00000000-0000-0000-0000-000000000000"

  # Optional: CrowdStrike API credential. Required when `enable_dspm` is set to `true`.
  falcon_client_id     = "<Falcon API client ID>"
  falcon_client_secret = "<Falcon API client secret>"

  # Optional: CrowdStrike IP addresses for network security. Required when `enable_realtime_visibility` is set to `true`.
  falcon_ip_addresses = ["1.2.3.4", "5.6.7.8"]

  # Optional: Enable Real Time Visibility and Detection
  enable_realtime_visibility = true

  # Optional: Configure agentless scanning
  enable_dspm                  = true
  agentless_scanning_locations = ["westus"]

  # Optional: Configure log ingestion settings
  log_ingestion_settings = {
    activity_log = {
      enabled = true
      # To use existing Event Hub resource ID and consumer group name, specify this section with existing_eventhub.use = true and provide existing Event Hub resource ID and consumer group name
      # existing_eventhub = {
      #     use = true
      #     eventhub_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-existing-eventhub/providers/Microsoft.EventHub/namespaces/existing-eventhub-namespace/eventhubs/existing-eventhub"
      #     eventhub_consumer_group_name = "$Default"
      # }
    }
    entra_id_log = {
      enabled = true
      # To use existing Event Hub resource ID and consumer group name, specify this section with existing_eventhub.use = true and provide existing Event Hub resource ID and consumer group name
      # existing_eventhub = {
      #     use = true
      #     eventhub_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-existing-eventhub/providers/Microsoft.EventHub/namespaces/existing-eventhub-namespace/eventhubs/existing-eventhub"
      #     eventhub_consumer_group_name = "$Default"
      # }
    }
  }

  # Optional: Customize Microsoft Graph app roles
  # microsoft_graph_permission_ids = [
  #   "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30", # Application.Read.All
  #   "98830695-27a2-44f7-8c18-0c3ebc9698f6", # GroupMember.Read.All
  #   "246dd0d5-5bd0-4def-940b-0421030a5b68", # Policy.Read.All
  #   "230c1aed-a721-4c5d-9cb4-a90514e508ef", # Reports.Read.All
  #   "483bed4a-2ad3-4361-a73b-c83ccdbdc53c", # RoleManagement.Read.All
  #   "df021288-bdef-4463-88db-98f22de89214", # User.Read.All
  #   "dbb9058a-0e50-45d7-ae91-66909b5d4664", # Domain.Read.All
  #   "b0afded3-3588-46d8-8b3d-9842eff778da", # AuditLog.Read.All
  #   "7438b122-aefc-4978-80ed-43db9fcc7715"  # Device.Read.All
  # ]

  # Optional: Resource naming customization
  # env can be empty or exactly 4 alphanumeric characters
  env             = "prod" # or "" for no environment suffix
  location        = "westus"
  resource_prefix = "cs-"
  resource_suffix = "-001"

  # Optional: Custom tags
  tags = {
    Environment = "Production"
    Project     = "CrowdStrike Integration"
    CSTagVendor = "CrowdStrike"
  }
}

Providers

Name	Version
azurerm	>= 4.0.0
crowdstrike	>= 0.0.66

Resources

Name	Type
crowdstrike_cloud_azure_tenant.this	resource
crowdstrike_cloud_azure_tenant_eventhub_settings.update_event_hub_settings	resource
azurerm_client_config.current	data source

Inputs

Name	Description	Type	Default	Required
account_type	Account type can be either ‘commercial’ or ‘gov’	`string`	`"commercial"`	no
agentless_scanning_custom_vnet_configuration	Per-region custom VNet configuration for agentless scanning. Keys are Azure region names; values contain scanners_subnet_id and clones_subnet_id.	map(object({ scanners_subnet_id = string clones_subnet_id = string }))	`{}`	no
agentless_scanning_deploy_nat_gateway	Indicates Agentless Scanning environment will be deployed with NAT Gateway.	`bool`	`true`	no
agentless_scanning_locations	List of Azure locations (regions) where agentless scanning will be deployed.	`list(string)`	`[]`	no
agentless_scanning_locations_per_subscription	Map of Azure subscription IDs to lists of locations (regions) where agentless scanning will be deployed per subscription.	`map(list(string))`	`{}`	no
cs_infra_subscription_id	Azure subscription ID where CrowdStrike infrastructure resources, such as Event Hubs, will be deployed. This subscription must be accessible with the current credentials. Required when `enable_realtime_visibility` is set to `true`.	`string`	`""`	no
enable_dspm	Controls whether to enable DSPM (Data Security Posture Management) for CrowdStrike Falcon Cloud Security in Azure.	`bool`	`false`	no
enable_realtime_visibility	Controls whether to enable Real Time Visibility and Detection feature for CrowdStrike Falcon Cloud Security in Azure.	`bool`	`false`	no
env	Environment label (for example, prod, stag, dev) used for resource naming and tagging. Helps distinguish between different deployment environments. Limited to 4 alphanumeric characters for compatibility with resource naming restrictions.	`string`	`"prod"`	no
falcon_client_id	Falcon API client ID. Required when `enable_dspm` is set to `true`.	`string`	`""`	no
falcon_client_secret	Falcon API client secret. Required when `enable_dspm` is set to `true`.	`string`	`""`	no
falcon_ip_addresses	List of CrowdStrike Falcon service IP addresses to be allowed in network security configurations. Refer to https://falcon.crowdstrike.com/documentation/page/re07d589 for the IP address list specific to your Falcon cloud region. Required when `enable_realtime_visibility` is set to `true`.	`list(string)`	`[]`	no
key_vault_allowed_ip_rules	Allowed IP rules (IPs or CIDR blocks) for restricting Key Vault access. If empty all network access will be allowed.	`list(string)`	`[]`	no
location	Azure location (region) where global resources such as role definitions and event hub will be deployed. These tenant-wide resources only need to be created once regardless of how many subscriptions are monitored.	`string`	`"westus"`	no
log_ingestion_settings	Configuration settings for log ingestion. Controls whether to enable Azure Activity Logs and Microsoft Entra ID logs collection via Event Hubs, and allows using either newly created Event Hubs or existing ones.	object({ activity_log = optional(object({ enabled = bool existing_eventhub = optional(object({ use = bool eventhub_resource_id = optional(string, "") eventhub_consumer_group_name = optional(string, "") }), { use = false }) }), { enabled = true }) entra_id_log = optional(object({ enabled = bool existing_eventhub = optional(object({ use = bool eventhub_resource_id = optional(string, "") eventhub_consumer_group_name = optional(string, "") }), { use = false }) }), { enabled = true }) })	`{}`	no
management_group_ids	List of Azure management group IDs to monitor with CrowdStrike Falcon Cloud Security. All subscriptions within these management groups will be automatically discovered and monitored.	`list(string)`	`[]`	no
microsoft_graph_permission_ids	Optional list of Microsoft Graph permission IDs to assign to the service principal. If provided, these will replace the default permissions.	`list(string)`	`null`	no
resource_prefix	Prefix to be added to all created resource names for identification.	`string`	`""`	no
resource_suffix	Suffix to be added to all created resource names for identification.	`string`	`""`	no
subscription_ids	List of specific Azure subscription IDs to monitor with CrowdStrike Falcon Cloud Security. Use this for targeted monitoring of individual subscriptions.	`list(string)`	`[]`	no
tags	Map of tags to be applied to all resources created by this module. Default includes the CrowdStrike vendor tag.	`map(string)`	{ “CSTagVendor”: “CrowdStrike” }	no

Outputs

Name	Description
active_subscriptions_in_groups	Map of Azure management group scopes to active Azure subscriptions discovered within those groups
activity_log_eventhub_consumer_group_name	Consumer group name for Azure Activity Log ingestion via Event Hub
activity_log_eventhub_id	Resource ID of the Event Hub used for Azure Activity Log ingestion
agentless_scanning_managed_identity_principal_id	Map of subscription IDs to agentless scanning managed identity IDs
entra_id_log_eventhub_consumer_group_name	Consumer group name for Microsoft Entra ID (formerly Azure AD) log ingestion via Event Hub
entra_id_log_eventhub_id	Resource ID of the Event Hub used for Microsoft Entra ID (formerly Azure AD) log ingestion
management_group_scopes	List of Azure management group scopes configured for CrowdStrike Falcon Cloud Security asset inventory
scanning_role_definition_ids_by_mg	Map of management group ID to MG-scoped scanning role definition resource IDs. Pass to target agentless-scanning modules via scanning_role_definition_ids to avoid creating per-subscription role definitions.
service_principal_object_id	Object ID of the CrowdStrike service principal used for Azure resource access
subscription_scopes	List of Azure subscription scopes configured for CrowdStrike Falcon Cloud Security asset inventory
tenant_id	Azure tenant ID used for CrowdStrike Falcon Cloud Security integration