This Terraform module simplifies the deployment of the Maester tool, enabling you to quickly set it up in your Azure tenant. The primary goal is to provide valuable insights into the security of your Azure environment with minimal mandatory configuration. You can customize key settings as needed. For more information about Maester, visit the official website.
To use this module, you need to provide the maester.ps1 script as input. You can find examples of how to run the script and the available functions on Maester's website. There is also an example here
Ensure you have access to a privileged role that can grant Admin Consent (e.g., Global Administrator) for the managed identity running the runbook. For more details on granting Admin Consent, refer to the Microsoft documentation.
This solution uses an Azure Automation Account to execute a runbook using the managed identity of the automation account. This setup allows you to evaluate your tenant based on the tests defined in your PowerShell script. Simply provide your script as input to the module to get started.
The module provides the option to set up an web application to display the report from Maester. The web app is configured to only allow members of my organization access.
- Restrict access to the web application
- Implement other deployment options that are supported by
Maester. Such as:- Azure DevOps integration
- Slack integration
- GitHub integration
- Option for storing the report in a dedicated storage account
| Name | Version |
|---|---|
| terraform | ~>1.0 |
| azuread | ~>3.0 |
| azurerm | ~>4.0 |
| time | ~>0.12 |
| Name | Version |
|---|---|
| azuread | ~>3.0 |
| azurerm | ~>4.0 |
| local | n/a |
| random | n/a |
No modules.
| Name | Type |
|---|---|
| azuread_app_role_assignment.this | resource |
| azuread_application.this | resource |
| azuread_service_principal.msgraph | resource |
| azurerm_app_service.this | resource |
| azurerm_app_service_plan.this | resource |
| azurerm_automation_account.this | resource |
| azurerm_automation_job_schedule.this | resource |
| azurerm_automation_powershell72_module.this | resource |
| azurerm_automation_runbook.this | resource |
| azurerm_automation_schedule.this | resource |
| azurerm_automation_variable_string.this | resource |
| azurerm_resource_group.this | resource |
| azurerm_role_assignment.this | resource |
| random_pet.app_service_suffix | resource |
| azuread_application_published_app_ids.well_known | data source |
| azurerm_client_config.this | data source |
| local_file.powershell_runbook | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| app_roles | A map of app roles to assign to the managed identity for the automation account. This have as default every role you need to run Maester. But you need to give admin consent after assigning the roles. | list(string) |
[ |
no |
| app_service_name | The name of the App Service | string |
"app-maester" |
no |
| app_service_plan | The configuration of the App Service Plan | map(string) |
{ |
no |
| app_service_plan_name | The name of the App Service Plan | string |
"maester-app-service-plan" |
no |
| automation_account_name | The name of the Automation account | string |
"aa-maester" |
no |
| email_address | The email address of the user that will receive the reports | string |
null |
no |
| enable_web_app | Enable the creation of the web app | bool |
true |
no |
| file_path | The path to the file that will be uploaded to the storage account and used as the runbook. This should contain the Maester script. | string |
"runbooks/maester.ps1" |
no |
| location | The location/region where the resources will be created | string |
"westeurope" |
no |
| resource_group_name | The name of the resource group that will contain the resources | string |
"rg-maester" |
no |
| run_schedule | The schedule for the runbook. Valied inputs are day, week or month. The runbook will then once every day, week or month. | string |
"Month" |
no |
| tags | A map of tags to assign to the resources | map(string) |
{ |
no |
| Name | Description |
|---|---|
| app_service | n/a |
| automation_account | n/a |
| azuread_application | n/a |
| resource_group | n/a |