Prisma Cloud: How to set up Drift Detection in Code Security Module

Created On 05/05/23 19:27 PM - Last Modified 04/01/25 16:22 PM


Objective


  • The objective is to successfully set up a Github repository and add Drift Detection support using Prisma Cloud or the 'Yor' tool.


Environment


  • Prisma Cloud
    • Code Security
      • Projects
    • Version Control System (VCS)
      • Github repository


Procedure


Prerequisites

  • This article uses Github and the cloud provider Azure. Drift Detection is also supported with GitLab and/or AWS.
  1. Set up Github repository
  2. Set up Azure environment

Procedure:

  • Set up a repository using this link as a basis (either clone or create new files in your repository) 
  • This creates 5 files: main.tf, outputs.tf, providers.tf, variables.tf and the Workflow tf.yml file (workflow is set up via the Actions tab in Github).

Github repository setup example

  • Follow steps 2 and 3.1 in this link using the Cloud Shell in Azure:
    • Step 2: Copy and paste the output from this into Notepad
      • In the Azure portal, locate the subscription ID by navigating to Subscriptions > Subscription name > copy 'Subscription ID'
      • In the Github repository, click Settings > Secrets and Variables > Actions. Create four secrets. Do not include quotation marks around the values.
        • ARM_CLIENT_ID - Client ID from creating the service principal
        • ARM_CLIENT_SECRET - Secret from creating the service principal
        • ARM_SUBSCRIPTION_ID - Subscription ID
        • ARM_TENANT_ID - Active Directory Tenant ID
    • Step 3.1 - After completing this step, copy the storage account name and the Key from the output.
      • Update the 'providers.tf' file with this information


This shows how to find Settings, select Secrets and variables > Actions, and create a new secret.

Method One - Set up Drift Detection with Prisma Cloud

  1. After completing the Prerequisites to set up the repository, integrate it with Prisma Cloud by following this documentation (or skip to step 2 if this has already been done):
  2. Navigate to Settings > Repositories > Add Repository button
  3. Select Github. A screen will open displaying a list of available repositories.
  4. Search for the relevant repository by using the search function or scrolling through the list.
  5. Check the box to the left of the repository name and click Next. Changes will then be saved. Click Done.
  6. Navigate to Code Security > Projects and click the Ellipses in the upper right corner of the screen. Select 'Manage Tags'

Where to find the ellipses to select Manage Tags

  1. First on the list will be 'yor_trace'. Click the Edit button on the right.
  2. Click the dropdown arrow and select your repository by checking the box to the left of the name.
  3. Click 'Save'
  4. In Github, navigate to Actions. Click Terraform on the left side of the screen.
  5. Click 'Run Workflow,' which is found in the middle right of the window. If all steps up until now have been followed, this workflow should take around 15 minutes to complete.

Displays how a successful Terraform workflow run will appear.

  1. Once the workflow has completed, wait a few minutes and you will receive a notification that Prisma Cloud has sent a Pull Request to add the 'yor' tags to the Terraform file and Azure resources. It will appear as 'Prisma Cloud has created this PR to tag your IaC to Cloud resources.'
  2. Click the pull request name and scroll down to the bottom and look for the Merge button.
  3. Merge the request. This starts a new workflow that will only take a minute or two to complete. When checking the Terraform file 'main.tf' and the resources in Azure, each trackable resource will now have the tag 'yor_trace'.
  4. Prisma Cloud uses this tag to detect any changes made to the Azure resources and any changes in new commits in Github.

Example (the 'yor_trace' tag added to a resource block in main.tf):

resource "azurerm_resource_group" "rg" {
  location = var.resource_group_location
  name     = "${random_pet.prefix.id}-rg"
  tags = {
    # Added by the Prisma Cloud pull request; links this block to the Azure resource
    yor_trace = "cce60e7c-509f-4309-9203-bcbb36861742"
  }
}


Method Two - Set up Drift Detection with Yor

  1. Once the Github repository is set up, integrate it with Prisma Cloud by following this documentation (or skip to step 2 if this has already been done):
  2. Navigate to Settings > Repositories > Click Add Repository button
  3. Select Github. A screen will open displaying a list of available repositories.
  4. Search for the repository by using the search function or scrolling through the list.
  5. Check the box to the left of the repository name and click Next. Changes will then be saved.
  6. Click Done.
  7. Navigate to Code Security > Projects and click the Ellipses in the upper right corner of the screen.
  8. Select 'Manage Tags.' (see screenshot in Method One)
  9. First on the list will be 'yor_trace'. Click the Edit button on the right.
  10. Click the dropdown arrow and select the correct repository by checking the box to the left of the name.
  11. Click 'Save'
  12. Open this link to the documentation on installing Yor
  13. Copy the text in the box under the heading 'Integrate Yor with Github Actions.' Ensure that it lines up with the rest of the text in the tf.yaml file. See below as an example of how it should appear.
  14. If it is not properly aligned, the text will be highlighted with a red underline. Once aligned, the underline will disappear.

An example of how the Yor text should be set in the tf.yaml file

  1. In Github, navigate from the main repository screen > Workflows > tf.yaml
  2. Click the edit button.
  3. At the bottom of the file, paste the text from the Yor documentation. Ensure there is a space between it and the Terraform Apply text above it.
  4. Commit the change.
  5. This will trigger a workflow run that will create the resources in Azure.
  6. Unlike the first method, Yor will add the tags to the main.tf Terraform file and Azure resources at the time of creation and will not require a separate pull request from Prisma Cloud.
