This document outlines how to deploy the wiz-cli Docker image as an Azure Container Instance.
By reusing the wiz-cli Docker image and only changing its entrypoint, you keep running the supported image rather than building and maintaining your own.
This TechNote illustrates scanning IaC templates, but the approach can be extended or modified for other use cases.
The prerequisites are:
- Access to Wiz as a Global Contributor or Global Admin in order to create a Wiz Service Account
- Access to Azure to create an Azure Resource Group, Storage Account and Share, and Container Instance with network connectivity to your Wiz Console
A Wiz Service Account Key is required for wiz-cli to authenticate, download scan configuration, and upload scan results.
Follow the documentation to create a Service Account with:
- Account Type: Custom Integration (GraphQL API)
- Permissions: create:security_scans
Save the Client ID and Client Secret of the Wiz Service Account for use as secure environment variables of the Azure Container Instance.
Edit and execute the following to create the Azure Resource Group, Storage Account and Share. The Client ID and Client Secret come from the Wiz Service Account created above.

```shell
export WIZ_CONTAINER_NAME=wizcli
export WIZ_LOCATION=westus3
export WIZ_RESOURCE_GROUP=Wiz-Group
export WIZ_CLIENTID=[REDACTED]
export WIZ_CLIENTSECRET=[REDACTED]
export WIZ_STORAGE_ACCOUNT=wizclidata
export WIZ_STORAGE_ACCOUNT_SHARE=wizclidatashare

az group create --name ${WIZ_RESOURCE_GROUP} --location ${WIZ_LOCATION}
az storage account create --name ${WIZ_STORAGE_ACCOUNT} --location ${WIZ_LOCATION} --resource-group ${WIZ_RESOURCE_GROUP} --sku Standard_LRS
az storage share create --name ${WIZ_STORAGE_ACCOUNT_SHARE} --account-name ${WIZ_STORAGE_ACCOUNT}

# Capture the storage account key so the container can mount the share
export WIZ_STORAGE_ACCOUNT_KEY=$(az storage account keys list --account-name ${WIZ_STORAGE_ACCOUNT} --resource-group ${WIZ_RESOURCE_GROUP} --query "[0].value" --output tsv)
```
You can upload files now, or after the Azure Container Instance is restarted.
Execute the following to create an Azure Container Instance that mounts the Azure Storage Account Share and scans the files uploaded to it.

```shell
az container create \
  --name ${WIZ_CONTAINER_NAME} \
  --resource-group ${WIZ_RESOURCE_GROUP} \
  --image wiziocli.azurecr.io/wizcli:latest \
  --ip-address private \
  --registry-username Null \
  --registry-password Null \
  --restart-policy Never \
  --azure-file-volume-account-name ${WIZ_STORAGE_ACCOUNT} \
  --azure-file-volume-account-key ${WIZ_STORAGE_ACCOUNT_KEY} \
  --azure-file-volume-share-name ${WIZ_STORAGE_ACCOUNT_SHARE} \
  --azure-file-volume-mount-path /data \
  --secure-environment-variables WIZ_CLIENT_ID=${WIZ_CLIENTID} WIZ_CLIENT_SECRET=${WIZ_CLIENTSECRET} \
  --command-line "/bin/sh -c '/entrypoint auth --id \$WIZ_CLIENT_ID --secret \$WIZ_CLIENT_SECRET; /entrypoint iac scan --path /data'"
```

The Azure Container Instance is configured to execute once and stop via `--restart-policy Never`. The Client ID and Client Secret are passed as secure environment variables so they are not shown in the container's properties, and the escaped `\$` references are expanded by the shell inside the container rather than on your workstation.
To restart the container after uploading files to scan, execute the following command.
```shell
az container start --name ${WIZ_CONTAINER_NAME} --resource-group ${WIZ_RESOURCE_GROUP}
```
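To turn the upload-and-restart step into something a pipeline can gate on, here is an added shell example that is not part of the TechNote: it uploads a local directory of templates to the share, restarts the instance, polls `az container show` until the container stops, prints the scan logs, and returns non-zero when the scan did not exit cleanly. It assumes the WIZ_* variables exported above and an authenticated az CLI; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the TechNote): upload IaC templates to the share,
# restart the container instance, wait for the scan to stop, print its logs,
# and return the scan's exit status so a pipeline can fail on it.
# Assumes the WIZ_* variables exported earlier and an authenticated `az` CLI.

# Upload every file under a local directory to the share mounted at /data.
wiz_upload() {
  az storage file upload-batch \
    --account-name "${WIZ_STORAGE_ACCOUNT}" \
    --account-key "${WIZ_STORAGE_ACCOUNT_KEY}" \
    --destination "${WIZ_STORAGE_ACCOUNT_SHARE}" \
    --source "$1"
}

# Translate the instance's currentState into a single word:
# passed (stopped, exit 0), failed (stopped, non-zero), running (anything else).
# A missing exit code while stopped is treated as a failure, never as a pass.
wiz_classify() {
  state="$1"; code="$2"
  case "$state" in
    Terminated|Stopped)
      if [ "$code" = "0" ]; then echo passed; else echo failed; fi ;;
    *) echo running ;;
  esac
}

# Start the container and poll until auth + iac scan have finished.
wiz_run_scan() {
  az container start --name "${WIZ_CONTAINER_NAME}" --resource-group "${WIZ_RESOURCE_GROUP}" >/dev/null
  while :; do
    # tsv output puts the two queried values on one tab-separated line
    view=$(az container show --name "${WIZ_CONTAINER_NAME}" --resource-group "${WIZ_RESOURCE_GROUP}" \
      --query "[containers[0].instanceView.currentState.state, containers[0].instanceView.currentState.exitCode]" \
      --output tsv)
    state=$(printf '%s' "$view" | cut -f1)
    code=$(printf '%s' "$view" | cut -f2)
    result=$(wiz_classify "$state" "$code")
    [ "$result" = running ] || break
    sleep 10
  done
  az container logs --name "${WIZ_CONTAINER_NAME}" --resource-group "${WIZ_RESOURCE_GROUP}"
  [ "$result" = passed ]
}

# Usage from a pipeline step: wiz_upload ./iac && wiz_run_scan
```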
| Date | Revision | Author | Change Summary |
|---|---|---|---|
| 05/04/2023 | 1.1 | Tom Kishel | Correct variable use |
| 05/01/2023 | 1.0 | Tom Kishel | Initial document |