
stacklet/terraform-azure-stacklet-relay


Overview

This Terraform module implements an event forwarding system that captures Azure resource events and relays them to Stacklet's AWS-based platform for real-time policy execution and governance. It creates a cross-cloud event bridge that enables Stacklet's governance capabilities to extend from AWS into Azure environments.

Architecture

The system works through a four-step process:

1. Event Capture (Azure EventGrid)

  • Sets up an Azure EventGrid System Topic to capture subscription-level events
  • By default monitors these resource events:
    • Microsoft.Resources.ResourceWriteSuccess (resource creation/updates)
    • Microsoft.Resources.ResourceActionSuccess (resource actions)
    • Microsoft.Resources.ResourceDeleteSuccess (resource deletions)

2. Event Storage (Azure Storage Queue)

  • Events are queued in an Azure Storage Queue so that delivery to the function is decoupled from EventGrid and retried on failure
  • Events are delivered in the CloudEvents v1.0 JSON schema, so every message carries the required specversion, id, source and type attributes

3. Event Processing (Azure Function)

  • Python-based Azure Function processes events from the storage queue
  • Uses queue trigger to automatically process incoming events
  • Runs on Linux App Service Plan with Python 3.10

4. Cross-Cloud Authentication & Event Forwarding

  • The function's user-assigned managed identity requests an Azure AD (OIDC) identity token; no long-lived AWS access keys are stored in Azure
  • The token is exchanged with AWS STS AssumeRoleWithWebIdentity for short-lived credentials on the Stacklet-provided target role; STS verifies the token's signature, issuer and audience against that role's trust policy
  • Events are put on the target EventBridge event bus in the Stacklet account
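The four steps above, as an added example that is not part of this module's code: a self-contained Python model of one queue-trigger invocation of the relay function. It parses the CloudEvents 1.0 message, drops event types outside event_names, checks that the managed-identity token is unexpired before calling STS AssumeRoleWithWebIdentity with a role ARN composed from the aws_target_* inputs, and puts the event on the target bus, treating EventBridge's per-entry FailedEntryCount as an error so a rejected event is retried by the queue rather than silently lost. The helper names, the mapping of CloudEvent fields into the PutEvents entry, and the sample event and token are assumptions made for the example; STS and EventBridge are injected stand-ins so it runs offline.

```python
"""Added example, not code from the stacklet/terraform-azure-stacklet-relay
module: a pure-Python model of one queue-trigger invocation of the relay
function (steps 2 to 4 above). RelayConfig mirrors the module's aws_target_*
inputs; helper names, the CloudEvent-to-EventBridge field mapping, sample
event and sample token are assumptions. STS and EventBridge are injected
callables (real code: boto3 sts.assume_role_with_web_identity, events.put_events)."""
import base64, json, re, time
from dataclasses import dataclass

CLOUDEVENT_REQUIRED = ("specversion", "id", "source", "type")
DEFAULT_EVENT_NAMES = ("Microsoft.Resources.ResourceWriteSuccess",
                       "Microsoft.Resources.ResourceActionSuccess",
                       "Microsoft.Resources.ResourceDeleteSuccess")
EVENTBRIDGE_MAX_ENTRY = 256 * 1024   # PutEvents per-entry size limit in bytes

@dataclass(frozen=True)
class RelayConfig:
    aws_target_partition: str
    aws_target_account: str
    aws_target_role_name: str
    aws_target_event_bus: str
    event_names: tuple = DEFAULT_EVENT_NAMES

    @property
    def role_arn(self) -> str:   # composed from the module's aws_target_* inputs
        return f"arn:{self.aws_target_partition}:iam::{self.aws_target_account}:role/{self.aws_target_role_name}"

def parse_cloudevent(raw: bytes) -> dict:
    """Decode a queue message and enforce the CloudEvents 1.0 required attributes."""
    event = json.loads(raw)
    if event.get("specversion") != "1.0":
        raise ValueError(f"unsupported specversion {event.get('specversion')!r}")
    missing = [k for k in CLOUDEVENT_REQUIRED if not event.get(k)]
    if missing:
        raise ValueError(f"CloudEvent missing required attributes: {missing}")
    return event

def jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying it. The relay only checks expiry; signature,
    issuer and audience are verified by AWS STS against the target role's trust policy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def assume_role_params(cfg: RelayConfig, token: str, session_name: str) -> dict:
    """Validated parameters for STS AssumeRoleWithWebIdentity."""
    if jwt_claims(token).get("exp", 0) <= time.time():
        raise ValueError("identity token expired; request a fresh one from the managed identity")
    if not re.fullmatch(r"[\w+=,.@-]{2,64}", session_name):
        raise ValueError("RoleSessionName must be 2-64 chars of [\\w+=,.@-]")
    return {"RoleArn": cfg.role_arn, "RoleSessionName": session_name, "WebIdentityToken": token}

def eventbridge_entry(cfg: RelayConfig, event: dict):
    """Map a CloudEvent to a PutEvents entry, or None when its type is not subscribed.
    The whole CloudEvent travels as Detail so subject, time and data are preserved."""
    if event["type"] not in cfg.event_names:
        return None
    detail = json.dumps(event, separators=(",", ":"))
    if len(detail.encode()) > EVENTBRIDGE_MAX_ENTRY:
        raise ValueError("event exceeds the EventBridge entry size limit")
    return {"Source": event["source"], "DetailType": event["type"],
            "Detail": detail, "EventBusName": cfg.aws_target_event_bus}

def relay_message(raw: bytes, token: str, cfg: RelayConfig, assume_role, put_events) -> dict:
    """One invocation: parse, filter, exchange the token, forward, check the result."""
    event = parse_cloudevent(raw)
    entry = eventbridge_entry(cfg, event)
    if entry is None:
        return {"status": "filtered", "type": event["type"]}
    creds = assume_role(**assume_role_params(cfg, token, "stacklet-azure-relay"))["Credentials"]
    resp = put_events(creds, Entries=[entry])
    if resp.get("FailedEntryCount"):   # PutEvents reports per-entry failures, not exceptions
        raise RuntimeError(f"EventBridge rejected the entry: {resp['Entries']}")
    return {"status": "forwarded", "id": event["id"]}

# Constructed sample input so the example runs offline (values are placeholders).
EXAMPLE_CFG = RelayConfig("aws", "123456789012", "stacklet-azure-relay-role", "stacklet-events")
SAMPLE_EVENT = json.dumps({   # shaped like an EventGrid CloudEvents 1.0 subscription event
    "specversion": "1.0", "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
    "source": "/subscriptions/00000000-0000-0000-0000-000000000000",
    "subject": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/stacct",
    "type": "Microsoft.Resources.ResourceWriteSuccess", "time": "2024-01-01T00:00:00Z",
    "data": {"operationName": "Microsoft.Storage/storageAccounts/write", "status": "Succeeded"},
}).encode()

def unsigned_token(claims: dict) -> str:
    """Unsigned JWT for the offline sample only; real tokens are signed by Azure AD."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64(claims) + "."

def fake_sts(**params):   # stands in for sts.assume_role_with_web_identity
    return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "s", "SessionToken": "t"}}

def fake_put_events(creds, Entries):   # stands in for events.put_events
    return {"FailedEntryCount": 0, "Entries": [{"EventId": f"e-{i}"} for i, _ in enumerate(Entries)]}

def demo(event_bytes: bytes = SAMPLE_EVENT) -> dict:
    token = unsigned_token({"aud": "api://stacklet-relay", "exp": int(time.time()) + 600})
    return relay_message(event_bytes, token, EXAMPLE_CFG, fake_sts, fake_put_events)
```

Two points worth carrying into a real deployment: the relay never verifies the token itself (STS does, against the target role's trust policy, so that trust policy should pin the issuer and audience to the Azure AD application this module creates), and the queue trigger's retry behaviour depends on the function raising rather than returning when EventBridge rejects an entry.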

Key Components Deployed

  1. Azure Resource Group - Contains all module resources
  2. Azure EventGrid System Topic - Captures subscription-level events
  3. Azure Storage Account & Queue - Provides reliable event storage
  4. Azure Function App - Handles event processing and forwarding
  5. Azure Application Insights - Enables monitoring and logging
  6. Azure AD Application & Service Principal - Manages cross-cloud authentication
  7. User Assigned Identity - Provides managed identity for the function

Benefits

This system enables:

  • Event-driven policy execution - Real-time response to Azure resource changes
  • Real-time compliance monitoring - Immediate visibility into compliance status
  • Automated governance actions - Automated remediation and policy enforcement
  • Cross-cloud resource visibility - Unified governance across Azure and AWS

Requirements

Azure Functions Core Tools (the func CLI) must be installed on the machine that runs terraform apply: the module publishes the function code through a null_resource provisioner (null_resource.function_deploy) that relies on it, so a plan that applies cleanly elsewhere will fail at that step without it.

Providers

| Name | Version |
|------|---------|
| azuread | n/a |
| azurerm | n/a |
| local | n/a |
| null | n/a |
| random | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azuread_application.stacklet_application | resource |
| azuread_service_principal.stacklet_sp | resource |
| azurerm_application_insights.stacklet | resource |
| azurerm_eventgrid_system_topic.azure_rm_events | resource |
| azurerm_eventgrid_system_topic_event_subscription.azure_rm_event_subscription | resource |
| azurerm_linux_function_app.stacklet | resource |
| azurerm_resource_group.stacklet_rg | resource |
| azurerm_service_plan.stacklet | resource |
| azurerm_storage_account.stacklet | resource |
| azurerm_storage_queue.stacklet | resource |
| azurerm_user_assigned_identity.stacklet_identity | resource |
| local_file.function_json | resource |
| null_resource.function_deploy | resource |
| null_resource.stacklet | resource |
| random_string.storage_account_suffix | resource |
| random_uuid.app_role_uuid | resource |
| azuread_application.stacklet_application | data source |
| azuread_client_config.current | data source |
| azuread_service_principal.stacklet_sp | data source |
| azurerm_client_config.current | data source |
| azurerm_eventgrid_system_topic.azure_rm_events | data source |
| azurerm_role_definition.builtin | data source |
| azurerm_subscription.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws_target_account | AWS target account for the relay, provided by Stacklet. | `string` | n/a | yes |
| aws_target_event_bus | AWS target event bus for the relay, provided by Stacklet. | `string` | n/a | yes |
| aws_target_partition | AWS target partition for the relay, provided by Stacklet. | `string` | `"aws"` | no |
| aws_target_prefix | Deployment prefix of the target Stacklet instance, provided by Stacklet. | `string` | n/a | yes |
| aws_target_region | AWS target region for the relay, provided by Stacklet. | `string` | n/a | yes |
| aws_target_role_name | Name of the AWS target role assumed by the relay, provided by Stacklet. | `string` | n/a | yes |
| azuread_application | Existing Azure AD application to use; one per tenant. | `string` | `null` | no |
| event_grid_topic_name | Name of the subscription-events System Topic, if one already exists. | `string` | `null` | no |
| event_grid_topic_resource_group | Resource group of the subscription-events System Topic, if one already exists. | `string` | `null` | no |
| event_names | EventGrid event types to forward. | `list(string)` | `["Microsoft.Resources.ResourceWriteSuccess", "Microsoft.Resources.ResourceActionSuccess", "Microsoft.Resources.ResourceDeleteSuccess"]` | no |
| prefix | Prefix for the names of all generated resources. | `string` | n/a | yes |
| resource_group_location | Location of the resource group for generated resources. | `string` | n/a | yes |
| tags | Tags to apply to resources. | `map(any)` | `{}` | no |

Outputs

No outputs.

About

Terraform Module to relay events into Stacklet
