refactor: update examples and format code for release (#31)
afiune authored Oct 13, 2021
1 parent 69fd49c commit 17d1bef
Showing 22 changed files with 66 additions and 261 deletions.
38 changes: 19 additions & 19 deletions README.md
Expand Up @@ -9,25 +9,25 @@ Terraform module that creates an Azure Active Directory Application to provide L

## Inputs

| Name | Description | Type | Default | Required |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------- | --------------------------- | :------: |
| all_subscriptions | (DEPRECATED) If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`) | `bool` | `false` | no |
| application_identifier_uris | A list of user-defined URI(s) for the Lacework AD Application | `list(string)` | `[]` | no |
| application_name | The name of the Azure Active Directory Application | `string` | `"lacework_security_audit"` | no |
| create | (DEPRECATED) Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
| key_vault_ids | (DEPRECATED) A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | `[]` | no |
| management_group_id | (DEPRECATED) The ID of the Management Group | `string` | `""` | no |
| password_length | [DEPRECATED] The length of the Lacework AD Application password | `number` | `30` | no |
| subscription_ids | (DEPRECATED) List of subscriptions to grant read access to. By default the module will only use the primary subscription | `list(string)` | `[]` | no |
| tenant_id | A Tenant ID different from the default defined inside the provider | `string` | `""` | no |
| use_management_group | (DEPRECATED) If set to `true`, the AD Application will be set up to leverage a Management Group | `bool` | `false` | no |
| Name | Description | Type | Default | Required |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------- | --------------------------- | :------: |
| application_name | The name of the Azure Active Directory Application | `string` | `"lacework_security_audit"` | no |
| create | Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
| all_subscriptions | (DEPRECATED) If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`) | `bool` | `false` | no |
| subscription_ids | (DEPRECATED) List of subscriptions to grant read access to. By default the module will only use the primary subscription | `list(string)` | `[]` | no |
| application_identifier_uris | (DEPRECATED) A list of user-defined URI(s) for the Lacework AD Application | `list(string)` | `[]` | no |
| key_vault_ids | (DEPRECATED) A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | `[]` | no |
| management_group_id | (DEPRECATED) The ID of the Management Group | `string` | `""` | no |
| password_length | [DEPRECATED] The length of the Lacework AD Application password | `number` | `30` | no |
| tenant_id | A Tenant ID different from the default defined inside the provider | `string` | `""` | no |
| use_management_group | (DEPRECATED) If set to `true`, the AD Application will be set up to leverage a Management Group | `bool` | `false` | no |

## Outputs

| Name | Description |
| -------------------- | ------------------------------------------------ |
| application_id | The Lacework AD Application id |
| application_password | The Lacework AD Application password |
| created | Was the Active Directory Application created |
| service_principal_id | The Lacework Service Principal id |
| tenant_id | A Tenant ID used to configure the AD Application |
| Name | Description |
| -------------------- | ------------------------------------------------ |
| application_id | The Lacework AD Application id |
| application_password | The Lacework AD Application password |
| created | Was the Active Directory Application created |
| service_principal_id | The Lacework Service Principal id |
| tenant_id | (DEPRECATED) A Tenant ID used to configure the AD Application |
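Review bot: the `tenant_id` input row (`| tenant_id | A Tenant ID different from the default defined inside the provider |`) is the only tenant-related entry left without a deprecation marker, while the `tenant_id` output in the same hunk becomes "(DEPRECATED)" and main.tf in this commit stops using the variable for anything except that output; either mark the input deprecated as well or state what it still does. Two smaller points: `password_length` uses `[DEPRECATED]` where every other row uses `(DEPRECATED)`, and the reordered table interleaves live and deprecated inputs (`tenant_id` sits between deprecated rows), so grouping the deprecated rows at the bottom would make the supported surface obvious at a glance.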
31 changes: 0 additions & 31 deletions examples/all-subscriptions-ad-application/README.md

This file was deleted.

10 changes: 0 additions & 10 deletions examples/all-subscriptions-ad-application/main.tf

This file was deleted.

8 changes: 0 additions & 8 deletions examples/all-subscriptions-ad-application/versions.tf

This file was deleted.

35 changes: 7 additions & 28 deletions examples/custom-ad-application/README.md
@@ -1,39 +1,18 @@
# Custom AD Application to Integrate Azure Tenant and Select Subscriptions
# Default Creation of AD Application for Lacework

The following example shows how to deploy a new Azure AD application to integrate an Azure Tenant and select subscriptions with Lacework. This example provides examples of configuring the integration with module inputs.
The following example shows how to deploy a new Azure AD application to be used in other modules to integrate Azure Tenant and Subscriptions with Lacework.

This example provides examples of configuring the AD application with a custom name.

## Sample Code

```hcl
terraform {
required_providers {
lacework = {
source = "lacework/lacework"
}
}
}
provider "azuread" {}
provider "azurerm" {
features {}
}
provider "lacework" {}
module "ad_application" {
source = "lacework/ad-application/azure"
version = "~> 0.1"
application_name = "lacework_custom_ad_application_name"
application_identifier_uris = ["https://account.lacework.net"]
subscription_ids = ["subscription-id-1", "subscription-id-2", "subscription-id-3"]
tenant_id = "123abc12-abcd-1234-abcd-abcd12340123"
password_length = 16
key_vault_ids = [
"/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault1",
"/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault2",
"/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault3"
]
source = "lacework/ad-application/azure"
version = "~> 1.0"
application_name = "lacework_custom_ad_application_name"
}
```
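Review bot: the new title `# Default Creation of AD Application for Lacework` is identical to the heading the default example uses, so the custom-name example no longer says what makes it different; something like `# Custom AD Application Name for Lacework` keeps the two examples distinguishable in the examples index. Also, the sample drops the `provider "azuread" {}` and `provider "azurerm" { features {} }` blocks and this commit deletes the example's versions.tf, so nothing in the example pins the provider versions the module was tested with; a one-line pointer to where provider configuration and version constraints are expected would help readers copying the snippet.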

17 changes: 2 additions & 15 deletions examples/custom-ad-application/main.tf
@@ -1,19 +1,6 @@
provider "azuread" {}

provider "azurerm" {
features {}
}

module "ad_application" {
source = "../../"
application_name = "lacework_custom_ad_application_name"
application_identifier_uris = ["https://account.lacework.net"]
subscription_ids = ["subscription-id-1", "subscription-id-2", "subscription-id-3"]
tenant_id = "123abc12-abcd-1234-abcd-abcd12340123"
password_length = 16
key_vault_ids = [
"/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault1",
"/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault2",
"/subscriptions/1234abcd-1234-abcd-a1b3-abcd12345xyz/resourceGroups/lwresourcegroup/providers/Microsoft.KeyVault/vaults/keyvault3"
]
source = "../../"
application_name = "lacework_custom_ad_application_name"
}
8 changes: 0 additions & 8 deletions examples/custom-ad-application/versions.tf

This file was deleted.

18 changes: 2 additions & 16 deletions examples/default-ad-application/README.md
@@ -1,26 +1,12 @@
# Default AD Application to Integrate Azure Tenant and Default Subscription
# Default Creation of AD Application for Lacework

The following example shows how to deploy a new Azure AD application to integrate an Azure Tenant and select subscriptions with Lacework. This example provides examples of configuring the integration with module inputs.
The following example shows how to deploy a new Azure AD application to be used in other modules to integrate Azure Tenant and Subscriptions with Lacework.

## Sample Code

```hcl
terraform {
required_providers {
lacework = {
source = "lacework/lacework"
}
}
}
provider "azuread" {}
provider "azurerm" {
features {}
}
provider "lacework" {}
module "ad_application" {
source = "lacework/ad-application/azure"
version = "~> 0.1"
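Review bot: the visible tail of this hunk still shows `version = "~> 0.1"` while the skip-creation example in this same commit bumps to `version = "~> 1.0"`; the diff is cut off here, so confirm the default example's constraint was bumped too, otherwise `terraform init` on this sample resolves the pre-release module rather than the one the updated README describes.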
4 changes: 0 additions & 4 deletions examples/default-ad-application/main.tf
@@ -1,9 +1,5 @@
provider "azuread" {}

provider "azurerm" {
features {}
}

module "ad_application" {
source = "../../"
}
8 changes: 0 additions & 8 deletions examples/default-ad-application/versions.tf

This file was deleted.

32 changes: 0 additions & 32 deletions examples/management-group/README.md

This file was deleted.

11 changes: 0 additions & 11 deletions examples/management-group/main.tf

This file was deleted.

8 changes: 0 additions & 8 deletions examples/management-group/versions.tf

This file was deleted.

16 changes: 1 addition & 15 deletions examples/skip-creation-ad-application/README.md
Expand Up @@ -5,25 +5,11 @@ The following example shows how to use module inputs to skip the creation of the
## Sample Code

```hcl
terraform {
required_providers {
lacework = {
source = "lacework/lacework"
}
}
}
provider "azuread" {}
provider "azurerm" {
features {}
}
provider "lacework" {}
module "ad_application" {
source = "lacework/ad-application/azure"
version = "~> 0.1"
version = "~> 1.0"
create = false
}
```
4 changes: 0 additions & 4 deletions examples/skip-creation-ad-application/main.tf
@@ -1,9 +1,5 @@
provider "azuread" {}

provider "azurerm" {
features {}
}

module "ad_application" {
source = "../../"
create = false
8 changes: 0 additions & 8 deletions examples/skip-creation-ad-application/versions.tf

This file was deleted.

File renamed without changes
31 changes: 15 additions & 16 deletions main.tf
@@ -1,7 +1,4 @@
locals {
#To be removed [DEPRECATED] tenant_id
tenant_id = length(var.tenant_id) > 0 ? var.tenant_id : data.azuread_client_config.current.tenant_id

application_id = var.create ? (
length(azuread_application.lacework) > 0 ? azuread_application.lacework[0].application_id : ""
) : ""
Expand All @@ -18,16 +15,17 @@ data "azuread_client_config" "current" {}
## Create a service principal and assigned Directory Reader role in Azure AD
resource "azuread_application" "lacework" {
count = var.create ? 1 : 0
display_name = var.application_name
display_name = var.application_name
owners = [data.azuread_client_config.current.object_id]
logo_image = filebase64("${path.module}/lacework_logo.png")
marketing_url = "https://www.lacework.com/"
web{
homepage_url = "https://www.lacework.com"
logo_image = filebase64("${path.module}/imgs/lacework_logo.png")
marketing_url = "https://www.lacework.com/"
web {
homepage_url = "https://www.lacework.com/"
}
}
resource "azuread_directory_role" "dir-reader" {
display_name = "Directory Readers"

resource "azuread_directory_role" "dir_reader" {
display_name = "Directory Readers"
}

resource "azuread_service_principal" "lacework" {
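Review bot: renaming `azuread_directory_role.dir-reader` to `azuread_directory_role.dir_reader` without a `moved` block means existing states plan a destroy and re-create of the Directory Readers role activation (and of the role-member resource that references it) on the next apply; add `moved { from = azuread_directory_role.dir-reader to = azuread_directory_role.dir_reader }` if the module requires Terraform 1.1 or later, otherwise document the `terraform state mv` step in the release notes. Separately, `azuread_directory_role "dir_reader"` has no `count = var.create ? 1 : 0` while the application and the role member are gated on `var.create`, so `create = false` still manages the role activation in the tenant.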
@@ -42,12 +40,13 @@ resource "azuread_application_password" "client_secret" {
depends_on = [azuread_service_principal.lacework]
}

#https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#directory-readers
#When to use this role? When Granting service principals access to directory where Directory.Read.All is not an option.
#this way we avoid Grant Admin Consent issue
resource "azuread_directory_role_member" "lacework-dir-reader" {
# When to use this role? When Granting service principals access to directory where
# Directory.Read.All is not an option. This way we avoid Grant Admin Consent issue.
#
# => https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#directory-readers
resource "azuread_directory_role_member" "lacework_dir_reader" {
count = var.create ? 1 : 0
role_object_id = azuread_directory_role.dir-reader.object_id
role_object_id = azuread_directory_role.dir_reader.object_id
member_object_id = local.service_principal_id
depends_on = [azuread_service_principal.lacework]
}
}
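Review bot: the comment says this role assignment avoids the admin-consent step, but adding a service principal to Directory Readers still requires the identity running `terraform apply` to hold Privileged Role Administrator or Global Administrator in the tenant; state that requirement next to the comment (or in the README) so a least-privilege deployer knows why the apply fails. The `lacework-dir-reader` to `lacework_dir_reader` rename is also a new resource address, so without a `moved { from = azuread_directory_role_member.lacework-dir-reader to = azuread_directory_role_member.lacework_dir_reader }` block or a documented `terraform state mv`, existing deployments drop and re-add the membership on upgrade.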
6 changes: 4 additions & 2 deletions output.tf
Expand Up @@ -19,7 +19,9 @@ output "service_principal_id" {
description = "The Lacework Service Principal id"
}

# @afiune We should remove these deprecations in a couple of months
# https://github.com/lacework/terraform-azure-ad-application/issues/30
output "tenant_id" {
value = local.tenant_id
description = "A Tenant ID used to configure the AD Application"
value = var.tenant_id
description = "[DEPRECATED] A Tenant ID used to configure the AD Application"
}
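Review bot: `value = var.tenant_id` changes what existing consumers receive: the output previously fell back to the authenticated provider's tenant id when `var.tenant_id` was left at its default, and now returns the empty string unless the caller set the input. Any caller wired as `tenant_id = module.ad_application.tenant_id` silently gets `""`; call this out as a breaking change in the release notes and have the description say the value is the input echoed back rather than a discovered tenant. The `@afiune` reminder would also be easier to find later as a `TODO` with the issue link.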
2 changes: 0 additions & 2 deletions scripts/ci_tests.sh
Expand Up @@ -9,10 +9,8 @@ set -eou pipefail
readonly project_name=terraform-azure-ad-application

TEST_CASES=(
examples/all-subscriptions-ad-application
examples/custom-ad-application
examples/default-ad-application
examples/management-group
examples/skip-creation-ad-application
)
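Review bot: removing `examples/all-subscriptions-ad-application` and `examples/management-group` from `TEST_CASES` leaves `all_subscriptions`, `subscription_ids`, `management_group_id`, `use_management_group` and `key_vault_ids` with no CI coverage even though the README in this commit still lists them as accepted (deprecated) inputs; until they are actually removed, keep one minimal test case that sets them so a regression in the deprecation path is caught before the inputs are dropped.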
