refactor: remove Reader permissions from AD app and unbundle azurerm …
…stuff (#26)
marcosgm authored Oct 12, 2021
1 parent 106ad24 commit 6a38bc1
Showing 3 changed files with 16 additions and 57 deletions.
12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -11,16 +11,16 @@ Terraform module that creates an Azure Active Directory Application to provide L

| Name | Description | Type | Default | Required |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------- | --------------------------- | :------: |
| all_subscriptions | If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`) | `bool` | `false` | no |
| all_subscriptions | (DEPRECATED) If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`) | `bool` | `false` | no |
| application_identifier_uris | A list of user-defined URI(s) for the Lacework AD Application | `list(string)` | `[]` | no |
| application_name | The name of the Azure Active Directory Application | `string` | `"lacework_security_audit"` | no |
| create | Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
| key_vault_ids | A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | `[]` | no |
| management_group_id | The ID of the Management Group | `string` | `""` | no |
| create | (DEPRECATED) Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
| key_vault_ids | (DEPRECATED) A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | `[]` | no |
| management_group_id | (DEPRECATED) The ID of the Management Group | `string` | `""` | no |
| password_length | [DEPRECATED] The length of the Lacework AD Application password | `number` | `30` | no |
| subscription_ids | List of subscriptions to grant read access to. By default the module will only use the primary subscription | `list(string)` | `[]` | no |
| subscription_ids | (DEPRECATED) List of subscriptions to grant read access to. By default the module will only use the primary subscription | `list(string)` | `[]` | no |
| tenant_id | A Tenant ID different from the default defined inside the provider | `string` | `""` | no |
| use_management_group | If set to `true`, the AD Application will be set up to leverage a Management Group | `bool` | `false` | no |
| use_management_group | (DEPRECATED) If set to `true`, the AD Application will be set up to leverage a Management Group | `bool` | `false` | no |

## Outputs

49 changes: 4 additions & 45 deletions main.tf
@@ -1,12 +1,6 @@
locals {
tenant_id = length(var.tenant_id) > 0 ? var.tenant_id : data.azurerm_subscription.primary.tenant_id
subscription_ids = var.all_subscriptions ? (
// the user wants to grant access to all subscriptions
[for s in data.azurerm_subscriptions.available.subscriptions : s.subscription_id]
) : (
// or, if the user wants to grant a list of subscriptions, if none then we default to the primary subscription
length(var.subscription_ids) > 0 ? var.subscription_ids : [data.azurerm_subscription.primary.subscription_id]
)
tenant_id = length(var.tenant_id) > 0 ? var.tenant_id : data.azuread_client_config.current.tenant_id

application_id = var.create ? (
length(azuread_application.lacework) > 0 ? azuread_application.lacework[0].application_id : ""
) : ""
Expand All @@ -18,7 +12,7 @@ locals {
) : ""
}

data "azurerm_subscription" "primary" {}
data "azuread_client_config" "current" {}
resource "azuread_application" "lacework" {
count = var.create ? 1 : 0
display_name = var.application_name
Expand Down Expand Up @@ -86,44 +80,9 @@ resource "azuread_service_principal" "lacework" {
}
}

resource "azurerm_key_vault_access_policy" "default" {
count = var.create ? length(var.key_vault_ids) : 0
key_vault_id = var.key_vault_ids[count.index]
object_id = local.service_principal_id
tenant_id = local.tenant_id

key_permissions = [
"List"
]
secret_permissions = [
"List"
]
}

data "azurerm_subscriptions" "available" {}
resource "azurerm_role_assignment" "grant_reader_role_to_subscriptions" {
count = var.create ? length(local.subscription_ids) : 0
scope = "/subscriptions/${local.subscription_ids[count.index]}"

principal_id = local.service_principal_id
role_definition_name = "Reader"
}

resource "azuread_application_password" "client_secret" {
count = var.create ? 1 : 0
application_object_id = azuread_application.lacework[count.index].object_id
end_date = "2299-12-31T01:02:03Z"
depends_on = [azuread_service_principal.lacework]
}

data "azurerm_management_group" "default" {
count = var.use_management_group ? 1 : 0
name = var.management_group_id
}

resource "azurerm_role_assignment" "default" {
count = var.use_management_group ? 1 : 0
scope = data.azurerm_management_group.default[0].id
principal_id = local.service_principal_id
role_definition_name = "Reader"
}
}
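Review bot: The `azuread_application_password.client_secret` resource that survives the last hunk (it reads as context between the removed key-vault access policy and the removed management-group role assignment, so this is inferred from the 9-line new side) still carries `end_date = "2299-12-31T01:02:03Z"`, which makes the secret the module hands out effectively non-expiring and never rotated by Terraform. With the Reader role assignments gone, that secret is the main thing this module emits, so its lifetime deserves to be configurable, e.g. `end_date = var.secret_end_date` backed by a new `variable "secret_end_date"` (constructed name) whose default is the current literal, so consumers can shorten validity without forking. The first hunk drops `data.azurerm_subscription.primary` and the last drops `data.azurerm_subscriptions.available`, but the `locals` block continues past the first hunk and outputs.tf is not in this commit, so any remaining reference to those data sources would only surface when the azurerm provider is removed; worth checking before that step. A blank line between `data "azuread_client_config" "current" {}` and the `resource "azuread_application"` block directly under it would match the spacing used elsewhere in the file.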
12 changes: 6 additions & 6 deletions variables.tf
@@ -1,19 +1,19 @@
variable "create" {
type = bool
default = true
description = "Set to `false` to prevent the module from creating any resources"
description = "[DEPRECATED] Set to `false` to prevent the module from creating any resources"
}

variable "subscription_ids" {
type = list(string)
description = "List of subscriptions to grant read access to. By default the module will only use the primary subscription"
description = "[DEPRECATED] List of subscriptions to grant read access to. By default the module will only use the primary subscription"
default = []
}

variable "all_subscriptions" {
type = bool
default = false
description = "If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`)"
description = "[DEPRECATED] If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`)"
}

variable "application_name" {
Expand All @@ -38,7 +38,7 @@ variable "password_length" {
# Azure App to have access to each Key Vault used in your subscriptions.
variable "key_vault_ids" {
type = list(string)
description = "A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to"
description = "[DEPRECATED] A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to"
default = []
}

Expand All @@ -52,11 +52,11 @@ variable "application_identifier_uris" {
variable "use_management_group" {
type = bool
default = false
description = "If set to `true`, the AD Application will be set up to leverage a Management Group"
description = "[DEPRECATED] If set to `true`, the AD Application will be set up to leverage a Management Group"
}

variable "management_group_id" {
type = string
default = ""
description = "The ID of the Management Group"
description = "[DEPRECATED] The ID of the Management Group"
}
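Review bot: The `create` variable is now described as `[DEPRECATED]` in the first hunk, yet main.tf in this same commit still gates every resource on it (`count = var.create ? 1 : 0`), so a consumer who reads the description and stops passing it will still see the flag drive behaviour; either the label should say what happens to the value, e.g. `"[DEPRECATED] Still honoured; set to `false` to prevent the module from creating any resources"`, or the deprecation should wait until the count expressions are removed. The other five variables marked here (`subscription_ids`, `all_subscriptions`, `key_vault_ids`, `use_management_group`, `management_group_id`) no longer feed any resource after the main.tf changes, so their descriptions could state that the value is ignored, which avoids the impression that Reader or Key Vault access is still being granted. The README in this commit uses `(DEPRECATED)` while variables.tf uses `[DEPRECATED]` and the existing `password_length` entry already uses the bracketed form, so one marker should be chosen for both files.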
