diff --git a/README.md b/README.md
index 7fb2dae..93cbde5 100644
--- a/README.md
+++ b/README.md
@@ -11,16 +11,16 @@ Terraform module that creates an Azure Active Directory Application to provide L | Name | Description | Type | Default | Required | | --------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------- | --------------------------- | :------: | -| all_subscriptions | If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`) | `bool` | `false` | no | +| all_subscriptions | (DEPRECATED) If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`) | `bool` | `false` | no | | application_identifier_uris | A list of user-defined URI(s) for the Lacework AD Application | `list(string)` | `[]` | no | | application_name | The name of the Azure Active Directory Application | `string` | `"lacework_security_audit"` | no | -| create | Set to `false` to prevent the module from creating any resources | `bool` | `true` | no | -| key_vault_ids | A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | `[]` | no | -| management_group_id | The ID of the Management Group | `string` | `""` | no | +| create | (DEPRECATED) Set to `false` to prevent the module from creating any resources | `bool` | `true` | no | +| key_vault_ids | (DEPRECATED) A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | `[]` | no | +| management_group_id | (DEPRECATED) The ID of the Management Group | `string` | `""` | no | | password_length | [DEPRECATED] The length of the Lacework AD Application password | `number` | `30` | no | -| subscription_ids | List of subscriptions to grant read access to. By default the module will only use the primary subscription | `list(string)` | `[]` | no | +| subscription_ids | (DEPRECATED) List of subscriptions to grant read access to. 
By default the module will only use the primary subscription | `list(string)` | `[]` | no | | tenant_id | A Tenant ID different from the default defined inside the provider | `string` | `""` | no | -| use_management_group | If set to `true`, the AD Application will be set up to leverage a Management Group | `bool` | `false` | no | +| use_management_group | (DEPRECATED) If set to `true`, the AD Application will be set up to leverage a Management Group | `bool` | `false` | no | ## Outputs
diff --git a/main.tf b/main.tf
index 1683e0d..32dc16e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,12 +1,6 @@ locals { - tenant_id = length(var.tenant_id) > 0 ? var.tenant_id : data.azurerm_subscription.primary.tenant_id - subscription_ids = var.all_subscriptions ? ( // the user wants to grant access to all subscriptions [for s in data.azurerm_subscriptions.available.subscriptions : s.subscription_id] ) : ( // or, if the user wants to grant a list of subscriptions, if none then we default to the primary subscription length(var.subscription_ids) > 0 ? var.subscription_ids : [data.azurerm_subscription.primary.subscription_id] ) + tenant_id = length(var.tenant_id) > 0 ? var.tenant_id : data.azuread_client_config.current.tenant_id + application_id = var.create ? ( length(azuread_application.lacework) > 0 ? azuread_application.lacework[0].application_id : "" ) : ""
@@ -18,7 +12,7 @@ locals { ) : "" } -data "azurerm_subscription" "primary" {} +data "azuread_client_config" "current" {} resource "azuread_application" "lacework" { count = var.create ? 1 : 0 display_name = var.application_name
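Review bot: After this commit `local.tenant_id` on the new side may have no consumer left in main.tf — its only visible reader was the `azurerm_key_vault_access_policy` block, which the later hunk deletes, and nothing else in the diff touches it; if nothing outside the diff uses it, the local, the `data "azuread_client_config" "current"` source and `var.tenant_id` are dead and should go (or `tenant_id` should carry the same deprecation tag as the other inputs). The default tenant is also now taken from the azuread provider's credentials instead of the azurerm primary subscription, which changes the result for callers whose two providers are configured for different tenants; a comment such as `# default tenant is that of the azuread provider's credentials; override with var.tenant_id` would make that explicit. The `locals` block continues outside the hunk.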
@@ -86,44 +80,9 @@ resource "azuread_service_principal" "lacework" { } } -resource "azurerm_key_vault_access_policy" "default" { - count = var.create ? length(var.key_vault_ids) : 0 - key_vault_id = var.key_vault_ids[count.index] - object_id = local.service_principal_id - tenant_id = local.tenant_id - - key_permissions = [ - "List" - ] - secret_permissions = [ - "List" - ] -} - -data "azurerm_subscriptions" "available" {} -resource "azurerm_role_assignment" "grant_reader_role_to_subscriptions" { - count = var.create ? length(local.subscription_ids) : 0 - scope = "/subscriptions/${local.subscription_ids[count.index]}" - - principal_id = local.service_principal_id - role_definition_name = "Reader" -} - resource "azuread_application_password" "client_secret" { count = var.create ? 1 : 0 application_object_id = azuread_application.lacework[count.index].object_id end_date = "2299-12-31T01:02:03Z" depends_on = [azuread_service_principal.lacework] -} - -data "azurerm_management_group" "default" { - count = var.use_management_group ? 1 : 0 - name = var.management_group_id -} - -resource "azurerm_role_assignment" "default" { - count = var.use_management_group ? 1 : 0 - scope = data.azurerm_management_group.default[0].id - principal_id = local.service_principal_id - role_definition_name = "Reader" -} +}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 195dea5..359d25c 100644
--- a/variables.tf
+++ b/variables.tf
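Review bot: With `azurerm_role_assignment.grant_reader_role_to_subscriptions`, `azurerm_role_assignment.default` and `azurerm_key_vault_access_policy.default` removed, the module now creates an application and a client secret but assigns no Azure RBAC at all, while `subscription_ids`, `all_subscriptions`, `key_vault_ids`, `use_management_group` and `management_group_id` are still accepted inputs — a caller who sets them gets a plan that silently grants nothing. Either fail fast on non-default values (a `validation` block per variable, or a `precondition` on `azuread_service_principal.lacework`) or document where access is expected to come from now, e.g. `# NOTE: this module no longer assigns RBAC; grant Reader to the service principal (local.service_principal_id) in the calling configuration`. Applying this version against an existing state will also destroy those role assignments and Key Vault policies, which looks like a breaking change for current users and should be called out as a major version bump unless the release notes already do. The `azuread_service_principal.lacework` resource starts before the hunk.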
@@ -1,19 +1,19 @@ variable "create" { type = bool default = true - description = "Set to `false` to prevent the module from creating any resources" + description = "[DEPRECATED] Set to `false` to prevent the module from creating any resources" } variable "subscription_ids" { type = list(string) - description = "List of subscriptions to grant read access to. By default the module will only use the primary subscription" + description = "[DEPRECATED] List of subscriptions to grant read access to. By default the module will only use the primary subscription" default = [] } variable "all_subscriptions" { type = bool default = false - description = "If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`)" + description = "[DEPRECATED] If set to `true`, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`)" } variable "application_name" { @@ -38,7 +38,7 @@ variable "password_length" { # Azure App to have access to each Key Vault used in your subscriptions. variable "key_vault_ids" { type = list(string) - description = "A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to" + description = "[DEPRECATED] A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to" default = [] } @@ -52,11 +52,11 @@ variable "application_identifier_uris" { variable "use_management_group" { type = bool default = false - description = "If set to `true`, the AD Application will be set up to leverage a Management Group" + description = "[DEPRECATED] If set to `true`, the AD Application will be set up to leverage a Management Group" } variable "management_group_id" { type = string default = "" - description = "The ID of the Management Group" + description = "[DEPRECATED] The ID of the Management Group" }
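Review bot: `create` is tagged `[DEPRECATED]` here, but main.tf on the new side still gates every resource on `count = var.create ? 1 : 0`, so the description now contradicts the behaviour; either leave `create` undeprecated or say in the description what replaces it. For the inputs that really lost their effect (`subscription_ids`, `all_subscriptions`, and in the later hunks `key_vault_ids`, `use_management_group`, `management_group_id`), a description tag gives no signal at plan time; a `validation` block rejecting non-default values turns a silent no-op into an error (this needs Terraform 0.13+, which I cannot confirm from the diff). The same guard applies to `all_subscriptions` with `condition = var.all_subscriptions == false`.
```hcl
variable "subscription_ids" {
  type        = list(string)
  description = "[DEPRECATED] List of subscriptions to grant read access to. By default the module will only use the primary subscription"
  default     = []

  validation {
    condition     = length(var.subscription_ids) == 0
    error_message = "subscription_ids is deprecated and no longer grants any access; remove it and assign the Reader role outside this module."
  }
}
# … unchanged: create, all_subscriptions, application_name …
```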