Connect or update multiple Azure subscriptions to Trend Vision One using a single app registration and service principal, reducing the amount of resources deployed to your environment.

If you manage a large number of Azure subscriptions and are concerned about the number of resources created or deployed, you can use the following steps to reduce the number of resources deployed to your environment by using a single app registration and service principal. These steps can be used when creating new connections with Trend Vision One or when updating legacy connections migrated from Server & Workload Protection.

Procedure

  1. Create the modified resource script terraform file.
    Copy the Azure reduced resource connection script and save the code to your local machine as a terraform (.TF) file.
  2. Connect or update one of your Azure subscriptions as normal.
  3. Copy the values from the following attributes in the terraform output:
    • app-registration-id
    • service-principal-object-id
  4. Create and download a terraform file for the account you want to connect.
    1. In the Trend Vision One console, go to Cloud Security > Cloud Accounts > Azure.
    2. In the Cloud Accounts screen, click Add.
      The Connect Azure Subscription screen appears.
    3. Specify the Subscription ID for the Azure subscription you want to connect.
    4. Specify a Name for the subscription which appears in the Cloud Accounts list.
    5. Specify a Description to help identify the purpose of the connection.
    6. If you have more than one Server & Workload Protection Manager instance, select the instance to associate with the connected subscription.
    7. Click Download Azure Resource Creation Script.
  5. Open the resource creation script terraform file downloaded from Trend Vision One in a text or code editor program like Visual Studio Code.
  6. Use parameters from the resource creation script and the terraform output to modify the reduced resource connection script terraform file.
    1. Replace the first set of locals parameters with values from the resource creation script.
      The parameter set looks like the following example.
      locals {
        issuer_url                       = "https://cloudaccounts-us.xdr.trendmicro.com"
        subject_urn                      = "urn:visionone:identity:us:{your_v1_business_id}:account/{your_v1_business_id}"
        subscription_id                  = {your_subscription_id}
        cloud_account_name               = {your_cloud_account_name}
        cloud_account_description        = ""
        v1_account_id                    = {your_v1_business_id}
        api_key                          = {your_api_key}
        endpoint                         = "https://api.xdr.trendmicro.com/public/v2/direct/cam/public/cam/api/v1"
        connected_security_services_json = {your_connected_security_services_json}
      }
    2. Locate the second set of locals parameters.
      The parameter set looks like the following example.
      locals {
        custom-role-name              = "v1-custom-role-${local.subscription_id}"
        service-principal-id          = {first_deploy_output_service_principal_id}
        app-registration-id           = {first_deploy_output_app_registration_id}
      }
    3. Replace the placeholder values of the following parameters with the terraform output values you copied after connecting your first subscription.
      • app-registration-id
      • service-principal-object-id
  7. Upload and apply the reduced resource connection script terraform file in the account you are connecting.
    1. In Azure Cloud Shell, access the command line interface.
      Note
      The Connect Azure Subscription screen in the Trend Vision One console provides a set of commands to help complete the following steps. To complete the connection process, you must copy each command provided in the screen to enable the Done button. While you can alter some parameters, Trend Micro recommends using the provided commands as is to prevent the deployment from failing.
    2. Create a new directory for the deployment folder and then access the folder.
      Copy the command or type mkdir [directoryName] && cd [directoryName].
      Note
      The commands provided by Trend Vision One use your subscription ID as the directory name. While you can specify any directory name you want, you must ensure the folder has a unique name and that there are no other terraform files in the deployment folder.
    3. Upload the reduced resource connection script terraform file to your Azure Cloud Shell.
    4. Move the terraform file to the deployment folder.
      Important
      The reduced resource connection script terraform file must be the only terraform file in the directory. Having more than one terraform file in the folder interferes with the deployment process and might cause the connection to fail.
    5. Initiate and apply the terraform script.
      Copy the command or type terraform init && terraform apply.
    6. In the Trend Vision One console, in the Connect Azure Subscription screen, click Done.
      Once the terraform process is complete, your Azure subscription connects to Trend Vision One automatically. Refresh the Cloud Accounts screen to confirm that the connection is complete.
  8. Repeat steps 4 through 7 for each additional Azure subscription you want to connect or update.
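The following shell script is an added example and is not part of the Trend Micro procedure or its scripts. It performs the checks a practitioner would want before running terraform init && terraform apply in Azure Cloud Shell for each additional subscription (steps 6 and 7): the deployment folder must contain exactly one .tf file, no {your_...} or {first_deploy_output_...} placeholders may remain in it, and the shared-identity locals app-registration-id and service-principal-id must be set to quoted values. The locals names and placeholder style are taken from the page; the function names and the DEPLOY_DIR environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Trend Micro's script): pre-flight checks for the reduced
# resource connection .tf file before running terraform in Azure Cloud Shell.
# Assumes the .tf file uses the locals shown in the procedure
# (service-principal-id, app-registration-id) and the page's placeholder style.

# Print the path of the single .tf file in the folder; fail if there is not
# exactly one (more than one interferes with the deployment).
single_tf_file() {
  dir=$1
  count=0
  found=""
  for f in "$dir"/*.tf; do
    [ -e "$f" ] || continue        # no .tf files: the glob stays literal
    count=$((count + 1))
    found=$f
  done
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one .tf file in $dir, found $count" >&2
    return 1
  fi
  printf '%s\n' "$found"
}

# Fail if any unreplaced {your_...} or {first_deploy_output_...} placeholder
# remains. Terraform's own ${local.x} interpolations are not matched.
no_placeholders_left() {
  file=$1
  if grep -nE '\{(your_|first_deploy_output_)[A-Za-z0-9_]*\}' "$file" >&2; then
    echo "unreplaced placeholders remain in $file" >&2
    return 1
  fi
  return 0
}

# Fail unless both shared-identity locals are set to quoted, non-empty strings
# (the values copied from the first subscription's terraform output).
shared_identity_set() {
  file=$1
  for key in app-registration-id service-principal-id; do
    if ! grep -qE "^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"[^\"]+\"" "$file"; then
      echo "$key is not set to a quoted value in $file" >&2
      return 1
    fi
  done
  return 0
}

# Run all checks on a deployment folder; returns 0 only if every check passes.
preflight_check() {
  dir=$1
  file=$(single_tf_file "$dir") || return 1
  no_placeholders_left "$file" || return 1
  shared_identity_set "$file" || return 1
  echo "preflight OK: $file"
  return 0
}

# Run the same commands the console provides, but only after the checks pass.
deploy_reduced_script() {
  dir=$1
  preflight_check "$dir" || return 1
  (cd "$dir" && terraform init && terraform apply)
}

# Usage (assumed convention): DEPLOY_DIR=<subscription_id> sh preflight.sh
if [ -n "${DEPLOY_DIR:-}" ]; then
  deploy_reduced_script "$DEPLOY_DIR"
fi
```

Because the checks are separate from the apply step, preflight_check can be run on its own against the deployment folder first; only when it reports preflight OK is terraform invoked, which catches the two failure modes the procedure warns about (a second .tf file in the folder, and a placeholder left unreplaced) before any Azure resources are touched.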