將以下代碼複製到文本或代碼編輯器（如 Visual Studio Code），把所有 `{your_...}` 與 `{first_deploy_output_...}` 佔位符替換為實際值（字串值需加上雙引號），並保存為 Terraform（.tf）文件。替換後該文件會包含 Vision One API 金鑰，請勿將其提交到版本控制系統。
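terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.112.0"
    }
    # null_resource below comes from this provider; declaring it keeps
    # `terraform init` from relying on implicit provider discovery.
    null = {
      source = "hashicorp/null"
    }
  }
}

# -----------------------------------------------------------------------------
# User-supplied inputs. Replace every {your_...} placeholder before running
# `terraform init`; string values must be quoted. Once filled in, this file
# holds a Vision One API key - keep it out of source control.
# -----------------------------------------------------------------------------
locals {
  # issuer_url / subject_urn are not referenced anywhere in this file;
  # presumably consumed by the first-deploy step - confirm before removing.
  issuer_url  = "https://cloudaccounts-us.xdr.trendmicro.com"
  subject_urn = "urn:visionone:identity:us:{your_v1_business_id}:account/{your_v1_business_id}"

  subscription_id           = {your_subscription_id}
  cloud_account_name        = {your_cloud_account_name}
  cloud_account_description = ""
  v1_account_id             = {your_v1_business_id}
  api_key                   = {your_api_key}
  endpoint                  = "https://api.xdr.trendmicro.com/public/v2/direct/cam/public/cam/api/v1"
  # JSON text (a string) that is sent as the connectedSecurityServices field
  # when the account is first connected.
  connected_security_services_json = {your_connected_security_services_json}
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}
  subscription_id            = local.subscription_id
  skip_provider_registration = true
}

# Derived / static values. The service principal object id and the app
# registration (client) id are outputs of the first deployment.
locals {
  custom-role-name     = "v1-custom-role-${local.subscription_id}"
  service-principal-id = {first_deploy_output_service_principal_id}
  app-registration-id  = {first_deploy_output_app_registration_id}
}

# Read-only custom role granted to the Vision One service principal.
# NOTE(security): on top of "*/read", several of these actions return
# credential material rather than metadata (AKS user kubeconfig, App
# Configuration key-values, App Service configuration/app settings). Treat the
# principal holding this role as able to read secrets stored in those services.
resource "azurerm_role_definition" "custom-role-definition" {
  name        = local.custom-role-name
  scope       = "/subscriptions/${local.subscription_id}"
  description = "This is a custom role created via Terraform"

  permissions {
    #start of role replace
    actions = [
      "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
      "Microsoft.ContainerService/managedClusters/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleDefinitions/read",
      "*/read",
      "Microsoft.AppConfiguration/configurationStores/ListKeyValue/action",
      "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
      "Microsoft.Web/sites/config/list/Action",
    ]
    #end of role replace
  }
}

# Assigns the custom role to the Vision One service principal at subscription
# scope.
resource "azurerm_role_assignment" "role-assignment" {
  scope              = "/subscriptions/${local.subscription_id}"
  role_definition_id = azurerm_role_definition.custom-role-definition.role_definition_resource_id
  principal_id       = local.service-principal-id
  # Stating the principal type lets Azure skip the directory lookup of the
  # principal; Azure documents this as the mitigation for PrincipalNotFound
  # errors while a recently created service principal is still replicating.
  principal_type = "ServicePrincipal"
}

# Registers (or updates) this subscription as a cloud account in Vision One via
# the CAM API. Runs on every apply (see triggers); the script is idempotent:
#   GET existing account -> 200 with applicationId : PATCH name/description (expects 204)
#                        -> 404 or no applicationId: POST a new account      (expects 201)
#                        -> anything else           : fail
# The API key and user-controlled strings are passed through `environment`
# rather than interpolated into `command`: Terraform echoes the command text
# into the apply log, so a key embedded in it would be logged. Request bodies
# are built with jq so a quote in a name cannot break or alter the JSON.
# The script is POSIX sh and needs curl, jq, uuidgen and mktemp on the machine
# running terraform.
resource "null_resource" "vision-one-cloud-account-sync" {
  triggers = {
    always_run = timestamp()
  }

  depends_on = [
    azurerm_role_definition.custom-role-definition,
    azurerm_role_assignment.role-assignment,
  ]

  provisioner "local-exec" {
    when = create

    environment = {
      TMV1_API_KEY                     = local.api_key
      TMV1_ACCOUNT_ID                  = local.v1_account_id
      TMV1_ENDPOINT                    = local.endpoint
      TMV1_CLOUD_ACCOUNT_NAME          = local.cloud_account_name
      TMV1_CLOUD_ACCOUNT_DESCRIPTION   = local.cloud_account_description
      TMV1_CONNECTED_SECURITY_SERVICES = local.connected_security_services_json
      AZ_SUBSCRIPTION_ID               = local.subscription_id
      AZ_TENANT_ID                     = data.azurerm_client_config.current.tenant_id
      AZ_APP_REGISTRATION_ID           = local.app-registration-id
    }

    command = <<-EOT
      echo "Setting parameters..."
      list_accounts_url="$TMV1_ENDPOINT/azureSubscriptions/$AZ_SUBSCRIPTION_ID"
      add_account_url="$TMV1_ENDPOINT/azureSubscriptions"
      modify_account_url="$list_accounts_url"
      x_task_id="$(uuidgen)"
      x_trace_id="$(uuidgen)"
      body_file="$(mktemp)"
      trap 'rm -f "$body_file"' EXIT

      # All CAM calls share these headers. The response body goes to $body_file
      # and only the HTTP status code is printed.
      cam_request() {
        curl -s -o "$body_file" -w "%%{http_code}" \
          -H "Authorization: Bearer $TMV1_API_KEY" \
          -H "Content-Type: application/json" \
          -H "x-user-role: Master Administrator" \
          -H "x-customer-id: $TMV1_ACCOUNT_ID" \
          -H "x-task-id: $x_task_id" \
          -H "x-trace-id: $x_trace_id" \
          "$@"
      }

      echo "Getting Azure account information..."
      status_code="$(cam_request -X GET "$list_accounts_url")"
      application_id="$(jq -r '.applicationId // empty' "$body_file")"
      echo "status code is $status_code"
      echo "application ID is $application_id"

      if [ "$status_code" = "200" ] && [ -n "$application_id" ]; then
        echo "Common cloud account found, updating Azure account..."
        json_body="$(jq -n \
          --arg name "$TMV1_CLOUD_ACCOUNT_NAME" \
          --arg description "$TMV1_CLOUD_ACCOUNT_DESCRIPTION" \
          '{name: $name, description: $description}')"
        status_code="$(cam_request -X PATCH -d "$json_body" "$modify_account_url")"
        if [ "$status_code" = "204" ]; then
          echo "Calling cloud account API success status=$status_code"
        else
          echo "Response status: $status_code"
          echo "Error: Could not call cloud account API. Please see the logs attached."
          exit 1
        fi
      elif [ "$status_code" = "404" ] || [ -z "$application_id" ]; then
        echo "No common cloud account found, connecting Azure account..."
        # --argjson validates the services JSON up front instead of sending a
        # malformed body to the API.
        json_body="$(jq -n \
          --arg tenantId "$AZ_TENANT_ID" \
          --arg applicationId "$AZ_APP_REGISTRATION_ID" \
          --arg subscriptionId "$AZ_SUBSCRIPTION_ID" \
          --arg name "$TMV1_CLOUD_ACCOUNT_NAME" \
          --arg description "$TMV1_CLOUD_ACCOUNT_DESCRIPTION" \
          --argjson connectedSecurityServices "$TMV1_CONNECTED_SECURITY_SERVICES" \
          '{tenantId: $tenantId, applicationId: $applicationId, subscriptionId: $subscriptionId,
            name: $name, description: $description,
            connectedSecurityServices: $connectedSecurityServices}')" || {
          echo "Error: connected_security_services_json is not valid JSON."
          exit 1
        }
        status_code="$(cam_request -X POST -d "$json_body" "$add_account_url")"
        if [ "$status_code" = "201" ]; then
          echo "Calling cloud account API success status=$status_code"
        else
          echo "status_code status: $status_code"
          echo "Error: Could not call cloud account API. Please see the logs attached."
          exit 1
        fi
      else
        echo "Unexpected error when getting Azure account information..."
        exit 1
      fi
    EOT
  }
}

# Named for the admin-consent step; it only echoes the identifiers an
# administrator needs, after the account sync has completed.
resource "null_resource" "grant_admin_consent_debug_info" {
  triggers = {
    service_principal_objectid = local.service-principal-id
    tenant_id                  = data.azurerm_client_config.current.tenant_id
    app_registration_id        = local.app-registration-id
  }

  provisioner "local-exec" {
    command = <<-GRANTCONSENTCMD
      echo "service_principal_objectid=${self.triggers.service_principal_objectid}"
      echo "tenant_id=${self.triggers.tenant_id}"
      echo "app_registration_id=${self.triggers.app_registration_id}"
    GRANTCONSENTCMD
  }

  depends_on = [null_resource.vision-one-cloud-account-sync]
}

# Identity Terraform is running as; only tenant_id is used here.
data "azurerm_client_config" "current" {}

output "tenant-id" {
  value = data.azurerm_client_config.current.tenant_id
}

output "app-registration-id" {
  value = local.app-registration-id
}

output "service-principal-object-id" {
  value = local.service-principal-id
}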