將以下代碼複製到文本或代碼編輯器(如 Visual Studio Code),並保存為 terraform (.TF) 文件。
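terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.112.0"
    }
    # Declared explicitly: the null_resource blocks below otherwise rely on
    # implicit resolution of hashicorp/null, which is inconsistent with the
    # exact pin used for azurerm. Add a version constraint here once the
    # tested provider version is known.
    null = {
      source = "hashicorp/null"
    }
  }
}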

# Deployment parameters. Every {placeholder} must be replaced before
# `terraform apply`; as written the unquoted placeholders are not valid HCL.
locals {
  # issuer_url and subject_urn are not referenced elsewhere in this file;
  # presumably consumed by the first-deploy step -- confirm before removing.
  issuer_url                       = "https://cloudaccounts-us.xdr.trendmicro.com"
  subject_urn                      = "urn:visionone:identity:us:{your_v1_business_id}:account/{your_v1_business_id}"
  subscription_id                  = {your_subscription_id}
  cloud_account_name               = {your_cloud_account_name}
  cloud_account_description        = ""
  v1_account_id                    = {your_v1_business_id}
  # Vision One API key, sent as a bearer token by the sync script below.
  # Treat it as a secret: do not commit a literal value; source it from a
  # variable or secret store instead.
  api_key                          = {your_api_key}
  # Base URL of the CAM API used by the sync script.
  endpoint                         = "https://api.xdr.trendmicro.com/public/v2/direct/cam/public/cam/api/v1"
  # Raw JSON fragment spliced into the POST body as `connectedSecurityServices`.
  connected_security_services_json = {your_connected_security_services_json}
}

#Configure the Microsoft Azure Provider
# Microsoft Azure provider configuration
provider "azurerm" {
  # Subscription that every azurerm resource in this file targets.
  subscription_id            = local.subscription_id
  # Do not let the provider auto-register resource providers on this
  # subscription; only the role/assignment below are managed here.
  skip_provider_registration = true

  features {}
}

# static variables
# static variables
locals {
  # Name of the subscription-scoped custom role created below.
  custom-role-name              = "v1-custom-role-${local.subscription_id}"
  # Per the placeholder names these two values come from the outputs of a
  # first deployment step (not in this file): the object id of the service
  # principal that receives the role, and its app registration (client) id.
  service-principal-id          = {first_deploy_output_service_principal_id}
  app-registration-id           = {first_deploy_output_app_registration_id}
}

# Custom role granted to the Vision One service principal at subscription scope.
resource "azurerm_role_definition" "custom-role-definition" {
  name        = local.custom-role-name
  scope       = "/subscriptions/${local.subscription_id}"
  description = "This is a custom role created via Terraform"
  permissions {
    # Review this action list against least privilege before deploying: in
    # addition to the broad `*/read` (which already covers the explicit
    # */read entries), it grants actions that return credentials or
    # configuration values -- listClusterUserCredential (AKS user kubeconfig),
    # configurationStores/ListKeyValue and sites/config/list. The two
    # "role replace" marker comments look like tooling anchors; keep them.
    #start of role replace
	actions = ["Microsoft.ContainerService/managedClusters/listClusterUserCredential/action","Microsoft.ContainerService/managedClusters/read","Microsoft.Resources/subscriptions/resourceGroups/read","Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleDefinitions/read","*/read","Microsoft.AppConfiguration/configurationStores/ListKeyValue/action","Microsoft.Network/networkWatchers/queryFlowLogStatus/action","Microsoft.Web/sites/config/list/Action"]
	#end of role replace
  }
}

# Binds the custom role above to the Vision One service principal for the
# whole subscription.
resource "azurerm_role_assignment" "role-assignment" {
  principal_id       = local.service-principal-id
  role_definition_id = azurerm_role_definition.custom-role-definition.role_definition_resource_id
  scope              = "/subscriptions/${local.subscription_id}"
}

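# Registers this subscription as a Vision One cloud account (POST) or, when
# the account already exists, updates its name/description (PATCH) through
# the CAM API. The `always_run` trigger recreates the resource on every
# apply, so the create-time provisioner re-runs each time.
resource "null_resource" "vision-one-cloud-account-sync" {
  provisioner "local-exec" {
    when = create

    # The script relies on bash-only syntax ([[ ]] and ${var:offset}
    # substring expansion). local-exec defaults to `/bin/sh -c`; where sh is
    # dash those lines fail and the script falls into its `exit 1` branch,
    # so the interpreter is pinned to bash.
    interpreter = ["/bin/bash", "-c"]

    # The API key is supplied through the environment instead of being
    # interpolated into the command text: local-exec prints the full command
    # to the apply output, which would otherwise write the key into console
    # and CI logs.
    environment = {
      V1_API_KEY = local.api_key
    }

    command = <<-EOT
            set -u

            echo "Setting parameters..."
            subscription_id="${local.subscription_id}"
            v1_account_id="${local.v1_account_id}"
            http_endpoint="${local.endpoint}"
            list_accounts_url="$http_endpoint/azureSubscriptions/$subscription_id"
            add_account_url="$http_endpoint/azureSubscriptions"
            modify_account_url="$http_endpoint/azureSubscriptions/$subscription_id"
            x_task_id="$(uuidgen)"
            x_trace_id="$(uuidgen)"

            # Hand the bearer token to curl through a private config file
            # (mktemp creates it mode 0600) so it never appears on the curl
            # command line, where other local users could read it from `ps`.
            curl_cfg="$(mktemp)"
            trap 'rm -f "$curl_cfg"' EXIT
            printf 'header = "Authorization: Bearer %s"\n' "$V1_API_KEY" > "$curl_cfg"

            echo "Getting Azure account information..."
            list_response=$(curl -s -K "$curl_cfg" -w "%%{http_code}" -X GET "$list_accounts_url" -H "Content-Type: application/json" -H "x-user-role: Master Administrator" -H "x-customer-id: $v1_account_id" -H "x-task-id: $x_task_id" -H "x-trace-id: $x_trace_id")
            # curl appends the three-digit status code after the body; split it off.
            status_code=$${list_response: -3}
            cloud_accountpayload=$${list_response:0:$(($${#list_response}-3))}
            application_id=$(echo "$cloud_accountpayload" | jq -r '.applicationId // empty')

            echo "status code is $status_code"
            echo "application ID is $application_id"

            if [ "$status_code" -eq 200 ] && [ -n "$application_id" ]; then
              echo "Common cloud account found, updating Azure account..."
              json_body='{
                  "name": "${local.cloud_account_name}",
                  "description": "${local.cloud_account_description}"
              }'

              # Make HTTP request using cURL
              status_code=$(curl -s -o /dev/null -X PATCH \
                  -K "$curl_cfg" \
                  -H "Content-Type: application/json" \
                  -H "x-user-role: Master Administrator" \
                  -H "x-customer-id: $v1_account_id" \
                  -H "x-task-id: $x_task_id" \
                  -H "x-trace-id: $x_trace_id" \
                  -d "$json_body" \
                  -w "%%{http_code}" \
                  "$modify_account_url"
              )

              # Check the status_code status
              if [[ "$status_code" == "204" ]]; then
                  echo "Calling cloud account API success status=$status_code"
              else
                  echo "Response status: $status_code"
                  echo "Error: Could not call cloud account API. Please see the logs attached."
                  exit 1
              fi

            # Only a 404, or a 200 whose payload carries no applicationId, means
            # the account is absent. A transport failure (status 000) or any
            # other error status also leaves application_id empty and must not
            # trigger a POST; those fall through to the final error branch.
            elif [ "$status_code" -eq 404 ] || { [ "$status_code" -eq 200 ] && [ -z "$application_id" ]; }; then
              echo "No common cloud account found, connecting Azure account..."
              json_body='{
                  "tenantId": "${data.azurerm_client_config.current.tenant_id}",
                  "applicationId": "${local.app-registration-id}",
                  "subscriptionId": "${local.subscription_id}",
                  "name": "${local.cloud_account_name}",
                  "description": "${local.cloud_account_description}",
                  "connectedSecurityServices": ${local.connected_security_services_json}
              }'

              # Make HTTP request using cURL
              status_code=$(curl -s -o /dev/null -X POST \
                  -K "$curl_cfg" \
                  -H "Content-Type: application/json" \
                  -H "x-user-role: Master Administrator" \
                  -H "x-customer-id: $v1_account_id" \
                  -H "x-task-id: $x_task_id" \
                  -H "x-trace-id: $x_trace_id" \
                  -d "$json_body" \
                  -w "%%{http_code}" \
                  "$add_account_url"
              )

              # Check the status_code status
              if [[ "$status_code" == "201" ]]; then
                  echo "Calling cloud account API success status=$status_code"
              else
                  echo "status_code status: $status_code"
                  echo "Error: Could not call cloud account API. Please see the logs attached."
                  exit 1
              fi

            else
              echo "Unexpected error when getting Azure account information..."
              exit 1
            fi
        EOT
  }

  # Changes on every plan, so the resource is replaced (and the script
  # re-run) on each apply.
  triggers = {
    always_run = "${timestamp()}"
  }

  # The service principal must already hold the custom role when the API
  # is called.
  depends_on = [azurerm_role_definition.custom-role-definition, azurerm_role_assignment.role-assignment]
}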


# Prints the identifiers an operator needs after the sync step. Despite the
# name, this resource only echoes values; it does not itself grant admin
# consent -- that presumably happens outside this file.
resource "null_resource" "grant_admin_consent_debug_info" {
  depends_on = [null_resource.vision-one-cloud-account-sync]

  triggers = {
    app_registration_id        = local.app-registration-id
    service_principal_objectid = local.service-principal-id
    tenant_id                  = data.azurerm_client_config.current.tenant_id
  }

  provisioner "local-exec" {
    command = <<-EOT
      echo "service_principal_objectid=${self.triggers.service_principal_objectid}"
      echo "tenant_id=${self.triggers.tenant_id}"
      echo "app_registration_id=${self.triggers.app_registration_id}"
      EOT
  }
}


# Identity the provider is running as; used for its tenant id.
data "azurerm_client_config" "current" {}

output "tenant-id" {
  description = "Tenant id of the identity Terraform authenticated as."
  value       = data.azurerm_client_config.current.tenant_id
}

output "app-registration-id" {
  description = "App registration (client) id taken from the first-deploy outputs."
  value       = local.app-registration-id
}

output "service-principal-object-id" {
  description = "Object id of the service principal that holds the custom role."
  value       = local.service-principal-id
}