Creates an Azure AD App that the Cisco Multicloud Defense Controller uses to manage your Azure subscription(s), creates a custom IAM role, and assigns that role to the app on your subscription(s). You can clone this repository and use it as a module from your other Terraform scripts.
- Enable Terraform to access your Azure account. See the available options at https://registry.terraform.io/providers/hashicorp/azuread/latest/docs and https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
- Set the default subscription
- Login to the Cisco Multicloud Defense Dashboard and generate an API Key using the instructions provided here: https://registry.terraform.io/providers/valtix-security/valtix/latest/docs
Inputs

prefix
- (Required) The App and the custom role are created with this prefix

subscription_guids_list
- (Optional) List of subscription Ids to which the IAM role is assigned and which are prepared to be onboarded onto Cisco Multicloud Defense. Default is the currently active subscription of the current login

Outputs

tenant_id
- Azure AD Directory/Tenant Id

app_id
- AD App Registration Id

app_name
- AD App Registration Name

secret_key
- Secret key for the above app (Sensitive; use `terraform output -json | jq -r .secret_key.value` to see this value)

subscription_ids
- List of Azure Subscription Ids

iam_role
- Name of the custom IAM Role assigned to the application that was created
```shell
git clone https://github.com/valtix-security/terraform-azure-setup.git
cd terraform-azure-setup
mv provider provider.tf
cp values.sample values
```

Edit the `values` file with the appropriate values for the variables, then:

```shell
terraform init
terraform apply -var-file values
```
To onboard the subscription(s) onto the Cisco Multicloud Defense (Valtix) Controller, use the valtix provider and `valtix_cloud_account` sections in the following example and change the other values appropriately.

Create a `.tf` file with the following content:

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~>1.6.0"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
    # Needed for the valtix_cloud_account resource below
    valtix = {
      source = "valtix-security/valtix"
    }
  }
}

provider "azuread" {
}

provider "azurerm" {
  features {}
}

provider "valtix" {
  # Configure with the API key generated from the Cisco Multicloud Defense
  # Dashboard; see the valtix provider documentation linked above for the
  # provider arguments.
}

module "csp_setup" {
  source                  = "github.com/valtix-security/terraform-azure-setup"
  prefix                  = "valtix"
  # Empty list: the module falls back to the currently active subscription
  subscription_guids_list = []
}

# One cloud account per subscription prepared by the module
resource "valtix_cloud_account" "azure" {
  count                 = length(module.csp_setup.subscription_ids)
  name                  = "azure-${module.csp_setup.subscription_ids[count.index]}"
  csp_type              = "AZURE"
  azure_directory_id    = module.csp_setup.tenant_id
  azure_subscription_id = module.csp_setup.subscription_ids[count.index]
  azure_application_id  = module.csp_setup.app_id
  # Sensitive module output; never echo it into logs or plan files
  azure_client_secret   = module.csp_setup.secret_key
  inventory_monitoring {
    # Azure region names to monitor
    regions = ["eastus", "westus"]
  }
}
```
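As an added pre-onboarding check (not part of the module or the example above), the script below validates the module's `terraform output -json` before its values are fed into `valtix_cloud_account`: it refuses to continue unless `secret_key` is marked sensitive, checks that the tenant, app and subscription ids are GUIDs with no duplicates, and builds the same `azure-<subscription id>` records the resource above derives. The sample output and every GUID in it are constructed placeholders.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample of `terraform output -json` for the csp_setup module.
# All ids below are placeholders, not real Azure identifiers.
SAMPLE_OUTPUT = json.dumps({
    "tenant_id": {"sensitive": False, "type": "string",
                  "value": "11111111-2222-3333-4444-555555555555"},
    "app_id": {"sensitive": False, "type": "string",
               "value": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
    "app_name": {"sensitive": False, "type": "string", "value": "valtix-app"},
    "secret_key": {"sensitive": True, "type": "string",
                   "value": "PLACEHOLDER-SECRET"},
    "subscription_ids": {"sensitive": False, "type": ["list", "string"],
                         "value": ["00000000-0000-0000-0000-000000000001",
                                   "00000000-0000-0000-0000-000000000002"]},
    "iam_role": {"sensitive": False, "type": "string", "value": "valtix-role"},
})

GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def check_outputs(raw_json: str) -> List[Dict[str, Any]]:
    """Validate the module outputs and return one onboarding record per subscription.
    The secret itself is deliberately not copied into the records."""
    out = json.loads(raw_json)
    for key in ("tenant_id", "app_id", "secret_key", "subscription_ids"):
        if key not in out:
            raise ValueError(f"missing module output: {key}")
    # Terraform only redacts outputs flagged sensitive in plan/apply logs
    if not out["secret_key"]["sensitive"]:
        raise ValueError("secret_key output is not marked sensitive")
    tenant, app = out["tenant_id"]["value"], out["app_id"]["value"]
    for label, value in (("tenant_id", tenant), ("app_id", app)):
        if not GUID.match(value):
            raise ValueError(f"{label} is not a GUID: {value}")
    subs = out["subscription_ids"]["value"]
    if len(set(subs)) != len(subs):
        raise ValueError("duplicate subscription ids in output")
    records = []
    for sub in subs:
        if not GUID.match(sub):
            raise ValueError(f"subscription id is not a GUID: {sub}")
        records.append({"name": f"azure-{sub}", "csp_type": "AZURE",
                        "azure_directory_id": tenant,
                        "azure_subscription_id": sub,
                        "azure_application_id": app})
    return records
```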