Copy the following code into a text or code editor, such as Visual Studio Code, and save it as a Terraform (.tf) file. Replace each `{your_...}` and `{first_deploy_output_...}` placeholder with your own value before applying it.
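terraform {
  required_providers {
    # Pinned exactly so the role-definition and role-assignment schema this
    # file relies on does not drift between applies.
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.112.0"
    }
    # The null_resource blocks below need hashicorp/null. Declaring it here
    # makes the dependency explicit instead of relying on Terraform's implied
    # hashicorp/<name> lookup, and gives a place to pin a version later.
    null = {
      source = "hashicorp/null"
    }
  }
}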
# Deployment inputs. Every `{your_...}` token is a placeholder to be replaced
# with a quoted string before `terraform init`; left as-is it is not valid HCL
# (an unquoted `{` starts an object literal).
locals {
# issuer_url and subject_urn are not referenced anywhere in this file;
# presumably they are consumed by the first-deploy configuration (federated
# credential setup) -- confirm before removing them.
issuer_url = "https://cloudaccounts-us.xdr.trendmicro.com"
subject_urn = "urn:visionone:identity:us:{your_v1_business_id}:account/{your_v1_business_id}"
# Azure subscription that will be connected to Vision One.
subscription_id = {your_subscription_id}
# Display name and description shown for the cloud account in Vision One.
cloud_account_name = {your_cloud_account_name}
cloud_account_description = ""
# Vision One business ID; sent as the x-customer-id header by the sync script.
v1_account_id = {your_v1_business_id}
# Vision One API key. This is a bearer credential: keep the populated file out
# of version control, and note that it is interpolated into a local-exec
# command further down, where the provisioner echoes the command at apply time.
api_key = {your_api_key}
# Base URL of the CAM (cloud account management) API.
endpoint = "https://api.xdr.trendmicro.com/public/v2/direct/cam/public/cam/api/v1"
# Raw JSON (as a string) spliced verbatim into the POST body's
# connectedSecurityServices field by the sync script.
connected_security_services_json = {your_connected_security_services_json}
}
# Configure the Microsoft Azure Provider.
# No credentials are set here; the provider's own authentication mechanism
# applies. Only the target subscription is fixed.
provider "azurerm" {
  subscription_id = local.subscription_id

  # Skip registering every Azure resource provider namespace on the
  # subscription; this file only creates a role definition and an assignment.
  skip_provider_registration = true

  features {}
}
# static variables
# The two `{first_deploy_output_...}` placeholders are outputs of the first
# deployment and must be replaced with quoted strings before applying.
locals {
# Role name is suffixed with the subscription ID so it is unique per subscription.
custom-role-name = "v1-custom-role-${local.subscription_id}"
# Object ID of the service principal that receives the custom role below.
service-principal-id = {first_deploy_output_service_principal_id}
# Application (client) ID of the app registration reported to Vision One.
app-registration-id = {first_deploy_output_app_registration_id}
}
# Subscription-scoped custom role for the Vision One service principal.
# Besides `*/read`, the action list includes listClusterUserCredential,
# ListKeyValue and sites/config/list, which can return cluster credentials,
# App Configuration values and web-app settings respectively. Treat the
# assigned principal as credential-bearing and re-review this list whenever
# the vendor-generated section between the "role replace" markers changes.
resource "azurerm_role_definition" "custom-role-definition" {
name = local.custom-role-name
scope = "/subscriptions/${local.subscription_id}"
description = "This is a custom role created via Terraform"
permissions {
#start of role replace
actions = ["Microsoft.ContainerService/managedClusters/listClusterUserCredential/action","Microsoft.ContainerService/managedClusters/read","Microsoft.Resources/subscriptions/resourceGroups/read","Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleDefinitions/read","*/read","Microsoft.AppConfiguration/configurationStores/ListKeyValue/action","Microsoft.Network/networkWatchers/queryFlowLogStatus/action","Microsoft.Web/sites/config/list/Action"]
#end of role replace
}
}
resource "azurerm_role_assignment" "role-assignment" {
  # Bind the custom role to the first-deploy service principal at
  # subscription scope.
  principal_id       = local.service-principal-id
  role_definition_id = azurerm_role_definition.custom-role-definition.role_definition_resource_id
  scope              = "/subscriptions/${local.subscription_id}"
}
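resource "null_resource" "vision-one-cloud-account-sync" {
  # Registers this subscription as a Vision One cloud account (POST) or
  # updates the existing one (PATCH) through the CAM API.
  #
  # The API key and the JSON request bodies are passed through `environment`
  # instead of being interpolated into `command`: local-exec prints the
  # command text in its "Executing:" line at apply time, so anything in the
  # command string ends up in the run log.
  provisioner "local-exec" {
    when = create

    # The script uses bash-only constructs ([[ ]], arrays, substring
    # expansion); the default /bin/sh may not support them.
    interpreter = ["/bin/bash", "-c"]

    environment = {
      V1_API_KEY         = local.api_key
      V1_ACCOUNT_ID      = local.v1_account_id
      V1_ENDPOINT        = local.endpoint
      AZ_SUBSCRIPTION_ID = local.subscription_id

      # Bodies are built with jsonencode() so a name or description containing
      # quotes cannot break the JSON or the shell quoting.
      V1_PATCH_BODY = jsonencode({
        name        = local.cloud_account_name
        description = local.cloud_account_description
      })

      # connected_security_services_json must be a string holding valid JSON;
      # it is decoded here and re-embedded as a JSON value, as the original
      # verbatim splice did.
      V1_POST_BODY = jsonencode({
        tenantId                  = data.azurerm_client_config.current.tenant_id
        applicationId             = local.app-registration-id
        subscriptionId            = local.subscription_id
        name                      = local.cloud_account_name
        description               = local.cloud_account_description
        connectedSecurityServices = jsondecode(local.connected_security_services_json)
      })
    }

    command = <<-EOT
      echo "Setting parameters..."
      list_accounts_url="$V1_ENDPOINT/azureSubscriptions/$AZ_SUBSCRIPTION_ID"
      add_account_url="$V1_ENDPOINT/azureSubscriptions"
      modify_account_url="$V1_ENDPOINT/azureSubscriptions/$AZ_SUBSCRIPTION_ID"
      x_task_id="$(uuidgen)"
      x_trace_id="$(uuidgen)"

      # Headers shared by all three calls. The bearer token is read from the
      # environment only; it never appears in the command text.
      common_headers=(
        -H "Authorization: Bearer $V1_API_KEY"
        -H "Content-Type: application/json"
        -H "x-user-role: Master Administrator"
        -H "x-customer-id: $V1_ACCOUNT_ID"
        -H "x-task-id: $x_task_id"
        -H "x-trace-id: $x_trace_id"
      )

      echo "Getting Azure account information..."
      # -w appends the HTTP status to the body; the last three characters are
      # split off below.
      list_response=$(curl -sS -w "%%{http_code}" -X GET "$list_accounts_url" "$${common_headers[@]}")
      status_code=$${list_response: -3}
      cloud_accountpayload=$${list_response:0:$(($${#list_response}-3))}
      application_id=$(echo "$cloud_accountpayload" | jq -r '.applicationId // empty')
      echo "status code is $status_code"
      echo "application ID is $application_id"

      # A failed curl leaves status_code empty or non-numeric, which would make
      # the -eq tests below error out; report it explicitly instead.
      case "$status_code" in
        ''|*[!0-9]*)
          echo "Unexpected error when getting Azure account information (no HTTP status)..."
          exit 1
          ;;
      esac

      if [ "$status_code" -eq 200 ] && [ -n "$application_id" ]; then
        echo "Common cloud account found, updating Azure account..."
        status_code=$(curl -sS -o /dev/null -w "%%{http_code}" -X PATCH \
          "$${common_headers[@]}" \
          -d "$V1_PATCH_BODY" \
          "$modify_account_url")
        if [[ "$status_code" == "204" ]]; then
          echo "Calling cloud account API success status=$status_code"
        else
          echo "Response status: $status_code"
          echo "Error: Could not call cloud account API. Please see the logs attached."
          exit 1
        fi
      elif [ "$status_code" -eq 404 ] || [ -z "$application_id" ]; then
        echo "No common cloud account found, connecting Azure account..."
        status_code=$(curl -sS -o /dev/null -w "%%{http_code}" -X POST \
          "$${common_headers[@]}" \
          -d "$V1_POST_BODY" \
          "$add_account_url")
        if [[ "$status_code" == "201" ]]; then
          echo "Calling cloud account API success status=$status_code"
        else
          echo "status_code status: $status_code"
          echo "Error: Could not call cloud account API. Please see the logs attached."
          exit 1
        fi
      else
        echo "Unexpected error when getting Azure account information..."
        exit 1
      fi
    EOT
  }

  # timestamp() changes on every plan, so the sync runs on every apply.
  triggers = {
    always_run = timestamp()
  }

  depends_on = [azurerm_role_definition.custom-role-definition, azurerm_role_assignment.role-assignment]
}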
resource "null_resource" "grant_admin_consent_debug_info" {
  # Prints the identifiers an operator needs when granting admin consent by
  # hand. They are identifiers, not credentials. Capturing them in `triggers`
  # re-creates the resource (and re-runs the provisioner) whenever one changes.
  triggers = {
    app_registration_id        = local.app-registration-id
    service_principal_objectid = local.service-principal-id
    tenant_id                  = data.azurerm_client_config.current.tenant_id
  }

  provisioner "local-exec" {
    command = <<-INFO
      echo "service_principal_objectid=${self.triggers.service_principal_objectid}"
      echo "tenant_id=${self.triggers.tenant_id}"
      echo "app_registration_id=${self.triggers.app_registration_id}"
    INFO
  }

  # Only print once the account sync has completed.
  depends_on = [null_resource.vision-one-cloud-account-sync]
}
# Identity the provider is running as; only tenant_id is used in this file.
data "azurerm_client_config" "current" {}
output "tenant-id" {
  description = "Azure AD tenant ID of the identity running this configuration."
  value       = data.azurerm_client_config.current.tenant_id
}
output "app-registration-id" {
  description = "Application (client) ID of the app registration reported to Vision One."
  value       = local.app-registration-id
}
output "service-principal-object-id" {
  description = "Object ID of the service principal that holds the custom role."
  value       = local.service-principal-id
}
