Connect or update multiple Azure subscriptions to Trend Vision One using a single app registration and service principal, reducing the amount of resources deployed to your environment.

If you manage a large number of Azure subscriptions and want to limit the number of resources created or deployed, you can use the following steps to reduce the number of resources deployed to your environment by using a single app registration and service principal. You can use these steps when creating new connections with Trend Vision One or when updating legacy connections migrated from Server & Workload Protection.

Procedure

  1. Create the modified resource script terraform file.
    Copy the Azure reduced resource connection script and save the code to your local machine as a terraform (.TF) file.
  2. Connect or update one of your Azure subscriptions as normal.
  3. Copy the values from the following attributes in the terraform output:
    • app-registration-id
    • service-principal-object-id
  4. Create and download a terraform file for the account you want to connect.
    1. In the Trend Vision One console, go to Cloud Security > Cloud Accounts > Azure.
    2. In the Cloud Accounts screen, click Add.
      The Add Azure Subscription screen appears.
    3. Select Single Subscription and then click Next.
    4. Specify the Subscription ID for the Azure subscription you want to connect.
      The subscription ID is a twelve-digit number unique to your subscription.
    5. Specify a Name for the subscription which appears in the Cloud Accounts list.
    6. Specify a Description to help identify the purpose of the connection.
    7. Specify the Region as the main region where the resources will be deployed.
    8. If you have more than one Server & Workload Protection Manager instance, select the instance to associate with the connected subscription.
    9. Click Next.
  5. Select the features and permissions you want to enable. For more information, see Azure features and permissions.
  6. Click Next.
  7. In the Download template section, select Manual to download the template to your local machine.
  8. Open the resource creation script terraform file downloaded from Trend Vision One in a text or code editor such as Visual Studio Code.
  9. Use parameters from the resource creation script and the terraform output to modify the reduced resource connection script terraform file.
    1. Replace the first set of locals parameters with values from the resource creation script.
      The parameter set looks like the following example.
      locals {
        issuer_url                       = "https://cloudaccounts-us.xdr.trendmicro.com"
        subject_urn                      = "urn:visionone:identity:us:{your_v1_business_id}:account/{your_v1_business_id}"
        subscription_id                  = {your_subscription_id}
        cloud_account_name               = {your_cloud_account_name}
        cloud_account_description        = ""
        v1_account_id                    = {your_v1_business_id}
        api_key                          = {your_api_key}
        endpoint                         = "https://api.xdr.trendmicro.com/public/v2/direct/cam/public/cam/api/v1"
        connected_security_services_json = {your_connected_security_services_json}
      }
    2. Locate the second set of locals parameters.
      The parameter set looks like the following example.
      locals {
        custom-role-name              = "v1-custom-role-${local.subscription_id}"
        service-principal-id          = {first_deploy_output_service_principal_id}
        app-registration-id           = {first_deploy_output_app_registration_id}
      }
    3. Replace the following parameters using the terraform output values obtained from connecting your first subscription.
      • app-registration-id
      • service-principal-object-id
  10. Upload and apply the reduced resource connection script terraform file in the account you are connecting.
    1. In Azure Cloud Shell, access the command line interface.
    2. Create a new directory for the deployment folder and then access the folder.
      Copy the command or type mkdir [Subscription ID] && cd [Subscription ID].
      Note
      The commands provided by Trend Vision One use your subscription ID as the directory name. While you can specify any directory name you want, you must ensure the folder has a unique name and that there are no other Terraform files in the deployment folder.
    3. Upload the reduced resource connection script terraform file to your Azure Cloud Shell.
    4. Move the terraform file to the deployment folder.
      Important
      The reduced resource connection script terraform file must be the only terraform file in the directory. Having more than one terraform file in the folder interferes with the deployment process and might cause the connection to fail.
    5. Run the deployment script.
      Copy the command or type ./deploy.sh. Azure Cloud Shell begins the Terraform process to deploy Trend Vision One security resources.
    6. In the Trend Vision One console, in the Connect Azure Subscription screen, click Done.
      Once the terraform process is complete, your Azure subscription connects to Trend Vision One automatically. Refresh the Cloud Accounts screen to check the connection is complete.
  11. Repeat steps 4 through 7 for each additional Azure subscription you want to connect or update.
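The fill-in from step 9 and the single-file and placeholder checks that steps 10 and the Important note call for, as an added shell example that is not part of this page or Trend Vision One's deploy.sh; it assumes the placeholder names shown in the locals blocks above and a POSIX sh with sed and grep.

```shell
#!/bin/sh
# Added example (not Trend Micro's script). Assumes the placeholder tokens
# shown on the page ({first_deploy_output_app_registration_id} and
# {first_deploy_output_service_principal_id}) are still present verbatim.

# fill_sp_locals FILE APP_REGISTRATION_ID SERVICE_PRINCIPAL_OBJECT_ID
# Replaces the two second-locals placeholders with quoted values taken
# from the first subscription's terraform output.
fill_sp_locals() {
    file="$1"; app_id="$2"; sp_id="$3"
    sed -i.bak \
        -e "s|{first_deploy_output_app_registration_id}|\"$app_id\"|" \
        -e "s|{first_deploy_output_service_principal_id}|\"$sp_id\"|" \
        "$file" && rm -f "$file.bak"
}

# preflight DIR
# Returns 0 only when DIR holds exactly one .tf file (the Important note)
# and that file has no unreplaced {placeholder} tokens left, which would
# otherwise make ./deploy.sh fail at plan time. Returns 1 or 2 otherwise.
preflight() {
    dir="$1"
    count=$(ls "$dir"/*.tf 2>/dev/null | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 .tf file in $dir, found $count" >&2
        return 1
    fi
    # Placeholders are {lowercase_with_underscores}; ${local.x} has a dot,
    # so genuine Terraform interpolations are not flagged.
    if grep -qE '\{[a-z0-9_]+\}' "$dir"/*.tf; then
        echo "unreplaced placeholders remain:" >&2
        grep -nE '\{[a-z0-9_]+\}' "$dir"/*.tf >&2
        return 2
    fi
    return 0
}
```

Run preflight on the deployment folder right before ./deploy.sh; a non-zero exit tells you which of the two failure modes on this page you hit.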