##################################
# THIS SCRIPT IS PROVIDED TO YOU "AS IS." TO THE EXTENT PERMITTED BY LAW, QUALYS HEREBY DISCLAIMS ALL WARRANTIES AND LIABILITY
# FOR THE PROVISION OR USE OF THIS SCRIPT. IN NO EVENT SHALL THESE SCRIPTS BE DEEMED TO BE CLOUD SERVICES AS PROVIDED BY QUALYS
#
# Author: Mikesh Khanal
#
# EDIT THE FOLLOWING PARAMETERS
#
# active_directory_id: Azure Active Directory (tenant) ID
# subscription_id: Subscription ID that you want to onboard to Qualys CloudView
# username: Username to log in to Qualys CloudView
# password: Password to log in to Qualys CloudView
# baseurl: Qualys CloudView URL
##################################
variable "create_assetview_connector" {
  # Required (no default): gates local_file.authentication_key below.
  type        = bool
  description = "If set to true, creates assetview connector"
}
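variable "active_directory_id" {
  description = "Azure Active Directory (tenant) ID used as tenant_id by both providers."
  type        = string
  # NOTE(review): the default is a tenant ID hard-coded in the original script.
  # Always override it (-var or a .tfvars file); a run that forgets to will
  # target that tenant instead of yours.
  default = "ff4e2413-65ab-4dc2-9e5b-1ea02d3d94eb"
}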
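variable "subscription_id" {
  description = "Azure subscription ID to onboard; also used as the Reader role scope and in the connector names."
  type        = string
  # NOTE(review): the default is a subscription ID hard-coded in the original
  # script. Always override it; otherwise the Reader role assignment and the
  # Qualys connector are created against that subscription.
  default = "30293558-9706-4c17-863a-016e35462650"
}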
variable "username" {
  # Passed to curl with -u in both API-call modules below.
  description = "The username for Qualys CloudView."
  type        = string
}
variable "password" {
  # Passed to curl with -u in both API-call modules below, so the value ends up
  # in the state file, plan output and the shell command line.
  # NOTE(review): mark it `sensitive = true` once the project moves to
  # Terraform >= 0.14 so it is redacted from plan/apply output.
  description = "The password for Qualys CloudView."
  type        = string
}
variable "baseurl" {
  # Scheme included; the AssetView call derives its host from this value by
  # replacing "guard" with "api".
  description = "The API server for Qualys CloudView eg: https://qualysguard.qg2.apps.qualys.com"
  type        = string
}
#############################
# Initializing the provider
##############################
provider "azuread" {
  # Same tenant and subscription as the azurerm provider below.
  # Unlike azurerm, no provider version is pinned here.
  tenant_id       = var.active_directory_id
  subscription_id = var.subscription_id
}
provider "azurerm" {
  # Pinned to exactly 2.0.0; the empty features block is required by azurerm 2.x.
  version         = "=2.0.0"
  tenant_id       = var.active_directory_id
  subscription_id = var.subscription_id

  features {}
}
#######################################################
# Creating an Application & associated Service Principal
#######################################################
resource "random_password" "password" {
  # Client secret for the application registration below. The generated value
  # is stored in plaintext in the Terraform state and is also exposed through
  # the Qualys_CloudView__authentication_key output.
  special = true
  length  = 24
}
resource "random_id" "unique_id" {
  # Eight random bytes; the decimal form is appended to the application name.
  byte_length = 8
}
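resource "azuread_application" "qualys_cloudview_app" {
  # One app registration per onboarded subscription; the random suffix keeps the
  # display name unique if the same subscription is onboarded more than once.
  name     = "Qualys CloudView Application for ${var.subscription_id} ${random_id.unique_id.dec}"
  homepage = "https://www.qualys.com/apps/cloud-security-assessment/"
  # Single-tenant: the registration must not be usable from other AAD tenants.
  available_to_other_tenants = false

  required_resource_access {
    # Microsoft Graph (00000003-... is Microsoft Graph; the legacy
    # Azure AD Graph API is 00000002-0000-0000-c000-000000000000).
    resource_app_id = "00000003-0000-0000-c000-000000000000"
    # "User.Read.All" as an application permission (type = "Role"), which needs
    # admin consent after apply. Application permissions are listed under
    # appRoles, not oauth2Permissions (those are the delegated scopes):
    # az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='User.Read.All']"
    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214"
      type = "Role"
    }
  }

  required_resource_access {
    # Azure Service Management API (ARM).
    resource_app_id = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
    # "user_impersonation" delegated permission (type = "Scope"). Get ID from:
    # az ad sp show --id 797f4846-ba00-4fd7-ba43-dac1f8f63013 --query "oauth2Permissions[?value=='user_impersonation']"
    resource_access {
      id   = "41094075-9dad-400e-a0bd-54e686782033"
      type = "Scope"
    }
  }
}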
resource "azuread_service_principal" "qualys_cloudview_serviceprincipal" {
  # Service principal backing the application registration; its object ID is
  # what the Reader role assignment targets.
  application_id = azuread_application.qualys_cloudview_app.application_id
}
resource "azuread_application_password" "password" {
  # Attaches the generated secret to the application as a client secret.
  value          = random_password.password.result
  application_id = azuread_application.qualys_cloudview_app.id
  # NOTE(review): valid until the year 2299, i.e. the secret never effectively
  # expires. Prefer a shorter end_date together with a rotation process.
  end_date = "2299-12-30T23:00:00Z"
}
#######################################################
# Role Assignment
#######################################################
resource "azurerm_role_assignment" "assign_reader" {
  # Built-in Reader role over the whole onboarded subscription, granted to the
  # service principal above (read-only access for the scanning connector).
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.qualys_cloudview_serviceprincipal.id
  scope                = "/subscriptions/${var.subscription_id}"
}
#######################################################
# Qualys API Call to create CloudView Azure Connector
#######################################################
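module "QualysCloudViewConnector" {
  source = "matti/resource/shell"

  # Registers the Azure connector with the Qualys CloudView REST API once the
  # Reader role is in place.
  # NOTE(review): the Qualys credentials go on the curl command line (-u) and the
  # client secret is embedded in the request body, so all of them end up in the
  # Terraform state, plan output and the host's process listing.
  # Quoting: var.username/var.password are user-supplied and may contain a
  # single quote, which would terminate the POSIX single-quoted shell string, so
  # every single quote is escaped as '\''. The body is built with jsonencode()
  # so it stays well-formed JSON whatever characters the generated secret holds.
  # The connector name keeps the original spelling ("Azure-coonector-") so that
  # existing deployments are unaffected.
  command = "curl -u '${replace("${var.username}:${var.password}", "'", "'\\''")}' -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '${replace(jsonencode({ applicationId = azuread_application.qualys_cloudview_app.application_id, authenticationKey = random_password.password.result, description = var.subscription_id, directoryId = var.active_directory_id, isGovCloud = false, name = "Azure-coonector-${var.subscription_id}", subscriptionId = var.subscription_id }), "'", "'\\''")}' ${var.baseurl}/cloudview-api/rest/v1/azure/connectors"

  # Module input of matti/resource/shell used for ordering (module-level
  # depends_on is not available in this Terraform version).
  depends = [azurerm_role_assignment.assign_reader]
}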
#########################################################
# Qualys API Call to create AssetView Azure Connector
#########################################################
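resource "local_file" "authentication_key" {
  # Only written when the AssetView connector is requested.
  count = var.create_assetview_connector ? 1 : 0

  # Request body for the AssetView azureassetdataconnector API. The generated
  # client secret can contain '&', '<' or '>' (random_password special = true),
  # which must be entity-escaped or the XML is malformed; the remaining values
  # are GUIDs and need no escaping.
  content = "<ServiceRequest><data><AzureAssetDataConnector><name>Azure-connector-${var.subscription_id}</name><description>Sample Azure Connector</description><disabled>false</disabled><isGovCloudConfigured>false</isGovCloudConfigured><authRecord><applicationId>${azuread_application.qualys_cloudview_app.application_id}</applicationId><directoryId>${var.active_directory_id}</directoryId><subscriptionId>${var.subscription_id}</subscriptionId><authenticationKey>${replace(replace(replace(random_password.password.result, "&", "&amp;"), "<", "&lt;"), ">", "&gt;")}</authenticationKey></authRecord></AzureAssetDataConnector></data></ServiceRequest>"

  # This file holds the client secret in plaintext and is never deleted after
  # the API call; restrict it to the owner. (file_permission requires a recent
  # hashicorp/local provider, which this file does not pin.)
  file_permission = "0600"
  filename        = "${path.module}/file.xml"

  depends_on = [azurerm_role_assignment.assign_reader]
}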
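module "QualysAssetViewConnector" {
  source = "matti/resource/shell"

  # Registers the AssetView connector from the XML written by
  # local_file.authentication_key. The connector is optional and a module block
  # cannot carry count in this Terraform version, so when it is not requested
  # the command degrades to a no-op (`true`, exit 0) instead of failing on the
  # missing file.xml redirect. The file is addressed via path.module so the
  # call does not depend on the working directory, matching where local_file
  # writes it. The AssetView host is derived by replacing "guard" with "api"
  # in var.baseurl (presumably qualysguard.* -> qualysapi.*).
  # NOTE(review): the Qualys credentials are passed with -u and so are visible
  # in the state, plan output and process listing; any single quote in them is
  # escaped for the single-quoted shell string.
  command = var.create_assetview_connector ? "curl -u '${replace("${var.username}:${var.password}", "'", "'\\''")}' -X POST --header 'Content-Type: text/xml' --header 'Accept: application/json' --data-binary @- \"${replace(var.baseurl, "guard", "api")}\"/qps/rest/2.0/create/am/azureassetdataconnector < \"${path.module}/file.xml\"" : "true"

  depends = [local_file.authentication_key]
}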
#######################################################
# Outputs
#######################################################
output "Qualys_CloudView__application_id" { value = azuread_application.qualys_cloudview_app.application_id}
output "Qualys_CloudView__authentication_key" { value = random_password.password.result}
output "Qualys_CloudView__application_name" { value = azuread_application.qualys_cloudview_app.name }
output "CLOUDVIEW-OUTPUT" { value = module.QualysCloudViewConnector.stdout }
output "CLOUDVIEW-EXIT-STATUS" { value = module.QualysCloudViewConnector.exitstatus }
output "ASSETVIEW-OUTPUT" { value = module.QualysAssetViewConnector.stdout }
output "ASSETVIEW-EXIT-STATUS" { value = module.QualysAssetViewConnector.exitstatus }