feat: 1.4.0

Author: radomarina

README.md

@@ -55,6 +55,8 @@ Choose one of the following installation options based on your needs:
 ### Option 1: Discovered Subscriptions
 
 Use this option if you want Firefly to automatically discover and monitor all accessible Azure subscriptions.
+We use delegated AD service principal to discover and monitor all accessible Azure subscriptions.
+Go to Option 3 if you want to use non delegated AD service principal.
 
 You can exclude subscriptions by adding a tag on them.
 
@@ -142,6 +144,49 @@ module "firefly_azure_subscription_2" {
 }
 ```
 
+### Option 3: Non delegated AD service principal
+
+```hcl
+provider "azuread" {
+  client_id     = var.client_id
+  client_secret = var.client_secret
+  tenant_id     = var.tenant_id
+}
+
+provider "azurerm" {
+  features {}
+  alias                           = "deployment_subscription"
+  tenant_id                       = var.tenant_id
+  subscription_id                 = var.subscription_id
+  resource_provider_registrations = "none"
+}
+
+module "firefly_azure" {
+  source  = "github.com/gofireflyio/terraform-firefly-azure-onboarding?ref=v1.3.0/modules/single_integration"
+  providers = {
+    azurerm.deployment_subscription = azurerm.deployment_subscription
+  }
+  
+  client_id       = var.client_id
+  client_secret   = var.client_secret
+  directory_domain = "your-organization.com"
+  tenant_id       = var.tenant_id
+  subscription_id = var.subscription_id
+  
+  firefly_access_key = var.firefly_access_key
+  firefly_secret_key = var.firefly_secret_key
+  
+  location = var.location
+  prefix   = var.prefix
+  tags     = var.tags
+  // existing_app_id = "00000000-0000-0000-0000-000000000000"
+  // existing_service_principal_id = "00000000-0000-0000-0000-000000000000"
+  
+  
+  create_resource_provider_registration = false
+}
+```
+
 ## Required Resources
 
 The Terraform module will create the following Azure resources:

modules/single_integration/data.tf

@@ -0,0 +1,18 @@
+data "azuread_client_config" "current" {}
+
+data "azuread_application_published_app_ids" "well_known" {}
+
+resource "azuread_service_principal" "msgraph" {
+  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+  use_existing = true
+}
+
+data "azuread_service_principal" "existing" {
+  count = var.existing_service_principal_id != "" ? 1 : 0
+  application_id = var.existing_service_principal_id
+}
+
+resource "azurerm_resource_provider_registration" "current" {
+  count = var.create_resource_provider_registration ? 1 : 0
+  name  = "microsoft.insights"
+}

modules/single_integration/eventdriven.tf

@@ -0,0 +1,109 @@
+resource "azurerm_resource_group" "current" {
+  count    = var.existing_resource_group_name == "" ? 1 : 0
+  provider = azurerm.deployment_subscription
+  location = var.location
+  name     = "${module.naming.resource_group.name}-${var.prefix}firefly${var.suffix}"
+  tags     = local.tags
+}
+
+resource "azurerm_storage_account" "current" {
+  count                            = var.existing_storage_account_id == "" ? 1 : 0
+  provider                         = azurerm.deployment_subscription
+  account_replication_type         = "LRS"
+  cross_tenant_replication_enabled = false
+  account_tier                     = "Standard"
+  location                         = var.location
+  name                             = "${module.naming.storage_account.name}${var.prefix != "" ? regex("\\w+", var.prefix) : ""}firefly${var.suffix != "" ? regex("\\w+", var.suffix) : ""}"
+  resource_group_name              = local.resource_group_name
+  tags                             = local.tags
+  dynamic "network_rules" {
+    for_each = var.enforce_storage_network_rules ? [1] : []
+    content {
+      default_action = "Deny"
+      ip_rules       = var.firefly_eips
+    }
+  }
+}
+
+resource "azurerm_eventgrid_system_topic" "current" {
+  count                  = var.existing_eventgrid_topic_name == "" ? 1 : 0
+  provider               = azurerm.deployment_subscription
+  name                   = "${module.naming.eventgrid_topic.name}-${var.prefix}firefly${var.suffix}"
+  location               = var.location
+  resource_group_name    = local.resource_group_name
+  source_arm_resource_id = local.storage_account_id
+  topic_type             = "microsoft.storage.storageaccounts"
+  tags                   = local.tags
+}
+
+resource "azurerm_eventgrid_system_topic_event_subscription" "current" {
+  count                = var.existing_eventgrid_topic_name == "" ? 1 : 0
+  provider             = azurerm.deployment_subscription
+  name                 = "${module.naming.eventgrid_event_subscription.name}-${var.prefix}firefly${var.suffix}"
+  resource_group_name  = local.resource_group_name
+  system_topic         = local.eventgrid_system_topic_name
+  included_event_types = ["Microsoft.Storage.BlobCreated"]
+
+  webhook_endpoint {
+    url                               = var.firefly_webhook_url
+    max_events_per_batch              = 1
+    preferred_batch_size_in_kilobytes = 64
+  }
+  retry_policy {
+    event_time_to_live    = 1440
+    max_delivery_attempts = 30
+  }
+}
+
+resource "azurerm_role_definition" "FireflyStorageAccountBlobReader" {
+  provider = azurerm.deployment_subscription
+
+  name        = "${module.naming.role_definition.name}-${var.prefix}FireflyStorageAccountBlobReader-${var.subscription_id}${var.suffix}"
+  scope       = "/subscriptions/${var.subscription_id}"
+  description = "Firefly's requested permissions"
+
+  permissions {
+    data_actions = [
+      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+    ]
+  }
+  assignable_scopes = [
+    "/subscriptions/${var.subscription_id}"
+  ]
+}
+
+resource "azurerm_role_assignment" "FireflyStorageAccountBlobReader" {
+  provider = azurerm.deployment_subscription
+
+  principal_id         = local.service_principle_object_id
+  role_definition_name = azurerm_role_definition.FireflyStorageAccountBlobReader.name
+  scope                = "/subscriptions/${var.subscription_id}"
+  condition_version    = "2.0"
+  condition            = <<-EOT
+(
+	(
+		!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT
+	SubOperationMatches{'Blob.List'})
+	)
+OR
+	(
+		@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*state'
+	)
+OR
+	(
+		@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*.tfstateenv:*'
+	)
+)
+EOT
+}
+
+resource "azurerm_monitor_diagnostic_setting" "current" {
+  provider           = azurerm.deployment_subscription
+  name               = "${module.naming.monitor_diagnostic_setting.name}-${var.prefix}firefly${var.subscription_id}${var.suffix}"
+  target_resource_id = "/subscriptions/${var.subscription_id}"
+  storage_account_id = local.storage_account_id
+  enabled_log {
+    category = "Administrative"
+  }
+  depends_on = [local.storage_account_id]
+}

modules/single_integration/integration.tf

@@ -0,0 +1,29 @@
+data "http" "firefly_login" {
+  count  = var.firefly_secret_key != "" ? 1 : 0
+  url    = "${var.firefly_endpoint}/account/access_keys/login"
+  method = "POST"
+  request_headers = {
+    Content-Type = "application/json"
+  }
+  request_body = jsonencode({ "accessKey" = var.firefly_access_key, "secretKey" = var.firefly_secret_key })
+}
+
+locals {
+  response_obj = try(jsondecode(data.http.firefly_login[0].response_body), {})
+  token        = lookup(local.response_obj, "access_token", "error")
+}
+
+module "firefly_integrate" {
+  count                       = var.trigger_integrations ? 1 : 0
+  firefly_endpoint            = var.firefly_endpoint
+  source                      = "./modules/firefly_azure_integration"
+  firefly_token               = local.token
+  subscription_id             = var.subscription_id
+  subscription_name           = var.subscription_name
+  tenant_id                   = var.tenant_id
+  application_id              = local.service_principle_client_id
+  client_secret               = azuread_service_principal_password.current.value
+  directory_domain            = var.directory_domain
+  auto_discover_enabled       = false
+  is_prod                     = var.is_prod
+}

modules/single_integration/locals.tf

@@ -0,0 +1,15 @@
+locals {
+  resource_group_name = var.existing_resource_group_name != "" ? var.existing_resource_group_name : azurerm_resource_group.current[0].name
+  storage_account_id = var.existing_storage_account_id != "" ? var.existing_storage_account_id : azurerm_storage_account.current[0].id
+  app_id = var.existing_app_id != "" ? var.existing_app_id : azuread_application_registration.current[0].id
+  service_principle_client_id = var.existing_service_principal_id != "" ? var.existing_service_principal_id : azuread_service_principal.current[0].client_id
+  service_principle_object_id = var.existing_service_principal_id != "" ? data.azuread_service_principal.existing[0].object_id : azuread_service_principal.current[0].object_id
+  eventgrid_system_topic_name = azurerm_eventgrid_system_topic.current[0].name
+  tags = merge(var.tags, {
+    "firefly" = "true"
+  })
+}
+
+module "naming" {
+  source = "Azure/naming/azurerm"
+}

modules/single_integration/modules/firefly_azure_integration/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  version = "0.1.0"
+}

modules/single_integration/modules/firefly_azure_integration/main.tf

@@ -0,0 +1,27 @@
+data "http" "firefly_azure_integration_request" {
+  url    = "${var.firefly_endpoint}/integrations/azure/"
+  method = "POST"
+  request_headers = {
+    Content-Type  = "application/json"
+    Authorization = "Bearer ${var.firefly_token}"
+  }
+  retry {
+    attempts     = 3
+    max_delay_ms = 5000
+    min_delay_ms = 5000
+  }
+  request_body = jsonencode(
+    {
+      "name"                       = var.subscription_name,
+      "subscriptionId"             = var.subscription_id,
+      "tenantId"                   = var.tenant_id,
+      "applicationId"              = var.application_id,
+      "clientSecret"               = var.client_secret,
+      "directoryDomain"            = var.directory_domain,
+      "isProd"                     = var.is_prod,
+      "isEventDriven"              = var.eventdriven_enabled,
+      "isIacAutoDiscoveryDisabled" = var.iac_auto_discovery_disabled
+      "isAutoDiscover"             = var.auto_discover_enabled
+    }
+  )
+}

modules/single_integration/modules/firefly_azure_integration/terraform.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    http = {
+      source  = "hashicorp/http"
+      version = "3.4.2"
+    }
+  }
+}

modules/single_integration/modules/firefly_azure_integration/vars.tf

@@ -0,0 +1,58 @@
+variable "subscription_name" {
+  type        = string
+  description = "subscription_name"
+}
+
+variable "firefly_token" {
+  type        = string
+  description = "Token returned as result of login request, if provided firefly_access_key and firefly_secret_key are ignored"
+}
+
+variable "subscription_id" {
+  type        = string
+  description = "subscription id"
+}
+
+
+variable "firefly_endpoint" {
+  type        = string
+  description = "The Firefly endpoint to register account management"
+  default     = "https://prodapi.gofirefly.io/api"
+}
+
+variable "is_prod" {
+  type        = bool
+  default     = false
+  description = "Is Production?"
+}
+
+variable "tenant_id" {
+  type = string
+}
+
+variable "application_id" {
+  type = string
+}
+
+variable "client_secret" {
+  type = string
+}
+
+variable "directory_domain" {
+  type = string
+}
+
+variable "eventdriven_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "auto_discover_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "iac_auto_discovery_disabled" {
+  type    = bool
+  default = false
+}

modules/single_integration/outputs.tf

@@ -0,0 +1,33 @@
+output "firefly_service_principal_id" {
+  value = local.service_principle_client_id
+}
+
+output "firefly_service_principal_password" {
+  value = azuread_service_principal_password.current.value
+  sensitive = true
+}
+
+
+output "firefly_tenant_id" {
+  value = var.tenant_id
+}
+
+output "firefly_subscription_id" {
+  value = var.subscription_id
+}
+
+output "firefly_resource_group_name" {
+  value = local.resource_group_name
+}
+
+output "firefly_storage_account_id" {
+  value = local.storage_account_id
+}
+
+output "firefly_eventgrid_system_topic_name" {
+  value = local.eventgrid_system_topic_name
+}
+
+output "firefly_eips" {
+  value = var.firefly_eips
+}