This module adds an Azure tenant to Rubrik Security Cloud (RSC/Polaris). It is designed to be work with the Terraform Module - Azure Rubrik Cloud Native Subscription module.
There are a few services you'll need in order to get this project off the ground:
- Terraform v1.5.1 or greater
- Rubrik Polaris Provider for Terraform - provides Terraform functions for Rubrik Security Cloud (Polaris)
- Install the Azure CLI tools - Needed for Terraform to authenticate with Azure
- Properly configure the backend for this module. See Configure the Backend in this README.md.
terraform {
required_providers {
azuread = {
source = "hashicorp/azuread"
}
polaris = {
source = "rubrikinc/polaris"
version = ">=0.9.0-beta.8"
}
}
}
# Configure the Azure Active Directory Provider
provider "azuread" {
tenant_id = var.azure_tenant_id
}
# Point the provider to the RSC service account to use.
provider "polaris" {
credentials = var.polaris_credentials
}
module "polaris-azure-cloud-native_tenant" {
source = "rubrikinc/polaris-cloud-native_tenant/azure"
azure_tenant_id = "abcdef01-2345-6789-abcd-ef0123456789"
polaris_credentials = "../.creds/customer-service-account.json"
}| Name | Version |
|---|---|
| polaris | >=0.9.0-beta.3 |
| Name | Version |
|---|---|
| azuread | n/a |
| polaris | >=0.9.0-beta.3 |
| time | n/a |
| Name | Type |
|---|---|
| azuread_application.polaris | resource |
| azuread_service_principal.polaris | resource |
| azuread_service_principal_password.polaris | resource |
| polaris_azure_service_principal.polaris | resource |
| time_sleep.wait_for_sp | resource |
| azuread_client_config.current | data source |
| azuread_domains.polaris | data source |
| polaris_account.polaris | data source |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| azure_tenant_id | ID of Azure Tenant to protect. | string |
n/a | yes |
| polaris_credentials | Full path to credentials file for RSC/Polaris. | string |
n/a | yes |
| rsc_sync_delay | Delay so that Azure and RSC can sync on the new service principal. | string |
"60s" |
no |
| Name | Description |
|---|---|
| azure_service_principal_object_id | n/a |
| rsc_service_principal_tenant_domain | n/a |
Before running Terraform using the azurerm_* or azapi_* data sources and resources, an authentication with Azure is required. Terraform Module for AzureRM CLI Authentication
provides a complete guide on how to authenticate Terraform with Azure. The following commands can be used from a command line interface with the Microsoft Azure CLI
to manually run Terraform:
az login --tenant <tenant_id>
Where <tenant_id> is the ID of the tenant to login to. If you only have one tenant you can remove the --tenant option.
Next before running this module, the subscription must be selected. Do this by running the command:
az account set --subscription <subscription_id>
Where <subscription_id> is the ID of the subscription where CCES will be deployed.
The directory can be initialized for Terraform use by running the terraform init command:
-> terraform init
Initializing the backend...
Successfully configured the backend "local"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding latest version of hashicorp/azuread...
- Finding latest version of rubrikinc/polaris...
- Installing hashicorp/azuread v2.43.0...
- Installed hashicorp/azuread v2.43.0 (signed by HashiCorp)
- Installing rubrikinc/polaris v0.7.2...
- Installed rubrikinc/polaris v0.7.2 (signed by a HashiCorp partner, key ID 6B41B7EAD9DB76FB)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Run terraform plan to get information about what will happen when we apply the configuration; this will test that everything is set up correctly.
We can now apply the configuration to add the Azure tenant to RSC using the terraform apply command.
Once the subscription no longer needs protection, it can be removed from RSC using the terraform destroy command, and entering yes when prompted.
│ Error: failed to lookup principal: failed to lookup app display name and object id for service principal: failed to get Azure service principal names using Graph: graphrbac.ServicePrincipalsClient#List: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_IdentityNotFound","date":"2023-10-02T18:43:00","message":{"lang":"en","value":"The identity of the calling application could not be established."},"requestId":"3df53cfb-0f10-494d-84a9-da86d4348353"}}]
│
│ with polaris_azure_service_principal.polaris,
│ on main.tf line 22, in resource "polaris_azure_service_principal" "polaris":
│ 22: resource "polaris_azure_service_principal" "polaris" {
Logout and back in again from Azure"
az logout
az login --tenant [Azure Tenant]
When the last subscription in an Azure tenant has been deleted you may get this error, as the tenant has also been deleted from RSC:
│ Error: failed to add subscription: failed to request addAzureCloudAccountWithoutOauth: graphql response body is an error (status code 200): NOT_FOUND: Failed to get service principal in the tenant. Azure may take some time to sync service principal. Please try after a minute (Azure error: [Unknown] Unknown service error) (code: 404, traceId: FWaZk7YsxjaRDF5NlWWsAw==)
│
│ with polaris_azure_subscription.polaris,
│ on main.tf line 84, in resource "polaris_azure_subscription" "polaris":
│ 84: resource "polaris_azure_subscription" "polaris" {
│
╵
Solution: Taint the polaris_azure_service_principal.polaris resource and re-running the apply operation.
We glady welcome contributions from the community. From updating the documentation to adding more functionality, all ideas are welcome. Thank you in advance for all of your issues, pull requests, and comments!
This README.md was created with terraform-docs. To update any of the auto generated parameters between the <!-- BEGIN_TF_DOCS --> and <!-- END_TF_DOCS --> lines first modify the .terraform-docs.yml file, if needed. Then run gen_docs.sh in this modules directory. For any documentation that needs to be modified outside of the <!-- BEGIN_TF_DOCS --> and <!-- END_TF_DOCS --> lines, modify this README.md file directly.