Azure flow logs from storage accounts (#21)

Add module to onboard azure flow storage accounts, and example on how to use it. Fix links in readme to submodules in terraform module page (now showing 404). Add outputs to the `azure_subscription` module with its variable values.
illumio · Nov 14, 2024 · 2f31be9 · 2f31be9
1 parent 0c6a5d1
commit 2f31be9
Show file tree

Hide file tree

Showing 21 changed files with 383 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -2,10 +2,11 @@
 Terraform submodules that add functionality to Illumio's CloudSecure Terraform provider. See the modules directory for the various submodules' usage.
 
 ## Available Nested Modules
-* [`aws_account`](./modules/aws_account/README.md): onboarding of an AWS account with CloudSecure.
-* [`azure_subscription`](./modules/azure_subscription/README.md): onboarding of an Azure subscription with CloudSecure.
-* [`aws_flow_logs_s3_buckets`](./modules/aws_flow_logs_s3_buckets/README.md): onboarding of AWS S3 buckets with CloudSecure to access flow logs.
-* [`k8s_cluster`](./modules/k8s_cluster/README.md): deployment and onboarding of CloudSecure's `cloud-operator` into a k8s cluster.
+* [`aws_account`](https://registry.terraform.io/modules/illumio/cloudsecure/illumio/latest/submodules/aws_account): onboarding of an AWS account with CloudSecure.
+* [`azure_subscription`](https://registry.terraform.io/modules/illumio/cloudsecure/illumio/latest/submodules/azure_subscription): onboarding of an Azure subscription with CloudSecure.
+* [`azure_flow_logs_storage_accounts`](https://registry.terraform.io/modules/illumio/cloudsecure/illumio/latest/submodules/azure_flow_logs_storage_accounts): onboarding of Azure Storage Accounts with CloudSecure to access flow logs.
+* [`aws_flow_logs_s3_buckets`](https://registry.terraform.io/modules/illumio/cloudsecure/illumio/latest/submodules/aws_flow_logs_s3_buckets): onboarding of AWS S3 buckets with CloudSecure to access flow logs.
+* [`k8s_cluster`](https://registry.terraform.io/modules/illumio/cloudsecure/illumio/latest/submodules/k8s_cluster): deployment and onboarding of CloudSecure's `cloud-operator` into a k8s cluster.
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements

diff --git a/examples/aws_account/README.md b/examples/aws_account/README.md
@@ -14,7 +14,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | illumio/cloudsecure/illumio//modules/aws_account | 1.3.1 |
+| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | illumio/cloudsecure/illumio//modules/aws_account | 1.4.0 |
 
 ## Resources
 

diff --git a/examples/aws_account/main.tf b/examples/aws_account/main.tf
@@ -9,7 +9,7 @@ provider "illumio-cloudsecure" {
 
 module "aws_account_dev" {
   source  = "illumio/cloudsecure/illumio//modules/aws_account"
-  version = "1.3.1"
+  version = "1.4.0"
   name    = "Test Account"
   tags    = {
     Name  = "CloudSecure Account Policy"

diff --git a/examples/aws_flow_logs_s3_buckets/README.md b/examples/aws_flow_logs_s3_buckets/README.md
@@ -14,8 +14,8 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | illumio/cloudsecure/illumio//modules/aws_account | 1.3.1 |
-| <a name="module_aws_flow_logs_s3_buckets"></a> [aws\_flow\_logs\_s3\_buckets](#module\_aws\_flow\_logs\_s3\_buckets) | illumio/cloudsecure/illumio//modules/aws_flow_logs_s3_buckets | 1.3.1 |
+| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | illumio/cloudsecure/illumio//modules/aws_account | 1.4.0 |
+| <a name="module_aws_flow_logs_s3_buckets"></a> [aws\_flow\_logs\_s3\_buckets](#module\_aws\_flow\_logs\_s3\_buckets) | illumio/cloudsecure/illumio//modules/aws_flow_logs_s3_buckets | 1.4.0 |
 
 ## Resources
 

diff --git a/examples/aws_flow_logs_s3_buckets/main.tf b/examples/aws_flow_logs_s3_buckets/main.tf
@@ -9,7 +9,7 @@ provider "illumio-cloudsecure" {
 
 module "aws_account_dev" {
   source  = "illumio/cloudsecure/illumio//modules/aws_account"
-  version = "1.3.1"
+  version = "1.4.0"
   name    = "Test Account"
   tags    = {
     Name  = "CloudSecure Account Policy"
@@ -19,7 +19,7 @@ module "aws_account_dev" {
 
 module "aws_flow_logs_s3_buckets" {
   source         = "illumio/cloudsecure/illumio//modules/aws_flow_logs_s3_buckets"
-  version        = "1.3.1"
+  version        = "1.4.0"
   role_id        = aws_account_dev.role_id
   s3_bucket_arns = [
     "arn:aws:s3:::flows-bucket-1",

diff --git a/examples/azure_flow_logs_storage_accounts/README.md b/examples/azure_flow_logs_storage_accounts/README.md
@@ -0,0 +1,38 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 4.0 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | >= 1.2.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_azure_flow_logs_storage_accounts"></a> [azure\_flow\_logs\_storage\_accounts](#module\_azure\_flow\_logs\_storage\_accounts) | illumio/cloudsecure/illumio//modules/azure_flow_logs_storage_accounts | 1.4.0 |
+| <a name="module_azure_subscription_dev"></a> [azure\_subscription\_dev](#module\_azure\_subscription\_dev) | illumio/cloudsecure/illumio//modules/azure_subscription | 1.4.0 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_azure_client_id"></a> [azure\_client\_id](#input\_azure\_client\_id) | The Azure Client ID. | `string` | n/a | yes |
+| <a name="input_azure_client_secret"></a> [azure\_client\_secret](#input\_azure\_client\_secret) | The Azure Client Secret. | `string` | n/a | yes |
+| <a name="input_azure_subscription_id"></a> [azure\_subscription\_id](#input\_azure\_subscription\_id) | The Azure Subscription ID. | `string` | n/a | yes |
+| <a name="input_azure_tenant_id"></a> [azure\_tenant\_id](#input\_azure\_tenant\_id) | The Azure Tenant ID. | `string` | n/a | yes |
+| <a name="input_illumio_cloudsecure_client_id"></a> [illumio\_cloudsecure\_client\_id](#input\_illumio\_cloudsecure\_client\_id) | The OAuth 2 client identifier used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
+| <a name="input_illumio_cloudsecure_client_secret"></a> [illumio\_cloudsecure\_client\_secret](#input\_illumio\_cloudsecure\_client\_secret) | The OAuth 2 client secret used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/examples/azure_flow_logs_storage_accounts/main.tf b/examples/azure_flow_logs_storage_accounts/main.tf
@@ -0,0 +1,54 @@
+provider "azurerm" {
+  features {}
+  client_id       = var.azure_client_id
+  client_secret   = var.azure_client_secret
+  tenant_id       = var.azure_tenant_id
+  subscription_id = var.azure_subscription_id
+}
+
+provider "azuread" {
+  client_id       = var.azure_client_id
+  client_secret   = var.azure_client_secret
+  tenant_id       = var.azure_tenant_id
+}
+
+provider "illumio-cloudsecure" {
+  client_id     = var.illumio_cloudsecure_client_id
+  client_secret = var.illumio_cloudsecure_client_secret
+}
+
+module "azure_subscription_dev" {
+  source                 = "illumio/cloudsecure/illumio//modules/azure_subscription"
+  version                = "1.4.0"
+  name                   = "Test Azure Subscription"
+  mode                   = "ReadWrite"
+  secret_expiration_days = 365
+  subscription_id        = "1681e851-ba2d-410b-a66a-9511887e1c1a" # Azure Subscription ID
+  tenant_id              = "b563cc25-a007-4837-981a-cbe2017228a4" # Azure Tenant ID
+
+  tags = [
+    "Environment=Dev",
+    "Owner=John Doe"
+  ]
+}
+
+module "azure_flow_logs_storage_accounts" {
+  source                      = "illumio/cloudsecure/illumio//modules/azure_flow_logs_storage_accounts"
+  version                     = "1.4.0"
+  service_principal_client_id = module.azure_subscription_dev.service_principal_client_id
+
+  storage_accounts = [
+    {
+      name                = "welcomegsk"
+      resource_group_name = "demo1"
+    },
+    {
+      name                = "secondstorage"
+      resource_group_name = "demo2"
+    },
+    {
+      name                = "thirdstorage"
+      resource_group_name = "demo3"
+    }
+  ]
+}
diff --git a/examples/azure_flow_logs_storage_accounts/variables.tf b/examples/azure_flow_logs_storage_accounts/variables.tf
@@ -0,0 +1,56 @@
+variable "illumio_cloudsecure_client_id" {
+  type        = string
+  description = "The OAuth 2 client identifier used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.illumio_cloudsecure_client_id) > 0
+    error_message = "The illumio_cloudsecure_client_id value must not be empty."
+  }
+}
+
+variable "illumio_cloudsecure_client_secret" {
+  type        = string
+  sensitive   = true
+  description = "The OAuth 2 client secret used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.illumio_cloudsecure_client_secret) > 0
+    error_message = "The illumio_cloudsecure_client_secret value must not be empty."
+  }
+}
+
+
+variable "azure_subscription_id" {
+  type        = string
+  description = "The Azure Subscription ID."
+  validation {
+    condition     = length(var.azure_subscription_id) > 0
+    error_message = "The azure_subscription_id value must not be empty."
+  }
+}
+
+variable "azure_client_id" {
+  type        = string
+  description = "The Azure Client ID."
+  validation {
+    condition     = length(var.azure_client_id) > 0
+    error_message = "The azure_client_id value must not be empty."
+  }
+}
+
+variable "azure_client_secret" {
+  type        = string
+  sensitive   = true
+  description = "The Azure Client Secret."
+  validation {
+    condition     = length(var.azure_client_secret) > 0
+    error_message = "The azure_client_secret value must not be empty."
+  }
+}
+
+variable "azure_tenant_id" {
+  type        = string
+  description = "The Azure Tenant ID."
+  validation {
+    condition     = length(var.azure_tenant_id) > 0
+    error_message = "The azure_tenant_id value must not be empty."
+  }
+}
diff --git a/examples/azure_flow_logs_storage_accounts/versions.tf b/examples/azure_flow_logs_storage_accounts/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    illumio-cloudsecure = {
+      source  = "illumio/illumio-cloudsecure"
+      version = ">= 1.2.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4.0"
+    }
+  }
+}
diff --git a/examples/azure_subscription/README.md b/examples/azure_subscription/README.md
@@ -5,7 +5,7 @@
 |------|---------|
 | <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | >= 3.0 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 4.0 |
-| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | >= 1.1.0 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | >= 1.2.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.12.1 |
 
 ## Providers
@@ -16,7 +16,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_azure_subscription_dev"></a> [azure\_subscription\_dev](#module\_azure\_subscription\_dev) | illumio/cloudsecure/illumio//modules/azure_subscription | 1.3.1 |
+| <a name="module_azure_subscription_dev"></a> [azure\_subscription\_dev](#module\_azure\_subscription\_dev) | illumio/cloudsecure/illumio//modules/azure_subscription | 1.4.0 |
 
 ## Resources
 
@@ -26,6 +26,10 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_azure_client_id"></a> [azure\_client\_id](#input\_azure\_client\_id) | The Azure Client ID. | `string` | n/a | yes |
+| <a name="input_azure_client_secret"></a> [azure\_client\_secret](#input\_azure\_client\_secret) | The Azure Client Secret. | `string` | n/a | yes |
+| <a name="input_azure_subscription_id"></a> [azure\_subscription\_id](#input\_azure\_subscription\_id) | The Azure Subscription ID. | `string` | n/a | yes |
+| <a name="input_azure_tenant_id"></a> [azure\_tenant\_id](#input\_azure\_tenant\_id) | The Azure Tenant ID. | `string` | n/a | yes |
 | <a name="input_illumio_cloudsecure_client_id"></a> [illumio\_cloudsecure\_client\_id](#input\_illumio\_cloudsecure\_client\_id) | The OAuth 2 client identifier used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
 | <a name="input_illumio_cloudsecure_client_secret"></a> [illumio\_cloudsecure\_client\_secret](#input\_illumio\_cloudsecure\_client\_secret) | The OAuth 2 client secret used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
 

diff --git a/examples/azure_subscription/main.tf b/examples/azure_subscription/main.tf
@@ -1,8 +1,16 @@
-provider "aws" {
-  region = "us-west-1"
+provider "azurerm" {
+  features {}
+  client_id       = var.azure_client_id
+  client_secret   = var.azure_client_secret
+  tenant_id       = var.azure_tenant_id
+  subscription_id = var.azure_subscription_id
 }
 
-provider "time" {}
+provider "azuread" {
+  client_id       = var.azure_client_id
+  client_secret   = var.azure_client_secret
+  tenant_id       = var.azure_tenant_id
+}
 
 provider "illumio-cloudsecure" {
   client_id     = var.illumio_cloudsecure_client_id
@@ -11,7 +19,7 @@ provider "illumio-cloudsecure" {
 
 module "azure_subscription_dev" {
   source                 = "illumio/cloudsecure/illumio//modules/azure_subscription"
-  version                = "1.3.1"
+  version                = "1.4.0"
   name                   = "Test Azure Subscription"
   mode                   = "ReadWrite"
   secret_expiration_days = 365

diff --git a/examples/azure_subscription/variables.tf b/examples/azure_subscription/variables.tf
@@ -16,3 +16,40 @@ variable "illumio_cloudsecure_client_secret" {
     error_message = "The illumio_cloudsecure_client_secret value must not be empty."
   }
 }
+
+variable "azure_subscription_id" {
+  type        = string
+  description = "The Azure Subscription ID."
+  validation {
+    condition     = length(var.azure_subscription_id) > 0
+    error_message = "The azure_subscription_id value must not be empty."
+  }
+}
+
+variable "azure_client_id" {
+  type        = string
+  description = "The Azure Client ID."
+  validation {
+    condition     = length(var.azure_client_id) > 0
+    error_message = "The azure_client_id value must not be empty."
+  }
+}
+
+variable "azure_client_secret" {
+  type        = string
+  sensitive   = true
+  description = "The Azure Client Secret."
+  validation {
+    condition     = length(var.azure_client_secret) > 0
+    error_message = "The azure_client_secret value must not be empty."
+  }
+}
+
+variable "azure_tenant_id" {
+  type        = string
+  description = "The Azure Tenant ID."
+  validation {
+    condition     = length(var.azure_tenant_id) > 0
+    error_message = "The azure_tenant_id value must not be empty."
+  }
+}
diff --git a/examples/azure_subscription/versions.tf b/examples/azure_subscription/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     illumio-cloudsecure = {
       source  = "illumio/illumio-cloudsecure"
-      version = ">= 1.1.0"
+      version = ">= 1.2.0"
     }
     azurerm = {
       source  = "hashicorp/azurerm"
@@ -13,7 +13,7 @@ terraform {
       version = ">= 3.0"
     }
     time = {
-      source = "hashicorp/time"
+      source  = "hashicorp/time"
       version = ">= 0.12.1"
     }
   }

diff --git a/examples/k8s_cluster/README.md b/examples/k8s_cluster/README.md
@@ -14,7 +14,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_k8s_cluster_dev"></a> [k8s\_cluster\_dev](#module\_k8s\_cluster\_dev) | illumio/cloudsecure/illumio//modules/k8s_cluster | 1.3.1 |
+| <a name="module_k8s_cluster_dev"></a> [k8s\_cluster\_dev](#module\_k8s\_cluster\_dev) | illumio/cloudsecure/illumio//modules/k8s_cluster | 1.4.0 |
 
 ## Resources
 

diff --git a/examples/k8s_cluster/main.tf b/examples/k8s_cluster/main.tf
@@ -11,7 +11,7 @@ provider "illumio-cloudsecure" {
 
 module "k8s_cluster_dev" {
   source         = "illumio/cloudsecure/illumio//modules/k8s_cluster"
-  version        = "1.3.1"
+  version        = "1.4.0"
   illumio_region = "aws-us-west-2"
   name           = "example-release"
   description    = "Dev cluster in aws-us-west-2"