Prisma CSPM terraform.tf -> Azure WebShell execution But it has issue. Anyon who had the same problem and solved?

JKim57 — Thu, 08 Sep 2022 09:22:38 GMT

Yesterday, I tried to register Azure a tenant's subscription to Paloalto Prisma CSPM.

For the process, it required 5 values below.

output 'a__directory_tenant_id' { value = var.tenant_id}
output 'b__subscription_id' { value = var.subscription_id }
output 'c__application_client_id' { value = azuread_application.prisma_cloud_app.application_id}
output 'd__application_client_secret' { value = nonsensitive(azuread_application_password.password.value)}
output 'e__enterprise_application_object_id' { value = azuread_service_principal.prisma_cloud_sp.id}

so I downloaded terraform.tf file from the step 3 in Prisma Cloud

Settings -> Cloud Accounts -> Add Cloud Account -> Azure.

After I filled out right tenant ID & Subscription ID to blanks, I colud download the file, terraform.tf

and it's content's like below:

----------------------------------------------------------------------------------------

##################################
# EDIT THE FOLLOWING PARAMETERS
#
# tenant_id : Active directory's ID
# (Portal) Azure AD -> Properties -> Directory ID
#
# subscription_id: Subscription ID that you want to onboard
# Custom role are going to be created from this subscription
# Please use a permanent subscription
#
# cloud_environment: Cloud environment to be used.
# Default: public
# Possible values are public, usgovernment, german, and china
#

variable 'tenant_id' {
type = string
default = '8db7ee9a-5c88-49fb-b0f6-0a74cc4739a4'
}
variable 'subscription_id' {
type = string
default = '22fab5b8-0acb-4e61-8e37-fbeabc3f4266'
}
variable 'cloud_environment' {
type = string
default = 'public'
}

# By default setting the password to last for a year
variable 'application_password_expiration' {
type = string
default = '8760h'
}

# The list of permissions added to the custom role
variable 'custom_role_permissions' {
type = list(string)
default = [
'Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action',
'Microsoft.Network/networkInterfaces/effectiveRouteTable/action',
'Microsoft.Network/networkWatchers/securityGroupView/action',
'Microsoft.Network/networkWatchers/queryFlowLogStatus/*',
'Microsoft.Network/virtualwans/vpnconfiguration/action',
'Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action',
'Microsoft.Web/sites/config/list/action',
'Microsoft.Web/sites/publishxml/action',
'Microsoft.ContainerRegistry/registries/listCredentials/action',
'Microsoft.Web/sites/functions/action',
'Microsoft.ContainerInstance/containerGroups/containers/exec/action'
]
}

#############################
# Initializing the provider
##############################

terraform {
required_providers {
azuread = {
version = '=1.4.0'
}
azurerm = {
version = '=2.49.0'
}
random = {
version = '=3.1.0'
}
time = {
version = '=0.7.0'
}
}
}

provider 'azuread' {
tenant_id = var.tenant_id
environment = var.cloud_environment
}
provider 'azurerm' {
tenant_id = var.tenant_id
subscription_id = var.subscription_id
features {}
}
provider 'random' {}

provider 'time' {}

#######################################################
# Setting up an Application & Service Principal
# Will be shared by all of the onboarded subscriptions
#######################################################
resource 'random_string' 'unique_id' {
length = 5
min_lower = 5
special = false
}

resource 'azuread_application' 'prisma_cloud_app' {
display_name = 'Prisma Cloud App ${random_string.unique_id.result}'
homepage = 'https://www.paloaltonetworks.com/prisma/cloud'
available_to_other_tenants = true
}

resource 'azuread_service_principal' 'prisma_cloud_sp' {
application_id = azuread_application.prisma_cloud_app.application_id
}

#######################################################
# Generate Application Client Secret
#######################################################
resource 'random_password' 'application_client_secret' {
length = 32
special = true
}

resource 'azuread_application_password' 'password' {
value = random_password.application_client_secret.result
end_date = timeadd(timestamp(),var.application_password_expiration)
application_object_id = azuread_application.prisma_cloud_app.object_id
}

#######################################################
# Setting up custom roles
#######################################################

resource 'azurerm_role_definition' 'custom_prisma_role' {
name = 'Prisma Cloud ${random_string.unique_id.result}'
scope = '/subscriptions/${var.subscription_id}'
description = 'Prisma Cloud custom role created via Terraform'
assignable_scopes = ['/subscriptions/${var.subscription_id}']
permissions {
actions = var.custom_role_permissions
not_actions = []
}
timeouts {
create = '5m'
read = '5m'
}
}

resource 'time_sleep' 'wait_20_seconds' {
depends_on = [
azurerm_role_definition.custom_prisma_role
]
create_duration = '20s'
}

resource 'azurerm_role_assignment' 'assign_custom_prisma_role' {
scope = '/subscriptions/${var.subscription_id}'
principal_id = azuread_service_principal.prisma_cloud_sp.id
role_definition_id = azurerm_role_definition.custom_prisma_role.role_definition_resource_id
depends_on = [
time_sleep.wait_20_seconds
]
skip_service_principal_aad_check = true
}

resource 'azurerm_role_assignment' 'assign_reader' {
scope = '/subscriptions/${var.subscription_id}'
principal_id = azuread_service_principal.prisma_cloud_sp.id
role_definition_name = 'Reader'
skip_service_principal_aad_check = true
}

resource 'azurerm_role_assignment' 'assign_reader_data_access' {
scope = '/subscriptions/${var.subscription_id}'
principal_id = azuread_service_principal.prisma_cloud_sp.id
role_definition_name = 'Reader and Data Access'
skip_service_principal_aad_check = true
}

--------------------------------------------------------------------------

After that:

1. Logged in Azure account

2. Go to the Right directory(tenant)

3. Execute Azure Shell

4. Upload the file, terraform.tf

5. Input command: terraform init -> terraform apply

but it show me an error messages like this:

Error: Error obtaining Authorization Token from the Azure CLI: Error parsing json result from Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: Tenant shouldn't be specified for cloud for cloud Shell account

with provider['registry.terraform.io/hashicorp/azuread'],
on:terraform.tf line 75, in provider 'azuread':
75: provider 'azuread' {

AND STILL CAN'T FIND THE REASON WHY.

Can anyone help me please?

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: Prisma CSPM terraform.tf -> Azure WebShell execution But it has issue. Anyon who had the same problem and solved?

guoli — Tue, 13 Sep 2022 06:59:41 GMT

Please run "az login" first, and then login in another page, after login wait response from CLI, and then apply again.

Re: Prisma CSPM terraform.tf -> Azure WebShell execution But it has issue. Anyon who had the same problem and solved?

JensWegar — Wed, 05 Oct 2022 10:32:53 GMT

I had to use

az login --tenant <tenant_id>

where <tenant_id> is the guid of the tenant that I wanted to onboard. After that terraform apply worked.

topic Prisma CSPM terraform.tf -> Azure WebShell execution But it has issue. Anyon who had the same problem and solved? in General Topics

Prisma CSPM terraform.tf -> Azure WebShell execution But it has issue. Anyon who had the same problem and solved?

Re: Prisma CSPM terraform.tf -> Azure WebShell execution But it has issue. Anyon who had the same problem and solved?

Re: Prisma CSPM terraform.tf -> Azure WebShell execution But it has issue. Anyon who had the same problem and solved?