Yesterday, I tried to register an Azure tenant's subscription to Palo Alto Prisma CSPM.
The process required the 5 values below:
output "a__directory_tenant_id" {
  value = var.tenant_id
}

output "b__subscription_id" {
  value = var.subscription_id
}

output "c__application_client_id" {
  value = azuread_application.prisma_cloud_app.application_id
}

output "d__application_client_secret" {
  value = nonsensitive(azuread_application_password.password.value)
}

output "e__enterprise_application_object_id" {
  value = azuread_service_principal.prisma_cloud_sp.id
}
so I downloaded the terraform.tf file from step 3 in Prisma Cloud:
Settings -> Cloud Accounts -> Add Cloud Account -> Azure.
After I filled in the right tenant ID & subscription ID, I could download the file terraform.tf,
and its contents are like below:
----------------------------------------------------------------------------------------
##################################
# EDIT THE FOLLOWING PARAMETERS #
#
# tenant_id : Active directory's ID
#   (Portal) Azure AD -> Properties -> Directory ID
#
# subscription_id: Subscription ID that you want to onboard
#   Custom roles are going to be created from this subscription
#   Please use a permanent subscription
#
# cloud_environment: Cloud environment to be used.
#   Default: public
#   Possible values are public, usgovernment, german, and china
#

variable "tenant_id" {
  type    = string
  default = "8db7ee9a-5c88-49fb-b0f6-0a74cc4739a4"
}

variable "subscription_id" {
  type    = string
  default = "22fab5b8-0acb-4e61-8e37-fbeabc3f4266"
}

variable "cloud_environment" {
  type    = string
  default = "public"
}

# By default setting the password to last for a year
variable "application_password_expiration" {
  type    = string
  default = "8760h"
}

# The list of permissions added to the custom role
variable "custom_role_permissions" {
  type = list(string)
  default = [
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
    "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
    "Microsoft.Network/networkWatchers/securityGroupView/action",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/*",
    "Microsoft.Network/virtualwans/vpnconfiguration/action",
    "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Web/sites/publishxml/action",
    "Microsoft.ContainerRegistry/registries/listCredentials/action",
    "Microsoft.Web/sites/functions/action",
    "Microsoft.ContainerInstance/containerGroups/containers/exec/action"
  ]
}

#############################
# Initializing the provider
#############################

terraform {
  required_providers {
    azuread = {
      version = "=1.4.0"
    }
    azurerm = {
      version = "=2.49.0"
    }
    random = {
      version = "=3.1.0"
    }
    time = {
      version = "=0.7.0"
    }
  }
}

provider "azuread" {
  tenant_id   = var.tenant_id
  environment = var.cloud_environment
}

provider "azurerm" {
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
  features {}
}

provider "random" {}

provider "time" {}

#######################################################
# Setting up an Application & Service Principal
# Will be shared by all of the onboarded subscriptions
#######################################################

resource "random_string" "unique_id" {
  length    = 5
  min_lower = 5
  special   = false
}

resource "azuread_application" "prisma_cloud_app" {
  display_name               = "Prisma Cloud App ${random_string.unique_id.result}"
  homepage                   = "https://www.paloaltonetworks.com/prisma/cloud"
  available_to_other_tenants = true
}

resource "azuread_service_principal" "prisma_cloud_sp" {
  application_id = azuread_application.prisma_cloud_app.application_id
}

#######################################################
# Generate Application Client Secret
#######################################################

resource "random_password" "application_client_secret" {
  length  = 32
  special = true
}

resource "azuread_application_password" "password" {
  value                 = random_password.application_client_secret.result
  end_date              = timeadd(timestamp(), var.application_password_expiration)
  application_object_id = azuread_application.prisma_cloud_app.object_id
}

#######################################################
# Setting up custom roles
#######################################################

resource "azurerm_role_definition" "custom_prisma_role" {
  name              = "Prisma Cloud ${random_string.unique_id.result}"
  scope             = "/subscriptions/${var.subscription_id}"
  description       = "Prisma Cloud custom role created via Terraform"
  assignable_scopes = ["/subscriptions/${var.subscription_id}"]

  permissions {
    actions     = var.custom_role_permissions
    not_actions = []
  }

  timeouts {
    create = "5m"
    read   = "5m"
  }
}

# Wait for the new role definition to propagate before assigning it
resource "time_sleep" "wait_20_seconds" {
  depends_on      = [azurerm_role_definition.custom_prisma_role]
  create_duration = "20s"
}

resource "azurerm_role_assignment" "assign_custom_prisma_role" {
  scope                            = "/subscriptions/${var.subscription_id}"
  principal_id                     = azuread_service_principal.prisma_cloud_sp.id
  role_definition_id               = azurerm_role_definition.custom_prisma_role.role_definition_resource_id
  depends_on                       = [time_sleep.wait_20_seconds]
  skip_service_principal_aad_check = true
}

resource "azurerm_role_assignment" "assign_reader" {
  scope                            = "/subscriptions/${var.subscription_id}"
  principal_id                     = azuread_service_principal.prisma_cloud_sp.id
  role_definition_name             = "Reader"
  skip_service_principal_aad_check = true
}

resource "azurerm_role_assignment" "assign_reader_data_access" {
  scope                            = "/subscriptions/${var.subscription_id}"
  principal_id                     = azuread_service_principal.prisma_cloud_sp.id
  role_definition_name             = "Reader and Data Access"
  skip_service_principal_aad_check = true
}

# The five values the Prisma Cloud onboarding form asks for
output "a__directory_tenant_id" {
  value = var.tenant_id
}

output "b__subscription_id" {
  value = var.subscription_id
}

output "c__application_client_id" {
  value = azuread_application.prisma_cloud_app.application_id
}

output "d__application_client_secret" {
  value = nonsensitive(azuread_application_password.password.value)
}

output "e__enterprise_application_object_id" {
  value = azuread_service_principal.prisma_cloud_sp.id
}
--------------------------------------------------------------------------
After that:
1. Logged in to my Azure account
2. Went to the right directory (tenant)
3. Opened Azure Cloud Shell
4. Uploaded the file terraform.tf
5. Ran the commands: terraform init -> terraform apply
but it showed me an error message like this:
Error: Error obtaining Authorization Token from the Azure CLI: Error parsing json result from Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: Tenant shouldn't be specified for cloud for cloud Shell account

  with provider["registry.terraform.io/hashicorp/azuread"],
  on terraform.tf line 75, in provider "azuread":
  75: provider "azuread" {
and I still can't find the reason why.
Can anyone help me, please?
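An added example, not part of the original post and not Prisma Cloud's own terraform.tf. The error quoted above is raised by the Azure CLI, and its text says a tenant should not be specified for a Cloud Shell account: the Cloud Shell session is already signed in to one tenant and one default subscription. A practical pre-flight check before `terraform apply` is therefore to confirm that this session context matches the tenant_id and subscription_id defaults hard-coded in terraform.tf. The script below reads both defaults from the .tf file and compares them with the tenantId and id fields of `az account show -o json`. The function names, the line-oriented parsing and the demo IDs are assumptions for illustration; the demo input is constructed, not real output from the poster's tenant.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Prisma Cloud's terraform.tf.
# Pre-flight check for Azure Cloud Shell: the Azure CLI there is already signed
# in to one tenant and one default subscription, so before `terraform apply`
# confirm that context matches the tenant_id / subscription_id defaults that
# terraform.tf hard-codes. Function names and sample data are assumptions.
set -e

# Print the `default = "..."` value of a string variable from an HCL file.
# Assumes the layout used by the Prisma file (one variable block per name).
hcl_default() {            # usage: hcl_default <var_name> <file>
  awk -v name="$1" '
    $0 ~ ("variable *\"" name "\"") { inblock = 1 }
    inblock && /default *=/ {
      sub(/.*default *= *"/, ""); sub(/".*/, ""); print; exit
    }
    inblock && /}/ { inblock = 0 }
  ' "$2"
}

# Print a top-level string field from pretty-printed `az account show -o json`
# output (one key per line, which is the CLI default for -o json).
json_field() {             # usage: json_field <key> <json_text>
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Compare the CLI context with what terraform.tf expects; returns 0 on match.
check_cli_context() {      # usage: check_cli_context <tf_file> <az_json>
  local want_tenant want_sub have_tenant have_sub rc=0
  want_tenant=$(hcl_default tenant_id "$1")
  want_sub=$(hcl_default subscription_id "$1")
  have_tenant=$(json_field tenantId "$2")   # tenant the CLI is signed in to
  have_sub=$(json_field id "$2")            # "id" of the active subscription
  if [ "$want_tenant" != "$have_tenant" ]; then
    echo "tenant mismatch: terraform.tf=$want_tenant cli=$have_tenant" >&2
    rc=1
  fi
  if [ "$want_sub" != "$have_sub" ]; then
    echo "subscription mismatch: terraform.tf=$want_sub cli=$have_sub" >&2
    rc=1
  fi
  return "$rc"
}

# --- Constructed demo input (made-up IDs, not the poster's real values) ---
demo_tf=$(mktemp)
trap 'rm -f "$demo_tf"' EXIT
cat > "$demo_tf" <<'EOF'
variable "tenant_id" {
  type    = string
  default = "11111111-2222-3333-4444-555555555555"
}
variable "subscription_id" {
  type    = string
  default = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}
EOF
demo_json='{
  "environmentName": "AzureCloud",
  "homeTenantId": "11111111-2222-3333-4444-555555555555",
  "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "isDefault": true,
  "name": "Demo Subscription",
  "tenantId": "11111111-2222-3333-4444-555555555555",
  "user": { "name": "demo@example.com", "type": "user" }
}'

# Real use in Cloud Shell: check_cli_context terraform.tf "$(az account show -o json)"
if check_cli_context "$demo_tf" "$demo_json"; then
  echo "CLI context matches terraform.tf"
fi
```

In Cloud Shell the call is `check_cli_context terraform.tf "$(az account show -o json)"`; a subscription mismatch is fixed with `az account set --subscription <id>`, and a tenant mismatch means the shell was opened in the wrong directory. Two further caveats a practitioner should keep in mind with the posted file: the `nonsensitive(...)` output prints the new client secret in clear text to the Cloud Shell terminal, and the same secret is persisted in terraform.tfstate, so the storage that holds that state should be treated as holding a credential.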