Building Azure Infrastructure

.github/workflows/ci.yaml

@@ -39,66 +39,59 @@ jobs:
 
   test:
     runs-on: ubuntu-latest
-    # Define any services needed for the test suite (or delete this section)
-    # services:
-    #   postgres:
-    #     image: postgres:16
-    #     ports:
-    #       - "5432:5432"
-    #     env:
-    #       POSTGRES_PASSWORD: secretpassword
     env:
       BATON_LOG_LEVEL: debug
-      # Add any environment variables needed to run baton-azure-infrastructure
-      # BATON_BASE_URL: 'http://localhost:8080'
-      # BATON_ACCESS_TOKEN: 'secret_token'
-      # The following parameters are passed to grant/revoke commands
-      # Change these to the correct IDs for your test data
-      CONNECTOR_GRANT: 'grant:entitlement:group:1234:member:user:9876'
-      CONNECTOR_ENTITLEMENT: 'entitlement:group:1234:member'
-      CONNECTOR_PRINCIPAL: 'user:9876'
-      CONNECTOR_PRINCIPAL_TYPE: 'user'
+      BATON: ./baton/baton
+      BATON_AZURE_CLIENT_ID: ${{ secrets.BATON_AZURE_CLIENT_ID }}
+      BATON_AZURE_CLIENT_SECRET: ${{ secrets.BATON_AZURE_CLIENT_SECRET }}
+      BATON_AZURE_TENANT_ID: ${{ secrets.BATON_AZURE_TENANT_ID }}
+      BATON_ENTITLEMENT: "enterprise_application:981c2ab3-9d18-4d39-ac6d-302ce3570ed1:assignment:18d14569-c3bd-439b-9a66-3a2aee01d14f"
+      BATON_GRANT: "-R1XXyanFUiUfTLnPpaQja1qxwmGWeRFsMnx2RyTki8"
+      BATON_PRINCIPAL: "5f571df9-a726-4815-947d-32e73e96908d"
+      BATON_PRINCIPAL_TYPE: "user"
     steps:
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: 1.22.x
+
       - name: Checkout code
         uses: actions/checkout@v4
-      # Install any dependencies here (or delete this)
-      # - name: Install postgres client
-      #   run: sudo apt install postgresql-client
-      # Run any fixture setup here (or delete this)
-      # - name: Import sql into postgres
-      #   run: psql -h localhost --user postgres -f environment.sql
-      #   env:
-      #     PGPASSWORD: secretpassword
       - name: Build baton-azure-infrastructure
         run: go build ./cmd/baton-azure-infrastructure
       - name: Run baton-azure-infrastructure
         run: ./baton-azure-infrastructure
-
       - name: Install baton
         run: ./scripts/get-baton.sh && mv baton /usr/local/bin
 
-      - name: Check for grant before revoking
-
-        run:
-          baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\""
-
-
-      - name: Revoke grants
-        run: ./baton-azure-infrastructure --revoke-grant="${{ env.CONNECTOR_GRANT }}"
-
-      - name: Check grant was revoked
-        run: ./baton-azure-infrastructure && baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | jq --exit-status "if .grants then .grants[]?.principal.id.resource != \"${{ env.CONNECTOR_PRINCIPAL }}\" else . end"
-
-      - name: Grant entitlement
-        # Change the grant arguments to the correct IDs for your test data
-        run: ./baton-azure-infrastructure --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" --grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"
-
-      - name: Check grant was re-granted
-
-        run:
-          baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\""
+        # NOTE: need to make CI work with appRoleAssignment, this id will change every time is granted
 
+      # - name: Check for grant before revoking
+      #   run: |
+      #     baton grants --entitlement="${{ env.BATON_ENTITLEMENT }}" --output-format=json | \
+      #     jq --exit-status ".grants[].principal.id.resource == \"${{ env.BATON_PRINCIPAL }}\"" |\
+      #     grep -q true
+      #
+      # - name: Revoke grants
+      #   run: ./baton-azure-infrastructure --revoke-grant="${{ env.BATON_GRANT }}"
+      #
+      # - name: Check grant was revoked
+      #   run: |
+      #     ./baton-azure-infrastructure && \
+      #     baton grants --entitlement="${{ env.BATON_ENTITLEMENT }}" --output-format=json | \
+      #     jq --exit-status "if .grants then .grants[]?.principal.id.resource != \"${{ env.BATON_PRINCIPAL }}\" else . end" |\
+      #     grep -v -q true
+      #
+      # - name: Grant entitlement
+      #   run: |
+      #     ./baton-azure-infrastructure --grant-entitlement="${{ env.BATON_ENTITLEMENT }}" \
+      #                     --grant-principal="${{ env.BATON_PRINCIPAL }}" \
+      #                     --grant-principal-type="${{ env.BATON_PRINCIPAL_TYPE }}"
+      #
+      # - name: Check grant was re-granted
+      #   run: |
+      #     ./baton-azure-infrastructure && \
+      #     baton grants --entitlement="${{ env.BATON_ENTITLEMENT }}" --output-format=json | \
+      #     jq --exit-status ".grants[].principal.id.resource == \"${{ env.BATON_PRINCIPAL }}\"" |\
+      #     grep -q true
+      #

.golangci.yml

@@ -71,7 +71,6 @@ linters:
     - durationcheck # check for two durations multiplied together
     - errorlint # errorlint is a linter for that can be used to find code that will cause problems with the error wrapping scheme introduced in Go 1.13.
     - exhaustive # check exhaustiveness of enum switch statements
-    - exportloopref # checks for pointers to enclosing loop variables
     - forbidigo # Forbids identifiers
     - gochecknoinits # Checks that no init functions are present in Go code
     - goconst # Finds repeated strings that could be replaced by a constant

Makefile

@@ -26,3 +26,7 @@ add-dep:
 .PHONY: lint
 lint:
 	golangci-lint run
+
+.PHONY: run
+run:
+	go run ./cmd/baton-azure-infrastructure

README.md

@@ -6,6 +6,20 @@
 
 Check out [Baton](https://github.com/conductorone/baton) to learn more the project in general.
 
+# Requirements
+- You need a Microsoft tenant. You get one with an [Azure free trial](https://azure.microsoft.com/pricing/free-trial/). 
+- Once you have a tenant, you need to create an application in Azure AD. You can follow the instructions [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
+- When you create the application, you will get a `client_id` and a `client_secret`. You will need these to authenticate with the Azure API.
+- Then you will need to get the `tenant_id` of your Azure AD tenant. You can find this in the Azure Entra ID Overview page [here](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).
+
+Finally you will need to set the following environment variables:
+
+```
+export BATON_AZURE_CLIENT_ID=<client_id>
+export BATON_AZURE_CLIENT_SECRET=<client_secret>
+export BATON_AZURE_TENANT_ID=<tenant_id>
+```
+
 # Getting Started
 
 ## brew
@@ -19,7 +33,7 @@ baton resources
 ## docker
 
 ```
-docker run --rm -v $(pwd):/out -e BATON_DOMAIN_URL=domain_url -e BATON_API_KEY=apiKey -e BATON_USERNAME=username ghcr.io/conductorone/baton-azure-infrastructure:latest -f "/out/sync.c1z"
+docker run --rm -v $(pwd):/out -e BATON_AZURE_CLIENT_ID=client_Id -e BATON_AZURE_CLIENT_SECRET=client_secret -e BATON_AZURE_TENANT_ID=tenant_Id ghcr.io/conductorone/baton-azure-infrastructure:latest -f "/out/sync.c1z"
 docker run --rm -v $(pwd):/out ghcr.io/conductorone/baton:latest -f "/out/sync.c1z" resources
 ```
 
@@ -29,6 +43,9 @@ docker run --rm -v $(pwd):/out ghcr.io/conductorone/baton:latest -f "/out/sync.c
 go install github.com/conductorone/baton/cmd/baton@main
 go install github.com/conductorone/baton-azure-infrastructure/cmd/baton-azure-infrastructure@main
 
+BATON_AZURE_CLIENT_SECRET=<client_secret>
+BATON_AZURE_CLIENT_ID=<client_id>
+BATON_AZURE_TENANT_ID=<tenant_id>
 baton-azure-infrastructure
 
 baton resources
@@ -37,7 +54,43 @@ baton resources
 # Data Model
 
 `baton-azure-infrastructure` will pull down information about the following resources:
-- Users
+- Users (entra users)
+- Groups (entra groups)
+- Roles (azure roles)
+- Tenants (azure tenants)
+- Enterprise Applications (entra service principals)
+- Managed Identities (entra service principals)
+- Resource Groups (azure resource groups)
+
+We also introduced resource_group_role_assignment(resource group ID, subscription ID and role ID) for provisioning resource Groups.
+
+## resource_group_role_assignment usage:
+
+- Let's use some IDs for this example
+```
+Resource Group `test_resource_group`
+Subscription `39ea64c5-86d5-4c29-8199-5b602c90e1c5`
+Role `11102f94-c441-49e6-a78b-ef80e0188abc`
+Principal `e4e9c5ae-2937-408b-ba3c-0f58cf417f0a`
+```
+
+- Granting resource group roles for users.
+```
+BATON_AZURE_CLIENT_ID='client_Id' \
+BATON_AZURE_CLIENT_SECRET='client_secret' \
+BATON_AZURE_TENANT_ID='tenant_Id' baton-azure-infrastructure \
+--grant-entitlement 'resource_group_role_assignment:test_resource_group:39ea64c5-86d5-4c29-8199-5b602c90e1c5:11102f94-c441-49e6-a78b-ef80e0188abc:assigned' --grant-principal-type 'user' --grant-principal 'e4e9c5ae-2937-408b-ba3c-0f58cf417f0a' 
+```
+
+In the previous example we granted the resource group role `11102f94-c441-49e6-a78b-ef80e0188abc` to user `e4e9c5ae-2937-408b-ba3c-0f58cf417f0a`.
+
+- Revoking resource group role grants
+```
+BATON_AZURE_CLIENT_ID='client_Id' \
+BATON_AZURE_CLIENT_SECRET='client_secret' \
+BATON_AZURE_TENANT_ID='tenant_Id' baton-azure-infrastructure \
+--revoke-grant 'resource_group_role_assignment:test_resource_group:39ea64c5-86d5-4c29-8199-5b602c90e1c5:11102f94-c441-49e6-a78b-ef80e0188abc:assigned:user:e4e9c5ae-2937-408b-ba3c-0f58cf417f0a'
+```
 
 # Contributing, Support and Issues
 
@@ -63,14 +116,21 @@ Available Commands:
   help               Help about any command
 
 Flags:
+      --azure-client-id string       Azure Client ID ($BATON_AZURE_CLIENT_ID)
+      --azure-client-secret string   Azure Client Secret ($BATON_AZURE_CLIENT_SECRET)
+      --azure-tenant-id string       Azure Tenant ID ($BATON_AZURE_TENANT_ID)
       --client-id string             The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
       --client-secret string         The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
   -f, --file string                  The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
   -h, --help                         help for baton-azure-infrastructure
       --log-format string            The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
       --log-level string             The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
-  -p, --provisioning                 If this connector supports provisioning, this must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
+      --mailboxSettings              If true, attempt to get mailbox settings for users to determine user purpose ($BATON_MAILBOXSETTINGS)
+  -p, --provisioning                 This must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
+      --skip-ad-groups               If true, skip syncing Windows Server Active Directory groups ($BATON_SKIP_AD_GROUPS)
+      --skip-full-sync               This must be set to skip a full sync ($BATON_SKIP_FULL_SYNC)
       --ticketing                    This must be set to enable ticketing support ($BATON_TICKETING)
+      --use-cli-credentials          If true, uses the az cli to auth ($BATON_USE_CLI_CREDENTIALS)
   -v, --version                      version for baton-azure-infrastructure
 
 Use "baton-azure-infrastructure [command] --help" for more information about a command.

baton_capabilities.json

@@ -1,10 +1,113 @@
 {
   "@type":  "type.googleapis.com/c1.connector.v2.ConnectorCapabilities",
   "resourceTypeCapabilities":  [
+    {
+      "resourceType":  {
+        "id":  "enterprise_application",
+        "displayName":  "Enterprise Application of Azure Infrastructure",
+        "traits":  [
+          "TRAIT_APP"
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC",
+        "CAPABILITY_PROVISION"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "group",
+        "displayName":  "Group of Azure Infrastructure",
+        "traits":  [
+          "TRAIT_GROUP"
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC",
+        "CAPABILITY_PROVISION"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "managed_identity",
+        "displayName":  "Managed Identity of Azure Infrastructure",
+        "traits":  [
+          "TRAIT_USER"
+        ],
+        "annotations":  [
+          {
+            "@type":  "type.googleapis.com/c1.connector.v2.SkipEntitlementsAndGrants"
+          }
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "resource_group",
+        "displayName":  "Resource Group of Azure Infrastructure",
+        "traits":  [
+          "TRAIT_GROUP"
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "resource_group_role_assignment",
+        "displayName":  "Role Assignment Resource Group of Azure Infrastructure",
+        "traits":  [
+          "TRAIT_GROUP"
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC",
+        "CAPABILITY_PROVISION"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "role",
+        "displayName":  "Role",
+        "traits":  [
+          "TRAIT_ROLE"
+        ],
+        "description":  "Role of Azure Infrastructure"
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC",
+        "CAPABILITY_PROVISION"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "subscription",
+        "displayName":  "Subscription of Azure Infrastructure",
+        "traits":  [
+          "TRAIT_APP"
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "tenant",
+        "displayName":  "Tenant of Azure Infrastructure"
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC"
+      ]
+    },
     {
       "resourceType":  {
         "id":  "user",
-        "displayName":  "User",
+        "displayName":  "User of Azure Infrastructure",
         "traits":  [
           "TRAIT_USER"
         ]
@@ -15,6 +118,7 @@
     }
   ],
   "connectorCapabilities":  [
+    "CAPABILITY_PROVISION",
     "CAPABILITY_SYNC"
   ],
   "credentialDetails":  {}