Apono Connector for Azure

Learn how to deploy a connector in an Azure environment

The Apono connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximum security.

Once the connector has been installed in an Azure environment, you can use Apono to automate permission management in Azure.



Prerequisites

  • Apono Token: Account-specific Apono authentication value. Follow these steps to obtain your token:
      1. On the Catalog tab, click Azure. The Connect Integrations Group page appears.
      2. Click Azure Subscription.
      3. Click an installation method.
      4. Copy the token from step 1.
  • Command Line Interface (CLI): Tool that enables interacting with Azure services using your command-line shell
  • Resource Group Name: Name of the Azure resource group
  • Subscription ID: Identifier for the Azure subscription
  • User Access Administrator Role: Azure subscription role that enables managing user access to Azure resources
  • User Administrator Role: Microsoft Entra role that enables the following tasks:
      • Creating and managing users and groups
      • Resetting passwords for users, helpdesk administrators, and user administrators


Install a new connector

Apono supports the following installation approaches:


Azure CLI

Follow these steps to set up a new connector:

  1. At the shell prompt, set the APONO_CONNECTOR_ID environment variable to apono-connector.
    export APONO_CONNECTOR_ID=apono-connector
    

  2. Set the APONO_TOKEN environment variable to your account token.
    export APONO_TOKEN=<APONO_TOKEN>
    

  3. Set the SUBSCRIPTION_ID environment variable to the Azure subscription ID.
    export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
    

  4. Set the RESOURCE_GROUP_NAME environment variable to the Azure resource group name.
    export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
    

  5. Set the REGION environment variable.
    export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
    

  6. Run the following command to deploy the connector on the Azure Container Instance service.
    export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.5.3 --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 1.5 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)
    

  7. Add the User Access Administrator role to the connector in the subscription scope.
    az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID
    

  8. Add the Directory Readers role to the connector for Azure AD.
    az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
    

  9. On the Connectors page, verify that the connector has been updated.
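As an added post-deployment check (this script is not part of the Apono documentation or product, and applies equally after the PowerShell steps), the following Python audit confirms that the connector's managed identity holds exactly the two grants from steps 7 and 8 and flags anything broader. It assumes you feed it the parsed JSON from `az role assignment list --assignee $PRINCIPAL_ID --all` and from a GET on the roleAssignments endpoint of step 8 filtered on principalId; the subscription and principal IDs and the sample assignments are constructed.

```python
# Expected grants from steps 7 and 8 above; SUBSCRIPTION_ID and PRINCIPAL_ID are constructed placeholders.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"
EXPECTED_RBAC_ROLE = "User Access Administrator"
EXPECTED_RBAC_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"
DIRECTORY_READERS_ID = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"  # role definition ID used in step 8

def audit_rbac(assignments, principal_id):
    """Findings for Azure RBAC grants; `assignments` is the parsed JSON list from
    `az role assignment list --assignee <principal_id> --all`."""
    findings = []
    mine = [a for a in assignments if a.get("principalId") == principal_id]
    wanted = [a for a in mine if a.get("roleDefinitionName") == EXPECTED_RBAC_ROLE
              and a.get("scope") == EXPECTED_RBAC_SCOPE]
    if not wanted:
        findings.append("missing: User Access Administrator at subscription scope")
    for a in mine:
        if a not in wanted:  # any other role or scope (Owner, Contributor, ...) is over-privilege
            findings.append(f"unexpected: {a.get('roleDefinitionName')} at {a.get('scope')}")
    return findings

def audit_directory_roles(graph_response, principal_id):
    """Findings for Entra directory roles; `graph_response` is the parsed JSON from a GET on
    the roleAssignments endpoint of step 8 with `$filter=principalId eq '<principal_id>'`."""
    findings = []
    mine = [r for r in graph_response.get("value", []) if r.get("principalId") == principal_id]
    if DIRECTORY_READERS_ID not in {r.get("roleDefinitionId") for r in mine}:
        findings.append("missing: Directory Readers")
    for r in mine:
        if r.get("roleDefinitionId") != DIRECTORY_READERS_ID:
            findings.append(f"unexpected directory role {r.get('roleDefinitionId')} at {r.get('directoryScopeId')}")
    return findings

# Constructed sample data in the shape of the two outputs; the RBAC list carries an extra
# Owner grant on a resource group, which the audit should flag.
SAMPLE_RBAC = [
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": EXPECTED_RBAC_ROLE, "scope": EXPECTED_RBAC_SCOPE},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Owner",
     "scope": f"{EXPECTED_RBAC_SCOPE}/resourceGroups/rg-apono"},
]
SAMPLE_GRAPH = {"value": [{"principalId": PRINCIPAL_ID, "roleDefinitionId": DIRECTORY_READERS_ID,
                           "directoryScopeId": "/"}]}

if __name__ == "__main__":
    for finding in audit_rbac(SAMPLE_RBAC, PRINCIPAL_ID) + audit_directory_roles(SAMPLE_GRAPH, PRINCIPAL_ID):
        print(finding)
```

An empty result from both functions means the identity holds only the grants the procedure intended; any "unexpected" line is a grant to remove before the connector goes into service.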




PowerShell | Windows PowerShell

Follow these steps to set up a new connector:

  1. At the shell prompt, set the APONO_CONNECTOR_ID environment variable to apono-connector.

    $APONO_CONNECTOR_ID="apono-connector"
    

  2. Set the APONO_TOKEN environment variable to your account token.

    $APONO_TOKEN="<APONO_TOKEN>"
    

  3. Set the SUBSCRIPTION_ID environment variable to the Azure subscription ID.

    $SUBSCRIPTION_ID="<AZURE_SUBSCRIPTION_ID>"
    

  4. Set the RESOURCE_GROUP_NAME environment variable to the Azure resource group name.

    $RESOURCE_GROUP_NAME="<AZURE_RESOURCE_GROUP_NAME>"
    

  5. Set the REGION environment variable.

    $REGION=$(Get-AzResourceGroup -Name $RESOURCE_GROUP_NAME).Location
    

  6. Run the following commands to deploy the connector on the Azure Container Instance service.

    $port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
    
    $env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $APONO_CONNECTOR_ID
    
    $env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $APONO_TOKEN
    
    $env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"
    
    $jsonValue = @{
        cloud_provider = "AZURE"
        subscription_id = $SUBSCRIPTION_ID
        resource_group = $RESOURCE_GROUP_NAME
        region = $REGION
        is_azure_admin = $true
    } | ConvertTo-Json -Compress
    
    $env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue
    
    $container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.5.3 -Name $APONO_CONNECTOR_ID -Port @($port) -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) -RequestCpu 1 -RequestMemoryInGb 1.5 
    
    $imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" -Username "apono" -Password (ConvertTo-SecureString $APONO_TOKEN -AsPlainText -Force)
    
    $PRINCIPAL_ID=$(New-AzContainerGroup -SubscriptionId $SUBSCRIPTION_ID -ResourceGroupName $RESOURCE_GROUP_NAME -Name $APONO_CONNECTOR_ID -Container $container -OsType Linux -ImageRegistryCredential $imageRegistryCredential -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
    

  7. Add the User Access Administrator role to the connector in the subscription scope.

    New-AzRoleAssignment -ObjectId $PRINCIPAL_ID -ObjectType "ServicePrincipal" -RoleDefinitionName "User Access Administrator" -Scope /subscriptions/$SUBSCRIPTION_ID
    

  8. Add the Directory Readers role to the connector for Azure AD.

    $payload = @{principalId=$PRINCIPAL_ID; roleDefinitionId="88d8e3e3-8f55-4a1e-953a-9b9898b8876b"; directoryScopeId="/"} | ConvertTo-Json -Depth 3
    
    Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload
    

  9. On the Connectors page, verify that the connector has been updated.




Terraform CLI

Follow these steps to set up a new connector:

  1. At the shell prompt, set the APONO_TOKEN environment variable to your account token.

    export APONO_TOKEN=<APONO_TOKEN>
    

  2. Set the RESOURCE_GROUP_NAME environment variable to the Azure resource group name.

    export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
    

  3. Set the SUBNET_ID environment variable to the ID of the Azure subnet the connector should use.

    export SUBNET_ID=[<SUBNET_ID>]
    

  4. In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector with permissions or without permissions:

    • With permissions: Enables installing the connector in the cloud environment and managing access to resources

      module "connector" {
          source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
          aponoToken    = var.apono_token          # declare as a sensitive input variable and supply it from APONO_TOKEN (e.g. via TF_VAR_apono_token)
          resourceGroup = var.resource_group_name  # supplied from RESOURCE_GROUP_NAME
          ipAddressType = "Private"                # or "None"
          subnetIds     = [var.subnet_id]          # supplied from SUBNET_ID
      }
      
    • Without permissions: Installs the connector in the cloud environment but manages access only to non-Azure resources, such as self-hosted databases

      module "connector" {
          source        = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
          aponoToken    = var.apono_token          # declare as a sensitive input variable and supply it from APONO_TOKEN (e.g. via TF_VAR_apono_token)
          resourceGroup = var.resource_group_name  # supplied from RESOURCE_GROUP_NAME
          ipAddressType = "Private"                # or "None"
          subnetIds     = [var.subnet_id]          # supplied from SUBNET_ID
      }
      
      

  5. At the Terraform CLI, download and install the provider plugin and module.

    terraform init
    

  6. Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

    terraform apply
    

  7. Enter yes to confirm deploying the changes to your Azure account.

  8. On the Connectors page, verify that the connector has been deployed.