Apono Connector for Azure

This guide is intended for admins who want to install a Connector in an Azure environment and connect it to Apono in order to automate permissions management in Azure.

Overview

To integrate with Azure and start managing just-in-time (JIT) access to Azure cloud resources, you must first install a connector in your Azure environment.

This can be done by one of the following methods:

  1. Using Terraform
  2. Using Azure CLI


What's a connector? What makes it so secure?

The Apono Connector is an on-prem component that connects your resources to Apono while keeping the Apono web app separated from your environment, for maximal security.

Read more about the recommended Azure Installation Architecture.

How to install the Connector

Using Terraform

Prerequisites

  • Required CLI: terraform
  • Administrator permission on the subscription you want to connect
  • Administrator permissions on AzureAD
  • Azure Container Instances service

Step 1 - Create a Connector

  1. From the Integration Catalog, select Azure
  2. Pick Subscription and then +Add new connector
  3. Pick Terraform (Container Instance)
  4. Copy the Token

Important: before you start, copy the connector's Terraform parameters and export them as environment variables in your terminal.

Step 2 - Install Apono Connector Module

Without permissions

If you would like to install the connector in Azure, but not grant Apono access to read or manage access to Azure resources, use this code:

module "connector" {
    source        = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
    # Declare these three inputs as Terraform variables and supply them from the
    # values you exported, e.g. export TF_VAR_apono_token="$APONO_TOKEN"
    aponoToken    = var.apono_token
    resourceGroup = var.azure_resource_group
    ipAddressType = "Private"       # or "None"
    subnetIds     = [var.subnet_id]
}

With permissions

If you would like to install the connector in Azure and grant Apono access to read and manage access to Azure resources, use this code:

module "connector" {
    source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
    # Declare these three inputs as Terraform variables and supply them from the
    # values you exported, e.g. export TF_VAR_apono_token="$APONO_TOKEN"
    aponoToken    = var.apono_token
    resourceGroup = var.azure_resource_group
    ipAddressType = "Private"       # or "None"
    subnetIds     = [var.subnet_id]
}

Run terraform init to validate that the configuration works.
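The module blocks above take the token and the ipAddressType choice as hand-edited values. As an added example (not part of Apono's module or documentation), the variables.tf below declares those inputs, marks the token sensitive so it is redacted from plan and apply output, and rejects any ipAddressType other than "Private" or "None" before anything is deployed. The variable names are this example's own choice; the values are supplied through TF_VAR_<name> environment variables.

```hcl
# Added example: input variables for the Apono connector module call.
# Supply values from the terminal, e.g. (constructed placeholders):
#   export TF_VAR_apono_token="<token copied in Step 1>"
#   export TF_VAR_azure_resource_group="<resource group name>"
#   export TF_VAR_subnet_id="<subnet resource id>"
#   export TF_VAR_ip_address_type="Private"

variable "apono_token" {
  description = "Connector token copied from the Apono Integration Catalog"
  type        = string
  # Redacted in plan/apply output. It is still written to state in clear
  # text, so keep the state backend access-controlled and encrypted.
  sensitive = true
}

variable "azure_resource_group" {
  description = "Resource group that will host the connector container"
  type        = string
}

variable "subnet_id" {
  description = "Resource ID of the subnet the connector is attached to"
  type        = string
}

variable "ip_address_type" {
  description = "Connector IP address type: \"Private\" or \"None\""
  type        = string

  # Fail at plan time instead of after a partial deployment.
  validation {
    condition     = contains(["Private", "None"], var.ip_address_type)
    error_message = "The ipAddressType value must be \"Private\" or \"None\"."
  }
}

# Same module call as the with-permissions block above, fed from the
# validated variables instead of hand-edited placeholders.
module "connector" {
  source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
  aponoToken    = var.apono_token
  resourceGroup = var.azure_resource_group
  ipAddressType = var.ip_address_type
  subnetIds     = [var.subnet_id]
}
```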

Validate the Connector is Connected

You can validate that the Connector is installed in the Connector status page.

Results

In the Apono app, you will see the connector was found and a green checkmark indication.


You can now integrate an Azure Subscription.

Using Azure CLI

Prerequisites

  • Required CLI: azure-cli
  • Administrator permission on the subscription you want to connect
  • Administrator permissions on AzureAD

Step 1 - Create a Connector

  1. From the Integration Catalog, select Azure
  2. Pick Subscription and then +Add new connector
  3. Pick CLI (Container Instance)
  4. Copy the Token

Step 2 - Install Apono Connector Module

  1. Fill in and export the following environment variables:
export APONO_CONNECTOR_ID=apono-connector
export APONO_TOKEN=            # token copied in Step 1

export SUBSCRIPTION_ID=        # subscription that will host the connector
export RESOURCE_GROUP_NAME=    # existing resource group in that subscription

export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
  2. Run the following command to deploy the connector on the Azure Container Instance service:
# The token is passed as a plain environment variable here, so it is visible in
# `az container show` output; az also supports --secure-environment-variables
# for values that should not be readable that way.
export PRINCIPAL_ID=$(az container create \
  --subscription $SUBSCRIPTION_ID \
  --resource-group $RESOURCE_GROUP_NAME \
  --name $APONO_CONNECTOR_ID \
  --ports 80 \
  --os-type linux \
  --image registry.apono.io/apono-connector:<<connectorVersion>> \
  --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' \
  --cpu 1 --memory 1.5 \
  --registry-login-server registry.apono.io \
  --registry-username apono \
  --registry-password $APONO_TOKEN \
  --location $REGION \
  --assign-identity \
  --query identity.principalId --output tsv)

Note: if you would like to install the connector in Azure but not grant Apono access to read or manage access to Azure resources, stop here and skip steps 3 and 4.

  3. Add the "User Access Administrator" role to the connector's managed identity at the subscription scope:
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID
  4. Add the "Directory Readers" role to the connector's managed identity in Azure AD:
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'

Validate the Connector is Connected

You can validate that the Connector is installed in the Connector status page.

Results

In the Apono app, you will see the connector was found and a green checkmark indication.


You can now integrate an Azure Subscription.