Cloud Network Security Azure Onboarding Script
This Azure shell script automates the onboarding of a resource (a Subscription, Management Group, or Tenant) into ACE.
1. Initialize APP ID
APP_ID='<ALGOSEC_ONBOARDING_APP_ID>'
CF_ONBOARDING_URL='https://<HOST>/cloudflow/api/admin/v1/onboarding/azure'
TOKEN='<ONBOARDING_TOKEN>'
TARGET_RESOURCE='<AZURE_TARGET_RESOURCE>'
Purpose:
The script starts by defining several variables:
- APP_ID: the ID of the AlgoSec onboarding application
- CF_ONBOARDING_URL: the URL of AlgoSec's onboarding API
- TOKEN: an authentication token for the API
- TARGET_RESOURCE: the Azure resource (scope) to be onboarded
2. Retrieve Azure Tenant ID
out=$(az account show)
az_tenant=$(echo "$out" | jq -r '.tenantId')
Purpose: The script uses the Azure CLI to read the currently signed-in account and extracts its tenant ID with jq.
3. Echo Information about the Target Resource
echo "Preparing to onboard the target resource [$TARGET_RESOURCE] of the Azure tenant ID [$az_tenant]"
Purpose: Provides information about the target resource being onboarded, along with the Azure tenant ID, for logging purposes.
4. Retrieve Existing Service Principal
# Check the exit status of the az call itself; after a pipeline, $? would only reflect jq.
sp_list=$(az ad sp list --filter "appId eq '$APP_ID'")
if [ $? -ne 0 ]; then
  echo "ERROR: User does not have permission to view service principals"
  exit 1
fi
sp=$(echo "$sp_list" | jq length)
Purpose: The script counts the service principals whose appId matches the AlgoSec Azure AD application, so it knows whether one already exists in this tenant. If the user lacks permission to list service principals, it exits with an error.
5. Create Service Principal
if [ "$sp" -eq 0 ]; then
  echo "Service Principal not found"
  out=$(az ad sp create --id "$APP_ID")
  if [ $? -ne 0 ]; then
    echo "ERROR: Failed to create service principal"
    exit 1
  fi
  echo "Service Principal created successfully"
else
  echo "Service Principal found"
fi
Purpose:
The script checks whether a service principal already exists for the AlgoSec Azure AD application:
- If the user doesn't have permission to view service principals, the script exits with an error.
- If the service principal doesn't exist, it creates one using the Azure CLI.
6. Initialize Roles
roles=(<AZURE_ROLES>)
Purpose: Initializes the list of roles to assign, according to the access level selected during onboarding (Read or Read/Write).
7. Assign Roles to Target Resource
for role in "${roles[@]}"; do
  echo "Assign a role to the [$TARGET_RESOURCE]: [$role]"
  out=$(az role assignment create --role "$role" --assignee "$APP_ID" --scope "$TARGET_RESOURCE")
  if [ $? -ne 0 ]; then
    echo "ERROR: The target resource [$TARGET_RESOURCE] wasn't found or the user has no permission to work with it"
    echo "The onboarding process has failed — please ensure you have the required permissions"
    exit 1
  fi
done
Purpose:
The script then assigns roles to the target resource:
- It loops through a predefined array of roles (e.g., 'Reader', 'Storage Account Contributor', 'Network Contributor', 'Contributor').
- For each role, it uses the Azure CLI to assign the role to the service principal at the scope of the target resource.
- If a role assignment fails (e.g., resource not found or lack of permissions), the script exits with an error.
8. Onboarding Call
response=$(curl -X POST "$CF_ONBOARDING_URL" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "Authorization: $TOKEN" \
  --silent \
  -d "{ \"azure_tenant\": \"$az_tenant\", \"supportChanges\": \"<supportChanges>\", \"event\": { \"RequestType\": \"Create\" } }")
Purpose: Makes a POST request to CF_ONBOARDING_URL with the Azure tenant ID, the supportChanges selection, and a "Create" request event.
9. Response Handling
status=$(echo "$response" | jq -r '.initialOnboardResult.status')
message=$(echo "$response" | jq -r '.initialOnboardResult.message')
if [ "$status" = "200" ]; then
  echo "The onboarding process is finished: $message"
  echo "Press CTRL+D to close the terminal session"
else
  echo "ERROR: The onboarding process has failed: $message"
fi
Purpose:
Finally, the script processes the API response:
- It extracts the status and message from the initialOnboardResult object.
- If the status is 200, it prints a success message.
- If the status is not 200, it prints an error message.
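The role loop in step 7 only reports "wasn't found or the user has no permission" after the first failed az call, whatever the cause. As an added example (not part of the onboarding script), the POSIX shell helper below checks that TARGET_RESOURCE is one of the three scope kinds the script supports before any role is assigned; the scope formats are standard Azure RBAC scopes, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: validate the onboarding scope up front so a typo cannot
# assign roles at an unintended scope or fail midway through the role loop.
#
# Azure RBAC scope formats:
#   tenant root group   /
#   management group    /providers/Microsoft.Management/managementGroups/<name>
#   subscription        /subscriptions/<guid>

# Prints the scope kind (tenant|management_group|subscription) and returns 0;
# prints nothing and returns 1 for anything else.
scope_kind() {
  scope=$1
  case "$scope" in
    /)
      echo tenant ;;
    /providers/Microsoft.Management/managementGroups/?*)
      name=${scope#/providers/Microsoft.Management/managementGroups/}
      # A management group name has no further path components.
      case "$name" in */*) return 1 ;; esac
      echo management_group ;;
    /subscriptions/?*)
      sub=${scope#/subscriptions/}
      # Subscription IDs are GUIDs; anything longer (e.g. a resource group path)
      # would scope the roles narrower than the onboarding expects.
      if printf '%s\n' "$sub" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo subscription
      else
        return 1
      fi ;;
    *)
      return 1 ;;
  esac
}

# Gate to run before the role loop: fail early with a specific message.
require_valid_scope() {
  kind=$(scope_kind "$1") || {
    echo "ERROR: [$1] is not a tenant root, management group or subscription scope" >&2
    return 1
  }
  echo "Onboarding scope kind: $kind"
}

# Constructed sample values (not real identifiers).
require_valid_scope "/subscriptions/00000000-0000-0000-0000-000000000000"
require_valid_scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1" || true
```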