Terraform for Azure Resource Manager
With our Terraform for Azure Resource Manager integration, you can collect evidence of your Azure configurations directly from your cloud infrastructure. Terraform integrations are a flexible, low-code solution that allow you to customize what evidence is collected from your cloud systems. Read more about our Terraform integrations.
Types of evidence you might collect with Terraform for Azure
There are many different types of evidence that you can collect from Azure Resource Manager (AzureRM). The flexibility of this integration is limited only by the data sources supported by Terraform's AzureRM provider.
Important note: You do not need to use Terraform in your tech stack in order to use Terraform for Azure Resource Manager to collect evidence.
Here is a short, non-exhaustive list of some of the possible evidence you may collect from Terraform for AzureRM:
Storage Blob data
Subscription information
Azure database information
Data about Azure VPN gateways
Data about an Azure Firewall
Follow the instructions on this page to get started collecting evidence from AzureRM using Terraform.
Configuring Terraform for Azure Resource Manager
To configure the Terraform integration with AzureRM, you (or someone in your organization) will need access and permissions to configure a new Azure Service Principal.
Get started by navigating to the Integration Manager in Strike Graph and opening the Terraform for Azure Resource Manager integration. Note: if you do not see this integration listed, it may not be available for your organization or role yet; reach out to customer success to inquire.
Click on the “+ Connect” button to begin configuring a new integration.
Next, in your Azure Portal, configure a new service principal within your Azure account that Strike Graph can use to collect evidence from your Azure systems. Alternatively, you can create a Service Principal using the Azure CLI. Instructions for creating a service principal via either the portal or CLI can be found here. The service principal that you create should have “Reader” access to the Azure subscription from which you want to collect evidence.
Remember: For proper security, only assign the “Reader” role to your service principal when connecting it with your Azure subscription id, as that is all that is required for evidence collection. More information about Azure roles can be found here.
Setting up your Azure Service Principal
We authenticate to Azure Resource Manager using a Service Principal with a Client Secret.
A service principal is a security identity used to access specific Azure data sources. You can think of it as a login identity (similar to a username/password) that has access to resources in a particular Azure tenant. Roles can be assigned to a service principal (for example a service principal can be given “read” access to data in a certain Azure subscription).
Each service principal has a Client ID (appID), Client Secret (password) and Tenant ID.
For more information about service principals, see Microsoft’s documentation.
When setting up an integration with Azure RM, you will need to provide service principal credentials in addition to a Subscription ID.
You will need to grant the service principal “Reader” access to the subscription id that you are providing; you can do this by following the steps to create a service principal outlined here.
For the AzureRM integration, we only support unique combinations of client_id/tenant_id/subscription_id.
Note that while it is possible to create multiple client secrets in Azure for the same client_id/tenant/subscription, we don't support that, since it would be considered a duplicate integration.
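The page's own procedure creates the service principal through the Azure portal or the Azure CLI. As an added example that is not part of the original page, the following Terraform configuration provisions the same thing with the least privilege the integration needs: a dedicated application and service principal, one client secret, and a single "Reader" role assignment scoped to the target subscription. It assumes the hashicorp/azuread provider v3 (which names the service principal argument `client_id` and takes the application resource id in `azuread_application_password.application_id`) and azurerm v4; the display name, variable name and secret lifetime are placeholders chosen for illustration.

```hcl
# Added example (not from the Strike Graph page). Assumes azuread ~> 3.0 and
# azurerm ~> 4.0; the subscription id is supplied as a variable.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
  }
}

variable "subscription_id" {
  type        = string
  description = "Subscription the evidence will be collected from (placeholder value supplied at apply time)"
}

provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
}

provider "azuread" {}

# Resolve the subscription so its resource id and tenant id can be reused below.
data "azurerm_subscription" "target" {}

# A dedicated application/service principal used only by the evidence integration,
# so its single credential can be revoked without touching anything else.
resource "azuread_application" "evidence_collector" {
  display_name = "strikegraph-evidence-collector" # placeholder name
}

resource "azuread_service_principal" "evidence_collector" {
  client_id = azuread_application.evidence_collector.client_id
}

# One client secret, with an explicit lifetime so rotation is forced.
# The page notes that multiple secrets for the same client_id/tenant/subscription
# are treated as a duplicate integration, so exactly one is created.
resource "azuread_application_password" "evidence_collector" {
  application_id    = azuread_application.evidence_collector.id
  end_date_relative = "4320h" # 180 days; placeholder rotation interval
}

# Least privilege: "Reader" at subscription scope is all evidence collection needs.
# Nothing here grants Contributor, Owner or any data-plane role.
resource "azurerm_role_assignment" "reader_only" {
  scope                = data.azurerm_subscription.target.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.evidence_collector.object_id
}

# These outputs map directly onto the integration form fields.
output "azure_tenant_id" {
  value = data.azurerm_subscription.target.tenant_id
}

output "azure_client_id" {
  value = azuread_application.evidence_collector.client_id
}

output "azure_client_secret" {
  value     = azuread_application_password.evidence_collector.value
  sensitive = true
}
```

After `terraform apply`, the three outputs (plus the subscription id you passed in) are the values entered into the Tenant ID, Client ID, Client Secret and Subscription ID fields. Keeping the role assignment in code makes it easy to verify later that the identity still holds only "Reader": any drift to a broader role shows up in the next plan.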
Configuring the integration in Strike Graph
Back in the Strike Graph interface, enter your service principal credentials into the matching fields:
For the Display Name field, choose any unique name you want, probably something that helps you remember which set of credentials you are using.
For the Azure Subscription ID field, use the subscription_id to which you gave your service principal “Reader” access.
For the Azure Tenant ID field, use your service principal tenant.
For the Azure Client ID field, use your service principal appId.
For the Azure Client Secret field, use your service principal password.
Click the “Save” button to finalize the configuration of the integration.
Using Terraform for Azure Resource Manager to collect evidence
Once you have configured a Terraform for Azure Resource Manager integration, you can begin using it to collect evidence of your Azure resources and infrastructure.
Start by navigating in Strike Graph to the item that you want to collect evidence for. You can choose to attach evidence directly for one-time evidence collection, or configure automated collection (recommended).
Click on one of the options, and then select the Terraform for Azure Resource Manager integration from the list of available integrations. If you have configured multiple Terraform integrations, make sure you select the one with the right permissions for the evidence that you plan to collect.
Define the data to collect
Terraform integrations allow you to use a few lines of code to define what data you would like to collect as evidence. These are called “data blocks” and more information about data blocks and local values can be found on the Terraform overview page.
With Terraform for Azure Resource Manager, you can collect evidence from almost any AzureRM resource that you use in your cloud environments. There is a list of which data sources may be available at the bottom of this page, as well as on the Terraform AzureRM provider page (data sources are listed under the sections on the left side of the page).
Step 1: Define the data block. Data blocks are extensible, but follow a typical pattern:
data_source: this defines which AzureRM resource we should read from. Terraform for Azure Resource Manager supports data collection from any resource with a supported data source from Terraform's AzureRM provider (see below for a list).
temp_name: this is a temporary name you define and is used to refer to this data block during execution. It only has labeling significance within the scope of this configuration. The temp name is used in the output's filename, so it's recommended that you name it with something recognizable. Names can be repeated across configurations, are limited to alphanumeric characters, and do not allow spaces.
query constraints / arguments – Many data sources require specific argument(s) to be included (like the name of the resource you're pulling data from), or provide methods for constraining the data based on specific queries so that you can tailor the output. These are written as key/value pairs and can include multiple arguments as accepted by the data source. Refer to the specific data source requirements in the Terraform AzureRM provider documentation.
Step 2: Define the local values used for the execution. This also follows a typical pattern that is derived from the data block: data.data_source.temp_name (sometimes followed by an attribute key, such as “metadata”, to select only part of the data source's output).
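The two steps above, worked through as an added example that is not from the original page: three data blocks using different kinds of query constraints, followed by the local values that reference them with the data.data_source.temp_name pattern. The storage account, network security group and resource group names are placeholders; the temp names are kept purely alphanumeric, as the page requires.

```hcl
# Added example (not from the Strike Graph page). Resource names, the resource
# group and the temp names are placeholders chosen for illustration.

# Data block 1: the subscription itself. azurerm_subscription takes no arguments
# and reads the subscription the service principal has "Reader" on.
data "azurerm_subscription" "currentsub" {}

# Data block 2: a storage account. This data source requires both `name` and
# `resource_group_name` as query constraints; omitting either fails the run.
data "azurerm_storage_account" "prodstorage" {
  name                = "stprodevidence01" # placeholder
  resource_group_name = "rg-prod"          # placeholder
}

# Data block 3: a network security group. Its exported `security_rule` list is
# the inbound/outbound rule set an auditor typically wants to review.
data "azurerm_network_security_group" "webnsg" {
  name                = "nsg-web" # placeholder
  resource_group_name = "rg-prod" # placeholder
}

# Step 2: local values, one per attachment, each of the form
# data.<data_source>.<temp_name>. The first two capture the whole data source
# output; the third appends an attribute key so only the rule list is attached.
locals {
  subscription_details   = data.azurerm_subscription.currentsub
  storage_account_config = data.azurerm_storage_account.prodstorage
  nsg_rules              = data.azurerm_network_security_group.webnsg.security_rule
}
```

Each temp name becomes part of the output filename, so names like prodstorage and webnsg make the resulting attachments recognisable in the evidence list without opening them.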
Run the data collection
After you have defined the data block and local values, click the "Attach" button to execute the data collection. This may take a few minutes as we set up the data pipeline to collect the attachment.
Once the collection is finished, the attachment modal will close and you can see the collected data has been added to the evidence. You can confirm what was collected by clicking on the attachment to view the data.
Using Terraform for Azure Resource Manager with Automated Collection
It is highly recommended that you configure your evidence collection with automated collection. With Automated Collection, Strike Graph can recollect evidence attachments from Azure Resource Manager a few days before expiration so that your evidence remains in an effective 'audit ready' state.
To configure your evidence with Automated Collection, follow the steps above after clicking on the "Automated Collection" button found on the evidence item detail pages. Additional information about Automated Collection is available here.
Removing your Terraform for Azure Resource Manager integration
You can remove the integration at any time. Please note that removing an integration does not delete any files that were attached using that integration. Removing an integration will also disrupt automated collection.
To remove:
Go to the Integrations Manager and click on the Terraform for Azure Resource Manager card to access the integration configurations.
Click the "Deactivate" button next to your configuration.
Note: You may have access to remove integrations for other users on your team.
If you are fully removing access between Strike Graph and your Azure system, you may also wish to delete the service principal that you set up during configuration from the Azure portal. Before deleting, verify that you are not using this service principal for other purposes.
Troubleshooting
For additional Terraform troubleshooting tips, click here.
Terraform integrations will return an error if we were unable to execute the collection request. The errors returned will be different depending on which step of the collection failed.
Errors when setting up an integration
If you receive an error while setting up an integration, check if there is a specific error message at the top of the form. If one or more of your service principal fields are invalid, this message should tell you which field(s) to double check. If you have multiple invalid fields, the error message will update with the next invalid field each time that you correct and submit the form.
General formatting errors
If the message returned is pretty generic (like "Something went wrong") it may be a formatting issue. Check that your temp_name is formatted correctly (no spaces, only alphanumeric characters) and that there are not any other unexpected characters or formatting issues in the data block or local values.
Check permissions
If it is a permissions error, ensure that you have given your service principal the necessary “Reader” role to access your subscription.
Confirm the data_source requirements
Check that the resource you defined in the data_source is available from the AzureRM Terraform provider, and ensure that you have included any required query constraints / arguments.
Confirm the local values
Confirm that the local values are formatted correctly. Typically, the local value should start with "data" (as described above) and include the data_source and temp_name. Check that the data_source and temp_name values are the same between the data block and local values.
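The troubleshooting checks above, shown side by side on a deliberately broken configuration and its corrected form. This is an added example, not from the original page; the Key Vault and resource group names are placeholders.

```hcl
# Added example (not from the Strike Graph page). Names are placeholders.

# BEFORE: this configuration fails several of the checks listed above, and is
# kept in comments so the file still parses.
#
#   data "azurerm_key_vault" "prod kv" {       # temp_name contains a space
#     name = "kv-prod-01"                      # resource_group_name is a required
#   }                                          # argument for this data source and is missing
#
#   locals {
#     keyvault = data.azurerm_keyvault.prodkv  # data_source misspelled (azurerm_keyvault),
#   }                                          # temp_name does not match the data block

# AFTER: temp_name is alphanumeric, every required argument is present, and the
# local value repeats the exact data_source and temp_name used in the data block.
data "azurerm_key_vault" "prodkv" {
  name                = "kv-prod-01" # placeholder
  resource_group_name = "rg-prod"    # placeholder
}

locals {
  keyvault_config = data.azurerm_key_vault.prodkv

  # Optional: narrow the attachment to one attribute key, here the purge
  # protection setting an auditor checks on a Key Vault.
  keyvault_purge_protection = data.azurerm_key_vault.prodkv.purge_protection_enabled
}
```

A quick way to apply the last check is to copy the two quoted labels from the data block header and paste them, joined by dots after "data.", into the local value; any difference in spelling or case between the two is a formatting error rather than a permissions problem.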
The long list of supported Azure Resource Manager data sources
The following list is a snapshot of supported data sources from the AzureRM Terraform provider. For up to date support and specific data source requirements, visit the Terraform documentation.
AAD B2C
azurerm_aadb2c_directory
API Management
azurerm_api_management
azurerm_api_management_api
azurerm_api_management_api_version_set
azurerm_api_management_gateway
azurerm_api_management_group
azurerm_api_management_product
azurerm_api_management_user
Active Directory Domain Services
azurerm_active_directory_domain_service
Advisor
azurerm_advisor_recommendations
App Configuration
azurerm_app_configuration
azurerm_app_configuration_key
azurerm_app_configuration_keys
App Service (Web Apps)
azurerm_app_service
azurerm_app_service_certificate
azurerm_app_service_certificate_order
azurerm_app_service_environment
azurerm_app_service_environment_v3
azurerm_app_service_plan
azurerm_function_app
azurerm_function_app_host_keys
azurerm_linux_function_app
azurerm_linux_web_app
azurerm_service_plan
azurerm_source_control_token
azurerm_windows_function_app
azurerm_windows_web_app
Application Insights
azurerm_application_insights
Attestation
azurerm_attestation
Authorization
azurerm_role_definition
azurerm_user_assigned_identity
Automation
azurerm_automation_account
azurerm_automation_variable_bool
azurerm_automation_variable_datetime
azurerm_automation_variable_int
azurerm_automation_variable_string
Base
azurerm_client_config
azurerm_extended_locations
azurerm_resource_group
azurerm_resources
azurerm_subscription
azurerm_subscriptions
Batch
azurerm_batch_account
azurerm_batch_application
azurerm_batch_certificate
azurerm_batch_pool
Billing
azurerm_billing_enrollment_account_scope
azurerm_billing_mca_account_scope
azurerm_billing_mpa_account_scope
Blueprints
azurerm_blueprint_definition
azurerm_blueprint_published_version
CDN
azurerm_cdn_frontdoor_endpoint
azurerm_cdn_frontdoor_origin_group
azurerm_cdn_frontdoor_profile
azurerm_cdn_frontdoor_rule_set
azurerm_cdn_profile
Cognitive Services
azurerm_cognitive_account
Compute
azurerm_availability_set
azurerm_dedicated_host
azurerm_dedicated_host_group
azurerm_disk_access
azurerm_disk_encryption_set
azurerm_image
azurerm_images
azurerm_managed_disk
azurerm_platform_image
azurerm_proximity_placement_group
azurerm_shared_image
azurerm_shared_image_gallery
azurerm_shared_image_version
azurerm_shared_image_versions
azurerm_snapshot
azurerm_ssh_public_key
azurerm_virtual_machine
azurerm_virtual_machine_scale_set
Confidential Ledger
azurerm_confidential_ledger
Connections
azurerm_managed_api
Consumption
azurerm_consumption_budget_resource_group
azurerm_consumption_budget_subscription
Container
azurerm_container_group
azurerm_container_registry
azurerm_container_registry_scope_map
azurerm_container_registry_token
azurerm_kubernetes_cluster
azurerm_kubernetes_cluster_node_pool
azurerm_kubernetes_service_versions
CosmosDB (DocumentDB)
azurerm_cosmosdb_account
azurerm_cosmosdb_mongo_database
azurerm_cosmosdb_restorable_database_accounts
DNS
azurerm_dns_a_record
azurerm_dns_aaaa_record
azurerm_dns_caa_record
azurerm_dns_cname_record
azurerm_dns_mx_record
azurerm_dns_ns_record
azurerm_dns_ptr_record
azurerm_dns_soa_record
azurerm_dns_srv_record
azurerm_dns_txt_record
azurerm_dns_zone
Data Explorer
azurerm_kusto_cluster
azurerm_kusto_database
Data Factory
azurerm_data_factory
Data Share
azurerm_data_share
azurerm_data_share_account
azurerm_data_share_dataset_blob_storage
azurerm_data_share_dataset_data_lake_gen2
azurerm_data_share_dataset_kusto_cluster
azurerm_data_share_dataset_kusto_database
DataProtection
azurerm_data_protection_backup_vault
Database
azurerm_mariadb_server
azurerm_mssql_database
azurerm_mssql_elasticpool
azurerm_mssql_managed_instance
azurerm_mssql_server
azurerm_mysql_flexible_server
azurerm_mysql_server
azurerm_postgresql_flexible_server
azurerm_postgresql_server
azurerm_sql_database
azurerm_sql_managed_instance
azurerm_sql_server
Database Migration
azurerm_database_migration_project
azurerm_database_migration_service
Databricks
azurerm_databricks_workspace
azurerm_databricks_workspace_private_endpoint_connection
Dev Test
azurerm_dev_test_lab
azurerm_dev_test_virtual_network
Digital Twins
azurerm_digital_twins_instance
Elastic
azurerm_elastic_cloud_elasticsearch
HDInsight
azurerm_hdinsight_cluster
Healthcare
azurerm_healthcare_dicom
azurerm_healthcare_fhir_service
azurerm_healthcare_medtech_service
azurerm_healthcare_service
azurerm_healthcare_workspace
IoT Hub
azurerm_iothub
azurerm_iothub_dps
azurerm_iothub_dps_shared_access_policy
azurerm_iothub_shared_access_policy
Key Vault
azurerm_key_vault
azurerm_key_vault_access_policy
azurerm_key_vault_certificate
azurerm_key_vault_certificate_data
azurerm_key_vault_certificate_issuer
azurerm_key_vault_encrypted_value
azurerm_key_vault_key
azurerm_key_vault_managed_hardware_security_module
azurerm_key_vault_secret
azurerm_key_vault_secrets
Load Balancer
azurerm_lb
azurerm_lb_backend_address_pool
azurerm_lb_rule
Log Analytics
azurerm_log_analytics_workspace
Logic App
azurerm_logic_app_integration_account
azurerm_logic_app_standard
azurerm_logic_app_workflow
Machine Learning
azurerm_machine_learning_workspace
Maintenance
azurerm_maintenance_configuration
azurerm_public_maintenance_configurations
Managed Applications
azurerm_managed_application_definition
Management
azurerm_management_group
Maps
azurerm_maps_account
Messaging
azurerm_eventgrid_domain
azurerm_eventgrid_domain_topic
azurerm_eventgrid_system_topic
azurerm_eventgrid_topic
azurerm_eventhub
azurerm_eventhub_authorization_rule
azurerm_eventhub_cluster
azurerm_eventhub_consumer_group
azurerm_eventhub_namespace
azurerm_eventhub_namespace_authorization_rule
azurerm_notification_hub
azurerm_notification_hub_namespace
azurerm_servicebus_namespace
azurerm_servicebus_namespace_authorization_rule
azurerm_servicebus_queue
azurerm_servicebus_queue_authorization_rule
azurerm_servicebus_subscription
azurerm_servicebus_topic
azurerm_servicebus_topic_authorization_rule
azurerm_signalr_service
Mixed Reality
azurerm_spatial_anchors_account
Monitor
azurerm_monitor_action_group
azurerm_monitor_data_collection_endpoint
azurerm_monitor_diagnostic_categories
azurerm_monitor_log_profile
azurerm_monitor_scheduled_query_rules_alert
azurerm_monitor_scheduled_query_rules_log
NetApp
azurerm_netapp_account
azurerm_netapp_pool
azurerm_netapp_snapshot
azurerm_netapp_snapshot_policy
azurerm_netapp_volume
Network
azurerm_application_gateway
azurerm_application_security_group
azurerm_express_route_circuit
azurerm_firewall
azurerm_firewall_policy
azurerm_ip_group
azurerm_local_network_gateway
azurerm_nat_gateway
azurerm_network_ddos_protection_plan
azurerm_network_interface
azurerm_network_security_group
azurerm_network_service_tags
azurerm_network_watcher
azurerm_private_endpoint_connection
azurerm_private_link_service
azurerm_private_link_service_endpoint_connections
azurerm_public_ip
azurerm_public_ip_prefix
azurerm_public_ips
azurerm_route_filter
azurerm_route_table
azurerm_subnet
azurerm_traffic_manager_geographical_location
azurerm_traffic_manager_profile
azurerm_virtual_hub
azurerm_virtual_network
azurerm_virtual_network_gateway
azurerm_virtual_network_gateway_connection
azurerm_virtual_wan
azurerm_vpn_gateway
azurerm_web_application_firewall_policy
Policy
azurerm_policy_assignment
azurerm_policy_definition
azurerm_policy_set_definition
azurerm_policy_virtual_machine_configuration_assignment
Portal
azurerm_portal_dashboard
Private DNS
azurerm_private_dns_a_record
azurerm_private_dns_aaaa_record
azurerm_private_dns_cname_record
azurerm_private_dns_mx_record
azurerm_private_dns_ptr_record
azurerm_private_dns_soa_record
azurerm_private_dns_srv_record
azurerm_private_dns_txt_record
azurerm_private_dns_zone
Recovery Services
azurerm_backup_policy_file_share
azurerm_backup_policy_vm
azurerm_recovery_services_vault
azurerm_site_recovery_fabric
azurerm_site_recovery_protection_container
azurerm_site_recovery_replication_policy
Redis
azurerm_redis_cache
Redis Enterprise
azurerm_redis_enterprise_database
Search
azurerm_search_service
Sentinel
azurerm_sentinel_alert_rule
azurerm_sentinel_alert_rule_template
Spring Cloud
azurerm_spring_cloud_app
azurerm_spring_cloud_service
Storage
azurerm_storage_account
azurerm_storage_account_blob_container_sas
azurerm_storage_account_sas
azurerm_storage_blob
azurerm_storage_container
azurerm_storage_encryption_scope
azurerm_storage_management_policy
azurerm_storage_share
azurerm_storage_sync
azurerm_storage_sync_group
azurerm_storage_table_entity
Stream Analytics
azurerm_stream_analytics_job
Synapse
azurerm_synapse_workspace
Template
azurerm_management_group_template_deployment
azurerm_resource_group_template_deployment
azurerm_subscription_template_deployment
azurerm_template_spec_version
azurerm_tenant_template_deployment
VMware (AVS)
azurerm_vmware_private_cloud
Web PubSub
azurerm_web_pubsub
azurerm_web_pubsub_private_link_resource
Questions?
Reach out through our chat feature for real-time Customer Success support 8 am - 5 pm PT Monday through Friday.