|
| 1 | +# cgns_onboarding_azure.sh |
| 2 | + |
| 3 | + |
| 4 | +This script automates onboarding of Azure accounts for the CloudGuard Network Security (CGNS) SaaS application. |
| 5 | + |
| 6 | +## Prerequisites |
| 7 | + |
| 8 | +- Sufficient Azure permissions (Owner permission over the selected subscription or management group for assigning ARM access role and Global Administrator role for creating new Azure application). |
| 9 | + |
| 10 | +## Overview |
| 11 | + |
| 12 | +This script supports onboarding at both the subscription or management group level supporting two modes: |
| 13 | + |
| 14 | +- **Customer-managed (single-tenant):** You create and own a dedicated Azure application and service principal within your tenant. |
| 15 | +- **CloudGuard-managed (multi-tenant):** You use a pre-existing CloudGuard-managed Azure application. CloudGuard owns and manages the app registration, while you only assign its service principal to your Azure resources. |
| 16 | + |
| 17 | + |
| 18 | +For customer-managed (single-tenant) onboarding, the script performs the following steps: |
| 19 | +- **Azure Application Registration:** Creates a dedicated Azure application for the customer’s tenant. |
| 20 | +- **Service Principal Creation:** Registers a service principal for the newly created application, enabling programmatic access to Azure resources. |
| 21 | +- **Role Assignment:** Assigns the necessary Azure roles (such as `Reader` or `Contributor`) to the service principal at the subscription or management group level to ensure CGNS can operate as required. |
| 22 | +- **Resource Cleanup (optional, using `--clean` flag):** Removes the application, service principal, and associated role assignments to fully clean up the integration if requested. |
| 23 | + > **Note:** When using the `--clean` option, you must also provide the `--app_name`, `--scope`, and the relevant `--subscription_id` or `--management_group_id` to ensure proper identification and removal of resources. |
| 24 | +
|
| 25 | +For CloudGuard-managed (multi-tenant) onboarding, the script performs the following steps: |
| 26 | +- **Service Principal Assignment:** Assigns a service principal for the pre-existing CloudGuard-managed Azure application to the customer’s subscription or management group. |
| 27 | +- **Role Assignment:** Ensures the service principal has the required permissions by assigning appropriate roles. |
| 28 | +- **Resource Cleanup (optional, using `--clean` flag):** Removes the service principal assignment and revokes permissions when offboarding. |
| 29 | + |
| 30 | +## Features |
| 31 | + |
| 32 | +### Script Support |
| 33 | + |
| 34 | +- Onboarding at both Subscription and Management Group scopes. |
| 35 | +- Single-tenant (customer-managed) and multi-tenant (CloudGuard-managed) app registrations. |
| 36 | +- Dry-run and quiet modes. |
| 37 | + |
| 38 | +### Script Actions |
| 39 | + |
| 40 | +- Assigns required Azure roles (`Reader`, `Contributor`, `User Access Administrator`). |
| 41 | +- Validates user permissions before making changes. |
| 42 | +- Optional clean up (delete) of created resources. |
| 43 | + |
| 44 | +## Usage |
| 45 | + |
| 46 | +```sh |
| 47 | +./cgns_onboarding_azure.sh [OPTIONS] |
| 48 | +``` |
| 49 | + |
| 50 | +### Options |
| 51 | + |
| 52 | +- `--scope` **[required]**: Specifies the onboarding scope. Can be either `subscription` or `management-group`. |
| 53 | +- `--subscription_id` **[required for subscription scope]**: Azure Subscription ID. |
| 54 | +- `--management_group_id` **[required for management-group scope]**: Azure Management Group ID. |
| 55 | +- `--onboarding_mode` **[required]**: Onboarding mode for CloudGuard_CGNS. Can be either `read-only`assigns 'Reader' role or `manage` assigns 'Contributor' and 'User Access Administrator'. |
| 56 | +- `--multi_tenant_app_id` **[required for CloudGuard-managed (multi-tenant) mode]**: CloudGuard_CGNS Azure application ID (for CloudGuard-managed application). |
| 57 | +- `--single_tenant_app_mode` **[required for customer-managed (single-tenant) mode]**: Use customer-managed Azure application registration. |
| 58 | +- `--app_name` **[required with --single_tenant_app_mode]**: Name for the Azure AD application. |
| 59 | +- `--dry_run` **[optional]**: Run in dry-run mode (no changes will be made). |
| 60 | +- `--clean` **[optional]**: Delete all resources created by the script. |
| 61 | +- `--quiet` **[optional]**: Suppress user interaction prompts. |
| 62 | +- `--help`: Show usage information. |
| 63 | + |
| 64 | +### Example |
| 65 | + |
| 66 | +Onboard a subscription with a new customer-managed application: |
| 67 | + |
| 68 | +```sh |
| 69 | +./cgns_onboarding_azure.sh \ |
| 70 | + --scope subscription \ |
| 71 | + --subscription_id <SUBSCRIPTION_ID> \ |
| 72 | + --onboarding_mode manage \ |
| 73 | + --single_tenant_app_mode true \ |
| 74 | + --app_name "CloudGuardApp" |
| 75 | +``` |
| 76 | + |
| 77 | +Onboard using an existing multi-tenant application: |
| 78 | + |
| 79 | +```sh |
| 80 | +./cgns_onboarding_azure.sh \ |
| 81 | + --scope management-group \ |
| 82 | + --management_group_id <MG_ID> \ |
| 83 | + --onboarding_mode read-only \ |
| 84 | + --multi_tenant_app_id <APP_ID> |
| 85 | +``` |
| 86 | + |
| 87 | +Clean up resources: |
| 88 | + |
| 89 | +```sh |
| 90 | +./cgns_onboarding_azure.sh --scope subscription --subscription_id <SUBSCRIPTION_ID> --onboarding_mode "read-only" --single_tenant_app_mode true --clean |
| 91 | +``` |
| 92 | + |
| 93 | + |
| 94 | + |
| 95 | +## Notes |
| 96 | + |
| 97 | +- The script will prompt for confirmation unless `--quiet` is specified. |
| 98 | +- Use `--dry_run` to preview actions without making changes. |
| 99 | +- Output includes sensitive credentials; handle with care. |
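Review bot: The "Clean up resources" example under Usage omits `--app_name`, which the Note under "Resource Cleanup" in the Overview says must be supplied with `--clean` to identify the application and service principal to remove; as written the command either fails or cannot locate the right resources, so add `--app_name "CloudGuardApp"` to it (and decide whether `--single_tenant_app_mode` is a bare flag, as the Options list implies, or takes a value, as every example's `--single_tenant_app_mode true` implies, and make the two agree). Three further points on this hunk. The Prerequisites line asks for Global Administrator to create the Azure application; in Entra ID the Application Administrator or Application Developer role is enough to register an application and create its service principal, so the prerequisite should name the least-privileged role that works rather than the tenant's highest one. The `--onboarding_mode` option line is garbled ("Can be either `read-only`assigns 'Reader' role or `manage` assigns 'Contributor' and 'User Access Administrator'") and should read: `read-only` assigns the `Reader` role; `manage` assigns `Contributor` and `User Access Administrator`; because `User Access Administrator` lets the service principal create further role assignments at that scope (including granting itself or others `Owner`), the Options or Notes section should state that `manage` is effectively owner-equivalent at the chosen subscription or management group and recommend `read-only` unless CGNS must deploy resources. Finally, the last Note says output includes sensitive credentials: a client secret echoed to the terminal ends up in shell history, CI logs and screen captures, so document exactly what is printed and where, and advise writing the secret to a file with restricted permissions or directly into a Key Vault instead of stdout, especially in `--quiet` runs that are likely to be scripted.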