fix: add missing subscription_id from azurerm block (#1177)

dmurray-lacework · web-flow · commit 20083ac278b1 · 2023-03-10T11:31:27.000Z
* fix: add missing subscription_id from azurerm block

Signed-off-by: Darren Murray &lt;darren.murray@lacework.net&gt;

* test: update azure generation tests

Signed-off-by: Darren Murray &lt;darren.murray@lacework.net&gt;

* refactor: address code review comments

Signed-off-by: Darren Murray &lt;darren.murray@lacework.net&gt;

* test: update azure generation tests

Signed-off-by: Darren Murray &lt;darren.murray@lacework.net&gt;

---------

Signed-off-by: Darren Murray &lt;darren.murray@lacework.net&gt;
diff --git a/cli/cmd/generate_azure.go b/cli/cmd/generate_azure.go
@@ -14,10 +14,12 @@ import (
 
 var (
 	// Define question text here so they can be reused in testing
-	QuestionAzureEnableConfig = "Enable Azure configuration integration?"
-	QuestionAzureConfigName   = "Specify custom configuration integration name: (optional)"
-	QuestionEnableActivityLog = "Enable Azure Activity Log Integration?"
-	QuestionActivityLogName   = "Specify custom Activity Log integration name: (optional)"
+	QuestionAzureEnableConfig      = "Enable Azure configuration integration?"
+	QuestionAzureConfigName        = "Specify custom configuration integration name: (optional)"
+	QuestionEnableActivityLog      = "Enable Azure Activity Log Integration?"
+	QuestionActivityLogName        = "Specify custom Activity Log integration name: (optional)"
+	QuestionAddAzureSubscriptionID = "Set Azure Subscription ID?"
+	QuestionAzureSubscriptionID    = "Specify the Azure Subscription ID to be used to provision Lacework resources: (optional)"
 
 	QuestionAzureAnotherAdvancedOpt      = "Configure another advanced integration option"
 	QuestionAzureConfigAdvanced          = "Configure advanced integration options?"
@@ -169,6 +171,7 @@ By default, this command will function interactively, prompting for the required
 			// Setup modifiers for NewTerraform constructor
 			mods := []azure.AzureTerraformModifier{
 				azure.WithLaceworkProfile(GenerateAzureCommandState.LaceworkProfile),
+				azure.WithSubscriptionID(GenerateAzureCommandState.SubscriptionID),
 				azure.WithAllSubscriptions(GenerateAzureCommandState.AllSubscriptions),
 				azure.WithManagementGroup(GenerateAzureCommandState.ManagementGroup),
 				azure.WithExistingStorageAccount(GenerateAzureCommandState.ExistingStorageAccount),
@@ -371,6 +374,12 @@ func initGenerateAzureTfCommandFlags() {
 		"",
 		"specify a custom configuration integration name")
 
+	generateAzureTfCommand.PersistentFlags().StringVar(
+		&GenerateAzureCommandState.SubscriptionID,
+		"subscription_id",
+		"",
+		"specify the Azure Subscription ID to be used to provision Lacework resources")
+
 	generateAzureTfCommand.PersistentFlags().BoolVar(
 		&GenerateAzureCommandState.CreateAdIntegration,
 		"ad_create",
@@ -601,6 +610,32 @@ func promptCustomizeAzureLoggingRegion(config *azure.GenerateAzureTfConfiguratio
 	return nil
 }
 
+func askAzureSubscriptionID(config *azure.GenerateAzureTfConfigurationArgs) error {
+	var addSubscription bool
+
+	// if subscription has been set by --subscription_id flag do not prompt
+	if config.SubscriptionID != "" {
+		return nil
+	}
+
+	if err := SurveyQuestionInteractiveOnly(SurveyQuestionWithValidationArgs{
+		Prompt:   &survey.Confirm{Message: QuestionAddAzureSubscriptionID, Default: false},
+		Response: &addSubscription,
+	}); err != nil {
+		return err
+	}
+
+	if addSubscription {
+		if err := survey.AskOne(&survey.Input{
+			Message: QuestionAzureSubscriptionID,
+		}, &config.SubscriptionID); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func askAdvancedAzureOptions(config *azure.GenerateAzureTfConfigurationArgs, extraState *AzureGenerateCommandExtraState) error {
 	answer := ""
 
@@ -738,6 +773,10 @@ func promptAzureGenerate(config *azure.GenerateAzureTfConfigurationArgs, extraSt
 		return errors.New("must enable activity log or config")
 	}
 
+	if err := askAzureSubscriptionID(config); err != nil {
+		return err
+	}
+
 	// Find out if the customer wants to specify more advanced features
 	if err := SurveyQuestionInteractiveOnly(SurveyQuestionWithValidationArgs{
 		Prompt:   &survey.Confirm{Message: QuestionAzureConfigAdvanced, Default: extraState.AskAdvanced},
diff --git a/integration/azure_generation_test.go b/integration/azure_generation_test.go
@@ -68,6 +68,7 @@ func TestGenerationAzureSimple(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
 			})
@@ -108,6 +109,7 @@ func TestGenerationAzureCustomizedOutputLocation(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 				MsgMenu{cmd.AzureAdvancedOptDone, 5},
 				MsgRsp{cmd.QuestionAzureCustomizeOutputLocation, dir},
@@ -146,6 +148,7 @@ func TestGenerationAzureConfigOnly(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "n"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
 			})
@@ -179,6 +182,7 @@ func TestGenerationAzureActivityLogOnly(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "n"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
 			})
@@ -215,6 +219,7 @@ func TestGenerationAzureNoADEnabled(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "n"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 				MsgMenu{cmd.AzureAdvancedOptLocation, 2},
 				MsgRsp{cmd.QuestionADApplicationPass, pass},
@@ -258,6 +263,7 @@ func TestGenerationAzureNamedConfig(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "n"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 0},
@@ -300,6 +306,7 @@ func TestGenerationAzureNamedActivityLog(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "n"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 0},
@@ -340,6 +347,7 @@ func TestGenerationAzureAdvancedOptsDone(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 6},
@@ -387,6 +395,7 @@ func TestGenerationAzureWithExistingTerraform(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 				MsgMenu{cmd.AzureAdvancedOptDone, 5},
 				MsgRsp{cmd.QuestionAzureCustomizeOutputLocation, dir},
@@ -425,6 +434,7 @@ func TestGenerationAzureConfigAllSubs(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "n"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 				MsgMenu{cmd.AzureAdvancedOptDone, 1},
 				MsgRsp{cmd.QuestionEnableAllSubscriptions, "y"},
@@ -465,6 +475,7 @@ func TestGenerationAzureConfigMgmntGroup(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "n"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 2},
@@ -508,6 +519,7 @@ func TestGenerationAzureConfigSubs(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "n"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 1},
@@ -551,6 +563,7 @@ func TestGenerationAzureActivityLogSubs(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "n"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 1},
@@ -595,6 +608,7 @@ func TestGenerationAzureActivityLogStorageAccount(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "n"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 3},
@@ -641,6 +655,7 @@ func TestGenerationAzureActivityLogAllSubs(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "n"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 1},
@@ -683,6 +698,7 @@ func TestGenerationAzureActivityLogLocation(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "n"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "y"},
 
 				MsgMenu{cmd.AzureAdvancedOptDone, 2},
@@ -728,6 +744,7 @@ func TestGenerationAzureOverwrite(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
 			})
@@ -746,6 +763,7 @@ func TestGenerationAzureOverwrite(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
 				MsgRsp{"already exists, overwrite?", "n"},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
@@ -781,6 +799,7 @@ func TestGenerationAzureOverwriteOutput(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
 			})
@@ -801,6 +820,7 @@ func TestGenerationAzureOverwriteOutput(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
 				MsgRsp{"already exists, overwrite?", "n"},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
@@ -830,6 +850,7 @@ func TestGenerationAzureLaceworkProfile(t *testing.T) {
 				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
 				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
 				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "n"},
 				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
 			})
@@ -851,6 +872,41 @@ func TestGenerationAzureLaceworkProfile(t *testing.T) {
 	assert.Equal(t, buildTf, tfResult)
 }
 
+func TestGenerationAzureWithSubscriptionID(t *testing.T) {
+	os.Setenv("LW_NOCACHE", "true")
+	defer os.Setenv("LW_NOCACHE", "")
+	var final string
+	var runError error
+	mockSubscriptionID := "111aaa1a-a1a1-11aa-a111-1aaaa1a11a11"
+
+	// Run CLI
+	tfResult := runGenerateAzureTest(t,
+		func(c *expect.Console) {
+			expectsCliOutput(t, c, []MsgRspHandler{
+				MsgRsp{cmd.QuestionAzureEnableConfig, "y"},
+				MsgRsp{cmd.QuestionEnableActivityLog, "y"},
+				MsgRsp{cmd.QuestionEnableAdIntegration, "y"},
+				MsgRsp{cmd.QuestionAddAzureSubscriptionID, "y"},
+				MsgRsp{cmd.QuestionAzureSubscriptionID, mockSubscriptionID},
+				MsgRsp{cmd.QuestionAzureConfigAdvanced, "n"},
+				MsgRsp{cmd.QuestionRunTfPlan, "n"},
+			})
+			final, _ = c.ExpectEOF()
+		},
+		"generate",
+		"cloud-account",
+		"az",
+	)
+
+	// Ensure CLI ran correctly
+	assert.Nil(t, runError)
+	assert.Contains(t, final, "Terraform code saved in")
+
+	// Create the TF directly with lwgenerate and validate same result via CLI
+	buildTf, _ := azure.NewTerraform(true, true, true, azure.WithSubscriptionID(mockSubscriptionID)).Generate()
+	assert.Equal(t, buildTf, tfResult)
+}
+
 func runGenerateAzureTest(t *testing.T, conditions func(*expect.Console), args ...string) string {
 	os.Setenv("HOME", tfPath)
 
diff --git a/integration/test_resources/help/generate_cloud-account_azure b/integration/test_resources/help/generate_cloud-account_azure
@@ -35,6 +35,7 @@ Flags:
       --output string                          location to write generated content (default is ~/lacework/azure)
       --storage_account_name string            specify storage account name
       --storage_resource_group string          specify storage resource group
+      --subscription_id string                 specify the Azure Subscription ID to be used to provision Lacework resources
       --subscription_ids strings               list of subscriptions to grant read access; format is id1,id2,id3
       --terraform-apply                        run terraform apply for the generated hcl
 
diff --git a/lwgenerate/azure/azure.go b/lwgenerate/azure/azure.go
@@ -40,6 +40,9 @@ type GenerateAzureTfConfigurationArgs struct {
 	// List of subscription Ids
 	SubscriptionIds []string
 
+	// Subscription ID configured in azurerm provider block
+	SubscriptionID string
+
 	// Grant read access to ALL subscriptions
 	AllSubscriptions bool
 
@@ -197,6 +200,12 @@ func WithLaceworkProfile(name string) AzureTerraformModifier {
 	}
 }
 
+func WithSubscriptionID(subcriptionID string) AzureTerraformModifier {
+	return func(c *GenerateAzureTfConfigurationArgs) {
+		c.SubscriptionID = subcriptionID
+	}
+}
+
 // Generate new Terraform code based on the supplied args.
 func (args *GenerateAzureTfConfigurationArgs) Generate() (string, error) {
 	// Validate inputs
@@ -220,7 +229,7 @@ func (args *GenerateAzureTfConfigurationArgs) Generate() (string, error) {
 		return "", errors.Wrap(err, "failed to generate AD provider")
 	}
 
-	azureRMProvider, err := createAzureRMProvider()
+	azureRMProvider, err := createAzureRMProvider(args.SubscriptionID)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to generate AM provider")
 	}
@@ -307,19 +316,25 @@ func createAzureADProvider() ([]*hclwrite.Block, error) {
 //            features = {}
 //         }
 //
-func createAzureRMProvider() ([]*hclwrite.Block, error) {
+func createAzureRMProvider(subscriptionID string) ([]*hclwrite.Block, error) {
 	blocks := []*hclwrite.Block{}
 	attrs := map[string]interface{}{}
+	featureAttrs := map[string]interface{}{}
+
+	if subscriptionID != "" {
+		attrs["subscription_id"] = subscriptionID
+	}
 
 	provider, err := lwgenerate.NewProvider(
 		"azurerm",
+		lwgenerate.HclProviderWithAttributes(attrs),
 	).ToBlock()
 
 	if err != nil {
 		return nil, err
 	}
 	// Create the features block
-	featuresBlock, err := lwgenerate.HclCreateGenericBlock("features", []string{}, attrs)
+	featuresBlock, err := lwgenerate.HclCreateGenericBlock("features", []string{}, featureAttrs)
 	provider.Body().AppendBlock(featuresBlock)
 
 	if err != nil {
diff --git a/lwgenerate/azure/azure_test.go b/lwgenerate/azure/azure_test.go
@@ -231,3 +231,13 @@ func TestGenerationWithLaceworkProvider(t *testing.T) {
 	assert.NotNil(t, hcl)
 	assert.Equal(t, laceworkProfile, hcl)
 }
+
+func TestGenerationAzureRmProviderWithSubscriptionID(t *testing.T) {
+	configWithSubscription, fileErr := getFileContent("test-data/config-with-azurerm-subscription.tf")
+	assert.Nil(t, fileErr)
+
+	hcl, err := azure.NewTerraform(true, false, true, azure.WithSubscriptionID("test-subscription")).Generate()
+	assert.Nil(t, err)
+	assert.NotNil(t, hcl)
+	assert.Equal(t, configWithSubscription, hcl)
+}
diff --git a/lwgenerate/azure/test-data/config-with-azurerm-subscription.tf b/lwgenerate/azure/test-data/config-with-azurerm-subscription.tf
