From 0b912b12aece3c101951c96e1ecf6ffdbee94ad4 Mon Sep 17 00:00:00 2001 
From: aymanjarrousms <49946733+aymanjarrousms@users.noreply.github.com> Date: Fri, 26 Jun 2020 14:53:58 +0300 Subject: [PATCH] multi-cloud connector in azure security center (#9429) * aws connector in asc including API and examples - draft 1 * adding 'state' to the connector * when deleting aws connector that is not exist, return 404 * Updating connector is in put * aws connector status updated to enum * deleting post option in aws connector * aws connector adding state to the example files * adding description to aws connector * Renaming awsConnectors to connectors * renaming example files to connector without aws * aws dropped from the connector and adding connector type * update examples of connector based in the new schema * adding proxy to arc onboarding * updating example files * fixing typo * fixing arc to hybridComputeAutoProvision * update connectors.json (#1) * fixing file structure * updating examples * fixing connectorType to authenticationType * adding another block of properites * making two parts in the connector settings * updating required fields * Adding permission list * fixing error * changing name object * fixing permission name * adding all service principal fields * update documentation of app serivce secret * creating examples * location changed to region * create example changed to createupdate * moving account id insode the connection object * remove name fields in hybrid compute * Adding base for aws onboarding * two put and update examples * fixing examples based new body * fixing connector name * fixing aws connctor example * fixing readme and link to example file * adding correct example file * fixin example extension * fixing discriminator * provisioningState is required prop * fixing link in readme file * fixing typo in connectorName * fixing provisioningState * fixin authenticationType to authenticationType * removing readonly fields from examples * fixing credential fields * remove id from create * run Prettier on the files * 
running prettier * create two different x-ms-enum * update examples of connectors * update readme file * removing custom from secure score * fixing enum permission prop * fixing extra space in readme * Adding gcp connector * adding gcp example * update example of get list * fixing name * running prettier * fixing errors of build * removing null values from examples * taking secureScore.json new file * all secret fields marked as format password * remove required fields * Adding relevant required fields * remove password format * writeonly fields are returned with value * fixing gcp connector fields * fixing delete response * fixing examples to return empty string on writeonly fields * fixing delete response in the example * change structure of authentication * fixing inheritance in aws * fixing structure of cred in aws and gcp * write only fields are empty strings in the response of the examples * after Prettier check * clarifying the documentation of two fields * fixing documentation of region field in hybrid compute.
Co-authored-by: Ayman Jarrous Co-authored-by: adzamri <49613774+adzamri@users.noreply.github.com> --- cSpell.json | 3 +- .../2020-01-01-preview/connectors.json | 618 ++++++++++++++++++ ...sumeRoleConnectorSubscription_example.json | 65 ++ ...eAwsCredConnectorSubscription_example.json | 65 ++ ...dentialsConnectorSubscription_example.json | 80 +++ .../DeleteConnectorSubscription_example.json | 11 + .../GetConnectorSubscription_example.json | 43 ++ .../GetListConnectorSubscription_example.json | 116 ++++ .../security/resource-manager/readme.md | 8 +- 9 files changed, 1007 insertions(+), 2 deletions(-) create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/connectors.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsAssumeRoleConnectorSubscription_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsCredConnectorSubscription_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateGcpCredentialsConnectorSubscription_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/DeleteConnectorSubscription_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/GetConnectorSubscription_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/GetListConnectorSubscription_example.json
diff --git a/cSpell.json b/cSpell.json
index 8cf7fe1c77ee..21bf185fc445 100644
--- a/cSpell.json
+++ b/cSpell.json
@@ -2,6 +2,7 @@
 "version": "0.1",
 "language": "en",
 "words": [
+ "Creds"
 ],
 "dictionaryDefinitions": [
 {
@@ -636,4 +637,4 @@
 ]
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/connectors.json b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/connectors.json
new file mode 100644
index 000000000000..665e132c03d2
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/connectors.json
@@ -0,0 +1,618 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Center", + "description": "API spec for Microsoft.Security (Azure Security Center) resource provider", + "version": "2020-01-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/connectors": { + "get": { + "x-ms-examples": { + "Get all Cloud accounts connectors of a subscription": { + "$ref": "./examples/Connectors/GetListConnectorSubscription_example.json" + } + }, + "tags": [ + "Connectors" + ], + "description": "Cloud accounts connectors of a subscription", + "operationId": "Connectors_List", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ConnectorSettingList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/connectors/{connectorName}": { + "get": { + "x-ms-examples": { + "Details of a specific cloud account connector": { + "$ref": "./examples/Connectors/GetConnectorSubscription_example.json" + } + }, + "tags": [ + "Connectors" + ], + "description": 
"Details of a specific cloud account connector", + "operationId": "Connectors_Get", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ConnectorName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ConnectorSetting" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "AwsCred - Create a cloud account connector for a subscription": { + "$ref": "./examples/Connectors/CreateUpdateAwsCredConnectorSubscription_example.json" + }, + "AwsAssumeRole - Create a cloud account connector for a subscription": { + "$ref": "./examples/Connectors/CreateUpdateAwsAssumeRoleConnectorSubscription_example.json" + }, + "gcpCredentials - Create a cloud account connector for a subscription": { + "$ref": "./examples/Connectors/CreateUpdateGcpCredentialsConnectorSubscription_example.json" + } + }, + "tags": [ + "Connectors" + ], + "description": "Create a cloud account connector or update an existing one. 
Connect to your AWS cloud account using either account credentials or role-based authentication.", + "operationId": "Connectors_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ConnectorName" + }, + { + "$ref": "#/parameters/ConnectorSetting" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ConnectorSetting" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a cloud account connector from a subscription": { + "$ref": "./examples/Connectors/DeleteConnectorSubscription_example.json" + } + }, + "tags": [ + "Connectors" + ], + "description": "Delete a cloud account connector from a subscription", + "operationId": "Connectors_Delete", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ConnectorName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "The connector is not found" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "ConnectorSettingList": { + "type": "object", + "description": "For a subscription, list of all cloud account connectors and their settings", + "properties": { + "value": { + "description": "List of all the cloud account connector settings", + "type": "array", + "items": { + "$ref": "#/definitions/ConnectorSetting" + } + }, + "nextLink": { + "readOnly": true, + "type": "string", + "description": "The 
URI to fetch the next page." + } + } + }, + "ConnectorSetting": { + "type": "object", + "description": "The connector setting", + "properties": { + "properties": { + "x-ms-client-flatten": true, + "description": "Connector setting data", + "$ref": "#/definitions/ConnectorSettingProperties" + } + }, + "allOf": [ + { + "$ref": "../../../common/v1/types.json#/definitions/Resource" + } + ] + }, + "ConnectorSettingProperties": { + "type": "object", + "description": "Describes properties of an connector setting", + "properties": { + "hybridComputeSettings": { + "description": "Settings for hybrid compute management, these settings are relevant only Arc autoProvision (Hybrid Compute).", + "type": "object", + "$ref": "#/definitions/HybridComputeSettingsProperties" + }, + "authenticationDetails": { + "description": "Settings for authentication management, these settings are relevant only for the cloud connector.", + "type": "object", + "$ref": "#/definitions/AuthenticationDetailsProperties" + } + } + }, + "HybridComputeSettingsProperties": { + "type": "object", + "description": "Settings for hybrid compute management", + "properties": { + "hybridComputeProvisioningState": { + "description": "State of the service principal and its secret", + "type": "string", + "readOnly": true, + "enum": [ + "Valid", + "Invalid", + "Expired" + ], + "x-ms-enum": { + "name": "hybridComputeProvisioningState", + "modelAsString": true, + "values": [ + { + "value": "Valid", + "description": "Valid service principal details." + }, + { + "value": "Invalid", + "description": "Invalid service principal details." 
+ }, + { + "value": "Expired", + "description": "the service principal details are expired" + } + ] + } + }, + "autoProvision": { + "type": "string", + "description": "Whether or not to automatically install Azure Arc (hybrid compute) agents on machines", + "enum": [ + "On", + "Off" + ], + "x-ms-enum": { + "name": "autoProvision", + "modelAsString": true, + "values": [ + { + "value": "On", + "description": "Install missing Azure Arc agent on VMs automatically" + }, + { + "value": "Off", + "description": "Do not install Azure Arc agent on the VMs automatically" + } + ] + } + }, + "resourceGroupName": { + "type": "string", + "description": "The name of the resource group where Arc (Hybrid Compute) connectors are connected." + }, + "region": { + "type": "string", + "description": "The location where the meta data of machines will be stored", + "x-ms-mutability": [ + "create", + "read" + ] + }, + "proxyServer": { + "type": "object", + "description": "For a non-Azure machine that is not connected directly to the internet, specify a proxy server that the non-Azure machine can use.", + "$ref": "#/definitions/ProxyServerProperties" + }, + "servicePrincipal": { + "description": "An object to access resources that are secured by an Azure AD tenant.", + "type": "object", + "$ref": "#/definitions/ServicePrincipalProperties" + } + }, + "required": [ + "autoProvision" + ] + }, + "ServicePrincipalProperties": { + "type": "object", + "description": "Details of the service principal.", + "properties": { + "applicationId": { + "type": "string", + "description": "Application id of service principal." + }, + "secret": { + "type": "string", + "description": "A secret string that the application uses to prove its identity, also can be referred to as application password (write only)." 
+ } + } + }, + "AuthenticationDetailsProperties": { + "type": "object", + "description": "Settings for cloud authentication management", + "discriminator": "authenticationType", + "properties": { + "authenticationProvisioningState": { + "description": "State of the multi-cloud connector", + "type": "string", + "readOnly": true, + "enum": [ + "Valid", + "Invalid", + "Expired", + "IncorrectPolicy" + ], + "x-ms-enum": { + "name": "authenticationProvisioningState", + "modelAsString": true, + "values": [ + { + "value": "Valid", + "description": "Valid connector" + }, + { + "value": "Invalid", + "description": "Invalid connector" + }, + { + "value": "Expired", + "description": "the connection is expired" + }, + { + "value": "IncorrectPolicy", + "description": "Incorrect policy of the connector" + } + ] + } + }, + "grantedPermissions": { + "description": "The permissions detected in the cloud account.", + "type": "array", + "readOnly": true, + "items": { + "$ref": "#/definitions/PermissionProperty" + } + }, + "authenticationType": { + "description": "Connect to your cloud account, for AWS use either account credentials or role-based authentication. 
For GCP use account organization credentials.", + "type": "string", + "enum": [ + "awsCreds", + "awsAssumeRole", + "gcpCredentials" + ], + "x-ms-enum": { + "name": "authenticationType", + "modelAsString": true, + "values": [ + { + "value": "awsCreds", + "description": "AWS cloud account connector user credentials authentication" + }, + { + "value": "awsAssumeRole", + "description": "AWS account connector assume role authentication" + }, + { + "value": "gcpCredentials", + "description": "GCP account connector service to service authentication" + } + ] + } + } + }, + "required": [ + "authenticationType" + ] + }, + "AwsCredsAuthenticationDetailsProperties": { + "type": "object", + "description": "AWS cloud account connector based credentials, the credentials is composed of access key id and secret key, for more details, refer to Creating an IAM User in Your AWS Account (write only)", + "x-ms-discriminator-value": "awsCreds", + "allOf": [ + { + "$ref": "#/definitions/AuthenticationDetailsProperties" + } + ], + "properties": { + "accountId": { + "description": "The ID of the cloud account", + "type": "string", + "readOnly": true + }, + "awsAccessKeyId": { + "type": "string", + "description": "Public key element of the AWS credential object (write only)" + }, + "awsSecretAccessKey": { + "type": "string", + "description": "Secret key element of the AWS credential object (write only)" + } + }, + "required": [ + "awsAccessKeyId", + "awsSecretAccessKey" + ] + }, + "AwAssumeRoleAuthenticationDetailsProperties": { + "type": "object", + "description": "AWS cloud account connector based assume role, the role enables delegating access to your AWS resources. 
The role is composed of role arn and external id, for more details, refer to Creating a Role to Delegate Permissions to an IAM User (write only)", + "x-ms-discriminator-value": "awsAssumeRole", + "allOf": [ + { + "$ref": "#/definitions/AuthenticationDetailsProperties" + } + ], + "properties": { + "accountId": { + "description": "The ID of the cloud account", + "type": "string", + "readOnly": true + }, + "awsAssumeRoleArn": { + "type": "string", + "description": "Assumed role ID is an identifier that you can use to create temporary security credentials." + }, + "awsExternalId": { + "type": "string", + "description": "A unique identifier that is required when you assume a role in another account." + } + }, + "required": [ + "awsAssumeRoleArn", + "awsExternalId" + ] + }, + "GcpCredentialsDetailsProperties": { + "type": "object", + "description": "GCP cloud account connector based service to service credentials, the credentials is composed of organization id and json api key (write only)", + "x-ms-discriminator-value": "gcpCredentials", + "allOf": [ + { + "$ref": "#/definitions/AuthenticationDetailsProperties" + } + ], + "properties": { + "organizationId": { + "description": "The Organization ID of the GCP cloud account", + "type": "string" + }, + "type": { + "type": "string", + "description": "Type field of the API key (write only)" + }, + "projectId": { + "type": "string", + "description": "Project Id field of the API key (write only)" + }, + "privateKeyId": { + "type": "string", + "description": "Private key Id field of the API key (write only)" + }, + "privateKey": { + "type": "string", + "description": "Private key field of the API key (write only)" + }, + "clientEmail": { + "type": "string", + "description": "Client email field of the API key (write only)" + }, + "clientId": { + "type": "string", + "description": "Client Id field of the API key (write only)" + }, + "authUri": { + "type": "string", + "description": "Auth Uri field of the API key (write only)" + }, 
+ "tokenUri": { + "type": "string", + "description": "Token Uri field of the API key (write only)" + }, + "authProviderX509CertUrl": { + "type": "string", + "description": "Auth provider x509 certificate url field of the API key (write only)" + }, + "clientX509CertUrl": { + "type": "string", + "description": "Client x509 certificate url field of the API key (write only)" + } + }, + "required": [ + "organizationId", + "type", + "projectId", + "privateKeyId", + "privateKey", + "clientEmail", + "clientId", + "authUri", + "tokenUri", + "authProviderX509CertUrl", + "clientX509CertUrl" + ] + }, + "PermissionProperty": { + "description": "A permission detected in the cloud account.", + "type": "string", + "readOnly": true, + "enum": [ + "AWS::AWSSecurityHubReadOnlyAccess", + "AWS::SecurityAudit", + "AWS::AmazonSSMAutomationRole", + "GCP::Security Center Admin Viewer" + ], + "x-ms-enum": { + "name": "PermissionProperty", + "modelAsString": true, + "values": [ + { + "value": "AWS::AWSSecurityHubReadOnlyAccess", + "description": "This permission provides read only access to AWS Security Hub resources." + }, + { + "value": "AWS::SecurityAudit", + "description": "This permission grants access to read security configuration metadata." + }, + { + "value": "AWS::AmazonSSMAutomationRole", + "description": "The permission provides for EC2 Automation service to execute activities defined within Automation documents." + }, + { + "value": "GCP::Security Center Admin Viewer", + "description": "This permission provides read only access to GCP Security Command Center." 
+ } + ] + } + }, + "ProxyServerProperties": { + "type": "object", + "description": "For a non-Azure machine that is not connected directly to the internet, specify a proxy server that the non-Azure machine can use.", + "properties": { + "ip": { + "type": "string", + "description": "Proxy server IP" + }, + "port": { + "type": "string", + "description": "Proxy server port" + } + } + } + }, + "parameters": { + "ConnectorName": { + "name": "connectorName", + "in": "path", + "required": true, + "type": "string", + "description": "Name of the cloud account connector", + "x-ms-parameter-location": "method" + }, + "ConnectorSetting": { + "name": "connectorSetting", + "in": "body", + "required": true, + "description": "Settings for the cloud account connector", + "schema": { + "$ref": "#/definitions/ConnectorSetting" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsAssumeRoleConnectorSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsAssumeRoleConnectorSubscription_example.json new file mode 100644 index 000000000000..a4405f77bf03 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsAssumeRoleConnectorSubscription_example.json 
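Review bot: The credential properties in the new definitions — `ServicePrincipalProperties.secret`, `awsAccessKeyId`/`awsSecretAccessKey`, `privateKey` and the other GCP key fields — are declared write-only only in their description text, so the schema still presents them as ordinary read/write strings and the examples have to echo them back as `""`. Marking each one `"x-ms-secret": true` (or `"x-ms-mutability": ["create", "update"]`, the extension `region` already uses) makes the write-only contract machine-readable and lets the 200 responses omit the fields instead of returning empty strings. `proxyServer.ip` is a bare string with no format and no description of the accepted forms, which is why the malformed address in the AwsCred and Get examples passes validation. The definition name `AwAssumeRoleAuthenticationDetailsProperties` is missing the `s` of `Aws`; since it becomes the generated model name it should read `AwsAssumeRoleAuthenticationDetailsProperties` before this preview is consumed.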
@@ -0,0 +1,65 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "connectorName": "aws_dev2",
+ "connectorSetting": {
+ "properties": {
+ "hybridComputeSettings": {
+ "autoProvision": "On",
+ "resourceGroupName": "AwsConnectorRG",
+ "region": "West US 2",
+ "proxyServer": {
+ "ip": "167.220.197.140",
+ "port": "34"
+ },
+ "servicePrincipal": {
+ "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1",
+ "secret": "x2yS:FnCHssRkH0@CJY5pATzlEs@r5m."
+ }
+ },
+ "authenticationDetails": {
+ "authenticationType": "awsAssumeRole",
+ "awsAssumeRoleArn": "arn:aws:iam::81231569658:role/AscConnector",
+ "awsExternalId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
+ }
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev2",
+ "name": "aws_dev2",
+ "type": "Microsoft.Security/connectors",
+ "properties": {
+ "hybridComputeSettings": {
+ "hybridComputeProvisioningState": "Valid",
+ "autoProvision": "On",
+ "resourceGroupName": "AwsConnectorRG",
+ "region": "West US 2",
+ "proxyServer": {
+ "ip": "167.220.197.140",
+ "port": "34"
+ },
+ "servicePrincipal": {
+ "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"
+ }
+ },
+ "authenticationDetails": {
+ "authenticationProvisioningState": "Valid",
+ "grantedPermissions": [
+ "AWS::AWSSecurityHubReadOnlyAccess",
+ "AWS::SecurityAudit",
+ "AWS::AmazonSSMAutomationRole"
+ ],
+ "authenticationType": "awsAssumeRole",
+ "accountId": "81231569658",
+ "awsAssumeRoleArn": "arn:aws:iam::81231569658:role/AscConnector",
+ "awsExternalId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
+ }
+ }
+ }
+ }
+ }
+}
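Review bot: The `servicePrincipal.secret` value `x2yS:FnCHssRkH0@CJY5pATzlEs@r5m.` in the request reads as a real client secret rather than a placeholder, and the same pattern repeats with the AWS access key pair in CreateUpdateAwsCredConnectorSubscription_example.json and the complete PEM private key in CreateUpdateGcpCredentialsConnectorSubscription_example.json. If any of these values were ever live they should be treated as exposed and rotated; regardless, examples in a public spec should use unmistakably synthetic values — for instance `"secret": "<client-secret>"`, AWS's documented `AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, and a PEM body reduced to `<redacted>` — so secret scanners do not flag the repository. Separately, `accountId` `81231569658` and the account segment of `awsAssumeRoleArn` have 11 digits, whereas AWS account IDs are 12 digits, so the ARN in this example is not well-formed.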
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsCredConnectorSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsCredConnectorSubscription_example.json
new file mode 100644
index 000000000000..8e89a390a07c
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsCredConnectorSubscription_example.json
@@ -0,0 +1,65 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "connectorName": "aws_dev1",
+ "connectorSetting": {
+ "properties": {
+ "hybridComputeSettings": {
+ "autoProvision": "On",
+ "resourceGroupName": "AwsConnectorRG",
+ "region": "West US 2",
+ "proxyServer": {
+ "ip": "167.220.197.140",
+ "port": "34"
+ },
+ "servicePrincipal": {
+ "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1",
+ "secret": "x2yS:FnCHssRkH0@CJY5pATzlEs@r5m."
+ }
+ },
+ "authenticationDetails": {
+ "authenticationType": "awsCreds",
+ "awsAccessKeyId": "AKIARPZCNODDNAEQFSOE",
+ "awsSecretAccessKey": "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"
+ }
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev1",
+ "name": "aws_dev1",
+ "type": "Microsoft.Security/connectors",
+ "properties": {
+ "hybridComputeSettings": {
+ "hybridComputeProvisioningState": "Valid",
+ "autoProvision": "On",
+ "resourceGroupName": "AwsConnectorRG",
+ "region": "West US 2",
+ "proxyServer": {
+ "ip": "287.221.107.152",
+ "port": "34"
+ },
+ "servicePrincipal": {
+ "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"
+ }
+ },
+ "authenticationDetails": {
+ "authenticationProvisioningState": "Valid",
+ "grantedPermissions": [
+ "AWS::AWSSecurityHubReadOnlyAccess",
+ "AWS::SecurityAudit",
+ "AWS::AmazonSSMAutomationRole"
+ ],
+ "authenticationType": "awsCreds",
+ "accountId": "922315681122",
+ "awsAccessKeyId": "",
+ "awsSecretAccessKey": ""
+ }
+ }
+ }
+ }
+ }
+}
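Review bot: The `proxyServer.ip` in the 200 response is `287.221.107.152` while the request sent `167.220.197.140`; a PUT response should reflect the stored settings, and `287` exceeds the 255 limit of an IPv4 octet, so the example shows an address the service could not have accepted. The same `287.221.107.152` appears in GetConnectorSubscription_example.json and in the aws_dev1 entry of GetListConnectorSubscription_example.json. Using the request's value, or a documentation-range address such as `192.0.2.10`, in all three files keeps the examples consistent and valid.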
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateGcpCredentialsConnectorSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateGcpCredentialsConnectorSubscription_example.json
new file mode 100644
index 000000000000..5574f86fbdb1
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateGcpCredentialsConnectorSubscription_example.json
@@ -0,0 +1,80 @@ +{ + "parameters": { + "api-version": "2020-01-01-preview", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "connectorName": "gcp_dev", + "connectorSetting": { + "properties": { + "hybridComputeSettings": { + "autoProvision": "On", + "resourceGroupName": "GcpConnectorRG", + "region": "West US 2", + "proxyServer": { + "ip": "201.120.185.132", + "port": "34" + }, + "servicePrincipal": { + "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1", + "secret": "x2yS:FnCHssRkH0@CJY5pATzlEs@r5m." + } + }, + "authenticationDetails": { + "authenticationType": "gcpCredentials", + "organizationId": "AscDemoOrg", + "type": "service_account", + "projectId": "asc-project-1234", + "privateKeyId": "6efg587hra2568as34d22326b044cc20dc2af", + "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCpxYHcLzcDZ6/Q\nAeQZnQXM5GTb3p09Xsbjo2T2F61b6I7FZiQXBrbw3Zf0CUCkkqTTpD5xifl82yQ6\n89V7SAe8hxI7esAcVDhm/aJMqzVjHLISAU2L3li1sn0jjY2oYtndwN6bRivP8O6t\n9F+W6E0zMlbCxtpZEHLbb6WxlJJrwEQ0MPH2yOCwZUQi6NHksAtEzX2nNKJNyUC7\nQyBVHHMm34H2bmZwsuQp3y2otpcJ9tJnVmYfC3k/w4x2L+DIK7JnQP/C1wQqu2du\nc0w6sydF6RhLoHButrVdYRJTdfK4k03SsSTyMqZ+f7LNnKw3xenzw1VmEpk8mvoQ\nt08tCBOrAgMBAAECggEAByzz6iyMtLYjNjV+QJ7kad6VbL2iA8AHxANZ9xTVHPdd\nYXaJu/dqsA+NpqDlfI8+LDva782XH/HbPCqmMUnAGfXTjXQIvqnIoIHD5F2wKfpC\nhIRNlMXXFgbvRxtqi11yO+80+XcjzuwuCmgzyhsTeEB+bkkdXXpWgHPdmv3emnM6\nMQM9Zgrug0UndPmiUwKOcJSU4PlmlTpHEV4vA6JfA4bvphy9m1jxO5qWeah5yym2\n6FP5BRIDF98kFrDnSXJjajwgLCQ+MypFQXyax6XkxDxuKXbng1bv7eZDjqazIChk\nm0y14X0s0jnWc+AX8vfeSf7d+EsGdVinEwR1aAawEQKBgQDqDB0qxcIQ1oI1Kww8\n9vXefTiuWsf47F+fJ/DIOEbiRfE8IdCgmOABvcqJIoxW/DFMBEdLCcx73Km7pOmd\nKg1ddScnaO8cOj2v/Ub+fAqVrA4ki4ViYP0A7/Nogga3Jr/x3ey5bitrIfFImteS\nCgBHBzZvoQpvO4lB2tKVgo2P9wKBgQC5sgTEq4sasRGSAY6lIoJno0I8w28a/16D\nes60XQeY1ger8uTGwlT02v/u/arDUmRLPClpujXq6gK29KvtRCHy7JkpGbqW2bZs\nPFKKWR7Tk3XPKYyjv94AIi5/xoFeDhS4lpAvy3Z5tQhYS6wqWKvT6yZQ3kM+Hfxs\npHgvu3mU7QKBgQC9/E1k3hj1cBtMK4CIsHPPQljTd4+iacYJPPPAo6YuoVX8WPqw\nksgr
wbN59Fh1d8xQh5yTtgWOegYx8uFMGcm1lpbM7+pBQKm4hWGuzGQPMRZd5f/F\nZzOZIi61I+9tlv/yxxIVR+/ozCm/pSneO04UWi9/F/uPZYW6tnWAtfRR6wKBgGsZ\n8MQaCK4JaI/klAhMghgSQnbXZXKVzUZaA3Rln6cX8u7KtgapOOTMlwaZie8Dy1LV\nTTFstAJcm9o3/h1nyYjZy3C4JTUyNpPwqs6enjf7edxVI4eidwFutZD+xcigqHTa\naikW2atSrZB3fMIjyF7+5meH+hKOqvNiXOty3qn1AoGAZuVxYQy5FVq3YZxzr3Aa\nAm0ShoXTF6QYIbsaUiUGoa/NlHcw9V/lj4AqBRbxbaYMD+hz2J/od9cb268eJKY8\n3b6MvaUqdNhNnWodJXLhgtmGEHDKmTppz2JSTx/tVzCfhFdcOC79StZvcKLhtoFQ\n+/3lEw6NCIXzm5E4+dtJG4k=\n-----END PRIVATE KEY-----\n", + "clientEmail": "asc-135@asc-project-1234.iam.gserviceaccount.com", + "clientId": "105889053725632919854", + "authUri": "https://accounts.google.com/o/oauth2/auth", + "tokenUri": "https://oauth2.googleapis.com/token", + "authProviderX509CertUrl": "https://www.googleapis.com/oauth2/v1/certs", + "clientX509CertUrl": "https://www.googleapis.com/robot/v1/metadata/x509/asc-135%40asc-project-1234.iam.gserviceaccount.com" + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/gcp_dev", + "name": "gcp_dev", + "type": "Microsoft.Security/connectors", + "properties": { + "hybridComputeSettings": { + "hybridComputeProvisioningState": "Valid", + "autoProvision": "On", + "resourceGroupName": "GcpConnectorRG", + "region": "West US 2", + "proxyServer": { + "ip": "201.120.185.132", + "port": "34" + }, + "servicePrincipal": { + "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1" + } + }, + "authenticationDetails": { + "authenticationProvisioningState": "Valid", + "grantedPermissions": [ + "GCP::Security Center Admin Viewer" + ], + "authenticationType": "gcpCredentials", + "organizationId": "AscDemoOrg", + "type": "", + "projectId": "", + "privateKeyId": "", + "privateKey": "", + "clientEmail": "", + "clientId": "", + "authUri": "", + "tokenUri": "", + "authProviderX509CertUrl": "", + "clientX509CertUrl": "" + } + } + } + } + } +} 
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/DeleteConnectorSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/DeleteConnectorSubscription_example.json
new file mode 100644
index 000000000000..b387c969aaa5
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/DeleteConnectorSubscription_example.json
@@ -0,0 +1,11 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "connectorName": "aws_dev1"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/GetConnectorSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/GetConnectorSubscription_example.json
new file mode 100644
index 000000000000..d5dc6f6126dc
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/GetConnectorSubscription_example.json
@@ -0,0 +1,43 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "connectorName": "aws_dev1"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev1",
+ "name": "aws_dev1",
+ "type": "Microsoft.Security/connectors",
+ "properties": {
+ "hybridComputeSettings": {
+ "hybridComputeProvisioningState": "Valid",
+ "autoProvision": "On",
+ "resourceGroupName": "AwsConnectorRG",
+ "region": "West US 2",
+ "proxyServer": {
+ "ip": "287.221.107.152",
+ "port": "34"
+ },
+ "servicePrincipal": {
+ "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"
+ }
+ },
+ "authenticationDetails": {
+ "authenticationProvisioningState": "Valid",
+ "grantedPermissions": [
+ "AWS::AWSSecurityHubReadOnlyAccess",
+ "AWS::SecurityAudit",
+ "AWS::AmazonSSMAutomationRole"
+ ],
+ "authenticationType": "awsCreds",
+ "accountId": "922315681122",
+ "awsAccessKeyId": "",
+ "awsSecretAccessKey": ""
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/GetListConnectorSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/GetListConnectorSubscription_example.json
new file mode 100644
index 000000000000..3f2ffbc17f7a
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/GetListConnectorSubscription_example.json
@@ -0,0 +1,116 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev1",
+ "name": "aws_dev1",
+ "type": "Microsoft.Security/connectors",
+ "properties": {
+ "hybridComputeSettings": {
+ "hybridComputeProvisioningState": "Valid",
+ "autoProvision": "On",
+ "resourceGroupName": "AwsConnectorRG",
+ "region": "West US 2",
+ "proxyServer": {
+ "ip": "287.221.107.152",
+ "port": "34"
+ },
+ "servicePrincipal": {
+ "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"
+ }
+ },
+ "authenticationDetails": {
+ "authenticationProvisioningState": "Valid",
+ "grantedPermissions": [
+ "AWS::AWSSecurityHubReadOnlyAccess",
+ "AWS::SecurityAudit",
+ "AWS::AmazonSSMAutomationRole"
+ ],
+ "authenticationType": "awsCreds",
+ "accountId": "922315681122",
+ "awsAccessKeyId": "",
+ "awsSecretAccessKey": ""
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev2",
+ "name": "aws_dev2",
+ "type": "Microsoft.Security/connectors",
+ "properties": {
+ "hybridComputeSettings": {
+ "hybridComputeProvisioningState": "Valid",
+ "autoProvision": "On",
+ "resourceGroupName": "AwsConnectorRG",
+ "region": "West US 2",
+ "proxyServer": {
+ "ip": "167.210.187.160",
+ "port": "34"
+ },
+ "servicePrincipal": {
+ "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"
+ }
+ },
+ "authenticationDetails": {
+ "authenticationProvisioningState": "Valid",
+ "grantedPermissions": [
+ "AWS::AWSSecurityHubReadOnlyAccess",
+ "AWS::SecurityAudit",
+ "AWS::AmazonSSMAutomationRole"
+ ],
+ "authenticationType": "awsAssumeRole",
+ "accountId": "81231569658",
+ "awsAssumeRoleArn": "arn:aws:iam::81231569658:role/AscConnector",
+ "awsExternalId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/gcp_dev",
+ "name": "gcp_dev",
+ "type": "Microsoft.Security/connectors",
+ "properties": {
+ "hybridComputeSettings": {
+ "hybridComputeProvisioningState": "Valid",
+ "autoProvision": "On",
+ "resourceGroupName": "GcpConnectorRG",
+ "region": "West US 2",
+ "proxyServer": {
+ "ip": "201.120.185.132",
+ "port": "34"
+ },
+ "servicePrincipal": {
+ "applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"
+ }
+ },
+ "authenticationDetails": {
+ "authenticationProvisioningState": "Valid",
+ "grantedPermissions": [
+ "GCP::Security Center Admin Viewer"
+ ],
+ "authenticationType": "gcpCredentials",
+ "organizationId": "AscDemoOrg",
+ "type": "",
+ "projectId": "",
+ "privateKeyId": "",
+ "privateKey": "",
+ "clientEmail": "",
+ "clientId": "",
+ "authUri": "",
+ "tokenUri": "",
+ "authProviderX509CertUrl": "",
+ "clientX509CertUrl": ""
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md
index ea3392274978..59da08fd7551 100644
--- a/specification/security/resource-manager/readme.md
+++ b/specification/security/resource-manager/readme.md
@@ -60,6 +60,7 @@ These settings apply only when `--tag=package-composite-v1` is specified on the
 ``` yaml $(tag) == 'package-composite-v1'
 input-file:
 - Microsoft.Security/preview/2020-01-01-preview/secureScore.json
+- Microsoft.Security/preview/2020-01-01-preview/connectors.json
 - Microsoft.Security/preview/2019-01-01-preview/automations.json
 - Microsoft.Security/preview/2019-01-01-preview/subAssessments.json
 - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json
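Review bot: `"accountId": "81231569658"` for aws_dev2 has 11 digits and the same value is embedded in `"awsAssumeRoleArn": "arn:aws:iam::81231569658:role/AscConnector"`; AWS account IDs are 12 digits, so any pattern constraint on accountId would reject this sample and readers copying it get a malformed ARN. The authenticationType discriminator values `awsCreds`, `awsAssumeRole` and `gcpCredentials` mix abbreviated and full spellings; settling on one convention (for example spelling the first as a full word) before the preview ships avoids a breaking rename later. The gcp_dev entry echoes the full service-account key shape (`privateKeyId`, `privateKey`, `clientEmail`, `clientId`, …) as empty strings in a GET response; if those are write-only, drop them from the read example as well.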
@@ -97,6 +98,7 @@ These settings apply only when `--tag=package-composite-v2` is specified on the ``` yaml $(tag) == 'package-composite-v2' input-file: - Microsoft.Security/preview/2020-01-01-preview/secureScore.json +- Microsoft.Security/preview/2020-01-01-preview/connectors.json - Microsoft.Security/preview/2019-01-01-preview/automations.json - Microsoft.Security/preview/2019-01-01-preview/subAssessments.json - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json @@ -167,6 +169,7 @@ input-file: - Microsoft.Security/stable/2020-01-01/discoveredSecuritySolutions.json - Microsoft.Security/stable/2020-01-01/externalSecuritySolutions.json - Microsoft.Security/preview/2020-01-01-preview/secureScore.json +- Microsoft.Security/preview/2020-01-01-preview/connectors.json # Needed when there is more than one input file override-info: @@ -242,6 +245,7 @@ These settings apply only when `--tag=package-2020-01-preview-only` is specified ``` yaml $(tag) == 'package-2020-01-preview-only' input-file: - Microsoft.Security/preview/2020-01-01-preview/secureScore.json +- Microsoft.Security/preview/2020-01-01-preview/connectors.json # Needed when there is more than one input file override-info: 
@@ -385,13 +389,15 @@ AutoRest V3 generators require the use of `--tag=all-api-versions` to select api This block is updated by an automatic script. Edits may be lost! -``` yaml $(tag) == 'all-api-versions' /* autogenerated */ + +``` yaml $(tag) == 'all-api-versions' /*autogenerated*/ # include the azure profile definitions from the standard location require: $(this-folder)/../../../profiles/readme.md # all the input files across all versions input-file: - $(this-folder)/Microsoft.Security/preview/2020-01-01-preview/secureScore.json + - $(this-folder)/Microsoft.Security/preview/2020-01-01-preview/connectors.json - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/automations.json - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/subAssessments.json - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json