Implement Azure resource fetching in the Discovery service #48843
Conversation
mvbrock
force-pushed
the
mvbrock/azure-integration-grpc
branch
3 times, most recently
from
6c2c286 to
7d10b7c
Compare
mvbrock
force-pushed
the
mvbrock/azure-integration-fetch
branch
from
6e1c97f to
4c2df44
Compare
mvbrock
force-pushed
the
mvbrock/azure-integration-grpc
branch
from
7d10b7c to
61e626b
Compare
mvbrock
force-pushed
the
mvbrock/azure-integration-fetch
branch
2 times, most recently
from
dae5182 to
b20ff8b
Compare
mvbrock
force-pushed
the
mvbrock/azure-integration-fetch
branch
from
9f7e308 to
a3b84e8
Compare
mvbrock
requested review from
rosstimothy
and removed request for
bernardjkim and
hugoShaka
|
@mvbrock - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes. |
There was a problem hiding this comment.
we already have a entraid graph client in lib/msgraph
There was a problem hiding this comment.
I will see if it can be used or slightly modified to work here.
There was a problem hiding this comment.
I should probably do this in a followup PR since some significant changes may need to be made to the entraid graph client.
| accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" | ||
| ) | ||
|
|
||
| const groupType = "#microsoft.graph.group" |
There was a problem hiding this comment.
all this can be replaced with msgraph
|
This PR is quite large. This make reviewing hard, as reviewers we are more likely to miss bugs, and this makes reverting/backporting your PR harder because of the conflicts and potential protobuf breaking changes. Working on a single branch to get the full thing working is positive as this avoids having to backtrack and fix things we forgot on a previous PR. However it might be useful to split the resulting changeset into smaller PRs. You will get a higher quality review and it will take less time to get merged. Teleporters tend to split the PR into at least:
This does not apply to every PR but as a rule of thumb, splitting large PRs into smaller chunks is a best practice and you might want to consider breaking PRs larger than 500 locs. |
mvbrock
force-pushed
the
mvbrock/azure-integration-fetch
branch
2 times, most recently
from
a386665 to
fd9cc3e
Compare
| // Azure is a configuration for Azure Access Graph service poll service. | ||
| repeated AccessGraphAzureSync Azure = 3 [(gogoproto.jsontag) = "azure,omitempty"]; |
There was a problem hiding this comment.
Can we please update the PollInterval comment? I assume it will be applied to Azure Sync as well.
| repeated string Regions = 1 [(gogoproto.jsontag) = "regions,omitempty"]; | ||
| string SubscriptionID = 2 [(gogoproto.jsontag) = "subscription_id,omitempty"]; | ||
| string Integration = 3 [(gogoproto.jsontag) = "integration,omitempty"]; |
There was a problem hiding this comment.
Can you please add comments to those?
I assume Integration is required but for the others, can we use the wildcard to indicate all the regions or all the subscriptions?
There was a problem hiding this comment.
What about resource groups? Should that also be used to filter out resources?
I imagine someone trying TAG and maybe they only want a couple of ResourceGroups to see how it works, before applying to everything
There was a problem hiding this comment.
Added the suggestion for resource group configuration in https://github.com/gravitational/access-graph/issues/1376
| ) | ||
|
|
||
| func (a *Fetcher) fetchVirtualMachines(ctx context.Context) ([]*accessgraphv1alpha.AzureVirtualMachine, error) { | ||
| // Fetch the VMs |
There was a problem hiding this comment.
| // Fetch the VMs |
💅 I don't think this comment is helpful.
| return nil, trace.Wrap(err) | ||
| } | ||
|
|
||
| // Return the VMs as protobuf messages |
There was a problem hiding this comment.
| // Return the VMs as protobuf messages |
💅 I don't think this comment is helpful.
|
|
||
| func (a *Fetcher) fetchVirtualMachines(ctx context.Context) ([]*accessgraphv1alpha.AzureVirtualMachine, error) { | ||
| // Fetch the VMs | ||
| vms, err := a.vmClient.ListVirtualMachines(ctx, "*") |
There was a problem hiding this comment.
Can we have a variable saying that "*" is used to get all resource groups?
| s.muDynamicTAGAWSFetchers.Lock() | ||
| s.dynamicTAGAWSFetchers[dc.GetName()] = awsSyncMatchers | ||
| s.muDynamicTAGAWSFetchers.Unlock() |
There was a problem hiding this comment.
No azure dynamic matchers for TAG Sync?
| reconcile(old.VirtualMachines, new.VirtualMachines, azureVmKey, azureVmWrap), | ||
| reconcile(old.Principals, new.Principals, azurePrincipalsKey, azurePrincipalsWrap), | ||
| reconcile(old.RoleDefinitions, new.RoleDefinitions, azureRoleDefKey, azureRoleDefWrap), | ||
| reconcile(old.RoleAssignments, new.RoleAssignments, azureRoleAssignKey, azureRoleAssignWrap), |
There was a problem hiding this comment.
Just a 💅
If we always order the type of resources alphabetically, it will be easier to spot issues/typos
| featNameVms = "azure/virtualmachines" | ||
| ) | ||
|
|
||
| const FetcherConcurrency = 5 |
There was a problem hiding this comment.
Can you please add a godoc here?
Do we have concurrency in fetching resources? Or is it resources and regions?
| }, nil | ||
| } | ||
|
|
||
| type Features struct { |
There was a problem hiding this comment.
We have lib/msgraph. Can we use that instead?
If something's missing there, can we add it instead of replicating most of the code here?
mvbrock
force-pushed
the
mvbrock/azure-integration-fetch
branch
from
4947312 to
21da3f3
Compare
Part of of https://github.com/gravitational/access-graph/issues/640 to implement Azure resource fetching in the Discovery service, and originating from the Azure integration POC branch master...mvbrock/azure-integration-poc. This PR is dependent on #48628 which specifies the gRPC messages/methods for transmitting Azure resources to the Access Graph. A new Azure fetcher is introduced alongside the AWS fetcher, as well as the addition of Azure role definition/assignment clients in the Cloud library, per https://github.com/gravitational/access-graph/issues/1314.