feat(deployment): FSS Deployment tool for Azure

.gitignore

@@ -14,3 +14,10 @@ packaged.yaml
 .terraform.lock.hcl
 terraform.tfstate
 terraform.tfstate.backup
+
+# macOS
+**/.dccache
+**/.DS_Store
+
+# VSCode
+**/.vscode

deployment/azure-python-deploy-to-all-existing-storage/README.md

@@ -0,0 +1,74 @@
+# Deploy to All Existing Azure Resource
+This script will deploy File Storage Security Stack to all storage accounts unless defined in `exclude.txt` text file. After deployment, the stacks will be registered with the Cloud One Console. 
+
+**Before you deploy**
+
+   * Obtain your Cloud One API Key
+      - Generate API Key: [Cloud One API Key](https://cloudone.trendmicro.com/docs/account-and-user-management/c1-api-key/)
+
+<hr>
+
+**1. Clone Repo**
+ - Clone this repository `git clone https://github.com/trendmicro/cloudone-community.git`
+ - After cloning repo:
+```
+   cd .\cloudone-community\File-Storage-Security/Deployment/azure-python-deploy-to-all-existing-Azure   
+```
+
+**2. Configure the Exclusions text file `exclude.txt`**
+   * Create a new file called `exclude.txt` with names of Azure storage accounts to exclude from FSS deployment.
+   - 1 per line, Example: [exclude.txt](https://github.com/trendmicro/cloudone-community/blob/main/File-Storage-Security/Deployment/python-deploy-to-all-existing/exclude.txt)
+   * For organizations with a large number of storage accounts, a list of Azure storage accounts can be piped into `exclude.txt` using `azure-cli` or `PowerShell`:
+   ```
+   # Bash
+   az storage account list --query "[?tags.AutoDeployFSS != 'True'].name" --output tsv > exclude.txt
+   cat exclude.txt
+
+   # PowerShell
+   Clear-Content -Path exclude.txt
+   Get-AzStorageAccount |  Where-Object {$_.tags.AutoDeployFSS -ne 'True'} | Select-Object -Property StorageAccountName | ConvertTo-JSON | Out-File -FilePath exclude.json
+   $json = (Get-Content "exclude.json" -Raw) | ConvertFrom-Json
+   foreach($v in $json.StorageAccountName) {
+      Write-Output "${v}" >> exclude.txt
+   }
+   more exclude.txt
+   ```
+**3. Configuration file**
+
+* Complete the `config.json` configuration file with valid input.
+
+| Fields | Environment Variable | Type | Description | Required? |
+|--------| ---- | ----------- | --------- | --------- |
+| `app_id` | | String | Azure Application ID | Yes |
+| `tenant_id` | | String | Azure Tenant ID | Yes |
+| `subscription_id` | AZURE_SUBSCRIPTION_ID | String | Azure Subscription ID | Yes |
+| `keyvault_uri` | | String | Azure KeyVault URI | Yes |
+|`cloudone.region` | CLOUDONE_REGION | String | Cloud One Region Example: us-1 or ca-1 | Yes |
+| `cloudone.api_key` | CLOUDONE_API_KEY | String | Cloud One File Storage Security API Key. You can create an API Key using these instructions - https://cloudone.trendmicro.com/docs/workload-security/api-cookbook-set-up/#create-an-api-key | Yes |
+| `cloudone.max_storage_stack_per_scanner_stack` | MAX_STORAGE_STACK_PER_SCANNER_STACK | Number | Recommended to set to 50, i.e, for every 50 Storage stacks, 1 Scanner stack would be created. Contact the product team for your usecase requirements. | Yes |
+| `azure_creds.key` | | Boolean | Azure Credentials Client Value | Yes |
+| `azure_creds.secret` | | String | Azure Credentials Secret Value | Yes  |
+
+**4. Deploy Tool via the Serverless Framework**
+* Open terminal/cmd:
+   ```
+      serverless deploy -s dev
+   ```
+
+# Additional Notes
+
+### Tags
+
+The Script will choose whether or not to deploy a storage stack depending on a storage accounts' tags. **See below for details**:
+
+| Tag             | Value                 | Behavior                                                      |
+| --------------  | --------------------- |-------------------------------------------------------------- |
+| [no tag]        | [none]                | No action                                                     |
+| `AutoDeployFSS` | `True`                | Storage Stack and Scanner Stack will be deployed              |
+| `AutoDeployFSS` | `(any other value)`   | Skip                                                          |
+| `FSSMonitored`  | `yes`                 | Storage Stack Already Exists, Scanner Stack associated (skip) |
+| `FSSMonitored`  | `(any other value)`   | Skip                                                          |
+
+### Supported FSS regions
+
+Please note this script deploys Scanner Stacks to select Azure locations as listed in the supported document here - [What Azure services and regions are supported?](https://cloudone.trendmicro.com/docs/file-storage-security/supported-azure/). Storage Stacks that are not present in the same Azure locations will be mapped to Scanner Stacks deployed in the same geographyGroup as defined by Azure. Any data transfer cost(s) incurred in this data transfer would be your responsibility.

deployment/azure-python-deploy-to-all-existing-storage/deploy.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/bash
+
+# Function app and storage account names must be unique.
+
+# Variable block
+let "randomIdentifier=$RANDOM*$RANDOM"
+location="eastus"
+resourceGroup="azure-functions-deployfss-rg-$randomIdentifier"
+tag="function-app-deployfss"
+storage="deployfss$randomIdentifier"
+functionApp="deployfss-serverless-function-$randomIdentifier"
+skuStorage="Standard_LRS"
+functionsVersion="4"
+pythonVersion="3.9" #Allowed values: 3.7, 3.8, and 3.9
+
+# Create a resource group
+echo "Creating $resourceGroup in "$location"..."
+az group create --name $resourceGroup --location "$location" --tags $tag
+
+# Create an Azure storage account in the resource group.
+echo "Creating $storage"
+az storage account create --name $storage --location "$location" --resource-group $resourceGroup --sku $skuStorage
+
+# Create a serverless python function app in the resource group.
+echo "Creating $functionApp"
+az functionapp create --name $functionApp --storage-account $storage --consumption-plan-location "$location" --resource-group $resourceGroup --os-type Linux --runtime python --runtime-version $pythonVersion --functions-version $functionsVersion 
+
+# Publish function app
+cd deployToAllExistingStorageAccounts
+func azure functionapp publish $functionApp

deployment/azure-python-deploy-to-all-existing-storage/deployToAllExistingStorageAccounts/.funcignore

@@ -0,0 +1 @@
+.env

deployment/azure-python-deploy-to-all-existing-storage/deployToAllExistingStorageAccounts/deploymentHandler/Deployer.py

@@ -0,0 +1,95 @@
+"""
+Modified class. Original version can be found at https://raw.githubusercontent.com/Azure-Samples/resource-manager-python-template-deployment/master/deployer.py
+
+Modifications include
+    - uuid7 instead of Haikunator, for a shorter random suffix.
+    - using dynamic regions for deployment
+"""
+
+"""A deployer class to deploy a template on Azure"""
+import os.path
+import json
+from azure.identity import ClientSecretCredential
+from azure.mgmt.resource import ResourceManagementClient
+from azure.mgmt.resource.resources.models import DeploymentMode
+from azure.mgmt.resource.resources.models import Deployment
+from azure.mgmt.resource.resources.models import DeploymentProperties
+
+import keyvault
+
+class Deployer(object):
+    """ Initialize the deployer class with subscription, resource group and public key.
+
+    :raises IOError: If the public key path cannot be read (access or not exists)
+    :raises KeyError: If AZURE_CLIENT_ID, AZURE_CLIENT_SECRET or AZURE_TENANT_ID env
+        variables or not defined
+    """
+
+    def __init__(self, subscription_id, resource_group_name):
+        self.subscription_id = subscription_id
+        self.resource_group_name = resource_group_name
+        # self.credentials = DefaultAzureCredential(exclude_environment_credential=False)
+
+        # TODO: Store credentials in the Azure Key Vault, instead of environment variables
+        # print("\nClient ID : " + str(keyvault.get_secret_from_keyvault('FSS-AUTODEPLOY-CLIENT-ID')) + "\nClient Secret : " +  str(keyvault.get_secret_from_keyvault('FSS-AUTODEPLOY-CLIENT-SECRET')))
+
+        # self.credentials = ServicePrincipalCredentials(
+        #     client_id=os.environ['AZURE_CLIENT_ID'],
+        #     secret=os.environ['AZURE_CLIENT_SECRET'],
+        #     tenant=os.environ['AZURE_TENANT_ID']
+        # )
+        self.credentials = ClientSecretCredential(
+            client_id=os.environ['AZURE_CLIENT_ID'],
+            client_secret=os.environ['AZURE_CLIENT_SECRET'],
+            tenant_id=os.environ['AZURE_TENANT_ID']       
+        )
+        self.client = ResourceManagementClient(self.credentials, self.subscription_id)
+
+    def deploy(self, azure_location, stack_type, stack_params={}):
+        """Deploy the template to a resource group."""
+        self.client.resource_groups.create_or_update(
+            self.resource_group_name,
+            {
+                'location': azure_location
+            }
+        )
+
+        template_file_name = None
+        if stack_type == "scanner":
+            template_file_name = "FSS-Scanner-Stack-Template.json"
+        elif stack_type == "storage":
+            template_file_name = "FSS-Storage-Stack-Template.json"
+
+        template_path = os.path.join(os.path.dirname(__file__), 'templates', template_file_name)
+        with open(template_path, 'r') as template_file_fd:
+            template = json.load(template_file_fd)        
+
+        parameters = {}
+        if stack_params:
+            parameters.update(stack_params)
+        parameters = {k: {'value': v} for k, v in parameters.items()}
+
+        deployment_properties = DeploymentProperties(
+            mode = DeploymentMode.incremental,
+            template = template,
+            parameters = parameters
+        )
+
+        # TODO: Tag your deployments so you can keep track
+        deployment_async_operation = self.client.deployments.begin_create_or_update(
+            resource_group_name = self.resource_group_name,
+            deployment_name = self.resource_group_name + '-dep',
+            parameters = Deployment(properties = deployment_properties)
+        )
+        deployment_async_operation.wait()
+
+        deployment_outputs = self.client.deployments.get(
+            resource_group_name = self.resource_group_name,
+            deployment_name = self.resource_group_name + '-dep'
+        )
+
+        return deployment_outputs.properties.outputs 
+
+    def destroy(self):
+        """Destroy the given resource group"""
+        self.client.resource_groups.delete(self.resource_group_name)