Updating parameters

lib/config/configuration.go

@@ -290,11 +290,11 @@ type IntegrationConfAccessGraphAWSSync struct {
 type IntegrationConfAccessGraphAzureSync struct {
 	// ManagedIdentity is the principal performing the discovery
 	ManagedIdentity string
-	// Role is the Azure Role associated with the integration
-	Role string
+	// RoleName is the name of the Azure Role to create and assign to the managed identity
+	RoleName string
 	// SubscriptionID is the Azure subscription containing resources for sync
 	SubscriptionID string
-	// AutoConfirm skips user confirmation of the operation plan if true.
+	// AutoConfirm skips user confirmation of the operation plan if true
 	AutoConfirm bool
 }
 

lib/integrations/azureoidc/accessgraph_sync.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization"
-	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
 	"github.com/google/uuid"
 	"github.com/gravitational/teleport/lib/cloud/provisioning"
 	"github.com/gravitational/teleport/lib/config"
@@ -109,7 +108,8 @@ func newManagedIdAction(cred *azidentity.DefaultAzureCredential, subId string, m
 	}
 	cfg := provisioning.ActionConfig{
 		Name:     "NewSyncManagedId",
-		Summary:  "Creates a new Azure managed ID for the discovery service to use",
+		Summary:  "Creates a new Azure role and attaches it to a managed identity for the Discovery service",
+		Details:  "Creates a new Azure role and attaches it to a managed identity for the Discovery service",
 		RunnerFn: runnerFn,
 	}
 	return provisioning.NewAction(cfg)
@@ -122,7 +122,7 @@ func ConfigureAccessGraphSyncAzure(ctx context.Context, params config.Integratio
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	managedIdAction, err := newManagedIdAction(cred, params.SubscriptionID, params.ManagedIdentity)
+	managedIdAction, err := newManagedIdAction(cred, params.SubscriptionID, params.ManagedIdentity, params.RoleName)
 	if err != nil {
 		return trace.Wrap(err)
 	}

tool/teleport/common/teleport.go

@@ -514,8 +514,8 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 	integrationConfAccessGraphAWSSyncCmd.Flag("confirm", "Apply changes without confirmation prompt.").BoolVar(&ccf.IntegrationConfAccessGraphAWSSyncArguments.AutoConfirm)
 
 	integrationConfAccessGraphAzureSyncCmd := integrationConfAccessGraphCmd.Command("azure", "Creates/updates permissions for syncing data into Access Graph service.")
-	integrationConfAccessGraphAzureSyncCmd.Flag("managed-identity", "The managed identity runs the Discovery service.").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.ManagedIdentity)
-	integrationConfAccessGraphAzureSyncCmd.Flag("role", "The role attached to the managed identity with the discovery permissions.").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.Role)
+	integrationConfAccessGraphAzureSyncCmd.Flag("managed-identity", "The ID of the managed identity to run the Discovery service.").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.ManagedIdentity)
+	integrationConfAccessGraphAzureSyncCmd.Flag("role-name", "The name of the Azure Role to create and assign to the managed identity").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.RoleName)
 	integrationConfAccessGraphAzureSyncCmd.Flag("subscription-id", "The subscription ID in which to discovery resources.").StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.SubscriptionID)
 	integrationConfAccessGraphAzureSyncCmd.Flag("confirm", "Apply changes without confirmation prompt.").BoolVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.AutoConfirm)