diff --git a/lib/config/configuration.go b/lib/config/configuration.go
index 5725b80ef82ba..8916254716452 100644
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
@@ -290,11 +290,11 @@ type IntegrationConfAccessGraphAWSSync struct {
 type IntegrationConfAccessGraphAzureSync struct {
 	// ManagedIdentity is the principal performing the discovery
 	ManagedIdentity string
-	// Role is the Azure Role associated with the integration
-	Role string
+	// RoleName is the name of the Azure Role to create and assign to the managed identity
+	RoleName string
 	// SubscriptionID is the Azure subscription containing resources for sync
 	SubscriptionID string
-	// AutoConfirm skips user confirmation of the operation plan if true.
+	// AutoConfirm skips user confirmation of the operation plan if true
 	AutoConfirm bool
 }
 
diff --git a/lib/integrations/azureoidc/accessgraph_sync.go b/lib/integrations/azureoidc/accessgraph_sync.go
index 3ec1047ba2118..7147512cd64d7 100644
--- a/lib/integrations/azureoidc/accessgraph_sync.go
+++ b/lib/integrations/azureoidc/accessgraph_sync.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization"
-	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
 	"github.com/google/uuid"
 	"github.com/gravitational/teleport/lib/cloud/provisioning"
 	"github.com/gravitational/teleport/lib/config"
@@ -109,7 +108,8 @@ func newManagedIdAction(cred *azidentity.DefaultAzureCredential, subId string, m
 	}
 	cfg := provisioning.ActionConfig{
 		Name: "NewSyncManagedId",
-		Summary: "Creates a new Azure managed ID for the discovery service to use",
+		Summary: "Creates a new Azure role and attaches it to a managed identity for the Discovery service",
+		Details: "Creates a new Azure role and attaches it to a managed identity for the Discovery service",
 		RunnerFn: runnerFn,
 	}
 	return provisioning.NewAction(cfg)
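Review bot: `Details` is set to exactly the same string as `Summary`, so the operation plan shown before confirmation (the step that `AutoConfirm` skips) tells the operator nothing beyond the one-line summary — not which subscription, managed identity or role name is about to be touched. Since `fmt` is already imported in this file, the details could be built from the function's inputs, e.g. `Details: fmt.Sprintf("Creates Azure role %q in subscription %q and assigns it to managed identity %q", <role name param>, subId, <managed identity param>),` with the placeholders replaced by the real parameter names (the signature is truncated in the hunk header; the call site in ConfigureAccessGraphSyncAzure passes `params.RoleName` as a new fourth argument). newManagedIdAction begins before this hunk, and runnerFn is defined in the part outside it.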
@@ -122,7 +122,7 @@ func ConfigureAccessGraphSyncAzure(ctx context.Context, params config.Integratio
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	managedIdAction, err := newManagedIdAction(cred, params.SubscriptionID, params.ManagedIdentity)
+	managedIdAction, err := newManagedIdAction(cred, params.SubscriptionID, params.ManagedIdentity, params.RoleName)
 	if err != nil {
 		return trace.Wrap(err)
 	}
diff --git a/tool/teleport/common/teleport.go b/tool/teleport/common/teleport.go
index af460e08ddd91..912b01186a52a 100644
--- a/tool/teleport/common/teleport.go
+++ b/tool/teleport/common/teleport.go
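Review bot: `params.RoleName` is forwarded to `newManagedIdAction` with no visible check that it is non-empty; the `--role-name` flag is marked `Required()` in the CLI, but `ConfigureAccessGraphSyncAzure` is an exported function and other callers get no such guarantee, so an empty name would presumably travel all the way to the Azure role-creation call before anything rejects it. Unless newManagedIdAction validates it (its body is outside this hunk), a guard beside the existing error checks is cheap: `if params.RoleName == "" { return trace.BadParameter("role name is required") }`. ConfigureAccessGraphSyncAzure starts and ends outside this hunk.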
@@ -514,8 +514,8 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 	integrationConfAccessGraphAWSSyncCmd.Flag("confirm", "Apply changes without confirmation prompt.").BoolVar(&ccf.IntegrationConfAccessGraphAWSSyncArguments.AutoConfirm)
 
 	integrationConfAccessGraphAzureSyncCmd := integrationConfAccessGraphCmd.Command("azure", "Creates/updates permissions for syncing data into Access Graph service.")
-	integrationConfAccessGraphAzureSyncCmd.Flag("managed-identity", "The managed identity runs the Discovery service.").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.ManagedIdentity)
-	integrationConfAccessGraphAzureSyncCmd.Flag("role", "The role attached to the managed identity with the discovery permissions.").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.Role)
+	integrationConfAccessGraphAzureSyncCmd.Flag("managed-identity", "The ID of the managed identity to run the Discovery service.").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.ManagedIdentity)
+	integrationConfAccessGraphAzureSyncCmd.Flag("role-name", "The name of the Azure Role to create and assign to the managed identity").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.RoleName)
 	integrationConfAccessGraphAzureSyncCmd.Flag("subscription-id", "The subscription ID in which to discovery resources.").StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.SubscriptionID)
 	integrationConfAccessGraphAzureSyncCmd.Flag("confirm", "Apply changes without confirmation prompt.").BoolVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.AutoConfirm)
 
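Review bot: The new `--managed-identity` help text says "The ID of the managed identity" without saying which identifier is meant, while the matching struct comment in lib/config/configuration.go calls the field "the principal performing the discovery"; an Azure user-assigned managed identity carries a resource ID, a client ID and a principal (object) ID, and a role assignment is keyed on the principal ID, so a user who supplies a different one is likely to get a failure only at assignment time. The help string and the struct comment should name the same expected form, e.g. `"The principal (object) ID of the managed identity that runs the Discovery service."`, adjusted to whatever identifier newManagedIdAction actually resolves. Separately, the `--role-name` help string is the only one in this block without a trailing period. Run continues outside the hunk.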