Azure integration command (#47541)

* Initial command to create the managed identity and role

* Adding permissions and applying command params

* Adding graph permissions to the MSI

* Updating parameters

* Adding some details and cleaning up comments

* Fixing go.sum

* Linting

* License

* PR feedback

* Decoupling sync config with an interface for testing

* Tweaks to test mocking

* PR feedback

* Rebase adjustments

* PR feedback

* Switch to empty struct maps instead of bool maps for set representation

* Godocs

go.mod

@@ -16,6 +16,7 @@ require (
 	connectrpc.com/connect v1.18.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0

go.sum

@@ -668,6 +668,8 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLC
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 h1:Hp+EScFOu9HeCbeW8WU2yQPJd4gGwhMgKxWe+G6jNzw=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0/go.mod h1:/pz8dyNQe+Ey3yBp/XuYz7oqX8YDNWVpPB0hH3XWfbc=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 h1:JAebRMoc3vL+Nd97GBprHYHucO4+wlW+tNbBIumqJlk=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0 h1:5n7dPVqsWfVKw+ZiEKSd3Kzu7gwBkbEBkeXb8rgaE9Q=

integrations/terraform/go.sum

@@ -644,6 +644,8 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvUL
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 h1:Hp+EScFOu9HeCbeW8WU2yQPJd4gGwhMgKxWe+G6jNzw=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0/go.mod h1:/pz8dyNQe+Ey3yBp/XuYz7oqX8YDNWVpPB0hH3XWfbc=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 h1:JAebRMoc3vL+Nd97GBprHYHucO4+wlW+tNbBIumqJlk=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0 h1:5n7dPVqsWfVKw+ZiEKSd3Kzu7gwBkbEBkeXb8rgaE9Q=

lib/config/configuration.go

@@ -242,6 +242,10 @@ type CommandLineFlags struct {
 	// `teleport integration configure access-graph aws-iam` command
 	IntegrationConfAccessGraphAWSSyncArguments IntegrationConfAccessGraphAWSSync
 
+	// IntegrationConfAccessGarphAzureSyncArguments contains the arguments of
+	// `teleport integration configure access-graph azure` command
+	IntegrationConfAccessGraphAzureSyncArguments IntegrationConfAccessGraphAzureSync
+
 	// IntegrationConfAzureOIDCArguments contains the arguments of
 	// `teleport integration configure azure-oidc` command
 	IntegrationConfAzureOIDCArguments IntegrationConfAzureOIDC
@@ -274,6 +278,19 @@ type IntegrationConfAccessGraphAWSSync struct {
 	AutoConfirm bool
 }
 
+// IntegrationConfAccessGraphAzureSync contains the arguments of
+// `teleport integration configure access-graph azure` command.
+type IntegrationConfAccessGraphAzureSync struct {
+	// ManagedIdentity is the principal performing the discovery
+	ManagedIdentity string
+	// RoleName is the name of the Azure Role to create and assign to the managed identity
+	RoleName string
+	// SubscriptionID is the Azure subscription containing resources for sync
+	SubscriptionID string
+	// AutoConfirm skips user confirmation of the operation plan if true
+	AutoConfirm bool
+}
+
 // IntegrationConfAzureOIDC contains the arguments of
 // `teleport integration configure azure-oidc` command
 type IntegrationConfAzureOIDC struct {

lib/integrations/azureoidc/accessgraph_sync.go

@@ -0,0 +1,258 @@
+/*
+ * Teleport
+ * Copyright (C) 2025  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package azureoidc
+
+import (
+	"context"
+	"io"
+	"maps"
+	"slices"
+	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2"
+	"github.com/google/uuid"
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/lib/cloud/provisioning"
+	"github.com/gravitational/teleport/lib/msgraph"
+	libslices "github.com/gravitational/teleport/lib/utils/slices"
+)
+
+// graphAppID is the pre-defined application ID of the Graph API
+// Ref: [https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications].
+const graphAppID = "00000003-0000-0000-c000-000000000000"
+
+// requiredGraphRoleNames is the list of Graph API roles required for the managed identity to fetch resources from Azure
+var requiredGraphRoleNames = map[string]struct{}{
+	"User.ReadBasic.All": {},
+	"Group.Read.All":     {},
+	"Directory.Read.All": {},
+	"User.Read.All":      {},
+	"Policy.Read.All":    {},
+}
+
+// AccessGraphAzureConfigureClient provides an interface for granting the managed identity the necessary permissions
+// to fetch Azure resources
+type AccessGraphAzureConfigureClient interface {
+	// CreateRoleDefinition creates an Azure role definition
+	CreateRoleDefinition(ctx context.Context, scope string, roleDefinition armauthorization.RoleDefinition) (string, error)
+	// CreateRoleAssignment assigns a role to an Azure principal
+	CreateRoleAssignment(ctx context.Context, scope string, roleAssignment armauthorization.RoleAssignmentCreateParameters) error
+	// GetServicePrincipalByAppID returns a service principal based on its application ID
+	GetServicePrincipalByAppID(ctx context.Context, appID string) (*msgraph.ServicePrincipal, error)
+	// GrantAppRoleToServicePrincipal grants a specific type of application role to a service principal
+	GrantAppRoleToServicePrincipal(ctx context.Context, roleAssignment msgraph.AppRoleAssignment) error
+}
+
+// azureConfigClient wraps the role definition, role assignments, and Graph API clients
+type azureConfigClient struct {
+	roleDefCli    *armauthorization.RoleDefinitionsClient
+	roleAssignCli *armauthorization.RoleAssignmentsClient
+	graphCli      *msgraph.Client
+}
+
+// NewAzureConfigClient returns a new config client for granting the managed identity the necessary permissions
+// to fetch Azure resources
+func NewAzureConfigClient(subscriptionID string) (AccessGraphAzureConfigureClient, error) {
+	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	roleDefCli, err := armauthorization.NewRoleDefinitionsClient(cred, nil)
+	if err != nil {
+		return nil, trace.BadParameter("failed to create role definitions client: %v", err)
+	}
+	roleAssignCli, err := armauthorization.NewRoleAssignmentsClient(subscriptionID, cred, nil)
+	if err != nil {
+		return nil, trace.BadParameter("failed to create role assignments client: %v", err)
+	}
+	graphCli, err := msgraph.NewClient(msgraph.Config{
+		TokenProvider: cred,
+	})
+	if err != nil {
+		return nil, trace.BadParameter("failed to create msgraph client: %v", err)
+	}
+	return &azureConfigClient{
+		roleDefCli:    roleDefCli,
+		roleAssignCli: roleAssignCli,
+		graphCli:      graphCli,
+	}, nil
+}
+
+// CreateRoleDefinition creates an Azure role definition
+func (c *azureConfigClient) CreateRoleDefinition(ctx context.Context, scope string, roleDefinition armauthorization.RoleDefinition) (string, error) {
+	newUuid, err := uuid.NewRandom()
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+	roleDefID := newUuid.String()
+	roleRes, err := c.roleDefCli.CreateOrUpdate(ctx, scope, roleDefID, roleDefinition, nil)
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+	return *roleRes.ID, err
+}
+
+// CreateRoleAssignment assigns a role to an Azure principal
+func (c *azureConfigClient) CreateRoleAssignment(ctx context.Context, scope string, roleAssignment armauthorization.RoleAssignmentCreateParameters) error {
+	newUuid, err := uuid.NewRandom()
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	assignID := newUuid.String()
+	if _, err = c.roleAssignCli.Create(ctx, scope, assignID, roleAssignment, nil); err != nil {
+		return trace.Wrap(err)
+	}
+	return nil
+}
+
+// GetServicePrincipalByAppID returns a service principal based on its application ID
+func (c *azureConfigClient) GetServicePrincipalByAppID(ctx context.Context, appID string) (*msgraph.ServicePrincipal, error) {
+	graphPrincipal, err := c.graphCli.GetServicePrincipalByAppId(ctx, appID)
+	if err != nil {
+		return nil, trace.BadParameter("failed to get the graph API service principal: %v", err)
+	}
+	return graphPrincipal, nil
+}
+
+// GrantAppRoleToServicePrincipal grants a specific type of application role to a service principal
+func (c *azureConfigClient) GrantAppRoleToServicePrincipal(ctx context.Context, roleAssignment msgraph.AppRoleAssignment) error {
+	_, err := c.graphCli.GrantAppRoleToServicePrincipal(ctx, *roleAssignment.PrincipalID, &roleAssignment)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	return nil
+}
+
+// AccessGraphAzureConfigureRequest is a request to configure the required Policies to use the TAG AWS Sync.
+type AccessGraphAzureConfigureRequest struct {
+	// ManagedIdentity is the principal performing the discovery
+	ManagedIdentity string
+	// RoleName is the name of the Azure Role to create and assign to the managed identity
+	RoleName string
+	// SubscriptionID is the Azure subscription containing resources for sync
+	SubscriptionID string
+	// AutoConfirm skips user confirmation of the operation plan if true
+	AutoConfirm bool
+	// stdout is used to override stdout output in tests.
+	stdout io.Writer
+}
+
+// roleAssignmentAction assigns both the Azure role and Graph API roles to the managed identity
+func roleAssignmentAction(clt AccessGraphAzureConfigureClient, subscriptionID string, managedID string, roleName string) (*provisioning.Action, error) {
+	customRole := "CustomRole"
+	scope := "/subscriptions/" + subscriptionID
+	runnerFn := func(ctx context.Context) error {
+		// Create the role
+		roleDefinition := armauthorization.RoleDefinition{
+			Name: &roleName,
+			Properties: &armauthorization.RoleDefinitionProperties{
+				RoleName: &roleName,
+				RoleType: &customRole,
+				Permissions: []*armauthorization.Permission{
+					{
+						Actions: libslices.ToPointers([]string{
+							"Microsoft.Compute/virtualMachines/read",
+							"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
+							"Microsoft.Authorization/roleDefinitions/read",
+							"Microsoft.Authorization/roleAssignments/read",
+						}),
+					},
+				},
+				AssignableScopes: []*string{&scope}, // Scope must be provided
+			},
+		}
+		roleID, err := clt.CreateRoleDefinition(ctx, scope, roleDefinition)
+		if err != nil {
+			return trace.Errorf("failed to create custom role: %v", err)
+		}
+
+		// Assign the new role to the managed identity
+		roleAssignParams := armauthorization.RoleAssignmentCreateParameters{
+			Properties: &armauthorization.RoleAssignmentProperties{
+				PrincipalID:      &managedID,
+				RoleDefinitionID: &roleID,
+			},
+		}
+		if err = clt.CreateRoleAssignment(ctx, scope, roleAssignParams); err != nil {
+			return trace.Errorf("failed to assign role %s to principal %s: %v", roleName, managedID, err)
+		}
+
+		// Assign the Graph API permissions to the managed identity
+		graphPrincipal, err := clt.GetServicePrincipalByAppID(ctx, graphAppID)
+		if err != nil {
+			return trace.Errorf("could not get the graph API service principal: %v", err)
+		}
+		rolesNotAssigned := make(map[string]struct{})
+		for k, v := range requiredGraphRoleNames {
+			rolesNotAssigned[k] = v
+		}
+		for _, appRole := range graphPrincipal.AppRoles {
+			if _, ok := requiredGraphRoleNames[*appRole.Value]; ok {
+				roleAssignment := msgraph.AppRoleAssignment{
+					AppRoleID:   appRole.ID,
+					PrincipalID: &managedID,
+					ResourceID:  graphPrincipal.ID,
+				}
+				if err = clt.GrantAppRoleToServicePrincipal(ctx, roleAssignment); err != nil {
+					return trace.Errorf("failed to assign graph API role to %s: %v", managedID, err)
+				}
+				delete(rolesNotAssigned, *appRole.Value)
+			}
+		}
+		if len(rolesNotAssigned) > 0 {
+			return trace.Errorf("could not assign all required roles: %v", slices.Collect(maps.Keys(rolesNotAssigned)))
+		}
+		return nil
+	}
+	cfg := provisioning.ActionConfig{
+		Name:    "AssignRole",
+		Summary: "Creates a new Azure role and attaches it to a managed identity for the Discovery service",
+		Details: strings.Join([]string{
+			"The Discovery Service needs to run as a credentialed Azure managed identity. This managed identity ",
+			"can be system assigned (i.e. tied to the lifecycle of a virtual machine running the Discovery service), ",
+			"or user-assigned (i.e. a persistent identity). The managed identity requires two types of permissions:\n\n",
+			"\t1) Azure resource permissions in order to fetch virtual machines, role definitions, etc, and\n",
+			"\t2) Graph API permissions to fetch users, groups, and service principals.\n\n",
+			"The command assigns both Azure resource permissions as well as Graph API permissions to the specified ",
+			"managed identity.",
+		}, ""),
+		RunnerFn: runnerFn,
+	}
+	return provisioning.NewAction(cfg)
+}
+
+// ConfigureAccessGraphSyncAzure sets up the managed identity and role required for Teleport to be able to pull
+// Azure resources into Teleport.
+func ConfigureAccessGraphSyncAzure(ctx context.Context, clt AccessGraphAzureConfigureClient, req AccessGraphAzureConfigureRequest) error {
+	managedIDAction, err := roleAssignmentAction(clt, req.SubscriptionID, req.ManagedIdentity, req.RoleName)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	opCfg := provisioning.OperationConfig{
+		Name: "access-graph-azure-sync",
+		Actions: []provisioning.Action{
+			*managedIDAction,
+		},
+		AutoConfirm: req.AutoConfirm,
+		Output:      req.stdout,
+	}
+	return trace.Wrap(provisioning.Run(ctx, opCfg))
+}