Add subscription id in Azure-api

api/external/secrets/secrets.proto

@@ -24,6 +24,7 @@ service SecretsService {
 		service_now: username, password
 		aws: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
 		azure: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID
+		azure: AZURE_SUBSCRIPTION_ID is optional 
 		gcp: GOOGLE_CREDENTIALS_JSON
 
 	Example:

components/automate-ui/src/app/pages/integrations/add/integrations-add.component.ts

@@ -61,7 +61,8 @@ export class IntegrationsAddComponent implements OnDestroy {
         credentials: fb.group({
           azure_client_id: '',
           azure_client_secret: '',
-          azure_tenant_id: ''
+          azure_tenant_id: '',
+          azure_subscription_id: ''
         })
       }),
       gcp: fb.group({

components/automate-ui/src/app/pages/integrations/azure-form/azure-form.component.html

@@ -28,6 +28,10 @@
       <span class="label">Tenant ID</span>
       <input chefInput type="password" formControlName="azure_tenant_id" />
     </label>
+    <label class="form-field" *ngIf="isApiServiceType()">
+      <span class="label">Subscription ID</span>
+      <input chefInput type="password" formControlName="azure_subscription_id" />
+    </label>
   </ng-container>
-
+  
 </ng-container>

components/automate-ui/src/app/pages/integrations/azure-form/azure-form.component.ts

@@ -16,4 +16,7 @@ export class IntegrationsAzureFormComponent {
     const no_creds = get('no_creds', formData);
     return !no_creds;
   }
+  isApiServiceType() {
+    return this.formGroup.value.service_type === 'azure-api';
+  }
 }

components/automate-ui/src/app/pages/integrations/edit/integrations-edit.component.ts

@@ -87,7 +87,8 @@ export class IntegrationsEditComponent implements OnDestroy {
         credentials: fb.group({
           azure_client_id: '',
           azure_client_secret: '',
-          azure_tenant_id: ''
+          azure_tenant_id: '',
+          azure_subscription_id: ''
         })
       }),
       gcp: fb.group({

components/compliance-service/inspec-agent/resolver/resolver.go

@@ -168,7 +168,7 @@ func (r *Resolver) handleAzureApiNodes(ctx context.Context, m *manager.NodeManag
 	if err != nil {
 		return nil, fmt.Errorf("unable to fetch credential id:%s %s", m.CredentialId, err.Error())
 	}
-	clientID, clientSecret, tenantID := managers.GetAzureCreds(secret)
+	clientID, clientSecret, tenantID, subscriptionID := managers.GetAzureCreds(secret)
 
 	jobArray := []*types.InspecJob{}
 	for _, group := range nodeCollections {
@@ -192,9 +192,10 @@ func (r *Resolver) handleAzureApiNodes(ctx context.Context, m *manager.NodeManag
 				SubscriptionId: node.ID,
 			}
 			secrets := inspec.Secrets{
-				AzureClientID:     clientID,
-				AzureClientSecret: clientSecret,
-				AzureTenantID:     tenantID,
+				AzureClientID:       clientID,
+				AzureClientSecret:   clientSecret,
+				AzureTenantID:       tenantID,
+				AzureSubscriptionID: subscriptionID,
 			}
 			inspecJob, err := assembleJob(job, nodeInfo, []*inspec.Secrets{&secrets}, tc)
 			if err != nil {
@@ -554,7 +555,7 @@ func (r *Resolver) handleInstanceCredentials(ctx context.Context, instanceCreds
 
 func (r *Resolver) handleManagerNodes(ctx context.Context, m *manager.NodeManager, nodeCollections map[string]managerNodes, job *jobs.Job) ([]*types.InspecJob, error) {
 	jobArray := []*types.InspecJob{}
-	var clientID, clientSecret, tenantID string
+	var clientID, clientSecret, tenantID, subscriptionID string
 	if m.Type == "azure-vm" {
 		if len(m.CredentialId) == 0 {
 			logrus.Infof("GetAzureCreds attempting to use environment credentials")
@@ -564,7 +565,7 @@ func (r *Resolver) handleManagerNodes(ctx context.Context, m *manager.NodeManage
 				logrus.Errorf("Failed to get manager credentials for node manager %s: %s", m.Id, err.Error())
 			}
 			if m.Type == "azure-vm" {
-				clientID, clientSecret, tenantID = managers.GetAzureCreds(mgrCreds)
+				clientID, clientSecret, tenantID, subscriptionID = managers.GetAzureCreds(mgrCreds)
 			}
 		}
 	}
@@ -616,9 +617,10 @@ func (r *Resolver) handleManagerNodes(ctx context.Context, m *manager.NodeManage
 				}
 				if m.Type == "azure-vm" {
 					credsArr = append(credsArr, &inspec.Secrets{
-						AzureClientID:     clientID,
-						AzureClientSecret: clientSecret,
-						AzureTenantID:     tenantID,
+						AzureClientID:       clientID,
+						AzureClientSecret:   clientSecret,
+						AzureTenantID:       tenantID,
+						AzureSubscriptionID: subscriptionID,
 					})
 				}
 				inspecJob, err := assembleJob(job, nodeDetails, credsArr, tc)

components/compliance-service/inspec-agent/runner/runner.go

@@ -441,7 +441,6 @@ func (t *InspecJobTask) Run(ctx context.Context, task cereal.Task) (interface{},
 
 	cleanupKeys(job.TargetConfig.KeyFiles)
 	logrus.Debugf("job '%s' finished", job.JobID)
-
 	if job.NodeStatus == types.StatusRunning {
 		job.NodeStatus = types.StatusFailed
 	}
@@ -702,6 +701,7 @@ func cloudEnvVars(tc *inspec.TargetConfig) (map[string]string, map[string]string
 		envsMap["AZURE_CLIENT_ID"] = tc.AzureClientID
 		envsMap["AZURE_CLIENT_SECRET"] = tc.AzureClientSecret
 		envsMap["AZURE_TENANT_ID"] = tc.AzureTenantID
+		envsMap["AZURE_SUBSCRIPTION_ID"] = tc.AzureSubscriptionID
 		return envsMap, inputs, nil
 	case "gcp":
 		if tc.GcpCredsJson != "" {

components/compliance-service/inspec/cli.go

@@ -94,7 +94,6 @@ func Scan(paths []string, target *TargetConfig, timeout time.Duration, env map[s
 	}
 
 	stdOut, stdErr, err := run(args, target, timeout, env)
-
 	stdOutErr := ""
 	if len(stdOut) == 0 {
 		stdOutErr = "Empty STDOUT, we have a problem..."
@@ -163,7 +162,7 @@ func sanitizeEnv(env map[string]string) map[string]string {
 	outEnv := make(map[string]string, len(env))
 	for k, v := range env {
 		switch k {
-		case "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AZURE_CLIENT_SECRET":
+		case "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AZURE_CLIENT_SECRET", "AZURE_SUBSCRIPTION_ID":
 			outEnv[k] = "REDACTED"
 		default:
 			outEnv[k] = v

components/compliance-service/inspec/types.go

@@ -243,18 +243,19 @@ type Error struct {
 }
 
 type Secrets struct {
-	User              string   `json:"user,omitempty"`
-	Password          string   `json:"password,omitempty"`
-	KeyFiles          []string `json:"key_files,omitempty"`
-	SudoPassword      string   `json:"sudo_password,omitempty"`
-	SudoOptions       string   `json:"sudo_options,omitempty"`
-	AwsUser           string   `json:"aws_user,omitempty"`
-	AwsPassword       string   `json:"aws_password,omitempty"`
-	AzureClientID     string   `json:"azure_client_id,omitempty"`
-	AzureClientSecret string   `json:"azure_client_secret,omitempty"`
-	AzureTenantID     string   `json:"azure_tenant_id,omitempty"`
-	GcpCredsJson      string   `json:"gcp_creds_json,omitempty"`
-	AwsSessionToken   string   `json:"aws_session_token,omitempty"`
+	User                string   `json:"user,omitempty"`
+	Password            string   `json:"password,omitempty"`
+	KeyFiles            []string `json:"key_files,omitempty"`
+	SudoPassword        string   `json:"sudo_password,omitempty"`
+	SudoOptions         string   `json:"sudo_options,omitempty"`
+	AwsUser             string   `json:"aws_user,omitempty"`
+	AwsPassword         string   `json:"aws_password,omitempty"`
+	AzureClientID       string   `json:"azure_client_id,omitempty"`
+	AzureClientSecret   string   `json:"azure_client_secret,omitempty"`
+	AzureTenantID       string   `json:"azure_tenant_id,omitempty"`
+	AzureSubscriptionID string   `json:"azure_subscription_id,omitempty"`
+	GcpCredsJson        string   `json:"gcp_creds_json,omitempty"`
+	AwsSessionToken     string   `json:"aws_session_token,omitempty"`
 }
 
 type TargetBaseConfig struct {

components/nodemanager-service/managers/azure/azure.go

@@ -28,12 +28,13 @@ import (
 )
 
 type Creds struct {
-	Token    *adal.ServicePrincipalToken
-	TenantID string
+	Token          *adal.ServicePrincipalToken
+	TenantID       string
+	SubscriptionID string
 }
 
 // New returns a Creds struct of ServicePrincipalToken and TenantID given azure creds
-func New(clientID string, clientSecret string, tenantID string) (Creds, error) {
+func New(clientID string, clientSecret string, tenantID string, subscriptionID string) (Creds, error) {
 	if len(clientID) == 0 && len(clientSecret) == 0 && len(tenantID) == 0 {
 		return Creds{}, nil
 	}
@@ -50,7 +51,7 @@ func New(clientID string, clientSecret string, tenantID string) (Creds, error) {
 		return Creds{}, errors.Wrap(err, "azure - New unable to get token")
 	}
 	token.SetAutoRefresh(true)
-	return Creds{Token: token, TenantID: tenantID}, nil
+	return Creds{Token: token, TenantID: tenantID, SubscriptionID: subscriptionID}, nil
 }
 
 func getAuthorizer(token *adal.ServicePrincipalToken) autorest.Authorizer {

components/nodemanager-service/managers/managers.go

@@ -54,9 +54,9 @@ func GetAWSCreds(secret *secrets.Secret) awsec2.AwsCreds {
 	}
 }
 
-// GetAzureCreds returns clientID, clientSecret, tenantID
-func GetAzureCreds(secret *secrets.Secret) (string, string, string) {
-	clientID, clientSecret, tenantID := "", "", ""
+// GetAzureCreds returns clientID, clientSecret, tenantID, subscriptionID
+func GetAzureCreds(secret *secrets.Secret) (string, string, string, string) {
+	clientID, clientSecret, tenantID, subscriptionID := "", "", "", ""
 	if secret != nil {
 		for _, item := range secret.Data {
 			if item.Key == "AZURE_CLIENT_ID" {
@@ -68,12 +68,16 @@ func GetAzureCreds(secret *secrets.Secret) (string, string, string) {
 			if item.Key == "AZURE_TENANT_ID" {
 				tenantID = item.Value
 			}
+			if item.Key == "AZURE_SUBSCRIPTION_ID" {
+				subscriptionID = item.Value
+			}
 		}
 	}
 	if len(clientID) == 0 || len(clientSecret) == 0 || len(tenantID) == 0 {
 		logrus.Infof("GetAzureCreds attempting to use environment credentials")
 	}
-	return clientID, clientSecret, tenantID
+
+	return clientID, clientSecret, tenantID, subscriptionID
 }
 
 func GetAWSManagerFromCredential(ctx context.Context, credential string, db *pgdb.DB, secretsClient secrets.SecretsServiceClient) (myaws *awsec2.AwsCreds, err error) {
@@ -91,16 +95,16 @@ func GetAWSManagerFromCredential(ctx context.Context, credential string, db *pgd
 }
 
 func GetAzureManagerFromCredential(ctx context.Context, credential string, db *pgdb.DB, secretsClient secrets.SecretsServiceClient) (myaws *azure.Creds, err error) {
-	var clientID, clientSecret, tenantID string
+	var clientID, clientSecret, tenantID, subscriptionID string
 	if len(credential) > 0 {
 		secret, err := secretsClient.Read(ctx, &secrets.Id{Id: credential})
 		if err != nil {
 			return nil, errors.Wrapf(err, "Could not find secret with id %s", credential)
 		}
 
-		clientID, clientSecret, tenantID = GetAzureCreds(secret)
+		clientID, clientSecret, tenantID, subscriptionID = GetAzureCreds(secret)
 	}
-	creds, err := azure.New(clientID, clientSecret, tenantID)
+	creds, err := azure.New(clientID, clientSecret, tenantID, subscriptionID)
 	if err != nil {
 		return nil, errors.Wrap(err, "GetAzureManagerFromCredential unable to initialize connection to azure api")
 	}
@@ -144,8 +148,8 @@ func GetAzureManagerFromID(ctx context.Context, id string, db *pgdb.DB, secretsC
 		return nil, errors.Wrapf(err, "Could not find secret with manager id %s", id)
 	}
 
-	clientID, clientSecret, tenantID := GetAzureCreds(azureSecret)
-	creds, err := azure.New(clientID, clientSecret, tenantID)
+	clientID, clientSecret, tenantID, subscriptionID := GetAzureCreds(azureSecret)
+	creds, err := azure.New(clientID, clientSecret, tenantID, subscriptionID)
 	if err != nil {
 		return nil, errors.Wrap(err, "GetAzureManagerFromID unable to initialize connection to azure api")
 	}
@@ -263,7 +267,7 @@ func SendRemoteExecutionJob(ctx context.Context, job *types.InspecJob, script st
 		s := awsec2.NewSSM()
 		return s.SendSSMJob(ctx, job, script, scriptType)
 	case inspec.BackendAZ, inspec.BackendAZWindows:
-		creds, err := azure.New(job.TargetConfig.AzureClientID, job.TargetConfig.AzureClientSecret, job.TargetConfig.AzureTenantID)
+		creds, err := azure.New(job.TargetConfig.AzureClientID, job.TargetConfig.AzureClientSecret, job.TargetConfig.AzureTenantID, job.TargetConfig.AzureSubscriptionID)
 		if err != nil {
 			return errors.Wrap(err, "SendRemoteExecutionJob unable to initialize connection to azure api")
 		}

components/nodemanager-service/managers/managers_test.go

@@ -39,3 +39,35 @@ func TestGetAWSCredsSetsRegionWhenProvided(t *testing.T) {
 		Region:          "user-provided-region",
 	}, creds)
 }
+
+//AZURE
+func TestAzureCredsWithOutSubscriptionID(t *testing.T) {
+	secret := &secrets.Secret{
+		Data: []*query.Kv{
+			{Key: "AZURE_CLIENT_ID", Value: "fake-1"},
+			{Key: "AZURE_CLIENT_SECRET", Value: "fake-2"},
+			{Key: "AZURE_TENANT_ID", Value: "fake-3"},
+		},
+	}
+	clientID, clientSecret, tenantID, subscriptionID := GetAzureCreds(secret)
+	assert.Equal(t, "fake-1", clientID)
+	assert.Equal(t, "fake-2", clientSecret)
+	assert.Equal(t, "fake-3", tenantID)
+	assert.Equal(t, "", subscriptionID)
+}
+
+func TestAzureCredsWithSubscriptionID(t *testing.T) {
+	secret := &secrets.Secret{
+		Data: []*query.Kv{
+			{Key: "AZURE_CLIENT_ID", Value: "fake-1"},
+			{Key: "AZURE_CLIENT_SECRET", Value: "fake-2"},
+			{Key: "AZURE_TENANT_ID", Value: "fake-3"},
+			{Key: "AZURE_SUBSCRIPTION_ID", Value: "fake-4"},
+		},
+	}
+	clientID, clientSecret, tenantID, subscriptionID := GetAzureCreds(secret)
+	assert.Equal(t, "fake-1", clientID)
+	assert.Equal(t, "fake-2", clientSecret)
+	assert.Equal(t, "fake-3", tenantID)
+	assert.Equal(t, "fake-4", subscriptionID)
+}