Azure · lanicolas · Nov 24, 2021 · Nov 25, 2021 · Nov 25, 2021 · Nov 25, 2021
diff --git a/templates/delegated-resource-management/terraform/README.md b/templates/delegated-resource-management/terraform/README.md
@@ -0,0 +1,49 @@
+# Deploy Azure Lighthouse using a Terraform template
+
+This template deploys Azure Lighthouse using Terraform.
+
+## Getting started
+
+Same as when using ARM templates to onboard a customer in Azure Lighthouse, you have to fill out parameters and configure your Terraform template and a user in the customer's tenant must deploy it within their tenant. A separate deployment is needed for each subscription that you want to onboard (or for each subscription that contains resource groups that you want to onboard). Make sure to review this procedure to understand [how to onboard a customer](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer).
+
+To run the terraform template the customer can use their own pipelines or Azure Cloud Shell as described here for [bash](https://docs.microsoft.com/en-us/azure/developer/terraform/get-started-cloud-shell-bash?tabs=bash) or for [PowerShell](https://docs.microsoft.com/en-us/azure/developer/terraform/get-started-cloud-shell-powershell?tabs=bash).
+
+## Running the template
+
+To run the automation from the customer tenant follow the next steps:
+
+- Provide the environment variables in the [vars.sh](./scripts/vars.sh). To obtain the values for the environment variables, review [this document](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer). Use this as an example:
+
+    ```bash
+    #!/bin/sh
+
+    # Provide the following environment variables according to your Azure environment 
+    export TF_VAR_mspoffername="Contoso Managed Services"
+    export TF_VAR_mspofferdescription="Contoso Managed Services"
+    export TF_VAR_managedbytenantid="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    export TF_VAR_principal_display_name="Admin users"
+    export TF_VAR_principal_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    export TF_VAR_scope="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    export TF_VAR_role_definition_id="b24988ac-6180-42a0-ab88-20f7382dd24c"
+    ```
+
+- From the scripts folder, run the [vars.sh](./scripts/vars.sh) script by executing this command:
+
+    ```bash
+    . ./vars.sh
+    ```
+
+- From the Terraform folder, run the terraform init command which will initialize Terraform, creating the state file to track our work:
+
+    ```bash
+    terraform init
+    ```
+
+- Onboard Azure Lighthouse by running the commands below. Wait for the plan to finish:
+
+    ```bash
+    terraform plan
+    terraform apply
+    ```
+
+- Once Terraform has completed its run crosstenant visibility should be enabled.
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.sh b/templates/delegated-resource-management/terraform/scripts/vars.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Provide the following environment variables according to your Azure environment 
+export TF_VAR_mspoffername="<MSP offer name>"
+export TF_VAR_mspofferdescription="<MSP offer description>"
+export TF_VAR_managedbytenantid="<MSP tenant ID>"
+export TF_VAR_scopes="<subscription ID to scope authorizations>"
+export TF_VAR_principal_display_name="<Name to help your customer understand the purpose of the authorization>"
+export TF_VAR_principal_id="<Values for the users/groups/SPNs from your tenant>"
+export TF_VAR_role_definition_id="<Values for the users/groups/SPNs from your tenant>"
diff --git a/templates/delegated-resource-management/terraform/templates/main.tf b/templates/delegated-resource-management/terraform/templates/main.tf
@@ -0,0 +1,18 @@
+
+resource "azurerm_lighthouse_definition" "definition" {
+  name               = var.mspoffername
+  description        = var.mspofferdescription
+  managing_tenant_id = var.managedbytenantid
+  scope              = var.scope
+
+  authorization {
+    principal_id           = var.principal_id
+    role_definition_id     = var.role_definition_id
+    principal_display_name = var.principal_display_name
+  }
+}
+
+resource "azurerm_lighthouse_assignment" "assignment" {
+  scope                    = var.scope
+  lighthouse_definition_id = azurerm_lighthouse_definition.definition.id
+}
diff --git a/templates/delegated-resource-management/terraform/templates/provider.tf b/templates/delegated-resource-management/terraform/templates/provider.tf
@@ -0,0 +1,16 @@
+#
+# Providers Configuration
+#
+
+terraform {
+  required_providers {
+    azurerm = {
+      source = "hashicorp/azurerm"
+      version = "2.86.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
diff --git a/templates/delegated-resource-management/terraform/templates/variables.tf b/templates/delegated-resource-management/terraform/templates/variables.tf
@@ -0,0 +1,25 @@
+# Declare TF variables
+
+variable "mspoffername" {
+  default = "Contoso Managed Services"
+}
+
+variable "mspofferdescription" {
+  default = "Contoso Managed Services"
+}
+
+variable "managedbytenantid" {
+}
+
+variable "scope" {
+}
+
+variable "principal_id" {
+}
+
+variable "principal_display_name" {
+}
+
+variable "role_definition_id" {
+
+}