Azure meshPlatform Module

Terraform module to integrate Azure as a meshPlatform into meshStack instance. With this module, service principals used by meshStack are created with the required permissions. The output of this module is a set of credentials that need to be configured in meshStack as described in meshcloud public docs.

We currently support Microsoft Enterprise Agreements and Microsoft Customer Agreements when integrating Azure as a meshPlatform.

Prerequisites

To run this module, you need the following:

• Terraform installed (already installed in Azure Portal)
• Azure CLI installed (already installed in Azure Portal)
• Permissions on AAD level. If using Microsoft Customer Agreement, AAD level permissions must be set in the Tenant Directory that will create the subscriptions (Source Tenant) as well as the Tenant Directory that will receive the subscriptions (Destination Tenant). An Azure account with one of the following roles:
  1. Global Administrator
  2. Privileged Role Administrator AND (Cloud) Application Administrator
• Permissions on Azure Resource Level: User Access Administrator on the Management Group that should be managed by meshStack

If using an Enterprise Agreement

• Permissions on Enterprise Agreement level: Account Owner for the enrollment account that should be used for creating subscriptions

If using a Microsoft Customer Agreement

• Permissions in Source Tenant for granting access to the billing account used for subscription creation: Account Administrator

How to Use This Module

Using Azure Portal

If using a Microsoft Customer Agreement, go through these steps in the Destination Tenant

1. Login into Azure Portal with your Admin user.

2. Open a cloud shell.

3. Download the example main.tf and outputs.tf files.

   # Downloads main.tf and outputs.tf files into ~/terraform-azure-meshplatform
   wget https://raw.githubusercontent.com/meshcloud/terraform-azure-meshplatform/main/examples/basic-azure-integration/main.tf -P ~/terraform-azure-meshplatform
   wget https://raw.githubusercontent.com/meshcloud/terraform-azure-meshplatform/main/examples/basic-azure-integration/outputs.tf -P ~/terraform-azure-meshplatform

4. Open ~/terraform-azure-meshplatform/main.tf with a text editor. Modify the module variables and Terraform state backend settings in the file.

5. Execute the module.

   # Changes into ~/terraform-azure-meshplatform and applies terraform
   cd ~/terraform-azure-meshplatform
   terraform init
   terraform apply

6. Use the information from terraform output to configure the platform in meshStack.

   # The JSON output contains sensitive values that must not be transmitted anywhere other then the platform config screen in meshStack.
   terraform output -json

If Using an Enterprise Agreement

1. Grant access on the enrollment account as described in the section Use an Enteprise Enrollment.

If Using Microsoft Customer Agreement

1. Switch to the Tenant Directory that contains your Billing Account and follow the steps to Register an Application and Add Credentials. Make sure to copy down the Directory (tenant) ID, Application (client) ID, Object ID and the App Secret value that was generated. The App Secret is only visible during the creation process.
2. You must grant the Enterprise Application permissions on the Billing Account, Billing Profile, or Invoice Section so that it can generate new subscriptions. Follow the steps in this guide to grant the necessary permissions. You must grant one of the following permissions

• Billing Account or Billing Profile: Owner, Contributor
• Invoice Section: Owner, Contributor, Azure Subscription Creator

3. Write down the Billing Scope ID that looks something like this /providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx
4. Use the following information to configure the platform in meshStack

• Billing Scope
• Destination Tenant ID
• Source Tenant ID
• Billing Account Principal Client ID (Application Client ID that will be used to create new subscriptions)
• Principal Client Secret (Application Secret created in the Source Tenant)

Using CLI

1. Login with az CLI

   az login --tenant TENANT_ID

2. Follow the instructions for Azure Portal

Example Usages

Check examples for different use cases. As a quick start we recommend using basic-azure-integration example.

Requirements

Name	Version
terraform	>= 1.1
azuread	2.18.0
azurerm	3.3.0

Providers

Name	Version
azuread	2.18.0
azurerm	3.3.0

Modules

Name	Source	Version
idp_lookup_service_principal	./modules/meshcloud-idp-lookup-service-principal/	n/a
metering_service_principal	./modules/meshcloud-metering-service-principal/	n/a
replicator_service_principal	./modules/meshcloud-replicator-service-principal/	n/a
uami_blueprint_user_principal	./modules/uami-blueprint-user-principal/	n/a

Resources

Name	Type
azuread_client_config.current	data source
azurerm_management_group.root	data source

Inputs

Name	Description	Type	Default	Required
additional_permissions	Additional Subscription-Level Permissions the Service Principal needs.	list(string)	[]	no
additional_required_resource_accesses	Additional AAD-Level Resource Accesses the replicator Service Principal needs.	list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))	[]	no
idplookup_enabled	Whether to create idplookup Service Principal or not.	bool	true	no
metering_enabled	Whether to create Metering Service Principal or not.	bool	true	no
mgmt_group_name	The name or UUID of the Management Group.	string	n/a	yes
replicator_enabled	Whether to create replicator Service Principal or not.	bool	true	no
replicator_rg_enabled	Enables the replicator service principal to be used for Azure Resource Group replication. Implicitly enables the replicator_enabled flag.	bool	true	no
service_principal_name_suffix	Service principal name suffix. Make sure this is unique.	string	n/a	yes
subscriptions	The scope to which UAMI blueprint service principal role assignment is applied.	list(any)	[]	no

Outputs

Name	Description
azure_ad_tenant_id	The Azure AD tenant id.
idp_lookup_service_principal	IDP Lookup Service Principal.
idp_lookup_service_principal_password	Password for IDP Lookup Service Principal.
metering_service_principal	Metering Service Principal.
metering_service_principal_password	Password for Metering Service Principal.
replicator_service_principal	Replicator Service Principal.
replicator_service_principal_password	Password for Replicator Service Principal.
uami_blueprint_user_principal	UAMI Blueprint Assignment Service Principal.
uami_blueprint_user_principal_password	Password for UAMI Blueprint Assignment Service Principal.