Skip to content

meshcloud/terraform-azure-meshplatform

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Azure meshPlatform Module

Terraform module to integrate Azure as a meshPlatform into meshStack instance. With this module, service principals used by meshStack are created with the required permissions. The output of this module is a set of credentials that need to be configured in meshStack as described in meshcloud public docs.

We currently support Microsoft Enterprise Agreements and Microsoft Customer Agreements as well as pre-provisioned subscriptions when integrating Azure as a meshPlatform.

Prerequisites

To run this module, you need the following:

  • Terraform installed (already installed in Azure Portal)
  • Azure CLI installed (already installed in Azure Portal)
  • Permissions on AAD level. If using Microsoft Customer Agreement, AAD level permissions must be set in the Tenant Directory that will create the subscriptions (Source Tenant) as well as the Tenant Directory that will receive the subscriptions (Destination Tenant). An Azure account with one of the following roles:
    1. Global Administrator
    2. Privileged Role Administrator AND (Cloud) Application Administrator
  • Permissions on Azure Resource Level: User Access Administrator on the Management Group that should be managed by meshStack

How to Use This Module

Using Azure Portal

If using a Microsoft Customer Agreement, go through these steps in the Destination Tenant

  1. Login into Azure Portal with your Admin user.

  2. Open a cloud shell.

  3. Create a terraform file that calls this module and produces outputs. Similar to:

    module "meshplatform" {
      source = "git::https://github.com/meshcloud/terraform-azure-meshplatform.git"
      # FILL INPUTS
    }
    output "meshplatform" {
      sensitive = true
      value     = module.meshplatform
    }

    It is highly recommended to configure a terraform backend, otherwise you risk losing track of your applied resources.

  4. Execute the module.

    # Changes into ~/terraform-azure-meshplatform and applies terraform
    cd ~/terraform-azure-meshplatform
    terraform init
    terraform apply
  5. Use the information from terraform output to configure the platform in meshStack.

    # The JSON output contains sensitive values that must not be transmitted anywhere other then the platform config screen in meshStack.
    terraform output -json

Using CLI

  1. Login with az CLI

    az login --tenant TENANT_ID
  2. Follow the instructions for Azure Portal

Configuring the Azure meshPlatform module

Using an Enterprise Agreement

Using an Enterprise Agreement enrollment account requires manual steps outside of terraform.

  1. Ensure you have permissions on Enterprise Agreement level: Account Owner for the enrollment account that should be used for creating subscriptions
  2. Grant access on the enrollment account as described in the section Use an Enteprise Enrollment.

Using Microsoft Customer Agreement

Prerequisites:

  • Ensure you have permissions in the source AAD Tenant for granting access to the billing account used for subscription creation using the Account Administrator role

Create MCA service principals:

With this module, you can create multiple MCA service principals by passing a list of mca.service_principal_names. This is useful for environments with restricted acceses to the AAD tenant holding the MCA license.

Add an mca block when calling this module.

e.g.:

module "meshplatform" {
  source  = "meshcloud/meshplatform/azure"
  # required inputs

  mca = {
      service_principal_names = ["your-mca-sp-name-1", "your-mca-sp-name-2", "..."]
      billing_account_name    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx"
      billing_profile_name    = "xxxx-xxxx-xxx-xxx"
      invoice_section_name    = "xxxx-xxxx-xxx-xxx"
  }
}

Using Pre-provisioned Subscriptions

meshStack will need to be able to read subscriptions at the source location (typically the root of your management group hierarchy) and then have permission to rename them. Please include the following additional_permission when configuring this terraform module.

  additional_permissions = ["Microsoft.Subscription/rename/action"]

Enabling Azure Functions for Landing Zones

In order to enable meshStack to call Azure Functions as part of tenant replication for your landing zones, you must provide the SPN with access to the function.

  additional_required_resource_accesses = [
    # The block below configures replicator access
    # to the app with id `fe81736c-99c6-4fca-8cc2-2818a2365451` with the appRole with id `e29066a1-ecb1-4a8e-af2d-1627fae35711`
    #
    # This example configures access to an azure function
    {
      resource_app_id = "fe81736c-99c6-4fca-8cc2-2818a2365451" # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application#resource_app_id
      resource_accesses = [
        # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application#resource_access
        {
          id   = "e29066a1-ecb1-4a8e-af2d-1627fae35711"
          type = "Role"
        },
      ]
    },
  ]

Single Sign On (SSO) Integration

While this does not belong to a meshplatform, you can enable sso using this module. This is subject to change and sso can be moved out in the future.

To login to meshStack with Microsoft Entra ID, you can create an SSO service principal by adding the following inputs when calling this module:

sso_enabled = true

# This is required as it will construct the redirect uri. A default has been added only so that it's not mandatory to setup sso (i.e. when sso_enabled = false)
sso_meshstack_idp_domain = "sso.<domain>"

Contributing Guide

Before opening a Pull Request, please do the following:

  1. Install pre-commit

    We use pre-commit to perform several terraform related tasks such as terraform validate, terraform fmt, and generating terraform docs with terraform_docs

  2. Execute pre-commit install: Hooks configured in .pre-commit-config.yaml will be executed automatically on commit. For manual execution, you can use pre-commit run -a.

Requirements

Name Version
terraform > 1.1
azapi >=1.13.1
azuread >=3.0.2
azurerm >=4.11.0

Modules

Name Source Version
mca_service_principal ./modules/meshcloud-mca-service-principal n/a
metering_service_principal ./modules/meshcloud-metering-service-principal/ n/a
replicator_service_principal ./modules/meshcloud-replicator-service-principal/ n/a
sso_service_principal ./modules/meshcloud-sso/ n/a

Resources

Name Type
azuread_client_config.current data source
azurerm_management_group.metering_assignment_scopes data source
azurerm_management_group.replicator_assignment_scopes data source
azurerm_management_group.replicator_custom_role_scope data source

Inputs

Name Description Type Default Required
additional_permissions Additional Subscription-Level Permissions the Service Principal needs. list(string) [] no
additional_required_resource_accesses Additional AAD-Level Resource Accesses the replicator Service Principal needs. list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) })) [] no
application_owners List of user principals that should be added as owners to the created service principals. list(string) [] no
can_cancel_subscriptions_in_scopes The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form /providers/Microsoft.Management/managementGroups/<mgmtGroupId>/. list(string) [] no
can_delete_rgs_in_scopes The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when replicator_rg_enabled. List of subscription scopes of form /subscriptions/<subscriptionId>. list(string) [] no
create_passwords Create passwords for service principals. bool true no
mca n/a
object({
service_principal_names = list(string)
billing_account_name = string
billing_profile_name = string
invoice_section_name = string
})
null no
metering_assignment_scopes Names or UUIDs of the Management Groups that kraken should collect costs for. list(string) n/a yes
metering_enabled Whether to create Metering Service Principal or not. bool true no
metering_service_principal_name Service principal for collecting cost data. Kraken ist the name of the meshStack component. Name must be unique per Entra ID. string "kraken" no
replicator_assignment_scopes Names or UUIDs of the Management Groups which replicator should manage. list(string) n/a yes
replicator_custom_role_scope Name or UUID of the Management Group of the replicator custom role definition. The custom role definition must be available for all assignment scopes. string n/a yes
replicator_enabled Whether to create replicator Service Principal or not. bool true no
replicator_rg_enabled Whether the created replicator Service Principal should be usable for Azure Resource Group based replication. Implicitly enables replicator_enabled if set to true. bool false no
replicator_service_principal_name Service principal for managing subscriptions. Replicator is the name of the meshStack component. Name must be unique per Entra ID. string "replicator" no
sso_app_role_assignment_required Whether all users can login using the created application (false), or only assigned users (true) bool false no
sso_enabled Whether to create SSO Service Principal. This service principal is used to integrate meshStack identity provider with your own identity provider. bool false no
sso_identity_provider_alias Identity provider alias. This value needs to be passed to meshcloud to configure the identity provider. string "oidc" no
sso_meshstack_idp_domain meshStack identity provider domain that was provided by meshcloud. It is individual per meshStack. In most cases it is sso. string "replaceme" no
sso_service_principal_name Service principal for Entra ID SSO. Name must be unique per Entra ID. string "meshcloud SSO" no
workload_identity_federation Enable workload identity federation by creating federated credentials for enterprise applications. Usually you'd receive the required settings when attempting to configure a platform with workload identity federation in meshStack. object({ issuer = string, replicator_subject = string, kraken_subject = string }) null no

Outputs

Name Description
azure_ad_tenant_id The Azure AD tenant id.
mca_service_principal MCA Service Principal.
mca_service_principal_password Password for MCA Service Principal.
metering_service_principal Metering Service Principal.
metering_service_principal_password Password for Metering Service Principal.
replicator_service_principal Replicator Service Principal.
replicator_service_principal_password Password for Replicator Service Principal.
sso_discovery_url SSO applications's discovery url (OpenID Connect metadata document)
sso_service_principal_client_id SSO Service Principal.
sso_service_principal_password Password for SSO Service Principal.