Azure meshPlatform Module
Terraform module to integrate Azure as a meshPlatform into meshStack instance. With this module, service principals used by meshStack are created with the required permissions. The output of this module is a set of credentials that need to be configured in meshStack as described in meshcloud public docs.
Prerequisites
To run this module, you need the following:
- Permissions on AAD level. An Azure account with one of the following roles1:
- Global Administrator
- Privileged Role Administrator
- Cloud Application Administrator
- Application Administrator
- Permissions on Enterprise Agreement level. An Azure account that is Account Owner for an enrollment account.
- Terraform installed (already installed in Azure Portal)
- Azure CLI installed (already installed in Azure Portal)
How to Use This Module
Using Azure Portal
-
Login into Azure Portal with your Admin user.
-
Open a cloud shell.
-
Download the example
main.tfandoutputs.tffiles.# Downloads main.tf and outputs.tf files into ~/terraform-azure-meshplatform wget https://raw.githubusercontent.com/meshcloud/terraform-azure-meshplatform/main/examples/basic-azure-integration/main.tf -P ~/terraform-azure-meshplatform wget https://raw.githubusercontent.com/meshcloud/terraform-azure-meshplatform/main/examples/basic-azure-integration/outputs.tf -P ~/terraform-azure-meshplatform
-
Open
~/terraform-azure-meshplatform/main.tfwith a text editor. Modify the module variables and Terraform state backend settings in the file. -
Execute the module.
# Changes into ~/terraform-azure-meshplatform and applies terraform cd ~/terraform-azure-meshplatform terraform init terraform apply
-
Use the information from terraform output to configure the platform in meshStack.
# The JSON output contains sensitive values that must not be transmitted anywhere other then the platform config screen in meshStack. terraform output -json -
Grant access on the enrollment account as described in the meshcloud public docs.
Using CLI
-
Login with az CLI
az login --tenant TENANT_ID
-
Follow the instructions for Azure Portal
Example Usages
Check examples for different use cases. As a quick start we recommend using basic-azure-integration example.
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.1 |
| azuread | 2.18.0 |
| azurerm | 3.3.0 |
Providers
| Name | Version |
|---|---|
| azuread | 2.18.0 |
| azurerm | 3.3.0 |
Modules
| Name | Source | Version |
|---|---|---|
| idp_lookup_service_principal | ./modules/meshcloud-idp-lookup-service-principal/ | n/a |
| kraken_service_principal | ./modules/meshcloud-kraken-service-principal/ | n/a |
| replicator_service_principal | ./modules/meshcloud-replicator-service-principal/ | n/a |
| uami_blueprint_user_principal | ./modules/uami-blueprint-user-principal/ | n/a |
Resources
| Name | Type |
|---|---|
| azuread_client_config.current | data source |
| azurerm_management_group.root | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_permissions | Additional Subscription-Level Permissions the Service Principal needs. | list(string) |
[] |
no |
| additional_required_resource_accesses | Additional AAD-Level Resource Accesses the replicator Service Principal needs. | list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) })) |
[] |
no |
| idplookup_enabled | Whether to create idplookup Service Principal or not. | bool |
true |
no |
| kraken_enabled | Whether to create Metering Service Principal or not. | bool |
true |
no |
| mgmt_group_name | The name or UUID of the Management Group. | string |
n/a | yes |
| replicator_enabled | Whether to create replicator Service Principal or not. | bool |
true |
no |
| replicator_rg_enabled | Enables the replicator service principal to be used for Azure Resource Group replication. Implicitly enables the replicator_enabled flag. |
bool |
true |
no |
| service_principal_name_suffix | Service principal name suffix. Make sure this is unique. | string |
n/a | yes |
| subscriptions | The scope to which UAMI blueprint service principal role assignment is applied. | list(any) |
[] |
no |
Outputs
| Name | Description |
|---|---|
| azure_ad_tenant_id | The Azure AD tenant id. |
| idp_lookup_service_principal | IDP Lookup Service Principal. |
| idp_lookup_service_principal_password | Password for IDP Lookup Service Principal. |
| kraken_service_principal | Metering Service Principal. |
| kraken_service_principal_password | Password for Metering Service Principal. |
| replicator_service_principal | Replicator Service Principal. |
| replicator_service_principal_password | Password for Replicator Service Principal. |
| uami_blueprint_user_principal | UAMI Blueprint Assignment Service Principal. |
| uami_blueprint_user_principal_password | Password for UAMI Blueprint Assignment Service Principal. |
Footnotes
-
Tenant wide admin consent must be granted for a successful meshPlatform setup. See Azure public documentation for more details.
↩