# Azure meshPlatform Module

Terraform module to integrate Azure as a meshPlatform into a meshStack instance. With this module, the service principals used by meshStack are created with the required permissions. The output of this module is a set of credentials that need to be configured in meshStack as described in the meshcloud public docs.
## Prerequisites

To run this module, you need the following:

- Permissions on AAD level. An Azure account with one of the following roles[^1]:
  - Global Administrator
  - Privileged Role Administrator
  - Cloud Application Administrator
  - Application Administrator
- Permissions on Enterprise Agreement level. An Azure account that is Account Owner for an enrollment account.
- Terraform installed (already installed in Azure Cloud Shell)
- Azure CLI installed (already installed in Azure Cloud Shell)
## How to Use This Module

### Using Azure Portal

1. Log in to the Azure Portal with your admin user.
2. Open a Cloud Shell.
3. Download the example `main.tf` and `outputs.tf` files.

   ```sh
   # Downloads main.tf and outputs.tf files into ~/terraform-azure-meshplatform
   wget https://raw.githubusercontent.com/meshcloud/terraform-azure-meshplatform/main/examples/basic-azure-integration/main.tf -P ~/terraform-azure-meshplatform
   wget https://raw.githubusercontent.com/meshcloud/terraform-azure-meshplatform/main/examples/basic-azure-integration/outputs.tf -P ~/terraform-azure-meshplatform
   ```

4. Open `~/terraform-azure-meshplatform/main.tf` with a text editor. Modify the module variables and the Terraform state backend settings in the file.
5. Execute the module.

   ```sh
   # Changes into ~/terraform-azure-meshplatform and applies terraform
   cd ~/terraform-azure-meshplatform
   terraform init
   terraform apply
   ```

6. Use the information from `terraform output` to configure the platform in meshStack.

   ```sh
   # The JSON output contains sensitive values that must not be transmitted anywhere other than the platform config screen in meshStack.
   terraform output -json
   ```

7. Grant access on the enrollment account as described in the meshcloud public docs.

### Using CLI

1. Log in with the az CLI.

   ```sh
   az login --tenant TENANT_ID
   ```

2. Follow the instructions for the Azure Portal above (download the example files, apply the module, and configure meshStack from the output).
## Example Usages

Check the `examples` directory for different use cases. As a quick start we recommend the `basic-azure-integration` example.
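As an added example (not one of the files from the module's `examples` directory), the following root module shows how the inputs from the Inputs table fit together in a complete `main.tf`: version pins from the Requirements table, a remote state backend, the module call and the re-exported outputs. The module `source` shorthand, the management group name, the suffix and the backend storage names are placeholders chosen for this example, not values from the module. Note that Terraform state holds the generated service principal passwords in plain text, so the state backend must be as tightly access-controlled as the credentials themselves.

```terraform
terraform {
  required_version = ">= 1.1"

  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.18.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.3.0"
    }
  }

  # The state file will contain the service principal passwords in plain text,
  # so keep it in a storage account that only the platform team can read.
  # All names below are placeholders for this example.
  backend "azurerm" {
    resource_group_name  = "rg-meshplatform-tfstate"
    storage_account_name = "stmeshplatformtfstate"
    container_name       = "tfstate"
    key                  = "azure-meshplatform.tfstate"
  }
}

# Both providers pick up the identity from the current `az login` session.
provider "azuread" {}

provider "azurerm" {
  features {}
}

module "meshplatform" {
  # Assumed module source for this example.
  source = "github.com/meshcloud/terraform-azure-meshplatform"

  # Required inputs (placeholder values).
  mgmt_group_name               = "meshstack-root"
  service_principal_name_suffix = "prod-01"

  # Optional inputs, shown with their defaults. Disable a service principal
  # you do not need so that no unused credential is created.
  replicator_enabled    = true
  replicator_rg_enabled = true # implicitly enables replicator_enabled
  kraken_enabled        = true
  idplookup_enabled     = true

  # Additional subscription-level permissions for the service principal; empty by default.
  additional_permissions = []

  # Additional AAD-level resource accesses for the replicator service principal.
  # Leave empty unless the meshcloud docs ask for a specific permission.
  additional_required_resource_accesses = []

  # Subscriptions in which the UAMI blueprint principal gets its role assignment.
  subscriptions = []
}

# Re-export the module outputs. Marking the passwords sensitive makes
# `terraform plan`/`apply` redact them (and Terraform requires it if the module
# output is sensitive); `terraform output -json` still prints them in plain text,
# so handle that output with care.
output "azure_ad_tenant_id" {
  value = module.meshplatform.azure_ad_tenant_id
}

output "replicator_service_principal" {
  value = module.meshplatform.replicator_service_principal
}

output "replicator_service_principal_password" {
  value     = module.meshplatform.replicator_service_principal_password
  sensitive = true
}

# The kraken, idp_lookup and uami_blueprint outputs follow the same pattern.
```

Run `terraform init` and `terraform apply` in the directory containing this file, then `terraform output -json` to read the credentials for the meshStack platform configuration screen.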

## Requirements

Name | Version |
---|---|
terraform | >= 1.1 |
azuread | 2.18.0 |
azurerm | 3.3.0 |

## Providers

Name | Version |
---|---|
azuread | 2.18.0 |
azurerm | 3.3.0 |

## Modules

Name | Source | Version |
---|---|---|
idp_lookup_service_principal | ./modules/meshcloud-idp-lookup-service-principal/ | n/a |
kraken_service_principal | ./modules/meshcloud-kraken-service-principal/ | n/a |
replicator_service_principal | ./modules/meshcloud-replicator-service-principal/ | n/a |
uami_blueprint_user_principal | ./modules/uami-blueprint-user-principal/ | n/a |

## Resources

Name | Type |
---|---|
azuread_client_config.current | data source |
azurerm_management_group.root | data source |

## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_permissions | Additional Subscription-Level Permissions the Service Principal needs. | `list(string)` | `[]` | no |
additional_required_resource_accesses | Additional AAD-Level Resource Accesses the replicator Service Principal needs. | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
idplookup_enabled | Whether to create the idplookup Service Principal or not. | `bool` | `true` | no |
kraken_enabled | Whether to create the Metering Service Principal or not. | `bool` | `true` | no |
mgmt_group_name | The name or UUID of the Management Group. | `string` | n/a | yes |
replicator_enabled | Whether to create the replicator Service Principal or not. | `bool` | `true` | no |
replicator_rg_enabled | Enables the replicator service principal to be used for Azure Resource Group replication. Implicitly enables the replicator_enabled flag. | `bool` | `true` | no |
service_principal_name_suffix | Service principal name suffix. Make sure this is unique. | `string` | n/a | yes |
subscriptions | The scope to which the UAMI blueprint service principal role assignment is applied. | `list(any)` | `[]` | no |

## Outputs

Name | Description |
---|---|
azure_ad_tenant_id | The Azure AD tenant id. |
idp_lookup_service_principal | IDP Lookup Service Principal. |
idp_lookup_service_principal_password | Password for IDP Lookup Service Principal. |
kraken_service_principal | Metering Service Principal. |
kraken_service_principal_password | Password for Metering Service Principal. |
replicator_service_principal | Replicator Service Principal. |
replicator_service_principal_password | Password for Replicator Service Principal. |
uami_blueprint_user_principal | UAMI Blueprint Assignment Service Principal. |
uami_blueprint_user_principal_password | Password for UAMI Blueprint Assignment Service Principal. |

[^1]: Tenant-wide admin consent must be granted for a successful meshPlatform setup. See the Azure public documentation for more details.