rpothin/PowerPlatform-Governance-With-Terraform

A sandbox to try and explore the Terraform provider for Power Platform

Power Platform Governance with Terraform

A sandbox to try and explore the Terraform provider for Power Platform

🏡 What is the PowerPlatform-Governance-With-Terraform project?

The PowerPlatform-Governance-With-Terraform project is a sandbox to try and explore the Terraform provider for Power Platform.

The goal is to see if the Terraform provider can be effectively used to automate the governance of Power Platform environments.

Inventory

Workflows

Workflow	Description
terraform-plan-apply	Manually plan and apply a Terraform configuration taking into consideration a specified set of variables
terraform-output	Automatically save the outputs of specified Terraform configurations into JSON files
terraform-destroy	Manually destroy the resources created by a Terraform configuration taking into consideration a specified set of variables

Infrastructure as code

Folder	Description
src/terraform-state-iac	Bicep infrastructure as code to deploy the Azure resources needed to manage the Terraform state files
src/power-plaform-connectors	Terraform configuration to synchronize Power Platform connectors to a JSON file
src/dlp-policies	Terraform configuration to manage DLP policies in Power Platform
src/billing-policies	Terraform configuration to manage billing policies in Power Platform

Notebooks

Notebook	Description
notebooks/convert-existing-dlp-policies-to-tfvars-files.dib	Notebook to convert existing DLP policies synchronized from Power Platform to Terraform variables files

📖 Log book

Workspace setup

Azure Resource Group for Terraform state

The Bicep infrastructure as code that need to be deployed to manage the Terraform state files related to our Terraform configurations for Power Platform governance is located in the src/terraform-state-iac folder.

To deploy it, you can follow one of the options below.

Option 1: Using the deployment pane from the VS Code extension

From VS Code, with the Bicep extension installed,

1. Right-click on the main.bicep file under src/terraform-state-iac
2. Select Show deployment pane
3. In the deployment pane, click on the Pick Scope button
4. Sign in to Azure
5. Select the Azure subscription where you want to deploy the resources
6. Enter the values for the different parameters
7. Click on the Validate button to validate the Bicep file combined with the parameters
8. Click on the What-If button to see what resources will be deployed
9. Click on the Deploy button to deploy the resources

Option 2: Using the Azure CLI

1. Update the main.bicepparam file with the values you want to use.
2. In a terminal positioned in the src/terraform-state-iac folder, run the following commands:

# Install the Bicep CLI
az bicep install
az bicep version

# Connect to Azure
az login

# Set the subscription
az account set --subscription "Your Subscription Name"

# Validate the Bicep file and parameters
az deployment sub validate --location "Your Location" --template-file main.bicep --parameters main.bicepparam

# Check the impact of the deployment
az deployment sub what-if --location "Your Location" --template-file main.bicep --parameters main.bicepparam

# Deploy the resources
az deployment sub create --location "Your Location" --template-file main.bicep --parameters main.bicepparam

Service principal

Note

From what I found, the Creating an App Registration to use the Power Platform Provider page in the documentation of the Terraform provider for Power Platform is the reference regarding how the application registration should be configured.

1. Create an application registration in Entra ID
2. Once the application registration is created, go to API Permissions
3. Add the following permissions

• Dynamics CRM | user_impersonation
• PowerApps Service | User
• Power Platform API
  • AppManagement.ApplicationPackages.Install
  • AppManagement.ApplicationPackages.Read
  • Licensing.BillingPolicies.Read
  • Licensing.BillingPolicies.ReadWrite

Note

If you don't find the Power Platform API API permission, you can follow this documentation.

4. Under Expose an API, add the documented configuration
5. Run the New-PowerAppManagementApp PowerShell command of the Microsoft.PowerApps.Administration.PowerShell PowerShell module specifying the Application (client) ID of the app registration created in the previous step

> Add-PowerAppsAccount
> New-PowerAppManagementApp -ApplicationId 00000000-0000-0000-0000-000000000000

6. In the considered Azure subscription, assign the Contributor role to the application registration
7. Configure your application registration for an authentication with OIDC in your GitHub repository

💡 Ideas

• Automate the workspace setup using a Polyglot Notebook - allowing to combine code and documentation in the same place
• Implement unit tests for the Terraform configurations - to ensure the configurations are working as expected

❗ Code of Conduct

I, Raphael Pothin (@rpothin), as creator of this project, am dedicated to providing a welcoming, diverse, and harrassment-free experience for everyone. I expect everyone visiting or participating in this project to abide by the following Code of Conduct. Please read it.

📝 License

All files in this repository are subject to the MIT license.

📚 Resources

Terraform provider for Power Platform

• Documentation
• Main repo
• Quickstarts

Terraform learning

• Terraform - Get started - Azure
• Write Terraform Tests