The PowerPlatform-Governance-With-Terraform project is a sandbox to try and explore the Terraform provider for Power Platform.
The goal is to see if the Terraform provider can be effectively used to automate the governance of Power Platform environments.
| Workflow | Description |
|---|---|
| terraform-plan-apply | Manually plan and apply a Terraform configuration taking into consideration a specified set of variables |
| terraform-output | Automatically save the outputs of specified Terraform configurations into JSON files |
| terraform-destroy | Manually destroy the resources created by a Terraform configuration taking into consideration a specified set of variables |

| Folder | Description |
|---|---|
| src/terraform-state-iac | Bicep infrastructure as code to deploy the Azure resources needed to manage the Terraform state files |
| src/power-plaform-connectors | Terraform configuration to synchronize Power Platform connectors to a JSON file |
| src/dlp-policies | Terraform configuration to manage DLP policies in Power Platform |
| src/billing-policies | Terraform configuration to manage billing policies in Power Platform |

| Notebook | Description |
|---|---|
| notebooks/convert-existing-dlp-policies-to-tfvars-files.dib | Notebook to convert existing DLP policies synchronized from Power Platform to Terraform variables files |
The Bicep infrastructure as code that needs to be deployed to manage the Terraform state files of our Terraform configurations for Power Platform governance is located in the src/terraform-state-iac folder.
To deploy it, follow one of the options below.
From VS Code, with the Bicep extension installed:

- Right-click on the `main.bicep` file under src/terraform-state-iac
- Select `Show deployment pane`
- In the deployment pane, click on the `Pick Scope` button
- Sign in to Azure
- Select the Azure subscription where you want to deploy the resources
- Enter the values for the different parameters
- Click on the `Validate` button to validate the Bicep file combined with the parameters
- Click on the `What-If` button to see what resources will be deployed
- Click on the `Deploy` button to deploy the resources
- Update the `main.bicepparam` file with the values you want to use.
- In a terminal positioned in the src/terraform-state-iac folder, run the following commands:

```shell
# Install the Bicep CLI
az bicep install
az bicep version

# Connect to Azure
az login

# Set the subscription
az account set --subscription "Your Subscription Name"

# Validate the Bicep file and parameters
az deployment sub validate --location "Your Location" --template-file main.bicep --parameters main.bicepparam

# Check the impact of the deployment
az deployment sub what-if --location "Your Location" --template-file main.bicep --parameters main.bicepparam

# Deploy the resources
az deployment sub create --location "Your Location" --template-file main.bicep --parameters main.bicepparam
```
> **Note:** From what I found, the "Creating an App Registration to use the Power Platform Provider" page in the documentation of the Terraform provider for Power Platform is the reference regarding how the application registration should be configured.
- Create an application registration in Entra ID
- Once the application registration is created, go to `API Permissions`
- Add the following permissions:
  - Dynamics CRM | user_impersonation
  - PowerApps Service | User
  - Power Platform API
    - AppManagement.ApplicationPackages.Install
    - AppManagement.ApplicationPackages.Read
    - Licensing.BillingPolicies.Read
    - Licensing.BillingPolicies.ReadWrite
> **Note:** If you don't find the `Power Platform API` API permission, you can follow this documentation.
- Under `Expose an API`, add the documented configuration
- Run the New-PowerAppManagementApp PowerShell command of the Microsoft.PowerApps.Administration.PowerShell PowerShell module, specifying the Application (client) ID of the app registration created in the previous step:

```powershell
Add-PowerAppsAccount
New-PowerAppManagementApp -ApplicationId 00000000-0000-0000-0000-000000000000
```

- In the considered Azure subscription, assign the `Contributor` role to the application registration
- Configure your application registration for authentication with OIDC in your GitHub repository
- Automate the workspace setup using a Polyglot Notebook, allowing code and documentation to be combined in the same place
- Implement unit tests for the Terraform configurations, to ensure the configurations are working as expected
I, Raphael Pothin (@rpothin), as creator of this project, am dedicated to providing a welcoming, diverse, and harassment-free experience for everyone. I expect everyone visiting or participating in this project to abide by the following Code of Conduct. Please read it.
All files in this repository are subject to the MIT license.