diff --git a/templates/delegated-resource-management/terraform/README.md b/templates/delegated-resource-management/terraform/README.md
new file mode 100644
index 0000000..696c160
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/README.md
@@ -0,0 +1,49 @@
+# Deploy Azure Lighthouse using a Terraform template
+
+ This template deploys Azure Lighthouse using Terraform.
+
+ ## Getting started
+
+ Same as when using ARM templates to onboard a customer in Azure Lighthouse, you have to fill out parameters and configure your Terraform template and a user in the customer's tenant must deploy it within their tenant. A separate deployment is needed for each subscription that you want to onboard (or for each subscription that contains resource groups that you want to onboard). Make sure to review this procedure to understand [how to onboard a customer](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer).
+
+ To run the terraform template the customer can use their own pipelines or Azure Cloud Shell as described here for [bash](https://docs.microsoft.com/en-us/azure/developer/terraform/get-started-cloud-shell-bash?tabs=bash) or for [PowerShell](https://docs.microsoft.com/en-us/azure/developer/terraform/get-started-cloud-shell-powershell?tabs=bash).
+
+ ## Running the template
+
+ To run the automation from the customer tenant follow the next steps:
+
+ - Provide the environment variables in the [vars.sh](./scripts/vars.sh). To obtain the values for the environment variables, review [this document](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer).
Use this as an example:
+
+ ```bash
+ #!/bin/sh
+
+ # Provide the following environment variables according to your Azure environment
+ export TF_VAR_mspoffername="Contoso Managed Services"
+ export TF_VAR_mspofferdescription="Contoso Managed Services"
+ export TF_VAR_managedbytenantid="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ export TF_VAR_principal_display_name="Admin users"
+ export TF_VAR_principal_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ export TF_VAR_scope="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ export TF_VAR_role_definition_id="b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ```
+
+ - From the scripts folder, run the [vars.sh](./scripts/vars.sh) script by executing this command:
+
+ ```bash
+ . ./vars.sh
+ ```
+
+ - From the Terraform folder, run the terraform init command which will initialize Terraform, creating the state file to track our work:
+
+ ```bash
+ terraform init
+ ```
+
+ - Onboard Azure Lighthouse by running the commands below. Wait for the plan to finish:
+
+ ```bash
+ terraform plan
+ terraform apply
+ ```
+
+ - Once Terraform has completed its run crosstenant visibility should be enabled.
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.sh b/templates/delegated-resource-management/terraform/scripts/vars.sh
new file mode 100644
index 0000000..73d7660
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/scripts/vars.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+ # Provide the following environment variables according to your Azure environment
+ export TF_VAR_mspoffername=""
+ export TF_VAR_mspofferdescription=""
+ export TF_VAR_managedbytenantid=""
+ export TF_VAR_scopes=""
+ export TF_VAR_principal_display_name=""
+ export TF_VAR_principal_id=""
+ export TF_VAR_role_definition_id=""
diff --git a/templates/delegated-resource-management/terraform/templates/main.tf b/templates/delegated-resource-management/terraform/templates/main.tf
new file mode 100644
index 0000000..a6187d8
--- /dev/null
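Review bot: `export TF_VAR_scopes=""` does not match the variable the rest of this change consumes — variables.tf declares `variable "scope"`, main.tf reads `var.scope`, and the README's own example exports `TF_VAR_scope` — so sourcing this file leaves `var.scope` unset. Terraform, as far as I know, silently ignores `TF_VAR_*` names that match no declared variable, so `terraform plan` will prompt interactively for `scope` and a non-interactive pipeline run (`-input=false`) fails outright. The fix is the single rename `export TF_VAR_scope=""`. Since the README sources this file with `. ./vars.sh`, the `#!/bin/sh` shebang is inert and the exports land in the operator's shell; a short comment would save the next person from trying to execute it: `# Source this file (. ./vars.sh); do not execute it.`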
+++ b/templates/delegated-resource-management/terraform/templates/main.tf
@@ -0,0 +1,18 @@
+
+resource "azurerm_lighthouse_definition" "definition" {
+ name = var.mspoffername
+ description = var.mspofferdescription
+ managing_tenant_id = var.managedbytenantid
+ scope = var.scope
+
+ authorization {
+ principal_id = var.principal_id
+ role_definition_id = var.role_definition_id
+ principal_display_name = var.principal_display_name
+ }
+ }
+
+ resource "azurerm_lighthouse_assignment" "assignment" {
+ scope = var.scope
+ lighthouse_definition_id = azurerm_lighthouse_definition.definition.id
+ }
\ No newline at end of file
diff --git a/templates/delegated-resource-management/terraform/templates/provider.tf b/templates/delegated-resource-management/terraform/templates/provider.tf
new file mode 100644
index 0000000..d706810
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/templates/provider.tf
@@ -0,0 +1,16 @@
+#
+ # Providers Configuration
+ #
+
+ terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "2.86.0"
+ }
+ }
+ }
+
+ provider "azurerm" {
+ features {}
+ }
\ No newline at end of file
diff --git a/templates/delegated-resource-management/terraform/templates/variables.tf b/templates/delegated-resource-management/terraform/templates/variables.tf
new file mode 100644
index 0000000..9b100e2
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/templates/variables.tf
@@ -0,0 +1,25 @@
+# Declare TF variables
+
+ variable "mspoffername" {
+ default = "Contoso Managed Services"
+ }
+
+ variable "mspofferdescription" {
+ default = "Contoso Managed Services"
+ }
+
+ variable "managedbytenantid" {
+ }
+
+ variable "scope" {
+ }
+
+ variable "principal_id" {
+ }
+
+ variable "principal_display_name" {
+ }
+
+ variable "role_definition_id" {
+
+ }
\ No newline at end of file
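Review bot: The `authorization` block hands a principal in the managing tenant a standing role over the customer scope with nothing in the template steering the operator toward least privilege; the README's worked example pairs it with `b24988ac-6180-42a0-ab88-20f7382dd24c`, which I believe is the built-in Contributor role, on an "Admin users" group. I would put a comment above the block: `# Standing cross-tenant access: pick the narrowest built-in role the MSP actually needs (Reader or a service-specific role rather than Contributor) and a tightly scoped group as principal_id.` Newer azurerm releases also expose an `eligible_authorization` block for PIM-style just-in-time elevation, which is usually preferable for privileged roles; whether the pinned 2.86.0 supports it I cannot confirm from this diff. Separately, both resources reuse `var.scope`, but to my recollection `azurerm_lighthouse_definition.scope` must be a subscription while only the assignment may target a resource group, so the resource-group onboarding path the README describes would need a second variable here.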
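Review bot: The `terraform` block pins azurerm to exactly `2.86.0`, but no `.terraform.lock.hcl` appears in this diff, so the customer's `terraform init` still downloads whatever artifact the registry serves for that version with no checksum the repository vouches for; committing the lock file that `terraform init` generates (Terraform 0.14+) gives the customer-tenant run an integrity check on the provider binary. There is also no `required_version`, so an operator on an older CLI gets an opaque failure instead of a clear version message; `required_version = ">= 0.14"` next to `required_providers` would fix that. Finally, `provider "azurerm"` sets neither `subscription_id` nor `tenant_id`, so the run authenticates as whatever the active `az` context is; since the README says a customer-tenant user must run this, a comment such as `# Runs in the customer tenant: confirm 'az account show' matches TF_VAR_scope before apply.` would make that explicit.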
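Review bot: None of the seven variables declares a `type`, a `description` or a `validation`, yet four of them (`managedbytenantid`, `principal_id`, `role_definition_id`, `scope`) are fed verbatim into the Lighthouse definition that grants another tenant access to the customer's resources. A GUID typo or a stray `/` in `scope` is then caught, if at all, only by the Azure API at apply time, and whether the API rejects every wrong-but-well-formed value I cannot say from here. Adding `type = string`, a one-line description and a GUID/resource-ID format check makes the template self-documenting and fails `terraform plan` early; note that `validation` blocks need Terraform 0.13+, which provider.tf does not currently require. The `mspoffername`/`mspofferdescription` defaults can stay as they are, with a `type` and `description` added the same way.
```hcl
# … unchanged: mspoffername / mspofferdescription (add type = string and a description) …

variable "managedbytenantid" {
  type        = string
  description = "Tenant ID of the managing (service provider) tenant that receives the delegation."
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.managedbytenantid))
    error_message = "managedbytenantid must be a GUID."
  }
}

variable "scope" {
  type        = string
  description = "Customer scope being delegated, as a resource ID starting with /subscriptions/<subscription-id>."
  validation {
    condition     = can(regex("^/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?$", var.scope))
    error_message = "scope must be a subscription or resource-group resource ID."
  }
}

# … same pattern (type, description, GUID validation) for principal_id and role_definition_id …

variable "principal_display_name" {
  type        = string
  description = "Display name shown in the customer tenant for the delegated principal."
}
```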