From 182ed5022ebbf5b13898da945c7a75557d79a892 Mon Sep 17 00:00:00 2001
From: lanicolas
Date: Wed, 24 Nov 2021 14:57:07 +0100
Subject: [PATCH 1/7] terraform template
---
 .../terraform/README.md | 38 +++++++++++++++++++
 .../terraform/scripts/vars.sh | 10 +++++
 .../terraform/templates/main.tf | 0
 .../terraform/templates/provider.tf | 19 ++++++++++
 .../terraform/templates/variables.tf | 24 ++++++++++++
 5 files changed, 91 insertions(+)
 create mode 100644 templates/delegated-resource-management/terraform/README.md
 create mode 100644 templates/delegated-resource-management/terraform/scripts/vars.sh
 create mode 100644 templates/delegated-resource-management/terraform/templates/main.tf
 create mode 100644 templates/delegated-resource-management/terraform/templates/provider.tf
 create mode 100644 templates/delegated-resource-management/terraform/templates/variables.tf
diff --git a/templates/delegated-resource-management/terraform/README.md b/templates/delegated-resource-management/terraform/README.md
new file mode 100644
index 0000000..dad4d9f
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/README.md
@@ -0,0 +1,38 @@
+# Deploy Azure Lighthouse using a Terraform template
+
+This template deploys Azure Lighthouse using Terraform.
+
+## Getting started
+
+Same as when using ARM templates to onboard a customer in Azure Lighthouse, you have to fill out parameters and configure your Terraform template and a user in the customer's tenant must deploy it within their tenant. A separate deployment is needed for each subscription that you want to onboard (or for each subscription that contains resource groups that you want to onboard). Make sure to review this procedure to understand [how to onboard a customer](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer).
+
+To run the terraform template the customer can use their own pipelines or Azure Cloud Shell as described here for [bash](https://docs.microsoft.com/en-us/azure/developer/terraform/get-started-cloud-shell-bash?tabs=bash) or for [PowerShell](https://docs.microsoft.com/en-us/azure/developer/terraform/get-started-cloud-shell-powershell?tabs=bash).
+
+## Running the template
+
+To run the automation from the customer tenant follow the next steps:
+
+- Provide the environment variables in the [vars.sh](./scripts/vars.sh). To obtain the values for the environment variables, review [this document](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer). For the scope, it can be either a subscription or a resource group, make sure it matches the format:
+
+ - Subscription: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ - Resource Group: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup"
+
+- Run the [vars.sh](./scripts/vars.sh) script by executing this command:
+
+ ```bash
+ . ./vars.sh
+ ```
+
+- Run the terraform init command which will initialize Terraform, creating the state file to track our work:
+
+ ```bash
+ terraform init
+ ```
+
+- Onboard Azure Lighthouse by running the command below.
Wait for the plan to finish:
+
+ ```bash
+ terraform apply --auto-approve
+ ```
+
+- Once Terraform has completed its run crosstenant visibility should be enabled.
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.sh b/templates/delegated-resource-management/terraform/scripts/vars.sh
new file mode 100644
index 0000000..ceb31f7
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/scripts/vars.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Provide the following environment variables according to your Azure environment
+export TF_VAR_mspoffername=""
+export TF_VAR_mspofferdescription=""
+export TF_VAR_managedbytenantid=""
+export TF_VAR_scope=""
+export TF_VAR_role_definition_id=""
+export TF_VAR_principal_display_name=""
+export TF_VAR_principal_id=""
\ No newline at end of file
diff --git a/templates/delegated-resource-management/terraform/templates/main.tf b/templates/delegated-resource-management/terraform/templates/main.tf
new file mode 100644
index 0000000..e69de29
diff --git a/templates/delegated-resource-management/terraform/templates/provider.tf b/templates/delegated-resource-management/terraform/templates/provider.tf
new file mode 100644
index 0000000..abd65c4
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/templates/provider.tf
@@ -0,0 +1,19 @@
+#
+# Providers Configuration
+#
+
+terraform {
+ required_version = "~> 0.12"
+ required_providers {
+ local = "~> 1.4"
+ azurerm = "~> 2.9.0"
+ }
+}
+
+provider "azurerm" {
+ features {}
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+}
\ No newline at end of file
diff --git a/templates/delegated-resource-management/terraform/templates/variables.tf b/templates/delegated-resource-management/terraform/templates/variables.tf
new file mode 100644
index 0000000..e6b3818
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/templates/variables.tf
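Review bot: Every export in vars.sh sets its `TF_VAR_*` variable to an empty string instead of leaving it unset, so a user who sources the file before filling it in hands Terraform `""` for `managedbytenantid`, `scope`, `principal_id` and the rest — Terraform treats an empty string as a supplied value and will not prompt, and the mistake only surfaces as an API error at apply time. The README runs this file with `. ./vars.sh`, i.e. it is sourced into the caller's shell, which the `#!/bin/sh` line does not convey; a comment such as `# Source this file (. ./vars.sh) — it only exports TF_VAR_* into the current shell` would make that explicit, and a guard after the exports like `: "${TF_VAR_managedbytenantid:?fill in vars.sh before sourcing it}"` would abort on a still-empty value. Keeping the placeholders in a tracked file also invites committing filled-in identifiers; a `.gitignore` entry for a local copy would avoid that.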
@@ -0,0 +1,24 @@
+# Declare TF variables
+
+variable "mspoffername" {
+ default = "Relecloud Managed Services"
+}
+
+variable "mspofferdescription" {
+ default = "Relecloud Managed Services"
+}
+
+variable "managedbytenantid" {
+}
+
+variable "scope" {
+}
+
+variable "role_definition_id{
+}
+
+variable "principal_display_name{
+}
+
+variable "principal_id{
+}
\ No newline at end of file
From ada6f758ae819720b3a46e254d8bd41f8f62dab3 Mon Sep 17 00:00:00 2001
From: lanicolas
Date: Thu, 25 Nov 2021 14:53:34 +0100
Subject: [PATCH 2/7] terraform template
---
 .../terraform/README.md | 24 +++++++++++++------
 .../terraform/scripts/vars.borrar | 9 +++++++
 .../terraform/scripts/vars.sh | 5 ++--
 .../terraform/templates/main.tf | 21 ++++++++++++++++
 .../terraform/templates/provider.tf | 11 ++++-----
 .../terraform/templates/variables.tf | 7 ++----
 6 files changed, 55 insertions(+), 22 deletions(-)
 create mode 100644 templates/delegated-resource-management/terraform/scripts/vars.borrar
diff --git a/templates/delegated-resource-management/terraform/README.md b/templates/delegated-resource-management/terraform/README.md
index dad4d9f..e316738 100644
--- a/templates/delegated-resource-management/terraform/README.md
+++ b/templates/delegated-resource-management/terraform/README.md
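Review bot: Three declarations in this hunk — `variable "role_definition_id{`, `variable "principal_display_name{` and `variable "principal_id{` — are missing the closing quote, so the template added by this commit does not parse. PATCH 2/7 rewrites those lines, but as a series the first commit is still broken on its own, and provider.tf in the same commit references `var.subscription_id`, `var.client_id`, `var.client_secret` and `var.tenant_id`, none of which this file declares. If the series is meant to land as is, squash PATCH 1 and PATCH 2 so every commit is a template that at least passes `terraform validate`.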
@@ -12,27 +12,37 @@ To run the terraform template the customer can use their own pipelines or Azure
 To run the automation from the customer tenant follow the next steps:
-- Provide the environment variables in the [vars.sh](./scripts/vars.sh). To obtain the values for the environment variables, review [this document](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer). For the scope, it can be either a subscription or a resource group, make sure it matches the format:
+- Provide the environment variables in the [vars.sh](./scripts/vars.sh). To obtain the values for the environment variables, review [this document](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer). Use this as an example:
- - Subscription: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
- - Resource Group: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup"
+ ```bash
+ #!/bin/sh
+
+ # Provide the following environment variables according to your Azure environment
+ export TF_VAR_mspoffername="Contoso Managed Services"
+ export TF_VAR_mspofferdescription="Contoso Managed Services"
+ export TF_VAR_managedbytenantid="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ export TF_VAR_principal_display_name="Admin users"
+ export TF_VAR_principal_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ export TF_VAR_scope="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ ```
-- Run the [vars.sh](./scripts/vars.sh) script by executing this command:
+- From the scripts folder, run the [vars.sh](./scripts/vars.sh) script by executing this command:
 ```bash
 . ./vars.sh
 ```
-- Run the terraform init command which will initialize Terraform, creating the state file to track our work:
+- From the Terraform folder, run the terraform init command which will initialize Terraform, creating the state file to track our work:
 ```bash
 terraform init
 ```
-- Onboard Azure Lighthouse by running the command below.
Wait for the plan to finish:
+- Onboard Azure Lighthouse by running the commands below. Wait for the plan to finish:
 ```bash
- terraform apply --auto-approve
+ terraform plan
+ terraform apply
 ```
 - Once Terraform has completed its run crosstenant visibility should be enabled.
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.borrar b/templates/delegated-resource-management/terraform/scripts/vars.borrar
new file mode 100644
index 0000000..1ab1165
--- /dev/null
+++ b/templates/delegated-resource-management/terraform/scripts/vars.borrar
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# Provide the following environment variables according to your Azure environment
+export TF_VAR_mspoffername="Lighthouse Terraform"
+export TF_VAR_mspofferdescription="Lighthouse Terraform MSP offer"
+export TF_VAR_managedbytenantid="72f988bf-86f1-41af-91ab-2d7cd011db47"
+export TF_VAR_principal_display_name="Terraform users"
+export TF_VAR_principal_id="4db8cc67-ca6e-4a2c-ab0f-7948490bd78b"
+export TF_VAR_scope="/subscriptions/a15befbb-3730-4abf-a213-2150b9b088e7"
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.sh b/templates/delegated-resource-management/terraform/scripts/vars.sh
index ceb31f7..93f6033 100644
--- a/templates/delegated-resource-management/terraform/scripts/vars.sh
+++ b/templates/delegated-resource-management/terraform/scripts/vars.sh
@@ -4,7 +4,6 @@
 export TF_VAR_mspoffername=""
 export TF_VAR_mspofferdescription=""
 export TF_VAR_managedbytenantid=""
-export TF_VAR_scope=""
-export TF_VAR_role_definition_id=""
+export TF_VAR_scopes=""
 export TF_VAR_principal_display_name=""
-export TF_VAR_principal_id=""
\ No newline at end of file
+export TF_VAR_principal_id=""
diff --git a/templates/delegated-resource-management/terraform/templates/main.tf b/templates/delegated-resource-management/terraform/templates/main.tf
index e69de29..89669ed 100644
--- a/templates/delegated-resource-management/terraform/templates/main.tf
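Review bot: vars.borrar commits a filled-in copy of the variables file — a managing tenant ID, a principal object ID and a subscription ID — and its name suggests it was never meant to be tracked. PATCH 3/7 deletes it again, but the values stay in the history of this series, so anyone cloning the repository still gets them; they are not credentials, but they identify the managing tenant and a target subscription, which a public template should not carry. If the file is only a local helper, drop it from the series (squash PATCH 2 and PATCH 3 so the blob never lands) and add a `.gitignore` entry for local copies so a filled-in file cannot be added by accident.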
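Review bot: The renamed export `TF_VAR_scopes` no longer matches the input it feeds — variables.tf in this same commit still declares `variable "scope"`, main.tf reads `var.scope` twice, and the README example added in this commit sets `TF_VAR_scope`. Terraform silently ignores `TF_VAR_` variables that are not declared, so `var.scope` has no value and `terraform apply` prompts for it interactively (or fails with `-input=false` in a pipeline). The line should read `export TF_VAR_scope=""`; PATCH 4/7 and PATCH 5/7 touch the same line and carry the plural name forward.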
+++ b/templates/delegated-resource-management/terraform/templates/main.tf
@@ -0,0 +1,21 @@
+data "azurerm_role_definition" "contributor" {
+ role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
+}
+
+resource "azurerm_lighthouse_definition" "definition" {
+ name = var.mspoffername
+ description = var.mspofferdescription
+ managing_tenant_id = var.managedbytenantid
+ scope = var.scope
+
+ authorization {
+ principal_id = var.principal_id
+ role_definition_id = data.azurerm_role_definition.contributor.role_definition_id
+ principal_display_name = var.principal_display_name
+ }
+}
+
+resource "azurerm_lighthouse_assignment" "assignment" {
+ scope = var.scope
+ lighthouse_definition_id = azurerm_lighthouse_definition.definition.id
+}
\ No newline at end of file
diff --git a/templates/delegated-resource-management/terraform/templates/provider.tf b/templates/delegated-resource-management/terraform/templates/provider.tf
index abd65c4..d706810 100644
--- a/templates/delegated-resource-management/terraform/templates/provider.tf
+++ b/templates/delegated-resource-management/terraform/templates/provider.tf
@@ -3,17 +3,14 @@
 #
 terraform {
- required_version = "~> 0.12"
 required_providers {
- local = "~> 1.4"
- azurerm = "~> 2.9.0"
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "2.86.0"
+ }
 }
 }
 provider "azurerm" {
 features {}
- subscription_id = var.subscription_id
- client_id = var.client_id
- client_secret = var.client_secret
- tenant_id = var.tenant_id
 }
\ No newline at end of file
diff --git a/templates/delegated-resource-management/terraform/templates/variables.tf b/templates/delegated-resource-management/terraform/templates/variables.tf
index e6b3818..a096c56 100644
--- a/templates/delegated-resource-management/terraform/templates/variables.tf
+++ b/templates/delegated-resource-management/terraform/templates/variables.tf
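Review bot: The new `required_providers` entry uses the `source = "hashicorp/azurerm"` object form, which Terraform accepts only from 0.13 onwards, yet the commit deletes `required_version = "~> 0.12"` instead of raising it, so nothing now tells a 0.12 CLI why this block fails to parse. Re-add the constraint as `required_version = ">= 0.13"` (or whatever minimum was actually tested with azurerm 2.86.0). Dropping the `subscription_id`/`client_id`/`client_secret`/`tenant_id` arguments is the right call — a client secret no longer flows through a Terraform variable and into state — but the provider now authenticates with whatever Azure CLI or Cloud Shell session runs it; a comment in the block such as `# No credentials here: uses the signed-in Azure CLI / Cloud Shell identity in the customer tenant` would record that assumption for the customer running it.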
@@ -14,11 +14,8 @@ variable "managedbytenantid" {
 variable "scope" {
 }
-variable "role_definition_id{
+variable "principal_id" {
 }
-variable "principal_display_name{
-}
-
-variable "principal_id{
+variable "principal_display_name" {
 }
\ No newline at end of file
From df2383df8e98ec74689e88cead9705c566ea7853 Mon Sep 17 00:00:00 2001
From: lanicolas
Date: Thu, 25 Nov 2021 14:53:49 +0100
Subject: [PATCH 3/7] terraform template
---
 .../terraform/scripts/vars.borrar | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 templates/delegated-resource-management/terraform/scripts/vars.borrar
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.borrar b/templates/delegated-resource-management/terraform/scripts/vars.borrar
deleted file mode 100644
index 1ab1165..0000000
--- a/templates/delegated-resource-management/terraform/scripts/vars.borrar
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-# Provide the following environment variables according to your Azure environment
-export TF_VAR_mspoffername="Lighthouse Terraform"
-export TF_VAR_mspofferdescription="Lighthouse Terraform MSP offer"
-export TF_VAR_managedbytenantid="72f988bf-86f1-41af-91ab-2d7cd011db47"
-export TF_VAR_principal_display_name="Terraform users"
-export TF_VAR_principal_id="4db8cc67-ca6e-4a2c-ab0f-7948490bd78b"
-export TF_VAR_scope="/subscriptions/a15befbb-3730-4abf-a213-2150b9b088e7"
From f858e71ba18af34de9ac90bb12455d8c3e863c18 Mon Sep 17 00:00:00 2001
From: lanicolas
Date: Thu, 25 Nov 2021 15:08:17 +0100
Subject: [PATCH 4/7] terraform template
---
 .../terraform/scripts/vars.sh | 3 ++-
 .../terraform/templates/main.tf | 5 +----
 .../terraform/templates/variables.tf | 8 ++++++--
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.sh b/templates/delegated-resource-management/terraform/scripts/vars.sh
index 93f6033..73d7660 100644
--- a/templates/delegated-resource-management/terraform/scripts/vars.sh
+++ b/templates/delegated-resource-management/terraform/scripts/vars.sh
@@ -4,6 +4,7 @@
 export TF_VAR_mspoffername=""
 export TF_VAR_mspofferdescription=""
 export TF_VAR_managedbytenantid=""
-export TF_VAR_scopes=""
+export TF_VAR_scopes=""
 export TF_VAR_principal_display_name=""
 export TF_VAR_principal_id=""
+export TF_VAR_role_definition_id=""
diff --git a/templates/delegated-resource-management/terraform/templates/main.tf b/templates/delegated-resource-management/terraform/templates/main.tf
index 89669ed..a6187d8 100644
--- a/templates/delegated-resource-management/terraform/templates/main.tf
+++ b/templates/delegated-resource-management/terraform/templates/main.tf
@@ -1,6 +1,3 @@
-data "azurerm_role_definition" "contributor" {
- role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
-}
 resource "azurerm_lighthouse_definition" "definition" {
 name = var.mspoffername
@@ -10,7 +7,7 @@ resource "azurerm_lighthouse_definition" "definition" {
 authorization {
 principal_id = var.principal_id
- role_definition_id = data.azurerm_role_definition.contributor.role_definition_id
+ role_definition_id = var.role_definition_id
 principal_display_name = var.principal_display_name
 }
 }
diff --git a/templates/delegated-resource-management/terraform/templates/variables.tf b/templates/delegated-resource-management/terraform/templates/variables.tf
index a096c56..9b100e2 100644
--- a/templates/delegated-resource-management/terraform/templates/variables.tf
+++ b/templates/delegated-resource-management/terraform/templates/variables.tf
@@ -1,11 +1,11 @@
 # Declare TF variables
 variable "mspoffername" {
- default = "Relecloud Managed Services"
+ default = "Contoso Managed Services"
 }
 variable "mspofferdescription" {
- default = "Relecloud Managed Services"
+ default = "Contoso Managed Services"
 }
 variable "managedbytenantid" {
@@ -18,4 +18,8 @@ variable "principal_id" {
 }
 variable "principal_display_name" {
+}
+
+variable "role_definition_id" {
+
 }
\ No newline at end of file
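Review bot: `role_definition_id = var.role_definition_id` in the second main.tf hunk now lets the caller delegate any role, with nothing in the template saying what is acceptable — Azure Lighthouse accepts only built-in role definition IDs, rejects Owner, and allows User Access Administrator only for a restricted purpose, so an unsupported ID fails at apply time while a role broader than the offer needs is accepted without comment. A comment on that line, e.g. `# Built-in role granted to the managing tenant's principal; use the least-privileged role the offer needs (Owner is not accepted by Lighthouse)`, plus the same guidance where the README tells users to copy the Contributor GUID, would steer people away from over-delegating. The enclosing `azurerm_lighthouse_definition` block starts before this hunk.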
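Review bot: The new `variable "role_definition_id" {}` — like every other variable in this file — carries neither a `type` nor a `description` and has no default, so `terraform plan` prompts for it with no hint of the expected format, and a value that is not a role GUID is only rejected by the API. `type = string` and a description such as `description = "GUID of the built-in Azure role to delegate (the README shows the Contributor ID)"` would make the prompt self-explanatory, and on Terraform 0.13+ a `validation` block checking the GUID shape would catch typos before apply. The same applies to `scope`, `managedbytenantid`, `principal_id` and `principal_display_name` declared earlier in the file, and the stray blank line inside the new block should go.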
From 788741c70223c0cbc26193aa2f42c7d2f8f7a158 Mon Sep 17 00:00:00 2001
From: Laura Nicolas <51124125+lanicolas@users.noreply.github.com>
Date: Thu, 25 Nov 2021 15:09:10 +0100
Subject: [PATCH 5/7] Update vars.sh
---
 .../delegated-resource-management/terraform/scripts/vars.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.sh b/templates/delegated-resource-management/terraform/scripts/vars.sh
index 93f6033..f173d88 100644
--- a/templates/delegated-resource-management/terraform/scripts/vars.sh
+++ b/templates/delegated-resource-management/terraform/scripts/vars.sh
@@ -4,6 +4,6 @@
 export TF_VAR_mspoffername=""
 export TF_VAR_mspofferdescription=""
 export TF_VAR_managedbytenantid=""
-export TF_VAR_scopes=""
+export TF_VAR_scopes=""
 export TF_VAR_principal_display_name=""
 export TF_VAR_principal_id=""
From f134bac7d6c8a8ecff69e15b870a241dd2b90dd7 Mon Sep 17 00:00:00 2001
From: Laura Nicolas <51124125+lanicolas@users.noreply.github.com>
Date: Thu, 25 Nov 2021 15:09:29 +0100
Subject: [PATCH 6/7] Update vars.sh
---
 .../delegated-resource-management/terraform/scripts/vars.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/templates/delegated-resource-management/terraform/scripts/vars.sh b/templates/delegated-resource-management/terraform/scripts/vars.sh
index f173d88..73d7660 100644
--- a/templates/delegated-resource-management/terraform/scripts/vars.sh
+++ b/templates/delegated-resource-management/terraform/scripts/vars.sh
@@ -7,3 +7,4 @@ export TF_VAR_managedbytenantid=""
 export TF_VAR_scopes=""
 export TF_VAR_principal_display_name=""
 export TF_VAR_principal_id=""
+export TF_VAR_role_definition_id=""
From 8fe0648fb6c8fbf7e6bdf5abeade6503443236ea Mon Sep 17 00:00:00 2001
From: lanicolas
Date: Thu, 25 Nov 2021 15:12:09 +0100
Subject: [PATCH 7/7] Readme
---
 templates/delegated-resource-management/terraform/README.md | 1 +
 1 file changed, 1 insertion(+)
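Review bot: PATCH 5/7 and PATCH 6/7 redo, in two steps, what PATCH 4/7 already did to vars.sh — both chains start from blob 93f6033 and end at 73d7660 — so the series carries the same change twice and applying it in order will likely stop at PATCH 5, whose preimage line (the old form of `export TF_VAR_scopes=""`) no longer exists once PATCH 4 has been applied, unless a three-way merge rescues it. Drop PATCH 5 and PATCH 6 from the series, or drop the vars.sh part of PATCH 4. Separately, the line added here, `export TF_VAR_role_definition_id=""`, leaves the final vars.sh exporting `TF_VAR_scopes` while variables.tf declares `scope`, so the scope value set in this file still never reaches the template.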
diff --git a/templates/delegated-resource-management/terraform/README.md b/templates/delegated-resource-management/terraform/README.md
index e316738..696c160 100644
--- a/templates/delegated-resource-management/terraform/README.md
+++ b/templates/delegated-resource-management/terraform/README.md
@@ -24,6 +24,7 @@ To run the automation from the customer tenant follow the next steps:
 export TF_VAR_principal_display_name="Admin users"
 export TF_VAR_principal_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 export TF_VAR_scope="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ export TF_VAR_role_definition_id="b24988ac-6180-42a0-ab88-20f7382dd24c"
 ```
 - From the scripts folder, run the [vars.sh](./scripts/vars.sh) script by executing this command: