Azure Lighthouse

Azure terraform module to create a Lighthouse definition and assign it to scopes where management delegation is needed.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "msp" {
  source  = "claranet/lighthouse/azurerm"
  version = "x.x.x"

  name                    = "Claranet MSP"
  description             = "Lighthouse delegation to let Claranet manage resources."
  managing_tenant_id      = local.claranet_tenant_id
  managed_subscription_id = local.subscription_id

  authorizations = [
    {
      principal_id   = "00000000-0000-0000-0000-000000000000"
      principal_name = "L1 Claranet CORE Team"
      role_name      = "Contributor"
    },
    {
      principal_id   = "00000000-0000-0000-0000-000000000000"
      principal_name = "L2 Claranet OnCall Build Team"
      role_name      = "Contributor"
    },
    {
      principal_id   = "00000000-0000-0000-0000-000000000000"
      principal_name = "Claranet SDM"
      role_name      = "Reader"
    },
    {
      principal_id   = "00000000-0000-0000-0000-000000000000"
      principal_name = "MSI Admin"
      # https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
      role_name            = "User Access Administrator"
      delegated_role_names = ["Contributor", "AcrPull", "AcrPush"]
    },
  ]

  scopes = {
    "Production Subscription" = local.subscription_id
  }
}

Providers

Name	Version
azurerm	~> 4.31

Modules

No modules.

Resources

Name	Type
azurerm_lighthouse_assignment.main	resource
azurerm_lighthouse_definition.main	resource
azurerm_role_definition.builtin_role	data source
azurerm_role_definition.builtin_role_delegated	data source

Inputs

Name	Description	Type	Default	Required
authorizations	List of Authorization objects.	list(object({ principal_id = string principal_name = string role_name = string delegated_role_names = optional(list(string)) }))	n/a	yes
description	A description of the Lighthouse Definition.	string	null	no
managed_subscription_id	The ID of the managed Subscription that will contains the Lighthouse Definition. (Recommended to use Management or Shared-Services Subscription in a Landing Zone context.)	string	n/a	yes
managing_tenant_id	The ID of the managing Tenant.	string	n/a	yes
name	The name of the Lighthouse Definition.	string	n/a	yes
scopes	Map of 'name => Scope IDs' to associate the Lighthouse definition (Subscription ID or Resource Group ID).	map(string)	n/a	yes

Outputs

Name	Description
id	Lighthouse definition ID.
resource	Lighthouse resource object.
resource_assignments	Lighthouse assignment resource objects.

Related documentation

• Microsoft Azure Lighthouse documentation: docs.microsoft.com/en-us/azure/lighthouse