feat: multiple mca service principals

Author: malhussan

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v0.8.0]
+
+### Changed
+
+- Multiple MCA service principals support
+
 ## [v0.7.0]
 
 ### Added

README.md

@@ -85,7 +85,9 @@ To run this module, you need the following:
 
 - Ensure you have permissions in the source AAD Tenant for granting access to the billing account used for subscription creation using the `Account Administrator` role
 
-**Create an MCA service principal**:
+**Create MCA service principals**:
+
+> With this module, you can create multiple MCA service principals by passing a list of `mca.service_principal_names`. This is useful for environments with restricted acceses to the AAD tenant holding the MCA license.
 
 Add an `mca` block when calling this module.
 
@@ -97,17 +99,14 @@ module "meshplatform" {
   # required inputs
 
   mca = {
-      source_tenant          = "<aad-tenant-id>"
-      service_principal_name = "your-mca-sp-name"
-      billing_account_name   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx"
-      billing_profile_name   = "xxxx-xxxx-xxx-xxx"
-      invoice_section_name   = "xxxx-xxxx-xxx-xxx"
+      service_principal_names = ["your-mca-sp-name-1", "your-mca-sp-name-2", "..."]
+      billing_account_name    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx"
+      billing_profile_name    = "xxxx-xxxx-xxx-xxx"
+      invoice_section_name    = "xxxx-xxxx-xxx-xxx"
   }
 }
 ```
 
-> note that the source_tenant is the tenant ID of the AAD with the billing account in which you can create subscriptions. This module supports creating MCA and Replicator service principals in different AAD tenants.
-
 ### Using Pre-provisioned Subscriptions
 
 meshStack will need to be able to read subscriptions at the source location
@@ -197,7 +196,7 @@ Before opening a Pull Request, please do the following:
 | <a name="input_can_cancel_subscriptions_in_scopes"></a> [can\_cancel\_subscriptions\_in\_scopes](#input\_can\_cancel\_subscriptions\_in\_scopes) | The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`. | `list(string)` | `[]` | no |
 | <a name="input_can_delete_rgs_in_scopes"></a> [can\_delete\_rgs\_in\_scopes](#input\_can\_delete\_rgs\_in\_scopes) | The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`. | `list(string)` | `[]` | no |
 | <a name="input_create_passwords"></a> [create\_passwords](#input\_create\_passwords) | Create passwords for service principals. | `bool` | `true` | no |
-| <a name="input_mca"></a> [mca](#input\_mca) | n/a | <pre>object({<br>    source_tenant          = string<br>    service_principal_name = string<br>    billing_account_name   = string<br>    billing_profile_name   = string<br>    invoice_section_name   = string<br>  })</pre> | `null` | no |
+| <a name="input_mca"></a> [mca](#input\_mca) | n/a | <pre>object({<br>    service_principal_names = list(string)<br>    billing_account_name    = string<br>    billing_profile_name    = string<br>    invoice_section_name    = string<br>  })</pre> | `null` | no |
 | <a name="input_metering_assignment_scopes"></a> [metering\_assignment\_scopes](#input\_metering\_assignment\_scopes) | Names or UUIDs of the Management Groups that kraken should collect costs for. | `list(string)` | n/a | yes |
 | <a name="input_metering_enabled"></a> [metering\_enabled](#input\_metering\_enabled) | Whether to create Metering Service Principal or not. | `bool` | `true` | no |
 | <a name="input_metering_service_principal_name"></a> [metering\_service\_principal\_name](#input\_metering\_service\_principal\_name) | Service principal for collecting cost data. Kraken ist the name of the meshStack component. Name must be unique per Entra ID. | `string` | `"kraken"` | no |

main.tf

@@ -16,22 +16,6 @@ terraform {
   }
 }
 
-provider "azapi" {
-  alias                      = "azapi_mca_source"
-  tenant_id                  = var.mca.source_tenant
-  skip_provider_registration = true
-}
-provider "azuread" {
-  alias     = "azuread_mca_source"
-  tenant_id = var.mca.source_tenant
-}
-provider "azurerm" {
-  features {}
-  alias                      = "azurerm_mca_source"
-  tenant_id                  = var.mca.source_tenant
-  skip_provider_registration = true
-}
-
 data "azurerm_management_group" "replicator_custom_role_scope" {
   name = var.replicator_custom_role_scope
 }
@@ -88,16 +72,10 @@ module "replicator_service_principal" {
 }
 
 module "mca_service_principal" {
-  providers = {
-    azapi   = azapi.azapi_mca_source
-    azurerm = azurerm.azurerm_mca_source
-    azuread = azuread.azuread_mca_source
-  }
-
   count  = var.mca != null ? 1 : 0
   source = "./modules/meshcloud-mca-service-principal"
 
-  service_principal_name = var.mca.service_principal_name
+  service_principal_names = var.mca.service_principal_names
 
   billing_account_name = var.mca.billing_account_name
   billing_profile_name = var.mca.billing_profile_name

modules/meshcloud-mca-service-principal/module.tf

@@ -28,11 +28,13 @@ data "azurerm_billing_mca_account_scope" "mca" {
 }
 
 resource "azuread_application" "mca" {
-  display_name = var.service_principal_name
+  for_each     = toset(var.service_principal_names)
+  display_name = each.key
 }
 
 resource "azuread_service_principal" "mca" {
-  client_id = azuread_application.mca.client_id
+  for_each  = toset(var.service_principal_names)
+  client_id = azuread_application.mca[each.key].client_id
 }
 
 data "azapi_resource_list" "billing_role_definitions" {
@@ -49,6 +51,8 @@ locals {
 }
 
 resource "azapi_resource_action" "add_role_assignment_subscription_creator" {
+  for_each = toset(var.service_principal_names)
+
   type                   = "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections@2019-10-01-preview"
   resource_id            = data.azurerm_billing_mca_account_scope.mca.id
   action                 = "createBillingRoleAssignment"
@@ -57,15 +61,17 @@ resource "azapi_resource_action" "add_role_assignment_subscription_creator" {
   response_export_values = ["*"]
   body = jsonencode({
     properties = {
-      principalId      = azuread_service_principal.mca.object_id
+      principalId      = azuread_service_principal.mca[each.key].object_id
       roleDefinitionId = local.azure_subscription_creator_role_id
     }
   })
 }
 
 resource "azapi_resource_action" "remove_role_assignment_subscription_creator" {
+  for_each = toset(var.service_principal_names)
+
   type        = "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingRoleAssignments@2019-10-01-preview"
-  resource_id = jsondecode(azapi_resource_action.add_role_assignment_subscription_creator.output).id
+  resource_id = jsondecode(azapi_resource_action.add_role_assignment_subscription_creator[each.key].output).id
   method      = "DELETE"
   when        = "destroy"
 }
@@ -78,7 +84,9 @@ resource "time_rotating" "mca_secret_rotation" {
 }
 
 resource "azuread_application_password" "mca" {
-  application_id = azuread_application.mca.id
+  for_each = toset(var.service_principal_names)
+
+  application_id = azuread_application.mca[each.key].id
   rotate_when_changed = {
     rotation = time_rotating.mca_secret_rotation.id
   }

modules/meshcloud-mca-service-principal/outputs.tf

@@ -5,15 +5,17 @@ output "billing_scope" {
 output "credentials" {
   description = "Service Principal application id and object id"
   value = {
-    Enterprise_Application_Object_ID = azuread_service_principal.mca.id
-    Application_Client_ID            = azuread_application.mca.client_id
-    Client_Secret                    = "Execute `terraform output mca_service_principal_password` to see the password"
+    for name in var.service_principal_names : name => {
+      Enterprise_Application_Object_ID = azuread_service_principal.mca[name].object_id
+      Application_Client_ID            = azuread_application.mca[name].client_id
+      Client_Secret                    = "Execute `terraform output mca_service_principal_password` to see the password"
+    }
   }
 }
 
 output "application_client_secret" {
   description = "Client Secret Of the Application."
-  value       = azuread_application_password.mca.value
+  value       = { for name in var.service_principal_names : name => azuread_application_password.mca[name].value }
   sensitive   = true
 }
 

modules/meshcloud-mca-service-principal/variables.tf

@@ -1,5 +1,5 @@
-variable "service_principal_name" {
-  type = string
+variable "service_principal_names" {
+  type = list(string)
 }
 
 variable "billing_account_name" {

variables.tf

@@ -107,11 +107,10 @@ variable "workload_identity_federation" {
 
 variable "mca" {
   type = object({
-    source_tenant          = string
-    service_principal_name = string
-    billing_account_name   = string
-    billing_profile_name   = string
-    invoice_section_name   = string
+    service_principal_names = list(string)
+    billing_account_name    = string
+    billing_profile_name    = string
+    invoice_section_name    = string
   })
   default = null
 }