feat: finer control over scope and service principal names

Author: Felix Zieger

main.tf

@@ -12,16 +12,30 @@ terraform {
   }
 }
 
-data "azurerm_management_group" "root" {
-  name = var.mgmt_group_name
+data "azurerm_management_group" "replicator_custom_role_scope" {
+  name = var.replicator_custom_role_scope
 }
 
+data "azurerm_management_group" "replicator_assignment_scopes" {
+  for_each = var.replicator_assignment_scopes
+  name     = each.key
+}
+
+locals {
+  replicator_assignment_scopes = [
+    for management_group in data.azurerm_management_group.replicator_assignment_scopes : management_group.id
+  ]
+}
+
+data "azuread_client_config" "current" {}
+
 module "replicator_service_principal" {
   count  = var.replicator_enabled || var.replicator_rg_enabled ? 1 : 0
   source = "./modules/meshcloud-replicator-service-principal/"
 
-  service_principal_name_suffix = var.service_principal_name_suffix
-  scope                         = data.azurerm_management_group.root.id
+  service_principal_name = var.replicator_service_principal_name
+  custom_role_scope      = data.azurerm_management_group.replicator_custom_role_scope.id
+  assignment_scopes      = local.replicator_assignment_scopes
 
   additional_required_resource_accesses = var.additional_required_resource_accesses
   additional_permissions                = var.additional_permissions
@@ -31,15 +45,8 @@ module "metering_service_principal" {
   count  = var.metering_enabled ? 1 : 0
   source = "./modules/meshcloud-metering-service-principal/"
 
-  service_principal_name_suffix = var.service_principal_name_suffix
-  scope                         = data.azurerm_management_group.root.id
-}
-
-module "idp_lookup_service_principal" {
-  count  = var.idplookup_enabled ? 1 : 0
-  source = "./modules/meshcloud-idp-lookup-service-principal/"
-
-  service_principal_name_suffix = var.service_principal_name_suffix
+  service_principal_name = var.metering_service_principal_name
+  assignment_scope       = data.azuread_client_config.current.tenant_id
 }
 
 # facilitate migration from v0.1.0 of the module

modules/meshcloud-metering-service-principal/module.tf

@@ -20,7 +20,7 @@ terraform {
 //---------------------------------------------------------------------------
 # For now we are using the following built-in role
 resource "azurerm_role_assignment" "meshcloud_metering" {
-  scope                = var.scope
+  scope                = var.assignment_scope
   role_definition_name = "Cost Management Reader"
   principal_id         = azuread_service_principal.meshcloud_metering.id
   depends_on           = [azuread_service_principal.meshcloud_metering]
@@ -31,7 +31,7 @@ resource "azurerm_role_assignment" "meshcloud_metering" {
 // Create New application in Microsoft Entra ID
 //---------------------------------------------------------------------------
 resource "azuread_application" "meshcloud_metering" {
-  display_name = "metering.${var.service_principal_name_suffix}"
+  display_name = var.service_principal_name
 
   feature_tags {
     enterprise = true

modules/meshcloud-metering-service-principal/variables.tf

@@ -1,9 +1,9 @@
-variable "service_principal_name_suffix" {
+variable "service_principal_name" {
   type        = string
-  description = "Service principal name suffix."
+  description = "Service principal name. Must be unique per Entra ID."
 }
 
-variable "scope" {
+variable "assignment_scope" {
   type        = string
   description = "The scope to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions."
 }

modules/meshcloud-replicator-service-principal/module.tf

@@ -19,8 +19,8 @@ terraform {
 // Role Definition for the Replicator on the specified Scope
 //---------------------------------------------------------------------------
 resource "azurerm_role_definition" "meshcloud_replicator" {
-  name        = "replicator.${var.service_principal_name_suffix}"
-  scope       = var.scope
+  name        = var.service_principal_name
+  scope       = var.custom_role_scope
   description = "Permissions required by meshcloud in order to configure subscriptions and manage users"
 
   permissions {
@@ -59,7 +59,7 @@ resource "azurerm_role_definition" "meshcloud_replicator" {
   }
 
   assignable_scopes = [
-    var.scope
+    var.custom_role_scope
   ]
 }
 
@@ -83,7 +83,7 @@ data "azuread_application_template" "enterprise_app" {
   template_id = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
 }
 resource "azuread_application" "meshcloud_replicator" {
-  display_name = "replicator.${var.service_principal_name_suffix}"
+  display_name = var.service_principal_name
   template_id  = data.azuread_application_template.enterprise_app.template_id
   feature_tags {
     enterprise = true
@@ -173,7 +173,8 @@ resource "azuread_service_principal" "meshcloud_replicator" {
 // Assign the created ARM role to the Enterprise application
 //---------------------------------------------------------------------------
 resource "azurerm_role_assignment" "meshcloud_replicator" {
-  scope              = var.scope
+  for_each           = var.assignment_scopes
+  scope              = each.key
   role_definition_id = azurerm_role_definition.meshcloud_replicator.role_definition_resource_id
   principal_id       = azuread_service_principal.meshcloud_replicator.id
   depends_on         = [azuread_service_principal.meshcloud_replicator]
@@ -213,7 +214,7 @@ resource "azurerm_policy_definition" "privilege_escalation_prevention" {
   policy_type         = "Custom"
   mode                = "All"
   display_name        = "meshcloud Privilege Escalation Prevention"
-  management_group_id = var.scope
+  management_group_id = var.custom_role_scope
 
   policy_rule = <<RULE
   {
@@ -240,5 +241,5 @@ RULE
 resource "azurerm_management_group_policy_assignment" "privilege-escalation-prevention" {
   name                 = "mesh-priv-escal-prev"
   policy_definition_id = azurerm_policy_definition.privilege_escalation_prevention.id
-  management_group_id  = var.scope
+  management_group_id  = var.custom_role_scope
 }

modules/meshcloud-replicator-service-principal/variables.tf

@@ -1,11 +1,16 @@
-variable "service_principal_name_suffix" {
+variable "service_principal_name" {
   type        = string
-  description = "Service principal name suffix."
+  description = "Display name of the replicator service principal."
 }
 
-variable "scope" {
+variable "custom_role_scope" {
   type        = string
-  description = "The scope to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions."
+  description = "The scope to which Service Principal permissions can be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions."
+}
+
+variable "assignment_scopes" {
+  type        = list(string)
+  description = "The scopes to which Service Principal permissions is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`."
 }
 
 variable "additional_required_resource_accesses" {
@@ -24,4 +29,4 @@ variable "replicator_rg_enabled" {
   type        = bool
   default     = false
   description = "Whether the created replicator Service Principal should be usable for Azure Resource Group based replication."
-}
+}

variables.tf

@@ -1,11 +1,18 @@
-variable "service_principal_name_suffix" {
+variable "replicator_service_principal_name" {
   type        = string
-  description = "Service principal name suffix. Make sure this is unique."
+  default     = "replicator"
+  description = "Service principal for managing subscriptions. Replicator is the name of the meshStack component. Name must be unique per Entra ID."
 }
 
-variable "mgmt_group_name" {
+variable "metering_service_principal_name" {
   type        = string
-  description = "The name or UUID of the Management Group."
+  default     = "kraken"
+  description = "Service principal for collecting cost data. Kraken ist the name of the meshStack component. Name must be unique per Entra ID."
+}
+
+variable "replicator_assignment_scopes" {
+  type        = list(string)
+  description = "Names or UUIDs of the Management Groups which replicator should manage."
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -19,6 +26,12 @@ variable "replicator_enabled" {
   description = "Whether to create replicator Service Principal or not."
 }
 
+variable "replicator_custom_role_scope" {
+  type        = string
+  default     = "Tenant Root Group"
+  description = "Name or UUID of the Management Group of the replicator custom role definition. The custom role definition must be available for all assignment scopes."
+}
+
 variable "replicator_rg_enabled" {
   type        = bool
   default     = false