feat: add comments for replicator and metering module

Author: ishabakeh

modules/meshcloud-metering-service-principal/README.md

@@ -0,0 +1,45 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.18.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.18.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azuread_application.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application) | resource |
+| [azuread_service_principal.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
+| [azuread_service_principal_password.service_principal_pw](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal_password) | resource |
+| [azurerm_role_assignment.meshcloud_metering](https://registry.terraform.io/providers/hashicorp/azurerm/3.3.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.meshcloud_metering_cloud_inventory](https://registry.terraform.io/providers/hashicorp/azurerm/3.3.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.meshcloud_metering_cloud_inventory_role](https://registry.terraform.io/providers/hashicorp/azurerm/3.3.0/docs/resources/role_definition) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions. | `string` | n/a | yes |
+| <a name="input_service_principal_name_suffix"></a> [service\_principal\_name\_suffix](#input\_service\_principal\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_service_principal"></a> [service\_principal](#output\_service\_principal) | Service Principal application id and object id |
+| <a name="output_service_principal_password"></a> [service\_principal\_password](#output\_service\_principal\_password) | Password for the Service Principal. |
+<!-- END_TF_DOCS -->

modules/meshcloud-metering-service-principal/module.tf

@@ -0,0 +1,122 @@
+//---------------------------------------------------------------------------
+// Terraform Settings
+//---------------------------------------------------------------------------
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.3.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.18.0"
+    }
+  }
+}
+
+# At this point, we would have liked to use a custom role for the following reasons:
+# - permissions are explicitedly stated and can easily be fine tuned in the future
+# - we are independent of changes to Built-In Roles by Microsoft
+# - we could have restricted the existence of the role to just it's scope
+# HOWEVER, since Microsoft decided you cannot assign the 'Microsoft.Billing/billingPeriods/read' via the api (Status=400 Code="InvalidActionOrNotAction" Message="'Microsoft.Billing/billingPeriods/read' does not match any of the actions supported by the providers.")
+# we have to use a built in role for now that has that permission. If in the future they fix this problem, we can use the following custom role snippet
+# resource azurerm_role_definition meshcloud_metering {
+#   name        = "metering.${var.service_principal_name_suffix}"
+#   scope       = var.scope
+#   description = "Permissions required by meshcloud in order to supply billing and usage data via its metering module"
+
+#   permissions {
+#     actions = [
+#       "Microsoft.Consumption/*/read",
+#       "Microsoft.CostManagement/*/read",
+#       "Microsoft.Billing/billingPeriods/read",
+#       "Microsoft.Resources/subscriptions/read",
+#       "Microsoft.Resources/subscriptions/resourceGroups/read",
+#       "Microsoft.Support/*",
+#       "Microsoft.Advisor/configurations/read",
+#       "Microsoft.Advisor/recommendations/read",
+#       "Microsoft.Management/managementGroups/read"
+#     ]
+#   }
+
+#   assignable_scopes = [
+#     var.scope
+#   ]
+# }
+
+//---------------------------------------------------------------------------
+// Assign Cost Management reader role to the enterprise application
+//---------------------------------------------------------------------------
+# For now we are using the following built-in role
+resource "azurerm_role_assignment" "meshcloud_metering" {
+  scope                = var.scope
+  role_definition_name = "Cost Management Reader"
+  principal_id         = azuread_service_principal.meshcloud_metering.id
+}
+
+//---------------------------------------------------------------------------
+// Create custom role definition 
+//---------------------------------------------------------------------------
+# If more resources are collected in the future, the permissions to read those should be added here.
+resource "azurerm_role_definition" "meshcloud_metering_cloud_inventory_role" {
+  name        = "metering.${var.service_principal_name_suffix}_cloud_inventory_role"
+  scope       = var.scope
+  description = "Permissions required by meshcloud in order to collect information about resources in the metering module"
+
+  permissions {
+    actions = [
+      "Microsoft.Network/publicIPAddresses/read",
+      "Microsoft.Network/networkInterfaces/read",
+      "Microsoft.Compute/virtualMachines/*/read"
+    ]
+  }
+
+  assignable_scopes = [
+    var.scope
+  ]
+}
+
+//---------------------------------------------------------------------------
+// Assign Custom role to the enterprise application
+//---------------------------------------------------------------------------
+resource "azurerm_role_assignment" "meshcloud_metering_cloud_inventory" {
+  scope              = var.scope
+  role_definition_id = azurerm_role_definition.meshcloud_metering_cloud_inventory_role.role_definition_resource_id
+  principal_id       = azuread_service_principal.meshcloud_metering.id
+}
+
+//---------------------------------------------------------------------------
+// Create New application in Microsoft Entra ID
+//---------------------------------------------------------------------------
+resource "azuread_application" "meshcloud_metering" {
+  display_name = "metering.${var.service_principal_name_suffix}"
+
+  web {
+    implicit_grant {
+      access_token_issuance_enabled = false
+    }
+  }
+
+}
+
+//---------------------------------------------------------------------------
+// Create New Enterprise application and associate it with the previously created app
+//---------------------------------------------------------------------------
+resource "azuread_service_principal" "meshcloud_metering" {
+  application_id = azuread_application.meshcloud_metering.application_id
+}
+
+//---------------------------------------------------------------------------
+// Create a password for the Enterprise application
+//---------------------------------------------------------------------------
+resource "azuread_service_principal_password" "service_principal_pw" {
+  service_principal_id = azuread_service_principal.meshcloud_metering.id
+  end_date             = "2999-01-01T01:02:03Z" # no expiry
+}
+
+# facilitate migration from v0.1.0 of the module
+moved {
+  from = azuread_service_principal_password.spp_pw
+  to   = azuread_service_principal_password.service_principal_pw
+}

modules/meshcloud-metering-service-principal/outputs.tf

@@ -0,0 +1,14 @@
+output "service_principal" {
+  description = "Service Principal application id and object id"
+  value = {
+    object_id = azuread_service_principal.meshcloud_metering.id
+    app_id    = azuread_service_principal.meshcloud_metering.application_id
+    password  = "Execute `terraform output service_principal_password` to see the password"
+  }
+}
+
+output "service_principal_password" {
+  description = "Password for the Service Principal."
+  value       = azuread_service_principal_password.service_principal_pw.value
+  sensitive   = true
+}

modules/meshcloud-metering-service-principal/variables.tf

@@ -0,0 +1,9 @@
+variable "service_principal_name_suffix" {
+  type        = string
+  description = "Service principal name suffix."
+}
+
+variable "scope" {
+  type        = string
+  description = "The scope to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions."
+}

modules/meshcloud-replicator-service-principal/module.tf

@@ -1,4 +1,6 @@
-
+//---------------------------------------------------------------------------
+// Terraform Settings
+//---------------------------------------------------------------------------
 terraform {
   required_version = ">= 1.0"
   required_providers {
@@ -13,6 +15,9 @@ terraform {
   }
 }
 
+//---------------------------------------------------------------------------
+// Role Definition for the Replicator on the specified Scope
+//---------------------------------------------------------------------------
 resource "azurerm_role_definition" "meshcloud_replicator" {
   name        = "replicator.${var.service_principal_name_suffix}"
   scope       = var.scope
@@ -59,12 +64,20 @@ resource "azurerm_role_definition" "meshcloud_replicator" {
   ]
 }
 
+//---------------------------------------------------------------------------
+// Queries Entra ID for information about well-known application IDs.
+// Retrieve details about the service principal 
+//---------------------------------------------------------------------------
+
 data "azuread_application_published_app_ids" "well_known" {}
 
 data "azuread_service_principal" "msgraph" {
   application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
 }
 
+//---------------------------------------------------------------------------
+// Create New application in Microsoft Entra ID
+//---------------------------------------------------------------------------
 resource "azuread_application" "meshcloud_replicator" {
   display_name = "replicator.${var.service_principal_name_suffix}"
 
@@ -119,6 +132,9 @@ resource "azuread_application" "meshcloud_replicator" {
   }
 }
 
+//---------------------------------------------------------------------------
+// Create new Enterprise Application and associate it with the previous application
+//---------------------------------------------------------------------------
 resource "azuread_service_principal" "meshcloud_replicator" {
   application_id = azuread_application.meshcloud_replicator.application_id
   # The following tags are needed to create an Enterprise Application
@@ -128,12 +144,18 @@ resource "azuread_service_principal" "meshcloud_replicator" {
   ]
 }
 
+//---------------------------------------------------------------------------
+// Assign the created ARM role to the Enterprise application
+//---------------------------------------------------------------------------
 resource "azurerm_role_assignment" "meshcloud_replicator" {
   scope              = var.scope
   role_definition_id = azurerm_role_definition.meshcloud_replicator.role_definition_resource_id
   principal_id       = azuread_service_principal.meshcloud_replicator.id
 }
 
+//---------------------------------------------------------------------------
+// Assign Entra ID Roles to the Enterprise application
+//---------------------------------------------------------------------------
 resource "azuread_app_role_assignment" "meshcloud_replicator-directory" {
   app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
   principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
@@ -152,11 +174,19 @@ resource "azuread_app_role_assignment" "meshcloud_replicator-user" {
   resource_object_id  = data.azuread_service_principal.msgraph.object_id
 }
 
+//---------------------------------------------------------------------------
+// Generate new password for the service principal
+//---------------------------------------------------------------------------
 resource "azuread_service_principal_password" "service_principal_pw" {
   service_principal_id = azuread_service_principal.meshcloud_replicator.id
   end_date             = "2999-01-01T01:02:03Z" # no expiry
 }
 
+
+//---------------------------------------------------------------------------
+// Policy Definition for preventing the Application from assigning other privileges to itself
+// Assign it to the specified scope
+//---------------------------------------------------------------------------
 resource "azurerm_policy_definition" "privilege_escalation_prevention" {
   name                = "meshcloud-privilege-escalation-prevention"
   policy_type         = "Custom"
@@ -185,6 +215,7 @@ resource "azurerm_policy_definition" "privilege_escalation_prevention" {
 RULE
 }
 
+
 resource "azurerm_management_group_policy_assignment" "privilege-escalation-prevention" {
   name                 = "mesh-priv-escal-prev"
   policy_definition_id = azurerm_policy_definition.privilege_escalation_prevention.id