feat: initial azure tf modules

Author: malhussan

.gitignore

@@ -0,0 +1,2 @@
+.terraform
+.terraform.lock.hcl

README.md

@@ -1,2 +1,4 @@
-# terraform-azurerm-meshplatform
-Terraform module to integrate Azure as a meshPlatform
+# meshPlatform Azure Module
+
+Terraform module to integrate Azure as a meshPlatform into meshStack instance.
+

main.tf

@@ -0,0 +1,42 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "2.12.0"
+    }
+  }
+  # Set backend here
+}
+
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_management_group" "root" {
+  name = var.mgmt_group_id
+}
+
+module "replicator_spp" {
+  source = "./modules/meshcloud-replicator-spp/"
+
+  spp_name_suffix = var.spp_name_suffix
+  scope           = data.azurerm_management_group.root.id
+
+  additional_required_resource_accesses = []
+  additional_permissions                = []
+}
+
+module "kraken_spp" {
+  source = "./modules/meshcloud-kraken-spp/"
+
+  spp_name_suffix = var.spp_name_suffix
+  scope           = data.azurerm_management_group.root.id
+}
+
+module "idp_lookup_spp" {
+  source = "./modules/meshcloud-idp-lookup-spp/"
+
+  spp_name_suffix = var.spp_name_suffix
+  scope           = data.azurerm_management_group.root.id
+}

modules/meshcloud-idp-lookup-spp/README.md

@@ -0,0 +1 @@
+This modules creates an Azure Service Principal (Azure SPP) that is used by meshStack for User lookups in AAD IDP.

modules/meshcloud-idp-lookup-spp/module.tf

@@ -0,0 +1,66 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "2.12.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "2.2.1"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "0.9.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+resource "azuread_application" "meshcloud_idp_lookup" {
+  name = "idplookup.${var.spp_name_suffix}"
+
+  oauth2_allow_implicit_flow = false
+
+  required_resource_access {
+    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+
+    # We only require this User.Read.All permission to see all of the Users in the AAD https://docs.microsoft.com/en-us/graph/permissions-reference#microsoft-graph-permission-names
+    # Since this is a role (and not a scope) permission, you also have to enable admin consent in azure portal
+    resource_access {
+      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
+      type = "Role"
+    }
+
+  }
+
+  # NOTE: currently it is not possible to automate the "Grant admin consent button"
+  # https://github.com/terraform-providers/terraform-provider-azuread/issues/33
+  # As a result we have to ignore this value in terraform for now
+  # In addition please keep in mind you have to grant admin consent manually
+  lifecycle {
+    ignore_changes = [
+      app_role
+    ]
+  }
+}
+
+resource "azuread_service_principal" "meshcloud_idp_lookup" {
+  application_id = azuread_application.meshcloud_idp_lookup.application_id
+}
+
+resource "random_password" "spp_pw" {
+  length = 64
+  # Currently there are some passwords which do not allow you to login using az cli (see https://github.com/Azure/azure-cli/issues/12332)
+  # Which is the reason we have set the flag to false
+  special = false
+}
+
+resource "azuread_service_principal_password" "spp_pw" {
+  service_principal_id = azuread_service_principal.meshcloud_idp_lookup.id
+  value                = random_password.spp_pw.result
+  end_date             = "2999-01-01T01:02:03Z" # no expiry
+}

modules/meshcloud-idp-lookup-spp/outputs.tf

@@ -0,0 +1,16 @@
+output "service_principal" {
+  value = {
+    INFO      = "On the very first time running tf apply, you have to run 'az ad app permission admin-consent --id ${azuread_service_principal.meshcloud_idp_lookup.application_id}' or click the 'Grant Admin consent button' in the portal"
+    object_id = azuread_service_principal.meshcloud_idp_lookup.id
+    app_id    = azuread_service_principal.meshcloud_idp_lookup.application_id
+    password  = "Execute `terraform output idp_lookup_spp_password` to see the password"
+  }
+}
+
+output "service_principal_password" {
+  description = "Password for the Service Principal."
+  value = {
+    password = random_password.spp_pw.result
+  }
+  sensitive = true
+}

modules/meshcloud-idp-lookup-spp/variables.tf

@@ -0,0 +1,9 @@
+variable "spp_name_suffix" {
+  type        = string
+  description = "Service principal name suffix."
+}
+
+variable "scope" {
+  type        = string
+  description = "The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions"
+}

modules/meshcloud-kraken-spp/README.md

@@ -0,0 +1 @@
+This modules creates an Azure Service Principal (Azure SPP) that is used by meshStack to import metering data from Azure.

modules/meshcloud-kraken-spp/module.tf

@@ -0,0 +1,105 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "2.12.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "2.2.1"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "0.9.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+# At this point, we would have liked to use a custom role for the following reasons:
+# - permissions are explicitedly stated and can easily be fine tuned in the future
+# - we are independent of changes to Built-In Roles by Microsoft
+# - we could have restricted the existence of the role to just it's scope
+# HOWEVER, since Microsoft decided you cannot assign the 'Microsoft.Billing/billingPeriods/read' via the api (Status=400 Code="InvalidActionOrNotAction" Message="'Microsoft.Billing/billingPeriods/read' does not match any of the actions supported by the providers.")
+# we have to use a built in role for now that has that permission. If in the future they fix this problem, we can use the following custom role snippet
+# resource azurerm_role_definition meshcloud_kraken {
+#   name        = "kraken.${var.spp_name_suffix}"
+#   scope       = var.scope
+#   description = "Permissions required by meshcloud in order to supply billing and usage data via its kraken module"
+
+#   permissions {
+#     actions = [
+#       "Microsoft.Consumption/*/read",
+#       "Microsoft.CostManagement/*/read",
+#       "Microsoft.Billing/billingPeriods/read",
+#       "Microsoft.Resources/subscriptions/read",
+#       "Microsoft.Resources/subscriptions/resourceGroups/read",
+#       "Microsoft.Support/*",
+#       "Microsoft.Advisor/configurations/read",
+#       "Microsoft.Advisor/recommendations/read",
+#       "Microsoft.Management/managementGroups/read"
+#     ]
+#   }
+
+#   assignable_scopes = [
+#     var.scope
+#   ]
+# }
+
+# For now we are using the following built-in role
+resource "azurerm_role_assignment" "meshcloud_kraken" {
+  scope                = var.scope
+  role_definition_name = "Cost Management Reader"
+  principal_id         = azuread_service_principal.meshcloud_kraken.id
+}
+
+# If more resources are collected in the future, the permissions to read those should be added here.
+resource "azurerm_role_definition" "meshcloud_kraken_cloud_inventory_role" {
+  name        = "kraken.${var.spp_name_suffix}_cloud_inventory_role"
+  scope       = var.scope
+  description = "Permissions required by meshcloud in order to collect information about resources in the kraken module"
+
+  permissions {
+    actions = [
+      "Microsoft.Network/publicIPAddresses/read",
+      "Microsoft.Network/networkInterfaces/read",
+      "Microsoft.Compute/virtualMachines/*/read"
+    ]
+  }
+
+  assignable_scopes = [
+    var.scope
+  ]
+}
+
+resource "azurerm_role_assignment" "meshcloud_kraken_cloud_inventory" {
+  scope                = var.scope
+  role_definition_name = azurerm_role_definition.meshcloud_kraken_cloud_inventory_role.name
+  principal_id         = azuread_service_principal.meshcloud_kraken.id
+}
+
+resource "azuread_application" "meshcloud_kraken" {
+  name                       = "kraken.${var.spp_name_suffix}"
+  oauth2_allow_implicit_flow = false
+}
+
+resource "azuread_service_principal" "meshcloud_kraken" {
+  application_id = azuread_application.meshcloud_kraken.application_id
+}
+
+resource "random_password" "spp_pw" {
+  length = 64
+  # Currently there are some passwords which do not allow you to login using az cli (see https://github.com/Azure/azure-cli/issues/12332)
+  # Which is the reason we have set the flag to false
+  special = false
+}
+
+resource "azuread_service_principal_password" "spp_pw" {
+  service_principal_id = azuread_service_principal.meshcloud_kraken.id
+  value                = random_password.spp_pw.result
+  end_date             = "2999-01-01T01:02:03Z" # no expiry
+}

modules/meshcloud-kraken-spp/outputs.tf

@@ -0,0 +1,16 @@
+output "service_principal" {
+  value = {
+    INFO      = "On the very first time running tf apply, you have to run 'az ad app permission admin-consent --id ${azuread_service_principal.meshcloud_kraken.application_id}' or click the 'Grant Admin consent button' in the portal"
+    object_id = azuread_service_principal.meshcloud_kraken.id
+    app_id    = azuread_service_principal.meshcloud_kraken.application_id
+    password  = "Execute `terraform output kraken_spp_password` to see the password"
+  }
+}
+
+output "service_principal_password" {
+  description = "Password for the Service Principal."
+  value = {
+    password = random_password.spp_pw.result
+  }
+  sensitive = true
+}