Upgrade azurerm and azuread providers

- Includes changes to parameters that were deprecated.
- Includes additions/modifications to the README file

Author: malhussan

README.md

@@ -15,11 +15,18 @@ Tenant wide admin consent must be granted for a succesful meshPlatform setup. Th
 
 ## How to use this module
 
+Prerequisites:
+
+- [Azure CLI installed](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
+- [Terraform installed](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+
+### Using Azure Portal
+
 1. Login into [Azure Portal](https://portal.azure.com/) with your Admin user.
 
 2. Open a cloud shell.
 
-3. Create a directory and change into it 
+3. Create a directory and change into it
 
     ```sh
     mkdir terraform-azure-meshplatform
@@ -53,6 +60,34 @@ Tenant wide admin consent must be granted for a succesful meshPlatform setup. Th
     terraform output -json
     ```
 
+### Using CLI
+  
+1. Login with az CLI
+   ```sh
+   az login --tenant TENANT_ID
+   ```
+2. Create a directory and change into it
+   ```sh
+   mkdir terraform-azure-meshplatform
+   cd terraform-azure-meshplatform
+   ```
+
+3. Create a `main.tf` and an `output.tf` files in the created directory that references this module
+   > Sample files can be found in [examples](./examples/basic-azure-integration)
+
+4. Run
+
+    ```sh
+    terraform init
+    terraform apply
+    ```
+
+5. Access terraform output and pass it securely to meshcloud.
+
+    ```sh
+    # The JSON output contains sensitive values that must not be transmitted to meshcloud in plain text.
+    terraform output -json
+    ```
 ## Advanced Usage
 
 The default case creates kraken, replicator and idplookup service principals.
@@ -61,8 +96,8 @@ The default case creates kraken, replicator and idplookup service principals.
 module "meshplatform" {
   source = "git@github.com:meshcloud/terraform-azure-meshplatform.git"
 
-  spp_name_suffix = "unique-name"
-  mgmt_group_name = "management-group-name"
+  spp_name_suffix = "UNIQUE_NAME"
+  mgmt_group_name = "MANAGEMENT_GROUP_NAME|MANAGEMENT_GROUP_UUID"
 }
 ```
 
@@ -72,8 +107,8 @@ If UAMI blueprint user principal is needed, you also need to pass a list of subs
 module "meshplatform" {
   source = "git@github.com:meshcloud/terraform-azure-meshplatform.git"
 
-  spp_name_suffix = "unique-name"
-  mgmt_group_name = "management-group-name"
+  spp_name_suffix = "UNIQUE_NAME"
+  mgmt_group_name = "MANAGEMENT_GROUP_NAME|MANAGEMENT_GROUP_UUID"
 
   subscriptions = [
     "abcdefgh-abcd-efgh-abcd-abcdefgh1234"
@@ -87,8 +122,10 @@ module "meshplatform" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.12.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.18.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.97.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | 2.2.1 |
 
 ## Providers
 
@@ -109,7 +146,7 @@ module "meshplatform" {
 
 | Name | Type |
 |------|------|
-| [azurerm_management_group.root](https://registry.terraform.io/providers/hashicorp/azurerm/2.12.0/docs/data-sources/management_group) | data source |
+| [azurerm_management_group.root](https://registry.terraform.io/providers/hashicorp/azurerm/2.97.0/docs/data-sources/management_group) | data source |
 
 ## Inputs
 

examples/basic-azure-integration/main.tf

@@ -0,0 +1,15 @@
+# It is recommended to setup a backend to store the terraform state file
+# Removing the backend leads to terraform state output stored in the local filesystem.
+terraform {
+  backend "gcs" {
+    prefix = "meshplatforms/azure"
+    bucket = "my-terraform-states"
+  }
+}
+
+module "meshplatform" {
+  source = "git@github.com:meshcloud/terraform-azure-meshplatform.git"
+
+  spp_name_suffix = "UNIQUE_NAME"
+  mgmt_group_name = "MANAGEMENT_GROUP_NAME|MANAGEMENT_GROUP_UUID"
+}

examples/basic-azure-integration/outputs.tf

@@ -0,0 +1,45 @@
+
+output "replicator_spp" {
+  description = "Replicator Service Principal."
+  value = {
+    output = module.meshplatform.replicator_spp
+  }
+}
+
+output "replicator_spp_password" {
+  description = "Password for Replicator Service Principal."
+  value = {
+    password = module.meshplatform.replicator_spp_password
+  }
+  sensitive = true
+}
+
+output "kraken_spp" {
+  description = "Kraken Service Principal."
+  value = {
+    output = module.meshplatform.kraken_spp
+  }
+}
+
+output "kraken_spp_password" {
+  description = "Password for Kraken Service Principal."
+  value = {
+    password = module.meshplatform.kraken_spp_password
+  }
+  sensitive = true
+}
+
+output "uami_blueprint_user_principal" {
+  description = "UAMI Blueprint Assignment Service Principal."
+  value = {
+    output = module.meshplatform.uami_blueprint_user_principal
+  }
+}
+
+output "uami_blueprint_user_principal_password" {
+  description = "Password for UAMI Blueprint Assignment Service Principal."
+  value = {
+    password = module.meshplatform.uami_blueprint_user_principal_password
+  }
+  sensitive = true
+}

main.tf

@@ -1,12 +1,19 @@
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.0"
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "2.12.0"
+      version = "2.97.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "2.2.1"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.18.0"
     }
   }
-  # Set backend here
 }
 
 provider "azurerm" {

modules/meshcloud-idp-lookup-spp/README.md

@@ -3,16 +3,15 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 0.9.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.12.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.18.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.97.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | 2.2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 0.9.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 2.2.1 |
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.18.0 |
 
 ## Modules
 
@@ -22,10 +21,9 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azuread_application.meshcloud_idp_lookup](https://registry.terraform.io/providers/hashicorp/azuread/0.9.0/docs/resources/application) | resource |
-| [azuread_service_principal.meshcloud_idp_lookup](https://registry.terraform.io/providers/hashicorp/azuread/0.9.0/docs/resources/service_principal) | resource |
-| [azuread_service_principal_password.spp_pw](https://registry.terraform.io/providers/hashicorp/azuread/0.9.0/docs/resources/service_principal_password) | resource |
-| [random_password.spp_pw](https://registry.terraform.io/providers/hashicorp/random/2.2.1/docs/resources/password) | resource |
+| [azuread_application.meshcloud_idp_lookup](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application) | resource |
+| [azuread_service_principal.meshcloud_idp_lookup](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
+| [azuread_service_principal_password.spp_pw](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal_password) | resource |
 
 ## Inputs
 

modules/meshcloud-idp-lookup-spp/module.tf

@@ -3,24 +3,27 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "2.12.0"
+      version = "2.97.0"
     }
     random = {
       source  = "hashicorp/random"
       version = "2.2.1"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "0.9.0"
+      version = "2.18.0"
     }
   }
 }
 
 resource "azuread_application" "meshcloud_idp_lookup" {
-  name = "idplookup.${var.spp_name_suffix}"
-
-  oauth2_allow_implicit_flow = false
+  display_name = "idplookup.${var.spp_name_suffix}"
 
+  web {
+    implicit_grant {
+      access_token_issuance_enabled = false
+    }
+  }
   required_resource_access {
     resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
 
@@ -48,15 +51,7 @@ resource "azuread_service_principal" "meshcloud_idp_lookup" {
   application_id = azuread_application.meshcloud_idp_lookup.application_id
 }
 
-resource "random_password" "spp_pw" {
-  length = 64
-  # Currently there are some passwords which do not allow you to login using az cli (see https://github.com/Azure/azure-cli/issues/12332)
-  # Which is the reason we have set the flag to false
-  special = false
-}
-
 resource "azuread_service_principal_password" "spp_pw" {
   service_principal_id = azuread_service_principal.meshcloud_idp_lookup.id
-  value                = random_password.spp_pw.result
   end_date             = "2999-01-01T01:02:03Z" # no expiry
 }

modules/meshcloud-idp-lookup-spp/outputs.tf

@@ -10,7 +10,7 @@ output "service_principal" {
 output "service_principal_password" {
   description = "Password for the Service Principal."
   value = {
-    password = random_password.spp_pw.result
+    password = azuread_service_principal_password.spp_pw.value
   }
   sensitive = true
 }

modules/meshcloud-kraken-spp/README.md

@@ -3,17 +3,16 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 0.9.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.12.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.18.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.97.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | 2.2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 0.9.0 |
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 2.12.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 2.2.1 |
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.18.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 2.97.0 |
 
 ## Modules
 
@@ -23,13 +22,12 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azuread_application.meshcloud_kraken](https://registry.terraform.io/providers/hashicorp/azuread/0.9.0/docs/resources/application) | resource |
-| [azuread_service_principal.meshcloud_kraken](https://registry.terraform.io/providers/hashicorp/azuread/0.9.0/docs/resources/service_principal) | resource |
-| [azuread_service_principal_password.spp_pw](https://registry.terraform.io/providers/hashicorp/azuread/0.9.0/docs/resources/service_principal_password) | resource |
-| [azurerm_role_assignment.meshcloud_kraken](https://registry.terraform.io/providers/hashicorp/azurerm/2.12.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.meshcloud_kraken_cloud_inventory](https://registry.terraform.io/providers/hashicorp/azurerm/2.12.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.meshcloud_kraken_cloud_inventory_role](https://registry.terraform.io/providers/hashicorp/azurerm/2.12.0/docs/resources/role_definition) | resource |
-| [random_password.spp_pw](https://registry.terraform.io/providers/hashicorp/random/2.2.1/docs/resources/password) | resource |
+| [azuread_application.meshcloud_kraken](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application) | resource |
+| [azuread_service_principal.meshcloud_kraken](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
+| [azuread_service_principal_password.spp_pw](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal_password) | resource |
+| [azurerm_role_assignment.meshcloud_kraken](https://registry.terraform.io/providers/hashicorp/azurerm/2.97.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.meshcloud_kraken_cloud_inventory](https://registry.terraform.io/providers/hashicorp/azurerm/2.97.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.meshcloud_kraken_cloud_inventory_role](https://registry.terraform.io/providers/hashicorp/azurerm/2.97.0/docs/resources/role_definition) | resource |
 
 ## Inputs
 

modules/meshcloud-kraken-spp/module.tf

@@ -3,15 +3,15 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "2.12.0"
+      version = "2.97.0"
     }
     random = {
       source  = "hashicorp/random"
       version = "2.2.1"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "0.9.0"
+      version = "2.18.0"
     }
   }
 }
@@ -79,23 +79,21 @@ resource "azurerm_role_assignment" "meshcloud_kraken_cloud_inventory" {
 }
 
 resource "azuread_application" "meshcloud_kraken" {
-  name                       = "kraken.${var.spp_name_suffix}"
-  oauth2_allow_implicit_flow = false
+  display_name = "kraken.${var.spp_name_suffix}"
+
+  web {
+    implicit_grant {
+      access_token_issuance_enabled = false
+    }
+  }
+
 }
 
 resource "azuread_service_principal" "meshcloud_kraken" {
   application_id = azuread_application.meshcloud_kraken.application_id
 }
 
-resource "random_password" "spp_pw" {
-  length = 64
-  # Currently there are some passwords which do not allow you to login using az cli (see https://github.com/Azure/azure-cli/issues/12332)
-  # Which is the reason we have set the flag to false
-  special = false
-}
-
 resource "azuread_service_principal_password" "spp_pw" {
   service_principal_id = azuread_service_principal.meshcloud_kraken.id
-  value                = random_password.spp_pw.result
   end_date             = "2999-01-01T01:02:03Z" # no expiry
 }

modules/meshcloud-kraken-spp/outputs.tf

@@ -10,7 +10,7 @@ output "service_principal" {
 output "service_principal_password" {
   description = "Password for the Service Principal."
   value = {
-    password = random_password.spp_pw.result
+    password = azuread_service_principal_password.spp_pw.value
   }
   sensitive = true
 }