feat: configurable metering assignment scope

Author: Felix Zieger

main.tf

@@ -17,14 +17,22 @@ data "azurerm_management_group" "replicator_custom_role_scope" {
 }
 
 data "azurerm_management_group" "replicator_assignment_scopes" {
-  for_each = var.replicator_assignment_scopes
+  for_each = toset(var.replicator_assignment_scopes)
+  name     = each.key
+}
+
+data "azurerm_management_group" "metering_assignment_scopes" {
+  for_each = toset(var.metering_assignment_scopes)
   name     = each.key
 }
 
 locals {
   replicator_assignment_scopes = [
     for management_group in data.azurerm_management_group.replicator_assignment_scopes : management_group.id
   ]
+  metering_assignment_scopes = [
+    for management_group in data.azurerm_management_group.metering_assignment_scopes : management_group.id
+  ]
 }
 
 data "azuread_client_config" "current" {}
@@ -46,14 +54,15 @@ module "metering_service_principal" {
   source = "./modules/meshcloud-metering-service-principal/"
 
   service_principal_name = var.metering_service_principal_name
-  assignment_scope       = data.azuread_client_config.current.tenant_id
+  assignment_scopes       = local.metering_assignment_scopes
 }
 
 module "sso_service_principal" {
   count  = var.sso_enabled ? 1 : 0
   source = "./modules/meshcloud-sso/"
 
-  service_principal_name = var.metering_service_principal_name
+  service_principal_name = var.sso_service_principal_name
+  meshstack_redirect_uri = var.sso_meshstack_redirect_uri
 }
 
 # facilitate migration from v0.1.0 of the module

modules/meshcloud-metering-service-principal/module.tf

@@ -18,9 +18,9 @@ terraform {
 //---------------------------------------------------------------------------
 // Assign Cost Management reader role to the enterprise application
 //---------------------------------------------------------------------------
-# For now we are using the following built-in role
 resource "azurerm_role_assignment" "meshcloud_metering" {
-  scope                = var.assignment_scope
+  for_each             = toset(var.assignment_scopes)
+  scope                = each.key
   role_definition_name = "Cost Management Reader"
   principal_id         = azuread_service_principal.meshcloud_metering.id
   depends_on           = [azuread_service_principal.meshcloud_metering]

modules/meshcloud-metering-service-principal/variables.tf

@@ -3,7 +3,7 @@ variable "service_principal_name" {
   description = "Service principal name. Must be unique per Entra ID."
 }
 
-variable "assignment_scope" {
-  type        = string
-  description = "The scope to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions."
+variable "assignment_scopes" {
+  type        = list(string)
+  description = "The scopes to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions."
 }

modules/meshcloud-replicator-service-principal/module.tf

@@ -163,7 +163,7 @@ resource "azuread_service_principal" "meshcloud_replicator" {
 // Assign the created ARM role to the Enterprise application
 //---------------------------------------------------------------------------
 resource "azurerm_role_assignment" "meshcloud_replicator" {
-  for_each           = var.assignment_scopes
+  for_each           = toset(var.assignment_scopes)
   scope              = each.key
   role_definition_id = azurerm_role_definition.meshcloud_replicator.role_definition_resource_id
   principal_id       = azuread_service_principal.meshcloud_replicator.id

variables.tf

@@ -4,15 +4,25 @@ variable "replicator_service_principal_name" {
   description = "Service principal for managing subscriptions. Replicator is the name of the meshStack component. Name must be unique per Entra ID."
 }
 
+variable "replicator_custom_role_scope" {
+  type        = string
+  description = "Name or UUID of the Management Group of the replicator custom role definition. The custom role definition must be available for all assignment scopes."
+}
+
+variable "replicator_assignment_scopes" {
+  type        = list(string)
+  description = "Names or UUIDs of the Management Groups which replicator should manage."
+}
+
 variable "metering_service_principal_name" {
   type        = string
   default     = "kraken"
   description = "Service principal for collecting cost data. Kraken ist the name of the meshStack component. Name must be unique per Entra ID."
 }
 
-variable "replicator_assignment_scopes" {
+variable "metering_assignment_scopes" {
   type        = list(string)
-  description = "Names or UUIDs of the Management Groups which replicator should manage."
+  description = "Names or UUIDs of the Management Groups that kraken should collect costs for."
 }
 
 variable "sso_enabled" {
@@ -21,6 +31,18 @@ variable "sso_enabled" {
   description = "Whether to create SSO Service Principal or not."
 }
 
+variable "sso_service_principal_name" {
+  type        = string
+  default     = "sso"
+  description = "Service principal for Entra ID SSO. Name must be unique per Entra ID."
+}
+
+variable "sso_meshstack_redirect_uri" {
+  type        = string
+  default     = "<replace with uri>"
+  description = "Redirect URI that was provided by meshcloud. It is individual per meshStack."
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # OPTIONAL PARAMETERS
 # These parameters have reasonable defaults.
@@ -32,12 +54,6 @@ variable "replicator_enabled" {
   description = "Whether to create replicator Service Principal or not."
 }
 
-variable "replicator_custom_role_scope" {
-  type        = string
-  default     = "Tenant Root Group"
-  description = "Name or UUID of the Management Group of the replicator custom role definition. The custom role definition must be available for all assignment scopes."
-}
-
 variable "replicator_rg_enabled" {
   type        = bool
   default     = false