constellation/hack/terraform/azure/iam/readme.md
Moritz Sanft dfe7f855cd
AB#2578 Implement Azure IAM in terraform (#562)
* AB#2578 Azure IAM init

* AB#2578 Fixed application owner privileges, added docs

* Add all supported providers to TF lockfile

* Using service principal for role assignment in cluster resource group

Co-authored-by: Malte Poll <mp@edgeless.systems>

* Rephrased header for Azure

Co-authored-by: Malte Poll <mp@edgeless.systems>

* Registry -> Registration typo

Co-authored-by: Malte Poll <mp@edgeless.systems>

* Download lockfile

* File name casing

Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-11-16 20:19:10 +01:00

1.8 KiB

Terraform Azure IAM creation

This terraform configuration creates the necessary Azure resources that need to be available to host a Constellation cluster.

You can create the resources with the following commands:

mkdir constellation_azure_iam
cd constellation_azure_iam
curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/terraform/azure/iam/{main.tf,output.tf,variables.tf,.terraform.lock.hcl}
terraform init
terraform apply

The following terraform output values are available (with their corresponding keys in the Constellation configuration file):

  • subscription_id (subscription)
  • tenant_id (tenant)
  • region (location)
  • base_resource_group_name (resourceGroup)
  • application_id (appClientID)
  • uami_id (userAssignedIdentity)
  • application_client_secret_value (clientSecretValue) - Sensitive Value

You can either get the profile names from the Terraform output and manually add them to your Constellation configuration file according to our Documentation. Or you can do this with a yq command:

yq -i "
  .provider.azure.subscription = $(terraform output subscription_id) |
  .provider.azure.tenant = $(terraform output tenant_id) |
  .provider.azure.location = $(terraform output region) |
  .provider.azure.resourceGroup = $(terraform output base_resource_group_name) |
  .provider.azure.appClientID = $(terraform output application_id) |
  .provider.azure.userAssignedIdentity = $(terraform output uami_id) |
  .provider.azure.clientSecretValue = $(terraform output application_client_secret_value)
  " path/to/constellation-conf.yaml

Where path/to/constellation-conf.yaml is the path to your Constellation configuration file.