This directory contains all the Azure Terraform modules.
aks-globalaks-regionalaksazure-pipelines-agent-vmsscoregithub-runnergovernance-globalgovernance-regionalhubnamesxkf-governance-global-dataxkf-governance-global
TBD
INFO: This service principal will be used to run governance-global, governance-regional, core, aks-global, aks and hub modules. Running other modules, like azure-pipelines-agent-vmss can be done with the service principals that are created and stored in the core Azure KeyVault.
Create and delegate access to the owner service principal:
- Create new service principal:
sp-sub-<subscription_name>-all-owner - Create three Azure AD groups:
- Owner group:
az-sub-<subscription_name>-all-owner - Contributor group:
az-sub-<subscription_name>-all-contributor - Reader group:
az-sub-<subscription_name>-all-reader
- Owner group:
- Grant service principal the following permissions:
- API Permissions: (Application)
Group.ReadWrite.All(Microsoft Graph)Application.ReadWrite.All(Microsoft Graph)
- API Permissions:
Grant admin consent for <Tenant> - Subscription permissions on all the subscriptions:
Owner - The service principal also needs to be member of the
User administratorrole
- API Permissions: (Application)
If you are using the Azure AD v1 provider and start using the v2 provider, please follow the below steps:
-
Add API permission
Application.ReadWrite.All(Microsoft Graph) to the service principal(s)- Remove the following from the state: module.governance_global.data.azuread_application.owner_spn (related issue)
make state-remove ENV=dev DIR=governance confirm: governance/dev regexp: data.azuread_application
-
Run plan / apply, validate that only
random_passwordresources are removed -
Remove service principal(s) from the
User administratorrole -
Remove the
Application.ReadWrite.All(Azure Active Directory Graph) permission and admin consent from the service principal(s) -
Remove the
Directory.ReadWrite.All(Azure Active Directory Graph) permission and admin consent from the service principal(s) if it exists