The purpose of this script is to execute all necessary high privileges actions needed by Claranet for Azure subscriptions management.
This includes:
- Creation of a "claranet-tools" (or any other given name) service principal
- Creation of a "claranet-deploy" (or any other given name) service principal
- Rights assignment of Reader service principal on selected Subscription(s) with following rights:
- Reader for inventory and monitoring purposes
- Cost Management Reader for FinOps purposes
- Log Analytics Reader for monitoring purpose
- Specific right assignment at the tenant level to read Reservations for FinOps purposes
- Rights assignment of Deployment service principal on selected Subscription(s) with following rights:
- Contributor for Claranet deployment tools
- User Access Administrator for Claranet deployment tools
- Optional creation of a "Claranet DevOps" user group and rights assignment on subscriptions
A report is generated at the end of the script and needs to be provided to Claranet in a secure way.
In order to play this script, you'll need:
- Azure Active Directory privileges for creating Service Principals
- A terminal with the Azure CLI configured (it can be Azure Cloud Shell)
- Azure Subscriptions to configure rights on them
If the given service principal name already exists, the script will re-use the existing one.
You can find Azure Cloud Shell documentation here: https://docs.microsoft.com/en-us/azure/cloud-shell/overview
Open Azure Cloud Shell from the Azure portal in Bash mode and launch the following command:
bash <(curl -s https://raw.githubusercontent.com/claranet/claranet-azure-pre-configuration/master/setup.sh)
Either clone this repository or download the script setup.sh locally and launch it in your terminal or launch the
following command locally:
bash <(curl -s https://raw.githubusercontent.com/claranet/claranet-azure-pre-configuration/master/setup.sh)If the subscription has been recently created, be sure to you've logged in with the Azure CLI after the subscription creation. This issue should not occur when using the Azure Cloud Shell method.
You can do this with the following command:
az login