Azure Bootstrap

Source code & Installation

The source code of this kit module can be found here

Run the following command to install the kit module:

collie kit import azure/bootstrap

This documentation is intended as a reference documentation for cloud foundation or platform engineers using this module.

Terraform State Storage

This module includes configuration to set up a state backend using Azure blob storage. You can activate this by configuring the terraform_state_storage variable.

Like all bootstrap modules published on collie hub, you will need to deploy this module twice to complete the bootstrap process. Please see the bootstrap tutorial for more info.

If you're not using terraform_state_storage, please configure your own backend in platform.hcl

Platform Engineers Group

This module sets up an AAD group for managing platform engineers. This is required in conjunction with enabling access to terraform state storage but can also be used to grant administrative access to Azure resources.

UPN handling for AAD Guest users

Useful if you need to translate emails into UPNs (User Principal Names) as necessary, especially for guest users. You can add this code block to your terragrunt.hcl file instead of using inputs."

locals {
upn_domain = "#EXT#@devmeshithesheep.onmicrosoft.com"
  platform_engineers_emails = [
    "meshi@meshithesheep.io" # #TODO change, enter PLATFORM ENGINEERS here
  ]

# change the upn_domain value above
  platform_engineers_members = [
    for x in local.platform_engineers_emails : {
      email = x
      upn   = "${replace(x, "@", "_")}${local.upn_domain}"
    }
  ]
}

Requirements

Name	Version
terraform	>= 1.0
azuread	~> 2.41.0
azurerm	~> 3.71.0

Modules

Name	Source	Version
terraform_state	./terraform-state	n/a

Resources

Name	Type
azuread_app_role_assignment.cloudfoundation_deploy-approle	resource
azuread_app_role_assignment.cloudfoundation_deploy-directory	resource
azuread_application.cloudfoundation_deploy	resource
azuread_group.platform_engineers	resource
azuread_service_principal.cloudfoundation_deploy	resource
azuread_service_principal_password.cloudfoundation_deploy	resource
azurerm_role_assignment.cloudfoundation_deploy	resource
azurerm_role_assignment.tfstates_engineers	resource
azurerm_role_definition.cloudfoundation_deploy	resource
time_rotating.key_rotation	resource
azuread_application_published_app_ids.well_known	data source
azuread_client_config.current	data source
azuread_service_principal.msgraph	data source
azuread_users.platform_engineers_members	data source
azurerm_management_group.root	data source
azurerm_subscription.current	data source

Inputs

Name	Description	Type	Default	Required
aad_tenant_id	Id of the AAD Tenant. This is also the simultaneously the id of the root management group.	string	n/a	yes
platform_engineers_members	Set up a group of platform engineers. If enabled, this group will receive access to terraform_state_storage	list(object({ email = string, upn = string, }))	n/a	yes
service_principal_name	name of the Service Principal used to perform all deployments in this platform	string	"cloudfoundation_tf_deploy_user"	no
terraform_state_storage	Configure this object to enable setting up a terraform state store in Azure Storage.	object({ location = string, name = string, config_file_path = string })	null	no

Outputs

Name	Description
client_id	n/a
client_principal_id	n/a
client_secret	n/a
documentation_md	n/a
platform_engineers_azuread_group_id	n/a