diff --git a/quickstart/201-virtual-network-manager-cross-tenant/cross-tenant-hns.tf b/quickstart/201-virtual-network-manager-cross-tenant/cross-tenant-hns.tf
new file mode 100644
index 000000000..4044fefd4
--- /dev/null
+++ b/quickstart/201-virtual-network-manager-cross-tenant/cross-tenant-hns.tf
@@ -0,0 +1,155 @@ +/* + * This template will create a network manager + Hub&Spoke configuration in the 'home' tenant + * It will also create a vnet under a subscription in the 'away' tenant + * It will then establish a cross-tenant connection, and add the vnet in the 'away' tenant to a network group managed by the connect config + */ +variable "home_tenant" { + type = string + description = "The tenant (guid) the network manager is in." +} +variable "home_sub" { + type = string + description = "The subscription (guid) the network manager is created under." +} +variable "away_tenant" { + type = string + description = "The tenant (guid) the cross-tenant vnet is in." +} +variable "away_sub" { + type = string + description = "The subscription (guid) the cross-tenant vnet is created under." +} + +# Azure Provider source and version being used +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + # 3.83.0 or higher is required to retrieve aux tokens correctly + version = ">=4.15.0" + } + } +} + +# Setup initial 'home' tenant resources: +# Resource group, network manager, network group, vnet, static member, connectivity configuration +provider "azurerm" { + features {} + use_cli = true + subscription_id = var.home_sub + tenant_id = var.home_tenant + auxiliary_tenant_ids = [var.away_tenant] +} + +data "azurerm_subscription" "home" { + subscription_id = var.home_sub +} + +resource "azurerm_resource_group" "home" { + name = "anm-resources" + location = "East US" +} + +resource "azurerm_network_manager" "home" { + name = "terraform-network-manager" + location = azurerm_resource_group.home.location + resource_group_name = azurerm_resource_group.home.name + scope_accesses = ["Connectivity"] + scope { + subscription_ids = [data.azurerm_subscription.home.id] + } + description = "Network manager for cross-tenant management." 
+} +resource "azurerm_network_manager_network_group" "home" { + name = "network-group" + network_manager_id = azurerm_network_manager.home.id + description = "Network group for cross-tenant static members." +} + +resource "azurerm_virtual_network" "home" { + name = "home-tenant-vnet" + resource_group_name = azurerm_resource_group.home.name + location = azurerm_resource_group.home.location + address_space = ["10.0.0.0/16"] + subnet { + name = "subnet1" + address_prefixes = ["10.0.1.0/24"] + default_outbound_access_enabled = "false" + } +} + +# Connectivity configuration referencing in-tenant vnet as hub +resource "azurerm_network_manager_connectivity_configuration" "home" { + name = "cross-tenant-connectivity-conf" + network_manager_id = azurerm_network_manager.home.id + connectivity_topology = "HubAndSpoke" + applies_to_group { + group_connectivity = "DirectlyConnected" + network_group_id = azurerm_network_manager_network_group.home.id + } + + hub { + resource_id = azurerm_virtual_network.home.id + resource_type = "Microsoft.Network/virtualNetworks" + } +} + +# Setup initial 'away' tenant resources: +# Resource group, vnet +provider "azurerm" { + features {} + alias = "away" + use_cli = true + subscription_id = var.away_sub + tenant_id = var.away_tenant +} + +data "azurerm_subscription" "away" { + provider = azurerm.away + subscription_id = var.away_sub +} + +resource "azurerm_resource_group" "away" { + provider = azurerm.away + name = "away-tenant-resources" + location = "East US" +} + +resource "azurerm_virtual_network" "away" { + provider = azurerm.away + name = "away-tenant-vnet" + resource_group_name = azurerm_resource_group.away.name + location = azurerm_resource_group.away.location + address_space = ["192.168.1.0/24"] +} + +# Create the cross-tenant connection resources +resource "azurerm_network_manager_scope_connection" "home" { + name = "scope-connection" + network_manager_id = azurerm_network_manager.home.id + tenant_id = var.away_tenant + 
target_scope_id = data.azurerm_subscription.away.id + description = "Used to manage cross-tenant subscription." +} + +resource "azurerm_network_manager_subscription_connection" "away" { + provider = azurerm.away + name = "subscription-connection" + subscription_id = data.azurerm_subscription.away.id + network_manager_id = azurerm_network_manager.home.id + description = "Used to approve management from cross-tenant network manager." +} + +# Wait to ensure connection has been established async +resource "time_sleep" "wait" { + depends_on = [azurerm_network_manager_scope_connection.home, azurerm_network_manager_subscription_connection.away] + create_duration = "30s" +} + +# Create a static member for the vnet in the 'away' tenant after connection is established +resource "azurerm_network_manager_static_member" "home" { + name = "cross-tenant-static-member" + network_group_id = azurerm_network_manager_network_group.home.id + target_virtual_network_id = azurerm_virtual_network.away.id + depends_on = [time_sleep.wait] +} diff --git a/quickstart/201-virtual-network-manager-cross-tenant/main.tf b/quickstart/201-virtual-network-manager-cross-tenant/main.tf new file mode 100644 index 000000000..bebb3db4e --- /dev/null +++ b/quickstart/201-virtual-network-manager-cross-tenant/main.tf 
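Review bot: This file re-declares `variable "home_tenant"`/`home_sub`/`away_tenant`/`away_sub`, the `terraform` required_providers block and the default `provider "azurerm"` that this same change also adds to variables.tf, providers.tf and main.tf; Terraform loads every .tf file in a directory as one module, so `terraform init`/`validate` will reject the duplicate variable, provider and resource declarations (main.tf additionally repeats `azurerm_network_manager.home`, the network group, both vnets, the `away` provider alias and the connection resources). Keep the cross-tenant resources in one file and leave the variable and provider blocks only in variables.tf and providers.tf. The comment `# 3.83.0 or higher is required to retrieve aux tokens correctly` no longer matches `version = ">=4.15.0"` beneath it; reword it to `# >=4.15.0 is required to retrieve auxiliary tenant tokens correctly` (the same stale comment is in providers.tf). The 30s `time_sleep` is a timing guess for the asynchronous scope/subscription connection handshake; a comment saying that `azurerm_network_manager_static_member.home` will fail if the connection is not yet established and that the duration may need raising would help the next reader.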
@@ -0,0 +1,138 @@ +/* + * This template will create a network manager + Hub&Spoke configuration in the 'home' tenant + * It will also create a vnet under a subscription in the 'away' tenant + * It will then establish a cross-tenant connection, and add the vnet in the 'away' tenant to a network group managed by the connect config + */ + +resource "random_pet" "rg_name_home" { + prefix = var.resource_group_name_prefix +} + +resource "random_pet" "rg_name_away" { + prefix = var.resource_group_name_prefix +} + + +resource "azurerm_resource_group" "rg_home" { + location = var.resource_group_location + name = random_pet.rg_name.id +} + +resource "azurerm_resource_group" "rg_away" { + location = var.resource_group_location + name = random_pet.rg_name.id +} +# Create three virtual networks +resource "random_string" "prefix" { + length = 4 + special = false + upper = false +} + +resource "random_pet" "virtual_network_name" { + prefix = "vnet-${random_string.prefix.result}" +} + +resource "azurerm_network_manager" "home" { + name = "terraform-network-manager" + location = azurerm_resource_group.home.location + resource_group_name = azurerm_resource_group.home.name + scope_accesses = ["Connectivity"] + scope { + subscription_ids = [data.azurerm_subscription.home.id] + } + description = "Network manager for cross-tenant management." +} +resource "azurerm_network_manager_network_group" "home" { + name = "network-group" + network_manager_id = azurerm_network_manager.home.id + description = "Network group for cross-tenant static members." 
+} + +resource "azurerm_virtual_network" "home" { + name = "home-tenant-vnet" + resource_group_name = azurerm_resource_group.home.name + location = azurerm_resource_group.home.location + address_space = ["10.0.0.0/16"] + subnet { + name = "subnet1" + address_prefixes = ["10.0.1.0/24"] + default_outbound_access_enabled = "false" + } +} + +# Connectivity configuration referencing in-tenant vnet as hub +resource "azurerm_network_manager_connectivity_configuration" "home" { + name = "cross-tenant-connectivity-conf" + network_manager_id = azurerm_network_manager.home.id + connectivity_topology = "HubAndSpoke" + applies_to_group { + group_connectivity = "DirectlyConnected" + network_group_id = azurerm_network_manager_network_group.home.id + } + + hub { + resource_id = azurerm_virtual_network.home.id + resource_type = "Microsoft.Network/virtualNetworks" + } +} + +# Setup initial 'away' tenant resources: +# Resource group, vnet +provider "azurerm" { + features {} + alias = "away" + use_cli = true + subscription_id = var.away_sub + tenant_id = var.away_tenant +} + +data "azurerm_subscription" "away" { + provider = azurerm.away + subscription_id = var.away_sub +} + +resource "azurerm_resource_group" "away" { + provider = azurerm.away + name = "away-tenant-resources" + location = "East US" +} + +resource "azurerm_virtual_network" "away" { + provider = azurerm.away + name = "away-tenant-vnet" + resource_group_name = azurerm_resource_group.away.name + location = azurerm_resource_group.away.location + address_space = ["192.168.1.0/24"] +} + +# Create the cross-tenant connection resources +resource "azurerm_network_manager_scope_connection" "home" { + name = "scope-connection" + network_manager_id = azurerm_network_manager.home.id + tenant_id = var.away_tenant + target_scope_id = data.azurerm_subscription.away.id + description = "Used to manage cross-tenant subscription." 
+} + +resource "azurerm_network_manager_subscription_connection" "away" { + provider = azurerm.away + name = "subscription-connection" + subscription_id = data.azurerm_subscription.away.id + network_manager_id = azurerm_network_manager.home.id + description = "Used to approve management from cross-tenant network manager." +} + +# Wait to ensure connection has been established async +resource "time_sleep" "wait" { + depends_on = [azurerm_network_manager_scope_connection.home, azurerm_network_manager_subscription_connection.away] + create_duration = "30s" +} + +# Create a static member for the vnet in the 'away' tenant after connection is established +resource "azurerm_network_manager_static_member" "home" { + name = "cross-tenant-static-member" + network_group_id = azurerm_network_manager_network_group.home.id + target_virtual_network_id = azurerm_virtual_network.away.id + depends_on = [time_sleep.wait] +} diff --git a/quickstart/201-virtual-network-manager-cross-tenant/outputs.tf b/quickstart/201-virtual-network-manager-cross-tenant/outputs.tf new file mode 100644 index 000000000..62816bd73 --- /dev/null +++ b/quickstart/201-virtual-network-manager-cross-tenant/outputs.tf @@ -0,0 +1,3 @@ +output "resource_group_name" { + value = azurerm_resource_group.rg.name +} diff --git a/quickstart/201-virtual-network-manager-cross-tenant/providers.tf b/quickstart/201-virtual-network-manager-cross-tenant/providers.tf new file mode 100644 index 000000000..5832f1f57 --- /dev/null +++ b/quickstart/201-virtual-network-manager-cross-tenant/providers.tf 
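Review bot: main.tf references resources that are not declared anywhere in this change: `random_pet.rg_name.id` (the declared pets are `rg_name_home` and `rg_name_away`), `azurerm_resource_group.home` (the declared groups here are `rg_home` and `rg_away`) and `data.azurerm_subscription.home`, so the configuration cannot plan. Both resource groups also use the same `random_pet.rg_name.id` expression, which would give the home and away groups one name; use `name = random_pet.rg_name_home.id` and `name = random_pet.rg_name_away.id` respectively. `azurerm_resource_group.rg_away` has no `provider` argument, so it is created through the default (home) provider and would land in the home subscription rather than the away tenant; it needs `provider = azurerm.away` like the other away resources. `random_string.prefix` and `random_pet.virtual_network_name` are never referenced and the `# Create three virtual networks` comment does not describe this template, so either feed the generated names into the two vnets or remove them.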
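Review bot: `output "resource_group_name"` reads `azurerm_resource_group.rg.name`, but no resource group named `rg` is declared in this directory (the declared ones are `rg_home`, `rg_away`, `home` and `away`), so `terraform validate` fails on an undeclared resource reference. Point it at whichever home resource-group name survives the de-duplication, e.g. `value = azurerm_resource_group.rg_home.name`, and consider a second output for the away group so the cross-tenant side is discoverable too.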
@@ -0,0 +1,21 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ # 3.83.0 or higher is required to retrieve aux tokens correctly
+ version = ">=4.15.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+ use_cli = true
+ subscription_id = var.home_sub
+ tenant_id = var.home_tenant
+ auxiliary_tenant_ids = [var.away_tenant]
+}
\ No newline at end of file
diff --git a/quickstart/201-virtual-network-manager-cross-tenant/readme.md b/quickstart/201-virtual-network-manager-cross-tenant/readme.md
new file mode 100644
index 000000000..377234a30
--- /dev/null
+++ b/quickstart/201-virtual-network-manager-cross-tenant/readme.md
@@ -0,0 +1,19 @@
+# Azure resource group
+
+This template deploys an Azure resource group with a random name beginning with "rg-".
+
+## Terraform resource types
+
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+
+## Variables
+
+| Name | Description | Default |
+|-|-|-|
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg |
+| `resource_group_location` | Location of the resource group. | eastus |
+
+## Example
+
+To see how to run this example, see [Create an Azure resource group using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-resource-group).
\ No newline at end of file
diff --git a/quickstart/201-virtual-network-manager-cross-tenant/variables.tf b/quickstart/201-virtual-network-manager-cross-tenant/variables.tf
new file mode 100644
index 000000000..c28577da9
--- /dev/null
+++ b/quickstart/201-virtual-network-manager-cross-tenant/variables.tf
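Review bot: The azurerm constraint `version = ">=4.15.0"` in providers.tf has no upper bound, so a fresh `terraform init` would pick up a future major release of the provider and could break this configuration; a pessimistic constraint `version = "~> 4.15"` keeps the aux-token fix while staying on the 4.x line. The comment directly above it, `# 3.83.0 or higher is required to retrieve aux tokens correctly`, contradicts the constraint and should name 4.15.0. `use_cli = true` combined with `auxiliary_tenant_ids = [var.away_tenant]` appears to make the deployment depend on the operator's Azure CLI session being able to obtain tokens for both tenants; a comment such as `# Requires an az login that can obtain tokens for both the home and away tenants` would spare the reader a failed plan.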
@@ -0,0 +1,28 @@
+variable "resource_group_location" {
+ type = string
+ default = "eastus"
+ description = "Location of the resource group."
+}
+
+variable "resource_group_name_prefix" {
+ type = string
+ default = "rg"
+ description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
+}
+
+variable "home_tenant" {
+ type = string
+ description = "The tenant (guid) the network manager is in."
+}
+variable "home_sub" {
+ type = string
+ description = "The subscription (guid) the network manager is created under."
+}
+variable "away_tenant" {
+ type = string
+ description = "The tenant (guid) the cross-tenant vnet is in."
+}
+variable "away_sub" {
+ type = string
+ description = "The subscription (guid) the cross-tenant vnet is created under."
+}
\ No newline at end of file
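Review bot: The four GUID inputs `home_tenant`, `home_sub`, `away_tenant` and `away_sub` accept any string, so a mistyped value only surfaces when the provider tries to authenticate or when the scope connection is created against the wrong tenant; a `validation` block on each variable rejects a non-GUID at plan time, before any cross-tenant trust is set up. The `resource_group_location` default `eastus` is also not what the resources in cross-tenant-hns.tf use (they hard-code `location = "East US"`), so the variable should either be wired into those resources or dropped along with its readme entry. The validation for one variable is shown below; the other three follow the same pattern.
```hcl
variable "home_tenant" {
  type        = string
  description = "The tenant (guid) the network manager is in."
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.home_tenant))
    error_message = "home_tenant must be a GUID."
  }
}
# … unchanged: the same validation block is added to home_sub, away_tenant and away_sub …
```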