Azure · mbender-ms · Feb 18, 2025
diff --git a/quickstart/201-virtual-network-manager-cross-tenant/cross-tenant-hns.tf b/quickstart/201-virtual-network-manager-cross-tenant/cross-tenant-hns.tf
@@ -0,0 +1,155 @@
+/*
+ * This template will create a network manager + Hub&Spoke configuration in the 'home' tenant
+ * It will also create a vnet under a subscription in the 'away' tenant
+ * It will then establish a cross-tenant connection, and add the vnet in the 'away' tenant to a network group managed by the connect config
+ */
+variable "home_tenant" {
+  type        = string
+  description = "The tenant (guid) the network manager is in."
+}
+variable "home_sub" {
+  type        = string
+  description = "The subscription (guid) the network manager is created under."
+}
+variable "away_tenant" {
+  type        = string
+  description = "The tenant (guid) the cross-tenant vnet is in."
+}
+variable "away_sub" {
+  type        = string
+  description = "The subscription (guid) the cross-tenant vnet is created under."
+}
+
+# Azure Provider source and version being used
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      # 3.83.0 or higher is required to retrieve aux tokens correctly
+      version = ">=4.15.0"
+    }
+  }
+}
+
+# Setup initial 'home' tenant resources:
+# Resource group, network manager, network group, vnet, static member, connectivity configuration
+provider "azurerm" {
+  features {}
+  use_cli              = true
+  subscription_id      = var.home_sub
+  tenant_id            = var.home_tenant
+  auxiliary_tenant_ids = [var.away_tenant]
+}
+
+data "azurerm_subscription" "home" {
+  subscription_id = var.home_sub
+}
+
+resource "azurerm_resource_group" "home" {
+  name     = "anm-resources"
+  location = "East US"
+}
+
+resource "azurerm_network_manager" "home" {
+  name                = "terraform-network-manager"
+  location            = azurerm_resource_group.home.location
+  resource_group_name = azurerm_resource_group.home.name
+  scope_accesses = ["Connectivity"]
+  scope {
+    subscription_ids = [data.azurerm_subscription.home.id]
+  }
+  description    = "Network manager for cross-tenant management."
+}
+resource "azurerm_network_manager_network_group" "home" {
+  name               = "network-group"
+  network_manager_id = azurerm_network_manager.home.id
+  description        = "Network group for cross-tenant static members."
+}
+
+resource "azurerm_virtual_network" "home" {
+  name                = "home-tenant-vnet"
+  resource_group_name = azurerm_resource_group.home.name
+  location            = azurerm_resource_group.home.location
+  address_space       = ["10.0.0.0/16"]
+  subnet {
+    name             = "subnet1"
+    address_prefixes = ["10.0.1.0/24"]
+    default_outbound_access_enabled = "false"
+  }
+}
+
+# Connectivity configuration referencing in-tenant vnet as hub
+resource "azurerm_network_manager_connectivity_configuration" "home" {
+  name                  = "cross-tenant-connectivity-conf"
+  network_manager_id    = azurerm_network_manager.home.id
+  connectivity_topology = "HubAndSpoke"
+  applies_to_group {
+    group_connectivity = "DirectlyConnected"
+    network_group_id   = azurerm_network_manager_network_group.home.id
+  }
+
+  hub {
+    resource_id   = azurerm_virtual_network.home.id
+    resource_type = "Microsoft.Network/virtualNetworks"
+  }
+}
+
+# Setup initial 'away' tenant resources:
+# Resource group, vnet
+provider "azurerm" {
+  features {}
+  alias           = "away"
+  use_cli         = true
+  subscription_id = var.away_sub
+  tenant_id       = var.away_tenant
+}
+
+data "azurerm_subscription" "away" {
+  provider        = azurerm.away
+  subscription_id = var.away_sub
+}
+
+resource "azurerm_resource_group" "away" {
+  provider = azurerm.away
+  name     = "away-tenant-resources"
+  location = "East US"
+}
+
+resource "azurerm_virtual_network" "away" {
+  provider            = azurerm.away
+  name                = "away-tenant-vnet"
+  resource_group_name = azurerm_resource_group.away.name
+  location            = azurerm_resource_group.away.location
+  address_space       = ["192.168.1.0/24"]
+}
+
+# Create the cross-tenant connection resources
+resource "azurerm_network_manager_scope_connection" "home" {
+  name               = "scope-connection"
+  network_manager_id = azurerm_network_manager.home.id
+  tenant_id          = var.away_tenant
+  target_scope_id    = data.azurerm_subscription.away.id
+  description        = "Used to manage cross-tenant subscription."
+}
+
+resource "azurerm_network_manager_subscription_connection" "away" {
+  provider           = azurerm.away
+  name               = "subscription-connection"
+  subscription_id    = data.azurerm_subscription.away.id
+  network_manager_id = azurerm_network_manager.home.id
+  description        = "Used to approve management from cross-tenant network manager."
+}
+
+# Wait to ensure connection has been established async
+resource "time_sleep" "wait" {
+  depends_on      = [azurerm_network_manager_scope_connection.home, azurerm_network_manager_subscription_connection.away]
+  create_duration = "30s"
+}
+
+# Create a static member for the vnet in the 'away' tenant after connection is established
+resource "azurerm_network_manager_static_member" "home" {
+  name                      = "cross-tenant-static-member"
+  network_group_id          = azurerm_network_manager_network_group.home.id
+  target_virtual_network_id = azurerm_virtual_network.away.id
+  depends_on                = [time_sleep.wait]
+}
diff --git a/quickstart/201-virtual-network-manager-cross-tenant/main.tf b/quickstart/201-virtual-network-manager-cross-tenant/main.tf
@@ -0,0 +1,138 @@
+/*
+ * This template will create a network manager + Hub&Spoke configuration in the 'home' tenant
+ * It will also create a vnet under a subscription in the 'away' tenant
+ * It will then establish a cross-tenant connection, and add the vnet in the 'away' tenant to a network group managed by the connect config
+ */
+
+resource "random_pet" "rg_name_home" {
+  prefix = var.resource_group_name_prefix
+}
+
+resource "random_pet" "rg_name_away" {
+  prefix = var.resource_group_name_prefix
+}
+
+
+resource "azurerm_resource_group" "rg_home" {
+  location = var.resource_group_location
+  name     = random_pet.rg_name.id
+}
+
+resource "azurerm_resource_group" "rg_away" {
+  location = var.resource_group_location
+  name     = random_pet.rg_name.id
+}
+# Create three virtual networks
+resource "random_string" "prefix" {
+  length = 4
+  special = false
+  upper = false
+}
+
+resource "random_pet" "virtual_network_name" {
+  prefix = "vnet-${random_string.prefix.result}"
+}
+
+resource "azurerm_network_manager" "home" {
+  name                = "terraform-network-manager"
+  location            = azurerm_resource_group.home.location
+  resource_group_name = azurerm_resource_group.home.name
+  scope_accesses = ["Connectivity"]
+  scope {
+    subscription_ids = [data.azurerm_subscription.home.id]
+  }
+  description    = "Network manager for cross-tenant management."
+}
+resource "azurerm_network_manager_network_group" "home" {
+  name               = "network-group"
+  network_manager_id = azurerm_network_manager.home.id
+  description        = "Network group for cross-tenant static members."
+}
+
+resource "azurerm_virtual_network" "home" {
+  name                = "home-tenant-vnet"
+  resource_group_name = azurerm_resource_group.home.name
+  location            = azurerm_resource_group.home.location
+  address_space       = ["10.0.0.0/16"]
+  subnet {
+    name             = "subnet1"
+    address_prefixes = ["10.0.1.0/24"]
+    default_outbound_access_enabled = "false"
+  }
+}
+
+# Connectivity configuration referencing in-tenant vnet as hub
+resource "azurerm_network_manager_connectivity_configuration" "home" {
+  name                  = "cross-tenant-connectivity-conf"
+  network_manager_id    = azurerm_network_manager.home.id
+  connectivity_topology = "HubAndSpoke"
+  applies_to_group {
+    group_connectivity = "DirectlyConnected"
+    network_group_id   = azurerm_network_manager_network_group.home.id
+  }
+
+  hub {
+    resource_id   = azurerm_virtual_network.home.id
+    resource_type = "Microsoft.Network/virtualNetworks"
+  }
+}
+
+# Setup initial 'away' tenant resources:
+# Resource group, vnet
+provider "azurerm" {
+  features {}
+  alias           = "away"
+  use_cli         = true
+  subscription_id = var.away_sub
+  tenant_id       = var.away_tenant
+}
+
+data "azurerm_subscription" "away" {
+  provider        = azurerm.away
+  subscription_id = var.away_sub
+}
+
+resource "azurerm_resource_group" "away" {
+  provider = azurerm.away
+  name     = "away-tenant-resources"
+  location = "East US"
+}
+
+resource "azurerm_virtual_network" "away" {
+  provider            = azurerm.away
+  name                = "away-tenant-vnet"
+  resource_group_name = azurerm_resource_group.away.name
+  location            = azurerm_resource_group.away.location
+  address_space       = ["192.168.1.0/24"]
+}
+
+# Create the cross-tenant connection resources
+resource "azurerm_network_manager_scope_connection" "home" {
+  name               = "scope-connection"
+  network_manager_id = azurerm_network_manager.home.id
+  tenant_id          = var.away_tenant
+  target_scope_id    = data.azurerm_subscription.away.id
+  description        = "Used to manage cross-tenant subscription."
+}
+
+resource "azurerm_network_manager_subscription_connection" "away" {
+  provider           = azurerm.away
+  name               = "subscription-connection"
+  subscription_id    = data.azurerm_subscription.away.id
+  network_manager_id = azurerm_network_manager.home.id
+  description        = "Used to approve management from cross-tenant network manager."
+}
+
+# Wait to ensure connection has been established async
+resource "time_sleep" "wait" {
+  depends_on      = [azurerm_network_manager_scope_connection.home, azurerm_network_manager_subscription_connection.away]
+  create_duration = "30s"
+}
+
+# Create a static member for the vnet in the 'away' tenant after connection is established
+resource "azurerm_network_manager_static_member" "home" {
+  name                      = "cross-tenant-static-member"
+  network_group_id          = azurerm_network_manager_network_group.home.id
+  target_virtual_network_id = azurerm_virtual_network.away.id
+  depends_on                = [time_sleep.wait]
+}
diff --git a/quickstart/201-virtual-network-manager-cross-tenant/outputs.tf b/quickstart/201-virtual-network-manager-cross-tenant/outputs.tf
@@ -0,0 +1,3 @@
+output "resource_group_name" {
+  value = azurerm_resource_group.rg.name
+}
diff --git a/quickstart/201-virtual-network-manager-cross-tenant/providers.tf b/quickstart/201-virtual-network-manager-cross-tenant/providers.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      # 3.83.0 or higher is required to retrieve aux tokens correctly
+      version = ">=4.15.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~>3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  use_cli              = true
+  subscription_id      = var.home_sub
+  tenant_id            = var.home_tenant
+  auxiliary_tenant_ids = [var.away_tenant]
+}
diff --git a/quickstart/201-virtual-network-manager-cross-tenant/readme.md b/quickstart/201-virtual-network-manager-cross-tenant/readme.md
@@ -0,0 +1,19 @@
+# Azure resource group
+
+This template deploys an Azure resource group with a random name beginning with "rg-".
+
+## Terraform resource types
+
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+
+## Variables
+
+| Name | Description | Default |
+|-|-|-|
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg |
+| `resource_group_location` | Location of the resource group. | eastus |
+
+## Example
+
+To see how to run this example, see [Create an Azure resource group using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-resource-group).
diff --git a/quickstart/201-virtual-network-manager-cross-tenant/variables.tf b/quickstart/201-virtual-network-manager-cross-tenant/variables.tf
@@ -0,0 +1,28 @@
+variable "resource_group_location" {
+  type        = string
+  default     = "eastus"
+  description = "Location of the resource group."
+}
+
+variable "resource_group_name_prefix" {
+  type        = string
+  default     = "rg"
+  description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
+}
+
+variable "home_tenant" {
+  type        = string
+  description = "The tenant (guid) the network manager is in."
+}
+variable "home_sub" {
+  type        = string
+  description = "The subscription (guid) the network manager is created under."
+}
+variable "away_tenant" {
+  type        = string
+  description = "The tenant (guid) the cross-tenant vnet is in."
+}
+variable "away_sub" {
+  type        = string
+  description = "The subscription (guid) the cross-tenant vnet is created under."
+}