Create subscriptions programmatically using Azure Resource Manager

[IrfanAnsari]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Create subscriptions programmatically using Azure Resource Manager. Here are the details about the API being released from Azure https://docs.microsoft.com/en-gb/azure/azure-resource-manager/programmatically-create-subscription

New or Affected Resource(s)

Subscriptions

• azurerm_XXXXX

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

• 0000

[jtracey93]

I have been doing some work on this to create EA subscriptions programmatically, currently using an Azure Function with PowerShell. But have found the permissions/RBAC are the complex part of this, due to the new API for the billing account having a different set of roles & assignments than the rest of ARM.

e.g.

• ID: providers/Microsoft.Billing/billingAccounts/xxxxxxxx/enrollmentAccounts/xxxxxx/billingRoleDefinitions/c15c22c0-9faf-424c-9b7e-bd91c06a240b
• Role Name: Enrollment account owner

&

• ID: /providers/Microsoft.Billing/billingAccounts/xxxxxxxx/enrollmentAccounts/xxxxxx/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71
• Name: Enrollment account subscription creator

There is no Terraform provider to enable the creation of these role assignments as it stands which will need adding to enable support.

@laingsc how did you handle the RBAC side of this for your provider, or are you just expecting this to be in place for the principal that runs the Terraform apply?

Happy to discuss further 😄

[matt-FFFFFF]

@laingsc you ideally need to create the sub outside of Terraform as, at the moment, the provider declaration is linked to a single subscription. Therefore, if you use TF to create the sub, then you'll need another plan created with a new provider declaration to be able to deploy resources to that subscription.

Hopefully this will change in the future :)

[AdamCoulterOz]

Ideally the azurerm provider would be completely decoupled from a subscription, and just simply be a login.... you can then have a generic "context" attribute which can be for an enrolment account, management group, subscription or resource group ... or even better / in addition, have providers able to be treated as just another node in the terraform resource dependency graph

[TheKangaroo]

@matt-FFFFFF I never though of the fact, that an instance of azurerm provider is actually a reference to a specific subscription, even though we use it regularly. I actually love the idea of @AdamCoulterOz with the generic context (enrolment account/tenant, subscription or even resource group) but I'm not sure if this is something that can be done, because this sounds to me like a major architectural design change.

[AdamCoulterOz]

@matt-FFFFFF ... azurerm v3? or maybe even a new provider (terraform-provider-az .... 😜) ?

[jameswestall]

@matt-FFFFFF @TheKangaroo - While a generic context is definitely desirable, Could you not just have the Azure provider instantiation as part of a module? Realistically, a lot of people are probably looking at this functionality for some form of landing zone functionality, so a module to declare what a subscription looks like seems pretty reasonable.

The end flow theoretically would look something like this?

1. Central resources.tf would declare a subscription
2. Output of the subscription resource would be provided to the module block
3. Module will instantiate a new provider block, using the new subscription.

Unfortunately I don't readily have access to an EA account to test this with the aforementioned preview module. Happy to be corrected on my understanding of how Terraform providers work.

[TheKangaroo]

I don't think you can use values of an object and pass it to a provider for the run itself, but I never really tried that to be honest. Right now we create subscriptions with a python script and use some folder structure magic and terragrunt for managing the subscription. I think this could be way easier if we were able to have a provider for multiple resources.

This is not an absolut necessary feature for our use case, but I think this is necessary for this feature request since you cannot manage a subscription in terraform if the subscription itself is the boundary of a provider instance.

[matt-FFFFFF]

@jameswestall You cannot use generated values in a provider declaration. The providers are evaluated at init time so you must know the subscription ID at that point. You cannot do this if you are dynamically creating the subscription as part of the plan.

[jackofallops]

Hi All.

FWIW I have a branch in progress on this - but I've intentionally not pushed this at this time since it's not as usable as it first appears.

Whilst the API itself appears relatively simple, there's quite a bit to make it usable in Terraform/the Azure Provider due to the way this functionality works in Azure (primarily around usage and test coverage). On top of that, the API requires the calling user to have significant access to billing information, so I'm also looking into enabling the Billing provider to be able to access that safely. Be assured, we really want this too, so we're keeping things moving as much as we can.

Some additional info on the some of the limitations I mentioned:

• There are a maximum number of Subscriptions that can be created against an Account. This is a maximum ever, so once it's reached that account can never have any more new subscriptions. For EA/Enrolment accounts this is 2000, but other account types it is as low as 20. (The subscriptions team are looking at increases here, but they're still talking in finite terms so the problem will still exist just take longer to hit)

• Subscriptions cannot be deleted, only cancelled/deactivated. They are retained for up to 90 days for potential reactivation, then purged from the platform. They still exist in some backend systems, hence the previous lifetime limits above. Decoupling this is apparently being investigated.

• A high number of subscriptions can have negative impact on performance of some operations, particularly in the portal.

• Subscriptions created via the Alias API are always created in the Home Tenant of the user account that submitted the request, this may not be the desired location of the subscription, or even the tenant on which Terraform is operating when it calls the API, we're looking at what can be done here. (Side note - it appears that it must be a user account to create a subscription; MSI and SP do not appear to be supported, which obviously presents issues for most CI approaches.) There are APIs for moving Subscriptions between Tenants, I'm waiting on details from the Subscriptions team at Azure on these.

The broader discussion around the provider/client auth is tangentially related but off-topic - to keep this issue focused on the original issue, I'm going to mark those comments as off-topic for the moment - however should you wish to discuss this further I'd point you towards the community discuss forum.

---

Whilst we appreciate it's frustrating this isn't available natively at this time, we are working closely with the teams at Microsoft to unblock this in the background - but there's still a number of blockers for this which we need to solve before we can do so - we'll post an update once we have more information.

Thanks!

[matt-FFFFFF]

@jackofallops We now support SPNs with new API:

https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/enable-subscription-creation.md

[jtracey93]

@jackofallops They also support MSIs as well. Checkout this project I created where I use an Azure Function to create the subs with an MSI. https://github.com/jtracey93/AzureSubscriptionVendingFunction

[ghost]

This has been released in version 2.50.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.50.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!