Azure VNET

Objective

This document explains the Azure roles and permissions that a user needs in order to create or modify resources while deploying Volterra sites on Azure. It also provides instructions for creating a service principal using the Azure cloud reference scripts.

Azure VNET Policies

For Azure VNET site deployments you must hold the Owner role on the subscription, and you create a service principal scoped to that subscription with either the Contributor role or the custom role defined below. Note that the custom role is narrower than Contributor in most respects but grants Microsoft.Authorization/roleAssignments/*, which Contributor withholds: a principal holding this role can change role assignments within the subscription, so protect its credentials accordingly.

The following is the JSON view of the required policy and permissions to deploy Azure VNET site:

Azure VNET Site Permissions
[
  {
    "assignableScopes": [
      "/subscriptions/$SUBSCRIPTION_ID"
    ],
    "description": "Volterra Custom Role to create Azure VNET site.",
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.Authorization/roleAssignments/*",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Compute/virtualMachineScaleSets/delete",
          "Microsoft.Compute/virtualMachineScaleSets/write",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/*",
          "Microsoft.MarketplaceOrdering/agreements/offers/plans/cancel/action",
          "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/write",
          "Microsoft.Network/loadBalancers/*",
          "Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action",
          "Microsoft.Network/networkInterfaces/*",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/virtualNetworks/delete",
          "Microsoft.Network/virtualNetworks/subnets/*",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Resources/subscriptions/resourcegroups/*"
        ],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "volt-azure-vnet-role",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

Create Role and Service Principal

Perform the following steps to create a role in the Azure portal with the permissions required to create an Azure VNET site, and then create a service principal on the subscription with the Contributor role.

Step 1: Log into Azure portal and navigate to access control section.

Go to Home -> Subscriptions. Select the subscription for which you are Owner and click Access control (IAM).

Step 2: Create a custom role with required permissions.

Change to the Role assignments tab. Click Add and select Add custom role. Enter a name on the Basics tab, then open the JSON tab and click Edit to paste the permissions listed in the Azure VNET Policies section.

Step 3: Complete creating the role.

Click Review + create.

Step 4: Create the service principal account.

You can create the service principal using the Volterra terraform tool or the Azure CLI.

Step 4.1: Enter terraform container or use Azure CLI.

In case you are deploying using Volterra terraform, perform the following to enter the terraform container:

  • Download the Volterra terraform container and start it.
docker run --entrypoint tail --name terraform-cli -d -it -w /terraform/templates -v ${HOME}/.ssh:/root/.ssh volterraio/volt-terraform:latest -f /dev/null
  • Enter volt-terraform container.
docker exec -it terraform-cli sh
  • If you are deploying from VoltConsole using automatic deployment with Azure cloud credentials, install the Azure CLI on your local machine instead.

Note: See Install the Azure CLI for information on Azure CLI installation.

Step 4.2: Create service principal.

Enter the following commands to create service principal:

az login
az account list --output table
SUBSCRIPTION_ID=<subscription_id>
az account set -s $SUBSCRIPTION_ID
az ad sp create-for-rbac -n <deployment-name> --role="Contributor" --scopes="/subscriptions/$SUBSCRIPTION_ID" 

Note: Replace subscription_id with your Azure subscription ID.

Note: If service principal creation fails with an error stating that you have not accepted the legal terms on this subscription, enter the following command to accept the terms and conditions: az vm image terms accept --urn "volterraedgeservices:volterra-node:volterra-node:0.7.1"


Create Service Principal Using Cloud Reference Script

Perform the following steps:

Note: The Azure CLI is required. See Install the Azure CLI for more information.

Step 1: Run the Azure login command.
az login

The CLI opens your default browser and loads an Azure sign-in page. Sign in with your account credentials.

Step 2: List the Azure accounts and subscriptions.
az account list --output table

Get the desired Azure SubscriptionId from the output of the above command.

Step 3: Set the active account to the subscription ID of your choice.
export SUBSCRIPTION_ID=<subscription_id>
az account set -s $SUBSCRIPTION_ID
Step 4: Create the Azure custom role using the cloud reference script.

Download the script from the Azure Cloud Reference Script location in the JSON format. The name of the file is azure-custom-volterra-role.json. Enter the following command:

az role definition create --role-definition ./azure-custom-volterra-role.json

Note: Before running the command, replace $SUBSCRIPTION_ID in the JSON file with the relevant SubscriptionId; az does not expand shell variables inside the file.

Step 5: Create the service principal and assign the custom role created in Step 4.
az ad sp create-for-rbac --role="volt-azure-vnet-role" --scopes="/subscriptions/$SUBSCRIPTION_ID" -n "SP_NAME"

The following is the list of field descriptions for the above command:

  • volt-azure-vnet-role is the custom role created in Step 4.
  • SP_NAME is the service principal name that will be created.

The resulting JSON output can be used to create the Azure Client Secret for the service principal on VoltConsole. See Azure Cloud Credentials for more information. The output contains the client secret in clear text, so store it in a secrets manager and keep it out of shell history and version control.
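The two procedures above (Step 4.2 with the Contributor role, and the cloud reference script with the custom role) both end in `az ad sp create-for-rbac`. The following script is an added example, not part of the Volterra documentation or tooling: it renders the azure-custom-volterra-role.json template for one subscription, refuses to submit it if the placeholder was left in or the role is assignable beyond a single subscription, lists the Microsoft.Authorization actions a reviewer should look at, and then creates the role and service principal and verifies the assignment. The embedded template is a shortened copy of the page's role definition constructed for the example; the function and file names are the example's own, and it assumes `az` is installed and logged in.

```shell
#!/bin/sh
# Added example (not the Volterra docs' or tooling's own code).
# Assumes: `az` is installed and logged in; the template uses the literal
# placeholder $SUBSCRIPTION_ID exactly as shown on this page.

# Constructed sample: a shortened copy of the page's role definition, embedded
# so the checking helpers can be exercised without touching Azure.
SAMPLE_TEMPLATE='[
  {
    "assignableScopes": [
      "/subscriptions/$SUBSCRIPTION_ID"
    ],
    "description": "Volterra Custom Role to create Azure VNET site.",
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.Authorization/roleAssignments/*",
          "Microsoft.Network/virtualNetworks/write"
        ],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "volt-azure-vnet-role",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]'

# render_role_definition TEMPLATE_TEXT SUBSCRIPTION_ID -> rendered JSON on stdout.
# [$] makes sed treat the dollar sign literally instead of as an anchor.
render_role_definition() {
    printf '%s\n' "$1" | sed "s/[\$]SUBSCRIPTION_ID/$2/g"
}

# check_role_definition JSON_TEXT -> 0 if safe to submit, 1 otherwise.
# Rejects an unsubstituted placeholder and any assignable scope wider than
# one subscription (tenant root "/" or a management group).
check_role_definition() {
    if printf '%s\n' "$1" | grep -q 'SUBSCRIPTION_ID'; then
        echo "error: \$SUBSCRIPTION_ID placeholder was not substituted" >&2
        return 1
    fi
    if ! printf '%s\n' "$1" | grep -Eq '"/subscriptions/[0-9a-fA-F-]{36}"'; then
        echo "error: assignableScopes must name one subscription by ID" >&2
        return 1
    fi
    if printf '%s\n' "$1" | grep -Eq '"/"|Microsoft\.Management/managementGroups'; then
        echo "error: role must not be assignable at tenant or management group scope" >&2
        return 1
    fi
    return 0
}

# privileged_actions JSON_TEXT -> prints each Microsoft.Authorization/* action.
# These let the holder change who holds which role (Contributor does not),
# so they deserve a second look before the role is created.
privileged_actions() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*"Microsoft\.Authorization/[^"]*",?[[:space:]]*$' \
      | sed 's/^[[:space:]]*"\([^"]*\)".*$/\1/'
}

# create_role_and_sp TEMPLATE_FILE SUBSCRIPTION_ID SP_NAME
# Renders and checks the template, creates the role, creates the service
# principal bound to it, and lists the resulting assignment.
create_role_and_sp() {
    rendered="$(render_role_definition "$(cat "$1")" "$2")"
    check_role_definition "$rendered" || return 1
    echo "Microsoft.Authorization actions granted by this role:" >&2
    privileged_actions "$rendered" >&2
    role_name="$(printf '%s\n' "$rendered" | sed -n 's/.*"roleName": *"\([^"]*\)".*/\1/p')"
    printf '%s\n' "$rendered" > ./rendered-role.json
    az role definition create --role-definition ./rendered-role.json
    # A freshly created role definition can take a short while to propagate;
    # if the next command reports the role as not found, retry after a pause.
    # The output holds the client secret: write it to a 0600 file, not the terminal.
    creds="./$3-credentials.json"
    az ad sp create-for-rbac --role "$role_name" --scopes "/subscriptions/$2" -n "$3" > "$creds"
    chmod 600 "$creds"
    app_id="$(sed -n 's/.*"appId": *"\([^"]*\)".*/\1/p' "$creds")"
    az role assignment list --assignee "$app_id" --scope "/subscriptions/$2" --output table
}

# Usage: sh create-sp.sh ./azure-custom-volterra-role.json <subscription_id> <sp_name>
if [ "$#" -eq 3 ]; then
    create_role_and_sp "$1" "$2" "$3"
fi
```

To reproduce Step 4.2 instead, replace `--role "$role_name"` with `--role Contributor` and skip `az role definition create`; the checks on scope still apply, since the scope passed to `--scopes` is what bounds what the service principal can do.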