Add support for Azure Lighthouse / Azure Delegated Resource Management

[richeney]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add support for Azure Lighthouse, announced at Inspire 2019.

Many multi cloud partners are standardising on Terraform for customer deployments, and Lighthouse will be the default way to set up authorisations for service providers to gain the correct access, visibility and recognition in customer tenancies.

New or Affected Resource(s)

The new AzureRM provider, Microsoft.ManagedServices, provides two new types,

• Registration Assignments
• Registration Definitions

These are the Azure Delegated Resource Management calls.

Suggested Terraform resources to directly match:

• azurerm_registration_assignments
• azurerm_registration_definitions

Alternatively (or if synonyms are supported) then

• azurerm_lighthouse_assignments
• azurerm_lighthouse_definitions

Also data sources to match.

Potential Terraform Configuration

# To be defined, but similar to the role assignments bar argument / attribute differences.

References

Blog Posts

• https://azure.microsoft.com/blog/introducing-azure-lighthouse/
• https://azure.microsoft.com/blog/how-azure-lighthouse-enables-management-at-scale-for-service-providers/

Video

• Introducing Azure Lighthouse
• https://azure.microsoft.com/resources/videos/azure-lighthouse-demo-recording/

Documentation

• https://docs.microsoft.com/azure/lighthouse/overview

ARM Templates

• https://aka.ms/azurelighthouse-github

[RickB-2840]

I think it sounds like a good idea. I've only just learned of the existence of Lighthouse, but I've been reading about about it for a few hours and I can foresee a use case that's not about ongoing managed services, but about consulting - cloud architecture and security assessments in which Terraform compatibility would facilitate deployment of a proof of concept in the consulting client's cloud estate. We typically recommend clients adopt Terraform, and this might make it easier for us to do that.

[Humoiz]

I am working on this feature now. I should be submitting the PR by next week.

[lukiffer]

This is a really useful feature for us as an MSP who manages our customer environments with Terraform.

Based on PR comments, it appears that it's been deferred pending an internal discussion surrounding CI/testability. Would be interested to see how that unfolds, but I'm also curious as to the actual likelihood of the CI issues being resolved in time for the tagged milestones.

Totally understand it may not be a high priority; I'm just trying to gauge the level of effort we should put into looking for interim solutions, or if we should just wait it out and import state after the fact.

[jackofallops]

Closing as addressed by merge of #6560, due to be released in v2.28.0 of the provider.

[ghost]

This has been released in version 2.28.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.28.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!