From 429262b08e21061730ec8133d12811e4f67d2f5d Mon Sep 17 00:00:00 2001 From: Mark Garner Date: Tue, 18 Oct 2016 15:11:37 -0500 Subject: [PATCH] Update to new portal experience Added updated instructions for creating app registration in the new ARM portal. Updated instructions for granting permissions to the app registration as well. --- .../providers/azurerm/index.html.markdown | 29 +++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/website/source/docs/providers/azurerm/index.html.markdown b/website/source/docs/providers/azurerm/index.html.markdown index e1f74142a..2a03bf3a7 100644 --- a/website/source/docs/providers/azurerm/index.html.markdown +++ b/website/source/docs/providers/azurerm/index.html.markdown 
@@ -80,7 +80,26 @@ The following arguments are supported: Azure requires that an application is added to Azure Active Directory to generate the `client_id`, `client_secret`, and `tenant_id` needed by Terraform (`subscription_id` can be recovered from your Azure account details). -Using the 'Classic' Portal: +There are two high-level tasks to complete. The first is to create an App Registration with Azure Active Directory. You can do this in either the New ARM portal (http://portal.azure.com) or the older 'Classic' portal (http://manage.windowsazure.com). + +The second task is to grant permissions for the Application Registration in your Subscription. + +To create the App Registration using the New ARM portal: + +- Select **Azure Active Directory** from the left pane +- Select the **App Registrations** tile from the Overview Section +- Click **Endpoints** at the top of the App Registrations blade. This will display a list of URIs. Extract the GUID from the bottom URI for **OAUTH 2.0 AUTHORIZATION ENDPOINT**. This is the `tenant_id` +- Select **Add** from the top of the blade. +- Add a friendly name for the application e.g. **Terraform**. Choose **Web App / API** for Application Type +- Add a valid URI as the Sign-on URL. This isn't used and can be anything e.g. http://terra.form. +- Click **Create** at the bottom to create the App Registration +- Choose your new App Registration to show details +- You should now be on the blade for your App Registration. At the top, notice the "Application ID" GUID. You'll use this as the `client_id` +- If the Settings blade for your Application Registration is not showing, click on **All Settings** +- Click on **Keys**. Enter a name for your key in **Key description** and choose an expiration duration. When you click **Save** at the top of the blade, the key value will be displayed. Once it is displayed, you then use this as the value for `client_secret`. 
This will disappear once you move off the page +- Click **Required Permissions**. Click **Add**. This will allow us to add permission to use the Windows Azure Service Management API to the App Registration. On Step 1, choose Windows Azure Service Management API. Click **Select**. On Step 2, check the box next to "Access Azure Service Management as organization users". Click **Select**. Click **Done** to finish adding the permission. + +To create the App Reigstration using the 'Classic' portal: - Select **Active Directory** from the left pane and select the directory you wish to use - Select **Applications** from the options at the top of the page 
@@ -91,11 +110,11 @@ Using the 'Classic' Portal: - In the **Keys** section of the page, select a suitable duration and click **Save** at the bottom of the page. This will then display the value for `client_secret`. This will disappear once you move off the page - Click **View Endpoints** at the bottom of the page. This will display a list of URIs. Extract the GUID from the bottom URI for **OAUTH 2.0 AUTHORIZATION ENDPOINT**. This is the `tenant_id` -To enable the application for use with Azure RM, you now need to switch to the 'New' Portal: +To grant permissions to the App Registration to your subscription, you now must to use to the 'ARM' Portal: -- Select **Subscriptions** from the left panel. Select the subscription that you want to use. In the Subscription details pane, click **All Settings** and then **Users** -- Click **Add** and then select an appropriate role for the tasks you want to complete with Terraform. You can find details on the built in roles [here](https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/) -- Type in the name of the application added in the 'Classic' Portal. You need to type this as it won't be shown in the user list. Click on the appropriate user in the list and then click **Select** +- Select **Subscriptions** from the left panel. Select the subscription that you want to use. In the Subscription details pane, click **Access Control (IAM)** +- Click **Add**. For Step 1 select an appropriate role for the tasks you want to complete with Terraform. You can find details on the built in roles [here](https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/) +- Type in the name of the application added in the search box. You need to type this as it won't be shown in the user list. Click on the appropriate user in the list and then click **Select** - Click **OK** in the **Add Access** panel. 
The changes will now be saved Microsoft have a more complete guide in the Azure documentation: [Create Active Directory application and service principle](https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/)
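Review bot: the first hunk introduces a typo in the new heading line "To create the App Reigstration using the 'Classic' portal:"; it should read "App Registration". In the same hunk, the two portal links are written as `http://portal.azure.com` and `http://manage.windowsazure.com`; since these pages are where the reader signs in and later copies a `client_secret`, the docs should link them over `https://`. It would also help to make the "This will disappear once you move off the page" warning for the key explicit that the value must be copied into a safe place at that moment, as the same caveat already appears for the 'Classic' portal steps.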
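Review bot: the second hunk's new intro line "To grant permissions to the App Registration to your subscription, you now must to use to the 'ARM' Portal:" has a grammar slip; suggest "To grant the App Registration permissions on your subscription, you now need to use the 'ARM' Portal:". The step "Type in the name of the application added in the search box" lost its object when the 'Classic' Portal reference was removed; since the application may now have been created in either portal, suggest "Type the name of the application you registered into the search box". Finally, the role step still just says "select an appropriate role"; since that role assignment is what actually scopes what Terraform can do in the subscription, a short note to pick the narrowest built-in role that covers the intended resources would be useful here (also "built in roles" should be "built-in roles").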