chore: adding multiple mca scopes and scp's

Author: florianow

README.md

@@ -271,7 +271,7 @@ Before opening a Pull Request, please do the following:
 | <a name="input_can_cancel_subscriptions_in_scopes"></a> [can\_cancel\_subscriptions\_in\_scopes](#input\_can\_cancel\_subscriptions\_in\_scopes) | The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`. | `list(string)` | `[]` | no |
 | <a name="input_can_delete_rgs_in_scopes"></a> [can\_delete\_rgs\_in\_scopes](#input\_can\_delete\_rgs\_in\_scopes) | The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`. | `list(string)` | `[]` | no |
 | <a name="input_create_passwords"></a> [create\_passwords](#input\_create\_passwords) | Create passwords for service principals. | `bool` | `true` | no |
-| <a name="input_mca"></a> [mca](#input\_mca) | n/a | <pre>object({<br>    service_principal_names = list(string)<br>    billing_account_name    = string<br>    billing_profile_name    = string<br>    invoice_section_name    = string<br>  })</pre> | `null` | no |
+| <a name="input_mca"></a> [mca](#input\_mca) | n/a | <pre>object({<br>    service_principals = map(object({<br>      billing_scopes = list(object({<br>        billing_account_name = string<br>        billing_profile_name = string<br>        invoice_section_name = string<br>      }))<br>    }))<br>  })</pre> | `null` | no |
 | <a name="input_metering_assignment_scopes"></a> [metering\_assignment\_scopes](#input\_metering\_assignment\_scopes) | Names or UUIDs of the Management Groups that kraken should collect costs for. | `list(string)` | n/a | yes |
 | <a name="input_metering_enabled"></a> [metering\_enabled](#input\_metering\_enabled) | Whether to create Metering Service Principal or not. | `bool` | `true` | no |
 | <a name="input_metering_service_principal_name"></a> [metering\_service\_principal\_name](#input\_metering\_service\_principal\_name) | Service principal for collecting cost data. Kraken ist the name of the meshStack component. Name must be unique per Entra ID. | `string` | `"kraken"` | no |
@@ -293,7 +293,7 @@ Before opening a Pull Request, please do the following:
 |------|-------------|
 | <a name="output_azure_ad_tenant_id"></a> [azure\_ad\_tenant\_id](#output\_azure\_ad\_tenant\_id) | The Azure AD tenant id. |
 | <a name="output_documentation"></a> [documentation](#output\_documentation) | Complete module documentation in markdown format |
-| <a name="output_mca_service_billing_scope"></a> [mca\_service\_billing\_scope](#output\_mca\_service\_billing\_scope) | n/a |
+| <a name="output_mca_service_billing_scopes"></a> [mca\_service\_billing\_scopes](#output\_mca\_service\_billing\_scopes) | n/a |
 | <a name="output_mca_service_principal"></a> [mca\_service\_principal](#output\_mca\_service\_principal) | MCA Service Principal. |
 | <a name="output_mca_service_principal_password"></a> [mca\_service\_principal\_password](#output\_mca\_service\_principal\_password) | Password for MCA Service Principal. |
 | <a name="output_metering_service_principal"></a> [metering\_service\_principal](#output\_metering\_service\_principal) | Metering Service Principal. |

main.tf

@@ -80,11 +80,7 @@ module "mca_service_principal" {
   count  = var.mca != null ? 1 : 0
   source = "./modules/meshcloud-mca-service-principal"
 
-  service_principal_names = var.mca.service_principal_names
-
-  billing_account_name = var.mca.billing_account_name
-  billing_profile_name = var.mca.billing_profile_name
-  invoice_section_name = var.mca.invoice_section_name
+  service_principals = var.mca.service_principals
 
   create_password = var.create_passwords
   workload_identity_federation = var.workload_identity_federation == null ? null : {

modules/meshcloud-mca-service-principal/module.tf

@@ -20,60 +20,84 @@ terraform {
   }
 }
 
+locals {
+  # Flatten all billing scopes from all service principals with unique keys
+  all_billing_scopes = merge([
+    for sp_name, sp_config in var.service_principals : {
+      for idx, scope in sp_config.billing_scopes :
+      "${sp_name}-${idx}" => scope
+    }
+  ]...)
+}
 
 data "azurerm_billing_mca_account_scope" "mca" {
-  billing_account_name = var.billing_account_name
-  billing_profile_name = var.billing_profile_name
-  invoice_section_name = var.invoice_section_name
+  for_each = local.all_billing_scopes
+
+  billing_account_name = each.value.billing_account_name
+  billing_profile_name = each.value.billing_profile_name
+  invoice_section_name = each.value.invoice_section_name
 }
 
 resource "azuread_application" "mca" {
-  for_each     = toset(var.service_principal_names)
+  for_each     = var.service_principals
   display_name = each.key
   owners       = var.application_owners
 }
 
 resource "azuread_service_principal" "mca" {
-  for_each  = toset(var.service_principal_names)
+  for_each  = var.service_principals
   client_id = azuread_application.mca[each.key].client_id
   owners    = var.application_owners
 }
 
 data "azapi_resource_list" "billing_role_definitions" {
+  for_each               = data.azurerm_billing_mca_account_scope.mca
   type                   = "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingRoleDefinitions@2020-05-01"
-  parent_id              = data.azurerm_billing_mca_account_scope.mca.id
+  parent_id              = each.value.id
   response_export_values = ["*"]
 }
 
 locals {
-  azure_subscription_creator_role_id = jsondecode(
-    data.azapi_resource_list.billing_role_definitions.output).value[
-    index(jsondecode(data.azapi_resource_list.billing_role_definitions.output).value[*].properties.roleName, "Azure subscription creator")
-  ].id
+  azure_subscription_creator_role_ids = {
+    for key, role_def in data.azapi_resource_list.billing_role_definitions : key => role_def.output.value[
+      index(role_def.output.value[*].properties.roleName, "Azure subscription creator")
+    ].id
+  }
 }
 
 resource "azapi_resource_action" "add_role_assignment_subscription_creator" {
-  for_each = toset(var.service_principal_names)
+  for_each = {
+    for item in flatten([
+      for sp_name, sp_config in var.service_principals : [
+        for idx, scope in sp_config.billing_scopes : {
+          key       = "${sp_name}-${idx}"
+          sp_name   = sp_name
+          scope_id  = data.azurerm_billing_mca_account_scope.mca["${sp_name}-${idx}"].id
+          scope_key = "${sp_name}-${idx}"
+        }
+      ]
+    ]) : item.key => item
+  }
 
   type                   = "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections@2019-10-01-preview"
-  resource_id            = data.azurerm_billing_mca_account_scope.mca.id
+  resource_id            = each.value.scope_id
   action                 = "createBillingRoleAssignment"
   method                 = "POST"
   when                   = "apply"
   response_export_values = ["*"]
-  body = jsonencode({
+  body = {
     properties = {
-      principalId      = azuread_service_principal.mca[each.key].object_id
-      roleDefinitionId = local.azure_subscription_creator_role_id
+      principalId      = azuread_service_principal.mca[each.value.sp_name].object_id
+      roleDefinitionId = local.azure_subscription_creator_role_ids[each.value.scope_key]
     }
-  })
+  }
 }
 
 resource "azapi_resource_action" "remove_role_assignment_subscription_creator" {
-  for_each = toset(var.service_principal_names)
+  for_each = azapi_resource_action.add_role_assignment_subscription_creator
 
   type        = "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingRoleAssignments@2019-10-01-preview"
-  resource_id = jsondecode(azapi_resource_action.add_role_assignment_subscription_creator[each.key].output).id
+  resource_id = each.value.output.id
   method      = "DELETE"
   when        = "destroy"
 }
@@ -88,7 +112,7 @@ resource "time_rotating" "mca_secret_rotation" {
 }
 
 resource "azuread_application_password" "mca" {
-  for_each = var.create_password ? toset(var.service_principal_names) : toset([])
+  for_each = var.create_password ? var.service_principals : {}
 
   application_id = azuread_application.mca[each.key].id
   rotate_when_changed = {
@@ -105,7 +129,7 @@ locals {
     var.workload_identity_federation.subjects != null
     ? var.workload_identity_federation.subjects
     : var.workload_identity_federation.subject != null
-    ? { for name in var.service_principal_names : name => var.workload_identity_federation.subject }
+    ? { for name in keys(var.service_principals) : name => var.workload_identity_federation.subject }
     : {}
   )
 }

modules/meshcloud-mca-service-principal/outputs.tf

@@ -1,11 +1,11 @@
-output "billing_scope" {
-  value = data.azurerm_billing_mca_account_scope.mca.id
+output "billing_scopes" {
+  value = [for scope in data.azurerm_billing_mca_account_scope.mca : scope.id]
 }
 
 output "credentials" {
   description = "Service Principal application id and object id"
   value = {
-    for name in var.service_principal_names : name => {
+    for name in keys(var.service_principals) : name => {
       Enterprise_Application_Object_ID = azuread_service_principal.mca[name].object_id
       Application_Client_ID            = azuread_application.mca[name].client_id
       Client_Secret                    = var.create_password ? "Execute `terraform output mca_service_principal_password` to see the password" : "No password was created"
@@ -15,6 +15,6 @@ output "credentials" {
 
 output "application_client_secret" {
   description = "Client Secret Of the Application."
-  value       = var.create_password ? { for name in var.service_principal_names : name => azuread_application_password.mca[name].value } : {}
+  value       = var.create_password ? { for name in keys(var.service_principals) : name => azuread_application_password.mca[name].value } : {}
   sensitive   = true
 }

modules/meshcloud-mca-service-principal/variables.tf

@@ -1,17 +1,14 @@
-variable "service_principal_names" {
-  type = list(string)
-}
-
-variable "billing_account_name" {
-  type = string
-}
 
-variable "billing_profile_name" {
-  type = string
-}
 
-variable "invoice_section_name" {
-  type = string
+variable "service_principals" {
+  type = map(object({
+    billing_scopes = list(object({
+      billing_account_name = string
+      billing_profile_name = string
+      invoice_section_name = string
+    }))
+  }))
+  description = "Map of service principal names to their respective billing scopes"
 }
 
 variable "application_owners" {

outputs.tf

@@ -20,8 +20,8 @@ output "mca_service_principal_password" {
   sensitive   = true
 }
 
-output "mca_service_billing_scope" {
-  value = length(module.mca_service_principal) > 0 ? module.mca_service_principal[0].billing_scope : null
+output "mca_service_billing_scopes" {
+  value = length(module.mca_service_principal) > 0 ? module.mca_service_principal[0].billing_scopes : null
 }
 
 output "metering_service_principal" {
@@ -153,7 +153,7 @@ The following outputs are available after deployment:
 | replicator_service_principal_password | Replicator service principal password | Yes | ${length(module.replicator_service_principal) > 0 ? "✅" : "❌"} |
 | mca_service_principal | MCA service principal credentials | No | ${length(module.mca_service_principal) > 0 ? "✅" : "❌"} |
 | mca_service_principal_password | MCA service principal password | Yes | ${length(module.mca_service_principal) > 0 ? "✅" : "❌"} |
-| mca_service_billing_scope | MCA billing scope | No | ${length(module.mca_service_principal) > 0 ? "✅" : "❌"} |
+| mca_service_billing_scopes | MCA billing scopes | No | ${length(module.mca_service_principal) > 0 ? "✅" : "❌"} |
 | metering_service_principal | Metering service principal credentials | No | ${length(module.metering_service_principal) > 0 ? "✅" : "❌"} |
 | metering_service_principal_password | Metering service principal password | Yes | ${length(module.metering_service_principal) > 0 ? "✅" : "❌"} |
 | sso_service_principal_client_id | SSO service principal client ID | No | ${length(module.sso_service_principal) > 0 ? "✅" : "❌"} |

variables.tf

@@ -141,10 +141,13 @@ variable "workload_identity_federation" {
 
 variable "mca" {
   type = object({
-    service_principal_names = list(string)
-    billing_account_name    = string
-    billing_profile_name    = string
-    invoice_section_name    = string
+    service_principals = map(object({
+      billing_scopes = list(object({
+        billing_account_name = string
+        billing_profile_name = string
+        invoice_section_name = string
+      }))
+    }))
   })
   default = null
 }