search

Automated using Terraform

This guide details the integration process and introduces a unified Terraform solution to fully automate onboarding, including App Registration, Cost Exports, and IAM role assignments.

circle-exclamation

The user executing the script must hold specific roles based on the target integration scope: Management Group: Owner or User Access Administrator at the Management Group level

Subscription: Owner at the Subscription level

Resource Group: Owner at the Resource Group level

OneLens is designed to adapt to your specific Azure organizational hierarchy. Whether your governance model relies on complex Management Groups, standalone Subscriptions with individual billing, or isolated Resource Groups, OneLens supports integration at the scope that best fits your needs.

To accelerate this process, we provide a unified Terraform solution that automates the complete onboarding workflow for all three scopes. This automation handles the end-to-end setup, including:

  • Infrastructure Setup: Creates the App Registration (Service Principal), Storage Accounts, and Blob Containers.

  • Data Configuration: Configures Cost Exports in Parquet format with Snappy compression and enables file partitioning.

  • Access Management: Assigns required IAM roles and manages external user invitations.

circle-exclamation

The following prerequisites must be met before deploying the Terraform onboarding script:

  • Azure CLI: Must be installed and authenticated (az login).

  • Terraform version: Version 1.0 or greater is required

  • Optional: jq is recommended for better JSON output formatting. Note: If you are using Azure Cloud Shell (recommended), the above prerequisites will already be satisfied.

1

hashtag
Uploading the Script

  • Login to the Azure Portal.

  • From the Azure homepage, click the Cloud Shell icon on the top navigation bar to launch Azure Cloud Shell.

  • The Azure Cloud Shell window would now be open. Authenticate your user if prompted.

  • Use the following command to set the working subscription in the Cloud Shell session. The cost export used by OneLens will be created in this subscription (applicable for all scopes).

az account set --subscription <subscription_ID>

  • Create a new folder using the following command:

mkdir onelens_onboarding_azure

  • Navigate into the newly created folder using the following command:

cd ./onelens_onboarding_azure/

  • Use the Manage files > Upload option to upload the Terraform script folder to Azure Cloud Shell.

circle-info

The script would have been provided to you in a ZIP format by the OneLens team. Please unzip the file into a folder and proceed to upload the files.

  • Select all 9 files from the unzipped folder to upload.

  • The Azure Cloud Shell window should display a successfully uploaded message.

  • Move all the files into the newly created folder using the following commands (for easier maintenance).

cd ..
mv backend.tf data.tf deploy.sh locals.tf main.tf outputs.tf provider.tf README.md variables.tf ./onelens_onboarding_azure/
cd onelens_onboarding_azure

2

hashtag
Setting variables for Terraform

  • Use the following commands to make the deploy.sh script executable and execute it:

chmod +x ./deploy.sh
./deploy,sh

This will initiate the deployment script and run pre-flight permission checks.

  • Choose the scope of deployment by entering:

    • 1 for Management Group

    • 2 for Subscription(s)

    • 3 for Resource Group(s)

In this guide, we are onboarding a single Subscription as an example.

  • The script will prompt you for your company name (use lowercase characters and hyphens only).

  • Next, enter the Subscription ID(s) separated by commas, or type "ALL" to onboard all available subscriptions.

circle-info

Depending on your scope of onboarding, the script will prompt you for the Management Group (tenant) ID(s) or the Resource Group ID(s).

  • Using the entered value, the script determines your Billing Account type (MOSP, MCA, EA) and the Billing Account ID and prints the same for your verification. Type yes to use the value.

  • Next, the script will prompt you to enter the External User email ID (unless explicitly provided by the OneLens team, you can hit Enter to use the default value).

  • Next, the script will prompt you to specify an Azure region where the new storage account (for storing the Cost export) is to be created. To use the default value (Central India), hit Enter.

circle-exclamation

You can specify any region by using the programmatic name from the below list. Azure regions listarrow-up-right

  • Next, the script will prompt you to enable AKS Cost Analysis for detailed usage and cost metrics for Azure Kubernetes clusters. If you do not use AKS in the selected scope, you can enter no. If yes, the script will check for available clusters in your scope and enable AKS cost analysis.

circle-info

For more details on how and why we enable AKS cost analysis, please refer to the below documentation from Microsoft: AKS Cost Analysisarrow-up-right

  • Next, the script will prompt you to enable Tag Inheritance. It is recommended to enable it for better tagged visibility on OneLens.

circle-info

For more details on how and why we enable Tag Inheritance, please refer to the below documentation from Microsoft: Enable Tag Inheritancearrow-up-right

  • Next, the script will prompt you to enter the client ID of the App Registration to enable integration with OneLens. It is recommended to create a new App Registration by pressing Enter.

  • Subsequently, the script prompts you to enter the name of the Storage Account to use for cost exports. It is recommended to create a new Storage Account by pressing Enter.

  • To keep the OneLens resources organized in your environment, the script creates a Resource Group called onelens-rg. If a resource group with that name is already present, press 1 to use it, or press 2 to create a new Resource Group with a custom name. By default, the script will create a new Resource Group.

  • The script will then prompt you for a Container name to be created in the Storage Account. By default, the script will use the value onelens-cost-usage-reports on pressing Enter.

3

hashtag
Executing the script

  • After validating all inputs, the script runs the terraform init and terraform plan commands, then prints a summary of the resources to be created for your reference. Upon entering yes, the script proceeds to run the terraform apply command.

  • On successful execution, the script saves the outputs into a Terraform statefile and outputs a summary.

circle-check

You have now successfully integrated your Azure environment with OneLens.

Please share the following values to the OneLens team to facilitate the connection on our end:

  • App Registration Tenant (Directory) ID

  • App Registration Client (Application) ID

  • App Registration Client Secret Value

  • App Registration Client Secret ID

  • Storage Account name

  • Container name

  • Subscription ID(s) / Resource Group ID(s) / Management Group ID(s)

4

hashtag
Optional: Backup the state file to Azure Storage (recommended)

  • As a final step, the script prompts you to backup the Terraform state file to the storage account used. It is recommended to enter yes, to streamline the process for deleting the OneLens resources in case of a future offboarding activity.

PreviousConnecting to AzureNextAt Management Group

Last updated