forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azure-prepare-env.html.md.erb
194 lines (156 loc) · 9.07 KB
/
azure-prepare-env.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
---
title: Preparing to Deploy PCF on Azure
owner: Ops Manager
---
<strong><%= modified_date %></strong>
<html class="list-style-none"></html>
This topic describes how to prepare to deploy Pivotal Cloud Foundry (PCF) on Azure by creating a service principal to access resources in your Azure subscription.
After you complete this procedure, follow the instructions in either the [Launching an Ops Manager Director Instance with an ARM Template](azure-arm-template.html) topic or the [Launching an Ops Manager Director Instance on Azure without an ARM Template](azure-om-deploy.html) topic.
##<a id="install"></a> Step 1: Install and Configure the Azure CLI
1. Install the Azure CLI 2.0 by following the instructions for your operating system in the [Azure documentation](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli).
1. Set your cloud:
<pre class="terminal">
$ az cloud set --name AzureCloud
</pre>
<p class="note"><strong>Note</strong>: To use the Azure China environment, replace <code>AzureCloud</code> with <code>AzureChinaCloud</code>. If logging in to <code>AzureChinaCloud</code> fails with a <code>CERT_UNTRUSTED</code> <a href="https://github.com/Azure/azure-xplat-cli/issues/2725">error</a>, use the latest version of node, 4.x or later.</p>
1. Log in:
<pre class="terminal">
$ az login
</pre>
Authenticate by navigating to the URL in the output, entering the provided code, and clicking your account.
##<a id="default-subscription"></a> Step 2: Set Your Default Subscription
1. Run `az account list` to list your Azure subscriptions:
<pre class="terminal">
$ az account list
[
{
"id": "12345678-1234-5678-1234-567891234567",
"name": "Sample Subscription",
"user": {
"name": "Sample Account",
"type": "user"
},
"tenantId": "11111111-1234-5678-1234-678912345678",
"state": "Enabled",
"isDefault": true,
"registeredProviders": [],
"environmentName": "AzureCloud"
},
{
"id": "87654321-1234-5678-1234-678912345678",
"name": "Sample Subscription1",
"user": {
"name": "Sample Account1",
"type": "user"
},
"tenantId": "22222222-1234-5678-1234-678912345678",
"state": "Enabled",
"isDefault": false,
"registeredProviders": [],
"environmentName": "AzureCloud"
}
]
</pre>
1. Locate your default subscription by finding the subscription with `isDefault` set to `true`. If your default subscription is not where you want to deploy PCF, run `az account set --subscription SUBSCRIPTION_ID` to set a new default, where `SUBSCRIPTION_ID` is the value of the `id` field. For example: `"87654321-1234-5678-1234-567891234567"`.
<pre class="terminal">
$ az account set --subscription SUBSCRIPTION_ID
</pre>
1. Record the value of the `id` set as the default. You use this value in future configuration steps.
1. Record the value of `tenantID` for your default subscription. This is your `TENANT_ID` for creating a service principal. If your `tenantID` value is not defined, you may be using a personal account to log in to your Azure subscription.
##<a id='create-aad'></a> Step 3: Create an Azure Active Directory (AAD) Application
1. Run the following command to create an AAD application, replacing `PASSWORD` with a password of your choice. This is your `CLIENT_SECRET` for creating a service principal.
<pre class="terminal">$ az ad app create --display-name "Service Principal for BOSH" \
--password "PASSWORD" --homepage "<span>http:</span>//BOSHAzureCPI" \
--identifier-uris "<span>http</span>://BOSHAzureCPI"
</pre>
<p class="note"><strong>Note</strong>: You can provide any string for the <code>home-page</code> and <code>identifier-uris</code> flags, but the value of <code>identifer-uris</code> must be unique within the organization associated with your Azure subscription. For the <code>home-page</code>, Pivotal recommends using <code><span>http:</span>//BOSHAzureCPI</code>, as shown in the example above.
</p>
1. Record the value of `appId` from the output. This is your `APPLICATION_ID` for creating a service principal.
<pre class="terminal">
{
"appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
"appPermissions": null,
"availableToOtherTenants": false,
"displayName": "Service Principal for BOSH",
"homepage": "http<span>://</span>BOSHAzureCIP",
"identifierUris": [
"http<span>://</span>BOSHAzureCPI"
],
"objectId": "f3884df4-7d1d-4894-a78c-c1fe75750436",
"objectType": "Application",
"replyUrls": []
}
</pre>
##<a id="create-configure"></a> Step 4: Create and Configure a Service Principal
1. To create a service principal, run `az ad sp create --id YOUR-APPLICATION-ID`, replacing `YOUR-APPLICATION-ID` with the `APPLICATION_ID` you recorded in the [previous step](#create-aad):
<pre class="terminal">
$ az ad sp create --id YOUR-APPLICATION-ID
{
"appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
"displayName": "Service Principal for BOSH",
"objectId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
"objectType": "ServicePrincipal",
"servicePrincipalNames": [
"5c552e8f-b977-45f5-a50b-981cfe17cb9d",
"http://BOSHAzureCPI"
]
}
</pre>
1. You must have the Contributor role on your service principal to deploy PCF. Run the following command to assign this role:
<pre class="terminal">
$ az role assignment create --assignee "SERVICE-PRINCIPAL-NAME" \
--role "Contributor" --scope /subscriptions/SUBSCRIPTION-ID
</pre>
* For `SERVICE-PRINCIPAL-NAME`, use any value of `Service Principal Names` from the output above, such as `YOUR-APPLICATION-ID`.
* For `SUBSCRIPTION-ID`, use the ID of the default subscription that you recorded in [Step 2](#default-subscription).
<p class="note"><strong>Note</strong>: If you need to use multiple resource groups for your PCF deployment on Azure, you can define custom roles for your Service Principal. These roles allow BOSH to deploy PCF to pre-existing network resources outside the PCF resource group. For more information, see <a href="../refarch/azure/azure_ref_arch.html#multiple_resource_groups">Reference Architecture for Pivotal Cloud Foundry on Azure</a>.</p>
For more information about Azure Role-Based Access Control, refer to the <a href="https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/">RBAC: Built-in roles</a> topic in the Azure documentation.
1. Verify the assignment by running the following command:
<pre class="terminal">
$ az role assignment list --assignee "SERVICE-PRINCIPAL-NAME"
[
{
"id": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleAssignments/32e644cf-ba1a-4f43-bf7c-68bf4583e463",
"name": "32e644cf-ba1a-4f43-bf7c-68bf4583e463",
"properties": {
"principalId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
"principalName": "http://BOSHAzureCPI",
"roleDefinitionId": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"roleDefinitionName": "Contributor",
"scope": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243"
},
"type": "Microsoft.Authorization/roleAssignments"
}
]
</pre>
##<a id="verify-your-service-principal"></a> Step 5: Verify Your Service Principal
To verify your service principal, log in to your service principal with your `APPLICATION_ID`, `CLIENT_SECRET`, and `TENANT_ID`.
<pre class="terminal">
$ az login --username APPLICATION\_ID --password CLIENT\_SECRET \
--service-principal --tenant TENANT\_ID
[
{
"cloudName": "AzureCloud",
"id": "995b7eed-77ef-45ff-a5c9-1a405ffb8243",
"isDefault": true,
"name": "CF-Docs",
"state": "Enabled",
"tenantId": "29248f74-371f-4db2-9a50-c62a6877a0c1",
"user": {
"name": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
"type": "servicePrincipal"
}
}
]
</pre>
If you cannot log in, the service principal is invalid. Create a new service principal and try again.
##<a id='register'></a> Step 6: Perform Registrations
1. Register your subscription with Microsoft.Storage:
<pre class="terminal">$ az provider register --namespace Microsoft.Storage</pre>
1. Register your subscription with Microsoft.Network:
<pre class="terminal">$ az provider register --namespace Microsoft.Network</pre>
1. Register your subscription with Microsoft.Compute:
<pre class="terminal">$ az provider register --namespace Microsoft.Compute</pre>
After you complete this topic, continue to one of the following topics:
* [Launching an Ops Manager Director Instance with an ARM Template](azure-arm-template.html): Perform the procedures in this topic to deploy Ops Manager Director with an Azure Resource Manager (ARM) template. Pivotal recommends using an ARM template.
* [Launching an Ops Manager Director Instance on Azure without an ARM Template](azure-om-deploy.html): Perform the procedures in this topic to deploy Ops Manager Director manually.