Use a Terraform plan to deploy an Amazon Linux 2 instance on Amazon Elastic Compute Cloud and connect it to Azure Arc
This article provides guidance for using the provided Terraform plan to deploy an Amazon Web Services (AWS) Amazon Elastic Compute Cloud (EC2) Linux 2 instance and connect it as an Azure Arc-enabled server resource.
Prerequisites
Clone the Azure Arc Jumpstart repository.
git clone https://github.com/microsoft/azure_arc.git
Install or update Azure CLI. Azure CLI should be running version 2.7.0 or later. Use
az --version
to check your current installed version.Generate SSH key (or use existing SSH key)
Create an Azure service principal.
To connect the AWS virtual machine to Azure Arc, an Azure service principal assigned with the Contributor role is required. To create it, sign in to your Azure account and run the following commands:
az login az account set -s <Your Subscription ID> az ad sp create-for-rbac -n "<Unique SP Name>" --role contributor --scopes "/subscriptions/<Your Subscription ID>"
For example:
az ad sp create-for-rbac -n "http://AzureArcAWS" --role contributor --scopes "/subscriptions/00000000-0000-0000-0000-000000000000"
The output should look like this:
{ "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX", "displayName": "http://AzureArcAWS", "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX", "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX" }
Note
We highly recommend that you scope the service principal to a specific Azure subscription and resource group.
Create an AWS identity
In order for Terraform to create resources in AWS, we will need to create a new AWS IAM role with appropriate permissions and configure Terraform to use it.
Sign in to the AWS management console
After signing in, select the Services dropdown list in the top left. Under Security, Identity, and Compliance, select IAM to access the identity and access management page
Click on Users from the left menu, and then select Add user to create a new IAM user.
On the Add User page, name the user
Terraform
and select the Programmatic Access checkbox, and then select NextOn the Set Permissions page, select Attach existing policies directly and then select the box next to AmazonEC2FullAccess as seen in the screenshot, and then select Next.
On the Tags page, assign a tag with a key of
azure-arc-demo
, then select Next to proceed to the review page.Verify that everything is correct, then select Create user.
After the user is created, you will see the user's access key ID and secret access key. Copy these values down before selecting Close. On the next page, you can see an example of what this should look like. Once you have these keys, you will be able to use them with Terraform to create AWS resources.
Configure Terraform
Before executing the Terraform plan, you must export the environment variables which will be used by the plan. These variables are based on your Azure subscription and tenant, the Azure service principal, and the AWS IAM user and keys you just created.
Retrieve your Azure subscription ID and tenant ID using the
az account list
command.The Terraform plan creates resources in both Microsoft Azure and AWS. It then executes a script on an AWS EC2 virtual machine to install the Azure Arc agent and all necessary artifacts. This script requires certain information about your AWS and Azure environments. Edit
scripts/vars.sh
and update each of the variables with the appropriate values.TF_VAR_subscription_id
= your Azure subscription IDTF_VAR_client_id
= your Azure service principal application IDTF_VAR_client_secret
= your Azure service principal passwordTF_VAR_tenant_id
= your Azure tenant IDAWS_ACCESS_KEY_ID
= AWS access keyAWS_SECRET_ACCESS_KEY
= AWS secret key
From the Azure CLI, navigate to the
azure_arc_servers_jumpstart/aws/al2/terraform
directory of the cloned repo.Export the environment variables you edited by running
scripts/vars.sh
with the source command as shown below. Terraform requires these to be set for the plan to execute properly. Note that this script will also be automatically executed remotely on the AWS virtual machine as part of the Terraform deployment.source ./scripts/vars.sh
Make sure your SSH keys are available in
~/.ssh
and namedid_rsa.pub
andid_rsa
. If you followed thessh-keygen
guide above to create your key then this should already be set up correctly. If not, you may need to modifymain.tf
to use a key with a different path.Run the
terraform init
command which will download the Terraform AzureRM provider.
Deployment
Run the
terraform apply --auto-approve
command and wait for the plan to finish. Upon completion, you will have an AWS Amazon Linux 2 EC2 instance deployed and connected as a new Azure Arc-enabled server inside a new resource group.Open the Azure portal and navigate to the
arc-servers-demo
resource group. The virtual machine created in AWS will be visible as a resource.
Semi-automated deployment (optional)
As you may have noticed, the last step of the run is to register the VM as a new Azure Arc-enabled server resource.
If you want to demo/control the actual registration process, do the following:
In the
install_arc_agent.sh.tmpl
script template, comment out therun connect command
section and save the file.Get the public IP of the AWS VM by running
terraform output
.SSH to the VM using the
ssh ec2-user@xx.xx.xx.xx
, wherexx.xx.xx.xx
is the host IP.Export all the environment variables in
vars.sh
Run the following command:
azcmagent connect --service-principal-id $TF_VAR_client_id --service-principal-secret $TF_VAR_client_secret --resource-group "Arc-Servers-Demo" --tenant-id $TF_VAR_tenant_id --location "westus2" --subscription-id $TF_VAR_subscription_id
When complete, your VM will be registered with Azure Arc and visible in the resource group via the Azure portal.
Delete the deployment
To delete all the resources you created as part of this demo, use the terraform destroy --auto-approve
command as shown below.
Alternatively, you can delete the AWS EC2 instance directly by terminating it from the AWS console.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for