forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathazure-prepare-env.html.md.erb
179 lines (144 loc) · 9.68 KB
/
azure-prepare-env.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
---
title: Preparing to Deploy PCF on Azure
owner: Ops Manager
---
<strong><%= modified_date %></strong>
<html class="list-style-none"></html>
This topic describes how to prepare to deploy Pivotal Cloud Foundry (PCF) on Azure by creating a service principal to access resources in your Azure subscription.
After you complete this procedure, follow the instructions in either the [Launching an Ops Manager Director Instance with an ARM Template](azure-arm-template.html) topic or the [Launching an Ops Manager Director Instance on Azure without an ARM Template](azure-om-deploy.html) topic.
##<a id="install"></a> Step 1: Install and Configure the Azure CLI
1. Use the `azure --version` command to verify you have installed Azure CLI v0.10.5 or higher.
<pre class="terminal">$ azure --version</pre>
If you have the correct version of the Azure CLI installed, skip the next step.
1. To install a new or updated Azure CLI, follow the instructions for your operating system:
* **Mac OS X**: [Download](http://aka.ms/mac-azure-cli) and run the **Mac OS X Azure CLI** installer.
* **Windows**: [Download](http://aka.ms/webpi-azure-cli) and run the **Windows Azure CLI** installer. Use the command line, not PowerShell, to run the Azure CLI.
* **Linux**:
1. If not already installed, install Node.js and npm.
1. [Download](http://aka.ms/linux-azure-cli) the Linux Azure CLI tar file.
1. Run <code>sudo npm install -g PATH-TO-TAR-FILE</code>.
1. If you encounter the error <code>/usr/bin/env: node: No such file or directory</code> when running <code>azure</code> commands, run <code>sudo ln -s /usr/bin/nodejs /usr/bin/node</code>.
1. Set the mode of the Azure CLI to Azure Resource Management:
<pre class="terminal">
$ azure config mode arm
</pre>
1. Log in to your Azure account:
<pre class="terminal">
$ azure login --environment AzureCloud
</pre>
<p class="note"><strong>Note</strong>: To target the Azure China environment, replace <code>AzureCloud</code> with <code>AzureChinaCloud</code>. If logging in to <code>AzureChinaCloud</code> fails with a <code>CERT_UNTRUSTED</code> <a href="https://github.com/Azure/azure-xplat-cli/issues/2725">error</a>, use the latest version of node, 4.x or later.</p>
##<a id="default-subscription"></a> Step 2: Set Your Default Subscription
1. Run `azure account list --json` to list your Azure subscriptions:
<pre class="terminal">
$ azure account list --json
[
{
"id": "12345678-1234-5678-1234-567891234567",
"name": "Sample Subscription",
"user": {
"name": "Sample Account",
"type": "user"
},
"tenantId": "11111111-1234-5678-1234-678912345678",
"state": "Enabled",
"isDefault": true,
"registeredProviders": [],
"environmentName": "AzureCloud"
},
{
"id": "87654321-1234-5678-1234-678912345678",
"name": "Sample Subscription1",
"user": {
"name": "Sample Account1",
"type": "user"
},
"tenantId": "22222222-1234-5678-1234-678912345678",
"state": "Enabled",
"isDefault": false,
"registeredProviders": [],
"environmentName": "AzureCloud"
}
]
</pre>
1. Locate your default subscription by finding the subscription with **isDefault** set to `true`. If your default subscription is not where you want to deploy PCF, run `azure account set SUBSCRIPTION_ID` to set a new default, where `SUBSCRIPTION_ID` is the value of the **id** field. For example: `"87654321-1234-5678-1234-567891234567"`.
<pre class="terminal">
$ azure account set SUBSCRIPTION_ID
info: Executing command account set
info: Setting subscription to "Sample Subscription" with id "SUBSCRIPTION-ID".
info: Changes saved
info: account set command OK
</pre>
1. Record the value of the **id** set as the default. You use this value in future configuration steps.
1. Record the value of **tenantID** for your default subscription. This is your `TENANT_ID` for creating a service principal. If your **tenantID** value is not defined, you may be using a personal account to log in to your Azure subscription.
##<a id='create-aad'></a> Step 3: Create an Azure Active Directory (AAD) Application
1. Run the following command to create an AAD application, replacing `PASSWORD` with a password of your choice. This is your `CLIENT_SECRET` for creating a service principal.
<pre class="terminal">$ azure ad app create --name "Service Principal for BOSH" \
--password "PASSWORD" --home-page "<span>http:</span>//BOSHAzureCPI" \
--identifier-uris "<span>http</span>://BOSHAzureCPI"
</pre>
<p class="note"><strong>Note</strong>: You can provide any string for the <code>home-page</code> and <code>identifier-uris</code> flags, but the value of <code>identifer-uris</code> must be unique within the organization associated with your Azure subscription. For the <code>home-page</code>, Pivotal recommends using <code><span>http:</span>//BOSHAzureCPI</code>, as shown in the example above.
</p>
1. Record the value of **AppId** from the output. This is your `APPLICATION_ID` for creating a service principal.
<pre class="terminal">
info: Executing command ad app create
<span>+</span> Creating application Service Principal for BOSH
data: AppId: 246e4af7-75b5-494a-89b5-363addb9f0fa
data: ObjectId: 208096bb-4899-49e2-83ea-1a270154f427
data: DisplayName: Service Principal for BOSH
data: IdentifierUris: 0=<span>http</span>://BOSHAzureCPI
data: ReplyUrls:
data: AvailableToOtherTenants: False
info: ad app create command OK
</pre>
##<a id="create-configure"></a> Step 4: Create and Configure a Service Principal
1. To create a service principal, run `azure ad sp create --applicationId YOUR-APPLICATION-ID`, replacing `YOUR-APPLICATION-ID` with the `APPLICATION_ID` you recorded in the [previous step](#create-aad):
<pre class="terminal">
$ azure ad sp create --applicationId YOUR-APPLICATION-ID
info: Executing command ad sp create
<span>+</span> Creating service principal for application YOUR-APPLICATION-ID
data: Object Id: fcf68d7a-262b-42c4-8ef8-6a4856611155
data: Display Name: Service Principal for BOSH
data: Service Principal Names:
data: YOUR-APPLICATION-ID
data: http://BOSHAzureCPI
info: ad sp create command OK
</pre>
1. You must have the Contributor role on your service principal to deploy PCF. Run the following command to assign this role:
<pre class="terminal">
$ azure role assignment create --spn "SERVICE-PRINCIPAL-NAME" \
--roleName "Contributor" --subscription SUBSCRIPTION-ID
</pre>
* For **SERVICE-PRINCIPAL-NAME**: Use any value of **Service Principal Names** from the output above, such as `YOUR-APPLICATION-ID`.
* For **SUBSCRIPTION-ID**: Use the ID of the default subscription that you recorded in [Step 2](#default-subscription).
<p class="note"><strong>Note</strong>: If you need to use multiple resource groups for your PCF deployment on Azure, you can define custom roles for your Service Principal. These roles allow BOSH to deploy PCF to pre-existing network resources outside the PCF resource group. For more information, see <a href="../refarch/azure/azure_ref_arch.html#multiple_resource_groups">Reference Architecture for Pivotal Cloud Foundry on Azure</a>.</p>
For more information about Azure Role-Based Access Control, refer to <a href="https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/">RBAC: Built-in roles</a>.
1. Verify the assignment by running the following command:
<pre class="terminal">
$ azure role assignment list --spn "SERVICE-PRINCIPAL-NAME"
info: Executing command role assignment list
<span>+</span> Searching for role assignments
data: RoleAssignmentId : /subscriptions/112a3bbc-44de-56ff-a7b8-9a012bbc3456/providers/Microsoft.Authorization/roleAssignments/061581af-118b-45e9-95a5-4e4ccf22c75d
data: RoleDefinitionName : Contributor
data: RoleDefinitionId : b24988ac-6180-42a0-ab88-20f7382dd24c
data: Scope : /subscriptions/112a3bbc-44de-56ff-a7b8-9a012bbc3456
data: Display Name : Service Principal for BOSH
data: SignInName : undefined
data: ObjectId : 11b11a1-11c1-1111-a222-3df3f33e333f
data: ObjectType : ServicePrincipal
data:
info: role assignment list command OK
</pre>
##<a id="verify-your-service-principal"></a> Step 5: Verify Your Service Principal
To verify your service principal, log in to your service principal with your `APPLICATION_ID`, `CLIENT_SECRET`, and `TENANT_ID`. Replace `YOUR-ENVIRONMENT` with `AzureCloud` or `AzureChinaCloud`.
<pre class="terminal">
$ azure login --username APPLICATION\_ID --password CLIENT\_SECRET \
--service-principal --tenant TENANT\_ID --environment YOUR-ENVIRONMENT
info: Executing command login
-info: Added subscription Example
<span>+</span>
info: login command OK
</pre>
If you cannot log in, the service principal is invalid. Create a new service principal and try again.
After you complete this topic, continue to one of the following topics:
* [Launching an Ops Manager Director Instance with an ARM Template](azure-arm-template.html): Perform the procedures in this topic to deploy Ops Manager Director with an Azure Resource Manager (ARM) template. Pivotal recommends using an ARM template.
* [Launching an Ops Manager Director Instance on Azure without an ARM Template](azure-om-deploy.html): Perform the procedures in this topic to deploy Ops Manager Director manually.