Azure Infrastructure Setup

📘 Have an existing Azure configuration?

If you have an existing Azure app in Opal that has not been configured to manage infrastructure resources, you can enable infrastructure management under the app's Setup tab in Opal.

To manage access to Azure subscriptions and resource groups, you must grant the Opal application the additional permissions described below: a custom role scoped to your management group, assigned to the Opal application with a condition that stops it from granting roles to itself.

Requirements

  • Admin access to the Azure tenant root management group, i.e. rights to create custom roles and role assignments at that scope (for example Owner or User Access Administrator on the root management group).

Step 1: Create Opal Service Role

  1. In the Azure portal, navigate to Tenant Root Management Group -> Access control (IAM) -> Add -> Add custom role.

  2. Navigate to the JSON tab -> Edit. Replace the default definition with the one in the following snippet, substituting in your management group ID for <YOUR_MANAGEMENT_GROUP_ID>. The role is read-only everywhere except Microsoft.Authorization/roleAssignments, which is what lets Opal grant and revoke access.
{
    "properties": {
        "roleName": "Opal Service Role",
        "description": "Contains the necessary permissions for Opal to provision access",
        "assignableScopes": [
            "/providers/Microsoft.Management/managementGroups/<YOUR_MANAGEMENT_GROUP_ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Management/getEntities/action",
                    "Microsoft.Management/managementGroups/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  3. Click Next, and then Create to create the role.

Step 2: Create Role Assignment

  1. In the Azure portal, navigate to Tenant Root Management Group -> Access control (IAM) -> Add -> Add role assignment.
  2. Under Role, select the Opal Service Role (found under "Privileged administrator roles", because it can write role assignments).
  3. Select the Members tab. Under "Assign access to", choose "User, group, or service principal", then select the Opal application's service principal as the member.
  4. Select the Conditions tab -> Add condition.

  5. Select Open advanced condition editor. Toggle Editor type from "Visual" to "Code".
  6. Paste in the following code, substituting in your Opal app's Object ID for <OPAL_APP_OBJECT_ID>, and save. This condition prevents the Opal application from escalating its own access by assigning roles to itself: any roleAssignments/write whose target principal is Opal's own identity is denied, while all other actions in the role are unaffected. Use the Object ID of the Opal service principal (shown under Enterprise applications), not the Application (client) ID from the app registration; both are GUIDs, but a condition written against the wrong one never matches and therefore never blocks anything. Note that the condition only constrains the principal being assigned, not which roles can be assigned: Opal can still grant any role within the management group to other principals, which is what it needs to do its job.
    (
     (
      !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
     )
     OR 
     (
      @Request[Microsoft.Authorization/roleAssignments:PrincipalId] GuidNotEquals <OPAL_APP_OBJECT_ID>
     )
    )
    
  7. Navigate to Review + assign and click Review + assign to complete the assignment. The assignment, with its condition, should now appear on the Role assignments tab of the management group's Access control (IAM) page.
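Steps 1 and 2 above can also be done with the Azure CLI, which is easier to review and repeat than the portal click-through. The script below is an added example, not code from Opal's documentation: it assumes the management group ID is supplied in MG_ID and the Opal app registration's Application (client) ID in OPAL_APP_ID, that `az login` has already been run by an identity with rights at the root management group, and it only calls `az` when invoked with the `apply` argument. The role definition uses the flat Name/Actions/AssignableScopes format that `az role definition create` accepts rather than the portal's "properties" JSON; the permissions and the condition are the same as in the snippets above, and the helper that renders the condition refuses anything that is not a GUID.

```shell
#!/bin/sh
# Added example (not Opal's code): CLI equivalent of Steps 1 and 2.
# Assumed inputs: MG_ID (management group ID) and OPAL_APP_ID (application/client
# ID of the Opal app registration). Run as `./opal-azure-setup.sh apply` after
# `az login`; without the argument only the helper functions are defined.
set -eu

# True if $1 has the shape of a GUID. Guards against pasting a display name
# or an empty string into the object-ID slot of the condition.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Emits the custom role in the format `az role definition create` accepts.
# The eight actions are the same as the portal JSON in Step 1.
render_role_definition() {
  mg_id="$1"
  cat <<EOF
{
  "Name": "Opal Service Role",
  "Description": "Contains the necessary permissions for Opal to provision access",
  "Actions": [
    "Microsoft.Management/getEntities/action",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
    "Microsoft.Authorization/permissions/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/providers/Microsoft.Management/managementGroups/${mg_id}"]
}
EOF
}

# Emits the Step 2 ABAC condition on one line with the service principal's
# *object* ID (not the application/client ID) substituted in.
render_condition() {
  is_guid "$1" || { echo "render_condition: '$1' is not a GUID" >&2; return 1; }
  printf "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:PrincipalId] GuidNotEquals %s))" "$1"
}

apply() {
  scope="/providers/Microsoft.Management/managementGroups/${MG_ID}"
  # Resolve the enterprise application's object ID from the client ID; the
  # assignment and the condition must both reference the object ID.
  sp_object_id="$(az ad sp show --id "$OPAL_APP_ID" --query id -o tsv)"

  # Step 1: create the custom role at management-group scope.
  render_role_definition "$MG_ID" > opal-role.json
  az role definition create --role-definition @opal-role.json

  # Step 2: assign it to the Opal service principal with the self-assignment guard.
  az role assignment create \
    --role "Opal Service Role" \
    --scope "$scope" \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --condition "$(render_condition "$sp_object_id")" \
    --condition-version "2.0"

  # Read the assignment back, including its condition, for review.
  az role assignment list --scope "$scope" --assignee "$sp_object_id" \
    --query "[].{role:roleDefinitionName,condition:condition}" -o table
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

The read-back at the end is the check to do after either the CLI or the portal flow: if the `condition` column is empty, the assignment was created without the guard and Opal can grant roles to its own service principal.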

Once the role assignment is in place, you should be all set: return to the app's Setup tab in Opal to enable infrastructure management.