Azure dynamic host catalogs

Boundary uses dynamic host catalogs to automatically discover Microsoft Azure resources available through Azure Resource Manager (ARM) and add them as hosts.

Dynamic host catalogs use filters to select which hosts are added to any host sets you create. For example, you can create a host catalog to sync hosts from Microsoft Azure, and then create a host set named production that selects all Azure Virtual Machines tagged with tagName eq 'production'.

To set up a dynamic host catalog, you should:

Authenticate the host catalog to your Microsoft Azure account using a supported authentication method.
Create a host set with a filter to select the hosts you want to sync.

The Azure plugin supports Azure Virtual Machines and Azure Virtual Machine Scale Sets in both Flexible and Uniform orchestration modes. It automatically discovers any individual virtual machines included in the scale sets and adds them as hosts.

Create a host catalog to connect with Azure

Boundary uses plugins to integrate with a variety of providers. To use a dynamic host catalog to integrate with Azure, you create a host catalog of the plugin type and set the plugin-name value to azure. You must also provide the specific fields needed for Boundary to authenticate with Azure.

Complete the following steps to create a dynamic host catalog for Azure:

Log in to Boundary.
Select the org, and then select the project you want to create a host catalog for.
Select Host Catalogs.
Select New Host Catalog.
Complete the following fields:
- Name: (Optional) An optional name for identification purposes. If you enter a name, it must be unique.
- Description: (Optional) An optional description of the host catalog for identification purposes.
- Type: (Required) Select Dynamic to create a dynamic host catalog.
- Provider: (Required) Select Azure to create a dynamic host catalog for your Azure resources.
- Tenant/Directory ID: (Required) The ARM tenant (directory) ID for your Azure Active Directory application.
- Subscription ID: (Required) The ARM subscription ID for the subscription that has read access.
- Client/Application ID: (Required) The client (application) ID of the Azure service principal that Boundary should use to authenticate and discover hosts.
- Client Secret Value: (Required) The ARM client secret value that Azure generates for authentication.
- Disable credential rotation: When enabled, Boundary does not rotate the credentials with Azure automatically. Azure host catalogs do not currently support credential rotation.
Select Save.

Log in to Boundary.
Use the following command to create a dynamic host catalog for Azure:
```
$ boundary host-catalogs create plugin \
  -scope-id $PROJECT_ID \
  -plugin-name azure \
  -attr disable_credential_rotation=true \
  -attr tenant_id=env://ARM_TENANT_ID \
  -attr subscription_id=env://ARM_SUBSCRIPTION_ID \
  -attr client_id=env://ARM_CLIENT_ID \
  -secret secret_value=env://ARM_CLIENT_SECRET
```
The scope-id and plugin-name fields are required when you create a dynamic host catalog.
The fields following the attr and secret flags are specific to Azure and are required by Boundary for authentication.
- disable_credential_rotation: When set to true, Boundary does not rotate the credentials automatically. Azure host catalogs do not currently support credential rotation.
- tenant_id: (Required) The ARM tenant (directory) ID for your Azure Active Directory application.
- subscription_id: (Required) The ARM subscription ID for the subscription that has read access.
- client_id: (Required) The client (application) ID of the Azure service principal that Boundary should use to authenticate and discover hosts.
- secret_value: (Required) The ARM client secret value that Azure generates for authentication.
Refer to the host catalogs domain model documentation for additional fields that you can use when you create host catalogs.

Refer to the Boundary Terraform provider documentation to learn about the requirements for the following example attributes.

Apply the following Terraform policy:

resource "boundary_host_catalog_plugin" "azure_host_catalog" {
  name        = "Azure Catalog"
  description = "Azure Host Catalog"
  scope_id    = boundary_scope.project.id
  plugin_name = "azure"

  # recommended to pass in aws secrets using a file() or using environment variables
  attributes_json = jsonencode({
    "tenant_id"       = "ARM_TENANT_ID",
    "subscription_id" = "ARM_SUBSCRIPTION_ID"
    "client_id"       = "ARM_CLIENT_ID"
    "disable_credential_rotation" = true })
  secrets_json = jsonencode({
    "secret_value" = "ARM_CLIENT_SECRET"})
}

The scope_id and plugin_name fields are required when you create a dynamic host catalog.

The fields following the attributes_json and secrets_json flags are specific to Azure and are required by Boundary for authentication.

disable_credential_rotation: When set to true, Boundary does not rotate the credentials automatically. Azure host catalogs do not currently support credential rotation.
tenant_id: (Required) The ARM tenant (directory) ID for your Azure Active Directory application.
subscription_id: (Required) The ARM subscription ID for the subscription that has read access.
client_id: (Required) The client (application) ID of the Azure service principal that Boundary should use to authenticate and discover hosts.
secret_value: (Required) The ARM client secret value that Azure generates for authentication.

Refer to the host catalogs domain model documentation for additional fields that you can use when you create host catalogs.

Create a host set to connect with Azure

Host sets specify which Azure Resource Manager (ARM) filters should be used to identify the discovered hosts that should be added as members.

Complete the following steps to create a host set:

Log in to Boundary.
Select the org, and then select the project you want to create a host set for.
Select Host Catalogs.
Select the dynamic host catalog to which you want add a host set.
Click the Host Sets tab, and then click New.
Complete the following fields:
- Name: (Optional) An optional name for identification purposes. If you enter a name, it must be unique.
- Description: (Optional) An optional description of the host catalog for identification purposes.
- Filter: (Optional) An array of string filters in the format key eq 'value'. The key corresponds to a filter option like tagName. A full example would be tagName eq 'application'.
  The filter field represents the ARM filter used to select resources that should be a part of this host set. There are some limitations with the filtering syntax. Specifically, when you use tags, other types of filters (such as on resource type) are not allowed. This means it is useful to filter directly on tag names or values as in the following examples:
  - tagName eq 'application'
  - tagName eq 'application' and tagValue eq 'app2'
Click Save.

Log in to Boundary.
Use the following command to create a host set:
```
$ boundary host-sets create plugin \
  -name database \
  -host-catalog-id $HOST_CATALOG_ID \
  -attr filter="tagName eq 'service-type' and tagValue eq 'database'"
```
The host-catalog-id value is a required field that specifies in which host catalog to create this host set.
The fields following the attr flag are specific to Azure.
The filter field represents the ARM filter used to select resources that should be a part of this host set. There are some limitations with the filtering syntax. Specifically, when you use tags, other types of filters (such as on resource type) are not allowed. This means it is useful to filter directly on tag names or values as in the following examples:
- tagName eq 'application'
- tagName eq 'application' and tagValue eq 'app2'
Refer to the host catalogs domain model documentation for additional fields that you can use when you create host catalogs.

Refer to the Boundary Terraform provider documentation to learn about the requirements for the following example attributes.

Apply the following Terraform policy:

  resource "boundary_host_set_plugin" "azure_host_set" {
  name        = "Azure Set"
  description = "Azure Host Set"
  host_catalog_id  = boundary_scope.azure_host_catalog.id
  attributes_json = jsonencode({
    "filter" = "tagName eq 'service-type' and tagValue eq 'database'" })
}

The host_catalog_id value is a required field that specifies in which host catalog to create this host set.

The fields following the attributes_json flag are specific to Azure.

The filter field represents the ARM filter used to select resources that should be a part of this host set. There are some limitations with the filtering syntax. Specifically, when you use tags, other types of filters (such as on resource type) are not allowed. This means it is useful to filter directly on tag names or values as in the following examples:

Refer to the host catalogs domain model documentation for additional fields that you can use when you create host catalogs.

More information

Refer to Filtering and listing resources for more information about Boundary's filter syntax and best practices.