From 75c6fa2455da04c8452eb6910c0719c83fb3a952 Mon Sep 17 00:00:00 2001
From: Michael Bender <michael.bender@microsoft.com>
Date: Thu, 16 Nov 2023 12:03:20 -0600
Subject: [PATCH 1/4] update terraform

---
 .../main.tf                                   | 166 ++++++++++++++++++
 .../outputs.tf                                |   7 +
 .../providers.tf                              |  16 ++
 .../readme.md                                 |  29 +++
 .../variables.tf                              |  11 ++
 5 files changed, 229 insertions(+)
 create mode 100644 quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
 create mode 100644 quickstart/101-virtual-network-manager-create-management-group-scope/outputs.tf
 create mode 100644 quickstart/101-virtual-network-manager-create-management-group-scope/providers.tf
 create mode 100644 quickstart/101-virtual-network-manager-create-management-group-scope/readme.md
 create mode 100644 quickstart/101-virtual-network-manager-create-management-group-scope/variables.tf

diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf b/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
new file mode 100644
index 00000000..ee33b209
--- /dev/null
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
@@ -0,0 +1,166 @@
+# Create the Resource Group
+
+resource "random_pet" "rg_name" {
+  prefix = var.resource_group_name_prefix
+}
+
+resource "azurerm_resource_group" "rg" {
+  location = var.resource_group_location
+  name     = random_pet.rg_name.id
+}
+
+# Create three virtual networks
+resource "random_string" "prefix" {
+  length = 4
+  special = false
+  upper = false
+}
+
+resource "random_pet" "virtual_network_name" {
+  prefix = "vnet-${random_string.prefix.result}"
+}
+resource "azurerm_virtual_network" "vnet" {
+  count = 3
+
+  name                = "${random_pet.virtual_network_name.id}-0${count.index}"
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+  address_space       = ["10.${count.index}.0.0/16"]
+}
+
+# Add a subnet to each virtual network
+
+resource "azurerm_subnet" "subnet_vnet" {
+  count = 3
+
+  name                 = "default"
+  virtual_network_name = azurerm_virtual_network.vnet[count.index].name
+  resource_group_name  = azurerm_resource_group.rg.name
+  address_prefixes     = ["10.${count.index}.0.0/24"]
+}
+
+data "azurerm_subscription" "current" {
+}
+
+# Create a Management Group
+
+resource "random_pet" "management_group_name" {
+  prefix = "AVNM-management-group"
+}
+resource "azurerm_management_group" "mg" {
+  display_name = random_pet.management_group_name.id
+
+  subscription_ids = [
+    data.azurerm_subscription.current.subscription_id,
+  ]
+}
+
+# register Microsoft.Network to the Management Group
+
+resource "null_resource" "register_rp_to_mg" {
+  provisioner "local-exec" {
+    command = <<CMD
+         az provider register --namespace 'Microsoft.Network' -m ${azurerm_management_group.mg.name}
+    CMD
+  }
+}
+
+resource "time_sleep" "wait_5_seconds" {  
+  create_duration = "5s"
+  depends_on = [null_resource.register_rp_to_mg]
+}
+
+# Create a Virtual Network Manager instance
+
+resource "azurerm_network_manager" "network_manager_instance" {
+  name                = "network-manager"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  scope_accesses      = ["Connectivity"]
+  description         = "example network manager"
+  scope {
+    management_group_ids = [azurerm_management_group.mg.id]
+  }
+  depends_on = [time_sleep.wait_5_seconds]
+}
+
+# Create a network group
+
+resource "azurerm_network_manager_network_group" "network_group" {
+  name               = "network-group"
+  network_manager_id = azurerm_network_manager.network_manager_instance.id
+}
+
+# Add three virtual networks to a network group as dynamic members with Azure Policy
+
+resource "random_pet" "network_group_policy_name" {
+  prefix = "network-group-policy"
+}
+
+resource "azurerm_policy_definition" "network_group_policy" {
+  name         = "${random_pet.network_group_policy_name.id}"
+  policy_type  = "Custom"
+  mode         = "Microsoft.Network.Data"
+  display_name = "Policy Definition for Network Group"
+
+  metadata = <<METADATA
+    {
+      "category": "Azure Virtual Network Manager"
+    }
+  METADATA
+
+  policy_rule = <<POLICY_RULE
+    {
+      "if": {
+        "allOf": [
+          {
+              "field": "type",
+              "equals": "Microsoft.Network/virtualNetworks"
+          },
+          {
+            "allOf": [
+              {
+              "field": "Name",
+              "contains": "${random_pet.virtual_network_name.id}"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "addToNetworkGroup",
+        "details": {
+          "networkGroupId": "${azurerm_network_manager_network_group.network_group.id}"
+        }
+      }
+    }
+  POLICY_RULE
+}
+
+resource "azurerm_subscription_policy_assignment" "azure_policy_assignment" {
+  name                 = "${random_pet.network_group_policy_name.id}-policy-assignment"
+  policy_definition_id = azurerm_policy_definition.network_group_policy.id
+  subscription_id      = data.azurerm_subscription.current.id
+}
+
+# Create a connectivity configuration
+
+resource "azurerm_network_manager_connectivity_configuration" "connectivity_config" {
+  name                  = "connectivity-config"
+  network_manager_id    = azurerm_network_manager.network_manager_instance.id
+  connectivity_topology = "Mesh"
+  applies_to_group {
+    group_connectivity = "None"
+    network_group_id   = azurerm_network_manager_network_group.network_group.id
+  }
+}
+
+
+# Commit deployment
+
+resource "azurerm_network_manager_deployment" "commit_deployment" {
+  network_manager_id = azurerm_network_manager.network_manager_instance.id
+  location           = azurerm_resource_group.rg.location
+  scope_access       = "Connectivity"
+  configuration_ids  = [azurerm_network_manager_connectivity_configuration.connectivity_config.id]
+}
diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/outputs.tf b/quickstart/101-virtual-network-manager-create-management-group-scope/outputs.tf
new file mode 100644
index 00000000..e43bc087
--- /dev/null
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/outputs.tf
@@ -0,0 +1,7 @@
+output "resource_group_name" {
+  value = azurerm_resource_group.rg.name
+}
+
+output "virtual_network_names" {
+  value = azurerm_virtual_network.vnet[*].name
+}
\ No newline at end of file
diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/providers.tf b/quickstart/101-virtual-network-manager-create-management-group-scope/providers.tf
new file mode 100644
index 00000000..fac66bf7
--- /dev/null
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_version = ">=1.0"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.56.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~>3.0"
+    }
+  }
+}
+provider "azurerm" {
+  features {}
+}
\ No newline at end of file
diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/readme.md b/quickstart/101-virtual-network-manager-create-management-group-scope/readme.md
new file mode 100644
index 00000000..60996245
--- /dev/null
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/readme.md
@@ -0,0 +1,29 @@
+# Azure resource group
+
+This template deploys an Azure Virtual Network Manager instance with a connectivity configuration for a Mesh topology using a management group scope. It includes resources including virtual networks, subnets, and more.
+
+## Terraform resource types
+
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_network_manager](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager)
+- [azurerm_network_manager_network_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_network_group)
+- [azurerm_policy_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition)
+- [azurerm_subscription_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_policy_assignment)
+- [azurerm_network_manager_connectivity_configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_connectivity_configuration)
+- [azurerm_network_manager_deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_deployment)
+- [azurerm_management_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group)
+
+## Variables
+
+| **Name** | **Description** | **Default** |
+|---|---|---|
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg |
+| `resource_group_location` | Location of the resource group. | eastus |
+
+## Example
+
+To see how to run this example, see [Quickstart: Deploy a Virtual Network Manager in Azure using Terraform](https://learn.microsoft.com/azure/virtual-network-manager/create-virtual-network-manager-terraform).
diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/variables.tf b/quickstart/101-virtual-network-manager-create-management-group-scope/variables.tf
new file mode 100644
index 00000000..10af0af3
--- /dev/null
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/variables.tf
@@ -0,0 +1,11 @@
+variable "resource_group_location" {
+  type        = string
+  default     = "eastus"
+  description = "Location of the resource group."
+}
+
+variable "resource_group_name_prefix" {
+  type        = string
+  description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
+  default     = "rg"
+}
\ No newline at end of file

From 3e66747328bfef777436784210e0405898bd6a30 Mon Sep 17 00:00:00 2001
From: Michael Bender <michael.bender@microsoft.com>
Date: Thu, 16 Nov 2023 13:27:21 -0600
Subject: [PATCH 2/4] finished testing

---
 .../main.tf                                            | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf b/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
index ee33b209..57069266 100644
--- a/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
@@ -11,9 +11,9 @@ resource "azurerm_resource_group" "rg" {
 
 # Create three virtual networks
 resource "random_string" "prefix" {
-  length = 4
+  length  = 4
   special = false
-  upper = false
+  upper   = false
 }
 
 resource "random_pet" "virtual_network_name" {
@@ -65,9 +65,9 @@ resource "null_resource" "register_rp_to_mg" {
   }
 }
 
-resource "time_sleep" "wait_5_seconds" {  
+resource "time_sleep" "wait_5_seconds" {
   create_duration = "5s"
-  depends_on = [null_resource.register_rp_to_mg]
+  depends_on      = [null_resource.register_rp_to_mg]
 }
 
 # Create a Virtual Network Manager instance
@@ -98,7 +98,7 @@ resource "random_pet" "network_group_policy_name" {
 }
 
 resource "azurerm_policy_definition" "network_group_policy" {
-  name         = "${random_pet.network_group_policy_name.id}"
+  name         = random_pet.network_group_policy_name.id
   policy_type  = "Custom"
   mode         = "Microsoft.Network.Data"
   display_name = "Policy Definition for Network Group"

From 5895b4f1c47b43e075ef437a04d3c6484357b8ed Mon Sep 17 00:00:00 2001
From: Michael Bender <michael.bender@microsoft.com>
Date: Fri, 17 Nov 2023 09:33:04 -0600
Subject: [PATCH 3/4] updates from Review

---
 .../providers.tf                                                | 2 +-
 .../readme.md                                                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/providers.tf b/quickstart/101-virtual-network-manager-create-management-group-scope/providers.tf
index fac66bf7..d6b429cc 100644
--- a/quickstart/101-virtual-network-manager-create-management-group-scope/providers.tf
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/providers.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.56.0"
+      version = "~> 3.56.0, < 4.0"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/readme.md b/quickstart/101-virtual-network-manager-create-management-group-scope/readme.md
index 60996245..eb76db5e 100644
--- a/quickstart/101-virtual-network-manager-create-management-group-scope/readme.md
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/readme.md
@@ -1,4 +1,4 @@
-# Azure resource group
+# Azure Virtual Network Manager with management group scope
 
 This template deploys an Azure Virtual Network Manager instance with a connectivity configuration for a Mesh topology using a management group scope. It includes resources including virtual networks, subnets, and more.
 

From 99037bb0e53780825dffb6d82d3fb31f5e11b520 Mon Sep 17 00:00:00 2001
From: hezijie <lonegunmanb@hotmail.com>
Date: Tue, 21 Nov 2023 16:31:26 +0800
Subject: [PATCH 4/4] fix example and e2e test

---
 .../main.tf                                   | 14 ++++++--
 .../variables.tf                              |  6 ++++
 test/e2e/discard_writer.go                    | 11 ++++++
 test/e2e/quickstart_test.go                   | 34 ++++++++++++++++++-
 4 files changed, 61 insertions(+), 4 deletions(-)
 create mode 100644 test/e2e/discard_writer.go

diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf b/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
index 57069266..5ff10534 100644
--- a/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/main.tf
@@ -47,6 +47,7 @@ data "azurerm_subscription" "current" {
 resource "random_pet" "management_group_name" {
   prefix = "AVNM-management-group"
 }
+
 resource "azurerm_management_group" "mg" {
   display_name = random_pet.management_group_name.id
 
@@ -55,14 +56,21 @@ resource "azurerm_management_group" "mg" {
   ]
 }
 
+data "azurerm_client_config" "this" {}
+
+resource "azurerm_role_assignment" "management_group_owner" {
+  principal_id         = coalesce(var.msi_id, data.azurerm_client_config.this.object_id)
+  scope                = azurerm_management_group.mg.id
+  role_definition_name = "Contributor"
+}
+
 # register Microsoft.Network to the Management Group
 
 resource "null_resource" "register_rp_to_mg" {
   provisioner "local-exec" {
-    command = <<CMD
-         az provider register --namespace 'Microsoft.Network' -m ${azurerm_management_group.mg.name}
-    CMD
+    command = "az provider register --namespace Microsoft.Network -m ${azurerm_management_group.mg.name}"
   }
+  depends_on = [azurerm_role_assignment.management_group_owner]
 }
 
 resource "time_sleep" "wait_5_seconds" {
diff --git a/quickstart/101-virtual-network-manager-create-management-group-scope/variables.tf b/quickstart/101-virtual-network-manager-create-management-group-scope/variables.tf
index 10af0af3..b4c19d1b 100644
--- a/quickstart/101-virtual-network-manager-create-management-group-scope/variables.tf
+++ b/quickstart/101-virtual-network-manager-create-management-group-scope/variables.tf
@@ -8,4 +8,10 @@ variable "resource_group_name_prefix" {
   type        = string
   description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
   default     = "rg"
+}
+
+variable "msi_id" {
+  type    = string
+  description = "(Optional) Manage identity id that be used as authentication method. Defaults to `null`."
+  default = null
 }
\ No newline at end of file
diff --git a/test/e2e/discard_writer.go b/test/e2e/discard_writer.go
new file mode 100644
index 00000000..eaa1bb45
--- /dev/null
+++ b/test/e2e/discard_writer.go
@@ -0,0 +1,11 @@
+package e2e
+
+import "io"
+
+var discardWriter io.Writer = discard{}
+
+type discard struct{}
+
+func (d discard) Write(p []byte) (n int, err error) {
+	return len(p), nil
+}
diff --git a/test/e2e/quickstart_test.go b/test/e2e/quickstart_test.go
index da40dfc5..691995a3 100644
--- a/test/e2e/quickstart_test.go
+++ b/test/e2e/quickstart_test.go
@@ -3,6 +3,7 @@ package e2e
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -17,7 +18,8 @@ import (
 )
 
 var speicalTests = map[string]func(*testing.T){
-	"quickstart/201-vmss-packer-jumpbox": test201VmssPackerJumpbox,
+	"quickstart/201-vmss-packer-jumpbox":                                   test201VmssPackerJumpbox,
+	"quickstart/101-virtual-network-manager-create-management-group-scope": test101VirtualNetworkManagerCreateManagementGroupScope,
 }
 
 func Test_Quickstarts(t *testing.T) {
@@ -141,6 +143,36 @@ func test201VmssPackerJumpbox(t *testing.T) {
 	}, nil)
 }
 
+func test101VirtualNetworkManagerCreateManagementGroupScope(t *testing.T) {
+	rootPath := filepath.Join("..", "..")
+	f := filepath.Join("quickstart", "101-virtual-network-manager-create-management-group-scope")
+	tenantId := os.Getenv("ARM_TENANT_ID")
+	clientId := os.Getenv("ARM_CLIENT_ID")
+	clientSecret := os.Getenv("ARM_CLIENT_SECRET")
+	msiId := os.Getenv("MSI_ID")
+	var cmd *exec.Cmd
+	if tenantId != "" && clientId != "" && clientSecret != "" {
+		cmd = exec.Command("az", "login", "--service-principal", "-u", clientId, "-p", clientSecret, "--tenant", tenantId)
+		err := cmd.Run()
+		require.NoError(t, err, "cannot login via service principal: %+v", err)
+	} else if msiId != "" {
+		cmd = exec.Command("az", "login", "--identity", "--username", msiId)
+		err := cmd.Run()
+		require.NoError(t, err, "cannot login via identity: %+v", err)
+	} else {
+		t.Fatalf("To test `quickstart/101-virtual-network-manager-create-management-group-scope` you must set `ARM_TENANT_ID`, `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET`, or set `MSI_ID` so we can run `az login`.")
+	}
+	cmd.Stdout = discardWriter
+	defer func() {
+		cmd := exec.Command("az", "logout")
+		cmd.Stdout = discardWriter
+		_ = cmd.Run()
+	}()
+	helper.RunE2ETest(t, rootPath, f, terraform.Options{
+		Upgrade: true,
+	}, nil)
+}
+
 func removeDuplicates(s []string) []string {
 	m := make(map[string]struct{})
 	result := []string{}