Preparing to Deploy Ops Manager on Azure Using Terraform

Page last updated:

Warning: Pivotal Operations Manager v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to prepare Azure to deploy Ops Manager. You must deploy Ops Manager in order to deploy PAS or Enterprise PKS.

Step 1: Install and Configure the Azure CLI

  1. Install the Azure CLI 2.0 by following the instructions for your operating system in Install the Azure CLI in the Microsoft Azure documentation.

  2. On the command line, set your cloud with a name value by running:

    az cloud set --name CLOUD-NAME

    Where CLOUD-NAME is one of the following values. Use the value that corresponds to the Azure environment on which you are installing Ops Manager:

    • Azure: AzureCloud.
    • Azure China: AzureChinaCloud. If logging in to AzureChinaCloud fails with a CERT_UNTRUSTED, use the latest version of node, 4.x or later. For more information about this error, see Failed to login AzureChinaCloud in the Azure/azure-xplat-cli GitHub repository.
    • Azure Government Cloud: AzureUSGovernment.
    • Azure Germany: AzureGermanCloud.

    For example:

    $ az cloud set --name AzureCloud

    Note: For more information about installing Ops Manager in the China Region, see Install in the China Region in the Installing PCF in Airgapped Environments topic.

  3. To log in, run:

    az login

    Authenticate by navigating to the URL in the output from the command, entering the provided code, and clicking your account.

Step 2: Set Your Default Subscription

  1. To list your Azure subscriptions, run:

    az account list

    For example:

    $ az account list
      "id": "12345678-1234-5678-1234-567891234567",
      "name": "Sample Subscription",
      "user": {
        "name": "Sample Account",
        "type": "user"
      "tenantId": "11111111-1234-5678-1234-678912345678",
      "state": "Enabled",
      "isDefault": true,
      "registeredProviders": [],
      "environmentName": "AzureCloud"
    { "id": "87654321-1234-5678-1234-678912345678", "name": "Sample Subscription1", "user": { "name": "Sample Account1", "type": "user" }, "tenantId": "22222222-1234-5678-1234-678912345678", "state": "Enabled", "isDefault": false, "registeredProviders": [], "environmentName": "AzureCloud" } ]

  2. Identify your default subscription in the output of this command by locating the subscription listed that has isDefault set to true. To deploy Ops Manager to a different subscription, you must set the other subscription as the default. To set a new default subscription, run:

    az account set --subscription SUBSCRIPTION-ID

    Where SUBSCRIPTION-ID is the value of the id field of the subscription that you want to set as the default.

    The following example sets the default to a subscription that has an id with the value of "87654321-1234-5678-1234-567891234567".

    $ az account set --subscription "87654321-1234-5678-1234-567891234567"

  3. Record the value of the id of the default subscription. You use this value in future configuration steps.

  4. Record the value of tenantID of the default subscription. This is your TENANT_ID for creating a service principal. If your tenantID value is not defined, you may be using a personal account to log in to your Azure subscription.

Step 3: Create an AAD App

  1. To create an Azure Active Directory (AAD) app, run:

    az ad app create --display-name "Service Principal for BOSH" \
    --password "PASSWORD" --homepage "http://BOSHAzureCPI" \
    --identifier-uris "http://BOSHAzureCPI"

    Where PASSWORD is a password of your choice. This is your CLIENT_SECRET for creating a service principal.

    For example:

    $ az ad app create --display-name "Service Principal for BOSH" \
    --password "Swordfish" --homepage "http://BOSHAzureCPI" \
    --identifier-uris "http://BOSHAzureCPI"

    Note: You can provide any string for the homepage and identifier-uris flags, but the value of identifer-uris must be unique within the organization associated with your Azure subscription. For the homepage, Pivotal recommends using http://BOSHAzureCPI as shown in the example above.

  2. From the output of the az ad app create that you ran in the previous step, locate and record the value of appId. This is your APP_ID for creating a service principal.

    The following example output shows "5c552e8f-b977-45f5-a50b-981cfe17cb9d" as the value of appId.

      "appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
      "appPermissions": null,
      "availableToOtherTenants": false,
      "displayName": "Service Principal for BOSH",
      "homepage": "http://BOSHAzureCIP",
      "identifierUris": [
      "objectId": "f3884df4-7d1d-4894-a78c-c1fe75750436",
      "objectType": "Application",
      "replyUrls": []

Step 4: Create and Configure a Service Principal

  1. To create a service principal, run:

    az ad sp create --id YOUR-APP-ID

    Where YOUR-APP-ID is the APP_ID that you recorded in Create an AAD App.

    For example:

    $ az ad sp create --id 5c552e8f-b977-45f5-a50b-981cfe17cb9d
      "appId": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
      "displayName": "Service Principal for BOSH",
      "objectId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
      "objectType": "ServicePrincipal",
      "servicePrincipalNames": [

  2. You must have the Contributor role on your service principal to deploy Ops Manager to Azure. To assign the Contributor role on your service principal, run:

    az role assignment create --assignee "SERVICE-PRINCIPAL-NAME" \
    --role "Contributor" --scope /subscriptions/SUBSCRIPTION-ID


    • SERVICE-PRINCIPAL-NAME is any value of servicePrincipalNames from the output above, such as YOUR-APP-ID.
    • SUBSCRIPTION-ID is the value of the id of the default subscription that you recorded in Set Your Default Subscription.

    For example:

    $ az role assignment create \
    --assignee "5c552e8f-b977-45f5-a50b-981cfe17cb9d" \
    --role "Contributor" \
    --scope /subscriptions/87654321-1234-5678-1234-567891234567

    Note: If you need to use multiple resource groups for your deployment on Azure, you can define custom roles for your Service Principal. These roles allow BOSH to deploy to pre-existing network resources outside of the resource group.

    For more information about Azure Role-Based Access Control, see Built-in roles for Azure resource the Microsoft Azure documentation.

  3. To verify the role assignment, run:

    az role assignment list --assignee "SERVICE-PRINCIPAL-NAME"

    Where "SERVICE-PRINCIPAL-NAME" is any value of servicePrincipalNames from the output above, such as YOUR-APP-ID.

    For example:

    $ az role assignment list --assignee "5c552e8f-b977-45f5-a50b-981cfe17cb9d"
        "id": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleAssignments/32e644cf-ba1a-4f43-bf7c-68bf4583e463",
        "name": "32e644cf-ba1a-4f43-bf7c-68bf4583e463",
        "properties": {
          "principalId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
          "principalName": "http://BOSHAzureCPI",
          "roleDefinitionId": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
          "roleDefinitionName": "Contributor",
          "scope": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243"
        "type": "Microsoft.Authorization/roleAssignments"

Step 5: Verify Your Service Principal

To verify your service principal, run the following command to log in to your service principal:

az login --username APP_ID --password CLIENT_SECRET \
--service-principal --tenant TENANT_ID 


For example:

$ az login --username 5c552e8f-b977-45f5-a50b-981cfe17cb9d \
--password "Swordfish" \
--service-principal --tenant 22222222-1234-5678-1234-678912345678
    "cloudName": "AzureCloud",
    "id": "995b7eed-77ef-45ff-a5c9-1a405ffb8243",
    "isDefault": true,
    "name": "my-user-name",
    "state": "Enabled",
    "tenantId": "22222222-1234-5678-1234-678912345678",
    "user": {
      "name": "5c552e8f-b977-45f5-a50b-981cfe17cb9d",
      "type": "servicePrincipal"

If you cannot log in, the service principal is invalid. Create a new service principal and try again.

Step 6: Perform Registrations

  1. To register your subscription with Microsoft.Storage, run:

    az provider register --namespace Microsoft.Storage
  2. To register your subscription with Microsoft.Network, run:

    az provider register --namespace Microsoft.Network
  3. To register your subscription with Microsoft.Compute, run:

    az provider register --namespace Microsoft.Compute

Next Steps

After you complete this procedure, follow the instructions in Deploying Ops Manager on Azure Using Terraform.