Migration

Migration from Legacy Onboarding

For customers migrating from legacy onboarding approaches, choose the appropriate migration path:

Terraform-Based Migration

For customers using the legacy Terraform modules (azure-cloud-credentials, azure-cloudscanner-onboarding, azure-cloudscanner):

Step 1: Destroy Existing Terraform Modules

Before migrating to the new onboarding approach, you must destroy the existing Terraform modules used for onboarding.

Modules to remove:

  • azure-cloud-credentials

Step 2: Choose Your Migration Path

After destroying the existing modules, follow the appropriate onboarding approach from the instructions guide based on your access level:

Step 3: Deploy New Configuration

Follow the complete steps for your chosen approach in the instructions guide.


Manual Onboarding Migration

For customers who performed manual onboarding and have existing application registrations, you have two options:

Option 1: Clean Start - Delete Existing App Registration

If you prefer a clean start:

  1. Delete your existing application registration:

    az ad app delete --id <your-application-id>
  2. Choose Option A or B: Follow either Global Admin - Full Tenant instructions or Global Admin - Limited Scope instructions depending on your access level and requirements

Option 2: Reuse Existing App Registration

If you want to keep your existing application registration:

  1. Find your app registration object ID:

    Option A: Using Azure CLI

    # Find by application name
    az ad app list --display-name "your-app-name" --query "[].{DisplayName:displayName, ObjectId:id, AppId:appId}"

    # Or find by application ID if you know it
    az ad app show --id <your-application-id> --query "{DisplayName:displayName, ObjectId:id, AppId:appId}"

    Option B: Using Azure Portal

    • Navigate to Azure Active Directory → App registrations
    • Find your application and click on it
    • Copy the Object ID from the overview page
  2. Clean up existing role assignments on your current app registration:

    # List current role assignments for your app registration
    az role assignment list --assignee <your-app-registration-object-id>

    # Remove existing role assignments (repeat for each assignment)
    az role assignment delete --assignee <your-app-registration-object-id> --role <role-name> --scope <scope>
  3. Follow Option C: Use the Subscription Owner - Pre-Created App Registration approach with your existing app registration

  4. Configure the required API permissions as specified in Option C
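
The role-assignment cleanup in step 2 as a dry-run script. This is an added example, not part of the Upwind guide or its tooling. By default `az role assignment list` shows only assignments scoped to the subscription itself, so the script lists with `--all`, labels each assignment by scope breadth, and after deleting checks that none remain. The function names, the `APPLY` variable and the sample rows are assumptions of this example.

```shell
# Added example, not Upwind tooling. Dry-run by default; APPLY=1 deletes.
# Function names, APPLY and the sample rows are assumptions of this example.
TAB="$(printf '\t')"
scope_level() {  # classify an RBAC scope by breadth; narrowest pattern first
  case "$1" in
    /providers/Microsoft.Management/managementGroups/*) echo management-group ;;
    /subscriptions/*/resourceGroups/*/providers/*) echo resource ;;
    /subscriptions/*/resourceGroups/*) echo resource-group ;;
    /subscriptions/*) echo subscription ;;
    *) echo unknown ;;
  esac
}

# stdin: "id<TAB>role<TAB>scope" rows; stdout: "level<TAB>role<TAB>id".
# Rows whose id is not a role-assignment resource ID are dropped.
plan_role_cleanup() {
  while IFS="$TAB" read -r id role scope; do
    case "$id" in */providers/Microsoft.Authorization/roleAssignments/*)
      printf '%s\t%s\t%s\n' "$(scope_level "$scope")" "$role" "$id" ;;
    esac
  done
}

# $1 = the --assignee value from step 2. --all also returns assignments scoped
# to resource groups and resources, which the default listing leaves out.
list_assignments() {
  az role assignment list --all --assignee "$1" \
    --query "[].[id, roleDefinitionName, scope]" --output tsv
}

cleanup_main() {
  list_assignments "$1" | plan_role_cleanup |
  while IFS="$TAB" read -r level role id; do
    echo "[$level] $role -> $id"
    if [ "${APPLY:-0}" = 1 ]; then az role assignment delete --ids "$id" </dev/null; fi
  done
  [ "${APPLY:-0}" = 1 ] || return 0
  left="$(list_assignments "$1" | plan_role_cleanup | wc -l | tr -d ' ')"
  [ "$left" -eq 0 ] || { echo "WARNING: $left assignment(s) remain" >&2; return 1; }
}

sample_rows() {  # constructed rows with placeholder IDs, for an offline look
  printf '%s\t%s\t%s\n' \
    "/subscriptions/SUB/providers/Microsoft.Authorization/roleAssignments/A1" \
    "Reader" "/subscriptions/SUB" \
    "/subscriptions/SUB/resourceGroups/upwind-cs-rg-demo/providers/Microsoft.Authorization/roleAssignments/A2" \
    "Contributor" "/subscriptions/SUB/resourceGroups/upwind-cs-rg-demo"
}
case "${1:-}" in "") ;; --demo) sample_rows | plan_role_cleanup ;; *) cleanup_main "$1" ;; esac
```

Run it with `--demo` to see the plan format without touching Azure. `--all` covers the current subscription only, so repeat the run after `az account set` for each subscription the app was onboarded to.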


Removing Existing Cloud Scanners

For customers who have existing Cloud Scanner deployments (regardless of how they were onboarded), you may need to clean up these resources before migrating:

Terraform-Deployed Scanners

If your scanners were deployed via Terraform modules, you need to remove:

Scanner modules to remove:

  • azure-cloudscanner-onboarding
  • azure-cloudscanner

Manually-Deployed Scanners

If your scanners were deployed manually, remove the following resources:

  1. Resource Groups: Look for resource groups with names like:

    • upwind-cs-rg-*
    • upwind-cloudscanner-*
    • Any custom resource groups containing scanner resources
  2. Remove via Azure CLI:

    # List resource groups to identify scanner resources
    az group list --query "[?contains(name, 'upwind')].{Name:name, Location:location}"

    # Delete scanner resource groups (replace with actual names)
    az group delete --name "upwind-cs-rg-your-org-id" --yes --no-wait
  3. Remove via Azure Portal:

    • Navigate to Resource Groups
    • Find and delete resource groups containing scanner resources
    • Look for resources like Key Vaults, Managed Identities, and Container Apps

Mixed Deployments

If you have a combination of manual app registration with Terraform-deployed scanners:

  1. First: Remove Terraform scanner modules as shown above
  2. Then: Follow the manual onboarding migration options for your app registration

Important Migration Notes

  • Backup your current configuration before destroying existing modules
  • Plan for temporary service interruption during the migration process
  • Coordinate with your IT team if using Option C for application registration setup

Support

If you encounter any issues not covered in this guide:

  1. Check the Azure Activity Log for any error messages
  2. Review RBAC assignments and permissions
  3. Contact Upwind support with:
    • Detailed error messages
    • Azure subscription ID
    • Resource group name
    • Relevant log entries