Prerequisites
Overview
1. Required Tools
Ensure you have the following tools installed:
2. Azure CLI Authentication
Verify that you're authenticated and have access to the correct subscriptions:
az login
az account list
# Ensure the listed subscriptions include those you plan to onboard
3. Check Spot VM Quota
Upwind Cloud Scanners use Spot VMs. Ensure you have a quota of at least 40 vCPUs available for Spot instances:
az vm list-usage --location <region> --query "[?name.value=='lowPriorityCores']" --output table
If your quota is insufficient:
- Go to Azure Portal → Subscriptions → [Your Subscription]
- Click Settings → Usage + quotas
- Locate Spot vCPUs and submit a request to increase the quota
4. App Registration Authentication (CI/CD Only)
If you plan to run Terraform using an App Registration (client ID/client secret) instead of user credentials (common in CI/CD pipelines), the App Registration must be assigned the Cloud Application Administrator or Application Administrator Entra role at the tenant level:
- Navigate to your Azure tenant in the portal
- Click Roles and administrators in the sidebar
- Search for "Cloud Application Administrator" (or "Application Administrator") and click it
- Click Add assignments
- Search for your App Registration by name and select it
- Verify that your App Registration is listed in the role assignments
This can also be verified using the Azure CLI:
SPID=$(az ad sp show --id <appId> --query id -o tsv)
az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals/${SPID}/memberOf"
Expected output:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": [
    {
      "@odata.type": "#microsoft.graph.directoryRole",
      "deletedDateTime": null,
      "description": "Can create and manage all aspects of app registrations and enterprise apps except App Proxy.",
      "displayName": "Cloud Application Administrator",
      "id": "01262812-a988-4c2f-b901-830a3fe1df49",
      "roleTemplateId": "158c047a-c907-4556-b7ef-446551a6b5f7"
    }
  ]
}
This Entra role assignment is applied at the tenant level in the Azure portal's "Roles and administrators" section, not within the App Registration's own settings. This role is required in addition to the Owner/Reader RBAC permissions on the management group, as it allows the App Registration to manage Azure AD resources during Terraform operations.
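The checks from sections 3 and 4 can be combined into one CI preflight. The following is an added example, not part of Upwind's documentation or tooling. It assumes that "available" quota means limit minus currentValue, that the inputs are the JSON from `az vm list-usage ... --output json` and from the `memberOf` call above, and that the Application Administrator template ID is Microsoft's published built-in value; the sample inputs are constructed.

```python
import json

MIN_SPOT_VCPUS = 40  # quota stated on this page
# Built-in Entra role template IDs (identical in every tenant). The first is
# from the expected output above; the second is Microsoft's published ID.
ACCEPTED_ROLES = {
    "158c047a-c907-4556-b7ef-446551a6b5f7": "Cloud Application Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
}

def spot_vcpus_available(usage_json):
    """Free Spot vCPUs (limit - currentValue); fields may be str or int."""
    for item in json.loads(usage_json):
        if item.get("name", {}).get("value") == "lowPriorityCores":
            return int(item["limit"]) - int(item["currentValue"])
    return 0  # quota entry missing: treat as no Spot capacity

def granted_admin_roles(member_of_json):
    """Accepted roles present in a Graph servicePrincipals/{id}/memberOf reply."""
    roles = []
    for obj in json.loads(member_of_json).get("value", []):
        if obj.get("@odata.type") != "#microsoft.graph.directoryRole":
            continue  # memberOf also lists groups; only directory roles count
        name = ACCEPTED_ROLES.get(obj.get("roleTemplateId"))
        if name:
            roles.append(name)
    return roles

def preflight(usage_json, member_of_json):
    """Return a list of unmet prerequisites; empty means ready to deploy."""
    problems = []
    free = spot_vcpus_available(usage_json)
    if free < MIN_SPOT_VCPUS:
        problems.append(f"Spot vCPU quota: {free} free, need {MIN_SPOT_VCPUS}")
    if not granted_admin_roles(member_of_json):
        problems.append("App Registration lacks " + " or ".join(ACCEPTED_ROLES.values()))
    return problems

# Constructed sample inputs (not captured from a real tenant).
SAMPLE_USAGE = json.dumps([
    {"name": {"value": "cores"}, "currentValue": "12", "limit": "100"},
    {"name": {"value": "lowPriorityCores"}, "currentValue": "8", "limit": "40"}])
SAMPLE_MEMBER_OF = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.group", "displayName": "ci-runners"},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "roleTemplateId": "158c047a-c907-4556-b7ef-446551a6b5f7"}]})

if __name__ == "__main__":
    raise SystemExit("\n".join(preflight(SAMPLE_USAGE, SAMPLE_MEMBER_OF)) or 0)
```

Matching on `roleTemplateId` rather than `displayName` or `id` keeps the check stable across tenants, since the directory role's `id` differs per tenant.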
Troubleshooting
If you encounter issues during deployment or operation, consult the Troubleshooting guide for solutions and best practices.