# Install an Azure connector on ACI using Terraform

Azure Container Instances (ACI) is a managed, serverless compute platform for running containerized applications. This guide explains how to install and configure an Apono connector on ACI in your Azure environment using Terraform.

***

### Prerequisites

<table><thead><tr><th width="249">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Token</strong></td><td><p>Account-specific Apono authentication value</p><p>Use the following steps to obtain your token:</p><ol><li>On the <a href="https://app.apono.io/connectors"><strong>Connectors</strong></a> page, click <strong>Install Connector</strong>. The <strong>Install Connector</strong> page appears.</li><li>Click <strong>Cloud installation > Azure > Install and Connect Azure Account > Terraform (Container Instance)</strong>.</li><li>Copy the token listed on the page in step <strong>1</strong>.</li></ol></td></tr><tr><td><strong>Terraform Command Line Interface (Terraform CLI)</strong></td><td><a href="https://developer.hashicorp.com/terraform/downloads">Tool</a> that enables interacting with Azure services using your command-line shell</td></tr><tr><td><strong>Azure Cloud Information</strong></td><td><p>Information for your Azure Cloud instance:</p><ul><li><a href="https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#open-resource-groups">Resource group name</a></li><li><a href="https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#change-subnet-settings">Subnet IDs</a></li></ul></td></tr><tr><td><strong>Owner Role (Azure RBAC)</strong></td><td><p><a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner">Azure role</a> with the following permissions:</p><ul><li>Grants full access to manage all resources</li><li>Assigns roles in Azure RBAC</li></ul></td></tr><tr><td><strong>Global Administrator</strong></td><td><p><a href="https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator">Microsoft Entra role</a> with the following permission:</p><ul><li>Manages all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities</li></ul><p>❗<strong>Apono does not require Global Administrator access. This is required for the admin following this guide.</strong> ❗</p></td></tr></tbody></table>

***

### Install a new connector

{% hint style="info" %}
The connector requires the following roles:

1. Directory Readers - to validate users in Azure
2. User Access Administrator - to provision and deprovision access in the Management Group

Read more about these Microsoft Entra ID roles [here](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers).
{% endhint %}

Follow these steps to set up a new connector:

1. At the shell prompt, set environment variables for your Apono token, Azure resource group name, and subnet ID.

```bash
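# Replace each <PLACEHOLDER> with your own value. The quotes keep the shell
# from treating "<" and ">" as redirections if a placeholder is left in place.
export APONO_TOKEN="<APONO_TOKEN>"
export RESOURCE_GROUP_NAME="<AZURE_RESOURCE_GROUP_NAME>"
export SUBNET_ID="<SUBNET_ID>"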
```

2. In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector [with permissions](#with-permissions) or [without permissions](#without-permissions):

{% tabs %}
{% tab title="With Permissions" %}
Enables installing the connector in the cloud environment and managing access to resources.

{% code overflow="wrap" %}

```hcl
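// $APONO_TOKEN, $RESOURCE_GROUP_NAME and $SUBNET_ID are placeholders: Terraform does not
// expand shell variables, so substitute quoted strings or input variables (var.<name>).
module "connector" {
    source = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
    aponoToken = $APONO_TOKEN
    resourceGroup = $RESOURCE_GROUP_NAME
    ipAddressType = "Private" // "Private" or "None"
    subnetIds = [$SUBNET_ID]
}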
```

{% endcode %}
{% endtab %}

{% tab title="Without Permissions" %}
Enables installing the connector in the cloud environment while managing access to non-Azure resources, such as self-hosted databases.

{% code overflow="wrap" %}

```hcl
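// $APONO_TOKEN, $RESOURCE_GROUP_NAME and $SUBNET_ID are placeholders: Terraform does not
// expand shell variables, so substitute quoted strings or input variables (var.<name>).
module "connector" {
    source = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
    aponoToken = $APONO_TOKEN
    resourceGroup = $RESOURCE_GROUP_NAME
    ipAddressType = "Private" // "Private" or "None"
    subnetIds = [$SUBNET_ID]
}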
```

{% endcode %}
{% endtab %}
{% endtabs %}

3. At the Terraform CLI, download and install the provider plugin and module.

```bash
terraform init
```

4. Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

```bash
terraform apply
```

5. Enter *yes* to confirm deploying the changes to your Azure account.
6. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been deployed.

You can now integrate with an [Azure Management Group or Azure Subscription](https://docs.apono.io/docs/azure-environment/azure-integrations/integrate-with-azure-management-groups-or-subscriptions).
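
One way to pass the values exported in step 1 into the module without writing the token into the .tf file, given as an added example rather than Apono's own configuration: Terraform reads any `TF_VAR_<name>` environment variable into the input variable of the same name. The variable names (`apono_token`, `resource_group`, `ip_address_type`, `subnet_ids`) are hypothetical, and the subnet check assumes the module expects full Azure subnet resource IDs; the module source and its four inputs are the ones shown in step 2.

```hcl
# Added example (not Apono's configuration); variable names are hypothetical.
# Terraform reads TF_VAR_<name> from the environment, so after step 1 run:
#   export TF_VAR_apono_token="$APONO_TOKEN"
#   export TF_VAR_resource_group="$RESOURCE_GROUP_NAME"
#   export TF_VAR_subnet_ids='["<SUBNET_ID>"]'

variable "apono_token" {
  type      = string
  sensitive = true # redacted in plan and apply output
  validation {
    condition     = length(trimspace(var.apono_token)) > 0
    error_message = "apono_token is empty; export TF_VAR_apono_token first."
  }
}

variable "resource_group" {
  type = string
}

variable "ip_address_type" {
  type    = string
  default = "Private"
  validation {
    condition     = contains(["Private", "None"], var.ip_address_type)
    error_message = "ip_address_type must be \"Private\" or \"None\"."
  }
}

variable "subnet_ids" {
  type = list(string)
  validation {
    # Assumption: the module expects full Azure subnet resource IDs, not short names.
    condition = alltrue([
      for id in var.subnet_ids : can(regex(
        "(?i)^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.Network/virtualNetworks/[^/]+/subnets/[^/]+$",
      id))
    ])
    error_message = "Each subnet ID must be a full Azure resource ID ending in /subnets/<name>."
  }
}

# Replaces the module block from step 2 (same source and inputs as the page).
module "connector" {
  source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
  aponoToken    = var.apono_token
  resourceGroup = var.resource_group
  ipAddressType = var.ip_address_type
  subnetIds     = var.subnet_ids
}
```

`sensitive = true` redacts the token only in plan and apply output; the value is still written to the Terraform state, so keep the state in a backend with restricted access.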
