# Install an Azure connector on ACI using Terraform

Azure Container Instances (ACI) is a managed, serverless compute platform for running containerized applications. This guide explains how to install and configure an Apono connector on ACI in your Azure environment using Terraform.

***

### Prerequisites

<table><thead><tr><th width="249">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Token</strong></td><td><p>Account-specific Apono authentication value</p><p>Use the following steps to obtain your token:</p><ol><li>On the <a href="https://app.apono.io/connectors"><strong>Connectors</strong></a> page, click <strong>Install Connector</strong>. The <strong>Install Connector</strong> page appears.</li><li>Click <strong>Cloud installation > Azure > Install and Connect Azure Account > Terraform (Container Instance)</strong>.</li><li>Copy the token listed on the page in step <strong>1</strong>.</li></ol></td></tr><tr><td><strong>Terraform Command Line Interface (Terraform CLI)</strong></td><td><a href="https://developer.hashicorp.com/terraform/downloads">Tool</a> that enables interacting with Azure services using your command-line shell</td></tr><tr><td><strong>Azure Cloud Information</strong></td><td><p>Information for your Azure Cloud instance:</p><ul><li><a href="https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#open-resource-groups">Resource group name</a></li><li><a href="https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#change-subnet-settings">Subnet IDs</a></li></ul></td></tr><tr><td><strong>Owner Role (Azure RBAC)</strong></td><td><p><a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner">Azure role</a> with the following permissions:</p><ul><li>Grants full access to manage all resources</li><li>Assigns roles in Azure RBAC</li></ul></td></tr><tr><td><strong>Global Administrator</strong></td><td><p><a href="https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator">Microsoft Entra role</a> with the following permission:</p><ul><li>Manages all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities</li></ul><p>❗<strong>Apono does not require Global Administrator access. This is required for the admin following this guide.</strong> ❗</p></td></tr></tbody></table>

***

### Install a new connector

{% hint style="info" %}
The connector requires the following roles:

1. Directory Readers - to validate users in Azure
2. User Access Administrator - to provision and deprovision access in the Management Group

Read more about these Microsoft Entra ID roles [here](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers).
{% endhint %}

Follow these steps to set up a new connector:

1. At the shell prompt, set environment variables for your Apono token, Azure resource group name, and subnet ID.

```bash
export APONO_TOKEN="<APONO_TOKEN>"
export RESOURCE_GROUP_NAME="<AZURE_RESOURCE_GROUP_NAME>"
export SUBNET_ID="<SUBNET_ID>"
```

2. In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector [with permissions](#with-permissions) or [without permissions](#without-permissions):

{% tabs %}
{% tab title="With Permissions" %}
Enables installing the connector in the cloud environment and managing access to resources

{% code overflow="wrap" %}

```hcl
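// Terraform does not expand shell variables in .tf files: replace each $NAME
// with the value from step 1, or pass it in as an input variable.
module "connector" {
    source = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
    aponoToken = "$APONO_TOKEN"
    resourceGroup = "$RESOURCE_GROUP_NAME"
    ipAddressType = "<IP_ADDRESS_TYPE>" // "Private" or "None"
    subnetIds = ["$SUBNET_ID"]
}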
```

{% endcode %}
{% endtab %}

{% tab title="Without Permissions" %}
Enables installing the connector in the cloud environment but managing access to non-Azure resources, such as self-hosted databases

{% code overflow="wrap" %}

```hcl
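// Terraform does not expand shell variables in .tf files: replace each $NAME
// with the value from step 1, or pass it in as an input variable.
module "connector" {
    source = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
    aponoToken = "$APONO_TOKEN"
    resourceGroup = "$RESOURCE_GROUP_NAME"
    ipAddressType = "<IP_ADDRESS_TYPE>" // "Private" or "None"
    subnetIds = ["$SUBNET_ID"]
}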
```

{% endcode %}
{% endtab %}
{% endtabs %}

3. At the Terraform CLI, download and install the provider plugin and module.

```bash
terraform init
```

4. Apply the Terraform changes. Terraform lists the proposed changes and prompts for confirmation.

```bash
terraform apply
```

5. Enter *yes* to confirm deploying the changes to your Azure account.
6. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been deployed.

You can now integrate with an [Azure Management Group or Azure Subscription](/docs/azure-environment/azure-integrations/integrate-with-azure-management-groups-or-subscriptions.md).
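
One way to feed the values from step 1 into the module without writing the token into the `.tf` file, shown for the "With Permissions" module. This is an added example, not Apono's own code: the variable names and the `TF_VAR_` exports are assumptions, while the module source and its four inputs are the ones given above.

```hcl
# Added example (not from the Apono module repository).
# Terraform reads TF_VAR_<name> from the environment, so step 1 becomes:
#   export TF_VAR_apono_token="<APONO_TOKEN>"
#   export TF_VAR_resource_group_name="<AZURE_RESOURCE_GROUP_NAME>"
#   export TF_VAR_subnet_ids='["<SUBNET_ID>"]'
#   export TF_VAR_ip_address_type="<IP_ADDRESS_TYPE>"   # "Private" or "None"

variable "apono_token" {
  description = "Apono connector token copied from the Install Connector page"
  type        = string
  sensitive   = true # redacted in plan and apply output

  validation {
    condition     = length(trimspace(var.apono_token)) > 0
    error_message = "apono_token is empty; export TF_VAR_apono_token first."
  }
}

variable "resource_group_name" {
  description = "Existing Azure resource group that will hold the connector"
  type        = string
}

variable "subnet_ids" {
  description = "Subnet IDs the container instance is attached to"
  type        = list(string)
}

variable "ip_address_type" {
  description = "Value for the module's ipAddressType input"
  type        = string

  validation {
    # Reject anything other than the two values the page lists.
    condition     = contains(["Private", "None"], var.ip_address_type)
    error_message = "ip_address_type must be \"Private\" or \"None\"."
  }
}

module "connector" {
  source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
  aponoToken    = var.apono_token
  resourceGroup = var.resource_group_name
  ipAddressType = var.ip_address_type
  subnetIds     = var.subnet_ids
}
```

`sensitive = true` keeps the token out of plan and apply output, but the value is still written to Terraform state, so the state backend needs the same access controls as the token itself.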

