Skip to content

Support wildcard Azure subscription VM discovery#64596

Open
GavinFrazar wants to merge 2 commits intomasterfrom
gavinfrazar/azure-subscription-wildcard-discovery
Open

Support wildcard Azure subscription VM discovery#64596
GavinFrazar wants to merge 2 commits intomasterfrom
gavinfrazar/azure-subscription-wildcard-discovery

Conversation

@GavinFrazar
Copy link
Contributor

@GavinFrazar GavinFrazar commented Mar 13, 2026

The wildcard "*" can now be used for VM discovery across all subscriptions. The subscriptions discovered will depend on the scope(s) that discovery service identity has Microsoft.Resources/subscriptions/read permission.

TODO in separate PRs:

  • Update docs for discovery config and for Azure discovery permissions. Docs reference for static discovery also needs to show the "integration" setting.
  • Add support for Azure wildcard subscription join token rule

Changelog: Azure VM discovery configuration now supports specifying a wildcard ("*") subscription to discover all VMs in all subscriptions where the Discovery service has Microsoft.Resources/subscriptions/read permission.

Manual Test Plan

Test Environment

  • Create multiple Azure subscriptions
  • Create VMs in each subscription
  • Create an Azure join token that allows joining from each subscription ID (wildcard Azure subscription join token is not implemented in this PR)
  • Create an Azure role for discovery and assign it to the discovery service at a high enough scope to discover each subscription. (I made an assignment for each subscription, but an Azure management group assignment could be used instead)

Test Cases

  • Start a discovery service with static config that uses wildcard Azure subscription
    • Verify that all expected VMs are discovered and join the cluster
  • Stop discovery service, remove all static configuration except for discovery_group, and disenroll all discovered VMs
  • Create a dynamic discovery_config that uses wildcard Azure subscription
    • Verify that all expected VMs are discovered and join the cluster

@GavinFrazar
Support wildcard Azure subscription VM discovery
cd86dd0 
The wildcard "*" can now be used for VM discovery across all subscriptions.
The subscriptions discovered will depend on the scope(s) that discovery service identity has Microsoft.Resources/subscriptions/read permission.
@GavinFrazar GavinFrazar self-assigned this Mar 13, 2026
GavinFrazar
GavinFrazar commented Mar 13, 2026
View reviewed changes
lib/srv/discovery/discovery.go
Comment on lines +2100 to +2102
// TODO(gavin): instead of listing subscriptions during init, do it
// on every fetch to prevent stale discovery configuration when
// subscriptions are added or removed
Copy link
Contributor Author

@GavinFrazar GavinFrazar Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to be clear: getAzureSubscriptions is used for setting up kube discovery fetchers. I did not touch it in this PR to keep the scope focused on VM discovery.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Tener Tener Awaiting requested review from Tener

@marcoandredinis marcoandredinis Awaiting requested review from marcoandredinis

@capnspacehook capnspacehook Awaiting requested review from capnspacehook

@eriktate eriktate Awaiting requested review from eriktate

At least 2 approving reviews are required to merge this pull request.

Assignees

@GavinFrazar GavinFrazar

Labels

azure backport/branch/v18 discover Issues related to Teleport Discover discovery size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GavinFrazar