Init

.gitignore

@@ -39,11 +39,11 @@ terraform.rc
 
 ### VisualStudioCode ###
 .vscode/*
-!.vscode/settings.json
-!.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
-!.vscode/*.code-snippets
+#!.vscode/settings.json
+#!.vscode/tasks.json
+#!.vscode/launch.json
+#!.vscode/extensions.json
+#!.vscode/*.code-snippets
 
 # Local History for Visual Studio Code
 .history/

.terraform-docs.yml

@@ -41,7 +41,11 @@ content: |-
 
   {{ indent 0 "#" }} Usage
 
-  It's very easy to use!
+  To use this module, the source and target Management Groups you want to use for Subscription moving are required. 
+  The Management Groups are recommended to have the same display name as the ID for ease of use.
+
+  Only the main.tf needs to be run to deploy the function app with the function, which will run immediately.
+
   ```hcl
   {{ include "examples/basic/main.tf" }}
   ```

AzFunction/.gitignore

@@ -0,0 +1,51 @@
+bin
+obj
+csx
+.vs
+edge
+Publish
+
+*.user
+*.suo
+*.cscfg
+*.Cache
+project.lock.json
+
+/packages
+/TestResults
+
+/tools/NuGet.exe
+/App_Data
+/secrets
+/data
+.secrets
+appsettings.json
+local.settings.json
+
+node_modules
+dist
+
+# Local python packages
+.python_packages/
+
+# Python Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Azurite artifacts
+__blobstorage__
+__queuestorage__
+__azurite_db*__.json
+
+### VisualStudioCode ###
+.vscode/*

AzFunction/SubMover/function.json

@@ -0,0 +1,10 @@
+{
+  "bindings": [
+    {
+      "name": "Timer",
+      "type": "timerTrigger",
+      "direction": "in",
+      "schedule": "0 */5 * * * *"
+    }
+  ]
+}

AzFunction/SubMover/host.json

@@ -0,0 +1,7 @@
+{
+  "version": "2.0",
+  "extensionBundle": {
+    "id": "Microsoft.Azure.Functions.ExtensionBundle",
+    "version": "[3.*, 4.0.0)"
+  }
+}

AzFunction/SubMover/readme.md

@@ -0,0 +1,7 @@
+# TimerTrigger 
+
+The `TimerTrigger` executes on a schedule. This function runs every 5 minutes.
+
+## How it works
+
+The Azure Function checks for every subscription within the source management group if the subscription's quota id matches the given quota id `MSDN_2014_09_01`. If that is the case, the subscription will be moved to the target management group. 

AzFunction/SubMover/run.ps1

@@ -0,0 +1,36 @@
+<#
+.SYNOPSIS
+    Moves VSE Subscriptions from Management Group "New" to "Sandbox"
+.DESCRIPTION
+    This script moves in management group "New" created VSE Subscriptions to "Sandbox" every 5 minutes.
+    This is done via checking for the Quota Id, which correlates with the Offer Id for VSE Subscriptions.
+.EXAMPLE
+#>
+
+param($Timer)
+
+#region Global variables
+$azQuotaID = 'MSDN_2014-09-01'
+$sourceManagementGroupName = $env:source_management_group_name
+$targetManagementGroup = $env:target_management_group_name
+$ErrorActionPreference = "Stop"
+#endregion
+
+
+#region move subscriptions matching the Quota ID from source management group to target management group
+$mgmtSubs = Get-AzManagementGroupSubscription -GroupName $sourceManagementGroupName
+foreach ($subscription in $mgmtSubs) {
+    try {
+        $subscriptionID = $subscription.Id -replace '.*/'               # Retrieve subscription ID (everything behind last '/')
+        $subscriptionObj = Get-AzSubscription -SubscriptionId $subscriptionID 
+        $subscriptionPolicies = $subscriptionObj.SubscriptionPolicies
+        if ($subscriptionPolicies.QuotaId -EQ $azQuotaID) {
+            New-AzManagementGroupSubscription -GroupId $targetManagementGroup -SubscriptionId $subscriptionID
+        }
+    }
+    catch {
+        Write-Error $_ -ErrorAction Continue
+    }
+
+}
+#endregion

AzFunction/host.json

@@ -0,0 +1,21 @@
+{
+  "version": "2.0",
+  "logging": {
+    "logLevel": {
+      "default": "Trace"
+    },
+    "applicationInsights": {
+      "samplingSettings": {
+        "isEnabled": true,
+        "excludedTypes": "Request"
+      }
+    }
+  },
+  "managedDependency": {
+    "enabled": true
+  },
+  "extensionBundle": {
+    "id": "Microsoft.Azure.Functions.ExtensionBundle",
+    "version": "[3.*, 4.0.0)"
+  }
+}

AzFunction/profile.ps1

@@ -0,0 +1,22 @@
+# Azure Functions profile.ps1
+#
+# This profile.ps1 will get executed every "cold start" of your Function App.
+# "cold start" occurs when:
+#
+# * A Function App starts up for the very first time
+# * A Function App starts up after being de-allocated due to inactivity
+#
+# You can define helper functions, run commands, or specify environment variables
+# NOTE: any variables defined that are not environment variables will get reset after the first execution
+
+# Authenticate with Azure PowerShell using MSI.
+# Remove this if you are not planning on using MSI or Azure PowerShell.
+if ($env:MSI_SECRET) {
+    Disable-AzContextAutosave -Scope Process | Out-Null
+    Connect-AzAccount -Identity
+}
+
+# Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell.
+# Enable-AzureRmAlias
+
+# You can also define functions or aliases that can be referenced in any of your PowerShell functions.

AzFunction/requirements.psd1

@@ -0,0 +1,8 @@
+# This file enables modules to be automatically managed by the Functions service.
+# See https://aka.ms/functionsmanageddependency for additional information.
+#
+@{
+    # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. 
+    # To use the Az module in your function app, please uncomment the line below.
+    'Az' = '10.*'
+}

README.md

@@ -1,20 +1,43 @@
-# Module
-[![GitHub tag](https://img.shields.io/github/tag/qbeyond/terraform-module-template.svg)](https://registry.terraform.io/modules/qbeyond/terraform-module-template/provider/latest)
-[![License](https://img.shields.io/github/license/qbeyond/terraform-module-template.svg)](https://github.com/qbeyond/terraform-module-template/blob/main/LICENSE)
+# Azure VSE Subscription Mover
+[![GitHub tag](https://img.shields.io/github/tag/qbeyond/terraform-azurerm-subscription-mover.svg)](https://registry.terraform.io/modules/qbeyond/subscription-mover/azurerm/latest)
+[![License](https://img.shields.io/github/license/qbeyond/terraform-azurerm-subscription-mover.svg)](https://github.com/qbeyond/terraform-azurerm-subscription-mover/blob/main/LICENSE)
 
 ----
-
-This is a template module. It just showcases how a module should look. This would be a short description of the module.
+## Description
+This module deploys an Azure Function App with a Function, which moves every VSE Subscription from a source management group to a target management group, based on the Quota ID MSDN_2014_09_01.
+The function runs every 5 minutes.
 
 <!-- BEGIN_TF_DOCS -->
 ## Usage
 
-It's very easy to use!
+To use this module, the source and target Management Groups you want to use for Subscription moving are required.
+The Management Groups are recommended to have the same display name as the ID for ease of use.
+
+Only the main.tf needs to be run to deploy the function app with the function, which will run immediately.
+
 ```hcl
 provider "azurerm" {
-  features {
+  features {}
+}
+
+resource "azurerm_management_group" "source" {
+  name = "Test-Source"
+}
 
-  }
+resource "azurerm_management_group" "target" {
+  name = "Test-Target"
+}
+
+module "vse_subscription_mover" {
+  source                    = "../.."
+  location                  = "westeurope"
+  resource_group_name       = "rg-SubMover-dev-01"
+  function_app_name         = "func-dev-SubMover-test-01"
+  app_service_plan_name     = "plan-dev-SubMover-test-01"
+  storage_account_name      = "stfuntestsubmover01"
+  application_insights_name = "appi-SubMover-dev-01"
+  source_management_group   = azurerm_management_group.source
+  target_management_group   = azurerm_management_group.target
 }
 ```
 
@@ -26,22 +49,58 @@ provider "azurerm" {
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_app_service_plan_name"></a> [app\_service\_plan\_name](#input\_app\_service\_plan\_name) | Name of the application service plan used for the Azure Function App. | `string` | n/a | yes |
+| <a name="input_application_insights_name"></a> [application\_insights\_name](#input\_application\_insights\_name) | Name of the Application Insights, which will show Monitoring information of the Azure Function App. | `string` | n/a | yes |
+| <a name="input_function_app_name"></a> [function\_app\_name](#input\_function\_app\_name) | Name of the Azure Function App in which the function will be deployed. | `string` | n/a | yes |
+| <a name="input_location"></a> [location](#input\_location) | Name of the location where the resources will be provisioned. | `string` | n/a | yes |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group in which to create the resources. Changing this forces new resources to be created. | `string` | n/a | yes |
+| <a name="input_source_management_group"></a> [source\_management\_group](#input\_source\_management\_group) | The source management group from which the Subscriptions will be moved from. The name used here is not the display name, it is the ID shown next to the display name in the Azure Portal Management Group view. | <pre>object({<br>    name = string<br>    id   = string<br>  })</pre> | n/a | yes |
+| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Name of the storage account used for the Azure Function App. | `string` | n/a | yes |
+| <a name="input_target_management_group"></a> [target\_management\_group](#input\_target\_management\_group) | The target management group to which the subscriptions will be moved. The name used here is not the display name, it is the ID shown next to the display name in the Azure Portal Management Group view. | <pre>object({<br>    name = string<br>    id   = string<br>  })</pre> | n/a | yes |
 ## Outputs
 
 No outputs.
+
 ## Resource types
 
-No resources.
+| Type | Used |
+|------|-------|
+| [azurerm_application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | 1 |
+| [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | 1 |
+| [azurerm_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | 3 |
+| [azurerm_service_plan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) | 1 |
+| [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | 1 |
+| [azurerm_storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_blob) | 1 |
+| [azurerm_storage_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | 1 |
+| [azurerm_windows_function_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app) | 1 |
 
+**`Used` only includes resource blocks.** `for_each` and `count` meta arguments, as well as resource blocks of modules are not considered.
 
 ## Modules
 
 No modules.
-## Resources by Files
 
-No resources.
+## Resources by Files
 
+### main.tf
+
+| Name | Type |
+|------|------|
+| [azurerm_application_insights.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | resource |
+| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.role_assignment_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.source_mgmt_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.target_mgmt_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_service_plan.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) | resource |
+| [azurerm_storage_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
+| [azurerm_storage_blob.storage_blob_function](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_blob) | resource |
+| [azurerm_storage_container.storage_container_function](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
+| [azurerm_windows_function_app.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app) | resource |
+| [archive_file.file_function_app](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [azurerm_role_definition.management_group_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
+| [azurerm_role_definition.user_access_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
 <!-- END_TF_DOCS -->
 
 ## Contribute