Deployment of Infrastructure
This section describes how to provision Azure resources required for customer-hosted Codebeamer AI by running Terraform.
Step 1: Download the infrastructure package (IaC zip)
Download the package cb-ai-chd-infra-<version>.zip from PTC Software Download - Codebeamer AI.
Step 2: Set the environment variables
Set the following environment variables using the values created for the infrastructure service principal.
ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_TENANT_ID
ARM_SUBSCRIPTION_ID
Step 3: Configure Terraform infrastructure input parameters
Configure the Terraform variables file, infra.tfvars, which is required for deployment.
Create a copy of infra.tfvars.template named infra.tfvars.
1. Go to the template file terraform/deployment-profiles/infra-templates/infra.tfvars.template.
2. Create a copy of the file, rename it to infra.tfvars, and save it in the same folder.
3. Update the file with the following required parameters.
| Variable | Description |
|---|---|
| subscription_id | Azure subscription where resources will be deployed. |
| tenant_id | Azure AD tenant ID. |
| location | Azure region, for example, eastus2. |
| resource_group_name | Resource group name, maximum 20 characters, letters, numbers, hyphens only. |
| aks_admin_group_object_ids | Azure AD (Entra ID) group object IDs for AKS admin access. |
| kubernetes_version | AKS Kubernetes version, for example, 1.34. |
| environment | Deployment environment name. It must be unique per environment. |
| openai_gpt5_mini_capacity | Throughput capacity for GPT-5 Mini. |
| openai_gpt5_nano_capacity | Throughput capacity for GPT-5 Nano. |
| flow_log_storage_resource_group | Resource group for the flow logs storage account. |
| flow_log_storage_account_name | Storage account for flow logs. |
| allowed_ips | CIDR ranges allowed to access the AKS subnet. |
| aks_api_server_authorized_ip_ranges | List of IP ranges allowed to access the AKS API server (control plane). |
4. Optionally, update the following parameters based on your requirements.
| Variable | Description |
|---|---|
| aks_host_encryption_enabled | Enable AKS host encryption. Set to false if unsupported. |
| aks_user_pool_vm_size | VM size for the AKS user node pool. |
| aks_user_pool_min_count | Minimum nodes in the user pool. |
| aks_user_pool_max_count | Maximum nodes for auto-scaling. |
| aks_system_pool_vm_size | VM size for the system node pool. |
| aks_system_pool_min_count | Minimum nodes in the system pool. |
| aks_system_pool_max_count | Maximum nodes in the system pool. |
| openai_gpt5_mini_sku_name | SKU for GPT-5 Mini. For example, DataZoneStandard, GlobalStandard, PTU SKUs. |
| openai_gpt5_nano_sku_name | SKU for GPT-5 Nano. |
| openai_gpt5_mini_spillover_sku_name | Spillover SKU for GPT-5 Mini. This is used only with PTU. |
| openai_gpt5_mini_spillover_capacity | Spillover capacity for GPT-5 Mini. |
| openai_gpt5_nano_spillover_sku_name | Spillover SKU for GPT-5 Nano. |
| openai_gpt5_nano_spillover_capacity | Spillover capacity for GPT-5 Nano. |
| flow_log_retention_days | Retention period for flow logs. |
The following example shows the infra.tfvars file:
subscription_id        = "<subscription-id>"
tenant_id = "<tenant-id>"
location = "<region>"
resource_group_name = "<resource_group_name>"

aks_admin_group_object_ids = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]

kubernetes_version = "1.34"
environment = "development"

aks_user_pool_vm_size = "Standard_D8as_v5"
aks_user_pool_min_count = 3
aks_user_pool_max_count = 6

aks_system_pool_vm_size = "Standard_D2s_v5"
aks_system_pool_min_count = 2
aks_system_pool_max_count = 3

openai_gpt5_mini_sku_name = "DataZoneStandard"
openai_gpt5_nano_sku_name = "DataZoneStandard"

openai_gpt5_mini_capacity = 10000
openai_gpt5_nano_capacity = 10000

flow_log_storage_resource_group = "my-storage-rg"
flow_log_storage_account_name = "myflowlogsaccount"
flow_log_retention_days = 90

allowed_ips = ["1.2.3.4/32"]

aks_api_server_authorized_ip_ranges = ["1.2.3.4/32"]
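
A preflight check for infra.tfvars, added here as an example and not part of the PTC package: it confirms that the required variables from the table above are set, that resource_group_name meets the stated limit, and that both IP range lists parse as CIDR. The function names, the single-line parser, and the rejection of /0 ranges are assumptions of this example.

```python
import ipaddress
import re

# Required variables, copied from the page's required-parameters table.
REQUIRED = [
    "subscription_id", "tenant_id", "location", "resource_group_name",
    "aks_admin_group_object_ids", "kubernetes_version", "environment",
    "openai_gpt5_mini_capacity", "openai_gpt5_nano_capacity",
    "flow_log_storage_resource_group", "flow_log_storage_account_name",
    "allowed_ips", "aks_api_server_authorized_ip_ranges",
]
CIDR_VARS = ("allowed_ips", "aks_api_server_authorized_ip_ranges")

def parse_tfvars(text):
    """Parse single-line `name = value` assignments; not a full HCL parser."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.+?)\s*$", line)
        if m:
            # Quoted strings become list items; bare numbers/booleans stay as text.
            values[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2)) or [m.group(2)]
    return values

def check_tfvars(text):
    """Return a list of findings; an empty list means every check passed."""
    v, findings = parse_tfvars(text), []
    for name in REQUIRED:
        if name not in v:
            findings.append(f"{name}: missing")
        elif any(s.startswith("<") for s in v[name]):
            findings.append(f"{name}: placeholder not replaced")
    rg = v.get("resource_group_name", ["<unset>"])[0]
    if not rg.startswith("<") and not re.fullmatch(r"[A-Za-z0-9-]{1,20}", rg):
        findings.append("resource_group_name: over 20 chars or invalid characters")
    for name in CIDR_VARS:
        for cidr in v.get(name, []):
            if cidr.startswith("<"):
                continue  # already reported as a placeholder
            try:
                net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
            except ValueError:
                findings.append(f"{name}: {cidr} is not a valid CIDR")
                continue
            if net.prefixlen == 0:  # assumption of this example: /0 is too broad
                findings.append(f"{name}: {cidr} admits every address")
    return findings

# Constructed sample input (not a real deployment).
SAMPLE = ('resource_group_name = "my-codebeamer-ai-production"\n'
          'allowed_ips = ["0.0.0.0/0", "10.0.0.5/24"]\n')
```

Run check_tfvars on the contents of infra.tfvars before terraform plan and resolve every finding it returns.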
Step 4: Configure the Terraform backend Azure storage account
Update backend.conf with the storage account details. For more information, see Prerequisites.
The file is located at: terraform\deployment-profiles\infra-templates\backend.conf.
The following example shows the file configuration:
resource_group_name  = "<resource_group_name>"
storage_account_name = "<storage_account_name>"
container_name = "<container_name>"
key = "<terraform.tfstate>"
Step 5: Run Terraform deployment
1. Go to Azure resources for Terraform.
cd terraform/deployment-profiles/infra-templates
2. Initialize Terraform.
terraform init -backend-config=backend.conf
3. Plan the Terraform.
After running the Terraform plan, refer to Customer-hosted Codebeamer AI to validate the resources that will be created before proceeding with apply.
terraform plan -var-file=infra.tfvars
4. Apply the Terraform updates.
terraform apply -var-file=infra.tfvars
After performing the steps, verify that:
The required resources were planned and created successfully.
No errors occurred.
Terraform output is saved for future reference during service and Azure Policy deployments.
Step 6: Create application registration
By default, Terraform does not create an Entra ID app registration because enable_app_registration = false. This avoids requiring tenant-wide Entra ID permissions for the Terraform service principal.
After the Terraform deployment completes successfully, the customer's Entra ID administrator must manually create the application registration and service principal. Note the client_id and audience values for configuring the Codebeamer AI service.
Skip this section if enable_app_registration is set to true in infra.tfvars. In this case, Terraform creates the application registration and the client_id and audience values are available in the Terraform output.
Create Entra ID App registration using the Azure portal
1. Go to Azure Portal > Microsoft Entra ID > App registrations > New registration.
2. Enter the following details in the registration form:
Name: <resource_group_name>-oauth. Example: my-cbai-chd-prod-oauth.
Supported account types: Accounts in this organizational directory only.
Redirect URI: Leave blank.
3. Click Register.
4. On the Overview page, copy the Application (client) ID. This is the client_id.
5. In the left menu, click Expose an API.
6. Click Set next to Application ID URI. Set the value to api://<client_id>.
7. Click Save.
8. Click Add a scope. Configure the following fields.
Scope name: access_as_application
Who can consent: Admins only
Admin consent display name: Access API
Admin consent description: Access API
State: Enabled
9. Click Add scope.
10. In the left menu, click Overview. Copy the Application ID URI. This is the audience.
11. Create the Service Principal.
Go to Microsoft Entra ID > Enterprise applications.
The service principal is created automatically with the app registration. Verify that it appears by searching for <resource_group_name>-oauth.
To use the Azure CLI, refer to az ad app | Microsoft Learn.
After creating the App registration, copy the following values. These are required when configuring cb-ai-service:
| Field | Where to find | Example |
|---|---|---|
| client_id | App Registration > Overview > Application (client) ID | 12345678-abcd-efgh-ijkl-123456789012 |
| audience | App Registration > Expose an API > Application ID URI | api://12345678-abcd-efgh-ijkl-123456789012 |