Authenticating Terraform to Azure using Service Principal

Continuing on my journey to learn Terraform, I wanted to explore how to authenticate Terraform to Azure. Terraform is an infrastructure automation tool, and this authentication step is what allows it to create and manage resources on the Azure cloud platform. I came across two insightful articles on Azure service principals that helped me understand the how and the what of a service principal. Here are the links to those: Ned Belavance's Demystifying Azure AD Service Principals and Microsoft Docs.

Following the instructions there, I identified three steps to the objective.

Step 1: Create a Service Principal
Here is the service principal provisioning command I ran in the Azure portal command prompt (Cloud Shell). It creates an application registration plus a service principal and assigns it the Contributor role over the whole subscription; that is a broad grant, so narrow the scope to a resource group where you can.

# az ad sp create-for-rbac --name "$(Service-Principal-Name)" --role "Contributor" --scopes "/subscriptions/$(SubscriptionID)"
az ad sp create-for-rbac --name "Terraform-User-March-2021" --role "Contributor" --scopes "/subscriptions/$(SubscriptionID)"
# Tenant, subscription and client secret values are replaced with placeholders for security reasons;
# the "password" field in the real output is the client secret and must be treated as such.
# Output from the command line console:
Changing "Terraform-User-March-2021" to a valid URI of "http://Terraform-User-March-2021", which is the required format used for service principal names
Creating 'Contributor' role assignment under scope '/subscriptions/$(SubscriptionID)'
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see
{
  "appId": "3a08aff0-9708-455b-855c-1747fcf7434d",
  "displayName": "Terraform-User-March-2021",
  "name": "http://Terraform-User-March-2021",
  "password": "$(ClientSecret)",
  "tenant": "$(SubscriptionTenantID)"
}

With these values in hand, it was time to head over to Terraform and provide those credentials so Terraform could access my Azure subscription. The mapping is: appId is the client_id, password is the client_secret, tenant is the tenant_id, and the subscription ID is the one used in the --scopes argument.

Step 2: Update Terraform configuration files
I followed the instructions in the azurerm provider documentation to configure the provider and its authentication.

# Configure the Azure provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.34.0"
    }
  }
}

provider "azurerm" {
  # The provider version is pinned in required_providers above; the older
  # version argument inside the provider block is deprecated.
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  features {}
}

resource "azurerm_resource_group" "t_rg" {
  name     = "Terraform-RG"
  location = "westus2"
  tags = {
    Environment = "Dev"
  }
}
The documentation was precise on which values were required. These are credentials and need to be managed carefully. I came across an approach that declares the variables in a .tf file and places the actual values in a separate .tfvars file. That .tfvars file then holds the client secret in plaintext, so it must be excluded from source control (add *.tfvars to .gitignore before writing it) and it is worth marking the client_secret variable with sensitive = true (Terraform 0.14 and later) so the value is redacted from plan and apply output. The azurerm provider also reads the same four values from the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID, which avoids writing the secret to disk at all.

variable "subscription_id" {
  description = "The subscription ID to be used to connect to Azure"
  type        = string
}

variable "client_id" {
  description = "The client ID to be used to connect to Azure"
  type        = string
}

variable "client_secret" {
  description = "The client secret to be used to connect to Azure"
  type        = string
}

variable "tenant_id" {
  description = "The tenant ID to be used to connect to Azure"
  type        = string
}

Step 3: Execute the Terraform trio of commands (init -> plan -> apply)
At the end of terraform apply I was able to verify on the Azure portal that a resource group had been created under my subscription.

Conclusion: The purpose of this note was to authenticate Terraform, and we saw that work with the creation of a resource group in Azure.

Other ideas to explore: Is this the best method to authenticate Terraform? How to authenticate Terraform to AWS using an IAM user?
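Putting the three steps together, here is an added end-to-end script. It is example code written for this note, not the original post's code or anything from the az or Terraform projects. It parses the JSON that az ad sp create-for-rbac prints, turns it into the ARM_* environment variables the azurerm provider reads (so the secret stays in the process environment rather than in a file), and, for those who still want a .tfvars file, writes it with mode 0600 and adds *.tfvars to .gitignore first. The SAMPLE_SP_JSON value is a constructed sample with placeholder IDs, not a real service principal; the RUN_AZURE gate is my own convention so the script runs offline, and only when RUN_AZURE=1 does it call az and terraform against a logged-in subscription. The service principal and resource group names are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): wire the output of
# `az ad sp create-for-rbac` into Terraform without committing the secret.
set -eu

# Constructed sample of the pretty-printed JSON that az prints.
# Placeholder values only; this is not a real service principal.
SAMPLE_SP_JSON='{
  "appId": "00000000-1111-2222-3333-444444444444",
  "displayName": "Terraform-User-March-2021",
  "name": "http://Terraform-User-March-2021",
  "password": "example-client-secret-not-real",
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

# Extract one string field from az's one-key-per-line JSON.
# $1 = json text, $2 = key name. Use jq for anything less regular.
json_field() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
    | head -n 1
}

# Print export lines for the four variables the azurerm provider reads
# from the environment. $1 = json text, $2 = subscription id.
sp_to_arm_env() {
  printf "export ARM_CLIENT_ID='%s'\n" "$(json_field "$1" appId)"
  printf "export ARM_CLIENT_SECRET='%s'\n" "$(json_field "$1" password)"
  printf "export ARM_TENANT_ID='%s'\n" "$(json_field "$1" tenant)"
  printf "export ARM_SUBSCRIPTION_ID='%s'\n" "$2"
}

# Alternative: write a terraform.tfvars file, but only after making sure
# the repository ignores it, and with permissions restricted to the owner.
# $1 = json text, $2 = subscription id, $3 = output path, $4 = repo dir.
write_tfvars() {
  grep -qxF '*.tfvars' "$4/.gitignore" 2>/dev/null \
    || printf '*.tfvars\n' >> "$4/.gitignore"
  ( umask 077
    {
      printf 'subscription_id = "%s"\n' "$2"
      printf 'client_id       = "%s"\n' "$(json_field "$1" appId)"
      printf 'client_secret   = "%s"\n' "$(json_field "$1" password)"
      printf 'tenant_id       = "%s"\n' "$(json_field "$1" tenant)"
    } > "$3" )
}

# Live run, gated because it needs an `az login` session and network.
if [ "${RUN_AZURE:-0}" = 1 ]; then
  SUB_ID=$(az account show --query id -o tsv)
  # Subscription scope matches the post because Terraform creates the
  # resource group itself; once the group exists, a narrower scope such as
  # /subscriptions/$SUB_ID/resourceGroups/Terraform-RG is the safer grant.
  SP_JSON=$(az ad sp create-for-rbac \
    --name "Terraform-User-March-2021" \
    --role "Contributor" \
    --scopes "/subscriptions/$SUB_ID")
  eval "$(sp_to_arm_env "$SP_JSON" "$SUB_ID")"
  terraform init
  terraform plan -out tf.plan
  terraform apply tf.plan
fi
```

With the ARM_* variables exported, the provider block needs none of the subscription_id, client_id, client_secret or tenant_id arguments, and the secret never touches the working tree. The eval is safe here because the values are quoted with single quotes and az-generated secrets contain no single quotes; if you source secrets from elsewhere, check that first.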
