Continuing on my journey to learn Terraform, I wanted to explore the idea of authenticating Terraform to Azure. Terraform, as we know, is an infrastructure automation tool, and this authentication technique allows us to create/manage resources on the Azure cloud platform. I came across two insightful articles on Azure Service Principals that helped me understand the how’s and what’s of the service principal. Here are the links to those –Ned Belavance’s Demystifying Azure AD Service Principals and Microsoft Docs
Following the instructions there, I identified three steps to the objective.
Step 1: Create a Service Principal
Here is code of the service principal provisioning command I ran on Azure portal command prompt:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # az ad sp create-for-rbac –name "$(Service-Principal-Name)" –role "Contributor" –scope "/subscriptions/$(SubscriptionNumber)" | |
| az ad sp create-for-rbac –name "Terraform-User-March-2021" –role "Contributor" –scope "/subscriptions/$(SubscriptionID)" | |
| # I am replacing the tenant and subscription value with variable for security reasons | |
| # Output from the commandline console: | |
| Changing "Terraform-User-March-2021" to a valid URI of "http://Terraform-User-March-2021", which is the required format used for service principal names | |
| Creating 'Contributor' role assignment under scope '/subscriptions/$(SubscriptionID)' | |
| The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli | |
| { | |
| "appId": "3a08aff0-9708-455b-855c-1747fcf7434d", | |
| "displayName": "Terraform-User-March-2021", | |
| "name": "http://Terraform-User-March-2021", | |
| "password": "OJ-6-uMZt4a1v~ZjLl3EdzogUnkzn9GZga", | |
| "tenant": "$(SubscriptionTenantID)" | |
| } |
With these values in hand, it was now time to head over to Terraform and provide those credentials for Terraform to be able to access my Azure subscription.
Step 2: Update terraform configuration files
I followed the instructions here to create the Azure provider usage and authentication.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Configure the Azure provider | |
| terraform { | |
| required_providers { | |
| azurerm = { | |
| source = "hashicorp/azurerm" | |
| version = "2.34.0" | |
| } | |
| } | |
| } | |
| provider "azurerm" { | |
| version = "2.34.0" | |
| subscription_id = var.subscription_id | |
| client_id = var.client_id | |
| client_secret = var.client_secret | |
| tenant_id = var.tenant_id | |
| features {} | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_resource_group" "t_rg" { | |
| name = "Terraform-RG" | |
| location = "westus2" | |
| tags = { | |
| Environment = "Dev" | |
| } | |
| } |
The documentation was precise on what values were required. I also know that these are secured credentials and that they need to be managed carefully. I came across an approach to declare variables in a variables.tf file and place actual values in a .tfvar
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "subscription_id" { | |
| description = "The subscription ID to be used to connect to Azure" | |
| type = string | |
| } | |
| variable "client_id" { | |
| description = "The client ID to be used to connect to Azure" | |
| type = string | |
| } | |
| variable "client_secret" { | |
| description = "The client secret to be used to connect to Azure" | |
| type = string | |
| } | |
| variable "tenant_id" { | |
| description = "The tenant ID to be used to connect to Azure" | |
| type = string | |
| } |
Step 3: Execute terraform trio commands (init -> plan -> apply)
At the end of terraform apply I was able to verify that a resource group was created under my subscription on the Azure portal.
Conclusion:The purpose of this note was to authenticate Terraform, and we saw that with the creation of a resource group in Azure.
Other ideas to explore:Is this the best method to be able to authenticate Terraform? How to authenticate Terraform to AWS using an IAM user?
My Devops Journal 
One thought on “Authenticating Terraform to Azure using Service Principal”