Authenticating Terraform to Azure using Service Principal

Continuing on my journey to learn Terraform, I wanted to explore how to authenticate Terraform to Azure. Terraform, as we know, is an infrastructure automation tool, and this authentication step is what allows it to create and manage resources on the Azure cloud platform. I came across two insightful articles on Azure service principals that helped me understand the how's and what's of a service principal. Here are the links to those: Ned Bellavance's Demystifying Azure AD Service Principals and the Microsoft Docs.

Following the instructions there, I identified three steps to the objective.

Step 1: Create a Service Principal
Here is the service principal provisioning command I ran from the Azure portal command prompt:

# az ad sp create-for-rbac --name "$(Service-Principal-Name)" --role "Contributor" --scope "/subscriptions/$(SubscriptionNumber)"
az ad sp create-for-rbac --name "Terraform-User-March-2021" --role "Contributor" --scope "/subscriptions/$(SubscriptionID)"
# I am replacing the tenant and subscription values with variables for security reasons
# Output from the command-line console:
Changing "Terraform-User-March-2021" to a valid URI of "http://Terraform-User-March-2021", which is the required format used for service principal names
Creating 'Contributor' role assignment under scope '/subscriptions/$(SubscriptionID)'
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
{
  "appId": "3a08aff0-9708-455b-855c-1747fcf7434d",
  "displayName": "Terraform-User-March-2021",
  "name": "http://Terraform-User-March-2021",
  "password": "OJ-6-uMZt4a1v~ZjLl3EdzogUnkzn9GZga",
  "tenant": "$(SubscriptionTenantID)"
}

With these values in hand, it was now time to head over to Terraform and provide those credentials so that Terraform could access my Azure subscription.

Step 2: Update the Terraform configuration files
I followed the instructions here to set up the Azure provider and its authentication.

provider.tf:

# Configure the Azure provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.34.0"
    }
  }
}

provider "azurerm" {
  # The version constraint lives in required_providers above; a version
  # argument inside the provider block is deprecated and only duplicates it.
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  features {}
}

# A resource group is the simplest resource to create, which makes it a good
# check that the provider can authenticate.
resource "azurerm_resource_group" "t_rg" {
  name     = "Terraform-RG"
  location = "westus2"
  tags = {
    Environment = "Dev"
  }
}

The documentation was precise about which values were required. I also know that these are sensitive credentials and that they need to be managed carefully. I came across an approach of declaring the variables in a variables.tf file and placing the actual values in a .tfvars file.

variables.tf:

variable "subscription_id" {
  description = "The subscription ID to be used to connect to Azure"
  type        = string
}

variable "client_id" {
  description = "The client ID to be used to connect to Azure"
  type        = string
}

variable "client_secret" {
  description = "The client secret to be used to connect to Azure"
  type        = string
  # Terraform 0.14+: keeps the secret out of plan/apply output
  sensitive   = true
}

variable "tenant_id" {
  description = "The tenant ID to be used to connect to Azure"
  type        = string
}

Step 3: Execute the Terraform trio of commands (init -> plan -> apply)
At the end of terraform apply I was able to verify on the Azure portal that a resource group had been created under my subscription.
(Screenshot: terraform-azure-rg, the new resource group as shown in the Azure portal)
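As an added example (my own script, not code from the original post, HashiCorp or Microsoft): a POSIX shell script that takes the JSON printed by the Step 1 command, maps the az field names onto the variable names declared in variables.tf (appId becomes client_id, password becomes client_secret, tenant becomes tenant_id), writes them into a terraform.tfvars file that only the current user can read, and adds *.tfvars to .gitignore so the secret never reaches source control. The az output embedded in the script is constructed with placeholder values, and nothing in it contacts Azure; the Step 3 trio is wrapped in a function that is never called automatically.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Maps `az ad sp create-for-rbac` output onto the Terraform variables from
# variables.tf and writes a user-only terraform.tfvars file.
set -eu

# CONSTRUCTED sample of what `az ad sp create-for-rbac` prints; the GUIDs and
# the password are placeholders, not real credentials.
SAMPLE_AZ_OUTPUT='{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "Terraform-User-March-2021",
  "name": "http://Terraform-User-March-2021",
  "password": "PLACEHOLDER-CLIENT-SECRET",
  "tenant": "00000000-0000-0000-0000-000000000002"
}'

# Extract one string field ($1) from the flat, one-level JSON object az prints
# (JSON on stdin). Deliberately not a general JSON parser.
json_field() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# write_tfvars JSON_TEXT OUTPUT_PATH SUBSCRIPTION_ID
# az names differ from the Terraform variable names:
#   appId -> client_id, password -> client_secret, tenant -> tenant_id
write_tfvars() {
  json="$1"; out="$2"; subscription="$3"
  client_id=$(printf '%s\n' "$json" | json_field appId)
  client_secret=$(printf '%s\n' "$json" | json_field password)
  tenant_id=$(printf '%s\n' "$json" | json_field tenant)
  [ -n "$client_id" ] && [ -n "$client_secret" ] && [ -n "$tenant_id" ] || {
    echo "write_tfvars: az output is missing appId, password or tenant" >&2
    return 1
  }
  # Create the file with mode 0600 before any secret is written into it.
  (umask 077 && : > "$out")
  cat > "$out" <<EOF
subscription_id = "$subscription"
client_id       = "$client_id"
client_secret   = "$client_secret"
tenant_id       = "$tenant_id"
EOF
}

# Append *.tfvars to the .gitignore in directory $1 unless it is already there.
ensure_tfvars_ignored() {
  dir="$1"
  grep -qx '\*\.tfvars' "$dir/.gitignore" 2>/dev/null \
    || printf '*.tfvars\n' >> "$dir/.gitignore"
}

# Read the value of variable $1 back out of tfvars file $2 (used for checks).
tfvars_value() {
  sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# The Step 3 trio, run inside directory $1. Never invoked by this script on
# its own; call it yourself once terraform.tfvars is in place.
run_terraform_trio() {
  ( cd "$1" && terraform init && terraform plan -out=tfplan && terraform apply tfplan )
}

# Stand-alone demonstration in a scratch directory (no Azure calls).
demo() {
  work=$(mktemp -d)
  write_tfvars "$SAMPLE_AZ_OUTPUT" "$work/terraform.tfvars" \
    "00000000-0000-0000-0000-000000000003"   # placeholder subscription id
  ensure_tfvars_ignored "$work"
  ls -l "$work/terraform.tfvars"   # expect -rw------- (owner-only)
  cat "$work/.gitignore"
  rm -rf "$work"
}

demo
```

The point of writing the file with umask 077 before the heredoc runs is that the secret is never present, even briefly, in a world-readable file; the .gitignore step closes the other common leak, which is the one the az warning in Step 1 is about.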
Conclusion: The purpose of this note was to authenticate Terraform to Azure, and we saw that work with the creation of a resource group in Azure.
Other ideas to explore: Is this the best method for authenticating Terraform? How do you authenticate Terraform to AWS using an IAM user?
