Authenticating Terraform to Azure using Service Principal

~ sourav kundu

Continuing on my journey to learn Terraform, I wanted to explore the idea of authenticating Terraform to Azure. Terraform, as we know, is an infrastructure automation tool, and this authentication technique allows us to create/manage resources on the Azure cloud platform. I came across two insightful articles on Azure Service Principals that helped me understand the how’s and what’s of the service principal. Here are the links to those –Ned Belavance’s Demystifying Azure AD Service Principals and Microsoft Docs

Following the instructions there, I identified three steps to the objective.

Step 1: Create a Service Principal
Here is code of the service principal provisioning command I ran on Azure portal command prompt:
az ad sp create-for-rbac --name $(app-name) --role "Contributor" --scope "/subscriptions/$(your-subscription-id)" --years $(N)

Output received:

{
"appId": "$(appId)",
"displayName": "$(app-name)",
"name": "http://$(app-name)",
"password": "$(password)",
"tenant": "$(tenant)"
}

With these values in hand, it was now time to head over to Terraform and provide those credentials for Terraform to be able to access my Azure subscription.

Step 2: Update terraform configuration files
I followed the instructions here to create the Azure provider usage and authentication.

# Configure the Azure provider
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "2.34.0"
}
}
}
provider "azurerm" {
version = "2.34.0"
subscription_id = var.subscription_id
client_id = var.client_id
client_secret = var.client_secret
tenant_id = var.tenant_id
features {}
}
view raw provider.tf hosted with ❤ by GitHub
resource "azurerm_resource_group" "t_rg" {
name = "Terraform-RG"
location = "westus2"
tags = {
Environment = "Dev"
}
}
view raw azure_resourcegroup.tf hosted with ❤ by GitHub

The documentation was precise on what values were required. I also know that these are secured credentials and that they need to be managed carefully. I came across an approach to declare variables in a variables.tf file and place actual values in a .tfvars file. This .tfvars file should not be added to the repository (update .gitignore accordingly).

variable "subscription_id" {
description = "The subscription ID to be used to connect to Azure"
type = string
}
variable "client_id" {
description = "The client ID to be used to connect to Azure"
type = string
}
variable "client_secret" {
description = "The client secret to be used to connect to Azure"
type = string
}
variable "tenant_id" {
description = "The tenant ID to be used to connect to Azure"
type = string
}
view raw azure_variable.tf hosted with ❤ by GitHub

Step 3: Execute terraform trio commands (init -> plan -> apply)
At the end of terraform apply I was able to verify that a resource group was created under my subscription on the Azure portal.

Conclusion:
The purpose of this note was to authenticate Terraform, and we saw that with the creation of a resource group in Azure.

Other ideas to explore:
Is this the best method to be able to authenticate Terraform?
How to authenticate Terraform to AWS using an IAM user?

Published by sourav kundu

One thought on “Authenticating Terraform to Azure using Service Principal

  1. Pingback: Authenticating Terraform to AWS using IAM user – My Devops Journal

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s