c
c
cookbook.geuer-pollmann.de
Search…
⌃K

terraform

Azure loves Terraform

ARM and terraform - Side by Side

Terraform
JSON w/ comments
HCL
Variables
Variables
Local variables
Resources
Resources
Functions
Functions
Modules
Explicit
Automatic
Refer by reference or resourceId
Refer by resource or data source

Providers

  • Azure (i.e. Azure Resource Manager)
  • the 'old' Azure Service Management (ASM) provider
  • Azure Active Directory (AAD)
  • Azure Stack (on-premises)

Authentication

https://www.terraform.io/docs/providers/azurerm/index.html#authenticating-to-azure
  • AZ CLI - if environment has az CLI installed, re-use existing session
  • Azure Managed Identity (on Azure compute resource)
  • Azure Service Principals (with client secrets or X.509 certs)

The "azurerm" Provider (Azure Resource Manager)

  • https://www.terraform.io/docs/providers/azurerm/
  • http://aka.ms/terraform
provider "azurerm" {
version = "~> 1.40"
alias = "networking"
subscription_id = var.subscription_id
client_id = var.client_id
client_secret = var.client_secret
}

The "azure_ad" Provider (Azure Resource Manager)

https://www.terraform.io/docs/providers/azuread/index.html
provider "azure_rm" {
version = "~> 0.7"
subscription_id = var.subscription_id
client_id = var.client_id
client_secret = var.client_secret
}

Azure-specific environment variables

  • ARM_ENVIRONMENT - public, usgovernment, german, china
  • ARM_SUBSCRIPTION_ID - Azure subscription ID
  • ARM_TENANT_ID - Azure AD tenant ID for service principal
  • ARM_USE_MSI - Use Managed Service Identity
  • ARM_CLIENT_ID - Service principal ID
  • ARM_CLIENT_SECRET - Service principal secret

Remote state: the "azurerm" backend

Stores state in a blob, in a container, in an Azure storage account.
terraform {
backend "azurerm" {
resource_group_name = "longterm"
storage_account_name = "chgeuer"
container_name = "terraformstate"
key = "demo2.tfstate"
}
}

Authenticating to remote state backend

  • Inherit authN info from outer environment, such as az CLI or service principal
  • use_msi: Managed identity within Azure Compute
  • access_key: The storage account's access key
  • sas_token: A 'shared access signature' token
terraform init –backend-config="sas_token=gh67il=="`
Alternatively, Azure CosmosDB provides an etcd protocol head.

Data Sources

Many data sources, including

Azure Modules in the Terraform Registry

http://aka.ms/tfmodules
Screenshot from aka.ms/tfmodules

ARM / Terraform Interoperability

"azurerm_template_deployment": use ARM templates within Terraform

Example: https://github.com/chgeuer/azure-snippets/blob/master/logic-app-reading-xml/terraform/modules/logicapp/main.tf
resource "azurerm_template_deployment" "logicapp" {
name = "deployment-${formatdate("YYYY-MM-DD--hh-mm-ss", timestamp())}"
resource_group_name = var.resource_group_name
deployment_mode = "Incremental"
template_body = file(local.arm_template_file)
parameters = {
"logicAppName" = var.logic_app_name
"logicAppDefinition" = var.logic_app_definition
}
}

Terraform Resource Provider (RP) in Azure ARM

  • Private preview supporting three providers: Kubernetes, Cloudflare and Datadog
  • https://azure.microsoft.com/en-us/blog/introducing-the-azure-terraform-resource-provider/

Available environments

Screenshot from the Terraform VM marketplace image

Learning resources for terraform on Azure

Azure - Previous
Azure CLI
Next - Azure
Azure Logic Apps
Last modified 11mo ago