terraform

ARM and terraform - Side by Side

Providers

  • Azure (i.e. Azure Resource Manager)

  • the 'old' Azure Service Management (ASM) provider

  • Azure Active Directory (AAD)

  • Azure Stack (on-premises)

Authentication

https://www.terraform.io/docs/providers/azurerm/index.html#authenticating-to-azure

  • az CLI - if the az CLI is installed and logged in, Terraform re-uses that session (convenient interactively, not for CI)

  • Azure Managed Identity (on Azure compute resource)

  • Azure Service Principals (with client secrets or X.509 certs)

The "azurerm" Provider (Azure Resource Manager)

  • https://www.terraform.io/docs/providers/azurerm/

  • http://aka.ms/terraform

provider "azurerm" {
  version         = "~> 1.40"
  alias           = "networking"        # referenced from resources as provider = azurerm.networking
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret   # prefer leaving this unset and supplying ARM_CLIENT_SECRET via the environment
}

The "azuread" Provider (Azure Active Directory)

https://www.terraform.io/docs/providers/azuread/index.html

provider "azuread" {
  version         = "~> 0.7"
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret   # same caveat as above: ARM_CLIENT_SECRET in the environment keeps it out of .tfvars
}

Azure-specific environment variables

  • ARM_ENVIRONMENT - public, usgovernment, german, china

  • ARM_SUBSCRIPTION_ID - Azure subscription ID

  • ARM_TENANT_ID - Azure AD tenant ID for service principal

  • ARM_USE_MSI - Use Managed Service Identity

  • ARM_CLIENT_ID - Service principal ID

  • ARM_CLIENT_SECRET - Service principal secret

  • ARM_CLIENT_CERTIFICATE_PATH / ARM_CLIENT_CERTIFICATE_PASSWORD - Service principal X.509 certificate (PFX) used instead of a secret
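The authentication options and the ARM_* variables above fit together in one bootstrap script. The following is an added example, not part of the original slides: it creates a service principal whose role assignment is scoped to a single resource group rather than the whole subscription, converts the JSON that `az ad sp create-for-rbac` prints into the environment variables the azurerm and azuread providers read, and never writes the client secret into a .tf or .tfvars file. The resource-group name, the principal name and the sample JSON in the test are placeholders/constructed; the az commands only run when RUN_AZ=1 is set.

```shell
#!/bin/sh
# Added example (not from the original slides): least-privilege service principal
# plus ARM_* environment variables for Terraform. Assumes a logged-in az CLI when
# RUN_AZ=1; RG and the principal name are placeholders.

# Pull one top-level string field ("name": "value") out of az's JSON output.
# Assumes az's default pretty-printed layout with one field per line.
json_field() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Single-quote a value for eval, escaping embedded single quotes.
shq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read `az ad sp create-for-rbac -o json` output on stdin and print export
# lines for the variables the azurerm/azuread providers consume.
# Fails (exit 1) if any of the three fields is missing.
sp_json_to_arm_env() {
  json=$(cat)
  app_id=$(printf '%s\n' "$json" | json_field appId)
  secret=$(printf '%s\n' "$json" | json_field password)
  tenant=$(printf '%s\n' "$json" | json_field tenant)
  [ -n "$app_id" ] && [ -n "$secret" ] && [ -n "$tenant" ] || return 1
  printf 'export ARM_CLIENT_ID=%s\n'     "$(shq "$app_id")"
  printf 'export ARM_CLIENT_SECRET=%s\n' "$(shq "$secret")"
  printf 'export ARM_TENANT_ID=%s\n'     "$(shq "$tenant")"
}

if [ "${RUN_AZ:-0}" = 1 ]; then
  RG="${RG:-longterm}"                      # placeholder resource group
  SUBSCRIPTION_ID=$(az account show --query id -o tsv)
  # Contributor on ONE resource group, not on the subscription.
  SP_JSON=$(az ad sp create-for-rbac --name "tf-$RG" --role Contributor \
    --scopes "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG" -o json)
  eval "$(printf '%s\n' "$SP_JSON" | sp_json_to_arm_env)"
  export ARM_SUBSCRIPTION_ID="$SUBSCRIPTION_ID"
  unset SP_JSON                             # secret now lives only in the environment
  terraform plan
fi
```

The `eval` keeps the secret in the shell's environment for the Terraform run only; nothing is written to disk, and the provider blocks can omit `client_secret` entirely.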

Remote state: the "azurerm" backend

Stores state in a blob, in a container, in an Azure storage account. The state file contains every attribute Terraform knows about, including generated passwords and keys, in plaintext, so the storage account and container need the same access control as the secrets themselves. The backend takes a blob lease on the state file for locking.

terraform {
  backend "azurerm" {
    resource_group_name  = "longterm"
    storage_account_name = "chgeuer"
    container_name       = "terraformstate"
    key                  = "demo2.tfstate"
  }
}

Authenticating to remote state backend

  • Inherit authN info from outer environment, such as az CLI or service principal

  • use_msi: Managed identity within Azure Compute

  • access_key: The storage account's access key

  • sas_token: A 'shared access signature' token

terraform init -backend-config="sas_token=gh67il=="

Passing the token on the command line puts it into shell history; a -backend-config=path-to-file argument pointing at an untracked, mode-0600 file avoids that.

Alternatively, Azure Cosmos DB exposes an etcd-compatible API, which can serve as the target for Terraform's etcd backend.
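For the sas_token option, what a practitioner wants is a token that is short-lived, HTTPS-only and limited to the permissions state access needs, and a check that rejects anything broader before it reaches terraform init. The script below is an added example, not part of the original slides. It mints a container-scoped SAS valid for two hours with read, write and list rights (write also covers the lease used for locking) and validates the token's sp, spr and se fields. The account and container names are the placeholders from the backend block above, the token in the test is constructed, and the az/GNU-date commands only run when RUN_AZ=1 is set.

```shell
#!/bin/sh
# Added example (not from the original slides): mint a short-lived, container-scoped
# SAS for the azurerm backend and sanity-check it before handing it to terraform init.
# Assumes az CLI and GNU date when RUN_AZ=1; ACCOUNT/CONTAINER are placeholders.

ACCOUNT="${ACCOUNT:-chgeuer}"
CONTAINER="${CONTAINER:-terraformstate}"

# Extract one field (sp, se, spr, ...) from a SAS query string "k=v&k=v&...".
sas_field() {
  printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 if the token is acceptable for state access:
#   - no delete permission (d): CI should not be able to remove state blobs
#   - HTTPS only (spr=https)
#   - not expired, compared against $2 (defaults to now, UTC ISO-8601 with seconds)
sas_check() {
  tok=$1
  now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  perms=$(sas_field "$tok" sp)
  proto=$(sas_field "$tok" spr)
  expiry=$(sas_field "$tok" se)
  [ -n "$perms" ] || return 1
  case "$perms" in *d*) return 1 ;; esac
  [ "$proto" = "https" ] || return 1
  [ -n "$expiry" ] || return 1
  # Lexicographic comparison is valid because both are zero-padded ISO-8601 UTC strings.
  first=$(printf '%s\n%s\n' "$now" "$expiry" | sort | head -n 1)
  if [ "$first" = "$now" ] && [ "$now" != "$expiry" ]; then
    return 0
  fi
  return 1
}

# rwl = read, write (create blobs and acquire the lock lease), list; expires in 2 h.
mint_sas() {
  expiry=$(date -u -d '+2 hours' +%Y-%m-%dT%H:%M:%SZ)   # GNU date
  az storage container generate-sas \
    --account-name "$ACCOUNT" --name "$CONTAINER" \
    --permissions rwl --expiry "$expiry" --https-only -o tsv
}

if [ "${RUN_AZ:-0}" = 1 ]; then
  SAS=$(mint_sas)
  sas_check "$SAS" || { echo "refusing SAS: wrong permissions, protocol or expiry" >&2; exit 1; }
  # The token goes to terraform init only; it is never placed in the backend block in .tf files.
  terraform init -backend-config="sas_token=$SAS"
fi
```

Because the check only inspects the query string, it can also be dropped into a CI pipeline to reject a long-lived or over-privileged token someone pasted into a variable.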

Data Sources

Many data sources, including

Azure Modules in the Terraform Registry

http://aka.ms/tfmodules

ARM / Terraform Interoperability

"azurerm_template_deployment": use ARM templates within Terraform

Example: https://github.com/chgeuer/azure-snippets/blob/master/logic-app-reading-xml/terraform/modules/logicapp/main.tf

resource "azurerm_template_deployment" "logicapp" {
  # name forces a new resource; timestamp() yields a different name on every run,
  # so Terraform replaces this resource (and re-runs the ARM deployment) on each apply.
  name                   = "deployment-${formatdate("YYYY-MM-DD--hh-mm-ss", timestamp())}"
  resource_group_name    = var.resource_group_name
  # Incremental leaves resources not in the template alone; Complete would delete them.
  deployment_mode        = "Incremental"
  template_body          = file(local.arm_template_file)   # local defined in the linked module
  parameters = {
    "logicAppName"       = var.logic_app_name
    "logicAppDefinition" = var.logic_app_definition
  }
}

Terraform Resource Provider (RP) in Azure ARM

  • Private preview supporting three providers: Kubernetes, Cloudflare and Datadog

  • https://azure.microsoft.com/en-us/blog/introducing-the-azure-terraform-resource-provider/

Available environments

Learning resources for terraform on Azure
