terraform
ARM and terraform - Side by Side
Terraform
JSON w/ comments
HCL
Variables
Local variables
Resources
Resources
Modules
Explicit
Automatic
Refer by reference or resourceId
Refer by resource or data source
Providers
Azure (i.e. Azure Resource Manager)
the 'old' AzureServiceManagement (ASM) provider
Azure Active Directory (AAD)
Azure Stack (on-premises)
Authentication
https://www.terraform.io/docs/providers/azurerm/index.html#authenticating-to-azure
AZ CLI - if environment has az CLI installed, re-use existing session
Azure Managed Identity (on Azure compute resource)
Azure Service Principals (with client secrets or X.509 certs)
The "azurerm" Provider (Azure Resource Manager)
https://www.terraform.io/docs/providers/azurerm/
http://aka.ms/terraform
provider "azurerm" {
  version         = "~> 1.40"
  alias           = "networking"
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}
The "azuread" Provider (Azure Resource Manager)
https://www.terraform.io/docs/providers/azuread/index.html
# The provider name is "azuread", matching the documentation URL above.
provider "azuread" {
  version         = "~> 0.7"
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}
Azure-specific environment variables
ARM_ENVIRONMENT - public, usgovernment, german, china
ARM_SUBSCRIPTION_ID - Azure subscription ID
ARM_TENANT_ID - Azure AD tenant ID for service principal
ARM_USE_MSI - Use Managed Service Identity
ARM_CLIENT_ID - Service principal ID
ARM_CLIENT_SECRET - Service principal secret
Remote state: the "azurerm" backend
Stores state in a blob, in a container, in an Azure storage account.
terraform {
  backend "azurerm" {
    resource_group_name  = "longterm"
    storage_account_name = "chgeuer"
    container_name       = "terraformstate"
    key                  = "demo2.tfstate"
  }
}
Authenticating to remote state backend
Inherit authN info from outer environment, such as az CLI or service principal
use_msi: Managed identity within Azure Compute
access_key: The storage account's access key
sas_token: A 'shared access signature' token
terraform init -backend-config="sas_token=gh67il=="
Alternatively, Azure CosmosDB provides an etcd protocol head.
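The provider, environment-variable and backend sections above can be combined so that no credential appears in a .tf file or on the command line. The following is an added example, not part of the original page: the backend values are the ones shown above, and the data source and output names ("current", "subscription_name") are chosen for illustration.

```hcl
# main.tf (added example): no secret is written in this file.

terraform {
  backend "azurerm" {
    # Same storage location as the backend block shown on this page.
    resource_group_name  = "longterm"
    storage_account_name = "chgeuer"
    container_name       = "terraformstate"
    key                  = "demo2.tfstate"

    # Deliberately absent: access_key and sas_token.
    # Values written here, or passed with -backend-config, are copied by
    # Terraform into the local .terraform directory and into plan files,
    # and a token given on the command line also lands in shell history.
    # Instead, export ARM_SAS_TOKEN or ARM_ACCESS_KEY in the environment
    # that runs "terraform init", or set use_msi = true when running on
    # Azure compute with a managed identity.
  }
}

provider "azurerm" {
  version = "~> 1.40"

  # No subscription_id, client_id or client_secret arguments.
  # The provider reads ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID
  # and ARM_CLIENT_SECRET from the environment, or falls back to an
  # existing az CLI session or a managed identity (ARM_USE_MSI).
}

# Read-only check that authentication worked: look up the subscription
# the provider ended up using, without creating any resource.
data "azurerm_subscription" "current" {}

output "subscription_name" {
  value = data.azurerm_subscription.current.display_name
}
```

With this layout, the identity used for the state blob and the identity used for deployments can be scoped separately, for example a SAS token limited to the state container and a service principal limited to the target resource group.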
Data Sources
Many data sources, including
azurerm
  "azurerm_subscriptions": information about all the Subscriptions currently available
  "azurerm_subscription": information about an existing Subscription.
  KeyVault, Networking, API Management, Compute, ...
azuread
  Users, Groups, Roles, ...
Azure Modules in the Terraform Registry
http://aka.ms/tfmodules

ARM / Terraform Interoperability
"azurerm_template_deployment": use ARM templates within Terraform
Example: https://github.com/chgeuer/azure-snippets/blob/master/logic-app-reading-xml/terraform/modules/logicapp/main.tf
resource "azurerm_template_deployment" "logicapp" {
  name                = "deployment-${formatdate("YYYY-MM-DD--hh-mm-ss", timestamp())}"
  resource_group_name = var.resource_group_name
  deployment_mode     = "Incremental"
  template_body       = file(local.arm_template_file)
  parameters = {
    "logicAppName"       = var.logic_app_name
    "logicAppDefinition" = var.logic_app_definition
  }
}
Terraform Resource Provider (RP) in Azure ARM
Private preview supporting three providers: Kubernetes, Cloudflare and Datadog
https://azure.microsoft.com/en-us/blog/introducing-the-azure-terraform-resource-provider/
Available environments
TF installed in the Azure Cloud Shell shell.azure.com

Learning resources for terraform on Azure