ARM and terraform - Side by Side

Providers

• Azure (i.e. Azure Resource Manager)

• the 'old' Azure Service Management (ASM) provider

• Azure Active Directory (AAD)

• Azure Stack (on-premises)

Authentication

https://www.terraform.io/docs/providers/azurerm/index.html#authenticating-to-azure

• AZ CLI - if environment has az CLI installed, re-use existing session

• Azure Managed Identity (on Azure compute resource)

• Azure Service Principals (with client secrets or X.509 certs)

The "azurerm" Provider (Azure Resource Manager)

• https://www.terraform.io/docs/providers/azurerm/

• http://aka.ms/terraform

provider "azurerm" {
  version         = "~> 1.40"
  alias           = "networking"
  subscription_id = var.subscription_id
  client_id = var.client_id
  client_secret = var.client_secret
}

The "azure_ad" Provider (Azure Resource Manager)

https://www.terraform.io/docs/providers/azuread/index.html

provider "azure_rm" {
  version         = "~> 0.7"
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}

Azure-specific environment variables

• ARM_ENVIRONMENT - public, usgovernment, german, china

• ARM_SUBSCRIPTION_ID - Azure subscription ID

• ARM_TENANT_ID - Azure AD tenant ID for service principal

• ARM_USE_MSI - Use Managed Service Identity

• ARM_CLIENT_ID - Service principal ID

• ARM_CLIENT_SECRET - Service principal secret

Remote state: the "azurerm" backend

Stores state in a blob, in a container, in an Azure storage account.

terraform {
  backend "azurerm" {
    resource_group_name  = "longterm"
    storage_account_name = "chgeuer"
    container_name       = "terraformstate"
    key                  = "demo2.tfstate"
  }
}

Authenticating to remote state backend

• Inherit authN info from outer environment, such as az CLI or service principal

• use_msi: Managed identity within Azure Compute

• access_key: The storage account's access key

• sas_token: A 'shared access signature' token

terraform init –backend-config="sas_token=gh67il=="`

Alternatively, Azure CosmosDB provides an etcd protocol head.

Data Sources

Many data sources, including

• azurerm

  • "azurerm_subscriptions": information about all the Subscriptions currently available

  • "azurerm_subscription": information about an existing Subscription.

  • "azurerm_resource_group"

  • KeyVault, Networking, API Management, Compute, ...

• azuread

  • "azuread_application"

  • "azuread_service_principal"

  • Users, Groups, Roles, ...

Azure Modules in the Terraform Registry

http://aka.ms/tfmodules

ARM / Terraform Interoperability

"azurerm_template_deployment": use ARM templates within Terraform

Example: https://github.com/chgeuer/azure-snippets/blob/master/logic-app-reading-xml/terraform/modules/logicapp/main.tf

resource "azurerm_template_deployment" "logicapp" {
  name                   = "deployment-${formatdate("YYYY-MM-DD--hh-mm-ss", timestamp())}"
  resource_group_name    = var.resource_group_name
  deployment_mode        = "Incremental"
  template_body          = file(local.arm_template_file)
  parameters = {
    "logicAppName"       = var.logic_app_name
    "logicAppDefinition" = var.logic_app_definition
  }
}

Terraform Resource Provider (RP) in Azure ARM

• Private preview supporting three providers: Kubernetes, Cloudflare and Datadog

• https://azure.microsoft.com/en-us/blog/introducing-the-azure-terraform-resource-provider/

Available environments

• TF installed in the Azure Cloud Shell shell.azure.com

• Marketplace VM images w/ terraform and MSI

• VS Code Plugin for terraform

Learning resources for terraform on Azure

• aka.ms/tfhub -- docs.microsoft.com

• Hashicorp Azure learning track

• chrismatteson/hashicorp_azure_training and the slides

• CardinalNow/TerraformWorkshop

• Source Code aka.ms/tfgit

• Using Azure DevOps pipelines to deploy via Terraform