terraform

ARM and terraform - Side by Side

ARM Templates

Terraform

JSON w/ comments

HCL

Parameters

Variables

Local variables

Resources

Functions

Nested templates

Modules

Explicit

Automatic

Refer by reference or resourceId

Refer by resource or data source

Providers

Azure (i.e. Azure Resource Manager)
~~the 'old' Azure~~ ~~Service~~ ~~Management (ASM) provider~~
Azure Active Directory (AAD)
Azure Stack (on-premises)

Authentication

https://www.terraform.io/docs/providers/azurerm/index.html#authenticating-to-azure

AZ CLI - if environment has az CLI installed, re-use existing session
Azure Managed Identity (on Azure compute resource)
Azure Service Principals (with client secrets or X.509 certs)

The `"azurerm"` Provider (Azure Resource Manager)

https://www.terraform.io/docs/providers/azurerm/
http://aka.ms/terraform

provider "azurerm" {
  version         = "~> 1.40"
  alias           = "networking"
  subscription_id = var.subscription_id
  client_id = var.client_id
  client_secret = var.client_secret
}

The `"azure_ad"` Provider (Azure Resource Manager)

https://www.terraform.io/docs/providers/azuread/index.html

provider "azure_rm" {
  version         = "~> 0.7"
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}

Azure-specific environment variables

ARM_ENVIRONMENT - public, usgovernment, german, china
ARM_SUBSCRIPTION_ID - Azure subscription ID
ARM_TENANT_ID - Azure AD tenant ID for service principal
ARM_USE_MSI - Use Managed Service Identity
ARM_CLIENT_ID - Service principal ID
ARM_CLIENT_SECRET - Service principal secret

Remote state: the `"azurerm"` backend

Stores state in a blob, in a container, in an Azure storage account.

terraform {
  backend "azurerm" {
    resource_group_name  = "longterm"
    storage_account_name = "chgeuer"
    container_name       = "terraformstate"
    key                  = "demo2.tfstate"
  }
}

Authenticating to remote state backend

Inherit authN info from outer environment, such as az CLI or service principal
use_msi: Managed identity within Azure Compute
access_key: The storage account's access key
sas_token: A 'shared access signature' token

terraform init –backend-config="sas_token=gh67il=="`

Alternatively, Azure CosmosDB provides an etcd protocol head.

Data Sources

Many data sources, including

azurerm
- "azurerm_subscriptions": information about all the Subscriptions currently available
- "azurerm_subscription": information about an existing Subscription.
- "azurerm_resource_group"
- KeyVault, Networking, API Management, Compute, ...
azuread
- "azuread_application"
- "azuread_service_principal"
- Users, Groups, Roles, ...

Azure Modules in the Terraform Registry

http://aka.ms/tfmodules

ARM / Terraform Interoperability

`"azurerm_template_deployment"`: use ARM templates within Terraform

Example: https://github.com/chgeuer/azure-snippets/blob/master/logic-app-reading-xml/terraform/modules/logicapp/main.tf

resource "azurerm_template_deployment" "logicapp" {
  name                   = "deployment-${formatdate("YYYY-MM-DD--hh-mm-ss", timestamp())}"
  resource_group_name    = var.resource_group_name
  deployment_mode        = "Incremental"
  template_body          = file(local.arm_template_file)
  parameters = {
    "logicAppName"       = var.logic_app_name
    "logicAppDefinition" = var.logic_app_definition
  }
}

Terraform Resource Provider (RP) in Azure ARM

Private preview supporting three providers: Kubernetes, Cloudflare and Datadog
https://azure.microsoft.com/en-us/blog/introducing-the-azure-terraform-resource-provider/

Available environments

TF installed in the Azure Cloud Shell shell.azure.com
Marketplace VM images w/ terraform and MSI
VS Code Plugin for terraform

Learning resources for terraform on Azure

PreviousAzure CLI NextAzure Logic Apps

Last updated 3 years ago