Authenticate to Microsoft Azure while using Terraform

In one of our previous posts, we discussed what Terraform is and how to install it on a server. Terraform is becoming more popular every day as a way to define resource configuration for applications. One of the providers supported by Terraform is the Azure Provider, which lets you define Azure resource configuration using the APIs offered by Microsoft Azure Resource Manager (AzureRM). Before you can start defining resources, however, you need to authenticate to Azure. In this blog post, we'll look at the methods that can be used to authenticate against Azure.

1. Configuring the Azure CLI

This method is meant for working interactively with Terraform. The Azure CLI (Azure command line interface) is a cross-platform command line tool offered by Microsoft for working with Microsoft Azure and managing Azure resources.

We can log in to Azure with the following command and then follow the instructions shown on the screen:

az login

Login into Azure by using Azure CLI

On successful login, you receive the details of the subscriptions associated with your account in JSON format.

We can then select the subscription we want to work with using the following command:

az account set --subscription="SUBSCRIPTION_ID"

Remember not to add any spaces before or after the = sign in the command above. You can also view the subscription associated with the current context with this command:

az account show

Setting and getting azure subscription in the current context

Once authenticated, you are now free to run Terraform configurations.
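The "which subscription am I in?" check from this section, as an added example that is not part of the original post: a small POSIX shell guard that reads the JSON printed by `az account show`, extracts the subscription id, and refuses to run Terraform unless it matches the subscription you intended to deploy into. The sample JSON and every id in it are constructed placeholders, and the function names (`subscription_id_from_json`, `check_subscription`, `run_terraform_if_expected`) are chosen here, not taken from the Azure CLI or Terraform.

```shell
#!/bin/sh
# Added example (not from the original post): only let Terraform run when the
# Azure CLI context points at the subscription we meant to deploy into.
# Assumes 'az login' has already been done when used for real.

# Extract the top-level "id" field from `az account show` JSON read on stdin.
# sed only (no jq dependency); sufficient for the flat top-level "id" key.
subscription_id_from_json() {
  sed -n 's/.*"id": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Compare the active subscription id ($2) with the expected one ($1).
# Returns 0 on match, 1 on mismatch or when no subscription is active.
check_subscription() {
  expected="$1"
  actual="$2"
  if [ -z "$actual" ]; then
    echo "no active Azure CLI subscription; run 'az login' first" >&2
    return 1
  fi
  if [ "$actual" != "$expected" ]; then
    echo "active subscription $actual is not the expected $expected" >&2
    return 1
  fi
  return 0
}

# Constructed sample of `az account show` output; all ids are placeholders.
SAMPLE_ACCOUNT_JSON='{
  "environmentName": "AzureCloud",
  "id": "00000000-0000-0000-0000-000000000001",
  "isDefault": true,
  "name": "Example Subscription",
  "state": "Enabled",
  "tenantId": "00000000-0000-0000-0000-0000000000aa",
  "user": { "name": "someone@example.com", "type": "user" }
}'

# Real usage (needs az and terraform on PATH): query the live CLI context,
# abort on mismatch, otherwise proceed with the Terraform run.
run_terraform_if_expected() {
  expected="$1"
  actual=$(az account show --output json 2>/dev/null | subscription_id_from_json)
  check_subscription "$expected" "$actual" || return 1
  terraform plan
}

# Offline demo against the constructed sample.
demo_id=$(printf '%s' "$SAMPLE_ACCOUNT_JSON" | subscription_id_from_json)
check_subscription "00000000-0000-0000-0000-000000000001" "$demo_id" \
  && echo "subscription check ok: $demo_id"
```

Run `run_terraform_if_expected "<your subscription id>"` from a wrapper script or Makefile so that a stale `az account set` from an earlier session cannot silently push a configuration into the wrong subscription.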

2. Using Azure Cloud Shell

To use this option, open the Azure portal in the browser and then select Azure Cloud Shell from the top ribbon:

Using the azure cloud shell from azure portal

Doing so automatically gives you an authenticated session. Azure Cloud Shell comes with Terraform pre-installed, so we can run our Terraform configurations directly from within the shell.

3. Authenticate using a Service Principal

This option is recommended when you need to run the scripts on a CI/CD server in an automated way. There are many ways to create a service principal, including the Azure CLI or Azure PowerShell commands; here we'll do it through the Azure Portal, which involves two steps:

a. Create an Application in Azure Active Directory (which acts as a Service Principal)
b. Grant the Application access to manage resources in the Azure Subscription

a. Create an Application in Azure Active Directory (which acts as a Service Principal)

First, navigate to the Azure Active Directory overview within the Azure Portal, then select the App Registration blade and click Endpoints at the top of the App Registration blade. A list of URIs will be displayed; locate the URI for OAUTH 2.0 AUTHORIZATION ENDPOINT, which contains a GUID. This GUID is your Tenant ID, the tenant_id value used in the provider configuration later in this post.

Next, navigate back to the App Registration blade; from here we'll create the Application in Azure Active Directory. Click Add at the top to add a new Application within Azure Active Directory. On this page, set the following values and then press Create:

Name – this is a friendly identifier and can be anything (e.g. "Terraform")
Application Type – this should be set to "Web app / API"
Sign-on URL – this can be anything, providing it's a valid URI (e.g. https://terra.form)

Once that's done, select the Application you just created in the App Registration blade. At the top of this page, the "Application ID" GUID is the client_id you'll need.

Finally, we can create the client_secret by selecting Keys and then generating a new key: enter a description, select how long the client_secret should be valid for, and press Save. This value is only visible while you are on the page, so be sure to copy it now (otherwise you'll need to generate a new key).

b. Grant the Application access to manage resources in the Azure Subscription

Once the Application exists in Azure Active Directory, we can grant it permissions to modify resources in the Subscription. To do this, navigate to the Subscriptions blade within the Azure Portal, select the Subscription you wish to use, click Access Control (IAM), and finally click Add.

First, specify a Role that grants the permissions the Service Principal needs (for example, Contributor grants Read/Write on all resources in the Subscription). There's more information about the built-in roles available here.

Second, search for and select the name of the Application created in Azure Active Directory to assign it this role, then press Save.

After this, the service principal credentials need to be supplied either as environment variables or in the provider block.

For example, consider the following main.tf file:

#------- define main resources here -------------
# Configure the Azure Provider with the service principal credentials
provider "azurerm" {
  client_id       = "${var.service_principal_id}"
  client_secret   = "${var.service_principal_key}"
  subscription_id = "${var.subscription_id}"
  tenant_id       = "${var.tenant_id}"
}

# Create a resource group
resource "azurerm_resource_group" "network" {
  name     = "production"
  location = "West US"
}

Sample main.tf file for defining azure resource configuration

Assume that the required variables have been declared in the variables.tf file.

If we now run terraform apply, we should get output like the one below:

Deploying azure resources using terraform
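The environment-variable route for the service principal credentials, as an added example that is not code from the original post: a POSIX shell preflight for a CI/CD agent that checks the four values the azurerm provider reads from the environment (ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID), never echoes the secret, and then maps them onto the `var.service_principal_id` / `var.service_principal_key` / `var.subscription_id` / `var.tenant_id` names used by the main.tf above through Terraform's TF_VAR_ mechanism. The ARM_* and TF_VAR_* names are the real ones the provider and Terraform consume; the function names and the sample values in the usage note are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to run 'terraform apply'
# on a CI/CD agent unless the service principal credentials are present in the
# environment and have a plausible shape. The secret is never printed.

# Rough GUID shape check (8-4-4-4-12 hex groups). Returns 0 on match.
looks_like_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Validate ARM_CLIENT_ID, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID (must be GUIDs)
# and ARM_CLIENT_SECRET (must be non-empty; only presence is tested).
# Prints one line per problem to stderr; returns the number of problems (0 = ready).
check_arm_env() {
  problems=0
  for name in ARM_CLIENT_ID ARM_SUBSCRIPTION_ID ARM_TENANT_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "$name is not set" >&2
      problems=$((problems + 1))
    elif ! looks_like_guid "$value"; then
      echo "$name does not look like a GUID" >&2
      problems=$((problems + 1))
    fi
  done
  if [ -z "${ARM_CLIENT_SECRET:-}" ]; then
    echo "ARM_CLIENT_SECRET is not set" >&2
    problems=$((problems + 1))
  fi
  return "$problems"
}

# The post's main.tf reads var.service_principal_id etc. Terraform fills any
# variable from a TF_VAR_<name> environment variable, so the ARM_* values can
# feed that configuration without writing the secret into a .tfvars file.
export_tf_vars_from_arm() {
  export TF_VAR_service_principal_id="$ARM_CLIENT_ID"
  export TF_VAR_service_principal_key="$ARM_CLIENT_SECRET"
  export TF_VAR_subscription_id="$ARM_SUBSCRIPTION_ID"
  export TF_VAR_tenant_id="$ARM_TENANT_ID"
}

# CI entry point (assumes terraform is on PATH and the ARM_* variables were
# injected by the pipeline's secret store): preflight, then init and apply
# non-interactively.
run_ci_apply() {
  check_arm_env || { echo "credential preflight failed" >&2; return 1; }
  export_tf_vars_from_arm
  terraform init -input=false && terraform apply -input=false -auto-approve
}
```

In a pipeline, inject the ARM_* values from the CI system's secret store and call `run_ci_apply`; because the secret reaches Terraform only through the environment, neither the main.tf nor any committed variables file ever has to contain it, and a missing or malformed value fails the job before any API call is made.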
