Using Terraform to create Service Endpoints in Azure DevOps

This is the 6th part in the series of blog posts on managing the Azure DevOps using Terraform. You can find the series index here. In the last part, we discussed the build pipeline creation using Terraform, where we covered only build and testing stages. We could have added release stage as well, but before we deploy anything to Azure, AWS, etc, we need to create respective service endpoints in the Azure DevOps project. In this part, we’ll discuss how we can create service endpoints using Terraform. One of the pre-requisites to create service endpoints is to have a service principal ready, which is basically used for authentication.

Create AzureRM Service Endpoint

To create service endpoint for Azure RM, we’ll need to have service principal ready with required access. You can refer steps here for creating service principal. From terraform side, we need to use terraform resource azuredevops_serviceendpoint_azurerm. To use this resource, we need to supply below mandatory properties:

  • project_id – The ID for azure devops project, which will contain the endpoint
  • service_endpoint_name – Name for service endpoint
  • azurerm_spn_tenantid – The tenant id for the service principal
  • azurerm_subscription_id – The subscription id for the target subscription
  • azurerm_subscription_name – The name for the target subscription

We can optionally provide the resource group used for restricted scoping for the service endpoint. It also supports a credential block for supplying service principal id and key, which we’ll refer using the variables and supply those variables when running terraform apply. Below is our code for creating the endpoint:

# partially complete code block below – will not work in isolation
resource "azuredevops_serviceendpoint_azurerm" "endpointazure" {
project_id =
service_endpoint_name = "azurerm_endpoint_test"
description = "Managed by Terraform"
credentials {
serviceprincipalid = var.service_principal_id
serviceprincipalkey = var.service_principal_key
azurerm_spn_tenantid = var.azurerm_spn_tenant_id
azurerm_subscription_id = var.azurerm_subscription_id
azurerm_subscription_name = "pay-as-you-go"

Let’s also add variables in the file:

variable "service_principal_id" {
description = "Service Principal Id"
type = string
variable "service_principal_key" {
description = "Service Principal Password"
type = string
variable "azurerm_spn_tenant_id" {
description = "Tenant ID for the service principal"
type = string
variable "azurerm_subscription_id" {
description = "Subscription ID for the target subscription"
type = string

As you can see above, we have not mentioned the value for the variables as all these are sensitive values. In our case, we’ll be supplying those using TF_VAR_{variable_name} environment variable. In production scenarios, you’ll be creating these variables as part of the build and release pipelines or supply the respective key-values at terraform command line at run time.

Now we can run terraform plan to validate our changes:

At this point, we can also run terraform apply -auto-approve. Once its completes, hop over to Azure DevOps and verify that our endpoint is present:

There are many types of service endpoints available like for Azure Container Registry, Azure Kubernetes Service, GitHub, BitBucket etc. So you can mostly choose what you’ll need depending on your requirements.

One thought on “Using Terraform to create Service Endpoints in Azure DevOps

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s