This repository contains Terraform code for infrastructure deployment on Azure Public Cloud.
The following prerequisites must be fulfilled to execute the code successfully.
Resources in this repository are meant for use with Terraform 1.0.0 (check your version by running terraform version). If you don't have a compatible version, download it from the official Terraform repository. See the Installation-Guide on how to install Terraform.
- Terraform >= 1.0.0
- terraform-provider-azurerm plugin = 2.46.0
- terraform-provider-random plugin = 3.0.0
In order to execute these templates you must have:
- An App registered on Azure Active Directory
- App ID is given "Owner" role on the subscription(s) where you want to deploy the resources
- For azurerm backend authentication, you can choose any supported authentication method, such as a storage account access key or managed service identity. See the official Terraform documentation listed in the references section below.
Note:
- Terraform recommends using either a Service Principal or Managed Service Identity when running Terraform non-interactively (such as on a CI server), and authenticating with the Azure CLI when running Terraform locally.
- Make sure not to put sensitive information (App ID, App Secret, Subscription ID, Tenant ID and the backend storage account access key) in your Terraform code. Instead, store it in environment variables, or in secret variables of your CI/CD system if using pipelines, and then pass:
  - the backend authentication credential using the "-backend-config" argument when executing terraform init;
  - the Azure authentication credential using "-var" flags when executing terraform plan, apply or destroy.
- A storage account must pre-exist to store the state files if using a remote backend. It is typically recommended to use some kind of remote backend (generally a storage account when deploying resources on Azure) to ensure the safety of the state file(s) and enable collaboration between peers on the project.
- Access can be made more fine-grained to follow the Principle of Least Privilege (PoLP). Typically, however, the AD App used for infrastructure provisioning with Terraform has privileged access in order to successfully deploy all the resources.
- To deploy resources to different subscriptions with different credentials, you can use the alias attribute on the provider block in Terraform to configure multiple azurerm providers for different Azure Subscriptions and/or different Azure Service Principal credentials (client id / secret).
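The layout the notes above describe, as an added example that is not the repository's own code: a partial azurerm backend whose credentials arrive via -backend-config, sensitive variables for the Service Principal supplied with -var, and two aliased azurerm providers targeting different subscriptions. The variable names, subscription variables, resource group name and location are this example's own choices.

```hcl
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "2.46.0" }
  }
  # Partial configuration: storage account, container, key and access_key
  # are supplied at init time, e.g. terraform init -backend-config="access_key=$ARM_ACCESS_KEY"
  backend "azurerm" {}
}
# Service principal credentials come in via -var or TF_VAR_* at plan/apply
# time; sensitive = true keeps them out of plan output.
variable "tenant_id" {
  type      = string
  sensitive = true
}
variable "client_id" {
  type      = string
  sensitive = true
}
variable "client_secret" {
  type      = string
  sensitive = true
}
# Hypothetical subscription ids for two deployment targets.
variable "hub_subscription_id"   { type = string }
variable "spoke_subscription_id" { type = string }
provider "azurerm" {
  features {}
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  subscription_id = var.hub_subscription_id
}

provider "azurerm" {
  alias           = "spoke"
  features {}
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  subscription_id = var.spoke_subscription_id
}

# Resources pick the aliased provider explicitly; unqualified ones use the default.
resource "azurerm_resource_group" "spoke" {
  provider = azurerm.spoke
  name     = "rg-spoke-example"
  location = "westeurope"
}
```

With this layout, the only values that ever reach the repository are the backend block name and variable declarations; the access key and Service Principal secret exist only in the init and plan/apply command lines or their environment.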
To execute the Terraform code, go to the command prompt and run the following commands:
- [Required] terraform init
- [Optional] terraform validate
- [Optional] terraform fmt
- [Optional] terraform plan
- [Required] terraform apply -auto-approve
Note: See the Terraform-Guide for a quick overview of Terraform.
References:
- https://medium.com/@gmusumeci/getting-started-with-terraform-and-microsoft-azure-a2fcb690eb67
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
- https://developer.hashicorp.com/terraform/language/settings/backends/azurerm
- https://marileeturscak.medium.com/the-difference-between-app-registrations-enterprise-applications-and-service-principals-in-azure-4f70b9a80fe5