Terraform supports authenticating to Azure Stack using the Azure CLI or a Service Principal, either using a Client Secret (which is detailed in this guide) or using a Client Certificate.
A Service Principal is an application within Azure Active Directory whose authentication tokens can be used as the client_id, client_secret, and tenant_id fields needed by Terraform (subscription_id can be independently recovered from your Azure account details).
There are two tasks needed to create a Service Principal via the Azure Portal:
Firstly, navigate to the Azure Active Directory overview within the Azure Portal - then select the App Registration blade and click Endpoints at the top of the App Registration blade. A list of URIs will be displayed and you need to locate the URI for OAUTH 2.0 AUTHORIZATION ENDPOINT which contains a GUID. This is your Tenant ID / the tenant_id field mentioned above.
Next, navigate back to the App Registration blade - from here we'll create the Application in Azure Active Directory. To do this click Add at the top to add a new Application within Azure Active Directory. On this page, set the following values then press Create:
Finally, we need to create a Password for the Azure Active Directory Application - to do this select Settings and then Keys. This screen displays the Passwords (Client Secrets) and Public Keys (Client Certificates) which are associated with this Azure Active Directory Application.
Enter a description for the Key and select when this password should expire - and then press Save. At this point the Password should be displayed - you'll need to copy it now, since it's only displayed once. This is the client_secret.
Once the Application exists in Azure Active Directory - we can grant it permissions to modify resources in the Subscription. To do this, navigate to the Subscriptions blade within the Azure Portal, then select the Subscription you wish to use, then click Access Control (IAM), and finally Add.
Firstly, specify a Role which grants the appropriate permissions needed for the Service Principal (for example, Contributor will grant Read/Write on all resources in the Subscription). There's more information about the built-in roles available here.
Secondly, search for and select the name of the Application created in Azure Active Directory to assign it this role - then press Save.
Now that we've obtained the credentials for this Service Principal, it's possible to configure it in a few different ways.
When storing the credentials as Environment Variables, for example:
$ export ARM_METADATA_HOST="my.stack.instance.ca"
$ export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_CLIENT_SECRET="00000000-0000-0000-0000-000000000000"
$ export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
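Because the Provider only reads these variables at plan/apply time, a typo or an unset ARM_CLIENT_SECRET surfaces as an authentication error late in the run. The following pre-flight check is an added example, not part of the Provider documentation: it confirms that each ARM_* variable from the list above is set, that the three identifiers look like GUIDs, and it never prints the value of the secret. The function and variable names (check_arm_env, is_guid) and the sample values in the comments are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Provider docs): verify the ARM_* environment
# variables Terraform will use, without ever echoing ARM_CLIENT_SECRET.

# is_guid: returns 0 when the argument matches the 8-4-4-4-12 hex GUID shape.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# check_arm_env: prints one line per problem found and returns the number of
# problems, so a return code of 0 means the environment is ready for terraform.
check_arm_env() {
  problems=0
  # The three identifiers taken from the Portal are GUIDs; validate their shape.
  for name in ARM_CLIENT_ID ARM_SUBSCRIPTION_ID ARM_TENANT_ID; do
    eval "value=\${$name}"   # fixed variable names only, so eval is safe here
    if [ -z "$value" ]; then
      echo "missing: $name"
      problems=$((problems + 1))
    elif ! is_guid "$value"; then
      echo "malformed (expected GUID): $name"
      problems=$((problems + 1))
    fi
  done
  # The secret is only checked for presence; its value is never printed.
  if [ -z "$ARM_CLIENT_SECRET" ]; then
    echo "missing: ARM_CLIENT_SECRET"
    problems=$((problems + 1))
  fi
  if [ -z "$ARM_METADATA_HOST" ]; then
    echo "missing: ARM_METADATA_HOST"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage (assumed invocation): run the check before terraform, e.g.
#   check_arm_env && terraform plan
```

Running `check_arm_env && terraform plan` fails fast with a readable reason instead of an opaque provider error, and keeps the client secret out of shell history and logs.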
The following Provider block can be specified - where 0.5.0 is the version of the Azure Stack Provider that you'd like to use:
provider "azurestack" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version = "=1.0.0"
}
More information on the fields supported in the Provider block can be found here.
It's also possible to configure these values either in-line or by using variables in Terraform (as the client_secret is in this example), like so:
variable "client_secret" {}

provider "azurestack" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version = "=1.0.0"

  metadata_host   = "https://management.region.myazurestack.com"
  subscription_id = "00000000-0000-0000-0000-000000000000"
  client_id       = "00000000-0000-0000-0000-000000000000"
  client_secret   = "${var.client_secret}"
  tenant_id       = "00000000-0000-0000-0000-000000000000"
}