Terraform Overview and Using It to Provision Azure IaaS Infrastructure:
Terraform is an infrastructure-as-code / orchestration tool: the same code (together with the state file it records) that creates the infrastructure is also used to change and destroy it. Terraform uses a client-only architecture (there is no server component; the CLI talks directly to the provider APIs). Terraform supports immutable infrastructure (a resource whose definition changes in a way the provider cannot update in place is replaced rather than edited).
Terraform Work Flow
1) init phase
$ terraform init
It downloads the provider plugins (here the azurerm provider, which wraps the Azure APIs) into the .terraform directory of the working directory and records the chosen provider versions in .terraform.lock.hcl.
2) execution phase
$ terraform validate
$ terraform plan
$ terraform apply
3) destroy phase
$ terraform destroy
Connecting to Azure Cloud with the Terraform client
Methods to authenticate Terraform to Azure:
- az login method (interactive; Terraform reuses the Azure CLI's token cache under ~/.azure, so it is tied to a human user's session and is not suited to automation or CI)
- Authenticate with a service principal (an identity in Azure AD, now renamed Microsoft Entra ID)
https://learn.microsoft.com/en-us/azure/developer/terraform/authenticate-to-azure-with-service-principle?tabs=bash
Where to put the service principal's keys:
(1) OS level: export them as environment variables and persist them in the shell profile file .bashrc in the user's home/login directory
(2) hardcode the keys in the .tf config file (works, but the client secret then lives in the source tree and will end up in version control; avoid this outside throwaway experiments)
Example: in VS Code create main.tf
Terraform settings block
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "= 3.0.0" # optional, but pinning the provider version is recommended in production
    }
  }
}
provider "azurerm" {
  features {}
}
Create resource group
resource "azurerm_resource_group" "my_demo_rg1" {
  location = "east us"
  name     = "my-demo-rg1"
}
( save the file )
$ terraform init
$ terraform validate
$ terraform fmt
$ terraform plan
$ terraform apply --auto-approve
( go back to the portal and check under Resource groups; after refreshing the screen the resource group is there )
destroy
$ terraform destroy --auto-approve
( go back to the portal and check under Resource groups; after refreshing the screen the resource group is gone )
Authenticate via service principal
https://learn.microsoft.com/en-us/azure/developer/terraform/authenticate-to-azure-with-service-principle?tabs=bash
Set up the service principal authentication
$ az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>
( this fails until the Azure CLI itself is logged in, so run az login first; Contributor on the whole subscription is broad, so scope it to a resource group where that is enough )
restore the VS Code window
$ az login
( if this shows an error, clear the cached accounts and disable the Windows broker (WAM) login, then log in again )
$ az account clear
$ az config set core.enable_broker_on_windows=false
$ az login
$ az account show
( it shows the subscription id )
$ export MSYS_NO_PATHCONV=1
( Git Bash on Windows rewrites arguments that start with / into Windows paths, which mangles the scope /subscriptions/...; MSYS_NO_PATHCONV=1 turns that conversion off )
$ az ad sp create-for-rbac --name bofa-tf --role Contributor --scopes /subscriptions/<subs id>
( if it still shows an error, escape the scope with // )
$ az ad sp create-for-rbac --name bofa-tf --role Contributor --scopes //subscriptions//<subs id>
( it prints the appId, password and tenant; the password is the client secret and is shown only this once, so copy it somewhere safe such as a password manager or secret store rather than leaving it in a plain notepad file )
(1) OS level: add them as environment variables (and later persist them in .bashrc under the user's home/login directory)
Check whether any are already set at OS level:
$ env | grep -i arm
( the variable names are the ones the azurerm provider reads; they are listed on the page linked above )
export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"
$ env | grep -i arm
copy the output and keep it for the .bashrc step later (it contains the client secret, so do not leave it in a world-readable file)
Log out and delete the .azure directory, so Terraform can no longer fall back to the CLI login and has to use the service principal:
$ az logout
$ rm -rf ~/.azure
run the code
$ terraform plan
( it works: Terraform authenticated with the service principal from the ARM_* variables )
$ terraform apply --auto-approve
( check the dashboard )
destroy
$ terraform destroy --auto-approve
$ exit
Open a new shell and change to the directory again
$ env | grep -i arm
( there are no variables: export only sets them for the current shell session )
$ terraform apply --auto-approve
( it fails, because the provider now has no credentials )
Solution: add them to the .bashrc file under the home/login directory
/c/Users/Administrator
Open .bashrc from VS Code, paste the env output, and add the export keyword before each ARM line
( the secret is now in plaintext in .bashrc; keep the file readable only by your user and never commit it to a dotfiles repository )
^S save the file
$ exit
load the shell again
$ env | grep -i arm
$ cd rescoure-group
$ terraform plan
( it works )
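The pre-flight check, secret masking and the export-line conversion from the .bashrc step above, as an added shell example that is not part of the original notes. It also serves the earlier point about where to keep the service principal's keys: the secret goes into a separate mode-600 file that .bashrc sources, rather than into .bashrc or main.tf directly. The four ARM_* names are the ones the azurerm provider actually reads; the function names (check_arm_env, mask_secret, to_export_lines, write_env_file), the azure-sp.env file path and the sample values are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not from the original notes: a pre-flight check for the four
# ARM_* variables the azurerm provider reads for client-secret authentication,
# a masking helper for showing them safely, and a converter that turns the raw
# `env | grep -i arm` output into export lines for a mode-600 file that .bashrc
# can source. Function names, the file path and the sample values are
# assumptions made for this demo; only the ARM_* variable names are the real ones.

# The provider reads exactly these names from the environment.
ARM_REQUIRED="ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID ARM_CLIENT_SECRET"

# check_arm_env: return 0 when all four variables are set and non-empty,
# otherwise list the missing names on stderr and return 1. Run it before
# `terraform plan` so a missing variable fails here instead of inside the provider.
check_arm_env() {
  arm_missing=""
  for arm_name in $ARM_REQUIRED; do
    # eval does the indirect lookup portably; ${VAR:-} keeps an unset var from erroring
    eval "arm_val=\${$arm_name:-}"
    [ -n "$arm_val" ] || arm_missing="$arm_missing $arm_name"
  done
  if [ -n "$arm_missing" ]; then
    echo "missing:$arm_missing" >&2
    return 1
  fi
  return 0
}

# mask_secret: replace all but the last four characters with '*', so a value can
# be echoed in a log or on a screen share without leaking the whole client secret.
mask_secret() {
  mask_len=${#1}
  if [ "$mask_len" -le 4 ]; then
    printf '****\n'
  else
    mask_stars=$(printf '%s' "$1" | cut -c1-$((mask_len - 4)) | tr -c '\n' '*')
    printf '%s%s\n' "$mask_stars" "$(printf '%s' "$1" | tail -c 4)"
  fi
}

# to_export_lines: read NAME=value lines (what `env | grep -i arm` prints) on
# stdin and emit `export NAME='value'` lines, ignoring anything that is not ARM_*.
# Single quotes keep shell metacharacters in the secret from being expanded.
to_export_lines() {
  while IFS= read -r arm_line; do
    case $arm_line in
      ARM_*=*)
        printf "export %s='%s'\n" "${arm_line%%=*}" "${arm_line#*=}"
        ;;
    esac
  done
}

# write_env_file: write the export lines to a file only the owner can read.
# Sourcing this file from .bashrc keeps the secret out of .bashrc itself; it is
# still plaintext on disk, so prefer a secret store for anything beyond a lab.
write_env_file() {
  ( umask 077; to_export_lines > "$1" ) && chmod 600 "$1"
}

# Demo with constructed values (not real credentials): sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  export ARM_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000
  export ARM_TENANT_ID=11111111-1111-1111-1111-111111111111
  export ARM_CLIENT_ID=22222222-2222-2222-2222-222222222222
  export ARM_CLIENT_SECRET='demo~secret.value'
  check_arm_env && echo "ARM_CLIENT_SECRET=$(mask_secret "$ARM_CLIENT_SECRET")"
  env | grep -i '^arm_' | write_env_file ./azure-sp.env.demo
  cat ./azure-sp.env.demo
fi
```

Usage: generate the file once with `env | grep -i arm | write_env_file ~/azure-sp.env` (path assumed), add `. ~/azure-sp.env` to .bashrc instead of the raw export lines, and call `check_arm_env` before `terraform plan` in any wrapper script. Only POSIX sh features are used, so the same functions work in Git Bash on Windows.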