Any Terraform project configuring resources in Azure has pre-requisites. These are (i) a storage account, a container in the storage account, and the access key to the storage account, and (ii) a service principal credential to be able to communicate with Azure to create, update, and delete resources. In this post, I describe the process to set up the Azure cloud resources, using Azure CLI, that are required before referring to them in a Terraform configuration.

Step 1: Install Azure CLI on your local laptop and log in.

Azure CLI docs: The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. The Azure CLI is available across Azure services and is designed to get you working quickly with Azure, with an emphasis on automation. More info at Azure CLI.

Once installed, open the “Windows Azure SDK Environment” command prompt and key in “az login”. That opens up a web browser requesting you to log in, and once done, the command prompt displays the subscription details.

Step 2: Create a storage account and storage container.

Before we create a storage account, we create a resource group to host it. Below are the commands that need to be run to create a resource group, storage account, and storage container.

https://gist.github.com/kunduso/70bb5e869a349d3d6c3a5ff2dbe9589c

Note: Store the access key to the storage account securely. That key is required when configuring the Azure backend to use the Terraform remote state.

Step 3: Create a service principal with required permissions.

There is a single-line command to create a service principal that will be sufficient to provision resources in Azure. Below is the command to do so from the Azure CLI.

https://gist.github.com/kunduso/580b0c13875f1d841f252fe482d5db41

That command attaches a “contributor” role to the service principal, and the output is presented below that. As per the console output, these are credentials that you must protect. These credentials will be used by Terraform (in Terraform plan and destroy steps) to communicate with the Azure cloud to provision resources.

That is all that is required to set up before using Terraform. On the Terraform project side, we refer to these pre-requisites in the “terraform init”, “terraform plan”, and if applicable “terraform destroy” commands. I say “if applicable” because we do not “generally speaking” destroy all the resources; we alter them via the Terraform configuration as the project matures and evolves.

Below is an example of a Terraform backend configuration in Azure.

https://gist.github.com/kunduso/8452cbd4f83f716dfd9f032f86a68473

Below is the “terraform init” command required to set up a remote backend in Azure.

https://gist.github.com/kunduso/be8330bde2925b546540e1cd1d2b45f8

Below is the “terraform plan” command with the secured credentials being passed via the command line.

https://gist.github.com/kunduso/7c71cb963a4804ad9248e8880bf1651e

As an organization continues to use Terraform to automate the environment provisioning process, there is a tendency to reuse resources like the storage account and the service principal. Right at the beginning, every possible attempt should be made to keep the pre-requisites of a Terraform configuration project as isolated as possible.

I am not suggesting that we keep resources isolated just for the sake of doing so. If we are careful, we can manage the reuse of these resources. We can use the same resource group to host all the storage accounts belonging to different Terraform configuration projects. We can even reuse the same storage account to host the state files of various Terraform configuration projects. However, the container inside the storage account must be different for different Terraform configuration projects. The service principal, “generally speaking”, should also be unique per Terraform configuration project. I’ll write a detailed note later on that.
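The script below is an added example, not the code from the gists linked in this post: it walks Steps 2 and 3 for a single project, with a shared resource group and storage account but a per-project container and service principal, as described above. All resource names are constructed placeholders, and it assumes the Terraform configuration declares an empty `backend "azurerm" {}` block. It passes the credentials through the `ARM_*` environment variables that the azurerm backend and provider read, which is a different choice from the command-line arguments used in this post.

```powershell
# Added example. Every name below is a constructed placeholder.
$project   = 'demo-app'                # one Terraform configuration project
$location  = 'eastus'
$rg        = 'rg-terraform-state'      # may be shared across projects
$sa        = 'sttfstatedemo001'        # may be shared; must be globally unique
$container = "tfstate-$project"        # unique per project
$spName    = "sp-terraform-$project"   # unique per project

function Assert-Ok([string]$step) {
    # az and terraform are native commands, so check the exit code explicitly.
    if ($LASTEXITCODE -ne 0) { throw "$step failed (exit code $LASTEXITCODE)" }
}

# Step 2: resource group, storage account, container.
az group create --name $rg --location $location --output none
Assert-Ok 'az group create'
az storage account create --name $sa --resource-group $rg --location $location `
    --sku Standard_LRS --min-tls-version TLS1_2 --allow-blob-public-access false `
    --output none
Assert-Ok 'az storage account create'

# Hold the access key in this session's environment only; it is never echoed.
$env:ARM_ACCESS_KEY = az storage account keys list --resource-group $rg `
    --account-name $sa --query '[0].value' --output tsv
Assert-Ok 'az storage account keys list'
$env:AZURE_STORAGE_KEY = $env:ARM_ACCESS_KEY   # read by "az storage" commands
az storage container create --name $container --account-name $sa --output none
Assert-Ok 'az storage container create'

# Step 3: service principal with the Contributor role.
# Assumption: subscription-wide scope. Narrow it to a resource group ID if the
# project only manages resources inside one existing group.
$subId = az account show --query id --output tsv
Assert-Ok 'az account show'
$sp = az ad sp create-for-rbac --name $spName --role Contributor `
    --scopes "/subscriptions/$subId" | ConvertFrom-Json
Assert-Ok 'az ad sp create-for-rbac'

$env:ARM_CLIENT_ID       = $sp.appId
$env:ARM_CLIENT_SECRET   = $sp.password   # shown once; keep it in a secret store
$env:ARM_TENANT_ID       = $sp.tenant
$env:ARM_SUBSCRIPTION_ID = $subId
az logout   # from here on Terraform authenticates as the service principal

terraform init "-backend-config=resource_group_name=$rg" `
    "-backend-config=storage_account_name=$sa" `
    "-backend-config=container_name=$container" `
    "-backend-config=key=${project}.tfstate"
Assert-Ok 'terraform init'
terraform plan -out tfplan
Assert-Ok 'terraform plan'
```

In a pipeline, the same `ARM_*` names can be mapped from secret variables instead of being set by the script.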

And that brings us to the end of how to create Azure resources referred to in a Terraform project. I hope you found this post useful. Please let me know if you have any questions or suggestions. Until then, happy terraforming!

Note: The above Terraform commands are steps extracted out of an azure-pipelines.yaml file. I am using PowerShell to run them.

Another Note: Please end the cloud session with the command “az logout” once the storage and service principal are created.