Creating a user for Terraform in Azure with the correct privileges typically involves setting up a Service Principal in Azure Active Directory (now Microsoft Entra ID) and assigning it the necessary roles. Terraform then uses this Service Principal to authenticate and manage Azure resources.
- Create an Azure Active Directory Application and Service Principal:
  - Navigate to Azure Active Directory (or Microsoft Entra ID) in the Azure portal.
  - Select App registrations and click New registration.
  - Provide a Name for the application (e.g., “Terraform-SP”).
  - Choose the Supported account types (e.g., “Accounts in this organizational directory only (single-tenant)”).
  - Leave the Redirect URI blank; Terraform authenticates non-interactively, so no redirect is needed.
  - Click Register.
  - After registration, note the Application (client) ID and Directory (tenant) ID. Registering the application also creates the matching Service Principal (visible under Enterprise applications) in your tenant; that is the identity the role assignments below are made to.

- Create a Client Secret (if not using OpenID Connect):
  - Within the registered application, navigate to Certificates & secrets.
  - Click New client secret.
  - Provide a Description and set an Expiration. Keep it short (months rather than years) and record the date: an expired secret is the most common cause of Terraform suddenly failing to authenticate.
  - Click Add.
  - Crucially, copy the generated client secret value immediately, as it will not be visible again after leaving the page.
  - If Terraform runs from a pipeline that can present an OIDC token (for example GitHub Actions or Azure DevOps), add a Federated credential on the same Certificates & secrets page instead of a client secret. There is then no long-lived value to store, leak or rotate.

- Assign Roles to the Service Principal:
  - Determine the scope at which the Service Principal needs permissions (e.g., Subscription, Resource Group, or specific resource). Pick the narrowest scope that covers what Terraform manages; a Resource Group is usually enough and limits the blast radius if the secret leaks.
  - Navigate to the target scope (e.g., your Azure Subscription).
  - Select Access control (IAM).
  - Click Add and then Add role assignment.
  - Role: Choose a role with the appropriate permissions for the resources Terraform will manage. For broad infrastructure management, consider “Contributor.” Note that Contributor cannot create role assignments; if your Terraform code manages RBAC, add “User Access Administrator” at the narrowest possible scope rather than granting “Owner.” For more granular control, use custom roles or more specific built-in roles like “Network Contributor.” Roles such as “Storage Blob Data Contributor” are data-plane roles: Contributor does not imply them, and Terraform needs one when it must read or write blob data itself (for example a remote state container).
  - Assign access to: Select “Service principal” (newer portal builds label the option “User, group, or service principal”).
  - Select members: Search for the name of the application you registered (e.g., “Terraform-SP”).
  - Click Save (in newer portal builds, Review + assign).
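
The same three steps from the Azure CLI, as an added example that is not part of the original post and not Microsoft's code. It uses az ad sp create-for-rbac, which registers the application, creates the Service Principal and a client secret, and makes the role assignment in one call, but scopes Contributor to a single resource group and adds the data-plane role for a state storage account as a separate assignment. The resource-group name, storage-account name and env-file path are assumptions; DRY_RUN=1 (the default) only prints the az commands, and DRY_RUN=0 executes them and writes the ARM_* exports to an owner-readable file so the secret never passes through shell history.

```shell
#!/bin/sh
# create-terraform-sp.sh: added example, not part of the original post.
# CLI equivalent of the portal steps above. DRY_RUN=1 (default) prints the
# az commands; DRY_RUN=0 runs them and writes an env file for Terraform.
# Resource group, storage account and env-file path are assumptions.

SP_NAME="${SP_NAME:-Terraform-SP}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<Azure Subscription ID>}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-terraform-demo}"      # assumed
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-tfstate4711}"          # assumed
ENV_FILE="${ENV_FILE:-$HOME/.terraform-sp.env}"            # assumed
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ARM resource IDs used as role-assignment scopes.
scope_rg()      { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }
scope_storage() { printf '%s/providers/Microsoft.Storage/storageAccounts/%s' "$(scope_rg "$1" "$2")" "$3"; }

# Pull one string field out of the (pretty-printed, one key per line) JSON az prints.
json_field() { sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"; }

# Steps 1-3 in one command: Contributor on one resource group, not the subscription.
create_sp() {
    run az ad sp create-for-rbac --name "$SP_NAME" --role Contributor \
        --scopes "$(scope_rg "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")" --output json
}

# Contributor is control-plane only; reading/writing state blobs needs a data-plane role.
assign_state_access() {
    run az role assignment create --assignee "$1" --role "Storage Blob Data Contributor" \
        --scope "$(scope_storage "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")"
}

# Persist the ARM_* exports with mode 0600 so the secret is never typed or echoed.
write_env_file() {
    file=$1; client_id=$2; secret=$3; tenant=$4; sub=$5
    ( umask 077
      printf 'export ARM_CLIENT_ID="%s"\nexport ARM_CLIENT_SECRET="%s"\nexport ARM_TENANT_ID="%s"\nexport ARM_SUBSCRIPTION_ID="%s"\n' \
          "$client_id" "$secret" "$tenant" "$sub" > "$file" )
}

main() {
    if [ "$DRY_RUN" = 1 ]; then
        create_sp
        assign_state_access "<Application (client) ID>"
        return 0
    fi
    # Refuse to run against the placeholder; a real subscription ID is a hex GUID.
    case "$SUBSCRIPTION_ID" in
        *[!0-9a-fA-F-]*|"") echo "set SUBSCRIPTION_ID to your subscription GUID" >&2; return 1 ;;
    esac
    out=$(create_sp) || return 1
    app_id=$(printf '%s\n' "$out" | json_field appId)
    secret=$(printf '%s\n' "$out" | json_field password)
    tenant=$(printf '%s\n' "$out" | json_field tenant)
    assign_state_access "$app_id"
    write_env_file "$ENV_FILE" "$app_id" "$secret" "$tenant" "$SUBSCRIPTION_ID"
    echo "Credentials written to $ENV_FILE; load them with: . $ENV_FILE"
}

main
```

Run it once with the default DRY_RUN=1 to review the exact commands and scopes, then with `DRY_RUN=0 SUBSCRIPTION_ID=<your GUID> sh create-terraform-sp.sh`. The generated env file is the only place the secret is written; source it in the shell that runs Terraform instead of pasting the value into an export command.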

- Configure Terraform with Service Principal Credentials:
You can provide these credentials to Terraform using environment variables or directly in your provider block.

Using Environment Variables (Recommended for Security):

```bash
export ARM_CLIENT_ID="<Application (client) ID>"
export ARM_CLIENT_SECRET="<Client Secret Value>"
export ARM_TENANT_ID="<Directory (tenant) ID>"
export ARM_SUBSCRIPTION_ID="<Azure Subscription ID>"
```

Example (the IDs and secret below are illustrative placeholders, not real values; real IDs are hexadecimal GUIDs):

```bash
export ARM_CLIENT_ID="9c988g9d-v24d-s2bc-8225-e9abb324b8k6"
export ARM_CLIENT_SECRET="7c-9D~fGH0D3DvhlSP8Tda9LpJ8L814qdQgpSc8I"
export ARM_TENANT_ID="16e88b7f-vc13-4e9x-8fh1-f778h47d48eb"
export ARM_SUBSCRIPTION_ID="4j891085-h7e6-4892-4474-c0c955d67fh9"
```

If you created a federated credential instead of a client secret, set ARM_USE_OIDC=true and omit ARM_CLIENT_SECRET; the azurerm provider then exchanges the pipeline's OIDC token for an Azure token.

Using the Provider Block:

```hcl
provider "azurerm" {
  features {}
  client_id       = "<Application (client) ID>"
  client_secret   = "<Client Secret Value>"
  tenant_id       = "<Directory (tenant) ID>"
  subscription_id = "<Azure Subscription ID>"
}
```

A literal client_secret in HCL ends up in version control and in every clone of the repository, which is why the environment-variable form is recommended. If the value has to be referenced in HCL, declare a sensitive variable and pass it in through TF_VAR_client_secret; provider configuration itself is not written to the Terraform state file, but the .tf source is committed.

Windows command-line login with the Service Principal (Azure CLI):

```bash
az login --service-principal -u 9c988g9d-v24d-s2bc-8225-e9abb324b8k6 -p 7c-9D~fGH0D3DvhlSP8Tda9LpJ8L814qdQgpSc8I --tenant 16e88b7f-vc13-4e9x-8fh1-f778h47d48eb
```

Passing the secret on the command line as shown writes it to the shell history and exposes it to other processes on the host; pass it from the ARM_CLIENT_SECRET variable set above rather than pasting the literal value.

Output:

```json
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "16e88b7f-vc13-4e9x-8fh1-f778h47d48eb",
    "id": "4j891085-h7e6-4892-4474-c0c955d67fh9",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "16e88b7f-vc13-4e9x-8fh1-f778h47d48eb",
    "user": {
      "name": "9c988g9d-v24d-s2bc-8225-e9abb324b8k6",
      "type": "servicePrincipal"
    }
  }
]
```

In this output, id is the subscription the session defaults to, user.name is the Application (client) ID, and user.type of servicePrincipal confirms that the CLI is acting as Terraform-SP rather than as your personal account. If the subscription listed is not the one in ARM_SUBSCRIPTION_ID, the Service Principal was assigned a role on a different subscription than you intended.
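
A preflight check to run before terraform plan, added here as an example (not from the original post): it validates the ARM_* variables described above (accepting ARM_USE_OIDC=true in place of a secret), refuses to proceed if a literal client_secret sits in any .tf file, and, when the Azure CLI is installed, confirms that the logged-in identity is a service principal on the expected subscription. The function names and the RUN_PREFLIGHT switch are assumptions. Because the post's sample IDs contain non-hex characters, the GUID check rejects them; real IDs are hexadecimal.

```shell
#!/bin/sh
# tf-preflight.sh: added example, not part of the original post.
# Fail fast on credential problems before Terraform touches Azure:
#  1. the ARM_* variables are present and look like real values,
#  2. no client_secret literal is hard-coded in a .tf file under DIR,
#  3. (when az is installed) the CLI session is the service principal.
# Usage: RUN_PREFLIGHT=1 sh tf-preflight.sh ./infra   (names are assumptions)

# A GUID is 8-4-4-4-12 hex digits; the post's sample IDs are placeholders.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Environment-variable form of the provider configuration. Either a client
# secret or ARM_USE_OIDC=true (federated credential) satisfies the check.
check_arm_env() {
    rc=0
    for v in ARM_CLIENT_ID ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
        eval "val=\${$v:-}"
        if ! is_guid "$val"; then echo "$v is missing or not a GUID" >&2; rc=1; fi
    done
    if [ -z "${ARM_CLIENT_SECRET:-}" ] && [ "${ARM_USE_OIDC:-false}" != "true" ]; then
        echo "set ARM_CLIENT_SECRET, or ARM_USE_OIDC=true with a federated credential" >&2
        rc=1
    fi
    return $rc
}

# A quoted client_secret in HCL would be committed with the code; values must
# come from the environment or a variable (client_secret = var.client_secret is fine).
scan_tf_for_secrets() {
    dir=${1:-.}
    if grep -REn --include='*.tf' 'client_secret[[:space:]]*=[[:space:]]*"[^"]+"' "$dir" 2>/dev/null; then
        echo "hard-coded client_secret found under $dir (see lines above)" >&2
        return 1
    fi
    return 0
}

# After az login --service-principal, the session must be the SP, not a person,
# and must default to the subscription Terraform is configured for.
check_az_session() {
    command -v az >/dev/null 2>&1 || return 0   # skip when the CLI is absent
    [ "$(az account show --query user.type -o tsv 2>/dev/null)" = "servicePrincipal" ] || return 1
    [ "$(az account show --query id -o tsv 2>/dev/null)" = "${ARM_SUBSCRIPTION_ID:-}" ] || return 1
}

preflight() {
    check_arm_env && scan_tf_for_secrets "${1:-.}" && check_az_session
}

if [ -n "${RUN_PREFLIGHT:-}" ]; then
    preflight "$@" || exit 1
fi
```

Wire it into the pipeline step that precedes terraform init; a non-zero exit stops the run before a misconfigured or leaked credential is used, and the messages on stderr say which of the three checks failed.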