Over the last few days, I was looking for a way to automate our deployment environments on Azure and also investigating automation frameworks for a customer. The debate was between Terraform and Ansible and the following article from Gruntwork did really good work on tilting the weight towards Terraform. We have similar considerations like the guys from Gruntwork so everything matched well. Now, the task was to get Terraform working with Azure, which was a small challenge compared to AWS.
For those of you interested in the background here is the Terraform documentation for Azure provider, which is pretty good but missed a small piece about assigning a role as described in this StackOverflow post. Of course, the post points to the Azure documentation about using the CLI to assign the role to the principal, which for me ended up with the following error:
Principals of type Application cannot validly be used in role assignments.
At the end of the day because of time pressure, I wasn’t able to figure out the CLI way to do that but it seems there is a way to do it through the Azure Management Portal so here are the steps with visuals:
Create Application Registration in Your Azure Subscription
- Go to the new Azure Portal at http://portal.azure.com and select Azure Active Directory in the navigation pane on the left:
- Select App Registrations from the tasks blade
- Click on the Add button at the top of the blade and fill in the information for the Terraform app. You can choose any name for the Name field as well as any valid URL string for the Sign-on URL field. Click on the Create button to create the app.
- Click on the newly created app and in the Settings blade select Required Permissions
- Click on the Add button at the top of the blade
- In Step 1 Select an API select the Windows Azure Service Management API and click on the Select button
- In Step 2 Select Permissions select Access Azure Service Management as organization users (preview) and click on the Select button
- Click on the Done button to complete the flow
Now, you have your App Registration complete however you still need to assign a role for your application. Here is how this is done.
Assign a Role for Terraform App to Use ARM
Assigning role to your application is done on a Subscription level in Azure Portal.
- Select Subscriptions in the navigation pane on the left
- Select the subscription where you have registered the app and select Access Control (IAM) in the task blade
- Click on the Add button at the top of the blade and in Step 1 Select a role choose the most appropriate role for your Terraform application
Although you may be tempted to choose Owner in this step I would suggest thinking your security policies through and selecting role that has more restrictive access. For example, if you have DevOps people running Terraform scripts you may want to give them Contributor role and prevent them from managing the user access. Also, if you have database team that wants to only manage Azure SQL and DocumentDB you may just restrict them to SQL DB Contributor and DocumentDB Account Contributor. List of built-in RBAC roles for Azure is available here.
- In Step 2 Add Users type the name of your app in the search field and select it from the list. Click on the Select button to confirm
- Click the OK button to complete the flow
Collecting ARM Credentials Information for Terraform
In order for Terraform to connect to Azure and manage the resources using Azure Resource Manager you need to collect the following information:
- Subscription ID
- Client ID is also known as Application ID in Azure terminology
- Client Secret is also known as Key in Azure terminology
- and Tenant ID is also known as Directory ID in Azure terminology
Here is where to obtain this information from.
Azure Subscription ID
Click on Subscriptions in the navigation pane -> Select the subscription where you created the Terraform app and copy the GUID highlighted in the picture below.
Azure Client ID
What Terraform refers to as Client ID is actually the Application ID for the app that you just registered. You can get it by selecting Azure Active Directory -> App registrations -> select the name of the app you just registered and copy the GUID highlighted in the picture below.
Azure Client Secret
What Terraform refers to as Azure Client Secret is a Key that you create in your App registration. Follow these steps to create the key:
- From Azure Active Directory -> App registrations select the application that you just created and then select Keys in the Settings blade
- Fill in the Key description, select Duration and click on the Save button at the top of the blade. The Key value will be shown after you click the Save button.
Note: Copy and save the key value immediately. If you navigate away from the blade you will not be able to see the value anymore. You can delete the key and create a new one in the future if you lose the value.
Azure Tenant ID
The last piece of information you will need to connect Terraform to Azure Resource Manager is a Tenant ID, which is also known as Directory ID in Azure terminology. This is actually the GUID used to identify your Azure Active Directory.
Select Azure Active Directory and scroll down to show the Properties in the tasks blade. Select Properties and copy the GUID highlighted on the picture below.
Terraform documentation describes a different method to obtain the Tenant ID that involves showing the OAuth Authorization Endpoint for the application that you just created and copying the GUID from the URL. I think, their approach is a bit more error prone but if you feel comfortable in your Copy/Paste abilities you may want to give it a try.
I hope that by describing this a bit convoluted registration process you will be able to be more productive managing your resources on Azure.