Test secure Azure provisioning using Terraform, utilising a Remote Backend and a Key Vault in Azure.
HashiCorp Terraform enables you to safely and predictably create, change, and improve infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Before you can securely use Terraform with Azure, you will need to action the following steps:
- Install the Azure PowerShell module.
- Ensure you are logged in to Azure (eg.
Connect-AzAccount
)
- Clone this repo:
git clone [email protected]:adamrushuk/terraform-azure.git
- Open
scripts\ConfigureAzureForSecureTerraformAccess.ps1
and update the$adminUserDisplayName
variable to match your Admin User Display Name (eg.Joe Bloggs
). - Run
scripts\ConfigureAzureForSecureTerraformAccess.ps1
The ConfigureAzureForSecureTerraformAccess.ps1
script does the following:
- Creates an Azure Service Principle for Terraform.
- Creates a new Resource Group.
- Creates a new Storage Account.
- Creates a new Storage Container.
- Creates a new Key Vault.
- Configures Key Vault Access Policies.
- Creates Key Vault Secrets for these sensitive Terraform login details:
- ARM_SUBSCRIPTION_ID
- ARM_CLIENT_ID
- ARM_CLIENT_SECRET
- ARM_TENANT_ID
- ARM_ACCESS_KEY
Now that Azure has been configured for secure Terraform access, the Key Vault secrets need to be loaded into environment variables, but only for the current PowerShell session.
- Run
scripts\LoadAzureTerraformSecretsToEnvVars.ps1
Either download Terraform and add to your path , or use the Chocolatey method below:
- Install Chocolatey
- Install Terraform:
choco install terraform
Now that Terraform is installed, the secure remote backend can be utilised whilst provisioning an Azure Resource Group and a Virtual Network:
- Navigate to the
examples\remote-backend\
folder. - Open
main.tf
and ensure you have updated thestorage_account_name
variable in thebackend
code block, to the new Storage Account Name created by theConfigureAzureForSecureTerraformAccess.ps1
script. - Initialise the Remote Backend and download plugins:
terraform init
- Create an execution plan (see planned changes):
terraform plan
- Apply the Terraform configuration:
terraform apply
- Enter
yes
to confirm the planned actions.
You should now have a new Azure Resource Group (eg: backend-test-rg
) with a Virtual Network (eg: test-vnet
).
To cleanup these Azure resources, you can also use Terraform to destroy what it created.
- If this is a new PowerShell session, you will have to run
scripts\LoadAzureTerraformSecretsToEnvVars.ps1
again to reload the environment variables needed to Terraform to access Azure. - Navigate to the
examples\remote-backend\
folder. - Remove the previously created Azure resources:
terraform destroy
- Enter
yes
to confirm the planned actions.