Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Terraform Azure provider passing multiple alias environment and credentials in child module

While working with Terraform modules I wanted to pass on multiple provider aliases with specific credentials and azure subscription details to child module. Ideas was to create resources with assigned privileged users. Non privileged users should not be able to create services in Azure.

In this step by step guide I defined two provider azurerm blocks, alias information each with dev and prod. For each provider block I have given assigned privileged service principal details as per the environment. Both providers  dev and prod information is passed in module block to source path (child module).

# Parent Module defined on the root directory - main.tf

provider "azurerm" {
  features {}
  alias           = "dev"
  client_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  client_secret   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  tenant_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

provider "azurerm" {
  features {}
  alias           = "prod"
  client_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  client_secret   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  tenant_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

########################

variable "sa_info" {
  type = list(object({
    environment = string
    name        = string
    location    = string
  }))
  default = [
    {
      environment = "dev"
      name        = "vcloudlabsadev"
      location    = "East US"
    },
    {
      environment = "prod"
      name        = "vcloudlabsaprod"
      location    = "East US"
    }
  ]
}

########################

module "storage_account" {
  source = "./module/storage_account"
  providers = {
    azurerm.dev  = azurerm.dev
    azurerm.prod = azurerm.prod
  }

  for_each = { for sa in var.sa_info : sa.name => sa }

  environment             = each.value.environment
  name                     = each.value.name
  location                 = each.value.location
  resource_group_name      = "v${each.value.environment}.vcloud-lab.com"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}
########################

output "id" {
  value = { for id, sa in module.storage_account : id => flatten(sa[*].sa_info) }
}

output "only_ids" {
  value = { for id, sa in module.storage_account : id => flatten([for v in flatten(sa[*].sa_info) : values(v)[0]]) }
}

Download this script code Terraform_Module_Pass_Multiple_Credentials_Provider_Alias.zip here or it is also available on github.com.

Next inside the child module, I have mentioned terraform block with configuration_aliases, which has environment details of dev and prod, which is passed by parent module. To use these environments in the resources I mentioned provider for each in resource blocks. It will use to create services resource inside Azure. In the resources block I have added logic for_each to create correct resource with correct credentials in correct subscription/tenant.

# Child Module located ./module/storage_account - main.tf - Storage Account
terraform {
  required_providers {
    azurerm = {
      source                = "hashicorp/azurerm"
      version               = "~> 3.0"
      configuration_aliases = [azurerm.dev, azurerm.prod]
    }
  }
}

###########################

variable "name" {}
variable "location" {}
variable "resource_group_name" {}
variable "account_replication_type" {}
variable "account_tier" {}
variable "environment" {}

###########################

resource "azurerm_storage_account" "sa_object_dev" {
  #count                    = var.environment == "dev" ? 1 : 0
  for_each                 = var.environment == "dev" ? { "dev" = true } : {}
  name                     = var.name
  location                 = var.location
  resource_group_name      = var.resource_group_name
  account_replication_type = var.account_replication_type
  account_tier             = var.account_tier
  provider                 = azurerm.dev
}
resource "azurerm_storage_account" "sa_object_prod" {
  #count                    = var.environment == "prod" ? 1 : 0
  #for_each                 = { for env in toset(var.environment) : env => true if env == "prod" }  #When variable environment is type is list
  #for_each                 = { for env in var.environment : env => true if env == "prod" } #When variable environment is set to set
  for_each                 = var.environment == "prod" ? { "prod" = true } : {}
  name                     = var.name
  location                 = var.location
  resource_group_name      = var.resource_group_name
  account_replication_type = var.account_replication_type
  account_tier             = var.account_tier
  provider                 = azurerm.prod
}

###########################

output "sa_info" {
  value = merge(
    { for name, sa in azurerm_storage_account.sa_object_dev : name => sa.id },
    { for name, sa in azurerm_storage_account.sa_object_prod : name => sa.id }
  )
}

Additionally if you don't have any alias assigned to azurerm provider block you can simply pass inside module using as it is like provider = {azurerm = azurerm}.

Check the related articles:
Terraform Azure provider alias passing credentials and configuration in module resources
Terraform passing different credentials to different subscriptions with provider alias

Below is the information of output after initiating and apply configuration through Terraform module.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
terraform apply --auto-approve  

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"] will be created
  + resource "azurerm_storage_account" "sa_object_dev" {
      + access_tier                        = (known after apply)
      + account_kind                       = "StorageV2"
      + account_replication_type           = "LRS"
      + account_tier                       = "Standard"
      + allow_nested_items_to_be_public    = true
      + cross_tenant_replication_enabled   = true
      + default_to_oauth_authentication    = false
      + dns_endpoint_type                  = "Standard"
      + enable_https_traffic_only          = (known after apply)
      + https_traffic_only_enabled         = (known after apply)
      + id                                 = (known after apply)
      + infrastructure_encryption_enabled  = false
      + is_hns_enabled                     = false
      + large_file_share_enabled           = (known after apply)
      + local_user_enabled                 = true
      + location                           = "eastus"
      + min_tls_version                    = "TLS1_2"
      + name                               = "vcloudlabsadev"
      + nfsv3_enabled                      = false
      + primary_access_key                 = (sensitive value)
      + primary_blob_connection_string     = (sensitive value)
      + primary_blob_endpoint              = (known after apply)
      + primary_blob_host                  = (known after apply)
      + primary_blob_internet_endpoint     = (known after apply)
      + primary_blob_internet_host         = (known after apply)
      + primary_blob_microsoft_endpoint    = (known after apply)
      + primary_blob_microsoft_host        = (known after apply)
      + primary_connection_string          = (sensitive value)
      + primary_dfs_endpoint               = (known after apply)
      + primary_dfs_host                   = (known after apply)
      + primary_dfs_internet_endpoint      = (known after apply)
      + primary_dfs_internet_host          = (known after apply)
      + primary_dfs_microsoft_endpoint     = (known after apply)
      + primary_dfs_microsoft_host         = (known after apply)
      + primary_file_endpoint              = (known after apply)
      + primary_file_host                  = (known after apply)
      + primary_file_internet_endpoint     = (known after apply)
      + primary_file_internet_host         = (known after apply)
      + primary_file_microsoft_endpoint    = (known after apply)
      + primary_file_microsoft_host        = (known after apply)
      + primary_location                   = (known after apply)
      + primary_queue_endpoint             = (known after apply)
      + primary_queue_host                 = (known after apply)
      + primary_queue_microsoft_endpoint   = (known after apply)
      + primary_queue_microsoft_host       = (known after apply)
      + primary_table_endpoint             = (known after apply)
      + primary_table_host                 = (known after apply)
      + primary_table_microsoft_endpoint   = (known after apply)
      + primary_table_microsoft_host       = (known after apply)
      + primary_web_endpoint               = (known after apply)
      + primary_web_host                   = (known after apply)
      + primary_web_internet_endpoint      = (known after apply)
      + primary_web_internet_host          = (known after apply)
      + primary_web_microsoft_endpoint     = (known after apply)
      + primary_web_microsoft_host         = (known after apply)
      + public_network_access_enabled      = true
      + queue_encryption_key_type          = "Service"
      + resource_group_name                = "vdev.vcloud-lab.com"
      + secondary_access_key               = (sensitive value)
      + secondary_blob_connection_string   = (sensitive value)
      + secondary_blob_endpoint            = (known after apply)
      + secondary_blob_host                = (known after apply)
      + secondary_blob_internet_endpoint   = (known after apply)
      + secondary_blob_internet_host       = (known after apply)
      + secondary_blob_microsoft_endpoint  = (known after apply)
      + secondary_blob_microsoft_host      = (known after apply)
      + secondary_connection_string        = (sensitive value)
      + secondary_dfs_endpoint             = (known after apply)
      + secondary_dfs_host                 = (known after apply)
      + secondary_dfs_internet_endpoint    = (known after apply)
      + secondary_dfs_internet_host        = (known after apply)
      + secondary_dfs_microsoft_endpoint   = (known after apply)
      + secondary_dfs_microsoft_host       = (known after apply)
      + secondary_file_endpoint            = (known after apply)
      + secondary_file_host                = (known after apply)
      + secondary_file_internet_endpoint   = (known after apply)
      + secondary_file_internet_host       = (known after apply)
      + secondary_file_microsoft_endpoint  = (known after apply)
      + secondary_file_microsoft_host      = (known after apply)
      + secondary_location                 = (known after apply)
      + secondary_queue_endpoint           = (known after apply)
      + secondary_queue_host               = (known after apply)
      + secondary_queue_microsoft_endpoint = (known after apply)
      + secondary_queue_microsoft_host     = (known after apply)
      + secondary_table_endpoint           = (known after apply)
      + secondary_table_host               = (known after apply)
      + secondary_table_microsoft_endpoint = (known after apply)
      + secondary_table_microsoft_host     = (known after apply)
      + secondary_web_endpoint             = (known after apply)
      + secondary_web_host                 = (known after apply)
      + secondary_web_internet_endpoint    = (known after apply)
      + secondary_web_internet_host        = (known after apply)
      + secondary_web_microsoft_endpoint   = (known after apply)
      + secondary_web_microsoft_host       = (known after apply)
      + sftp_enabled                       = false
      + shared_access_key_enabled          = true
      + table_encryption_key_type          = "Service"

      + blob_properties (known after apply)

      + network_rules (known after apply)

      + queue_properties (known after apply)

      + routing (known after apply)

      + share_properties (known after apply)
    }

  # module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"] will be created
  + resource "azurerm_storage_account" "sa_object_prod" {
      + access_tier                        = (known after apply)
      + account_kind                       = "StorageV2"
      + account_replication_type           = "LRS"
      + account_tier                       = "Standard"
      + allow_nested_items_to_be_public    = true
      + cross_tenant_replication_enabled   = true
      + default_to_oauth_authentication    = false
      + dns_endpoint_type                  = "Standard"
      + enable_https_traffic_only          = (known after apply)
      + https_traffic_only_enabled         = (known after apply)
      + id                                 = (known after apply)
      + infrastructure_encryption_enabled  = false
      + is_hns_enabled                     = false
      + large_file_share_enabled           = (known after apply)
      + local_user_enabled                 = true
      + location                           = "eastus"
      + min_tls_version                    = "TLS1_2"
      + name                               = "vcloudlabsaprod"
      + nfsv3_enabled                      = false
      + primary_access_key                 = (sensitive value)
      + primary_blob_connection_string     = (sensitive value)
      + primary_blob_endpoint              = (known after apply)
      + primary_blob_host                  = (known after apply)
      + primary_blob_internet_endpoint     = (known after apply)
      + primary_blob_internet_host         = (known after apply)
      + primary_blob_microsoft_endpoint    = (known after apply)
      + primary_blob_microsoft_host        = (known after apply)
      + primary_connection_string          = (sensitive value)
      + primary_dfs_endpoint               = (known after apply)
      + primary_dfs_host                   = (known after apply)
      + primary_dfs_internet_endpoint      = (known after apply)
      + primary_dfs_internet_host          = (known after apply)
      + primary_dfs_microsoft_endpoint     = (known after apply)
      + primary_dfs_microsoft_host         = (known after apply)
      + primary_file_endpoint              = (known after apply)
      + primary_file_host                  = (known after apply)
      + primary_file_internet_endpoint     = (known after apply)
      + primary_file_internet_host         = (known after apply)
      + primary_file_microsoft_endpoint    = (known after apply)
      + primary_file_microsoft_host        = (known after apply)
      + primary_location                   = (known after apply)
      + primary_queue_endpoint             = (known after apply)
      + primary_queue_host                 = (known after apply)
      + primary_queue_microsoft_endpoint   = (known after apply)
      + primary_queue_microsoft_host       = (known after apply)
      + primary_table_endpoint             = (known after apply)
      + primary_table_host                 = (known after apply)
      + primary_table_microsoft_endpoint   = (known after apply)
      + primary_table_microsoft_host       = (known after apply)
      + primary_web_endpoint               = (known after apply)
      + primary_web_host                   = (known after apply)
      + primary_web_internet_endpoint      = (known after apply)
      + primary_web_internet_host          = (known after apply)
      + primary_web_microsoft_endpoint     = (known after apply)
      + primary_web_microsoft_host         = (known after apply)
      + public_network_access_enabled      = true
      + queue_encryption_key_type          = "Service"
      + resource_group_name                = "vprod.vcloud-lab.com"
      + secondary_access_key               = (sensitive value)
      + secondary_blob_connection_string   = (sensitive value)
      + secondary_blob_endpoint            = (known after apply)
      + secondary_blob_host                = (known after apply)
      + secondary_blob_internet_endpoint   = (known after apply)
      + secondary_blob_internet_host       = (known after apply)
      + secondary_blob_microsoft_endpoint  = (known after apply)
      + secondary_blob_microsoft_host      = (known after apply)
      + secondary_connection_string        = (sensitive value)
      + secondary_dfs_endpoint             = (known after apply)
      + secondary_dfs_host                 = (known after apply)
      + secondary_dfs_internet_endpoint    = (known after apply)
      + secondary_dfs_internet_host        = (known after apply)
      + secondary_dfs_microsoft_endpoint   = (known after apply)
      + secondary_dfs_microsoft_host       = (known after apply)
      + secondary_file_endpoint            = (known after apply)
      + secondary_file_host                = (known after apply)
      + secondary_file_internet_endpoint   = (known after apply)
      + secondary_file_internet_host       = (known after apply)
      + secondary_file_microsoft_endpoint  = (known after apply)
      + secondary_file_microsoft_host      = (known after apply)
      + secondary_location                 = (known after apply)
      + secondary_queue_endpoint           = (known after apply)
      + secondary_queue_host               = (known after apply)
      + secondary_queue_microsoft_endpoint = (known after apply)
      + secondary_queue_microsoft_host     = (known after apply)
      + secondary_table_endpoint           = (known after apply)
      + secondary_table_host               = (known after apply)
      + secondary_table_microsoft_endpoint = (known after apply)
      + secondary_table_microsoft_host     = (known after apply)
      + secondary_web_endpoint             = (known after apply)
      + secondary_web_host                 = (known after apply)
      + secondary_web_internet_endpoint    = (known after apply)
      + secondary_web_internet_host        = (known after apply)
      + secondary_web_microsoft_endpoint   = (known after apply)
      + secondary_web_microsoft_host       = (known after apply)
      + sftp_enabled                       = false
      + shared_access_key_enabled          = true
      + table_encryption_key_type          = "Service"

      + blob_properties (known after apply)

      + network_rules (known after apply)

      + queue_properties (known after apply)

      + routing (known after apply)

      + share_properties (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + id = [
      + {
          + vcloudlabsadev  = {
              + sa_info = {
                  + dev = (known after apply)
                }
            }
          + vcloudlabsaprod = {
              + sa_info = {
                  + prod = (known after apply)
                }
            }
        },
    ]
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Creating...
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Creating...
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Still creating... [10s elapsed]
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Still creating... [10s elapsed]
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Still creating... [20s elapsed]
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Still creating... [20s elapsed]
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Still creating... [30s elapsed]
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Still creating... [30s elapsed]
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Still creating... [41s elapsed]
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Still creating... [40s elapsed]
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Still creating... [51s elapsed]
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Still creating... [50s elapsed]
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Still creating... [1m1s elapsed]
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Still creating... [1m0s elapsed]
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Still creating... [1m11s elapsed]
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Still creating... [1m10s elapsed]
module.storage_account["vcloudlabsadev"].azurerm_storage_account.sa_object_dev["dev"]: Creation complete after 1m15s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vdev.vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsadev]
module.storage_account["vcloudlabsaprod"].azurerm_storage_account.sa_object_prod["prod"]: Creation complete after 1m14s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vprod.vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsaprod]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

id = [
  {
    "vcloudlabsadev" = {
      "sa_info" = {
        "dev" = "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vdev.vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsadev"
      }
    }
    "vcloudlabsaprod" = {
      "sa_info" = {
        "prod" = "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vprod.vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsaprod"
      }
    }
  },
]

In this demo to the dev and prod Resource Groups I have assigned privileges with different App Registrations users accounts. I see in the activity logs resources are getting created with the correct assigned users.

Microsoft Azure Subscription sponsership-by-microsoft list storage account keys update storage account create audit policy action terraform module alias provider credential pass from parent to child.png

Useful Article
Terraform refactoring moved block example
Terraform create Azure Virtual Machines from map of objects
Terraform variable validation example
Configure Azure Storage Account Blob as Terraform backend to store tfstate file Examples of most used general purpose terraform functions
Create storage account and Service Principal using PowerShell for Terraform Azure Backend
Unlocking TF State File on Azure backend with PowerShell and Terraform Force-Unlock Command
Terraform passing different credentials to different subscriptions with provider alias
Terraform variable precedence and priority
Terraform filter map and list object with if condition in for_each loop examples
Azure DevOps Enable creation of classic build release pipelines grayed out
Adding parameters in Azure DevOps pipelines examples Part 1
Azure Web App Containers Cannot perform credential operations for providers Microsoft.ContainerRegistry ad admin user is disabled, enable it

Go Back

Comment

Blog Search

Page Views

11954735

Follow me on Blogarama