This article demonstrates how to deploy an Azure ARM template using Terraform. I encountered several scenarios where resources deployed through Terraform, Bicep, or the REST API didn't function as expected. However, when I deployed the same resources using an ARM template, they worked flawlessly.
For example, in one case involving Scheduled Query Rules with Action Groups or Log Analytics, the deployment succeeded only through ARM templates, while other methods encountered issues. As a result, I was able to use Terraform resource blocks but not working correctly. Since I’m using HashiCorp Terraform Cloud (HCP), combining Terraform configurations with ARM templates worked perfectly for me and create necessary pipelines.
For this demo, I prepared an ARM template in JSON to deploy multiple resources, including a Storage Account, Blob Service, and Web App Service Plan. I used the azurerm_resource_group_template_deployment
Terraform resource to deploy the ARM template. The entire JSON ARM template was copied into the template_content
Additionally, I specified the JSON ARM parameters within the parameter_content
attribute. After setting everything up, I deployed the template using the standard Terraform commands: terraform init
, terraform plan
, and terraform apply
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 |
terraform { required_version = "1.9.2" required_providers { azurerm = { source = "hashicorp/azurerm" version = "4.4" } } } ################################## provider "azurerm" { features {} subscription_id = "9exxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" } ################################## locals { #case sensitive storagePrefix = "vcloudlabsa" containerName = "testcontainer" webAppPrefix = "vcloudlabwa" } ################################## resource "azurerm_resource_group_template_deployment" "resources" { name = "" resource_group_name = "" deployment_mode = "Incremental" parameters_content = jsonencode({ "storagePrefix" : { "value" : "vcloudlabsa" }, "containerName" : { "value" : "testcontainer" }, "webAppPrefix" : { "value" : "vcloudlabwa" } }) template_content = <<TEMPLATE { "$schema": "", "contentVersion": "", "parameters": { "storagePrefix": { "type": "string", "minLength": 3, "maxLength": 11 }, "storageSKU": { "type": "string", "defaultValue": "Standard_LRS", "allowedValues": [ "Standard_LRS", "Standard_GRS", "Standard_RAGRS", "Standard_ZRS", "Premium_LRS", "Premium_ZRS", "Standard_GZRS", "Standard_RAGZRS" ] }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }, "containerName": { "defaultValue": "test", "type": "String" }, "appServicePlanName": { "type": "string", "defaultValue": "exampleplan" }, "webAppPrefix": { "type": "string", "metadata": { "description": "Base name of the resource such as web app name and app service plan " }, "minLength": 2 }, "linuxFxVersion": { "type": "string", "defaultValue": "php|7.0", "metadata": { "description": "The Runtime stack of current web app" } }, "resourceTags": { "type": "object", "defaultValue": { "Environment": "Dev", "Project": "Tutorial" } } }, "variables": { "uniqueStorageName": "[concat(parameters('storagePrefix'), uniqueString(resourceGroup().id))]", "webAppPortalName": "[concat(parameters('webAppPrefix'), uniqueString(resourceGroup().id))]" }, "resources": [ { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01", "name": "[variables('uniqueStorageName')]", "location": "[parameters('location')]", "tags": "[parameters('resourceTags')]", "sku": { "name": "[parameters('storageSKU')]" }, "kind": "StorageV2", "properties": { "supportsHttpsTrafficOnly": true } }, { "type": "Microsoft.Storage/storageAccounts/blobServices", "apiVersion": "2023-05-01", "name": "[concat(variables('uniqueStorageName'), '/default')]", "sku": { "name": "Standard_RAGRS", "tier": "Standard" }, "properties": { "containerDeleteRetentionPolicy": { "enabled": true, "days": 7 }, "deleteRetentionPolicy": { "allowPermanentDelete": false, "enabled": true, "days": 7 } }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', variables('uniqueStorageName'))]" ] }, { "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2023-05-01", "name": "[concat(variables('uniqueStorageName'), '/default/', parameters('containerName'))]", "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('uniqueStorageName'), 'default')]", "[resourceId('Microsoft.Storage/storageAccounts', variables('uniqueStorageName'))]" ], "properties": { "immutableStorageWithVersioning": { "enabled": false }, "defaultEncryptionScope": "$account-encryption-key", "denyEncryptionScopeOverride": false, "publicAccess": "None" } }, { "type": "Microsoft.Web/serverfarms", "apiVersion": "2021-03-01", "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "tags": "[parameters('resourceTags')]", "sku": { "name": "B1", "tier": "Basic", "size": "B1", "family": "B", "capacity": 1 }, "kind": "linux", "properties": { "perSiteScaling": false, "reserved": true, "targetWorkerCount": 0, "targetWorkerSizeId": 0 } }, { "type": "Microsoft.Web/sites", "apiVersion": "2021-03-01", "name": "[variables('webAppPortalName')]", "location": "[parameters('location')]", "dependsOn": [ "[parameters('appServicePlanName')]" ], "tags": "[parameters('resourceTags')]", "kind": "app", "properties": { "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", "siteConfig": { "linuxFxVersion": "[parameters('linuxFxVersion')]" } } } ], "outputs": { "storageEndpoint": { "type": "object", "value": "[reference(variables('uniqueStorageName')).primaryEndpoints]" } } } TEMPLATE // NOTE: whilst we show an inline template here, we recommend // sourcing this from a file for readability/editor support } output "arm_example_output" { value = jsondecode(azurerm_resource_group_template_deployment.resources.output_content).storageEndpoint.value } |
Download this script deploying_azure_ARM_templates_using_terraform here or it also available on the
Below is the output after applying terraform ARM configuration. It interprets JSON ARM template correctly and deploy services as required as can be seen in the plan.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 |
.\091-Complete_ARM_Template> terraform apply --auto-approve Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurerm_resource_group_template_deployment.resources will be created + resource "azurerm_resource_group_template_deployment" "resources" { + deployment_mode = "Incremental" + id = (known after apply) + name = "" + output_content = (known after apply) + parameters_content = jsonencode( { + containerName = { + value = "testcontainer" } + storagePrefix = { + value = "vcloudlabsa" } + webAppPrefix = { + value = "vcloudlabwa" } } ) + resource_group_name = "" + template_content = jsonencode( { + "$schema" = "" + contentVersion = "" + outputs = { + storageEndpoint = { + type = "object" + value = "[reference(variables('uniqueStorageName')).primaryEndpoints]" } } + parameters = { + appServicePlanName = { + defaultValue = "exampleplan" + type = "string" } + containerName = { + defaultValue = "test" + type = "String" } + linuxFxVersion = { + defaultValue = "php|7.0" + metadata = { + description = "The Runtime stack of current web app" } + type = "string" } + location = { + defaultValue = "[resourceGroup().location]" + type = "string" } + resourceTags = { + defaultValue = { + Environment = "Dev" + Project = "Tutorial" } + type = "object" } + storagePrefix = { + maxLength = 11 + minLength = 3 + type = "string" } + storageSKU = { + allowedValues = [ + "Standard_LRS", + "Standard_GRS", + "Standard_RAGRS", + "Standard_ZRS", + "Premium_LRS", + "Premium_ZRS", + "Standard_GZRS", + "Standard_RAGZRS", ] + defaultValue = "Standard_LRS" + type = "string" } + webAppPrefix = { + metadata = { + description = "Base name of the resource such as web app name and app service plan " } + minLength = 2 + type = "string" } } + resources = [ + { + apiVersion = "2021-09-01" + kind = "StorageV2" + location = "[parameters('location')]" + name = "[variables('uniqueStorageName')]" + properties = { + supportsHttpsTrafficOnly = true } + sku = { + name = "[parameters('storageSKU')]" } + tags = "[parameters('resourceTags')]" + type = "Microsoft.Storage/storageAccounts" }, + { + apiVersion = "2023-05-01" + dependsOn = [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('uniqueStorageName'))]", ] + name = "[concat(variables('uniqueStorageName'), '/default')]" + properties = { + containerDeleteRetentionPolicy = { + days = 7 + enabled = true } + deleteRetentionPolicy = { + allowPermanentDelete = false + days = 7 + enabled = true } } + sku = { + name = "Standard_RAGRS" + tier = "Standard" } + type = "Microsoft.Storage/storageAccounts/blobServices" }, + { + apiVersion = "2023-05-01" + dependsOn = [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('uniqueStorageName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('uniqueStorageName'))]", ] + name = "[concat(variables('uniqueStorageName'), '/default/', parameters('containerName'))]" + properties = { + defaultEncryptionScope = "$account-encryption-key" + denyEncryptionScopeOverride = false + immutableStorageWithVersioning = { + enabled = false } + publicAccess = "None" } + type = "Microsoft.Storage/storageAccounts/blobServices/containers" }, + { + apiVersion = "2021-03-01" + kind = "linux" + location = "[parameters('location')]" + name = "[parameters('appServicePlanName')]" + properties = { + perSiteScaling = false + reserved = true + targetWorkerCount = 0 + targetWorkerSizeId = 0 } + sku = { + capacity = 1 + family = "B" + name = "B1" + size = "B1" + tier = "Basic" } + tags = "[parameters('resourceTags')]" + type = "Microsoft.Web/serverfarms" }, + { + apiVersion = "2021-03-01" + dependsOn = [ + "[parameters('appServicePlanName')]", ] + kind = "app" + location = "[parameters('location')]" + name = "[variables('webAppPortalName')]" + properties = { + serverFarmId = "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" + siteConfig = { + linuxFxVersion = "[parameters('linuxFxVersion')]" } } + tags = "[parameters('resourceTags')]" + type = "Microsoft.Web/sites" }, ] + variables = { + uniqueStorageName = "[concat(parameters('storagePrefix'), uniqueString(resourceGroup().id))]" + webAppPortalName = "[concat(parameters('webAppPrefix'), uniqueString(resourceGroup().id))]" } } ) } Plan: 1 to add, 0 to change, 0 to destroy. Changes to Outputs: + arm_example_output = (known after apply) azurerm_resource_group_template_deployment.resources: Creating... azurerm_resource_group_template_deployment.resources: Still creating... [10s elapsed] azurerm_resource_group_template_deployment.resources: Still creating... [20s elapsed] azurerm_resource_group_template_deployment.resources: Still creating... [30s elapsed] azurerm_resource_group_template_deployment.resources: Still creating... [40s elapsed] azurerm_resource_group_template_deployment.resources: Still creating... [50s elapsed] azurerm_resource_group_template_deployment.resources: Still creating... [1m0s elapsed] azurerm_resource_group_template_deployment.resources: Still creating... [1m10s elapsed] azurerm_resource_group_template_deployment.resources: Creation complete after 1m13s [id=/subscriptions/9exxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/] ft.Resources/deployments/] Apply complete! Resources: 1 added, 0 changed, 0 destroyed. Outputs: arm_example_output = { "blob" = "" "dfs" = "" "file" = "" "queue" = "" "table" = "" "web" = "" } .\091-Complete_ARM_Template> |
After deployment I checked deployment section they looks good and successfully deployed. Check for more information.
The best part is that you can destroy the ARM template deployment easily. However, one drawback I found is that if the ARM template deployment fails for some reason, you cannot reuse the same deployment name. In such cases, you may need to delete the previous deployment before trying again with same deployment name. You can tackle this issue using creating random string for new deployments name only if deployment on resource group is failed..
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 |
.\091-Complete_ARM_Template> terraform destroy --auto-approve azurerm_resource_group_template_deployment.resources: Refreshing state... [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/] Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: - destroy Terraform will perform the following actions: # azurerm_resource_group_template_deployment.resources will be destroyed - resource "azurerm_resource_group_template_deployment" "resources" { - deployment_mode = "Incremental" -> null - id = "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/" -> null - name = "" -> null - output_content = jsonencode( { - storageEndpoint = { - type = "Object" - value = { - blob = "" - dfs = "" - file = "" - queue = "" - table = "" - web = "" } } } ) -> null - parameters_content = jsonencode( { - appServicePlanName = { - value = "exampleplan" } - containerName = { - value = "testcontainer" } - linuxFxVersion = { - value = "php|7.0" } - location = { - value = "eastus" } - resourceTags = { - value = { - Environment = "Dev" - Project = "Tutorial" } } - storagePrefix = { - value = "vcloudlabsa" } - storageSKU = { - value = "Standard_LRS" } - webAppPrefix = { - value = "vcloudlabwa" } } ) -> null - resource_group_name = "" -> null - tags = {} -> null - template_content = jsonencode( { - "$schema" = "" - contentVersion = "" - outputs = { - storageEndpoint = { - type = "Object" - value = "[reference(variables('uniqueStorageName')).primaryEndpoints]" } } - parameters = { - appServicePlanName = { - defaultValue = "exampleplan" - type = "String" } - containerName = { - defaultValue = "test" - type = "String" } - linuxFxVersion = { - defaultValue = "php|7.0" - metadata = { - description = "The Runtime stack of current web app" } - type = "String" } - location = { - defaultValue = "[resourceGroup().location]" - type = "String" } - resourceTags = { - defaultValue = { - Environment = "Dev" - Project = "Tutorial" } - type = "Object" } - storagePrefix = { - maxLength = 11 - minLength = 3 - type = "String" } - storageSKU = { - allowedValues = [ - "Standard_LRS", - "Standard_GRS", - "Standard_RAGRS", - "Standard_ZRS", - "Premium_LRS", - "Premium_ZRS", - "Standard_GZRS", - "Standard_RAGZRS", ] - defaultValue = "Standard_LRS" - type = "String" } - webAppPrefix = { - metadata = { - description = "Base name of the resource such as web app name and app service plan " } - minLength = 2 - type = "String" } } - resources = [ - { - apiVersion = "2021-09-01" - kind = "StorageV2" - location = "[parameters('location')]" - name = "[variables('uniqueStorageName')]" - properties = { - supportsHttpsTrafficOnly = true } - sku = { - name = "[parameters('storageSKU')]" } - tags = "[parameters('resourceTags')]" - type = "Microsoft.Storage/storageAccounts" }, - { - apiVersion = "2023-05-01" - dependsOn = [ - "[resourceId('Microsoft.Storage/storageAccounts', variables('uniqueStorageName'))]", ] - name = "[concat(variables('uniqueStorageName'), '/default')]" - properties = { - containerDeleteRetentionPolicy = { - days = 7 - enabled = true } - deleteRetentionPolicy = { - allowPermanentDelete = false - days = 7 - enabled = true } } - sku = { - name = "Standard_RAGRS" - tier = "Standard" } - type = "Microsoft.Storage/storageAccounts/blobServices" }, - { - apiVersion = "2023-05-01" - dependsOn = [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('uniqueStorageName'), 'default')]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('uniqueStorageName'))]", ] - name = "[concat(variables('uniqueStorageName'), '/default/', parameters('containerName'))]" - properties = { - defaultEncryptionScope = "$account-encryption-key" - denyEncryptionScopeOverride = false - immutableStorageWithVersioning = { - enabled = false } - publicAccess = "None" } - type = "Microsoft.Storage/storageAccounts/blobServices/containers" }, - { - apiVersion = "2021-03-01" - kind = "linux" - location = "[parameters('location')]" - name = "[parameters('appServicePlanName')]" - properties = { - perSiteScaling = false - reserved = true - targetWorkerCount = 0 - targetWorkerSizeId = 0 } - sku = { - capacity = 1 - family = "B" - name = "B1" - size = "B1" - tier = "Basic" } - tags = "[parameters('resourceTags')]" - type = "Microsoft.Web/serverfarms" }, - { - apiVersion = "2021-03-01" - dependsOn = [ - "[parameters('appServicePlanName')]", ] - kind = "app" - location = "[parameters('location')]" - name = "[variables('webAppPortalName')]" - properties = { - serverFarmId = "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" - siteConfig = { - linuxFxVersion = "[parameters('linuxFxVersion')]" } } - tags = "[parameters('resourceTags')]" - type = "Microsoft.Web/sites" }, ] - variables = { - uniqueStorageName = "[concat(parameters('storagePrefix'), uniqueString(resourceGroup().id))]" - webAppPortalName = "[concat(parameters('webAppPrefix'), uniqueString(resourceGroup().id))]" } } ) -> null # (2 unchanged attributes hidden) } Plan: 0 to add, 0 to change, 1 to destroy. Changes to Outputs: - arm_example_output = { - blob = "" - dfs = "" - file = "" - queue = "" - table = "" - web = "" } -> null azurerm_resource_group_template_deployment.resources: Destroying... [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/] azurerm_resource_group_template_deployment.resources: Still destroying... [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-...t.Resources/deployments/, 10s elapsed] azurerm_resource_group_template_deployment.resources: Still destroying... [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-...t.Resources/deployments/, 20s elapsed] azurerm_resource_group_template_deployment.resources: Still destroying... [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-...t.Resources/deployments/, 30s elapsed] azurerm_resource_group_template_deployment.resources: Still destroying... [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-...t.Resources/deployments/, 40s elapsed] azurerm_resource_group_template_deployment.resources: Still destroying... [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-...t.Resources/deployments/, 50s elapsed] azurerm_resource_group_template_deployment.resources: Still destroying... [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-...t.Resources/deployments/, 1m0s elapsed] azurerm_resource_group_template_deployment.resources: Destruction complete after 1m3s Destroy complete! Resources: 1 destroyed. .\091-Complete_ARM_Template> |
In the end, I will use Terraform with ARM template only as a last resort if things are not working as expected. Alternatively if you just want to deploy the ARM template you can make use of PowerShell as below.
Useful Articles
Azure resource group deployments with ARM JSON templates in Subscription with PowerShell
Create CPU quota usage alerts for subscription using Azure ARM templates
Configure CPU quota usage alerts for subscription using Azure Bicep templates
Deploy CPU quota usage alerts for subscription using Terraform azapi provider
Hashicorp Terraform map and object inside module and variable example
Terraform one module deploy null or multiple resources based on input
Terraform A reference to a resource type must be followed by at least one attribute access, specifying the resource name
Terraform fore_each for loop filter with if condition example
Terraform remote-exec provisioner with ssh connection in null_resource
Terraform count vs for_each for examples with map of objects