Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Terraform Azure provider alias passing credentials and configuration in module resources

In this article I will be configuring alias in AzureRM provider and passing it to child module. Which will allow me to configure/deploy resources with given settings and credentials. In this demo in my Parent module, I will use specific client_id, client_secret, subscription_id, tenant_id to authenticate to Azure and create Storage Account in specified Resource Group where service principle has privileges to create resource.

In the below example configuration code inside the azurerm provider block I have mentioned alias attribute with dev value. Same information I provided inside parent module block. In the providers attribute pass provider alias information as a map inside the parent module. 

Check my earlier related article for simple resources alias configuration: Terraform passing different credentials to different subscriptions with provider alias.

# Parent Module defined on the root directory - main.tf

provider "azurerm" {
  features {}
  alias           = "dev"
  client_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  client_secret   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  tenant_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

########################

module "storage_account" {
  providers = {
    azurerm.dev = azurerm.dev
  }
  source                   = "./module/storage_account"
  name                     = "vcloudlabsadev"
  location                 = "East US"
  resource_group_name      = "vdev.vcloud-lab.com"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

########################

output "id" {
  value     = module.storage_account.sa_info
}

Next inside child module tf configuration files, I am providing which providers aliases will be passed to module in terraform block with configuration_aliases. It has list of values information about alias environment. Next in the resources block I am using provider attribute and passing dev alias. This dev credentials and configuration will be used to deploy the resource.

# Child Module located ./module/storage_account - main.tf - Storage Account

terraform {
  required_providers {
    azurerm = {
      source                = "hashicorp/azurerm"
      version               = "~> 3.0"
      configuration_aliases = [azurerm.dev]
    }
  }
}

###########################

variable "name" {}
variable "location" {}
variable "resource_group_name" {}
variable "account_replication_type" {}
variable "account_tier" {}

###########################

resource "azurerm_storage_account" "object" {
  name                     = var.name
  location                 = var.location
  resource_group_name      = var.resource_group_name
  account_replication_type = var.account_replication_type
  account_tier             = var.account_tier
  provider                 = azurerm.dev
}

###########################

output "sa_info" {
  value = azurerm_storage_account.object.id
}

Download this code Terraform_Module_Pass_Credentials_Provider_Alias.zip or it is also available on github.com.

I tested the and applied the configuration on Azure, Below is the output of the configuration.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
terraform apply --auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.storage_account.azurerm_storage_account.object will be created
  + resource "azurerm_storage_account" "object" {
      + access_tier                        = (known after apply)
      + account_kind                       = "StorageV2"
      + account_replication_type           = "LRS"
      + account_tier                       = "Standard"
      + allow_nested_items_to_be_public    = true
      + cross_tenant_replication_enabled   = true
      + default_to_oauth_authentication    = false
      + dns_endpoint_type                  = "Standard"
      + enable_https_traffic_only          = (known after apply)
      + https_traffic_only_enabled         = (known after apply)
      + id                                 = (known after apply)
      + infrastructure_encryption_enabled  = false
      + is_hns_enabled                     = false
      + large_file_share_enabled           = (known after apply)
      + local_user_enabled                 = true
      + location                           = "eastus"
      + min_tls_version                    = "TLS1_2"
      + name                               = "vcloudlabsadev"
      + nfsv3_enabled                      = false
      + primary_access_key                 = (sensitive value)
      + primary_blob_connection_string     = (sensitive value)
      + primary_blob_endpoint              = (known after apply)
      + primary_blob_host                  = (known after apply)
      + primary_blob_internet_endpoint     = (known after apply)
      + primary_blob_internet_host         = (known after apply)
      + primary_blob_microsoft_endpoint    = (known after apply)
      + primary_blob_microsoft_host        = (known after apply)
      + primary_connection_string          = (sensitive value)
      + primary_dfs_endpoint               = (known after apply)
      + primary_dfs_host                   = (known after apply)
      + primary_dfs_internet_endpoint      = (known after apply)
      + primary_dfs_internet_host          = (known after apply)
      + primary_dfs_microsoft_endpoint     = (known after apply)
      + primary_dfs_microsoft_host         = (known after apply)
      + primary_file_endpoint              = (known after apply)
      + primary_file_host                  = (known after apply)
      + primary_file_internet_endpoint     = (known after apply)
      + primary_file_internet_host         = (known after apply)
      + primary_file_microsoft_endpoint    = (known after apply)
      + primary_file_microsoft_host        = (known after apply)
      + primary_location                   = (known after apply)
      + primary_queue_endpoint             = (known after apply)
      + primary_queue_host                 = (known after apply)
      + primary_queue_microsoft_endpoint   = (known after apply)
      + primary_queue_microsoft_host       = (known after apply)
      + primary_table_endpoint             = (known after apply)
      + primary_table_host                 = (known after apply)
      + primary_table_microsoft_endpoint   = (known after apply)
      + primary_table_microsoft_host       = (known after apply)
      + primary_web_endpoint               = (known after apply)
      + primary_web_host                   = (known after apply)
      + primary_web_internet_endpoint      = (known after apply)
      + primary_web_internet_host          = (known after apply)
      + primary_web_microsoft_endpoint     = (known after apply)
      + primary_web_microsoft_host         = (known after apply)
      + public_network_access_enabled      = true
      + queue_encryption_key_type          = "Service"
      + resource_group_name                = "vdev.vcloud-lab.com"
      + secondary_access_key               = (sensitive value)
      + secondary_blob_connection_string   = (sensitive value)
      + secondary_blob_endpoint            = (known after apply)
      + secondary_blob_host                = (known after apply)
      + secondary_blob_internet_endpoint   = (known after apply)
      + secondary_blob_internet_host       = (known after apply)
      + secondary_blob_microsoft_endpoint  = (known after apply)
      + secondary_blob_microsoft_host      = (known after apply)
      + secondary_connection_string        = (sensitive value)
      + secondary_dfs_endpoint             = (known after apply)
      + secondary_dfs_host                 = (known after apply)
      + secondary_dfs_internet_endpoint    = (known after apply)
      + secondary_dfs_internet_host        = (known after apply)
      + secondary_dfs_microsoft_endpoint   = (known after apply)
      + secondary_dfs_microsoft_host       = (known after apply)
      + secondary_file_endpoint            = (known after apply)
      + secondary_file_host                = (known after apply)
      + secondary_file_internet_endpoint   = (known after apply)
      + secondary_file_internet_host       = (known after apply)
      + secondary_file_microsoft_endpoint  = (known after apply)
      + secondary_file_microsoft_host      = (known after apply)
      + secondary_location                 = (known after apply)
      + secondary_queue_endpoint           = (known after apply)
      + secondary_queue_host               = (known after apply)
      + secondary_queue_microsoft_endpoint = (known after apply)
      + secondary_queue_microsoft_host     = (known after apply)
      + secondary_table_endpoint           = (known after apply)
      + secondary_table_host               = (known after apply)
      + secondary_table_microsoft_endpoint = (known after apply)
      + secondary_table_microsoft_host     = (known after apply)
      + secondary_web_endpoint             = (known after apply)
      + secondary_web_host                 = (known after apply)
      + secondary_web_internet_endpoint    = (known after apply)
      + secondary_web_internet_host        = (known after apply)
      + secondary_web_microsoft_endpoint   = (known after apply)
      + secondary_web_microsoft_host       = (known after apply)
      + sftp_enabled                       = false
      + shared_access_key_enabled          = true
      + table_encryption_key_type          = "Service"

      + blob_properties (known after apply)

      + network_rules (known after apply)

      + queue_properties (known after apply)

      + routing (known after apply)

      + share_properties (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + id = (known after apply)
module.storage_account.azurerm_storage_account.object: Creating...
module.storage_account.azurerm_storage_account.object: Still creating... [10s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [20s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [30s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [40s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [50s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [1m0s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [1m10s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [1m20s elapsed]
module.storage_account.azurerm_storage_account.object: Creation complete after 1m29s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vdev.vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsadev]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

id = "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vdev.vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsadev"

Just for the verification purpose. I checked on the Azure Portal under Resource Group >> Storage Account >> Activity logs, I see this SA got created by assigned client_id and to the subscription/tenant. ('auditifNotExists' Policy action shows, it created new Resource and who initiated it and List Storage Account Keys means I ran terraform apply multiple times with the given user)

Microsoft Azure Resource Group dev activity log access control IAM privideges configuration Terraform alias provider client_id client_secret subscription_id tenant_id audit not exist policy.png

Useful Articles
Terraform refactoring moved block example
Terraform create Azure Virtual Machines from map of objects
Terraform variable validation example
Configure Azure Storage Account Blob as Terraform backend to store tfstate file Examples of most used general purpose terraform functions
Create storage account and Service Principal using PowerShell for Terraform Azure Backend
Unlocking TF State File on Azure backend with PowerShell and Terraform Force-Unlock Command
Terraform passing different credentials to different subscriptions with provider alias
Terraform variable precedence and priority
Terraform filter map and list object with if condition in for_each loop examples
Azure DevOps Enable creation of classic build release pipelines grayed out
Adding parameters in Azure DevOps pipelines examples Part 1
Azure Web App Containers Cannot perform credential operations for providers Microsoft.ContainerRegistry ad admin user is disabled, enable it

Go Back

Comment

Blog Search

Page Views

11954766

Follow me on Blogarama