In this article I configure an alias on the AzureRM provider and pass that aliased provider into a child module, so the module deploys its resources with the settings and credentials the parent chose. In this demo the parent (root) module authenticates to Azure with a specific client_id, client_secret, subscription_id and tenant_id, and the child module creates a Storage Account in a Resource Group where that service principal has permission to create resources.
In the example configuration below, the azurerm provider block carries an alias attribute with the value dev. The same alias is referenced in the module block in the parent: the providers attribute is a map whose keys are the alias names the child module expects and whose values are the aliased provider configurations defined in the parent. The credentials are written inline here only to make the wiring obvious; in real use keep client_secret out of the .tf files (for example a variable marked sensitive that is supplied through a .tfvars file that is not committed, or the ARM_CLIENT_ID/ARM_CLIENT_SECRET/ARM_SUBSCRIPTION_ID/ARM_TENANT_ID environment variables the provider reads), because anything in main.tf ends up in version control. Note also that the environment variables apply to every azurerm provider block, so when two aliases need different service principals the values have to be set explicitly per block.
For the simpler case of a provider alias used directly on resources (no modules), see my earlier article: Terraform passing different credentials to different subscriptions with provider alias.
```hcl
# Parent Module defined on the root directory - main.tf
provider "azurerm" {
  features {}
  alias           = "dev"
  client_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  client_secret   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  tenant_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

########################
module "storage_account" {
  # key   = alias the child module declares in configuration_aliases
  # value = aliased provider configuration defined in this root module
  providers = {
    azurerm.dev = azurerm.dev
  }
  source                   = "./module/storage_account"
  name                     = "vcloudlabsadev"
  location                 = "East US"
  resource_group_name      = "vdev.vcloud-lab.com"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

########################
output "id" {
  value = module.storage_account.sa_info
}
```
Next, inside the child module's configuration files, the terraform block declares which provider aliases the module expects to receive from its caller using configuration_aliases; it is a list of provider references, one per alias. A module that declares an alias there does not define any credentials itself, and Terraform refuses to plan if the caller does not pass a matching entry in its providers map. In the resource block the provider attribute is set to the dev alias, so the dev credentials and configuration are used to deploy the resource.
```hcl
# Child Module located ./module/storage_account - main.tf - Storage Account
terraform {
  required_providers {
    azurerm = {
      source                = "hashicorp/azurerm"
      version               = "~> 3.0"
      # aliases this module expects the caller to supply via "providers = { ... }"
      configuration_aliases = [azurerm.dev]
    }
  }
}

###########################
variable "name" {}
variable "location" {}
variable "resource_group_name" {}
variable "account_replication_type" {}
variable "account_tier" {}

###########################
resource "azurerm_storage_account" "object" {
  name                     = var.name
  location                 = var.location
  resource_group_name      = var.resource_group_name
  account_replication_type = var.account_replication_type
  account_tier             = var.account_tier
  provider                 = azurerm.dev
}

###########################
output "sa_info" {
  value = azurerm_storage_account.object.id
}
```
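The two listings above hard-code the service principal in main.tf and use the same alias name (dev) in both parent and child, which hides the fact that the two names are independent. The following is an added example, not code from the article or its download, showing the same wiring with the secret moved into a sensitive variable and two aliases (dev and prod) served by one child module. The variable names dev_sp and prod_sp, the child-side alias name env, the prod alias and the prod resource names are assumptions made for the example.

```hcl
# --- Root module: variables.tf (added example, not from the article) ---
# Credentials come in through TF_VAR_dev_sp / TF_VAR_prod_sp or an uncommitted
# *.tfvars file. "sensitive = true" keeps them out of plan/apply output and
# nothing secret is written into main.tf.
variable "dev_sp" {
  description = "Service principal for the dev subscription (assumed name)"
  type = object({
    client_id       = string
    client_secret   = string
    subscription_id = string
    tenant_id       = string
  })
  sensitive = true
}

variable "prod_sp" {
  description = "Service principal for the prod subscription (assumed name)"
  type = object({
    client_id       = string
    client_secret   = string
    subscription_id = string
    tenant_id       = string
  })
  sensitive = true
}

# --- Root module: main.tf ---
# One aliased provider block per environment; each has its own credentials,
# which ARM_* environment variables alone cannot express for two aliases.
provider "azurerm" {
  alias           = "dev"
  features {}
  client_id       = var.dev_sp.client_id
  client_secret   = var.dev_sp.client_secret
  subscription_id = var.dev_sp.subscription_id
  tenant_id       = var.dev_sp.tenant_id
}

provider "azurerm" {
  alias           = "prod"
  features {}
  client_id       = var.prod_sp.client_id
  client_secret   = var.prod_sp.client_secret
  subscription_id = var.prod_sp.subscription_id
  tenant_id       = var.prod_sp.tenant_id
}

# Same child module, different provider behind the child's "env" alias.
module "storage_account_dev" {
  source                   = "./module/storage_account"
  providers                = { azurerm.env = azurerm.dev }  # child alias = root alias
  name                     = "vcloudlabsadev"
  location                 = "East US"
  resource_group_name      = "vdev.vcloud-lab.com"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

module "storage_account_prod" {
  source                   = "./module/storage_account"
  providers                = { azurerm.env = azurerm.prod }
  name                     = "vcloudlabsaprod"           # assumed name
  location                 = "East US"
  resource_group_name      = "vprod.vcloud-lab.com"      # assumed name
  account_tier             = "Standard"
  account_replication_type = "GRS"
}

# --- Child module: ./module/storage_account/main.tf ---
terraform {
  required_providers {
    azurerm = {
      source                = "hashicorp/azurerm"
      version               = "~> 3.0"
      configuration_aliases = [azurerm.env]   # caller must supply azurerm.env
    }
  }
}

variable "name" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "account_tier" { type = string }
variable "account_replication_type" { type = string }

resource "azurerm_storage_account" "object" {
  provider                 = azurerm.env
  name                     = var.name
  location                 = var.location
  resource_group_name      = var.resource_group_name
  account_tier             = var.account_tier
  account_replication_type = var.account_replication_type
  min_tls_version          = "TLS1_2"   # explicit, rather than relying on the provider default
}

output "sa_info" {
  value = azurerm_storage_account.object.id
}
```

The child module never sees credentials; it only knows that something called azurerm.env will be handed to it. The map in each module block is what binds that name to a concrete provider configuration, so the same module can be instantiated once per subscription without duplicating its code. If a module block omits the providers entry for a declared alias, terraform plan stops with an error about the missing provider configuration, which is the behaviour you want: a module should not silently fall back to whatever default credentials happen to be in the environment.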
Download this code: Terraform_Module_Pass_Credentials_Provider_Alias.zip. It is also available on github.com.
I tested and applied the configuration on Azure. Below is the output of the configuration.
```text
terraform apply --auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.storage_account.azurerm_storage_account.object will be created
  + resource "azurerm_storage_account" "object" {
      + access_tier                        = (known after apply)
      + account_kind                       = "StorageV2"
      + account_replication_type           = "LRS"
      + account_tier                       = "Standard"
      + allow_nested_items_to_be_public    = true
      + cross_tenant_replication_enabled   = true
      + default_to_oauth_authentication    = false
      + dns_endpoint_type                  = "Standard"
      + enable_https_traffic_only          = (known after apply)
      + https_traffic_only_enabled         = (known after apply)
      + id                                 = (known after apply)
      + infrastructure_encryption_enabled  = false
      + is_hns_enabled                     = false
      + large_file_share_enabled           = (known after apply)
      + local_user_enabled                 = true
      + location                           = "eastus"
      + min_tls_version                    = "TLS1_2"
      + name                               = "vcloudlabsadev"
      + nfsv3_enabled                      = false
      + primary_access_key                 = (sensitive value)
      + primary_blob_connection_string     = (sensitive value)
      + primary_blob_endpoint              = (known after apply)
      + primary_blob_host                  = (known after apply)
      + primary_blob_internet_endpoint     = (known after apply)
      + primary_blob_internet_host         = (known after apply)
      + primary_blob_microsoft_endpoint    = (known after apply)
      + primary_blob_microsoft_host        = (known after apply)
      + primary_connection_string          = (sensitive value)
      + primary_dfs_endpoint               = (known after apply)
      + primary_dfs_host                   = (known after apply)
      + primary_dfs_internet_endpoint      = (known after apply)
      + primary_dfs_internet_host          = (known after apply)
      + primary_dfs_microsoft_endpoint     = (known after apply)
      + primary_dfs_microsoft_host         = (known after apply)
      + primary_file_endpoint              = (known after apply)
      + primary_file_host                  = (known after apply)
      + primary_file_internet_endpoint     = (known after apply)
      + primary_file_internet_host         = (known after apply)
      + primary_file_microsoft_endpoint    = (known after apply)
      + primary_file_microsoft_host        = (known after apply)
      + primary_location                   = (known after apply)
      + primary_queue_endpoint             = (known after apply)
      + primary_queue_host                 = (known after apply)
      + primary_queue_microsoft_endpoint   = (known after apply)
      + primary_queue_microsoft_host       = (known after apply)
      + primary_table_endpoint             = (known after apply)
      + primary_table_host                 = (known after apply)
      + primary_table_microsoft_endpoint   = (known after apply)
      + primary_table_microsoft_host       = (known after apply)
      + primary_web_endpoint               = (known after apply)
      + primary_web_host                   = (known after apply)
      + primary_web_internet_endpoint      = (known after apply)
      + primary_web_internet_host          = (known after apply)
      + primary_web_microsoft_endpoint     = (known after apply)
      + primary_web_microsoft_host         = (known after apply)
      + public_network_access_enabled      = true
      + queue_encryption_key_type          = "Service"
      + resource_group_name                = "vdev.vcloud-lab.com"
      + secondary_access_key               = (sensitive value)
      + secondary_blob_connection_string   = (sensitive value)
      + secondary_blob_endpoint            = (known after apply)
      + secondary_blob_host                = (known after apply)
      + secondary_blob_internet_endpoint   = (known after apply)
      + secondary_blob_internet_host       = (known after apply)
      + secondary_blob_microsoft_endpoint  = (known after apply)
      + secondary_blob_microsoft_host      = (known after apply)
      + secondary_connection_string        = (sensitive value)
      + secondary_dfs_endpoint             = (known after apply)
      + secondary_dfs_host                 = (known after apply)
      + secondary_dfs_internet_endpoint    = (known after apply)
      + secondary_dfs_internet_host        = (known after apply)
      + secondary_dfs_microsoft_endpoint   = (known after apply)
      + secondary_dfs_microsoft_host       = (known after apply)
      + secondary_file_endpoint            = (known after apply)
      + secondary_file_host                = (known after apply)
      + secondary_file_internet_endpoint   = (known after apply)
      + secondary_file_internet_host       = (known after apply)
      + secondary_file_microsoft_endpoint  = (known after apply)
      + secondary_file_microsoft_host      = (known after apply)
      + secondary_location                 = (known after apply)
      + secondary_queue_endpoint           = (known after apply)
      + secondary_queue_host               = (known after apply)
      + secondary_queue_microsoft_endpoint = (known after apply)
      + secondary_queue_microsoft_host     = (known after apply)
      + secondary_table_endpoint           = (known after apply)
      + secondary_table_host               = (known after apply)
      + secondary_table_microsoft_endpoint = (known after apply)
      + secondary_table_microsoft_host     = (known after apply)
      + secondary_web_endpoint             = (known after apply)
      + secondary_web_host                 = (known after apply)
      + secondary_web_internet_endpoint    = (known after apply)
      + secondary_web_internet_host        = (known after apply)
      + secondary_web_microsoft_endpoint   = (known after apply)
      + secondary_web_microsoft_host       = (known after apply)
      + sftp_enabled                       = false
      + shared_access_key_enabled          = true
      + table_encryption_key_type          = "Service"

      + blob_properties (known after apply)

      + network_rules (known after apply)

      + queue_properties (known after apply)

      + routing (known after apply)

      + share_properties (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + id = (known after apply)
module.storage_account.azurerm_storage_account.object: Creating...
module.storage_account.azurerm_storage_account.object: Still creating... [10s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [20s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [30s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [40s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [50s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [1m0s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [1m10s elapsed]
module.storage_account.azurerm_storage_account.object: Still creating... [1m20s elapsed]
module.storage_account.azurerm_storage_account.object: Creation complete after 1m29s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vdev.vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsadev]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

id = "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vdev.vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsadev"
```
Just for verification purposes, I checked on the Azure Portal under Resource Group >> Storage Account >> Activity logs; I see this SA got created by the assigned client_id and in the given subscription/tenant. (The 'auditifNotExists' Policy action shows it created a new Resource and who initiated it, and "List Storage Account Keys" means I ran terraform apply multiple times with the given user.)