March 2024

Authentication and authorization with Azure – Infrastructure as Code (IaC) with Terraform

The simplest way to authenticate and authorize with Azure is to log in to your account using the Azure CLI. When you use the Azure provider within your Terraform file, it will automatically act as your account and do whatever it needs to. Now, this sounds dangerous. Admins generally have a lot of access, and having a tool that acts as an admin might not be a great idea. What if you want to plug Terraform into your CI/CD pipelines? Well, there is another way to do it – by using Azure service principals. Azure service principals allow you to access the required features without using a named user account. You can then apply the principle of least privilege to the service principal and provide only the necessary access.

Before configuring the service principal, let’s install the Azure CLI on our machine. To do so, run the following command:

$ curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

The preceding command will download a shell script and execute it using bash. The script will then automatically download and configure the Azure CLI. To confirm whether the Azure CLI is installed successfully, run the following command:

$ az --version
azure-cli 2.49.0

We see that the Azure CLI is correctly installed on the system. Now, let’s go ahead and configure the service principal.

To configure the Azure service principal, follow these steps.

Log in to Azure using the following command and follow all the steps the command prompts. You must browse to a specified URL and enter the given code. Once you’ve logged in, you will get a JSON response that will include some details, something like the following:

$ az login
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXXX to authenticate:
[
  {
    "id": "00000000-0000-0000-0000-0000000000000",
  }
]

Make a note of the id attribute, which is the subscription ID, and if you have more than one subscription, you can use the following to set it to the correct one:

$ export SUBSCRIPTION_ID="<SUBSCRIPTION_ID>"
$ az account set --subscription="$SUBSCRIPTION_ID"

Use the following command to create a service principal with the contributor role to allow Terraform to manage the subscription’s infrastructure.

Tip

Follow the principle of least privilege while granting access to the service principal. Do not give privileges thinking you might need them in the future. If any future access is required, you can grant it later.

We use contributor access for simplicity, but finer-grained access is possible and should be used:

$ az ad sp create-for-rbac --role="Contributor" \
    --scopes="/subscriptions/$SUBSCRIPTION_ID"
Creating 'Contributor' role assignment under scope '/subscriptions/<SUBSCRIPTION_ID>'
The output includes credentials that you must protect. Ensure you do not include these credentials in your code or check the credentials into your source control (for more information, see https://aka.ms/azadsp-cli):
{
  "appId": "00000000-0000-0000-0000-0000000000000",
  "displayName": "azure-cli-2023-07-02-09-13-40",
  "password": "00000000000.xx-00000000000000000",
  "tenant": "00000000-0000-0000-0000-0000000000000"
}

We’ve successfully created the service principal. The response JSON consists of appId, password, and tenant. We will need these to configure Terraform to use the service principal. In the next section, let’s define the Azure Terraform provider with the details.
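The following script is an added example that is not part of the original text. It wraps the steps of this section (set the subscription, create the service principal, keep its credentials out of files and source control) in a form that can run in a CI job. Two things in it are assumptions rather than something the section states: the role assignment is scoped to a single resource group instead of the whole subscription, to follow the Tip above, and the credentials are handed to Terraform through the azurerm provider's ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID environment variables. The function names, the resource group name and the sample JSON are constructed for the example.

```shell
#!/bin/sh
# Added example: service-principal workflow for Terraform, with the
# credentials kept in environment variables only (never written to disk).
# Assumptions (not from the original text): resource-group scoping and the
# azurerm provider's ARM_* environment variables.
set -eu

# Narrowest scope this workflow supports: one resource group, not the subscription.
# $1 = subscription id, $2 = resource group name
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Pull one string field out of the flat JSON that `az ad sp create-for-rbac`
# prints. Uses sed so the script does not depend on jq; it only handles the
# simple `"key": "value"` lines that output contains.
# $1 = key, stdin = JSON
json_field() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn the create-for-rbac output into the environment the azurerm provider
# reads. The JSON is passed as an argument (not piped) so the exports land in
# the caller's shell, and nothing is echoed, so the password never reaches the
# terminal, the job log, or shell history.
# $1 = subscription id, $2 = JSON text from create-for-rbac
export_sp_env() {
  ARM_CLIENT_ID=$(printf '%s\n' "$2" | json_field appId)
  ARM_CLIENT_SECRET=$(printf '%s\n' "$2" | json_field password)
  ARM_TENANT_ID=$(printf '%s\n' "$2" | json_field tenant)
  ARM_SUBSCRIPTION_ID=$1
  [ -n "$ARM_CLIENT_ID" ] && [ -n "$ARM_CLIENT_SECRET" ] && [ -n "$ARM_TENANT_ID" ] || {
    echo "create-for-rbac output is missing appId, password or tenant" >&2
    return 1
  }
  export ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID
}

# Live path: only meaningful when the Azure CLI is installed and you are
# logged in (az login). The output is captured, not printed.
# $1 = subscription id, $2 = resource group, $3 = service principal display name
create_sp_for_terraform() {
  command -v az >/dev/null 2>&1 || { echo "az is not installed" >&2; return 1; }
  az account set --subscription="$1"
  sp_json=$(az ad sp create-for-rbac --name "$3" --role "Contributor" \
              --scopes "$(rg_scope "$1" "$2")")
  export_sp_env "$1" "$sp_json"
}

# Example invocation, guarded so the script can be sourced or linted offline.
# Assumed names: a resource group "tf-state-rg" and a principal "terraform-ci".
if [ "${RUN_LIVE:-0}" = "1" ]; then
  create_sp_for_terraform "${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID first}" \
    "tf-state-rg" "terraform-ci"
  terraform init && terraform plan
fi
```

With RUN_LIVE=1 the script creates the principal, exports the four ARM_* variables and runs Terraform in the same shell, so the secret exists only for the lifetime of that process; without it, the helper functions are available for testing against a constructed sample.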