Configure terraform on azure devops
July 29, 2021
Azure devops
Install terraform tasks: link
Terraform on azure pipelines best practice
All in code
Application code, infrastructure, CI/CD pipeline all in the same repository.
Terraform
Login into azure in order to run terraform:
az login
az logout
We don’t want that for automating - setup a service principal which is an automated user that terraform can access. It is a system account that can be created in azure devops.
Service principal environment variables:
- ARMCLIENTID
- ARMCLIENTSECRET
- ARMTENANTID
- ARMSUBSCRIPTIONID
These values are very sensitive. See docs
A service principal will be created when creating a service connection to ARM automatically on azure devops. It is possible to create a service principal manually and use it in a service connection when choosing service principal (manual):
az login
az account list # id is subscription_id
az account set -s "SUBSCRIPTION_ID"
az ad sp create-for-rbac -n "NAME" --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"
az ad sp delete --id
Azure devops
Create a new project. Setup service connections to azure: project settings -> service connections. Create service connections to azure resource manager. Service connections - connections to other systems.
- create a new pipeline
Create a storage account for terraform state files
Deploy a storage account and create a container within it to hold the state json files. SAS Token to access it.
az storage account create \
--name terraformstorageacc \
--resource-group storageRg \
--kind StorageV2 \
--sku Standard_LRS \
--https-only true \
--allow-blob-public-access false
Terraform remote state via backend. Azure blob storage locking and workspaces.
Init with backend: terraform init -backend-config=backend-config.txt
TODO:
[] Per branch development [] Automate creating storage account with terraform