Open in Dev Containers

If you already have VS Code and Docker installed, you can click the badge above or here to get started. Clicking these links will cause VS Code to automatically install the Dev Containers extension if needed, clone the source code into a container volume, and spin up a dev container for use.

Topic                          Description
Event Date                     January 12, 2023
YouTube - HashiCorp            https://youtu.be/ByCeAQlJQvM
YouTube - Ashish Singh Baghel  https://youtu.be/0pNZ2UWkPfQ

Deploy Infrastructure as Code on Azure using Github Codespaces and Terraform Cloud

Concepts

Azure service principal

Terraform Cloud

Github CodeSpaces

Hands-On

  • Azure AD: Create a Service Principal with a Client Secret

    Automated tools that use Azure services should always have restricted permissions. Instead of having applications sign in as a fully privileged user, Azure offers service principals.

    An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

    • Ensure you are using the correct subscription

      List subscriptions

      az account list
      

      Set a subscription to be the current active subscription

      az account set --subscription=SUBSCRIPTION_ID
      

      Check current subscription

      az account show
      
    • Create a service principal and grant it Contributor access to the Azure subscription

      ⚠ Warning: When you create an Azure service principal using the az ad sp create-for-rbac command, the output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control.

      # fetch subscription id
      SUBSCRIPTION_ID=$(az account show --query id -o tsv)
      
      # Create service principal
      az ad sp create-for-rbac --name TerraformCloud --role Contributor --scopes /subscriptions/$SUBSCRIPTION_ID
      

      The output for a service principal with password authentication includes the password key. Make sure you copy this value - it can't be retrieved. If you lose the password, reset the service principal credentials.

      Output:

      Creating 'Contributor' role assignment under scope '/subscriptions/<yourSubscriptionId>'
      The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
      {
        "appId": "00111232-4466-6546-7897-7412321598756547",
        "displayName": "TerraformCloud",
        "password": ".XX1X~Xxxx1XXxXXxXxxxxXX1xxxXXXxXXXXxxxX",
        "tenant": "11111111-1111-1111-1111-111111111111"
      }
      

      This creates an application object and a service principal object in your home tenant. Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object will also delete its home tenant service principal object.

      List app

      az ad app list --display-name TerraformCloud -o table
      

      Check your service principal

      az ad sp list --display-name TerraformCloud -o table
      

      Check role assignment

      SP_TERRAFORM_APP_ID=$(az ad sp list --display-name TerraformCloud --query "[].appId" -o tsv)
      az role assignment list --assignee $SP_TERRAFORM_APP_ID
      
  • Terraform: Setup Terraform Cloud

    • Sign In to Terraform Cloud - https://app.terraform.io/

    • Create New Organization

    • Create variable set Azure Credentials - Apply to all workspaces

      Key                  Value            Category
      ARM_TENANT_ID        tenant           Environment Variable
      ARM_SUBSCRIPTION_ID  SUBSCRIPTION_ID  Environment Variable
      ARM_CLIENT_ID        appId            Environment Variable
      ARM_CLIENT_SECRET    password         Environment Variable

      Note: We get these values from the output of the Azure CLI create service principal command. If you lose the credentials for a service principal, use az ad sp credential reset. The reset command takes the same parameters as az ad sp create-for-rbac.

      # fetch `appId` of the service principal
      SP_TERRAFORM_APP_ID=$(az ad sp list --display-name TerraformCloud --query "[].appId" -o tsv)

      # Reset the client secret; the command identifies the service principal by --id (appId or object id).
      # --role and --scopes belong to create-for-rbac, not to credential reset; the existing role assignment is unaffected.
      az ad sp credential reset --id $SP_TERRAFORM_APP_ID
      
  • GitHub Codespaces: Create codespaces for your GitHub repository

    • Add DevContainer configuration file

      • Select Ubuntu base image
      • Select Feature - Terraform, tflint and TFGrunt
      • Rebuild container
    • Log in to Terraform Cloud

      terraform login
      

      Create Terraform User API Token (User settings > Tokens)

      Optional: Codespace Secrets

      Create Codespace Secrets. Secrets are environment variables that are encrypted and only exposed to Codespaces you create. You can store sensitive information, like tokens, that you want to access in your codespaces via environment variables. Once you have created a secret, it will be available when you create a new codespace or restart the codespace.

      Terraform CLI Environment Variable Credentials

      The value of a variable named TF_TOKEN_app_terraform_io is used as a bearer authorization token when the CLI makes service requests to the hostname app.terraform.io.

      TF_TOKEN_app_terraform_io
      
    • Define cloud block for Terraform Cloud Integration

      terraform {
        required_version = ">=1.3.0"

        cloud {
          organization = "<Your-Terraform-Cloud-Organization-Name-Here>"
          workspaces {
            name = "workspace-name"
          }
        }

        # ...
      }

      This creates a CLI-driven Terraform Cloud workflow, which lets developers iterate quickly on the configuration and work locally.

    • Initialize the configuration and create your new Terraform Cloud workspace

      terraform init
      
    • Create Infrastructure

      terraform apply
      
    • Destroy Infrastructure

      Important Note: Do not forget to destroy your unused infrastructure to save cost.

      terraform destroy
      
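An added example (not part of the original repository) that ties the service principal output and the role-assignment check from the Azure AD section to the Terraform Cloud variable set: it maps the `az ad sp create-for-rbac` fields to the ARM_* environment variables and flags any role assignment broader than Contributor on the target subscription. The JSON samples are constructed, and the function names are assumptions.

```python
import json

# Constructed sample of `az ad sp create-for-rbac` output; the values are placeholders.
SP_OUTPUT = """{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "TerraformCloud",
  "password": "placeholder-client-secret",
  "tenant": "11111111-1111-1111-1111-111111111111"
}"""

# Constructed sample of `az role assignment list --assignee <appId> -o json`,
# trimmed to the two fields the audit needs. The second entry is deliberately too broad.
ROLE_ASSIGNMENTS = """[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
  {"roleDefinitionName": "Owner", "scope": "/"}
]"""

SUBSCRIPTION_ID = "22222222-2222-2222-2222-222222222222"

# create-for-rbac output field -> Terraform Cloud environment variable (see the variable set table).
ARM_FIELDS = {"tenant": "ARM_TENANT_ID", "appId": "ARM_CLIENT_ID", "password": "ARM_CLIENT_SECRET"}


def sp_output_to_arm_vars(sp_json: str, subscription_id: str) -> dict:
    """Build the ARM_* variables the azurerm provider reads from the CLI output."""
    sp = json.loads(sp_json)
    env = {ARM_FIELDS[field]: sp[field] for field in ARM_FIELDS}
    env["ARM_SUBSCRIPTION_ID"] = subscription_id
    return env


def redacted(env: dict) -> dict:
    """Copy of the variable set safe to log: the client secret is masked."""
    return {k: ("***" if k == "ARM_CLIENT_SECRET" else v) for k, v in env.items()}


def audit_role_assignments(assignments_json: str, subscription_id: str,
                           expected_role: str = "Contributor") -> list:
    """Return one finding per assignment that leaves the subscription or exceeds expected_role."""
    wanted = f"/subscriptions/{subscription_id}".lower()
    findings = []
    for a in json.loads(assignments_json):
        role, scope = a["roleDefinitionName"], a["scope"].lower()
        if not scope.startswith(wanted):          # "/" or another subscription: too broad
            findings.append(f"{role} assigned outside the subscription at scope {a['scope']!r}")
        elif role != expected_role:               # right scope, but e.g. Owner instead of Contributor
            findings.append(f"unexpected role {role!r} at scope {a['scope']!r}")
    return findings
```

Narrower scopes (a resource group inside the subscription) pass the audit, since they are tighter than the subscription-wide Contributor assignment the hands-on creates.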

Clean Up

  • Azure: Clean Up service principal and role assignment

    Delete Role Assignment

    # fetch `appId` of service principal
    SP_TERRAFORM_APP_ID=$(az ad sp list --display-name TerraformCloud --query "[].appId" -o tsv)
    
    # List Role Assignment
    az role assignment list --assignee $SP_TERRAFORM_APP_ID
    
    # Delete Role Assignment
    az role assignment delete --assignee $SP_TERRAFORM_APP_ID
    

    Delete Application object (This will also remove Service Principal)

    # List Registered App
    az ad app list --display-name TerraformCloud -o table
    
    # List Service Principal
    az ad sp list --display-name TerraformCloud -o table
    
    # fetch Object ID of Application
    TERRAFORM_APP_OBJECT_ID=$(az ad app list --display-name TerraformCloud --query "[].id" -o tsv)
    
    # Show Application
    az ad app show --id $TERRAFORM_APP_OBJECT_ID
    
    # Delete Application
    az ad app delete --id $TERRAFORM_APP_OBJECT_ID