2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail what to watch out for when configuring the Azure Provider in Terraform. The editor found it very practical and shares it here as a reference. I hope you get something out of it.
Terraform pitfalls: Azure Provider configuration
I had not used Terraform to manage resources on Azure for a long time. This week I had time to revisit it, and ran into yet another problem when using the Azure Provider.
According to the official Terraform documentation for the Azure Provider, you first have to configure the Azure authentication information. This is the same as using Azure by hand: the first step is to open the Azure portal and log in with your user name and password, and only then can you get to work. If you want Terraform to manipulate Azure resources for you, you have to tell Terraform how to log in to Azure.
Next, let's look at how to configure the Azure provider when using Terraform. For Azure authentication, Terraform (in fact, Microsoft) offers four authentication methods that you can configure in Terraform, as shown in the following figure:
For more information, see:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure
The first way: Azure Provider: Authenticating using the Azure CLI
This one is straightforward. First install the Azure CLI, then run:
PS C:\lab> az login
A web page pops up where you enter your user name and password. The login to Azure is cached on your local computer, and after that you can use Terraform with Azure. This is the easiest way, because your Azure authentication information does not have to appear in the Terraform code. However, if you run your code on a different computer, it will not work until you install the Azure CLI there, run az login, and follow the prompts to log in to Azure.
I will not cover the second and third ways here. The pitfall this time was in the fourth way:
Authenticating using a Service Principal with a Client Secret
So here is a detailed description of this approach.
This approach has a prerequisite: you must first create a Service Principal on Azure. For detailed steps, see this link:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret#creating-a-service-principal-in-the-azure-portal
After the Service Principal is created, following the reference documentation on the official website, you configure the azurerm provider in the provider.tf file. The project file structure is as follows:
PS C:\lab\dev> tree
───dev
    │───main.tf
    │───provider.tf
The provider.tf file looks like this:
provider "azurerm" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version         = "= 2.4.0"
  subscription_id = "00000000-0000-0000-0000-000000000000"
  client_id       = "00000000-0000-0000-0000-000000000000"
  client_secret   = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  tenant_id       = "00000000-0000-0000-0000-000000000000"
  features {}
}
Let me explain:
subscription_id: your Azure subscription ID
client_id: the Application (client) ID shown after creating the Service Principal
client_secret: the application secret you create after creating the Service Principal
tenant_id: the Directory (tenant) ID of the application, shown after the Service Principal is created
The main.tf file is as follows:
resource "azurerm_resource_group" "azure-tf-rg" {
  name     = "terraform-eval"
  location = "chinaeast2"
  tags = {
    "env"      = "dev"
    "location" = "China East2"
  }
}
Then run terraform init. Initialization goes fine.
PS C:\lab\dev> terraform init

Initializing the backend...

Initializing provider plugins...
- Using previously-installed hashicorp/azurerm v2.40.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Then execute terraform plan
PS C:\lab\dev> terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

----

Error: Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"invalid_request\",\"error_description\":\"AADSTS90002: Tenant '00000000-0000-0000-0000-000000000000' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\\r\\nTrace ID: xxxx-1fxxx95-xxx6-xxx4-xxxxxx00\\r\\nCorrelation ID: xxxxxxx-xxx-xxxxx\\r\\nTimestamp: 2020-12-11 07:02:40Z\",\"error_codes\":[90002],\"timestamp\":\"2020-12-11 07:02:40Z\",\"trace_id\":\"xxxx-1fxxx95-xxx6-xxx4-xxxxxx00\",\"correlation_id\":\"xxxx-1fxxx95-xxx6-xxx4xxxxxx00\",\"error_uri\":\"https://login.microsoftonline.com/error?code=90002\"}", resp:(*http.Response)(0xc0011c4b40)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:400, Message:"Failed to refresh the Token for request to https://graph.windows.net/xxxx/servicePrincipals?%24filter=appId+eq+%xxxxxx00&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc0011c4b40)}

  on provider.tf line 1, in provider "azurerm":
   1: provider "azurerm" {
Not good: red error text, an authentication problem. It says the tenant ID cannot be found, but I copied it straight from the portal, so it cannot be wrong.
Then read on: "error_uri":"https://login.microsoftonline.com
Well, this is it. I created the Service Principal on the Chinese version of Azure, but when Terraform logs in, it uses the URI of the overseas version of Azure. That's the problem.
Go back to the description of the azurerm provider on Terraform's official website:
I see that although environment is optional, it defaults to public, which is the overseas version of Azure. The root of the problem has been found, so change the Terraform code: add the environment parameter and set its value to china. The final code is as follows:
provider "azurerm" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version         = "= 2.4.0"
  environment     = "china"
  subscription_id = "00000000-0000-0000-0000-000000000000"
  client_id       = "00000000-0000-0000-0000-000000000000"
  client_secret   = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  tenant_id       = "00000000-0000-0000-0000-000000000000"
  features {}
}
Run terraform plan once more.
PS C:\lab\dev> terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

----

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_resource_group.azure-tf-rg will be created
  + resource "azurerm_resource_group" "azure-tf-rg" {
      + id       = (known after apply)
      + location = "chinaeast2"
      + name     = "terraform-eval"
      + tags     = {
          + "env"      = "dev"
          + "location" = "China East2"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

----

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
Good: the plan reports that one new resource will be added. Now run terraform apply.
PS C:\lab\dev> terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_resource_group.azure-tf-rg will be created
  + resource "azurerm_resource_group" "azure-tf-rg" {
      + id       = (known after apply)
      + location = "chinaeast2"
      + name     = "terraform-eval"
      + tags     = {
          + "env"      = "dev"
          + "location" = "China East2"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_resource_group.azure-tf-rg: Creating...
azurerm_resource_group.azure-tf-rg: Creation complete after 5s [id=/subscriptions/0000000-0000-0000-0000-0000000000/resourceGroups/terraform-eval]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Log in to your Azure China portal and go to resource groups. The terraform-eval resource group has been created successfully. Got it!
In fact, you will only hit this pitfall when you use the Chinese, US government, or German version of Azure; with the overseas version of Azure you do not have to worry about it. That is the end of this pitfall write-up, and I hope it helps you. One more point: read the relevant technical documentation carefully, so that you do not fall into traps like this one.
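An added example (not from the original article or from the azurerm project): a small Python pre-flight check for the mismatch described above. It reads the environment argument from provider.tf, identifies which cloud's Azure AD login host appears in the error text, and flags a client_secret written as a literal; the function names, the sample strings and the simplified key = "value" reader are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Azure AD login host behind each azurerm `environment` value.
LOGIN_HOST = {
    "public": "login.microsoftonline.com",
    "china": "login.chinacloudapi.cn",
    "usgovernment": "login.microsoftonline.us",
    "german": "login.microsoftonline.de",
}

def provider_args(hcl):
    """Simplified reader (assumption): collect key = "value" lines, skipping comments."""
    found = (re.match(r'\s*(\w+)\s*=\s*"([^"]*)"', line) for line in hcl.splitlines())
    return {m.group(1): m.group(2) for m in found if m}

def cloud_contacted(error_text):
    """Return the cloud whose login host appears in the error text, else None."""
    for url in re.findall(r'https://[^\s"\\]+', error_text):
        for cloud, host in LOGIN_HOST.items():
            if urlparse(url).hostname == host:
                return cloud
    return None

def diagnose(hcl, error_text, intended):
    """List the problems for a Service Principal created in the `intended` cloud."""
    args = provider_args(hcl)
    configured = args.get("environment", "public")  # provider default is public
    findings = []
    if configured != intended:
        findings.append(f'environment is "{configured}", Service Principal is in "{intended}"')
    contacted = cloud_contacted(error_text)
    if "AADSTS90002" in error_text and contacted not in (None, intended):
        findings.append(f"token request went to {LOGIN_HOST[contacted]}, "
                        f"expected {LOGIN_HOST[intended]}")
    if "client_secret" in args:
        findings.append("client_secret is a literal in provider.tf; use ARM_CLIENT_SECRET")
    return findings

# Constructed samples modelled on the article's provider.tf and error output.
BEFORE = '''provider "azurerm" {
  # environment omitted, so the default applies
  subscription_id = "00000000-0000-0000-0000-000000000000"
  client_id       = "00000000-0000-0000-0000-000000000000"
  client_secret   = "xxxxxxxx"
  tenant_id       = "00000000-0000-0000-0000-000000000000"
  features {}
}'''
# Credentials come from ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID / ARM_SUBSCRIPTION_ID.
AFTER = '''provider "azurerm" {
  environment = "china"
  features {}
}'''
ERROR = ("AADSTS90002: Tenant '00000000-0000-0000-0000-000000000000' not found. "
         '"error_uri":"https://login.microsoftonline.com/error?code=90002"')

if __name__ == "__main__":
    for finding in diagnose(BEFORE, ERROR, "china"):
        print("-", finding)
    print(diagnose(AFTER, "", "china") or "no findings")
```

The AFTER sample keeps the secret out of provider.tf by relying on the provider's ARM_* environment variables, which also keeps it out of version control.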