Baseline Environment on Azure in Terraform is a set of reference Terraform templates
ks6088ts-labs/baseline-environment-on-azure-terraform
baseline-environment-on-azure-terraform

Prerequisites

For development:

Usage

See Makefile for details.

# Show help
cd infra; make help
ci-test                        ci test
deploy                         deploy resources
destroy                        destroy resources
format                         format terraform codes
info                           show information
install-deps-dev               install dependencies for development
test                           test codes

Scenarios

Scenario                   Overview
configure_github_secrets   Configure GitHub secrets (CLI version: configure-github-secrets.sh)
create_policies            Create Azure Policy definitions and assignments
create_service_principal   Create a service principal (CLI version: create-service-principal.sh)
create_user_group          Create a new user and group in Microsoft Entra ID
tfstate_backend            Create Terraform state backend on Azure Storage
workshop_azure_openai      Workshop for Azure OpenAI Service

How to manage infrastructure on Azure using Terraform

Azure Provider: Authenticating using the Azure CLI > Configuring Azure CLI authentication in Terraform

# Go to the `infra` directory
cd infra

# Log in to Azure
az login

# (Optional) Confirm the details for the currently logged-in user
az ad signed-in-user show

# Authenticate with a GitHub host.
gh auth login

# (Optional) Display active account and authentication state on each known GitHub host.
gh auth status

# Set variables
export ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
SCENARIO="YOUR_SCENARIO"

# Deploy infrastructure
make deploy SCENARIO=$SCENARIO

# Destroy infrastructure
make destroy SCENARIO=$SCENARIO

Customize deployment

# Override `name` variable defined in `variables.tf`
export TF_VAR_name="youruniquename"

# Deploy infrastructure
terraform apply

Currently, Terraform state is stored in the local file system by default. To store the state in Azure Storage, you can override the backend configuration by creating an override.tf file. Refer to the following documents for more information:

Here is an example of how to override the backend configuration:

SCENARIO="your_scenario_name" # e.g., "workshop_azure_openai"

# Go to the infra directory
cd infra/scenarios/$SCENARIO

# Create override.tf file to a specific scenario
cat <<EOF > override.tf
terraform {
  backend "azurerm" {
    container_name       = "yourcontainername"
    resource_group_name  = "yourresourcegroupname"
    storage_account_name = "yourstorageaccountname"
    key                  = "$SCENARIO.tfstate"
  }
}
EOF

# Do something like `terraform init`, `terraform apply`, etc.

To prevent Shared Key authorization for an Azure Storage account, refer to Prevent Shared Key authorization for an Azure Storage account.

STORAGE_ACCOUNT_NAME="<YOUR_STORAGE_ACCOUNT_NAME>"
RESOURCE_GROUP_NAME="<YOUR_RESOURCE_GROUP_NAME>"

# Disable Shared Key authorization
az storage account update \
    --name $STORAGE_ACCOUNT_NAME \
    --resource-group $RESOURCE_GROUP_NAME \
    --allow-shared-key-access false

# Verify that Shared Key access is not allowed
az storage account show \
    --name $STORAGE_ACCOUNT_NAME \
    --resource-group $RESOURCE_GROUP_NAME \
    --query "allowSharedKeyAccess"
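The two steps above (an override.tf pointing the backend at Azure Storage, then disabling Shared Key access on that account) only work together if the backend authenticates with Microsoft Entra ID and the running identity holds a blob data-plane role. The following is an added example, not code from this repository: the storage-account side would live in the tfstate_backend scenario and the backend block in a scenario's override.tf; the resource names, location and the current caller as the state writer are assumptions.

```hcl
# Added example (not this repository's code): state storage that still works once
# Shared Key authorization is off. Names, location and principal are assumptions.
# --- tfstate_backend side: the storage account that holds the state ---
resource "azurerm_storage_account" "tfstate" {
  name                     = "yourstorageaccountname"
  resource_group_name      = "yourresourcegroupname"
  location                 = "japaneast"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # The default is shared_access_key_enabled = true (anyone holding the account
  # key can read or overwrite the state); keep it off so that only Entra ID
  # identities with an RBAC data-plane role can reach the blob.
  shared_access_key_enabled       = false
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false

  blob_properties {
    versioning_enabled = true # lets you recover an overwritten state blob
  }
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "yourcontainername"
  storage_account_name  = azurerm_storage_account.tfstate.name
  container_access_type = "private"
}

# Without shared keys, a control-plane role such as Contributor is not enough:
# the identity running terraform needs a data-plane role on the account/container.
data "azurerm_client_config" "current" {}

resource "azurerm_role_assignment" "tfstate_writer" {
  scope                = azurerm_storage_account.tfstate.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

# --- scenario side: override.tf in infra/scenarios/<SCENARIO> ---
terraform {
  backend "azurerm" {
    resource_group_name  = "yourresourcegroupname"
    storage_account_name = "yourstorageaccountname"
    container_name       = "yourcontainername"
    key                  = "workshop_azure_openai.tfstate"
    use_azuread_auth     = true # talk to blob storage with Entra ID, not the account key
  }
}
```

If `use_azuread_auth` is left at its default, `terraform init` tries to fetch the account key and fails with an authorization error once Shared Key access is disabled, which is the quickest way to confirm the setting took effect.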

Development

Run local tests

# Set environment variables to authenticate using a service principal with a client secret
export ARM_CLIENT_ID=$appId
export ARM_CLIENT_SECRET=$password
export ARM_TENANT_ID=$tenant
export ARM_SUBSCRIPTION_ID=$SUBSCRIPTION_ID

# Run tests
cd infra
make ci-test

Set up GitHub Actions

Azure Provider: Authenticating using a Service Principal with a Client Secret describes several ways to authenticate with Azure.

Service Principal

This is not recommended for production use, since the client secret needs to be stored in GitHub Actions secrets. For production use, consider using OpenID Connect instead.

SUBSCRIPTION_ID=$(az account show --query id --output tsv)

az ad sp create-for-rbac \
    --name="test-baseline-environment-on-azure-terraform" \
    --role="Contributor" \
    --scopes="/subscriptions/$SUBSCRIPTION_ID"
# {
#   "appId": "<YOUR_APPLICATION_ID>",
#   "displayName": "test-baseline-environment-on-azure-terraform",
#   "password": "<YOUR_PASSWORD>",
#   "tenant": "<YOUR_TENANT>"
# }

# Register secrets on GitHub
gh secret set ARM_CLIENT_ID --body $appId
gh secret set ARM_CLIENT_SECRET --body $password
gh secret set ARM_TENANT_ID --body $tenant
gh secret set ARM_SUBSCRIPTION_ID --body $SUBSCRIPTION_ID

(Recommended) OpenID Connect

Configure the federated credential by following one of the two approaches below.

1. Shell script

  1. Install GitHub CLI and authenticate with GitHub.
  2. Run the following commands to create a new service principal and configure OpenID Connect.

# Create a new service principal
bash scripts/create-service-principal.sh

# Configure GitHub secrets
bash scripts/configure-github-secrets.sh

2. Terraform

Details are described in Use GitHub Actions to connect to Azure with OpenID Connect.
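As an added example of the Terraform approach (not code from this repository or from the linked document), the following creates an Entra application whose only credential is a federation with GitHub's OIDC issuer, so no client secret is ever generated or stored in GitHub Actions secrets. It assumes the azuread 3.x and azurerm 4.x providers, reuses the Contributor role and subscription scope from the client-secret steps above, and uses this repository's main branch as a placeholder subject.

```hcl
# Added example (not this repository's code): Entra application federated with
# GitHub Actions OIDC. Assumes azuread ~> 3.0 / azurerm ~> 4.0; subject is a placeholder.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
  }
}

provider "azurerm" {
  features {} # subscription is taken from ARM_SUBSCRIPTION_ID, as exported in the steps above
}

data "azurerm_subscription" "current" {}

resource "azuread_application" "github" {
  display_name = "test-baseline-environment-on-azure-terraform"
}

resource "azuread_service_principal" "github" {
  client_id = azuread_application.github.client_id
}

# Trust only tokens GitHub issues for this repository's main branch; the subject
# is matched exactly, so a fork, a pull request or another branch cannot use it.
resource "azuread_application_federated_identity_credential" "github_main" {
  application_id = azuread_application.github.id
  display_name   = "github-main"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:ks6088ts-labs/baseline-environment-on-azure-terraform:ref:refs/heads/main"
}

# Same role and scope as the client-secret flow above, but bound to the
# federated service principal instead of a long-lived password.
resource "azurerm_role_assignment" "github_contributor" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.github.object_id
}

# Register these as ARM_CLIENT_ID / ARM_TENANT_ID / ARM_SUBSCRIPTION_ID; the
# workflow then sets ARM_USE_OIDC=true and needs `permissions: id-token: write`.
output "arm_client_id"       { value = azuread_application.github.client_id }
output "arm_tenant_id"       { value = data.azurerm_subscription.current.tenant_id }
output "arm_subscription_id" { value = data.azurerm_subscription.current.subscription_id }
```

Because there is no ARM_CLIENT_SECRET in this flow, a leaked copy of the repository's secrets yields nothing usable; a separate federated credential (for example with a `repo:...:environment:production` subject) is the way to grant a different trust for deployment environments.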

References
