Baseline Environment on Azure in Terraform is a set of reference Terraform templates
- GNU Make
- Terraform 1.6 or later
- Azure CLI
- GitHub CLI
For development:
See Makefile for details.
# Show help

```console
❯ cd infra; make help
ci-test               ci test
deploy                deploy resources
destroy               destroy resources
format                format terraform codes
info                  show information
install-deps-dev      install dependencies for development
test                  test codes
```
| Scenario | Overview |
|---|---|
| configure_github_secrets | Configure GitHub secrets (CLI version: configure-github-secrets.sh) |
| create_policies | Create Azure Policy definitions and assignments |
| create_service_principal | Create a service principal (CLI version: create-service-principal.sh) |
| create_user_group | Create a new user and group in Microsoft Entra ID |
| tfstate_backend | Create Terraform state backend on Azure Storage |
| workshop_azure_openai | Workshop for Azure OpenAI Service |
```bash
# Go to the `infra` directory
cd infra
# Log in to Azure
az login
# (Optional) Confirm the details for the currently logged-in user
az ad signed-in-user show
# Authenticate with a GitHub host
gh auth login
# (Optional) Display the active account and authentication state on each known GitHub host
gh auth status
# Set variables
export ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
SCENARIO="YOUR_SCENARIO"   # one of the scenario names in the table above, e.g. workshop_azure_openai
# Deploy infrastructure
make deploy SCENARIO=$SCENARIO
# Destroy infrastructure
make destroy SCENARIO=$SCENARIO
```
Override Input Variables

Terraform reads any environment variable named `TF_VAR_<name>` as the value of the input variable `<name>`, so a variable declared in `variables.tf` can be overridden without editing the files:

```bash
# Override the `name` variable defined in `variables.tf`
export TF_VAR_name="youruniquename"
# Deploy infrastructure
terraform apply
```
Currently, Terraform state is stored in the local file system by default. To store the state in Azure Storage, override the backend configuration by creating an `override.tf` file in the scenario directory; Terraform loads files named `override.tf` after all other configuration files and merges them in last, so the backend block declared there takes effect. If the storage account has shared-key access disabled (see below), add `use_azuread_auth = true` to the backend block so that Terraform authenticates to the state container with Entra ID instead of the account key.
Refer to the following documents for more information:
Here is an example of how to override the backend configuration:
```bash
SCENARIO="your_scenario_name" # e.g., "workshop_azure_openai"
# Go to the scenario directory
cd infra/scenarios/$SCENARIO
# Create an override.tf file for the specific scenario
cat <<EOF > override.tf
terraform {
  backend "azurerm" {
    container_name       = "yourcontainername"
    resource_group_name  = "yourresourcegroupname"
    storage_account_name = "yourstorageaccountname"
    key                  = "$SCENARIO.tfstate"
  }
}
EOF
# Then run `terraform init`, `terraform apply`, etc.
```
To prevent shared key authorization for an Azure Storage account, refer to Prevent Shared Key authorization for an Azure Storage account. Once shared-key access is disabled, the blob data plane rejects every request signed with an account key, so each client of the state container, including the Terraform backend, must authenticate with Entra ID and hold an RBAC data role (for example Storage Blob Data Owner) on the container.
```bash
STORAGE_ACCOUNT_NAME="<YOUR_STORAGE_ACCOUNT_NAME>"
RESOURCE_GROUP_NAME="<YOUR_RESOURCE_GROUP_NAME>"
# Disable Shared Key authorization
az storage account update \
  --name $STORAGE_ACCOUNT_NAME \
  --resource-group $RESOURCE_GROUP_NAME \
  --allow-shared-key-access false
# Verify that Shared Key access is not allowed (expected output: false)
az storage account show \
  --name $STORAGE_ACCOUNT_NAME \
  --resource-group $RESOURCE_GROUP_NAME \
  --query "allowSharedKeyAccess"
```
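With shared-key access disabled, the backend in the `override.tf` above can no longer read or write the state container with the account key, so Terraform has to use Entra ID. The script below is an added example and not part of this repository: it writes an `override.tf` with `use_azuread_auth = true`, grants the signed-in user the Storage Blob Data Owner role scoped to the state container only (the role the azurerm backend documentation calls for when Entra ID authentication is used), and migrates any existing local state. The function names, the command-line usage and the role choice are this example's assumptions, not something the repository's Makefile provides.

```bash
#!/usr/bin/env bash
# Added example (not part of this repository): azurerm backend with Entra ID
# authentication, for a storage account where allowSharedKeyAccess is false.
set -eu

# Write override.tf for one scenario directory. With use_azuread_auth = true the
# backend uses the caller's bearer token (az login, service principal or OIDC)
# instead of listing the account keys; a key-signed request would be refused
# by the data plane once shared key access is disabled.
write_backend_override() {
  dir=$1 scenario=$2 rg=$3 sa=$4 container=$5
  cat > "$dir/override.tf" <<EOF
terraform {
  backend "azurerm" {
    resource_group_name  = "$rg"
    storage_account_name = "$sa"
    container_name       = "$container"
    key                  = "$scenario.tfstate"
    use_azuread_auth     = true
  }
}
EOF
}

# Resource ID of the blob container: the narrowest scope an RBAC data role can be
# assigned at, so the identity gets no access to other containers or accounts.
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

# Grant the signed-in user a data-plane role on the container. Contributor or
# Owner on the resource group is a management-plane role and is not enough.
grant_state_access() {
  sub=$1 rg=$2 sa=$3 container=$4
  principal=$(az ad signed-in-user show --query id --output tsv)
  az role assignment create \
    --assignee-object-id "$principal" \
    --assignee-principal-type User \
    --role "Storage Blob Data Owner" \
    --scope "$(container_scope "$sub" "$rg" "$sa" "$container")" \
    --output none
}

main() {
  scenario=$1 rg=$2 sa=$3 container=$4      # assumed argument order
  sub=$(az account show --query id --output tsv)
  grant_state_access "$sub" "$rg" "$sa" "$container"
  dir="infra/scenarios/$scenario"
  write_backend_override "$dir" "$scenario" "$rg" "$sa" "$container"
  # Copy the local terraform.tfstate into the container. A missing role
  # assignment or a still-enabled key path fails here, before any apply.
  (cd "$dir" && terraform init -migrate-state)
}

# Usage: bash state-backend-entra.sh <scenario> <resource-group> <storage-account> <container>
[ $# -eq 0 ] || main "$@"
```

Run it from the repository root after `az login`. Role assignments can take a minute to propagate; if `terraform init` reports a 403 on the container, re-run it rather than re-enabling shared-key access.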
Azure Provider: Authenticating using a Service Principal with a Client Secret describes how to authenticate with Azure this way.
This is not recommended for production use: the client secret is a long-lived credential that has to be stored in GitHub Actions secrets, and Contributor at subscription scope gives it a wide blast radius if it leaks. For production use, consider using OpenID Connect instead (see below), which stores no secret at all.

```bash
SUBSCRIPTION_ID=$(az account show --query id --output tsv)
# Create the service principal and capture appId, password and tenant from its output.
# Contributor on the whole subscription is broad; narrow --scopes to a resource group when the tests allow it.
read -r appId password tenant <<< "$(az ad sp create-for-rbac \
  --name="test-baseline-environment-on-azure-terraform" \
  --role="Contributor" \
  --scopes="/subscriptions/$SUBSCRIPTION_ID" \
  --query "[appId,password,tenant]" --output tsv)"
# Without --query the command prints the same values as JSON:
# {
#   "appId": "<YOUR_APPLICATION_ID>",
#   "displayName": "test-baseline-environment-on-azure-terraform",
#   "password": "<YOUR_PASSWORD>",
#   "tenant": "<YOUR_TENANT>"
# }
# Register secrets on GitHub (the password is the client secret and is shown only once)
gh secret set ARM_CLIENT_ID --body "$appId"
gh secret set ARM_CLIENT_SECRET --body "$password"
gh secret set ARM_TENANT_ID --body "$tenant"
gh secret set ARM_SUBSCRIPTION_ID --body "$SUBSCRIPTION_ID"
# Set environment variables so the same service principal is used for a local test run
export ARM_CLIENT_ID=$appId
export ARM_CLIENT_SECRET=$password
export ARM_TENANT_ID=$tenant
export ARM_SUBSCRIPTION_ID=$SUBSCRIPTION_ID
# Run tests
cd infra
make ci-test
```
To configure a federated credential for OpenID Connect, follow these two steps:
- Install GitHub CLI and authenticate with GitHub.
- Run the following commands to create a new service principal and configure OpenID Connect.

```bash
# Create a new service principal
bash scripts/create-service-principal.sh
# Configure GitHub secrets
bash scripts/configure-github-secrets.sh
```
Details are described in Use GitHub Actions to connect to Azure with OpenID Connect.
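As an added example of what such a setup does end to end (this is not the repository's `create-service-principal.sh` or `configure-github-secrets.sh`, whose contents are not shown here): register an application and service principal, assign it a role, add a federated identity credential that trusts GitHub's OIDC issuer for exactly one repository and branch or environment, and store only non-secret identifiers in GitHub. The secret names reuse the `ARM_*` names from the client-secret flow above because that is what the azurerm provider reads; the repository's scripts may use different names. The role, its scope, the application name and the credential naming are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not this repository's scripts): GitHub Actions -> Azure via
# OpenID Connect. No client secret is created, printed or stored anywhere.
set -eu

GITHUB_ISSUER="https://token.actions.githubusercontent.com"
TOKEN_AUDIENCE="api://AzureADTokenExchange"

# Subject claim GitHub puts in the workflow's ID token. Entra ID matches it
# exactly, so a credential issued for main cannot be used by a feature branch
# or by a pull request from a fork.
#   oidc_subject OWNER/REPO ref main         -> repo:OWNER/REPO:ref:refs/heads/main
#   oidc_subject OWNER/REPO environment prod -> repo:OWNER/REPO:environment:prod
oidc_subject() {
  case $2 in
    ref)         printf 'repo:%s:ref:refs/heads/%s' "$1" "$3" ;;
    environment) printf 'repo:%s:environment:%s' "$1" "$3" ;;
    *) echo "unknown subject kind: $2 (use ref or environment)" >&2; return 1 ;;
  esac
}

# JSON body accepted by `az ad app federated-credential create --parameters`.
fic_json() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}' \
    "$1" "$GITHUB_ISSUER" "$2" "$TOKEN_AUDIENCE"
}

main() {
  repo=$1 kind=$2 target=$3            # e.g. my-org/my-repo ref main
  app_name=${4:-baseline-environment-on-azure-terraform-oidc}   # assumed name
  sub=$(az account show --query id --output tsv)
  tenant=$(az account show --query tenantId --output tsv)

  app_id=$(az ad app create --display-name "$app_name" --query appId --output tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id --output tsv)
  # Object-id based assignment avoids the directory replication race that can
  # make `--assignee <appId>` fail immediately after creation. Contributor on
  # the subscription mirrors the client-secret flow above; narrow it if you can.
  az role assignment create --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal \
    --role Contributor --scope "/subscriptions/$sub" --output none

  params=$(mktemp)
  fic_json "github-$kind-$target" "$(oidc_subject "$repo" "$kind" "$target")" > "$params"
  az ad app federated-credential create --id "$app_id" --parameters "$params" --output none
  rm -f "$params"

  # Identifiers only: none of these values is a credential.
  gh secret set ARM_CLIENT_ID --repo "$repo" --body "$app_id"
  gh secret set ARM_TENANT_ID --repo "$repo" --body "$tenant"
  gh secret set ARM_SUBSCRIPTION_ID --repo "$repo" --body "$sub"
  echo "Done. The workflow needs 'permissions: id-token: write' and ARM_USE_OIDC=true in its env."
}

# Usage: bash setup-oidc.sh OWNER/REPO ref main
#        bash setup-oidc.sh OWNER/REPO environment prod
[ $# -eq 0 ] || main "$@"
```

In the workflow, the azurerm provider exchanges the GitHub ID token for an Entra ID token when `ARM_USE_OIDC=true` is set alongside `ARM_CLIENT_ID`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID`; the job must declare `permissions: id-token: write` or GitHub will not mint the token. Each branch or environment that deploys needs its own federated credential, which is the point: trust is granted per subject rather than to anyone holding a secret.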