Learn how to manage your Terraform Azure infrastructure efficiently by storing your Terraform state file in a separate subscription for improved security, organization, and collaboration.
Managing resources across multiple Azure subscriptions with Terraform requires a good understanding of authentication, authorization, and best practices for configuration and security. This article provides a comprehensive guide to effectively manage resources in such scenarios using Terraform.
To manage resources in different Azure subscriptions with Terraform, you need to handle authentication and authorization properly. Here's a breakdown:
1. Authentication:
   - Azure CLI: log in (`az login`) with an account that has access to all relevant subscriptions. Terraform will inherit these credentials.
   - Service Principal: for automation, authenticate as a Service Principal and provide its credentials in the provider configuration (see step 2).
2. Terraform Configuration:
   - In each provider block (`provider "azurerm"`), specify the `subscription_id` of the target subscription. If using a Service Principal, provide its credentials here.
   - Declare multiple `azurerm` providers, each targeting a different subscription, and use aliases to distinguish them (e.g., `provider "azurerm" { alias = "dev" ... }`).
   - Use the `azurerm_subscription` data source to fetch subscription details dynamically.
3. State File Management:
   - Configure a remote backend (`terraform { backend "azurerm" { ... } }`) to point to your chosen storage.
4. Resource Deployment:
   - Select the target subscription for each resource with the `provider` meta-argument (e.g., `resource "azurerm_virtual_network" "example" { provider = azurerm.dev ... }`).
5. Security Considerations:
   - Avoid hardcoded credentials, adhere to least privilege, encrypt state files, and rotate credentials regularly (each point is expanded in the sections below).
Example (using Service Principal):
```hcl
# Configure Azure Provider for "dev" subscription
provider "azurerm" {
  alias           = "dev"
  features {}
  subscription_id = "your-dev-subscription-id"
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}

# Configure Azure Provider for "prod" subscription
provider "azurerm" {
  alias           = "prod"
  features {}
  subscription_id = "your-prod-subscription-id"
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}

# Define a resource in the "dev" subscription
resource "azurerm_resource_group" "dev_rg" {
  provider = azurerm.dev
  name     = "my-dev-rg"
  location = "eastus"
}
```
Remember to adapt this example to your specific needs and always prioritize security best practices.
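As an added example (not part of the original article), the `azurerm_subscription` data source from step 2 can also guard a deployment: the resource below refuses to be created if the `dev` alias resolves to a subscription other than the one expected, which catches a swapped or stale `subscription_id` before anything lands in the wrong tenant. It assumes the `dev` and `prod` provider aliases from the example above, Terraform 1.2 or later (for `precondition`), and placeholder subscription IDs.

```hcl
# Resolve each aliased provider to the subscription it actually targets.
data "azurerm_subscription" "dev" {
  provider = azurerm.dev
}

data "azurerm_subscription" "prod" {
  provider = azurerm.prod
}

# Assumed variable: the subscription IDs each alias is expected to point at.
# Placeholders here; supply real values via TF_VAR_expected_subscription_ids or a .tfvars file.
variable "expected_subscription_ids" {
  type = map(string)
  default = {
    dev  = "00000000-0000-0000-0000-000000000000" # placeholder
    prod = "11111111-1111-1111-1111-111111111111" # placeholder
  }
}

# Same resource shape as the article's example, plus a guard that fails the plan
# when the "dev" alias does not resolve to the expected dev subscription.
resource "azurerm_resource_group" "guarded_dev_rg" {
  provider = azurerm.dev
  name     = "my-dev-rg"
  location = "eastus"

  lifecycle {
    precondition {
      condition     = data.azurerm_subscription.dev.subscription_id == var.expected_subscription_ids["dev"]
      error_message = "Provider alias 'dev' does not target the expected dev subscription; refusing to deploy."
    }
  }
}

# Surface which subscription each alias resolved to, so it is visible in plan output and reviews.
output "subscriptions_in_use" {
  value = {
    dev  = data.azurerm_subscription.dev.display_name
    prod = data.azurerm_subscription.prod.display_name
  }
}
```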
This Terraform code demonstrates managing resources across two Azure subscriptions, "dev" and "prod", using a single Service Principal for authentication. It outlines creating a Service Principal, assigning it the "Contributor" role in both subscriptions, and securely storing its credentials using environment variables or Azure Key Vault. The code then configures two Azure providers in Terraform, each targeting a different subscription with the shared credentials. It showcases creating a resource group in each subscription, highlighting how to deploy to multiple subscriptions within one Terraform configuration. The example emphasizes security considerations like avoiding hardcoded credentials, adhering to least privilege, encrypting state files, and regularly rotating credentials. It provides a foundation for managing multi-subscription Azure environments with Terraform, adaptable to specific needs and infrastructure.
This example demonstrates how to manage resources in two different Azure subscriptions ("dev" and "prod") using Terraform and a Service Principal for authentication.
1. Create a Service Principal and Assign Roles:
2. Store Service Principal Credentials Securely:
```shell
export ARM_CLIENT_ID="your-client-id"
export ARM_CLIENT_SECRET="your-client-secret"
export ARM_TENANT_ID="your-tenant-id"
```
3. Terraform Configuration (main.tf):
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# Configure Azure Provider for "dev" subscription.
# client_id, client_secret and tenant_id are Terraform variables (variables.tf), populated via
# TF_VAR_client_id etc. or a .tfvars file. If these three attributes are omitted instead, the
# provider reads ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID from the environment directly.
provider "azurerm" {
  alias           = "dev"
  features {}
  subscription_id = "your-dev-subscription-id"
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}

# Configure Azure Provider for "prod" subscription (same credentials, different subscription)
provider "azurerm" {
  alias           = "prod"
  features {}
  subscription_id = "your-prod-subscription-id"
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}

# Define variables for resource group names
variable "dev_rg_name" {
  default = "my-dev-rg"
}

variable "prod_rg_name" {
  default = "my-prod-rg"
}

# Create a resource group in the "dev" subscription
resource "azurerm_resource_group" "dev_rg" {
  provider = azurerm.dev
  name     = var.dev_rg_name
  location = "eastus"
}

# Create a resource group in the "prod" subscription
resource "azurerm_resource_group" "prod_rg" {
  provider = azurerm.prod
  name     = var.prod_rg_name
  location = "westus2"
}
```
4. Variables (variables.tf):
```hcl
variable "client_id" {
  type = string
}

variable "client_secret" {
  type      = string
  sensitive = true # redacted from plan output and CLI display
}

variable "tenant_id" {
  type = string
}
```
5. Configure Terraform Backend (optional):
Add the following block to the main.tf file to store the state file in an Azure Storage Account:
```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "your-tfstate-rg"
    storage_account_name = "your-tfstate-storage"
    container_name       = "tfstate"
    key                  = "multi-subscription-example.tfstate"
  }
}
```
6. Deploy the Infrastructure:
```shell
terraform init
terraform plan
terraform apply
```
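Added example (not the article's own code) of the backend from step 5 pointing at a storage account in a separate state subscription, as the article's introduction recommends, with a management lock so the account holding the state cannot be deleted. It assumes placeholder subscription and tenant IDs, a provider alias named `mgmt`, and that the storage account and container already exist and the Service Principal already has access to them, because the backend must be reachable before `terraform init` can run.

```hcl
# Backend blocks cannot reference variables, so the IDs are literals (placeholders here).
# The Service Principal's client_id/client_secret are still read from the ARM_* environment variables.
terraform {
  backend "azurerm" {
    subscription_id      = "22222222-2222-2222-2222-222222222222" # placeholder: state subscription
    tenant_id            = "33333333-3333-3333-3333-333333333333" # placeholder: tenant
    resource_group_name  = "your-tfstate-rg"
    storage_account_name = "yourtfstatestorage" # placeholder: 3-24 lowercase alphanumerics
    container_name       = "tfstate"
    key                  = "multi-subscription-example.tfstate"
    # Authenticate to Blob storage with the SP's Azure AD token instead of a storage account key,
    # so no key is handed to the pipeline; the SP needs Storage Blob Data Contributor on the container.
    use_azuread_auth = true
  }
}

# Separate provider alias for the state subscription (assumed name "mgmt");
# the workload providers "dev" and "prod" are unchanged.
provider "azurerm" {
  alias           = "mgmt"
  features {}
  subscription_id = "22222222-2222-2222-2222-222222222222" # placeholder: state subscription
}

data "azurerm_storage_account" "tfstate" {
  provider            = azurerm.mgmt
  name                = "yourtfstatestorage" # placeholder, same account as the backend
  resource_group_name = "your-tfstate-rg"
}

# Deleting the state storage account would strand every subscription managed from this
# configuration, so lock it against deletion. The lock does not block blob reads or writes,
# so Terraform keeps working normally.
resource "azurerm_management_lock" "tfstate" {
  provider   = azurerm.mgmt
  name       = "tfstate-do-not-delete"
  scope      = data.azurerm_storage_account.tfstate.id
  lock_level = "CanNotDelete"
  notes      = "Holds Terraform state for the dev and prod subscriptions"
}
```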
Explanation:
Security Considerations:
This example provides a starting point for managing resources in multiple Azure subscriptions with Terraform. You can adapt and extend it to fit your specific needs and infrastructure requirements.
Authentication:
Terraform Configuration:
State File Management:
Resource Deployment: where resources depend on each other across subscriptions, express the ordering explicitly with `depends_on` statements.
Security Considerations:
Additional Tips:
By incorporating these additional notes and best practices, you can effectively manage resources across multiple Azure subscriptions with Terraform while maintaining a secure and well-organized infrastructure.
This table summarizes key aspects of managing resources across multiple Azure subscriptions using Terraform:

| Aspect | Options | Notes |
|---|---|---|
| Authentication | Azure CLI (`az login`); Service Principal | Terraform inherits CLI credentials; a Service Principal suits automation |
| Terraform Configuration | One `azurerm` provider per subscription, distinguished by `alias`; `azurerm_subscription` data source | Each provider block sets its own `subscription_id` |
| State File Management | `backend "azurerm"` in an Azure Storage Account | Can live in a separate subscription; encrypt and protect the state file |
| Resource Deployment | `provider = azurerm.<alias>` on each resource; `depends_on` for ordering | Deploy to several subscriptions from one configuration |
| Security Considerations | Environment variables or Azure Key Vault for credentials; least privilege; encrypted state; regular credential rotation | Never hardcode credentials in configuration |
By following the guidelines and examples presented, you can leverage Terraform's capabilities to manage multi-subscription environments effectively while adhering to security best practices. Remember to adapt the provided code snippets to your specific requirements and always prioritize the security of your infrastructure. As you gain more experience, explore advanced Terraform features and Azure services to optimize your multi-subscription management workflows further.