Get Started with Terraform Azure credentials in bash.
The most irritating part of every new technology you learn is set up which sometimes takes too much time to be done with. There are several commands in bash which could help you to manage azure Service Principal credentials. Link to official documentation about sp if you are unfamiliar with this.
Prerequisites
To have relevant information, I recommend following the HashiCorp get started in Azure tutorial. You are ready to continue if you already have Azure CLI and Terraform installed on your machine. Another solution is to use them pre-installed on Azure Cloud Shell.
Authenticating to Azure
First step is log in to Azure CLI.
az login
This will redirect you to browser for login with Microsoft account.
As the result you’ll have such a json with all of available subscriptions.
[
{
"cloudName": "AzureCloud",
"homeTenantId": "xxxx-xxxxx-xxxxx",
"id": "xxxx-xxxxx-xxxxx",
"isDefault": true,
"managedByTenants": [],
"name": "Azure subscription 1",
"state": "Enabled",
"tenantId": "xxxx-xxxxx-xxxxx",
"user": {
"name": "email@gmail.com",
"type": "user"
}
},
{...}
]
Take one and place it’s name in a variable:
#Name of your subscription
export SubName="Azure subscription 1"
Now you need to create a service principal. Terraform will use the service principal to authenticate and get access to your Azure subscription.
Create a Service Principal
To create a sp you need firstly find subscription ID.
#get subscription id
export ARM_SUBSCRIPTION_ID=$(az account list --query "[?name=='$SubName'] | [*].[id]" | jq -r '.[] | .[]')
And there is a trick: we use Azure CLI’s query flag and jq library to find information we need in the output json.
Once you have the subscription ID, then create a service principal using the Contributor role scoped to your subscription.
#create Service Principle
export sp=$(az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$ARM_SUBSCRIPTION_ID")
Set Environment Variables
Terraform needs to know four different configuration items to successfully connect to Azure.
- The Azure subscription ID
- The service principal’s Azure AD application ID
- The service principal password
- The Azure AD tenant
We can use sp variable with credentials from the last step to parse them to environment.
#Parse sp on key value
$( echo "$sp" | jq -r 'keys[] as $k | "export \($k)=\(.[$k])"' )
The next step is to create variables in Terraform format.
#write to env
export ARM_CLIENT_ID=$appId
export ARM_CLIENT_SECRET=$password
export ARM_TENANT_ID=$tenant
#this will help us later
export displayName=$displayName
Which we could write to file to execute on another machine for the fast start.
#Write to file
echo \
"export ARM_CLIENT_ID=$appId \
export ARM_CLIENT_SECRET=$password \
export ARM_TENANT_ID=$tenant \
export displayName=$displayName" >> sp_cred.sh
#Exec to env
source ./sp_cred.sh
And if you need the creds to be persistent on this machine, you need to write them in .bashrc .
#Add to .bashrc
cat sp_cred.sh >> ~/.bashrc
Work with Terraform
At this point you able to execute Terraform configuration as you wish: init, plan, apply and destroy with the power of your imagination!
Clean Up
Since this was just a demonstration and you’re probably not planning on keeping this Service Principal around, be sure to do yourself a favor and remove everything you’ve done.
It’s a place we finally use displayName
saved earlier.
#Get sp id
export spID=$(az ad sp list --all --query "[?displayName=='$displayName'] | [*].[id]"| jq -r '.[] | .[]')
#Delete sp
az ad sp delete --id $spID
Then delete the creds from .bashrc (this command just delete the last line!)
sed -i '$d' ~/.bashrc
Instead of conclusion
I want to give a shout out to Adam Bertram with his article Get Started with Terraform by Building an Azure VM which I was based on. He uses a Windows PowerShell, so I decided to rewrite his code to bash. Give him a clap too!