Video Courtesy: https://www.youtube.com/watch?v=lH3KT9RUEOA&list=PLLc2nQDXYMHowSZ4Lkq2jnZ0gsJL3ArAw&index=1
The first 4 videos are just an introduction to Azure and Terraform, so I had nothing much to share; the actual content starts from the 5th.
The reason behind creating the app registration in Azure is: “This registration provides your application with the necessary credentials to securely access Azure services and APIs, making your applications and services more secure and accessible.”
Select App registrations.
Give a name for the app and select Register.
We are creating an identity in Entra ID which can be used in the Terraform configuration file, and Azure can authenticate it.
We can get the client ID and the tenant ID from this tab, and we can create the client secret under the client credentials.
Generate the secret and add it to the Terraform configuration.
//main.tf
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.109.0"
    }
  }
}

provider "azurerm" {
  subscription_id = ""
  client_id       = ""
  tenant_id       = ""
  client_secret   = "" // the secret generated above; safer to leave this line out and set ARM_CLIENT_SECRET in the environment
  features {}
}

resource "azurerm_resource_group" "app_grp" {
  name     = "app-grp"
  location = "canadacentral"
}
Now Azure throws an error stating that authentication has failed. This happens because a role-based access control (RBAC) role needs to be assigned to the application object “terraform”; that role assignment is what gives terraform (the application object) access to the resources in Azure.
In the role assignment, add the member terraform → click on Select, and you can see the member is added.
Click on Review + assign.
Now run terraform plan and then terraform apply, which will create the resource group.
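The video pastes the client secret straight into main.tf. Below is an added example (mine, not from the video or these notes) of the same provider block with the secret kept out of the file: the four credentials are declared as input variables, the secret is marked sensitive, and the values come from TF_VAR_* environment variables or an untracked .tfvars file. The variable names are my own choice.

```hcl
// main.tf (added example; variable names are my own)
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.109.0"
    }
  }
}

variable "subscription_id" {
  type = string
}

variable "client_id" {
  type        = string
  description = "Application (client) ID of the terraform app registration"
}

variable "tenant_id" {
  type = string
}

variable "client_secret" {
  type        = string
  description = "Client secret of the terraform app registration; supply via TF_VAR_client_secret, never commit it"
  sensitive   = true // value is redacted in plan/apply output
}

provider "azurerm" {
  subscription_id = var.subscription_id
  client_id       = var.client_id
  tenant_id       = var.tenant_id
  client_secret   = var.client_secret
  features {}
}

resource "azurerm_resource_group" "app_grp" {
  name     = "app-grp"
  location = "canadacentral"
}
```

Before terraform plan, export TF_VAR_client_secret (and the other three TF_VAR_* values) in the shell; Terraform then never prompts for them and nothing secret sits next to the code. An even shorter option is to drop the four provider arguments entirely and set ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_TENANT_ID and ARM_CLIENT_SECRET, which the azurerm provider reads by itself. Note that sensitive = true only hides the value in console output: it is still written to the state file, so the state needs the same protection as the secret.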
The default parameters for creating the storage account are:
- Resource group
- Location
- Name
- Performance
- Redundancy
//main.tf
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.109.0"
    }
  }
}

provider "azurerm" {
  subscription_id = ""
  client_id       = ""
  tenant_id       = ""
  client_secret   = "" // or set ARM_CLIENT_SECRET in the environment instead
  features {}
}

resource "azurerm_resource_group" "app_grp" {
  name     = "app-grp"
  location = "canadacentral"
}

resource "azurerm_storage_account" "az-storage" {
  name                     = "terraformstorage1092"
  resource_group_name      = azurerm_resource_group.app_grp.name
  location                 = azurerm_resource_group.app_grp.location
  account_tier             = "Standard"
  account_replication_type = "LRS" // Locally redundant storage
  tags = {
    environment = "staging"
  }
}
There are different configuration settings for a storage account, and they can be passed as arguments of the storage account resource.
We saw in the previous video that the default value of Allow Blob public access is false.
If we now manually change that value to true in the Azure portal, the real resource no longer matches what Terraform has recorded in its state, and that difference will show up when we run other Terraform operations.
Understand more about state locking in Azure from the link below: https://learn.microsoft.com/en-us/azure/developer/terraform/store-state-in-azure-storage?tabs=azure-cli
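An added example (mine, not from the notes) of the remote backend the linked article describes: the state file lives in an Azure storage container, and the azurerm backend takes a blob lease on it for locking, so two people cannot apply against the same state at once. The resource group, storage account and container names are placeholders I made up; they must exist before terraform init is run.

```hcl
// backend.tf (added example; the names below are placeholders)
terraform {
  backend "azurerm" {
    resource_group_name  = "tfstate-rg"          // placeholder
    storage_account_name = "tfstateexample0000"  // placeholder, must already exist
    container_name       = "tfstate"             // placeholder, must already exist
    key                  = "app-grp.terraform.tfstate"
    use_azuread_auth     = true // reach the blob with the Entra ID identity instead of the storage account key
  }
}
```

After adding this file, terraform init (with -migrate-state if a local terraform.tfstate already exists) moves the state into the container. With use_azuread_auth the identity running Terraform needs blob data permissions on that container. While a plan or apply holds the lease, a second run stops with a state-lock error instead of corrupting the file; since the state holds every attribute Terraform knows (including credentials passed into the configuration), access to that container should be as restricted as access to the secrets themselves.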
resource "azurerm_storage_container" "data_container" {
  name                  = "data"
  storage_account_name  = azurerm_storage_account.az-storage.name
  container_access_type = "private"
}

resource "azurerm_storage_blob" "az_blob" {
  name                   = "my-awesome-content.zip"
  storage_account_name   = azurerm_storage_account.az-storage.name
  storage_container_name = azurerm_storage_container.data_container.name
  type                   = "Block"
  source                 = "some-local-file.zip"
}
The container access type is the level of access to the objects uploaded into the container. With the option Private, the object cannot be downloaded from its URL without authentication; once container_access_type is changed to “blob”, anyone with the URL assigned to the object can download it.
We can specify the depends_on argument in a resource block so that when Terraform creates the resources it makes sure the dependencies are met. For example: to create a blob we need a container to store it in. That is specified in the block of code shown below:
resource "azurerm_storage_blob" "az_blob" {
  name                   = "my-awesome-content.zip"
  storage_account_name   = azurerm_storage_account.az-storage.name
  storage_container_name = azurerm_storage_container.data_container.name
  type                   = "Block"
  source                 = "some-local-file.zip"
  depends_on             = [azurerm_storage_container.data_container]
}
The terraform destroy command deletes the resource group, which means it deletes all the resources associated with it, so we need to be mindful before using it.
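An added example (mine, not from the video) that puts the settings discussed above side by side: a storage account and container as permissive as the portal allows, and the hardened form a defender would want by default, including a guard against the terraform destroy accident just described. The argument names are those of the azurerm 3.x provider pinned in these notes; the storage account names are made up, and the block assumes the azurerm_resource_group.app_grp resource from the earlier main.tf.

```hcl
// Weak: public blob access allowed at the account, and a container that
// serves its blobs anonymously to anyone holding the URL.
resource "azurerm_storage_account" "weak" {
  name                            = "terraformweak1092" // constructed name
  resource_group_name             = azurerm_resource_group.app_grp.name
  location                        = azurerm_resource_group.app_grp.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  allow_nested_items_to_be_public = true // portal: "Allow Blob public access"
}

resource "azurerm_storage_container" "weak_data" {
  name                  = "data"
  storage_account_name  = azurerm_storage_account.weak.name
  container_access_type = "blob" // anonymous read of every blob in the container
}

// Hardened: anonymous access switched off at the account level (so a later
// container-level change to "blob" cannot reopen it), TLS 1.2 and HTTPS
// enforced, and prevent_destroy so that `terraform destroy` or a renamed
// resource fails with an error instead of deleting the data.
resource "azurerm_storage_account" "hardened" {
  name                            = "terraformhard1092" // constructed name
  resource_group_name             = azurerm_resource_group.app_grp.name
  location                        = azurerm_resource_group.app_grp.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  allow_nested_items_to_be_public = false
  min_tls_version                 = "TLS1_2"
  enable_https_traffic_only       = true

  lifecycle {
    prevent_destroy = true
  }
}

resource "azurerm_storage_container" "hardened_data" {
  name = "data"
  // The reference below already tells Terraform to create the account
  // first, so no depends_on is needed for this ordering.
  storage_account_name  = azurerm_storage_account.hardened.name
  container_access_type = "private"
}
```

If someone later flips "Allow Blob public access" on in the portal, the next terraform plan against the hardened block shows allow_nested_items_to_be_public being set back to false; that is the drift mentioned in the previous section, and the plan output is where to catch it. With prevent_destroy in place, terraform destroy stops at the hardened account, so the lifecycle block has to be removed deliberately before the data can be deleted.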
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.109.0"
    }
  }
}

provider "azurerm" {
  subscription_id = ""
  client_id       = ""
  tenant_id       = ""
  client_secret   = "" // or set ARM_CLIENT_SECRET in the environment instead
  features {}
}

resource "azurerm_resource_group" "app_grp" {
  name     = local.resource_group_name
  location = local.location
}

resource "azurerm_storage_account" "az-storage" {
  name                          = var.storage_account_name // "terraformstorage1092"
  resource_group_name           = local.resource_group_name
  location                      = local.location
  account_tier                  = "Standard"
  account_replication_type      = "LRS" // Locally redundant storage
  public_network_access_enabled = true
  depends_on                    = [azurerm_resource_group.app_grp]
}

resource "azurerm_storage_container" "data_container" {
  name                  = "data"
  storage_account_name  = var.storage_account_name
  container_access_type = "private"
  // depends_on must list resources, not variables
  depends_on = [azurerm_storage_account.az-storage]
}

resource "azurerm_storage_blob" "az_blob" {
  name                   = "my-awesome-content.zip"
  storage_account_name   = var.storage_account_name
  storage_container_name = azurerm_storage_container.data_container.name
  type                   = "Block"
  source                 = "some-local-file.zip"
  depends_on             = [azurerm_storage_container.data_container]
}

variable "storage_account_name" {
  type        = string
  description = "Name of the storage account"
}

locals {
  resource_group_name = "app-grp"
  location            = "canadacentral"
}
The changes made in the above code are: we added a variable block that takes a string; when we run the terraform plan
command, Terraform prompts us to enter that string (in our case the storage account name).
We also added a depends_on argument inside the storage account block, stating that the storage account can be created only after the resource group is created.
We added a locals block where we can declare values to be used within the current Terraform configuration file. Ex: we declared the resource group name and location in locals and used them in the other blocks of code.