This is my first attempt at creating a storage account with terraform hcl to be used as a backend state file storage. I have tried to use common/good/best practices and also verified with different lint tools to find bad practices and/or security problems.
Unfortunately, I haven't been able to "fix" all the checks because I chose to use the simplest Azure options on the storage, which aren't the best options if the storage is supposed to be used in a production environment. Another problem I had was that I chose Terraform Cloud for the backend state file (can't use what I am creating, right? catch 22), which uses a runner with a dynamic IP address (different on every apply), so I can't whitelist it in the security rules (you need to upgrade to the Business Plan to solve that problem).
- You need an Azure account; if you don't have one, get a free one here.
- Create a service principal (replace [ServicePrincipalName] with a name and [subscription-id] with your subscription id) and copy the JSON output:

    az ad sp create-for-rbac --name [ServicePrincipalName] --role Contributor --scopes /subscriptions/[subscription-id] --sdk-auth
- Create a local backend file:
  - Create a Terraform API token.
  - Create a new Terraform Cloud workspace.
  - Create a Terraform backend file, e.g. config-terraform.tfbackend. (Make sure to NOT commit this file in your repo!!)

    hostname     = "app.terraform.io"
    organization = "[your-terraform-cloud-organization]"
    workspaces { name = "[your-newly-created-workspace]" }
    token        = "[your-terraform-api-token]"
- Create variables in your Terraform Cloud workspace (values from the JSON output):
  - ARM_CLIENT_ID = [clientId]
  - ARM_CLIENT_SECRET = [clientSecret] (mark it as sensitive)
  - ARM_SUBSCRIPTION_ID = [subscriptionId]
  - ARM_TENANT_ID = [tenantId]
- If you don't want to change the variables in variables.tf, you can use a terraform.tfvars file to set the variables.
- Execute the Terraform commands below to deploy the storage:

    terraform init -backend-config=config.terraform.tfbackend
    terraform fmt
    terraform validate
    terraform plan
    terraform apply
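The post describes the storage account it deploys only in terms of the trade-offs made (simplest SKU, no IP whitelist because the Terraform Cloud runner has a dynamic address), so here is a complete example of what such a state-backend storage account looks like in HCL with the settings that lint tools such as tfsec or checkov typically check. This is an added example written for this page; it is not the author's variables.tf or any file from the original post. It assumes the azurerm provider 3.x, and every resource name and location in it is a constructed placeholder. The weak-but-required setting the post mentions (network access left open because the runner IP cannot be whitelisted) is kept, with the production alternative shown in the comment beside it.

```hcl
terraform {
  required_version = ">= 1.5"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  # Credentials come from the ARM_* environment variables set in the workspace.
  features {}
}

resource "azurerm_resource_group" "state" {
  name     = "rg-tfstate-example" # constructed placeholder name
  location = "westeurope"          # constructed placeholder location
}

resource "azurerm_storage_account" "state" {
  name                     = "sttfstateexample01" # placeholder; must be globally unique, 3-24 lowercase alphanumerics
  resource_group_name      = azurerm_resource_group.state.name
  location                 = azurerm_resource_group.state.location
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "LRS" # simplest option; linters prefer ZRS/GRS for production state

  # Transport and exposure hardening that the checkers look for.
  min_tls_version                 = "TLS1_2"
  enable_https_traffic_only       = true
  allow_nested_items_to_be_public = false # no anonymous access to blobs/containers
  public_network_access_enabled   = true  # see network_rules below for why this stays on

  # The azurerm backend authenticates with the account key by default, so keys stay enabled.
  # Set this to false and use use_azuread_auth = true in the backend block once the
  # principal holds a data-plane role (e.g. Storage Blob Data Contributor) on the account.
  shared_access_key_enabled = true

  # Double encryption at rest; can only be set when the account is created.
  infrastructure_encryption_enabled = true

  blob_properties {
    # Versioning plus soft delete let you recover a state file after a bad apply or deletion.
    versioning_enabled = true
    delete_retention_policy {
      days = 30
    }
    container_delete_retention_policy {
      days = 30
    }
  }

  network_rules {
    # The post's compromise: the Terraform Cloud runner gets a new egress IP on every run,
    # so the account cannot be restricted to known addresses. Linters flag this "Allow".
    # Production alternative:
    #   default_action = "Deny"
    #   ip_rules       = ["203.0.113.10"]   # your CI runner / office egress addresses
    default_action = "Allow"
    bypass         = ["AzureServices"]
  }

  identity {
    type = "SystemAssigned" # needed later if you move to customer-managed keys
  }
}

resource "azurerm_storage_container" "state" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.state.name
  container_access_type = "private"
}

# A delete lock so a stray "terraform destroy" or portal click cannot remove the state backend.
resource "azurerm_management_lock" "state" {
  name       = "lock-tfstate"
  scope      = azurerm_storage_account.state.id
  lock_level = "CanNotDelete"
  notes      = "Holds Terraform state for other workspaces; do not delete."
}

# Prints the backend block the other projects will need to point at this account.
output "backend_config" {
  value = <<-EOT
    terraform {
      backend "azurerm" {
        resource_group_name  = "${azurerm_resource_group.state.name}"
        storage_account_name = "${azurerm_storage_account.state.name}"
        container_name       = "${azurerm_storage_container.state.name}"
        key                  = "terraform.tfstate"
      }
    }
  EOT
}
```

Run it with the same `terraform init ... plan ... apply` sequence as above. With `default_action = "Allow"` the lint tools will still report the open network rule, which is exactly the finding the post says it could not close on the free Terraform Cloud plan; switching the commented `Deny` variant in requires a runner with a stable egress address.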
MS Learn: Store Terraform state in Azure Storage
MS Learn: Customer-managed keys for Azure Storage encryption
Lint and static analysis tools

- Terraform: