If you already have VS Code and Docker installed, you can click the badge above or here to get started. Clicking these links will cause VS Code to automatically install the Dev Containers extension if needed, clone the source code into a container volume, and spin up a dev container for use.

HashiTalks: India

Topic	Description
Event Date	January 12, 2023
YouTube - HashiCorp	https://youtu.be/ByCeAQlJQvM
YouTube - Ashish Singh Baghel	https://youtu.be/0pNZ2UWkPfQ

Deploy Infrastructure as Code on Azure using Github Codespaces and Terraform Cloud

Concepts

Azure service principal

• Azure Built-in roles
• Create an Azure service principal with the Azure CLI
• Apps and service principal objects in Azure Active Directory
• Securing cloud-based service accounts

Terraform Cloud

• What is Terraform Cloud?
• Get Started Azure
• Store Remote State

Github CodeSpaces

• Developing in a codespace
• Introduction to dev containers

Hands-On

• Azure AD: Create a Service Principal with a Client Secret

  Automated tools that use Azure services should always have restricted permissions. Instead of having applications sign in as a fully privileged user, Azure offers service principals.

  An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

  • Ensure you are using correct subscription

    List subscriptions

    az account list
    

    Set a subscription to be the current active subscription

    az account set --subscription=SUBSCRIPTION_ID​
    

    Check current subscription

    az account show
    

  • Create a service principal and configure its Contributor access to azure subscription

    ⚠ Warning: When you create an Azure service principal using the az ad sp create-for-rbac command, the output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control.

    # fetch subscription id
    SUBSCRIPTION_ID=$(az account show --query id -o tsv)
    
    # Create service principal
    az ad sp create-for-rbac --name TerraformCloud --role Contributor --scopes /subscriptions/$SUBSCRIPTION_ID
    

    The output for a service principal with password authentication includes the password key. Make sure you copy this value - it can't be retrieved. If you lose the password, reset the service principal credentials.

    Output:

    Creating 'Contributor' role assignment under scope '/subscriptions/<yourSubscriptionId>'
    The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
    {​
      "appId": "00111232-4466-6546-7897-7412321598756547",
      ​"displayName": "TerraformCloud",​
      "password": ".XX1X~Xxxx1XXxXXxXxxxxXX1xxxXXXxXXXXxxxX",​
      "tenant": "11111111-1111-1111-1111-111111111111"​
    }
    

    This creates an application object and a service principal object in your home tenant. Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object will also delete its home tenant service principal object.

    List app

    az ad app list --display-name TerraformCloud -o table
    

    Check your service principal

    az ad sp list --display-name TerraformCloud -o table
    

    Check role assignment

    SP_TERRAFORM_APP_ID=$(az ad sp list --display-name TerraformCloud --query "[].appId" -o tsv)
    az role assignment list --assignee $SP_TERRAFORM_APP_ID
    

• Terraform: Setup Terraform Cloud

  • Sign In to Terraform Cloud - https://app.terraform.io/

  • Create New Organization

  • Create variable set Azure Credentials - Apply to all workspaces

    Key	Value	Category
    ARM_TENANT_ID	tennant	Environment Variable
    ARM_SUBSCRIPTION_ID	SUBSCRIPTION_ID	Environment Variable
    ARM_CLIENT_ID	appId	Environment Variable
    ARM_CLIENT_SECRET	password	Environment Variable

    Note: We get these values as output of Azure CLI create service principal command. If you lose If you lose the credentials for a service principal, use az ad sp credential reset. The reset command takes the same parameters as az ad sp create-for-rbac.

    az ad sp credential reset --name TerraformCloud --role Contributor --scopes /subscriptions/$SUBSCRIPTION_ID
    

• GitHub Codespaces: Create codespaces for your GitHub repository

  • Add DevContainer configuration file

    • Select Ubuntu base image
    • Select Feature - Terraform, tflint and TFGrunt
    • Rebuild container

  • Login to Terraform Cloud

    terraform login
    

    Create Terraform User API Token (User settings > Tokens)

    Optional: Codespace Secrets

    Create Codespace Secrets. Secrets are environment variables that are encrypted and only exposed to Codespaces you create. You can store sensitive information, like tokens, that you want to access in your codespaces via environment variables. Once you have created a secret, it will be available when you create a new codespace or restart the codespace.

    Terraform CLI Environment Variable Credentials

    The value of a variable named TF_TOKEN_app_terraform_io will be used as a bearer authorization token when the CLI makes service requests to the hostname app.terraform.io

    TF_TOKEN_app_terraform_io
    

  • Define cloud block for Terraform Cloud Integration

    terraform {​
      required_version = ">=1.3.0"​
      cloud {​
        organization = "<Your-Terraform-Cloud-Organization-Name-Here>"
        workspaces {​
          name = "workspace-name"​
        }​
      }​
      ...​
      ...​
      ...​
    }​

    This will create CLI-driven Terraform Cloud workflow, this allows developers to quickly iterate on configuration and work locally.

  • Initialize the configuration and create your new Terraform Cloud workspace

    terraform init
    

  • Create Infrastructure

    terraform apply
    

  • Destroy Infrastructure Important Note: Do not forget to destroy your unused infrastructure to save cost

    terraform destroy
    

Clean Up

• Azure: Clean Up service principal and role assignment

  Delete Role Assignment

  # fetch `appId` of service principal
  SP_TERRAFORM_APP_ID=$(az ad sp list --display-name TerraformCloud --query "[].appId" -o tsv)
  
  # List Role Assignment
  az role assignment list --assignee $SP_TERRAFORM_APP_ID 
  
  # Delete Role Assignment
  az role assignment delete --assignee $SP_TERRAFORM_APP_ID 
  

  Delete Application object (This will also remove Service Principal)

  # List Regsitered App
  az ad app list --display-name TerraformCloud -o table
  
  # List Service Principal
  az ad sp list --display-name TerraformCloud -o table
  
  # fetch Object ID of Application
  TERRAFORM_APP_OBJECT_ID=$(az ad app list --display-name TerraformCloud --query "[].id" -o tsv)
  
  # Show Application
  az ad app show --id $TERRAFORM_APP_OBJECT_ID
  
  # Delete Application
  az ad app delete --id $TERRAFORM_APP_OBJECT_ID