terraform-azure's Introduction

Terraform Azure

Purpose

Test secure Azure provisioning using Terraform, utilising a Remote Backend and a Key Vault in Azure.

HashiCorp Terraform enables you to safely and predictably create, change, and improve infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.

Preparation

Before you can securely use Terraform with Azure, you will need to action the following steps:

Install Azure Dependencies / Log in to Azure

  1. Install the Azure PowerShell module.
  2. Ensure you are logged in to Azure (eg. Connect-AzAccount)

Configure Azure for Secure Terraform Access

  1. Clone this repo: git clone [email protected]:adamrushuk/terraform-azure.git
  2. Open scripts\ConfigureAzureForSecureTerraformAccess.ps1 and update the $adminUserDisplayName variable to match your Admin User Display Name (eg. Joe Bloggs).
  3. Run scripts\ConfigureAzureForSecureTerraformAccess.ps1

The ConfigureAzureForSecureTerraformAccess.ps1 script does the following:

  1. Creates an Azure Service Principal for Terraform.
  2. Creates a new Resource Group.
  3. Creates a new Storage Account.
  4. Creates a new Storage Container.
  5. Creates a new Key Vault.
  6. Configures Key Vault Access Policies.
  7. Creates Key Vault Secrets for these sensitive Terraform login details:
    • ARM_SUBSCRIPTION_ID
    • ARM_CLIENT_ID
    • ARM_CLIENT_SECRET
    • ARM_TENANT_ID
    • ARM_ACCESS_KEY

Load Azure Key Vault secrets into Terraform environment variables

Now that Azure has been configured for secure Terraform access, the Key Vault secrets need to be loaded into environment variables, but only for the current PowerShell session.

  1. Run scripts\LoadAzureTerraformSecretsToEnvVars.ps1
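
As an added illustration of what this loading step involves (this is not the repo's LoadAzureTerraformSecretsToEnvVars.ps1), the sketch below reads the five secrets and sets them at Process scope only, then reports whether each one is set without printing its value. The vault name is a placeholder, and the dash-separated secret names are an assumption made because Key Vault secret names cannot contain underscores.

```powershell
# Added example: not the repository's script. Requires the Az.KeyVault module
# and an existing Connect-AzAccount session.
$vaultName = '<your-key-vault-name>'   # placeholder: the Key Vault created earlier

# Environment variables Terraform reads for Azure and remote backend access.
$envVarNames = @(
    'ARM_SUBSCRIPTION_ID'
    'ARM_CLIENT_ID'
    'ARM_CLIENT_SECRET'
    'ARM_TENANT_ID'
    'ARM_ACCESS_KEY'
)

foreach ($envVarName in $envVarNames) {
    # Assumption: each secret is stored with dashes, e.g. ARM-CLIENT-ID,
    # because Key Vault secret names allow only letters, digits and dashes.
    $secretName = $envVarName -replace '_', '-'

    $value = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
    if ([string]::IsNullOrEmpty($value)) {
        throw "Secret '$secretName' is missing or empty in vault '$vaultName'."
    }

    # 'Process' scope: the value exists only in this PowerShell session and its
    # child processes (terraform.exe); nothing is written to the registry.
    [Environment]::SetEnvironmentVariable($envVarName, $value, 'Process')
}
Remove-Variable -Name value   # do not leave the last secret in a shell variable

# Report what is set without echoing any secret value, and flag any copy that
# has been persisted at User or Machine scope (it should not be).
foreach ($envVarName in $envVarNames) {
    [pscustomobject]@{
        Name      = $envVarName
        InSession = -not [string]::IsNullOrEmpty(
            [Environment]::GetEnvironmentVariable($envVarName, 'Process'))
        Persisted = -not [string]::IsNullOrEmpty(
            [Environment]::GetEnvironmentVariable($envVarName, 'User')) -or
            -not [string]::IsNullOrEmpty(
            [Environment]::GetEnvironmentVariable($envVarName, 'Machine'))
    }
}

# When finished, clear the session copies:
# $envVarNames | ForEach-Object { Remove-Item -Path "Env:$_" -ErrorAction SilentlyContinue }
```

A Persisted value of True means the secret has also been stored outside the session, in which case remove the persisted copy and rotate that credential.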

Install Terraform

Either download Terraform and add it to your path, or use the Chocolatey method below:

  1. Install Chocolatey
  2. Install Terraform: choco install terraform

Provisioning

Now that Terraform is installed, the secure remote backend can be utilised whilst provisioning an Azure Resource Group and a Virtual Network:

  1. Navigate to the examples\remote-backend\ folder.
  2. Open main.tf and ensure you have updated the storage_account_name variable in the backend code block, to the new Storage Account Name created by the ConfigureAzureForSecureTerraformAccess.ps1 script.
  3. Initialise the Remote Backend and download plugins: terraform init
  4. Create an execution plan (see planned changes): terraform plan
  5. Apply the Terraform configuration: terraform apply
  6. Enter yes to confirm the planned actions.

Cleanup

You should now have a new Azure Resource Group (eg: backend-test-rg) with a Virtual Network (eg: test-vnet). To clean up these Azure resources, you can also use Terraform to destroy what it created.

  1. If this is a new PowerShell session, you will have to run scripts\LoadAzureTerraformSecretsToEnvVars.ps1 again to reload the environment variables needed for Terraform to access Azure.
  2. Navigate to the examples\remote-backend\ folder.
  3. Remove the previously created Azure resources: terraform destroy
  4. Enter yes to confirm the planned actions.
