Terraform Cloud: Connect GitHub via OAuth Authentication, Create Terraform Workspace, Execute Terraform Azure Configuration via Terraform Run

Terraform Terraform Cloud GitHub OAuth Azure
Terraform - This article is part of a series.
Part 5: This Article

Terraform Cloud
#

GitHub OAuth Authentication
#

  • Go to: (Manage) Settings > (Version Control) Providers

  • Click Add a VCS provider

  • Select “GitHub” > “GitHub.com (Custom)”
  • Open the “register a new OAuth Application” link. The necessary fields on GitHub should already be populated.
  • Click “Register application”
  • Copy the GitHub “Client ID” to Terraform Cloud

  • Click “Generate a new client secret” and copy it to Terraform Cloud

  • Click “Connect and continue”

  • Click “Authorize jueklu”
  • Click “Skip and finish”
  • Go to: “Workspaces”



Create a GitHub Repository
#

Create a new GitHub repository with a “README.md” file (the repository is not allowed to be empty).

I’m using my GitHub repository named tf-cloud-example.


Create Terraform Workspace
#

  • Go to “Workspaces”
  • Click “New” > “Workspace”
  • Select the “Default Project”
  • Click “Version Control Workflow”
  • Select the “GitHub.com (Custom)” version control provider
  • Select the previously created GitHub repository tf-cloud-example
  • Define a workspace name (it defaults to the GitHub repository name)

  • Click “Create”



Example: Terraform Azure Configuration
#

Azure Authentication
#

Create Service Principal
#

Find your Azure subscription ID: https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2

# Create a Service Principal: Syntax
az ad sp create-for-rbac --name "tf-cloud" --role contributor --scopes /subscriptions/SUBSCRIPTION_ID

# Create a Service Principal: Example
az ad sp create-for-rbac --name "tf-cloud" --role contributor --scopes /subscriptions/0176a19a-some-subscription-id...
# Shell output
{
  "appId": "f75607f9-some-app-id...",
  "displayName": "tf-cloud",
  "password": "4iG8Q~.some-password...",
  "tenant": "30d87815-some-tenant..."
}

Verify Service Principal
#

Log in with the service principal:

# Log in with the service principal: Syntax
az login --service-principal -u appId -p password --tenant tenant

# Log in with the service principal: Example
az login --service-principal -u f75607f9-some-app-id... -p 4iG8Q~.some-password... --tenant 30d87815-some-tenant...

Verify the login:

# List details about current user and subscription
az account show

Overview Terraform Variables
#

The Azure service principal values can be mapped to the following Terraform variables:

Azure value             | Terraform variable
------------------------|-------------------
appId                   | client_id
password                | client_secret
tenant                  | tenant_id
Azure subscription ID   | subscription_id

Find your Azure subscription ID: https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2



GitHub Repository
#

In this blog post I only provide the main Terraform configuration files provider.tf and vars.tf that are necessary for the Azure authentication.

The rest of the Terraform configuration that I’m using can be found in the following GitHub repository: https://github.com/jueklu/terraform-cloud-azure


Clone GitHub Repository
#

Clone the previously created empty GitHub repository named tf-cloud-example:

# Clone the GitHub repository
git clone git@github.com:jueklu/tf-cloud-example.git &&
cd tf-cloud-example/

Create SSH Key
#

Create an SSH key pair to access the Azure VM:

# Create a folder for the SSH key
mkdir .ssh

# Create an SSH key pair
ssh-keygen -t rsa -b 4096 -f .ssh/tf-azure

# Move the private SSH key out of the repository into ~/.ssh of the current user,
# so that only the public key (tf-azure.pub) is committed
mv .ssh/tf-azure ~/.ssh/

provider.tf
#

# Microsoft Azure Provider Authentication
provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}

# Azure Provider source and version
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.2"
    }
  }
}

vars.tf
#

The values of the variables are defined in the Terraform Cloud workspace.

# Azure Authentication
variable "client_secret" {
  description = "Client Secret"
  type        = string
  sensitive   = true # Redact the value in plan and apply output
}

variable "client_id" {
  description = "Client Id"
  type        = string
}

variable "subscription_id" {
  description = "Subscription id"
  type        = string
}

variable "tenant_id" {
  description = "Tenant id"
  type        = string
}

Repository Folder Structure
#

The repository file and folder structure should look as follows:

├── main.tf
├── network.tf
├── outputs.tf
├── provider.tf
├── README.md
├── resource-group.tf
├── security-group.tf
├── .ssh
│   └── tf-azure.pub
└── vars.tf

Push to GitHub
#

Push the Terraform configuration files and the public SSH key into the GitHub repository:

# Configure git
git config --global user.email "juergen@jklug.work"
git config --global user.name "Juergen"
# Push the terraform configuration into the GitHub repository
git add . &&
git commit -m "Terraform configuration" &&
git push
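
The SSH key pair above is generated inside the repository and `git add .` stages everything, so a skipped `mv` step or a secret pasted into a `.tf` file would be pushed to GitHub. The following check is an added example, not part of the original post; the function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample file contents are constructed.

# List files outside .git that contain a PEM/OpenSSH private key header.
find_private_keys() {
  find "$1" -path "$1/.git" -prune -o -type f \
    -exec grep -lE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + || true
}

# List .tf/.tfvars files that assign client_secret a quoted literal
# instead of reading it from a variable (var.client_secret).
find_inline_secrets() {
  find "$1" -path "$1/.git" -prune -o -type f \
    \( -name '*.tf' -o -name '*.tfvars' \) \
    -exec grep -lE -e 'client_secret[[:space:]]*=[[:space:]]*"' {} + || true
}

# Return 0 when the tree is safe to "git add .", 1 otherwise.
check_repo() {
  keys=$(find_private_keys "$1")
  secrets=$(find_inline_secrets "$1")
  [ -z "$keys" ] || printf 'private key in working tree:\n%s\n' "$keys" >&2
  [ -z "$secrets" ] || printf 'hard-coded client_secret:\n%s\n' "$secrets" >&2
  [ -z "$keys$secrets" ]
}

# Constructed sample: the post's layout with the "mv" step forgotten.
make_sample_repo() {
  repo=$(mktemp -d)
  mkdir "$repo/.ssh"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' \
    > "$repo/.ssh/tf-azure"
  printf 'ssh-rsa constructed-placeholder\n' > "$repo/.ssh/tf-azure.pub"
  printf 'provider "azurerm" {\n  client_secret = var.client_secret\n}\n' \
    > "$repo/provider.tf"
  printf '%s\n' "$repo"
}

# Demo run on the constructed sample: the private key is still in .ssh/.
demo=$(make_sample_repo)
if check_repo "$demo"; then echo "clean"; else echo "blocked"; fi
rm -rf "$demo"
```

Called as `check_repo "$(git rev-parse --show-toplevel)" || exit 1` from `.git/hooks/pre-commit`, the same functions stop the commit before the key or secret reaches GitHub.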

Terraform Workspace
#

Add Terraform Workspace Variables
#

Add the Azure Service Principal authentication details and the Azure subscription ID as variables to the Terraform Cloud workspace.

Note: Check out the previous “Overview Terraform Variables” section.

  • Go to: “tf-cloud-example” Workspace > “Variables”

  • Click “Add variable”

  • Add the variables and select the “Sensitive” checkbox for each variable

Add the following variables:

# Key
client_id

# Value
f75607f9-some-app-id...


# Key
client_secret

# Value
4iG8Q~.some-password...


# Key
tenant_id

# Value
30d87815-some-tenant...


# Key
subscription_id

# Value
0176a19a-some-subscription-id...
  • The variables should look like this

Test Workspace Plan
#

  • Go to: “tf-cloud-example” workspace > “Overview”

  • Click “Start new plan”

  • Click “Discard run”

Create Workspace Run
#

Optionally, enable the “Auto-apply” option for this workspace:

  • Go to: “Workspace Settings” > “General”

  • Scroll down to “Auto-apply”

  • Enable the “Auto-apply run triggers” checkbox


Create Run:

  • Go to: “tf-cloud-example” workspace > “Runs”

  • Click “New run”

  • Define a run name like First Deployment

  • Click “Start”

  • Click “Confirm & apply” to deploy the Azure resources
  • Verify the applied Azure resources

Note: I forgot to push the “outputs.tf” file before I started the first run, so I had to push the “outputs.tf” file and start another run to show the VM IP:


Outputs
#

List the outputs of the Terraform configuration:

  • Go to: “tf-cloud-example” workspace > “Overview”

  • Select the “Outputs” tab


SSH into VM
#

# SSH into vm-1
ssh -i ~/.ssh/tf-azure tfadmin@13.81.59.92

Destroy Resources
#

  • Go to: “Workspace Settings” > “Destruction and Deletion”

  • Click “Queue destroy plan”



Delete Resources
#

Delete Azure Service Principal
#

# Verify the service principal
az ad sp list --display-name "tf-cloud"

# Delete the service principal
az ad sp delete --id f75607f9-some-app-id...

Delete Terraform Cloud Workspace
#

  • Go to: “tf-cloud-example” workspace > “Settings”

  • Select the “Destruction and Deletion” tab

  • Scroll down to “Delete Workspace”

  • Click “Delete from HCP Terraform”
