Terraform is a multi-cloud IaC tool that provides first-class support for Azure through the AzureRM provider. Many organisations choose Terraform for Azure because it supports multi-cloud deployments, has a mature ecosystem, and provides explicit state management. This lesson covers how to configure, authenticate, and deploy Azure resources with Terraform.

```bash
# Install Azure CLI
brew install azure-cli   # macOS
# or: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash   # Linux

# Install Terraform
brew install terraform   # macOS
# or: sudo apt-get install terraform   # Linux (via HashiCorp repo)

# Verify
az version
terraform version
```

```bash
az login
az account set --subscription "My Subscription"
```

Terraform uses the Azure CLI credentials by default.

```hcl
terraform {
  required_version = ">= 1.5"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }

  backend "azurerm" {
    resource_group_name  = "rg-terraform-state"
    storage_account_name = "stterraformstate"
    container_name       = "tfstate"
    key                  = "webapp.terraform.tfstate"
  }
}

provider "azurerm" {
  features {}

  subscription_id = var.subscription_id
}
```

| Method | Use case |
|---|---|
| Azure CLI (`az login`) | Local development |
| Service Principal (client ID + secret) | CI/CD pipelines |
| Managed Identity | Azure-hosted runners (e.g., Azure DevOps agents) |
| OIDC (OpenID Connect) | GitHub Actions, Azure DevOps (recommended for CI/CD) |

```bash
# Create a service principal
# (the command output includes the generated client secret, so keep it out of logs)
az ad sp create-for-rbac --name sp-terraform --role Contributor \
  --scopes /subscriptions/<sub-id>
```

```hcl
provider "azurerm" {
  features {}

  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}
```

Best practice: Use OIDC or Managed Identity in CI/CD to avoid storing long-lived secrets.
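
The secret-based provider block above, rewritten for OIDC, as an added example that is not part of the original lesson. It assumes a federated credential trusting the pipeline's token issuer already exists on the service principal's app registration, and that the pipeline identity holds a Storage Blob Data role on the state container.

```hcl
terraform {
  required_version = ">= 1.5"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }

  backend "azurerm" {
    resource_group_name  = "rg-terraform-state"
    storage_account_name = "stterraformstate"
    container_name       = "tfstate"
    key                  = "webapp.terraform.tfstate"

    # Authenticate to the state store with the pipeline's OIDC token and
    # Entra ID data-plane access instead of a storage account key.
    use_oidc         = true
    use_azuread_auth = true

    # Backend blocks cannot reference variables: supply ARM_CLIENT_ID,
    # ARM_TENANT_ID and ARM_SUBSCRIPTION_ID as pipeline environment variables.
  }
}

provider "azurerm" {
  features {}

  # Exchange the short-lived token issued by the CI system for an Azure
  # access token. There is no client_secret to store, rotate or leak.
  use_oidc        = true
  subscription_id = var.subscription_id
  client_id       = var.client_id
  tenant_id       = var.tenant_id
}
```

In GitHub Actions the job also needs `permissions: id-token: write` so that the runner can request the token the provider exchanges.
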
```hcl
resource "azurerm_resource_group" "main" {
  name     = "rg-webapp-${var.environment}"
  location = var.location

  tags = {
    environment = var.environment
    managed_by  = "terraform"
  }
}

resource "azurerm_storage_account" "main" {
  name                     = "stwebapp${var.environment}"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = var.environment == "prod" ? "GRS" : "LRS"
  min_tls_version          = "TLS1_2"

  tags = azurerm_resource_group.main.tags
}

resource "azurerm_virtual_network" "main" {
  name                = "vnet-webapp-${var.environment}"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
}
```