0% found this document useful (0 votes)

2 views

Azure Developer Terraform

The document provides comprehensive guidance on using Terraform for provisioning Azure infrastructure, detailing the setup process, benefits, and various Terraform providers available for Azure. It covers key concepts, quickstart guides, and how-to instructions for managing resources like virtual machines and Kubernetes clusters. Additionally, it introduces the AzAPI provider for managing Azure resources and offers steps for configuring Terraform in different environments.

Uploaded by

faavend2815

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

2 views

Azure Developer Terraform

Uploaded by

faavend2815

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1302

Tell us about your PDF experience.

Terraform on Azure documentation

Learn how to use Terraform to reliably provision virtual machines and other
infrastructure on Azure.

Getting started

ｅ OVERVIEW

About Terraform on Azure

Terraform AzAPI provider

ｉ REFERENCE

AzureRM provider versions

Ｙ ARCHITECTURE

Terraform Azure Provider

ｐ CONCEPT

Comparing features of Terraform and Bicep

ｂ GET STARTED

Install and configure Terraform

Install the Azure Terraform Visual Studio Code extension

Authenticate Terraform to Azure

Store Terraform state in Azure Storage

Azure Export for Terraform

ｅ OVERVIEW

Azure Export for Terraform overview

ｐ CONCEPT
Azure Export for Terraform concepts

ｆ QUICKSTART

Export your first resources

Export resources to HCL code

ｃ HOW-TO GUIDE

Select custom resources

Advanced scenarios

Create an Azure resource group using Terraform

Create an AKS cluster

Create a Linux VM

Create a Windows VM

Create an Azure key vault and key using Terraform

Direct web traffic with Azure Application Gateway - Terraform

Create a single database in Azure SQL Database using Terraform

Create an Azure API Management service using Terraform

Create an Azure Front Door Standard/Premium profile using Terraform

Create an Azure Container Instance with a public IP address using Terraform

Networking

ｆ QUICKSTART

Deploy with IP Groups - Terraform

Deploy with multiple addresses - Terraform

Deploy with Availability Zones - Terraform

Create a NAT Gateway

Create a private endpoint

Manage infrastructure

ｆ QUICKSTART

Create a Linux VM

Create a Linux VM cluster

Create a Windows VM

Create a Windows VM cluster

ｃ HOW-TO GUIDE

Provision VM scale set with infrastructure

Provision VM scale set from a Packer custom image

Work with Containers (AKS, Application Gateway, ...)

ｆ QUICKSTART

Create an AKS cluster

Create an ACI instance with a public IP address

Deploy Azure Application Gateway v2

ｃ HOW-TO GUIDE

Create an Application Gateway ingress controller in AKS

Overview of Terraform on Azure - What
is Terraform?
Article • 02/05/2024

Hashicorp Terraform is an open-source IaC (Infrastructure-as-Code) tool for

configuring and deploying cloud infrastructure. It codifies infrastructure in configuration
files that describe the desired state for your topology. Terraform enables the
management of any infrastructure - such as public clouds, private clouds, and SaaS
services - by using Terraform providers .

Terraform providers for Azure infrastructure

There are several Terraform providers that enable the management of Azure
infrastructure:

AzureRM : Manage stable Azure resources and functionality such as virtual

machines, storage accounts, and networking interfaces.
AzureAD : Manage Microsoft Entra resources such as groups, users, service
principals, and applications.
AzureDevops : Manage Azure DevOps resources such as agents, repositories,
projects, pipelines, and queries.
AzAPI : Manage Azure resources and functionality using the Azure Resource
Manager APIs directly. This provider compliments the AzureRM provider by
enabling the management of Azure resources that aren't released. For more
information about the AzAPI provider, see Terraform AzAPI provider.
AzureStack : Manage Azure Stack Hub resources such as virtual machines, DNS,
virtual networks, and storage.

Benefits of Terraform with Azure

This section describes the benefits of using Terraform to manage Azure infrastructure.

Common IaC tool

Terraform Azure providers enable you to manage all of your Azure infrastructure using
the same declarative syntax and tooling. Using these providers you can:

1. Configure core platform capabilities such as management groups, policies, users,

groups, and policies. For more information, see Terraform implementation of Cloud
Adoption Framework Enterprise-scale .
2. Configure Azure DevOps projects and pipelines to automate regular infrastructure
and application deployments.
3. Deploy Azure resources required by your applications.

Automate infrastructure management

The Terraform template-based configuration file syntax enables you to configure Azure
resources in a repeatable and predictable manner. Automating infrastructure includes
the following benefits:

Lowers the potential for human errors while deploying and managing
infrastructure.
Deploys the same template multiple times to create identical development, test,
and production environments.
Reduces the cost of development and test environments by creating them on-
demand.

Understand infrastructure changes before being applied

As a resource topology becomes complex, understanding the meaning and impact of
infrastructure changes can be difficult.

The Terraform CLI enables users to validate and preview infrastructure changes before
application of the plan. Previewing infrastructure changes in a safe manner has several
benefits:

Team members can collaborate more effectively by understanding proposed

changes and their impact.
Unintended changes can be caught early in the development process.

Next steps
Based on your environment, install and configure Terraform:

Configure Terraform: If you haven't already done so, configure Terraform using
one of the following options:
Configure Terraform in Azure Cloud Shell with Bash
Configure Terraform in Azure Cloud Shell with PowerShell
Configure Terraform in Windows with Bash
Configure Terraform in Windows with PowerShell
Overview of the Terraform AzAPI
provider
Article • 05/20/2024

The AzAPI provider is a thin layer on top of the Azure ARM REST APIs. The AzAPI
provider enables you to manage any Azure resource type using any API version. This
provider complements the AzureRM provider by enabling the management of new
Azure resources and properties (including private preview).

Resources
To allow you to manage all Azure resources and features without requiring updates, the
AzAPI provider includes the following generic resources:

ﾉ Expand table

Resource Name Description

azapi_resource Used to fully manage any Azure (control plane) resource (API) with full
CRUD.
Example Use Cases:
New preview service
New feature added to existing service
Existing feature / service not currently covered

azapi_update_resource Used to manage resources or parts of resources that don't have full
CRUD
Example Use Cases:
Update new properties on an existing service
Update pre-created child resource - such as DNS SOA record.

Resource configuration examples

The following code snippet configures a resource that doesn't currently exist in the
AzureRM provider:

Terraform

resource "azapi_resource" "publicip" {

type = "Microsoft.Network/Customipprefixes@2021-03-01"
name = "exfullrange"
parent_id = azurerm_resource_group.example.id
location = "westus2"
body = jsonencode({
properties = {
cidr = "10.0.0.0/24"
signedMessage = "Sample Message for WAN"
}
})
}

The following code snippet configures a preview property for an existing resource from
AzureRM:

Terraform

resource "azapi_update_resource" "test" {

type = "Microsoft.ContainerRegistry/registries@2020-11-01-preview"
resource_id = azurerm_container_registry.acr.id

body = jsonencode({
properties = {
anonymousPullEnabled = var.bool_anonymous_pull
}
})
}

Authentication using the AzAPI provider

The AzAPI provider enables the same authentication methods as the AzureRM provider.
For more information on authentication options, see Authenticate Terraform to Azure.

Benefits of using the AzAPI provider

The AzAPI provider features the following benefits:

Supports all Azure services:

Private preview services and features
Public preview services and features
All API versions
Full Terraform state file fidelity
Properties and values are saved to state
No dependency on Swagger
Common and consistent Azure authentication

Experience and lifecycle of the AzAPI provider

This section describes some tools to help you use the AzAPI provider.

VS Code extension and Language Server

The AzAPI VS Code extension provides a rich authoring experience with the following
benefits:

List all available resource types and API versions.

Auto-completion of the allowed properties and values for any resource.

Show hints when hovering over a property.

Syntax validation

Auto-completion with code samples.

AzAPI2AzureRM migration tool

The AzureRM provider provides the most integrated Terraform experience for managing
Azure resources. Therefore, the recommended usage of the AzAPI and AzureRM
providers is as follows:

1. While the service or feature is in preview, use the AzAPI provider.

2. once the service is officially released, use the AzureRM provider.

The AzAPI2AzureRM tool is designed to help migrate from the AzAPI provider to the
AzureRM provider.

AzAPI2AzureRM is an open-source tool that automates the process of converting AzAPI

resources to AzureRM resources.

AzAPI2AzureRM has two modes: plan and migrate:

Plan displays the AzAPI resources that can be migrated.

Migrate migrates the AzAPI resources to AzureRM resources in both the HCL files
and the state.

AzAPI2AzureRM ensures after migration that your Terraform configuration and state are
aligned with your actual state. You can validate the state has been updated by running
terraform plan after completing the migration to see that nothing has changed.

Using the AzAPI provider

1. Install VS Code extension

2. Add the AzAPI provider to your Terraform configuration.

Terraform

terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
}
}

provider "azapi" {
# More information on the authentication methods supported by
# the AzureRM Provider can be found here:
#
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs

# subscription_id = "..."
# client_id = "..."
# client_secret = "..."
# tenant_id = "..."
}

3. Declare one or more AzAPI resources as shown in the following example code:

Terraform

resource "azapi_resource" "example" {

name = "example"
parent_id = data.azurerm_machine_learning_workspace.existing.id
type = "Microsoft.MachineLearningServices/workspaces/computes@2021-
07-01"

location = "eastus"
body = jsonencode({
properties = {
computeType = "ComputeInstance"
disableLocalAuth = true
properties = {
vmSize = "STANDARD_NC6"
}
}
})
}

Next steps
Deploy your first resource with the AzAPI provider
Deploy your first Update Resource with the AzAPI provider

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Quickstart: Install and Configure
Terraform
Article • 06/13/2023

Terraform enables the definition, preview, and deployment of cloud infrastructure.

Using Terraform, you create configuration files using HCL syntax . The HCL syntax
allows you to specify the cloud provider - such as Azure - and the elements that make
up your cloud infrastructure. After you create your configuration files, you create an
execution plan that allows you to preview your infrastructure changes before they're
deployed. Once you verify the changes, you apply the execution plan to deploy the
infrastructure.

Configure in Azure Cloud Shell with Bash

Configure in Azure Cloud Shell with PowerShell
Configure in Windows with Bash
Configure in Windows with PowerShell

Prerequisites
Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

Configure in Azure Cloud Shell with Bash

Azure Cloud Shell includes Terraform and automatically updates to the latest version of
Terraform. However, the updates come within a couple of weeks of release. The
following article shows you how to download and install the current version of Terraform
using Bash within the Cloud Shell environment.

Configure Terraform in Azure Cloud Shell with Bash

Configure in Azure Cloud Shell with PowerShell

Configure Terraform in Azure Cloud Shell with PowerShell

Configure in Windows with Bash
The following article shows you how to install and test Terraform in Windows using a
Bash emulator.

Configure Terraform in Windows with Bash

Configure in Windows with PowerShell

The following article shows you how to install and test Terraform in Windows using
PowerShell.

Configure Terraform in Windows with PowerShell

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Create Azure resource group
Install the Azure Terraform Visual Studio
Code extension
Article • 05/10/2023

Terraform enables the definition, preview, and deployment of cloud infrastructure.

The Visual Studio Code Terraform extension enables you to work with Terraform from
the editor. With this extension, you can author, test, and run Terraform configurations.

In this article, you learn how to:

＂ Install the Azure Terraform Visual Studio Code extension

＂ Use the extension to create an Azure resource group
＂ Verify the resource group was created
＂ Delete the resource group when finished testing using the extension

1. Configure your environment

Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

Install Node.js .

2. Install the Azure Terraform Visual Studio

Code extension
1. Launch Visual Studio Code.
2. From the left menu, select Extensions, and enter Azure Terraform in the search
text box.

3. From the list of extensions, locate the Azure Terraform extension. (It should be the
first extension listed.)

4. If the extension isn't yet installed, select the extension's Install option.

Key points:

When you select Install for the Azure Terraform extension, Visual Studio Code
automatically installs the Azure Account extension.
Azure Account is a dependency file for the Azure Terraform extension. This
file is used to authenticate to Azure and Azure-related code extensions.

5. To confirm the installation of the extensions, enter @installed in the search text
box. Both the Azure Terraform extension and the Azure Account extension appear
in the list of installed extensions.
You can now run all supported Terraform commands in your Cloud Shell environment
from within Visual Studio Code.

3. Implement the Terraform code

1. Create a directory in which to test the sample Terraform code and make it the
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_version = ">=0.12"

required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>2.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}

provider "azurerm" {
features {}
}

3. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

location = var.resource_group_location
name = random_pet.rg_name.id
}

4. Create a file named variables.tf to contain the project variables and insert the
following code:

Terraform

variable "resource_group_location" {
default = "eastus"
description = "Location of the resource group."
}

variable "resource_group_name_prefix" {
default = "rg"
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
}

5. Create a file named outputs.tf to contain the project variables and insert the
following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

4. Push your code to Cloud Shell

1. From the View menu, select Command Palette....

2. In the Command Palette text box, start entering Azure Terraform: Push and select
it when it displays.

3. Select OK to confirm the opening of Cloud Shell.

Key points:

Your workspace files that meet the filter defined in the azureTerraform.files
setting in your configuration are copied to Cloud Shell.

5. Initialize Terraform within Visual Studio Code

1. From the View menu, select Command Palette....

2. In the Command Palette text box, start entering Azure Terraform: Init and select
it when it displays.

Key points:

Selecting this option is the same as running terraform init from the
command line and initializes your Terraform deployment.
This command downloads the Azure modules required to create an Azure
resource group.

3. Follow the prompts to install any dependencies - such as the latest supported
version of nodejs.

4. If you're using Cloud Shell for the first time with your default Azure subscription,
follow the prompts to configure the environment.

6. Create a Terraform execution plan within

Visual Studio Code
1. From the View menu, select Command Palette....
2. In the Command Palette text box, start entering Azure Terraform: Plan and select
it when it displays.

Key points:

This command runs terraform plan to create an execution plan from the
Terraform configuration files in the current directory.

7. Apply a Terraform execution plan within

Visual Studio Code
1. From the View menu, select Command Palette....

2. In the Command Palette text box, start entering Azure Terraform: Apply and select
it when it displays.

3. When prompted for confirmation, enter yes and press <Enter> .

8. Verify the results

Azure CLI

1. From the View menu, select Command Palette....

2. In the Command Palette text box, start entering Azure: Open Bash in Cloud
Shell and select it when it displays.

3. Run az group show to display the resource group. Replace the

<resource_group_name> placeholder with the randomly generated name of the
resource group displayed after applying the Terraform execution plan.

Azure CLI

az group show --name <resource_group_name>

9. Clean up resources
1. From the View menu, select Command Palette....
2. In the Command Palette text box, start entering Azure Terraform: Destroy and
select it when it displays.

3. When prompted for confirmation, enter yes and press <Enter> .

4. To confirm that Terraform successfully destroyed your new resource group, run the
steps in the section, Verify the results.

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Read more about the Azure Terraform Visual Studio Code extension
Authenticate Terraform to Azure
Article • 06/20/2024

Terraform enables the definition, preview, and deployment of cloud infrastructure.

To use Terraform commands against your Azure subscription, you must first authenticate
Terraform to that subscription. This article covers some common scenarios for
authenticating to Azure.

In this article, you learn how to:

＂ See a list of available authentication methods.

＂ Select select and authentication method.
＂ Verify that you're authenticated.

1. Configure your environment

Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

2. Authenticate Terraform to Azure

Terraform only supports authenticating to Azure with the Azure CLI. Authenticating
using Azure PowerShell isn't supported. Therefore, while you can use the Azure
PowerShell module when doing your Terraform work, you first need to authenticate to
Azure using the Azure CLI.

Authenticate with a Microsoft account using Cloud Shell (with Bash or PowerShell)
Authenticate with a Microsoft account using Windows (with Bash or PowerShell)
Authenticate with a service principal
Authenticate with a managed identity for Azure services

3. Verify the results

Verify that you've authenticated to the Azure subscription by displaying the current
subscription.

Bash

To confirm the current Azure subscription with the Azure CLI, run az account show.

Azure CLI

az account show

Next steps
Your first Terraform project: Create an Azure resource group

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Create a Terraform base template in
Azure using Yeoman
Article • 03/20/2023

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to use the combination of Terraform and Yeoman .
Terraform is a tool for creating infrastructure on Azure. Yeoman makes it easy to create
Terraform modules.

In this article, you learn how to do the following tasks:

＂ Create a base Terraform template using the Yeoman module generator.

＂ Test the Terraform template using two different methods.
＂ Run the Terraform module using a Docker file.
＂ Run the Terraform module natively in Azure Cloud Shell.

1. Configure your environment

Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

Visual Studio Code: Download Visual Studio Code for your platform.

Docker: Install Docker to run the module created by the Yeoman generator.

Go programming language: Install Go as Yeoman-generated test cases are code

using the Go language.
Nodejs: Install Node.js

Install Yeoman: Run the following command: npm install -g yo .

Yeoman template: Run the following command to install the Yeoman template for
Terraform module: npm install -g generator-az-terra-module .

2. Create directory for Yeoman-generated

module
The Yeoman template generates files in the current directory. For this reason, you need
to create a directory.

This empty directory is required to be put under $GOPATH/src. For more information
about this path, see the article Setting GOPATH .

1. Navigate to the parent directory from which to create a new directory.

2. Run the following command replacing the placeholder. For this example, a
directory name of GeneratorDocSample is used.

Bash

mkdir <new-directory-name>

3. Navigate to the new directory:

Bash

cd <new-directory-name>

3. Create base module template

1. Run the following command:

Bash

yo az-terra-module

2. Follow the on-screen instructions to provide the following information:

Terraform module project Name - A value of doc-sample-module is used for

the example.

Would you like to include the Docker image file? - Enter y . If you enter n ,
the generated module code will support running only in native mode.

3. List the directory contents to view the resulting files that are created:

Bash

ls
4. Review the generated module code
1. Launch Visual Studio Code

2. From the menu bar, select File > Open Folder and select the folder you created.

The following files were created by the Yeoman module generator:

main.tf - Defines a module called random-shuffle . The input is a string_list . The

output is the count of the permutations.
variables.tf - Defines the input and output variables used by the module.

outputs.tf - Defines what the module outputs. Here, it's the value returned by
random_shuffle , which is a built-in, Terraform module.

Rakefile - Defines the build steps. These steps include:

build - Validates the formatting of the main.tf file.

unit - The generated module skeleton doesn't include code for a unit test. If

you want to specify a unit test scenario, you would you add that code here.
e2e - Runs an end-to-end test of the module.

test
Test cases are written in Go.
All codes in test are end-to-end tests.
End-to-end tests attempt to provision all of the items defined under fixture .
The results in the template_output.go file are compared with the pre-defined
expected values.
Gopkg.lock and Gopkg.toml : Defines the dependencies.

For more information about the Yeoman generator for Azure

https://github.com/Azure/generator-az-terra-module , see the Terratest
documentation .

5. Test the Terraform module using a Docker

file
This section shows how to test a Terraform module using a Docker file.

７ Note

This example runs the module locally; not on Azure.

Confirm Docker is installed and running

From a command prompt, enter docker version .

The resulting output confirms that Docker is installed.

To confirm that Docker is actually running, enter docker info .

Set up a Docker container
1. From a command prompt, enter

docker build --build-arg BUILD_ARM_SUBSCRIPTION_ID= --build-arg

BUILD_ARM_CLIENT_ID= --build-arg BUILD_ARM_CLIENT_SECRET= --build-arg

BUILD_ARM_TENANT_ID= -t terra-mod-example . .

The message Successfully built will be displayed.

2. From the command prompt, enter docker image ls to see your created module
terra-mod-example listed.

3. Enter docker run -it terra-mod-example /bin/sh . After running the docker run
command, you're in the Docker environment. At that point, you can discover the
file by using the ls command.

Build the module

1. Run the following command:

Bash

bundle install

2. Run the following command:

Bash

rake build

Run the end-to-end test

1. Run the following command:

Bash

rake e2e

2. After a few moments, the PASS message will appear.

3. Enter exit to complete the test and exit the Docker environment.

6. Use Yeoman generator to create and test a

module
In this section, the Yeoman generator is used to create and test a module in Cloud Shell.
Using Cloud Shell instead of using a Docker file greatly simplifies the process. Using
Cloud Shell, the following products are all pre-installed:

Node.js
Yeoman
Terraform

Start a Cloud Shell session

1. Start an Azure Cloud Shell session via either the Azure portal , shell.azure.com ,
or the Azure mobile app .

2. The Welcome to Azure Cloud Shell page opens. Select Bash (Linux).

3. If you have not already set up an Azure storage account, the following screen
appears. Select Create storage.

4. Azure Cloud Shell launches in the shell you previously selected and displays
information for the cloud drive it just created for you.
Prepare a directory to hold your Terraform module
1. At this point, Cloud Shell will have already configured GOPATH in your
environment variables for you. To see the path, enter go env .

2. Create the $GOPATH directory, if one doesn't already exist: Enter mkdir ~/go .

3. Create a directory within the $GOPATH directory. This directory is used to hold the
different project directories created in this example.

Bash

mkdir ~/go/src

4. Create a directory to hold your Terraform module replacing the placeholder. For
this example, a directory name of my-module-name is used.

Bash

mkdir ~/go/src/<your-module-name>

5. Navigate to your module directory:

Bash

cd ~/go/src/<your-module-name>
Create and test your Terraform module
1. Run the following command and follow the instructions. When asked if you want
to create the Docker files, you enter N .

Bash

yo az-terra-module

2. Run the following command to install the dependencies:

Bash

bundle install

3. Run the following command to build the module:

Bash

rake build

4. Run the following command to run the test:

Bash

rake e2e

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Install and use the Azure Terraform Visual Studio Code extension .
Store Terraform state in Azure Storage
Article • 05/08/2023

Terraform enables the definition, preview, and deployment of cloud infrastructure.

Terraform state is used to reconcile deployed resources with Terraform configurations.

State allows Terraform to know what Azure resources to add, update, or delete.

By default, Terraform state is stored locally, which isn't ideal for the following reasons:

Local state doesn't work well in a team or collaborative environment.

Terraform state can include sensitive information.
Storing state locally increases the chance of inadvertent deletion.

In this article, you learn how to:

＂ Create an Azure storage account

＂ Use Azure storage to store remote Terraform state.
＂ Understand state locking
＂ Understand encryption at rest

1. Configure your environment

Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

2. Configure remote state storage account

Before you use Azure Storage as a backend, you must create a storage account.

Run the following commands or configuration to create an Azure storage account and
container:

Azure CLI

#!/bin/bash

RESOURCE_GROUP_NAME=tfstate
STORAGE_ACCOUNT_NAME=tfstate$RANDOM
CONTAINER_NAME=tfstate

# Create resource group

az group create --name $RESOURCE_GROUP_NAME --location eastus

# Create storage account

az storage account create --resource-group $RESOURCE_GROUP_NAME --name
$STORAGE_ACCOUNT_NAME --sku Standard_LRS --encryption-services blob

# Create blob container

az storage container create --name $CONTAINER_NAME --account-name
$STORAGE_ACCOUNT_NAME

Key points:

Azure storage accounts require a globally unique name. To learn more about
troubleshooting storage account names, see Resolve errors for storage account
names.
Terraform state is stored in plain text and may contain secrets. If the state is
incorrectly secured, unauthorized access to systems and data loss can result.
In this example, Terraform authenticates to the Azure storage account using an
Access Key. In a production deployment, it's recommended to evaluate the
available authentication options supported by the azurerm backend and to use
the most secure option for your use case.
In this example, public network access is allowed to this Azure storage account. In
a production deployment, it's recommended to restrict access to this storage
account using a storage firewall, service endpoint, or private endpoint.

3. Configure terraform backend state

To configure the backend state, you need the following Azure storage information:
storage_account_name: The name of the Azure Storage account.
container_name: The name of the blob container.
key: The name of the state store file to be created.
access_key: The storage access key.

Each of these values can be specified in the Terraform configuration file or on the
command line. We recommend that you use an environment variable for the access_key
value. Using an environment variable prevents the key from being written to disk.

Run the following commands to get the storage access key and store it as an
environment variable:

Azure CLI

ACCOUNT_KEY=$(az storage account keys list --resource-group

$RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query
'[0].value' -o tsv)
export ARM_ACCESS_KEY=$ACCOUNT_KEY

Key points:

To further protect the Azure Storage account access key, store it in Azure Key Vault.
The environment variable can then be set by using a command similar to the
following. For more information on Azure Key Vault, see the Azure Key Vault
documentation.

Bash

export ARM_ACCESS_KEY=$(az keyvault secret show --name terraform-

backend-key --vault-name myKeyVault --query value -o tsv)

Create a Terraform configuration with a backend configuration block.

HashiCorp Configuration Language

terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
}
backend "azurerm" {
resource_group_name = "tfstate"
storage_account_name = "<storage_account_name>"
container_name = "tfstate"
key = "terraform.tfstate"
}

provider "azurerm" {
features {}
}

resource "azurerm_resource_group" "state-demo-secure" {

name = "state-demo"
location = "eastus"
}

Replace <storage_account_name> with the name of your Azure storage account.

Run the following command to initialize the configuration:

Bash

terraform init

Run the following command to run the configuration:

Bash

terraform apply

You can now find the state file in the Azure Storage blob.

4. Understand state locking

Azure Storage blobs are automatically locked before any operation that writes state. This
pattern prevents concurrent state operations, which can cause corruption.

For more information, see State locking in the Terraform documentation.

You can see the lock when you examine the blob through the Azure portal or other
Azure management tooling.
5. Understand encryption-at-rest
Data stored in an Azure blob is encrypted before being persisted. When needed,
Terraform retrieves the state from the backend and stores it in local memory. If you use
this pattern, state is never written to your local disk.

For more information on Azure Storage encryption, see Azure Storage service
encryption for data at rest.

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about using Terraform in Azure
Implement compliance testing with
Terraform and Azure
Article • 03/20/2023

Terraform enables the definition, preview, and deployment of cloud infrastructure.

Many times, compliance testing is part of the continuous integration process and is used
to ensure that user-defined policies are followed. For example, you might define
geopolitical naming conventions for your Azure resources. Another common example is
creating virtual machines from a defined subset of images. Compliance testing would be
used to enforce rules in these and many other scenarios.

In this article, you learn how to:

＂ Understand when to use compliance testing

＂ Learn how to do a compliance test
＂ See and run an example compliance test

1. Configure your environment

Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

Docker: Install Docker .

Python: Install Python .

Terraform-compliance tool: Install the Terraform compliance tool by running the
following command: pip install terraform-compliance .

Example code and resources: Using the DownGit tool, download from GitHub the
compliance-testing project and unzip into a new directory to contain the
example code. This directory is referred to as the example directory.

2. Understand compliance testing and checks

Compliance testing is a nonfunctional testing technique to determine if a system meets
prescribed standards. Compliance testing is also known as conformance testing.

Most software teams do an analysis to check that the standards are properly enforced
and implemented. Often working simultaneously to improve the standards that, in turn,
lead to increased quality.

With compliance testing, there are two important concepts to consider: compliance
testing and compliance checks.

Compliance testing ensures that the output of each development lifecycle phase
conforms to agreed-upon requirements.
Compliance checks should be integrated into the development cycle at the
beginning of the projects. Attempting to add compliance checks at a later stage
becomes increasingly more difficult when the requirement itself isn't adequately
documented.

Doing compliance checks is straight forward. A set of standards and procedures is

developed and documented for each phase of the development lifecycle. The output of
each phase is compared against the documented requirements. The results of the test
are any "gaps" in not conforming to the predetermined standards. Compliance testing is
done through the inspection process and the outcome of the review process should be
documented.

Let's take a look at a specific example.

A common problem is environments that break when multiple developers apply

incompatible changes. Let's say one person works on a change and applies resources
such as creating a VM in a test environment. Another person then applies a different
version of the code that provisions different version of that VM. What is needed here is
oversight to ensure conformity to stated rules.

One way to address this issue would be to define a policy of tagging the resources -
such as with role and creator tags. Once you define the policies, a tool like Terraform-
compliance is used to ensure the policies are followed.

Terraform-compliance focuses on negative testing. Negative testing is the process of

ensuring that a system can gracefully handle unexpected input or unwanted behavior.
Fuzzing is an example of negative testing. With fuzzing, a system that receives input is
tested to ensure that it can safely handle unexpected input.

Fortunately, Terraform is an abstraction layer for any API that creates, updates, or
destroys cloud-infrastructure entities. Terraform also ensures the local configuration and
the remote API responses are in synch. Since Terraform is mostly used against Cloud
APIs, we still need a way to ensure the code deployed against the infrastructure follows
specific policies. Terraform-compliance - a free and open-source tool - provides this
functionality for Terraform configurations.

Using the VM example, a compliance policy might be as follows: "If you're creating an
Azure resource, it must contain a tag".

The Terraform-compliance tool provides a test framework where you create policies like
the example. You then run those policies against your Terraform execution plan.

Terraform-compliance allows you to apply BDD, or behavior-driven development,

principles. BDD is a collaborative process where all stakeholders work together to define
what a system should do. These stakeholders generally include the developers, testers,
and anyone with a vested interest in - or who will be impacted by - the system being
developed. The goal of BDD is to encourage teams to build concrete examples that
express a common understanding of how the system should behave.

3. Examine a compliance-test example

Previously in this article, you read about a compliance-testing example of creating a VM
for a test environment. This section shows how to translate that example into a BDD
Feature and Scenario. The rule is first expressed using Cucumber, which is a tool used to
support BDD.

Cucumber

when creating Azure resources, every new resource should have a tag

The previous rule is translated as follows:

Cucumber
If the resource supports tags
Then it must contain a tag
And its value must not be null

The Terraform HCL code would then adhere to the rule as follows.

HashiCorp Configuration Language

resource "random_uuid" "uuid" {}

resource "azurerm_resource_group" "rg" {

name = "rg-hello-tf-${random_uuid.uuid.result}"
location = var.location

tags = {
environment = "dev"
application = "Azure Compliance"
}
}

The first policy could be written as a BDD feature scenario as follows:

Cucumber

Feature: Test tagging compliance # /target/src/features/tagging.feature

Scenario: Ensure all resources have tags
If the resource supports tags
Then it must contain a tag
And its value must not be null

The following code shows a test for a specific tag:

Cucumber

Scenario Outline: Ensure that specific tags are defined

If the resource supports tags
Then it must contain a tag <tags>
And its value must match the "<value>" regex

4. Run the compliance-test example

In this section, you download and test the example.

1. Within the example directory, navigate to the src directory.

2. Run terraform init to initialize the working directory.

Console

terraform init

3. Run terraform validate to validate the syntax of the configuration files.

Console

terraform validate

Key points:

You see a message indicating that the Terraform configuration is valid.

4. Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

5. Run terraform show to convert the execution plan to JSON for the compliance
step.

Bash

terraform show -json main.tfplan > main.tfplan.json

6. Run docker pull to download the terraform-compliance image.

Console

docker pull eerkunt/terraform-compliance

7. Run docker run to run the tests in a docker container.

Console

docker run --rm -v $PWD:/target -it eerkunt/terraform-compliance -f

features -p main.tfplan.json
Key points:

The test will fail because - while the first rule requiring existence of tags
succeeds - the second rule fails in that the Role and Creator tags are
missing.

8. Fix the error by modifying main.tf as follows (where a Role and Creator tag are
added).

Terraform

tags = {
Environment = "dev"
Application = "Azure Compliance"
Creator = "Azure Compliance"
Role = "Azure Compliance"
}

Key points:

The configuration is now in compliance with the policy.

5. Verify the results

1. Run terraform validate again to verify the syntax.

Console

terraform validate

2. Run terraform plan again to create a new execution plan.

Console

terraform plan -out main.tfplan

3. Run terraform show to convert the execution plan to JSON for the compliance
step.

Bash

terraform show -json main.tfplan > main.tfplan.json

4. Run docker run again to test the configuration. If the full spec has been
implemented, the test succeeds.

Console

docker run --rm -v $PWD:/target -it eerkunt/terraform-compliance -f

features -p main.tfplan.json

5. Run terraform apply to apply the execution plan.

Console

terraform apply main.tfplan -target=random_uuid.uuid

Key points:

A resource group is created with a name following the pattern: rg-hello-tf-

<random_number> .

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about using Terraform in Azure
Implement end-to-end Terratest testing
on Terraform projects
Article • 09/01/2022

Terraform enables the definition, preview, and deployment of cloud infrastructure.

End-to-end (E2E) testing is used to validate a program works before deploying it to

production. An example scenario might be a Terraform module deploying two virtual
machines into a virtual network. You might want to prevent the two machines from
pinging each other. In this example, you could define a test to verify the intended
outcome before deployment.

E2E testing is typically a three-step process.

1. A configuration is applied to a test environment.

2. Code is run to verify the results.
3. The test environment is either reinitialized or taken down (such as deallocating a
virtual machine).

In this article, you learn how to:

Understand the basics of end-to-end testing with Terratest

Learn how to write end-to-end test using Golang
Learn how to use Azure DevOps to automatically trigger end-to-end tests
when code is committed to your repo

1. Configure your environment

Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

Go programming language: Install Go .

Example code and resources: Using the DownGit tool, download from GitHub the
end-to-end-testing project and unzip into a new directory to contain the
example code. This directory is referred to as the example directory.

2. Understand end-to-end testing

End-to-end tests validate a system works as a collective whole. This type of testing is as
opposed to testing specific modules. For Terraform projects, end-to-end testing allows
for the validation of what has been deployed. This type of testing differs from many
other types that test pre-deployment scenarios. End-to-end tests are critical for testing
complex systems that include multiple modules and act on multiple resources. In such
scenarios, end-to-end testing is the only way to determine if the various modules are
interacting correctly.

This article focuses on using Terratest to implement end-to-end testing. Terratest

provides all the plumbing that is required to do the following task:

Deploy a Terraform configuration

Enables you to write a test using the Go language to validate what has been
deployed
Orchestrate the tests into stages
Tear down the deployed infrastructure

3. Understand the test example

For this article, we're using a sample available in the Azure/terraform sample repo .

This sample defines a Terraform configuration that deploys two Linux virtual machines
into the same virtual network. One VM - named vm-linux-1 - has a public IP address.
Only port 22 is opened to allow SSH connections. The second VM - vm-linux-2 - has no
defined public IP address.

The test validates the following scenarios:

The infrastructure is deployed correctly

Using port 22, it's possible to open an SSH session to vm-linux-1
Using the SSH session on vm-linux-1 , it's possible to ping vm-linux-2
If you downloaded the sample, the Terraform configuration for this scenario can be
found in the src/main.tf file. The main.tf file contains everything necessary to deploy
the Azure infrastructure represented in the preceding figure.

If you're unfamiliar with how to create a virtual machine, see Create a Linux VM with
infrastructure in Azure using Terraform.

Ｕ Caution

The sample scenario presented in this article is for illustration purposes only. We've
purposely kept things simple in order to focus on the steps of an end-to-end test.
We don't recommend having production virtual machines that exposes SSH ports
over a public IP address.

4. Examine the test example

The end-to-end test is written in the Go language and uses the Terratest framework. If
you downloaded the sample, the test is defined in the src/test/end2end_test.go file.

The following source code shows the standard structure of a Golang test using Terratest:

package test

import (
"testing"

"github.com/gruntwork-io/terratest/modules/terraform"
test_structure "github.com/gruntwork-io/terratest/modules/test-
structure"
)

func TestEndToEndDeploymentScenario(t *testing.T) {

t.Parallel()

fixtureFolder := "../"

// Use Terratest to deploy the infrastructure

test_structure.RunTestStage(t, "setup", func() {
terraformOptions := &terraform.Options{
// Indicate the directory that contains the Terraform
configuration to deploy
TerraformDir: fixtureFolder,
}

// Save options for later test stages

test_structure.SaveTerraformOptions(t, fixtureFolder,
terraformOptions)

// Triggers the terraform init and terraform apply command

terraform.InitAndApply(t, terraformOptions)
})

test_structure.RunTestStage(t, "validate", func() {

// run validation checks here
terraformOptions := test_structure.LoadTerraformOptions(t,
fixtureFolder)
publicIpAddress := terraform.Output(t, terraformOptions,
"public_ip_address")
})

// When the test is completed, teardown the infrastructure by calling

terraform destroy
test_structure.RunTestStage(t, "teardown", func() {
terraformOptions := test_structure.LoadTerraformOptions(t,
fixtureFolder)
terraform.Destroy(t, terraformOptions)
})
}

As you can see in the previous code snippet, the test is composed by three stages:

setup: Runs Terraform to deploy the configuration

validate`: Does the validation checks and assertions
teardown: Cleans up the infrastructure after the test has run

The following list shows some of the key functions provided by the Terratest framework:

terraform.InitAndApply: Enables running terraform init and terraform apply

from Go code
terraform.Output: Retrieves the value of the deployment output variable.
terraform.Destroy: Runs the terraform destroy command from Go code.
test_structure.LoadTerraformOptions: Loads Terraform options - such as
configuration and variables - from the state
test_structure.SaveTerraformOptions: Saves Terraform options - such as
configuration and variables - to the state

5. Run the test example

The following steps run the test against the sample configuration and deployment.

1. Open a bash/terminal window.

2. Log in to your Azure account.

3. To run this sample test, you need an SSH private/public key pair name id_rsa and
id_rsa.pub in your home directory. Replace <your_user_name> with the name of

your home directory.

Bash

export TEST_SSH_KEY_PATH="~/.ssh/id_rsa"

4. Within the example directory, navigate to the src/test directory.

5. Run the test.

go test -v ./ -timeout 10m

6. Verify the results

After successfully running go test , you see results similar to the following output:

Output

--- PASS: TestEndToEndDeploymentScenario (390.99s)

PASS
ok test 391.052s
Troubleshoot Terraform on Azure
Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about using Terraform in Azure
Implement integration tests for
Terraform projects in Azure
Article • 03/23/2023

Terraform enables the definition, preview, and deployment of cloud infrastructure.

Integration tests validate that a newly introduced code change doesn't break existing
code. In DevOps, continuous integration (CI) refers to a process that builds the entire
system whenever the code base is changed - such as someone wanting to merge a PR
into a Git repo. The following list contains common examples of integration tests:

Static code analysis tools such as lint and format.

Run terraform validate to verify the syntax of the configuration file.
Run terraform plan to ensure the configuration will work as expected.

In this article, you learn how to:

＂ Learn the basics of integration testing for Terraform projects.

＂ Use Azure DevOps to configure a continuous integration pipeline.
＂ Run static code analysis on Terraform code.
＂ Run terraform validate to validate Terraform configuration files on the local
machine.
＂ Run terraform plan to validate that Terraform configuration files from a remote
services perspective.
＂ Use an Azure Pipeline to automate continuous integration.

1. Configure your environment

Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

Azure DevOps organization and project: If you don't have one, create an Azure
DevOps organization.

Terraform Build & Release Tasks extension: Install the Terraform build/release
tasks extension into your Azure DevOps organization.

Grant Azure DevOps access to your Azure Subscription: Create an Azure service
connection named terraform-basic-testing-azure-connection to allow Azure
Pipelines to connect to your Azure subscriptions

Example code and resources: Download from GitHub the integration-testing

project . The directory into which you download the sample is referred to as the
example directory.

2. Validate a local Terraform configuration

The terraform validate command is run from the command line in the directory
containing your Terraform files. This commands main goal is validating syntax.

1. Within the example directory, navigate to the src directory.

2. Run terraform init to initialize the working directory.

Console

terraform init

3. Run terraform validate to validate the syntax of the configuration files.

Console

terraform validate

Key points:

You see a message indicating that the Terraform configuration is valid.

4. Edit the main.tf file.

5. On line 5, insert a typo that invalidates the syntax. For example, replace
var.location with var.loaction

6. Save the file.

7. Run validation again.

Console

terraform validate

Key points:

You see an error message indicating the line of code in error and a
description of the error.

As you can see, Terraform has detected an issue in the syntax of the configuration code.
This issue prevents the configuration from being deployed.

It is a good practice to always run terraform validate against your Terraform files
before pushing them to your version control system. Also, this level of validation should
be a part of your continuous integration pipeline. Later in this article, we'll explore how
to configure an Azure pipeline to automatically validate.

3. Validate Terraform configuration

In the previous section, you saw how to validate a Terraform configuration. That level of
testing was specific to syntax. That test didn't take into consideration what might
already be deployed on Azure.

Terraform is a declarative language meaning that you declare what you want as an end-
result. For example, let's say you have 10 virtual machines in a resource group. Then, you
create a Terraform file defining three virtual machines. Applying this plan doesn't
increment the total count to 13. Instead, Terraform deletes seven of the virtual machines
so that you end with three. Running terraform plan allows you to confirm the potential
results of applying an execution plan to avoid surprises.

To generate the Terraform execution plan, you run terraform plan . This command
connects to the target Azure subscription to check what part of the configuration is
already deployed. Terraform then determines the necessary changes to meet the
requirements stated in the Terraform file. At this stage, Terraform isn't deploying
anything. It's telling you what will happen if you apply the plan.
If you're following along with the article and you've done the steps in the previous
section, run the terraform plan command:

Console

terraform plan

After running terraform plan , Terraform displays the potential outcome of applying the
execution plan. The output indicates the Azure resources that will be added, changed,
and destroyed.

By default, Terraform stores state in the same local directory as the Terraform file. This
pattern works well in single-user scenarios. However, when multiple people work on the
same Azure resources, local state files can get out of sync. To remedy this issue,
Terraform supports writing state files to a remote data store (such as Azure Storage). In
this scenario, it might be problematic to run terraform plan on a local machine and
target a remote machine. As a result, it might make sense to automate this validation
step as part of your continuous integration pipeline.

4. Run static code analysis

Static code analysis can be done directly on the Terraform configuration code, without
executing it. This analysis can be useful to detect issues such as security problems and
compliance inconsistency.

The following tools provide static analysis for Terraform files:

Checkov
Terrascan
tfsec
Deepsource

Static analysis is often executed part of a continuous integration pipeline. These tests
don't require the creation of an execution plan or deployment. As a result, they run
faster than other tests and are generally run first in the continuous integration process.

5. Automate integration tests using Azure

Pipeline
Continuous integration involves testing an entire system when a change is introduced.
In this section, you see an Azure Pipeline configuration used to implement continuous
integration.

1. Using your editor of choice, browse to the local clone of the Terraform sample
project on GitHub .

2. Open the samples/integration-testing/src/azure-pipeline.yaml file.

3. Scroll down to the steps section where you see a standard set of steps used to run
various installation and validation routines.

4. Review the line that reads, Step 1: run the Checkov Static Code Analysis. In this
step, the Checkov project mentioned earlier runs a static code analysis on the
sample Terraform configuration.

YAML

- bash: $(terraformWorkingDirectory)/checkov.sh
$(terraformWorkingDirectory)
displayName: Checkov Static Code Analysis

Key points:

This script is responsible for running Checkov in the Terraform workspace

mounted inside a Docker container. Microsoft-managed agents are Docker
enabled. Running tools inside a Docker container is easier and removes the
need to install Checkov on the Azure Pipeline agent.
The $(terraformWorkingDirectory) variable is defined in the azure-
pipeline.yaml file.

5. Review the line that reads, Step 2: install Terraform on the Azure Pipelines agent.
The Terraform Build & Release Task extension that you installed earlier has a
command to install Terraform on the agent running the Azure Pipeline. This task is
what is being done in this step.

YAML

- task: charleszipp.azure-pipelines-tasks-terraform.azure-pipelines-
tasks-terraform-installer.TerraformInstaller@0
displayName: 'Install Terraform'
inputs:
terraformVersion: $(terraformVersion)

Key points:
The version of Terraform to install is specified via an Azure Pipeline variable
named terraformVersion and defined in the azure-pipeline.yaml file.

6. Review the line that reads, Step 3: run Terraform init to initialize the workspace.
Now that Terraform is installed on the agent, the Terraform directory can be
initialized.

YAML

- task: charleszipp.azure-pipelines-tasks-terraform.azure-pipelines-
tasks-terraform-cli.TerraformCLI@0
displayName: 'Run terraform init'
inputs:
command: init
workingDirectory: $(terraformWorkingDirectory)

Key points:

The command input specifies which Terraform command to run.

The workingDirectory input indicates the path of the Terraform directory.
The $(terraformWorkingDirectory) variable is defined in the azure-
pipeline.yaml file.

7. Review the line that reads, Step 4: run Terraform validate to validate HCL syntax.
Once the project directory is initialized, terraform validate is run to validate the
configuration on the server.

YAML

- task: charleszipp.azure-pipelines-tasks-terraform.azure-pipelines-
tasks-terraform-cli.TerraformCLI@0
displayName: 'Run terraform validate'
inputs:
command: validate
workingDirectory: $(terraformWorkingDirectory)

8. Review the line that reads, Step 5: run Terraform plan to validate HCL syntax. As
explained earlier, generating the execution plan is done to verify if the Terraform
configuration is valid before deployment.

YAML

- task: charleszipp.azure-pipelines-tasks-terraform.azure-pipelines-
tasks-terraform-cli.TerraformCLI@0
displayName: 'Run terraform plan'
inputs:
command: plan
workingDirectory: $(terraformWorkingDirectory)
environmentServiceName: $(serviceConnection)
commandOptions: -var location=$(azureLocation)

Key points:

The environmentServiceName input refers to the name of the Azure service

connection created in Configure your environment. The connection allows
Terraform to access your Azure subscription.
The commandOptions input is used to pass arguments to the Terraform
command. In this case, a location is being specified. The $(azureLocation)
variable is defined earlier in the YAML file.

Import the pipeline into Azure DevOps

1. Open your Azure DevOps project and go into the Azure Pipelines section.

2. Select Create Pipeline button.

3. For the Where is your code? option, select GitHub (YAML).

4. At this point, you might have to authorize Azure DevOps to access your
organization. For more information on this topic, see the article, Build GitHub
repositories.

5. In the repositories list, select the fork of the repository you created in your GitHub
organization.

6. In the Configure your pipeline step, choose to start from an existing YAML
pipeline.

7. When the Select existing YAML pipeline page displays, specify the branch master
and enter the path to the YAML pipeline: samples/integration-testing/src/azure-
pipeline.yaml .

8. Select Continue to load the Azure YAML pipeline from GitHub.

9. When the Review your pipeline YAML page displays, select Run to create and
manually trigger the pipeline for the first time.

Verify the results

You can run the pipeline manually from the Azure DevOps UI. However, the point of the
article is to show automated continuous integration. Test the process by committing a
change to the samples/integration-testing/src folder of your forked repository. The
change will automatically trigger a new pipeline on the branch on which you're pushing
the code.

Once you've done that step, access the details in Azure DevOps to ensure that
everything ran correctly.
Troubleshoot Terraform on Azure
Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about using Terraform in Azure
Troubleshoot common problems when
using Terraform on Azure
Article • 09/01/2021

This article lists common problems and possible solutions when using Terraform on
Azure.

If you encounter a problem that is specific to Terraform, use one of HashiCorp's

community support channels.

Unable to list provider registration status

VPN errors

HashiCorp Terraform specific support channels

Questions, use-cases, and useful patterns: Terraform section of the HashiCorp
community portal
Provider-related questions: Terraform Providers section of the HashiCorp
community portal

Unable to list provider registration status

Error message:

Error: Unable to list provider registration status, it is possible that this is due to invalid
credentials or the service principal does not have permission to use the Resource Manager
API, Azure error: resources.ProvidersClient#List: Failure responding to request:
StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403
Code="AuthorizationFailed" Message="The client '00000000-0000-0000-0000-
000000000000' with object id '00000000-0000-0000-0000-000000000000' does not have
authorization to perform action 'Microsoft.Resources/subscriptions/providers/read' over
scope '/subscriptions/00000000-0000-0000-0000-000000000000' or the scope is invalid. If
access was recently granted, please refresh your credentials."

Background: If you're running Terraform commands from the Cloud Shell and
you've defined certain Terraform/Azure environment variables , you can sometimes
see conflicts. The environment variables and the Azure value they represent are listed in
the following table:
Environment variable Azure value

ARM_SUBSCRIPTION_ID Azure subscription ID

ARM_TENANT_ID Microsoft account tenant ID

ARM_CLIENT_ID Azure service principal app ID

ARM_CLIENT_SECRET Azure service principal password

Cause: As of this writing, the Terraform script that runs in Cloud Shell overwrites the
ARM_SUBSCRIPTION_ID and ARM_TENANT_ID environment variables using values from the
current Azure subscription. As a result, if the service principal referenced by the
environment variables doesn't have rights to the current Azure subscription, any
Terraform operations will fail.

Error acquiring the state lock

Error message:

Error: Error acquiring the state lock; Error message: 2 errors occurred:
* state blob is already locked
* blob metadata "terraformlockid" was empty
Terraform acquires a state lock to protect the state from being written by multiple users at
the same time. Please resolve the issue above and try again. For most commands, you can
disable locking with the "-lock=false" flag, but this is not recommended.

Background: If you're running Terraform commands against a Terraform state file and
this error is the only message that appears, the following causes might apply. Applies to
local and remote state files.

Cause: There are two potential causes for this error. The first is that a Terraform
command is already running against the state file and it has forced a lock on the file, so
nothing breaks. The second potential cause is that a connection interruption occurred
between the state file and the CLI when commands were running. This interruption most
commonly occurs when you're using remote state files.

Resolution: First, make sure that you aren't already running any commands against the
state file. If you're working with a local state file, check to see whether you have
terminals running any commands. Alternatively, check your deployment pipelines to see
whether something running might be using the state file. If this doesn't resolve the
issue, it's possible that the second cause triggered the error. For a remote state file
stored in an Azure Storage account container, you can locate the file and use the Break
lease button.

If you're using other back ends to store your state file, for recommendations, see the
HashiCorp documentation .

VPN errors
For information about resolving VPN errors, see the article, Troubleshoot a hybrid VPN
connection.
Overview of Azure Export for Terraform
Article • 05/10/2023

Azure Export for Terraform is a tool designed to help reduce friction in translation
between Azure and Terraform concepts.

Benefits
Azure Export for Terraform enables you to:

Simplify migration to Terraform on Azure. Azure Export for Terraform allows you
to migrate Azure resources to Terraform using a single command.
Export user-specified sets of resources to Terraform HCL code and state with a
single command. Azure Export for Terraform enables you to specify a
predetermined scope to export. The scope can be as granular as a single resource.
You can also export a resource group and its nested resources. Finally, you can
export an entire subscription.
Inspect preexisting infrastructure with all exposed properties. Whether learning a
newly released resource or investigating an issue in production, Azure Export for
Terraform supports a read-only export with the option to expose all configurable
resource properties.
Follow plan/apply workflow to integrate non-Terraform infrastructure into
Terraform. Export HCL code, inspect non-Terraform resources and easily integrate
them into your production infrastructure and remote backends.

Installation
The Azure Export for Terraform GitHub page lists releases of the tool with links to
installation for various platforms (Windows MSIs, Homebrew, and Linux installations)
and the source code.

Usage
At its most abstract, Azure Export is called as follows:

Console

aztfexport [command] [option] <scope>

The scope changes depending on the command being run, as do the available set of
option flags. There are three commands that should be used based on what you are
trying to export:

Task Description Example

Export a To export a single resource, specify the Azure aztfexport resource [option]
single resourceID associated with the resource. <resource id>
resource.

Export a To export a resource group (and its nested aztfexport resource-group

resource resources), specify the resource group name; not [option] <resource group
group. the ID. name>

Export The tool supports exporting with an Azure aztfexport query [option]
using a Resource Graph query. <ARG where predicate>
query.

Data-collection disclosure
By default, Azure Export for Terraform collects telemetry data. However, you can easily
disable this process.

Microsoft aggregates collected data to identify patterns of usage to identify common

issues and to improve the experience of Azure Export for Terraform. For example, the
usage data helps identify issues such as commands with low success and helps prioritize
our work. Azure Export for Terraform doesn't collect any private or personal data.

If you do want to disable data collection, run the following command after installing the
tool:

Console

aztfexport config set telemetry_enabled false

Next steps
Concepts:

Azure Export for Terraform concepts: Learn the workflows of Azure Export for Terraform
and its best practices and current design limitations.

Quickstart articles:
Export your first resources using Azure Export for Terraform
Export Azure resources to HCL code using Azure Export for Terraform

How-to articles:

How-to articles explain more complex scenarios along with explanations and options:

Exploring customized resource selection and naming using Azure Export for
Terraform
Using Azure Export for Terraform in advanced scenarios
Quickstart: Export your first resources
using Azure Export for Terraform
Article • 05/10/2023

This article shows how to export Azure resources into local state files using Azure Export
for Terraform.

＂ Create a test Azure resource group using Azure CLI or Azure PowerShell.
＂ Create a test Linux virtual machine using Azure CLI or Azure PowerShell.
＂ Export the state for the resource group and virtual machine from Azure to the local
state file.
＂ Test that the local state matches the state of the resources in Azure.

Prerequisites
Install and configure Terraform
Install Azure Export for Terraform

Create the test Azure resources

Create a Linux VM.

Azure CLI

1. Run az group create to create an Azure resource group.

Azure CLI

az group create --name myResourceGroup --location eastus

2. Run az vm create to create the virtual machine.

Azure CLI

az vm create \
--resource-group myResourceGroup \
--name myVM \
--image Debian \
--admin-username azureadmin \
--generate-ssh-keys \
--public-ip-sku Standard
Export an Azure resource
You can run the aztfexport tool in one of two modes: interactive and non-interactive.
For this demo, you use the interactive mode.

1. Create a directory in which to test.

2. Open a command prompt and navigate to the new directory.

3. Run aztfexport resource-group to export the resource group named

myResourceGroup .

Console

aztfexport resource-group myResourceGroup

4. After the tool initializes, a list of the resources to be exported is displayed. Each
line has an Azure resourceID matched to the corresponding AzureRM resource
type. The list of available commands displays at the bottom of the display. Using
one of the commands, scroll to the bottom and verify that the expected Azure
resources are properly mapped to their respective Terraform resource types.
5. Press w to run the export.

Key points:

For a non-interactive resource, add the --non-interactive flag: aztfexport

rg --non-interactive myResourceGroup .

７ Note

Running Azure Export for Terraform can take several minutes to complete.

Verify the results

After the tool has finished exporting your Azure resources, run the following commands
in the same directory that contains the generated files.

1. Run terraform init .

Console

terraform init --upgrade

2. Run terraform plan .

Console

terraform plan

If the terminal outputs No changes needed, then congratulations!

Your infrastructure and its corresponding state have been successfully exported to
Terraform.

Clean up resources
When you no longer need the resources created in this article, do the following steps:

1. Navigate to the directory containing your Terraform files for this article.

2. Run terraform destroy .

Console

terraform destroy

Next steps
Export resources into HCL code using Azure Export for Terraform
Quickstart: Export Azure resources into
HCL code using Azure Export for
Terraform
Article • 05/10/2023

In the article, Export your first resources using Azure Export for Terraform, you learn how
to export Azure resources into local state files using Azure Export for Terraform. In this
article, you learn how to generate the Terraform configuration files from your Azure
resources.

＂ Create a test Azure resource group using Azure CLI or Azure PowerShell.
＂ Create a test Linux virtual machine using Azure CLI or Azure PowerShell.
＂ Export the resource group and virtual machine from Azure to HCL files.
＂ Test that the local state matches the state of the resources in Azure.

Prerequisites
Install and configure Terraform
Install Azure Export for Terraform

Create the test Azure resources

Create a Linux VM.

Azure CLI

1. Run az group create to create an Azure resource group.

Azure CLI

az group create --name myResourceGroup --location eastus

2. Run az vm create to create the virtual machine.

Azure CLI

az vm create \
--resource-group myResourceGroup \
--name myVM \
--image Debian \
--admin-username azureadmin \
--generate-ssh-keys \
--public-ip-sku Standard

Understand the hcl-only flag

Azure Export for Terraform supports a flag - --hcl-only - that causes the generation of
the following files from the exported resource(s):

Generated .tf HCL files.

Mapping file aztfexportResourceMapping.json .
Skipped resources are listed in aztfexportSkippedResources.txt .

The --hcl-only flag is supported for all primary export commands used for exporting:

resource
resource-group
query
mapping-file

To view the available Azure Export for Terraform commands, run the following
command:

Console

aztfexport --help

The --hcl-only flag is useful in scenarios where you don't need the state or aren't sure
if you need to generate the state. To export all the generated configuration to state, run
aztfexport mapping-file .

 Tip

When using the --hcl-only flag, target an empty directory to avoid making
unwanted changes to any current state during the export stage.

Export an Azure resource

You can run the aztfexport tool in one of two modes: interactive and non-interactive.
For this demo, you use the non-interactive mode.

1. Create a directory in which to test.

2. Open a command prompt and navigate to the new directory.

3. Run aztfexport resource-group to export the resource group named

myResourceGroup .

Console

aztfexport resource-group --non-interactive --hcl-only myResourceGroup

７ Note

Running Azure Export for Terraform can take several minutes to complete.

Verify the results

After the tool has finished exporting your Azure resources, verify the following files in
the directory where you ran Azure Export for Terraform:

main.tf contains the HCL code that defines the exported resources.

aztfexportResourceMapping.json contains the Azure/Terraform mappings. The

mapping file includes the following information for each exported Azure resource:
Azure resource ID, Terraform resource type, and Terraform resource name. The
contents of the mapping file mirror what Azure Export for Terraform displays
during the export process.
aztfexportSkippedResources.txt contains the list of skipped resources. You

shouldn't see this file for this example.

Clean up resources
When you no longer need the resources created in this article, do the following steps:

1. Navigate to the directory containing your Terraform files for this article.

2. Run terraform destroy .

Console
terraform destroy

Next steps
How Azure Export for Terraform works
Customized resource selection and
naming using Azure Export for
Terraform
Article • 05/10/2023

Azure Export for Terraform provides various options to customize which resources you
export.

In this article, you learn pros and cons for each option.

＂ Using the UI
＂ Using Query Mode
＂ Using a Mapping File

Using the user interface

When you run Azure Export for Terraform in interactive mode, the specified resources
(via the parameters you specify when running) display. By default, all of the resources
are exported.

The Delete acts as a toggle in skipping or including resources. To remove resources

from being exported, use the arrow keys to select the desired resource and press Delete

. The resource is updated to display "Skip".

To undo the skip action, verify the skipped resource is selected, and press Delete again.

Pros:

Requires the use of a single toggle key.

Don’t need to know the resources you want before running the command.

Cons:

Action can be time consuming if you have many resources to scroll through and
skip.

Using query mode

Applying a filter using Azure Resource Graph query syntax is a powerful technique when
you know exactly what filters you need.
Console

aztfexport query [option] <ARG_where_predicate>

As an example, let's say you have a resource group named myResourceGroup that has
many resources including a network resource. If you want to export only the network
resource, you could use the following syntax:

Console

aztfexport query -n "resourceGroup =~ 'myResourceGroup' and type contains

'Microsoft.Network'"

Pros:

Single command with no manual editing required.

Supports an unlimited number of filters.
Handles large amount of resources efficiently.

Cons:

Easy to exclude resources you need to export.

Requires knowledge of Azure Resource Graph syntax.

Using a mapping file

The following syntax shows the basics to export a set of resources that is defined in a
resource mapping file:

Console

aztfexport mapping-file [option] <resource_mapping_file>

You can use a mapping file in either interactive or non-interactive modes:

Interactive mode: Press s when running interactively in the resource list view.
Non-interactive mode: You can generate the mapping file in all export commands
( resource , resource-group , query , mapping file ) by adding the --generate-
mapping-file flag.

If your use cases require pre-export modifications, you can manually construct or edit
the mapping file. Here are some examples of when you would want to manually edit
your own mapping file:
Use-case Steps

You have many resources in a resource group Delete the JSON objects from your editor of
but only need to export a select few. choice and save the file before exporting.

You want to rename all your resources in a Change the resource-name property to whatever
consistent manner. name matches your company compliance
standards.

You need to refactor a set of resources by Use your editor to find all Microsoft.Network or
their resource type - such as networking or Microsoft.Compute resources.
compute.

For example, let's say you run the following command for a resource group that
contains a virtual machine:

Console

aztfexport rg --generate-mapping-file --non-interactive myResourceGroup

The results are similar to the following JSON file:

JSON

{
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virt
ualMachines/vm-MyResourceGroup/extensions/OmsAgentForLinux": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virt
ualMachines/vm-MyResourceGroup/extensions/OmsAgentForLinux",
"resource_type": "azurerm_virtual_machine_extension",
"resource_name": "res-0"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup",
"resource_type": "azurerm_resource_group",
"resource_name": "res-1"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/sshP
ublicKeys/vm-MyResourceGroup_key": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/sshP
ublicKeys/vm-MyResourceGroup_key",
"resource_type": "azurerm_ssh_public_key",
"resource_name": "res-2"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virt
ualMachines/vm-MyResourceGroup": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virt
ualMachines/vm-MyResourceGroup",
"resource_type": "azurerm_linux_virtual_machine",
"resource_name": "res-3"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/netw
orkInterfaces/vm-myResourceGroup-vm-d146": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/netw
orkInterfaces/vm-myResourceGroup-vm-d146",
"resource_type": "azurerm_network_interface",
"resource_name": "res-4"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/netw
orkInterfaces/vm-myResourceGroup-vm-
d146/networkSecurityGroups/L3N1YnNjcmlwdGlvbnMvZGJmM2I2Y2ItYzFkMC00ZDA0LTk0Y
jktNTE1MDliOGQzM2ZkL3Jlc291cmNlR3JvdXBzL2hhc2hpY29uZi12bS1kZW1vL3Byb3ZpZGVyc
y9NaWNyb3NvZnQuTmV0d29yay9uZXR3b3JrU2VjdXJpdHlHcm91cHMvdm0taGFzaGljb25mLXZtL
WRlbW8tbnNn": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/netw
orkInterfaces/vm-myResourceGroup-vm-d146|/subscriptions/00000000-0000-0000-
0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/netw
orkSecurityGroups/vm-MyResourceGroup-nsg",
"resource_type":
"azurerm_network_interface_security_group_association",
"resource_name": "res-5"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/netw
orkSecurityGroups/vm-MyResourceGroup-nsg": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/netw
orkSecurityGroups/vm-MyResourceGroup-nsg",
"resource_type": "azurerm_network_security_group",
"resource_name": "res-6"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/publ
icIPAddresses/vm-MyResourceGroup-ip": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/publ
icIPAddresses/vm-MyResourceGroup-ip",
"resource_type": "azurerm_public_ip",
"resource_name": "res-7"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virt
ualNetworks/MyResourceGroup-vnet": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virt
ualNetworks/MyResourceGroup-vnet",
"resource_type": "azurerm_virtual_network",
"resource_name": "res-8"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virt
ualNetworks/MyResourceGroup-vnet/subnets/default": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virt
ualNetworks/MyResourceGroup-vnet/subnets/default",
"resource_type": "azurerm_subnet",
"resource_name": "res-9"
}
}

Only the object value in the mapping file has significance. The key (defaults to the Azure
resource_id ) is just an identifier in this mode.

Now, let's say we want to keep the resource group and any compute-related resources,
and modify the resource_name value.

We could update the mapping file as follows:

JSON

{
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/myResourceGroup": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/myResourceGroup",
"resource_type": "azurerm_resource_group",
"resource_name": "myResourceGroup"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virt
ualMachines/myVM": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virt
ualMachines/myVM",
"resource_type": "azurerm_linux_virtual_machine",
"resource_name": "myVM"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/sshP
ublicKeys/myKey": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/sshP
ublicKeys/myKey",
"resource_type": "azurerm_ssh_public_key",
"resource_name": "myKey"
},
"/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virt
ualMachines/vm-myResourceGroup/extensions/OmsAgentForLinux": {
"resource_id": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virt
ualMachines/vm-myResourceGroup/extensions/OmsAgentForLinux",
"resource_type": "azurerm_virtual_machine_extension",
"resource_name": "myVMExtension"
}
}

Once you've edited the mapping file, you export the mapping file using the following
command:

Console

aztfexport map -n "aztfexportResourceMapping.json"

Pros:

Since you're editing a file, you can use an editor to find and replace what you need
to remove or edit.
JSON output enables unique functionality - such as scripting to filter.
Can rename resources to match your naming standards.
Can refactor JSON into multiple mapping files.
Handles large amounts of resources well.

Cons:

For simple scenarios, this technique might be overkill.

Requires manual modifications.

Summary
In this article, you learned about the various options to filter resources when exporting
with Azure Export for Terraform.

Next steps
Using Azure Export for Terraform in advanced scenarios
Using Azure Export for Terraform in
advanced scenarios
Article • 05/10/2023

This article explains how to do some of the more advanced tasks with Azure Export for
Terraform.

＂ Append resources to existing Terraform environments.

＂ Export resources into an existing Terraform environment with a remote backend
state

Appending to existing resources

By default, Azure Export for Terraform ensures the output directory is empty to avoid
any conflicts with existing user files. If you need to import resources to an existing state
file, add the --append flag.

Console

aztfexport [command] --append <scope>

When the --append flag is specified, Azure Export for Terraform verifies if there's a pre-
existing provider or terraform block in any of the files in the current directory. If not,
the tool creates a file for each block and then proceeds with exporting. If the output
directory has a state file, any exported resources are imported into the state file.

Additionally, the file generated has a .aztfexport suffix before the extension - such as
main.aztfexport.tf - to avoid potential file name conflicts.

If you run aztfexport --append multiple times, a single main.aztfexport.tf is created

with the export results appended to the file each time the command is run.

Bring your own Terraform configuration

By default, Azure Export for Terraform uses a local backend to store the state file.
However, it's also possible to use a remote backend. Azure Export for Terraform enables
you to define your own terraform or provider blocks to pass.
Define these blocks in a .tf file within your target directory, export with the --append
flag, and your config exports to the specified backend and provider version (if it's
provided).

） Important

If the specified version of AzureRM doesn't match your installed version when
exporting, the command fails.

Azure Storage example

This example is based on the article, Store Terraform state in Azure Storage.

Console

terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
}
backend "azurerm" {
resource_group_name = "tfstate"
storage_account_name = "storageacc"
container_name = "tfstate"
key = "terraform.tfstate"
}

provider "azurerm" {
features {}
}

Terraform Cloud example

Terraform

terraform {
cloud {
organization = "aztfexport-test"
workspaces {
name = "aztfexport-playground"
}
}
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
}
}
provider "azurerm" {
features {
}
}

Inline experience
To export to a backend inline, use the --backend-type and --backend-config options.
For more information about configuring a Terraform backend, see Terraform backend
configuration .

Using our Azure storage account example, you need the following as defined in the
AzureRM backend documentation .

Resource group name

Storage account name
Storage container name

Pass these parameters into the command along with your backend type:

Console

aztfexport [subcommand] --backend-type=azurerm \

--backend-config=resource_group_name=<resource group
name> \
--backend-config=storage_account_name=<account name>
\
--backend-config=container_name=<container name> \
--backend-config=key=terraform.tfstate

Key points:

In the previous example, I'm using the Unix line continuation character so that the
code displays well in the browser. You might need to change these characters to
match your command-line environment - such as PowerShell - or combine the
command onto one line.
If the backend state already exists, Azure Export for Terraform merges the new
resources with the existing state automatically. You don't need to specify the --
append option inline.
Export Azure resources to an existing Terraform
environment
Now, let's put it all together! Imagine new resources have been created outside of
Terraform that need to be moved into Terraform management. To complete the section,
make sure you have a backend configured. This tutorial uses the same configuration
that is specified in the Azure storage remote state tutorial.

1. In the parent directory of where you want the temporary directory created, run the
following command:

Console

aztfexport resource -o tempdir --hcl-only <resource_id>

Key points:

The -o flag specifies to create the directory if it doesn't exist.

The --hcl-only flag specifies to export the configured resources to HCL

2. After inspecting that the resource can be appended, utilize the generated mapping
file and the --append flag to ensure Azure Export respects the pre-existing remote
state and provider versions within our existing environment:

Console

aztfexport map --append `./tempdir/aztfexportResourceMapping.json`

3. Run terraform init .

Console

terraform init --upgrade

4. Run terraform plan .

5. Azure Export for Terraform should display No changes needed.

Congratulations! Your infrastructure and its corresponding state have been successfully
appended to your Terraform environment.

If your plan runs into issues, see Azure Export for Terraform concepts to understand
limitations regarding deploying code generated by --hcl-only . If that article doesn't
help you, open a GitHub issue .

Next steps
Azure Export for Terraform concepts
How Azure Export for Terraform Works
Article • 05/10/2023

This article introduces you to the Azure Export for Terraform workflows. In this article,
you learn about the tool's best practice guidance, current limitations, and how to
mitigate those limitations.

Interactive mode
By default, Azure Export for Terraform runs in interactive mode. When you run in
interactive mode, the available keyboard shortcuts are listed at the bottom of the
display.

Task Keyboard
shortcut(s)

Navigation

Select previous item in the resource list. ↑ -or- k

Select next item in the resource list. ↓ -or- j

Move to previous page in the resource list. ← -or- h -or-

Page Up

Move to next page in the resource list. → -or- l -or-

Page Down

Jump to the start of the resource list. g -or- Home

Jump to the end of the resource list. G -or- End

Selecting resources to skip

Skip resource (or unskip if marked as "Skip") Delete

Filter operations

Define a filter by text on the resource list. /

Clear any current filter Esc

Save operations

Save a mapping file of the resource list. The output file is affected by s
skipping (but not filtering).
Task Keyboard
shortcut(s)

Export resources to state (if --hcl-only isn't specified) and generates the w
config.

User experience

Display recommendations for current resource. r

Show resource export errors (if any). e

Display help. ?

Quit

Quit interactive mode. q

For each resource, Azure Export for Terraform tries to recognize the corresponding
Terraform resource type. If it finds a match, the line is marked with the following
indicator: 💡.

If the resource can't be resolved, you need to input the Terraform resource address in
the following form: <resource type>.<resource name> . For example,
azurerm_linux_virtual_machine.test refers to a Terraform resource type of
azurerm_linux_virtual_machine while the test refers to the name for the virtual
machine used in the configuration files.

To see the available resource type(s) for the selected resource, press r .

In some cases, there are Azure resources that have no corresponding Terraform
resources, such as if the resource lacks Terraform support. Some resources might also be
created as a side effect of provisioning another resource - such as the OS Disk resource
that is created when provisioning a virtual machine. In these cases, you can skip the
resources without assigning anything.

After going through all the resources to be imported, press w to begin generating the
Terraform configuration and (if --hcl-only isn't selected) importing to Terraform state.

Non-interactive mode
By default, Azure Export for Terraform runs in interactive mode. To specify that the tool
should run in non-interactive mode, specify the --non-interactive flag.

Console
aztfexport [command] --non-interactive <scope>

） Important

If the directory in which you're running Azure Export for Terraform isn't empty, you
must add the --overwrite flag to use the --hcl-only flag.

Best practices on core workflows

On a fundamental level, any user of Azure Export faces a decision between two options:

Export existing resources into state

Export existing resources into HCL

The following subsections provide guidance as to which option to take based on the
scenario.

Managing infrastructure
You may not need to export to state if you haven't verified the configured resources
behave within your environment in the desired manner.

If you're sure you wish to manage the set of resources in Terraform with terraform init
plan apply workflows, exporting to state is essential.

If you aren't sure you want to manage the resources yet, passing the --hcl-only flag is
recommended.

Existing infrastructure
In scenarios where you're exporting to existing Terraform environments, it may be
helpful to think of --hcl-only as a terraform plan equivalent, especially before
appending to existing environments.

The terraform apply command equates to exporting resources - during which their
config ties into the pre-existing state. In this scenario, using a mapping file saves run
time to list and map resources.

Discovering infrastructure
If you aren't sure what resources exist within an environment, you can verify by
specifying the --generate-mapping-file flag. For more information about this subject,
see Exploring customized resource selection and naming using Azure Export for
Terraform.

Limitations
Azure Export for Terraform is a complex tool that attempts to convert Azure
infrastructure into Terraform code and state. Its current known limitations are explained
in the following subsections.

Write-only properties
Certain properties within AzureRM are write-only and aren't included in the generated
code that Azure Export for Terraform creates. The issue is addressed by defining the
property after exporting to HCL code.

Cross-property constraints
The AzureRM provider can set two properties that conflict with each other. When
Azure Export for Terraform reads conflicting properties, it may set both properties to the
same value despite the user only configuring one. Further complications emerge when
multiple cross-property constraints exist within the same generated configuration. You
must know where cross-property conflicts exist within your configuration in order to
mitigate this issue.

Infrastructure outside resource scope

When you're using Azure Export for Terraform to target resource scopes, resources
required for the config might exist outside of the scope specified. One example is a role
assignment. The user needs to identify resources that are outside of scope.

Write-only properties
Azure Export can't generate write-only properties (such as passwords) within its config.
You need to know about the write-only properties and define them in a configuration to
create new sets of resources.

Modifying code to match coding standards

There are a few necessary operations if the user wishes to modify their code to abide by
coding standards. These steps would only be necessary if the user plans to use the code
in nonsandbox environments.

Property-defined resources
Certain resources in Azure can be defined as either a property in a parent Terraform
resource or an individual Terraform resource. One example is a subnet. Azure Export for
Terraform defines the resource as an individual resource, but it's best practice to match
your existing coding configuration.

Explicit dependencies
Azure Export for Terraform is currently able to declare only explicit dependencies. You
must know the mapping of the relationships between resources to refactor the code to
include any needed implicit dependencies.

Hardcoded values
Azure Export for Terraform currently generates hard-coded strings. As a best practice,
you should refactor these values to variables. Also, when you use the --full-properties
flag to expose all properties, some sensitive information (such as secrets) can be seen in
the generated config. Use recommended practices to protect the visibility of this code.

Next steps
Export your first resources using Azure Export for Terraform
Quickstart: Create an Azure resource
group using Terraform
Article • 02/23/2024
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

This article shows how to create an Azure resource group using Terraform.

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to:

＂ Create a random value for the Azure resource group name using random_pet .
＂ Create an Azure resource group using azurerm_resource_group .

Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note

The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test the sample Terraform code and make it the
current directory.
2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}

provider "azurerm" {
features {}
}

3. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

location = var.resource_group_location
name = random_pet.rg_name.id
}

4. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
default = "eastus"
description = "Location of the resource group."
}

variable "resource_group_name_prefix" {
type = string
default = "rg"
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
}
5. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
Apply a Terraform execution plan
Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

Azure CLI

1. Get the Azure resource group name.

Console

resource_group_name=$(terraform output -raw resource_group_name)

2. Run az group show to display the resource group.

Azure CLI

az group show --name $resource_group_name

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console
terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about using Terraform in Azure
Quickstart: Deploy your first Azure
resource with the AzAPI Terraform
provider
Article • 03/20/2023

Article tested with the following Terraform and Terraform provider versions:

Terraform v1.1.8
AzureRM Provider v.3.0.2
AzAPI Provider v.0.1.0

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to use the AzAPI Terraform provider to manage an Azure
service that is not currently supported by the AzureRM provider . The azapi_resource
will be used to manage an Azure Lab Services account as well as a lab.

＂ Define and configure the AzureRM and AzAPI providers.

＂ Use the AzureRM provider to create an Azure resource group
＂ Use the AzureRM provider to register the "Microsoft.LabServices" provider in your
subscription
＂ Use the AzAPI provider to create the Azure Lab Services resources

７ Note

The example code in this article is located in the Azure Terraform GitHub repo .

Prerequisites
Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.
Configure Terraform: If you haven't already done so, configure Terraform using
one of the following options:
Configure Terraform in Azure Cloud Shell with Bash
Configure Terraform in Azure Cloud Shell with PowerShell
Configure Terraform in Windows with Bash
Configure Terraform in Windows with PowerShell

Implement the Terraform code

1. Create a directory in which to test the sample Terraform code and make it the
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_providers {
azapi = {
source = "azure/azapi"
version = "=0.1.0"
}
azurerm = {
source = "hashicorp/azurerm"
version = "=3.0.2"
}
}
}

provider "azapi" {
default_location = "eastus"
default_tags = {
team = "Azure deployments"
}
}

provider "azurerm" {
features {}
}

3. Create a file named main.tf and insert the following code:

Terraform

resource "azurerm_resource_group" "qs101" {

name = "rg-qs101"
location = "westus2"
}
4. Create a file named main-generic.tf and insert the following code:

Terraform

# Provision a Lab Service Account and a Lab that are in public preview
resource "azapi_resource" "qs101-account" {
type = "Microsoft.LabServices/labaccounts@2018-10-15"
name = "qs101LabAccount"
parent_id = azurerm_resource_group.qs101.id

body = jsonencode({
properties = {
enabledRegionSelection = false
}
})
}

resource "azapi_resource" "qs101-lab" {

type = "Microsoft.LabServices/labaccounts/labs@2018-10-15"
name = "qs101Lab"
parent_id = azapi_resource.qs101-account.id

body = jsonencode({
properties = {
maxUsersInLab = 10
userAccessMode = "Restricted"
}
})
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
To read more about persisting execution plans and security, see the security
warning section .

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

1. In your Azure subscription browse to the rg-qs101 resource group.
2. A new Lab Services account named qs101LabAccount displays as a member of the
resource group.
Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.
To read more about persisting execution plans and security, see the security
warning section .

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about using Terraform in Azure
Quickstart: Deploy your first Azure
update resource with the AzAPI
Terraform provider
Article • 07/10/2023

Article tested with the following Terraform and Terraform provider versions:

Terraform v1.1.8
AzureRM Provider v.3.0.2
AzAPI Provider v.0.1.0

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to use the AzAPI Terraform provider to manage a new
feature of an Azure service that isn't currently supported by the AzureRM provider .
The azapi_update_resource will be used to manage an Azure EventHub network rule set.

＂ Define and configure the AzureRM and AzAPI providers

＂ Generate a random name for the Event Hubs namespace
＂ Use the AzureRM provider to create an Azure resource group and the required
networking and Event Hubs resources
＂ Use the AzAPI provider to add a network rule set to the
azurerm_eventhub_namespace resources

７ Note

The example code in this article is located in the Azure Terraform GitHub repo .

Implement the Terraform code

1. Create a directory in which to test the sample Terraform code and make it the
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_providers {
azapi = {
source = "azure/azapi"
version = "=0.1.0"
}

azurerm = {
source = "hashicorp/azurerm"
version = "=3.0.2"
}

random = {
source = "hashicorp/random"
version = "=3.1.2"
}
}
}

provider "azapi" {
}

provider "azurerm" {
features {}
}

provider "random" {
}

3. Create a file named main.tf and insert the following code:

Terraform
resource "azurerm_resource_group" "qs101" {
name = "rg-qs101-eh-rules"
location = "westus2"
}

resource "azurerm_virtual_network" "qs101" {

name = "myvnet"
location = azurerm_resource_group.qs101.location
resource_group_name = azurerm_resource_group.qs101.name
address_space = ["172.17.0.0/16"]
dns_servers = ["10.0.0.4", "10.0.0.5"]
}

resource "azurerm_subnet" "qs101" {

name = "default"
resource_group_name = azurerm_resource_group.qs101.name
virtual_network_name = azurerm_virtual_network.qs101.name
address_prefixes = ["172.17.0.0/24"]

service_endpoints = ["Microsoft.EventHub"]
}

resource "random_pet" "qs101_namespace" {

length = 3
separator = ""
}

resource "azurerm_eventhub_namespace" "qs101" {

name = random_pet.qs101_namespace.id
location = azurerm_resource_group.qs101.location
resource_group_name = azurerm_resource_group.qs101.name
sku = "Standard"
capacity = 2
}

4. Create a file named main-generic.tf and insert the following code:

Terraform

# AzAPI update resource is used to enable Network Rule sets on Event

Hub namespace
resource "azapi_update_resource" "qs101" {
type = "Microsoft.EventHub/namespaces/networkRuleSets@2021-11-
01"
name = "default"
parent_id = azurerm_eventhub_namespace.qs101.id

body = jsonencode({
properties = {
defaultAction = "Deny"
publicNetworkAccess = "Enabled"
virtualNetworkRules = [
{
ignoreMissingVnetServiceEndpoint = false
subnet = {
# API bug, returned id replaced `resourceGroups` with
`resourcegroups`
id = replace(azurerm_subnet.qs101.id, "resourceGroups",
"resourcegroups")
}
}
]
ipRules = [
{
action = "Allow"
ipMask = "1.1.1.1"
}
]
}
})
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:
The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

Azure CLI

Run az eventhubs namespace network-rule list to display the Event Hubs

Namespace network rules.

Azure CLI

az eventhubs namespace network-rule list --resource-group

<resource_group_name> --namespace-name <namespace_name>

Key points:
The resource group name and Event Hubs namespace name are displayed in
the terraform apply output.

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about using Terraform in Azure
Quickstart: Create an Azure AI services
resource using Terraform
Article • 02/23/2024
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

This article shows how to use Terraform to create an Azure AI services account using
Terraform.

Azure AI services are cloud-based artificial intelligence (AI) services that help developers
build cognitive intelligence into applications without having direct AI or data science
skills or knowledge. They are available through REST APIs and client library SDKs in
popular development languages. Azure AI services enables developers to easily add
cognitive features into their applications with cognitive solutions that can see, hear,
speak, and analyze.

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to:

＂ Create a random pet name for the Azure resource group name using random_pet
＂ Create an Azure resource group using azurerm_resource_group
＂ Create a random string using random_string
＂ Create an Azure AI services account using azurerm_cognitive_account

Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note
The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test and run the sample Terraform code and make it
the current directory.

2. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

name = random_pet.rg_name.id
location = var.resource_group_location
}

resource "random_string" "azurerm_cognitive_account_name" {

length = 13
lower = true
numeric = false
special = false
upper = false
}

resource "azurerm_cognitive_account" "cognitive_service" {

name =
"CognitiveService-${random_string.azurerm_cognitive_account_name.result
}"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku_name = var.sku
kind = "CognitiveServices"
}

3. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}
output "azurerm_cognitive_account_name" {
value = azurerm_cognitive_account.cognitive_service.name
}

4. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_version = ">=1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}
provider "azurerm" {
features {}
}

5. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
description = "Location for all resources."
default = "eastus"
}

variable "resource_group_name_prefix" {
type = string
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
default = "rg"
}

variable "sku" {
type = string
description = "The sku name of the Azure Analysis Services server to
create. Choose from: B1, B2, D1, S0, S1, S2, S3, S4, S8, S9. Some skus
are region specific. See https://docs.microsoft.com/en-
us/azure/analysis-services/analysis-services-overview#availability-by-
region"
default = "S0"
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
To read more about persisting execution plans and security, see the security
warning section .

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

Azure CLI

1. Get the Azure resource name in which the Azure AI services account was
created.

Console

resource_group_name=$(terraform output -raw resource_group_name)

2. Get the Azure AI services account name.

Console

azurerm_cognitive_account_name=$(terraform output -raw

azurerm_cognitive_account_name)

3. Run az cognitiveservices account show to show the Azure AI services account

you created in this article.

Azure CLI

az cognitiveservices account show --name

$azurerm_cognitive_account_name \
--resource-group
$resource_group_name

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.
To read more about persisting execution plans and security, see the security
warning section .

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about Azure AI resources
Quickstart: Deploy Azure AI Search
service using Terraform
Article • 02/16/2024
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

This article shows how to use Terraform to create an Azure AI Search service using
Terraform.

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to:

Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test and run the sample Terraform code and make it
the current directory.

2. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

name = random_pet.rg_name.id
location = var.resource_group_location
}

resource "random_string" "azurerm_search_service_name" {

length = 25
upper = false
numeric = false
special = false
}

resource "azurerm_search_service" "search" {

name =
random_string.azurerm_search_service_name.result
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
sku = var.sku
replica_count = var.replica_count
partition_count = var.partition_count
}

3. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "azurerm_search_service_name" {
value = azurerm_search_service.search.name
}

4. Create a file named providers.tf and insert the following code:

Terraform

5. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
description = "Location for all resources."
default = "eastus"
}

variable "resource_group_name_prefix" {
type = string
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
default = "rg"
}

variable "sku" {
description = "The pricing tier of the search service you want to
create (for example, basic or standard)."
default = "standard"
type = string
validation {
condition = contains(["free", "basic", "standard", "standard2",
"standard3", "storage_optimized_l1", "storage_optimized_l2"], var.sku)
error_message = "The sku must be one of the following values: free,
basic, standard, standard2, standard3, storage_optimized_l1,
storage_optimized_l2."
}
}

variable "replica_count" {
type = number
description = "Replicas distribute search workloads across the
service. You need at least two replicas to support high availability of
query workloads (not applicable to the free tier)."
default = 1
validation {
condition = var.replica_count >= 1 && var.replica_count <= 12
error_message = "The replica_count must be between 1 and 12."
}
}
variable "partition_count" {
type = number
description = "Partitions allow for scaling of document count as well
as faster indexing by sharding your index over multiple search units."
default = 1
validation {
condition = contains([1, 2, 3, 4, 6, 12], var.partition_count)
error_message = "The partition_count must be one of the following
values: 1, 2, 3, 4, 6, 12."
}
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
To read more about persisting execution plans and security, see the security
warning section .

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

1. Get the Azure resource name in which the Azure AI Search service was created.

Console

resource_group_name=$(terraform output -raw resource_group_name)

2. Get the Azure AI Search service name.

Console

azurerm_search_service_name=$(terraform output -raw

azurerm_search_service_name)

3. Run az search service show to show the Azure AI Search service you created in this
article.

Azure CLI

az search service show --name $azurerm_search_service_name \

--resource-group $resource_group_name

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.
To read more about persisting execution plans and security, see the security
warning section .

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Create an Azure AI Search index using the Azure portal
Quickstart: Create an Azure Analysis
Services server using Terraform
Article • 02/23/2024
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

This article shows how to use Terraform to create an Azure Analysis Services server.

In this article, you learn how to:

＂ Create a random pet name for the Azure resource group name using random_pet
＂ Create an Azure resource group using azurerm_resource_group
＂ Create a random string for the Azure Analysis Services server name using
random_string
＂ Create an Azure Analysis Services server using azurerm_analysis_services_server

Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note

The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test and run the sample Terraform code and make it
the current directory.

2. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

name = random_pet.rg_name.id
location = var.resource_group_location
}

resource "random_string" "azurerm_analysis_services_server_name" {

length = 25
upper = false
numeric = false
special = false
}

resource "azurerm_analysis_services_server" "server" {

name =
random_string.azurerm_analysis_services_server_name.result
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
sku = var.sku
backup_blob_container_uri = var.backup_blob_container_uri

ipv4_firewall_rule {
name = "AllowFromAll"
range_start = "0.0.0.0"
range_end = "255.255.255.255"
}
}

3. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "analysis_services_server_name" {
value = azurerm_analysis_services_server.server.name
}

4. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_version = ">=0.12"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}
provider "azurerm" {
features {}
}

5. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
default = "eastus"
description = "Location for all resources."
}

variable "resource_group_name_prefix" {
type = string
default = "rg"
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
}

variable "backup_blob_container_uri" {
type = string
description = "The SAS URI to a private Azure Blob Storage container
with read, write and list permissions. Required only if you intend to
use the backup/restore functionality. See
https://docs.microsoft.com/en-us/azure/analysis-services/analysis-
services-backup"
default = null
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:
The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

1. Open a PowerShell command prompt.

2. Get the Azure resource group name.

Console

$resource_group_name=$(terraform output -raw resource_group_name)

3. Get the server name.

Console

$analysis_services_server_name=$(terraform output -raw

analysis_services_server_name)

4. Run Get-AzAnalysisServicesServer to display information about the new server.

Azure PowerShell

Get-AzAnalysisServicesServer -ResourceGroupName $resource_group_name `

-Name $analysis_services_server_name

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:
The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Quickstart: Configure server firewall - Portal
Quickstart: Create an Azure Stream
Analytics job using Terraform
Article • 02/23/2024
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

This article shows how to create an Azure Stream Analytics job using Terraform. Once
the job is created, you validate the deployment.

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to:

＂ Create a random value for the Azure resource group name using random_pet .
＂ Create an Azure resource group using azurerm_resource_group .
＂ Create a random value for the Azure Stream Analytics job name using
random_pet .
＂ Create an Azure Stream Analytics job using azurerm_stream_analytics_job .

Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note

The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources
1. Create a directory in which to test and run the sample Terraform code and make it
the current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

3. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = "rg"
}

resource "azurerm_resource_group" "rg" {

name = random_pet.rg_name.id
location = var.resource_group_location
}

resource "random_pet" "stream_analytics_job_name" {

prefix = "job"
}

resource "azurerm_stream_analytics_job" "job" {

name =
random_pet.stream_analytics_job_name.id
resource_group_name =
azurerm_resource_group.rg.name
location =
azurerm_resource_group.rg.location
streaming_units =
var.number_of_streaming_units
events_out_of_order_max_delay_in_seconds = 0
events_late_arrival_max_delay_in_seconds = 5
data_locale = "en-US"
events_out_of_order_policy = "Adjust"
output_error_policy = "Stop"

transformation_query = <<QUERY
SELECT
*
INTO
[YourOutputAlias]
FROM
[YourInputAlias]
QUERY

4. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
description = "Location for the resources."
default = "eastus"
}

variable "number_of_streaming_units" {
type = number
description = "Number of streaming units."
default = 1
validation {
condition = contains([1, 3, 6, 12, 18, 24, 30, 36, 42, 48],
var.number_of_streaming_units)
error_message = "Invalid value for: number_of_streaming_units. The
value should be one of the following: 1, 3, 6, 12, 18, 24, 30, 36, 42,
48."
}
}

5. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "stream_analytics_job_name" {
value = azurerm_stream_analytics_job.job.name
}
Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

Azure CLI

1. Get the Azure resource group name.

Console

resource_group_name=$(terraform output -raw resource_group_name)

2. Get the new Azure Stream Analytics job name.

Console

stream_analytics_job_name=$(terraform output -raw

stream_analytics_job_name)

3. Run az stream-analytics job show to display information about the job.

Azure CLI

az stream-analytics job show \

--resource-group $resource_group_name \
--job-name $stream_analytics_job_name

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console
terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Create a dedicated Azure Stream Analytics cluster using Azure portal
Quickstart: Deploy an Azure Kubernetes
Service (AKS) cluster using Terraform
Article • 06/21/2024

Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly
deploy and manage clusters. In this quickstart, you:

Deploy an AKS cluster using Terraform.

Run a sample multi-container application with a group of microservices and web
front ends simulating a retail scenario.

７ Note

To get started with quickly provisioning an AKS cluster, this article includes steps to
deploy a cluster with default settings for evaluation purposes only. Before
deploying a production-ready cluster, we recommend that you familiarize yourself
with our baseline reference architecture to consider how it aligns with your
business requirements.

Before you begin

This quickstart assumes a basic understanding of Kubernetes concepts. For more
information, see Kubernetes core concepts for Azure Kubernetes Service (AKS).
You need an Azure account with an active subscription. If you don't have one,
create an account for free .
Follow the instructions based on your command line interface.

To learn more about creating a Windows Server node pool, see Create an AKS
cluster that supports Windows Server containers.

７ Note

The Azure Linux node pool is now in general availablility (GA). To learn about the
benefits and deployment steps, see the Introduction to the Azure Linux Container
Host for AKS.

Install and configure Terraform.

Download kubectl .
Create a random value for the Azure resource group name using random_pet .
Create an Azure resource group using azurerm_resource_group .
Access the configuration of the AzureRM provider to get the Azure Object ID using
azurerm_client_config .
Create a Kubernetes cluster using azurerm_kubernetes_cluster .
Create an AzAPI resource azapi_resource .
Create an AzAPI resource to generate an SSH key pair using
azapi_resource_action .

Login to your Azure account

First, log into your Azure account and authenticate using one of the methods described
in the following section.

Implement the Terraform code

７ Note

The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory you can use to test the sample Terraform code and make it your
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_version = ">=1.0"

required_providers {
azapi = {
source = "azure/azapi"
version = "~>1.5"
}
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
time = {
source = "hashicorp/time"
version = "0.9.1"
}
}
}

provider "azurerm" {
features {}
}

3. Create a file named ssh.tf and insert the following code:

Terraform

resource "random_pet" "ssh_key_name" {

prefix = "ssh"
separator = ""
}

resource "azapi_resource_action" "ssh_public_key_gen" {

type = "Microsoft.Compute/sshPublicKeys@2022-11-01"
resource_id = azapi_resource.ssh_public_key.id
action = "generateKeyPair"
method = "POST"

response_export_values = ["publicKey", "privateKey"]

}

resource "azapi_resource" "ssh_public_key" {

type = "Microsoft.Compute/sshPublicKeys@2022-11-01"
name = random_pet.ssh_key_name.id
location = azurerm_resource_group.rg.location
parent_id = azurerm_resource_group.rg.id
}

output "key_data" {
value =
jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}
4. Create a file named main.tf and insert the following code:

Terraform

# Generate random resource group name

resource "random_pet" "rg_name" {
prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

location = var.resource_group_location
name = random_pet.rg_name.id
}

resource "random_pet" "azurerm_kubernetes_cluster_name" {

prefix = "cluster"
}

resource "random_pet" "azurerm_kubernetes_cluster_dns_prefix" {

prefix = "dns"
}

resource "azurerm_kubernetes_cluster" "k8s" {

location = azurerm_resource_group.rg.location
name = random_pet.azurerm_kubernetes_cluster_name.id
resource_group_name = azurerm_resource_group.rg.name
dns_prefix =
random_pet.azurerm_kubernetes_cluster_dns_prefix.id

identity {
type = "SystemAssigned"
}

default_node_pool {
name = "agentpool"
vm_size = "Standard_D2_v2"
node_count = var.node_count
}
linux_profile {
admin_username = var.username

ssh_key {
key_data =
jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}
}
network_profile {
network_plugin = "kubenet"
load_balancer_sku = "standard"
}
}

5. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
default = "eastus"
description = "Location of the resource group."
}

variable "resource_group_name_prefix" {
type = string
default = "rg"
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
}

variable "node_count" {
type = number
description = "The initial quantity of nodes for the node pool."
default = 3
}

variable "msi_id" {
type = string
description = "The Managed Service Identity ID. Set this value if
you're running this example using Managed Identity as the
authentication method."
default = null
}

variable "username" {
type = string
description = "The admin username for the new cluster."
default = "azureadmin"
}

6. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "kubernetes_cluster_name" {
value = azurerm_kubernetes_cluster.k8s.name
}

output "client_certificate" {
value =
azurerm_kubernetes_cluster.k8s.kube_config[0].client_certificate
sensitive = true
}
output "client_key" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].client_key
sensitive = true
}

output "cluster_ca_certificate" {
value =
azurerm_kubernetes_cluster.k8s.kube_config[0].cluster_ca_certificate
sensitive = true
}

output "cluster_password" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].password
sensitive = true
}

output "cluster_username" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].username
sensitive = true
}

output "host" {
value = azurerm_kubernetes_cluster.k8s.kube_config[0].host
sensitive = true
}

output "kube_config" {
value = azurerm_kubernetes_cluster.k8s.kube_config_raw
sensitive = true
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.
Console

terraform plan -out main.tfplan

Key points:

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

1. Get the Azure resource group name using the following command.

Console

resource_group_name=$(terraform output -raw resource_group_name)

2. Display the name of your new Kubernetes cluster using the az aks list command.
Azure CLI

az aks list \
--resource-group $resource_group_name \
--query "[].{\"K8s cluster name\":name}" \
--output table

3. Get the Kubernetes configuration from the Terraform state and store it in a file that
kubectl can read using the following command.

Console

echo "$(terraform output kube_config)" > ./azurek8s

4. Verify the previous command didn't add an ASCII EOT character using the
following command.

Console

cat ./azurek8s

Key points:

If you see << EOT at the beginning and EOT at the end, remove these
characters from the file. Otherwise, you may receive the following error
message: error: error loading config file "./azurek8s": yaml: line 2:
mapping values are not allowed in this context

5. Set an environment variable so kubectl can pick up the correct config using the
following command.

Console

export KUBECONFIG=./azurek8s

6. Verify the health of the cluster using the kubectl get nodes command.

Console

kubectl get nodes

Key points:
When you created the AKS cluster, monitoring was enabled to capture health
metrics for both the cluster nodes and pods. These health metrics are available in
the Azure portal. For more information on container health monitoring, see
Monitor Azure Kubernetes Service health.
Several key values classified as output when you applied the Terraform execution
plan. For example, the host address, AKS cluster user name, and AKS cluster
password are output.

Deploy the application

To deploy the application, you use a manifest file to create all the objects required to
run the AKS Store application . A Kubernetes manifest file defines a cluster's desired
state, such as which container images to run. The manifest includes the following
Kubernetes deployments and services:

Store front: Web application for customers to view products and place orders.
Product service: Shows product information.
Order service: Places orders.
Rabbit MQ: Message queue for an order queue.

７ Note

We don't recommend running stateful containers, such as Rabbit MQ, without

persistent storage for production. These are used here for simplicity, but we
recommend using managed services, such as Azure CosmosDB or Azure Service
Bus.

1. Create a file named aks-store-quickstart.yaml and copy in the following manifest:

YAML
apiVersion: apps/v1
kind: Deployment
metadata:
name: rabbitmq
spec:
replicas: 1
selector:
matchLabels:
app: rabbitmq
template:
metadata:
labels:
app: rabbitmq
spec:
nodeSelector:
"kubernetes.io/os": linux
containers:
- name: rabbitmq
image: mcr.microsoft.com/mirror/docker/library/rabbitmq:3.10-
management-alpine
ports:
- containerPort: 5672
name: rabbitmq-amqp
- containerPort: 15672
name: rabbitmq-http
env:
- name: RABBITMQ_DEFAULT_USER
value: "username"
- name: RABBITMQ_DEFAULT_PASS
value: "password"
resources:
requests:
cpu: 10m
memory: 128Mi
limits:
cpu: 250m
memory: 256Mi
volumeMounts:
- name: rabbitmq-enabled-plugins
mountPath: /etc/rabbitmq/enabled_plugins
subPath: enabled_plugins
volumes:
- name: rabbitmq-enabled-plugins
configMap:
name: rabbitmq-enabled-plugins
items:
- key: rabbitmq_enabled_plugins
path: enabled_plugins
---
apiVersion: v1
data:
rabbitmq_enabled_plugins: |
[rabbitmq_management,rabbitmq_prometheus,rabbitmq_amqp1_0].
kind: ConfigMap
metadata:
name: rabbitmq-enabled-plugins
---
apiVersion: v1
kind: Service
metadata:
name: rabbitmq
spec:
selector:
app: rabbitmq
ports:
- name: rabbitmq-amqp
port: 5672
targetPort: 5672
- name: rabbitmq-http
port: 15672
targetPort: 15672
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: order-service
spec:
replicas: 1
selector:
matchLabels:
app: order-service
template:
metadata:
labels:
app: order-service
spec:
nodeSelector:
"kubernetes.io/os": linux
containers:
- name: order-service
image: ghcr.io/azure-samples/aks-store-demo/order-
service:latest
ports:
- containerPort: 3000
env:
- name: ORDER_QUEUE_HOSTNAME
value: "rabbitmq"
- name: ORDER_QUEUE_PORT
value: "5672"
- name: ORDER_QUEUE_USERNAME
value: "username"
- name: ORDER_QUEUE_PASSWORD
value: "password"
- name: ORDER_QUEUE_NAME
value: "orders"
- name: FASTIFY_ADDRESS
value: "0.0.0.0"
resources:
requests:
cpu: 1m
memory: 50Mi
limits:
cpu: 75m
memory: 128Mi
initContainers:
- name: wait-for-rabbitmq
image: busybox
command: ['sh', '-c', 'until nc -zv rabbitmq 5672; do echo
waiting for rabbitmq; sleep 2; done;']
resources:
requests:
cpu: 1m
memory: 50Mi
limits:
cpu: 75m
memory: 128Mi
---
apiVersion: v1
kind: Service
metadata:
name: order-service
spec:
type: ClusterIP
ports:
- name: http
port: 3000
targetPort: 3000
selector:
app: order-service
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: product-service
spec:
replicas: 1
selector:
matchLabels:
app: product-service
template:
metadata:
labels:
app: product-service
spec:
nodeSelector:
"kubernetes.io/os": linux
containers:
- name: product-service
image: ghcr.io/azure-samples/aks-store-demo/product-
service:latest
ports:
- containerPort: 3002
resources:
requests:
cpu: 1m
memory: 1Mi
limits:
cpu: 1m
memory: 7Mi
---
apiVersion: v1
kind: Service
metadata:
name: product-service
spec:
type: ClusterIP
ports:
- name: http
port: 3002
targetPort: 3002
selector:
app: product-service
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: store-front
spec:
replicas: 1
selector:
matchLabels:
app: store-front
template:
metadata:
labels:
app: store-front
spec:
nodeSelector:
"kubernetes.io/os": linux
containers:
- name: store-front
image: ghcr.io/azure-samples/aks-store-demo/store-front:latest
ports:
- containerPort: 8080
name: store-front
env:
- name: VUE_APP_ORDER_SERVICE_URL
value: "http://order-service:3000/"
- name: VUE_APP_PRODUCT_SERVICE_URL
value: "http://product-service:3002/"
resources:
requests:
cpu: 1m
memory: 200Mi
limits:
cpu: 1000m
memory: 512Mi
---
apiVersion: v1
kind: Service
metadata:
name: store-front
spec:
ports:
- port: 80
targetPort: 8080
selector:
app: store-front
type: LoadBalancer

For a breakdown of YAML manifest files, see Deployments and YAML manifests.

If you create and save the YAML file locally, then you can upload the manifest file
to your default directory in CloudShell by selecting the Upload/Download files
button and selecting the file from your local file system.

2. Deploy the application using the kubectl apply command and specify the name of
your YAML manifest.

Console

kubectl apply -f aks-store-quickstart.yaml

The following example output shows the deployments and services:

Output

deployment.apps/rabbitmq created
service/rabbitmq created
deployment.apps/order-service created
service/order-service created
deployment.apps/product-service created
service/product-service created
deployment.apps/store-front created
service/store-front created

Test the application

When the application runs, a Kubernetes service exposes the application front end to
the internet. This process can take a few minutes to complete.

1. Check the status of the deployed pods using the kubectl get pods command.
Make all pods are Running before proceeding.
Console

kubectl get pods

2. Check for a public IP address for the store-front application. Monitor progress
using the kubectl get service command with the --watch argument.

Azure CLI

kubectl get service store-front --watch

The EXTERNAL-IP output for the store-front service initially shows as pending:

Output

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)

AGE
store-front LoadBalancer 10.0.100.10 <pending> 80:30025/TCP
4h4m

3. Once the EXTERNAL-IP address changes from pending to an actual public IP

address, use CTRL-C to stop the kubectl watch process.

The following example output shows a valid public IP address assigned to the
service:

Output

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)

AGE
store-front LoadBalancer 10.0.100.10 20.62.159.19 80:30025/TCP
4h5m

4. Open a web browser to the external IP address of your service to see the Azure
Store app in action.


Clean up resources

Delete AKS resources

When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Delete service principal
1. Get the service principal ID using the following command.

Azure CLI

sp=$(terraform output -raw sp)

2. Delete the service principal using the az ad sp delete command.

Azure CLI

az ad sp delete --id $sp

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure.

Next steps
In this quickstart, you deployed a Kubernetes cluster and then deployed a simple multi-
container application to it. This sample application is for demo purposes only and
doesn't represent all the best practices for Kubernetes applications. For guidance on
creating full solutions with AKS for production, see AKS solution guidance.

To learn more about AKS and walk through a complete code-to-deployment example,
continue to the Kubernetes cluster tutorial.

Learn more about using AKS.

） Note: The author created this article with assistance from AI. Learn more

６ Collaborate with us on Azure Kubernetes Service

GitHub feedback
The source for this content can Azure Kubernetes Service is an open
be found on GitHub, where you source project. Select a link to
can also create and review provide feedback:
issues and pull requests. For
more information, see our  Open a documentation issue
contributor guide.
 Provide product feedback
Quickstart: Provision Azure Spring Apps
using Terraform
Article • 04/23/2024

７ Note

Azure Spring Apps is the new name for the Azure Spring Cloud service. Although
the service has a new name, you'll see the old name in some places for a while as
we work to update assets such as screenshots, videos, and diagrams.

This article applies to: ❌ Basic ✔️Standard ✔️Enterprise

This quickstart describes how to use Terraform to deploy an Azure Spring Apps cluster
into an existing virtual network.

Azure Spring Apps makes it easy to deploy Spring applications to Azure without any
code changes. The service manages the infrastructure of Spring applications so
developers can focus on their code. Azure Spring Apps provides lifecycle management
using comprehensive monitoring and diagnostics, configuration management, service
discovery, CI/CD integration, blue-green deployments, and more.

The Enterprise deployment plan includes the following Tanzu components:

Build Service
Application Configuration Service
Service Registry
Spring Cloud Gateway
API Portal

The API Portal component will be included when it becomes available through the
AzureRM Terraform provider.

For more customization including custom domain support, see the Azure Spring Apps
Terraform provider documentation.

Prerequisites
An Azure subscription. If you don't have a subscription, create a free account
before you begin.
Hashicorp Terraform
Two dedicated subnets for the Azure Spring Apps cluster, one for the service
runtime and another for the Spring applications. For subnet and virtual network
requirements, see the Virtual network requirements section of Deploy Azure Spring
Apps in a virtual network.
An existing Log Analytics workspace for Azure Spring Apps diagnostics settings
and a workspace-based Application Insights resource. For more information, see
Analyze logs and metrics with diagnostics settings and Application Insights Java In-
Process Agent in Azure Spring Apps.
Three internal Classless Inter-Domain Routing (CIDR) ranges (at least /16 each) that
you've identified for use by the Azure Spring Apps cluster. These CIDR ranges
won't be directly routable and will be used only internally by the Azure Spring
Apps cluster. Clusters may not use 169.254.0.0/16, 172.30.0.0/16, 172.31.0.0/16, or
192.0.2.0/24 for the internal Azure Spring Apps CIDR. Clusters also may not use
any IP ranges included within the cluster virtual network address range.
Service permission granted to the virtual network. The Azure Spring Apps Resource
Provider requires Owner permission to your virtual network in order to grant a
dedicated and dynamic service principal on the virtual network for further
deployment and maintenance. For instructions and more information, see the
Grant service permission to the virtual network section of Deploy Azure Spring
Apps in a virtual network.
If you're using Azure Firewall or a Network Virtual Appliance (NVA), you'll also
need to satisfy the following prerequisites:
Network and fully qualified domain name (FQDN) rules. For more information,
see Virtual network requirements.
A unique User Defined Route (UDR) applied to each of the service runtime and
Spring application subnets. For more information about UDRs, see Virtual
network traffic routing. The UDR should be configured with a route for 0.0.0.0/0
with a destination of your NVA before deploying the Azure Spring Apps cluster.
For more information, see the Bring your own route table section of Deploy
Azure Spring Apps in a virtual network.
If you're deploying an Azure Spring Apps Enterprise plan instance for the first time
in the target subscription, see the Requirements section of Enterprise plan in Azure
Marketplace.

Review the Terraform plan

The configuration file used in this quickstart is from the Azure Spring Apps reference
architecture.

Enterprise plan
HashiCorp Configuration Language

# Azure provider version

terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "= 3.21.1"
}
}
}

provider "azurerm" {
features {}
}

### Create Resource group

resource "azurerm_resource_group" "sc_corp_rg" {
name = var.resource_group_name
location = var.location
}

### Create Application Insights

resource "azurerm_application_insights" "sc_app_insights" {
name = var.app_insights_name
location = var.location
resource_group_name = var.resource_group_name
application_type = "web"
workspace_id =
"/subscriptions/${var.subscription}/resourceGroups/${var.azurespringclou
dvnetrg}/providers/Microsoft.OperationalInsights/workspaces/${var.sc_law
_id}"

depends_on = [azurerm_resource_group.sc_corp_rg]
}

### Create Spring Cloud Service

resource "azurerm_spring_cloud_service" "sc" {
name = var.sc_service_name
resource_group_name = var.resource_group_name
location = var.location
sku_name = "E0"

# Tanzu service registry - Set to true if Enterprise Tier

service_registry_enabled = true
build_agent_pool_size = "S1"

network {
app_subnet_id =
"/subscriptions/${var.subscription}/resourceGroups/${var.azurespringclou
dvnetrg}/providers/Microsoft.Network/virtualNetworks/${var.vnet_spoke_na
me}/subnets/${var.app_subnet_id}"
service_runtime_subnet_id =
"/subscriptions/${var.subscription}/resourceGroups/${var.azurespringclou
dvnetrg}/providers/Microsoft.Network/virtualNetworks/${var.vnet_spoke_na
me}/subnets/${var.service_runtime_subnet_id}"
cidr_ranges = var.sc_cidr
}

timeouts {
create = "60m"
delete = "2h"
}

depends_on = [azurerm_resource_group.sc_corp_rg]
tags = var.tags

### Update Diags setting for Spring Cloud Service

resource "azurerm_monitor_diagnostic_setting" "sc_diag" {

name = "monitoring"
target_resource_id = azurerm_spring_cloud_service.sc.id
log_analytics_workspace_id =
"/subscriptions/${var.subscription}/resourceGroups/${var.azurespringclou
dvnetrg}/providers/Microsoft.OperationalInsights/workspaces/${var.sc_law
_id}"

log {
category = "ApplicationConsole"
enabled = true

retention_policy {
enabled = false
}
}

metric {
category = "AllMetrics"

retention_policy {
enabled = false
}
}
}

# Begin Tanzu Components

resource "azurerm_spring_cloud_build_pack_binding" "appinsights-binding"

{
name = "appins-binding"
spring_cloud_builder_id =
"${azurerm_spring_cloud_service.sc.id}/buildServices/default/builders/de
fault"
binding_type = "ApplicationInsights"
launch {
properties = {
sampling_percentage = "10"
}

secrets = {
connection-string =
azurerm_application_insights.sc_app_insights.connection_string
}
}
}

# Configuration service
resource "azurerm_spring_cloud_configuration_service" "configservice" {
name = "default"
spring_cloud_service_id = azurerm_spring_cloud_service.sc.id
}

# Gateway
resource "azurerm_spring_cloud_gateway" "scgateway" {
name = "default"
spring_cloud_service_id = azurerm_spring_cloud_service.sc.id
instance_count = 2
}

resource "azurerm_spring_cloud_api_portal" "apiportal" {

name = "default"
spring_cloud_service_id = azurerm_spring_cloud_service.sc.id
gateway_ids =
[azurerm_spring_cloud_gateway.scgateway.id]
https_only_enabled = false
public_network_access_enabled = true
instance_count = 1
}

Apply the Terraform plan

To apply the Terraform plan, follow these steps:

1. Save the variables.tf file for the Standard plan or the Enterprise plan locally,
then open it in an editor.

2. Edit the file to add the following values:

The subscription ID of the Azure account you'll be deploying to.

A deployment location from the regions where Azure Spring Apps is
available, as shown in Products available by region . You'll need the short
form of the location name. To get this value, use the following command to
generate a list of Azure locations, then look up the Name value for the region
you selected.

Azure CLI

az account list-locations --output table

3. Edit the file to add the following new deployment information:

The name of the resource group you'll deploy to.

A name of your choice for the Azure Spring Apps Deployment.
A name of your choice for the Application Insights resource.
Three CIDR ranges (at least /16) which are used to host the Azure Spring
Apps backend infrastructure. The CIDR ranges must not overlap with any
existing CIDR ranges in the target Subnet
The key/value pairs to be applied as tags on all resources that support tags.
For more information, see Use tags to organize your Azure resources and
management hierarchy

4. Edit the file to add the following existing infrastructure information:

The name of the resource group where the existing virtual network resides.
The name of the existing scope virtual network.
The name of the existing subnet to be used by the Azure Spring Apps
Application Service.
The name of the existing subnet to be used by the Azure Spring Apps
Runtime Service.
The name of the Azure Log Analytics workspace.

5. Run the following command to initialize the Terraform modules:

Bash

terraform init

6. Run the following command to create the Terraform deployment plan:

Bash

terraform plan -out=springcloud.plan

7. Run the following command to apply the Terraform deployment plan:

Bash

terraform apply springcloud.plan

Review deployed resources

You can either use the Azure portal to check the deployed resources, or use Azure CLI or
Azure PowerShell script to list the deployed resources.

Clean up resources
If you plan to continue working with subsequent quickstarts and tutorials, you might
want to leave these resources in place. When no longer needed, delete the resources
created in this article by using the following command.

Bash

terraform destroy -auto-approve

Next steps
In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual
network using Terraform, and then validated the deployment. To learn more about Azure
Spring Apps, continue on to the resources below.

Deploy one of the following sample applications from the locations below:
Pet Clinic App with MySQL Integration
Simple Hello World
Use custom domains with Azure Spring Apps.
Expose applications in Azure Spring Apps to the internet using Azure Application
Gateway. For more information, see Expose applications with end-to-end TLS in a
virtual network.
View the secure end-to-end Azure Spring Apps reference architecture, which is
based on the Microsoft Azure Well-Architected Framework.
Quickstart: Create an Azure Batch
account using Terraform
Article • 04/14/2023
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

Get started with Azure Batch by using Terraform to create a Batch account, including
storage. You need a Batch account to create compute resources (pools of compute
nodes) and Batch jobs. You can link an Azure Storage account with your Batch account.
This pairing is useful to deploy applications and store input and output data for most
real-world workloads.

After completing this quickstart, you'll understand the key concepts of the Batch service
and be ready to try Batch with more realistic workloads at larger scale.

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to:

＂ Create a random value for the Azure resource group name using random_pet
＂ Create an Azure resource group using azurerm_resource_group
＂ Create a random value using random_string
＂ Create an Azure Storage account using azurerm_storage_account
＂ Create an Azure Batch account using azurerm_batch_account

Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note
The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test and run the sample Terraform code and make it
the current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

3. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

name = random_pet.rg_name.id
location = var.resource_group_location
}

resource "random_string" "azurerm_storage_account_name" {

length = 13
lower = true
numeric = false
special = false
upper = false
}

resource "random_string" "azurerm_batch_account_name" {

length = 13
lower = true
numeric = false
special = false
upper = false
}

resource "azurerm_storage_account" "storage" {

name =
"storage${random_string.azurerm_storage_account_name.result}"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
account_tier = element(split("_",
var.storage_account_type), 0)
account_replication_type = element(split("_",
var.storage_account_type), 1)
}

resource "azurerm_batch_account" "batch" {

name =
"batch${random_string.azurerm_batch_account_name.result}"
resource_group_name = azurerm_resource_group.rg.name
location =
azurerm_resource_group.rg.location
storage_account_id =
azurerm_storage_account.storage.id
storage_account_authentication_mode = "StorageKeys"
}

4. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
default = "eastus"
description = "Location for all resources."
}

variable "resource_group_name_prefix" {
type = string
default = "rg"
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
}

variable "storage_account_type" {
type = string
default = "Standard_LRS"
description = "Azure Storage account type."
validation {
condition = contains(["Premium_LRS", "Premium_ZRS",
"Standard_GRS", "Standard_GZRS", "Standard_LRS", "Standard_RAGRS",
"Standard_RAGZRS", "Standard_ZRS"], var.storage_account_type)
error_message = "Invalid storage account type. The value should be
one of the following:
'Premium_LRS','Premium_ZRS','Standard_GRS','Standard_GZRS','Standard_LR
S','Standard_RAGRS','Standard_RAGZRS','Standard_ZRS'."
}
}

5. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "batch_name" {
value = azurerm_batch_account.batch.name
}

output "storage_name" {
value = azurerm_storage_account.storage.name
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.
Console

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
To read more about persisting execution plans and security, see the security
warning section .

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

Azure CLI

1. Get the Azure resource group name.

Console
resource_group_name=$(terraform output -raw resource_group_name)

2. Get the Batch account name.

Console

batch_name=$(terraform output -raw batch_name)

3. Run az batch account show to display information about the new Batch
account.

Azure CLI

az batch account show \

--resource-group $resource_group_name \
--name $batch_name

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.
To read more about persisting execution plans and security, see the security
warning section .
2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Run your first Batch job with the Azure CLI
Quickstart: Use Terraform to create a
Linux VM
Article • 02/23/2024
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

Applies to: ✔️Linux VMs

Article tested with the following Terraform and Terraform provider versions:

This article shows you how to create a complete Linux environment and supporting
resources with Terraform. Those resources include a virtual network, subnet, public IP
address, and more.

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to:

＂ Create a random value for the Azure resource group name using random_pet .
＂ Create an Azure resource group using azurerm_resource_group .
＂ Create a virtual network (VNET) using azurerm_virtual_network .
＂ Create a subnet using azurerm_subnet .
＂ Create a public IP using azurerm_public_ip .
＂ Create a network security group using azurerm_network_security_group .
＂ Create a network interface using azurerm_network_interface .
＂ Create an association between the network security group and the network
interface using azurerm_network_interface_security_group_association .
＂ Generate a random value for a unique storage account name using random_id .
＂ Create a storage account for boot diagnostics using azurerm_storage_account .
＂ Create a Linux VM using azurerm_linux_virtual_machine
＂ Create an AzAPI resource azapi_resource .
＂ Create an AzAPI resource to generate an SSH key pair using
azapi_resource_action .
Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note

The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test the sample Terraform code and make it the
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_version = ">=0.12"

required_providers {
azapi = {
source = "azure/azapi"
version = "~>1.5"
}
azurerm = {
source = "hashicorp/azurerm"
version = "~>2.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}

provider "azurerm" {
features {}
}

3. Create a file named ssh.tf and insert the following code:

Terraform

resource "random_pet" "ssh_key_name" {

prefix = "ssh"
separator = ""
}

resource "azapi_resource_action" "ssh_public_key_gen" {

type = "Microsoft.Compute/sshPublicKeys@2022-11-01"
resource_id = azapi_resource.ssh_public_key.id
action = "generateKeyPair"
method = "POST"

response_export_values = ["publicKey", "privateKey"]

}

resource "azapi_resource" "ssh_public_key" {

type = "Microsoft.Compute/sshPublicKeys@2022-11-01"
name = random_pet.ssh_key_name.id
location = azurerm_resource_group.rg.location
parent_id = azurerm_resource_group.rg.id
}

output "key_data" {
value =
jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}

4. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

location = var.resource_group_location
name = random_pet.rg_name.id
}

# Create virtual network

resource "azurerm_virtual_network" "my_terraform_network" {
name = "myVnet"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}

# Create subnet
resource "azurerm_subnet" "my_terraform_subnet" {
name = "mySubnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name =
azurerm_virtual_network.my_terraform_network.name
address_prefixes = ["10.0.1.0/24"]
}

# Create public IPs

resource "azurerm_public_ip" "my_terraform_public_ip" {
name = "myPublicIP"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
allocation_method = "Dynamic"
}

# Create Network Security Group and rule

resource "azurerm_network_security_group" "my_terraform_nsg" {
name = "myNetworkSecurityGroup"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

security_rule {
name = "SSH"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}

# Create network interface

resource "azurerm_network_interface" "my_terraform_nic" {
name = "myNIC"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

ip_configuration {
name = "my_nic_configuration"
subnet_id =
azurerm_subnet.my_terraform_subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id =
azurerm_public_ip.my_terraform_public_ip.id
}
}

# Connect the security group to the network interface

resource "azurerm_network_interface_security_group_association"
"example" {
network_interface_id =
azurerm_network_interface.my_terraform_nic.id
network_security_group_id =
azurerm_network_security_group.my_terraform_nsg.id
}

# Generate random text for a unique storage account name

resource "random_id" "random_id" {
keepers = {
# Generate a new ID only when a new resource group is defined
resource_group = azurerm_resource_group.rg.name
}

byte_length = 8
}

# Create storage account for boot diagnostics

resource "azurerm_storage_account" "my_storage_account" {
name = "diag${random_id.random_id.hex}"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
account_tier = "Standard"
account_replication_type = "LRS"
}

# Create virtual machine

resource "azurerm_linux_virtual_machine" "my_terraform_vm" {
name = "myVM"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
network_interface_ids =
[azurerm_network_interface.my_terraform_nic.id]
size = "Standard_DS1_v2"

os_disk {
name = "myOsDisk"
caching = "ReadWrite"
storage_account_type = "Premium_LRS"
}

source_image_reference {
publisher = "Canonical"
offer = "0001-com-ubuntu-server-jammy"
sku = "22_04-lts-gen2"
version = "latest"
}

computer_name = "hostname"
admin_username = var.username

admin_ssh_key {
username = var.username
public_key =
jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}

boot_diagnostics {
storage_account_uri =
azurerm_storage_account.my_storage_account.primary_blob_endpoint
}
}

5. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
default = "eastus"
description = "Location of the resource group."
}

variable "resource_group_name_prefix" {
type = string
default = "rg"
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
}

variable "username" {
type = string
description = "The username for the local account that will be
created on the new VM."
default = "azureadmin"
}

6. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "public_ip_address" {
value =
azurerm_linux_virtual_machine.my_terraform_vm.public_ip_address
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console
terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Cost information isn't presented during the virtual machine creation process for
Terraform like it is for the Azure portal. If you want to learn more about how cost works
for virtual machines, see the Cost optimization Overview page.

Verify the results

Azure CLI

1. Get the Azure resource group name.

Console

resource_group_name=$(terraform output -raw resource_group_name)

2. Run az vm list with a JMESPath query to display the names of the virtual
machines created in the resource group.

Azure CLI

az vm list \
--resource-group $resource_group_name \
--query "[].{\"VM Name\":name}" -o table

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
In this quickstart, you deployed a simple virtual machine using Terraform. To learn more
about Azure virtual machines, continue to the tutorial for Linux VMs.

Azure Linux virtual machine tutorials

Quickstart: Create a Linux VM cluster in
Azure using Terraform
Article • 02/23/2024
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

Applies to: ✔️Linux VMs

This article shows you how to create a Linux VM cluster (containing two Linux VM
instances) in Azure using Terraform.

In this article, you learn how to:

＂ Create a random value for the Azure resource group name using random_pet .
＂ Create an Azure resource group using azurerm_resource_group .
＂ Create a virtual network using azurerm_virtual_network
＂ Create a subnet using azurerm_subnet
＂ Create a public IP using azurerm_public_ip
＂ Create a load balancer using azurerm_lb
＂ Create a load balancer address pool using azurerm_lb_backend_address_pool
＂ Create a network interface using azurerm_network_interface
＂ Create a managed disk using azurerm_managed_disk
＂ Create a availability set using azurerm_availability_set
＂ Create a Linux virtual machine using azurerm_linux_virtual_machine
＂ Create an AzAPI resource azapi_resource .
＂ Create an AzAPI resource to generate an SSH key pair using
azapi_resource_action .

Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note

The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .
See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test the sample Terraform code and make it the
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_version = ">=1.0"
required_providers {
azapi = {
source = "azure/azapi"
version = "~>1.5"
}
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}
provider "azurerm" {
features {}
}

3. Create a file named ssh.tf and insert the following code:

Terraform

resource "random_pet" "ssh_key_name" {

prefix = "ssh"
separator = ""
}

resource "azapi_resource_action" "ssh_public_key_gen" {

type = "Microsoft.Compute/sshPublicKeys@2022-11-01"
resource_id = azapi_resource.ssh_public_key.id
action = "generateKeyPair"
method = "POST"

response_export_values = ["publicKey", "privateKey"]

}

resource "azapi_resource" "ssh_public_key" {

type = "Microsoft.Compute/sshPublicKeys@2022-11-01"
name = random_pet.ssh_key_name.id
location = azurerm_resource_group.rg.location
parent_id = azurerm_resource_group.rg.id
}

output "key_data" {
value =
jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}

4. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

name = random_pet.rg_name.id
location = var.resource_group_location
}

resource "random_pet" "azurerm_virtual_network_name" {

prefix = "vnet"
}

resource "azurerm_virtual_network" "test" {

name = random_pet.azurerm_virtual_network_name.id
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}

resource "random_pet" "azurerm_subnet_name" {

prefix = "sub"
}

resource "azurerm_subnet" "test" {

name = random_pet.azurerm_subnet_name.id
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefixes = ["10.0.2.0/24"]
}

resource "azurerm_public_ip" "test" {

name = "publicIPForLB"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
allocation_method = "Static"
}
resource "azurerm_lb" "test" {
name = "loadBalancer"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

frontend_ip_configuration {
name = "publicIPAddress"
public_ip_address_id = azurerm_public_ip.test.id
}
}

resource "azurerm_lb_backend_address_pool" "test" {

loadbalancer_id = azurerm_lb.test.id
name = "BackEndAddressPool"
}

resource "azurerm_network_interface" "test" {

count = 2
name = "acctni${count.index}"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

ip_configuration {
name = "testConfiguration"
subnet_id = azurerm_subnet.test.id
private_ip_address_allocation = "Dynamic"
}
}

resource "azurerm_availability_set" "avset" {

name = "avset"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
platform_fault_domain_count = 2
platform_update_domain_count = 2
managed = true
}

resource "random_pet" "azurerm_linux_virtual_machine_name" {

prefix = "vm"
}

resource "azurerm_linux_virtual_machine" "test" {

count = 2
name =
"${random_pet.azurerm_linux_virtual_machine_name.id}${count.index}"
location = azurerm_resource_group.rg.location
availability_set_id = azurerm_availability_set.avset.id
resource_group_name = azurerm_resource_group.rg.name
network_interface_ids =
[azurerm_network_interface.test[count.index].id]
size = "Standard_DS1_v2"

# Uncomment this line to delete the OS disk automatically when

deleting the VM
# delete_os_disk_on_termination = true

# Uncomment this line to delete the data disks automatically when

deleting the VM
# delete_data_disks_on_termination = true

source_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "16.04-LTS"
version = "latest"
}

admin_ssh_key {
username = var.username
public_key =
jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}

os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
name = "myosdisk${count.index}"
}

computer_name = "hostname"
admin_username = var.username
}

resource "azurerm_managed_disk" "test" {

count = 2
name = "datadisk_existing_${count.index}"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
storage_account_type = "Standard_LRS"
create_option = "Empty"
disk_size_gb = "1024"
}

resource "azurerm_virtual_machine_data_disk_attachment" "test" {

count = 2
managed_disk_id = azurerm_managed_disk.test[count.index].id
virtual_machine_id =
azurerm_linux_virtual_machine.test[count.index].id
lun = "10"
caching = "ReadWrite"
}

5. Create a file named variables.tf and insert the following code:

Terraform
variable "resource_group_location" {
type = string
description = "Location for all resources."
default = "eastus"
}

variable "resource_group_name_prefix" {
type = string
description = "Prefix of the resource group name that's combined with
a random ID so name is unique in your Azure subscription."
default = "rg"
}

variable "username" {
type = string
description = "The username for the local account that will be
created on the new VM."
default = "azureadmin"
}

6. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "virtual_network_name" {
value = azurerm_virtual_network.test.name
}

output "subnet_name" {
value = azurerm_subnet.test.name
}

output "linux_virtual_machine_names" {
value = [for s in azurerm_linux_virtual_machine.test : s.name[*]]
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

If you specified a different filename for the -out parameter, use that same
filename in the call to terraform apply .
If you didn't use the -out parameter, call terraform apply without any parameters.
Cost information isn't presented during the virtual machine creation process for
Terraform like it is for the Azure portal. If you want to learn more about how cost works
for virtual machines, see the Cost optimization Overview page.

Verify the results

Azure CLI

1. Get the Azure resource group name.

Console

resource_group_name=$(terraform output -raw resource_group_name)

2. Run az vm list with a JMESPath query to display the names of the virtual
machines created in the resource group.

Azure CLI

az vm list \
--resource-group $resource_group_name \
--query "[].{\"VM Name\":name}" -o table

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
Azure Linux virtual machine tutorials
Quickstart: Use Terraform to create a
Windows VM
Article • 07/20/2023

This article was partially created with the help of AI. An author reviewed and revised
the content as needed. Read more.

Applies to: ✔️Windows VMs

This article shows you how to create a complete Windows environment and supporting
resources with Terraform. Those resources include a virtual network, subnet, public IP
address, and more.

Terraform enables the definition, preview, and deployment of cloud infrastructure.

In this article, you learn how to:

＂ Create a random value for the Azure resource group name using random_pet .
＂ Create an Azure resource group using azurerm_resource_group .
＂ Create a virtual network (VNET) using azurerm_virtual_network .
＂ Create a subnet using azurerm_subnet .
＂ Create a public IP using azurerm_public_ip .
＂ Create a network security group using azurerm_network_security_group .
＂ Create a network interface using azurerm_network_interface .
＂ Create an association between the network security group and the network
interface using azurerm_network_interface_security_group_association .
＂ Generate a random value for a unique storage account name using random_id .
＂ Create a storage account for boot diagnostics using azurerm_storage_account .
＂ Create a Windows VM with an IIS web server using
azurerm_windows_virtual_machine .
＂ Create a Windows VM extension using azurerm_virtual_machine_extension .

Prerequisites
Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

Install and configure Terraform

Implement the Terraform code

７ Note

The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test the sample Terraform code and make it the
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
required_version = ">=1.0"

required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}

provider "azurerm" {
features {}
}

3. Create a file named main.tf and insert the following code:

Terraform
resource "azurerm_resource_group" "rg" {
location = var.resource_group_location
name = "${random_pet.prefix.id}-rg"
}

# Create virtual network

resource "azurerm_virtual_network" "my_terraform_network" {
name = "${random_pet.prefix.id}-vnet"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}

# Create subnet
resource "azurerm_subnet" "my_terraform_subnet" {
name = "${random_pet.prefix.id}-subnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name =
azurerm_virtual_network.my_terraform_network.name
address_prefixes = ["10.0.1.0/24"]
}

# Create public IPs

resource "azurerm_public_ip" "my_terraform_public_ip" {
name = "${random_pet.prefix.id}-public-ip"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
allocation_method = "Dynamic"
}

# Create Network Security Group and rules

resource "azurerm_network_security_group" "my_terraform_nsg" {
name = "${random_pet.prefix.id}-nsg"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

security_rule {
name = "RDP"
priority = 1000
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "3389"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "web"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}

# Create network interface

resource "azurerm_network_interface" "my_terraform_nic" {
name = "${random_pet.prefix.id}-nic"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

# Connect the security group to the network interface

# Create storage account for boot diagnostics

# Create virtual machine

resource "azurerm_windows_virtual_machine" "main" {
name = "${var.prefix}-vm"
admin_username = "azureuser"
admin_password = random_password.password.result
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
network_interface_ids =
[azurerm_network_interface.my_terraform_nic.id]
size = "Standard_DS1_v2"

os_disk {
name = "myOsDisk"
caching = "ReadWrite"
storage_account_type = "Premium_LRS"
}

source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2022-datacenter-azure-edition"
version = "latest"
}

boot_diagnostics {
storage_account_uri =
azurerm_storage_account.my_storage_account.primary_blob_endpoint
}
}

# Install IIS web server to the virtual machine

resource "azurerm_virtual_machine_extension" "web_server_install" {
name = "${random_pet.prefix.id}-wsi"
virtual_machine_id = azurerm_windows_virtual_machine.main.id
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
type_handler_version = "1.8"
auto_upgrade_minor_version = true

settings = <<SETTINGS
{
"commandToExecute": "powershell -ExecutionPolicy Unrestricted
Install-WindowsFeature -Name Web-Server -IncludeAllSubFeature -
IncludeManagementTools"
}
SETTINGS
}

# Generate random text for a unique storage account name

resource "random_id" "random_id" {
keepers = {
# Generate a new ID only when a new resource group is defined
resource_group = azurerm_resource_group.rg.name
}

byte_length = 8
}

resource "random_password" "password" {

length = 20
min_lower = 1
min_upper = 1
min_numeric = 1
min_special = 1
special = true
}

resource "random_pet" "prefix" {

prefix = var.prefix
length = 1
}

4. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
default = "eastus"
description = "Location of the resource group."
}

variable "prefix" {
type = string
default = "win-vm-iis"
description = "Prefix of the resource name"
}

5. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "public_ip_address" {
value = azurerm_windows_virtual_machine.main.public_ip_address
}

output "admin_password" {
sensitive = true
value = azurerm_windows_virtual_machine.main.admin_password
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:
The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
To read more about persisting execution plans and security, see the security
warning section .

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Azure CLI

echo $(terraform output -raw public_ip_address)

2. With IIS installed and port 80 now open on your VM from the Internet, use a web
browser of your choice to view the default IIS welcome page. Use the public IP
address of your VM obtained from the previous command. The following example
shows the default IIS web site:

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console
terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.
To read more about persisting execution plans and security, see the security
warning section .

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps
In this quickstart, you deployed a simple virtual machine using Terraform. To learn more
about Azure virtual machines, continue to the tutorial for Linux VMs.

Azure Linux virtual machine tutorials

Quickstart: Create a Windows VM
cluster in Azure using Terraform
Article • 01/04/2024
） AI-assisted content. This article was partially created with the help of AI. An author reviewed and
revised the content as needed. Learn more

Applies to: ✔️Windows VMs

This article shows you how to create a Windows VM cluster (containing three Windows
VM instances) in Azure using Terraform.

＂ Create a random value for the Azure resource group name using random_pet .
＂ Create an Azure resource group using azurerm_resource_group .
＂ Create a random value for the Windows VM host name random_string .
＂ Create a random password for the Windows VMs using random_password .
＂ Create a Windows VM using the compute module .
＂ Create a virtual network along with subnet using the network module .

Prerequisites
Install and configure Terraform

Implement the Terraform code

７ Note

The sample code for this article is located in the Azure Terraform GitHub repo .
You can view the log file containing the test results from current and previous
versions of Terraform .

See more articles and sample code showing how to use Terraform to manage
Azure resources

1. Create a directory in which to test the sample Terraform code and make it the
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform
terraform {
required_version = ">=1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}
provider "azurerm" {
features {}
}

3. Create a file named main.tf and insert the following code:

Terraform

resource "random_pet" "rg_name" {

prefix = var.resource_group_name_prefix
}

resource "azurerm_resource_group" "rg" {

name = random_pet.rg_name.id
location = var.resource_group_location
}

resource "random_string" "windows_server_vm_hostname" {

length = 8
lower = true
upper = false
special = false
}

resource "random_pet" "windows_server_public_ip_dns" {

prefix = "dns"
}

resource "random_password" "password" {

length = 16
special = true
lower = true
upper = true
numeric = true
}

# The following module is a Terraform Verified Module.

# For more information about Verified Modules, see
# https://github.com/azure/terraform-azure-modules/
module "windows_server" {
count = 3 # Define 3 Windows Server VMs
source = "Azure/compute/azurerm"
resource_group_name = azurerm_resource_group.rg.name
vnet_subnet_id = module.network.vnet_subnets[0]
is_windows_image = true
vm_hostname =
"vm-${random_string.windows_server_vm_hostname.result}-${count.index}"
delete_os_disk_on_termination = true
admin_password = random_password.password.result
vm_os_simple = "WindowsServer"
public_ip_dns =
["${random_pet.windows_server_public_ip_dns.id}-${count.index}"]
}

# The following module is a Terraform Verified Module.

# For more information about Verified Modules, see
# https://github.com/azure/terraform-azure-modules/
module "network" {
source = "Azure/network/azurerm"
resource_group_name = azurerm_resource_group.rg.name
version = "5.2.0"
subnet_prefixes = ["10.0.1.0/24"]
subnet_names = ["subnet1"]
use_for_each = true
}

4. Create a file named variables.tf and insert the following code:

Terraform

variable "resource_group_location" {
type = string
default = "eastus"
description = "Location for all resources."
}

variable "resource_group_name_prefix" {
type = string
default = "rg"
description = "Prefix of the resource group name that's combined with
a random value so name is unique in your Azure subscription."
}

5. Create a file named outputs.tf and insert the following code:

Terraform

output "resource_group_name" {
value = azurerm_resource_group.rg.name
}
output "windows_vm_public_names" {
value = module.windows_server[*].public_ip_dns_name
}

output "vm_public_ip_addresses" {
value = module.windows_server[*].public_ip_address
}

output "vm_private_ip_addresses" {
value = module.windows_server[*].network_interface_private_ip
}

output "vm_hostnames" {
value = module.windows_server[*].vm_names
}

Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
To read more about persisting execution plans and security, see the security
warning section .

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .

Verify the results

Azure CLI

1. Get the Azure resource group name.

Console

resource_group_name=$(terraform output -raw resource_group_name)

2. Run az vm list with a JMESPath query to display the names of the virtual
machines created in the resource group.
Azure CLI

az vm list \
--resource-group $resource_group_name \
--query "[].{\"VM Name\":name}" -o table

Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.
To read more about persisting execution plans and security, see the security
warning section .

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure
Next steps
Azure Linux virtual machine tutorials
Quickstart: Deploy an Azure Kubernetes
Service (AKS) cluster using Terraform
Article • 06/21/2024