0
  • I want to create a python script utilizing the Terraform VM deployment on Azure (It's an educational project - so no real reasoning behind this, but all should be done with a single script)
  • I have successfully created VM using Azure CLI and Terraform
az login
terraform init
terraform validate
terraform apply
  • The problem is az login use browser authentication, which is not allowed by an educational project (single .py script without any user interaction). Azure CLI can use login and password though (doesn't work with two-factor authentication enabled)
az login -u <username> -p <password>

  • It can be somewhat done, with a username and password, but it's barely ideal - to share your Microsoft account with teammates and utilize credentials in python script instead of a token.

  • How would you suggest granting my teammates and terraform access to Azure and therefore creating a deployment script which uses some external token-like file? (Managed identities for Azure resources can be used to authenticate to services that support Azure Active Directory authentication but I have no idea what is this about)

Denis Kovalev
  • 13
  • 3
  • 2
    hello @DenisKovalec, the best case scenario for your case will be to create a Service Principal which will be used for authentication and deployment of resources from both terraform and python. You can provide the Client Id and Client secret for the same and provide a contributor access / owner access to the Service principal based on the requirement. – Ansuman Bal Nov 01 '21 at 10:55

1 Answers1

1

You provided the azure-pipelines tag so not sure if that means you're using Azure DevOps.

If so, that will make it easier as you can just create a service connection within ADO (which will create a service principal in AAD in the background) that you can use to run your pipeline so you won't have to run az login within your scripts. You can check out Charles Zipp's ADO pipeline task for Terraform which I find is a bit more flexible than Microsoft's Terraform task. If you setup a pipeline you can then set access control on the pipeline (and even service connection) to allow only those you want to run the pipeline.

If you don't use ADO and just want to run things locally then you'd need to create a service principal and provide the credentials in the provider block as @AnsumanBal-MT mentions in the comments on your question.

nicksnb
  • 258
  • 1
  • 7