This repo creates a storage account which is used for bootstrapping your terraform deployments. It is integrated into GitHub Actions as a CI/CD pipeline. The storage account is later used for saving terraform state files.
Make sure you have an Azure service principal account. To create one you can use the following command in the Azure command line tool. Replace your-azure-subscription-id with your real subscription ID. Feel free to also adjust the value of the --name attribute.
Otherwise you can configure a service principal using the Azure Portal. Make sure it has the Contributor role in your Azure subscription. If your service principal is later used in other repositories and needs to be able to assign RBAC roles to Azure resources, then it needs the Owner role instead of Contributor.
```bash
# Login
az login
# Create service principal with Contributor role.
# The output, which includes the client secret, is written to az_client_credentials.json.
az ad sp create-for-rbac \
  --name="sp_plyg02" \
  --role="Contributor" \
  --scope="/subscriptions/your-azure-subscription-id" \
  --years=2 \
  > az_client_credentials.json
```
Adjust the variables in the file shared_vars.hcl for your Azure environment. Documentation on each variable is inside the sample file.

```bash
# Edit the file
nano shared_vars.hcl
```
Rename env.sample to .env and fill in your Azure credentials.
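An added helper (not part of this repo's scripts) that turns the az_client_credentials.json written by `az ad sp create-for-rbac` into .env entries and reports which required variables are still empty, for example ARM_ACCESS_KEY, which is only available once the storage account exists. ARM_CLIENT_ID and ARM_ACCESS_KEY are the names used in this README; ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID are the azurerm provider's standard variable names and are assumed to match env.sample; the JSON sample is constructed.

```python
import json
from typing import Dict, List

# az CLI JSON field -> variable name read by the azurerm provider.
# ARM_CLIENT_ID is named in this README; the other two are the provider's
# standard names (assumed to match env.sample).
CREDENTIAL_MAP = {
    "appId": "ARM_CLIENT_ID",
    "password": "ARM_CLIENT_SECRET",
    "tenant": "ARM_TENANT_ID",
}
# ARM_ACCESS_KEY is the storage account key added in a later step.
REQUIRED_VARS = ("ARM_CLIENT_ID", "ARM_CLIENT_SECRET", "ARM_TENANT_ID",
                 "ARM_SUBSCRIPTION_ID", "ARM_ACCESS_KEY")

# Constructed sample of the file produced by `az ad sp create-for-rbac`.
SAMPLE_CREDENTIALS = """{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "sp_plyg02",
  "password": "constructed-sample-secret",
  "tenant": "00000000-0000-0000-0000-0000000000aa"
}"""


def env_from_credentials(credentials_json: str, subscription_id: str) -> Dict[str, str]:
    """Map the service principal JSON plus the subscription ID to .env variables."""
    creds = json.loads(credentials_json)
    env = {}
    for json_key, var in CREDENTIAL_MAP.items():
        if not creds.get(json_key):
            raise KeyError(f"{json_key} missing from credentials file")
        env[var] = creds[json_key]
    env["ARM_SUBSCRIPTION_ID"] = subscription_id
    return env


def render_env(env: Dict[str, str]) -> str:
    """Render variables as KEY="value" lines suitable for `source .env`."""
    return "".join(f'{k}="{v}"\n' for k, v in env.items())


def missing_vars(env_text: str) -> List[str]:
    """Return required variable names that are absent or empty in .env text."""
    present = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        if name.startswith("export "):
            name = name[len("export "):].strip()
        present[name] = value.strip().strip('"')
    return [v for v in REQUIRED_VARS if not present.get(v)]
```

The same check can be run before pushing, since the GitHub Action secrets must carry exactly these variable names.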
Step 3: Comment out the backend configuration in provider.tf for the initial build
Change in provider.tf from:

```hcl
terraform {
  backend "azurerm" {
  }
}
```

to:

```hcl
// terraform {
//   backend "azurerm" {
//   }
// }
```
This instructs terraform to store the tfstate file locally. This is necessary because the storage account does not exist yet.
Before running the script make sure to source your .env file.
This script creates the following Azure resources:
- resource group
- storage account
- storage container (bucket)

```bash
source .env
./build_initial.sh
```
Uncomment the backend configuration in provider.tf.
Change:

```hcl
// terraform {
//   backend "azurerm" {
//   }
// }
```

to:

```hcl
terraform {
  backend "azurerm" {
  }
}
```
Go to the Azure Portal and find your newly created storage account. Go to Access keys and click Show keys. Copy the first key and enter it as the value for ARM_ACCESS_KEY in your .env file.
Run:

```bash
source .env
./build.sh
```

This re-runs terraform, and terraform will ask you if it should automatically migrate the terraform state file. You can happily say yes.
Before pushing your repo changes to GitHub, make sure to enter your Azure credentials into the Action secrets in GitHub. Name the Action secrets exactly in correspondence to the entries in the .env file.
To destroy everything:

```bash
source .env
./destroy.sh
```

This script errors at the end, because the storage account is deleted and terraform then tries to access the state file. This is OK.
When you start over again, make sure to delete the following ignored files and folders:

```bash
rm -rf ./.terraform
rm -f ./.terraform.lock.hcl
rm -f ./errored.tfstate
rm -f ./planfile
rm -f ./terraform.tfstate.backup
rm -f ./terraform.tfstate
```

If you would also like to delete the service principal, you can use:

```bash
az ad sp delete --id $ARM_CLIENT_ID
```