Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Terraform - initial config

This project folder contains all code for your initial Terraform configuration. The following configuration has been made and tested on macOS Mojave, Version 10.14.2.


This folder contains the following files:

File Description this file Azure CLI script to create Azure AD service principal Azure CLI script to create backend storage and Azure KeyVault to store storage account key Bash script to export environment variables

Install Terraform

You can install Terraform using brew:

brew install terraform

Azure AD Preparation

For Terraform being able to authenticate against Azure you need an Azure AD service principal.


# Create Azure AD service principal in subscription <yourSubscriptionID>
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<yourSubscriptionID>"

Azure Infrastructure Preparation

We create an Azure Storage Account that is used as Terraform Remote Backend for storing the .tfstore file. The following az cli script creates a new Azure Resource Group, Storage Account and Storage Container and stores the Storage Account key as a secret in a new Azure KeyVault.


# Change these variables according to your needs

# Create Resource Group, Storage Account and Container for Terraform backend (securely storing Terraform plan)

# Create resource group
    az group create --name $RESOURCE_GROUP_NAME --location westeurope

# Create storage account
    az storage account create --resource-group $RESOURCE_GROUP_NAME --name $STORAGE_ACCOUNT_NAME --sku Standard_LRS --encryption-services blob

# Get storage account key
    ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query [0].value -o tsv)

# Create blob container
    az storage container create --name $CONTAINER_NAME --account-name $STORAGE_ACCOUNT_NAME --account-key $ACCOUNT_KEY

    echo "storage_account_name: $STORAGE_ACCOUNT_NAME"
    echo "container_name: $CONTAINER_NAME"
    echo "access_key: $ACCOUNT_KEY"

# Create Azure KeyVault
    az keyvault create -g $RESOURCE_GROUP_NAME --name $VAULT_NAME 

# Set Azure KeyVault Secret value to storage account key
    az keyvault secret set --vault-name $VAULT_NAME --name $SECRET_NAME --value $ACCOUNT_KEY

Export Environment Variables

You can add the following lines to your .bashrc or .bash_profile (depending on the operating system you use). The ARM_ACCESS_KEY variable is the storage account key you need to access the storage account you created before. The storage account key is exported into your bash environment everytime you start a shell session.

echo "Setting environment variables for Terraform"
export ARM_SUBSCRIPTION_ID=yourSubscriptionID
export ARM_CLIENT_ID=yourServicePrincipalAppID
export ARM_CLIENT_SECRET=yourServicePrincipalPassword
export ARM_TENANT_ID=yourAzureADTenantID
export ARM_ACCESS_KEY=$(az keyvault secret show --name yourKeyVaultSecretName --vault-name yourKeyVaultName --query value -o tsv)
# Not needed for public, required for usgovernment, german, china
export ARM_ENVIRONMENT=public