How to Use Managed Identity with the Azure or AzureAD Provider in Terraform Cloud

Background

• It is possible to authenticate using managed identity with the azurerm or azuread provider.
• Microsoft supports authenticating with managed identity on these Azure resources.
• By default, the Terraform Cloud Workspaces execute Terraform remotely on HashiCorp-controlled infrastructure.
• It is only possible to use managed identity when you have control of the resource executing Terraform, and this resource is supported by Microsoft. 

Solution

Use Terraform Cloud Agents.

• The Agent must be run on supported Azure resources for managed identity.
• The Azure resource must meet the requirements for running Agents.

How to enable managed identity authentication

• Configure your Workspace to use the Agent.
• Follow the Azure resource-specific documentation for enabling managed identity. It is also possible to manage this with Terraform. Common examples:
  • Azure Virtual Machine / azurerm_linux_virtual_machine identity
  • Azure Container Instances / azurerm_container_group identity
• Ensure that the managed identity is associated with a role and subscription that will be used to run Terraform. Example with azurerm_role_assignment.
• Finally, follow the steps in the provider documentation to configure the provider to use managed identity in your Workspace. For the azuread provider this looks like:

provider "azuread" {
  use_msi   = true
  tenant_id = "72f988bf-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

Additional Information

• For additional assistance please contact HashiCorp Support.