Background
The azurerm and azuread providers can both authenticate with an Azure managed identity. Microsoft supports managed identity only on certain Azure resources, and the identity's token is obtained from the instance metadata endpoint of the resource the process is running on. By default, HCP Terraform Workspaces execute Terraform remotely on HashiCorp-controlled infrastructure, which is not one of your Azure resources. Managed identity authentication for the Terraform Azure providers is therefore only possible when Terraform runs on an Azure resource you control that supports managed identity.
Solution
- The Agent must run on an Azure resource that supports managed identity.
- That Azure resource must also meet the requirements for running Agents.
How to enable managed identity authentication
- Configure your Workspace to use the Agent.
- Follow the Azure resource-specific documentation for enabling managed identity. It is also possible to manage this with Terraform. Common examples:
  - Azure Virtual Machine / azurerm_linux_virtual_machine (identity block)
  - Azure Container Instances / azurerm_container_group (identity block)
- Ensure that the managed identity has a role assignment on the subscription Terraform will manage. Example with azurerm_role_assignment.
- Finally, follow the steps in the provider documentation to configure the provider to use managed identity in your Workspace. For the azuread provider this looks like:
provider "azuread" {
  use_msi   = true
  tenant_id = "72f988bf-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
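An added example, not from the original article, tying the steps above together in HCL: the VM that hosts the Agent gets a system-assigned managed identity, and that identity receives the role assignment Terraform needs. The resource names, the existing resource group and network interface, the Ubuntu image and the Contributor role are assumptions; the azuread provider block from the article then sits unchanged in the Workspace configuration that the Agent runs.

```hcl
# Added example, not from the original article: the VM that hosts the HCP
# Terraform Agent gets a system-assigned identity and a subscription-scoped
# role assignment. Names, the resource group and the NIC are assumptions.
data "azurerm_subscription" "current" {}

data "azurerm_resource_group" "agent" {
  name = "rg-tfc-agent" # assumed to exist
}

data "azurerm_network_interface" "agent" {
  name                = "nic-tfc-agent" # assumed to exist
  resource_group_name = data.azurerm_resource_group.agent.name
}

resource "azurerm_linux_virtual_machine" "agent" {
  name                  = "vm-tfc-agent"
  resource_group_name   = data.azurerm_resource_group.agent.name
  location              = data.azurerm_resource_group.agent.location
  size                  = "Standard_B2s"
  admin_username        = "azureuser"
  network_interface_ids = [data.azurerm_network_interface.agent.id]

  # Azure issues and rotates this identity's credential; no secret is stored
  # on the VM or in Workspace variables.
  identity {
    type = "SystemAssigned"
  }

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_rsa.pub")
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
}

# Contributor at subscription scope is the broadest sensible grant; narrow
# the role and scope to what the Workspace actually manages.
resource "azurerm_role_assignment" "agent" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_linux_virtual_machine.agent.identity[0].principal_id
}
```

The identity's principal_id is only known after the VM is created, so apply this configuration from a workspace that already has Azure credentials before pointing the managed-identity Workspace at the new Agent.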