How to authenticate an Azure Provider to deploy Terraform code to National clouds (US Government or China)

Introduction

Microsoft Azure provides national clouds, such as US Government and China, which are physically isolated instances of Azure. These environments ensure that data residency, sovereignty, and compliance requirements are honored within specific geographical boundaries.

This guide explains how to configure the Terraform Azure provider to authenticate and deploy resources to these national clouds.

Procedure

Follow these steps to configure your environment for an Azure national cloud.

1. Set the Azure CLI cloud environment.

   You must configure the Azure CLI to target the desired national cloud. Run one of the following commands.

   For the US Government cloud:

   $ az cloud set --name AzureUSGovernment

   For the China cloud:

   $ az cloud set --name AzureChinaCloud

2. Log in to the Azure CLI.

   After setting the cloud environment, authenticate your session.

   $ az login

3. Configure the Azure provider in Terraform.

   In your Terraform configuration, update the azurerm provider block to specify the national cloud environment. The skip_provider_registration argument is required to prevent the auto-registration of resource providers, which may not be available or may behave differently in these environments.

   provider "azurerm" {
     ## For China cloud, use "china". 
     ## For US Government cloud, use "usgovernment".
     environment = "china"
   
     skip_provider_registration = true
   
     features {}
   }

4. Deploy your Terraform configuration.

   Run terraform plan and terraform apply to test the deployment of your resources to the selected national cloud.

Additional Information

• Authenticating using Azure CLI
• AzureRM provider documentation
• Azure for US Government cloud documentation
• Azure China cloud documentation