Introduction
HCP Terraform (formerly Terraform Cloud) provides a secure and scalable platform for managing infrastructure as code. When deploying resources to Microsoft Azure, it is essential to configure the environment to authenticate properly using Azure credentials. This guide describes the process of configuring HCP Terraform to use Azure credentials via a Service Principal, either newly created or pre-existing.
Expected Outcome
Upon completion, an HCP Terraform workspace will be correctly configured to authenticate with Azure using a Service Principal. This will enable successful execution of Terraform plans and applies that manage Azure infrastructure.
Prerequisites
- Microsoft Azure subscription
- An Azure Service Principal with sufficient permissions (e.g., Contributor) on the target subscription or resource group, or the ability to create one
- Access to HCP Terraform and an existing workspace
- Terraform configuration utilizing the azurerm provider
- Azure CLI installed (if a new Service Principal must be created)
Use Case
This configuration applies in scenarios where HCP Terraform is used to deploy and manage Azure infrastructure and secure authentication using a Service Principal is required. It supports both new and existing Service Principal credentials.
Procedure
Step 1: Obtain Azure Service Principal Credentials
Option A: Create a New Service Principal
For new configurations, a Service Principal can be created with the Azure CLI command az ad sp create-for-rbac. Assign the role with an explicit scope (a single subscription or resource group) rather than a broader one, since every HCP Terraform run in the workspace will carry that role. The command returns:
- appId (Client ID)
- password (Client Secret)
- tenant (Tenant ID)
The Azure Subscription ID is not part of this output; it is the ID of the subscription the Service Principal was scoped to (az account show reports the active subscription). These values are needed in the next steps and must be stored securely. The client secret is displayed only at creation time and expires (one year by default), so plan for rotation before it lapses.
Option B: Use an Existing Service Principal
If a Service Principal has already been provisioned, the following details should be readily available:
- Subscription ID associated with the Service Principal
- Client ID (appId)
- Client Secret (password)
- Tenant ID
If any of these values are missing, they can typically be retrieved from the Azure portal or by using the Azure CLI (az ad sp show and related commands). The client secret itself cannot be read back after creation; if it has been lost, issue a new one (az ad sp credential reset) and retire the old one.
Step 2: Configure Environment Variables in HCP Terraform
- Navigate to the relevant workspace in HCP Terraform.
- Open Settings > Variables.
- Under Environment Variables (not Terraform Variables), add the following entries, marking each as Sensitive:
  - ARM_SUBSCRIPTION_ID = <subscription-id>
  - ARM_CLIENT_ID = <client-id>
  - ARM_CLIENT_SECRET = <client-secret>
  - ARM_TENANT_ID = <tenant-id>
Marking a variable Sensitive makes its value write-only: it is hidden in the UI and cannot be read back through the API, only overwritten. It does not hide the value from the Terraform code that runs in the workspace, since any run can read its own environment, so connect the workspace only to version control that is under appropriate review.
Step 3: Define the Azure Provider in the Terraform Configuration
In the main Terraform configuration file, declare the azurerm provider with a features block and no credential arguments: client_id, client_secret, tenant_id and subscription_id must not appear in the configuration. The azurerm provider reads them from the ARM_* environment variables set in the HCP Terraform workspace, so no secrets are committed to version control.
Step 4: Trigger a Terraform Run
Once all configurations are in place, initiate a Terraform run. This can occur automatically via integration with version control (e.g., GitHub, GitLab, Bitbucket) or be triggered manually through the HCP Terraform UI. Terraform will authenticate to Azure using the Service Principal and execute the defined infrastructure tasks. If authentication fails, the plan stage reports the provider's error; the usual causes are a mistyped or expired client secret, a variable entered under Terraform Variables instead of Environment Variables, or a missing role assignment on the target scope.
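The following script is an added example, not part of the original article or of HashiCorp's or Microsoft's tooling. It performs Steps 1 to 3 above from a shell: it creates a Service Principal scoped to the active subscription with the Azure CLI, stores the four ARM_* values in an HCP Terraform workspace as sensitive environment variables through the HCP Terraform Variables API (POST /api/v2/workspaces/:workspace_id/vars), and writes a credential-free azurerm provider block. The input variable names TFE_TOKEN, TFE_WORKSPACE_ID, TFE_HOST and SP_NAME are this script's own assumptions; it expects a prior az login and an HCP Terraform API token with write access to the workspace.

```shell
#!/bin/sh
# Added example (not from the original article): bootstrap an HCP Terraform workspace
# with Azure Service Principal credentials. Assumed operator-supplied inputs (names are
# this script's own, not an HCP Terraform or Azure convention):
#   TFE_TOKEN         HCP Terraform API token (user or team token)
#   TFE_WORKSPACE_ID  workspace ID, e.g. ws-abc123
#   SP_NAME           display name for the new Service Principal (optional)
set -eu

TFE_HOST="${TFE_HOST:-app.terraform.io}"

# Escape backslashes and double quotes so a value can sit inside a JSON string literal.
json_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr -d '\n'
}

# Request body for POST /api/v2/workspaces/:workspace_id/vars. category is "env"
# (an Environment variable, not a Terraform variable) and sensitive=true makes the
# stored value write-only.
var_payload() {
  printf '{"data":{"type":"vars","attributes":{"key":"%s","value":"%s","category":"env","sensitive":true,"hcl":false}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Create one variable in the workspace. Re-running against a workspace that already
# has the key requires updating the existing variable instead of creating another.
push_var() {
  curl --fail --silent --show-error --request POST \
    --header "Authorization: Bearer ${TFE_TOKEN}" \
    --header "Content-Type: application/vnd.api+json" \
    --data "$(var_payload "$1" "$2")" \
    "https://${TFE_HOST}/api/v2/workspaces/${TFE_WORKSPACE_ID}/vars" >/dev/null
}

# Step 3 of the article: a provider block that carries no credentials. The azurerm
# provider reads ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET and
# ARM_TENANT_ID from the run environment, so nothing secret lands in version control.
write_provider_block() {
  cat > "$1" <<'EOF'
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}
EOF
}

main() {
  sp_name="${SP_NAME:-hcp-terraform}"
  # The subscription ID is not in the create-for-rbac output; take it from the active account.
  sub_id="$(az account show --query id -o tsv)"

  # Step 1: create the Service Principal with an explicit single-subscription scope
  # (least privilege: no tenant-wide or management-group role). --years bounds the
  # secret's lifetime. The output is captured once and never echoed, because it
  # contains the client secret.
  sp_line="$(az ad sp create-for-rbac --name "$sp_name" --role Contributor \
               --scopes "/subscriptions/${sub_id}" --years 1 \
               --query '[appId,password,tenant]' -o tsv --only-show-errors)"
  tab="$(printf '\t')"
  IFS="$tab" read -r client_id client_secret tenant_id <<EOF
$sp_line
EOF

  # Step 2: the four ARM_* environment variables, all sensitive.
  push_var ARM_SUBSCRIPTION_ID "$sub_id"
  push_var ARM_CLIENT_ID       "$client_id"
  push_var ARM_CLIENT_SECRET   "$client_secret"
  push_var ARM_TENANT_ID       "$tenant_id"

  write_provider_block providers.tf
  echo "Service Principal ${client_id} created and stored in workspace ${TFE_WORKSPACE_ID}"
}

# Only run the live steps when the operator has supplied the HCP Terraform inputs.
if [ -n "${TFE_TOKEN:-}" ] && [ -n "${TFE_WORKSPACE_ID:-}" ]; then
  main
fi
```

Run it as `TFE_TOKEN=... TFE_WORKSPACE_ID=ws-... sh bootstrap.sh` after `az login`. The secret is passed to curl through a process argument and never written to disk or printed; the JSON body is built with explicit escaping because client secrets can contain characters that would otherwise break the request. The provider block it writes is the complete Step 3 configuration: no credentials, only the features block the azurerm provider requires.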