HashiCorp Developer AI Private beta now available Sign up today
Terraform
Terraform Home

You are viewing documentation for version v202304-1. View latest version.

Dynamic Credentials with the Azure Provider

Important: Ensure you are using version 3.25.0 or later of the AzureRM provider and version 2.29.0 or later of the AzureAD provider as required OIDC functionality was introduced in these provider versions.

Important: If using self-managed agents, make sure you’re using v1.7.0 or later.

Warning: Dynamic Credentials with the Azure providers do not work when your TFE instance is using a custom or self-signed certificate due to restrictions on Azure's end.

You can use Terraform Cloud’s native OpenID Connect integration with Azure to get dynamic credentials for the AzureRM or AzureAD providers in your Terraform Cloud runs. Configuring the integration requires the following steps.

  1. Configure Azure: Set up a trust configuration between Azure and Terraform Cloud. Then, you must create Azure roles and policies for your Terraform Cloud workspaces.
  2. Configure Terraform Cloud: Add environment variables to the Terraform Cloud workspaces where you want to use Dynamic Credentials.

Once you complete the setup, Terraform Cloud automatically authenticates to Azure during each run. The Azure provider authentication is valid for the length of the plan or apply.

Configure Azure

You must enable and configure an application and service principal with accompanying federated credentials and permissions on Azure. These instructions use the Azure portal, but you can also use Terraform to configure Azure. Refer to our example Terraform configuration.

Create an Application and Service Principal

Follow the steps mentioned in the AzureRM provider docs here: Creating the Application and Service Principal.

As mentioned in the documentation it will be important to make note of the client_id for the application as you will use this later for authentication.

Note: you will want to skip the “Configure Azure Active Directory Application to Trust a GitHub Repository” section as this does not apply here.

Grant the Application Access to Manage Resources in Your Azure Subscription

You must now give the created Application permission to modify resources within your Subscription.

Follow the steps mentioned in the AzureRM provider docs here: Granting the Application access to manage resources in your Azure Subscription.

Configure Azure Active Directory Application to Trust a Generic Issuer

Finally, you must create federated identity credentials which validate the contents of the token sent to Azure from Terraform Cloud.

Follow the steps mentioned in the AzureRM provider docs here: Configure Azure Active Directory Application to Trust a Generic Issuer.

The following information should be specified:

  • Federated credential scenario: Must be set to Other issuer.
  • Issuer: The address of Terraform Cloud (e.g., https://app.terraform.io).
    • Important: make sure this value starts with https:// and does not have a trailing slash.
  • Subject identifier: The subject identifier from Terraform Cloud that this credential will match. This will be in the form organization:my-org-name:project:my-project-name:workspace:my-workspace-name:run_phase:plan where the run_phase can be one of plan or apply.
  • Name: A name for the federated credential, such as tfc-plan-credential. Note that this cannot be changed later.

The following is optional, but may be desired:

  • Audience: Enter the audience value that will be set when requesting the identity token. This will be api://AzureADTokenExchange by default. This should be set to the value of TFC_AZURE_WORKLOAD_IDENTITY_AUDIENCE if this has been configured.

Note: because the Subject identifier for federated credentials is a direct string match, two federated identity credentials need to be created for each workspace using dynamic credentials: one that matches run_phase:plan and one that matches run_phase:apply.

Configure Terraform Cloud

You’ll need to set some environment variables in your Terraform Cloud workspace in order to configure Terraform Cloud to authenticate with Azure using dynamic credentials. You can set these as workspace variables.

Required Environment Variables

VariableValueNotes
TFC_AZURE_PROVIDER_AUTHtrueMust be present and set to true, or Terraform Cloud will not attempt to authenticate to Azure.
TFC_AZURE_RUN_CLIENT_IDThe client ID for the Service Principal / Application used when authenticating to Azure.Optional if TFC_AZURE_PLAN_CLIENT_ID and TFC_AZURE_APPLY_CLIENT_ID are both provided. These variables are described below

Optional Environment Variables

You may need to set these variables, depending on your use case.

VariableValueNotes
TFC_AZURE_WORKLOAD_IDENTITY_AUDIENCEWill be used as the aud claim for the identity token. Defaults to api://AzureADTokenExchange.
TFC_AZURE_PLAN_CLIENT_IDThe client ID for the Service Principal / Application to use for the plan phase of a run.Will fall back to the value of TFC_AZURE_RUN_CLIENT_ID if not provided.
TFC_AZURE_APPLY_CLIENT_IDThe client ID for the Service Principal / Application to use for the apply phase of a run.Will fall back to the value of TFC_AZURE_RUN_CLIENT_ID if not provided.

Configure the AzureRM or AzureAD Provider

Make sure that you’re passing values for the subscription_id and tenant_id arguments into the provider configuration block or setting the ARM_SUBSCRIPTION_ID and ARM_TENANT_ID variables in your workspace.

Make sure that you’re not setting values for client_id, use_oidc, or oidc_token in the provider or setting any of ARM_CLIENT_ID, ARM_USE_OIDC, ARM_OIDC_TOKEN.