docs: improve azurerm backend docs (#34564)

* Update azurerm backend docs

* Use support note notation

* Fix table format

* Tidy and enhance

* Tidy warnings

* Improvements

* Add comment to CLI option

* Add warnings

* Improve example resource names

* Follow convention for warning

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Update website/docs/language/settings/backends/azurerm.mdx

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Luke Taylor <77284962+luke-taylor@users.noreply.github.com>
Co-authored-by: Tom Bamford <tom@bamford.io>
pull/34598/head
Jared Holgate 2 years ago committed by GitHub
parent a83e057816
commit d9ccdfb7d1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -9,134 +9,324 @@ Stores the state as a Blob with the given Key within the Blob Container within [
This backend supports state locking and consistency checking with Azure Blob Storage native capabilities.
~> **Terraform 1.1 and 1.2 supported a feature-flag to allow enabling/disabling the use of Microsoft Graph (and MSAL) rather than Azure Active Directory Graph (and ADAL) - however this flag has since been removed in Terraform 1.3. Microsoft Graph (and MSAL) are now enabled by default and Azure Active Directory Graph (and ADAL) can no longer be used.
~> Terraform 1.1 and 1.2 supported a feature-flag to allow enabling/disabling the use of Microsoft Graph (and MSAL) rather than Azure Active Directory Graph (and ADAL) - however this flag has since been removed in Terraform 1.3. Microsoft Graph (and MSAL) are now enabled by default and Azure Active Directory Graph (and ADAL) can no longer be used.
## Example Configuration
## Authentication
When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):
The `azurerm` backend supports 3 methods of authenticating to the storage account:
- **Access Key** (default)
- **Azure Active Directory**
- **SAS Token**
The *Access Key* method can be used directly, by specifying the access key, or in combination with an Azure AD principal (e.g. user, service principal or managed identity). To use an Access Key directly you must generate one for your state file blob and specify it in the backend configuration. If neither an access key or client ID is specified, Terraform will attempt to use Azure CLI. In both cases where no access key is given, Terraform will attempt to retrieve the access key for the storage account, using the authenticated Azure AD principal.
The *Azure Active Directory* method can only be used in combination with an Azure AD principal. To use the Azure Active Directory method you must set the `use_azuread_auth` variable to `true` in your backend configuration. This will cause the backend to use the Access Token of the Azure AD principal to authenticate to the state file blob, nstead of authenticating using a shared access key.
The *SAS Token* method can only be used directly. You must generate a SAS Token for your state file blob and pass it to the backend config.
The `azurerm` backend supports the following authentication scenarios to connect to the storage account, based on the configuration variables provided:
| Authentication Method | Storage Account Authentication Type | Minimum Required Configuration* |
|-----|---|---|---|
| User Principal via Azure CLI | Access Key | N/A |
| User Principal via Azure CLI | Azure AD | `use_azuread_auth = true` |
| Service Principal or User Assigned Managed Identity via OIDC (Workload identity federation) | Access Key | `use_oidc = true` |
| Service Principal or User Assigned Managed Identity via OIDC (Workload identity federation) | Azure AD | `use_azuread_auth = true`, `use_oidc = true` |
| Managed Identity Principal | Access Key | `use_msi = true` |
| Managed Identity Principal | Azure AD | `use_azuread_auth = true`, `use_msi = true` |
| Service Principal via Client Secret | Access Key | `client_secret = "..."` |
| Service Principal via Client Secret | Azure AD | `use_azuread_auth = true`, `client_secret = "..."` |
| Service Principal via Client Certificate | Access Key | `client_certificate_path = "..."` |
| Service Principal via Client Certificate | Azure AD | `client_certificate_path = "...`, `use_azuread_auth = true` |
| Access Key direct | Access Key | `access_key = "..."` |
| SAS Token direct | SAS Token | `sas_token = "..."` |
-> * There are sometimes more options needed for successful authentication. The variable shown is the one that triggers the backend to use a given authentication scenario. You can see examples of each option below.
-> Sensitive values should not be hardcoded into your configuration, and should instead be specified using environment variables or partial configuration flags in the `init` command of Terraform CLI.
## Example Backend Configurations
### Backend: Azure AD User via Azure CLI
This method is not suitable for automation since it only supports a User Principal. To check which tenant and subscription you are pointed to, run `az account show`.
*Connect to Storage Account with Access Key*
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
}
}
```
***
*Connect to Storage Account with Azure Active Directory authentication*
When authenticating using Managed Service Identity (MSI):
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
### Backend: Azure AD Service Principal or User Assigned Managed Identity via OIDC (Workload Identity Federation)
You can use an App Registration (Service Principal) or a User Assigned Managed Identity to configure federated credentials. You must supply the Client ID of the principal.
*Connect to Storage Account with Access Key*
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_msi = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
```
***
*Connect to Storage Account with Azure Active Directory authentication*
When authenticating using OpenID Connect (OIDC):
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
### Backend: Azure AD Managed Identity Principal
You can use a User Assigned Managed Identity as well as a System Assigned Managed Identity on your agent / runner compute environment. However the backend does not currently support specifying the Client ID of the User Assigned Managed Identity, so you can only supply one per compute instance.
*Connect to Storage Account with Access Key*
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_oidc = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
use_msi = true # Can also be set via `ARM_USE_MSI` environment variable.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
```
***
*Connect to Storage Account with Azure Active Directory authentication*
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
use_msi = true # Can also be set via `ARM_USE_MSI` environment variable.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
When authenticating using Azure AD Authentication:
### Backend: Azure AD Service Principal via Client Secret
~> **Warning!**: This method requires you to manage and rotate a secret. Consider using OIDC as a more secure approach.
*Connect to Storage Account with Access Key*
```hcl
terraform {
backend "azurerm" {
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_azuread_auth = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
client_secret = "************************************" # Can also be set via `ARM_CLIENT_SECRET` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
```
-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
*Connect to Storage Account with Azure Active Directory authentication*
***
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
client_secret = "************************************" # Can also be set via `ARM_CLIENT_SECRET` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
When authenticating using the Access Key associated with the Storage Account:
### Backend: Azure AD Service Principal via Client Certificate
~> **Warning!**: This method requires you to manage and rotate a secret. Consider using OIDC as a more secure approach.
*Connect to Storage Account with Access Key*
```hcl
terraform {
backend "azurerm" {
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
client_certificate_path = "/path/to/bundle.pfx" # Can also be set via `ARM_CLIENT_CERTIFICATE_PATH` environment variable.
client_certificate_password = "************************************" # Can also be set via `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
```
*Connect to Storage Account with Azure Active Directory authentication*
# rather than defining this inline, the Access Key can also be sourced
# from an Environment Variable - more information is available below.
access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
client_certificate_path = "/path/to/bundle.pfx" # Can also be set via `ARM_CLIENT_CERTIFICATE_PATH` environment variable.
client_certificate_password = "************************************" # Can also be set via `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
***
### Backend: Access Key Direct
When authenticating using a SAS Token associated with the Storage Account:
~> **Warning!**: This method requires you to manage and rotate a secret. Consider using OIDC as a more secure approach.
```hcl
terraform {
backend "azurerm" {
storage_account_name = "abcd1234"
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
access_key = "abcdefghijklmnopqrstuvwxyz0123456789..." # Can also be set via `ARM_ACCESS_KEY` environment variable.
}
}
```
### Backend: SAS Token
~> **Warning!**: This method requires you to manage and rotate a secret. Consider using OIDC as a more secure approach.
```hcl
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..." # Can also be set via `ARM_SAS_TOKEN` environment variable.
}
}
```
## Example Data Source Configurations
### Data Source: Azure AD User Principal via Azure CLI
This method is not suitable for automation since it only supports a User Principal. To check which tenant and subscription you are pointed to, run `az account show`.
*Connect to Storage Account with Access Key*
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "tfstate"
key = "prod.terraform.tfstate"
}
}
```
*Connect to Storage Account with Azure Active Directory authentication*
# rather than defining this inline, the SAS Token can also be sourced
# from an Environment Variable - more information is available below.
sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
-> **NOTE:** When using a Service Principal or an Access Key - we recommend using a [Partial Configuration](/terraform/language/settings/backends/configuration#partial-configuration) for the credentials.
### Data Source: Azure AD Service Principal or User Assigned Managed Identity via OIDC (Workload Identity Federation)
## Data Source Configuration
You can use an App Registration (Service Principal) or a User Assigned Managed Identity to configure federated credentials. You must supply the Client ID of the principal.
When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):
*Connect to Storage Account with Access Key*
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "terraform-state"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
```
***
When authenticating using Managed Service Identity (MSI):
*Connect to Storage Account with Azure Active Directory authentication*
```hcl
data "terraform_remote_state" "foo" {
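Review bot: the authentication table's separator row `|-----|---|---|---|` has four cells while the header and every data row have three, so the table will not render as intended; drop one cell so it reads `|-----|---|---|`. In the same table, the Client Certificate / Azure AD row reads `client_certificate_path = "...` with the closing quote and backtick missing. In the *Azure Active Directory* paragraph, "nstead" should be "instead", and "neither an access key or client ID" should be "neither an access key nor a client ID". The `-backend-config` comments on every example field close the code span right after `-backend-config=`, leaving the quoted `"resource_group_name=<resource group name>"` outside the span and a stray backtick at the end; a single span around the whole `-backend-config="resource_group_name=<resource group name>"` is what the `init` command actually takes. Finally, the Managed Identity section says the backend does not support specifying the Client ID of a User Assigned Managed Identity, yet both Managed Identity backend examples set `client_id = "00000000-..."` with an `ARM_CLIENT_ID` comment, while the Managed Identity data-source examples later in the patch omit `client_id`; either the sentence or the `client_id` lines should go so the two halves agree.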
@ -144,18 +334,22 @@ data "terraform_remote_state" "foo" {
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "terraform-state"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_msi = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable.
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
***
### Data Source: Azure AD Managed Identity Principal
You can use a User Assigned Managed Identity as well as a System Assigned Managed Identity on your agent / runner compute environment. However the backend does not currently support specifying the Client ID of the User Assigned Managed Identity, so you can only supply one per compute instance.
When authenticating using OpenID Connect (OIDC):
*Connect to Storage Account with Access Key*
```hcl
data "terraform_remote_state" "foo" {
@ -163,69 +357,147 @@ data "terraform_remote_state" "foo" {
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "terraform-state"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_oidc = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
use_msi = true # Can also be set via `ARM_USE_MSI` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
```
***
When authenticating using AzureAD Authentication:
*Connect to Storage Account with Azure Active Directory authentication*
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "terraform-state"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_azuread_auth = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
use_msi = true # Can also be set via `ARM_USE_MSI` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
### Data Source: Azure AD Service Principal via Client Secret
***
~> **Warning!**: This method requires you to manage and rotate a secret. Consider using OIDC as a more secure approach.
When authenticating using the Access Key associated with the Storage Account:
*Connect to Storage Account with Access Key*
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "terraform-state"
container_name = "tfstate"
key = "prod.terraform.tfstate"
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
client_secret = "************************************" # Can also be set via `ARM_CLIENT_SECRET` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
```
*Connect to Storage Account with Azure Active Directory authentication*
# rather than defining this inline, the Access Key can also be sourced
# from an Environment Variable - more information is available below.
access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "tfstate"
key = "prod.terraform.tfstate"
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
client_secret = "************************************" # Can also be set via `ARM_CLIENT_SECRET` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
***
### Data Source: Azure AD Service Principal via Client Certificate
~> **Warning!**: This method requires you to manage and rotate a secret. Consider using OIDC as a more secure approach.
*Connect to Storage Account with Access Key*
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "tfstate"
key = "prod.terraform.tfstate"
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
client_certificate_path = "/path/to/bundle.pfx" # Can also be set via `ARM_CLIENT_CERTIFICATE_PATH` environment variable.
client_certificate_password = "************************************" # Can also be set via `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
```
*Connect to Storage Account with Azure Active Directory authentication*
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "tfstate"
key = "prod.terraform.tfstate"
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
client_certificate_path = "/path/to/bundle.pfx" # Can also be set via `ARM_CLIENT_CERTIFICATE_PATH` environment variable.
client_certificate_password = "************************************" # Can also be set via `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable.
}
}
```
### Data Source: Access Key Direct
When authenticating using a SAS Token associated with the Storage Account:
~> **Warning!**: This method requires you to manage and rotate a secret. Consider using OIDC as a more secure approach.
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "terraform-state"
container_name = "tfstate"
key = "prod.terraform.tfstate"
access_key = "abcdefghijklmnopqrstuvwxyz0123456789..." # Can also be set via `ARM_ACCESS_KEY` environment variable.
}
}
```
### Data Source: SAS Token
# rather than defining this inline, the SAS Token can also be sourced
# from an Environment Variable - more information is available below.
sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
~> **Warning!**: This method requires you to manage and rotate a secret. Consider using OIDC as a more secure approach.
```hcl
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "tfstate"
key = "prod.terraform.tfstate"
sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..." # Can also be set via `ARM_SAS_TOKEN` environment variable.
}
}
```
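Review bot: the data-source examples use `storage_account_name = "terraform123abc"` while every backend example above uses `"abcd1234"`; since the data source reads the state the backend writes, the two should name the same account (the commit message's "Improve example resource names" suggests that was the intent). The Client Secret, Client Certificate, Access Key and SAS Token data-source examples also place the credential inline (`client_secret`, `client_certificate_password`, `access_key`, `sas_token`) with only a trailing comment about the `ARM_*` variable, whereas the `!>` warning further down in this patch says hardcoded values are written to the `.terraform` subdirectory and into plan files; omitting the literal and keeping the comment (or showing the environment-variable form) would make the examples match that guidance. Minor: the Client Certificate warning repeats "manage and rotate a secret" although the credential there is a certificate plus its password; "a credential" would cover both cases.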
@ -234,7 +506,6 @@ data "terraform_remote_state" "foo" {
!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both the `.terraform` subdirectory and in plan files. Refer to [Credentials and Sensitive Data](/terraform/language/settings/backends/configuration#credentials-and-sensitive-data) for details.
The following configuration options are supported:
* `storage_account_name` - (Required) The Name of [the Storage Account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account).
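Review bot: this `!>` warning says values passed via `-backend-config` end up in the `.terraform` subdirectory and in plan files, but the note under the authentication table earlier in the patch tells readers that sensitive values "should instead be specified using environment variables or partial configuration flags in the `init` command"; the two should agree. Limiting the partial-configuration advice to the non-sensitive fields the example comments already attach it to (`resource_group_name`, `storage_account_name`, `container_name`, `key`) and pointing only to the `ARM_*` environment variables for credentials would resolve the contradiction.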
@ -255,7 +526,7 @@ The following configuration options are supported:
***
When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:
When authenticating using a Managed Identity (MSI) - the following fields are also supported:
* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.
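Review bot: the reworded heading "When authenticating using a Managed Identity (MSI)" keeps the abbreviation MSI, which the old wording expanded as Managed Service Identity; since the option is still `use_msi` (and `ARM_USE_MSI`), a short parenthetical such as "Managed Identity (MSI, enabled with `use_msi`)" keeps the link between the heading and the option name for readers who no longer see the expansion.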
@ -269,7 +540,7 @@ When authenticating using the Managed Service Identity (MSI) - the following fie
***
When authenticating using a Service Principal with OpenID Connect (OIDC) - the following fields are also supported:
When authenticating using a Service Principal with OpenID Connect (OIDC / Workload Identity Federation) - the following fields are also supported:
* `oidc_request_url` - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL` or `ACTIONS_ID_TOKEN_REQUEST_URL` environment variables.
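Review bot: the heading now reads "Service Principal with OpenID Connect (OIDC / Workload Identity Federation)", but the example sections above state that a User Assigned Managed Identity can also be used with OIDC federated credentials; naming both principal types here avoids readers of the options list concluding that OIDC is Service-Principal-only. On the `oidc_request_url` line, `ACTIONS_ID_TOKEN_REQUEST_URL` is the GitHub Actions runner's variable; saying so in half a sentence would help readers on other CI systems understand why it is listed as a fallback.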
@ -295,11 +566,11 @@ When authenticating using the Storage Account's Access Key - the following field
***
When authenticating using AzureAD Authentication - the following fields are also supported:
When authenticating using an Azure AD Service Principal, you have the option to use Azure Active Directory authentication for the storage account (rather than by an Access Key or SAS Token) - the following fields are also supported:
* `use_azuread_auth` - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account. This can also be sourced from the `ARM_USE_AZUREAD` environment variable.
* `use_azuread_auth` - (Optional) Whether Azure Active Directory Authentication should be used to access the Blob Storage Account. This can also be sourced from the `ARM_USE_AZUREAD` environment variable.
-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
-> **Note:** When using Azure Active Directory Authentication, you must ensure the `Storage Blob Data Owner` or `Container Blob Data Owner` roles are assigned to your Storage Account.
***
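Review bot: the new sentence "When authenticating using an Azure AD Service Principal, you have the option to use Azure Active Directory authentication for the storage account" is narrower than the examples, which show `use_azuread_auth = true` with the Azure CLI user principal, OIDC and Managed Identity as well; "an Azure AD principal" would cover all of them. In the replaced role note, "roles are assigned to your Storage Account" reads as if the account receives the role; the role is assigned to the authenticating principal with the storage account or container as the scope, so "assigned to the principal on the Storage Account (or container)" is clearer. Please also double-check the name `Container Blob Data Owner` against Azure's built-in role list; the old note named only `Storage Blob Data Owner`.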
