
Azure Terraform Backend Template

Azure Resource Manager (ARM) template that creates an Azure Storage account to store Terraform state files:

  • Creates a storage account with the specified name.
  • Configures the storage account according to security recommendations.
  • Creates a blob container with the specified name.
  • Grants access to the storage account for specified user, group and service principals.
  • Creates a read-only lock to prevent changes to the storage account.

Prerequisites

Usage

Create Azure Storage account

  1. Log in to Azure:

    az login
  2. Set the active subscription:

    az account set --name <SUBSCRIPTION_NAME>
  3. Create a resource group:

    az group create --name <RESOURCE_GROUP_NAME> --location <LOCATION>

    Requires the Azure role Contributor at the subscription scope.

  4. Create a deployment in the resource group from the template URI:

    az deployment group create --name terraform-backend --resource-group <RESOURCE_GROUP_NAME> --template-uri https://raw.githubusercontent.com/equinor/azure-terraform-backend-template/main/azuredeploy.json --parameters storageAccountName=<STORAGE_ACCOUNT_NAME>

    Requires the Azure role Owner at the resource group scope.

Configure Terraform backend

  1. Create a Terraform configuration file main.tf and add the following backend configuration:

    terraform {
      backend "azurerm" {
        resource_group_name  = "<RESOURCE_GROUP_NAME>"
        storage_account_name = "<STORAGE_ACCOUNT_NAME>"
        container_name       = "tfstate"
        key                  = "terraform.tfstate"
        use_azuread_auth     = true
      }
    }
  2. Initialize the Terraform backend:

    terraform init

Parameters

| Name | Description | Type | Default |
|---|---|---|---|
| storageAccountName | The name of the storage account to create. | string | |
| containerName | The name of the blob container to create. | string | tfstate |
| allowSharedAccessKey | Allow authenticating to the storage account using a shared access key? | bool | false |
| ipRules | An array of IP addresses or ranges that should be granted access to the storage account. If empty, all IP addresses and ranges will be granted access to the storage account. | array | [] |
| principalIds | An array of object IDs for user, group or service principals that should be allowed to authenticate to the storage account using Microsoft Entra. | array | [] |

Tip

Rather than passing parameters as inline values, create a parameter file.
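Added example, not code from the template repository: a POSIX shell script that writes the parameter file recommended in the tip, runs the resource-group and deployment commands from the steps above, and then confirms that shared-key access is disabled on the new account so only the listed Microsoft Entra principals can reach the state. Assumed: the environment variables RESOURCE_GROUP_NAME, STORAGE_ACCOUNT_NAME, LOCATION, PRINCIPAL_ID and CLIENT_IP, and that ipRules entries are plain strings.

```shell
#!/usr/bin/env sh
# Added example, not part of the equinor template repository.
# Assumed env: RESOURCE_GROUP_NAME, STORAGE_ACCOUNT_NAME, LOCATION, PRINCIPAL_ID, CLIENT_IP.
TEMPLATE_URI="https://raw.githubusercontent.com/equinor/azure-terraform-backend-template/main/azuredeploy.json"

# Write an ARM parameter file for azuredeploy.json. Shared-key auth stays
# disabled, and ipRules/principalIds limit who can reach and authenticate
# to the state account (ipRules entries assumed to be plain strings).
write_params_file() {
  # $1 output path, $2 storage account name, $3 principal object ID, $4 allowed IP
  cat > "$1" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "value": "$2" },
    "containerName": { "value": "tfstate" },
    "allowSharedAccessKey": { "value": false },
    "ipRules": { "value": ["$4"] },
    "principalIds": { "value": ["$3"] }
  }
}
EOF
}

# Deploy the template into the resource group (Owner role required there).
deploy_backend() {
  # $1 resource group, $2 parameter file
  az deployment group create --name terraform-backend --resource-group "$1" \
    --template-uri "$TEMPLATE_URI" --parameters "@$2"
}

# Post-deployment check: with shared-key auth off, only the Entra principals
# in principalIds can read or write the state blob.
shared_key_disabled() {
  # $1 resource group, $2 storage account name
  [ "$(az storage account show --name "$2" --resource-group "$1" \
        --query allowSharedKeyAccess -o tsv)" = "false" ]
}

# Run the whole flow only when explicitly requested (RUN_DEPLOY=1).
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  write_params_file azuredeploy.parameters.json \
    "$STORAGE_ACCOUNT_NAME" "$PRINCIPAL_ID" "$CLIENT_IP"
  az group create --name "$RESOURCE_GROUP_NAME" --location "$LOCATION"
  deploy_backend "$RESOURCE_GROUP_NAME" azuredeploy.parameters.json
  shared_key_disabled "$RESOURCE_GROUP_NAME" "$STORAGE_ACCOUNT_NAME" \
    && echo "OK: shared-key access is disabled on $STORAGE_ACCOUNT_NAME"
fi
```

Invoke it as RUN_DEPLOY=1 sh deploy-backend.sh after az login; a non-zero exit from shared_key_disabled means the account accepts shared keys and the deployment should be reviewed before any state is written.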

Outputs

When the deployment succeeds, the following output values are automatically returned in the results of the deployment:

| Name | Description | Type |
|---|---|---|
| storageAccountName | The name of the storage account that was created. | string |
| containerName | The name of the blob container that was created. | string |

References

Contributing

See contributing guidelines.

License

This project is licensed under the terms of the MIT license.