This past week I started working on a new proof of concept in Azure. Since I had not really done any Terraform in Azure before, I figured this would be a good project to try it out with. When working in AWS, I have generally used S3 as the backend, so I decided to look at using Azure Storage for this project. As with AWS, there is a little bit of a chicken and egg problem, where the storage needs to be created prior to Terraform being able to use it.

I suppose I could have written some Terraform to run locally and create it, but I decided to just use the Azure CLI to get more familiar with it.

Preparing the Environment

Since the Azure CLI is written in Python, the first thing that I did was create a virtual environment with Virtualenvwrapper and install the azure-cli package.

mkvirtualenv -p python3 azure
pip install azure-cli

Once the azure-cli package is installed you need to authenticate with Azure.

az login

Create the Storage Account and Container to Use with Terraform

Once authenticated, configuring Azure to use as a Terraform backend is relatively straightforward. I decided to create a separate resource group just for my Terraform state files. This way I can lock the resource and prevent accidental deletion. You can create the resource group via the CLI:

az group create --location eastus --name terraform-state

The next step is to create the storage account. Since its name has to be a globally unique string between 3 and 24 characters, I generated something unique rather than mess around with trying to figure out a name that works.

cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-z0-9' | head -c 24
b4go1zc0ih6swsus92beh8a6

az storage account create --resource-group terraform-state --name b4go1zc0ih6swsus92beh8a6

Now that the storage account is created, we can create the storage container.

az storage container create --name tfstate --account-name b4go1zc0ih6swsus92beh8a6

Finally, you can lock the resource group to prevent changes. Locks are inherited from parent resources, so I just lock the resource group.

az lock create --name LockTfResource --lock-type CanNotDelete --resource-group terraform-state

Configure Terraform to use Azure Storage

With the storage for the tfstate files set up, we can now configure Terraform to use it. Start by creating a file called backend.tf and adding the following to it:

terraform {
  backend "azurerm" {
    storage_account_name = "b4go1zc0ih6swsus92beh8a6"
    container_name = "tfstate"
  }
}

Next, create a file called provider.tf and add the following. You can get the subscription-id by running the command az account list --query '[].[name, id]' --output tsv and selecting the ID for the subscription you are working with.

provider "azurerm" {
  subscription_id = "cbe70a88-0da5-4bca-88b8-c8b9c0350557"
}

Once the files are created, you will need to get the storage access key and then initialize the backend.

export AZURE_ACCESS_KEY=$(az storage account keys list -n b4go1zc0ih6swsus92beh8a6 --query '[0].value' --output tsv)

terraform init \
  -backend-config="access_key=${AZURE_ACCESS_KEY}" \
  -backend-config="key=hackathon-poc2.terraform.tfstate"

That’s it. Now you can start creating resources in your main.tf file and building out your Azure infrastructure.
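
The terraform init call above passes the storage key with -backend-config, and Terraform saves backend settings supplied that way under the .terraform directory. The script below is an added example, not part of the original post: it checks a working directory for a saved key and shows an init that supplies the key through the ARM_ACCESS_KEY environment variable instead. It assumes the cache is the JSON file .terraform/terraform.tfstate; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: Terraform caches the initialized backend settings
# as JSON in .terraform/terraform.tfstate, writing unset attributes as null.

# valid_account_name NAME: succeed if NAME is 3 to 24 characters long and
# contains only lowercase letters and digits (Azure's storage account rule).
valid_account_name() (
  LC_ALL=C
  case "$1" in
    ''|*[!a-z0-9]*) exit 1 ;;
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
)

# backend_key_persisted DIR: succeed if the backend cache under DIR holds a
# non-empty access_key string, meaning the key was written to disk.
backend_key_persisted() {
  [ -f "$1/.terraform/terraform.tfstate" ] || return 1
  grep -Eq '"access_key"[[:space:]]*:[[:space:]]*"[^"]+"' \
    "$1/.terraform/terraform.tfstate"
}

# init_with_env_key ACCOUNT STATE_KEY: initialize the backend with the key in
# ARM_ACCESS_KEY, which the azurerm backend reads, so the key is neither a
# command-line argument nor part of the saved backend settings.
# Needs az and terraform, so it is defined here but not called.
init_with_env_key() {
  valid_account_name "$1" || { echo "invalid account name: $1" >&2; return 2; }
  ARM_ACCESS_KEY=$(az storage account keys list -n "$1" \
    --query '[0].value' --output tsv) || return 1
  export ARM_ACCESS_KEY
  terraform init -backend-config="key=$2"
}

# write_sample_cache DIR JSON_VALUE: write a constructed backend cache whose
# access_key is JSON_VALUE (a quoted string or null). Sample data only.
write_sample_cache() {
  mkdir -p "$1/.terraform"
  cat > "$1/.terraform/terraform.tfstate" <<EOF
{ "version": 3,
  "backend": { "type": "azurerm", "config": {
      "access_key": $2,
      "container_name": "tfstate",
      "key": "example.terraform.tfstate",
      "storage_account_name": "examplestorageacct01" } } }
EOF
}
```

Run backend_key_persisted . from the directory that holds backend.tf; a zero exit status means the key is on disk in that directory and the .terraform folder should be kept out of version control and shared storage.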