This module can be used to provision a primary terraform resource group and a backend terraform resource group. The primary resource group is assigned a service principal that is linked to a custom RBAC role, `terraform-contributor`. The primary resource group can then be used with the azureRM provider by a remote team, using the provided service principal, to build future projects or solutions within the primary resource group.
The backend resource group will not be associated with the newly created `terraform-SPN` AAD application and service principal created by this module. The backend resource group will contain a backend storage account and two containers, `backend-state` and `primary-state`, for storing remote states. The containers are kept separate so that the backend state stays apart from the primary state, as the primary state will be used by the remote team through the principal created by this module. The `terraform-SPN` AAD application and service principal will only have access to the `primary-state` container of the backend storage account, so that it can reach the remote state of the remote team's future Terraform deployments.
The backend resource group will also contain a backend key vault where the `terraform-SPN` AAD application service principal ID and secret are stored as secrets that can be given to the remote team to configure their provider. The `terraform-SPN` service principal will only have access to get and list keys from the backend key vault.
The admin user who sets up the environment using this module has full access to the backend key vault and can distribute the details to the remote team. This secure backend module should be run by a privileged admin user who has sufficient access to the subscription. After the backend and primary resources have been created, the admin can migrate the backend state to the provided storage account container if required and pass on the `terraform-SPN` service principal details to a team that will use Terraform to configure their azureRM provider and start using the primary resource group for their deployments.
The azureRM provider the team configures with the provided service principal will only have access to the backend storage container `primary-state`, to store state files for deployments made in the primary resource group. The provided service principal has `contributor` rights only on the primary resource group and not on the backend resource group. It will also only have access to get and list keys from the backend key vault.
- Create Primary resource group.
- Create Backend resource group.
- Create Backend storage account:
  - Create container `backend-state`, where the admin can migrate this module's terraform state.
  - Create container `primary-state`, where the `terraform-SPN` service principal can migrate future projects' terraform state.
- Create the custom role definition `terraform-contributor`:
  - assigned to the primary resource group with `terraform-contributor`.
  - assigned to backend storage account container `primary-state` (Storage Blob Data Contributor).
- Create `terraform-SPN` AAD Application & service principal with the `terraform-contributor` custom role definition assigned, for use in the azureRM provider.
- Create Backend terraform key vault to home the created `terraform` service principal ID and secret:
  - The service principal ARM_CLIENT_ID (`tf-arm-client-id`) and ARM_CLIENT_SECRET (`tf-arm-client-secret`) will be stored in the created backend key vault.
  - Assign access policy to key vault for the `terraform-SPN` service principal (Get/List).
A setup log (`setup.log`) is also generated as part of the initial deployment.

State files are kept in separate storage containers so that `terraform destroy` does not destroy the backend. Anyone who uses the primary resource group for Terraform deployments with the `terraform-SPN` service principal provisioned by this module can therefore store state in the `primary-state` container, which the `terraform-SPN` principal has access to.

The initial setup needs to be performed by an admin user who has sufficient permissions to Azure via the CLI (see the examples readme for more info).
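The remote team's side of the arrangement described above, as an added example that is not part of this module: a root configuration that stores its state in `primary-state` with the `terraform-SPN` principal and deploys into the primary resource group. Resource names match the module defaults; the state key and the storage account name created by the team are placeholders.

```hcl
# Added example, not part of the module: a remote team's root configuration
# that uses the terraform-SPN principal and the primary-state container.
# Resource names match the module defaults; the state key is a placeholder.
terraform {
  required_version = ">= 1.10.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }

  backend "azurerm" {
    resource_group_name  = "BackendRG"
    storage_account_name = "tfbackendsa"
    container_name       = "primary-state" # the only container the SPN may write to
    key                  = "remote-team/project.tfstate"
    # The SPN holds Storage Blob Data Contributor on the container but is not
    # granted rights on the storage account itself, so listing account keys
    # is denied. Authenticate to the blob data plane with Azure AD instead.
    use_azuread_auth = true
    # Identity comes from ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and
    # ARM_SUBSCRIPTION_ID in the environment; never hard-code the secret here.
  }
}

provider "azurerm" {
  features {}
  # Uses the same ARM_* variables, populated from the tf-arm-client-id and
  # tf-arm-client-secret secrets in the backend key vault.
}

# Deployments must target the primary resource group, the only scope where
# terraform-contributor is assigned; creating resources elsewhere is denied.
data "azurerm_resource_group" "primary" {
  name = "PrimaryRG"
}

resource "azurerm_storage_account" "team_sa" {
  name                     = "teamprimarysa" # placeholder, must be globally unique
  resource_group_name      = data.azurerm_resource_group.primary.name
  location                 = data.azurerm_resource_group.primary.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  tags                     = { environment = "Development" }
}
```

Without `use_azuread_auth = true` the backend tries to read the storage account keys and `terraform init` fails for this principal, which is the intended boundary: the SPN can touch blobs in `primary-state` and nothing else in the backend resource group.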
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.10.0 |
| azuread | ~> 3.0 |
| azurerm | ~> 4.0 |

## Providers

| Name | Version |
|---|---|
| azuread | ~> 3.0 |
| azurerm | ~> 4.0 |
| null | n/a |

## Modules

No modules.
## Resources

| Name | Type |
|---|---|
| azuread_application.terraform_app | resource |
| azuread_service_principal.terraform_app_sp | resource |
| azuread_service_principal_password.terraform_app_sp_pwd | resource |
| azurerm_key_vault.backend_kv | resource |
| azurerm_key_vault_secret.terraform_client_id | resource |
| azurerm_key_vault_secret.terraform_client_secret | resource |
| azurerm_resource_group.backend_rg | resource |
| azurerm_resource_group.primary_rg | resource |
| azurerm_role_assignment.primary_rg_ra | resource |
| azurerm_role_assignment.primary_sa_container_ra | resource |
| azurerm_role_definition.terraform_role | resource |
| azurerm_storage_account.backend_sa | resource |
| azurerm_storage_container.backend_sa_container | resource |
| azurerm_storage_container.primary_sa_container | resource |
| null_resource.setup-log | resource |
| azurerm_client_config.current | data source |
| azurerm_subscription.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| backend_resource_group_name | The name for the backend resource group that will home the backend storage account and backend key vault. (Default: BackendRG) | string | "BackendRG" | no |
| backend_sa_access_tier | The access tier of the backend storage account. (Accepted values: Cool, Hot) | string | "Hot" | no |
| backend_sa_account_kind | Defines the kind of account. (Accepted values: BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2) | string | "BlobStorage" | no |
| backend_sa_account_repl | Defines the type of replication to use for this storage account. (Accepted values: LRS, GRS, RAGRS, ZRS) | string | "LRS" | no |
| backend_sa_account_tier | Defines the tier to use for this storage account. (Accepted values: Standard, Premium. For FileStorage accounts only Premium is valid.) | string | "Standard" | no |
| backend_storage_account_name | The name for the backend storage account that will home the backend and primary state blob containers. (Unique, all lowercase) | string | "tfbackendsa" | no |
| common_tags | A map of key/value pairs used to tag the resources created. (Default: demo map) | map(string) | { | no |
| environment | Value to describe the environment. Primarily used for tagging and naming resources. (Default: Development) | string | "Development" | no |
| kv_name | The name for the backend key vault that will home terraform secrets, e.g. terraform ARM_CLIENT_ID and ARM_CLIENT_SECRET. (Unique, all lowercase) | string | "terraform-kv" | no |
| kv_sku | Key Vault SKU. (Default: standard) | string | "standard" | no |
| location | Location in Azure where resources will be created. (Default: uksouth) | string | "uksouth" | no |
| primary_resource_group_name | The name for the primary resource group with the 'terraform-contributor' role assigned. (Default: PrimaryRG) | string | "PrimaryRG" | no |
| soft_delete_retention_days | Key Vault soft delete retention days. (Default: 7) | number | "7" | no |
| spn_name | Azure AD App & SPN name. (Default: terraform-SPN) | string | "terraform-SPN" | no |
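An admin-side root configuration that calls this module with the inputs above, as an added example and not the module's own code. The module `source` path is a placeholder, and the storage account and key vault names must be globally unique in practice.

```hcl
# Added example, not part of the module's own code: an admin root
# configuration that calls the module with explicit inputs. The module
# source is a placeholder; resource names must be globally unique.
terraform {
  required_version = ">= 1.10.0"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
  }
  # The first apply uses local state. Once backend-state exists, uncomment
  # this block and run `terraform init -migrate-state` to move this module's
  # own state into backend-state, kept apart from the team's primary-state.
  # backend "azurerm" {
  #   resource_group_name  = "BackendRG"
  #   storage_account_name = "tfbackendsa"
  #   container_name       = "backend-state"
  #   key                  = "secure-backend.tfstate"
  # }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

module "secure_backend" {
  source = "../../" # placeholder: path or registry address of this module

  location                     = "uksouth"
  environment                  = "Development"
  backend_resource_group_name  = "BackendRG"
  primary_resource_group_name  = "PrimaryRG"
  backend_storage_account_name = "tfbackendsa"
  backend_sa_account_kind      = "StorageV2"
  backend_sa_account_tier      = "Standard"
  backend_sa_account_repl      = "ZRS"
  backend_sa_access_tier       = "Hot"
  kv_name                      = "terraform-kv"
  kv_sku                       = "standard"
  soft_delete_retention_days   = 7
  spn_name                     = "terraform-SPN"
  common_tags = {
    environment = "Development"
    owner       = "platform-team"
  }
}
```

Only `module.secure_backend.terraform_application_id` needs to be handed to the remote team directly; the client secret is read from the `tf-arm-client-secret` key vault secret rather than surfaced as a plain output.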
## Outputs

| Name | Description |
|---|---|
| backend_key_vault_id | The resource ID for the backend key vault. |
| backend_resource_group_id | The resource ID for the backend resource group. |
| backend_storage_account_id | The resource ID for the backend storage account. |
| primary_resource_group_id | The resource ID for the primary resource group. |
| terraform_application_id | The client ID for the terraform application service principal. |
| terraform_custom_role_id | The terraform-contributor role ID. |