(2/2) How to use Terraform from local Machine additionally to Azure DevOps Pipeline (2 Part Series)

In the previous blog post, (1/2) Setting up Azure workload identity federation with Terraform in Azure DevOps pipelines (2 Part Series), we learned how to set up Azure DevOps using Workload Identity Federation. Because we are using a managed identity and not a service principal with a secret that has a certain lifetime, we are not directly able to run Terraform locally. But what about using a service principal for local activities whose secret will expire after a few hours instead of months?

(1/2) Setting up Azure workload identity federation with Terraform in Azure DevOps pipelines (2 Part Series)

I was curious about how to set up Azure DevOps to utilize Terraform for deploying Azure resources with workload identity federation instead of relying on a service principal with secrets. In this blog post, I will demonstrate how I set up this configuration. To learn more about workload identity federation, read the docs: Workload identity federation - Microsoft Entra | Microsoft Learn

Prerequisites

- Azure DevOps Org
- “Customer Azure Tenant” with Subscription
- “Backend Azure Tenant” with Subscription (can be in the same tenant; in our example we use different tenants)
- Azure PowerShell Module

Overview - Setup Steps

- Create a storage account that will store the Terraform state file
- Create a managed identity which has Contributor permissions on this storage account
- If not already the case, install the Terraform extension for your Azure DevOps Org
- Create a new Azure DevOps Project
- Create a service connection to the “backend tenant” using workload identity federation with your previously created managed identity
- Create a managed identity in the customer tenant where you finally want to deploy Azure resources using Terraform, with Contributor permission on the Subscription
- Create a service connection to the customer tenant using workload identity federation with your previously created managed identity
- Create a repository with basic Terraform files
- Create an Azure DevOps Pipeline

Preview

Prepare “Backend Tenant” to store Terraform State File

As outlined in this example, I intend to store the Terraform state file in a different Azure Tenant than where the actual Azure deployment will occur.