(1/2) Setting up Azure workload identity federation with Terraform in Azure DevOps pipelines (2 Part Series)
I was curious about how to set up Azure DevOps to run Terraform deployments of Azure resources with workload identity federation instead of a service principal with a client secret. With federation, no long-lived secret is stored in Azure DevOps at all: the pipeline presents an OIDC token issued by Azure DevOps, and Microsoft Entra exchanges it for an access token only if the token's issuer and subject match a federated credential configured on the identity. In this blog post, I will demonstrate how I set up this configuration.
To learn more about workload identity federation, read the docs:
Workload identity federation - Microsoft Entra | Microsoft Learn
Prerequisites
- Azure DevOps Org
- “Customer Azure Tenant” with a Subscription (the tenant into which Terraform will deploy resources)
- “Backend Azure Tenant” with a Subscription (holds the Terraform state; this can be the same tenant as the customer tenant, but in this example two different tenants are used)
- Azure PowerShell module (Az)
Overview - Setup Steps
- Create a storage account that will store the Terraform state file
- Create a managed identity which has Contributor permissions on this storage account (Contributor lets the backend read the account keys; if you set `use_azuread_auth = true` in the `azurerm` backend, a data-plane role such as Storage Blob Data Contributor on the account is sufficient and the pipeline never sees the keys)
- If not already the case, install the Terraform extension for your Azure DevOps Org
- Create a new Azure DevOps Project
- Create a service connection to the “backend tenant” using workload identity federation with the managed identity created above
- Create a managed identity in the customer tenant into which you want to deploy Azure resources with Terraform, with Contributor permission on the Subscription
- Create a service connection to the customer tenant using workload identity federation with that managed identity
- Create a repository with basic Terraform files
- Create an Azure DevOps Pipeline
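The Azure-side part of the steps above (storage account, the two managed identities, their role assignments and the federated credentials), as an added Azure PowerShell example that is not part of the original post. All tenant and subscription IDs, resource names, the Azure DevOps organisation, project and service-connection names, and the issuer GUID are placeholders. The issuer and subject values are the ones Azure DevOps displays when a service connection is created with the manual workload identity federation option; the subject has the form `sc://<org>/<project>/<service connection name>`. The backend identity gets Storage Blob Data Contributor instead of Contributor, which assumes `use_azuread_auth = true` in the Terraform backend block.

```powershell
# Added example (not from the original post). Creates the Azure-side pieces of the setup:
# state storage, two user-assigned managed identities, role assignments, federated credentials.
# Every value in this section is an assumed placeholder; replace it before running.
#Requires -Modules Az.Accounts, Az.Resources, Az.Storage, Az.ManagedServiceIdentity

$BackendTenantId  = '00000000-0000-0000-0000-000000000001'
$BackendSubId     = '00000000-0000-0000-0000-000000000002'
$CustomerTenantId = '00000000-0000-0000-0000-000000000003'
$CustomerSubId    = '00000000-0000-0000-0000-000000000004'
$Location         = 'westeurope'
$StorageRg        = 'rg-tfstate'
$StorageAccount   = 'sttfstatedemo01'      # must be globally unique, 3-24 lowercase alphanumerics
# Azure DevOps shows issuer and subject when you create a service connection with
# "Workload Identity federation (manual)". The issuer path is the organisation ID (a GUID).
$AdoIssuer        = 'https://vstoken.dev.azure.com/11111111-1111-1111-1111-111111111111'
$AdoOrgName       = 'my-org'
$AdoProject       = 'tf-demo'
$Audience         = 'api://AzureADTokenExchange'

function New-FederatedIdentity {
    # Creates a user-assigned managed identity, assigns one role at the given scope and adds
    # the federated credential that trusts exactly one Azure DevOps service connection.
    param(
        [string]$ResourceGroup,
        [string]$Name,
        [string]$RoleName,
        [string]$Scope,
        [string]$ServiceConnectionName
    )
    $mi = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $Name -Location $Location

    # The identity's service principal replicates asynchronously, so a role assignment issued
    # immediately can fail with PrincipalNotFound; retry a few times before giving up.
    $attempt = 0
    do {
        $attempt++
        $ra = New-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName $RoleName `
                -Scope $Scope -ErrorAction SilentlyContinue
        if (-not $ra) { Start-Sleep -Seconds 10 }
    } while (-not $ra -and $attempt -lt 6)
    if (-not $ra) { throw "Role assignment '$RoleName' for $Name failed after $attempt attempts" }

    # Federated credential: no client secret exists. Entra issues tokens to this identity only
    # for Azure DevOps tokens whose iss/sub/aud match these three values.
    $subject = "sc://$AdoOrgName/$AdoProject/$ServiceConnectionName"
    New-AzFederatedIdentityCredential -ResourceGroupName $ResourceGroup -IdentityName $Name `
        -Name 'azure-devops' -Issuer $AdoIssuer -Subject $subject -Audience $Audience | Out-Null

    [pscustomobject]@{ Identity = $Name; ClientId = $mi.ClientId; PrincipalId = $mi.PrincipalId; Subject = $subject }
}

# --- backend tenant: state storage and the identity allowed to write state ---------------
Connect-AzAccount -Tenant $BackendTenantId -Subscription $BackendSubId | Out-Null
New-AzResourceGroup -Name $StorageRg -Location $Location -Force | Out-Null
$sa = New-AzStorageAccount -ResourceGroupName $StorageRg -Name $StorageAccount -Location $Location `
        -SkuName Standard_LRS -Kind StorageV2 -MinimumTlsVersion TLS1_2 `
        -AllowBlobPublicAccess $false -EnableHttpsTrafficOnly $true
New-AzStorageContainer -Name 'tfstate' -Context $sa.Context -Permission Off | Out-Null

# Data-plane role scoped to the single account: enough for the azurerm backend with
# use_azuread_auth = true, and the pipeline can never list the account keys.
$backendId = New-FederatedIdentity -ResourceGroup $StorageRg -Name 'id-tfstate' `
    -RoleName 'Storage Blob Data Contributor' -Scope $sa.Id -ServiceConnectionName 'sc-backend'

# --- customer tenant: the identity allowed to deploy resources --------------------------
Connect-AzAccount -Tenant $CustomerTenantId -Subscription $CustomerSubId | Out-Null
New-AzResourceGroup -Name 'rg-identities' -Location $Location -Force | Out-Null
$customerId = New-FederatedIdentity -ResourceGroup 'rg-identities' -Name 'id-tf-deploy' `
    -RoleName 'Contributor' -Scope "/subscriptions/$CustomerSubId" -ServiceConnectionName 'sc-customer'

# Enter each ClientId (with its tenant and subscription ID) into the matching service connection.
$backendId, $customerId | Format-List
```

Create the two service connections in Azure DevOps first so that you can copy the issuer into `$AdoIssuer`, and keep the service-connection names in the script identical to the ones in Azure DevOps: the subject is matched exactly, so a renamed connection silently stops getting tokens.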