https://nasan.ch/tags/infrastructureascode/Recent content in InfrastructureAsCode on NASANHugoenTue, 26 Sep 2023 06:10:21 +0100https://nasan.ch/posts/2023-09-27-terraform-locally/Tue, 26 Sep 2023 06:10:21 +0100https://nasan.ch/posts/2023-09-27-terraform-locally/<p>In the latest blog post <a href="https://nasan.ch/posts/2023-09-23-azuredevopsterraform/" target="_blank" rel="noopener noreffer">(1/2) Setting up Azure workload identity federation with Terraform in Azure DevOps pipelines (2 Part Series)</a> we learned how to setup Azure DevOps using Workload Identiy Federation</p> <p>Because we are using a managed identity and not a service principal with a secret that has a certain lifetime, we are not directly able to run terraform from locally.</p> <p>But what about using a service principal for local activities whose secret will expire after a few hours instead of months?<br> This wasn&rsquo;t practical when using a service principal in the service connection. Typically, the secret had a longer lifetime, so it didn&rsquo;t need to be renewed every time within the service connection.</p>https://nasan.ch/posts/2023-09-23-azuredevopsterraform/Sat, 23 Sep 2023 06:10:21 +0100https://nasan.ch/posts/2023-09-23-azuredevopsterraform/<p>I was curious about how to set up Azure DevOps to utilize Terraform for deploying Azure resources with <strong>workload identity federation</strong> instead of relying on a <strong>service principal</strong> with secrets. In this blog post, I will demonstrate how I set up this configuration.</p> <p>To learn more about workload identity federation read the docs:<br> <a href="https://learn.microsoft.com/en-us/azure/active-directory/workload-identities/workload-identity-federation" target="_blank" rel="noopener noreffer">Workload identity federation - Microsoft Entra | Microsoft Learn</a></p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Azure DevOps Org</li> <li><strong>&ldquo;Customer Azure Tenant&rdquo;</strong> with Subscription</li> <li><strong>&ldquo;Backend Azure Tenant&rdquo;</strong> with Subscription (can be in the same tenant - in our example we use different tenants)</li> <li><a href="https://learn.microsoft.com/en-us/powershell/azure/" target="_blank" rel="noopener noreffer">Azure Powershell Module</a></li> </ul> <h2 id="overview---setup-steps">Overview - Setup Steps</h2> <ol> <li>Create a <strong>storage account</strong> that will store the Terraform state file</li> <li>Create a <strong>managed identity</strong> which has contributor permissions on this storage account</li> <li>If not already the case, install the <strong>Terraform extension</strong> for your Azure DevOps Org</li> <li>Create a new <strong>Azure DevOps Project</strong></li> <li>Create a <strong>service connection</strong> to the &ldquo;backend tenant&rdquo; using workload identity federation with your previously created managed identity</li> <li>Create a <strong>managed identity</strong> in the customer tenant where you finally want to deploy Azure Resources using Terraform, with Contributor permission on the Subscription</li> <li>Create a <strong>service connection</strong> to the customer tenant using workload identity federation with your previously created managed identity</li> <li>Create a <strong>repository</strong> with basic Terraform files</li> <li>Create an <strong>Azure DevOps Pipeline</strong></li> </ol> <p><figure><a class="lightgallery" href="https://nasan.ch/images/terraform-overview-Demo1.png" title="image" data-thumbnail="/images/terraform-overview-Demo1.png" data-sub-html="<h2>Preview</h2><p>image</p>