This article is sort of like a Part 2. You see, I wrote a previous article that discussed connecting Terraform Cloud with Azure DevOps Services. You can see that article here.

For this article, I'd like to elaborate on that a little bit, as well as discuss how to connect with an Azure Subscription.

Terraform needs a way to create resources in your Azure Subscription. One solution to this is to create a Service Principal (with a Client Secret) in Azure AD. Then, you assign that Service Principal permissions to your Azure resources. You can choose to give it whatever access you want. In the diagram above, we are giving it the "Contributor" permissions at the Subscription level. See this page on the Terraform docs which shows you how to create a Service Principal (with a Client Secret) to be used for this purpose.

Next, we need to tell Terraform Cloud about our Service Principal so that it can utilize it. There's a few ways this can be done, but what I like to do is define some special environment variables on the Terraform Cloud Workspace. There are 4 environment variables that you will need to define in this particular example:

1. ARM_CLIENT_ID = This is the Application (client) ID of the Service Principal

2. ARM_CLIENT_SECRET = This is the secret password for the Service Principal

3. ARM_TENANT_ID = This is the Directory (tenant) ID of the Service Principal

4. ARM_SUBSCRIPTION_ID = The ID of the Subscription where resources will be created

I would recommend that you mark the ARM_CLIENT_SECRET environment variable as "sensitive" in your Terraform Cloud Workspace. This means nobody will be able to see the value after it has been set. Feel free to mark some of the other environment variables as sensitive, if you wish.

So, Terraform Cloud should now be able to successfully talk with our Azure environment. Now, how to configure Terraform Cloud to talk with Azure DevOps. In a nutshell, follow the guidance in my previous article. But, what are we actually doing when we go through those steps? I'll highlight that below.

Terraform Cloud needs an OAuth Authorization to be created under somebody's account in your Azure DevOps organization. It can be any account in your Azure DevOps, but make sure the account is a member of the "Project Collection Administrators" group in Azure DevOps. See this page on the Terraform docs which has some more details. Personally, I like to create a service account in my Azure DevOps Services just for this purpose.

Well, I think that about covers it. Did I miss anything?

References:

- Azure Provider: Authenticating using a Service Principal with a Client Secret

- Configuring Azure DevOps Services Access