Azure Provider

The Azure Provider can be used to configure infrastructure in Microsoft Azure using the Azure Resource Manager API's. Documentation regarding the Data Sources and Resources supported by the Azure Provider can be found in the navigation to the left.

To learn the basics of Terraform using this provider, follow the hands-on get started tutorials.

Interested in the provider's latest features, or want to make sure you're up to date? Check out the changelog for version information and release notes.

Authenticating to Azure

Terraform supports a number of different methods for authenticating to Azure:

• Authenticating to Azure using the Azure CLI
• Authenticating to Azure using Managed Service Identity
• Authenticating to Azure using a Service Principal and a Client Certificate
• Authenticating to Azure using a Service Principal and a Client Secret
• Authenticating to Azure using OpenID Connect

We recommend using either a Service Principal or Managed Service Identity when running Terraform non-interactively (such as when running Terraform in a CI server) - and authenticating using the Azure CLI when running Terraform locally.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: hashicorp/azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_2",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "example-network",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");

Features and Bug Requests

The Azure provider's bugs and feature requests can be found in the GitHub repo issues. Please avoid "me too" or "+1" comments. Instead, use a thumbs up reaction on enhancement requests. Provider maintainers will often prioritize work based on the number of thumbs on an issue.

Community input is appreciated on outstanding issues! We love to hear what use cases you have for new features, and want to provide the best possible experience for you using the Azure provider.

If you have a bug or feature request without an existing issue

• if an existing resource or field is working in an unexpected way, file a bug.

• if you'd like the provider to support a new resource or field, file an enhancement/feature request.

The provider maintainers will often use the assignee field on an issue to mark who is working on it.

• An issue assigned to an individual maintainer indicates that the maintainer is working on the issue

• If you're interested in working on an issue please leave a comment on that issue

If you have configuration questions, or general questions about using the provider, try checking out:

• Terraform's community resources
• HashiCorp support for Terraform Enterprise customers

Argument Reference

The following arguments are supported:

• features - (Required) A features block as defined below which can be used to customize the behaviour of certain Azure Provider resources.

• clientId - (Optional) The Client ID which should be used. This can also be sourced from the armClientId Environment Variable.

• environment - (Optional) The Cloud Environment which should be used. Possible values are public, usgovernment, german, and china. Defaults to public. This can also be sourced from the armEnvironment Environment Variable.

• subscriptionId - (Optional) The Subscription ID which should be used. This can also be sourced from the armSubscriptionId Environment Variable.

• tenantId - (Optional) The Tenant ID which should be used. This can also be sourced from the armTenantId Environment Variable.

• auxiliaryTenantIds - (Optional) List of auxiliary Tenant IDs required for multi-tenancy and cross-tenant scenarios. This can also be sourced from the armAuxiliaryTenantIds Environment Variable.

When authenticating as a Service Principal using a Client Certificate, the following fields can be set:

• clientCertificate - (Optional) A base64-encoded PKCS#12 bundle to be used as the client certificate for authentication. This can also be sourced from the armClientCertificate environment variable.

• clientCertificatePassword - (Optional) The password associated with the Client Certificate. This can also be sourced from the armClientCertificatePassword Environment Variable.

• clientCertificatePath - (Optional) The path to the Client Certificate associated with the Service Principal which should be used. This can also be sourced from the armClientCertificatePath Environment Variable.

More information on how to configure a Service Principal using a Client Certificate can be found in this guide.

When authenticating as a Service Principal using a Client Secret, the following fields can be set:

• clientSecret - (Optional) The Client Secret which should be used. This can also be sourced from the armClientSecret Environment Variable.

More information on how to configure a Service Principal using a Client Secret can be found in this guide.

When authenticating as a Service Principal using Open ID Connect, the following fields can be set:

• oidcRequestToken - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the armOidcRequestToken or actionsIdTokenRequestToken Environment Variables.

• oidcRequestUrl - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the armOidcRequestUrl or actionsIdTokenRequestUrl Environment Variables.

• oidcToken - (Optional) The ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the armOidcToken environment Variable.

• oidcTokenFilePath - (Optional) The path to a file containing an ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the armOidcTokenFilePath environment Variable.

• useOidc - (Optional) Should OIDC be used for Authentication? This can also be sourced from the armUseOidc Environment Variable. Defaults to false.

More information on how to configure a Service Principal using OpenID Connect can be found in this guide.

When authenticating using Managed Identity, the following fields can be set:

• msiEndpoint - (Optional) The path to a custom endpoint for Managed Identity - in most circumstances, this should be detected automatically. This can also be sourced from the armMsiEndpoint Environment Variable.

• useMsi - (Optional) Should Managed Identity be used for Authentication? This can also be sourced from the armUseMsi Environment Variable. Defaults to false.

More information on how to configure a Service Principal using Managed Identity can be found in this guide.

For Azure CLI authentication, the following fields can be set:

• useCli - (Optional) Should Azure CLI be used for authentication? This can also be sourced from the armUseCli environment variable. Defaults to true.

For some advanced scenarios, such as where more granular permissions are necessary - the following properties can be set:

• disableTerraformPartnerId - (Optional) Disable sending the Terraform Partner ID if a custom partnerId isn't specified, which allows Microsoft to better understand the usage of Terraform. The Partner ID does not give HashiCorp any direct access to usage information. This can also be sourced from the armDisableTerraformPartnerId environment variable. Defaults to false.

• metadataHost - (Optional) The Hostname of the Azure Metadata Service (for example managementAzureCom), used to obtain the Cloud Environment when using a Custom Azure Environment. This can also be sourced from the armMetadataHostname Environment Variable.

\~> Note: environment must be set to the requested environment name in the list of available environments held in the metadataHost.

• partnerId - (Optional) A GUID/UUID registered with Microsoft to facilitate partner resource usage attribution. This can also be sourced from the armPartnerId Environment Variable. Supported formats are <guid> / pid-<guid> (GUIDs registered in Partner Center) and pid-<guid>Partnercenter (for published commercial marketplace Azure apps).

• auxiliaryTenantIds - (Optional) Contains a list of (up to 3) other Tenant IDs used for cross-tenant and multi-tenancy scenarios with multiple AzureRM provider definitions. The list of auxiliaryTenantIds in a given AzureRM provider definition contains the other, remote Tenants and should not include its own subscriptionId (or armSubscriptionId Environment Variable).

• skipProviderRegistration - (Optional) Should the AzureRM Provider skip registering the Resource Providers it supports? This can also be sourced from the armSkipProviderRegistration Environment Variable. Defaults to false.

-> By default, Terraform will attempt to register any Resource Providers that it supports, even if they're not used in your configurations to be able to display more helpful error messages. If you're running in an environment with restricted permissions, or wish to manage Resource Provider Registration outside of Terraform you may wish to disable this flag; however, please note that the error messages returned from Azure may be confusing as a result (example: apiVersion20190101WasNotFoundForMicrosoftFoo).

• storageUseAzuread - (Optional) Should the AzureRM Provider use AzureAD to connect to the Storage Blob & Queue API's, rather than the SharedKey from the Storage Account? This can also be sourced from the armStorageUseAzuread Environment Variable. Defaults to false.

\~> Note: This requires that the User/Service Principal being used has the associated storage roles - which are added to new Contributor/Owner role-assignments, but have not been backported by Azure to existing role-assignments.

\~> Note: The Files & Table Storage API's do not support authenticating via AzureAD and will continue to use a SharedKey to access the API's.

• useMsal - (Optional) When true, and when using service principal authentication, the provider will obtain v2 authentication tokens from the Microsoft Identity Platform. Has no effect when authenticating via Managed Identity or the Azure CLI. Can also be set via the armUseMsal or armUseMsgraph environment variables.

-> Note: This will behaviour will be defaulted on in version 3.0 of the AzureRM (with no opt-out) due to the deprecation of Azure Active Directory Graph.

It's also possible to use multiple Provider blocks within a single Terraform configuration, for example, to work with resources across multiple Subscriptions - more information can be found in the documentation for Providers.

Features

The features block allows configuring the behaviour of the Azure Provider, more information can be found on the dedicated page for the features block.